@optima-chat/dev-skills 0.7.20 → 0.7.22

package/.claude/commands/logs.md

@@ -32,6 +32,10 @@
   - `commerce-rq-worker` - RQ 后台任务
   - `commerce-rq-scheduler` - RQ 定时调度
   - `optima-logistics` - 物流服务（仅 Stage/Prod）
+  - `billing` - 计费服务（仅 Stage/Prod）
+  - `browser-backend` - 浏览器自动化服务（仅 Stage/Prod）
+  - `optima-generation` - 内容生成服务（仅 Stage/Prod）
+  - `optima-generation-worker` - 内容生成 Worker（仅 Stage/Prod）
 - `lines` (可选): 显示行数，默认 50
 - `environment` (可选): 环境，默认 ci
   - `ci` - CI 持续集成环境（开发环境，默认）
@@ -128,6 +132,10 @@ aws logs get-log-events --log-group-name /ecs/commerce-backend-stage --log-strea
 - `commerce-rq-worker` → `/ecs/commerce-rq-worker-stage`
 - `commerce-rq-scheduler` → `/ecs/commerce-rq-scheduler-stage`
 - `optima-logistics` → `/ecs/optima-logistics-stage`
+- `billing` → `/ecs/billing-stage`
+- `browser-backend` → `/ecs/browser-backend-stage`
+- `optima-generation` → `/ecs/optima-generation-stage`
+- `optima-generation-worker` → `/ecs/optima-generation-worker-stage`
 
 ### 2. Prod 环境（environment = "prod"）
 
@@ -167,6 +175,10 @@ aws logs get-log-events --log-group-name /ecs/commerce-backend-prod --log-stream
 - `commerce-rq-worker` → `/ecs/commerce-rq-worker-prod`
 - `commerce-rq-scheduler` → `/ecs/commerce-rq-scheduler-prod`
 - `optima-logistics` → `/ecs/optima-logistics-prod`
+- `billing` → `/ecs/billing-prod`
+- `browser-backend` → `/ecs/browser-backend-prod`
+- `optima-generation` → `/ecs/optima-generation-prod`
+- `optima-generation-worker` → `/ecs/optima-generation-worker-prod`
 
 **注意**: `optima-store` 仅在 Stage 环境部署
 

package/.claude/commands/query-db.md

@@ -47,6 +47,10 @@ optima-query-db commerce-backend "SELECT * FROM products LIMIT 5" prod
   - `agentic-chat` - AI 聊天服务数据库
   - `bi-backend` - BI 后端数据库
   - `session-gateway` - AI Shell 网关数据库
+  - `optima-logistics` - 物流服务数据库
+  - `billing` - 计费服务数据库
+  - `browser-backend` - 浏览器自动化服务数据库
+  - `optima-generation` - 内容生成服务数据库
 - `sql` (必需): SQL 查询语句（用引号包裹）
 - `environment` (可选): 环境，默认 ci
   - `ci` - CI 持续集成环境（开发环境，默认）
@@ -245,9 +249,22 @@ pkill -f "ssh.*15432:${DATABASE_HOST}:5432"
   - 用户: Infisical `AI_SHELL_DB_USER`
   - 密码: Infisical `AI_SHELL_DB_PASSWORD`
 
+- `billing`:
+  - 数据库: `optima_billing_stage`
+  - 凭证: Infisical `/services/billing` → `DATABASE_URL`
+
+- `browser-backend`:
+  - 数据库: `optima_stage_browser`
+  - 凭证: Infisical `/services/browser-backend` → `DATABASE_URL`
+
+- `optima-generation`:
+  - 数据库: `optima_generation_stage`
+  - 凭证: Infisical `/services/optima-generation` → `DATABASE_URL`
+
 **说明**:
 - Infisical 配置从 GitHub Variables 获取
 - 数据库密钥从 Infisical 动态获取（项目: optima-secrets-v2, 环境: staging, 路径: /shared-secrets/database-users）
+- billing、browser-backend、optima-generation 的凭证存在各自服务路径的 DATABASE_URL 中
 - Stage RDS: `optima-stage-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com`
 - Shared EC2 IP: `3.0.210.113`
 - SSH 隧道: 本地端口 `15432` → Shared EC2 → Stage RDS `5432`
@@ -343,9 +360,22 @@ pkill -f "ssh.*15433:${DATABASE_HOST}:5432"
   - 用户: Infisical `AI_SHELL_DB_USER`
   - 密码: Infisical `AI_SHELL_DB_PASSWORD`
 
+- `billing`:
+  - 数据库: `optima_billing`
+  - 凭证: Infisical `/services/billing` → `DATABASE_URL`
+
+- `browser-backend`:
+  - 数据库: `optima_browser`
+  - 凭证: Infisical `/services/browser-backend` → `DATABASE_URL`
+
+- `optima-generation`:
+  - 数据库: `optima_generation`
+  - 凭证: Infisical `/services/optima-generation` → `DATABASE_URL`
+
 **说明**:
 - Infisical 配置从 GitHub Variables 获取
 - 数据库密钥从 Infisical 动态获取（项目: optima-secrets-v2, 环境: prod, 路径: /shared-secrets/database-users）
+- billing、browser-backend、optima-generation 的凭证存在各自服务路径的 DATABASE_URL 中
 - Prod RDS: `optima-prod-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com`
 - Shared EC2 IP: `3.0.210.113`
 - SSH 隧道: 本地端口 `15433` → Shared EC2 → Prod RDS `5432`

package/.claude/commands/restart-ecs.md

@@ -31,6 +31,10 @@
   - `optima-scout` - 产品研究工具
   - `ai-shell-web-ui` - Shell Web UI
   - `optima-store` - 商城前端（仅 Stage）
+  - `billing` - 计费服务
+  - `browser-backend` - 浏览器自动化服务
+  - `optima-generation` - 内容生成服务
+  - `optima-generation-worker` - 内容生成 Worker
   - `pgbouncer` - 连接池（仅 Stage）
 - `environment` (可选): 环境，默认 stage
   - `stage` - Stage 预发布环境（默认，更安全）
@@ -93,6 +97,10 @@ aws ecs update-service \
 - `optima-scout-stage`
 - `ai-shell-web-ui-stage`
 - `optima-store-stage`
+- `billing-stage`
+- `browser-backend-stage`
+- `optima-generation-stage`
+- `optima-generation-worker-stage`
 - `pgbouncer-stage`
 
 ### 2. Prod 环境重启（environment = "prod"）
@@ -126,6 +134,10 @@ aws ecs update-service \
 - `bi-dashboard-prod`
 - `optima-scout-prod`
 - `ai-shell-web-ui-prod`
+- `billing-prod`
+- `browser-backend-prod`
+- `optima-generation-prod`
+- `optima-generation-worker-prod`
 
