npm - @neetru/cli - Versions diffs - 2.0.0 → 2.1.0 - Mend

@neetru/cli 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/dist/commands/agent-release.d.ts +13 -0
package/dist/commands/agent-release.js +204 -0
package/dist/commands/agent-release.js.map +1 -0
package/dist/commands/agent-write.d.ts +12 -0
package/dist/commands/agent-write.js +94 -0
package/dist/commands/agent-write.js.map +1 -0
package/dist/commands/api-catalog.d.ts +20 -0
package/dist/commands/api-catalog.js +126 -0
package/dist/commands/api-catalog.js.map +1 -0
package/dist/commands/audit.d.ts +8 -0
package/dist/commands/audit.js +69 -0
package/dist/commands/audit.js.map +1 -0
package/dist/commands/billing.d.ts +6 -0
package/dist/commands/billing.js +69 -0
package/dist/commands/billing.js.map +1 -0
package/dist/commands/build.js +10 -3
package/dist/commands/build.js.map +1 -1
package/dist/commands/cloud-run.d.ts +11 -0
package/dist/commands/cloud-run.js +87 -0
package/dist/commands/cloud-run.js.map +1 -0
package/dist/commands/deploy.d.ts +7 -0
package/dist/commands/deploy.js +150 -17
package/dist/commands/deploy.js.map +1 -1
package/dist/commands/deployments.d.ts +11 -0
package/dist/commands/deployments.js +69 -0
package/dist/commands/deployments.js.map +1 -0
package/dist/commands/dr.d.ts +11 -0
package/dist/commands/dr.js +79 -0
package/dist/commands/dr.js.map +1 -0
package/dist/commands/infra-read.d.ts +9 -0
package/dist/commands/infra-read.js +113 -0
package/dist/commands/infra-read.js.map +1 -0
package/dist/commands/init.js +91 -27
package/dist/commands/init.js.map +1 -1
package/dist/commands/products-db.d.ts +37 -0
package/dist/commands/products-db.js +230 -0
package/dist/commands/products-db.js.map +1 -0
package/dist/commands/products.d.ts +12 -0
package/dist/commands/products.js +97 -0
package/dist/commands/products.js.map +1 -0
package/dist/commands/servers.d.ts +23 -0
package/dist/commands/servers.js +166 -0
package/dist/commands/servers.js.map +1 -0
package/dist/commands/support.d.ts +25 -0
package/dist/commands/support.js +184 -0
package/dist/commands/support.js.map +1 -0
package/dist/commands/surface-status.d.ts +5 -0
package/dist/commands/surface-status.js +63 -0
package/dist/commands/surface-status.js.map +1 -0
package/dist/commands/tenants.d.ts +34 -0
package/dist/commands/tenants.js +179 -0
package/dist/commands/tenants.js.map +1 -0
package/dist/commands/workspaces.d.ts +15 -0
package/dist/commands/workspaces.js +72 -0
package/dist/commands/workspaces.js.map +1 -0
package/dist/index.js +761 -4
package/dist/index.js.map +1 -1
package/dist/lib/api-client.d.ts +18 -0
package/dist/lib/api-client.js +124 -4
package/dist/lib/api-client.js.map +1 -1
package/dist/lib/cli-read.d.ts +13 -0
package/dist/lib/cli-read.js +103 -0
package/dist/lib/cli-read.js.map +1 -0
package/dist/lib/cli-write.d.ts +47 -0
package/dist/lib/cli-write.js +137 -0
package/dist/lib/cli-write.js.map +1 -0
package/dist/lib/config-schema.d.ts +10 -10
package/dist/lib/render.d.ts +16 -0
package/dist/lib/render.js +74 -0
package/dist/lib/render.js.map +1 -0
package/package.json +4 -4

package/dist/index.js CHANGED Viewed

@@ -110,6 +110,8 @@ program
     .option('--artifact-url <url>', 'URL pública/signed do artifact (GCS, S3)')
     .option('--artifact-sha256 <sha>', 'sha256 do artifact (par com --artifact-url)')
     .option('--env-file <file>', 'arquivo .env com vars passadas pro deploy')
+    .option('--env <env>', 'ambiente alvo: dev | staging | prod', 'dev')
+    .option('--local-artifact', 'F-11: NÃO faz upload pra GCS — manda file:// pro Core (só funciona se o agent compartilha FS com este CLI)')
     .option('--non-interactive', 'falha em vez de perguntar (modo CI)')
     .action(async (opts) => {
     const { runDeploy } = await import('./commands/deploy.js');
@@ -125,18 +127,560 @@ program
         artifactUrl: opts.artifactUrl,
         artifactSha256: opts.artifactSha256,
         envFile: opts.envFile,
+        env: opts.env,
+        localArtifact: !!opts.localArtifact,
         nonInteractive: !!opts.nonInteractive,
     });
 });
 // ── neetru status ─────────────────────────────────────────────────────
+// Default: saúde das superfícies públicas (control plane). Com --client-id,
+// delega ao status de workspace legado (backward-compat).
