raqeb-cli 1.0.0 → 1.3.0

package/README.md

@@ -1,53 +1,133 @@
-# raqeb-cli
+# Raqeb CLI
 
-Official Raqeb CLI - Command-line tool for Database PAM and Developer Secrets Management.
+Official command-line tool for **Raqeb Privileged Access Management (PAM)** platform.
 
-## Installation
+## 🚀 Features
 
-### Via npm (Recommended)
+- 🔐 **Database PAM**: Get temporary database credentials with auto-expiration
+- 🔑 **Secrets Management**: Securely retrieve application secrets
+- 👤 **Service Accounts**: Programmatic API access for applications
+- 📊 **API Keys**: Personal access tokens for developers
+- 🔒 **Zero Trust**: Dynamic credentials that automatically expire
+- 📝 **Audit Logging**: Track all access activities
+
+## 📦 Installation
+
+### npm (Node.js)
 
 ```bash
 npm install -g raqeb-cli
 ```
 
-### Via yarn
+### PyPI (Python)
 
 ```bash
-yarn global add raqeb-cli
+pip install raqeb-cli
 ```
 
-## Quick Start
+### Homebrew (macOS/Linux)
+
+```bash
+brew tap Tzamun-Arabia-IT-Co/raqeb
+brew install raqeb-cli
+```
+
+### Chocolatey (Windows)
+
+```powershell
+choco install raqeb-cli
+```
 
-### 1. Login
+### RPM (RedHat/Fedora/CentOS)
 
 ```bash
-raqeb login --api-key sa_your_api_key_here
+# Download from GitHub Releases
+curl -LO https://github.com/Tzamun-Arabia-IT-Co/raqeb-cli/releases/latest/download/raqeb-cli.rpm
+sudo rpm -ivh raqeb-cli.rpm
 ```
 
-### 2. Get Secret
+## 🎯 Quick Start
+
+### 1. Login with Service Account
 
 ```bash
-raqeb secrets get <secret-id>
+# Using service account API key (for applications/CI/CD)
+raqeb login --api-key sa_your_service_account_key
+
+# Or using personal API key (for developers)
+raqeb login --api-key ak_your_personal_key
 ```
 
-### 3. Get Database Credentials
+### 2. Get Temporary Database Credentials
 
 ```bash
-raqeb db connect <database-id> --ttl 4 --access-level read-only
+# Get read-only access for 2 hours
+raqeb db connect prod-mysql --ttl 2 --access-level read-only
+
+# Returns:
+# Username: temp_user_abc123
+# Password: random_secure_password
+# Host: mysql.example.com
+# Port: 3306
+# Expires: 2026-02-14 20:00:00
 ```
 
-### 4. Revoke Credentials
+### 3. Retrieve Application Secrets
 
 ```bash
-raqeb db revoke <lease-id>
+# Get secret value
+raqeb secrets get stripe-api-key
+
+# Returns the decrypted secret value
 ```
 
-## Commands
+### 4. Manage API Keys
+
+```bash
+# List your API keys
+raqeb keys list
+
+# Create new API key
+raqeb keys create "My Dev Key" --scopes secrets:read,databases:read
+
+# Delete API key
+raqeb keys delete <key-id>
+```
+
+## 📖 Commands Reference
 
 ### Authentication
 
 ```bash
+# Login with API key
 raqeb login --api-key <key>
+
+# Login with interactive prompt
+raqeb login
+
+# Logout
+raqeb logout
+
+# Show current user
+raqeb whoami
+```
+
+### Database PAM
+
+```bash
+# Get temporary database credentials
+raqeb db connect <database-id> [options]
+  --ttl <hours>              Time to live in hours (default: 4, max: 24)
+  --access-level <level>     Access level: read-only, read-write, admin (default: read-only)
+
+# List active database leases
+raqeb db leases
+
+# Revoke database credentials
+raqeb db revoke <lease-id>
+
+# List available databases
+raqeb db list
 ```
 