 **注意**: `optima-store` 和 `pgbouncer` 仅在 Stage 环境部署
 

package/.claude/settings.local.json

@@ -0,0 +1,51 @@
+{
+  "permissions": {
+    "allow": [
+      "WebSearch",
+      "WebFetch(domain:code.claude.com)",
+      "WebFetch(domain:platform.claude.com)",
+      "WebFetch(domain:github.com)",
+      "Bash(gh repo view:*)",
+      "Bash(gh repo clone:*)",
+      "Bash(gh repo list:*)",
+      "Read(//private/tmp/optima-docs/**)",
+      "Read(//tmp/optima-docs/**)",
+      "Bash(git init:*)",
+      "Bash(gh repo create:*)",
+      "Read(//private/tmp/optima-workspace/**)",
+      "Read(//tmp/optima-workspace/**)",
+      "Read(//tmp/optima-workspace/.claude/commands/**)",
+      "Bash(git add:*)",
+      "Bash(git push:*)",
+      "Bash(find:*)",
+      "Bash(git commit:*)",
+      "Bash(aws logs get-log-events:*)",
+      "Bash(npm install:*)",
+      "Bash(optima-dev-skills:*)",
+      "Bash(optima-generate-test-token:*)",
+      "Bash(optima-query-db:*)",
+      "Bash(gh variable set:*)",
+      "Bash(npm publish:*)",
+      "Bash(python3:*)",
+      "Bash(gh api:*)",
+      "Bash(curl -s http://auth.optima.chat/openapi.json)",
+      "Bash(curl -s https://auth.optima.chat/openapi.json)",
+      "Bash(cat:*)",
+      "Bash(node /Users/verypro/optima-dev-skills/scripts/install.js:*)",
+      "Bash(aws logs tail:*)",
+      "Bash(grep:*)",
+      "Bash(npm view:*)",
+      "Bash(npm version:*)",
+      "Bash(git checkout:*)",
+      "Bash(git pull:*)",
+      "Bash(node scripts/install.js:*)",
+      "Bash(gh issue:*)",
+      "Bash(npm run:*)",
+      "Bash(gh pr:*)",
+      "Bash(node:*)",
+      "Bash(echo \"exit: $?\")"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

package/bin/cli.js

@@ -38,6 +38,7 @@ switch (command) {
 
     log('\nSupported Services:', 'yellow');
     log('  commerce-backend  user-auth  mcp-host  agentic-chat  optima-logistics', 'cyan');
+    log('  optima-scout  billing  browser-backend  optima-generation', 'cyan');
 
     log('\nEnvironments:', 'yellow');
     log('  stage (default)   prod', 'cyan');

package/bin/helpers/db-utils.ts

@@ -0,0 +1,143 @@
+import { execSync } from 'child_process';
+import * as fs from 'fs';
+
+// ─── Types ──────────────────────────────────────────────────────────────────
+export interface InfisicalConfig { url: string; clientId: string; clientSecret: string; projectId: string }
+
+export interface DBConnection {
+  host: string;
+  port: number;
+  user: string;
+  password: string;
+  database: string;
+}
+
+// ─── Constants ──────────────────────────────────────────────────────────────
+export const RDS_HOSTS: Record<string, string> = {
+  stage: 'optima-stage-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+  prod:  'optima-prod-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+};
+
+const EC2_HOST = '3.0.210.113';
+
+// ─── SQL escaping ───────────────────────────────────────────────────────────
+/** Escape a string value for safe inclusion in SQL single-quoted literals. */
+export function escapeSQL(value: string): string {
+  return value.replace(/'/g, "''").replace(/\\/g, '\\\\');
+}
+
+// ─── GitHub Variables ───────────────────────────────────────────────────────
+export function getGitHubVariable(name: string): string {
+  return execSync(`gh variable get ${name} -R Optima-Chat/optima-dev-skills`, { encoding: 'utf-8' }).trim();
+}
+
+// ─── Infisical ──────────────────────────────────────────────────────────────
+export function getInfisicalConfig(): InfisicalConfig {
+  return {
+    url: getGitHubVariable('INFISICAL_URL'),
+    clientId: getGitHubVariable('INFISICAL_CLIENT_ID'),
+    clientSecret: getGitHubVariable('INFISICAL_CLIENT_SECRET'),
+    projectId: getGitHubVariable('INFISICAL_PROJECT_ID'),
+  };
+}
+
+export function getInfisicalToken(config: InfisicalConfig): string {
+  const response = execSync(
+    `curl -s -X POST "${config.url}/api/v1/auth/universal-auth/login" -H "Content-Type: application/json" -d '{"clientId": "${config.clientId}", "clientSecret": "${config.clientSecret}"}'`,
+    { encoding: 'utf-8' }
+  );
+  return JSON.parse(response).accessToken;
+}
+
+export function getInfisicalSecrets(config: InfisicalConfig, token: string, environment: string, secretPath: string): Record<string, string> {
+  const response = execSync(
+    `curl -s "${config.url}/api/v3/secrets/raw?workspaceId=${config.projectId}&environment=${environment}&secretPath=${secretPath}" -H "Authorization: Bearer ${token}"`,
+    { encoding: 'utf-8' }
+  );
+  const data = JSON.parse(response);
+  const secrets: Record<string, string> = {};
+  for (const secret of data.secrets || []) {
+    secrets[secret.secretKey] = secret.secretValue;
+  }
+  return secrets;
+}
+
+// ─── Database URL parsing ───────────────────────────────────────────────────
+export function parseDatabaseUrl(url: string): { user: string; password: string; host: string; port: number; database: string } {
+  const match = url.match(/^postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/);
+  if (!match) throw new Error('Failed to parse DATABASE_URL (format: postgresql://user:pass@host:port/db)');
+  return { user: decodeURIComponent(match[1]), password: decodeURIComponent(match[2]), host: match[3], port: parseInt(match[4], 10), database: match[5] };
+}
+
+// ─── SSH tunnel ─────────────────────────────────────────────────────────────
+export function setupSSHTunnel(dbHost: string, localPort: number): void {
+  try { execSync(`lsof -ti:${localPort}`, { stdio: 'ignore' }); return; } catch { /* need tunnel */ }
+  const sshKeyPath = `${process.env.HOME}/.ssh/optima-ec2-key`;
+  if (!fs.existsSync(sshKeyPath)) throw new Error(`SSH key not found: ${sshKeyPath}. Please obtain optima-ec2-key from xbfool.`);
+  console.log(`Creating SSH tunnel: localhost:${localPort} -> ${EC2_HOST} -> ${dbHost}:5432`);
+  execSync(`ssh -i ${sshKeyPath} -f -N -o StrictHostKeyChecking=no -L ${localPort}:${dbHost}:5432 ec2-user@${EC2_HOST}`, { stdio: 'inherit' });
+}
+
+// ─── psql ───────────────────────────────────────────────────────────────────
+function findPsqlPath(): string {
+  try {
+    const result = execSync('which psql', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'] });
+    if (result.trim()) return result.trim();
+  } catch { /* fallback */ }
+  const paths = ['/usr/local/opt/postgresql@16/bin/psql', '/usr/local/opt/postgresql@15/bin/psql', '/opt/homebrew/bin/psql', '/usr/bin/psql', '/usr/local/bin/psql'];
+  for (const p of paths) { if (fs.existsSync(p)) return p; }
+  throw new Error('PostgreSQL client (psql) not found. Install with: brew install postgresql@16');
+}
+
+export function queryDB(conn: DBConnection, sql: string): string {
+  const psql = findPsqlPath();
+  return execSync(`"${psql}" -h ${conn.host} -p ${conn.port} -U ${conn.user} -d ${conn.database} -t -A --quiet -c "${sql.replace(/"/g, '\\"')}"`, {
+    encoding: 'utf-8',
+    env: { ...process.env, PGPASSWORD: conn.password },
+  }).trim();
+}
+
+// ─── High-level connection helpers ──────────────────────────────────────────
+
+/** Connect to user-auth DB and return a query function. */
+export async function connectAuthDB(env: string, infisicalConfig: InfisicalConfig, token: string): Promise<{ query: (sql: string) => string }> {
+  const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+  const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
+  const host = RDS_HOSTS[env as 'stage' | 'prod'];
+  const port = env === 'stage' ? 15432 : 15433;
+
+  setupSSHTunnel(host, port);
+  await new Promise(r => setTimeout(r, 1000));
+
+  const conn: DBConnection = { host: 'localhost', port, user: secrets['AUTH_DB_USER'], password: secrets['AUTH_DB_PASSWORD'], database: 'optima_auth' };
+  return { query: (sql: string) => queryDB(conn, sql) };
+}
+
+/** Connect to billing DB and return a query function. */
+export async function connectBillingDB(env: string, infisicalConfig: InfisicalConfig, token: string): Promise<{ query: (sql: string) => string }> {
+  const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+  const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/services/billing');
+  const dbUrl = secrets['DATABASE_URL'];
+  if (!dbUrl) throw new Error('DATABASE_URL not found for billing service');
+
+  const parsed = parseDatabaseUrl(dbUrl);
+  const port = env === 'stage' ? 15434 : 15435;
+  setupSSHTunnel(parsed.host, port);
+  await new Promise(r => setTimeout(r, 1000));
+
+  const conn: DBConnection = { host: 'localhost', port, user: parsed.user, password: parsed.password, database: parsed.database };
+  return { query: (sql: string) => queryDB(conn, sql) };
+}
+
+/** Look up user_id by email from user-auth DB. Throws if not found. */
+export async function resolveUserId(email: string, env: string, infisicalConfig: InfisicalConfig, token: string): Promise<string> {
+  console.log(`Looking up user by email: ${email}`);
+  const auth = await connectAuthDB(env, infisicalConfig, token);
+  const userId = auth.query(`SELECT id FROM users WHERE email='${escapeSQL(email)}' LIMIT 1`);
+  if (!userId) {
+    console.error(`❌ User not found: ${email}`);
+    process.exit(1);
+  }
+  console.log(`✓ Found user: ${userId}`);
+  return userId;
+}