 program
     .command('status')
-    .description('Mostra o status atual do workspace (build/deploy último, domínio, tier)')
-    .option('--client-id <id>', 'oauthClientId do workspace (UI Core /workspaces/{id})')
+    .description('Saúde das superfícies públicas (landing/api/portal/políticas). --client-id = status de workspace')
+    .option('--client-id <id>', 'oauthClientId do workspace (status de workspace legado)')
     .option('--json', 'saída em JSON')
     .action(async (opts) => {
-    const { runStatus } = await import('./commands/status.js');
-    await runStatus({ clientId: opts.clientId, json: !!opts.json });
+    const { runSurfaceStatus } = await import('./commands/surface-status.js');
+    await runSurfaceStatus({ clientId: opts.clientId, json: !!opts.json });
+});
+// ── neetru tenants ────────────────────────────────────────────────────
+const tenantsCmd = program
+    .command('tenants')
+    .description('Control plane — inspeção de tenants (read-only)');
+tenantsCmd
+    .command('list')
+    .description('Lista tenants (filtros --status / --product)')
+    .option('--status <status>', 'ativo | em provisionamento | suspenso | arquivado')
+    .option('--product <productId>', 'filtra por productId')
+    .option('--limit <n>', 'máximo de resultados (default 100, max 500)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runTenantsList } = await import('./commands/tenants.js');
+    await runTenantsList({
+        status: opts.status,
+        product: opts.product,
+        limit: opts.limit,
+        json: !!opts.json,
+    });
+});
+tenantsCmd
+    .command('get <id>')
+    .description('Detalha um tenant pelo ID')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsGet } = await import('./commands/tenants.js');
+    await runTenantsGet(id, { json: !!opts.json });
+});
+tenantsCmd
+    .command('create')
+    .description('Cria um tenant (status inicial: em provisionamento)')
+    .requiredOption('--name <name>', 'nome do tenant')
+    .requiredOption('--slug <slug>', 'slug do tenant')
+    .requiredOption('--customer <customerId>', 'id do customer')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .option('--domain <domain>', 'domínio primário')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runTenantsCreate } = await import('./commands/tenants.js');
+    await runTenantsCreate({
+        name: opts.name,
+        slug: opts.slug,
+        customer: opts.customer,
+        product: opts.product,
+        env: opts.env,
+        domain: opts.domain,
+        json: !!opts.json,
+    });
+});
+tenantsCmd
+    .command('update <id>')
+    .description('Atualiza dados de um tenant existente')
+    .requiredOption('--name <name>', 'nome do tenant')
+    .requiredOption('--slug <slug>', 'slug do tenant')
+    .requiredOption('--customer <customerId>', 'id do customer')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .option('--domain <domain>', 'domínio primário')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsUpdate } = await import('./commands/tenants.js');
+    await runTenantsUpdate(id, {
+        name: opts.name,
+        slug: opts.slug,
+        customer: opts.customer,
+        product: opts.product,
+        env: opts.env,
+        domain: opts.domain,
+        json: !!opts.json,
+    });
+});
+tenantsCmd
+    .command('suspend <id>')
+    .description('Suspende um tenant (destrutivo — confirmação interativa)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsSuspend } = await import('./commands/tenants.js');
+    await runTenantsSuspend(id, { yes: !!opts.yes, force: !!opts.force, json: !!opts.json });
+});
+tenantsCmd
+    .command('reactivate <id>')
+    .description('Reativa um tenant suspenso')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runTenantsReactivate } = await import('./commands/tenants.js');
+    await runTenantsReactivate(id, { json: !!opts.json });
+});
+// ── neetru audit ──────────────────────────────────────────────────────
+const auditCmd = program
+    .command('audit')
+    .description('Control plane — trilha de auditoria do Core (read-only)');
+auditCmd
+    .command('tail')
+    .description('Últimos N eventos de audit_logs (mais recente primeiro)')
