@upend/cli 0.1.0 → 0.1.1

package/README.md

@@ -16,7 +16,7 @@ Bun + Hono + Neon Postgres + Caddy. Custom JWT auth. Claude editing sessions wit
 
 ```bash
 # create a new project
-bunx @upend/cli init my-app
+bunx @upend/cli init my-project
 
 # follow the prompts — if neonctl is installed, it will:
 #   1. create a Neon database
@@ -25,7 +25,7 @@ bunx @upend/cli init my-app
 #   4. generate RSA signing keys
 #   5. encrypt your .env with dotenvx
 
-cd my-app
+cd my-project
 
 # add your Anthropic API key
 # (edit .env, then re-encrypt)
@@ -44,7 +44,7 @@ Open http://localhost:4000 — you'll see the dashboard.
 ## What you get
 
 ```
-my-app/
+my-project/
 ├── apps/                 → hot-deployed frontends (drop files in, they're live)
 ├── migrations/
 │   └── 001_init.sql      → starter migration
@@ -211,7 +211,7 @@ bunx upend setup:jwks
 import { defineConfig } from "@upend/cli";
 
 export default defineConfig({
-  name: "my-app",
+  name: "my-project",
   database: process.env.DATABASE_URL,
   dataApi: process.env.NEON_DATA_API,
   deploy: {

package/bin/cli.ts

@@ -9,6 +9,7 @@ const commands: Record<string, () => Promise<void>> = {
   deploy: () => import("../src/commands/deploy").then((m) => m.default(args.slice(1))),
   migrate: () => import("../src/commands/migrate").then((m) => m.default(args.slice(1))),
   infra: () => import("../src/commands/infra").then((m) => m.default(args.slice(1))),
+  env: () => import("../src/commands/env").then((m) => m.default(args.slice(1))),
 };
 
 if (!command || command === "--help" || command === "-h") {
@@ -20,8 +21,8 @@ if (!command || command === "--help" || command === "-h") {
     upend dev                start local dev (services + caddy)
     upend deploy             deploy to remote instance
     upend migrate            run database migrations
+    upend env:set <K> <V>    set an env var (decrypts, sets, re-encrypts)
     upend infra:aws          provision AWS infrastructure
-    upend infra:gcp          provision GCP infrastructure
 
   options:
     --help, -h               show this help
@@ -36,8 +37,8 @@ if (command === "--version" || command === "-v") {
   process.exit(0);
 }
 
-// handle infra:provider syntax
-const cmd = command.startsWith("infra:") ? "infra" : command;
+// handle colon syntax: infra:aws, env:set
+const cmd = command.startsWith("infra:") ? "infra" : command.startsWith("env:") ? "env" : command;
 
 if (!commands[cmd]) {
   console.error(`unknown command: ${command}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upend/cli",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Anti-SaaS stack. Deploy live apps with Claude, Postgres, and rsync.",
   "type": "module",
   "bin": {

package/src/commands/dev.ts

@@ -23,7 +23,8 @@ export default async function dev(args: string[]) {
 
   // start API service
   log.info(`starting api → :${apiPort}`);
-  Bun.spawn(["bun", "--watch", `${cliRoot}/src/services/gateway/index.ts`], {
+  Bun.spawn(["bunx", "@dotenvx/dotenvx", "run", "--", "bun", "--watch", `${cliRoot}/src/services/gateway/index.ts`], {
+    cwd: projectDir,
     env: { ...process.env, API_PORT: apiPort, UPEND_PROJECT: projectDir },
     stdout: "inherit",
     stderr: "inherit",
@@ -31,7 +32,8 @@ export default async function dev(args: string[]) {
 
   // start Claude service
   log.info(`starting claude → :${claudePort}`);
-  Bun.spawn(["bun", "--watch", `${cliRoot}/src/services/claude/index.ts`], {
+  Bun.spawn(["bunx", "@dotenvx/dotenvx", "run", "--", "bun", "--watch", `${cliRoot}/src/services/claude/index.ts`], {
+    cwd: projectDir,
     env: { ...process.env, CLAUDE_PORT: claudePort, UPEND_PROJECT: projectDir },
     stdout: "inherit",
     stderr: "inherit",

