oopsdb 1.5.0 → 1.6.0

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2025 OopsDB Contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2025 OopsDB Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,127 +1,146 @@
-# OopsDB
-
-**Don't let AI nuke your database.**
-
-Auto-backup and 1-click restore for developers using Claude Code, Cursor, Windsurf, and other AI coding agents.
-
-<p align="center">
-  <img src="website/assets/oopsdb_demo.gif" alt="OopsDB Demo Screen Recording" style="max-width: 100%; border-radius: 8px; box-shadow: 0 4px 6px rgba(0,0,0,0.1)">
-</p>
-
----
-
-## The Problem
-
-You're vibing. Claude Code is cranking through tasks. Then it decides the fastest way to fix a migration is `DROP TABLE users`. Or it runs `DELETE FROM orders` without a `WHERE` clause. Or it helpfully "cleans up" your SQLite file.
-
-Your data is gone. Your afternoon is gone. Your will to live is negotiable.
-
-## The Fix
-
-```bash
-npm install -g oopsdb
-oopsdb init      # connect your DB (Supabase, Postgres, MySQL, SQLite)
-oopsdb watch     # auto-backup every 5 min
-# ... AI nukes your DB ...
-oopsdb restore   # pick a snapshot, roll back instantly
-```
-
-That's it. Three commands. Your data survives the AI apocalypse.
-
-## What It Does
-
-- **Auto-backups** on a timer (`oopsdb watch`) — set it and forget it
-- **Manual snapshots** (`oopsdb snapshot`) — before risky migrations or YOLO prompts
-- **Interactive restore** (`oopsdb restore`) — pick any snapshot, roll back in seconds
-- **Safety snapshots** — automatically backs up your current state before restoring, so you can't oops your oops
-- **Encrypted at rest** — AES-256-CBC encryption on every backup file
-- **Zero cloud, zero accounts** — everything stays on your machine
-- **Streaming backups** — near-zero memory footprint regardless of DB size
-
-## Supported Databases
-
-| Database | Backup Tool | Restore Tool |
-|----------|------------|--------------|
-| **Supabase** | `pg_dump` (with Supabase flags) | `psql` |
-| PostgreSQL (Neon, local, other hosted) | `pg_dump` | `psql` |
-| MySQL / MariaDB | `mysqldump` | `mysql` |
-| SQLite | `sqlite3` | `sqlite3` |
-
-### Supabase (first-class support)
-
-OopsDB has dedicated Supabase support. Just paste your connection string:
-
-```bash
-oopsdb init
-# → Select "Supabase"
-# → Paste your connection string from Supabase Dashboard → Settings → Database
-# → Done. SSL and Supabase-specific pg_dump flags are handled automatically.
-```
-
-Supabase-specific flags applied automatically: `--no-owner`, `--no-privileges`, `--no-subscriptions`, `sslmode=require`.
-
-## Commands
-
-```
-oopsdb init                Set up your database connection
-oopsdb watch               Auto-backup every 5 minutes
-oopsdb watch -i 1          Auto-backup every 1 minute (paranoid mode)
-oopsdb snapshot            One-time manual backup
-oopsdb restore             Interactive restore from any snapshot
-oopsdb status              View backup history and stats
-oopsdb secure              Immutable cloud backups (Coming Soon)
-oopsdb activate <key>      Activate a Secure license
-oopsdb deactivate          Deactivate your license on this machine
-oopsdb license             Show current license status
-oopsdb clean               Remove all OopsDB data from project
-```
-
-## How It Works
-
-1. `oopsdb init` walks you through connecting your database. Credentials are encrypted and saved locally in `.oopsdb/config.json`.
-2. `oopsdb watch` runs the native dump tool (`pg_dump`, `mysqldump`, or `sqlite3 .backup`) at your chosen interval. Output is streamed through AES-256-CBC encryption directly to disk — memory usage stays flat even for large databases.
-3. `oopsdb restore` shows your snapshots with timestamps and sizes. Pick one, confirm, and your database is rolled back. It takes a safety snapshot first, so you can always undo the undo.
-
-## Quick Demo
-
-Want to see OopsDB in action without touching your real database? We built a safe demo playground just for you.
-
-1. Clone or download this repository.
