@optima-chat/dev-skills 0.7.21 → 0.7.23

package/bin/helpers/db-utils.ts

@@ -0,0 +1,143 @@
+import { execSync } from 'child_process';
+import * as fs from 'fs';
+
+// ─── Types ──────────────────────────────────────────────────────────────────
+export interface InfisicalConfig { url: string; clientId: string; clientSecret: string; projectId: string }
+
+export interface DBConnection {
+  host: string;
+  port: number;
+  user: string;
+  password: string;
+  database: string;
+}
+
+// ─── Constants ──────────────────────────────────────────────────────────────
+export const RDS_HOSTS: Record<string, string> = {
+  stage: 'optima-stage-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+  prod:  'optima-prod-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+};
+
+const EC2_HOST = '3.0.210.113';
+
+// ─── SQL escaping ───────────────────────────────────────────────────────────
+/** Escape a string value for safe inclusion in SQL single-quoted literals. */
+export function escapeSQL(value: string): string {
+  return value.replace(/'/g, "''").replace(/\\/g, '\\\\');
+}
+
+// ─── GitHub Variables ───────────────────────────────────────────────────────
+export function getGitHubVariable(name: string): string {
+  return execSync(`gh variable get ${name} -R Optima-Chat/optima-dev-skills`, { encoding: 'utf-8' }).trim();
+}
+
+// ─── Infisical ──────────────────────────────────────────────────────────────
+export function getInfisicalConfig(): InfisicalConfig {
+  return {
+    url: getGitHubVariable('INFISICAL_URL'),
+    clientId: getGitHubVariable('INFISICAL_CLIENT_ID'),
+    clientSecret: getGitHubVariable('INFISICAL_CLIENT_SECRET'),
+    projectId: getGitHubVariable('INFISICAL_PROJECT_ID'),
+  };
+}
+
+export function getInfisicalToken(config: InfisicalConfig): string {
+  const response = execSync(
+    `curl -s -X POST "${config.url}/api/v1/auth/universal-auth/login" -H "Content-Type: application/json" -d '{"clientId": "${config.clientId}", "clientSecret": "${config.clientSecret}"}'`,
+    { encoding: 'utf-8' }
+  );
+  return JSON.parse(response).accessToken;
+}
+
+export function getInfisicalSecrets(config: InfisicalConfig, token: string, environment: string, secretPath: string): Record<string, string> {
+  const response = execSync(
+    `curl -s "${config.url}/api/v3/secrets/raw?workspaceId=${config.projectId}&environment=${environment}&secretPath=${secretPath}" -H "Authorization: Bearer ${token}"`,
+    { encoding: 'utf-8' }
+  );
+  const data = JSON.parse(response);
+  const secrets: Record<string, string> = {};
+  for (const secret of data.secrets || []) {
+    secrets[secret.secretKey] = secret.secretValue;
+  }
+  return secrets;
+}
+
+// ─── Database URL parsing ───────────────────────────────────────────────────
+export function parseDatabaseUrl(url: string): { user: string; password: string; host: string; port: number; database: string } {
+  const match = url.match(/^postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/);
+  if (!match) throw new Error('Failed to parse DATABASE_URL (format: postgresql://user:pass@host:port/db)');
+  return { user: decodeURIComponent(match[1]), password: decodeURIComponent(match[2]), host: match[3], port: parseInt(match[4], 10), database: match[5] };
+}
+
+// ─── SSH tunnel ─────────────────────────────────────────────────────────────
+export function setupSSHTunnel(dbHost: string, localPort: number): void {
+  try { execSync(`lsof -ti:${localPort}`, { stdio: 'ignore' }); return; } catch { /* need tunnel */ }
+  const sshKeyPath = `${process.env.HOME}/.ssh/optima-ec2-key`;
+  if (!fs.existsSync(sshKeyPath)) throw new Error(`SSH key not found: ${sshKeyPath}. Please obtain optima-ec2-key from xbfool.`);
+  console.log(`Creating SSH tunnel: localhost:${localPort} -> ${EC2_HOST} -> ${dbHost}:5432`);
+  execSync(`ssh -i ${sshKeyPath} -f -N -o StrictHostKeyChecking=no -L ${localPort}:${dbHost}:5432 ec2-user@${EC2_HOST}`, { stdio: 'inherit' });
+}
+
+// ─── psql ───────────────────────────────────────────────────────────────────
+function findPsqlPath(): string {
+  try {
+    const result = execSync('which psql', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'] });
+    if (result.trim()) return result.trim();
+  } catch { /* fallback */ }
+  const paths = ['/usr/local/opt/postgresql@16/bin/psql', '/usr/local/opt/postgresql@15/bin/psql', '/opt/homebrew/bin/psql', '/usr/bin/psql', '/usr/local/bin/psql'];
+  for (const p of paths) { if (fs.existsSync(p)) return p; }
+  throw new Error('PostgreSQL client (psql) not found. Install with: brew install postgresql@16');
+}
+
+export function queryDB(conn: DBConnection, sql: string): string {
+  const psql = findPsqlPath();
+  return execSync(`"${psql}" -h ${conn.host} -p ${conn.port} -U ${conn.user} -d ${conn.database} -t -A --quiet -c "${sql.replace(/"/g, '\\"')}"`, {
+    encoding: 'utf-8',
+    env: { ...process.env, PGPASSWORD: conn.password },
+  }).trim();
+}
+
+// ─── High-level connection helpers ──────────────────────────────────────────
+
+/** Connect to user-auth DB and return a query function. */
+export async function connectAuthDB(env: string, infisicalConfig: InfisicalConfig, token: string): Promise<{ query: (sql: string) => string }> {
+  const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+  const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
+  const host = RDS_HOSTS[env as 'stage' | 'prod'];
+  const port = env === 'stage' ? 15432 : 15433;
+
+  setupSSHTunnel(host, port);
+  await new Promise(r => setTimeout(r, 1000));
+
+  const conn: DBConnection = { host: 'localhost', port, user: secrets['AUTH_DB_USER'], password: secrets['AUTH_DB_PASSWORD'], database: 'optima_auth' };
+  return { query: (sql: string) => queryDB(conn, sql) };
+}
+
+/** Connect to billing DB and return a query function. */
+export async function connectBillingDB(env: string, infisicalConfig: InfisicalConfig, token: string): Promise<{ query: (sql: string) => string }> {
+  const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+  const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/services/billing');
+  const dbUrl = secrets['DATABASE_URL'];
+  if (!dbUrl) throw new Error('DATABASE_URL not found for billing service');
+
+  const parsed = parseDatabaseUrl(dbUrl);
+  const port = env === 'stage' ? 15434 : 15435;
+  setupSSHTunnel(parsed.host, port);
+  await new Promise(r => setTimeout(r, 1000));
+
+  const conn: DBConnection = { host: 'localhost', port, user: parsed.user, password: parsed.password, database: parsed.database };
+  return { query: (sql: string) => queryDB(conn, sql) };
+}
+
+/** Look up user_id by email from user-auth DB. Throws if not found. */
+export async function resolveUserId(email: string, env: string, infisicalConfig: InfisicalConfig, token: string): Promise<string> {
+  console.log(`Looking up user by email: ${email}`);
+  const auth = await connectAuthDB(env, infisicalConfig, token);
+  const userId = auth.query(`SELECT id FROM users WHERE email='${escapeSQL(email)}' LIMIT 1`);
+  if (!userId) {
+    console.error(`❌ User not found: ${email}`);
+    process.exit(1);
+  }
+  console.log(`✓ Found user: ${userId}`);
+  return userId;
+}

