@upend/cli 0.1.2 → 0.1.5

package/src/commands/workflows.ts

@@ -0,0 +1,142 @@
+import { log } from "../lib/log";
+import { exec } from "../lib/exec";
+import { readdirSync, readFileSync } from "fs";
+import { join, resolve } from "path";
+
+type Workflow = {
+  name: string;
+  file: string;
+  cron: string | null;
+  description: string;
+  installed: boolean;
+};
+
+export default async function workflows(args: string[]) {
+  const sub = args[0];
+  const projectDir = resolve(".");
+  const workflowsDir = join(projectDir, "workflows");
+
+  switch (sub) {
+    case "list":
+    case undefined:
+      await list(workflowsDir);
+      break;
+    case "run":
+      await run(workflowsDir, args[1]);
+      break;
+    case "install":
+      await install(workflowsDir);
+      break;
+    case "uninstall":
+      await uninstall();
+      break;
+    default:
+      // treat it as a workflow name to run
+      await run(workflowsDir, sub);
+  }
+}
+
+function parseWorkflows(dir: string): Workflow[] {
+  let files: string[];
+  try {
+    files = readdirSync(dir).filter(f => f.endsWith(".ts") || f.endsWith(".js"));
+  } catch {
+    return [];
+  }
+
+  return files.map(file => {
+    const content = readFileSync(join(dir, file), "utf-8");
+    const cronMatch = content.match(/\/\/\s*@cron\s+(.+)/);
+    const descMatch = content.match(/\/\/\s*@description\s+(.+)/);
+    const cron = cronMatch ? cronMatch[1].trim() : null;
+    const description = descMatch ? descMatch[1].trim() : "";
+    const name = file.replace(/\.(ts|js)$/, "");
+    return { name, file, cron, description, installed: false };
+  });
+}
+
+async function getCrontab(): Promise<string> {
+  const { stdout } = await exec(["crontab", "-l"], { silent: true });
+  return stdout;
+}
+
+async function list(dir: string) {
+  const wfs = parseWorkflows(dir);
+  if (wfs.length === 0) {
+    log.info("no workflows found in workflows/");
+    return;
+  }
+
+  const crontab = await getCrontab();
+
+  log.header("workflows");
+  for (const wf of wfs) {
+    const installed = crontab.includes(`workflows/${wf.file}`);
+    const status = installed ? "installed" : wf.cron ? "not installed" : "manual only";
+    const statusColor = installed ? "\x1b[32m" : "\x1b[90m";
+    console.log(`  ${wf.name}`);
+    if (wf.description) console.log(`    ${wf.description}`);
+    if (wf.cron) console.log(`    cron: ${wf.cron}  [${statusColor}${status}\x1b[0m]`);
+    else console.log(`    [manual only]`);
+    console.log();
+  }
+}
+
+async function run(dir: string, name?: string) {
+  if (!name) {
+    log.error("usage: upend workflows run <name>");
+    process.exit(1);
+  }
+
+  const file = name.endsWith(".ts") || name.endsWith(".js") ? name : `${name}.ts`;
+  const path = join(dir, file);
+
+  log.info(`running ${file}...`);
+  const { stdout, stderr, exitCode } = await exec(["bun", path]);
+  if (stdout) console.log(stdout);
+  if (stderr) console.error(stderr);
+
+  if (exitCode === 0) {
+    log.success(`${file} complete`);
+  } else {
+    log.error(`${file} failed (exit ${exitCode})`);
+  }
+}
+
+async function install(dir: string) {
+  const wfs = parseWorkflows(dir).filter(w => w.cron);
+  if (wfs.length === 0) {
+    log.info("no workflows with @cron found");
+    return;
+  }
+
+  const crontab = await getCrontab();
+  const lines = crontab.split("\n").filter(l => !l.includes("# upend-workflow:"));
+  const projectDir = resolve(".");
+
+  for (const wf of wfs) {
+    lines.push(`${wf.cron} cd ${projectDir} && bun workflows/${wf.file} >> /tmp/upend-workflow-${wf.name}.log 2>&1 # upend-workflow: ${wf.name}`);
+    log.info(`installing ${wf.name}: ${wf.cron}`);
+  }
+
+  const newCrontab = lines.filter(Boolean).join("\n") + "\n";
+  const proc = Bun.spawn(["crontab", "-"], { stdin: "pipe" });
+  proc.stdin.write(newCrontab);
+  proc.stdin.end();
+  await proc.exited;
+
+  log.success(`${wfs.length} workflow(s) installed`);
+}
+
+async function uninstall() {
+  const crontab = await getCrontab();
+  const lines = crontab.split("\n").filter(l => !l.includes("# upend-workflow:"));
+  const newCrontab = lines.filter(Boolean).join("\n") + "\n";
+
+  const proc = Bun.spawn(["crontab", "-"], { stdin: "pipe" });
+  proc.stdin.write(newCrontab);
+  proc.stdin.end();
+  await proc.exited;
+
+  log.success("all upend workflows removed from crontab");
+}

