@upend/cli 0.1.1 → 0.1.4

package/bin/cli.ts

@@ -1,7 +1,18 @@
 #!/usr/bin/env bun
 
+import { existsSync } from "fs";
+
+// auto-load encrypted .env if present (skip for init — no .env yet)
 const args = process.argv.slice(2);
 const command = args[0];
+if (command !== "init" && existsSync(".env")) {
+  try {
+    const { config } = await import("@dotenvx/dotenvx");
+    config({ quiet: true });
+  } catch {
+    // dotenvx not available, env vars must be set manually
+  }
+}
 
 const commands: Record<string, () => Promise<void>> = {
   init: () => import("../src/commands/init").then((m) => m.default(args.slice(1))),
@@ -10,6 +21,7 @@ const commands: Record<string, () => Promise<void>> = {
   migrate: () => import("../src/commands/migrate").then((m) => m.default(args.slice(1))),
   infra: () => import("../src/commands/infra").then((m) => m.default(args.slice(1))),
   env: () => import("../src/commands/env").then((m) => m.default(args.slice(1))),
+  workflows: () => import("../src/commands/workflows").then((m) => m.default(args.slice(1))),
 };
 
 if (!command || command === "--help" || command === "-h") {
@@ -22,6 +34,9 @@ if (!command || command === "--help" || command === "-h") {
     upend deploy             deploy to remote instance
     upend migrate            run database migrations
     upend env:set <K> <V>    set an env var (decrypts, sets, re-encrypts)
+    upend workflows          list workflows
+    upend workflows run <n>  run a workflow manually
+    upend workflows install  install cron schedules
     upend infra:aws          provision AWS infrastructure
 
   options:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upend/cli",
-  "version": "0.1.1",
+  "version": "0.1.4",
   "description": "Anti-SaaS stack. Deploy live apps with Claude, Postgres, and rsync.",
   "type": "module",
   "bin": {
@@ -9,7 +9,8 @@
   "files": [
     "bin",
     "src",
-    "templates"
+    "templates",
+    "src/apps"
   ],
   "keywords": ["cli", "deploy", "postgres", "claude", "rsync", "caddy", "bun"],
   "author": "cif",
@@ -19,6 +20,7 @@
     "url": "https://github.com/cif/upend"
   },
   "dependencies": {
+    "@dotenvx/dotenvx": "^1.55.1",
     "hono": "^4.12.8",
     "jose": "^6.2.1",
     "postgres": "^3.4.8"

