npm - @neetru/cli - Versions diffs - 1.0.1 → 2.1.0 - Mend

@neetru/cli 1.0.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/CHANGELOG.md +136 -0
package/README.md +109 -152
package/dist/commands/add.d.ts +8 -3
package/dist/commands/add.js +70 -143
package/dist/commands/add.js.map +1 -1
package/dist/commands/agent-release.d.ts +13 -0
package/dist/commands/agent-release.js +204 -0
package/dist/commands/agent-release.js.map +1 -0
package/dist/commands/agent-write.d.ts +12 -0
package/dist/commands/agent-write.js +94 -0
package/dist/commands/agent-write.js.map +1 -0
package/dist/commands/ai.d.ts +4 -0
package/dist/commands/ai.js +88 -0
package/dist/commands/ai.js.map +1 -0
package/dist/commands/api-catalog.d.ts +20 -0
package/dist/commands/api-catalog.js +126 -0
package/dist/commands/api-catalog.js.map +1 -0
package/dist/commands/audit.d.ts +8 -0
package/dist/commands/audit.js +69 -0
package/dist/commands/audit.js.map +1 -0
package/dist/commands/autocomplete.d.ts +7 -0
package/dist/commands/autocomplete.js +107 -0
package/dist/commands/autocomplete.js.map +1 -0
package/dist/commands/billing.d.ts +6 -0
package/dist/commands/billing.js +69 -0
package/dist/commands/billing.js.map +1 -0
package/dist/commands/build.d.ts +18 -0
package/dist/commands/build.js +295 -0
package/dist/commands/build.js.map +1 -0
package/dist/commands/cloud-run.d.ts +11 -0
package/dist/commands/cloud-run.js +87 -0
package/dist/commands/cloud-run.js.map +1 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.js +70 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/db.d.ts +14 -0
package/dist/commands/db.js +187 -0
package/dist/commands/db.js.map +1 -0
package/dist/commands/deploy.d.ts +23 -3
package/dist/commands/deploy.js +530 -177
package/dist/commands/deploy.js.map +1 -1
package/dist/commands/deployments.d.ts +11 -0
package/dist/commands/deployments.js +69 -0
package/dist/commands/deployments.js.map +1 -0
package/dist/commands/doctor.d.ts +27 -0
package/dist/commands/doctor.js +211 -0
package/dist/commands/doctor.js.map +1 -0
package/dist/commands/dr.d.ts +11 -0
package/dist/commands/dr.js +79 -0
package/dist/commands/dr.js.map +1 -0
package/dist/commands/env.d.ts +15 -0
package/dist/commands/env.js +56 -0
package/dist/commands/env.js.map +1 -0
package/dist/commands/fn.d.ts +6 -0
package/dist/commands/fn.js +87 -0
package/dist/commands/fn.js.map +1 -0
package/dist/commands/infra-read.d.ts +9 -0
package/dist/commands/infra-read.js +113 -0
package/dist/commands/infra-read.js.map +1 -0
package/dist/commands/init.d.ts +10 -3
package/dist/commands/init.js +275 -142
package/dist/commands/init.js.map +1 -1
package/dist/commands/login.d.ts +6 -3
package/dist/commands/login.js +222 -92
package/dist/commands/login.js.map +1 -1
package/dist/commands/logout.d.ts +1 -0
package/dist/commands/logout.js +28 -0
package/dist/commands/logout.js.map +1 -0
package/dist/commands/logs.d.ts +14 -3
package/dist/commands/logs.js +132 -106
package/dist/commands/logs.js.map +1 -1
package/dist/commands/mocks.d.ts +5 -0
package/dist/commands/mocks.js +23 -0
package/dist/commands/mocks.js.map +1 -0
package/dist/commands/open.d.ts +4 -3
package/dist/commands/open.js +53 -85
package/dist/commands/open.js.map +1 -1
package/dist/commands/products-db.d.ts +37 -0
package/dist/commands/products-db.js +230 -0
package/dist/commands/products-db.js.map +1 -0
package/dist/commands/products.d.ts +12 -0
package/dist/commands/products.js +97 -0
package/dist/commands/products.js.map +1 -0
package/dist/commands/promote.d.ts +9 -0
package/dist/commands/promote.js +114 -0
package/dist/commands/promote.js.map +1 -0
package/dist/commands/publish.d.ts +14 -0
package/dist/commands/publish.js +180 -0
package/dist/commands/publish.js.map +1 -0
package/dist/commands/servers.d.ts +23 -0
package/dist/commands/servers.js +166 -0
package/dist/commands/servers.js.map +1 -0
package/dist/commands/status.d.ts +5 -3
package/dist/commands/status.js +91 -93
package/dist/commands/status.js.map +1 -1
package/dist/commands/support.d.ts +25 -0
package/dist/commands/support.js +184 -0
package/dist/commands/support.js.map +1 -0
package/dist/commands/surface-status.d.ts +5 -0
package/dist/commands/surface-status.js +63 -0
package/dist/commands/surface-status.js.map +1 -0
package/dist/commands/tenants.d.ts +34 -0
package/dist/commands/tenants.js +179 -0
package/dist/commands/tenants.js.map +1 -0
package/dist/commands/upgrade.d.ts +12 -0
package/dist/commands/upgrade.js +77 -0
package/dist/commands/upgrade.js.map +1 -0
package/dist/commands/validate.d.ts +1 -3
package/dist/commands/validate.js +83 -91
package/dist/commands/validate.js.map +1 -1
package/dist/commands/whoami.d.ts +5 -3
package/dist/commands/whoami.js +76 -28
package/dist/commands/whoami.js.map +1 -1
package/dist/commands/workspaces.d.ts +15 -0
package/dist/commands/workspaces.js +72 -0
package/dist/commands/workspaces.js.map +1 -0
package/dist/index.d.ts +0 -1
package/dist/index.js +1094 -36
package/dist/index.js.map +1 -1
package/dist/lib/ai/context.d.ts +11 -0
package/dist/lib/ai/context.js +112 -0
package/dist/lib/ai/context.js.map +1 -0
package/dist/lib/ai/orchestrator.d.ts +10 -0
package/dist/lib/ai/orchestrator.js +92 -0
package/dist/lib/ai/orchestrator.js.map +1 -0
package/dist/lib/api-client.d.ts +39 -0
package/dist/lib/api-client.js +185 -0
package/dist/lib/api-client.js.map +1 -0
package/dist/lib/auth.d.ts +15 -0
package/dist/lib/auth.js +98 -0
package/dist/lib/auth.js.map +1 -0
package/dist/lib/cli-read.d.ts +13 -0
package/dist/lib/cli-read.js +103 -0
package/dist/lib/cli-read.js.map +1 -0
package/dist/lib/cli-write.d.ts +47 -0
package/dist/lib/cli-write.js +137 -0
package/dist/lib/cli-write.js.map +1 -0
package/dist/lib/config-schema.d.ts +165 -0
package/dist/lib/config-schema.js +57 -0
package/dist/lib/config-schema.js.map +1 -0
package/dist/lib/config.d.ts +15 -0
package/dist/lib/config.js +33 -0
package/dist/lib/config.js.map +1 -0
package/dist/lib/render.d.ts +16 -0
package/dist/lib/render.js +74 -0
package/dist/lib/render.js.map +1 -0
package/dist/utils/logger.d.ts +13 -0
package/dist/utils/logger.js +27 -0
package/dist/utils/logger.js.map +1 -0
package/package.json +35 -33
package/templates/auth/callback.ts +22 -0
package/templates/auth/sign-in.tsx +41 -0
package/templates/billing/checkout.ts +22 -0
package/templates/billing/page.tsx +43 -0
package/templates/support/ticket-form.tsx +68 -0
package/templates/usage/track.ts +30 -0
package/templates/users/profile.tsx +43 -0
package/LICENSE +0 -21
package/dist/commands/add.d.ts.map +0 -1
