@upend/cli 0.1.2 → 0.1.5

package/README.md

@@ -193,6 +193,40 @@ Neon needs to reach your JWKS URL to validate JWTs for the Data API. After your
 bunx upend setup:jwks
 ```
 
+### Operations
+
+```bash
+# check service health, disk, memory, cron jobs
+bunx upend status
+
+# tail logs (all services, or pick one)
+bunx upend logs
+bunx upend logs api
+bunx upend logs claude
+bunx upend logs -f              # follow in realtime
+
+# SSH into the remote instance
+bunx upend ssh                  # interactive shell, cd'd to project
+bunx upend ssh "bun -v"         # run a command
+```
+
+### Workflows
+
+Workflows are TypeScript files in `workflows/` that run on a cron schedule or manually:
+
+```bash
+# list workflows and their schedules
+bunx upend workflows
+
+# run one manually
+bunx upend workflows run cleanup-sessions
+
+# install cron schedules (also happens on deploy)
+bunx upend workflows install
+```
+
+Workflows are also visible in the dashboard with a manual trigger button.
+
 ## CLI Commands
 
 | Command | What |
@@ -201,6 +235,11 @@ bunx upend setup:jwks
 | `upend dev` | Start gateway + claude + caddy locally |
 | `upend migrate` | Run SQL migrations from `migrations/` |
 | `upend deploy` | rsync to remote, install, migrate, restart |
+| `upend status` | Check remote service health |
+| `upend logs [service]` | Tail remote logs (`-f` to follow) |
+| `upend ssh [cmd]` | SSH into remote instance |
+| `upend workflows` | List, run, or install workflow cron schedules |
+| `upend env:set <K> <V>` | Set an env var (decrypts, sets, re-encrypts) |
 | `upend infra:aws` | Provision an EC2 instance |
 
 ## Config

package/bin/cli.ts

@@ -21,6 +21,10 @@ const commands: Record<string, () => Promise<void>> = {
   migrate: () => import("../src/commands/migrate").then((m) => m.default(args.slice(1))),
   infra: () => import("../src/commands/infra").then((m) => m.default(args.slice(1))),
   env: () => import("../src/commands/env").then((m) => m.default(args.slice(1))),
+  workflows: () => import("../src/commands/workflows").then((m) => m.default(args.slice(1))),
+  logs: () => import("../src/commands/logs").then((m) => m.default(args.slice(1))),
+  status: () => import("../src/commands/status").then((m) => m.default(args.slice(1))),
+  ssh: () => import("../src/commands/ssh").then((m) => m.default(args.slice(1))),
 };
 
 if (!command || command === "--help" || command === "-h") {
@@ -33,6 +37,13 @@ if (!command || command === "--help" || command === "-h") {
     upend deploy             deploy to remote instance
     upend migrate            run database migrations
     upend env:set <K> <V>    set an env var (decrypts, sets, re-encrypts)
+    upend workflows          list workflows
+    upend workflows run <n>  run a workflow manually
+    upend workflows install  install cron schedules
+    upend logs [service]     tail remote logs (api|claude|caddy|all)
+    upend logs -f            follow logs in realtime
+    upend status             check remote service health
+    upend ssh [cmd]          SSH into remote (or run a command)
     upend infra:aws          provision AWS infrastructure
 
   options:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upend/cli",
-  "version": "0.1.2",
+  "version": "0.1.5",
   "description": "Anti-SaaS stack. Deploy live apps with Claude, Postgres, and rsync.",
   "type": "module",
   "bin": {
@@ -9,7 +9,8 @@
   "files": [
     "bin",
     "src",
-    "templates"
+    "templates",
+    "src/apps"
   ],
   "keywords": ["cli", "deploy", "postgres", "claude", "rsync", "caddy", "bun"],
   "author": "cif",

package/src/apps/users/index.html

@@ -0,0 +1,227 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>users</title>
+  <script src="https://cdn.tailwindcss.com"></script>
+  <script>tailwind.config = { theme: { extend: { colors: { bg: '#0a0a0a', surface: '#141414', border: '#262626', accent: '#f97316', muted: '#737373' } } } }</script>
+  <style>body { background: #0a0a0a; font-family: ui-monospace, monospace; }</style>
+</head>