package/src/apps/users/index.html

@@ -0,0 +1,227 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>users</title>
+  <script src="https://cdn.tailwindcss.com"></script>
+  <script>tailwind.config = { theme: { extend: { colors: { bg: '#0a0a0a', surface: '#141414', border: '#262626', accent: '#f97316', muted: '#737373' } } } }</script>
+  <style>body { background: #0a0a0a; font-family: ui-monospace, monospace; }</style>
+</head>
+<body class="text-gray-200 min-h-screen p-6">
+  <div class="max-w-4xl mx-auto">
+    <div class="flex items-center justify-between mb-6">
+      <h1 class="text-accent font-bold text-lg">users</h1>
+      <div class="flex items-center gap-3">
+        <span id="my-info" class="text-xs text-muted"></span>
+        <button id="btn-add" onclick="showModal('add')" class="bg-accent text-black text-xs px-3 py-1.5 rounded font-bold cursor-pointer hidden">+ add user</button>
+      </div>
+    </div>
+
+    <table class="w-full text-sm">
+      <thead>
+        <tr class="text-muted text-xs text-left border-b border-border">
+          <th class="pb-2 font-normal">email</th>
+          <th class="pb-2 font-normal">role</th>
+          <th class="pb-2 font-normal">created</th>
+          <th class="pb-2 font-normal w-40"></th>
+        </tr>
+      </thead>
+      <tbody id="users-table"></tbody>
+    </table>
+  </div>
+
+  <!-- edit modal -->
+  <div id="edit-modal" class="fixed inset-0 bg-black/60 flex items-center justify-center z-50 hidden" onclick="if(event.target===this)hideModal('edit')">
+    <form onsubmit="saveUser(event)" class="bg-surface border border-border rounded-xl p-6 w-96 flex flex-col gap-4">
+      <h3 class="text-accent font-bold text-sm" id="edit-title">edit user</h3>
+      <input id="edit-email" type="email" placeholder="email"
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <div id="edit-role-wrap">
+        <select id="edit-role"
+          class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+          <option value="user">user</option>
+          <option value="admin">admin</option>
+        </select>
+      </div>
+      <input type="hidden" id="edit-id">
+      <div class="flex gap-2 justify-end">
+        <button type="button" onclick="hideModal('edit')"
+          class="text-muted text-xs px-3 py-1.5 rounded border border-border cursor-pointer hover:text-gray-200 font-mono">cancel</button>
+        <button type="submit"
+          class="bg-accent text-black text-xs px-4 py-1.5 rounded font-bold cursor-pointer font-mono">save</button>
+      </div>
+    </form>
+  </div>
+
+  <!-- add modal -->
+  <div id="add-modal" class="fixed inset-0 bg-black/60 flex items-center justify-center z-50 hidden" onclick="if(event.target===this)hideModal('add')">
+    <form onsubmit="addUser(event)" class="bg-surface border border-border rounded-xl p-6 w-96 flex flex-col gap-4">
+      <h3 class="text-accent font-bold text-sm">add user</h3>
+      <input id="add-email" type="email" placeholder="email" required
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <input id="add-password" type="password" placeholder="password" required
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <select id="add-role"
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+        <option value="user">user</option>
+        <option value="admin">admin</option>
+      </select>
+      <div class="flex gap-2 justify-end">
+        <button type="button" onclick="hideModal('add')"
+          class="text-muted text-xs px-3 py-1.5 rounded border border-border cursor-pointer hover:text-gray-200 font-mono">cancel</button>
+        <button type="submit"
+          class="bg-accent text-black text-xs px-4 py-1.5 rounded font-bold cursor-pointer font-mono">create</button>
+      </div>
+    </form>
+  </div>
+
+  <!-- impersonation banner -->
+  <div id="imp-banner" class="fixed top-0 left-0 right-0 bg-yellow-500/20 border-b border-yellow-500/50 text-yellow-400 text-xs text-center py-1.5 z-50 hidden font-mono">
+    viewing as <span id="imp-email"></span>
+    <button onclick="exitImpersonation()" class="ml-3 underline cursor-pointer">exit</button>
+  </div>
+
+<script>
+const token = localStorage.getItem('upend_token');
+if (!token) window.location.href = '/';
+
+const claims = JSON.parse(atob(token.split('.')[1]));
+const isAdmin = claims.app_role === 'admin';
+const myId = claims.sub;
+
+// impersonation check
+const realToken = localStorage.getItem('upend_real_token');
+if (realToken) {
+  document.getElementById('imp-banner').classList.remove('hidden');
+  document.getElementById('imp-email').textContent = claims.email;
+}
+
+document.getElementById('my-info').textContent = `${claims.email} (${claims.app_role || 'user'})`;
+if (isAdmin) document.getElementById('btn-add').classList.remove('hidden');
+
+const headers = { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' };
+
