@ichibase/cli 0.1.0

package/README.md

@@ -0,0 +1,73 @@
+# @ichibase/cli
+
+The `ichibase` CLI. Today it ships the **migration** commands — extract an
+existing app from Supabase / Postgres / MongoDB / Atlas into an ichibase
+migration bundle and push it to your project. (The broader local-dev surface —
+`init` / `db push` / `functions deploy` — is still future work.)
+
+Extraction runs entirely on **your** machine against **your** source. Your source
+credentials never leave your computer; only the resulting migration bundle is
+uploaded to your ichibase project.
+
+## Install
+
+```sh
+npm i -g @ichibase/cli      # or: npx @ichibase/cli …
+```
+
+For MongoDB/Atlas sources you also need the
+[MongoDB Database Tools](https://www.mongodb.com/docs/database-tools/)
+(`mongodump`) on your `PATH`.
+
+## 1. Extract a bundle
+
+```sh
+# Supabase (tables + data + auth users; bcrypt passwords come across)
+# Use the SESSION POOLER string (Settings → Database → Connection string → Session pooler);
+# the direct db.<ref>.supabase.co host is IPv6-only and won't resolve on most machines.
+ichibase migrate supabase --conn "postgresql://postgres.<ref>:PASSWORD@aws-0-<region>.pooler.supabase.com:5432/postgres" --out ./bundle
+
+# Generic Postgres (schema + data)
+ichibase migrate postgres --conn "postgresql://user:pw@host:5432/dbname" --out ./bundle
+
+# MongoDB / Atlas (collections + documents)
+ichibase migrate mongodb --conn "mongodb://user:pw@host:27017" --db myapp --out ./bundle
+ichibase migrate atlas   --conn "mongodb+srv://user:pw@cluster.mongodb.net" --db myapp --out ./bundle
+```
+
+This writes an **ichibase migration bundle** to `./bundle`:
+
+```
+manifest.json          source kind, row counts, (mongo) source db name
+schema.json            Postgres: tables, columns, PK, uniques, indexes, FKs
+data/<table>.ndjson    Postgres rows (one JSON object per line)
+data/mongo.archive     Mongo: native mongodump --archive --gzip
+auth.ndjson            users (Supabase): id, email, password_hash, oauth links
+```
+
+## 2. Push it to your project
+
+```sh
+ichibase migrate push --project <slug> --bundle ./bundle \
+  --api https://api.ichibase.com --token "$ICHIBASE_TOKEN"
+```
+
+`--token` is your ichibase owner token / API key (or set `ICHIBASE_TOKEN`).
+The CLI uploads each bundle part to storage via presigned URLs, starts the
+import, and streams progress until it completes. The final report lists row /
+document counts and any manual follow-ups.
+
+## Notes & limitations (v1)
+
+- **Same-paradigm only:** Supabase/Postgres → Postgres, MongoDB/Atlas → MongoDB.
+  Cross-paradigm (SQL→Mongo, Firestore) is coming later.
+- **Passwords:** imported users keep working — ichibase verifies the source
+  hash (bcrypt) on first login and transparently upgrades it to Argon2id. Users
+  whose hash can't be verified must use "forgot password".
+- **User IDs are preserved**, so your data's foreign keys to `auth.users` stay valid.
+- **RLS:** imported tables have Row-Level Security **enabled with no policies** —
+  only your service key can read them until you add policies (Dashboard →
+  Database → RLS). Source policies are reported, not auto-translated.
+- **Paid plans only.**
+- Integers larger than 2^53 should be stored as strings in the source to avoid
+  JSON precision loss; standard `bigint` ids within that range are fine.

package/dist/auth-map.js

@@ -0,0 +1,106 @@
+// "Bring your own users" — a source-agnostic mapper that turns an arbitrary
+// users table / collection into auth.ndjson records the server imports into
+// ichibase Auth. Works for ANY source (generic Postgres, Mongo/Atlas, a Firestore
+// users collection), in ADDITION to the built-in extractors (Supabase auth.users,
+// Firebase Auth export).