package/src/lib/middleware.ts

@@ -27,7 +27,7 @@ export const requireAuth = createMiddleware<{
     const user = {
       sub: payload.sub as string,
       email: payload.email as string,
-      role: (payload.role as string) || "user",
+      role: (payload.app_role as string) || (payload.role as string) || "user",
     };
     console.log(`[auth] ${user.email} → ${method} ${path}`);
     c.set("user", user);

package/src/services/claude/index.ts

@@ -59,8 +59,8 @@ app.post("/sessions", async (c) => {
 
   const activeSessions = await sql`
     SELECT es.*,
-      (SELECT sm.content FROM session_messages sm WHERE sm.session_id = es.id ORDER BY sm.created_at DESC LIMIT 1) as last_message
-    FROM editing_sessions es WHERE es.status = 'active' ORDER BY es.created_at DESC
+      (SELECT sm.content FROM upend.session_messages sm WHERE sm.session_id = es.id ORDER BY sm.created_at DESC LIMIT 1) as last_message
+    FROM upend.editing_sessions es WHERE es.status = 'active' ORDER BY es.created_at DESC
   `;
 
   if (activeSessions.length > 0 && !force) {
@@ -87,13 +87,13 @@ app.post("/sessions", async (c) => {
   const claudeSessionId = crypto.randomUUID();
 
   const [session] = await sql`
-    INSERT INTO editing_sessions (prompt, status, claude_session_id, snapshot_name, title, context)
+    INSERT INTO upend.editing_sessions (prompt, status, claude_session_id, snapshot_name, title, context)
     VALUES (${prompt}, 'active', ${claudeSessionId}, ${sessionName}, ${title || null}, ${JSON.stringify({ root: worktree.path, worktree: sessionName, branch: worktree.branch })})
     RETURNING *
   `;
 
   const [msg] = await sql`
-    INSERT INTO session_messages (session_id, role, content, status)
+    INSERT INTO upend.session_messages (session_id, role, content, status)
     VALUES (${session.id}, 'user', ${prompt}, 'pending')
     RETURNING *
   `;
@@ -108,17 +108,17 @@ app.post("/sessions/:id/messages", async (c) => {
   const { prompt } = await c.req.json();
   if (!prompt) return c.json({ error: "prompt is required" }, 400);
 
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${sessionId}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${sessionId}`;
   if (!session) return c.json({ error: "session not found" }, 404);
   if (session.status !== "active") return c.json({ error: `session is ${session.status}` }, 400);
 
   const [running] = await sql`
-    SELECT id FROM session_messages WHERE session_id = ${sessionId} AND status = 'running'
+    SELECT id FROM upend.session_messages WHERE session_id = ${sessionId} AND status = 'running'
   `;
   if (running) return c.json({ error: "a message is already running" }, 409);
 
   const [msg] = await sql`
-    INSERT INTO session_messages (session_id, role, content, status)
+    INSERT INTO upend.session_messages (session_id, role, content, status)
     VALUES (${sessionId}, 'user', ${prompt}, 'pending')
     RETURNING *
   `;
@@ -133,20 +133,20 @@ app.post("/sessions/:id/messages", async (c) => {
 
