@ktmcp-cli/awsathena 1.0.0

package/AGENT.md

@@ -0,0 +1,93 @@
+# AGENT.md — Amazon Athena CLI for AI Agents
+
+This document explains how to use the Amazon Athena CLI as an AI agent.
+
+## Overview
+
+The `awsathena` CLI provides access to the Amazon Athena Query API. Requires AWS credentials with Athena permissions.
+
+## Prerequisites
+
+```bash
+awsathena config set accessKeyId YOUR_AWS_ACCESS_KEY_ID
+awsathena config set secretAccessKey YOUR_AWS_SECRET_ACCESS_KEY
+awsathena config set region us-east-1
+```
+
+## All Commands
+
+### Config
+
+```bash
+awsathena config get <key>
+awsathena config set <key> <value>
+awsathena config list
+```
+
+### Queries
+
+```bash
+# Run query
+awsathena queries run --sql "SELECT * FROM table LIMIT 10" --database my_db --output s3://bucket/results/
+awsathena queries run --sql "SELECT count(*) FROM table" --workgroup primary
+
+# Check status
+awsathena queries get <execution-id>
+
+# List recent queries
+awsathena queries list
+awsathena queries list --workgroup primary
+
+# Stop query
+awsathena queries stop <execution-id>
+
+# Get results
+awsathena queries results <execution-id>
+awsathena queries results <execution-id> --limit 100
+```
+
+### Databases
+
+```bash
+awsathena databases list
+awsathena databases list --catalog AwsDataCatalog
+awsathena databases get <database-name>
+awsathena databases create <database-name> --output s3://bucket/results/
+```
+
+### Workgroups
+
+```bash
+awsathena workgroups list
+awsathena workgroups get <workgroup-name>
+awsathena workgroups create <name> --description "desc" --output s3://bucket/results/
+```
+
+## JSON Output
+
+All commands support `--json`:
+
+```bash
+awsathena queries get <id> --json
+awsathena databases list --json
+awsathena workgroups list --json
+```
+
+## Typical Workflow
+
+```bash
+# 1. Start a query
+awsathena queries run --sql "SELECT * FROM my_db.my_table LIMIT 100" --output s3://my-bucket/results/
+
+# 2. Check status (wait for SUCCEEDED)
+awsathena queries get <execution-id>
+
+# 3. Get results
+awsathena queries results <execution-id> --json
+```
+
+## Error Handling
+
+The CLI exits with code 1 on error and prints to stderr.
+- `AWS authentication failed` — Check accessKeyId and secretAccessKey
+- `Resource not found` — Check query execution ID or resource name

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 KTMCP
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,86 @@
+> "Six months ago, everyone was talking about MCPs. And I was like, screw MCPs. Every MCP would be better as a CLI."
+>
+> — [Peter Steinberger](https://twitter.com/steipete), Founder of OpenClaw
+> [Watch on YouTube (~2:39:00)](https://www.youtube.com/@lexfridman) | [Lex Fridman Podcast #491](https://lexfridman.com/peter-steinberger/)
+
+# Amazon Athena CLI
+
+Production-ready CLI for the Amazon Athena Query API. Run SQL queries and manage databases and workgroups directly from your terminal.