+//
+// The owner declares which fields hold the email / password hash / id / etc. and
+// what scheme the hash is in:
+//   bcrypt | argon2  → passed verbatim (login verifies, then lazy-upgrades)
+//   fbscrypt         → wrapped into a $fbscrypt$ tag (needs per-user salt field +
+//                      project params; see services/auth/fbscrypt.go)
+//   plain | none     → no hash stored → user lands as needs_reset (must reset /
+//                      use OAuth). Plaintext is never stored.
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+// Assemble the self-describing tag that services/auth verifies (matches the
+// parser in fbscrypt.go). Shared with the Firebase Auth export path.
+export function buildFbscryptTag(fb, saltB64, hashB64) {
+    return `$fbscrypt$ln=${fb.memCost},r=${fb.rounds},p=1$${fb.saltSeparator}$${fb.signerKey}$${saltB64}$${hashB64}`;
+}
+function asString(v) {
+    if (v === null || v === undefined)
+        return null;
+    if (typeof v === 'string')
+        return v;
+    if (v instanceof Date)
+        return v.toISOString();
+    return String(v);
+}
+function truthy(v) {
+    if (typeof v === 'boolean')
+        return v;
+    if (typeof v === 'number')
+        return v !== 0;
+    if (typeof v === 'string')
+        return ['true', 't', '1', 'yes', 'y'].includes(v.trim().toLowerCase());
+    return false;
+}
+// Map one source row/document → an AuthRecord, or null to skip (no usable email).
+export function mapAuthRecord(doc, m) {
+    const email = (asString(doc[m.emailField]) ?? '').trim().toLowerCase();
+    if (!email || !email.includes('@'))
+        return null;
+    let password_hash = null;
+    if (m.passField && m.hashScheme !== 'none' && m.hashScheme !== 'plain') {
+        const raw = asString(doc[m.passField]);
+        if (raw) {
+            if (m.hashScheme === 'bcrypt' || m.hashScheme === 'argon2') {
+                password_hash = raw; // already a verifiable, self-identifying tagged hash
+            }
+            else if (m.hashScheme === 'fbscrypt' && m.fb && m.saltField) {
+                const salt = asString(doc[m.saltField]);
+                if (salt)
+                    password_hash = buildFbscryptTag(m.fb, salt, raw);
+            }
+        }
+    }
+    const metadata = {};
+    let id;
+    if (m.idField) {
+        const idRaw = asString(doc[m.idField]);
+        if (idRaw) {
+            // The server preserves a valid UUID; otherwise it mints a new one, so keep
+            // the original around for reference / data reconciliation.
+            if (UUID_RE.test(idRaw))
+                id = idRaw;
+            else
+                metadata.source_id = idRaw;
+        }
+    }
+    return {
+        id,
+        email,
+        password_hash,
+        email_verified: m.verifiedField ? truthy(doc[m.verifiedField]) : false,
+        metadata,
+        created_at: m.createdField ? asString(doc[m.createdField]) : null,
+        oauth: [],
+    };
+}
+// Parse the common --auth-* flags into a field map, or undefined when the owner
+// didn't ask to import users from a custom source.
+export function parseAuthMap(f) {
+    const source = f['auth-collection'] ?? f['auth-table'];
+    if (!source)
+        return undefined;
+    const hashScheme = (f['auth-hash-scheme'] ?? 'none');
+    const map = {
+        source,
+        emailField: f['auth-email-field'] ?? 'email',
+        passField: f['auth-pass-field'],
+        idField: f['auth-id-field'],
+        verifiedField: f['auth-verified-field'],
+        createdField: f['auth-created-field'],
+        saltField: f['auth-salt-field'],
+        hashScheme,
+    };
+    if (hashScheme === 'fbscrypt') {
+        map.fb = {
+            signerKey: f['auth-fb-signer-key'] ?? '',
+            saltSeparator: f['auth-fb-salt-separator'] ?? '',
+            rounds: Number(f['auth-fb-rounds'] ?? '8'),
+            memCost: Number(f['auth-fb-mem-cost'] ?? '14'),
+        };
+    }
+    return map;
+}

package/dist/bundle.js

@@ -0,0 +1,39 @@
+// Shapes + writers for the "ichibase migration bundle" (IMB) the server imports.