package/dist/commands/deploy.d.ts.map +0 -1
package/dist/commands/generate-types.d.ts +0 -3
package/dist/commands/generate-types.d.ts.map +0 -1
package/dist/commands/generate-types.js +0 -150
package/dist/commands/generate-types.js.map +0 -1
package/dist/commands/init.d.ts.map +0 -1
package/dist/commands/login.d.ts.map +0 -1
package/dist/commands/logs.d.ts.map +0 -1
package/dist/commands/open.d.ts.map +0 -1
package/dist/commands/status.d.ts.map +0 -1
package/dist/commands/validate.d.ts.map +0 -1
package/dist/commands/whoami.d.ts.map +0 -1
package/dist/config.d.ts +0 -14
package/dist/config.d.ts.map +0 -1
package/dist/config.js +0 -83
package/dist/config.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/scaffold/auth.d.ts +0 -3
package/dist/scaffold/auth.d.ts.map +0 -1
package/dist/scaffold/auth.js +0 -228
package/dist/scaffold/auth.js.map +0 -1
package/dist/scaffold/billing.d.ts +0 -3
package/dist/scaffold/billing.d.ts.map +0 -1
package/dist/scaffold/billing.js +0 -184
package/dist/scaffold/billing.js.map +0 -1
package/dist/scaffold/usage.d.ts +0 -3
package/dist/scaffold/usage.d.ts.map +0 -1
package/dist/scaffold/usage.js +0 -173
package/dist/scaffold/usage.js.map +0 -1
package/dist/scaffold/users.d.ts +0 -3
package/dist/scaffold/users.d.ts.map +0 -1
package/dist/scaffold/users.js +0 -135
package/dist/scaffold/users.js.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -1,40 +1,1098 @@
 #!/usr/bin/env node
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const commander_1 = require("commander");
-const chalk_1 = __importDefault(require("chalk"));
-const init_1 = require("./commands/init");
-const add_1 = require("./commands/add");
-const validate_1 = require("./commands/validate");
-const generate_types_1 = require("./commands/generate-types");
-const whoami_1 = require("./commands/whoami");
-const login_1 = require("./commands/login");
-const status_1 = require("./commands/status");
-const logs_1 = require("./commands/logs");
-const deploy_1 = require("./commands/deploy");
-const open_1 = require("./commands/open");
-const program = new commander_1.Command();
+import { Command } from 'commander';
+import { log } from './utils/logger.js';
+const program = new Command();
 program
     .name('neetru')
-    .description(chalk_1.default.bold('Neetru CLI') +
-    ' — SDK & DevOps para integrar seu SaaS com Neetru Core\n' +
-    chalk_1.default.dim('  init · add · login · status · deploy · logs · open'))
-    .version('1.0.0');
-// Setup
-program.addCommand((0, init_1.initCommand)());
-program.addCommand((0, add_1.addCommand)());
-program.addCommand((0, validate_1.validateCommand)());
-program.addCommand((0, generate_types_1.generateTypesCommand)());
-// Auth & info
-program.addCommand((0, login_1.loginCommand)());
-program.addCommand((0, whoami_1.whoamiCommand)());
-// Operations
-program.addCommand((0, status_1.statusCommand)());
-program.addCommand((0, deploy_1.deployCommand)());
-program.addCommand((0, logs_1.logsCommand)());
-program.addCommand((0, open_1.openCommand)());
-program.parseAsync(process.argv);
+    .description('Neetru Developer Kit — scaffold, AI assistant e deploy para produtos SaaS')
+    .version('2.0.0');
+// ── neetru ai ─────────────────────────────────────────────────────────
+program
+    .command('ai')
+    .description('REPL interativo com IA Neetru-aware (Claude / OpenAI / Gemini)')
+    .option('-m, --model <model>', 'modelo: claude | openai | gemini | auto', 'auto')
+    .action(async (opts) => {
+    const { runAiRepl } = await import('./commands/ai.js');
+    await runAiRepl({ model: opts.model });
+});
+// ── neetru init ───────────────────────────────────────────────────────
+program
+    .command('init <name>')
+    .description('Scaffold de novo produto SaaS Neetru')
+    .option('--type <type>', 'nextjs | node-api', 'nextjs')
+    .action(async (name, opts) => {
+    const { runInit } = await import('./commands/init.js');
+    await runInit({ name, type: opts.type });
+});
+// ── neetru config ─────────────────────────────────────────────────────
+const configCmd = program
+    .command('config')
+    .description('Gerenciar configurações do CLI (chaves de API, modelo padrão)');
+configCmd
+    .command('set <key> <value>')
+    .description('Define uma configuração')
+    .action(async (key, value) => {
+    const { configSet } = await import('./commands/config.js');
+    configSet(key, value);
+});
+configCmd
+    .command('get [key]')
+    .description('Lê configuração(ões)')
+    .action(async (key) => {
+    const { configGet } = await import('./commands/config.js');
+    configGet(key);
+});
+configCmd
+    .command('path')
+    .description('Mostra o caminho do arquivo de configuração')
+    .action(async () => {
+    const { configPath } = await import('./commands/config.js');
+    configPath();
+});
+// ── neetru login ──────────────────────────────────────────────────────
+program
+    .command('login')
+    .description('Autentica o CLI via Device Code OAuth (RFC 8628)')
+    .option('--token <token>', 'token nrt_<keyId>_<secret> (modo CI/legado, pula browser)')
+    .option('--json', 'saída em JSON (machine-readable)')
+    .action(async (opts) => {
+    const { runLogin } = await import('./commands/login.js');
+    await runLogin({ token: opts.token, json: !!opts.json });
+});
+// ── neetru logout ─────────────────────────────────────────────────────
+program
+    .command('logout')
+    .description('Apaga as credenciais locais (~/.config/neetru-cli/auth.json + cache legado)')
+    .action(async () => {
+    const { runLogout } = await import('./commands/logout.js');
+    await runLogout();
+});
+// ── neetru whoami ─────────────────────────────────────────────────────
+program
+    .command('whoami')
+    .description('Mostra a identidade da chave CLI corrente')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runWhoami } = await import('./commands/whoami.js');
+    await runWhoami({ json: !!opts.json });
+});
+// ── neetru build ──────────────────────────────────────────────────────
+program
+    .command('build')
+    .description('Empacota o produto no diretório atual num tarball pronto para deploy')
+    .option('--product <slug>', 'override do slug (default: lê neetru.config.json)')
+    .option('--stack <stack>', 'node | docker | php-apache | static (default: detectado)')
+    .option('--output <dir>', 'diretório de saída', '.neetru-build')
+    .option('--version <version>', 'versão (default: detectada de package.json ou timestamp)')
