@startanaicompany/crm 2.17.0 → 2.21.0

package/index.js

@@ -1241,7 +1241,9 @@ leadsCmd
         }
         console.log('\n  Run without --dry-run to commit the merge.');
       } else {
-        const res = await client.post(`/leads/${primaryId}/merge`, { merge_into: secondaryId });
+        // Bug 58e6d000: server treats :id as the source (soft-deleted) and merge_into as target (kept)
+        // So we POST to /leads/:secondaryId/merge with { merge_into: primaryId }
+        const res = await client.post(`/leads/${secondaryId}/merge`, { merge_into: primaryId });
         console.log(`Merged lead ${secondaryId} into ${primaryId}.`);
         printJSON(res.data);
       }
@@ -3818,6 +3820,579 @@ formsCmd
     } catch (err) { handleError(err); }
   });
 
+// ============================================================
+// AUDIT COMMANDS — Sprint 55 T1 (admin JWT via stagesAdminLogin)
+// ============================================================
+const auditCmd = program.command('audit').description('View workspace audit log (Sprint 55 T1) — requires admin login');
+
+auditCmd
+  .command('list')
+  .description('List audit log entries with optional filters')
+  .option('--lead-id <id>', 'Filter by lead ID')
+  .option('--author-type <type>', 'Filter by actor type: api_key|human-admin|system')
+  .option('--from <date>', 'From date (YYYY-MM-DD)')
+  .option('--to <date>', 'To date (YYYY-MM-DD)')
+  .option('--limit <n>', 'Max results (max 200)', '50')
+  .option('--offset <n>', 'Pagination offset', '0')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const params = { limit: opts.limit, offset: opts.offset };
+      if (opts.leadId) params.lead_id = opts.leadId;
+      if (opts.authorType) params.author_type = opts.authorType;
+      if (opts.from) params.from = opts.from;
+      if (opts.to) params.to = opts.to;
+      const res = await axios.get(`${base}/api/v1/admin/audit-log`, {
+        params, headers: { Authorization: `Bearer ${token}` }
+      });
+      const d = res.data.data || {};
+      const items = d.items || [];
+      console.log(`Total: ${d.total || items.length}`);
+      items.forEach(e => {
+        const when = new Date(e.created_at).toLocaleString();
+        console.log(`[${e.id}] ${when} | ${e.actor_type} ${e.actor_name || 'system'} | ${e.action}: ${e.old_value || '—'} → ${e.new_value || '—'} | lead: ${e.lead_name || e.lead_id || 'N/A'}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+auditCmd
+  .command('get <entry-id>')
+  .description('Get a single audit log entry by ID')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (entryId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/audit-log/${entryId}`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// TAGS COMMANDS — Sprint 55 T1 (API key auth)
+// ============================================================
+const tagsCmd = program.command('tags').description('Explore lead tags (Sprint 55 T1)');
+
+tagsCmd
+  .command('list')
+  .description('List all unique tags in use with lead counts')
+  .option('--limit <n>', 'Max tags to return', '100')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.get('/tags', { params: { limit: opts.limit } });
+      const tags = res.data.data || res.data || [];
+      if (tags.length === 0) { console.log('No tags in use.'); return; }
+      // Bug 1d18aaac: API returns lead_count not count
+      tags.forEach(t => console.log(`${t.tag} (${t.lead_count} lead${t.lead_count !== 1 ? 's' : ''})`));
+    } catch (err) { handleError(err); }
+  });
+
+tagsCmd
+  .command('leads <tag-name>')
+  .description('List leads with a specific tag')
+  .option('--limit <n>', 'Max results', '50')
+  .action(async (tagName, opts) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.get('/leads', { params: { tag: tagName, per_page: parseInt(opts.limit) } });
+      const leads = res.data.data || [];
+      if (leads.length === 0) { console.log(`No leads found with tag "${tagName}".`); return; }
+      console.log(`Leads tagged "${tagName}" (${leads.length}):`);
+      leads.forEach(l => console.log(`[${l.id}] ${l.name} <${l.email}> — ${l.status} (${l.assigned_to || 'unassigned'})`));
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// SLA COMMANDS — Sprint 55 T2 (admin JWT via stagesAdminLogin)
+// ============================================================
+const slaCmd = program.command('sla').description('Manage SLA escalation rules and view breaches (Sprint 55 T2)');
+
+slaCmd
+  .command('list')
+  .description('List all SLA escalation rules')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/sla-escalation-rules`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      const rules = res.data.data || res.data || [];