-2. Navigate to the `demo/` folder: `cd demo`
-3. Generate the dummy database: `sqlite3 test.db < seed.sql`
-4. Initialize OopsDB (it won't affect your global config because `.oopsdb` is gitignored here): `oopsdb init`
-5. Try running `oopsdb shield` and firing a `DROP TABLE users` against it to watch the interceptor catch the query!
-
-## Requirements
-
-Your system needs the native database CLI tools:
-
-- **PostgreSQL**: `pg_dump` + `psql`
-- **MySQL**: `mysqldump` + `mysql`
-- **SQLite**: `sqlite3`
-
-OopsDB checks for these on `init` and gives install instructions if they're missing.
-
-## Security
-
-- Credentials encrypted at rest (AES-256-CBC, machine-local key)
-- Backup files encrypted at rest (AES-256-CBC, streaming encryption)
-- Nothing leaves your machine — no cloud, no telemetry, no accounts
-- Add `.oopsdb/` to `.gitignore` (already in ours)
-
-## Pricing
-
-**Free** — Everything local. All databases, unlimited snapshots, encrypted backups. No limits, no accounts, no strings attached.
-
-**Secure** ($9/mo) — Immutable cloud backups that even a rogue AI can't delete. Local backups are great until the AI decides to `rm -rf .oopsdb/`. `oopsdb secure` pushes encrypted snapshots to tamper-proof cloud storage with write-once retention policies. Even if your entire machine gets wiped, your backups survive.
-
-Learn more at [oopsdb.com](https://oopsdb.com).
-
-## Support
-
-If OopsDB saved your database (and your afternoon), consider buying me a coffee!
-[ko-fi.com/pintayo](https://ko-fi.com/pintayo)
-
-## License
-
-MIT
+# OopsDB
+
+**Don't let AI nuke your database.**
+
+Auto-backup and 1-click restore for developers using Claude Code, Cursor, Windsurf, and other AI coding agents.
+
+<p align="center">
+  <img src="website/assets/oopsdb_demo.gif" alt="OopsDB Demo Screen Recording" style="max-width: 100%; border-radius: 8px; box-shadow: 0 4px 6px rgba(0,0,0,0.1)">
+</p>
+
+---
+
+## The Problem
+
+You're vibing. Claude Code is cranking through tasks. Then it decides the fastest way to fix a migration is `DROP TABLE users`. Or it runs `DELETE FROM orders` without a `WHERE` clause. Or it helpfully "cleans up" your SQLite file.
+
+Your data is gone. Your afternoon is gone. Your will to live is negotiable.
+
+## The Fix
+
+```bash
+npm install -g oopsdb
+oopsdb init      # connect your DB (Supabase, Postgres, MySQL, SQLite)
+oopsdb watch     # auto-backup every 5 min
+# ... AI nukes your DB ...
+oopsdb restore   # pick a snapshot, roll back instantly
+```
+
+That's it. Three commands. Your data survives the AI apocalypse.
+
+## What It Does
+
+- **Auto-backups** on a timer (`oopsdb watch`) — set it and forget it
+- **Manual snapshots** (`oopsdb snapshot`) — before risky migrations or YOLO prompts
+- **Interactive restore** (`oopsdb restore`) — pick any snapshot, roll back in seconds
+- **Safety snapshots** — automatically backs up your current state before restoring, so you can't oops your oops
+- **Encrypted at rest** — AES-256-CBC encryption on every backup file
+- **Zero cloud, zero accounts** — everything stays on your machine
+- **Streaming backups** — near-zero memory footprint regardless of DB size
+
+## Supported Databases
+
+| Database | Backup Tool | Restore Tool |
+|----------|------------|--------------|
+| **Supabase** | `pg_dump` (with Supabase flags) | `psql` |
+| PostgreSQL (Neon, local, other hosted) | `pg_dump` | `psql` |
+| MySQL / MariaDB | `mysqldump` | `mysql` |
+| SQLite | `sqlite3` | `sqlite3` |
+
+### Supabase (first-class support)
+
+OopsDB has dedicated Supabase support. Just paste your connection string:
+
+```bash
+oopsdb init
+# → Select "Supabase"
+# → Paste your connection string from Supabase Dashboard → Settings → Database
+# → Done. SSL and Supabase-specific pg_dump flags are handled automatically.
+```
+
+Supabase-specific flags applied automatically: `--no-owner`, `--no-privileges`, `--no-subscriptions`, `sslmode=require`.
+
+## Commands
+
+```
+oopsdb init                Set up your database connection