package/bin/helpers/grant-credits.ts

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+
+import { getInfisicalConfig, getInfisicalToken, resolveUserId, connectBillingDB, escapeSQL } from './db-utils';
+
+function parseArgs(args: string[]): { email: string; amount: number; type: string; description: string | null; env: string } {
+  if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+    console.log(`Usage: optima-grant-credits <email> --amount <n> [options]
+
+Options:
+  --amount <n>          Credits to grant (required)
+  --type <type>         Credit type: bonus, referral (default: bonus)
+  --description <text>  Description (optional)
+  --env <env>           Environment: stage, prod (default: stage)
+  -h, --help            Show this help`);
+    process.exit(0);
+  }
+
+  const email = args[0];
+  let amount = 0;
+  let type = 'bonus';
+  let description: string | null = null;
+  let env = 'stage';
+
+  for (let i = 1; i < args.length; i++) {
+    if (args[i] === '--amount' && args[i + 1]) { amount = parseInt(args[++i], 10); }
+    else if (args[i] === '--type' && args[i + 1]) { type = args[++i]; }
+    else if (args[i] === '--description' && args[i + 1]) { description = args[++i]; }
+    else if (args[i] === '--env' && args[i + 1]) { env = args[++i]; }
+  }
+
+  if (amount < 1) { console.error('--amount is required and must be >= 1'); process.exit(1); }
+  if (!['bonus', 'referral'].includes(type)) { console.error(`Unknown type: ${type}. Available: bonus, referral`); process.exit(1); }
+  if (!['stage', 'prod'].includes(env)) { console.error('Env must be stage or prod (billing DB not available in CI)'); process.exit(1); }
+
+  return { email, amount, type, description, env };
+}
+
+async function main() {
+  const { email, amount, type, description, env } = parseArgs(process.argv.slice(2));
+  const infisicalConfig = getInfisicalConfig();
+  const token = getInfisicalToken(infisicalConfig);
+
+  console.log(`\n🎁 Granting ${amount} ${type} credits to ${email} [${env.toUpperCase()}]\n`);
+
+  const userId = await resolveUserId(email, env, infisicalConfig, token);
+  const billing = await connectBillingDB(env, infisicalConfig, token);
+  const bq = billing.query;
+
+  const now = new Date().toISOString();
+  const safeUserId = escapeSQL(userId);
+  const safeType = escapeSQL(type);
+  const safeDesc = escapeSQL(description || `Admin ${type} credit grant`);
+
+  console.log(`Inserting ${amount} ${type} credits...`);
+  const ledgerId = bq(`INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, created_at) VALUES (concat('crd_${safeType}_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safeType}', '${safeDesc}', ${amount}, ${amount}, '${now}') RETURNING id`);
+  console.log(`✓ Credits granted (ledger ID: ${ledgerId})`);
+
+  const balance = bq(`SELECT COALESCE(SUM(remaining), 0) FROM credit_ledger WHERE user_id='${safeUserId}' AND remaining > 0 AND (expires_at IS NULL OR expires_at > NOW())`);
+  console.log(`\n✅ Done! ${email} now has ${balance} total credits\n`);
+}
+
+main().catch(error => {
+  console.error('\n❌ Error:', error.message);
+  process.exit(1);
+});