package/bin/helpers/grant-credits.ts

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+
+import { getInfisicalConfig, getInfisicalToken, resolveUserId, connectBillingDB, escapeSQL } from './db-utils';
+
+function parseArgs(args: string[]): { email: string; amount: number; type: string; description: string | null; env: string } {
+  if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+    console.log(`Usage: optima-grant-credits <email> --amount <n> [options]
+
+Options:
+  --amount <n>          Credits to grant (required)
+  --type <type>         Credit type: bonus, referral (default: bonus)
+  --description <text>  Description (optional)
+  --env <env>           Environment: stage, prod (default: stage)
+  -h, --help            Show this help`);
+    process.exit(0);
+  }
+
+  const email = args[0];
+  let amount = 0;
+  let type = 'bonus';
+  let description: string | null = null;
+  let env = 'stage';
+
+  for (let i = 1; i < args.length; i++) {
+    if (args[i] === '--amount' && args[i + 1]) { amount = parseInt(args[++i], 10); }
+    else if (args[i] === '--type' && args[i + 1]) { type = args[++i]; }
+    else if (args[i] === '--description' && args[i + 1]) { description = args[++i]; }
+    else if (args[i] === '--env' && args[i + 1]) { env = args[++i]; }
+  }
+
+  if (amount < 1) { console.error('--amount is required and must be >= 1'); process.exit(1); }
+  if (!['bonus', 'referral'].includes(type)) { console.error(`Unknown type: ${type}. Available: bonus, referral`); process.exit(1); }
+  if (!['stage', 'prod'].includes(env)) { console.error('Env must be stage or prod (billing DB not available in CI)'); process.exit(1); }
+
+  return { email, amount, type, description, env };
+}
+
+async function main() {
+  const { email, amount, type, description, env } = parseArgs(process.argv.slice(2));
+  const infisicalConfig = getInfisicalConfig();
+  const token = getInfisicalToken(infisicalConfig);
+
+  console.log(`\n🎁 Granting ${amount} ${type} credits to ${email} [${env.toUpperCase()}]\n`);
+
+  const userId = await resolveUserId(email, env, infisicalConfig, token);
+  const billing = await connectBillingDB(env, infisicalConfig, token);
+  const bq = billing.query;
+
+  const now = new Date().toISOString();
+  const safeUserId = escapeSQL(userId);
+  const safeType = escapeSQL(type);
+  const safeDesc = escapeSQL(description || `Admin ${type} credit grant`);
+
+  console.log(`Inserting ${amount} ${type} credits...`);
+  const ledgerId = bq(`INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, created_at) VALUES (concat('crd_${safeType}_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safeType}', '${safeDesc}', ${amount}, ${amount}, '${now}') RETURNING id`);
+  console.log(`✓ Credits granted (ledger ID: ${ledgerId})`);
+
+  const balance = bq(`SELECT COALESCE(SUM(remaining), 0) FROM credit_ledger WHERE user_id='${safeUserId}' AND remaining > 0 AND (expires_at IS NULL OR expires_at > NOW())`);
+  console.log(`\n✅ Done! ${email} now has ${balance} total credits\n`);
+}
+
+main().catch(error => {
+  console.error('\n❌ Error:', error.message);
+  process.exit(1);
+});

