@upend/cli 0.1.2 → 0.1.4

package/bin/cli.ts

@@ -21,6 +21,7 @@ const commands: Record<string, () => Promise<void>> = {
   migrate: () => import("../src/commands/migrate").then((m) => m.default(args.slice(1))),
   infra: () => import("../src/commands/infra").then((m) => m.default(args.slice(1))),
   env: () => import("../src/commands/env").then((m) => m.default(args.slice(1))),
+  workflows: () => import("../src/commands/workflows").then((m) => m.default(args.slice(1))),
 };
 
 if (!command || command === "--help" || command === "-h") {
@@ -33,6 +34,9 @@ if (!command || command === "--help" || command === "-h") {
     upend deploy             deploy to remote instance
     upend migrate            run database migrations
     upend env:set <K> <V>    set an env var (decrypts, sets, re-encrypts)
+    upend workflows          list workflows
+    upend workflows run <n>  run a workflow manually
+    upend workflows install  install cron schedules
     upend infra:aws          provision AWS infrastructure
 
   options:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upend/cli",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Anti-SaaS stack. Deploy live apps with Claude, Postgres, and rsync.",
   "type": "module",
   "bin": {
@@ -9,7 +9,8 @@
   "files": [
     "bin",
     "src",
-    "templates"
+    "templates",
+    "src/apps"
   ],
   "keywords": ["cli", "deploy", "postgres", "claude", "rsync", "caddy", "bun"],
   "author": "cif",

package/src/apps/users/index.html

@@ -0,0 +1,227 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>users</title>
+  <script src="https://cdn.tailwindcss.com"></script>
+  <script>tailwind.config = { theme: { extend: { colors: { bg: '#0a0a0a', surface: '#141414', border: '#262626', accent: '#f97316', muted: '#737373' } } } }</script>
+  <style>body { background: #0a0a0a; font-family: ui-monospace, monospace; }</style>
+</head>
+<body class="text-gray-200 min-h-screen p-6">
+  <div class="max-w-4xl mx-auto">
+    <div class="flex items-center justify-between mb-6">
+      <h1 class="text-accent font-bold text-lg">users</h1>
+      <div class="flex items-center gap-3">
+        <span id="my-info" class="text-xs text-muted"></span>
+        <button id="btn-add" onclick="showModal('add')" class="bg-accent text-black text-xs px-3 py-1.5 rounded font-bold cursor-pointer hidden">+ add user</button>
+      </div>
+    </div>
+
+    <table class="w-full text-sm">
+      <thead>
+        <tr class="text-muted text-xs text-left border-b border-border">
+          <th class="pb-2 font-normal">email</th>
+          <th class="pb-2 font-normal">role</th>
+          <th class="pb-2 font-normal">created</th>
+          <th class="pb-2 font-normal w-40"></th>
+        </tr>
+      </thead>
+      <tbody id="users-table"></tbody>
+    </table>
+  </div>
+
+  <!-- edit modal -->
+  <div id="edit-modal" class="fixed inset-0 bg-black/60 flex items-center justify-center z-50 hidden" onclick="if(event.target===this)hideModal('edit')">
+    <form onsubmit="saveUser(event)" class="bg-surface border border-border rounded-xl p-6 w-96 flex flex-col gap-4">
+      <h3 class="text-accent font-bold text-sm" id="edit-title">edit user</h3>
+      <input id="edit-email" type="email" placeholder="email"
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <div id="edit-role-wrap">
+        <select id="edit-role"
+          class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+          <option value="user">user</option>
+          <option value="admin">admin</option>
+        </select>
+      </div>
+      <input type="hidden" id="edit-id">
+      <div class="flex gap-2 justify-end">
+        <button type="button" onclick="hideModal('edit')"
+          class="text-muted text-xs px-3 py-1.5 rounded border border-border cursor-pointer hover:text-gray-200 font-mono">cancel</button>
+        <button type="submit"
+          class="bg-accent text-black text-xs px-4 py-1.5 rounded font-bold cursor-pointer font-mono">save</button>
+      </div>
+    </form>
+  </div>
+
+  <!-- add modal -->
+  <div id="add-modal" class="fixed inset-0 bg-black/60 flex items-center justify-center z-50 hidden" onclick="if(event.target===this)hideModal('add')">
+    <form onsubmit="addUser(event)" class="bg-surface border border-border rounded-xl p-6 w-96 flex flex-col gap-4">
+      <h3 class="text-accent font-bold text-sm">add user</h3>
+      <input id="add-email" type="email" placeholder="email" required
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <input id="add-password" type="password" placeholder="password" required
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <select id="add-role"
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+        <option value="user">user</option>
+        <option value="admin">admin</option>
+      </select>
+      <div class="flex gap-2 justify-end">
+        <button type="button" onclick="hideModal('add')"
+          class="text-muted text-xs px-3 py-1.5 rounded border border-border cursor-pointer hover:text-gray-200 font-mono">cancel</button>
+        <button type="submit"
+          class="bg-accent text-black text-xs px-4 py-1.5 rounded font-bold cursor-pointer font-mono">create</button>
+      </div>
+    </form>
+  </div>
+
+  <!-- impersonation banner -->
+  <div id="imp-banner" class="fixed top-0 left-0 right-0 bg-yellow-500/20 border-b border-yellow-500/50 text-yellow-400 text-xs text-center py-1.5 z-50 hidden font-mono">
+    viewing as <span id="imp-email"></span>
+    <button onclick="exitImpersonation()" class="ml-3 underline cursor-pointer">exit</button>
+  </div>
+
+<script>
+const token = localStorage.getItem('upend_token');
+if (!token) window.location.href = '/';
+
+const claims = JSON.parse(atob(token.split('.')[1]));
+const isAdmin = claims.app_role === 'admin';
+const myId = claims.sub;
+
+// impersonation check
+const realToken = localStorage.getItem('upend_real_token');
+if (realToken) {
+  document.getElementById('imp-banner').classList.remove('hidden');
+  document.getElementById('imp-email').textContent = claims.email;
+}
+
+document.getElementById('my-info').textContent = `${claims.email} (${claims.app_role || 'user'})`;
+if (isAdmin) document.getElementById('btn-add').classList.remove('hidden');
+
+const headers = { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' };
+
+async function api(url, opts = {}) {
+  const res = await fetch(url, { headers, ...opts });
+  if (res.status === 401) { localStorage.removeItem('upend_token'); window.location.href = '/'; }
+  return res;
+}
+
+async function load() {
+  // everyone sees all users
+  const res = await api('/api/data/users?select=id,email,role,created_at&order=created_at.desc');
+  if (!res.ok) { console.error('failed to load users', await res.text()); return; }
+  const users = await res.json();
+  render(users);
+}
+
+function render(users) {
+  document.getElementById('users-table').innerHTML = users.map(u => {
+    const isMe = u.id === myId;
+    const canEdit = isMe || isAdmin;
+    return `
+    <tr class="border-b border-border/50 hover:bg-surface/50">
+      <td class="py-2.5">${u.email} ${isMe ? '<span class="text-accent text-xs">(you)</span>' : ''}</td>
+      <td class="py-2.5">
+        <span class="px-2 py-0.5 rounded text-xs ${u.role === 'admin' ? 'bg-accent/20 text-accent' : 'bg-border text-muted'}">${u.role}</span>
+      </td>
+      <td class="py-2.5 text-muted text-xs">${new Date(u.created_at).toLocaleDateString()}</td>
+      <td class="py-2.5 text-right space-x-2">
+        ${canEdit ? `<button onclick='editUser(${JSON.stringify(u).replace(/'/g, "&#39;")})' class="text-muted text-xs hover:text-gray-200 cursor-pointer">edit</button>` : ''}
+        ${isAdmin && !isMe ? `<button onclick='impersonate("${u.id}")' class="text-muted text-xs hover:text-yellow-400 cursor-pointer">impersonate</button>` : ''}
+        ${isAdmin && !isMe ? `<button onclick='deleteUser("${u.id}")' class="text-muted text-xs hover:text-red-400 cursor-pointer">delete</button>` : ''}
+      </td>
+    </tr>`;
+  }).join('');
+}
+
+function showModal(name) {
+  document.getElementById(name + '-modal').classList.remove('hidden');
+  const input = document.getElementById(name + '-email');
+  if (input) setTimeout(() => input.focus(), 50);
+}
+function hideModal(name) { document.getElementById(name + '-modal').classList.add('hidden'); }
+
+function editUser(user) {
+  const isMe = user.id === myId;
+  document.getElementById('edit-id').value = user.id;
+  document.getElementById('edit-email').value = user.email;
+  document.getElementById('edit-email').readOnly = !isAdmin && !isMe;
+  document.getElementById('edit-role').value = user.role;
+  document.getElementById('edit-title').textContent = isMe ? 'my profile' : 'edit user';
+
+  // only admins can change role, and not their own
+  const roleWrap = document.getElementById('edit-role-wrap');
+  if (!isAdmin || isMe) {
+    roleWrap.innerHTML = `<input type="text" value="${user.role}" readonly class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-400 font-mono">`;
+  } else {
+    roleWrap.innerHTML = `<select id="edit-role" class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <option value="user" ${user.role === 'user' ? 'selected' : ''}>user</option>
+      <option value="admin" ${user.role === 'admin' ? 'selected' : ''}>admin</option>
+    </select>`;
+  }
+  showModal('edit');
+}
+
+async function saveUser(e) {
+  e.preventDefault();
+  const id = document.getElementById('edit-id').value;
+  const email = document.getElementById('edit-email').value;
+  const roleEl = document.getElementById('edit-role');
+  const body = { email };
+  if (roleEl && roleEl.tagName === 'SELECT') body.role = roleEl.value;
+  await api(`/api/data/users?id=eq.${id}`, { method: 'PATCH', body: JSON.stringify(body) });
+  hideModal('edit');
+  load();
+}
+
+async function addUser(e) {
+  e.preventDefault();
+  const res = await api('/api/auth/signup', {
+    method: 'POST',
+    body: JSON.stringify({
+      email: document.getElementById('add-email').value,
+      password: document.getElementById('add-password').value,
+      role: document.getElementById('add-role').value,
+    }),
+  });
+  if (res.ok) { hideModal('add'); load(); }
+  else { const err = await res.json(); alert(err.error || 'failed'); }
+}
+
+async function deleteUser(id) {
+  if (!confirm('delete this user?')) return;
+  await api(`/api/data/users?id=eq.${id}`, { method: 'DELETE' });
+  load();
+}
+
+async function impersonate(userId) {
+  const res = await api('/api/auth/impersonate', {
+    method: 'POST',
+    body: JSON.stringify({ user_id: userId }),
+  });
+  if (res.ok) {
+    const { token: newToken } = await res.json();
+    localStorage.setItem('upend_real_token', token);
+    localStorage.setItem('upend_token', newToken);
+    window.location.reload();
+  } else {
+    const err = await res.json();
+    alert(err.error || 'impersonation failed');
+  }
+}
+
+function exitImpersonation() {
+  const real = localStorage.getItem('upend_real_token');
+  if (real) {
+    localStorage.setItem('upend_token', real);
+    localStorage.removeItem('upend_real_token');
+    window.location.reload();
+  }
+}
+
+load();
+</script>
+</body>
+</html>

