npm - komplian - Versions diffs - 0.5.2 → 0.6.0 - Mend

komplian 0.5.2 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +2 -0
package/komplian-db-all-dev.mjs +256 -0
package/komplian-db.mjs +162 -100
package/komplian-localhost.mjs +48 -36
package/komplian-onboard.mjs +14 -7
package/komplian-postman.mjs +17 -0
package/package.json +3 -3
package/KOMPLIAN_DATABASE_URLS.env.example +0 -28

package/README.md CHANGED Viewed

@@ -6,6 +6,8 @@
 2. Browser login: `gh auth login -h github.com -s repo -s read:org -w`
 3. `npx komplian onboard --yes` (sin `@versión`: usa `latest` del registry público).
+**Orden típico del equipo:** onboard → `postman login` / `postman --yes` → `mcp-tools --yes` → **`db:all:dev`** → `localhost --yes`. Ver **`ONBOARDING.md`**.
 **`npm ERR! ETARGET` / “No matching version”** (también si falló **`postman`**, no solo `onboard`): es el mismo paquete npm. Usa **`npx komplian postman login`** / **`npx komplian postman --yes`** **sin** `@0.4.x`; comprueba `npm config get registry` → `https://registry.npmjs.org/`; `npm cache clean --force`. Detalle: `ONBOARDING.md` en el monorepo.
 ### Postman (colección + entornos)