+// Layout on disk (and in R2 under migrations/<slug>/<job>/):
+//   manifest.json   { source_kind, mongo_source_db?, counts? }
+//   schema.json     Postgres: { schema, tables[...] }
+//   data/<t>.ndjson Postgres rows (one JSON object per line)
+//   data/mongo.archive  Mongo: native mongodump --archive --gzip
+//   auth.ndjson     users (one JSON object per line)
+import { createWriteStream, mkdirSync } from 'node:fs';
+import { writeFile } from 'node:fs/promises';
+import path from 'node:path';
+export class BundleWriter {
+    dir;
+    constructor(dir) {
+        this.dir = dir;
+        mkdirSync(path.join(dir, 'data'), { recursive: true });
+    }
+    async writeManifest(m) {
+        await writeFile(path.join(this.dir, 'manifest.json'), JSON.stringify(m, null, 2));
+    }
+    async writeSchema(s) {
+        await writeFile(path.join(this.dir, 'schema.json'), JSON.stringify(s, null, 2));
+    }
+    async writeJsonLine(file, obj) {
+        const full = path.join(this.dir, file);
+        mkdirSync(path.dirname(full), { recursive: true });
+        await writeFile(full, JSON.stringify(obj) + '\n', { flag: 'a' });
+    }
+    // Stream-append raw NDJSON text (already one-object-per-line) — used for table
+    // row dumps so we never JSON.parse on the way out (preserves fidelity + memory).
+    // Creates parent dirs (e.g. data/mongo/) so nested collection files work.
+    ndjsonStream(file) {
+        const full = path.join(this.dir, file);
+        mkdirSync(path.dirname(full), { recursive: true });
+        return createWriteStream(full, { flags: 'w' });
+    }
+    dataPath(file) {
+        return path.join(this.dir, 'data', file);
+    }
+}

package/dist/firebase.js

@@ -0,0 +1,271 @@
+// Extract a Firebase project: Firestore data + Firebase Auth users.
+//
+//   ichibase migrate firebase --service-account ./sa.json \
+//       --target <mongo|postgres> \
+//       [--auth-export ./users.json --auth-fb-signer-key … --auth-fb-salt-separator … \
+//        --auth-fb-rounds 8 --auth-fb-mem-cost 14] [--out <dir>]
+//
+// Firestore is read with the Admin SDK (a service-account JSON). Subcollections
+// are flattened into separate tables/collections named `parent__child` with a
+// `_parent_id` reference. Firebase Auth is migrated from a `firebase auth:export`
+// JSON; password hashes are wrapped into a $fbscrypt$ tag (using the project's
+// hash params from the console) so users keep their passwords (lazy-upgraded to
+// Argon2id on first login).
+import { readFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
+import { initializeApp, cert } from 'firebase-admin/app';
+import { getFirestore, Timestamp, GeoPoint, DocumentReference, } from 'firebase-admin/firestore';
+import { inferCollection, coerceRow, sanitizeTableName } from './infer.js';
+import { buildFbscryptTag, mapAuthRecord, } from './auth-map.js';
+export async function extractFirebase(opts) {
+    const sa = JSON.parse(readFileSync(opts.serviceAccountPath, 'utf8'));
+    const app = initializeApp({ credential: cert(sa) });
+    const db = getFirestore(app);
+    // Build the Firebase-UID → deterministic-UUID map from the auth export FIRST,
+    // so document fields that reference users (posterUID, ownerId, doc ids, …) can
+    // be rewritten to the SAME UUIDs the users import under. Firebase UIDs aren't
+    // UUIDs, so without this the references would dangle after migration.