+    .option('--no-cache', 'invalida caches do build (recria lockfile, --no-cache no docker)')
+    .action(async (opts) => {
+    const { runBuild } = await import('./commands/build.js');
+    await runBuild({
+        product: opts.product,
+        stack: opts.stack,
+        output: opts.output,
+        version: opts.version,
+        noCache: !opts.cache,
+    });
+});
+// ── neetru deploy ─────────────────────────────────────────────────────
+program
+    .command('deploy')
+    .description('Deploy do produto via pipeline Neetru Core (interativo por default)')
+    .option('--product <slug>', 'slug do produto')
+    .option('--version <version>', 'versão a deployar')
+    .option('--stack <stack>', 'node | docker | php-apache | static')
+    .option('--target <target>', 'cloud-run | vm', 'vm')
+    .option('--server <id>', 'id do server (target=vm)')
+    .option('--domain <domain>', 'domínio público')
+    .option('--port <port>', 'porta interna do app', (v) => Number.parseInt(v, 10))
+    .option('--artifact <file>', 'caminho do tarball já buildado')
+    .option('--artifact-url <url>', 'URL pública/signed do artifact (GCS, S3)')
+    .option('--artifact-sha256 <sha>', 'sha256 do artifact (par com --artifact-url)')
+    .option('--env-file <file>', 'arquivo .env com vars passadas pro deploy')
+    .option('--env <env>', 'ambiente alvo: dev | staging | prod', 'dev')
+    .option('--local-artifact', 'F-11: NÃO faz upload pra GCS — manda file:// pro Core (só funciona se o agent compartilha FS com este CLI)')
+    .option('--non-interactive', 'falha em vez de perguntar (modo CI)')
+    .action(async (opts) => {
+    const { runDeploy } = await import('./commands/deploy.js');
+    await runDeploy({
+        product: opts.product,
+        version: opts.version,
+        stack: opts.stack,
+        target: opts.target,
+        server: opts.server,
+        domain: opts.domain,
+        port: opts.port,
+        artifact: opts.artifact,
+        artifactUrl: opts.artifactUrl,
+        artifactSha256: opts.artifactSha256,
+        envFile: opts.envFile,
+        env: opts.env,
+        localArtifact: !!opts.localArtifact,
+        nonInteractive: !!opts.nonInteractive,
+    });
+});
+// ── neetru status ─────────────────────────────────────────────────────
+// Default: saúde das superfícies públicas (control plane). Com --client-id,
+// delega ao status de workspace legado (backward-compat).
+program
+    .command('status')
+    .description('Saúde das superfícies públicas (landing/api/portal/políticas). --client-id = status de workspace')
+    .option('--client-id <id>', 'oauthClientId do workspace (status de workspace legado)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runSurfaceStatus } = await import('./commands/surface-status.js');
+    await runSurfaceStatus({ clientId: opts.clientId, json: !!opts.json });
+});
+// ── neetru tenants ────────────────────────────────────────────────────
+const tenantsCmd = program
+    .command('tenants')
+    .description('Control plane — inspeção de tenants (read-only)');
+tenantsCmd
+    .command('list')
+    .description('Lista tenants (filtros --status / --product)')
+    .option('--status <status>', 'ativo | em provisionamento | suspenso | arquivado')
+    .option('--product <productId>', 'filtra por productId')
+    .option('--limit <n>', 'máximo de resultados (default 100, max 500)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runTenantsList } = await import('./commands/tenants.js');
+    await runTenantsList({
+        status: opts.status,
+        product: opts.product,
+        limit: opts.limit,
+        json: !!opts.json,
+    });
+});
+tenantsCmd
+    .command('get <id>')
+    .description('Detalha um tenant pelo ID')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsGet } = await import('./commands/tenants.js');
+    await runTenantsGet(id, { json: !!opts.json });
+});
+tenantsCmd
+    .command('create')
+    .description('Cria um tenant (status inicial: em provisionamento)')
+    .requiredOption('--name <name>', 'nome do tenant')
+    .requiredOption('--slug <slug>', 'slug do tenant')
+    .requiredOption('--customer <customerId>', 'id do customer')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .option('--domain <domain>', 'domínio primário')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runTenantsCreate } = await import('./commands/tenants.js');
+    await runTenantsCreate({
+        name: opts.name,
+        slug: opts.slug,
+        customer: opts.customer,
+        product: opts.product,
+        env: opts.env,
+        domain: opts.domain,
+        json: !!opts.json,
+    });
+});
+tenantsCmd
+    .command('update <id>')
+    .description('Atualiza dados de um tenant existente')
+    .requiredOption('--name <name>', 'nome do tenant')
+    .requiredOption('--slug <slug>', 'slug do tenant')
+    .requiredOption('--customer <customerId>', 'id do customer')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .option('--domain <domain>', 'domínio primário')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsUpdate } = await import('./commands/tenants.js');
+    await runTenantsUpdate(id, {
+        name: opts.name,
+        slug: opts.slug,
+        customer: opts.customer,
+        product: opts.product,
+        env: opts.env,
+        domain: opts.domain,
+        json: !!opts.json,
+    });
+});
+tenantsCmd
+    .command('suspend <id>')
+    .description('Suspende um tenant (destrutivo — confirmação interativa)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsSuspend } = await import('./commands/tenants.js');
+    await runTenantsSuspend(id, { yes: !!opts.yes, force: !!opts.force, json: !!opts.json });
+});
+tenantsCmd
+    .command('reactivate <id>')
+    .description('Reativa um tenant suspenso')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsReactivate } = await import('./commands/tenants.js');
+    await runTenantsReactivate(id, { json: !!opts.json });
+});
+// ── neetru audit ──────────────────────────────────────────────────────
+const auditCmd = program
+    .command('audit')
+    .description('Control plane — trilha de auditoria do Core (read-only)');
+auditCmd
+    .command('tail')
+    .description('Últimos N eventos de audit_logs (mais recente primeiro)')
+    .option('-n, --limit <n>', 'número de eventos (default 50, max 200)')
+    .option('--action <substring>', 'filtra por substring da ação (ex: billing, tenant.create)')
+    .option('--severity <level>', 'info | warning | critical')