package/komplian-db-all-dev.mjs ADDED Viewed

@@ -0,0 +1,256 @@
+#!/usr/bin/env node
+/**
+ * db:all:dev — Verificación empleado @komplian.com (Postman GET /me, misma clave que postman login),
+ * guarda las 3 URLs de desarrollo en ~/.komplian/dev-databases.json (600) y las propaga a
+ * app|api|web|admin/.env.local. No usa archivos secretos en la raíz del monorepo.
+ *
+ * No interactivo: export KOMPLIAN_DEV_APP_DATABASE_URL, _ADMIN_, _WEB_ y npx komplian db:all:dev --yes
+ */
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  writeFileSync,
+} from "node:fs";
+import { join, resolve } from "node:path";
+import { homedir } from "node:os";
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+import { assertKomplianEmployeePostman } from "./komplian-postman.mjs";
+import {
+  applyOverridesToEnvContent,
+  formatEnvValue,
+  findWorkspaceRoot,
+  writeAtomic,
+} from "./komplian-localhost.mjs";
+import {
+  loadHomeDevDatabases,
+  maskDatabaseUrl,
+} from "./komplian-db.mjs";
+const c = {
+  reset: "\x1b[0m",
+  dim: "\x1b[2m",
+  bold: "\x1b[1m",
+  cyan: "\x1b[36m",
+  green: "\x1b[32m",
+  red: "\x1b[31m",
+  yellow: "\x1b[33m",
+};
+function log(s = "") {
+  console.log(s);
+}
+const PLACEHOLDER = "komplian_localhost_placeholder";
+const DEV_DB_NAME = "dev-databases.json";
+function ensureKomplianHome() {
+  const dir = join(homedir(), ".komplian");
+  mkdirSync(dir, { recursive: true, mode: 0o700 });
+  try {
+    chmodSync(dir, 0o700);
+  } catch {
+    /* ignore */
+  }
+  return dir;
+}
+function devDbPath() {
+  return join(ensureKomplianHome(), DEV_DB_NAME);
+}
+function writeSavedDevDatabases(data) {
+  const p = devDbPath();
+  const body = JSON.stringify(
+    {
+      schemaVersion: 1,
+      app: data.app,
+      admin: data.admin,
+      web: data.web,
+      savedAt: new Date().toISOString(),
+    },
+    null,
+    2
+  );
+  writeFileSync(p, body, { encoding: "utf8", mode: 0o600 });
+  try {
+    chmodSync(p, 0o600);
+  } catch {
+    /* ignore */
+  }
+}
+function isValidPostgresUrl(s) {
+  const t = (s || "").trim();
+  if (!t.startsWith("postgresql://") && !t.startsWith("postgres://")) return false;
+  if (t.includes(PLACEHOLDER)) return false;
+  try {
+    const u = new URL(t);
+    return !!u.hostname;
+  } catch {
+    return false;
+  }
+}
+function isValidTriplet(d) {
+  return (
+    isValidPostgresUrl(d.app) &&
+    isValidPostgresUrl(d.admin) &&
+    isValidPostgresUrl(d.web)
+  );
+}
+function headerDbAllDev() {
+  return `# KOMPLIAN — development databases (komplian db:all:dev · no commitear)\n`;
+}
+function patchEnvLocal(workspaceRoot, project, overrides) {
+  const envPath = join(workspaceRoot, project, ".env.local");
+  const examplePath = join(workspaceRoot, project, ".env.example");
+  let body;
+  let prefix = "";
+  if (existsSync(envPath)) {
+    body = applyOverridesToEnvContent(readFileSync(envPath, "utf8"), overrides);
+  } else if (existsSync(examplePath)) {
+    prefix = headerDbAllDev();
+    body = applyOverridesToEnvContent(readFileSync(examplePath, "utf8"), overrides);
+  } else {
+    prefix = headerDbAllDev();
+    body = Object.entries(overrides)
+      .map(([k, v]) => `${k}=${formatEnvValue(v)}`)
+      .join("\n");
+  }
+  writeAtomic(envPath, prefix + body);
+}
+function propagateToMonorepo(workspaceRoot, data) {
+  patchEnvLocal(workspaceRoot, "app", { DATABASE_URL: data.app });
+  patchEnvLocal(workspaceRoot, "admin", { DATABASE_URL: data.admin });
+  patchEnvLocal(workspaceRoot, "web", { DATABASE_URL: data.web });
+  patchEnvLocal(workspaceRoot, "api", {
+    APP_DATABASE_URL: data.app,
+    ADMIN_DATABASE_URL: data.admin,
+    WEB_DATABASE_URL: data.web,
+  });
+}
+function collectUrlsFromEnv() {
+  return {
+    app: process.env.KOMPLIAN_DEV_APP_DATABASE_URL?.trim() || "",
+    admin: process.env.KOMPLIAN_DEV_ADMIN_DATABASE_URL?.trim() || "",
+    web: process.env.KOMPLIAN_DEV_WEB_DATABASE_URL?.trim() || "",
+  };
+}
+async function collectUrlsInteractive(rl) {
+  log(`  ${c.dim}postgresql://… desde Neon (rama development) u homólogo.${c.reset}`);