package/src/commands/deploy.ts

@@ -57,6 +57,23 @@ export default async function deploy(args: string[]) {
     sleep 3
     curl -s -o /dev/null -w "API: %{http_code}\\n" http://localhost:3001/
     curl -s -o /dev/null -w "Caddy: %{http_code}\\n" http://localhost:80/
+
+    # install workflow cron schedules
+    if [ -d ${appDir}/workflows ]; then
+      # strip old upend entries
+      crontab -l 2>/dev/null | grep -v "# upend-workflow:" > /tmp/upend-crontab-clean || true
+      # add new entries from @cron comments
+      for f in ${appDir}/workflows/*.ts; do
+        [ -f "$f" ] || continue
+        name=$(basename "$f" .ts)
+        cron=$(grep -oP "//\\s*@cron\\s+\\K.+" "$f" || true)
+        if [ -n "$cron" ]; then
+          echo "$cron cd ${appDir} && bun $f >> /tmp/upend-workflow-$name.log 2>&1 # upend-workflow: $name" >> /tmp/upend-crontab-clean
+        fi
+      done
+      crontab /tmp/upend-crontab-clean
+      echo "workflows installed: $(crontab -l 2>/dev/null | grep -c upend-workflow) cron entries"
+    fi
   '`);
   log.success("deployed");
 

package/src/commands/init.ts

@@ -215,10 +215,36 @@ CREATE TABLE IF NOT EXISTS users (
 
   // apps + services
   mkdirSync(join(projectDir, "apps"), { recursive: true });
-  writeFile(projectDir, "apps/.gitkeep", "");
+  // copy built-in users app
+  const usersAppSrc = new URL("../apps/users/index.html", import.meta.url).pathname;
+  mkdirSync(join(projectDir, "apps/users"), { recursive: true });
+  writeFileSync(join(projectDir, "apps/users/index.html"), readFileSync(usersAppSrc, "utf-8"));
   mkdirSync(join(projectDir, "services"), { recursive: true });
   writeFile(projectDir, "services/.gitkeep", "");
 
+  // workflows
+  mkdirSync(join(projectDir, "workflows"), { recursive: true });
+  writeFile(projectDir, "workflows/example.ts", `// example workflow — runs on a schedule or manually
+// @cron 0 */6 * * *
+// @description clean up ended sessions older than 7 days
+
+import postgres from "postgres";
+
+const sql = postgres(process.env.DATABASE_URL!);
+
+export async function run() {
+  const deleted = await sql\`
+    DELETE FROM upend.editing_sessions
+    WHERE status = 'ended' AND created_at < now() - interval '7 days'
+    RETURNING id
+  \`;
+  console.log(\`cleaned up \${deleted.length} old sessions\`);
+}
+
+// run directly: bun workflows/example.ts
+run().then(() => process.exit(0));
+`);
+
   // CLAUDE.md
   writeFile(projectDir, "CLAUDE.md", `# ${name}
 
@@ -247,6 +273,43 @@ Apps talk to Neon Data API at \`/api/data/<table>\`:
 - DELETE \`/api/data/example?id=eq.5\` — delete
 All requests need \`Authorization: Bearer <jwt>\` header.
 