 ### Secrets Management
@@ -55,80 +135,254 @@ raqeb login --api-key <key>
 ```bash
 # Get secret value
 raqeb secrets get <secret-id>
-```
 
-### Database Access
+# List all secrets (names only, not values)
+raqeb secrets list
 
-```bash
-# Get temporary credentials
-raqeb db connect <database-id> [options]
-  --ttl <hours>              Time to live (default: 4)
-  --access-level <level>     read-only, read-write, or admin (default: read-only)
+# Create new secret
+raqeb secrets create <name> <value> [--description <desc>]
 
-# Revoke credentials
-raqeb db revoke <lease-id>
+# Update secret
+raqeb secrets update <secret-id> <new-value>
+
+# Delete secret
+raqeb secrets delete <secret-id>
 ```
 
-### API Keys
+### API Keys (Personal)
 
 ```bash
-# List API keys
+# List your API keys
 raqeb keys list
 
 # Create new API key
-raqeb keys create <name> [--scopes <scopes>]
+raqeb keys create <name> [options]
+  --scopes <scopes>          Comma-separated scopes (default: secrets:read)
+  --expires-in <days>        Expiration in days (default: 90, max: 365)
 
 # Delete API key
 raqeb keys delete <key-id>
+
+# Rotate API key
+raqeb keys rotate <key-id>
 ```
 
-## Configuration
+### Service Accounts (Admin Only)
+
+```bash
+# List service accounts
+raqeb sa list
+
+# Create service account
+raqeb sa create <name> [options]
+  --scopes <scopes>          Comma-separated scopes
+  --allowed-databases <ids>  Comma-separated database IDs
+  --allowed-secrets <ids>    Comma-separated secret IDs
+
+# Delete service account
+raqeb sa delete <account-id>
+
+# View service account details
+raqeb sa get <account-id>
+```
+
+### Audit Logs
+
+```bash
+# View audit logs
+raqeb audit list [options]
+  --limit <n>                Number of records (default: 50)
+  --user <user-id>           Filter by user
+  --action <action>          Filter by action type
+  --from <date>              Start date (YYYY-MM-DD)
+  --to <date>                End date (YYYY-MM-DD)
+
+# Export audit logs
+raqeb audit export --format csv --output audit.csv
+```
+
+## ⚙️ Configuration
 
 Configuration is stored in `~/.raqeb/config.json`
 
 ```json
 {
   "base_url": "https://app.raqeb.cloud/api/v1",
-  "api_key": "sa_your_api_key"
+  "api_key": "sa_your_service_account_key",
+  "tenant": "your-tenant-subdomain"
 }
 ```
 