package/bin/helpers/grant-subscription.ts

@@ -0,0 +1,122 @@
+#!/usr/bin/env node
+
+import { getInfisicalConfig, getInfisicalToken, resolveUserId, connectBillingDB, escapeSQL } from './db-utils';
+
+function parseArgs(args: string[]): { email: string; plan: string; months: number; env: string } {
+  if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+    console.log(`Usage: optima-grant-subscription <email> [options]
+
+Options:
+  --plan <id>       Plan: free, pro, enterprise (default: enterprise)
+  --months <n>      Duration in months (default: 1)
+  --env <env>       Environment: stage, prod (default: stage)
+  -h, --help        Show this help`);
+    process.exit(0);
+  }
+
+  const email = args[0];
+  let plan = 'enterprise';
+  let months = 1;
+  let env = 'stage';
+
+  for (let i = 1; i < args.length; i++) {
+    if (args[i] === '--plan' && args[i + 1]) { plan = args[++i]; }
+    else if (args[i] === '--months' && args[i + 1]) { months = parseInt(args[++i], 10); }
+    else if (args[i] === '--env' && args[i + 1]) { env = args[++i]; }
+  }
+
+  if (!['free', 'pro', 'enterprise'].includes(plan)) {
+    console.error(`Unknown plan: ${plan}. Available: free, pro, enterprise`);
+    process.exit(1);
+  }
+  if (months < 1) { console.error('Months must be >= 1'); process.exit(1); }
+  if (!['stage', 'prod'].includes(env)) { console.error('Env must be stage or prod (billing DB not available in CI)'); process.exit(1); }
+
+  return { email, plan, months, env };
+}
+
+async function main() {
+  const { email, plan, months, env } = parseArgs(process.argv.slice(2));
+  const infisicalConfig = getInfisicalConfig();
+  const token = getInfisicalToken(infisicalConfig);
+
+  console.log(`\n🎁 Granting ${plan} subscription to ${email} for ${months} month(s) [${env.toUpperCase()}]\n`);
+
+  const userId = await resolveUserId(email, env, infisicalConfig, token);
+  const billing = await connectBillingDB(env, infisicalConfig, token);
+  const bq = billing.query;
+
+  // Read plan config from DB
+  console.log(`Loading plan config: ${plan}`);
+  const planRow = bq(`SELECT name, monthly_credits, session_token_limit, weekly_token_limit FROM plans WHERE id='${escapeSQL(plan)}'`);
+  if (!planRow) { console.error(`❌ Plan not found in DB: ${plan}`); process.exit(1); }
+
+  const [planName, monthlyCreditsStr, sessionTokenLimitStr, weeklyTokenLimitStr] = planRow.split('|');
+  const monthlyCredits = parseInt(monthlyCreditsStr, 10);
+  const sessionTokenLimit = parseInt(sessionTokenLimitStr, 10);
+  const weeklyTokenLimit = parseInt(weeklyTokenLimitStr, 10);
+  console.log(`✓ Plan: ${planName} (credits: ${monthlyCredits}, session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+
+  // Execute all mutations in a single transaction
+  const now = new Date().toISOString();
+  const periodEnd = new Date();
+  periodEnd.setMonth(periodEnd.getMonth() + months);
+  const periodEndISO = periodEnd.toISOString();
+  const sessionEnd = new Date(new Date().getTime() + 5 * 60 * 60 * 1000).toISOString();
+  const weekEnd = new Date(new Date().getTime() + 7 * 24 * 60 * 60 * 1000).toISOString();
+
+  const safeUserId = escapeSQL(userId);
+  const safePlan = escapeSQL(plan);
+  const safePlanName = escapeSQL(planName);
+
+  console.log('Executing transaction...');
+  const txSQL = `
+BEGIN;
+
+-- Cancel active subscriptions
+UPDATE subscriptions SET status='canceled', canceled_at='${now}'
+WHERE user_id='${safeUserId}' AND status IN ('active','trialing');
+
+-- Zero out old subscription credits
+UPDATE credit_ledger SET remaining=0
+WHERE user_id='${safeUserId}' AND type IN ('monthly_grant','subscription') AND remaining > 0;
+
+-- Create new subscription
+INSERT INTO subscriptions (id, user_id, plan_id, status, billing_interval, current_period_start, current_period_end, created_at, updated_at)
+VALUES (concat('sub_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'active', 'monthly', '${now}', '${periodEndISO}', '${now}', '${now}');
+
+-- Grant monthly credits
+INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, expires_at, created_at)
+SELECT concat('crd_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', 'subscription', '${safePlanName} plan gift (${months} month)', ${monthlyCredits}, ${monthlyCredits}, '${periodEndISO}', '${now}'
+WHERE ${monthlyCredits} > 0;
+
+-- Upsert session token quota
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+VALUES (concat('tq_sess_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'session', ${sessionTokenLimit}, 0, '${now}', '${sessionEnd}', '${now}', '${now}')
+ON CONFLICT (user_id, period_type, period_start) DO UPDATE SET plan_id='${safePlan}', monthly_limit=${sessionTokenLimit}, updated_at='${now}';
+
+-- Upsert weekly token quota
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+VALUES (concat('tq_week_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'weekly', ${weeklyTokenLimit}, 0, '${now}', '${weekEnd}', '${now}', '${now}')
+ON CONFLICT (user_id, period_type, period_start) DO UPDATE SET plan_id='${safePlan}', monthly_limit=${weeklyTokenLimit}, updated_at='${now}';
+
+COMMIT;
+  `.trim();
+
+  bq(txSQL);
+
+  console.log('✓ Old subscriptions canceled');
+  console.log('✓ Old credits cleared');
+  console.log(`✓ ${planName} subscription created (expires: ${periodEnd.toLocaleDateString()})`);
+  if (monthlyCredits > 0) {
+    console.log(`✓ ${monthlyCredits} credits granted`);
+  }
+  console.log(`✓ Token quotas updated (session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+
+  console.log(`\n✅ Done! ${email} now has ${planName} plan until ${periodEnd.toLocaleDateString()}\n`);
+}
+
+main().catch(error => {
+  console.error('\n❌ Error:', error.message);
+  process.exit(1);
+});

package/bin/helpers/query-db.ts

@@ -47,6 +47,21 @@ const SERVICE_DB_MAP = {
     ci: null,
     stage: { userKey: 'LOGISTICS_DB_USER', passwordKey: 'LOGISTICS_DB_PASSWORD', database: 'optima_stage_logistics' },
     prod: { userKey: 'LOGISTICS_DB_USER', passwordKey: 'LOGISTICS_DB_PASSWORD', database: 'optima_logistics' }
+  },
+  'billing': {
+    ci: null,
+    stage: { databaseUrlPath: '/services/billing', databaseUrlKey: 'DATABASE_URL' },
+    prod: { databaseUrlPath: '/services/billing', databaseUrlKey: 'DATABASE_URL' }
+  },
+  'browser-backend': {
+    ci: null,
+    stage: { databaseUrlPath: '/services/browser-backend', databaseUrlKey: 'DATABASE_URL' },
+    prod: { databaseUrlPath: '/services/browser-backend', databaseUrlKey: 'DATABASE_URL' }
+  },
+  'optima-generation': {
+    ci: null,
+    stage: { databaseUrlPath: '/services/optima-generation', databaseUrlKey: 'DATABASE_URL' },
+    prod: { databaseUrlPath: '/services/optima-generation', databaseUrlKey: 'DATABASE_URL' }
   }
 };
 
@@ -59,6 +74,21 @@ const RDS_HOSTS = {
 // 统一使用 BI Data ARM Host 作为跳板机
 const EC2_HOST = '3.0.210.113';
 