+
+## Installation
+
+```bash
+npm install -g @ktmcp-cli/awsathena
+```
+
+## Configuration
+
+```bash
+awsathena config set accessKeyId YOUR_AWS_ACCESS_KEY_ID
+awsathena config set secretAccessKey YOUR_AWS_SECRET_ACCESS_KEY
+awsathena config set region us-east-1
+```
+
+## Usage
+
+### Queries
+
+```bash
+# Run a SQL query
+awsathena queries run --sql "SELECT * FROM my_table LIMIT 10" --database my_db --output s3://my-bucket/results/
+
+# Check query status
+awsathena queries get <execution-id>
+
+# List recent queries
+awsathena queries list
+awsathena queries list --workgroup primary
+
+# Stop a running query
+awsathena queries stop <execution-id>
+
+# Get query results
+awsathena queries results <execution-id>
+awsathena queries results <execution-id> --limit 100
+```
+
+### Databases
+
+```bash
+# List all databases
+awsathena databases list
+awsathena databases list --catalog AwsDataCatalog
+
+# Get database details
+awsathena databases get my_database
+
+# Create a database
+awsathena databases create new_database --output s3://my-bucket/results/
+```
+
+### Workgroups
+
+```bash
+# List workgroups
+awsathena workgroups list
+
+# Get workgroup details
+awsathena workgroups get primary
+
+# Create a workgroup
+awsathena workgroups create my-team --description "My team workgroup" --output s3://my-bucket/results/
+```
+
+### JSON Output
+
+All commands support `--json`:
+
+```bash
+awsathena queries get <id> --json
+awsathena databases list --json | jq '.[].Name'
+awsathena queries results <id> --json
+```
+
+## License
+
+MIT

package/bin/awsathena.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+import(join(__dirname, '..', 'src', 'index.js'));

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@ktmcp-cli/awsathena",
+  "version": "1.0.0",
+  "description": "Production-ready CLI for Amazon Athena Query API - Kill The MCP",
+  "type": "module",
+  "main": "src/index.js",
+  "bin": {
+    "awsathena": "bin/awsathena.js"
+  },
+  "keywords": ["awsathena", "athena", "aws", "sql", "cli", "api", "ktmcp"],
+  "author": "KTMCP",
+  "license": "MIT",
+  "dependencies": {
+    "commander": "^12.0.0",
+    "axios": "^1.6.7",
+    "chalk": "^5.3.0",
+    "ora": "^8.0.1",
+    "conf": "^12.0.0"
+  },
+  "engines": { "node": ">=18.0.0" },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ktmcp-cli/awsathena.git"
+  },
+  "homepage": "https://killthemcp.com/awsathena-cli",
+  "bugs": { "url": "https://github.com/ktmcp-cli/awsathena/issues" }
+}

package/src/api.js

@@ -0,0 +1,206 @@
+import axios from 'axios';
+import crypto from 'crypto';
+import { getConfig } from './config.js';
+
+/**
+ * AWS Signature Version 4 signing helper
+ */
+function sign(key, msg) {
+  return crypto.createHmac('sha256', key).update(msg).digest();
+}
+
+function getSigningKey(secretKey, dateStamp, regionName, serviceName) {
+  const kDate = sign('AWS4' + secretKey, dateStamp);
+  const kRegion = sign(kDate, regionName);
+  const kService = sign(kRegion, serviceName);
+  return sign(kService, 'aws4_request');
+}
+
+function buildAuthHeader({ method, url, body, service, region, accessKeyId, secretAccessKey, target }) {
+  const parsedUrl = new URL(url);
+  const host = parsedUrl.host;
+  const path = parsedUrl.pathname;
+  const queryString = parsedUrl.search ? parsedUrl.search.slice(1) : '';
+
+  const now = new Date();
+  const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, '').slice(0, 15) + 'Z';
+  const dateStamp = amzDate.slice(0, 8);
+
+  const payloadHash = crypto.createHash('sha256').update(body || '').digest('hex');
+
+  const canonicalHeaders = `content-type:application/x-amz-json-1.1\nhost:${host}\nx-amz-date:${amzDate}\nx-amz-target:${target}\n`;
+  const signedHeaders = 'content-type;host;x-amz-date;x-amz-target';
+
+  const canonicalRequest = [
+    method.toUpperCase(),
+    path,
+    queryString,
+    canonicalHeaders,
+    signedHeaders,
+    payloadHash
+  ].join('\n');
+
+  const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+  const stringToSign = [
+    'AWS4-HMAC-SHA256',
+    amzDate,
+    credentialScope,
+    crypto.createHash('sha256').update(canonicalRequest).digest('hex')
+  ].join('\n');
+
+  const signingKey = getSigningKey(secretAccessKey, dateStamp, region, service);
+  const signature = crypto.createHmac('sha256', signingKey).update(stringToSign).digest('hex');