-## Examples
+### Environment Variables
 
-### CI/CD Integration
+You can also use environment variables:
+
+```bash
+export RAQEB_API_KEY="sa_your_api_key"
+export RAQEB_BASE_URL="https://app.raqeb.cloud/api/v1"
+export RAQEB_TENANT="your-tenant"
+```
+
+### Multi-Tenant Support
+
+If you work with multiple Raqeb tenants:
+
+```bash
+# Switch tenant
+raqeb config set-tenant production-tenant
+
+# Or specify tenant per command
+raqeb --tenant staging-tenant db connect staging-db
+```
+
+## 💡 Use Cases & Examples
+
+### 1. CI/CD Pipeline Integration
 
 ```bash
 #!/bin/bash
-# Get database credentials for deployment
+# GitHub Actions / Jenkins / GitLab CI
+
+# Login with service account (stored in CI secrets)
+raqeb login --api-key $RAQEB_SERVICE_ACCOUNT_KEY
 
-# Login (use environment variable)
+# Get temporary database credentials for migration
+CREDS=$(raqeb db connect prod-mysql --ttl 1 --access-level read-write)
+DB_USER=$(echo "$CREDS" | grep "Username:" | awk '{print $2}')
+DB_PASS=$(echo "$CREDS" | grep "Password:" | awk '{print $2}')
+
+# Run database migration
+mysql -h prod-mysql.example.com -u $DB_USER -p$DB_PASS < migration.sql
+
+# Credentials automatically expire after 1 hour
+```
+
+### 2. Application Secrets Retrieval
+
+```bash
+#!/bin/bash
+# Retrieve secrets for application startup
+
+# Login
 raqeb login --api-key $RAQEB_API_KEY
 
-# Get temporary credentials
-raqeb db connect prod-mysql-db --ttl 1 --access-level read-write
+# Get all required secrets
+export STRIPE_API_KEY=$(raqeb secrets get stripe-api-key)
+export AWS_ACCESS_KEY=$(raqeb secrets get aws-access-key)
+export DATABASE_URL=$(raqeb secrets get database-url)
+
+# Start application
+npm start
+```
+
+### 3. Developer Local Access
+
+```bash
+# Developer needs temporary access to staging database
+
+# Login with personal API key
+raqeb login --api-key ak_developer_key
+
+# Get 4-hour read-only access
+raqeb db connect staging-postgres --ttl 4 --access-level read-only
+
+# Connect with provided credentials
+psql -h staging-db.example.com -U temp_user_xyz789 -d staging
 
-# ... your deployment script ...
+# Credentials auto-expire after 4 hours
+```
+
+### 4. Automated Testing
+
+```bash
+#!/bin/bash
+# Integration tests with temporary database
+
+# Login
+raqeb login --api-key $RAQEB_TEST_KEY
+
+# Get test database credentials
+raqeb db connect test-mysql --ttl 1 --access-level read-write
 
-# Revoke when done
+# Run tests
+npm test
+
+# Cleanup (optional - auto-expires anyway)
 raqeb db revoke $LEASE_ID
 ```
 
-### Retrieve Application Secrets
+### 5. Service Account Management (Admin)
 
 ```bash
-# Get API key from secrets vault
-raqeb secrets get api-key-prod
+# Admin creates service account for production app
+
+raqeb sa create "Production Backend" \
+  --scopes "databases:read,databases:write,secrets:read" \
+  --allowed-databases "prod-mysql,prod-postgres" \
+  --allowed-secrets "stripe-key,aws-key"
 
-# Use in your application
-export EXTERNAL_API_KEY=$(raqeb secrets get api-key-prod | grep "Value:" | cut -d' ' -f2)
+# Returns service account API key (sa_xxx)
+# Store in production environment variables
 ```
 
-## License
+## 🔐 Security Best Practices
+
+### API Key Management
+
+- **Never commit API keys** to version control
+- **Use environment variables** in CI/CD pipelines
+- **Rotate keys regularly** (every 90 days recommended)
+- **Use service accounts** for applications, personal keys for development
+- **Limit scopes** to minimum required permissions
+
+### Database Access
+
+- **Request minimum TTL** needed for your task
+- **Use read-only access** when possible
+- **Revoke credentials** when done (optional - auto-expires)
+- **Monitor audit logs** for suspicious activity
+
+### Secrets Management
+
+- **Encrypt secrets** at rest (handled by Raqeb)
+- **Limit secret access** to specific service accounts
+- **Rotate secrets** regularly
+- **Use different secrets** for different environments
+
+## 📚 Documentation
+
+- **Full Documentation**: https://docs.raqeb.cloud
+- **API Reference**: https://docs.raqeb.cloud/api
+- **Service Accounts Guide**: https://docs.raqeb.cloud/service-accounts
+- **Database PAM Guide**: https://docs.raqeb.cloud/database-pam
+- **Secrets Management**: https://docs.raqeb.cloud/secrets
+
+## 🆘 Support
+
+- **Email**: support@tzamun.sa
+- **Website**: https://raqeb.cloud
+- **GitHub Issues**: https://github.com/Tzamun-Arabia-IT-Co/raqeb-cli/issues
+- **Documentation**: https://docs.raqeb.cloud
+
+## 📝 License
+
+MIT License - Copyright (c) 2026 Tzamun Arabia IT Co
+
+## 🌟 Features Roadmap
+
+- [ ] Multi-factor authentication support
+- [ ] SSH key management
+- [ ] Certificate management
+- [ ] Kubernetes secrets integration
+- [ ] Terraform provider
+- [ ] Ansible integration
+
+## 🤝 Contributing
+
+Contributions are welcome! Please read our contributing guidelines before submitting PRs.
 