package/bin/helpers/grant-subscription.ts

@@ -0,0 +1,128 @@
+#!/usr/bin/env node
+
+import { getInfisicalConfig, getInfisicalToken, resolveUserId, connectBillingDB, escapeSQL } from './db-utils';
+
+function parseArgs(args: string[]): { email: string; plan: string; months: number; env: string } {
+  if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+    console.log(`Usage: optima-grant-subscription <email> [options]
+
+Options:
+  --plan <id>       Plan: free, pro, enterprise (default: enterprise)
+  --months <n>      Duration in months (default: 1)
+  --env <env>       Environment: stage, prod (default: stage)
+  -h, --help        Show this help`);
+    process.exit(0);
+  }
+
+  const email = args[0];
+  let plan = 'enterprise';
+  let months = 1;
+  let env = 'stage';
+
+  for (let i = 1; i < args.length; i++) {
+    if (args[i] === '--plan' && args[i + 1]) { plan = args[++i]; }
+    else if (args[i] === '--months' && args[i + 1]) { months = parseInt(args[++i], 10); }
+    else if (args[i] === '--env' && args[i + 1]) { env = args[++i]; }
+  }
+
+  if (!['free', 'pro', 'enterprise'].includes(plan)) {
+    console.error(`Unknown plan: ${plan}. Available: free, pro, enterprise`);
+    process.exit(1);
+  }
+  if (months < 1) { console.error('Months must be >= 1'); process.exit(1); }
+  if (!['stage', 'prod'].includes(env)) { console.error('Env must be stage or prod (billing DB not available in CI)'); process.exit(1); }
+
+  return { email, plan, months, env };
+}
+
+async function main() {
+  const { email, plan, months, env } = parseArgs(process.argv.slice(2));
+  const infisicalConfig = getInfisicalConfig();
+  const token = getInfisicalToken(infisicalConfig);
+
+  console.log(`\n🎁 Granting ${plan} subscription to ${email} for ${months} month(s) [${env.toUpperCase()}]\n`);
+
+  const userId = await resolveUserId(email, env, infisicalConfig, token);
+  const billing = await connectBillingDB(env, infisicalConfig, token);
+  const bq = billing.query;
+
+  // Read plan config from DB
+  console.log(`Loading plan config: ${plan}`);
+  const planRow = bq(`SELECT name, monthly_credits, session_token_limit, weekly_token_limit FROM plans WHERE id='${escapeSQL(plan)}'`);
+  if (!planRow) { console.error(`❌ Plan not found in DB: ${plan}`); process.exit(1); }
+
+  const [planName, monthlyCreditsStr, sessionTokenLimitStr, weeklyTokenLimitStr] = planRow.split('|');
+  const monthlyCredits = parseInt(monthlyCreditsStr, 10);
+  const sessionTokenLimit = parseInt(sessionTokenLimitStr, 10);
+  const weeklyTokenLimit = parseInt(weeklyTokenLimitStr, 10);
+  console.log(`✓ Plan: ${planName} (credits: ${monthlyCredits}, session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+
+  // Execute all mutations in a single transaction
+  const now = new Date().toISOString();
+  const periodEnd = new Date();
+  periodEnd.setMonth(periodEnd.getMonth() + months);
+  const periodEndISO = periodEnd.toISOString();
+  const sessionEnd = new Date(new Date().getTime() + 5 * 60 * 60 * 1000).toISOString();
+  const weekEnd = new Date(new Date().getTime() + 7 * 24 * 60 * 60 * 1000).toISOString();
+
+  const safeUserId = escapeSQL(userId);
+  const safePlan = escapeSQL(plan);
+  const safePlanName = escapeSQL(planName);
+
+  console.log('Executing transaction...');
+  const txSQL = `
+BEGIN;
+
+-- Cancel active subscriptions
+UPDATE subscriptions SET status='canceled', canceled_at='${now}'
+WHERE user_id='${safeUserId}' AND status IN ('active','trialing');
+
+-- Zero out old subscription credits
+UPDATE credit_ledger SET remaining=0
+WHERE user_id='${safeUserId}' AND type IN ('monthly_grant','subscription') AND remaining > 0;
+
+-- Create new subscription
+INSERT INTO subscriptions (id, user_id, plan_id, status, billing_interval, current_period_start, current_period_end, created_at, updated_at)
+VALUES (concat('sub_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'active', 'monthly', '${now}', '${periodEndISO}', '${now}', '${now}');
+
+-- Grant monthly credits
+INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, expires_at, created_at)
+SELECT concat('crd_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', 'subscription', '${safePlanName} plan gift (${months} month)', ${monthlyCredits}, ${monthlyCredits}, '${periodEndISO}', '${now}'
+WHERE ${monthlyCredits} > 0;
+
+-- Update existing active session quota, or insert new one if none exists
+UPDATE token_quotas SET plan_id='${safePlan}', monthly_limit=${sessionTokenLimit}, updated_at='${now}'
+WHERE user_id='${safeUserId}' AND period_type='session' AND period_end > '${now}';
+
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+SELECT concat('tq_sess_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'session', ${sessionTokenLimit}, 0, '${now}', '${sessionEnd}', '${now}', '${now}'
+WHERE NOT EXISTS (SELECT 1 FROM token_quotas WHERE user_id='${safeUserId}' AND period_type='session' AND period_end > '${now}');
+
+-- Update existing active weekly quota, or insert new one if none exists
+UPDATE token_quotas SET plan_id='${safePlan}', monthly_limit=${weeklyTokenLimit}, updated_at='${now}'
+WHERE user_id='${safeUserId}' AND period_type='weekly' AND period_end > '${now}';
+
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+SELECT concat('tq_week_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'weekly', ${weeklyTokenLimit}, 0, '${now}', '${weekEnd}', '${now}', '${now}'
+WHERE NOT EXISTS (SELECT 1 FROM token_quotas WHERE user_id='${safeUserId}' AND period_type='weekly' AND period_end > '${now}');
+
+COMMIT;
+  `.trim();
+
+  bq(txSQL);
+
+  console.log('✓ Old subscriptions canceled');
+  console.log('✓ Old credits cleared');
+  console.log(`✓ ${planName} subscription created (expires: ${periodEnd.toLocaleDateString()})`);
+  if (monthlyCredits > 0) {
+    console.log(`✓ ${monthlyCredits} credits granted`);
+  }
+  console.log(`✓ Token quotas updated (session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+
+  console.log(`\n✅ Done! ${email} now has ${planName} plan until ${periodEnd.toLocaleDateString()}\n`);
+}
+
+main().catch(error => {
+  console.error('\n❌ Error:', error.message);
+  process.exit(1);
+});