+## Access control
+Apps read JWT claims to decide what to show:
+\`\`\`js
+const token = localStorage.getItem('upend_token');
+const claims = JSON.parse(atob(token.split('.')[1]));
+const isAdmin = claims.app_role === 'admin';
+const myId = claims.sub;
+\`\`\`
+
+The data API at \`/api/data/:table\` sets JWT claims as Postgres session variables before each query,
+so RLS policies have access to the current user.
+
+When the user asks for access control, create RLS policies in a migration:
+\`\`\`sql
+ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
+ALTER TABLE projects FORCE ROW LEVEL SECURITY;
+
+-- everyone can read
+CREATE POLICY "read" ON projects FOR SELECT USING (true);
+
+-- users can only update their own rows
+CREATE POLICY "update_own" ON projects FOR UPDATE
+  USING (owner_id = current_setting('request.jwt.sub')::uuid);
+
+-- only admins can delete
+CREATE POLICY "admin_delete" ON projects FOR DELETE
+  USING (current_setting('request.jwt.role') = 'admin');
+\`\`\`
+
+Available session variables in RLS policies:
+- \`current_setting('request.jwt.sub')\` — user ID
+- \`current_setting('request.jwt.role')\` — user role (admin/user)
+- \`current_setting('request.jwt.email')\` — user email
+
+The dashboard data tab shows active RLS policies per table so users can see what rules are in place.
+The \`apps/users/\` app is an example of the access control pattern.
+
 ## Conventions
 - Migrations: plain SQL in \`migrations/\`, numbered \`001_name.sql\`
 - Apps: static HTML/JS/CSS in \`apps/<name>/\`

package/src/commands/workflows.ts

@@ -0,0 +1,142 @@
+import { log } from "../lib/log";
+import { exec } from "../lib/exec";
+import { readdirSync, readFileSync } from "fs";
+import { join, resolve } from "path";
+
+type Workflow = {
+  name: string;
+  file: string;
+  cron: string | null;
+  description: string;
+  installed: boolean;
+};
+
+export default async function workflows(args: string[]) {
+  const sub = args[0];
+  const projectDir = resolve(".");
+  const workflowsDir = join(projectDir, "workflows");
+
+  switch (sub) {
+    case "list":
+    case undefined:
+      await list(workflowsDir);
+      break;
+    case "run":
+      await run(workflowsDir, args[1]);
+      break;
+    case "install":
+      await install(workflowsDir);
+      break;
+    case "uninstall":
+      await uninstall();
+      break;
+    default:
+      // treat it as a workflow name to run
+      await run(workflowsDir, sub);
+  }
+}
+
+function parseWorkflows(dir: string): Workflow[] {
+  let files: string[];
+  try {
+    files = readdirSync(dir).filter(f => f.endsWith(".ts") || f.endsWith(".js"));
+  } catch {
+    return [];
+  }
+
+  return files.map(file => {
+    const content = readFileSync(join(dir, file), "utf-8");
+    const cronMatch = content.match(/\/\/\s*@cron\s+(.+)/);
+    const descMatch = content.match(/\/\/\s*@description\s+(.+)/);
+    const cron = cronMatch ? cronMatch[1].trim() : null;
+    const description = descMatch ? descMatch[1].trim() : "";
+    const name = file.replace(/\.(ts|js)$/, "");
+    return { name, file, cron, description, installed: false };
+  });
+}
+
+async function getCrontab(): Promise<string> {
+  const { stdout } = await exec(["crontab", "-l"], { silent: true });
+  return stdout;
+}
+
+async function list(dir: string) {
+  const wfs = parseWorkflows(dir);
+  if (wfs.length === 0) {
+    log.info("no workflows found in workflows/");
+    return;
+  }
+
+  const crontab = await getCrontab();
+
+  log.header("workflows");
+  for (const wf of wfs) {
+    const installed = crontab.includes(`workflows/${wf.file}`);
+    const status = installed ? "installed" : wf.cron ? "not installed" : "manual only";
+    const statusColor = installed ? "\x1b[32m" : "\x1b[90m";
+    console.log(`  ${wf.name}`);
+    if (wf.description) console.log(`    ${wf.description}`);
+    if (wf.cron) console.log(`    cron: ${wf.cron}  [${statusColor}${status}\x1b[0m]`);
+    else console.log(`    [manual only]`);
+    console.log();
+  }
+}
+
+async function run(dir: string, name?: string) {
+  if (!name) {
+    log.error("usage: upend workflows run <name>");
+    process.exit(1);
+  }
+
+  const file = name.endsWith(".ts") || name.endsWith(".js") ? name : `${name}.ts`;
+  const path = join(dir, file);
+
+  log.info(`running ${file}...`);
+  const { stdout, stderr, exitCode } = await exec(["bun", path]);
+  if (stdout) console.log(stdout);
+  if (stderr) console.error(stderr);
+
+  if (exitCode === 0) {
+    log.success(`${file} complete`);
+  } else {
+    log.error(`${file} failed (exit ${exitCode})`);
+  }
+}
+
+async function install(dir: string) {
+  const wfs = parseWorkflows(dir).filter(w => w.cron);
+  if (wfs.length === 0) {
+    log.info("no workflows with @cron found");
+    return;
+  }
+
+  const crontab = await getCrontab();
+  const lines = crontab.split("\n").filter(l => !l.includes("# upend-workflow:"));
+  const projectDir = resolve(".");
+
+  for (const wf of wfs) {
+    lines.push(`${wf.cron} cd ${projectDir} && bun workflows/${wf.file} >> /tmp/upend-workflow-${wf.name}.log 2>&1 # upend-workflow: ${wf.name}`);
+    log.info(`installing ${wf.name}: ${wf.cron}`);
+  }
+
+  const newCrontab = lines.filter(Boolean).join("\n") + "\n";
+  const proc = Bun.spawn(["crontab", "-"], { stdin: "pipe" });
+  proc.stdin.write(newCrontab);
+  proc.stdin.end();
+  await proc.exited;
+
+  log.success(`${wfs.length} workflow(s) installed`);
+}
+
+async function uninstall() {
+  const crontab = await getCrontab();
+  const lines = crontab.split("\n").filter(l => !l.includes("# upend-workflow:"));
+  const newCrontab = lines.filter(Boolean).join("\n") + "\n";
+
+  const proc = Bun.spawn(["crontab", "-"], { stdin: "pipe" });
+  proc.stdin.write(newCrontab);
+  proc.stdin.end();
+  await proc.exited;
+
+  log.success("all upend workflows removed from crontab");
+}

package/src/services/claude/index.ts

@@ -59,8 +59,8 @@ app.post("/sessions", async (c) => {
 
   const activeSessions = await sql`
     SELECT es.*,
-      (SELECT sm.content FROM session_messages sm WHERE sm.session_id = es.id ORDER BY sm.created_at DESC LIMIT 1) as last_message
-    FROM editing_sessions es WHERE es.status = 'active' ORDER BY es.created_at DESC
+      (SELECT sm.content FROM upend.session_messages sm WHERE sm.session_id = es.id ORDER BY sm.created_at DESC LIMIT 1) as last_message
+    FROM upend.editing_sessions es WHERE es.status = 'active' ORDER BY es.created_at DESC
   `;
 