-MIT
+## 📊 Version
 
-## Support
+Current version: 1.0.0
 
-- Documentation: https://docs.raqeb.cloud
-- Email: support@raqeb.cloud
-- GitHub: https://github.com/raqeb/cli
+See [CHANGELOG.md](CHANGELOG.md) for release notes.

package/bin/raqeb-completion.js

@@ -0,0 +1,32 @@
+#!/usr/bin/env node
+
+// Generate shell completion scripts
+
+const fs = require('fs');
+const path = require('path');
+
+const shell = process.argv[2] || 'bash';
+
+const completionsDir = path.join(__dirname, '..', 'completions');
+
+switch (shell) {
+  case 'bash':
+    const bashScript = fs.readFileSync(path.join(completionsDir, 'bash', 'raqeb-completion.sh'), 'utf8');
+    console.log(bashScript);
+    break;
+    
+  case 'zsh':
+    const zshScript = fs.readFileSync(path.join(completionsDir, 'zsh', '_raqeb'), 'utf8');
+    console.log(zshScript);
+    break;
+    
+  case 'fish':
+    console.log('# Fish completion not yet implemented');
+    console.log('# Use: raqeb completion bash > ~/.config/fish/completions/raqeb.fish');
+    break;
+    
+  default:
+    console.error(`Unknown shell: ${shell}`);
+    console.error('Supported shells: bash, zsh, fish');
+    process.exit(1);
+}

package/bin/raqeb.js

@@ -6,6 +6,8 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const chalk = require('chalk');
+const inquirer = require('inquirer');
+const Table = require('cli-table3');
 
 const CONFIG_DIR = path.join(os.homedir(), '.raqeb');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
@@ -45,6 +47,15 @@ function getClient() {
   });
 }
 
+// Format output (table or JSON)
+function formatOutput(data, options = {}) {
+  if (options.json) {
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+  return data;
+}
+
 // Login command
 program
   .command('login')
@@ -84,11 +95,97 @@ secrets
 const db = program.command('db').description('Manage database access');
 
 db
-  .command('connect <database-id>')
+  .command('list')
+  .description('List all available databases')
+  .option('--json', 'Output in JSON format')
+  .addHelpText('after', `
+
+Examples:
+  $ raqeb db list
+  $ raqeb db list --json
+`)
+  .action(async (options) => {
+    try {
+      const client = getClient();
+      const response = await client.get('/databases');
+      const databases = response.data;
+      
+      if (options.json) {
+        console.log(JSON.stringify(databases, null, 2));
+        return;
+      }
+      
+      if (databases.length === 0) {
+        console.log(chalk.yellow('No databases available'));
+        return;
+      }
+      
+      const table = new Table({
+        head: ['ID', 'Name', 'Type', 'Host', 'Status'],
+        style: { head: ['cyan'] }
+      });
+      
+      databases.forEach(db => {
+        table.push([
+          db.id,
+          db.name,
+          db.type,
+          db.host || 'N/A',
+          db.is_active ? chalk.green('Active') : chalk.red('Inactive')
+        ]);
+      });
+      
+      console.log('\n' + table.toString());
+      console.log(chalk.gray(`\nTotal: ${databases.length} database(s)`));
+    } catch (error) {
+      console.error(chalk.red(`❌ Error: ${error.response?.data?.detail || error.message}`));
+      process.exit(1);
+    }
+  });
+
+db
+  .command('connect [database-id]')
   .description('Get temporary database credentials')
   .option('--ttl <hours>', 'Time to live in hours', '4')
   .option('--access-level <level>', 'Access level (read-only, read-write, admin)', 'read-only')
+  .option('--reason <text>', 'Reason for access (for audit trail)')
+  .option('--json', 'Output in JSON format')
+  .addHelpText('after', `
+
+Examples:
+  $ raqeb db connect prod-mysql --ttl 2
+  $ raqeb db connect staging-postgres --access-level read-write --reason "Migration"
+  $ raqeb db connect dev-mongodb --json
+  $ raqeb db connect  # Interactive mode - prompts for database
+`)
   .action(async (databaseId, options) => {
+    // Interactive prompt if database-id not provided
+    if (!databaseId) {
+      try {
+        const client = getClient();
+        const dbResponse = await client.get('/databases');
+        const databases = dbResponse.data;
+        
+        if (databases.length === 0) {
+          console.log(chalk.yellow('No databases available'));
+          return;
+        }
+        
+        const answer = await inquirer.prompt([{
+          type: 'list',
+          name: 'database',
+          message: 'Which database?',
+          choices: databases.map(db => ({
+            name: `${db.name} (${db.type})`,
+            value: db.id
+          }))
+        }]);
+        databaseId = answer.database;
+      } catch (error) {
+        console.error(chalk.red(`❌ Error fetching databases: ${error.message}`));
+        process.exit(1);
+      }
+    }
     try {
       const client = getClient();
       const response = await client.post('/service-accounts/databases/dynamic-credentials', {
@@ -98,6 +195,11 @@ db
       });
       const data = response.data;
       