+    let authRecords = [];
+    let uidMap = new Map();
+    if (opts.authExportPath) {
+        ({ records: authRecords, uidMap } = loadFirebaseAuth(opts.authExportPath, opts.fbHash));
+        process.stderr.write(`  • Firebase Auth export: ${authRecords.length} users (UID→UUID remap on)\n`);
+    }
+    const { tables, counts, docTotal, ejsonCounts } = await extractFirestore(db, opts.out, opts.target, uidMap);
+    if (opts.target === 'postgres') {
+        await opts.out.writeSchema({ schema: 'public', tables });
+    }
+    let users = 0;
+    if (authRecords.length) {
+        for (const rec of authRecords)
+            await opts.out.writeJsonLine('auth.ndjson', rec);
+        users = authRecords.length;
+        process.stderr.write(`  • Firebase Auth: ${users} users written\n`);
+    }
+    else if (opts.authMap) {
+        users = await dumpFirestoreCollectionAuth(db, opts.authMap, opts.out);
+        process.stderr.write(`  • ${opts.authMap.source} (custom auth): ${users} users\n`);
+    }
+    await opts.out.writeManifest({
+        source_kind: 'firebase',
+        created_at: new Date().toISOString(),
+        target_flavor: opts.target,
+        counts: opts.target === 'postgres' ? counts : ejsonCounts,
+    });
+    const collCount = opts.target === 'postgres' ? tables.length : Object.keys(ejsonCounts).length;
+    return { collections: collCount, docs: docTotal, users };
+}
+// Deterministic UUIDv5 (SHA-1) so a Firebase UID always maps to the same UUID —
+// across the auth import AND every document reference to that user.
+const ICHIBASE_FB_NAMESPACE = '6f4d8e2a-1c3b-4f5a-9e7d-2b8c1a0f3e6d';
+function uuidv5(name) {
+    const ns = Buffer.from(ICHIBASE_FB_NAMESPACE.replace(/-/g, ''), 'hex');
+    const h = createHash('sha1').update(ns).update(Buffer.from(name, 'utf8')).digest();
+    const b = h.subarray(0, 16);
+    b[6] = (b[6] & 0x0f) | 0x50; // version 5
+    b[8] = (b[8] & 0x3f) | 0x80; // RFC-4122 variant
+    const x = b.toString('hex');
+    return `${x.slice(0, 8)}-${x.slice(8, 12)}-${x.slice(12, 16)}-${x.slice(16, 20)}-${x.slice(20, 32)}`;
+}
+// ── Firestore ─────────────────────────────────────────────────────────────
+async function extractFirestore(db, out, target, uidMap) {
+    // Gather first: subcollections of different parent docs share a logical
+    // collection (users/{a}/posts + users/{b}/posts → one `users__posts` table),
+    // so we can't write per-parent or we'd clobber the file.
+    const buckets = new Map();
+    async function gather(coll, baseName, parentId) {
+        const bucket = buckets.get(baseName) ?? { rows: [], ejson: [] };
+        buckets.set(baseName, bucket);
+        const snap = await coll.get();
+        process.stderr.write(`  • read ${baseName}: ${snap.size} docs\n`);
+        for (const doc of snap.docs) {
+            const data = doc.data();
+            // If the doc id IS a Firebase UID (e.g. users/{uid}), use the user's UUID
+            // so the doc lines up with the migrated auth user + any references.
+            const docId = uidMap.get(doc.id) ?? doc.id;
+            if (target === 'postgres') {
+                const plain = toPlainJs(data, uidMap);
+                if (parentId !== null)
+                    plain._parent_id = parentId;
+                bucket.rows.push({ id: docId, data: plain });
+            }
+            else {
+                const ejson = toEjson(data, uidMap);
+                ejson._id = docId;
+                if (parentId !== null)
+                    ejson._parent_id = parentId;
+                bucket.ejson.push(JSON.stringify(ejson));
+            }
+            // Subcollection parent ref = the (remapped) parent doc id.