+async function api(url, opts = {}) {
+  const res = await fetch(url, { headers, ...opts });
+  if (res.status === 401) { localStorage.removeItem('upend_token'); window.location.href = '/'; }
+  return res;
+}
+
+async function load() {
+  // everyone sees all users
+  const res = await api('/api/data/users?select=id,email,role,created_at&order=created_at.desc');
+  if (!res.ok) { console.error('failed to load users', await res.text()); return; }
+  const users = await res.json();
+  render(users);
+}
+
+function render(users) {
+  document.getElementById('users-table').innerHTML = users.map(u => {
+    const isMe = u.id === myId;
+    const canEdit = isMe || isAdmin;
+    return `
+    <tr class="border-b border-border/50 hover:bg-surface/50">
+      <td class="py-2.5">${u.email} ${isMe ? '<span class="text-accent text-xs">(you)</span>' : ''}</td>
+      <td class="py-2.5">
+        <span class="px-2 py-0.5 rounded text-xs ${u.role === 'admin' ? 'bg-accent/20 text-accent' : 'bg-border text-muted'}">${u.role}</span>
+      </td>
+      <td class="py-2.5 text-muted text-xs">${new Date(u.created_at).toLocaleDateString()}</td>
+      <td class="py-2.5 text-right space-x-2">
+        ${canEdit ? `<button onclick='editUser(${JSON.stringify(u).replace(/'/g, "&#39;")})' class="text-muted text-xs hover:text-gray-200 cursor-pointer">edit</button>` : ''}
+        ${isAdmin && !isMe ? `<button onclick='impersonate("${u.id}")' class="text-muted text-xs hover:text-yellow-400 cursor-pointer">impersonate</button>` : ''}
+        ${isAdmin && !isMe ? `<button onclick='deleteUser("${u.id}")' class="text-muted text-xs hover:text-red-400 cursor-pointer">delete</button>` : ''}
+      </td>
+    </tr>`;
+  }).join('');
+}
+
+function showModal(name) {
+  document.getElementById(name + '-modal').classList.remove('hidden');
+  const input = document.getElementById(name + '-email');
+  if (input) setTimeout(() => input.focus(), 50);
+}
+function hideModal(name) { document.getElementById(name + '-modal').classList.add('hidden'); }
+
+function editUser(user) {
+  const isMe = user.id === myId;
+  document.getElementById('edit-id').value = user.id;
+  document.getElementById('edit-email').value = user.email;
+  document.getElementById('edit-email').readOnly = !isAdmin && !isMe;
+  document.getElementById('edit-role').value = user.role;
+  document.getElementById('edit-title').textContent = isMe ? 'my profile' : 'edit user';
+
+  // only admins can change role, and not their own
+  const roleWrap = document.getElementById('edit-role-wrap');
+  if (!isAdmin || isMe) {
+    roleWrap.innerHTML = `<input type="text" value="${user.role}" readonly class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-400 font-mono">`;
+  } else {
+    roleWrap.innerHTML = `<select id="edit-role" class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <option value="user" ${user.role === 'user' ? 'selected' : ''}>user</option>
+      <option value="admin" ${user.role === 'admin' ? 'selected' : ''}>admin</option>
+    </select>`;
+  }
+  showModal('edit');
+}
+
+async function saveUser(e) {
+  e.preventDefault();
+  const id = document.getElementById('edit-id').value;
+  const email = document.getElementById('edit-email').value;
+  const roleEl = document.getElementById('edit-role');
+  const body = { email };
+  if (roleEl && roleEl.tagName === 'SELECT') body.role = roleEl.value;
+  await api(`/api/data/users?id=eq.${id}`, { method: 'PATCH', body: JSON.stringify(body) });
+  hideModal('edit');
+  load();
+}
+
+async function addUser(e) {
+  e.preventDefault();
+  const res = await api('/api/auth/signup', {
+    method: 'POST',
+    body: JSON.stringify({
+      email: document.getElementById('add-email').value,
+      password: document.getElementById('add-password').value,
+      role: document.getElementById('add-role').value,
+    }),
+  });
+  if (res.ok) { hideModal('add'); load(); }
+  else { const err = await res.json(); alert(err.error || 'failed'); }
+}
+
+async function deleteUser(id) {
+  if (!confirm('delete this user?')) return;
+  await api(`/api/data/users?id=eq.${id}`, { method: 'DELETE' });
+  load();
+}
+
+async function impersonate(userId) {
+  const res = await api('/api/auth/impersonate', {
+    method: 'POST',
+    body: JSON.stringify({ user_id: userId }),
+  });
+  if (res.ok) {
+    const { token: newToken } = await res.json();
+    localStorage.setItem('upend_real_token', token);
+    localStorage.setItem('upend_token', newToken);
+    window.location.reload();
+  } else {
+    const err = await res.json();
+    alert(err.error || 'impersonation failed');
+  }
+}
+
+function exitImpersonation() {
+  const real = localStorage.getItem('upend_real_token');
+  if (real) {
+    localStorage.setItem('upend_token', real);
+    localStorage.removeItem('upend_real_token');
+    window.location.reload();
+  }
+}
+
+load();
+</script>
+</body>
+</html>