   if (activeSessions.length > 0 && !force) {
@@ -87,13 +87,13 @@ app.post("/sessions", async (c) => {
   const claudeSessionId = crypto.randomUUID();
 
   const [session] = await sql`
-    INSERT INTO editing_sessions (prompt, status, claude_session_id, snapshot_name, title, context)
+    INSERT INTO upend.editing_sessions (prompt, status, claude_session_id, snapshot_name, title, context)
     VALUES (${prompt}, 'active', ${claudeSessionId}, ${sessionName}, ${title || null}, ${JSON.stringify({ root: worktree.path, worktree: sessionName, branch: worktree.branch })})
     RETURNING *
   `;
 
   const [msg] = await sql`
-    INSERT INTO session_messages (session_id, role, content, status)
+    INSERT INTO upend.session_messages (session_id, role, content, status)
     VALUES (${session.id}, 'user', ${prompt}, 'pending')
     RETURNING *
   `;
@@ -108,17 +108,17 @@ app.post("/sessions/:id/messages", async (c) => {
   const { prompt } = await c.req.json();
   if (!prompt) return c.json({ error: "prompt is required" }, 400);
 
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${sessionId}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${sessionId}`;
   if (!session) return c.json({ error: "session not found" }, 404);
   if (session.status !== "active") return c.json({ error: `session is ${session.status}` }, 400);
 
   const [running] = await sql`
-    SELECT id FROM session_messages WHERE session_id = ${sessionId} AND status = 'running'
+    SELECT id FROM upend.session_messages WHERE session_id = ${sessionId} AND status = 'running'
   `;
   if (running) return c.json({ error: "a message is already running" }, 409);
 
   const [msg] = await sql`
-    INSERT INTO session_messages (session_id, role, content, status)
+    INSERT INTO upend.session_messages (session_id, role, content, status)
     VALUES (${sessionId}, 'user', ${prompt}, 'pending')
     RETURNING *
   `;
@@ -133,20 +133,20 @@ app.post("/sessions/:id/messages", async (c) => {
 
 app.get("/sessions/:id", async (c) => {
   const id = c.req.param("id");
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${id}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${id}`;
   if (!session) return c.json({ error: "not found" }, 404);
-  const messages = await sql`SELECT * FROM session_messages WHERE session_id = ${id} ORDER BY created_at`;
+  const messages = await sql`SELECT * FROM upend.session_messages WHERE session_id = ${id} ORDER BY created_at`;
   return c.json({ ...session, messages });
 });
 
 app.get("/sessions", async (c) => {
-  const rows = await sql`SELECT * FROM editing_sessions ORDER BY created_at DESC LIMIT 50`;
+  const rows = await sql`SELECT * FROM upend.editing_sessions ORDER BY created_at DESC LIMIT 50`;
   return c.json(rows);
 });
 
 app.post("/sessions/:id/end", async (c) => {
   const id = c.req.param("id");
-  await sql`UPDATE editing_sessions SET status = 'ended' WHERE id = ${id}`;
+  await sql`UPDATE upend.editing_sessions SET status = 'ended' WHERE id = ${id}`;
   activeProcesses.delete(Number(id));
   return c.json({ ended: true });
 });
@@ -157,7 +157,7 @@ app.post("/sessions/:id/kill", async (c) => {
   if (!proc) return c.json({ error: "nothing running" }, 404);
   proc.kill();
   activeProcesses.delete(id);
-  await sql`UPDATE session_messages SET status = 'killed' WHERE session_id = ${id} AND status = 'running'`;
+  await sql`UPDATE upend.session_messages SET status = 'killed' WHERE session_id = ${id} AND status = 'running'`;
   broadcast(id, { type: "status", status: "killed" });
   return c.json({ killed: true });
 });
@@ -167,7 +167,7 @@ app.post("/sessions/:id/kill", async (c) => {
 // check if a session can merge cleanly
 app.get("/sessions/:id/mergeable", async (c) => {
   const id = c.req.param("id");
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${id}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${id}`;
   if (!session) return c.json({ error: "not found" }, 404);
 
   const ctx = typeof session.context === 'string' ? JSON.parse(session.context) : session.context;
@@ -187,7 +187,7 @@ app.get("/sessions/:id/mergeable", async (c) => {
 app.post("/sessions/:id/commit", async (c) => {
   const id = c.req.param("id");
   const user = c.get("user") as { sub: string; email: string };
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${id}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${id}`;
   if (!session) return c.json({ error: "not found" }, 404);
   if (session.status !== "active") return c.json({ error: `session is ${session.status}` }, 400);
 
@@ -206,7 +206,7 @@ app.post("/sessions/:id/commit", async (c) => {
     }
 
     // mark session as committed
-    await sql`UPDATE editing_sessions SET status = 'committed' WHERE id = ${id}`;
+    await sql`UPDATE upend.editing_sessions SET status = 'committed' WHERE id = ${id}`;
 
     // restart live services so changes take effect
     restartServices();
@@ -310,7 +310,7 @@ async function runMessage(
   cwd: string = PROJECT_ROOT
 ) {
   try {
-    await sql`UPDATE session_messages SET status = 'running' WHERE id = ${messageId}`;
+    await sql`UPDATE upend.session_messages SET status = 'running' WHERE id = ${messageId}`;
     broadcast(sessionId, { type: "status", status: "running", messageId });
     console.log(`[claude:${sessionId}] message ${messageId} → running (user: ${user.email})`);
 
@@ -383,7 +383,7 @@ async function runMessage(
               if (block.type === "text") {
                 resultText += block.text;
                 // update DB with partial result as it streams
-                await sql`UPDATE session_messages SET result = ${resultText} WHERE id = ${messageId}`;
+                await sql`UPDATE upend.session_messages SET result = ${resultText} WHERE id = ${messageId}`;
                 broadcast(sessionId, { type: "text", text: block.text, messageId });
               } else if (block.type === "tool_use") {
                 broadcast(sessionId, { type: "tool_use", name: block.name, input: block.input, messageId });
@@ -419,12 +419,12 @@ async function runMessage(
       const errMsg = `claude error: ${errorDetail}`;
       console.error(`[claude:${sessionId}] FULL OUTPUT:\n${fullOutput}`);
       console.error(`[claude:${sessionId}] ERROR: ${errMsg}`);
-      await sql`UPDATE session_messages SET status = 'error', result = ${errMsg} WHERE id = ${messageId}`;
+      await sql`UPDATE upend.session_messages SET status = 'error', result = ${errMsg} WHERE id = ${messageId}`;
       broadcast(sessionId, { type: "status", status: "error", error: errMsg, messageId });
       return;
     }
 
-    await sql`UPDATE session_messages SET status = 'complete', result = ${resultText} WHERE id = ${messageId}`;
+    await sql`UPDATE upend.session_messages SET status = 'complete', result = ${resultText} WHERE id = ${messageId}`;
     broadcast(sessionId, { type: "status", status: "complete", messageId });
     console.log(`[claude:${sessionId}] complete: "${resultText.slice(0, 100)}"`);
 