+
+  const authorization = `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+
+  return { authorization, amzDate };
+}
+
+async function athenaRequest(action, body = {}) {
+  const accessKeyId = getConfig('accessKeyId');
+  const secretAccessKey = getConfig('secretAccessKey');
+  const region = getConfig('region') || 'us-east-1';
+  const url = `https://athena.${region}.amazonaws.com/`;
+  const target = `AmazonAthena.${action}`;
+  const bodyStr = JSON.stringify(body);
+
+  const { authorization, amzDate } = buildAuthHeader({
+    method: 'POST',
+    url,
+    body: bodyStr,
+    service: 'athena',
+    region,
+    accessKeyId,
+    secretAccessKey,
+    target
+  });
+
+  try {
+    const response = await axios.post(url, bodyStr, {
+      headers: {
+        'Authorization': authorization,
+        'X-Amz-Date': amzDate,
+        'X-Amz-Target': target,
+        'Content-Type': 'application/x-amz-json-1.1',
+        'Accept': 'application/json'
+      }
+    });
+    return response.data;
+  } catch (error) {
+    handleApiError(error);
+  }
+}
+
+function handleApiError(error) {
+  if (error.response) {
+    const status = error.response.status;
+    const data = error.response.data;
+    if (status === 401 || status === 403) {
+      throw new Error('AWS authentication failed. Check your accessKeyId and secretAccessKey.');
+    } else if (status === 404) {
+      throw new Error('Resource not found.');
+    } else if (status === 429) {
+      throw new Error('Rate limit exceeded. Please wait before retrying.');
+    } else {
+      const message = data?.message || data?.Message || data?.__type || JSON.stringify(data);
+      throw new Error(`AWS Athena Error (${status}): ${message}`);
+    }
+  } else if (error.request) {
+    throw new Error('No response from AWS Athena API. Check your internet connection and region.');
+  } else {
+    throw error;
+  }
+}
+
+// ============================================================
+// QUERIES
+// ============================================================
+
+export async function startQuery({ sql, database, workgroup, outputLocation }) {
+  const body = {
+    QueryString: sql,
+    ...(database && { QueryExecutionContext: { Database: database } }),
+    ...(workgroup && { WorkGroup: workgroup }),
+    ...(outputLocation && { ResultConfiguration: { OutputLocation: outputLocation } })
+  };
+  const data = await athenaRequest('StartQueryExecution', body);
+  return data;
+}
+
+export async function getQuery(queryExecutionId) {
+  const data = await athenaRequest('GetQueryExecution', { QueryExecutionId: queryExecutionId });
+  return data?.QueryExecution || null;
+}
+
+export async function listQueries(workgroup) {
+  const body = {};
+  if (workgroup) body.WorkGroup = workgroup;
+  const data = await athenaRequest('ListQueryExecutions', body);
+  return data?.QueryExecutionIds || [];
+}
+
+export async function stopQuery(queryExecutionId) {
+  await athenaRequest('StopQueryExecution', { QueryExecutionId: queryExecutionId });
+  return { stopped: true };
+}
+
+export async function getQueryResults(queryExecutionId, maxResults = 20) {
+  const data = await athenaRequest('GetQueryResults', {
+    QueryExecutionId: queryExecutionId,
+    MaxResults: maxResults
+  });
+  return data;
+}
+
+// ============================================================
+// DATABASES
+// ============================================================
+
+export async function listDatabases(catalogName = 'AwsDataCatalog') {
+  const data = await athenaRequest('ListDatabases', { CatalogName: catalogName });
+  return data?.DatabaseList || [];
+}
+
+export async function getDatabase(catalogName, databaseName) {
+  const data = await athenaRequest('GetDatabase', {
+    CatalogName: catalogName || 'AwsDataCatalog',
+    DatabaseName: databaseName
+  });
+  return data?.Database || null;
+}
+
+export async function createDatabase({ catalogName, databaseName, description, outputLocation }) {
+  // Athena creates databases via DDL query
+  const sql = description
+    ? `CREATE DATABASE IF NOT EXISTS ${databaseName} COMMENT '${description}'`
+    : `CREATE DATABASE IF NOT EXISTS ${databaseName}`;
+  return await startQuery({ sql, outputLocation });
+}
+
+// ============================================================