package/src/commands/deploy.ts

@@ -57,6 +57,23 @@ export default async function deploy(args: string[]) {
     sleep 3
     curl -s -o /dev/null -w "API: %{http_code}\\n" http://localhost:3001/
     curl -s -o /dev/null -w "Caddy: %{http_code}\\n" http://localhost:80/
+
+    # install workflow cron schedules
+    if [ -d ${appDir}/workflows ]; then
+      # strip old upend entries
+      crontab -l 2>/dev/null | grep -v "# upend-workflow:" > /tmp/upend-crontab-clean || true
+      # add new entries from @cron comments
+      for f in ${appDir}/workflows/*.ts; do
+        [ -f "$f" ] || continue
+        name=$(basename "$f" .ts)
+        cron=$(grep -oP "//\\s*@cron\\s+\\K.+" "$f" || true)
+        if [ -n "$cron" ]; then
+          echo "$cron cd ${appDir} && bun $f >> /tmp/upend-workflow-$name.log 2>&1 # upend-workflow: $name" >> /tmp/upend-crontab-clean
+        fi
+      done
+      crontab /tmp/upend-crontab-clean
+      echo "workflows installed: $(crontab -l 2>/dev/null | grep -c upend-workflow) cron entries"
+    fi
   '`);
   log.success("deployed");
 

package/src/commands/dev.ts

@@ -23,7 +23,7 @@ export default async function dev(args: string[]) {
 
   // start API service
   log.info(`starting api → :${apiPort}`);
-  Bun.spawn(["bunx", "@dotenvx/dotenvx", "run", "--", "bun", "--watch", `${cliRoot}/src/services/gateway/index.ts`], {
+  Bun.spawn(["bun", "--watch", `${cliRoot}/src/services/gateway/index.ts`], {
     cwd: projectDir,
     env: { ...process.env, API_PORT: apiPort, UPEND_PROJECT: projectDir },
     stdout: "inherit",
@@ -32,7 +32,7 @@ export default async function dev(args: string[]) {
 
   // start Claude service
   log.info(`starting claude → :${claudePort}`);
-  Bun.spawn(["bunx", "@dotenvx/dotenvx", "run", "--", "bun", "--watch", `${cliRoot}/src/services/claude/index.ts`], {
+  Bun.spawn(["bun", "--watch", `${cliRoot}/src/services/claude/index.ts`], {
     cwd: projectDir,
     env: { ...process.env, CLAUDE_PORT: claudePort, UPEND_PROJECT: projectDir },
     stdout: "inherit",

package/src/commands/init.ts

@@ -215,10 +215,36 @@ CREATE TABLE IF NOT EXISTS users (
 
   // apps + services
   mkdirSync(join(projectDir, "apps"), { recursive: true });
-  writeFile(projectDir, "apps/.gitkeep", "");
+  // copy built-in users app
+  const usersAppSrc = new URL("../apps/users/index.html", import.meta.url).pathname;
+  mkdirSync(join(projectDir, "apps/users"), { recursive: true });
+  writeFileSync(join(projectDir, "apps/users/index.html"), readFileSync(usersAppSrc, "utf-8"));
   mkdirSync(join(projectDir, "services"), { recursive: true });
   writeFile(projectDir, "services/.gitkeep", "");
 