+<body class="text-gray-200 min-h-screen p-6">
+  <div class="max-w-4xl mx-auto">
+    <div class="flex items-center justify-between mb-6">
+      <h1 class="text-accent font-bold text-lg">users</h1>
+      <div class="flex items-center gap-3">
+        <span id="my-info" class="text-xs text-muted"></span>
+        <button id="btn-add" onclick="showModal('add')" class="bg-accent text-black text-xs px-3 py-1.5 rounded font-bold cursor-pointer hidden">+ add user</button>
+      </div>
+    </div>
+
+    <table class="w-full text-sm">
+      <thead>
+        <tr class="text-muted text-xs text-left border-b border-border">
+          <th class="pb-2 font-normal">email</th>
+          <th class="pb-2 font-normal">role</th>
+          <th class="pb-2 font-normal">created</th>
+          <th class="pb-2 font-normal w-40"></th>
+        </tr>
+      </thead>
+      <tbody id="users-table"></tbody>
+    </table>
+  </div>
+
+  <!-- edit modal -->
+  <div id="edit-modal" class="fixed inset-0 bg-black/60 flex items-center justify-center z-50 hidden" onclick="if(event.target===this)hideModal('edit')">
+    <form onsubmit="saveUser(event)" class="bg-surface border border-border rounded-xl p-6 w-96 flex flex-col gap-4">
+      <h3 class="text-accent font-bold text-sm" id="edit-title">edit user</h3>
+      <input id="edit-email" type="email" placeholder="email"
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <div id="edit-role-wrap">
+        <select id="edit-role"
+          class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+          <option value="user">user</option>
+          <option value="admin">admin</option>
+        </select>
+      </div>
+      <input type="hidden" id="edit-id">
+      <div class="flex gap-2 justify-end">
+        <button type="button" onclick="hideModal('edit')"
+          class="text-muted text-xs px-3 py-1.5 rounded border border-border cursor-pointer hover:text-gray-200 font-mono">cancel</button>
+        <button type="submit"
+          class="bg-accent text-black text-xs px-4 py-1.5 rounded font-bold cursor-pointer font-mono">save</button>
+      </div>
+    </form>
+  </div>
+
+  <!-- add modal -->
+  <div id="add-modal" class="fixed inset-0 bg-black/60 flex items-center justify-center z-50 hidden" onclick="if(event.target===this)hideModal('add')">
+    <form onsubmit="addUser(event)" class="bg-surface border border-border rounded-xl p-6 w-96 flex flex-col gap-4">
+      <h3 class="text-accent font-bold text-sm">add user</h3>
+      <input id="add-email" type="email" placeholder="email" required
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <input id="add-password" type="password" placeholder="password" required
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <select id="add-role"
+        class="bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+        <option value="user">user</option>
+        <option value="admin">admin</option>
+      </select>
+      <div class="flex gap-2 justify-end">
+        <button type="button" onclick="hideModal('add')"
+          class="text-muted text-xs px-3 py-1.5 rounded border border-border cursor-pointer hover:text-gray-200 font-mono">cancel</button>
+        <button type="submit"
+          class="bg-accent text-black text-xs px-4 py-1.5 rounded font-bold cursor-pointer font-mono">create</button>
+      </div>
+    </form>
+  </div>
+
+  <!-- impersonation banner -->
+  <div id="imp-banner" class="fixed top-0 left-0 right-0 bg-yellow-500/20 border-b border-yellow-500/50 text-yellow-400 text-xs text-center py-1.5 z-50 hidden font-mono">
+    viewing as <span id="imp-email"></span>
+    <button onclick="exitImpersonation()" class="ml-3 underline cursor-pointer">exit</button>
+  </div>
+
+<script>
+const token = localStorage.getItem('upend_token');
+if (!token) window.location.href = '/';
+
+const claims = JSON.parse(atob(token.split('.')[1]));
+const isAdmin = claims.app_role === 'admin';
+const myId = claims.sub;
+
+// impersonation check
+const realToken = localStorage.getItem('upend_real_token');