+oopsdb watch               Auto-backup every 5 minutes
+oopsdb watch -i 1          Auto-backup every 1 minute (paranoid mode)
+oopsdb snapshot            One-time manual backup
+oopsdb shield              Active query interceptor (blocks DROP/DELETE)
+oopsdb restore             Interactive restore from any snapshot
+oopsdb status              View backup history and stats
+oopsdb secure              Immutable cloud backups
+oopsdb activate <key>      Activate a Secure license
+oopsdb deactivate          Deactivate your license on this machine
+oopsdb license             Show current license status
+oopsdb lock                Lock schema with Postgres event triggers
+oopsdb unlock              Temporarily unlock schema for migrations
+oopsdb clean               Remove all OopsDB data from project
+```
+
+## The Shield (Query Interceptor)
+
+OopsDB Shield acts as a proxy between your application and your database. It monitors incoming SQL traffic and automatically takes a safety snapshot if it detects destructive commands like `DROP TABLE` or `DELETE` without a `WHERE` clause.
+
+```bash
+oopsdb shield --port 5433
+# Now connect your app to port 5433 instead of the default DB port.
+```
+
+## Antigravity (PostgreSQL / Supabase)
+
+OopsDB Antigravity provides database-level protection using native Postgres event triggers. Even if an AI agent bypasses the OopsDB proxy or connects directly to the DB, destructive DDL commands will be blocked at the database level.
+
+- `oopsdb lock`: Creates a trigger that blocks `DROP`, `ALTER`, and `TRUNCATE` operations.
+- `oopsdb unlock`: Takes a safety snapshot, drops the trigger, and allows schema modifications for 60 seconds before automatically re-locking.
+
+## How It Works
+
+1. `oopsdb init` walks you through connecting your database. Credentials are encrypted and saved locally in `.oopsdb/config.json`.
+2. `oopsdb watch` runs the native dump tool (`pg_dump`, `mysqldump`, or `sqlite3 .backup`) at your chosen interval. Output is streamed through AES-256-CBC encryption directly to disk — memory usage stays flat even for large databases.
+3. `oopsdb restore` shows your snapshots with timestamps and sizes. Pick one, confirm, and your database is rolled back. It takes a safety snapshot first, so you can always undo the undo.
+
+## Quick Demo
+
+Want to see OopsDB in action without touching your real database? We built a safe demo playground just for you.
+
+1. Clone or download this repository.
+2. Navigate to the `demo/` folder: `cd demo`
+3. Generate the dummy database: `sqlite3 test.db < seed.sql`
+4. Initialize OopsDB (it won't affect your global config because `.oopsdb` is gitignored here): `oopsdb init`
+5. Try running `oopsdb shield` and firing a `DROP TABLE users` against it to watch the interceptor catch the query!
+
+## Requirements
+
+Your system needs the native database CLI tools:
+
+- **PostgreSQL**: `pg_dump` + `psql`
+- **MySQL**: `mysqldump` + `mysql`
+- **SQLite**: `sqlite3`
+
+OopsDB checks for these on `init` and gives install instructions if they're missing.
+
+## Security
+
+- Credentials encrypted at rest (AES-256-CBC, machine-local key)
+- Backup files encrypted at rest (AES-256-CBC, streaming encryption)
+- Nothing leaves your machine — no cloud, no telemetry, no accounts
+- Add `.oopsdb/` to `.gitignore` (already in ours)
+
+## Pricing
+
+**Free** — Everything local. All databases, unlimited snapshots, encrypted backups. No limits, no accounts, no strings attached.
+
+**Secure** ($9/mo) — Immutable cloud backups that even a rogue AI can't delete. Local backups are great until the AI decides to `rm -rf .oopsdb/`. `oopsdb secure` pushes encrypted snapshots to tamper-proof cloud storage with write-once retention policies. Even if your entire machine gets wiped, your backups survive.
+
+Learn more at [oopsdb.com](https://oopsdb.com).
+
+## Support
+
+If OopsDB saved your database (and your afternoon), consider buying me a coffee!
+[ko-fi.com/pintayo](https://ko-fi.com/pintayo)
+
+## License
+
+MIT