 app.get("/sessions/:id", async (c) => {
   const id = c.req.param("id");
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${id}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${id}`;
   if (!session) return c.json({ error: "not found" }, 404);
-  const messages = await sql`SELECT * FROM session_messages WHERE session_id = ${id} ORDER BY created_at`;
+  const messages = await sql`SELECT * FROM upend.session_messages WHERE session_id = ${id} ORDER BY created_at`;
   return c.json({ ...session, messages });
 });
 
 app.get("/sessions", async (c) => {
-  const rows = await sql`SELECT * FROM editing_sessions ORDER BY created_at DESC LIMIT 50`;
+  const rows = await sql`SELECT * FROM upend.editing_sessions ORDER BY created_at DESC LIMIT 50`;
   return c.json(rows);
 });
 
 app.post("/sessions/:id/end", async (c) => {
   const id = c.req.param("id");
-  await sql`UPDATE editing_sessions SET status = 'ended' WHERE id = ${id}`;
+  await sql`UPDATE upend.editing_sessions SET status = 'ended' WHERE id = ${id}`;
   activeProcesses.delete(Number(id));
   return c.json({ ended: true });
 });
@@ -157,7 +157,7 @@ app.post("/sessions/:id/kill", async (c) => {
   if (!proc) return c.json({ error: "nothing running" }, 404);
   proc.kill();
   activeProcesses.delete(id);
-  await sql`UPDATE session_messages SET status = 'killed' WHERE session_id = ${id} AND status = 'running'`;
+  await sql`UPDATE upend.session_messages SET status = 'killed' WHERE session_id = ${id} AND status = 'running'`;
   broadcast(id, { type: "status", status: "killed" });
   return c.json({ killed: true });
 });
@@ -167,7 +167,7 @@ app.post("/sessions/:id/kill", async (c) => {
 // check if a session can merge cleanly
 app.get("/sessions/:id/mergeable", async (c) => {
   const id = c.req.param("id");
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${id}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${id}`;
   if (!session) return c.json({ error: "not found" }, 404);
 
   const ctx = typeof session.context === 'string' ? JSON.parse(session.context) : session.context;
@@ -187,7 +187,7 @@ app.get("/sessions/:id/mergeable", async (c) => {
 app.post("/sessions/:id/commit", async (c) => {
   const id = c.req.param("id");
   const user = c.get("user") as { sub: string; email: string };
-  const [session] = await sql`SELECT * FROM editing_sessions WHERE id = ${id}`;
+  const [session] = await sql`SELECT * FROM upend.editing_sessions WHERE id = ${id}`;
   if (!session) return c.json({ error: "not found" }, 404);
   if (session.status !== "active") return c.json({ error: `session is ${session.status}` }, 400);
 
@@ -206,7 +206,7 @@ app.post("/sessions/:id/commit", async (c) => {
     }
 
     // mark session as committed
-    await sql`UPDATE editing_sessions SET status = 'committed' WHERE id = ${id}`;
+    await sql`UPDATE upend.editing_sessions SET status = 'committed' WHERE id = ${id}`;
 
     // restart live services so changes take effect
     restartServices();
@@ -310,7 +310,7 @@ async function runMessage(
   cwd: string = PROJECT_ROOT
 ) {
   try {
-    await sql`UPDATE session_messages SET status = 'running' WHERE id = ${messageId}`;
+    await sql`UPDATE upend.session_messages SET status = 'running' WHERE id = ${messageId}`;
     broadcast(sessionId, { type: "status", status: "running", messageId });
     console.log(`[claude:${sessionId}] message ${messageId} → running (user: ${user.email})`);
 