+            for (const sub of await doc.ref.listCollections()) {
+                await gather(sub, `${baseName}__${sub.id}`, docId);
+            }
+        }
+    }
+    process.stderr.write('  • connecting to Firestore (listing collections)…\n');
+    const topCollections = await db.listCollections();
+    process.stderr.write(`  • ${topCollections.length} top-level collection(s)\n`);
+    for (const c of topCollections)
+        await gather(c, c.id, null);
+    const tables = [];
+    const counts = {};
+    const ejsonCounts = {};
+    let docTotal = 0;
+    const usedNames = new Set();
+    for (const [baseName, bucket] of buckets) {
+        let name = sanitizeTableName(baseName);
+        while (usedNames.has(name))
+            name = `${name}_x`;
+        usedNames.add(name);
+        if (target === 'postgres') {
+            const inf = inferCollection(name, bucket.rows);
+            tables.push(inf.table);
+            const stream = out.ndjsonStream(`data/${name}.ndjson`);
+            for (const r of bucket.rows)
+                stream.write(JSON.stringify(coerceRow(r, inf)) + '\n');
+            await new Promise((res) => stream.end(res));
+            counts[name] = bucket.rows.length;
+            docTotal += bucket.rows.length;
+            process.stderr.write(`  • ${baseName} → ${name}: ${bucket.rows.length} docs, ${inf.table.columns.length} cols\n`);
+        }
+        else {
+            const stream = out.ndjsonStream(`data/mongo/${name}.ndjson`);
+            for (const l of bucket.ejson)
+                stream.write(l + '\n');
+            await new Promise((res) => stream.end(res));
+            ejsonCounts[name] = bucket.ejson.length;
+            docTotal += bucket.ejson.length;
+            process.stderr.write(`  • ${baseName} → ${name}: ${bucket.ejson.length} docs\n`);
+        }
+    }
+    return { tables, counts, ejsonCounts, docTotal };
+}
+// Firestore value → plain JS (for Postgres inference): Timestamp→Date,
+// GeoPoint→{latitude,longitude}, DocumentReference→path, Bytes→base64 string.
+// Any string that is a known Firebase UID is rewritten to the user's UUID so
+// references (posterUID, ownerId, …) stay valid post-migration.
+function toPlainJs(v, uidMap) {
+    if (v === null || v === undefined)
+        return null;
+    if (v instanceof Timestamp)
+        return v.toDate();
+    if (v instanceof GeoPoint)
+        return { latitude: v.latitude, longitude: v.longitude };
+    if (v instanceof DocumentReference)
+        return v.path;
+    if (Buffer.isBuffer(v))
+        return v.toString('base64');
+    if (v instanceof Date)
+        return v;
+    if (Array.isArray(v))
+        return v.map((x) => toPlainJs(x, uidMap));
+    if (typeof v === 'object') {
+        const o = {};
+        for (const k of Object.keys(v))
+            o[k] = toPlainJs(v[k], uidMap);
+        return o;
+    }
+    if (typeof v === 'string')
+        return uidMap.get(v) ?? v;
+    return v;
+}
+// Firestore value → MongoDB Extended JSON (for mongoimport --type json).
+function toEjson(v, uidMap) {
+    if (v === null || v === undefined)
+        return null;
+    if (v instanceof Timestamp)
+        return { $date: v.toDate().toISOString() };
+    if (v instanceof GeoPoint)
+        return { type: 'Point', coordinates: [v.longitude, v.latitude] };
+    if (v instanceof DocumentReference)
+        return v.path;
+    if (Buffer.isBuffer(v))
+        return { $binary: { base64: v.toString('base64'), subType: '00' } };
+    if (v instanceof Date)
+        return { $date: v.toISOString() };
+    if (Array.isArray(v))
+        return v.map((x) => toEjson(x, uidMap));
+    if (typeof v === 'object') {
+        const o = {};
+        for (const k of Object.keys(v))
+            o[k] = toEjson(v[k], uidMap);
+        return o;
+    }
+    if (typeof v === 'string')
+        return uidMap.get(v) ?? v;
+    return v;
+}
+// ── Firebase Auth ───────────────────────────────────────────────────────────
+const PROVIDER_MAP = {
+    'google.com': 'google',
+    'apple.com': 'apple',
+    'github.com': 'github',
+    'facebook.com': 'facebook',
+    'twitter.com': 'twitter',
+    'microsoft.com': 'microsoft',
+};
+// Parse a `firebase auth:export` JSON into auth records + a UID→UUID map.
+// Each user's ichibase id is a DETERMINISTIC uuidv5(localId) so the same id is
+// used by the auth import AND by every document reference to that user. Password
+// hash + per-user salt are wrapped into a $fbscrypt$ tag; OAuth identities become
+// oauth[] links; the Firebase localId is also kept in metadata.