+// WORKGROUPS
+// ============================================================
+
+export async function listWorkgroups() {
+  const data = await athenaRequest('ListWorkGroups', {});
+  return data?.WorkGroups || [];
+}
+
+export async function getWorkgroup(workgroupName) {
+  const data = await athenaRequest('GetWorkGroup', { WorkGroup: workgroupName });
+  return data?.WorkGroup || null;
+}
+
+export async function createWorkgroup({ name, description, outputLocation }) {
+  const body = {
+    Name: name,
+    ...(description && { Description: description }),
+    ...(outputLocation && {
+      Configuration: {
+        ResultConfiguration: { OutputLocation: outputLocation }
+      }
+    })
+  };
+  const data = await athenaRequest('CreateWorkGroup', body);
+  return data || { created: true };
+}

package/src/config.js

@@ -0,0 +1,21 @@
+import Conf from 'conf';
+
+const config = new Conf({ projectName: '@ktmcp-cli/awsathena' });
+
+export function getConfig(key) {
+  return config.get(key);
+}
+
+export function setConfig(key, value) {
+  config.set(key, value);
+}
+
+export function isConfigured() {
+  return !!(config.get('accessKeyId') && config.get('secretAccessKey'));
+}
+
+export function getAllConfig() {
+  return config.store;
+}
+
+export default config;

package/src/index.js

@@ -0,0 +1,523 @@
+import { Command } from 'commander';
+import chalk from 'chalk';
+import ora from 'ora';
+import { getConfig, setConfig, getAllConfig, isConfigured } from './config.js';
+import {
+  startQuery,
+  getQuery,
+  listQueries,
+  stopQuery,
+  getQueryResults,
+  listDatabases,
+  getDatabase,
+  createDatabase,
+  listWorkgroups,
+  getWorkgroup,
+  createWorkgroup
+} from './api.js';
+
+const program = new Command();
+
+// ============================================================
+// Helpers
+// ============================================================
+
+function printSuccess(message) {
+  console.log(chalk.green('✓') + ' ' + message);
+}
+
+function printError(message) {
+  console.error(chalk.red('✗') + ' ' + message);
+}
+
+function printTable(data, columns) {
+  if (!data || data.length === 0) {
+    console.log(chalk.yellow('No results found.'));
+    return;
+  }
+
+  const widths = {};
+  columns.forEach(col => {
+    widths[col.key] = col.label.length;
+    data.forEach(row => {
+      const val = String(col.format ? col.format(row[col.key], row) : (row[col.key] ?? ''));
+      if (val.length > widths[col.key]) widths[col.key] = val.length;
+    });
+    widths[col.key] = Math.min(widths[col.key], 40);
+  });
+
+  const header = columns.map(col => col.label.padEnd(widths[col.key])).join('  ');
+  console.log(chalk.bold(chalk.cyan(header)));
+  console.log(chalk.dim('─'.repeat(header.length)));
+
+  data.forEach(row => {
+    const line = columns.map(col => {
+      const val = String(col.format ? col.format(row[col.key], row) : (row[col.key] ?? ''));
+      return val.substring(0, widths[col.key]).padEnd(widths[col.key]);
+    }).join('  ');
+    console.log(line);
+  });
+
+  console.log(chalk.dim(`\n${data.length} result(s)`));
+}
+
+function printJson(data) {
+  console.log(JSON.stringify(data, null, 2));
+}
+
+async function withSpinner(message, fn) {
+  const spinner = ora(message).start();
+  try {
+    const result = await fn();
+    spinner.stop();
+    return result;
+  } catch (error) {
+    spinner.stop();
+    throw error;
+  }
+}
+
+function requireAuth() {
+  if (!isConfigured()) {
+    printError('AWS credentials not configured.');
+    console.log('\nRun the following to configure:');
+    console.log(chalk.cyan('  awsathena config set accessKeyId YOUR_KEY'));
+    console.log(chalk.cyan('  awsathena config set secretAccessKey YOUR_SECRET'));
+    console.log(chalk.cyan('  awsathena config set region us-east-1'));
+    process.exit(1);
+  }
+}
+
+// ============================================================
+// Program metadata
+// ============================================================
+
+program
+  .name('awsathena')
+  .description(chalk.bold('Amazon Athena CLI') + ' - Run queries and manage databases from your terminal')
+  .version('1.0.0');
+
+// ============================================================
+// CONFIG
+// ============================================================