+if (realToken) {
+  document.getElementById('imp-banner').classList.remove('hidden');
+  document.getElementById('imp-email').textContent = claims.email;
+}
+
+document.getElementById('my-info').textContent = `${claims.email} (${claims.app_role || 'user'})`;
+if (isAdmin) document.getElementById('btn-add').classList.remove('hidden');
+
+const headers = { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' };
+
+async function api(url, opts = {}) {
+  const res = await fetch(url, { headers, ...opts });
+  if (res.status === 401) { localStorage.removeItem('upend_token'); window.location.href = '/'; }
+  return res;
+}
+
+async function load() {
+  // everyone sees all users
+  const res = await api('/api/data/users?select=id,email,role,created_at&order=created_at.desc');
+  if (!res.ok) { console.error('failed to load users', await res.text()); return; }
+  const users = await res.json();
+  render(users);
+}
+
+function render(users) {
+  document.getElementById('users-table').innerHTML = users.map(u => {
+    const isMe = u.id === myId;
+    const canEdit = isMe || isAdmin;
+    return `
+    <tr class="border-b border-border/50 hover:bg-surface/50">
+      <td class="py-2.5">${u.email} ${isMe ? '<span class="text-accent text-xs">(you)</span>' : ''}</td>
+      <td class="py-2.5">
+        <span class="px-2 py-0.5 rounded text-xs ${u.role === 'admin' ? 'bg-accent/20 text-accent' : 'bg-border text-muted'}">${u.role}</span>
+      </td>
+      <td class="py-2.5 text-muted text-xs">${new Date(u.created_at).toLocaleDateString()}</td>
+      <td class="py-2.5 text-right space-x-2">
+        ${canEdit ? `<button onclick='editUser(${JSON.stringify(u).replace(/'/g, "&#39;")})' class="text-muted text-xs hover:text-gray-200 cursor-pointer">edit</button>` : ''}
+        ${isAdmin && !isMe ? `<button onclick='impersonate("${u.id}")' class="text-muted text-xs hover:text-yellow-400 cursor-pointer">impersonate</button>` : ''}
+        ${isAdmin && !isMe ? `<button onclick='deleteUser("${u.id}")' class="text-muted text-xs hover:text-red-400 cursor-pointer">delete</button>` : ''}
+      </td>
+    </tr>`;
+  }).join('');
+}
+
+function showModal(name) {
+  document.getElementById(name + '-modal').classList.remove('hidden');
+  const input = document.getElementById(name + '-email');
+  if (input) setTimeout(() => input.focus(), 50);
+}
+function hideModal(name) { document.getElementById(name + '-modal').classList.add('hidden'); }
+
+function editUser(user) {
+  const isMe = user.id === myId;
+  document.getElementById('edit-id').value = user.id;
+  document.getElementById('edit-email').value = user.email;
+  document.getElementById('edit-email').readOnly = !isAdmin && !isMe;
+  document.getElementById('edit-role').value = user.role;
+  document.getElementById('edit-title').textContent = isMe ? 'my profile' : 'edit user';
+
+  // only admins can change role, and not their own
+  const roleWrap = document.getElementById('edit-role-wrap');
+  if (!isAdmin || isMe) {
+    roleWrap.innerHTML = `<input type="text" value="${user.role}" readonly class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-400 font-mono">`;
+  } else {
+    roleWrap.innerHTML = `<select id="edit-role" class="w-full bg-bg border border-border rounded-md px-3 py-2 text-sm text-gray-200 font-mono outline-none focus:border-accent">
+      <option value="user" ${user.role === 'user' ? 'selected' : ''}>user</option>
+      <option value="admin" ${user.role === 'admin' ? 'selected' : ''}>admin</option>
+    </select>`;
+  }
+  showModal('edit');
+}
+
+async function saveUser(e) {
+  e.preventDefault();
+  const id = document.getElementById('edit-id').value;
+  const email = document.getElementById('edit-email').value;
+  const roleEl = document.getElementById('edit-role');
+  const body = { email };
+  if (roleEl && roleEl.tagName === 'SELECT') body.role = roleEl.value;
+  await api(`/api/data/users?id=eq.${id}`, { method: 'PATCH', body: JSON.stringify(body) });
+  hideModal('edit');
+  load();
+}
+