+  const app = (await rl.question(`${c.bold}URL APP${c.reset} (app + API): `)).trim();
+  const admin = (await rl.question(`${c.bold}URL ADMIN${c.reset}: `)).trim();
+  const web = (await rl.question(`${c.bold}URL WEB${c.reset} (pilot): `)).trim();
+  return { app, admin, web };
+}
+function parseArgs(argv) {
+  const opts = {
+    yes: false,
+    force: false,
+    workspace: "",
+    help: false,
+  };
+  const rest = [];
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--yes" || a === "-y") opts.yes = true;
+    else if (a === "--force") opts.force = true;
+    else if (a === "-w" || a === "--workspace") opts.workspace = argv[++i] || "";
+    else if (a === "-h" || a === "--help") opts.help = true;
+    else if (a.startsWith("-")) {
+      log(`${c.red}✗${c.reset} Opción desconocida: ${a}`);
+      process.exit(1);
+    } else rest.push(a);
+  }
+  if (rest[0]) opts.workspace = rest[0];
+  return opts;
+}
+function usage() {
+  log(`Uso: npx komplian db:all:dev [opciones] [monorepo]`);
+  log(``);
+  log(`  Tras ${c.bold}npx komplian postman login${c.reset}: verifica @komplian.com y configura las 3 bases de desarrollo.`);
+  log(`  Guarda en ${c.dim}~/.komplian/dev-databases.json${c.reset} y actualiza ${c.dim}app|api|web|admin/.env.local${c.reset}.`);
+  log(``);
+  log(`  Sin prompts: ${c.dim}KOMPLIAN_DEV_APP_DATABASE_URL${c.reset}, ${c.dim}_ADMIN_${c.reset}, ${c.dim}_WEB_${c.reset} + ${c.bold}--yes${c.reset}`);
+  log(`  ${c.bold}--force${c.reset}     Volver a pedir URLs (o usar env) aunque exista el JSON`);
+  log(`  -w, --workspace  Raíz del monorepo`);
+  log(`  -h, --help`);
+}
+export async function runDbAllDev(argv) {
+  const opts = parseArgs(argv);
+  if (opts.help) {
+    usage();
+    return;
+  }
+  const workspaceRoot = opts.workspace.trim()
+    ? resolve(opts.workspace.replace(/^~(?=$|[/\\])/, process.env.HOME || ""))
+    : findWorkspaceRoot(process.cwd());
+  if (!existsSync(join(workspaceRoot, "api", "package.json"))) {
+    log(`${c.red}✗${c.reset} No parece un monorepo Komplian: ${workspaceRoot}`);
+    process.exit(1);
+  }
+  log(`${c.cyan}━━ Komplian — bases de datos (development) ━━${c.reset}`);
+  await assertKomplianEmployeePostman();
+  const fromEnv = collectUrlsFromEnv();
+  const envOk = isValidTriplet(fromEnv);
+  const saved = loadHomeDevDatabases();
+  const savedOk = saved && isValidTriplet(saved);
+  /** @type {{ app: string; admin: string; web: string }} */
+  let data;
+  if (envOk) {
+    data = fromEnv;
+    log(`${c.green}✓${c.reset} URLs desde variables de entorno (KOMPLIAN_DEV_*_DATABASE_URL).`);
+  } else if (savedOk && !opts.force && !envOk) {
+    data = saved;
+    log(
+      `${c.dim}○${c.reset} Usando ${c.bold}~/.komplian/dev-databases.json${c.reset} (${c.dim}--force${c.reset} para cambiar).`
+    );
+  } else if (opts.yes && !envOk) {
+    log(
+      `${c.red}✗${c.reset} Con ${c.bold}--yes${c.reset} define las tres variables ${c.dim}KOMPLIAN_DEV_APP_DATABASE_URL${c.reset}, ${c.dim}_ADMIN_${c.reset}, ${c.dim}_WEB_${c.reset}, o ejecuta sin ${c.bold}--yes${c.reset} para modo interactivo.`
+    );
+    process.exit(1);
+  } else {
+    const rl = createInterface({ input, output });
+    log(``);
+    log(`${c.bold}Introduce las connection strings de desarrollo (3).${c.reset}`);
+    data = await collectUrlsInteractive(rl);
+    rl.close();
+  }
+  if (!isValidTriplet(data)) {
+    log(`${c.red}✗${c.reset} Las tres URLs deben ser postgres:// o postgresql:// válidas (sin placeholder).`);
+    process.exit(1);
+  }
+  writeSavedDevDatabases(data);
+  propagateToMonorepo(workspaceRoot, data);
+  log(``);
+  log(`${c.green}✓${c.reset} Guardado ${c.dim}~/.komplian/${DEV_DB_NAME}${c.reset} y .env.local en app, api, web, admin.`);
+  log(`  ${c.dim}APP${c.reset}   ${maskDatabaseUrl(data.app)}`);
+  log(`  ${c.dim}ADMIN${c.reset} ${maskDatabaseUrl(data.admin)}`);
+  log(`  ${c.dim}WEB${c.reset}   ${maskDatabaseUrl(data.web)}`);
+  log(``);
+  log(`${c.dim}Siguiente: ${c.reset}${c.cyan}npx komplian localhost --yes${c.reset}`);
+  log(`${c.dim}psql: ${c.reset}${c.cyan}npx komplian db:app:development${c.reset} …`);
+}