@@ -433,7 +433,7 @@ async function runMessage(
   } catch (err: any) {
     console.error(`[claude:${sessionId}] EXCEPTION:`, err);
     activeProcesses.delete(sessionId);
-    await sql`UPDATE session_messages SET status = 'error', result = ${err.message} WHERE id = ${messageId}`;
+    await sql`UPDATE upend.session_messages SET status = 'error', result = ${err.message} WHERE id = ${messageId}`;
     broadcast(sessionId, { type: "status", status: "error", error: err.message, messageId });
   }
 }

package/src/services/dashboard/public/index.html

@@ -63,6 +63,12 @@
       <button @click="rightPanel = 'data'"
         :class="rightPanel === 'data' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
         class="px-3 py-1 text-xs rounded cursor-pointer font-mono">data</button>
+      <button @click="rightPanel = 'workflows'; loadWorkflows()"
+        :class="rightPanel === 'workflows' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
+        class="px-3 py-1 text-xs rounded cursor-pointer font-mono">workflows</button>
+      <button @click="rightPanel = 'audit'; loadAuditLog()"
+        :class="rightPanel === 'audit' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
+        class="px-3 py-1 text-xs rounded cursor-pointer font-mono">audit</button>
       <div class="relative" @click.away="appsOpen = false">
         <button @click="appsOpen = !appsOpen; loadApps()"
           :class="rightPanel !== 'data' && rightPanel !== 'home' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
@@ -257,8 +263,8 @@
   <!-- right panel -->
   <div class="flex-1 min-h-0 min-w-0 overflow-y-auto" id="panel-right">
     <!-- app iframe -->
-    <iframe x-show="rightPanel !== 'data' && rightPanel !== 'home'" x-ref="rightIframe" class="w-full h-full border-none"
-      :src="token && rightPanel !== 'data' && rightPanel !== 'home' ? appUrl(rightPanel) : 'about:blank'"></iframe>
+    <iframe x-show="!['data','home','workflows','audit'].includes(rightPanel)" x-ref="rightIframe" class="w-full h-full border-none"
+      :src="token && !['data','home','workflows','audit'].includes(rightPanel) ? appUrl(rightPanel) : 'about:blank'"></iframe>
 
     <!-- home panel -->
     <div x-show="rightPanel === 'home'" class="p-8 max-w-2xl mx-auto">
@@ -285,6 +291,87 @@
       </div>
     </div>
 
+    <!-- audit panel -->
+    <div x-show="rightPanel === 'audit'" class="flex flex-col h-full overflow-y-auto">
+      <div class="px-4 py-3 border-b border-border flex items-center justify-between">
+        <span class="text-sm font-bold text-gray-200 font-mono">audit log</span>
+        <button @click="loadAuditLog()" class="text-xs text-muted border border-border px-2 py-1 rounded cursor-pointer hover:text-accent hover:border-accent font-mono">refresh</button>
+      </div>
+
+      <div x-show="auditEntries.length === 0" class="p-8 text-center text-muted text-sm">
+        no audit entries yet
+      </div>
+
+      <table x-show="auditEntries.length > 0" class="w-full text-xs">
+        <thead>
+          <tr class="border-b border-border text-muted sticky top-0 bg-surface">
+            <th class="text-left px-3 py-2 font-normal">time</th>
+            <th class="text-left px-3 py-2 font-normal">actor</th>
+            <th class="text-left px-3 py-2 font-normal">action</th>
+            <th class="text-left px-3 py-2 font-normal">target</th>
+            <th class="text-left px-3 py-2 font-normal">detail</th>
+          </tr>
+        </thead>
+        <tbody>
+          <template x-for="entry in auditEntries" :key="entry.id">
+            <tr class="border-b border-border/50 hover:bg-surface/50">
+              <td class="px-3 py-2 text-muted whitespace-nowrap" x-text="new Date(entry.ts).toLocaleString()"></td>
+              <td class="px-3 py-2 text-gray-200 font-mono" x-text="entry.actorEmail || entry.actorId || '—'"></td>
+              <td class="px-3 py-2">
+                <span class="px-1.5 py-0.5 rounded text-[10px] font-bold"
+                  :class="{
+                    'bg-green-500/20 text-green-400': entry.action?.includes('login'),
+                    'bg-blue-500/20 text-blue-400': entry.action?.includes('signup'),
+                    'bg-yellow-500/20 text-yellow-400': entry.action?.includes('impersonate'),
+                    'bg-accent/20 text-accent': entry.action?.includes('session'),
+                    'bg-purple-500/20 text-purple-400': entry.action?.includes('workflow'),
+                    'bg-red-500/20 text-red-400': entry.action?.includes('commit'),
+                  }"
+                  x-text="entry.action"></span>
+              </td>
+              <td class="px-3 py-2 text-muted font-mono" x-text="entry.targetType ? entry.targetType + ':' + (entry.targetId || '') : '—'"></td>
+              <td class="px-3 py-2 text-muted font-mono max-w-[200px] truncate" x-text="entry.detail && Object.keys(entry.detail).length ? JSON.stringify(entry.detail) : ''"></td>
+            </tr>
+          </template>
+        </tbody>
+      </table>
+    </div>
+
+    <!-- workflows panel -->
+    <div x-show="rightPanel === 'workflows'" class="flex flex-col h-full overflow-y-auto">
+      <div class="px-4 py-3 border-b border-border flex items-center justify-between">
+        <span class="text-sm font-bold text-gray-200 font-mono">workflows</span>
+        <button @click="prompt = 'create a new workflow in workflows/ that '; $refs.chatInput.focus()"
+          class="text-xs text-muted border border-border px-3 py-1 rounded cursor-pointer hover:text-accent hover:border-accent font-mono">+ new workflow</button>
+      </div>
+
+      <div x-show="workflowsList.length === 0" class="p-8 text-center text-muted text-sm">
+        no workflows yet — ask Claude to create one, or add a .ts file to workflows/
+      </div>
+
+      <template x-for="wf in workflowsList" :key="wf.name">
+        <div class="px-4 py-3 border-b border-border/50 hover:bg-surface/50">
+          <div class="flex items-center justify-between mb-1">
+            <div class="flex items-center gap-2">
+              <span class="text-sm font-mono text-gray-200" x-text="wf.name"></span>
+              <span x-show="wf.cron" class="text-[10px] text-muted bg-border px-1.5 py-0.5 rounded font-mono" x-text="wf.cron"></span>
+            </div>
+            <div class="flex items-center gap-2">
+              <span x-show="wf._running" class="text-xs text-accent animate-pulse">running...</span>
+              <span x-show="wf._result !== undefined && !wf._running"
+                :class="wf._result === 0 ? 'text-green-400' : 'text-red-400'"
+                class="text-xs" x-text="wf._result === 0 ? 'success' : 'failed'"></span>
+              <button @click="runWorkflow(wf)"
+                :disabled="wf._running"
+                class="text-xs text-muted border border-border px-2 py-1 rounded cursor-pointer hover:text-accent hover:border-accent font-mono disabled:opacity-40">run</button>
+            </div>
+          </div>
+          <p x-show="wf.description" class="text-xs text-muted" x-text="wf.description"></p>
+          <pre x-show="wf._output" class="mt-2 text-[11px] text-gray-400 bg-bg rounded p-2 overflow-x-auto font-mono max-h-32 overflow-y-auto" x-text="wf._output"></pre>
+        </div>
+      </template>
+    </div>
+
     <!-- data panel -->
     <div x-show="rightPanel === 'data'" class="flex flex-col h-full" x-init="$watch('rightPanel', v => { if (v === 'data') loadTables() })">
       <!-- table list sidebar + detail -->
@@ -379,6 +466,48 @@
                 </table>
               </div>
             </div>
+
+            <!-- RLS policies -->
+            <div class="border-t border-border">
+              <div class="px-4 py-2 text-xs border-b border-border flex items-center justify-between">
+                <div class="flex items-center gap-2">
+                  <span class="text-muted">access policies</span>
+                  <span x-show="tablePolicies.length > 0" class="text-muted" x-text="'(' + tablePolicies.length + ')'"></span>
+                </div>
+                <span x-show="tableRLSEnabled" class="text-green-500 text-xs">RLS enabled</span>
+                <span x-show="!tableRLSEnabled" class="text-muted text-xs">RLS not enabled</span>
+              </div>
+
+              <div x-show="tablePolicies.length === 0" class="px-4 py-4 text-xs text-muted">
+                <p>no policies — all authenticated users have full access.</p>
+                <button @click="prompt = 'enable RLS on the ' + selectedTable + ' table with sensible default policies: everyone can read, users can only update/delete their own rows (by owner_id or id), admins can do everything'; $refs.chatInput.focus()"
+                  class="mt-2 text-accent hover:underline cursor-pointer">+ add default policies</button>
+              </div>
+
+              <template x-for="p in tablePolicies" :key="p.policy">
+                <div class="px-4 py-2.5 border-b border-border/50 hover:bg-surface/50">
+                  <div class="flex items-center gap-2 mb-1">
+                    <span class="font-mono text-xs text-gray-200" x-text="p.policy"></span>
+                    <span class="px-1.5 py-0.5 rounded text-[10px] font-bold"
+                      :class="{
+                        'bg-green-500/20 text-green-400': p.operation === 'SELECT',
+                        'bg-blue-500/20 text-blue-400': p.operation === 'INSERT',
+                        'bg-yellow-500/20 text-yellow-400': p.operation === 'UPDATE',
+                        'bg-red-500/20 text-red-400': p.operation === 'DELETE',
+                        'bg-accent/20 text-accent': p.operation === 'ALL',
+                      }"
+                      x-text="p.operation"></span>
+                    <span class="text-[10px] text-muted" x-text="p.permissive === 'PERMISSIVE' ? '' : 'RESTRICTIVE'"></span>
+                  </div>
+                  <div x-show="p.usingExpr" class="text-[11px] text-muted font-mono">
+                    <span class="text-muted/60">USING</span> <span class="text-gray-400" x-text="p.usingExpr"></span>
+                  </div>
+                  <div x-show="p.checkExpr" class="text-[11px] text-muted font-mono">
+                    <span class="text-muted/60">CHECK</span> <span class="text-gray-400" x-text="p.checkExpr"></span>
+                  </div>
+                </div>
+              </template>
+            </div>
           </div>
         </div>
       </div>
@@ -425,6 +554,12 @@ function dashboard() {
     tableColumns: [],
     sampleRows: [],
     sampleRowKeys: [],
+    tablePolicies: [],
+    tableRLSEnabled: false,
+    allPolicies: [],
+    allRLSTables: [],
+    workflowsList: [],
+    auditEntries: [],
     rightPanel: 'home',
     apps: [],
     appsOpen: false,
@@ -763,6 +898,13 @@ function dashboard() {
       try {
         const res = await this.authFetch('/api/tables');
         if (res.ok) this.tables = (await res.json()).map(t => t.name);
+        // load policies for all tables
+        const polRes = await this.authFetch('/api/policies');
+        if (polRes.ok) {
+          const data = await polRes.json();
+          this.allPolicies = data.policies || [];
+          this.allRLSTables = (data.rlsTables || []).map(t => t.table);
+        }
       } catch {}
     },
 