package/dist/commands/lock.d.ts

@@ -0,0 +1 @@
+export declare function lockCommand(): Promise<void>;

package/dist/commands/lock.js

@@ -0,0 +1,52 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.lockCommand = lockCommand;
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const config_1 = require("../utils/config");
+const psql_1 = require("../utils/psql");
+async function lockCommand() {
+    const config = (0, config_1.loadConfig)();
+    if (!config) {
+        console.log(chalk_1.default.red('\n  No config found. Run `oopsdb init` first.\n'));
+        process.exit(1);
+        return;
+    }
+    if (config.db.type !== 'postgres') {
+        console.log(chalk_1.default.yellow('\n  OopsDB Antigravity (Lock/Unlock) is currently only supported for PostgreSQL (including Supabase).\n'));
+        return;
+    }
+    console.log(chalk_1.default.bold('\n  OopsDB Antigravity ' + chalk_1.default.green('LOCK')));
+    console.log(chalk_1.default.gray(`  Securing ${config.db.database} at ${config.db.host || 'localhost'}...\n`));
+    const spinner = (0, ora_1.default)('Engaging database-level event triggers...').start();
+    const sql = `
+CREATE OR REPLACE FUNCTION oopsdb_block_ddl()
+RETURNS event_trigger AS $$
+BEGIN
+  RAISE EXCEPTION 'OopsDB Antigravity Lock is ACTIVE. Schema changes (DROP, ALTER, etc.) are blocked. Run \`oopsdb unlock\` to modify the schema.';
+END;
+$$ LANGUAGE plpgsql;
+
+DROP EVENT TRIGGER IF EXISTS oopsdb_protect_schema;
+
+CREATE EVENT TRIGGER oopsdb_protect_schema
+  ON ddl_command_start
+  EXECUTE FUNCTION oopsdb_block_ddl();
+`;
+    try {
+        await (0, psql_1.runPsqlCommand)(config.db, sql);
+        spinner.succeed('Antigravity Lock engaged.');
+        console.log(chalk_1.default.green('\n  Your database schema is now bulletproof.'));
+        console.log(chalk_1.default.gray('  Any attempt to DROP, ALTER, or TRUNCATE will be rejected by the database engine itself.'));
+        console.log(chalk_1.default.gray('  Need to run migrations? Use ') + chalk_1.default.cyan('oopsdb unlock') + chalk_1.default.gray(' first.\n'));
+    }
+    catch (err) {
+        spinner.fail(`Failed to engage lock: ${err.message}`);
+        // Suggest that they might need superuser depending on the environment
+        console.log(chalk_1.default.gray('\n  Note: Creating event triggers in Postgres requires superuser privileges.'));
+        console.log(chalk_1.default.gray('  Ensure the user configured in OopsDB has sufficient permissions.\n'));
+    }
+}