+      if (rules.length === 0) { console.log('No SLA rules configured.'); return; }
+      rules.forEach(r => {
+        const hours = (r.escalate_after_breach_minutes / 60).toFixed(1);
+        const stage = r.stage_name_label ? `stage: ${r.stage_name_label}` : 'all stages';
+        const active = r.is_active ? '✓' : '✗';
+        console.log(`[${r.id}] ${active} "${r.name}" — ${hours}h breach → escalate to ${r.escalate_to} (${stage})`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+slaCmd
+  .command('create')
+  .description('Create a new SLA escalation rule')
+  .requiredOption('--name <name>', 'Rule name')
+  .requiredOption('--hours <n>', 'Hours after breach before escalating')
+  .requiredOption('--escalate-to <agent>', 'Agent/email to escalate to')
+  .option('--stage-id <id>', 'Pipeline stage UUID to scope this rule (omit for all stages)')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    const minutes = Math.round(parseFloat(opts.hours) * 60);
+    if (isNaN(minutes) || minutes < 1) { console.error('Error: --hours must be a positive number'); process.exit(1); }
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const body = { name: opts.name, escalate_after_breach_minutes: minutes, escalate_to: opts.escalateTo };
+      if (opts.stageId) body.stage_id = opts.stageId;
+      const res = await axios.post(`${base}/api/v1/admin/sla-escalation-rules`, body, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      console.log(`SLA rule created: ${res.data.data?.id || res.data?.id}`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+slaCmd
+  .command('update <id>')
+  .description('Update an SLA escalation rule')
+  .option('--name <name>', 'New rule name')
+  .option('--hours <n>', 'New escalation threshold in hours')
+  .option('--escalate-to <agent>', 'New escalation target')
+  .option('--active <bool>', 'Enable/disable rule (true|false)')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (id, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    const body = {};
+    if (opts.name) body.name = opts.name;
+    if (opts.hours !== undefined) {
+      const minutes = Math.round(parseFloat(opts.hours) * 60);
+      if (isNaN(minutes) || minutes < 1) { console.error('Error: --hours must be a positive number'); process.exit(1); }
+      body.escalate_after_breach_minutes = minutes;
+    }
+    if (opts.escalateTo) body.escalate_to = opts.escalateTo;
+    if (opts.active !== undefined) body.is_active = opts.active === 'true';
+    if (Object.keys(body).length === 0) { console.error('Error: provide at least one field to update'); process.exit(1); }
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.patch(`${base}/api/v1/admin/sla-escalation-rules/${id}`, body, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      console.log(`SLA rule ${id} updated.`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+slaCmd
+  .command('delete <id>')
+  .description('Delete an SLA escalation rule')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (id, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      await axios.delete(`${base}/api/v1/admin/sla-escalation-rules/${id}`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      console.log(`SLA rule ${id} deleted.`);
+    } catch (err) { handleError(err); }
+  });
+
+slaCmd
+  .command('breaches')
+  .description('List leads with active SLA breaches')
+  .option('--status <status>', 'open (default) or resolved', 'open')
+  .option('--limit <n>', 'Max results', '50')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/sla-breaches`, {
+        params: { status: opts.status, limit: opts.limit },
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      const d = res.data.data || {};
+      const items = d.items || [];
+      if (items.length === 0) { console.log(`No ${opts.status} SLA breaches.`); return; }
+      console.log(`${opts.status.toUpperCase()} SLA breaches (${d.total || items.length}):`);
+      items.forEach(l => {
+        const breached = l.breached_at ? new Date(l.breached_at).toLocaleString() : 'N/A';
+        console.log(`[${l.id}] ${l.name} <${l.email}> — ${l.status} | stage: ${l.pipeline_stage || 'N/A'} | breached: ${breached} | assigned: ${l.assigned_to || 'none'}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// ANALYTICS COMMANDS — Sprint 55 T3 (admin JWT via stagesAdminLogin)
+// (analyticsCmd already declared above — appending pipeline + funnel subcommands)
+// ============================================================
+
+analyticsCmd