@@ -771,13 +913,15 @@ function dashboard() {
       this.tableColumns = [];
       this.sampleRows = [];
       this.sampleRowKeys = [];
+      this.tablePolicies = this.allPolicies.filter(p => p.table === name);
+      this.tableRLSEnabled = this.allRLSTables.includes(name);
       try {
         // fetch columns
         const colRes = await this.authFetch(`/api/tables/${name}`);
         if (colRes.ok) this.tableColumns = await colRes.json();
 
-        // fetch sample rows via Neon Data API
-        const dataRes = await this.authFetch(`/api/data/${name}?limit=5&order=id.desc`);
+        // fetch sample rows
+        const dataRes = await this.authFetch(`/api/data/${name}?limit=5&order=created_at.desc`);
         if (dataRes.ok) {
           const rows = await dataRes.json();
           this.sampleRows = rows;
@@ -863,11 +1007,39 @@ function dashboard() {
       this.sendPrompt();
     },
 
+    async loadAuditLog() {
+      try {
+        const res = await this.authFetch('/api/audit?limit=100');
+        if (res.ok) this.auditEntries = await res.json();
+      } catch {}
+    },
+
+    async loadWorkflows() {
+      try {
+        const res = await this.authFetch('/api/workflows');
+        if (res.ok) this.workflowsList = (await res.json()).map(w => ({ ...w, _running: false, _result: undefined, _output: '' }));
+      } catch {}
+    },
+
+    async runWorkflow(wf) {
+      wf._running = true;
+      wf._result = undefined;
+      wf._output = '';
+      try {
+        const res = await this.authFetch(`/api/workflows/${wf.name}/run`, { method: 'POST' });
+        const data = await res.json();
+        wf._result = data.exitCode;
+        wf._output = (data.stdout || '') + (data.stderr ? '\n' + data.stderr : '');
+      } catch (err) {
+        wf._result = 1;
+        wf._output = err.message;
+      }
+      wf._running = false;
+    },
+
     refreshRightPanel() {
-      // refresh app iframe if showing
       const iframe = this.$refs.rightIframe;
       if (iframe?.src && iframe.src !== 'about:blank') iframe.src = iframe.src;
-      // refresh data panel if showing
       this.loadTables();
       if (this.selectedTable) this.selectTable(this.selectedTable);
     },

package/src/services/gateway/auth-routes.ts

@@ -1,9 +1,18 @@
 import { Hono } from "hono";
 import { sql } from "../../lib/db";
-import { signToken, getJWKS } from "../../lib/auth";
+import { signToken, getJWKS, verifyToken } from "../../lib/auth";
 
 export const authRoutes = new Hono();
 