+    .option('-n, --limit <n>', 'número de eventos (default 50, max 200)')
+    .option('--action <substring>', 'filtra por substring da ação (ex: billing, tenant.create)')
+    .option('--severity <level>', 'info | warning | critical')
+    .option('--actor <substring>', 'filtra por uid ou email do ator')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runAuditTail } = await import('./commands/audit.js');
+    await runAuditTail({
+        limit: opts.limit,
+        action: opts.action,
+        severity: opts.severity,
+        actor: opts.actor,
+        json: !!opts.json,
+    });
+});
+// ── neetru billing ────────────────────────────────────────────────────
+const billingCmd = program
+    .command('billing')
+    .description('Control plane — billing/contabilidade (read-only)');
+billingCmd
+    .command('summary')
+    .description('Sumário contábil do mês corrente (MRR, invoices, subscriptions)')
+    .option('--year <YYYY>', 'ano (default: corrente)')
+    .option('--month <1-12>', 'mês (default: corrente)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runBillingSummary } = await import('./commands/billing.js');
+    await runBillingSummary({ year: opts.year, month: opts.month, json: !!opts.json });
+});
+// ── neetru servers ────────────────────────────────────────────────────
+const serversCmd = program
+    .command('servers')
+    .description('Control plane — inventário de servers (read-only)');
+serversCmd
+    .command('list')
+    .description('Lista servers (filtros --status / --provider / --capacity)')
+    .option('--status <status>', 'online (operacional + heartbeat fresco)')
+    .option('--provider <provider>', 'hetzner | digitalocean | aws | ...')
+    .option('--capacity', 'inclui colunas de RAM/CPU/disco')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runServersList } = await import('./commands/servers.js');
+    await runServersList({
+        status: opts.status,
+        provider: opts.provider,
+        capacity: !!opts.capacity,
+        json: !!opts.json,
+    });
+});
+serversCmd
+    .command('provision')
+    .description('Provisiona uma VM GCP (admin only) — cria server + registration token')
+    .requiredOption('--name <name>', 'nome do servidor')
+    .requiredOption('--zone <zone>', 'zona GCP (ex: us-central1-a)')
+    .requiredOption('--machine-type <type>', 'machine type GCP (ex: e2-small)')
+    .option('--tenant <tenantId>', 'tenant associado')
+    .option('--customer <customerId>', 'customer associado')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runServersProvision } = await import('./commands/servers.js');
+    await runServersProvision({
+        name: opts.name,
+        zone: opts.zone,
+        machineType: opts.machineType,
+        tenant: opts.tenant,
+        customer: opts.customer,
+        json: !!opts.json,
+    });
+});
+serversCmd
+    .command('deactivate <serverId>')
+    .description('Desativa um server (destrutivo top-tier — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runServersDeactivate } = await import('./commands/servers.js');
+    await runServersDeactivate(id, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+serversCmd
+    .command('dispatch <serverId> <commandType>')
+    .description('Enfileira um comando pro agente Linux do server')
+    .option('--params <json>', 'objeto JSON de params do comando')
+    .option('--json', 'saída em JSON')
+    .action(async (id, commandType, opts) => {
+    const { runServersDispatch } = await import('./commands/servers.js');
+    await runServersDispatch(id, commandType, { params: opts.params, json: !!opts.json });
+});
+// ── neetru workspaces ─────────────────────────────────────────────────
+const workspacesCmd = program
+    .command('workspaces')
+    .description('Control plane — runtime shared de workspaces');
+workspacesCmd
+    .command('create')
+    .description('Cria um workspace (devolve OAuth client secret one-time)')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--customer <customerId>', 'id do customer')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .requiredOption('--tier <tier>', 'dev | standard | enterprise')