+      if (options.json) {
+        console.log(JSON.stringify(data, null, 2));
+        return;
+      }
+      
       console.log(chalk.cyan('\n🔑 Temporary Database Credentials'));
       console.log(chalk.gray('━'.repeat(40)));
       console.log(chalk.white(`Username: ${data.username}`));
@@ -204,6 +306,57 @@ keys
     }
   });
 
+// Interactive command
+program
+  .command('interactive')
+  .alias('i')
+  .alias('shell')
+  .description('Launch interactive mode')
+  .addHelpText('after', `
+
+Interactive mode provides a guided experience with:
+  - Command discovery with /
+  - Tab completion
+  - Command history
+  - Interactive prompts
+
+Examples:
+  $ raqeb interactive
+  $ raqeb -i
+  $ raqeb shell
+`)
+  .action(() => {
+    const InteractiveShell = require('../lib/interactive');
+    const client = getClient();
+    const shell = new InteractiveShell(client);
+    shell.start();
+  });
+
+// Completion command
+program
+  .command('completion <shell>')
+  .description('Generate shell completion script')
+  .addHelpText('after', `
+
+Supported shells: bash, zsh, fish
+
+Installation:
+  Bash:
+    $ raqeb completion bash > /etc/bash_completion.d/raqeb
+    $ source /etc/bash_completion.d/raqeb
+  
+  Zsh:
+    $ raqeb completion zsh > ~/.zsh/completion/_raqeb
+    $ fpath=(~/.zsh/completion $fpath)
+  
+  Fish:
+    $ raqeb completion fish > ~/.config/fish/completions/raqeb.fish
+`)
+  .action((shell) => {
+    const completionScript = require('./raqeb-completion.js');
+    // Script will output to stdout
+  });
+
 program
   .name('raqeb')
   .description('Raqeb CLI - Database PAM and Secrets Management')