package/dist/bin/helpers/db-utils.js

@@ -0,0 +1,166 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RDS_HOSTS = void 0;
+exports.escapeSQL = escapeSQL;
+exports.getGitHubVariable = getGitHubVariable;
+exports.getInfisicalConfig = getInfisicalConfig;
+exports.getInfisicalToken = getInfisicalToken;
+exports.getInfisicalSecrets = getInfisicalSecrets;
+exports.parseDatabaseUrl = parseDatabaseUrl;
+exports.setupSSHTunnel = setupSSHTunnel;
+exports.queryDB = queryDB;
+exports.connectAuthDB = connectAuthDB;
+exports.connectBillingDB = connectBillingDB;
+exports.resolveUserId = resolveUserId;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+// ─── Constants ──────────────────────────────────────────────────────────────
+exports.RDS_HOSTS = {
+    stage: 'optima-stage-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+    prod: 'optima-prod-postgres.ctg866o0ehac.ap-southeast-1.rds.amazonaws.com',
+};
+const EC2_HOST = '3.0.210.113';
+// ─── SQL escaping ───────────────────────────────────────────────────────────
+/** Escape a string value for safe inclusion in SQL single-quoted literals. */
+function escapeSQL(value) {
+    return value.replace(/'/g, "''").replace(/\\/g, '\\\\');
+}
+// ─── GitHub Variables ───────────────────────────────────────────────────────
+function getGitHubVariable(name) {
+    return (0, child_process_1.execSync)(`gh variable get ${name} -R Optima-Chat/optima-dev-skills`, { encoding: 'utf-8' }).trim();
+}
+// ─── Infisical ──────────────────────────────────────────────────────────────
+function getInfisicalConfig() {
+    return {
+        url: getGitHubVariable('INFISICAL_URL'),
+        clientId: getGitHubVariable('INFISICAL_CLIENT_ID'),
+        clientSecret: getGitHubVariable('INFISICAL_CLIENT_SECRET'),
+        projectId: getGitHubVariable('INFISICAL_PROJECT_ID'),
+    };
+}
+function getInfisicalToken(config) {
+    const response = (0, child_process_1.execSync)(`curl -s -X POST "${config.url}/api/v1/auth/universal-auth/login" -H "Content-Type: application/json" -d '{"clientId": "${config.clientId}", "clientSecret": "${config.clientSecret}"}'`, { encoding: 'utf-8' });
+    return JSON.parse(response).accessToken;
+}
+function getInfisicalSecrets(config, token, environment, secretPath) {
+    const response = (0, child_process_1.execSync)(`curl -s "${config.url}/api/v3/secrets/raw?workspaceId=${config.projectId}&environment=${environment}&secretPath=${secretPath}" -H "Authorization: Bearer ${token}"`, { encoding: 'utf-8' });
+    const data = JSON.parse(response);
+    const secrets = {};
+    for (const secret of data.secrets || []) {
+        secrets[secret.secretKey] = secret.secretValue;
+    }
+    return secrets;
+}
+// ─── Database URL parsing ───────────────────────────────────────────────────
+function parseDatabaseUrl(url) {
+    const match = url.match(/^postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/);
+    if (!match)
+        throw new Error('Failed to parse DATABASE_URL (format: postgresql://user:pass@host:port/db)');
+    return { user: decodeURIComponent(match[1]), password: decodeURIComponent(match[2]), host: match[3], port: parseInt(match[4], 10), database: match[5] };
+}
+// ─── SSH tunnel ─────────────────────────────────────────────────────────────
+function setupSSHTunnel(dbHost, localPort) {
+    try {
+        (0, child_process_1.execSync)(`lsof -ti:${localPort}`, { stdio: 'ignore' });
+        return;
+    }
+    catch { /* need tunnel */ }
+    const sshKeyPath = `${process.env.HOME}/.ssh/optima-ec2-key`;