package/dist/commands/secure.js

@@ -42,6 +42,7 @@ const ora_1 = __importDefault(require("ora"));
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const config_1 = require("../utils/config");
+const license_1 = require("../utils/license");
 const dumper_1 = require("../utils/dumper");
 async function secureCommand(options) {
     console.log(chalk_1.default.bold('\n  OopsDB Secure'));
@@ -50,7 +51,13 @@ async function secureCommand(options) {
     if (!config) {
         console.log(chalk_1.default.red('  No config found. Run `oopsdb init` first.\n'));
         process.exit(1);
-        return; // Keeps TS happy
+        return;
+    }
+    const license = (0, license_1.loadLicense)();
+    if (!license || license.tier !== 'secure') {
+        console.log(chalk_1.default.yellow('  Secure features require a Secure license.'));
+        console.log(chalk_1.default.gray('  Get one at ') + chalk_1.default.cyan('https://oopsdb.com\n'));
+        return;
     }
     // Find the latest snapshot
     const snapshots = (0, dumper_1.listSnapshots)();
@@ -63,14 +70,13 @@ async function secureCommand(options) {
     const fileSizeInBytes = fs.statSync(latestFile).size;
     const fileSizeMB = (fileSizeInBytes / (1024 * 1024)).toFixed(2);
     console.log(chalk_1.default.blue(`  Found latest snapshot: ${fileName} (${fileSizeMB} MB)`));
-    // In production, hit the live endpoint. If testing locally, hit the wrangler dev server.
     const baseUrl = process.env.TEST_LOCAL_API ? 'http://localhost:8788' : 'https://oopsdb.com';
-    console.log(chalk_1.default.gray(`  Requesting secure upload token from ${baseUrl}...\n`));
+    console.log(chalk_1.default.gray(`  Requesting secure upload token...\n`));
     let actualUploadUrl = '';
     try {
         const res = await fetch(`${baseUrl}/api/upload-url?fileName=${fileName}`, {
             headers: {
-                'Authorization': 'Bearer oops_sec_9f8b2c7d4e5a1b3c8f9d0e2a5b7c8d9e'
+                'Authorization': `Bearer ${license.licenseKey}`
             }
         });
         if (!res.ok) {
@@ -84,7 +90,6 @@ async function secureCommand(options) {
     }
     catch (err) {
         console.log(chalk_1.default.red(`  Network error reaching backend: ${err.message}\n`));
-        console.log(chalk_1.default.yellow(`  Tip: If testing locally, ensure you ran 'npx wrangler pages dev website' first and set TEST_LOCAL_API=1\n`));
         return;
     }
     await uploadToS3(latestFile, actualUploadUrl);
@@ -104,9 +109,8 @@ async function uploadToS3(filePath, uploadUrl) {
             }
         });
         if (!response.ok) {
-            spinner.fail(`Upload intercepted for MVP. The pre-signed URL must be provided by the backend.`);
-            console.log(chalk_1.default.yellow(`  Reason: ${response.status} ${response.statusText}\n`));
-            console.log(chalk_1.default.gray(`  (This is expected until the Cloudflare backend endpoint is reachable)\n`));
+            spinner.fail(`Upload failed: ${response.status} ${response.statusText}`);
+            console.log(chalk_1.default.gray(`  Check your connection or license status.\n`));
         }
         else {
             spinner.succeed('Snapshot safely stored in immutable S3 Cloud Vault.');
@@ -115,6 +119,5 @@ async function uploadToS3(filePath, uploadUrl) {
     }
     catch (err) {
         spinner.fail(`Upload failed: ${err.message}`);
-        console.log(chalk_1.default.gray(`  (Ensure the backend feature is fully implemented to receive a valid S3 URL)\n`));
     }
 }

package/dist/commands/shield.js

@@ -38,6 +38,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.shieldCommand = shieldCommand;
 const net = __importStar(require("net"));
+const tls = __importStar(require("tls"));
 const chalk_1 = __importDefault(require("chalk"));
 const ora_1 = __importDefault(require("ora"));
 const config_1 = require("../utils/config");
@@ -52,14 +53,30 @@ async function shieldCommand(options) {
     const proxyPort = parseInt(options.port || '5433', 10);
     const targetPort = config.db.port || (config.db.type === 'postgres' ? 5432 : 3306);
     const targetHost = config.db.host || 'localhost';
+    const isSsl = config.db.supabase || config.db.sslmode === 'require';
     console.log(chalk_1.default.bold('\n  OopsDB Shield ' + chalk_1.default.green('ACTIVE')));
     console.log(chalk_1.default.gray(`  Listening on port ${proxyPort} -> Forwarding to ${config.db.type} on ${targetPort}\n`));
+    if (isSsl) {
+        console.log(chalk_1.default.yellow('  [SSL Detected] Proxy running in Pass-Through mode.'));
+        console.log(chalk_1.default.gray('  Deep-packet inspection (destructive command detection) is DISABLED.'));
+        console.log(chalk_1.default.gray('  To enable interception on SSL connections, local certificates/MITM are required.\n'));
+    }
     const DESTRUCTIVE_REGEX = /(DROP\s+TABLE|TRUNCATE\s+TABLE|DELETE\s+FROM)/i;
     const server = net.createServer((clientSocket) => {
-        const targetSocket = net.createConnection({
-            host: targetHost,
-            port: targetPort
-        });
+        let targetSocket;
+        if (isSsl) {
+            targetSocket = tls.connect({
+                host: targetHost,
+                port: targetPort,
+                servername: targetHost
+            });
+        }
+        else {
+            targetSocket = net.createConnection({
+                host: targetHost,
+                port: targetPort
+            });
+        }
         targetSocket.on('error', (err) => {
             console.log(chalk_1.default.red(`\n  Database connection error: ${err.message}`));
             clientSocket.destroy(err);
@@ -71,6 +88,12 @@ async function shieldCommand(options) {
         targetSocket.pipe(clientSocket);
         // Handle traffic from Client to DB (with interception)
         clientSocket.on('data', async (chunk) => {
+            // If SSL is active, we bypass deep-packet inspection because the traffic is encrypted
+            // (or we are acting as a simple TLS pass-through for the application)
+            if (isSsl) {
+                targetSocket.write(chunk);
+                return;
+            }
             const dataString = chunk.toString();
             if (DESTRUCTIVE_REGEX.test(dataString)) {
                 // Destructive command detected!