+    .option('--name <name>', 'label do workspace')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runWorkspacesCreate } = await import('./commands/workspaces.js');
+    await runWorkspacesCreate({
+        product: opts.product,
+        customer: opts.customer,
+        env: opts.env,
+        tier: opts.tier,
+        name: opts.name,
+        json: !!opts.json,
+    });
+});
+workspacesCmd
+    .command('advance <workspaceId>')
+    .description('Promove uma versão de bundle pra "running" no workspace')
+    .requiredOption('--product <slug>', 'productSlug do bundle')
+    .requiredOption('--version <version>', 'versão do bundle a ativar')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runWorkspacesAdvance } = await import('./commands/workspaces.js');
+    await runWorkspacesAdvance(id, {
+        product: opts.product,
+        version: opts.version,
+        json: !!opts.json,
+    });
+});
+// ── neetru deployments ────────────────────────────────────────────────
+const deploymentsCmd = program
+    .command('deployments')
+    .description('Control plane — recurso deployments/ (paridade com a UI)');
+deploymentsCmd
+    .command('create')
+    .description('Cria um deployment (dispara comando deploy pro agente)')
+    .requiredOption('--product <productId>', 'id do produto')
+    .requiredOption('--tenant <tenantId>', 'id do tenant alvo')
+    .requiredOption('--version <version>', 'versão a deployar')
+    .requiredOption('--env <env>', 'dev | staging | prod')
+    .requiredOption('--server <serverId>', 'id do server alvo')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDeploymentsCreate } = await import('./commands/deployments.js');
+    await runDeploymentsCreate({
+        product: opts.product,
+        tenant: opts.tenant,
+        version: opts.version,
+        env: opts.env,
+        server: opts.server,
+        json: !!opts.json,
+    });
+});
+deploymentsCmd
+    .command('rollback <deploymentId>')
+    .description('Rollback de um deployment (destrutivo top-tier — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runDeploymentsRollback } = await import('./commands/deployments.js');
+    await runDeploymentsRollback(id, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru cloud-run ──────────────────────────────────────────────────
+const cloudRunCmd = program
+    .command('cloud-run')
+    .description('Control plane — serviços Cloud Run (admin only)');
+cloudRunCmd
+    .command('pause <service>')
+    .description('Pausa um serviço Cloud Run (scale-to-zero)')
+    .option('--json', 'saída em JSON')
+    .action(async (service, opts) => {
+    const { runCloudRunPause } = await import('./commands/cloud-run.js');
+    await runCloudRunPause(service, { json: !!opts.json });
+});
+cloudRunCmd
+    .command('resume <service>')
+    .description('Retoma um serviço Cloud Run pausado')
+    .option('--min-instances <n>', 'minInstanceCount')
+    .option('--max-instances <n>', 'maxInstanceCount')
+    .option('--json', 'saída em JSON')
+    .action(async (service, opts) => {
+    const { runCloudRunResume } = await import('./commands/cloud-run.js');
+    await runCloudRunResume(service, {
+        minInstances: opts.minInstances,
+        maxInstances: opts.maxInstances,
+        json: !!opts.json,
+    });
+});
+cloudRunCmd
+    .command('delete <service>')
+    .description('Exclui um serviço Cloud Run (IRREVERSÍVEL — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (service, opts) => {
+    const { runCloudRunDelete } = await import('./commands/cloud-run.js');
+    await runCloudRunDelete(service, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru api-catalog ────────────────────────────────────────────────
+const apiCatalogCmd = program
+    .command('api-catalog')
+    .description('Control plane — registry de APIs versionadas (apis/)');
+apiCatalogCmd
+    .command('create <slug>')
+    .description('Registra uma nova API no catálogo')
+    .requiredOption('--name <name>', 'nome da API')
+    .requiredOption('--base-url <url>', 'base URL')
+    .requiredOption('--version <version>', 'versão')
+    .requiredOption('--auth-method <method>', 'método de auth')