package/komplian-db.mjs CHANGED Viewed

@@ -7,11 +7,8 @@
  *   npx komplian db:admin:staging
  *   npx komplian db:web:production
  *
- * URLs (prioridad: process.env → KOMPLIAN_DATABASE_URLS.env → KOMPLIAN_LOCALHOST_SECRETS.env → .env.local solo development):
- *   KOMPLIAN_DATABASE_URL_APP_DEVELOPMENT | _STAGING | _PRODUCTION
- *   KOMPLIAN_DATABASE_URL_ADMIN_*
- *   KOMPLIAN_DATABASE_URL_WEB_*
- * Legacy development: KOMPLIAN_LOCALHOST_*_DATABASE_URL
+ * Development: 1) .env.local por repo; 2) ~/.komplian/dev-databases.json (db:all:dev); 3) variables de sesión KOMPLIAN_*.
+ * Staging/producción: solo KOMPLIAN_DATABASE_URL_*_STAGING|_PRODUCTION (env o archivos en raíz), nunca .env.local.
  *
  * Producción: solo emails @komplian.com en KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST
  * (por defecto josue.santana@komplian.com). Operador: KOMPLIAN_DATABASE_OPERATOR_EMAIL o git config user.email.
@@ -22,6 +19,7 @@
 import { spawn, spawnSync } from "node:child_process";
 import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
 import { dirname, join, resolve } from "node:path";
 import { createInterface } from "node:readline/promises";
 import { stdin as input, stdout as output } from "node:process";
@@ -56,23 +54,26 @@ const DEFAULT_PRODUCTION_ALLOWLIST = ["josue.santana@komplian.com"];
 /** Misma cadena que `komplian-localhost.mjs` cuando no hay URL real. */
 const LOCALHOST_DB_PLACEHOLDER = "komplian_localhost_placeholder";
-function assertNotPlaceholderDbUrl(url, platform, environment) {
-  if (!url.includes(LOCALHOST_DB_PLACEHOLDER)) return;
-  const key = platformToDbKey(platform);
+export function isPlaceholderDbUrl(url) {
+  return !!(url && String(url).includes(LOCALHOST_DB_PLACEHOLDER));
+}
+/** Primera URL no vacía que no sea el placeholder de localhost. */
+export function pickFirstNonPlaceholder(...candidates) {
+  for (const c of candidates) {
+    const u = (c ?? "").trim();
+    if (u && !isPlaceholderDbUrl(u)) return u;
+  }
+  return "";
+}
+function assertNotPlaceholderDbUrl(url) {
+  if (!isPlaceholderDbUrl(url)) return;
   log(
     `${c.red}✗${c.reset} La URL es el ${c.bold}placeholder${c.reset} de \`komplian localhost\` (no apunta a una base de datos real).`
   );
   log(``);
-  log(`  Pon una URL real en la raíz del monorepo, por ejemplo:`);
-  log(
-    `  ${c.dim}KOMPLIAN_LOCALHOST_${key}_DATABASE_URL=postgresql://…${c.reset}`
-  );
-  log(
-    `  o ${c.dim}KOMPLIAN_DATABASE_URL_${key}_${environment.toUpperCase()}=…${c.reset} en ${c.dim}KOMPLIAN_DATABASE_URLS.env${c.reset}`
-  );
-  log(
-    `  (${c.dim}KOMPLIAN_LOCALHOST_SECRETS.env${c.reset} / ${c.dim}.komplian/${c.reset}…). Luego vuelve a ejecutar el comando.`
-  );
+  log(`  Pon una URL real (${c.bold}npx komplian db:all:dev${c.reset}, ${c.dim}--url${c.reset}, o variables en sesión).`);
   process.exit(1);
 }
@@ -96,25 +97,21 @@ function parseEnvFile(content) {
   return out;
 }
-function loadMergedEnvFiles(workspaceRoot) {
-  const out = {};
-  const paths = [
-    join(workspaceRoot, "KOMPLIAN_DATABASE_URLS.env"),
-    join(workspaceRoot, ".komplian", "KOMPLIAN_DATABASE_URLS.env"),
-    join(workspaceRoot, "KOMPLIAN_LOCALHOST_SECRETS.env"),
-    join(workspaceRoot, ".komplian", "KOMPLIAN_LOCALHOST_SECRETS.env"),
-    join(workspaceRoot, "komplian-localhost.secrets.env"),
-    join(workspaceRoot, ".komplian", "localhost-secrets.env"),
-  ];
-  for (const p of paths) {
-    if (!existsSync(p)) continue;
-    try {
-      Object.assign(out, parseEnvFile(readFileSync(p, "utf8")));
-    } catch {
-      /* ignore */
-    }
+/** ~/.komplian/dev-databases.json (creado por db:all:dev). No se leen secretos en la raíz del monorepo. */
+export function loadHomeDevDatabases() {
+  const p = join(homedir(), ".komplian", "dev-databases.json");
+  if (!existsSync(p)) return null;
+  try {
+    const j = JSON.parse(readFileSync(p, "utf8"));
+    if (!j || typeof j !== "object") return null;
+    return {
+      app: String(j.app || "").trim(),
+      admin: String(j.admin || "").trim(),
+      web: String(j.web || "").trim(),
+    };
+  } catch {
+    return null;
   }
-  return out;
 }
 function readEnvLocalKey(workspaceRoot, project, keys) {
@@ -149,7 +146,7 @@ function findWorkspaceRoot(start) {
   return resolve(start);
 }
-function maskDatabaseUrl(url) {
+export function maskDatabaseUrl(url) {
   try {
     const u = new URL(url);
     if (u.password) u.password = "***";
@@ -168,7 +165,7 @@ function platformToDbKey(platform) {
   return null;
 }
-function loadProductionAllowlist(workspaceRoot) {
+function loadProductionAllowlist() {
   const raw = process.env.KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST?.trim();
   if (raw) {
     return raw
@@ -176,21 +173,6 @@ function loadProductionAllowlist(workspaceRoot) {
       .map((s) => s.trim().toLowerCase())
       .filter(Boolean);
   }
-  const p = join(
-    workspaceRoot,
-    ".komplian",
-    "KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST"
-  );
-  if (existsSync(p)) {
-    try {
-      return readFileSync(p, "utf8")
-        .split(/\r?\n/)