package/dist/commands/status.js

@@ -39,6 +39,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.statusCommand = statusCommand;
 const chalk_1 = __importDefault(require("chalk"));
 const config_1 = require("../utils/config");
+const license_1 = require("../utils/license");
 const dumper_1 = require("../utils/dumper");
 const path = __importStar(require("path"));
 function formatSize(bytes) {
@@ -74,6 +75,12 @@ async function statusCommand() {
         console.log(`    Host:     ${chalk_1.default.cyan(config.db.host + ':' + config.db.port)}`);
     }
     console.log(`    Since:    ${chalk_1.default.cyan(new Date(config.createdAt).toLocaleDateString())}`);
+    const license = (0, license_1.loadLicense)();
+    const tierLabel = license ? license.tier.toUpperCase() : 'FREE';
+    console.log(`    Plan:     ${chalk_1.default.green(tierLabel)}`);
+    if (tierLabel === 'FREE') {
+        console.log(chalk_1.default.yellow('    ⚠️  Local snapshots only. Rogue AI or disk failure could wipe these.'));
+    }
     console.log();
     console.log(chalk_1.default.gray('  Backups'));
     console.log(`    Location: ${chalk_1.default.cyan((0, config_1.getBackupsDir)())}`);

package/dist/commands/unlock.d.ts

@@ -0,0 +1 @@
+export declare function unlockCommand(): Promise<void>;