+  .command('pipeline')
+  .description('Stage-by-stage pipeline breakdown: lead count, avg deal value, avg time-in-stage, conversion rate')
+  .option('--stage <name>', 'Filter output to a single stage name')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/analytics/funnel`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      let stages = (res.data.data?.stages || []);
+      if (opts.stage) {
+        stages = stages.filter(s => s.stage_name.toLowerCase() === opts.stage.toLowerCase());
+        if (stages.length === 0) { console.log(`Stage "${opts.stage}" not found.`); return; }
+      }
+      console.log('\nPipeline Breakdown:');
+      console.log('─'.repeat(90));
+      stages.forEach(s => {
+        const deal = s.avg_deal_value != null ? `$${s.avg_deal_value}` : 'N/A';
+        const time = s.avg_time_in_stage_hours != null ? `${s.avg_time_in_stage_hours}h` : 'N/A';
+        const conv = s.conversion_rate_to_next_stage != null ? `${s.conversion_rate_to_next_stage}%` : 'N/A';
+        console.log(`${String(s.stage_name).padEnd(20)} leads: ${String(s.lead_count).padStart(4)} | avg deal: ${String(deal).padStart(10)} | avg time: ${String(time).padStart(8)} | conv: ${conv}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+analyticsCmd
+  .command('funnel')
+  .description('Full top-to-bottom conversion funnel with drop-off rates')
+  .option('--from <date>', 'From date (YYYY-MM-DD, default: 30 days ago)')
+  .option('--to <date>', 'To date (YYYY-MM-DD, default: today)')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const params = {};
+      if (opts.from) params.from = opts.from;
+      if (opts.to) params.to = opts.to;
+      const res = await axios.get(`${base}/api/v1/admin/analytics/funnel`, {
+        params, headers: { Authorization: `Bearer ${token}` }
+      });
+      const d = res.data.data || {};
+      const stages = d.stages || [];
+      const from = d.from ? new Date(d.from).toLocaleDateString() : '30d ago';
+      const to = d.to ? new Date(d.to).toLocaleDateString() : 'today';
+      console.log(`\nConversion Funnel (${from} → ${to}):`);
+      console.log('─'.repeat(85));
+      stages.forEach((s, i) => {
+        const entered = s.leads_entered_window || 0;
+        const exited = s.leads_exited_window || 0;
+        const dropOff = s.drop_off_rate != null ? `${s.drop_off_rate}% drop-off` : 'N/A';
+        const conv = s.conversion_rate_to_next_stage != null ? `${s.conversion_rate_to_next_stage}%` : 'N/A';
+        const bar = '█'.repeat(Math.min(Math.round((entered / Math.max(...stages.map(x => x.leads_entered_window || 0), 1)) * 20), 20));
+        console.log(`${String(s.stage_name).padEnd(20)} ${bar.padEnd(20)} entered: ${String(entered).padStart(4)} | exited: ${String(exited).padStart(4)} | conv: ${String(conv).padStart(5)} | ${dropOff}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// Sprint 56 T1: leads timeline subcommand
+// ============================================================
+leadsCmd
+  .command('timeline <lead-id>')
+  .description('View reverse-chronological activity timeline for a lead (Sprint 56 T1)')
+  .option('--limit <n>', 'Max entries to return', '50')
+  .option('--type <type>', 'Filter by event type: note_added|field_changed|score_changed|relationship_added|sla_breach|note|score|merge')
+  .option('--from <date>', 'From date (YYYY-MM-DD)')
+  .option('--to <date>', 'To date (YYYY-MM-DD)')
+  .action(async (leadId, opts) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    // Map friendly type aliases to server type names
+    const typeAliases = {
+      note: 'note_added',
+      score: 'score_changed',
+      merge: 'relationship_added',
+      escalation: 'sla_breach',
+    };
+    const params = { limit: opts.limit };
+    if (opts.type) params.type_filter = typeAliases[opts.type] || opts.type;
+    if (opts.from) params.from = opts.from;
+    if (opts.to) params.to = opts.to;
+    try {
+      const res = await client.get(`/leads/${leadId}/timeline`, { params });
+      const d = res.data.data || {};
+      const entries = d.timeline || [];
+      if (entries.length === 0) { console.log('No timeline entries found.'); return; }
+      console.log(`\nTimeline for lead ${leadId} (${d.total} total, showing ${entries.length}):`);
+      entries.forEach(e => {
+        const when = new Date(e.timestamp).toLocaleString();
+        const actor = e.actor || 'system';
+        console.log(`${when} [${e.type}] ${e.summary} — ${actor}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// Sprint 56 T2: email-logs + email-sync commands (admin JWT)