+function parseDatabaseUrl(url: string): { user: string; password: string; host: string; port: number; database: string } {
+  // postgresql://user:password@host:port/database?params
+  const match = url.match(/^postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/);
+  if (!match) {
+    throw new Error(`Failed to parse DATABASE_URL: ${url}`);
+  }
+  return {
+    user: decodeURIComponent(match[1]),
+    password: decodeURIComponent(match[2]),
+    host: match[3],
+    port: parseInt(match[4]),
+    database: match[5]
+  };
+}
+
 function getGitHubVariable(name: string): string {
   return execSync(`gh variable get ${name} -R Optima-Chat/optima-dev-skills`, { encoding: 'utf-8' }).trim();
 }
@@ -179,7 +209,7 @@ async function main() {
   if (args.length < 2) {
     console.error('Usage: query-db.ts <service> <sql> [environment]');
     console.error('');
-    console.error('Services: commerce-backend, user-auth, agentic-chat, bi-backend, session-gateway');
+    console.error('Services: commerce-backend, user-auth, agentic-chat, bi-backend, session-gateway, optima-logistics, billing, browser-backend, optima-generation');
     console.error('Environments: ci (default), stage, prod');
     console.error('');
     console.error('Example: query-db.ts user-auth "SELECT COUNT(*) FROM users" prod');
@@ -228,19 +258,42 @@ async function main() {
     const token = getInfisicalToken(infisicalConfig);
     console.log('✓ Obtained Infisical access token');
 
-    // 数据库凭证存储在 Infisical 的 /shared-secrets/database-users 路径
-    // Stage 从 staging 环境读取，Prod 从 prod 环境读取
     const infisicalEnv = environment === 'stage' ? 'staging' : 'prod';
-    const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
-    console.log('✓ Retrieved database credentials from Infisical');
-
-    const { userKey, passwordKey, database } = serviceConfig as any;
-    const dbHost = RDS_HOSTS[environment as 'stage' | 'prod'];
-    const dbUser = secrets[userKey];
-    const dbPassword = secrets[passwordKey];
-
-    if (!dbUser || !dbPassword) {
-      throw new Error(`Database credentials not found in Infisical for ${service}. Keys: ${userKey}, ${passwordKey}`);
+    let dbUser: string;
+    let dbPassword: string;
+    let dbHost: string;
+    let database: string;
+
+    if ('databaseUrlPath' in (serviceConfig as any)) {
+      // 从服务路径获取 DATABASE_URL 并解析
+      const { databaseUrlPath, databaseUrlKey } = serviceConfig as any;
+      const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, databaseUrlPath);
+      console.log(`✓ Retrieved DATABASE_URL from Infisical (path: ${databaseUrlPath})`);
+
+      const databaseUrl = secrets[databaseUrlKey];
+      if (!databaseUrl) {
+        throw new Error(`DATABASE_URL not found in Infisical at ${databaseUrlPath}`);
+      }
+
+      const parsed = parseDatabaseUrl(databaseUrl);
+      dbUser = parsed.user;
+      dbPassword = parsed.password;
+      dbHost = parsed.host;
+      database = parsed.database;
+    } else {
+      // 从 shared-secrets/database-users 获取凭证
+      const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
+      console.log('✓ Retrieved database credentials from Infisical');
+
+      const { userKey, passwordKey } = serviceConfig as any;
+      database = (serviceConfig as any).database;
+      dbHost = RDS_HOSTS[environment as 'stage' | 'prod'];
+      dbUser = secrets[userKey];
+      dbPassword = secrets[passwordKey];
+
+      if (!dbUser || !dbPassword) {
+        throw new Error(`Database credentials not found in Infisical for ${service}. Keys: ${userKey}, ${passwordKey}`);
+      }
     }
 
     const localPort = environment === 'stage' ? 15432 : 15433;

package/bin/helpers/show-env.ts

@@ -20,7 +20,10 @@ const SUPPORTED_SERVICES = [
   'optima-scout',
   'mcp-host',
   'shopify-backend',
-  'optima-logistics'
+  'optima-logistics',
+  'billing',
+  'browser-backend',
+  'optima-generation'
 ];
 