+    if (!fs.existsSync(sshKeyPath))
+        throw new Error(`SSH key not found: ${sshKeyPath}. Please obtain optima-ec2-key from xbfool.`);
+    console.log(`Creating SSH tunnel: localhost:${localPort} -> ${EC2_HOST} -> ${dbHost}:5432`);
+    (0, child_process_1.execSync)(`ssh -i ${sshKeyPath} -f -N -o StrictHostKeyChecking=no -L ${localPort}:${dbHost}:5432 ec2-user@${EC2_HOST}`, { stdio: 'inherit' });
+}
+// ─── psql ───────────────────────────────────────────────────────────────────
+function findPsqlPath() {
+    try {
+        const result = (0, child_process_1.execSync)('which psql', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'] });
+        if (result.trim())
+            return result.trim();
+    }
+    catch { /* fallback */ }
+    const paths = ['/usr/local/opt/postgresql@16/bin/psql', '/usr/local/opt/postgresql@15/bin/psql', '/opt/homebrew/bin/psql', '/usr/bin/psql', '/usr/local/bin/psql'];
+    for (const p of paths) {
+        if (fs.existsSync(p))
+            return p;
+    }
+    throw new Error('PostgreSQL client (psql) not found. Install with: brew install postgresql@16');
+}
+function queryDB(conn, sql) {
+    const psql = findPsqlPath();
+    return (0, child_process_1.execSync)(`"${psql}" -h ${conn.host} -p ${conn.port} -U ${conn.user} -d ${conn.database} -t -A --quiet -c "${sql.replace(/"/g, '\\"')}"`, {
+        encoding: 'utf-8',
+        env: { ...process.env, PGPASSWORD: conn.password },
+    }).trim();
+}
+// ─── High-level connection helpers ──────────────────────────────────────────
+/** Connect to user-auth DB and return a query function. */
+async function connectAuthDB(env, infisicalConfig, token) {
+    const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+    const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/shared-secrets/database-users');
+    const host = exports.RDS_HOSTS[env];
+    const port = env === 'stage' ? 15432 : 15433;
+    setupSSHTunnel(host, port);
+    await new Promise(r => setTimeout(r, 1000));
+    const conn = { host: 'localhost', port, user: secrets['AUTH_DB_USER'], password: secrets['AUTH_DB_PASSWORD'], database: 'optima_auth' };
+    return { query: (sql) => queryDB(conn, sql) };
+}
+/** Connect to billing DB and return a query function. */
+async function connectBillingDB(env, infisicalConfig, token) {
+    const infisicalEnv = env === 'stage' ? 'staging' : 'prod';
+    const secrets = getInfisicalSecrets(infisicalConfig, token, infisicalEnv, '/services/billing');
+    const dbUrl = secrets['DATABASE_URL'];
+    if (!dbUrl)
+        throw new Error('DATABASE_URL not found for billing service');
+    const parsed = parseDatabaseUrl(dbUrl);
+    const port = env === 'stage' ? 15434 : 15435;
+    setupSSHTunnel(parsed.host, port);
+    await new Promise(r => setTimeout(r, 1000));
+    const conn = { host: 'localhost', port, user: parsed.user, password: parsed.password, database: parsed.database };
+    return { query: (sql) => queryDB(conn, sql) };
+}
+/** Look up user_id by email from user-auth DB. Throws if not found. */
+async function resolveUserId(email, env, infisicalConfig, token) {
+    console.log(`Looking up user by email: ${email}`);
+    const auth = await connectAuthDB(env, infisicalConfig, token);
+    const userId = auth.query(`SELECT id FROM users WHERE email='${escapeSQL(email)}' LIMIT 1`);
+    if (!userId) {
+        console.error(`❌ User not found: ${email}`);
+        process.exit(1);
+    }
+    console.log(`✓ Found user: ${userId}`);
+    return userId;
+}