+// ============================================================
+const emailLogsCmd = program.command('email-logs').description('Inbound email parse logs (Sprint 56 T2) — requires admin login');
+
+emailLogsCmd
+  .command('list')
+  .description('List inbound email parse log entries')
+  .option('--from <date>', 'From date (YYYY-MM-DD)')
+  .option('--to <date>', 'To date (YYYY-MM-DD)')
+  .option('--status <status>', 'Filter: parsed | failed')
+  .option('--limit <n>', 'Max results', '50')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const params = { limit: opts.limit };
+      if (opts.from) params.from = opts.from;
+      if (opts.to) params.to = opts.to;
+      if (opts.status) params.status = opts.status;
+      const res = await axios.get(`${base}/api/v1/admin/inbound/email/log`, {
+        params, headers: { Authorization: `Bearer ${token}` }
+      });
+      const d = res.data.data || {};
+      const items = d.items || [];
+      if (items.length === 0) { console.log('No email log entries found.'); return; }
+      console.log(`Total: ${d.total || items.length}`);
+      items.forEach(e => {
+        const when = new Date(e.created_at).toLocaleString();
+        const status = e.action === 'failed' ? '❌' : '✅';
+        console.log(`[${e.id}] ${status} ${when} — from: ${e.from_raw || 'N/A'} | action: ${e.action} | lead: ${e.lead_id || 'none'}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+emailLogsCmd
+  .command('get <log-id>')
+  .description('Get full details of a single inbound email log entry')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (logId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/inbound/email/log/${logId}`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+const emailSyncCmd = program.command('email-sync').description('Manage email sync accounts (Sprint 56 T2) — requires admin login');
+
+emailSyncCmd
+  .command('status')
+  .description('Show connected email sync accounts and their status')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/email-accounts`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      const accounts = res.data.data || res.data || [];
+      if (accounts.length === 0) { console.log('No email sync accounts connected.'); return; }
+      accounts.forEach(a => {
+        const lastSync = a.last_sync_at ? new Date(a.last_sync_at).toLocaleString() : 'never';
+        const enabled = a.enabled ? '✓ enabled' : '✗ disabled';
+        console.log(`[${a.id}] ${a.user_email || a.label || 'N/A'} (${a.provider || 'gmail'}) — ${enabled} | last sync: ${lastSync}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
+emailSyncCmd
+  .command('disconnect <account-id>')
+  .description('Disconnect an email sync account by ID')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (accountId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      await axios.delete(`${base}/api/v1/admin/email-accounts/${accountId}`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      console.log(`Email sync account ${accountId} disconnected.`);
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// Sprint 56 T3: users get + activity list commands
+// ============================================================
+
+// Sprint 56 T3: users get <id> — uses admin JWT (/admin/users/:id) to avoid requireAdminScope on API key route
+usersCmd
+  .command('get <id>')
+  .description('Get a single user by ID including assigned lead count (Sprint 56 T3)')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (userId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/users/${userId}`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      const u = res.data.data || res.data;
+      console.log(`[${u.id}] ${u.name || '—'} <${u.email}> — role: ${u.role} | active: ${u.is_active} | assigned leads: ${u.assigned_lead_count ?? 'N/A'}`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+// users list — also add admin JWT fallback via /admin/users for workspaces without admin-scope API keys
+usersCmd
+  .command('list-admin')
+  .description('List all users via admin JWT (use when API key lacks admin scope)')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/users`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      const users = res.data.data || res.data || [];
+      if (users.length === 0) { console.log('No users found.'); return; }
+      users.forEach(u => console.log(`[${u.id}] ${u.name || '—'} <${u.email}> — role: ${u.role} | leads: ${u.assigned_lead_count}`));
+    } catch (err) { handleError(err); }
+  });
+
+const activityCmd = program.command('activity').description('System-wide activity feed (Sprint 56 T3) — requires admin login');