 // 环境到 Infisical environment 的映射

package/dist/bin/helpers/db-utils.js

@@ -0,0 +1,166 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RDS_HOSTS = void 0;
+exports.escapeSQL = escapeSQL;
+exports.getGitHubVariable = getGitHubVariable;
+exports.getInfisicalConfig = getInfisicalConfig;
+exports.getInfisicalToken = getInfisicalToken;
+exports.getInfisicalSecrets = getInfisicalSecrets;
+exports.parseDatabaseUrl = parseDatabaseUrl;
+exports.setupSSHTunnel = setupSSHTunnel;
+exports.queryDB = queryDB;
+exports.connectAuthDB = connectAuthDB;
+exports.connectBillingDB = connectBillingDB;
+exports.resolveUserId = resolveUserId;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+// ─── Constants ──────────────────────────────────────────────────────────────
+exports.RDS_HOSTS = {
+    stage: 'optima-stage-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+    prod: 'optima-prod-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+};
+const EC2_HOST = '3.0.210.113';
+// ─── SQL escaping ───────────────────────────────────────────────────────────
+/** Escape a string value for safe inclusion in SQL single-quoted literals. */
+function escapeSQL(value) {
+    return value.replace(/'/g, "''").replace(/\\/g, '\\\\');
+}
+// ─── GitHub Variables ───────────────────────────────────────────────────────
+function getGitHubVariable(name) {
+    return (0, child_process_1.execSync)(`gh variable get ${name} -R Optima-Chat/optima-dev-skills`, { encoding: 'utf-8' }).trim();
+}
+// ─── Infisical ──────────────────────────────────────────────────────────────
+function getInfisicalConfig() {
+    return {
+        url: getGitHubVariable('INFISICAL_URL'),
+        clientId: getGitHubVariable('INFISICAL_CLIENT_ID'),
+        clientSecret: getGitHubVariable('INFISICAL_CLIENT_SECRET'),
+        projectId: getGitHubVariable('INFISICAL_PROJECT_ID'),
+    };
+}
+function getInfisicalToken(config) {
+    const response = (0, child_process_1.execSync)(`curl -s -X POST "${config.url}/api/v1/auth/universal-auth/login" -H "Content-Type: application/json" -d '{"clientId": "${config.clientId}", "clientSecret": "${config.clientSecret}"}'`, { encoding: 'utf-8' });
+    return JSON.parse(response).accessToken;
+}
+function getInfisicalSecrets(config, token, environment, secretPath) {
+    const response = (0, child_process_1.execSync)(`curl -s "${config.url}/api/v3/secrets/raw?workspaceId=${config.projectId}&environment=${environment}&secretPath=${secretPath}" -H "Authorization: Bearer ${token}"`, { encoding: 'utf-8' });
+    const data = JSON.parse(response);
+    const secrets = {};
+    for (const secret of data.secrets || []) {
+        secrets[secret.secretKey] = secret.secretValue;
+    }
+    return secrets;
+}
+// ─── Database URL parsing ───────────────────────────────────────────────────
+function parseDatabaseUrl(url) {
+    const match = url.match(/^postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/);
+    if (!match)
+        throw new Error('Failed to parse DATABASE_URL (format: postgresql://user:pass@host:port/db)');
+    return { user: decodeURIComponent(match[1]), password: decodeURIComponent(match[2]), host: match[3], port: parseInt(match[4], 10), database: match[5] };
+}
+// ─── SSH tunnel ─────────────────────────────────────────────────────────────
+function setupSSHTunnel(dbHost, localPort) {
+    try {
+        (0, child_process_1.execSync)(`lsof -ti:${localPort}`, { stdio: 'ignore' });
+        return;
+    }
+    catch { /* need tunnel */ }
+    const sshKeyPath = `${process.env.HOME}/.ssh/optima-ec2-key`;
+    if (!fs.existsSync(sshKeyPath))
+        throw new Error(`SSH key not found: ${sshKeyPath}. Please obtain optima-ec2-key from xbfool.`);
+    console.log(`Creating SSH tunnel: localhost:${localPort} -> ${EC2_HOST} -> ${dbHost}:5432`);
+    (0, child_process_1.execSync)(`ssh -i ${sshKeyPath} -f -N -o StrictHostKeyChecking=no -L ${localPort}:${dbHost}:5432 ec2-user@${EC2_HOST}`, { stdio: 'inherit' });
+}
+// ─── psql ───────────────────────────────────────────────────────────────────
+function findPsqlPath() {
+    try {
+        const result = (0, child_process_1.execSync)('which psql', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'] });
+        if (result.trim())
+            return result.trim();
+    }
+    catch { /* fallback */ }
+    const paths = ['/usr/local/opt/postgresql@16/bin/psql', '/usr/local/opt/postgresql@15/bin/psql', '/opt/homebrew/bin/psql', '/usr/bin/psql', '/usr/local/bin/psql'];
+    for (const p of paths) {
+        if (fs.existsSync(p))
+            return p;
+    }
+    throw new Error('PostgreSQL client (psql) not found. Install with: brew install postgresql@16');
+}
+function queryDB(conn, sql) {
+    const psql = findPsqlPath();
+    return (0, child_process_1.execSync)(`"${psql}" -h ${conn.host} -p ${conn.port} -U ${conn.user} -d ${conn.database} -t -A --quiet -c "${sql.replace(/"/g, '\\"')}"`, {
+        encoding: 'utf-8',
+        env: { ...process.env, PGPASSWORD: conn.password },
+    }).trim();
+}
+// ─── High-level connection helpers ──────────────────────────────────────────
+/** Connect to user-auth DB and return a query function. */
+async function connectAuthDB(env, infisicalConfig, token) {
+    const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+    const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
+    const host = exports.RDS_HOSTS[env];
+    const port = env === 'stage' ? 15432 : 15433;
+    setupSSHTunnel(host, port);
+    await new Promise(r => setTimeout(r, 1000));
+    const conn = { host: 'localhost', port, user: secrets['AUTH_DB_USER'], password: secrets['AUTH_DB_PASSWORD'], database: 'optima_auth' };
+    return { query: (sql) => queryDB(conn, sql) };
+}
+/** Connect to billing DB and return a query function. */
+async function connectBillingDB(env, infisicalConfig, token) {
+    const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+    const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/services/billing');
+    const dbUrl = secrets['DATABASE_URL'];
+    if (!dbUrl)
+        throw new Error('DATABASE_URL not found for billing service');
+    const parsed = parseDatabaseUrl(dbUrl);
+    const port = env === 'stage' ? 15434 : 15435;
+    setupSSHTunnel(parsed.host, port);
+    await new Promise(r => setTimeout(r, 1000));
+    const conn = { host: 'localhost', port, user: parsed.user, password: parsed.password, database: parsed.database };
+    return { query: (sql) => queryDB(conn, sql) };
+}
+/** Look up user_id by email from user-auth DB. Throws if not found. */
+async function resolveUserId(email, env, infisicalConfig, token) {
+    console.log(`Looking up user by email: ${email}`);
+    const auth = await connectAuthDB(env, infisicalConfig, token);
+    const userId = auth.query(`SELECT id FROM users WHERE email='${escapeSQL(email)}' LIMIT 1`);
+    if (!userId) {
+        console.error(`❌ User not found: ${email}`);
+        process.exit(1);
+    }
+    console.log(`✓ Found user: ${userId}`);
+    return userId;
+}

package/dist/bin/helpers/grant-credits.js

@@ -0,0 +1,71 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const db_utils_1 = require("./db-utils");
+function parseArgs(args) {
+    if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+        console.log(`Usage: optima-grant-credits <email> --amount <n> [options]
+
+Options:
+  --amount <n>          Credits to grant (required)
+  --type <type>         Credit type: bonus, referral (default: bonus)
+  --description <text>  Description (optional)
+  --env <env>           Environment: stage, prod (default: stage)
+  -h, --help            Show this help`);
+        process.exit(0);
+    }
+    const email = args[0];
+    let amount = 0;
+    let type = 'bonus';
+    let description = null;
+    let env = 'stage';
+    for (let i = 1; i < args.length; i++) {
+        if (args[i] === '--amount' && args[i + 1]) {
+            amount = parseInt(args[++i], 10);
+        }
+        else if (args[i] === '--type' && args[i + 1]) {
+            type = args[++i];
+        }
+        else if (args[i] === '--description' && args[i + 1]) {
+            description = args[++i];
+        }
+        else if (args[i] === '--env' && args[i + 1]) {
+            env = args[++i];
+        }
+    }
+    if (amount < 1) {
+        console.error('--amount is required and must be >= 1');
+        process.exit(1);
+    }
+    if (!['bonus', 'referral'].includes(type)) {
+        console.error(`Unknown type: ${type}. Available: bonus, referral`);
+        process.exit(1);
+    }
+    if (!['stage', 'prod'].includes(env)) {
+        console.error('Env must be stage or prod (billing DB not available in CI)');
+        process.exit(1);
+    }
+    return { email, amount, type, description, env };
+}
+async function main() {
+    const { email, amount, type, description, env } = parseArgs(process.argv.slice(2));
+    const infisicalConfig = (0, db_utils_1.getInfisicalConfig)();
+    const token = (0, db_utils_1.getInfisicalToken)(infisicalConfig);
+    console.log(`\n🎁 Granting ${amount} ${type} credits to ${email} [${env.toUpperCase()}]\n`);
+    const userId = await (0, db_utils_1.resolveUserId)(email, env, infisicalConfig, token);
+    const billing = await (0, db_utils_1.connectBillingDB)(env, infisicalConfig, token);
+    const bq = billing.query;
+    const now = new Date().toISOString();
+    const safeUserId = (0, db_utils_1.escapeSQL)(userId);
+    const safeType = (0, db_utils_1.escapeSQL)(type);
+    const safeDesc = (0, db_utils_1.escapeSQL)(description || `Admin ${type} credit grant`);
+    console.log(`Inserting ${amount} ${type} credits...`);
+    const ledgerId = bq(`INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, created_at) VALUES (concat('crd_${safeType}_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safeType}', '${safeDesc}', ${amount}, ${amount}, '${now}') RETURNING id`);
+    console.log(`✓ Credits granted (ledger ID: ${ledgerId})`);
+    const balance = bq(`SELECT COALESCE(SUM(remaining), 0) FROM credit_ledger WHERE user_id='${safeUserId}' AND remaining > 0 AND (expires_at IS NULL OR expires_at > NOW())`);
+    console.log(`\n✅ Done! ${email} now has ${balance} total credits\n`);
+}
+main().catch(error => {
+    console.error('\n❌ Error:', error.message);
+    process.exit(1);
+});