+
+const configCmd = program.command('config').description('Manage CLI configuration');
+
+configCmd
+  .command('get <key>')
+  .description('Get a configuration value')
+  .action((key) => {
+    const value = getConfig(key);
+    if (value === undefined) {
+      printError(`Key '${key}' not found`);
+    } else {
+      console.log(value);
+    }
+  });
+
+configCmd
+  .command('set <key> <value>')
+  .description('Set a configuration value')
+  .action((key, value) => {
+    setConfig(key, value);
+    printSuccess(`Config '${key}' set`);
+  });
+
+configCmd
+  .command('list')
+  .description('List all configuration values')
+  .action(() => {
+    const all = getAllConfig();
+    console.log(chalk.bold('\nAmazon Athena CLI Configuration\n'));
+    if (Object.keys(all).length === 0) {
+      console.log(chalk.yellow('No configuration set.'));
+      console.log('\nRun:');
+      console.log(chalk.cyan('  awsathena config set accessKeyId YOUR_KEY'));
+      console.log(chalk.cyan('  awsathena config set secretAccessKey YOUR_SECRET'));
+      console.log(chalk.cyan('  awsathena config set region us-east-1'));
+    } else {
+      Object.entries(all).forEach(([k, v]) => {
+        const displayVal = k === 'secretAccessKey' ? chalk.green('*'.repeat(8)) : chalk.cyan(String(v));
+        console.log(`${k}: ${displayVal}`);
+      });
+    }
+  });
+
+// ============================================================
+// QUERIES
+// ============================================================
+
+const queriesCmd = program.command('queries').description('Run and manage Athena queries');
+
+queriesCmd
+  .command('run')
+  .description('Run a SQL query')
+  .requiredOption('--sql <sql>', 'SQL query to execute')
+  .option('--database <db>', 'Database to query')
+  .option('--workgroup <wg>', 'Workgroup to use')
+  .option('--output <s3-path>', 'S3 output location (e.g. s3://bucket/prefix/)')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    requireAuth();
+    try {
+      const result = await withSpinner('Starting query...', () =>
+        startQuery({
+          sql: options.sql,
+          database: options.database,
+          workgroup: options.workgroup,
+          outputLocation: options.output
+        })
+      );
+
+      if (options.json) {
+        printJson(result);
+        return;
+      }
+
+      printSuccess('Query started');
+      console.log('Execution ID: ', chalk.cyan(result?.QueryExecutionId || JSON.stringify(result)));
+      console.log('\nUse this ID to check status or get results:');
+      console.log(chalk.dim(`  awsathena queries get ${result?.QueryExecutionId}`));
+      console.log(chalk.dim(`  awsathena queries results ${result?.QueryExecutionId}`));
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+queriesCmd
+  .command('get <execution-id>')
+  .description('Get query execution status')
+  .option('--json', 'Output as JSON')
+  .action(async (executionId, options) => {
+    requireAuth();
+    try {
+      const query = await withSpinner('Fetching query status...', () => getQuery(executionId));
+
+      if (!query) {
+        printError('Query execution not found');
+        process.exit(1);
+      }
+
+      if (options.json) {
+        printJson(query);
+        return;
+      }
+
+      const state = query.Status?.State;
+      const stateColor = state === 'SUCCEEDED' ? chalk.green : state === 'FAILED' ? chalk.red : chalk.yellow;
+
+      console.log(chalk.bold('\nQuery Execution Details\n'));
+      console.log('Execution ID:  ', chalk.cyan(query.QueryExecutionId));
+      console.log('Status:        ', stateColor(state || 'N/A'));
+      console.log('Query:         ', (query.Query || '').substring(0, 80));
+      console.log('Database:      ', query.QueryExecutionContext?.Database || 'N/A');
+      console.log('Workgroup:     ', query.WorkGroup || 'N/A');
+      console.log('Output:        ', query.ResultConfiguration?.OutputLocation || 'N/A');
+      if (query.Status?.StateChangeReason) {
+        console.log('Reason:        ', chalk.red(query.Status.StateChangeReason));
+      }
+      if (query.Statistics) {
+        console.log('Data Scanned:  ', query.Statistics.DataScannedInBytes ? `${(query.Statistics.DataScannedInBytes / 1024 / 1024).toFixed(2)} MB` : 'N/A');