+
+activityCmd
+  .command('list')
+  .description('List recent system-wide activity across all leads')
+  .option('--lead-id <id>', 'Filter to a specific lead ID')
+  .option('--author-type <type>', 'Filter by actor type: api_key|human-admin|system')
+  .option('--from <date>', 'From date (YYYY-MM-DD)')
+  .option('--limit <n>', 'Max results', '50')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = cfg.token || await stagesAdminLogin(base, cfg, opts);
+      const params = { limit: opts.limit };
+      if (opts.leadId) params.lead_id = opts.leadId;
+      if (opts.authorType) params.author_type = opts.authorType;
+      if (opts.from) params.from = opts.from;
+      const res = await axios.get(`${base}/api/v1/admin/activity`, {
+        params, headers: { Authorization: `Bearer ${token}` }
+      });
+      const d = res.data;
+      const items = d.data || [];
+      if (items.length === 0) { console.log('No activity found.'); return; }
+      const total = d.pagination?.total || items.length;
+      console.log(`Activity feed (${total} total, showing ${items.length}):`);
+      items.forEach(e => {
+        const when = new Date(e.changed_at).toLocaleString();
+        const lead = e.lead_name ? `${e.lead_name}` : (e.lead_id || 'N/A');
+        console.log(`${when} | ${e.changed_by || 'system'} | ${e.field}: ${e.old_value ?? '—'} → ${e.new_value ?? '—'} | lead: ${lead}`);
+      });
+    } catch (err) { handleError(err); }
+  });
+
 // ============================================================
 // GDPR COMMANDS — Sprint 50 T2
 // ============================================================
@@ -3956,4 +4531,405 @@ reportsCmd
     } catch (err) { handleError(err); }
   });
 
+// ============================================================
+// SCORING RULES COMMANDS (S57-T1) — admin JWT
+// ============================================================
+
+const scoringRulesCmd = program.command('scoring-rules').description('Manage auto lead scoring rules (admin)');
+
+scoringRulesCmd
+  .command('list')
+  .description('List all auto scoring rules')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/score-rules/auto`, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      const rules = res.data.data || res.data;
+      if (Array.isArray(rules) && rules.length === 0) { console.log('No scoring rules found.'); return; }
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+scoringRulesCmd
+  .command('get <rule-id>')
+  .description('Get a single auto scoring rule by ID')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (ruleId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/score-rules/auto/${ruleId}`, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+scoringRulesCmd
+  .command('create')
+  .description('Create a new auto scoring rule')
+  .requiredOption('--name <name>', 'Rule name')
+  .requiredOption('--score <delta>', 'Score delta (-100 to 100, non-zero integer)')
+  .option('--trigger <event>', 'Trigger event (default: lead.status_changed)', 'lead.status_changed')
+  .option('--condition <expr>', 'Condition: "<field> <op> <value>" (repeatable). e.g. --condition "deal_value gte 10000" --condition "status eq qualified"', (val, acc) => { acc.push(val); return acc; }, [])
+  .option('--match <mode>', 'Condition logic: all (AND) or any (OR) (default: all)', 'all')
+  .option('--field <field>', 'Lead field (single-condition shorthand, used if no --condition flags)')
+  .option('--operator <op>', 'Operator shorthand: eq, neq, gt, lt, gte, lte, contains')
+  .option('--value <val>', 'Value shorthand')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    const delta = parseInt(opts.score, 10);
+    if (isNaN(delta)) { console.error('Error: --score must be a non-zero integer'); process.exit(1); }
+    // Build conditions: repeatable --condition "field op value" takes precedence over --field/--operator/--value
+    const conditions = [];
+    if (opts.condition && opts.condition.length > 0) {
+      for (const expr of opts.condition) {
+        const parts = expr.trim().split(/\s+/);
+        if (parts.length < 3) { console.error(`Invalid --condition "${expr}". Format: "<field> <operator> <value>"`); process.exit(1); }
+        const [field, operator, ...rest] = parts;
+        conditions.push({ field, operator, value: rest.join(' ') });
+      }
+    } else if (opts.field && opts.operator && opts.value !== undefined) {
+      conditions.push({ field: opts.field, operator: opts.operator, value: opts.value });
+    }