+    .requiredOption('--status <status>', 'status (ex: active | deprecated)')
+    .option('--description <text>', 'descrição')
+    .option('--docs-url <url>', 'URL da documentação')
+    .option('--owner-team <team>', 'time responsável')
+    .option('--contact-email <email>', 'email de contato')
+    .option('--scopes <csv>', 'scopes obrigatórios (separados por vírgula)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogCreate } = await import('./commands/api-catalog.js');
+    await runApiCatalogCreate(slug, {
+        name: opts.name,
+        baseUrl: opts.baseUrl,
+        version: opts.version,
+        authMethod: opts.authMethod,
+        status: opts.status,
+        description: opts.description,
+        docsUrl: opts.docsUrl,
+        ownerTeam: opts.ownerTeam,
+        contactEmail: opts.contactEmail,
+        scopes: opts.scopes,
+        json: !!opts.json,
+    });
+});
+apiCatalogCmd
+    .command('update <slug>')
+    .description('Atualiza uma entrada do catálogo (slug é imutável)')
+    .requiredOption('--name <name>', 'nome da API')
+    .requiredOption('--base-url <url>', 'base URL')
+    .requiredOption('--version <version>', 'versão')
+    .requiredOption('--auth-method <method>', 'método de auth')
+    .requiredOption('--status <status>', 'status (ex: active | deprecated)')
+    .option('--description <text>', 'descrição')
+    .option('--docs-url <url>', 'URL da documentação')
+    .option('--owner-team <team>', 'time responsável')
+    .option('--contact-email <email>', 'email de contato')
+    .option('--scopes <csv>', 'scopes obrigatórios (separados por vírgula)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogUpdate } = await import('./commands/api-catalog.js');
+    await runApiCatalogUpdate(slug, {
+        name: opts.name,
+        baseUrl: opts.baseUrl,
+        version: opts.version,
+        authMethod: opts.authMethod,
+        status: opts.status,
+        description: opts.description,
+        docsUrl: opts.docsUrl,
+        ownerTeam: opts.ownerTeam,
+        contactEmail: opts.contactEmail,
+        scopes: opts.scopes,
+        json: !!opts.json,
+    });
+});
+apiCatalogCmd
+    .command('archive <slug>')
+    .description('Soft-delete de uma API (--unarchive reativa)')
+    .option('--unarchive', 'reativa em vez de arquivar')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogArchive } = await import('./commands/api-catalog.js');
+    await runApiCatalogArchive(slug, {
+        unarchive: !!opts.unarchive,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        json: !!opts.json,
+    });
+});
+apiCatalogCmd
+    .command('delete <slug>')
+    .description('Delete físico de uma API (IRREVERSÍVEL — confirmação + step-up MFA)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runApiCatalogDelete } = await import('./commands/api-catalog.js');
+    await runApiCatalogDelete(slug, {
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru products ───────────────────────────────────────────────────
+const productsCmd = program
+    .command('products')
+    .description('Control plane — registry interno de produtos SaaS (read-only)');
+productsCmd
+    .command('list')
+    .description('Lista produtos internos (registry products/, filtro --status)')
+    .option('--status <status>', 'ativo | beta | descontinuado')
+    .option('--limit <n>', 'máximo de resultados (default 100, max 500)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runProductsList } = await import('./commands/products.js');
+    await runProductsList({ status: opts.status, limit: opts.limit, json: !!opts.json });
+});
+productsCmd
+    .command('publish <slug>')
+    .description('Publica um produto no catálogo público (published=true)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runProductsPublish } = await import('./commands/products.js');
+    await runProductsPublish(slug, { json: !!opts.json });
+});
+productsCmd
+    .command('unpublish <slug>')
+    .description('Remove um produto do catálogo público (published=false)')
+    .option('--json', 'saída em JSON')
+    .action(async (slug, opts) => {
+    const { runProductsUnpublish } = await import('./commands/products.js');