+        console.log('Exec Time:     ', query.Statistics.TotalExecutionTimeInMillis ? `${query.Statistics.TotalExecutionTimeInMillis}ms` : 'N/A');
+      }
+      console.log('');
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+queriesCmd
+  .command('list')
+  .description('List recent query executions')
+  .option('--workgroup <wg>', 'Filter by workgroup')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    requireAuth();
+    try {
+      const ids = await withSpinner('Fetching query list...', () => listQueries(options.workgroup));
+
+      if (options.json) {
+        printJson(ids);
+        return;
+      }
+
+      if (!ids || ids.length === 0) {
+        console.log(chalk.yellow('No query executions found.'));
+        return;
+      }
+
+      console.log(chalk.bold('\nRecent Query Executions\n'));
+      ids.forEach((id, i) => {
+        console.log(`${chalk.dim(String(i + 1).padStart(3, ' '))}. ${chalk.cyan(id)}`);
+      });
+      console.log(chalk.dim(`\n${ids.length} execution(s)`));
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+queriesCmd
+  .command('stop <execution-id>')
+  .description('Stop a running query')
+  .action(async (executionId) => {
+    requireAuth();
+    try {
+      await withSpinner(`Stopping query ${executionId}...`, () => stopQuery(executionId));
+      printSuccess(`Query ${executionId} stopped`);
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+queriesCmd
+  .command('results <execution-id>')
+  .description('Get query results')
+  .option('--limit <n>', 'Maximum number of rows', '20')
+  .option('--json', 'Output as JSON')
+  .action(async (executionId, options) => {
+    requireAuth();
+    try {
+      const results = await withSpinner('Fetching query results...', () =>
+        getQueryResults(executionId, parseInt(options.limit))
+      );
+
+      if (options.json) {
+        printJson(results);
+        return;
+      }
+
+      if (!results?.ResultSet?.Rows || results.ResultSet.Rows.length === 0) {
+        console.log(chalk.yellow('No results found.'));
+        return;
+      }
+
+      const rows = results.ResultSet.Rows;
+      const header = rows[0]?.Data?.map(d => d.VarCharValue || '') || [];
+      const dataRows = rows.slice(1);
+
+      // Print header
+      const headerLine = header.map(h => h.padEnd(20)).join('  ');
+      console.log(chalk.bold(chalk.cyan(headerLine)));
+      console.log(chalk.dim('─'.repeat(headerLine.length)));
+
+      // Print rows
+      dataRows.forEach(row => {
+        const line = (row.Data || []).map(d => (d.VarCharValue || '').substring(0, 20).padEnd(20)).join('  ');
+        console.log(line);
+      });
+
+      console.log(chalk.dim(`\n${dataRows.length} row(s)`));
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+// ============================================================
+// DATABASES
+// ============================================================
+
+const databasesCmd = program.command('databases').description('Manage Athena databases');
+
+databasesCmd
+  .command('list')
+  .description('List databases in the data catalog')
+  .option('--catalog <name>', 'Data catalog name', 'AwsDataCatalog')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    requireAuth();
+    try {
+      const databases = await withSpinner('Fetching databases...', () =>
+        listDatabases(options.catalog)
+      );
+
+      if (options.json) {
+        printJson(databases);
+        return;
+      }
+
+      printTable(databases, [
+        { key: 'Name', label: 'Name' },
+        { key: 'Description', label: 'Description' },
+        { key: 'Parameters', label: 'Parameters', format: (v) => v ? Object.keys(v).join(', ') : '' }
+      ]);
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+databasesCmd
+  .command('get <database-name>')
+  .description('Get database details')
+  .option('--catalog <name>', 'Data catalog name', 'AwsDataCatalog')
+  .option('--json', 'Output as JSON')
+  .action(async (databaseName, options) => {
+    requireAuth();
+    try {
+      const db = await withSpinner(`Fetching database ${databaseName}...`, () =>
+        getDatabase(options.catalog, databaseName)
+      );
+
+      if (!db) {
+        printError('Database not found');
+        process.exit(1);
+      }
+
+      if (options.json) {
+        printJson(db);
+        return;