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const body = { name: opts.name, trigger_event: opts.trigger, score_delta: delta, conditions, match: opts.match };
+      const res = await axios.post(`${base}/api/v1/admin/score-rules/auto`, body, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      const r = res.data.data || res.data;
+      console.log(`Rule created: [${r.id}] ${r.name} (delta: ${r.score_delta}, conditions: ${conditions.length})`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+scoringRulesCmd
+  .command('update <rule-id>')
+  .description('Update an auto scoring rule')
+  .option('--name <name>', 'New rule name')
+  .option('--score <delta>', 'New score delta (-100 to 100)')
+  .option('--trigger <event>', 'New trigger event')
+  .option('--active <bool>', 'Enable/disable rule (true|false)')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (ruleId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    const body = {};
+    if (opts.name) body.name = opts.name;
+    if (opts.score !== undefined) body.score_delta = parseInt(opts.score, 10);
+    if (opts.trigger) body.trigger_event = opts.trigger;
+    if (opts.active !== undefined) body.is_active = opts.active === 'true';
+    if (Object.keys(body).length === 0) { console.error('Provide at least one of: --name, --score, --trigger, --active'); process.exit(1); }
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.patch(`${base}/api/v1/admin/score-rules/auto/${ruleId}`, body, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      console.log(`Rule updated.`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+scoringRulesCmd
+  .command('delete <rule-id>')
+  .description('Delete an auto scoring rule')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (ruleId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.delete(`${base}/api/v1/admin/score-rules/auto/${ruleId}`, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      console.log(`Rule ${ruleId} deleted.`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+scoringRulesCmd
+  .command('evaluate <lead-id>')
+  .description('Re-evaluate all active scoring rules against a lead and apply matching score deltas')
+  .action(async (leadId) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.post(`/leads/${leadId}/score/evaluate`);
+      const r = res.data.data || res.data;
+      console.log(`Score evaluated: final_score=${r.final_score}, rules_applied=${r.rules_applied}`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// NOTIFICATIONS COMMANDS (S57-T2) — API key auth
+// ============================================================
+
+const notificationsCmd = program.command('notifications').description('Manage agent notifications');
+
+notificationsCmd
+  .command('list')
+  .description('List notifications for current API key')
+  .option('--unread', 'Show only unread notifications')
+  .option('--limit <n>', 'Max notifications to return', '50')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const params = { limit: opts.limit };
+      if (opts.unread) params.unread = 'true';
+      const res = await client.get('/notifications', { params });
+      const notifications = res.data.data || res.data;
+      if (Array.isArray(notifications) && notifications.length === 0) { console.log('No notifications.'); return; }
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+notificationsCmd
+  .command('read <notification-id>')
+  .description('Mark a notification as read')
+  .action(async (notificationId) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.patch(`/notifications/${notificationId}/read`);
+      console.log('Notification marked as read.');
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+notificationsCmd
+  .command('read-all')
+  .description('Mark all notifications as read for current API key')
+  .action(async () => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.post('/notifications/read-all');
+      const r = res.data.data || res.data;
+      console.log(`Marked ${r.marked_read} notification(s) as read.`);
+    } catch (err) { handleError(err); }
+  });
+
+notificationsCmd
+  .command('delete <notification-id>')
+  .description('Delete a notification')
+  .action(async (notificationId) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      await client.delete(`/notifications/${notificationId}`);
+      console.log(`Notification ${notificationId} deleted.`);
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// KEYS USAGE SUBCOMMAND (S57-T3) — admin JWT
+// ============================================================
+
+keysCmd
+  .command('usage [key-id]')
+  .description('Show API key usage stats. Omit key-id to show all-keys summary.')