+    .option('--actor <substring>', 'filtra por uid ou email do ator')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runAuditTail } = await import('./commands/audit.js');
+    await runAuditTail({
+        limit: opts.limit,
+        action: opts.action,
+        severity: opts.severity,
+        actor: opts.actor,
+        json: !!opts.json,
+    });
+});
+// ── neetru billing ────────────────────────────────────────────────────
+const billingCmd = program
+    .command('billing')
+    .description('Control plane — billing/contabilidade (read-only)');
+billingCmd
+    .command('summary')
+    .description('Sumário contábil do mês corrente (MRR, invoices, subscriptions)')
+    .option('--year <YYYY>', 'ano (default: corrente)')
+    .option('--month <1-12>', 'mês (default: corrente)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runBillingSummary } = await import('./commands/billing.js');
+    await runBillingSummary({ year: opts.year, month: opts.month, json: !!opts.json });
+});
+// ── neetru servers ────────────────────────────────────────────────────
+const serversCmd = program
+    .command('servers')
+    .description('Control plane — inventário de servers (read-only)');
+serversCmd
+    .command('list')
+    .description('Lista servers (filtros --status / --provider / --capacity)')
+    .option('--status <status>', 'online (operacional + heartbeat fresco)')
+    .option('--provider <provider>', 'hetzner | digitalocean | aws | ...')
+    .option('--capacity', 'inclui colunas de RAM/CPU/disco')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runServersList } = await import('./commands/servers.js');
+    await runServersList({
+        status: opts.status,
+        provider: opts.provider,
+        capacity: !!opts.capacity,
+        json: !!opts.json,
+    });
+});
+serversCmd
+    .command('provision')
+    .description('Provisiona uma VM GCP (admin only) — cria server + registration token')
+    .requiredOption('--name <name>', 'nome do servidor')
+    .requiredOption('--zone <zone>', 'zona GCP (ex: us-central1-a)')
+    .requiredOption('--machine-type <type>', 'machine type GCP (ex: e2-small)')
+    .option('--tenant <tenantId>', 'tenant associado')
+    .option('--customer <customerId>', 'customer associado')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runServersProvision } = await import('./commands/servers.js');
+    await runServersProvision({
+        name: opts.name,
+        zone: opts.zone,
+        machineType: opts.machineType,
+        tenant: opts.tenant,
+        customer: opts.customer,
+        json: !!opts.json,
+    });
+});
+serversCmd
+    .command('deactivate <serverId>')
+    .description('Desativa um server (destrutivo top-tier — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runServersDeactivate } = await import('./commands/servers.js');
+    await runServersDeactivate(id, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+serversCmd
+    .command('dispatch <serverId> <commandType>')
+    .description('Enfileira um comando pro agente Linux do server')
+    .option('--params <json>', 'objeto JSON de params do comando')
+    .option('--json', 'saída em JSON')
+    .action(async (id, commandType, opts) => {
+    const { runServersDispatch } = await import('./commands/servers.js');
+    await runServersDispatch(id, commandType, { params: opts.params, json: !!opts.json });
+});
+// ── neetru workspaces ─────────────────────────────────────────────────
+const workspacesCmd = program
+    .command('workspaces')
+    .description('Control plane — runtime shared de workspaces');
+workspacesCmd
+    .command('create')
+    .description('Cria um workspace (devolve OAuth client secret one-time)')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--customer <customerId>', 'id do customer')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .requiredOption('--tier <tier>', 'dev | standard | enterprise')
+    .option('--name <name>', 'label do workspace')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runWorkspacesCreate } = await import('./commands/workspaces.js');
+    await runWorkspacesCreate({
+        product: opts.product,
+        customer: opts.customer,
+        env: opts.env,
+        tier: opts.tier,
+        name: opts.name,
+        json: !!opts.json,
+    });
+});
+workspacesCmd
+    .command('advance <workspaceId>')
+    .description('Promove uma versão de bundle pra "running" no workspace')
+    .requiredOption('--product <slug>', 'productSlug do bundle')
+    .requiredOption('--version <version>', 'versão do bundle a ativar')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runWorkspacesAdvance } = await import('./commands/workspaces.js');
+    await runWorkspacesAdvance(id, {
+        product: opts.product,
+        version: opts.version,
+        json: !!opts.json,
+    });
+});
+// ── neetru deployments ────────────────────────────────────────────────
+const deploymentsCmd = program
+    .command('deployments')
+    .description('Control plane — recurso deployments/ (paridade com a UI)');
+deploymentsCmd
+    .command('create')
+    .description('Cria um deployment (dispara comando deploy pro agente)')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--tenant <tenantId>', 'id do tenant alvo')
+    .requiredOption('--version <version>', 'versão a deployar')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .requiredOption('--server <serverId>', 'id do server alvo')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDeploymentsCreate } = await import('./commands/deployments.js');
+    await runDeploymentsCreate({
+        product: opts.product,
+        tenant: opts.tenant,
+        version: opts.version,
+        env: opts.env,
+        server: opts.server,
+        json: !!opts.json,
+    });
+});
+deploymentsCmd
+    .command('rollback <deploymentId>')
+    .description('Rollback de um deployment (destrutivo top-tier — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runDeploymentsRollback } = await import('./commands/deployments.js');
+    await runDeploymentsRollback(id, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru cloud-run ──────────────────────────────────────────────────
+const cloudRunCmd = program
+    .command('cloud-run')
+    .description('Control plane — serviços Cloud Run (admin only)');
+cloudRunCmd
+    .command('pause <service>')
+    .description('Pausa um serviço Cloud Run (scale-to-zero)')
+    .option('--json', 'saída em JSON')
+    .action(async (service, opts) => {
+    const { runCloudRunPause } = await import('./commands/cloud-run.js');
+    await runCloudRunPause(service, { json: !!opts.json });