+    await runProductsUnpublish(slug, { json: !!opts.json });
+});
+// ── neetru products db (Phase A — per-product DB isolation) ────────────
+const productsDbCmd = productsCmd
+    .command('db')
+    .description('Bancos de dados isolados por produto (firestore-instance | cloud-sql-* | vm-*)');
+productsDbCmd
+    .command('list')
+    .description('Lista bancos. Filtros: --product-id, --engine, --status')
+    .option('--product-id <id>')
+    .option('--engine <engine>')
+    .option('--status <status>')
+    .option('--json')
+    .action(async (opts) => {
+    const { runDbList } = await import('./commands/products-db.js');
+    await runDbList({
+        productId: opts.productId,
+        engine: opts.engine,
+        status: opts.status,
+        json: !!opts.json,
+    });
+});
+productsDbCmd
+    .command('engines')
+    .description('Lista engines suportados')
+    .option('--json')
+    .action(async (opts) => {
+    const { runDbEngines } = await import('./commands/products-db.js');
+    await runDbEngines({ json: !!opts.json });
+});
+productsDbCmd
+    .command('create')
+    .description('Cria um banco (Phase A: registra + audit; provisionamento real é Phase B)')
+    .requiredOption('--product-id <id>')
+    .requiredOption('--label <label>')
+    .requiredOption('--engine <engine>', 'firestore-instance|cloud-sql-postgres|cloud-sql-mysql|vm-postgres-single|vm-postgres-cluster|vm-mysql-single|vm-mysql-cluster')
+    .requiredOption('--environment <env>', 'dev|staging|production')
+    .option('--region <region>', 'região GCP', 'us-central1')
+    .option('--server-id <serverId>', 'target VM (obrigatório pra engines vm-*)')
+    .option('--replica-count <n>', 'pra engines *-cluster (default 2)')
+    .option('--json')
+    .action(async (opts) => {
+    const { runDbCreate } = await import('./commands/products-db.js');
+    await runDbCreate({
+        productId: opts.productId,
+        label: opts.label,
+        engine: opts.engine,
+        environment: opts.environment,
+        region: opts.region,
+        serverId: opts.serverId,
+        replicaCount: opts.replicaCount,
+        json: !!opts.json,
+    });
+});
+productsDbCmd
+    .command('get <id>')
+    .description('Detalhes de um banco')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbGet } = await import('./commands/products-db.js');
+    await runDbGet(id, { json: !!opts.json });
+});
+productsDbCmd
+    .command('status <id> <status>')
+    .description('Atualiza status (requested|provisioning|active|degraded|failed|archived)')
+    .option('--reason <text>')
+    .option('--json')
+    .action(async (id, status, opts) => {
+    const { runDbStatus } = await import('./commands/products-db.js');
+    await runDbStatus(id, status, { reason: opts.reason, json: !!opts.json });
+});
+productsDbCmd
+    .command('retry <id>')
+    .description('Re-enfileira provisionamento (status failed/degraded → requested)')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbRetry } = await import('./commands/products-db.js');
+    await runDbRetry(id, { json: !!opts.json });
+});
+productsDbCmd
+    .command('rotate <id>')
+    .description('Rotaciona credenciais (admin; Phase A: intent + audit)')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbRotate } = await import('./commands/products-db.js');
+    await runDbRotate(id, { json: !!opts.json });
+});
+productsDbCmd
+    .command('delete <id>')
+    .description('Arquiva o banco (soft-delete; admin)')
+    .option('--json')
+    .action(async (id, opts) => {
+    const { runDbDelete } = await import('./commands/products-db.js');
+    await runDbDelete(id, { json: !!opts.json });
 });
 // ── neetru logs ───────────────────────────────────────────────────────
 program
@@ -332,6 +876,219 @@ program
     const { runAutocomplete } = await import('./commands/autocomplete.js');
     await runAutocomplete(shell);
 });
+// ── neetru agent release ──────────────────────────────────────────────
+const agentCmd = program
+    .command('agent')
+    .description('Operações sobre o binário do Neetru Agent (Linux daemon)');
+agentCmd
+    .command('release')
+    .description('Registra nova release do agente em agent_releases (Firestore)')