package/lib/interactive.js

@@ -0,0 +1,668 @@
+const readline = require('readline');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const Table = require('cli-table3');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+class InteractiveShell {
+  constructor(apiClient) {
+    this.client = apiClient;
+    this.history = [];
+    this.rl = null;
+    this.config = this.loadConfig();
+    this.userInfo = null;
+  }
+
+  loadConfig() {
+    try {
+      const configPath = path.join(os.homedir(), '.raqeb', 'config.json');
+      if (fs.existsSync(configPath)) {
+        return JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      }
+    } catch (error) {
+      // Config not found or invalid
+    }
+    return null;
+  }
+
+  async fetchUserInfo() {
+    try {
+      const response = await this.client.get('/auth/me');
+      this.userInfo = response.data;
+    } catch (error) {
+      this.userInfo = null;
+    }
+  }
+
+  async start() {
+    await this.fetchUserInfo();
+    this.showWelcome();
+    this.setupReadline();
+    this.rl.prompt();
+  }
+
+  setupReadline() {
+    this.rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      prompt: chalk.cyan('raqeb> '),
+      completer: this.completer.bind(this)
+    });
+
+    this.rl.on('line', async (line) => {
+      const input = line.trim();
+      
+      if (input) {
+        this.history.push(input);
+        await this.handleCommand(input);
+      }
+      
+      this.rl.prompt();
+    });
+
+    this.rl.on('close', () => {
+      console.log(chalk.gray('\nGoodbye! 👋'));
+      process.exit(0);
+    });
+  }
+
+  completer(line) {
+    const commands = [
+      '/', '/help', '/exit', '/clear',
+      '/db', '/db list', '/db connect', '/db sessions', '/db revoke',
+      '/secrets', '/secrets list', '/secrets get', '/secrets set', '/secrets delete',
+      '/keys', '/keys list', '/keys create', '/keys delete',
+      '/audit', '/audit logs'
+    ];
+    
+    const hits = commands.filter((c) => c.startsWith(line));
+    return [hits.length ? hits : commands, line];
+  }
+
+  showWelcome() {
+    console.clear();
+    
+    // ASCII Logo
+    console.log(chalk.cyan.bold(`
+    ██████╗  ██████╗  ██████╗ ███████╗██████╗ 
+    ██╔══██╗██╔═══██╗██╔═══██╗██╔════╝██╔══██╗
+    ██████╔╝███████║██║   ██║█████╗  ██████╔╝
+    ██╔══██╗██╔══██║██║▄▄ ██║██╔══╝  ██╔══██╗
+    ██║  ██║██║  ██║╚██████╔╝███████╗██████╔╝
+    ╚═╝  ╚═╝╚═╝  ╚═╝ ╚══▀▀═╝ ╚══════╝╚═════╝ 
+`));
+    
+    console.log(chalk.cyan('╔═══════════════════════════════════════════════════════════╗'));
+    console.log(chalk.cyan('║         Raqeb CLI - Interactive Mode v1.3.0              ║'));
+    console.log(chalk.cyan('╚═══════════════════════════════════════════════════════════╝'));
+    
+    // Show user info if available
+    if (this.userInfo) {
+      console.log(chalk.gray('\n📊 Session Information:'));
+      console.log(chalk.white(`   User: ${chalk.green(this.userInfo.email || 'Unknown')}`));
+      console.log(chalk.white(`   Tenant: ${chalk.green(this.userInfo.tenant_name || this.userInfo.tenant_id || 'Unknown')}`));
+      console.log(chalk.white(`   Role: ${chalk.yellow(this.userInfo.role || 'user')}`));
+    }
+    
+    console.log(chalk.cyan('\n💡 Type / to see all commands, or /help for help\n'));
+  }
+
+  async handleCommand(input) {
+    try {
+      if (input === '/') {
+        this.showAllCommands();
+      } else if (input === '/help') {
+        this.showHelp();
+      } else if (input === '/exit' || input === '/quit') {
+        this.rl.close();
+      } else if (input === '/clear') {
+        console.clear();
+        this.showWelcome();
+      } else if (input.startsWith('/db')) {
+        await this.handleDatabase(input);
+      } else if (input.startsWith('/secrets')) {
+        await this.handleSecrets(input);
+      } else if (input.startsWith('/keys')) {
+        await this.handleKeys(input);
+      } else if (input.startsWith('/audit')) {
+        await this.handleAudit(input);
+      } else {
+        console.log(chalk.red(`Unknown command: ${input}`));
+        console.log(chalk.gray('Type / to see all commands'));
+      }
+    } catch (error) {