+});
+cloudRunCmd
+    .command('resume <service>')
+    .description('Retoma um serviço Cloud Run pausado')
+    .option('--min-instances <n>', 'minInstanceCount')
+    .option('--max-instances <n>', 'maxInstanceCount')
+    .option('--json', 'saída em JSON')
+    .action(async (service, opts) => {
+    const { runCloudRunResume } = await import('./commands/cloud-run.js');
+    await runCloudRunResume(service, {
+        minInstances: opts.minInstances,
+        maxInstances: opts.maxInstances,
+        json: !!opts.json,
+    });
+});
+cloudRunCmd
+    .command('delete <service>')
+    .description('Exclui um serviço Cloud Run (IRREVERSÍVEL — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (service, opts) => {
+    const { runCloudRunDelete } = await import('./commands/cloud-run.js');
+    await runCloudRunDelete(service, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru api-catalog ────────────────────────────────────────────────
+const apiCatalogCmd = program
+    .command('api-catalog')
+    .description('Control plane — registry de APIs versionadas (apis/)');
+apiCatalogCmd
+    .command('create <slug>')
+    .description('Registra uma nova API no catálogo')
+    .requiredOption('--name <name>', 'nome da API')
+    .requiredOption('--base-url <url>', 'base URL')
+    .requiredOption('--version <version>', 'versão')
+    .requiredOption('--auth-method <method>', 'método de auth')
+    .requiredOption('--status <status>', 'status (ex: active | deprecated)')
+    .option('--description <text>', 'descrição')
+    .option('--docs-url <url>', 'URL da documentação')
+    .option('--owner-team <team>', 'time responsável')
+    .option('--contact-email <email>', 'email de contato')
+    .option('--scopes <csv>', 'scopes obrigatórios (separados por vírgula)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogCreate } = await import('./commands/api-catalog.js');
+    await runApiCatalogCreate(slug, {
+        name: opts.name,
+        baseUrl: opts.baseUrl,
+        version: opts.version,
+        authMethod: opts.authMethod,
+        status: opts.status,
+        description: opts.description,
+        docsUrl: opts.docsUrl,
+        ownerTeam: opts.ownerTeam,
+        contactEmail: opts.contactEmail,
+        scopes: opts.scopes,
+        json: !!opts.json,
+    });
+});
+apiCatalogCmd
+    .command('update <slug>')
+    .description('Atualiza uma entrada do catálogo (slug é imutável)')
+    .requiredOption('--name <name>', 'nome da API')
+    .requiredOption('--base-url <url>', 'base URL')
+    .requiredOption('--version <version>', 'versão')
+    .requiredOption('--auth-method <method>', 'método de auth')
+    .requiredOption('--status <status>', 'status (ex: active | deprecated)')
+    .option('--description <text>', 'descrição')
+    .option('--docs-url <url>', 'URL da documentação')
+    .option('--owner-team <team>', 'time responsável')
+    .option('--contact-email <email>', 'email de contato')
+    .option('--scopes <csv>', 'scopes obrigatórios (separados por vírgula)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogUpdate } = await import('./commands/api-catalog.js');
+    await runApiCatalogUpdate(slug, {
+        name: opts.name,
+        baseUrl: opts.baseUrl,
+        version: opts.version,
+        authMethod: opts.authMethod,
+        status: opts.status,
+        description: opts.description,
+        docsUrl: opts.docsUrl,
+        ownerTeam: opts.ownerTeam,
+        contactEmail: opts.contactEmail,
+        scopes: opts.scopes,
+        json: !!opts.json,
+    });
+});
+apiCatalogCmd
+    .command('archive <slug>')
+    .description('Soft-delete de uma API (--unarchive reativa)')
+    .option('--unarchive', 'reativa em vez de arquivar')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogArchive } = await import('./commands/api-catalog.js');
+    await runApiCatalogArchive(slug, {
+        unarchive: !!opts.unarchive,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        json: !!opts.json,
+    });
+});
+apiCatalogCmd
+    .command('delete <slug>')
+    .description('Delete físico de uma API (IRREVERSÍVEL — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogDelete } = await import('./commands/api-catalog.js');
+    await runApiCatalogDelete(slug, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru products ───────────────────────────────────────────────────
+const productsCmd = program
+    .command('products')
+    .description('Control plane — registry interno de produtos SaaS (read-only)');
+productsCmd
+    .command('list')
+    .description('Lista produtos internos (registry products/, filtro --status)')
+    .option('--status <status>', 'ativo | beta | descontinuado')
+    .option('--limit <n>', 'máximo de resultados (default 100, max 500)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runProductsList } = await import('./commands/products.js');
+    await runProductsList({ status: opts.status, limit: opts.limit, json: !!opts.json });
+});
+productsCmd
+    .command('publish <slug>')
+    .description('Publica um produto no catálogo público (published=true)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runProductsPublish } = await import('./commands/products.js');
+    await runProductsPublish(slug, { json: !!opts.json });
+});
+productsCmd
+    .command('unpublish <slug>')
+    .description('Remove um produto do catálogo público (published=false)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runProductsUnpublish } = await import('./commands/products.js');
+    await runProductsUnpublish(slug, { json: !!opts.json });
+});
+// ── neetru products db (Phase A — per-product DB isolation) ────────────
+const productsDbCmd = productsCmd
+    .command('db')
+    .description('Bancos de dados isolados por produto (firestore-instance | cloud-sql-* | vm-*)');
+productsDbCmd
+    .command('list')
+    .description('Lista bancos. Filtros: --product-id, --engine, --status')
+    .option('--product-id <id>')
+    .option('--engine <engine>')
+    .option('--status <status>')
+    .option('--json')
+    .action(async (opts) => {
+    const { runDbList } = await import('./commands/products-db.js');
+    await runDbList({
+        productId: opts.productId,
+        engine: opts.engine,
+        status: opts.status,
+        json: !!opts.json,
+    });
+});
+productsDbCmd
+    .command('engines')
+    .description('Lista engines suportados')
+    .option('--json')
+    .action(async (opts) => {
+    const { runDbEngines } = await import('./commands/products-db.js');