+async function addUser(e) {
+  e.preventDefault();
+  const res = await api('/api/auth/signup', {
+    method: 'POST',
+    body: JSON.stringify({
+      email: document.getElementById('add-email').value,
+      password: document.getElementById('add-password').value,
+      role: document.getElementById('add-role').value,
+    }),
+  });
+  if (res.ok) { hideModal('add'); load(); }
+  else { const err = await res.json(); alert(err.error || 'failed'); }
+}
+
+async function deleteUser(id) {
+  if (!confirm('delete this user?')) return;
+  await api(`/api/data/users?id=eq.${id}`, { method: 'DELETE' });
+  load();
+}
+
+async function impersonate(userId) {
+  const res = await api('/api/auth/impersonate', {
+    method: 'POST',
+    body: JSON.stringify({ user_id: userId }),
+  });
+  if (res.ok) {
+    const { token: newToken } = await res.json();
+    localStorage.setItem('upend_real_token', token);
+    localStorage.setItem('upend_token', newToken);
+    window.location.reload();
+  } else {
+    const err = await res.json();
+    alert(err.error || 'impersonation failed');
+  }
+}
+
+function exitImpersonation() {
+  const real = localStorage.getItem('upend_real_token');
+  if (real) {
+    localStorage.setItem('upend_token', real);
+    localStorage.removeItem('upend_real_token');
+    window.location.reload();
+  }
+}
+
+load();
+</script>
+</body>
+</html>

package/src/commands/deploy.ts

@@ -57,6 +57,23 @@ export default async function deploy(args: string[]) {
     sleep 3
     curl -s -o /dev/null -w "API: %{http_code}\\n" http://localhost:3001/
     curl -s -o /dev/null -w "Caddy: %{http_code}\\n" http://localhost:80/
+
+    # install workflow cron schedules
+    if [ -d ${appDir}/workflows ]; then
+      # strip old upend entries
+      crontab -l 2>/dev/null | grep -v "# upend-workflow:" > /tmp/upend-crontab-clean || true
+      # add new entries from @cron comments
+      for f in ${appDir}/workflows/*.ts; do
+        [ -f "$f" ] || continue
+        name=$(basename "$f" .ts)
+        cron=$(grep -oP "//\\s*@cron\\s+\\K.+" "$f" || true)
+        if [ -n "$cron" ]; then
+          echo "$cron cd ${appDir} && bun $f >> /tmp/upend-workflow-$name.log 2>&1 # upend-workflow: $name" >> /tmp/upend-crontab-clean
+        fi
+      done
+      crontab /tmp/upend-crontab-clean
+      echo "workflows installed: $(crontab -l 2>/dev/null | grep -c upend-workflow) cron entries"
+    fi
   '`);
   log.success("deployed");
 

package/src/commands/init.ts

@@ -215,10 +215,36 @@ CREATE TABLE IF NOT EXISTS users (
 
   // apps + services
   mkdirSync(join(projectDir, "apps"), { recursive: true });
-  writeFile(projectDir, "apps/.gitkeep", "");
+  // copy built-in users app
+  const usersAppSrc = new URL("../apps/users/index.html", import.meta.url).pathname;
+  mkdirSync(join(projectDir, "apps/users"), { recursive: true });
+  writeFileSync(join(projectDir, "apps/users/index.html"), readFileSync(usersAppSrc, "utf-8"));
   mkdirSync(join(projectDir, "services"), { recursive: true });
   writeFile(projectDir, "services/.gitkeep", "");
 
+  // workflows
+  mkdirSync(join(projectDir, "workflows"), { recursive: true });
+  writeFile(projectDir, "workflows/example.ts", `// example workflow — runs on a schedule or manually
+// @cron 0 */6 * * *
+// @description clean up ended sessions older than 7 days
+
+import postgres from "postgres";
+
+const sql = postgres(process.env.DATABASE_URL!);
+
+export async function run() {
+  const deleted = await sql\`
+    DELETE FROM upend.editing_sessions
+    WHERE status = 'ended' AND created_at < now() - interval '7 days'
+    RETURNING id
+  \`;
+  console.log(\`cleaned up \${deleted.length} old sessions\`);
+}
+
+// run directly: bun workflows/example.ts
+run().then(() => process.exit(0));
+`);
+
   // CLAUDE.md
   writeFile(projectDir, "CLAUDE.md", `# ${name}
 
@@ -247,6 +273,43 @@ Apps talk to Neon Data API at \`/api/data/<table>\`:
 - DELETE \`/api/data/example?id=eq.5\` — delete
 All requests need \`Authorization: Bearer <jwt>\` header.