+      }
+
+      console.log(chalk.bold('\nDatabase Details\n'));
+      console.log('Name:          ', chalk.cyan(db.Name));
+      console.log('Description:   ', db.Description || 'N/A');
+      if (db.Parameters) {
+        console.log('Parameters:    ', JSON.stringify(db.Parameters));
+      }
+      console.log('');
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+databasesCmd
+  .command('create <database-name>')
+  .description('Create a new database (via DDL query)')
+  .option('--description <desc>', 'Database description')
+  .option('--output <s3-path>', 'S3 output location for query results')
+  .option('--json', 'Output as JSON')
+  .action(async (databaseName, options) => {
+    requireAuth();
+    try {
+      const result = await withSpinner(`Creating database ${databaseName}...`, () =>
+        createDatabase({
+          databaseName,
+          description: options.description,
+          outputLocation: options.output
+        })
+      );
+
+      if (options.json) {
+        printJson(result);
+        return;
+      }
+
+      printSuccess(`Database creation query started`);
+      console.log('Execution ID: ', chalk.cyan(result?.QueryExecutionId || 'N/A'));
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+// ============================================================
+// WORKGROUPS
+// ============================================================
+
+const workgroupsCmd = program.command('workgroups').description('Manage Athena workgroups');
+
+workgroupsCmd
+  .command('list')
+  .description('List workgroups')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    requireAuth();
+    try {
+      const workgroups = await withSpinner('Fetching workgroups...', () => listWorkgroups());
+
+      if (options.json) {
+        printJson(workgroups);
+        return;
+      }
+
+      printTable(workgroups, [
+        { key: 'Name', label: 'Name' },
+        { key: 'State', label: 'State' },
+        { key: 'Description', label: 'Description' },
+        { key: 'CreationTime', label: 'Created', format: (v) => v ? new Date(v).toLocaleDateString() : '' }
+      ]);
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+workgroupsCmd
+  .command('get <workgroup-name>')
+  .description('Get workgroup details')
+  .option('--json', 'Output as JSON')
+  .action(async (workgroupName, options) => {
+    requireAuth();
+    try {
+      const wg = await withSpinner(`Fetching workgroup ${workgroupName}...`, () =>
+        getWorkgroup(workgroupName)
+      );
+
+      if (!wg) {
+        printError('Workgroup not found');
+        process.exit(1);
+      }
+
+      if (options.json) {
+        printJson(wg);
+        return;
+      }
+
+      console.log(chalk.bold('\nWorkgroup Details\n'));
+      console.log('Name:          ', chalk.cyan(wg.Name));
+      console.log('State:         ', wg.State || 'N/A');
+      console.log('Description:   ', wg.Description || 'N/A');
+      console.log('Created:       ', wg.CreationTime ? new Date(wg.CreationTime).toLocaleString() : 'N/A');
+      const output = wg.Configuration?.ResultConfiguration?.OutputLocation;
+      if (output) console.log('Output S3:     ', output);
+      console.log('');
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+workgroupsCmd
+  .command('create <workgroup-name>')
+  .description('Create a new workgroup')
+  .option('--description <desc>', 'Workgroup description')
+  .option('--output <s3-path>', 'Default S3 output location')
+  .option('--json', 'Output as JSON')
+  .action(async (workgroupName, options) => {
+    requireAuth();
+    try {
+      const result = await withSpinner(`Creating workgroup ${workgroupName}...`, () =>
+        createWorkgroup({
+          name: workgroupName,
+          description: options.description,
+          outputLocation: options.output
+        })
+      );
+
+      if (options.json) {
+        printJson(result);
+        return;
+      }
+
+      printSuccess(`Workgroup '${workgroupName}' created`);
+    } catch (error) {
+      printError(error.message);
+      process.exit(1);
+    }
+  });
+
+// ============================================================
+// Parse
+// ============================================================
+
+program.parse(process.argv);
+
+if (process.argv.length <= 2) {
+  program.help();
+}