-        .map((l) => l.trim().toLowerCase())
-        .filter((l) => l && !l.startsWith("#"));
-    } catch {
-      /* ignore */
-    }
-  }
   return DEFAULT_PRODUCTION_ALLOWLIST.map((e) => e.toLowerCase());
 }
@@ -245,7 +227,7 @@ async function resolveOperatorEmail() {
   return (ans || "").trim();
 }
-function assertProductionAccess(email, allowlist) {
+function assertProductionAccessLocalAllowlist(email, allowlist) {
   const e = email.toLowerCase();
   if (!e || !e.endsWith("@komplian.com")) {
     log(
@@ -255,51 +237,123 @@ function assertProductionAccess(email, allowlist) {
   }
   if (!allowlist.includes(e)) {
     log(
-      `${c.red}✗${c.reset} Producción: este email no está autorizado. Añádelo en ${c.bold}KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST${c.reset} o en ${c.dim}.komplian/KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST${c.reset}.`
+      `${c.red}✗${c.reset} Producción: email no autorizado (local). Usa Admin → ${c.bold}Prod DB CLI${c.reset} o ${c.dim}KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST${c.reset} / ${c.dim}KOMPLIAN_API_URL${c.reset}+${c.dim}ADMIN_API_KEY${c.reset}.`
     );
     process.exit(1);
   }
 }
+/** Si hay KOMPLIAN_API_URL + ADMIN_API_KEY, la API central decide (lista en Admin, super admin). */
+async function verifyProductionAccessViaApi(email) {
+  const base = (process.env.KOMPLIAN_API_URL || "").trim().replace(/\/$/, "");
+  const apiKey = (process.env.ADMIN_API_KEY || "").trim();
+  if (!base || !apiKey) return null;
+  try {
+    const ac = new AbortController();
+    const t = setTimeout(() => ac.abort(), 15000);
+    const r = await fetch(`${base}/api/admin/production-db-cli/verify`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-API-Key": apiKey,
+      },
+      body: JSON.stringify({ email: email.toLowerCase() }),
+      signal: ac.signal,
+    });
+    clearTimeout(t);
+    const j = await r.json().catch(() => ({}));
+    if (!r.ok || j.success !== true || typeof j.allowed !== "boolean") return null;
+    return j.allowed;
+  } catch {
+    return null;
+  }
+}
+async function assertProductionAccessResolved(email, quiet) {
+  const e = (email || "").toLowerCase().trim();
+  if (!e || !e.endsWith("@komplian.com")) {
+    log(
+      `${c.red}✗${c.reset} Producción: solo cuentas ${c.bold}@komplian.com${c.reset}. Define ${c.dim}KOMPLIAN_DATABASE_OPERATOR_EMAIL${c.reset} o ${c.dim}git config user.email${c.reset}.`
+    );
+    process.exit(1);
+  }
+  const verdict = await verifyProductionAccessViaApi(e);
+  if (verdict === true) {
+    if (!quiet) {
+      log(
+        `${c.dim}○${c.reset} Producción: allowlist desde ${c.bold}API central${c.reset} (Admin → Prod DB CLI).`
+      );
+    }
+    return;
+  }
+  if (verdict === false) {
+    log(
+      `${c.red}✗${c.reset} Producción: este email no está en la lista (Admin → Prod DB CLI, solo super admin).`
+    );
+    process.exit(1);
+  }
+  assertProductionAccessLocalAllowlist(e, loadProductionAllowlist());
+}
 function resolveDatabaseUrl(workspaceRoot, platform, environment) {
   const dbKey = platformToDbKey(platform);
   if (!dbKey) return "";
-  const file = loadMergedEnvFiles(workspaceRoot);
   const envU = environment.toUpperCase();
   const primaryKey = `KOMPLIAN_DATABASE_URL_${dbKey}_${envU}`;
+  const home = loadHomeDevDatabases();
-  let url =
-    process.env[primaryKey]?.trim() || file[primaryKey]?.trim() || "";
-  if (environment === "development" && !url) {
-    const single =
-      process.env.KOMPLIAN_LOCALHOST_DATABASE_URL?.trim() ||
-      file.KOMPLIAN_LOCALHOST_DATABASE_URL?.trim();
-    if (dbKey === "APP") {
-      url =
-        process.env.KOMPLIAN_LOCALHOST_APP_DATABASE_URL?.trim() ||
-        file.KOMPLIAN_LOCALHOST_APP_DATABASE_URL?.trim() ||
-        single ||
-        readEnvLocalKey(workspaceRoot, "app", ["DATABASE_URL"]) ||
-        readEnvLocalKey(workspaceRoot, "api", ["APP_DATABASE_URL"]);
-    } else if (dbKey === "ADMIN") {
-      url =
-        process.env.KOMPLIAN_LOCALHOST_ADMIN_DATABASE_URL?.trim() ||
-        file.KOMPLIAN_LOCALHOST_ADMIN_DATABASE_URL?.trim() ||
-        single ||
-        readEnvLocalKey(workspaceRoot, "admin", ["DATABASE_URL"]) ||
-        readEnvLocalKey(workspaceRoot, "api", ["ADMIN_DATABASE_URL"]);
-    } else if (dbKey === "WEB") {
-      url =
-        process.env.KOMPLIAN_LOCALHOST_WEB_DATABASE_URL?.trim() ||
-        file.KOMPLIAN_LOCALHOST_WEB_DATABASE_URL?.trim() ||
-        single ||
-        readEnvLocalKey(workspaceRoot, "web", ["DATABASE_URL"]) ||
-        readEnvLocalKey(workspaceRoot, "api", ["WEB_DATABASE_URL"]);
-    }
+  if (environment !== "development") {
+    return pickFirstNonPlaceholder(process.env[primaryKey]);
+  }
+  const single = (process.env.KOMPLIAN_LOCALHOST_DATABASE_URL || "").trim();
+  let fromRepos = "";
+  if (dbKey === "APP") {
+    fromRepos = pickFirstNonPlaceholder(
+      readEnvLocalKey(workspaceRoot, "app", ["DATABASE_URL"]),
+      readEnvLocalKey(workspaceRoot, "api", ["APP_DATABASE_URL"])
+    );
+  } else if (dbKey === "ADMIN") {
+    fromRepos = pickFirstNonPlaceholder(