package/dist/bin/helpers/grant-subscription.js

@@ -0,0 +1,121 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const db_utils_1 = require("./db-utils");
+function parseArgs(args) {
+    if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+        console.log(`Usage: optima-grant-subscription <email> [options]
+
+Options:
+  --plan <id>       Plan: free, pro, enterprise (default: enterprise)
+  --months <n>      Duration in months (default: 1)
+  --env <env>       Environment: stage, prod (default: stage)
+  -h, --help        Show this help`);
+        process.exit(0);
+    }
+    const email = args[0];
+    let plan = 'enterprise';
+    let months = 1;
+    let env = 'stage';
+    for (let i = 1; i < args.length; i++) {
+        if (args[i] === '--plan' && args[i + 1]) {
+            plan = args[++i];
+        }
+        else if (args[i] === '--months' && args[i + 1]) {
+            months = parseInt(args[++i], 10);
+        }
+        else if (args[i] === '--env' && args[i + 1]) {
+            env = args[++i];
+        }
+    }
+    if (!['free', 'pro', 'enterprise'].includes(plan)) {
+        console.error(`Unknown plan: ${plan}. Available: free, pro, enterprise`);
+        process.exit(1);
+    }
+    if (months < 1) {
+        console.error('Months must be >= 1');
+        process.exit(1);
+    }
+    if (!['stage', 'prod'].includes(env)) {
+        console.error('Env must be stage or prod (billing DB not available in CI)');
+        process.exit(1);
+    }
+    return { email, plan, months, env };
+}
+async function main() {
+    const { email, plan, months, env } = parseArgs(process.argv.slice(2));
+    const infisicalConfig = (0, db_utils_1.getInfisicalConfig)();
+    const token = (0, db_utils_1.getInfisicalToken)(infisicalConfig);
+    console.log(`\n🎁 Granting ${plan} subscription to ${email} for ${months} month(s) [${env.toUpperCase()}]\n`);
+    const userId = await (0, db_utils_1.resolveUserId)(email, env, infisicalConfig, token);
+    const billing = await (0, db_utils_1.connectBillingDB)(env, infisicalConfig, token);
+    const bq = billing.query;
+    // Read plan config from DB
+    console.log(`Loading plan config: ${plan}`);
+    const planRow = bq(`SELECT name, monthly_credits, session_token_limit, weekly_token_limit FROM plans WHERE id='${(0, db_utils_1.escapeSQL)(plan)}'`);
+    if (!planRow) {
+        console.error(`❌ Plan not found in DB: ${plan}`);
+        process.exit(1);
+    }
+    const [planName, monthlyCreditsStr, sessionTokenLimitStr, weeklyTokenLimitStr] = planRow.split('|');
+    const monthlyCredits = parseInt(monthlyCreditsStr, 10);
+    const sessionTokenLimit = parseInt(sessionTokenLimitStr, 10);
+    const weeklyTokenLimit = parseInt(weeklyTokenLimitStr, 10);
+    console.log(`✓ Plan: ${planName} (credits: ${monthlyCredits}, session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+    // Execute all mutations in a single transaction
+    const now = new Date().toISOString();
+    const periodEnd = new Date();
+    periodEnd.setMonth(periodEnd.getMonth() + months);
+    const periodEndISO = periodEnd.toISOString();
+    const sessionEnd = new Date(new Date().getTime() + 5 * 60 * 60 * 1000).toISOString();
+    const weekEnd = new Date(new Date().getTime() + 7 * 24 * 60 * 60 * 1000).toISOString();
+    const safeUserId = (0, db_utils_1.escapeSQL)(userId);
+    const safePlan = (0, db_utils_1.escapeSQL)(plan);
+    const safePlanName = (0, db_utils_1.escapeSQL)(planName);
+    console.log('Executing transaction...');
+    const txSQL = `
+BEGIN;
+
+-- Cancel active subscriptions
+UPDATE subscriptions SET status='canceled', canceled_at='${now}'
+WHERE user_id='${safeUserId}' AND status IN ('active','trialing');
+
+-- Zero out old subscription credits
+UPDATE credit_ledger SET remaining=0
+WHERE user_id='${safeUserId}' AND type IN ('monthly_grant','subscription') AND remaining > 0;
+
+-- Create new subscription
+INSERT INTO subscriptions (id, user_id, plan_id, status, billing_interval, current_period_start, current_period_end, created_at, updated_at)
+VALUES (concat('sub_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'active', 'monthly', '${now}', '${periodEndISO}', '${now}', '${now}');
+
+-- Grant monthly credits
+INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, expires_at, created_at)
+SELECT concat('crd_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', 'subscription', '${safePlanName} plan gift (${months} month)', ${monthlyCredits}, ${monthlyCredits}, '${periodEndISO}', '${now}'
+WHERE ${monthlyCredits} > 0;
+
+-- Upsert session token quota
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+VALUES (concat('tq_sess_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'session', ${sessionTokenLimit}, 0, '${now}', '${sessionEnd}', '${now}', '${now}')
+ON CONFLICT (user_id, period_type, period_start) DO UPDATE SET plan_id='${safePlan}', monthly_limit=${sessionTokenLimit}, updated_at='${now}';
+
+-- Upsert weekly token quota
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+VALUES (concat('tq_week_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'weekly', ${weeklyTokenLimit}, 0, '${now}', '${weekEnd}', '${now}', '${now}')
+ON CONFLICT (user_id, period_type, period_start) DO UPDATE SET plan_id='${safePlan}', monthly_limit=${weeklyTokenLimit}, updated_at='${now}';
+
+COMMIT;
+  `.trim();
+    bq(txSQL);
+    console.log('✓ Old subscriptions canceled');
+    console.log('✓ Old credits cleared');
+    console.log(`✓ ${planName} subscription created (expires: ${periodEnd.toLocaleDateString()})`);
+    if (monthlyCredits > 0) {
+        console.log(`✓ ${monthlyCredits} credits granted`);
+    }
+    console.log(`✓ Token quotas updated (session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+    console.log(`\n✅ Done! ${email} now has ${planName} plan until ${periodEnd.toLocaleDateString()}\n`);
+}
+main().catch(error => {
+    console.error('\n❌ Error:', error.message);
+    process.exit(1);
+});