package/dist/bin/helpers/grant-credits.js

@@ -0,0 +1,71 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const db_utils_1 = require("./db-utils");
+function parseArgs(args) {
+    if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+        console.log(`Usage: optima-grant-credits <email> --amount <n> [options]
+
+Options:
+  --amount <n>          Credits to grant (required)
+  --type <type>         Credit type: bonus, referral (default: bonus)
+  --description <text>  Description (optional)
+  --env <env>           Environment: stage, prod (default: stage)
+  -h, --help            Show this help`);
+        process.exit(0);
+    }
+    const email = args[0];
+    let amount = 0;
+    let type = 'bonus';
+    let description = null;
+    let env = 'stage';
+    for (let i = 1; i < args.length; i++) {
+        if (args[i] === '--amount' && args[i + 1]) {
+            amount = parseInt(args[++i], 10);
+        }
+        else if (args[i] === '--type' && args[i + 1]) {
+            type = args[++i];
+        }
+        else if (args[i] === '--description' && args[i + 1]) {
+            description = args[++i];
+        }
+        else if (args[i] === '--env' && args[i + 1]) {
+            env = args[++i];
+        }
+    }
+    if (amount < 1) {
+        console.error('--amount is required and must be >= 1');
+        process.exit(1);
+    }
+    if (!['bonus', 'referral'].includes(type)) {
+        console.error(`Unknown type: ${type}. Available: bonus, referral`);
+        process.exit(1);
+    }
+    if (!['stage', 'prod'].includes(env)) {
+        console.error('Env must be stage or prod (billing DB not available in CI)');
+        process.exit(1);
+    }
+    return { email, amount, type, description, env };
+}
+async function main() {
+    const { email, amount, type, description, env } = parseArgs(process.argv.slice(2));
+    const infisicalConfig = (0, db_utils_1.getInfisicalConfig)();
+    const token = (0, db_utils_1.getInfisicalToken)(infisicalConfig);
+    console.log(`\n🎁 Granting ${amount} ${type} credits to ${email} [${env.toUpperCase()}]\n`);
+    const userId = await (0, db_utils_1.resolveUserId)(email, env, infisicalConfig, token);
+    const billing = await (0, db_utils_1.connectBillingDB)(env, infisicalConfig, token);
+    const bq = billing.query;
+    const now = new Date().toISOString();
+    const safeUserId = (0, db_utils_1.escapeSQL)(userId);
+    const safeType = (0, db_utils_1.escapeSQL)(type);
+    const safeDesc = (0, db_utils_1.escapeSQL)(description || `Admin ${type} credit grant`);
+    console.log(`Inserting ${amount} ${type} credits...`);
+    const ledgerId = bq(`INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, created_at) VALUES (concat('crd_${safeType}_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safeType}', '${safeDesc}', ${amount}, ${amount}, '${now}') RETURNING id`);
+    console.log(`✓ Credits granted (ledger ID: ${ledgerId})`);
+    const balance = bq(`SELECT COALESCE(SUM(remaining), 0) FROM credit_ledger WHERE user_id='${safeUserId}' AND remaining > 0 AND (expires_at IS NULL OR expires_at > NOW())`);
+    console.log(`\n✅ Done! ${email} now has ${balance} total credits\n`);
+}
+main().catch(error => {
+    console.error('\n❌ Error:', error.message);
+    process.exit(1);
+});