+    .requiredOption('--version <semver>', 'versão (ex: 1.2.0 ou 1.2.0-beta.1)')
+    .option('--channel <channel>', 'stable | beta | canary (default: beta)', 'beta')
+    .option('--changelog <text|@file>', 'changelog markdown inline ou "@path" pra ler de arquivo')
+    .option('--min-core <revision>', 'min revision Cloud Run requerida (ex: 00037-qm8)')
+    .option('--binary <arch=path>', 'binário local (sha256+size computados, URL canônica GCS auto-derivada). Repetível.', (val, prev = []) => [...prev, val])
+    .option('--artifact <arch=URL@sha256@sizeBytes>', 'artifact com URL/sha256/size explícitos (não toca FS). Repetível.', (val, prev = []) => [...prev, val])
+    .option('--dry-run', 'imprime payload sem enviar')
+    .action(async (opts) => {
+    const { runAgentRelease } = await import('./commands/agent-release.js');
+    await runAgentRelease({
+        version: opts.version,
+        channel: opts.channel,
+        changelog: opts.changelog,
+        minCore: opts.minCore,
+        binary: opts.binary,
+        artifact: opts.artifact,
+        dryRun: !!opts.dryRun,
+    });
+});
+agentCmd
+    .command('yank <version>')
+    .description('Soft-revoke de uma release do agente (destrutivo top-tier — confirmação + step-up MFA)')
+    .requiredOption('--reason <text>', 'motivo do yank (mínimo 5 caracteres)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (version, opts) => {
+    const { runAgentYank } = await import('./commands/agent-write.js');
+    await runAgentYank(version, {
+        reason: opts.reason,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+const agentCanaryCmd = agentCmd
+    .command('canary')
+    .description('Controla o canary rollout de releases do agente');
+agentCanaryCmd
+    .command('start <version>')
+    .description('Inicia o canary rollout de uma release (phase1 = 5%)')
+    .option('--json', 'saída em JSON')
+    .action(async (version, opts) => {
+    const { runAgentCanaryStart } = await import('./commands/agent-write.js');
+    await runAgentCanaryStart(version, { json: !!opts.json });
+});
+agentCanaryCmd
+    .command('rollback <version>')
+    .description('Rollback do canary de uma release (destrutivo top-tier — confirmação + step-up MFA)')
+    .requiredOption('--reason <text>', 'motivo do rollback (mínimo 5 caracteres)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (version, opts) => {
+    const { runAgentCanaryRollback } = await import('./commands/agent-write.js');
+    await runAgentCanaryRollback(version, {
+        reason: opts.reason,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
+// ── neetru support ───────────────────────────────────────────────────
+const supportCmd = program
+    .command('support')
+    .description('Support tickets — inbox staff via CLI (F5 §4.2.6)');
+const supportTicketsCmd = supportCmd
+    .command('tickets')
+    .description('Operações sobre support_tickets');
+supportTicketsCmd
+    .command('list')
+    .description('Lista tickets com filtros')
+    .option('--status <s>', 'open | in_progress | resolved | closed')
+    .option('--severity <s>', 'sev1 | sev2 | sev3 | sev4')
+    .option('--product <id>', 'filtra por productId')
+    .option('--customer <id>', 'filtra por customerId/tenantId')
+    .option('--breached', 'apenas tickets com SLA estourado')
+    .option('--limit <n>', 'máximo de resultados (default 100, max 500)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runSupportTicketsList } = await import('./commands/support.js');
+    await runSupportTicketsList({
+        status: opts.status,
+        severity: opts.severity,
+        product: opts.product,
+        customer: opts.customer,
+        breached: !!opts.breached,
+        limit: opts.limit,
+        json: !!opts.json,
+    });
+});
+supportTicketsCmd
+    .command('describe <id>')
+    .description('Detalha um ticket + thread de mensagens')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsDescribe } = await import('./commands/support.js');
+    await runSupportTicketsDescribe(id, { json: !!opts.json });
+});
+supportTicketsCmd
+    .command('reply <id>')
+    .description('Anexa mensagem staff ao ticket (transiciona open → in_progress se aplicável)')