+    await runDbEngines({ json: !!opts.json });
+});
+productsDbCmd
+    .command('create')
+    .description('Cria um banco (Phase A: registra + audit; provisionamento real é Phase B)')
+    .requiredOption('--product-id <id>')
+    .requiredOption('--label <label>')
+    .requiredOption('--engine <engine>', 'firestore-instance|cloud-sql-postgres|cloud-sql-mysql|vm-postgres-single|vm-postgres-cluster|vm-mysql-single|vm-mysql-cluster')
+    .requiredOption('--environment <env>', 'dev|staging|production')
+    .option('--region <region>', 'região GCP', 'us-central1')
+    .option('--server-id <serverId>', 'target VM (obrigatório pra engines vm-*)')
+    .option('--replica-count <n>', 'pra engines *-cluster (default 2)')
+    .option('--json')
+    .action(async (opts) => {
+    const { runDbCreate } = await import('./commands/products-db.js');
+    await runDbCreate({
+        productId: opts.productId,
+        label: opts.label,
+        engine: opts.engine,
+        environment: opts.environment,
+        region: opts.region,
+        serverId: opts.serverId,
+        replicaCount: opts.replicaCount,
+        json: !!opts.json,
+    });
+});
+productsDbCmd
+    .command('get <id>')
+    .description('Detalhes de um banco')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbGet } = await import('./commands/products-db.js');
+    await runDbGet(id, { json: !!opts.json });
+});
+productsDbCmd
+    .command('status <id> <status>')
+    .description('Atualiza status (requested|provisioning|active|degraded|failed|archived)')
+    .option('--reason <text>')
+    .option('--json')
+    .action(async (id, status, opts) => {
+    const { runDbStatus } = await import('./commands/products-db.js');
+    await runDbStatus(id, status, { reason: opts.reason, json: !!opts.json });
+});
+productsDbCmd
+    .command('retry <id>')
+    .description('Re-enfileira provisionamento (status failed/degraded → requested)')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbRetry } = await import('./commands/products-db.js');
+    await runDbRetry(id, { json: !!opts.json });
+});
+productsDbCmd
+    .command('rotate <id>')
+    .description('Rotaciona credenciais (admin; Phase A: intent + audit)')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbRotate } = await import('./commands/products-db.js');
+    await runDbRotate(id, { json: !!opts.json });
+});
+productsDbCmd
+    .command('delete <id>')
+    .description('Arquiva o banco (soft-delete; admin)')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbDelete } = await import('./commands/products-db.js');
+    await runDbDelete(id, { json: !!opts.json });
+});
+// ── neetru logs ───────────────────────────────────────────────────────
+program
+    .command('logs')
+    .description('Visualiza logs do workspace; suporta tail contínuo')
+    .option('--client-id <id>', 'oauthClientId do workspace')
+    .option('-f, --follow', 'tail contínuo (poll a cada 5s)')
+    .option('-n, --lines <count>', 'número de linhas a buscar', '50')
+    .option('--since <duration>', 'logs desde N atrás (ex: 30m, 2h, 1d)', '15m')
+    .option('--level <level>', 'filtrar por nível: info | warn | error | debug')
+    .option('--product <product>', 'v1.3 — filtrar por productId')
+    .option('--channel <channel>', 'v1.3 — filtrar por channel (stdout | stderr | app)')
+    .option('--correlation-id <id>', 'v1.3 — filtrar por correlationId (UUID)')
+    .action(async (opts) => {
+    const { runLogs } = await import('./commands/logs.js');
+    await runLogs({
+        clientId: opts.clientId,
+        follow: !!opts.follow,
+        lines: opts.lines,
+        since: opts.since,
+        level: opts.level,
+        product: opts.product,
+        channel: opts.channel,
+        correlationId: opts.correlationId,
+    });
+});
+// ── neetru validate ───────────────────────────────────────────────────
+program
+    .command('validate')
+    .description('Health check da config local + conexão com Core')
+    .action(async () => {
+    const { runValidate } = await import('./commands/validate.js');
+    await runValidate();
+});
+// ── neetru open ───────────────────────────────────────────────────────
+program
+    .command('open [target]')
+    .description('Abre uma página do painel Neetru no browser')
+    .option('--client-id <id>', 'oauthClientId do workspace (anexa em targets workspace-scoped)')
+    .action(async (target, opts) => {
+    const { runOpen } = await import('./commands/open.js');
+    await runOpen(target, { clientId: opts.clientId });
+});
+// ── neetru publish ────────────────────────────────────────────────────
+program
+    .command('publish')
+    .description('Publica o produto no catálogo público da landing (public_products)')
+    .option('--draft', 'salva como rascunho (published=false)')
+    .option('--unpublish', 'remove o produto da landing (mantém o doc)')
+    .option('--slug <slug>', 'override do slug do neetru.config.json')
+    .option('--name <name>', 'override do nome')
+    .option('--tagline <tagline>', 'override do tagline')
+    .option('--description <description>', 'override da description')
+    .option('--icon-key <iconKey>', 'override do iconKey')
+    .option('--status <status>', 'override do status (live | soon | beta)')
+    .option('--order <order>', 'override do order (inteiro)')
+    .option('--cta-href <ctaHref>', 'override do ctaHref')
+    .option('--cta-label <ctaLabel>', 'override do ctaLabel')
+    .action(async (opts) => {
+    const { runPublish } = await import('./commands/publish.js');
+    await runPublish({
+        draft: !!opts.draft,
+        unpublish: !!opts.unpublish,
+        slug: opts.slug,
+        name: opts.name,
+        tagline: opts.tagline,
+        description: opts.description,
+        iconKey: opts.iconKey,
+        status: opts.status,
+        order: opts.order,
+        ctaHref: opts.ctaHref,
+        ctaLabel: opts.ctaLabel,
+    });
+});
+// ── neetru add ────────────────────────────────────────────────────────
+program
+    .command('add <feature>')
+    .description('v1.3 — copia template (auth | billing | usage | users | support) pra src/lib/neetru/')
+    .option('--force', 'sobrescrever arquivos existentes')
+    .action(async (feature, opts) => {
+    const { runAdd } = await import('./commands/add.js');
+    await runAdd({ feature, force: !!opts.force });
+});
+// ── neetru mocks ──────────────────────────────────────────────────────
+const mocksCmd = program
+    .command('mocks')