package/dist/bin/helpers/grant-subscription.js

@@ -0,0 +1,127 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const db_utils_1 = require("./db-utils");
+function parseArgs(args) {
+    if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
+        console.log(`Usage: optima-grant-subscription <email> [options]
+
+Options:
+  --plan <id>       Plan: free, pro, enterprise (default: enterprise)
+  --months <n>      Duration in months (default: 1)
+  --env <env>       Environment: stage, prod (default: stage)
+  -h, --help        Show this help`);
+        process.exit(0);
+    }
+    const email = args[0];
+    let plan = 'enterprise';
+    let months = 1;
+    let env = 'stage';
+    for (let i = 1; i < args.length; i++) {
+        if (args[i] === '--plan' && args[i + 1]) {
+            plan = args[++i];
+        }
+        else if (args[i] === '--months' && args[i + 1]) {
+            months = parseInt(args[++i], 10);
+        }
+        else if (args[i] === '--env' && args[i + 1]) {
+            env = args[++i];
+        }
+    }
+    if (!['free', 'pro', 'enterprise'].includes(plan)) {
+        console.error(`Unknown plan: ${plan}. Available: free, pro, enterprise`);
+        process.exit(1);
+    }
+    if (months < 1) {
+        console.error('Months must be >= 1');
+        process.exit(1);
+    }
+    if (!['stage', 'prod'].includes(env)) {
+        console.error('Env must be stage or prod (billing DB not available in CI)');
+        process.exit(1);
+    }
+    return { email, plan, months, env };
+}
+async function main() {
+    const { email, plan, months, env } = parseArgs(process.argv.slice(2));
+    const infisicalConfig = (0, db_utils_1.getInfisicalConfig)();
+    const token = (0, db_utils_1.getInfisicalToken)(infisicalConfig);
+    console.log(`\n🎁 Granting ${plan} subscription to ${email} for ${months} month(s) [${env.toUpperCase()}]\n`);
+    const userId = await (0, db_utils_1.resolveUserId)(email, env, infisicalConfig, token);
+    const billing = await (0, db_utils_1.connectBillingDB)(env, infisicalConfig, token);
+    const bq = billing.query;
+    // Read plan config from DB
+    console.log(`Loading plan config: ${plan}`);
+    const planRow = bq(`SELECT name, monthly_credits, session_token_limit, weekly_token_limit FROM plans WHERE id='${(0, db_utils_1.escapeSQL)(plan)}'`);
+    if (!planRow) {
+        console.error(`❌ Plan not found in DB: ${plan}`);
+        process.exit(1);
+    }
+    const [planName, monthlyCreditsStr, sessionTokenLimitStr, weeklyTokenLimitStr] = planRow.split('|');
+    const monthlyCredits = parseInt(monthlyCreditsStr, 10);
+    const sessionTokenLimit = parseInt(sessionTokenLimitStr, 10);
+    const weeklyTokenLimit = parseInt(weeklyTokenLimitStr, 10);
+    console.log(`✓ Plan: ${planName} (credits: ${monthlyCredits}, session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+    // Execute all mutations in a single transaction
+    const now = new Date().toISOString();
+    const periodEnd = new Date();
+    periodEnd.setMonth(periodEnd.getMonth() + months);
+    const periodEndISO = periodEnd.toISOString();
+    const sessionEnd = new Date(new Date().getTime() + 5 * 60 * 60 * 1000).toISOString();
+    const weekEnd = new Date(new Date().getTime() + 7 * 24 * 60 * 60 * 1000).toISOString();
+    const safeUserId = (0, db_utils_1.escapeSQL)(userId);
+    const safePlan = (0, db_utils_1.escapeSQL)(plan);
+    const safePlanName = (0, db_utils_1.escapeSQL)(planName);
+    console.log('Executing transaction...');
+    const txSQL = `
+BEGIN;
+
+-- Cancel active subscriptions
+UPDATE subscriptions SET status='canceled', canceled_at='${now}'
+WHERE user_id='${safeUserId}' AND status IN ('active','trialing');
+
+-- Zero out old subscription credits
+UPDATE credit_ledger SET remaining=0
+WHERE user_id='${safeUserId}' AND type IN ('monthly_grant','subscription') AND remaining > 0;
+
+-- Create new subscription
+INSERT INTO subscriptions (id, user_id, plan_id, status, billing_interval, current_period_start, current_period_end, created_at, updated_at)
+VALUES (concat('sub_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'active', 'monthly', '${now}', '${periodEndISO}', '${now}', '${now}');
+
+-- Grant monthly credits
+INSERT INTO credit_ledger (id, user_id, type, description, initial_amount, remaining, expires_at, created_at)
+SELECT concat('crd_gift_', substr(md5(random()::text), 1, 16)), '${safeUserId}', 'subscription', '${safePlanName} plan gift (${months} month)', ${monthlyCredits}, ${monthlyCredits}, '${periodEndISO}', '${now}'
+WHERE ${monthlyCredits} > 0;
+
+-- Update existing active session quota, or insert new one if none exists
+UPDATE token_quotas SET plan_id='${safePlan}', monthly_limit=${sessionTokenLimit}, updated_at='${now}'
+WHERE user_id='${safeUserId}' AND period_type='session' AND period_end > '${now}';
+
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+SELECT concat('tq_sess_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'session', ${sessionTokenLimit}, 0, '${now}', '${sessionEnd}', '${now}', '${now}'
+WHERE NOT EXISTS (SELECT 1 FROM token_quotas WHERE user_id='${safeUserId}' AND period_type='session' AND period_end > '${now}');
+
+-- Update existing active weekly quota, or insert new one if none exists
+UPDATE token_quotas SET plan_id='${safePlan}', monthly_limit=${weeklyTokenLimit}, updated_at='${now}'
+WHERE user_id='${safeUserId}' AND period_type='weekly' AND period_end > '${now}';
+
+INSERT INTO token_quotas (id, user_id, plan_id, period_type, monthly_limit, monthly_used, period_start, period_end, created_at, updated_at)
+SELECT concat('tq_week_', substr(md5(random()::text), 1, 16)), '${safeUserId}', '${safePlan}', 'weekly', ${weeklyTokenLimit}, 0, '${now}', '${weekEnd}', '${now}', '${now}'
+WHERE NOT EXISTS (SELECT 1 FROM token_quotas WHERE user_id='${safeUserId}' AND period_type='weekly' AND period_end > '${now}');
+
+COMMIT;
+  `.trim();
+    bq(txSQL);
+    console.log('✓ Old subscriptions canceled');
+    console.log('✓ Old credits cleared');
+    console.log(`✓ ${planName} subscription created (expires: ${periodEnd.toLocaleDateString()})`);
+    if (monthlyCredits > 0) {
+        console.log(`✓ ${monthlyCredits} credits granted`);
+    }
+    console.log(`✓ Token quotas updated (session: ${sessionTokenLimit.toLocaleString()}, weekly: ${weeklyTokenLimit.toLocaleString()})`);
+    console.log(`\n✅ Done! ${email} now has ${planName} plan until ${periodEnd.toLocaleDateString()}\n`);
+}
+main().catch(error => {
+    console.error('\n❌ Error:', error.message);
+    process.exit(1);
+});