+      readEnvLocalKey(workspaceRoot, "admin", ["DATABASE_URL"]),
+      readEnvLocalKey(workspaceRoot, "api", ["ADMIN_DATABASE_URL"])
+    );
+  } else if (dbKey === "WEB") {
+    fromRepos = pickFirstNonPlaceholder(
+      readEnvLocalKey(workspaceRoot, "web", ["DATABASE_URL"]),
+      readEnvLocalKey(workspaceRoot, "api", ["WEB_DATABASE_URL"])
+    );
   }
-  return url;
+  if (dbKey === "APP") {
+    return pickFirstNonPlaceholder(
+      fromRepos,
+      process.env[primaryKey],
+      home?.app,
+      process.env.KOMPLIAN_LOCALHOST_APP_DATABASE_URL,
+      single
+    );
+  }
+  if (dbKey === "ADMIN") {
+    return pickFirstNonPlaceholder(
+      fromRepos,
+      process.env[primaryKey],
+      home?.admin,
+      process.env.KOMPLIAN_LOCALHOST_ADMIN_DATABASE_URL,
+      single
+    );
+  }
+  if (dbKey === "WEB") {
+    return pickFirstNonPlaceholder(
+      fromRepos,
+      process.env[primaryKey],
+      home?.web,
+      process.env.KOMPLIAN_LOCALHOST_WEB_DATABASE_URL,
+      single
+    );
+  }
+  return "";
 }
 function findPsqlBinary() {
@@ -376,15 +430,15 @@ function usageDb() {
   log(`  Plataformas: ${c.dim}app | admin | web | api-app | api-admin | api-web${c.reset}`);
   log(`  Entornos:    ${c.dim}development | staging | production${c.reset}`);
   log(``);
-  log(`  Variables KOMPLIAN (recomendado):`);
-  log(`  ${c.dim}KOMPLIAN_DATABASE_URL_APP_DEVELOPMENT${c.reset}`);
-  log(`  ${c.dim}KOMPLIAN_DATABASE_URL_APP_STAGING / _PRODUCTION${c.reset} (idem ADMIN, WEB)`);
-  log(`  Archivo opcional: ${c.dim}KOMPLIAN_DATABASE_URLS.env${c.reset} (gitignored)`);
+  log(`  ${c.bold}db:all:dev${c.reset}  Configura las 3 DB de desarrollo (Postman @komplian.com) → ~/.komplian + cada repo /.env.local`);
+  log(`  Development: ${c.dim}.env.local por repo${c.reset}, ${c.dim}~/.komplian/dev-databases.json${c.reset}, variables en sesión.`);
+  log(`  Staging/producción: solo ${c.dim}KOMPLIAN_DATABASE_URL_*_STAGING|_PRODUCTION${c.reset} en el entorno (nunca .env.local).`);
   log(`  Neon: ${c.dim}staging/producción${c.reset} exigen host *.neon.tech; ${c.dim}development${c.reset} permite Postgres local (aviso).`);
   log(``);
   log(`  Producción:`);
-  log(`  ${c.dim}KOMPLIAN_DATABASE_OPERATOR_EMAIL${c.reset} o git user.email`);
-  log(`  ${c.dim}KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST${c.reset} (coma) o .komplian/KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST`);
+  log(`  ${c.dim}KOMPLIAN_DATABASE_OPERATOR_EMAIL${c.reset} o git user.email (@komplian.com)`);
+  log(`  Preferido: ${c.bold}Admin → Prod DB CLI${c.reset} (super admin) + ${c.dim}KOMPLIAN_API_URL${c.reset} + ${c.dim}ADMIN_API_KEY${c.reset} en la sesión del operador.`);
+  log(`  Sin API: ${c.dim}KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST${c.reset} (coma) en el entorno local.`);
   log(``);
   log(`  -c, --command   SQL no interactivo`);
   log(`  -u, --url       URL explícita (sigue reglas Neon / producción)`);
@@ -417,14 +471,12 @@ export async function runDb(argv) {
     ? resolve(opts.workspace.replace(/^~(?=$|[/\\])/, process.env.HOME || ""))
     : findWorkspaceRoot(process.cwd());
-  const allowlist = loadProductionAllowlist(workspaceRoot);
   if (opts.environment === "production") {
     const email = await resolveOperatorEmail();
-    assertProductionAccess(email, allowlist);
+    await assertProductionAccessResolved(email, opts.quiet);
     if (!opts.quiet) {
       log(
-        `${c.yellow}⚠${c.reset} Producción · operador ${c.bold}${email.toLowerCase()}${c.reset} (allowlist Komplian)`
+        `${c.yellow}⚠${c.reset} Producción · operador ${c.bold}${email.toLowerCase()}${c.reset}`
       );
     }
   }
@@ -443,13 +495,23 @@ export async function runDb(argv) {
   if (!url) {
     log(`${c.red}✗${c.reset} Sin URL para ${opts.platform} / ${opts.environment}.`);
-    log(
-      `  Define ${c.bold}KOMPLIAN_DATABASE_URL_${platformToDbKey(opts.platform)}_${opts.environment.toUpperCase()}${c.reset} o ${c.dim}KOMPLIAN_DATABASE_URLS.env${c.reset}.`
-    );
+    if (opts.environment === "development") {
+      const pk = platformToDbKey(opts.platform);
+      log(
+        `  Pon la URL de Neon (rama dev) en ${c.bold}${opts.platform === "web" || opts.platform === "api-web" ? "web" : opts.platform === "admin" || opts.platform === "api-admin" ? "admin" : "app"}/.env.local${c.reset} (${c.dim}DATABASE_URL${c.reset}) o en ${c.dim}api/.env.local${c.reset} (${c.dim}${pk === "WEB" ? "WEB_DATABASE_URL" : pk === "ADMIN" ? "ADMIN_DATABASE_URL" : "APP_DATABASE_URL"}${c.reset}).`
+      );
+      log(
+        `  ${c.dim}(Placeholders ignorados; ${c.bold}npx komplian db:all:dev${c.reset} o ${c.bold}KOMPLIAN_DATABASE_URL_${pk}_DEVELOPMENT${c.reset} en el entorno.)${c.reset}`
+      );
+    } else {
+      log(
+        `  Exporta ${c.bold}KOMPLIAN_DATABASE_URL_${platformToDbKey(opts.platform)}_${opts.environment.toUpperCase()}${c.reset} en el entorno (CI / operador).`
+      );
+    }
     process.exit(1);
   }
-  assertNotPlaceholderDbUrl(url, opts.platform, opts.environment);
+  assertNotPlaceholderDbUrl(url);
   assertNeonHost(url, opts.environment);