package/src/commands/env.ts

@@ -0,0 +1,35 @@
+import { log } from "../lib/log";
+import { exec } from "../lib/exec";
+import { readFileSync, writeFileSync } from "fs";
+
+export default async function env(args: string[]) {
+  const [key, value] = args;
+
+  if (!key || !value) {
+    log.error("usage: upend env:set <KEY> <VALUE>");
+    log.dim("  e.g. upend env:set ANTHROPIC_API_KEY sk-ant-...");
+    process.exit(1);
+  }
+
+  // decrypt
+  log.info("decrypting .env...");
+  await exec(["bunx", "@dotenvx/dotenvx", "decrypt"], { silent: true });
+
+  // read, update, write
+  const envFile = readFileSync(".env", "utf-8");
+  const regex = new RegExp(`^${key}=.*$`, "m");
+
+  let updated: string;
+  if (regex.test(envFile)) {
+    updated = envFile.replace(regex, `${key}="${value}"`);
+  } else {
+    updated = envFile.trimEnd() + `\n${key}="${value}"\n`;
+  }
+  writeFileSync(".env", updated);
+  log.success(`${key} set`);
+
+  // re-encrypt
+  log.info("encrypting .env...");
+  await exec(["bunx", "@dotenvx/dotenvx", "encrypt"], { silent: true });
+  log.success(".env encrypted");
+}

package/src/commands/init.ts

@@ -1,16 +1,20 @@
 import { log } from "../lib/log";
 import { exec, execOrDie, hasCommand } from "../lib/exec";
-import { existsSync, mkdirSync, writeFileSync, readFileSync } from "fs";
+import { existsSync, mkdirSync, writeFileSync, readFileSync, rmSync } from "fs";
 import { join, resolve } from "path";
 
 export default async function init(args: string[]) {
   const name = args[0];
   if (!name) {
-    log.error("usage: upend init <name>");
+    log.error("usage: upend init <name> [--admin-email <email> --admin-password <pass>]");
     log.dim("  e.g. upend init beta → deploys to beta.upend.site");
     process.exit(1);
   }
 
+  // parse optional flags
+  const adminEmail = getFlag(args, "--admin-email");
+  const adminPassword = getFlag(args, "--admin-password");
+
   const projectDir = resolve(name);
   const domain = `${name}.upend.site`;
 
@@ -46,7 +50,14 @@ export default async function init(args: string[]) {
   let neonDataApi = "";
   let neonProjectId = "";
 
-  if (await hasCommand("neonctl")) {
+  if (!(await hasCommand("neonctl"))) {
+    log.error("neonctl is required — install with: npm i -g neonctl");
+    log.dim("upend currently requires Neon Postgres. More database support coming soon.");
+    rmSync(projectDir, { recursive: true, force: true });
+    process.exit(1);
+  }
+
+  {
     // check auth
     const { exitCode } = await exec(["neonctl", "me"], { silent: true });
     if (exitCode !== 0) {
@@ -125,21 +136,16 @@ export default async function init(args: string[]) {
         log.warn("couldn't read neon API token — data API needs manual setup");
       }
     }
-  } else {
-    log.warn("neonctl not found — install with: npm i -g neonctl");
-    log.dim("then re-run: upend init " + name);
-    log.dim("or set DATABASE_URL manually in .env");
   }
 
   // ── 3. scaffold project files ──
 
   log.info("scaffolding project...");
 
-  // resolve @upend/cli dependency
+  // resolve @upend/cli version from our own package.json
   const cliPkgPath = new URL("../../package.json", import.meta.url).pathname;
   const cliPkg = JSON.parse(readFileSync(cliPkgPath, "utf-8"));
-  const cliRoot = join(cliPkgPath, "..");
-  const cliDep = cliPkg.version === "0.1.0" ? `file:${cliRoot}` : `^${cliPkg.version}`;
+  const cliDep = `^${cliPkg.version}`;
 
   writeFile(projectDir, "upend.config.ts", `import { defineConfig } from "@upend/cli";
 
@@ -175,6 +181,7 @@ ANTHROPIC_API_KEY=
 DEPLOY_HOST=
 API_PORT=3001
 CLAUDE_PORT=3002
+SIGNUP_ENABLED=false
 `);
 
   writeFile(projectDir, ".env.example", `DATABASE_URL=postgresql://user:pass@host/db?sslmode=require
@@ -195,11 +202,12 @@ sessions/
 
   // migrations
   mkdirSync(join(projectDir, "migrations"), { recursive: true });
-  writeFile(projectDir, "migrations/001_init.sql", `-- your first migration
-CREATE TABLE IF NOT EXISTS example (
-  id BIGSERIAL PRIMARY KEY,
-  name TEXT NOT NULL,
-  data JSONB DEFAULT '{}',
+  writeFile(projectDir, "migrations/001_users.sql", `-- users table (exposed via Data API)
+CREATE TABLE IF NOT EXISTS users (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  email TEXT UNIQUE NOT NULL,
+  password_hash TEXT NOT NULL,
+  role TEXT DEFAULT 'user',
   created_at TIMESTAMPTZ DEFAULT now(),
   updated_at TIMESTAMPTZ DEFAULT now()
 );
@@ -269,18 +277,72 @@ All requests need \`Authorization: Bearer <jwt>\` header.
   await execOrDie(["bun", "install"], { cwd: projectDir });
   log.success("dependencies installed");
 