@@ -383,7 +383,7 @@ async function runMessage(
               if (block.type === "text") {
                 resultText += block.text;
                 // update DB with partial result as it streams
-                await sql`UPDATE session_messages SET result = ${resultText} WHERE id = ${messageId}`;
+                await sql`UPDATE upend.session_messages SET result = ${resultText} WHERE id = ${messageId}`;
                 broadcast(sessionId, { type: "text", text: block.text, messageId });
               } else if (block.type === "tool_use") {
                 broadcast(sessionId, { type: "tool_use", name: block.name, input: block.input, messageId });
@@ -419,12 +419,12 @@ async function runMessage(
       const errMsg = `claude error: ${errorDetail}`;
       console.error(`[claude:${sessionId}] FULL OUTPUT:\n${fullOutput}`);
       console.error(`[claude:${sessionId}] ERROR: ${errMsg}`);
-      await sql`UPDATE session_messages SET status = 'error', result = ${errMsg} WHERE id = ${messageId}`;
+      await sql`UPDATE upend.session_messages SET status = 'error', result = ${errMsg} WHERE id = ${messageId}`;
       broadcast(sessionId, { type: "status", status: "error", error: errMsg, messageId });
       return;
     }
 
-    await sql`UPDATE session_messages SET status = 'complete', result = ${resultText} WHERE id = ${messageId}`;
+    await sql`UPDATE upend.session_messages SET status = 'complete', result = ${resultText} WHERE id = ${messageId}`;
     broadcast(sessionId, { type: "status", status: "complete", messageId });
     console.log(`[claude:${sessionId}] complete: "${resultText.slice(0, 100)}"`);
 
@@ -433,7 +433,7 @@ async function runMessage(
   } catch (err: any) {
     console.error(`[claude:${sessionId}] EXCEPTION:`, err);
     activeProcesses.delete(sessionId);
-    await sql`UPDATE session_messages SET status = 'error', result = ${err.message} WHERE id = ${messageId}`;
+    await sql`UPDATE upend.session_messages SET status = 'error', result = ${err.message} WHERE id = ${messageId}`;
     broadcast(sessionId, { type: "status", status: "error", error: err.message, messageId });
   }
 }

package/src/services/dashboard/public/index.html

@@ -63,6 +63,12 @@
       <button @click="rightPanel = 'data'"
         :class="rightPanel === 'data' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
         class="px-3 py-1 text-xs rounded cursor-pointer font-mono">data</button>
+      <button @click="rightPanel = 'workflows'; loadWorkflows()"
+        :class="rightPanel === 'workflows' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
+        class="px-3 py-1 text-xs rounded cursor-pointer font-mono">workflows</button>
+      <button @click="rightPanel = 'audit'; loadAuditLog()"
+        :class="rightPanel === 'audit' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
+        class="px-3 py-1 text-xs rounded cursor-pointer font-mono">audit</button>
       <div class="relative" @click.away="appsOpen = false">
         <button @click="appsOpen = !appsOpen; loadApps()"
           :class="rightPanel !== 'data' && rightPanel !== 'home' ? 'text-accent bg-accent-dim' : 'text-muted hover:text-gray-200 hover:bg-border'"
@@ -257,8 +263,8 @@
   <!-- right panel -->
   <div class="flex-1 min-h-0 min-w-0 overflow-y-auto" id="panel-right">
     <!-- app iframe -->
-    <iframe x-show="rightPanel !== 'data' && rightPanel !== 'home'" x-ref="rightIframe" class="w-full h-full border-none"
-      :src="token && rightPanel !== 'data' && rightPanel !== 'home' ? appUrl(rightPanel) : 'about:blank'"></iframe>
+    <iframe x-show="!['data','home','workflows','audit'].includes(rightPanel)" x-ref="rightIframe" class="w-full h-full border-none"
+      :src="token && !['data','home','workflows','audit'].includes(rightPanel) ? appUrl(rightPanel) : 'about:blank'"></iframe>
 
     <!-- home panel -->
     <div x-show="rightPanel === 'home'" class="p-8 max-w-2xl mx-auto">
@@ -285,6 +291,87 @@
       </div>
     </div>
 