+function loadFirebaseAuth(path, fb) {
+    const parsed = JSON.parse(readFileSync(path, 'utf8'));
+    const list = parsed.users ?? [];
+    const records = [];
+    const uidMap = new Map();
+    for (const u of list) {
+        const email = (u.email ?? '').trim().toLowerCase();
+        if (!email || !email.includes('@'))
+            continue;
+        const id = u.localId ? uuidv5(u.localId) : undefined;
+        if (u.localId && id)
+            uidMap.set(u.localId, id);
+        let password_hash = null;
+        if (fb && u.passwordHash && u.salt) {
+            password_hash = buildFbscryptTag(fb, u.salt, u.passwordHash);
+        }
+        const oauth = [];
+        for (const p of u.providerUserInfo ?? []) {
+            const prov = p.providerId ? PROVIDER_MAP[p.providerId] : undefined;
+            if (prov && p.rawId)
+                oauth.push({ provider: prov, provider_uid: p.rawId });
+        }
+        const metadata = {};
+        if (u.localId)
+            metadata.firebase_uid = u.localId;
+        if (u.displayName)
+            metadata.name = u.displayName;
+        if (u.photoUrl)
+            metadata.avatar_url = u.photoUrl;
+        if (u.phoneNumber)
+            metadata.phone = u.phoneNumber;
+        const createdMs = u.createdAt ? Number(u.createdAt) : NaN;
+        records.push({
+            id,
+            email,
+            password_hash,
+            email_verified: Boolean(u.emailVerified),
+            metadata,
+            created_at: Number.isFinite(createdMs) ? new Date(createdMs).toISOString() : null,
+            oauth,
+        });
+    }
+    return { records, uidMap };
+}
+// Alternative: users stored in a Firestore collection (no Firebase Auth).
+async function dumpFirestoreCollectionAuth(db, authMap, out) {
+    const snap = await db.collection(authMap.source).get();
+    let n = 0;
+    for (const doc of snap.docs) {
+        const data = toPlainJs(doc.data(), new Map());
+        if (authMap.idField && !(authMap.idField in data))
+            data[authMap.idField] = doc.id;
+        const rec = mapAuthRecord(data, authMap);
+        if (rec) {
+            await out.writeJsonLine('auth.ndjson', rec);
+            n++;
+        }
+    }
+    return n;
+}

package/dist/index.js

@@ -0,0 +1,135 @@
+#!/usr/bin/env node
+// @ichibase/cli — migrate an existing app into an ichibase project.
+//
+//   ichibase migrate supabase --conn "postgresql://…" --out ./bundle
+//   ichibase migrate postgres --conn "postgresql://…" --out ./bundle
+//   ichibase migrate mongodb  --conn "mongodb://…" --db myapp --out ./bundle
+//   ichibase migrate atlas    --conn "mongodb+srv://…" --db myapp --out ./bundle
+//   ichibase migrate push --project <slug> --bundle ./bundle [--api URL] [--token T]
+//
+// Extraction runs on YOUR machine against YOUR source — credentials never leave
+// it. `push` uploads the bundle to your project and runs the import.
+import { BundleWriter } from './bundle.js';
+import { extractPostgres } from './postgres.js';
+import { extractMongo } from './mongo.js';
+import { extractFirebase } from './firebase.js';
+import { parseAuthMap } from './auth-map.js';
+import { push } from './push.js';
+const SOURCES = ['supabase', 'postgres', 'mongodb', 'atlas', 'firebase'];
+function flags(argv) {
+    const out = {};
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        if (a.startsWith('--')) {
+            const key = a.slice(2);
+            const next = argv[i + 1];
+            if (next && !next.startsWith('--')) {
+                out[key] = next;
+                i++;
+            }
+            else {
+                out[key] = 'true';
+            }
+        }
+    }
+    return out;
+}
+function usage() {
+    process.stderr.write([
+        'Usage:',
+        '  ichibase migrate <supabase|postgres|mongodb|atlas> --conn <connstr> [--db <name>] [--out <dir>]',
+        '  ichibase migrate <mongodb|atlas> --conn <connstr> --db <name> --target <mongo|postgres> [--out <dir>]',
+        '  ichibase migrate firebase --service-account <key.json> --target <mongo|postgres> [--auth-export <users.json>] [--out <dir>]',
+        '  ichibase migrate push --project <slug> --bundle <dir> [--api <url>] [--token <token>]',