+      console.error(chalk.red(`❌ Error: ${error.message}`));
+    }
+  }
+
+  showAllCommands() {
+    console.log(chalk.bold('\n📋 Available Commands:\n'));
+    console.log(chalk.cyan('  /db') + '          Database operations');
+    console.log(chalk.cyan('  /secrets') + '     Secrets management');
+    console.log(chalk.cyan('  /keys') + '        API keys management');
+    console.log(chalk.cyan('  /audit') + '       Audit logs');
+    console.log(chalk.cyan('  /help') + '        Show this help');
+    console.log(chalk.cyan('  /clear') + '       Clear screen');
+    console.log(chalk.cyan('  /exit') + '        Exit interactive mode');
+    console.log();
+  }
+
+  showHelp() {
+    console.log(chalk.bold('\n📖 Interactive Mode Help\n'));
+    console.log(chalk.white('Commands:'));
+    console.log('  /                  Show all available commands');
+    console.log('  /db                Database operations');
+    console.log('  /db list           List all databases');
+    console.log('  /db connect        Connect to a database');
+    console.log('  /secrets           Secrets management');
+    console.log('  /secrets list      List all secrets');
+    console.log('  /secrets get       Get a secret value');
+    console.log('  /keys              API keys management');
+    console.log('  /audit             View audit logs');
+    console.log('  /help              Show this help');
+    console.log('  /clear             Clear the screen');
+    console.log('  /exit              Exit interactive mode');
+    console.log();
+    console.log(chalk.gray('Tips:'));
+    console.log(chalk.gray('  - Use TAB for autocomplete'));
+    console.log(chalk.gray('  - Use UP/DOWN arrows for command history'));
+    console.log(chalk.gray('  - Press Ctrl+C or type /exit to quit'));
+    console.log();
+  }
+
+  async handleDatabase(input) {
+    const parts = input.split(' ');
+    const subcommand = parts[1];
+
+    if (!subcommand || subcommand === 'help') {
+      console.log(chalk.bold('\n🗄️  Database Commands:\n'));
+      console.log('  /db list           List all databases');
+      console.log('  /db connect        Connect to a database');
+      console.log('  /db sessions       View active sessions');
+      console.log('  /db revoke <id>    Revoke credentials');
+      console.log();
+      return;
+    }
+
+    switch (subcommand) {
+      case 'list':
+        await this.listDatabases();
+        break;
+      case 'connect':
+        await this.connectDatabase(parts[2]);
+        break;
+      case 'sessions':
+        await this.showSessions();
+        break;
+      case 'revoke':
+        await this.revokeCredentials(parts[2]);
+        break;
+      default:
+        console.log(chalk.red(`Unknown database command: ${subcommand}`));
+        console.log(chalk.gray('Type /db for available commands'));
+    }
+  }
+
+  async listDatabases() {
+    try {
+      const response = await this.client.get('/databases');
+      const databases = response.data;
+
+      if (databases.length === 0) {
+        console.log(chalk.yellow('\nNo databases available'));
+        return;
+      }
+
+      const table = new Table({
+        head: ['ID', 'Name', 'Type', 'Host', 'Status'],
+        style: { head: ['cyan'] }
+      });
+
+      databases.forEach(db => {
+        table.push([
+          db.id,
+          db.name,
+          db.type,
+          db.host || 'N/A',
+          db.is_active ? chalk.green('●') + ' Active' : chalk.red('●') + ' Inactive'
+        ]);
+      });
+
+      console.log('\n' + table.toString());
+      console.log(chalk.gray(`\nTotal: ${databases.length} database(s)\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async connectDatabase(databaseId) {
+    try {
+      // If no database ID provided, prompt for it
+      if (!databaseId) {
+        const response = await this.client.get('/databases');
+        const databases = response.data;
+
+        if (databases.length === 0) {
+          console.log(chalk.yellow('\nNo databases available'));
+          return;
+        }
+
+        const answer = await inquirer.prompt([{
+          type: 'list',
+          name: 'database',