+  // ── 7. bootstrap DB + create admin ──
+
+  if (databaseUrl) {
+    // run migrations (bootstrap + user's 001_init.sql which creates users table)
+    log.info("running migrations...");
+    await exec(["bunx", "@dotenvx/dotenvx", "run", "--", "bunx", "upend", "migrate"], { cwd: projectDir });
+    log.success("database ready");
+
+    // prompt: create admin or enable signup?
+    log.blank();
+    process.stdout.write("  create an admin user now? (Y/n): ");
+    const answer = (await readLine()).trim().toLowerCase();
+
+    if (answer === "n" || answer === "no") {
+      // enable signup so they can create accounts from the dashboard
+      log.info("enabling public signup...");
+      await setEnvVar(projectDir, "SIGNUP_ENABLED", "true");
+      log.success("signup enabled — anyone can create an account");
+    } else {
+      // create admin user
+      let email = adminEmail;
+      let password = adminPassword;
+
+      if (!email) {
+        process.stdout.write("  admin email: ");
+        email = (await readLine()).trim();
+      }
+      if (!password) {
+        process.stdout.write("  admin password: ");
+        password = (await readLine()).trim();
+      }
+
+      if (email && password) {
+        log.info("creating admin user...");
+        const postgres = (await import("postgres")).default;
+        const sql = postgres(databaseUrl, { max: 1 });
+        const passwordHash = await Bun.password.hash(password, { algorithm: "argon2id" });
+        try {
+          const [user] = await sql`
+            INSERT INTO users (email, password_hash, role)
+            VALUES (${email}, ${passwordHash}, 'admin')
+            RETURNING id, email, role
+          `;
+          log.success(`admin: ${user.email}`);
+        } catch (err: any) {
+          if (err.code === "23505") {
+            log.warn("admin user already exists");
+          } else {
+            log.warn(`could not create admin: ${err.message}`);
+          }
+        }
+        await sql.end();
+      }
+    }
+  }
+
   // ── done ──
 
   log.blank();
   log.header(`${name} is ready`);
   log.blank();
   log.info(`cd ${name}`);
-  if (!databaseUrl) {
-    log.info("# add your DATABASE_URL to .env");
-  }
   if (!process.env.ANTHROPIC_API_KEY) {
-    log.info("# add your ANTHROPIC_API_KEY to .env");
+    log.info("upend env:set ANTHROPIC_API_KEY <your-key>");
   }
+  log.info("upend migrate");
   log.info("upend dev");
   log.blank();
   if (databaseUrl) {
@@ -314,6 +376,34 @@ function writeFile(dir: string, path: string, content: string) {
   writeFileSync(fullPath, content);
 }
 
+async function setEnvVar(projectDir: string, key: string, value: string) {
+  await exec(["bunx", "@dotenvx/dotenvx", "decrypt"], { cwd: projectDir, silent: true });
+  const envFile = readFileSync(join(projectDir, ".env"), "utf-8");
+  const regex = new RegExp(`^${key}=.*$`, "m");
+  const updated = regex.test(envFile)
+    ? envFile.replace(regex, `${key}=${value}`)
+    : envFile.trimEnd() + `\n${key}=${value}\n`;
+  writeFileSync(join(projectDir, ".env"), updated);
+  await exec(["bunx", "@dotenvx/dotenvx", "encrypt"], { cwd: projectDir, silent: true });
+}
+
+function getFlag(args: string[], flag: string): string | undefined {
+  const idx = args.indexOf(flag);
+  return idx !== -1 && args[idx + 1] ? args[idx + 1] : undefined;
+}
+
+function readLine(): Promise<string> {
+  return new Promise((resolve) => {
+    const stdin = process.stdin;
+    stdin.resume();
+    stdin.setEncoding("utf-8");
+    stdin.once("data", (data: string) => {
+      stdin.pause();
+      resolve(data);
+    });
+  });
+}
+
 async function exportKeyToPem(key: CryptoKey, type: "PRIVATE" | "PUBLIC") {
   const format = type === "PRIVATE" ? "pkcs8" : "spki";
   const exported = await crypto.subtle.exportKey(format, key);

package/src/commands/migrate.ts

@@ -2,13 +2,15 @@ import { log } from "../lib/log";
 import { readdirSync, readFileSync } from "fs";
 import { join, resolve } from "path";
 