+        '',
+        '  --target mongo (default) imports 1:1 into MongoDB; --target postgres infers',
+        '  typed tables from your documents and imports into Postgres.',
+        '  Firebase Auth: pass --auth-export plus --auth-fb-signer-key / --auth-fb-salt-separator',
+        '  / --auth-fb-rounds / --auth-fb-mem-cost (Console → Password hash parameters).',
+        '',
+        'Env: ICHIBASE_API_URL, ICHIBASE_TOKEN',
+    ].join('\n') + '\n');
+    process.exit(2);
+}
+async function main() {
+    const [, , cmd, sub, ...rest] = process.argv;
+    if (cmd !== 'migrate' || !sub)
+        usage();
+    const f = flags(rest);
+    if (sub === 'push') {
+        const project = f.project;
+        const bundleDir = f.bundle ?? './ichibase-bundle';
+        const api = f.api ?? process.env.ICHIBASE_API_URL ?? 'https://api.ichibase.com';
+        const token = f.token ?? process.env.ICHIBASE_TOKEN ?? '';
+        if (!project)
+            usage();
+        if (!token) {
+            process.stderr.write('error: --token (or ICHIBASE_TOKEN) is required — your ichibase owner token/API key\n');
+            process.exit(2);
+        }
+        await push({ project, bundleDir, api, token });
+        return;
+    }
+    if (!SOURCES.includes(sub))
+        usage();
+    const source = sub;
+    const outDir = f.out ?? './ichibase-bundle';
+    const out = new BundleWriter(outDir);
+    const authMap = parseAuthMap(f);
+    // Firebase uses a service-account JSON (Admin SDK), not a --conn string.
+    if (source === 'firebase') {
+        const serviceAccountPath = f['service-account'] ?? f.key;
+        if (!serviceAccountPath) {
+            process.stderr.write('error: --service-account <path-to-key.json> is required for firebase\n');
+            process.exit(2);
+        }
+        const target = f.target === 'postgres' ? 'postgres' : 'mongo';
+        const fbHash = f['auth-fb-signer-key']
+            ? {
+                signerKey: f['auth-fb-signer-key'],
+                saltSeparator: f['auth-fb-salt-separator'] ?? '',
+                rounds: Number(f['auth-fb-rounds'] ?? '8'),
+                memCost: Number(f['auth-fb-mem-cost'] ?? '14'),
+            }
+            : undefined;
+        process.stderr.write(`Extracting firebase (→ ${target}) → ${outDir}\n`);
+        const r = await extractFirebase({
+            serviceAccountPath,
+            target,
+            out,
+            authExportPath: f['auth-export'],
+            fbHash,
+            authMap,
+        });
+        process.stderr.write(`✓ ${r.collections} collections, ${r.docs} docs${r.users ? `, ${r.users} users` : ''} → ${outDir}\n`);
+        process.stderr.write(`\nNext: ichibase migrate push --project <slug> --bundle ${outDir} --token <token>\n`);
+        return;
+    }
+    const conn = f.conn;
+    if (!conn) {
+        process.stderr.write('error: --conn <connection string> is required\n');
+        process.exit(2);
+    }
+    process.stderr.write(`Extracting ${source} → ${outDir}\n`);
+    if (source === 'supabase' || source === 'postgres') {
+        const r = await extractPostgres(conn, out, source, authMap);
+        process.stderr.write(`✓ ${r.tables} tables, ${r.rows} rows${r.users ? `, ${r.users} users` : ''} → ${outDir}\n`);
+    }
+    else {
+        // NoSQL sources land in either Mongo (1:1) or Postgres (auto-schema).
+        const target = f.target === 'postgres' ? 'postgres' : 'mongo';
+        const r = await extractMongo(conn, f.db ?? '', out, source, target, authMap);
+        const usersNote = r.users ? `, ${r.users} users` : '';
+        if (target === 'postgres') {
+            process.stderr.write(`✓ ${r.tables} collections → ${r.rows} rows across inferred Postgres tables${usersNote} → ${outDir}\n`);
+        }
+        else {
+            process.stderr.write(`✓ mongodump of "${r.db}"${usersNote} → ${outDir}/data/mongo.archive\n`);
+        }
+    }
+    process.stderr.write(`\nNext: ichibase migrate push --project <slug> --bundle ${outDir} --token <token>\n`);
+}
+main().catch((err) => {
+    process.stderr.write(`\nerror: ${err.message}\n`);
+    process.exit(1);
+});