+    <!-- audit panel -->
+    <div x-show="rightPanel === 'audit'" class="flex flex-col h-full overflow-y-auto">
+      <div class="px-4 py-3 border-b border-border flex items-center justify-between">
+        <span class="text-sm font-bold text-gray-200 font-mono">audit log</span>
+        <button @click="loadAuditLog()" class="text-xs text-muted border border-border px-2 py-1 rounded cursor-pointer hover:text-accent hover:border-accent font-mono">refresh</button>
+      </div>
+
+      <div x-show="auditEntries.length === 0" class="p-8 text-center text-muted text-sm">
+        no audit entries yet
+      </div>
+
+      <table x-show="auditEntries.length > 0" class="w-full text-xs">
+        <thead>
+          <tr class="border-b border-border text-muted sticky top-0 bg-surface">
+            <th class="text-left px-3 py-2 font-normal">time</th>
+            <th class="text-left px-3 py-2 font-normal">actor</th>
+            <th class="text-left px-3 py-2 font-normal">action</th>
+            <th class="text-left px-3 py-2 font-normal">target</th>
+            <th class="text-left px-3 py-2 font-normal">detail</th>
+          </tr>
+        </thead>
+        <tbody>
+          <template x-for="entry in auditEntries" :key="entry.id">
+            <tr class="border-b border-border/50 hover:bg-surface/50">
+              <td class="px-3 py-2 text-muted whitespace-nowrap" x-text="new Date(entry.ts).toLocaleString()"></td>
+              <td class="px-3 py-2 text-gray-200 font-mono" x-text="entry.actorEmail || entry.actorId || '—'"></td>
+              <td class="px-3 py-2">
+                <span class="px-1.5 py-0.5 rounded text-[10px] font-bold"
+                  :class="{
+                    'bg-green-500/20 text-green-400': entry.action?.includes('login'),
+                    'bg-blue-500/20 text-blue-400': entry.action?.includes('signup'),
+                    'bg-yellow-500/20 text-yellow-400': entry.action?.includes('impersonate'),
+                    'bg-accent/20 text-accent': entry.action?.includes('session'),
+                    'bg-purple-500/20 text-purple-400': entry.action?.includes('workflow'),
+                    'bg-red-500/20 text-red-400': entry.action?.includes('commit'),
+                  }"
+                  x-text="entry.action"></span>
+              </td>
+              <td class="px-3 py-2 text-muted font-mono" x-text="entry.targetType ? entry.targetType + ':' + (entry.targetId || '') : '—'"></td>
+              <td class="px-3 py-2 text-muted font-mono max-w-[200px] truncate" x-text="entry.detail && Object.keys(entry.detail).length ? JSON.stringify(entry.detail) : ''"></td>
+            </tr>
+          </template>
+        </tbody>
+      </table>
+    </div>
+
+    <!-- workflows panel -->
+    <div x-show="rightPanel === 'workflows'" class="flex flex-col h-full overflow-y-auto">
+      <div class="px-4 py-3 border-b border-border flex items-center justify-between">
+        <span class="text-sm font-bold text-gray-200 font-mono">workflows</span>
+        <button @click="prompt = 'create a new workflow in workflows/ that '; $refs.chatInput.focus()"
+          class="text-xs text-muted border border-border px-3 py-1 rounded cursor-pointer hover:text-accent hover:border-accent font-mono">+ new workflow</button>
+      </div>
+
+      <div x-show="workflowsList.length === 0" class="p-8 text-center text-muted text-sm">
+        no workflows yet — ask Claude to create one, or add a .ts file to workflows/
+      </div>
+
+      <template x-for="wf in workflowsList" :key="wf.name">
+        <div class="px-4 py-3 border-b border-border/50 hover:bg-surface/50">
+          <div class="flex items-center justify-between mb-1">
+            <div class="flex items-center gap-2">
+              <span class="text-sm font-mono text-gray-200" x-text="wf.name"></span>
+              <span x-show="wf.cron" class="text-[10px] text-muted bg-border px-1.5 py-0.5 rounded font-mono" x-text="wf.cron"></span>
+            </div>
+            <div class="flex items-center gap-2">
+              <span x-show="wf._running" class="text-xs text-accent animate-pulse">running...</span>
+              <span x-show="wf._result !== undefined && !wf._running"
+                :class="wf._result === 0 ? 'text-green-400' : 'text-red-400'"
+                class="text-xs" x-text="wf._result === 0 ? 'success' : 'failed'"></span>
+              <button @click="runWorkflow(wf)"
+                :disabled="wf._running"