package/dist/commands/unlock.js

@@ -0,0 +1,77 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unlockCommand = unlockCommand;
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const config_1 = require("../utils/config");
+const dumper_1 = require("../utils/dumper");
+const psql_1 = require("../utils/psql");
+async function unlockCommand() {
+    const config = (0, config_1.loadConfig)();
+    if (!config) {
+        console.log(chalk_1.default.red('\n  No config found. Run `oopsdb init` first.\n'));
+        process.exit(1);
+        return;
+    }
+    if (config.db.type !== 'postgres') {
+        console.log(chalk_1.default.yellow('\n  OopsDB Antigravity (Lock/Unlock) is currently only supported for PostgreSQL (including Supabase).\n'));
+        return;
+    }
+    console.log(chalk_1.default.bold('\n  OopsDB Antigravity ' + chalk_1.default.yellow('UNLOCK')));
+    // 1. Take a snapshot
+    const snapSpinner = (0, ora_1.default)('Securing a fresh snapshot before unlocking...').start();
+    try {
+        await (0, dumper_1.createSnapshot)(config.db);
+        snapSpinner.succeed('Fresh safety snapshot secured.');
+    }
+    catch (err) {
+        snapSpinner.fail(`Failed to take safety snapshot: ${err.message}`);
+        console.log(chalk_1.default.red('\n  Aborting unlock. We must secure your data first.\n'));
+        return;
+    }
+    // 2. Drop the trigger
+    const sql = `DROP EVENT TRIGGER IF EXISTS oopsdb_protect_schema;`;
+    const unlockSpinner = (0, ora_1.default)('Dropping Antigravity locks...').start();
+    try {
+        await (0, psql_1.runPsqlCommand)(config.db, sql);
+        unlockSpinner.succeed('Lock removed.');
+        console.log(chalk_1.default.bgYellow.black.bold('\n  WARNING  ') + chalk_1.default.yellow(' Schema modifications are now ALLOWED.'));
+        console.log(chalk_1.default.gray('  You have 60 seconds to run your migrations.'));
+        // 3. Setup re-lock timeout
+        let timer = 60;
+        const interval = setInterval(() => {
+            process.stdout.write(`\r  ${chalk_1.default.cyan(timer)} seconds remaining...`);
+            timer--;
+            if (timer < 0) {
+                clearInterval(interval);
+                process.stdout.write('\n');
+                reLock(config.db);
+            }
+        }, 1000);
+    }
+    catch (err) {
+        unlockSpinner.fail(`Failed to remove lock: ${err.message}`);
+    }
+}
+async function reLock(dbConfig) {
+    const relockSpinner = (0, ora_1.default)('Time is up. Re-engaging Antigravity Lock...').start();
+    const sql = `
+CREATE EVENT TRIGGER oopsdb_protect_schema
+  ON ddl_command_start
+  EXECUTE FUNCTION oopsdb_block_ddl();
+`;
+    try {
+        await (0, psql_1.runPsqlCommand)(dbConfig, sql);
+        relockSpinner.succeed('Antigravity Lock re-engaged.');
+        console.log(chalk_1.default.green('\n  Your database schema is bulletproof again.\n'));
+        process.exit(0);
+    }
+    catch (err) {
+        relockSpinner.fail(`Failed to re-engage lock: ${err.message}`);
+        console.log(chalk_1.default.red('\n  CRITICAL WARNING: Database remains unprotected! Run `oopsdb lock` manually.\n'));
+        process.exit(1);
+    }
+}

package/dist/index.js

@@ -11,6 +11,8 @@ const secure_1 = require("./commands/secure");
 const clean_1 = require("./commands/clean");
 const activate_1 = require("./commands/activate");
 const shield_1 = require("./commands/shield");
+const lock_1 = require("./commands/lock");
+const unlock_1 = require("./commands/unlock");
 // Read version from package.json at runtime
 const pkg = require('../package.json');
 const program = new commander_1.Command();
@@ -45,6 +47,14 @@ program
     .description('Start a database proxy interceptor that prevents destructive queries')
     .option('-p, --port <port>', 'Proxy port', '5433')
     .action(shield_1.shieldCommand);
+program
+    .command('lock')
+    .description('Bulletproof your Postgres database against schema deletion')
+    .action(lock_1.lockCommand);
+program
+    .command('unlock')
+    .description('Temporarily allow schema migrations (auto-relocks after 60s)')
+    .action(unlock_1.unlockCommand);
 program
     .command('secure')
     .description('Immutable cloud backups — tamper-proof, AI-proof')

package/dist/utils/psql.d.ts

@@ -0,0 +1,2 @@
+import { DbConfig } from './config';
+export declare function runPsqlCommand(dbConfig: DbConfig, sql: string): Promise<void>;

package/dist/utils/psql.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runPsqlCommand = runPsqlCommand;
+const child_process_1 = require("child_process");
+function runPsqlCommand(dbConfig, sql) {
+    return new Promise((resolve, reject) => {
+        const env = { ...process.env };
+        if (dbConfig.password)
+            env.PGPASSWORD = dbConfig.password;
+        if (dbConfig.sslmode)
+            env.PGSSLMODE = dbConfig.sslmode;
+        const args = [
+            '-h', dbConfig.host || 'localhost',
+            '-p', String(dbConfig.port || 5432),
+            '-U', dbConfig.user || 'postgres',
+            '-c', sql,
+            dbConfig.database
+        ];
+        const child = (0, child_process_1.spawn)('psql', args, { env, stdio: ['ignore', 'pipe', 'pipe'] });
+        let stderr = '';
+        child.stderr.on('data', (chunk) => {
+            stderr += chunk.toString();
+        });
+        child.on('error', (err) => reject(err));
+        child.on('close', (code) => {
+            if (code !== 0) {
+                reject(new Error(stderr || `psql exited with code ${code}`));
+            }
+            else {
+                resolve();
+            }
+        });
+    });
+}