+  .option('--all', 'Show summary across all keys')
+  .option('--from <date>', 'From date (YYYY-MM-DD)')
+  .option('--to <date>', 'To date (YYYY-MM-DD)')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (keyId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const headers = { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
+      if (!keyId || opts.all) {
+        const res = await axios.get(`${base}/api/v1/admin/api-keys/usage/summary`, { headers });
+        printJSON(res.data);
+      } else {
+        const params = {};
+        if (opts.from) params.from = opts.from;
+        if (opts.to) params.to = opts.to;
+        const res = await axios.get(`${base}/api/v1/admin/api-keys/${keyId}/usage`, { headers, params });
+        printJSON(res.data);
+      }
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// INTEGRATIONS COMMANDS (S57-T3) — admin JWT
+// ============================================================
+
+const integrationsCmd = program.command('integrations').description('View integration status (email sync, webhooks)');
+
+integrationsCmd
+  .command('list')
+  .description('List all integrations for workspace')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/integrations`, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      const list = res.data.data || res.data;
+      if (Array.isArray(list) && list.length === 0) { console.log('No integrations configured.'); return; }
+      if (Array.isArray(list)) {
+        list.forEach(i => {
+          const status = i.status || (i.enabled ? 'active' : 'disabled');
+          console.log(`[${i.id}] ${i.type.padEnd(12)} ${(i.name || '').substring(0, 50).padEnd(52)} status: ${status}`);
+        });
+      } else {
+        printJSON(res.data);
+      }
+    } catch (err) { handleError(err); }
+  });
+
+integrationsCmd
+  .command('status <integration-id>')
+  .description('Show detailed status for a specific integration')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (integrationId, opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const res = await axios.get(`${base}/api/v1/admin/integrations/${integrationId}`, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' }
+      });
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+// ============================================================
+// LEAD ARCHIVAL COMMANDS (S58-T3) — archive, restore, list archived, purge
+// ============================================================
+
+leadsCmd
+  .command('archive <lead-id>')
+  .description('Archive a lead (removes from active pipeline)')
+  .action(async (leadId) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.post(`/leads/${leadId}/archive`);
+      console.log(`Lead ${leadId} archived.`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+leadsCmd
+  .command('restore <lead-id>')
+  .description('Restore an archived lead back to the active pipeline')
+  .action(async (leadId) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.post(`/leads/${leadId}/restore`);
+      console.log(`Lead ${leadId} restored.`);
+      printJSON(res.data);
+    } catch (err) { handleError(err); }
+  });
+
+leadsCmd
+  .command('archived')
+  .description('List archived leads')
+  .option('--limit <n>', 'Max leads to return', '50')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const client = getClient(globalOpts);
+    try {
+      const res = await client.get('/leads', { params: { archived_only: 'true', limit: opts.limit } });
+      const leads = res.data.data || res.data;
+      if (Array.isArray(leads) && leads.length === 0) { console.log('No archived leads.'); return; }
+      if (Array.isArray(leads)) {
+        leads.forEach(l => {
+          const archivedAt = l.archived_at ? new Date(l.archived_at).toISOString().split('T')[0] : 'unknown';
+          console.log(`[${l.id}] ${(l.name || l.email || 'unnamed').padEnd(35)} archived: ${archivedAt}`);
+        });
+      } else {
+        printJSON(res.data);
+      }
+    } catch (err) { handleError(err); }
+  });
+
+leadsCmd
+  .command('purge-archived')
+  .description('Permanently delete archived leads older than a given date (admin only)')
+  .requiredOption('--before <date>', 'Cutoff date (YYYY-MM-DD) — delete leads archived before this date')
+  .option('--dry-run', 'Show count of leads that would be deleted without actually deleting')
+  .option('--workspace <slug>', 'Workspace slug')
+  .option('--email <email>', 'Admin email')
+  .option('--password <password>', 'Admin password')
+  .action(async (opts) => {
+    const globalOpts = program.opts();
+    const apiUrl = resolveApiUrl(globalOpts.url);
+    if (!apiUrl) { console.error('Error: API URL not configured.'); process.exit(1); }
+    const cfg = loadConfig();
+    try {
+      const base = apiUrl.replace(/\/$/, '');
+      const token = await stagesAdminLogin(base, cfg, opts);
+      const params = { before: opts.before };
+      if (opts.dryRun) params.dry_run = 'true';
+      const res = await axios.delete(`${base}/api/v1/admin/leads/purge-archived`, {
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+        params
+      });
+      const r = res.data.data || res.data;
+      if (r.dry_run) {
+        console.log(`Dry run: ${r.would_delete} lead(s) would be permanently deleted (archived before ${opts.before}).`);
+      } else {
+        console.log(`Purged: ${r.deleted} archived lead(s) permanently deleted (before ${opts.before}).`);
+      }
+    } catch (err) { handleError(err); }
+  });
+
 program.parse(process.argv);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startanaicompany/crm",
-  "version": "2.17.0",
+  "version": "2.21.0",
   "description": "AI-first CRM CLI — manage leads and API keys from the terminal",
   "main": "index.js",
   "bin": {