+  // workflows
+  mkdirSync(join(projectDir, "workflows"), { recursive: true });
+  writeFile(projectDir, "workflows/example.ts", `// example workflow — runs on a schedule or manually
+// @cron 0 */6 * * *
+// @description clean up ended sessions older than 7 days
+
+import postgres from "postgres";
+
+const sql = postgres(process.env.DATABASE_URL!);
+
+export async function run() {
+  const deleted = await sql\`
+    DELETE FROM upend.editing_sessions
+    WHERE status = 'ended' AND created_at < now() - interval '7 days'
+    RETURNING id
+  \`;
+  console.log(\`cleaned up \${deleted.length} old sessions\`);
+}
+
+// run directly: bun workflows/example.ts
+run().then(() => process.exit(0));
+`);
+
   // CLAUDE.md
   writeFile(projectDir, "CLAUDE.md", `# ${name}
 
@@ -247,6 +273,43 @@ Apps talk to Neon Data API at \`/api/data/<table>\`:
 - DELETE \`/api/data/example?id=eq.5\` — delete
 All requests need \`Authorization: Bearer <jwt>\` header.
 
+## Access control
+Apps read JWT claims to decide what to show:
+\`\`\`js
+const token = localStorage.getItem('upend_token');
+const claims = JSON.parse(atob(token.split('.')[1]));
+const isAdmin = claims.app_role === 'admin';
+const myId = claims.sub;
+\`\`\`
+
+The data API at \`/api/data/:table\` sets JWT claims as Postgres session variables before each query,
+so RLS policies have access to the current user.
+
+When the user asks for access control, create RLS policies in a migration:
+\`\`\`sql
+ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
+ALTER TABLE projects FORCE ROW LEVEL SECURITY;
+
+-- everyone can read
+CREATE POLICY "read" ON projects FOR SELECT USING (true);
+
+-- users can only update their own rows
+CREATE POLICY "update_own" ON projects FOR UPDATE
+  USING (owner_id = current_setting('request.jwt.sub')::uuid);
+
+-- only admins can delete
+CREATE POLICY "admin_delete" ON projects FOR DELETE
+  USING (current_setting('request.jwt.role') = 'admin');
+\`\`\`
+
+Available session variables in RLS policies:
+- \`current_setting('request.jwt.sub')\` — user ID
+- \`current_setting('request.jwt.role')\` — user role (admin/user)
+- \`current_setting('request.jwt.email')\` — user email
+
+The dashboard data tab shows active RLS policies per table so users can see what rules are in place.
+The \`apps/users/\` app is an example of the access control pattern.
+
 ## Conventions
 - Migrations: plain SQL in \`migrations/\`, numbered \`001_name.sql\`
 - Apps: static HTML/JS/CSS in \`apps/<name>/\`
@@ -340,10 +403,10 @@ All requests need \`Authorization: Bearer <jwt>\` header.
   log.blank();
   log.info(`cd ${name}`);
   if (!process.env.ANTHROPIC_API_KEY) {
-    log.info("upend env:set ANTHROPIC_API_KEY <your-key>");
+    log.info("bunx upend env:set ANTHROPIC_API_KEY <your-key>");
   }
-  log.info("upend migrate");
-  log.info("upend dev");
+  log.info("bunx upend migrate");
+  log.info("bunx upend dev");
   log.blank();
   if (databaseUrl) {
     log.dim(`database:  ${neonProjectId}`);