+    .description('v1.3 — gerenciar fixtures dev (NEETRU_ENV=dev)');
+mocksCmd
+    .command('reset')
+    .description('Reseta .neetru/dev-fixtures.json para {}')
+    .action(async () => {
+    const { runMocksReset } = await import('./commands/mocks.js');
+    await runMocksReset();
+});
+// ── neetru env ────────────────────────────────────────────────────────
+const envCmd = program
+    .command('env')
+    .description('v1.3 — gerenciar configuração NEETRU_ENV no .env.local');
+envCmd
+    .command('switch <target>')
+    .description('Alterna NEETRU_ENV: dev | workspace | production')
+    .action(async (target) => {
+    const { runEnvSwitch } = await import('./commands/env.js');
+    await runEnvSwitch({ target });
+});
+// ── neetru db ─────────────────────────────────────────────────────────
+const dbCmd = program
+    .command('db')
+    .description('v1.4 — gerência de schema/migrations/seed do produto');
+dbCmd
+    .command('init')
+    .description('Cria manifest stub a partir de neetru.config.json')
+    .option('--out <path>', 'caminho do manifest (default db/schema.manifest.json)')
+    .option('--force', 'sobrescreve se já existir')
+    .action(async (opts) => {
+    const { runDbInit } = await import('./commands/db.js');
+    await runDbInit({ out: opts.out, force: !!opts.force });
+});
+dbCmd
+    .command('migrate <toVersion>')
+    .description('Aplica migration via Core (chama runMigrations Sprint 8)')
+    .option('--from <fromVersion>', 'versão atual (default: schemaVersion do config)')
+    .action(async (toVersion, opts) => {
+    const { runDbMigrate } = await import('./commands/db.js');
+    await runDbMigrate({ toVersion, fromVersion: opts.from });
+});
+dbCmd
+    .command('seed')
+    .description('Executa db/seed.ts no projeto (NEETRU_ENV=dev)')
+    .option('--script <path>', 'caminho custom do script de seed')
+    .action(async (opts) => {
+    const { runDbSeed } = await import('./commands/db.js');
+    await runDbSeed({ script: opts.script });
+});
+// ── neetru fn ─────────────────────────────────────────────────────────
+const fnCmd = program
+    .command('fn')
+    .description('v1.4 — gestão de Functions/APIs do produto');
+fnCmd
+    .command('deploy')
+    .description('Registra nova versão da API no catálogo neetru-apis (Sprint 7 stub)')
+    .option('--version <v>', 'versão da API (default: apiVersion do config ou v1)')
+    .option('--channel <channel>', 'stable | beta | alpha', 'stable')
+    .option('--spec <path>', 'caminho de OpenAPI/JSON schema')
+    .action(async (opts) => {
+    const { runFnDeploy } = await import('./commands/fn.js');
+    await runFnDeploy({ version: opts.version, channel: opts.channel, spec: opts.spec });
+});
+// ── neetru promote ────────────────────────────────────────────────────
+program
+    .command('promote')
+    .description('v1.4 — solicita promotion entre ambientes (staff-gated). dev→workspace→beta→prod')
+    .requiredOption('--from <env>', 'dev | workspace | beta | prod')
+    .requiredOption('--to <env>', 'dev | workspace | beta | prod')
+    .option('--product <slug>', 'override do slug do neetru.config.json')
+    .option('--reason <text>', 'razão livre da promotion')
+    .option('--from-revision <rev>', 'revisão Cloud Run atual (rollback target)')
+    .option('--to-revision <rev>', 'revisão Cloud Run novo (target do rollout)')
+    .action(async (opts) => {
+    const { runPromote } = await import('./commands/promote.js');
+    await runPromote({
+        from: opts.from,
+        to: opts.to,
+        product: opts.product,
+        reason: opts.reason,
+        fromRevision: opts.fromRevision,
+        toRevision: opts.toRevision,
+    });
+});
+// ── neetru doctor ─────────────────────────────────────────────────────
+program
+    .command('doctor')
+    .description('v2.0 — diagnóstico do CLI: token, core, schema, NEETRU_ENV, version')
+    .option('--json', 'saída em JSON (machine-readable)')
+    .action(async (opts) => {
+    const { runDoctor } = await import('./commands/doctor.js');
+    await runDoctor({ json: !!opts.json });
+});
+// ── neetru upgrade ────────────────────────────────────────────────────
+program
+    .command('upgrade')
+    .description('v2.0 — verifica latest no npm e exibe instrução de upgrade')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runUpgrade } = await import('./commands/upgrade.js');
+    await runUpgrade({ json: !!opts.json });
+});
+// ── neetru autocomplete ───────────────────────────────────────────────
+program
+    .command('autocomplete <shell>')
+    .description('v2.0 — gera script de shell completion (bash | zsh | pwsh)')
+    .action(async (shell) => {
+    const { runAutocomplete } = await import('./commands/autocomplete.js');
+    await runAutocomplete(shell);
+});
+// ── neetru agent release ──────────────────────────────────────────────
+const agentCmd = program
+    .command('agent')
+    .description('Operações sobre o binário do Neetru Agent (Linux daemon)');
+agentCmd
+    .command('release')
+    .description('Registra nova release do agente em agent_releases (Firestore)')
+    .requiredOption('--version <semver>', 'versão (ex: 1.2.0 ou 1.2.0-beta.1)')
+    .option('--channel <channel>', 'stable | beta | canary (default: beta)', 'beta')
+    .option('--changelog <text|@file>', 'changelog markdown inline ou "@path" pra ler de arquivo')
+    .option('--min-core <revision>', 'min revision Cloud Run requerida (ex: 00037-qm8)')
+    .option('--binary <arch=path>', 'binário local (sha256+size computados, URL canônica GCS auto-derivada). Repetível.', (val, prev = []) => [...prev, val])
+    .option('--artifact <arch=URL@sha256@sizeBytes>', 'artifact com URL/sha256/size explícitos (não toca FS). Repetível.', (val, prev = []) => [...prev, val])
+    .option('--dry-run', 'imprime payload sem enviar')
+    .action(async (opts) => {
+    const { runAgentRelease } = await import('./commands/agent-release.js');
+    await runAgentRelease({
+        version: opts.version,
+        channel: opts.channel,
+        changelog: opts.changelog,
+        minCore: opts.minCore,
+        binary: opts.binary,
+        artifact: opts.artifact,
+        dryRun: !!opts.dryRun,
+    });
+});
+agentCmd
+    .command('yank <version>')
+    .description('Soft-revoke de uma release do agente (destrutivo top-tier — confirmação + step-up MFA)')
+    .requiredOption('--reason <text>', 'motivo do yank (mínimo 5 caracteres)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (version, opts) => {