+    .requiredOption('--message <text>', 'corpo da mensagem')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsReply } = await import('./commands/support.js');
+    await runSupportTicketsReply(id, { message: opts.message, json: !!opts.json });
+});
+supportTicketsCmd
+    .command('assign <id>')
+    .description('Atribui ticket a um staff (uid)')
+    .requiredOption('--to <staffUid>', 'uid do staff destino')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsAssign } = await import('./commands/support.js');
+    await runSupportTicketsAssign(id, { to: opts.to, json: !!opts.json });
+});
+supportTicketsCmd
+    .command('status <id>')
+    .description('Transiciona status do ticket (FSM)')
+    .requiredOption('--to <status>', 'open | in_progress | resolved | closed')
+    .option('--json', 'saída em JSON')
+    .action(async (id, opts) => {
+    const { runSupportTicketsStatus } = await import('./commands/support.js');
+    await runSupportTicketsStatus(id, { to: opts.to, json: !!opts.json });
+});
+// ── neetru dns ───────────────────────────────────────────────────────
+const dnsCmd = program.command('dns').description('Cloud DNS — managed zones');
+dnsCmd
+    .command('zones')
+    .description('Operações sobre managed zones')
+    .command('list')
+    .description('Lista managed zones do projeto')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDnsZonesList } = await import('./commands/infra-read.js');
+    await runDnsZonesList({ json: !!opts.json });
+});
+// ── neetru hosting ───────────────────────────────────────────────────
+program
+    .command('hosting')
+    .description('Customer domains — hosting setup')
+    .command('list')
+    .description('Lista customer domains com scope de tenant aplicado')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runHostingList } = await import('./commands/infra-read.js');
+    await runHostingList({ json: !!opts.json });
+});
+// ── neetru builds ────────────────────────────────────────────────────
+program
+    .command('builds')
+    .description('Cloud Build — builds live (status + duração)')
+    .command('list')
+    .description('Lista Cloud Builds recentes (global + regional)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runBuildsList } = await import('./commands/infra-read.js');
+    await runBuildsList({ json: !!opts.json });
+});
+// ── neetru dr ────────────────────────────────────────────────────────
+// Disaster Recovery — listar exports + restore assistido (admin + step-up MFA).
+const drCmd = program
+    .command('dr')
+    .description('Disaster Recovery — exports + restore (admin only, RUNBOOK_DR_DRILL)');
+const drExportsCmd = drCmd
+    .command('exports')
+    .description('Operações sobre exports de Firestore em gs://neetru-backups');
+drExportsCmd
+    .command('list')
+    .description('Lista exports disponíveis (sort: mais recente primeiro)')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDrExportsList } = await import('./commands/dr.js');
+    await runDrExportsList({ json: !!opts.json });
+});
+drCmd
+    .command('restore')
+    .description('Dispara restore Firestore (IRREVERSÍVEL no destino — destrutivo top-tier)')
+    .requiredOption('--gcs-path <path>', 'gs://neetru-backups/firestore-exports/<stamp>/')
+    .requiredOption('--target-project <project>', 'projeto GCP de destino (deve ser STAGING)')
+    .option('--yes', 'pula a confirmação interativa (modo script)')
+    .option('--force', 'alias de --yes')
+    .option('--dry-run', 'valida e mostra o efeito sem aplicar')
+    .option('--mfa-token <code>', 'código TOTP para step-up MFA')
+    .option('--json', 'saída em JSON')
+    .action(async (opts) => {
+    const { runDrRestore } = await import('./commands/dr.js');
+    await runDrRestore({
+        gcsPath: opts.gcsPath,
+        targetProject: opts.targetProject,
+        yes: !!opts.yes,
+        force: !!opts.force,
+        dryRun: !!opts.dryRun,
+        mfaToken: opts.mfaToken,
+        json: !!opts.json,
+    });
+});
 // ── parse ─────────────────────────────────────────────────────────────
 program.parse(process.argv);
 if (!process.argv.slice(2).length) {