package/komplian-localhost.mjs CHANGED Viewed

@@ -6,8 +6,8 @@
  * Seguridad: los `.env*` no van en el paquete npm `komplian` (solo *.mjs + JSON + README).
  * No imprime secretos. Tras generar, muestra tabla de URLs locales (puertos fijos).
  *
- * Neon: KOMPLIAN_LOCALHOST_APP_DATABASE_URL, …_ADMIN_…, …_WEB_… o KOMPLIAN_LOCALHOST_SECRETS.env
- * (plantilla en la raíz del monorepo: KOMPLIAN_LOCALHOST_SECRETS.env.example).
+ * Bases de datos: primero cada repo `/.env.local`; luego ~/.komplian/dev-databases.json (npx komplian db:all:dev);
+ * opcional en la sesión: KOMPLIAN_LOCALHOST_*_DATABASE_URL (sin archivos secretos en la raíz del monorepo).
  */
 import { randomBytes } from "node:crypto";
@@ -18,6 +18,11 @@ import { fileURLToPath } from "node:url";
 import { createInterface } from "node:readline/promises";
 import { stdin as input, stdout as output } from "node:process";
+import {
+  loadHomeDevDatabases,
+  pickFirstNonPlaceholder,
+} from "./komplian-db.mjs";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const c = {
@@ -61,41 +66,41 @@ function parseEnvFile(content) {
   return out;
 }
-function loadSecretsFromDisk(workspaceRoot) {
-  const paths = [
-    join(workspaceRoot, "KOMPLIAN_LOCALHOST_SECRETS.env"),
-    join(workspaceRoot, ".komplian", "KOMPLIAN_LOCALHOST_SECRETS.env"),
-    join(workspaceRoot, "komplian-localhost.secrets.env"),
-    join(workspaceRoot, ".komplian", "localhost-secrets.env"),
-  ];
-  for (const p of paths) {
-    if (!existsSync(p)) continue;
-    try {
-      return parseEnvFile(readFileSync(p, "utf8"));
-    } catch {
-      /* ignore */
-    }
+function readEnvLocalDbUrl(workspaceRoot, project, key) {
+  const p = join(workspaceRoot, project, ".env.local");
+  if (!existsSync(p)) return "";
+  try {
+    const m = parseEnvFile(readFileSync(p, "utf8"));
+    return String(m[key] || "").trim();
+  } catch {
+    return "";
   }
-  return {};
 }
 function resolveDatabaseUrls(workspaceRoot) {
-  const file = loadSecretsFromDisk(workspaceRoot);
-  const single =
-    process.env.KOMPLIAN_LOCALHOST_DATABASE_URL?.trim() ||
-    file.KOMPLIAN_LOCALHOST_DATABASE_URL?.trim();
-  const app =
-    process.env.KOMPLIAN_LOCALHOST_APP_DATABASE_URL?.trim() ||
-    file.KOMPLIAN_LOCALHOST_APP_DATABASE_URL?.trim() ||
-    single;
-  const admin =
-    process.env.KOMPLIAN_LOCALHOST_ADMIN_DATABASE_URL?.trim() ||
-    file.KOMPLIAN_LOCALHOST_ADMIN_DATABASE_URL?.trim() ||
-    single;
-  const web =
-    process.env.KOMPLIAN_LOCALHOST_WEB_DATABASE_URL?.trim() ||
-    file.KOMPLIAN_LOCALHOST_WEB_DATABASE_URL?.trim() ||
-    single;
+  const home = loadHomeDevDatabases();
+  const single = (process.env.KOMPLIAN_LOCALHOST_DATABASE_URL || "").trim();
+  const app = pickFirstNonPlaceholder(
+    readEnvLocalDbUrl(workspaceRoot, "app", "DATABASE_URL"),
+    readEnvLocalDbUrl(workspaceRoot, "api", "APP_DATABASE_URL"),
+    home?.app,
+    process.env.KOMPLIAN_LOCALHOST_APP_DATABASE_URL,
+    single
+  );
+  const admin = pickFirstNonPlaceholder(
+    readEnvLocalDbUrl(workspaceRoot, "admin", "DATABASE_URL"),
+    readEnvLocalDbUrl(workspaceRoot, "api", "ADMIN_DATABASE_URL"),
+    home?.admin,
+    process.env.KOMPLIAN_LOCALHOST_ADMIN_DATABASE_URL,
+    single
+  );
+  const web = pickFirstNonPlaceholder(
+    readEnvLocalDbUrl(workspaceRoot, "web", "DATABASE_URL"),
+    readEnvLocalDbUrl(workspaceRoot, "api", "WEB_DATABASE_URL"),
+    home?.web,
+    process.env.KOMPLIAN_LOCALHOST_WEB_DATABASE_URL,
+    single
+  );
   const hasReal =
     !!(app && admin && web) &&
     !String(app).includes("komplian_localhost_placeholder");
@@ -421,7 +426,7 @@ function usageLocalhost() {
   log(`Uso: npx komplian localhost [opciones] [carpeta-monorepo]`);
   log(``);
   log(`  Genera .env.local completos (desde cada .env.example + secretos KOMPLIAN) y arranca todos los dev servers.`);
-  log(`  ${c.dim}Neon: KOMPLIAN_LOCALHOST_APP_DATABASE_URL, …_ADMIN_…, …_WEB_… o archivo KOMPLIAN_LOCALHOST_SECRETS.env${c.reset}`);
+  log(`  ${c.dim}DBs: npx komplian db:all:dev antes (o ~/.komplian/dev-databases.json / variables en sesión).${c.reset}`);
   log(``);
   log(`  -y, --yes       Sin confirmación`);
   log(`  --force         Regenerar .env.local`);
@@ -506,9 +511,8 @@ export async function runLocalhost(argv) {
   if (!db.hasReal && !opts.minimal) {
     log(
-      `${c.yellow}⚠${c.reset} Sin Neon: exporta ${c.bold}KOMPLIAN_LOCALHOST_APP_DATABASE_URL${c.reset} / ${c.bold}ADMIN${c.reset} / ${c.bold}WEB${c.reset} o usa ${c.bold}KOMPLIAN_LOCALHOST_SECRETS.env${c.reset} (plantilla: KOMPLIAN_LOCALHOST_SECRETS.env.example).`
+      `${c.yellow}⚠${c.reset} Sin URLs de desarrollo reales. Ejecuta ${c.bold}npx komplian db:all:dev${c.reset} y luego vuelve a lanzar localhost (o ${c.bold}--minimal${c.reset}).`
     );
-    log(`${c.dim}   O ${c.bold}--minimal${c.reset} (solo app + web + docs).${c.reset}`);
     log("");
   }
@@ -573,3 +577,11 @@ export async function runLocalhost(argv) {
     process.exit(code ?? 0);
   });
 }
+export {
+  applyOverridesToEnvContent,
+  formatEnvValue,
+  parseEnvFile,
+  writeAtomic,
+  findWorkspaceRoot,
+};