 
+## Access control
+Apps read JWT claims to decide what to show:
+\`\`\`js
+const token = localStorage.getItem('upend_token');
+const claims = JSON.parse(atob(token.split('.')[1]));
+const isAdmin = claims.app_role === 'admin';
+const myId = claims.sub;
+\`\`\`
+
+The data API at \`/api/data/:table\` sets JWT claims as Postgres session variables before each query,
+so RLS policies have access to the current user.
+
+When the user asks for access control, create RLS policies in a migration:
+\`\`\`sql
+ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
+ALTER TABLE projects FORCE ROW LEVEL SECURITY;
+
+-- everyone can read
+CREATE POLICY "read" ON projects FOR SELECT USING (true);
+
+-- users can only update their own rows
+CREATE POLICY "update_own" ON projects FOR UPDATE
+  USING (owner_id = current_setting('request.jwt.sub')::uuid);
+
+-- only admins can delete
+CREATE POLICY "admin_delete" ON projects FOR DELETE
+  USING (current_setting('request.jwt.role') = 'admin');
+\`\`\`
+
+Available session variables in RLS policies:
+- \`current_setting('request.jwt.sub')\` — user ID
+- \`current_setting('request.jwt.role')\` — user role (admin/user)
+- \`current_setting('request.jwt.email')\` — user email
+
+The dashboard data tab shows active RLS policies per table so users can see what rules are in place.
+The \`apps/users/\` app is an example of the access control pattern.
+
 ## Conventions
 - Migrations: plain SQL in \`migrations/\`, numbered \`001_name.sql\`
 - Apps: static HTML/JS/CSS in \`apps/<name>/\`

package/src/commands/logs.ts

@@ -0,0 +1,43 @@
+import { log } from "../lib/log";
+import { exec } from "../lib/exec";
+
+export default async function logs(args: string[]) {
+  const host = process.env.DEPLOY_HOST;
+  const sshKey = process.env.DEPLOY_SSH_KEY || `${process.env.HOME}/.ssh/upend.pem`;
+
+  if (!host) {
+    log.error("DEPLOY_HOST not set. Add it to .env");
+    process.exit(1);
+  }
+
+  const service = args[0]; // api, claude, caddy, workflow-<name>, or blank for all
+  let logFiles: string;
+
+  if (service === "api") {
+    logFiles = "/tmp/upend-api.log";
+  } else if (service === "claude") {
+    logFiles = "/tmp/upend-claude.log";
+  } else if (service === "caddy") {
+    logFiles = "/tmp/upend-caddy.log";
+  } else if (service?.startsWith("workflow-")) {
+    logFiles = `/tmp/upend-workflow-${service.replace("workflow-", "")}.log`;
+  } else {
+    logFiles = "/tmp/upend-api.log /tmp/upend-claude.log /tmp/upend-caddy.log";
+  }
+
+  const lines = args.includes("-n") ? args[args.indexOf("-n") + 1] || "50" : "50";
+  const follow = args.includes("-f") || args.includes("--follow");
+
+  const tailCmd = follow
+    ? `tail -f ${logFiles}`
+    : `tail -n ${lines} ${logFiles}`;
+
+  log.dim(`ssh ${host} → ${tailCmd}`);
+
+  // use spawn for streaming output (especially -f)
+  const proc = Bun.spawn(["ssh", "-i", sshKey, host, tailCmd], {