+    const { runAgentYank } = await import('./commands/agent-write.js');
+    await runAgentYank(version, {
+        reason: opts.reason,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+const agentCanaryCmd = agentCmd
+    .command('canary')
+    .description('Controla o canary rollout de releases do agente');
+agentCanaryCmd
+    .command('start <version>')
+    .description('Inicia o canary rollout de uma release (phase1 = 5%)')
+    .option('--json', 'saída em JSON')
+    .action(async (version, opts) => {
+    const { runAgentCanaryStart } = await import('./commands/agent-write.js');
+    await runAgentCanaryStart(version, { json: !!opts.json });
+});
+agentCanaryCmd
+    .command('rollback <version>')
+    .description('Rollback do canary de uma release (destrutivo top-tier — confirmação + step-up MFA)')
+    .requiredOption('--reason <text>', 'motivo do rollback (mínimo 5 caracteres)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (version, opts) => {
+    const { runAgentCanaryRollback } = await import('./commands/agent-write.js');
+    await runAgentCanaryRollback(version, {
+        reason: opts.reason,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru support ───────────────────────────────────────────────────
+const supportCmd = program
+    .command('support')
+    .description('Support tickets — inbox staff via CLI (F5 §4.2.6)');
+const supportTicketsCmd = supportCmd
+    .command('tickets')
+    .description('Operações sobre support_tickets');
+supportTicketsCmd
+    .command('list')
+    .description('Lista tickets com filtros')
+    .option('--status <s>', 'open | in_progress | resolved | closed')
+    .option('--severity <s>', 'sev1 | sev2 | sev3 | sev4')
+    .option('--product <id>', 'filtra por productId')
+    .option('--customer <id>', 'filtra por customerId/tenantId')
+    .option('--breached', 'apenas tickets com SLA estourado')
+    .option('--limit <n>', 'máximo de resultados (default 100, max 500)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runSupportTicketsList } = await import('./commands/support.js');
+    await runSupportTicketsList({
+        status: opts.status,
+        severity: opts.severity,
+        product: opts.product,
+        customer: opts.customer,
+        breached: !!opts.breached,
+        limit: opts.limit,
+        json: !!opts.json,
+    });
+});
+supportTicketsCmd
+    .command('describe <id>')
+    .description('Detalha um ticket + thread de mensagens')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsDescribe } = await import('./commands/support.js');
+    await runSupportTicketsDescribe(id, { json: !!opts.json });
+});
+supportTicketsCmd
+    .command('reply <id>')
+    .description('Anexa mensagem staff ao ticket (transiciona open → in_progress se aplicável)')
+    .requiredOption('--message <text>', 'corpo da mensagem')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsReply } = await import('./commands/support.js');
+    await runSupportTicketsReply(id, { message: opts.message, json: !!opts.json });
+});
+supportTicketsCmd
+    .command('assign <id>')
+    .description('Atribui ticket a um staff (uid)')
+    .requiredOption('--to <staffUid>', 'uid do staff destino')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsAssign } = await import('./commands/support.js');
+    await runSupportTicketsAssign(id, { to: opts.to, json: !!opts.json });
+});
+supportTicketsCmd
+    .command('status <id>')
+    .description('Transiciona status do ticket (FSM)')
+    .requiredOption('--to <status>', 'open | in_progress | resolved | closed')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsStatus } = await import('./commands/support.js');
+    await runSupportTicketsStatus(id, { to: opts.to, json: !!opts.json });
+});
+// ── neetru dns ───────────────────────────────────────────────────────
+const dnsCmd = program.command('dns').description('Cloud DNS — managed zones');
+dnsCmd
+    .command('zones')
+    .description('Operações sobre managed zones')
+    .command('list')
+    .description('Lista managed zones do projeto')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDnsZonesList } = await import('./commands/infra-read.js');
+    await runDnsZonesList({ json: !!opts.json });
+});
+// ── neetru hosting ───────────────────────────────────────────────────
+program
+    .command('hosting')
+    .description('Customer domains — hosting setup')
+    .command('list')
+    .description('Lista customer domains com scope de tenant aplicado')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runHostingList } = await import('./commands/infra-read.js');
+    await runHostingList({ json: !!opts.json });
+});
+// ── neetru builds ────────────────────────────────────────────────────
+program
+    .command('builds')
+    .description('Cloud Build — builds live (status + duração)')
+    .command('list')
+    .description('Lista Cloud Builds recentes (global + regional)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runBuildsList } = await import('./commands/infra-read.js');
+    await runBuildsList({ json: !!opts.json });
+});
+// ── neetru dr ────────────────────────────────────────────────────────
+// Disaster Recovery — listar exports + restore assistido (admin + step-up MFA).
+const drCmd = program
+    .command('dr')
+    .description('Disaster Recovery — exports + restore (admin only, RUNBOOK_DR_DRILL)');
+const drExportsCmd = drCmd
+    .command('exports')
+    .description('Operações sobre exports de Firestore em gs://neetru-backups');
+drExportsCmd
+    .command('list')
+    .description('Lista exports disponíveis (sort: mais recente primeiro)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDrExportsList } = await import('./commands/dr.js');
+    await runDrExportsList({ json: !!opts.json });
+});
+drCmd
+    .command('restore')
+    .description('Dispara restore Firestore (IRREVERSÍVEL no destino — destrutivo top-tier)')
+    .requiredOption('--gcs-path <path>', 'gs://neetru-backups/firestore-exports/<stamp>/')
+    .requiredOption('--target-project <project>', 'projeto GCP de destino (deve ser STAGING)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDrRestore } = await import('./commands/dr.js');
+    await runDrRestore({
+        gcsPath: opts.gcsPath,
+        targetProject: opts.targetProject,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── parse ─────────────────────────────────────────────────────────────
+program.parse(process.argv);
+if (!process.argv.slice(2).length) {
+    log.banner();
+    program.outputHelp();
+}
 //# sourceMappingURL=index.js.map