package/komplian-onboard.mjs CHANGED Viewed

@@ -394,13 +394,15 @@ function npmInstallEach(workspace) {
 }
 function usage() {
-  log(`Uso: komplian onboard | postman | localhost | mcp-tools | db [opciones]`);
-  log(`  npx komplian onboard --yes`);
-  log(`  npx komplian postman login   ${c.dim}(una vez · guarda API key)${c.reset}`);
-  log(`  npx komplian postman --yes    ${c.dim}(email @komplian.com)${c.reset}`);
-  log(`  npx komplian localhost --yes  ${c.dim}(env local + api app web admin docs)${c.reset}`);
-  log(`  npx komplian mcp-tools --yes  ${c.dim}(.cursor/mcp.json + guía MCP Komplian)${c.reset}`);
-  log(`  npx komplian db:app:development  ${c.dim}(psql Neon · KOMPLIAN_DATABASE_URL_*)${c.reset}`);
+  log(`Uso: komplian onboard | postman | mcp-tools | db:all:dev | localhost | db …`);
+  log(`  ${c.bold}Setup estándar (orden):${c.reset}`);
+  log(`  1. npx komplian onboard --yes`);
+  log(`  2. npx komplian postman login → npx komplian postman --yes  ${c.dim}(@komplian.com)${c.reset}`);
+  log(`  3. npx komplian mcp-tools --yes`);
+  log(`  4. npx komplian db:all:dev  ${c.dim}(Postman + 3 URLs dev → ~/.komplian + .env.local)${c.reset}`);
+  log(`  5. npx komplian localhost --yes`);
+  log(``);
+  log(`  npx komplian db:app:development  ${c.dim}(psql una DB)${c.reset}`);
   log(``);
   log(`  Antes (una vez): gh auth login -h github.com -s repo -s read:org -w`);
   log(`  Requisitos: Node 18+, git, GitHub CLI (gh)`);
@@ -499,6 +501,11 @@ async function main() {
     await runMcpTools(rawArgv.slice(1));
     return;
   }
+  if (rawArgv[0] === "db:all:dev") {
+    const { runDbAllDev } = await import("./komplian-db-all-dev.mjs");
+    await runDbAllDev(rawArgv.slice(1));
+    return;
+  }
   if (rawArgv[0]?.startsWith("db:")) {
     const { runDb } = await import("./komplian-db.mjs");
     const seg = rawArgv[0].split(":").filter(Boolean);

package/komplian-postman.mjs CHANGED Viewed

@@ -938,3 +938,20 @@ export async function runPostman(argv) {
     );
   }
 }
+/**
+ * Misma verificación que `postman --yes`: GET /me y dominio @komplian.com.
+ * Requiere `npx komplian postman login` (o POSTMAN_API_KEY en la sesión).
+ */
+export async function assertKomplianEmployeePostman() {
+  const domain = (process.env.KOMPLIAN_EMAIL_DOMAIN || "komplian.com").trim();
+  const { key, source } = resolveApiKey();
+  if (!key) {
+    printMissingKeyHelp();
+    process.exit(1);
+  }
+  if (source && source !== "POSTMAN_API_KEY") {
+    log(`${c.dim}→ Postman API key desde: ${formatHomePath(source)}${c.reset}`);
+  }
+  return verifyKomplianEmail(key, domain);
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "komplian",
-  "version": "0.5.2",
+  "version": "0.6.0",
   "description": "Komplian CLI: onboard, Postman, localhost, mcp-tools, db (psql). Node 18+. Published tarball has no .env / secrets.",
   "type": "module",
   "engines": {
@@ -15,7 +15,7 @@
     "komplian-localhost.mjs",
     "komplian-mcp-tools.mjs",
     "komplian-db.mjs",
-    "KOMPLIAN_DATABASE_URLS.env.example",
+    "komplian-db-all-dev.mjs",
     "komplian-team-repos.json",
     "README.md"
   ],
@@ -23,7 +23,7 @@
     "access": "public"
   },
   "scripts": {
-    "prepublishOnly": "node --check komplian-onboard.mjs && node --check komplian-postman.mjs && node --check komplian-localhost.mjs && node --check komplian-mcp-tools.mjs && node --check komplian-db.mjs"
+    "prepublishOnly": "node --check komplian-onboard.mjs && node --check komplian-postman.mjs && node --check komplian-localhost.mjs && node --check komplian-mcp-tools.mjs && node --check komplian-db.mjs && node --check komplian-db-all-dev.mjs"
   },
   "keywords": [
     "komplian",

package/KOMPLIAN_DATABASE_URLS.env.example DELETED Viewed

@@ -1,28 +0,0 @@
-# Copia a KOMPLIAN_DATABASE_URLS.env (raíz del monorepo) y rellena.
-# No commitees URLs con contraseña. Hosts: Neon (*.neon.tech).
-# --- App DB (Prisma en app/, raw SQL en api/) ---
-KOMPLIAN_DATABASE_URL_APP_DEVELOPMENT=
-KOMPLIAN_DATABASE_URL_APP_STAGING=
-KOMPLIAN_DATABASE_URL_APP_PRODUCTION=
-# --- Admin DB ---
-KOMPLIAN_DATABASE_URL_ADMIN_DEVELOPMENT=
-KOMPLIAN_DATABASE_URL_ADMIN_STAGING=
-KOMPLIAN_DATABASE_URL_ADMIN_PRODUCTION=
-# --- Web / pilot DB ---
-KOMPLIAN_DATABASE_URL_WEB_DEVELOPMENT=postgresql://neondb_owner:npg_1crYb3PaCjlf@ep-frosty-bird-agql4oq5-pooler.c-2.eu-central-1.aws.neon.tech/neondb?sslmode=require&channel_binding=require
-KOMPLIAN_DATABASE_URL_WEB_STAGING=
-KOMPLIAN_DATABASE_URL_WEB_PRODUCTION=
-# Producción: solo @komplian.com; lista separada por comas (opcional; por defecto josue.santana@komplian.com).
-# KOMPLIAN_DATABASE_PRODUCTION_ALLOWLIST=josue.santana@komplian.com,otro@komplian.com
-# Operador para comprobar acceso a producción (alternativa: git config user.email).
-# KOMPLIAN_DATABASE_OPERATOR_EMAIL=josue.santana@komplian.com
-# Staging/producción: host debe ser Neon (*.neon.tech), salvo:
-# KOMPLIAN_DATABASE_ALLOW_NON_NEON=1
-# Development: Postgres local está permitido (mensaje informativo). Para exigir Neon también en dev:
-# KOMPLIAN_DATABASE_REQUIRE_NEON_DEVELOPMENT=1