+                class="text-xs text-muted border border-border px-2 py-1 rounded cursor-pointer hover:text-accent hover:border-accent font-mono disabled:opacity-40">run</button>
+            </div>
+          </div>
+          <p x-show="wf.description" class="text-xs text-muted" x-text="wf.description"></p>
+          <pre x-show="wf._output" class="mt-2 text-[11px] text-gray-400 bg-bg rounded p-2 overflow-x-auto font-mono max-h-32 overflow-y-auto" x-text="wf._output"></pre>
+        </div>
+      </template>
+    </div>
+
     <!-- data panel -->
     <div x-show="rightPanel === 'data'" class="flex flex-col h-full" x-init="$watch('rightPanel', v => { if (v === 'data') loadTables() })">
       <!-- table list sidebar + detail -->
@@ -379,6 +466,48 @@
                 </table>
               </div>
             </div>
+
+            <!-- RLS policies -->
+            <div class="border-t border-border">
+              <div class="px-4 py-2 text-xs border-b border-border flex items-center justify-between">
+                <div class="flex items-center gap-2">
+                  <span class="text-muted">access policies</span>
+                  <span x-show="tablePolicies.length > 0" class="text-muted" x-text="'(' + tablePolicies.length + ')'"></span>
+                </div>
+                <span x-show="tableRLSEnabled" class="text-green-500 text-xs">RLS enabled</span>
+                <span x-show="!tableRLSEnabled" class="text-muted text-xs">RLS not enabled</span>
+              </div>
+
+              <div x-show="tablePolicies.length === 0" class="px-4 py-4 text-xs text-muted">
+                <p>no policies — all authenticated users have full access.</p>
+                <button @click="prompt = 'enable RLS on the ' + selectedTable + ' table with sensible default policies: everyone can read, users can only update/delete their own rows (by owner_id or id), admins can do everything'; $refs.chatInput.focus()"
+                  class="mt-2 text-accent hover:underline cursor-pointer">+ add default policies</button>
+              </div>
+
+              <template x-for="p in tablePolicies" :key="p.policy">
+                <div class="px-4 py-2.5 border-b border-border/50 hover:bg-surface/50">
+                  <div class="flex items-center gap-2 mb-1">
+                    <span class="font-mono text-xs text-gray-200" x-text="p.policy"></span>
+                    <span class="px-1.5 py-0.5 rounded text-[10px] font-bold"
+                      :class="{
+                        'bg-green-500/20 text-green-400': p.operation === 'SELECT',
+                        'bg-blue-500/20 text-blue-400': p.operation === 'INSERT',
+                        'bg-yellow-500/20 text-yellow-400': p.operation === 'UPDATE',
+                        'bg-red-500/20 text-red-400': p.operation === 'DELETE',
+                        'bg-accent/20 text-accent': p.operation === 'ALL',
+                      }"
+                      x-text="p.operation"></span>
+                    <span class="text-[10px] text-muted" x-text="p.permissive === 'PERMISSIVE' ? '' : 'RESTRICTIVE'"></span>
+                  </div>
+                  <div x-show="p.usingExpr" class="text-[11px] text-muted font-mono">
+                    <span class="text-muted/60">USING</span> <span class="text-gray-400" x-text="p.usingExpr"></span>
+                  </div>
+                  <div x-show="p.checkExpr" class="text-[11px] text-muted font-mono">
+                    <span class="text-muted/60">CHECK</span> <span class="text-gray-400" x-text="p.checkExpr"></span>
+                  </div>
+                </div>
+              </template>
+            </div>
           </div>
         </div>
       </div>
@@ -425,6 +554,12 @@ function dashboard() {
     tableColumns: [],
     sampleRows: [],
     sampleRowKeys: [],
+    tablePolicies: [],
+    tableRLSEnabled: false,
+    allPolicies: [],
+    allRLSTables: [],
+    workflowsList: [],
+    auditEntries: [],
     rightPanel: 'home',
     apps: [],
     appsOpen: false,
@@ -763,6 +898,13 @@ function dashboard() {
       try {
         const res = await this.authFetch('/api/tables');
         if (res.ok) this.tables = (await res.json()).map(t => t.name);
+        // load policies for all tables
+        const polRes = await this.authFetch('/api/policies');
+        if (polRes.ok) {
+          const data = await polRes.json();
+          this.allPolicies = data.policies || [];
+          this.allRLSTables = (data.rlsTables || []).map(t => t.table);
+        }
       } catch {}
     },
 