package/dist/bin/helpers/query-db.js

@@ -66,6 +66,21 @@ const SERVICE_DB_MAP = {
         ci: null,
         stage: { userKey: 'LOGISTICS_DB_USER', passwordKey: 'LOGISTICS_DB_PASSWORD', database: 'optima_stage_logistics' },
         prod: { userKey: 'LOGISTICS_DB_USER', passwordKey: 'LOGISTICS_DB_PASSWORD', database: 'optima_logistics' }
+    },
+    'billing': {
+        ci: null,
+        stage: { databaseUrlPath: '/services/billing', databaseUrlKey: 'DATABASE_URL' },
+        prod: { databaseUrlPath: '/services/billing', databaseUrlKey: 'DATABASE_URL' }
+    },
+    'browser-backend': {
+        ci: null,
+        stage: { databaseUrlPath: '/services/browser-backend', databaseUrlKey: 'DATABASE_URL' },
+        prod: { databaseUrlPath: '/services/browser-backend', databaseUrlKey: 'DATABASE_URL' }
+    },
+    'optima-generation': {
+        ci: null,
+        stage: { databaseUrlPath: '/services/optima-generation', databaseUrlKey: 'DATABASE_URL' },
+        prod: { databaseUrlPath: '/services/optima-generation', databaseUrlKey: 'DATABASE_URL' }
     }
 };
 // Stage 和 Prod 独立的 RDS 实例
@@ -75,6 +90,20 @@ const RDS_HOSTS = {
 };
 // 统一使用 BI Data ARM Host 作为跳板机
 const EC2_HOST = '3.0.210.113';
+function parseDatabaseUrl(url) {
+    // postgresql://user:password@host:port/database?params
+    const match = url.match(/^postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/);
+    if (!match) {
+        throw new Error(`Failed to parse DATABASE_URL: ${url}`);
+    }
+    return {
+        user: decodeURIComponent(match[1]),
+        password: decodeURIComponent(match[2]),
+        host: match[3],
+        port: parseInt(match[4]),
+        database: match[5]
+    };
+}
 function getGitHubVariable(name) {
     return (0, child_process_1.execSync)(`gh variable get ${name} -R Optima-Chat/optima-dev-skills`, { encoding: 'utf-8' }).trim();
 }
@@ -170,7 +199,7 @@ async function main() {
     if (args.length < 2) {
         console.error('Usage: query-db.ts <service> <sql> [environment]');
         console.error('');
-        console.error('Services: commerce-backend, user-auth, agentic-chat, bi-backend, session-gateway');
+        console.error('Services: commerce-backend, user-auth, agentic-chat, bi-backend, session-gateway, optima-logistics, billing, browser-backend, optima-generation');
         console.error('Environments: ci (default), stage, prod');
         console.error('');
         console.error('Example: query-db.ts user-auth "SELECT COUNT(*) FROM users" prod');
@@ -206,17 +235,38 @@ async function main() {
         console.log('✓ Loaded Infisical config from GitHub Variables');
         const token = getInfisicalToken(infisicalConfig);
         console.log('✓ Obtained Infisical access token');
-        // 数据库凭证存储在 Infisical 的 /shared-secrets/database-users 路径
-        // Stage 从 staging 环境读取，Prod 从 prod 环境读取
         const infisicalEnv = environment === 'stage' ? 'staging' : 'prod';
-        const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
-        console.log('✓ Retrieved database credentials from Infisical');
-        const { userKey, passwordKey, database } = serviceConfig;
-        const dbHost = RDS_HOSTS[environment];
-        const dbUser = secrets[userKey];
-        const dbPassword = secrets[passwordKey];
-        if (!dbUser || !dbPassword) {
-            throw new Error(`Database credentials not found in Infisical for ${service}. Keys: ${userKey}, ${passwordKey}`);
+        let dbUser;
+        let dbPassword;
+        let dbHost;
+        let database;
+        if ('databaseUrlPath' in serviceConfig) {
+            // 从服务路径获取 DATABASE_URL 并解析
+            const { databaseUrlPath, databaseUrlKey } = serviceConfig;
+            const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, databaseUrlPath);
+            console.log(`✓ Retrieved DATABASE_URL from Infisical (path: ${databaseUrlPath})`);
+            const databaseUrl = secrets[databaseUrlKey];
+            if (!databaseUrl) {
+                throw new Error(`DATABASE_URL not found in Infisical at ${databaseUrlPath}`);
+            }
+            const parsed = parseDatabaseUrl(databaseUrl);
+            dbUser = parsed.user;
+            dbPassword = parsed.password;
+            dbHost = parsed.host;
+            database = parsed.database;
+        }
+        else {
+            // 从 shared-secrets/database-users 获取凭证
+            const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
+            console.log('✓ Retrieved database credentials from Infisical');
+            const { userKey, passwordKey } = serviceConfig;
+            database = serviceConfig.database;
+            dbHost = RDS_HOSTS[environment];
+            dbUser = secrets[userKey];
+            dbPassword = secrets[passwordKey];
+            if (!dbUser || !dbPassword) {
+                throw new Error(`Database credentials not found in Infisical for ${service}. Keys: ${userKey}, ${passwordKey}`);
+            }
         }
         const localPort = environment === 'stage' ? 15432 : 15433;
         setupSSHTunnel(EC2_HOST, dbHost, localPort);

package/dist/bin/helpers/show-env.js

@@ -13,7 +13,10 @@ const SUPPORTED_SERVICES = [
     'optima-scout',
     'mcp-host',
     'shopify-backend',
-    'optima-logistics'
+    'optima-logistics',
+    'billing',
+    'browser-backend',
+    'optima-generation'
 ];
 // 环境到 Infisical environment 的映射
 const ENV_MAP = {

package/package.json

@@ -1,13 +1,15 @@
 {
   "name": "@optima-chat/dev-skills",
-  "version": "0.7.20",
+  "version": "0.7.22",
   "description": "Claude Code Skills for Optima development team - cross-environment collaboration tools",
   "main": "index.js",
   "bin": {
     "optima-dev-skills": "./bin/cli.js",
     "optima-query-db": "./dist/bin/helpers/query-db.js",
     "optima-generate-test-token": "./dist/bin/helpers/generate-test-token.js",
-    "optima-show-env": "./dist/bin/helpers/show-env.js"
+    "optima-show-env": "./dist/bin/helpers/show-env.js",
+    "optima-grant-subscription": "./dist/bin/helpers/grant-subscription.js",
+    "optima-grant-credits": "./dist/bin/helpers/grant-credits.js"
   },
   "scripts": {
     "postinstall": "node scripts/install.js",