package/src/commands/workflows.ts

@@ -0,0 +1,142 @@
+import { log } from "../lib/log";
+import { exec } from "../lib/exec";
+import { readdirSync, readFileSync } from "fs";
+import { join, resolve } from "path";
+
+type Workflow = {
+  name: string;
+  file: string;
+  cron: string | null;
+  description: string;
+  installed: boolean;
+};
+
+export default async function workflows(args: string[]) {
+  const sub = args[0];
+  const projectDir = resolve(".");
+  const workflowsDir = join(projectDir, "workflows");
+
+  switch (sub) {
+    case "list":
+    case undefined:
+      await list(workflowsDir);
+      break;
+    case "run":
+      await run(workflowsDir, args[1]);
+      break;
+    case "install":
+      await install(workflowsDir);
+      break;
+    case "uninstall":
+      await uninstall();
+      break;
+    default:
+      // treat it as a workflow name to run
+      await run(workflowsDir, sub);
+  }
+}
+
+function parseWorkflows(dir: string): Workflow[] {
+  let files: string[];
+  try {
+    files = readdirSync(dir).filter(f => f.endsWith(".ts") || f.endsWith(".js"));
+  } catch {
+    return [];
+  }
+
+  return files.map(file => {
+    const content = readFileSync(join(dir, file), "utf-8");
+    const cronMatch = content.match(/\/\/\s*@cron\s+(.+)/);
+    const descMatch = content.match(/\/\/\s*@description\s+(.+)/);
+    const cron = cronMatch ? cronMatch[1].trim() : null;
+    const description = descMatch ? descMatch[1].trim() : "";
+    const name = file.replace(/\.(ts|js)$/, "");
+    return { name, file, cron, description, installed: false };
+  });
+}
+
+async function getCrontab(): Promise<string> {
+  const { stdout } = await exec(["crontab", "-l"], { silent: true });
+  return stdout;
+}
+
+async function list(dir: string) {
+  const wfs = parseWorkflows(dir);
+  if (wfs.length === 0) {
+    log.info("no workflows found in workflows/");
+    return;
+  }
+
+  const crontab = await getCrontab();
+
+  log.header("workflows");
+  for (const wf of wfs) {
+    const installed = crontab.includes(`workflows/${wf.file}`);
+    const status = installed ? "installed" : wf.cron ? "not installed" : "manual only";
+    const statusColor = installed ? "\x1b[32m" : "\x1b[90m";
+    console.log(`  ${wf.name}`);
+    if (wf.description) console.log(`    ${wf.description}`);
+    if (wf.cron) console.log(`    cron: ${wf.cron}  [${statusColor}${status}\x1b[0m]`);
+    else console.log(`    [manual only]`);
+    console.log();
+  }
+}
+
+async function run(dir: string, name?: string) {
+  if (!name) {
+    log.error("usage: upend workflows run <name>");
+    process.exit(1);
+  }
+
+  const file = name.endsWith(".ts") || name.endsWith(".js") ? name : `${name}.ts`;
+  const path = join(dir, file);
+
+  log.info(`running ${file}...`);
+  const { stdout, stderr, exitCode } = await exec(["bun", path]);
+  if (stdout) console.log(stdout);
+  if (stderr) console.error(stderr);
+
+  if (exitCode === 0) {
+    log.success(`${file} complete`);
+  } else {
+    log.error(`${file} failed (exit ${exitCode})`);
+  }
+}
+
+async function install(dir: string) {
+  const wfs = parseWorkflows(dir).filter(w => w.cron);
+  if (wfs.length === 0) {
+    log.info("no workflows with @cron found");
+    return;
+  }
+
+  const crontab = await getCrontab();
+  const lines = crontab.split("\n").filter(l => !l.includes("# upend-workflow:"));
+  const projectDir = resolve(".");
+
+  for (const wf of wfs) {
+    lines.push(`${wf.cron} cd ${projectDir} && bun workflows/${wf.file} >> /tmp/upend-workflow-${wf.name}.log 2>&1 # upend-workflow: ${wf.name}`);
+    log.info(`installing ${wf.name}: ${wf.cron}`);
+  }
+
+  const newCrontab = lines.filter(Boolean).join("\n") + "\n";
+  const proc = Bun.spawn(["crontab", "-"], { stdin: "pipe" });
+  proc.stdin.write(newCrontab);
+  proc.stdin.end();
+  await proc.exited;
+
+  log.success(`${wfs.length} workflow(s) installed`);
+}
+
+async function uninstall() {
+  const crontab = await getCrontab();
+  const lines = crontab.split("\n").filter(l => !l.includes("# upend-workflow:"));
+  const newCrontab = lines.filter(Boolean).join("\n") + "\n";
+
+  const proc = Bun.spawn(["crontab", "-"], { stdin: "pipe" });
+  proc.stdin.write(newCrontab);
+  proc.stdin.end();
+  await proc.exited;
+
+  log.success("all upend workflows removed from crontab");
+}