+async function audit(action: string, opts: { actorId?: string; actorEmail?: string; targetType?: string; targetId?: string; detail?: any; ip?: string } = {}) {
+  try {
+    await sql`INSERT INTO audit.log (actor_id, actor_email, action, target_type, target_id, detail, ip)
+      VALUES (${opts.actorId || null}, ${opts.actorEmail || null}, ${action}, ${opts.targetType || null}, ${opts.targetId || null}, ${JSON.stringify(opts.detail || {})}, ${opts.ip || null})`;
+  } catch (err) {
+    console.error("[audit] failed:", err);
+  }
+}
+
 // JWKS endpoint — public, Neon Authorize fetches this to validate JWTs
 authRoutes.get("/.well-known/jwks.json", async (c) => {
   const jwks = await getJWKS();
@@ -12,7 +21,17 @@ authRoutes.get("/.well-known/jwks.json", async (c) => {
 
 // signup (disabled by default — admin creates users, or set SIGNUP_ENABLED=true)
 authRoutes.post("/auth/signup", async (c) => {
-  if (process.env.SIGNUP_ENABLED !== "true") {
+  // allow if signup is enabled OR if request has a valid admin token
+  const authHeader = c.req.header("Authorization");
+  let isAdminRequest = false;
+  if (authHeader?.startsWith("Bearer ")) {
+    try {
+      const payload = await import("../../lib/auth").then(m => m.verifyToken(authHeader.slice(7)));
+      if ((payload as any).app_role === "admin") isAdminRequest = true;
+    } catch {}
+  }
+
+  if (process.env.SIGNUP_ENABLED !== "true" && !isAdminRequest) {
     return c.json({ error: "signup is disabled — contact the admin" }, 403);
   }
 
@@ -30,6 +49,7 @@ authRoutes.post("/auth/signup", async (c) => {
     `;
 
     const token = await signToken(user.id, user.email, user.role);
+    await audit("user.signup", { actorId: user.id, actorEmail: user.email, targetType: "user", targetId: user.id });
     return c.json({ user, token }, 201);
   } catch (err: any) {
     if (err.code === "23505") return c.json({ error: "email already exists" }, 409);
@@ -50,12 +70,38 @@ authRoutes.post("/auth/login", async (c) => {
   if (!valid) return c.json({ error: "invalid credentials" }, 401);
 
   const token = await signToken(user.id, user.email, user.role);
+  await audit("user.login", { actorId: user.id, actorEmail: user.email, targetType: "user", targetId: user.id });
   return c.json({
     user: { id: user.id, email: user.email, role: user.role },
     token,
   });
 });
 
+// impersonate — admin only, mint a token as another user
+authRoutes.post("/auth/impersonate", async (c) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) return c.json({ error: "unauthorized" }, 401);
+
+  try {
+    const payload = await verifyToken(authHeader.slice(7));
+    if ((payload as any).app_role !== "admin") return c.json({ error: "admin only" }, 403);
+  } catch {
+    return c.json({ error: "invalid token" }, 401);
+  }
+
+  const { user_id } = await c.req.json();
+  if (!user_id) return c.json({ error: "user_id required" }, 400);
+
+  const [user] = await sql`SELECT id, email, role FROM users WHERE id = ${user_id}`;
+  if (!user) return c.json({ error: "user not found" }, 404);
+
+  const token = await signToken(user.id, user.email, user.role);
+  const adminPayload = await verifyToken(authHeader!.slice(7));
+  await audit("user.impersonate", { actorId: (adminPayload as any).sub, actorEmail: (adminPayload as any).email, targetType: "user", targetId: user.id, detail: { impersonated: user.email } });
+  console.log(`[auth] impersonation: admin → ${user.email}`);
+  return c.json({ user, token });
+});
+
 // ---------- SSO / OAuth ----------
 // Generic OAuth flow: works with Google, GitHub, Okta, Azure AD, whatever
 // Configure via env: OAUTH_<PROVIDER>_CLIENT_ID, OAUTH_<PROVIDER>_CLIENT_SECRET, etc.
@@ -71,7 +117,7 @@ authRoutes.get("/auth/sso/:provider", async (c) => {
 
   // store state for CSRF validation
   await sql`
-    INSERT INTO oauth_states (state, provider, created_at)
+    INSERT INTO upend.oauth_states (state, provider, created_at)
     VALUES (${state}, ${provider}, now())
   `;
 
@@ -99,7 +145,7 @@ authRoutes.get("/auth/sso/:provider/callback", async (c) => {
 
   // validate state
   const [stateRow] = await sql`
-    DELETE FROM oauth_states WHERE state = ${state} AND provider = ${provider}
+    DELETE FROM upend.oauth_states WHERE state = ${state} AND provider = ${provider}
     AND created_at > now() - interval '10 minutes'
     RETURNING *
   `;

package/src/services/gateway/index.ts

@@ -8,6 +8,16 @@ import { requireAuth } from "../../lib/middleware";
 
 const app = new Hono();
 
+// audit log — append-only, used across all services
+export async function audit(action: string, opts: { actorId?: string; actorEmail?: string; targetType?: string; targetId?: string; detail?: any; ip?: string } = {}) {
+  try {
+    await sql`INSERT INTO audit.log (actor_id, actor_email, action, target_type, target_id, detail, ip)
+      VALUES (${opts.actorId || null}, ${opts.actorEmail || null}, ${action}, ${opts.targetType || null}, ${opts.targetId || null}, ${JSON.stringify(opts.detail || {})}, ${opts.ip || null})`;
+  } catch (err) {
+    console.error("[audit] failed to write:", err);
+  }
+}
+
 app.use("*", logger());
 app.use("*", timing());
 app.use("*", cors());
@@ -39,24 +49,202 @@ app.get("/tables/:name", requireAuth, async (c) => {
   return c.json(columns);
 });
 