package/package.json

@@ -1,69 +1,69 @@
-{
-  "name": "oopsdb",
-  "version": "1.5.0",
-  "description": "Don't let AI nuke your database. Auto-backup and 1-click restore for developers using Claude Code, Cursor, Windsurf, and other AI coding agents.",
-  "main": "dist/index.js",
-  "bin": {
-    "oopsdb": "dist/index.js"
-  },
-  "scripts": {
-    "build": "tsc",
-    "dev": "ts-node src/index.ts",
-    "start": "node dist/index.js",
-    "prepublishOnly": "npm run build",
-    "test": "tsc && vitest run tests/unit.test.ts",
-    "test:e2e": "tsc && vitest run tests/e2e.test.ts",
-    "test:all": "tsc && vitest run"
-  },
-  "keywords": [
-    "database",
-    "backup",
-    "restore",
-    "rollback",
-    "claude-code",
-    "ai-safety",
-    "mysql",
-    "postgres",
-    "supabase",
-    "sqlite"
-  ],
-  "author": "",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/pintayo/oopsdb.git"
-  },
-  "homepage": "https://oopsdb.com",
-  "engines": {
-    "node": ">=16.0.0"
-  },
-  "files": [
-    "dist",
-    "README.md",
-    "LICENSE"
-  ],
-  "dependencies": {
-    "@aws-sdk/client-s3": "^3.1005.0",
-    "@aws-sdk/s3-request-presigner": "^3.1005.0",
-    "chalk": "^4.1.2",
-    "commander": "^12.1.0",
-    "inquirer": "^8.2.6",
-    "ora": "^5.4.1"
-  },
-  "devDependencies": {
-    "@cloudflare/workers-types": "^4.20260310.1",
-    "@types/inquirer": "^8.2.10",
-    "@types/node": "^22.0.0",
-    "dotenv": "^17.3.1",
-    "testcontainers": "^11.12.0",
-    "typescript": "^5.7.0",
-    "vitest": "^4.0.18"
-  },
-  "directories": {
-    "test": "tests"
-  },
-  "types": "./dist/index.d.ts",
-  "bugs": {
-    "url": "https://github.com/pintayo/oopsdb/issues"
-  }
-}
+{
+  "name": "oopsdb",
+  "version": "1.6.0",
+  "description": "Don't let AI nuke your database. Auto-backup and 1-click restore for developers using Claude Code, Cursor, Windsurf, and other AI coding agents.",
+  "main": "dist/index.js",
+  "bin": {
+    "oopsdb": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "ts-node src/index.ts",
+    "start": "node dist/index.js",
+    "prepublishOnly": "npm run build",
+    "test": "tsc && vitest run tests/unit.test.ts",
+    "test:e2e": "tsc && vitest run tests/e2e.test.ts",
+    "test:all": "tsc && vitest run"
+  },
+  "keywords": [
+    "database",
+    "backup",
+    "restore",
+    "rollback",
+    "claude-code",
+    "ai-safety",
+    "mysql",
+    "postgres",
+    "supabase",
+    "sqlite"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/pintayo/oopsdb.git"
+  },
+  "homepage": "https://oopsdb.com",
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.1005.0",
+    "@aws-sdk/s3-request-presigner": "^3.1005.0",
+    "chalk": "^4.1.2",
+    "commander": "^12.1.0",
+    "inquirer": "^8.2.6",
+    "ora": "^5.4.1"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260310.1",
+    "@types/inquirer": "^8.2.10",
+    "@types/node": "^22.0.0",
+    "dotenv": "^17.3.1",
+    "testcontainers": "^11.12.0",
+    "typescript": "^5.7.0",
+    "vitest": "^4.0.18"
+  },
+  "directories": {
+    "test": "tests"
+  },
+  "types": "./dist/index.d.ts",
+  "bugs": {
+    "url": "https://github.com/pintayo/oopsdb/issues"
+  }
+}