+// bootstrap SQL lives in the package — framework tables
+const bootstrapPath = new URL("../lib/bootstrap.sql", import.meta.url).pathname;
+
 export default async function migrate(args: string[]) {
   const projectDir = resolve(".");
   const migrationsDir = join(projectDir, "migrations");
 
   log.header("running migrations");
 
-  // dynamic import postgres from the project's node_modules
   const postgres = (await import("postgres")).default;
   const sql = postgres(process.env.DATABASE_URL!, {
     max: 1,
@@ -16,14 +18,13 @@ export default async function migrate(args: string[]) {
   });
 
   try {
-    // ensure migrations table
-    await sql`
-      CREATE TABLE IF NOT EXISTS _migrations (
-        name TEXT PRIMARY KEY,
-        ran_at TIMESTAMPTZ DEFAULT now()
-      )
-    `;
+    // 1. bootstrap framework tables (idempotent)
+    log.info("bootstrapping framework tables...");
+    const bootstrap = readFileSync(bootstrapPath, "utf-8");
+    await sql.unsafe(bootstrap);
+    log.success("framework tables ready");
 
+    // 2. run user migrations
     const ran = new Set(
       (await sql`SELECT name FROM _migrations`).map((r: any) => r.name)
     );
@@ -35,7 +36,8 @@ export default async function migrate(args: string[]) {
         .sort();
     } catch {
       log.warn("no migrations directory found");
-      process.exit(0);
+      await sql.end();
+      return;
     }
 
     let count = 0;

package/src/lib/bootstrap.sql

@@ -0,0 +1,43 @@
+-- upend framework tables — created automatically, not user-managed
+
+-- internal schema (hidden from Data API)
+CREATE SCHEMA IF NOT EXISTS upend;
+
+-- migration tracking (public, but prefixed with _ so Data API ignores it)
+CREATE TABLE IF NOT EXISTS _migrations (
+  id SERIAL PRIMARY KEY,
+  name TEXT UNIQUE NOT NULL,
+  applied_at TIMESTAMPTZ DEFAULT now()
+);
+
+-- oauth state tracking — internal
+CREATE TABLE IF NOT EXISTS upend.oauth_states (
+  id SERIAL PRIMARY KEY,
+  state TEXT UNIQUE NOT NULL,
+  provider TEXT NOT NULL,
+  created_at TIMESTAMPTZ DEFAULT now()
+);
+
+-- claude editing sessions — internal
+CREATE TABLE IF NOT EXISTS upend.editing_sessions (
+  id BIGSERIAL PRIMARY KEY,
+  prompt TEXT NOT NULL,
+  title TEXT,
+  status TEXT DEFAULT 'active',
+  claude_session_id TEXT,
+  snapshot_name TEXT,
+  context JSONB DEFAULT '{}',
+  created_at TIMESTAMPTZ DEFAULT now(),
+  updated_at TIMESTAMPTZ DEFAULT now()
+);
+
+-- session messages — internal
+CREATE TABLE IF NOT EXISTS upend.session_messages (
+  id BIGSERIAL PRIMARY KEY,
+  session_id BIGINT REFERENCES upend.editing_sessions(id),
+  role TEXT NOT NULL,
+  content TEXT,
+  result TEXT,
+  status TEXT DEFAULT 'pending',
+  created_at TIMESTAMPTZ DEFAULT now()
+);

package/src/lib/db.ts

@@ -5,6 +5,7 @@ export const sql = postgres(process.env.DATABASE_URL!, {
   idle_timeout: 20,
   connect_timeout: 10,
   transform: postgres.camel,
+  connection: { search_path: "public,upend" },
   onnotice: (notice) => console.log("pg:", notice.message),
 });
 

package/src/services/gateway/auth-routes.ts

@@ -10,8 +10,12 @@ authRoutes.get("/.well-known/jwks.json", async (c) => {
   return c.json(jwks);
 });
 
-// signup
+// signup (disabled by default — admin creates users, or set SIGNUP_ENABLED=true)
 authRoutes.post("/auth/signup", async (c) => {
+  if (process.env.SIGNUP_ENABLED !== "true") {
+    return c.json({ error: "signup is disabled — contact the admin" }, 403);
+  }
+
   const { email, password, role } = await c.req.json();
   console.log(`[auth] signup attempt: ${email}`);
   if (!email || !password) return c.json({ error: "email and password required" }, 400);