package/package.json

@@ -1,13 +1,15 @@
 {
   "name": "@optima-chat/dev-skills",
-  "version": "0.7.21",
+  "version": "0.7.23",
   "description": "Claude Code Skills for Optima development team - cross-environment collaboration tools",
   "main": "index.js",
   "bin": {
     "optima-dev-skills": "./bin/cli.js",
     "optima-query-db": "./dist/bin/helpers/query-db.js",
     "optima-generate-test-token": "./dist/bin/helpers/generate-test-token.js",
-    "optima-show-env": "./dist/bin/helpers/show-env.js"
+    "optima-show-env": "./dist/bin/helpers/show-env.js",
+    "optima-grant-subscription": "./dist/bin/helpers/grant-subscription.js",
+    "optima-grant-credits": "./dist/bin/helpers/grant-credits.js"
   },
   "scripts": {
     "postinstall": "node scripts/install.js",

package/.claude/settings.local.json

@@ -1,46 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "WebSearch",
-      "WebFetch(domain:code.claude.com)",
-      "WebFetch(domain:platform.claude.com)",
-      "WebFetch(domain:github.com)",
-      "Bash(gh repo view:*)",
-      "Bash(gh repo clone:*)",
-      "Bash(gh repo list:*)",
-      "Read(//private/tmp/optima-docs/**)",
-      "Read(//tmp/optima-docs/**)",
-      "Bash(git init:*)",
-      "Bash(gh repo create:*)",
-      "Read(//private/tmp/optima-workspace/**)",
-      "Read(//tmp/optima-workspace/**)",
-      "Read(//tmp/optima-workspace/.claude/commands/**)",
-      "Bash(git add:*)",
-      "Bash(git push:*)",
-      "Bash(find:*)",
-      "Bash(git commit:*)",
-      "Bash(aws logs get-log-events:*)",
-      "Bash(npm install:*)",
-      "Bash(optima-dev-skills:*)",
-      "Bash(optima-generate-test-token:*)",
-      "Bash(optima-query-db:*)",
-      "Bash(gh variable set:*)",
-      "Bash(npm publish:*)",
-      "Bash(python3:*)",
-      "Bash(gh api:*)",
-      "Bash(curl -s http://auth.optima.chat/openapi.json)",
-      "Bash(curl -s https://auth.optima.chat/openapi.json)",
-      "Bash(cat:*)",
-      "Bash(node /Users/verypro/optima-dev-skills/scripts/install.js:*)",
-      "Bash(aws logs tail:*)",
-      "Bash(grep:*)",
-      "Bash(npm view:*)",
-      "Bash(npm version:*)",
-      "Bash(git checkout:*)",
-      "Bash(git pull:*)",
-      "Bash(node scripts/install.js:*)"
-    ],
-    "deny": [],
-    "ask": []
-  }
-}