-// data API info — point apps to Neon Data API (PostgREST)
-app.get("/data", (c) => c.json({
-  message: "Use Neon Data API for data access. Configure it in your Neon console.",
-  setup: {
-    steps: [
-      "1. Enable Data API in Neon console for your project",
-      "2. Set JWKS URL to: <your-upend-domain>/.well-known/jwks.json",
-      "3. Set JWT audience to: upend",
-      "4. Data API exposes all tables in the public schema as REST endpoints",
-    ],
-    docs: "https://neon.com/docs/data-api/overview",
-  },
-  schemas: {
-    public: "User-facing tables (things, users) — exposed via Data API",
-    upend: "Internal tables (sessions, messages) — not exposed",
-    auth: "Auth functions (user_id()) — used by RLS policies",
-  },
-}));
+// ---------- simple CRUD for public schema tables ----------
+// works without Neon Data API — direct postgres queries
+// sets JWT claims as session vars so RLS policies work
+
+function getUser(c: any) {
+  return c.get("user") as { sub: string; email: string; role: string };
+}
+
+async function withRLS<T>(user: { sub: string; email: string; role: string }, fn: (sql: any) => Promise<T>): Promise<T> {
+  return sql.begin(async (tx) => {
+    await tx.unsafe(`SET LOCAL request.jwt.sub = '${user.sub}'`);
+    await tx.unsafe(`SET LOCAL request.jwt.role = '${user.role}'`);
+    await tx.unsafe(`SET LOCAL request.jwt.email = '${user.email}'`);
+    return fn(tx);
+  });
+}
+
+app.get("/data/:table", requireAuth, async (c) => {
+  const table = c.req.param("table");
+  const select = c.req.query("select") || "*";
+  const order = c.req.query("order") || "created_at.desc";
+  const limit = c.req.query("limit") || "100";
+
+  // parse order: "created_at.desc" → "created_at DESC"
+  const [orderCol, orderDir] = order.split(".");
+  const orderSql = `${orderCol} ${orderDir === "asc" ? "ASC" : "DESC"}`;
+
+  // parse filters from query params (PostgREST-style: ?field=eq.value)
+  const filters: string[] = [];
+  const values: any[] = [];
+  for (const [key, val] of Object.entries(c.req.query())) {
+    if (["select", "order", "limit"].includes(key)) continue;
+    const match = (val as string).match(/^(eq|neq|gt|gte|lt|lte|like|ilike|is)\.(.+)$/);
+    if (match) {
+      const [, op, v] = match;
+      const ops: Record<string, string> = { eq: "=", neq: "!=", gt: ">", gte: ">=", lt: "<", lte: "<=", like: "LIKE", ilike: "ILIKE", is: "IS" };
+      values.push(v === "null" ? null : v);
+      filters.push(`"${key}" ${ops[op]} $${values.length}`);
+    }
+  }
+
+  const where = filters.length ? `WHERE ${filters.join(" AND ")}` : "";
+  const query = `SELECT ${select} FROM "${table}" ${where} ORDER BY ${orderSql} LIMIT ${Number(limit)}`;
+  const user = getUser(c);
+  const rows = await withRLS(user, (tx) => tx.unsafe(query, values));
+  return c.json(rows);
+});
+
+app.post("/data/:table", requireAuth, async (c) => {
+  const table = c.req.param("table");
+  const body = await c.req.json();
+  const cols = Object.keys(body);
+  const vals = Object.values(body);
+  const placeholders = cols.map((_, i) => `$${i + 1}`).join(", ");
+  const query = `INSERT INTO "${table}" (${cols.map(c => `"${c}"`).join(", ")}) VALUES (${placeholders}) RETURNING *`;
+  const user = getUser(c);
+  const [row] = await withRLS(user, (tx) => tx.unsafe(query, vals));
+  return c.json(row, 201);
+});
+
+app.patch("/data/:table", requireAuth, async (c) => {
+  const table = c.req.param("table");
+  const body = await c.req.json();
+
+  // parse filters from query params
+  const filters: string[] = [];
+  const filterVals: any[] = [];
+  for (const [key, val] of Object.entries(c.req.query())) {
+    const match = (val as string).match(/^(eq)\.(.+)$/);
+    if (match) {
+      filterVals.push(match[2]);
+      filters.push(`"${key}" = $${filterVals.length}`);
+    }
+  }
+  if (!filters.length) return c.json({ error: "filter required for PATCH" }, 400);
+
+  const setCols = Object.keys(body);
+  const setVals = Object.values(body);
+  const setClause = setCols.map((col, i) => `"${col}" = $${filterVals.length + i + 1}`).join(", ");
+  const query = `UPDATE "${table}" SET ${setClause} WHERE ${filters.join(" AND ")} RETURNING *`;
+  const user = getUser(c);
+  const rows = await withRLS(user, (tx) => tx.unsafe(query, [...filterVals, ...setVals]));
+  return c.json(rows);
+});
+
+app.delete("/data/:table", requireAuth, async (c) => {
+  const table = c.req.param("table");
+
+  const filters: string[] = [];
+  const vals: any[] = [];
+  for (const [key, val] of Object.entries(c.req.query())) {
+    const match = (val as string).match(/^(eq)\.(.+)$/);
+    if (match) {
+      vals.push(match[2]);
+      filters.push(`"${key}" = $${vals.length}`);
+    }
+  }
+  if (!filters.length) return c.json({ error: "filter required for DELETE" }, 400);
+
+  const query = `DELETE FROM "${table}" WHERE ${filters.join(" AND ")} RETURNING *`;
+  const user = getUser(c);
+  const rows = await withRLS(user, (tx) => tx.unsafe(query, vals));
+  return c.json(rows);
+});
+
+// RLS policies — used by dashboard to display access rules
+app.get("/policies", requireAuth, async (c) => {
+  const policies = await sql`
+    SELECT
+      schemaname as schema,
+      tablename as table,
+      policyname as policy,
+      permissive,
+      roles,
+      cmd as operation,
+      qual as using_expr,
+      with_check as check_expr
+    FROM pg_policies
+    WHERE schemaname = 'public'
+    ORDER BY tablename, policyname
+  `;
+
+  // also get which tables have RLS enabled
+  const rlsTables = await sql`
+    SELECT relname as table, relrowsecurity as rls_enabled, relforcerowsecurity as rls_forced
+    FROM pg_class
+    WHERE relnamespace = 'public'::regnamespace AND relkind = 'r' AND relrowsecurity = true
+  `;
+
+  return c.json({ policies, rlsTables });
+});
+
+// ---------- audit log ----------
+
+app.get("/audit", requireAuth, async (c) => {
+  const limit = c.req.query("limit") || "100";
+  const rows = await sql`
+    SELECT * FROM audit.log ORDER BY ts DESC LIMIT ${Number(limit)}
+  `;
+  return c.json(rows);
+});
+
+// ---------- workflows ----------
+
+import { readdirSync, readFileSync } from "fs";
+import { join } from "path";
+
+const WORKFLOWS_DIR = join(process.env.UPEND_PROJECT || process.cwd(), "workflows");
+
+app.get("/workflows", requireAuth, async (c) => {
+  let files: string[];
+  try {
+    files = readdirSync(WORKFLOWS_DIR).filter(f => f.endsWith(".ts") || f.endsWith(".js"));
+  } catch {
+    return c.json([]);
+  }
+
+  const workflows = files.map(file => {
+    const content = readFileSync(join(WORKFLOWS_DIR, file), "utf-8");
+    const cronMatch = content.match(/\/\/\s*@cron\s+(.+)/);
+    const descMatch = content.match(/\/\/\s*@description\s+(.+)/);
+    return {
+      name: file.replace(/\.(ts|js)$/, ""),
+      file,
+      cron: cronMatch ? cronMatch[1].trim() : null,
+      description: descMatch ? descMatch[1].trim() : "",
+    };
+  });
+
+  return c.json(workflows);
+});
+
+app.post("/workflows/:name/run", requireAuth, async (c) => {
+  const user = getUser(c);
+  if (user.role !== "admin") return c.json({ error: "admin only" }, 403);
+
+  const name = c.req.param("name");
+  const file = `${name}.ts`;
+  const path = join(WORKFLOWS_DIR, file);
+
+  console.log(`[workflow] ${name} triggered by ${user.email}`);
+  const proc = Bun.spawn(["bun", path], {
+    cwd: process.env.UPEND_PROJECT || process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+
+  const stdout = await new Response(proc.stdout).text();
+  const stderr = await new Response(proc.stderr).text();
+  const exitCode = await proc.exited;
+
+  console.log(`[workflow] ${name} exit=${exitCode}`);
+  await audit("workflow.run", { actorId: user.sub, actorEmail: user.email, targetType: "workflow", targetId: name, detail: { exitCode, stdout: stdout.slice(0, 500) } });
+  return c.json({ name, exitCode, stdout, stderr });
+});
 
 const port = Number(process.env.API_PORT) || 3001;
 console.log(`[api] running on :${port}`);