@@ -771,13 +913,15 @@ function dashboard() {
       this.tableColumns = [];
       this.sampleRows = [];
       this.sampleRowKeys = [];
+      this.tablePolicies = this.allPolicies.filter(p => p.table === name);
+      this.tableRLSEnabled = this.allRLSTables.includes(name);
       try {
         // fetch columns
         const colRes = await this.authFetch(`/api/tables/${name}`);
         if (colRes.ok) this.tableColumns = await colRes.json();
 
-        // fetch sample rows via Neon Data API
-        const dataRes = await this.authFetch(`/api/data/${name}?limit=5&order=id.desc`);
+        // fetch sample rows
+        const dataRes = await this.authFetch(`/api/data/${name}?limit=5&order=created_at.desc`);
         if (dataRes.ok) {
           const rows = await dataRes.json();
           this.sampleRows = rows;
@@ -863,11 +1007,39 @@ function dashboard() {
       this.sendPrompt();
     },
 
+    async loadAuditLog() {
+      try {
+        const res = await this.authFetch('/api/audit?limit=100');
+        if (res.ok) this.auditEntries = await res.json();
+      } catch {}
+    },
+
+    async loadWorkflows() {
+      try {
+        const res = await this.authFetch('/api/workflows');
+        if (res.ok) this.workflowsList = (await res.json()).map(w => ({ ...w, _running: false, _result: undefined, _output: '' }));
+      } catch {}
+    },
+
+    async runWorkflow(wf) {
+      wf._running = true;
+      wf._result = undefined;
+      wf._output = '';
+      try {
+        const res = await this.authFetch(`/api/workflows/${wf.name}/run`, { method: 'POST' });
+        const data = await res.json();
+        wf._result = data.exitCode;
+        wf._output = (data.stdout || '') + (data.stderr ? '\n' + data.stderr : '');
+      } catch (err) {
+        wf._result = 1;
+        wf._output = err.message;
+      }
+      wf._running = false;
+    },
+
     refreshRightPanel() {
-      // refresh app iframe if showing
       const iframe = this.$refs.rightIframe;
       if (iframe?.src && iframe.src !== 'about:blank') iframe.src = iframe.src;
-      // refresh data panel if showing
       this.loadTables();
       if (this.selectedTable) this.selectTable(this.selectedTable);
     },

package/src/services/gateway/auth-routes.ts

@@ -1,9 +1,18 @@
 import { Hono } from "hono";
 import { sql } from "../../lib/db";
-import { signToken, getJWKS } from "../../lib/auth";
+import { signToken, getJWKS, verifyToken } from "../../lib/auth";
 
 export const authRoutes = new Hono();
 
+async function audit(action: string, opts: { actorId?: string; actorEmail?: string; targetType?: string; targetId?: string; detail?: any; ip?: string } = {}) {
+  try {
+    await sql`INSERT INTO audit.log (actor_id, actor_email, action, target_type, target_id, detail, ip)
+      VALUES (${opts.actorId || null}, ${opts.actorEmail || null}, ${action}, ${opts.targetType || null}, ${opts.targetId || null}, ${JSON.stringify(opts.detail || {})}, ${opts.ip || null})`;
+  } catch (err) {
+    console.error("[audit] failed:", err);
+  }
+}
+
 // JWKS endpoint — public, Neon Authorize fetches this to validate JWTs
 authRoutes.get("/.well-known/jwks.json", async (c) => {
   const jwks = await getJWKS();
@@ -12,7 +21,17 @@ authRoutes.get("/.well-known/jwks.json", async (c) => {
 