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+  await proc.exited;
+}

package/src/commands/ssh.ts

@@ -0,0 +1,32 @@
+import { log } from "../lib/log";
+
+export default async function ssh(args: string[]) {
+  const host = process.env.DEPLOY_HOST;
+  const sshKey = process.env.DEPLOY_SSH_KEY || `${process.env.HOME}/.ssh/upend.pem`;
+  const appDir = process.env.DEPLOY_DIR || "/opt/upend";
+
+  if (!host) {
+    log.error("DEPLOY_HOST not set. Add it to .env");
+    process.exit(1);
+  }
+
+  // if args provided, run as remote command
+  if (args.length > 0) {
+    const cmd = args.join(" ");
+    log.dim(`ssh ${host} → ${cmd}`);
+    const proc = Bun.spawn(["ssh", "-i", sshKey, host, `cd ${appDir} && ${cmd}`], {
+      stdout: "inherit",
+      stderr: "inherit",
+    });
+    process.exit(await proc.exited);
+  }
+
+  // otherwise, interactive shell
+  log.dim(`ssh ${host} (cd ${appDir})`);
+  const proc = Bun.spawn(["ssh", "-i", sshKey, "-t", host, `cd ${appDir} && exec bash`], {
+    stdout: "inherit",
+    stderr: "inherit",
+    stdin: "inherit",
+  });
+  process.exit(await proc.exited);
+}

package/src/commands/status.ts

@@ -0,0 +1,47 @@
+import { log } from "../lib/log";
+import { exec } from "../lib/exec";
+
+export default async function status(args: string[]) {
+  const host = process.env.DEPLOY_HOST;
+  const sshKey = process.env.DEPLOY_SSH_KEY || `${process.env.HOME}/.ssh/upend.pem`;
+
+  if (!host) {
+    log.error("DEPLOY_HOST not set. Add it to .env");
+    process.exit(1);
+  }
+
+  const appDir = process.env.DEPLOY_DIR || "/opt/upend";
+
+  log.header(`${host}`);
+
+  // check services
+  const { stdout } = await exec(["ssh", "-i", sshKey, host, `bash -c '
+    echo "=== services ==="
+    pgrep -af "bun services/api" > /dev/null && echo "api: running" || echo "api: stopped"
+    pgrep -af "bun services/claude" > /dev/null && echo "claude: running" || echo "claude: stopped"
+    pgrep -af "caddy" > /dev/null && echo "caddy: running" || echo "caddy: stopped"
+
+    echo ""
+    echo "=== health ==="
+    curl -s -o /dev/null -w "api: %{http_code}" http://localhost:3001/ 2>/dev/null || echo "api: unreachable"
+    echo ""
+    curl -s -o /dev/null -w "caddy: %{http_code}" http://localhost:80/ 2>/dev/null || echo "caddy: unreachable"
+    echo ""
+
+    echo ""
+    echo "=== system ==="
+    uptime
+    df -h / | tail -1 | awk "{print \"disk: \" \\$3 \" used / \" \\$2 \" (\" \\$5 \")\"}"
+    free -h 2>/dev/null | awk "/Mem:/{print \"memory: \" \\$3 \" used / \" \\$2}" || echo "memory: n/a"
+
+    echo ""
+    echo "=== workflows (crontab) ==="
+    crontab -l 2>/dev/null | grep "upend-workflow" || echo "none installed"
+
+    echo ""
+    echo "=== last deploy ==="
+    cd ${appDir} && git log --oneline -1 2>/dev/null || echo "no git history"
+  '`]);
+
+  console.log(stdout);
+}