 // signup (disabled by default — admin creates users, or set SIGNUP_ENABLED=true)
 authRoutes.post("/auth/signup", async (c) => {
-  if (process.env.SIGNUP_ENABLED !== "true") {
+  // allow if signup is enabled OR if request has a valid admin token
+  const authHeader = c.req.header("Authorization");
+  let isAdminRequest = false;
+  if (authHeader?.startsWith("Bearer ")) {
+    try {
+      const payload = await import("../../lib/auth").then(m => m.verifyToken(authHeader.slice(7)));
+      if ((payload as any).app_role === "admin") isAdminRequest = true;
+    } catch {}
+  }
+
+  if (process.env.SIGNUP_ENABLED !== "true" && !isAdminRequest) {
     return c.json({ error: "signup is disabled — contact the admin" }, 403);
   }
 
@@ -30,6 +49,7 @@ authRoutes.post("/auth/signup", async (c) => {
     `;
 
     const token = await signToken(user.id, user.email, user.role);
+    await audit("user.signup", { actorId: user.id, actorEmail: user.email, targetType: "user", targetId: user.id });
     return c.json({ user, token }, 201);
   } catch (err: any) {
     if (err.code === "23505") return c.json({ error: "email already exists" }, 409);
@@ -50,12 +70,38 @@ authRoutes.post("/auth/login", async (c) => {
   if (!valid) return c.json({ error: "invalid credentials" }, 401);
 
   const token = await signToken(user.id, user.email, user.role);
+  await audit("user.login", { actorId: user.id, actorEmail: user.email, targetType: "user", targetId: user.id });
   return c.json({
     user: { id: user.id, email: user.email, role: user.role },
     token,
   });
 });
 
+// impersonate — admin only, mint a token as another user
+authRoutes.post("/auth/impersonate", async (c) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) return c.json({ error: "unauthorized" }, 401);
+
+  try {
+    const payload = await verifyToken(authHeader.slice(7));
+    if ((payload as any).app_role !== "admin") return c.json({ error: "admin only" }, 403);
+  } catch {
+    return c.json({ error: "invalid token" }, 401);
+  }
+
+  const { user_id } = await c.req.json();
+  if (!user_id) return c.json({ error: "user_id required" }, 400);
+
+  const [user] = await sql`SELECT id, email, role FROM users WHERE id = ${user_id}`;
+  if (!user) return c.json({ error: "user not found" }, 404);
+
+  const token = await signToken(user.id, user.email, user.role);
+  const adminPayload = await verifyToken(authHeader!.slice(7));
+  await audit("user.impersonate", { actorId: (adminPayload as any).sub, actorEmail: (adminPayload as any).email, targetType: "user", targetId: user.id, detail: { impersonated: user.email } });
+  console.log(`[auth] impersonation: admin → ${user.email}`);
+  return c.json({ user, token });
+});
+
 // ---------- SSO / OAuth ----------
 // Generic OAuth flow: works with Google, GitHub, Okta, Azure AD, whatever
 // Configure via env: OAUTH_<PROVIDER>_CLIENT_ID, OAUTH_<PROVIDER>_CLIENT_SECRET, etc.
@@ -71,7 +117,7 @@ authRoutes.get("/auth/sso/:provider", async (c) => {
 
   // store state for CSRF validation
   await sql`
-    INSERT INTO oauth_states (state, provider, created_at)
+    INSERT INTO upend.oauth_states (state, provider, created_at)
     VALUES (${state}, ${provider}, now())
   `;
 
@@ -99,7 +145,7 @@ authRoutes.get("/auth/sso/:provider/callback", async (c) => {
 
   // validate state
   const [stateRow] = await sql`
-    DELETE FROM oauth_states WHERE state = ${state} AND provider = ${provider}
+    DELETE FROM upend.oauth_states WHERE state = ${state} AND provider = ${provider}
     AND created_at > now() - interval '10 minutes'
     RETURNING *
   `;