+          message: 'Which database?',
+          choices: databases.map(db => ({
+            name: `${db.name} (${db.type})`,
+            value: db.id
+          }))
+        }]);
+        databaseId = answer.database;
+      }
+
+      // Prompt for connection options
+      const options = await inquirer.prompt([
+        {
+          type: 'list',
+          name: 'accessLevel',
+          message: 'Access level?',
+          choices: ['read-only', 'read-write', 'admin'],
+          default: 'read-only'
+        },
+        {
+          type: 'number',
+          name: 'ttl',
+          message: 'TTL (hours)?',
+          default: 2,
+          validate: (value) => value > 0 && value <= 24 || 'TTL must be between 1 and 24 hours'
+        },
+        {
+          type: 'input',
+          name: 'reason',
+          message: 'Reason for access? (optional)',
+          default: ''
+        }
+      ]);
+
+      // Request credentials
+      const response = await this.client.post('/service-accounts/databases/dynamic-credentials', {
+        database_id: databaseId,
+        ttl_hours: options.ttl,
+        access_level: options.accessLevel,
+        reason: options.reason || undefined
+      });
+
+      const data = response.data;
+
+      console.log(chalk.green('\n✓ Credentials Generated!\n'));
+      const table = new Table({
+        style: { head: ['cyan'] }
+      });
+      table.push(
+        ['Username', data.username],
+        ['Password', data.password],
+        ['Access Level', data.access_level],
+        ['Expires', data.expires_at],
+        ['Lease ID', data.lease_id]
+      );
+      console.log(table.toString());
+      console.log(chalk.yellow(`\n⚠️  These credentials will expire in ${options.ttl} hours`));
+      console.log(chalk.gray(`To revoke early: /db revoke ${data.lease_id}\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async showSessions() {
+    console.log(chalk.yellow('\n⚠️  Sessions view not yet implemented\n'));
+  }
+
+  async revokeCredentials(leaseId) {
+    if (!leaseId) {
+      console.log(chalk.red('\n❌ Lease ID required'));
+      console.log(chalk.gray('Usage: /db revoke <lease-id>\n'));
+      return;
+    }
+
+    try {
+      await this.client.post(`/service-accounts/leases/${leaseId}/revoke`);
+      console.log(chalk.green(`\n✓ Lease ${leaseId} revoked successfully\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async handleSecrets(input) {
+    const parts = input.split(' ');
+    const subcommand = parts[1];
+
+    if (!subcommand || subcommand === 'help') {
+      console.log(chalk.bold('\n🔐 Secrets Commands:\n'));
+      console.log('  /secrets list           List all secrets');
+      console.log('  /secrets get <name>     Get secret value');
+      console.log('  /secrets set            Create/update secret');
+      console.log('  /secrets delete <name>  Delete secret');
+      console.log();
+      return;
+    }
+
+    switch (subcommand) {
+      case 'list':
+        await this.listSecrets();
+        break;
+      case 'get':
+        await this.getSecret(parts[2]);
+        break;
+      case 'set':
+        await this.setSecret();
+        break;
+      case 'delete':
+        await this.deleteSecret(parts[2]);
+        break;
+      default:
+        console.log(chalk.red(`Unknown secrets command: ${subcommand}`));
+        console.log(chalk.gray('Type /secrets for available commands'));
+    }
+  }
+
+  async listSecrets() {
+    try {
+      const response = await this.client.get('/service-accounts/secrets');
+      const secrets = response.data;
+
+      if (!secrets || secrets.length === 0) {
+        console.log(chalk.yellow('\nNo secrets found\n'));
+        return;
+      }
+
+      console.log(chalk.bold('\n🔐 Secrets:\n'));
+      const table = new Table({
+        head: [chalk.cyan('Name'), chalk.cyan('Created'), chalk.cyan('Updated')],
+        style: { head: ['cyan'] }
+      });
+
+      secrets.forEach(secret => {
+        table.push([
+          secret.name,
+          new Date(secret.created_at).toLocaleString(),
+          secret.updated_at ? new Date(secret.updated_at).toLocaleString() : 'Never'
+        ]);
+      });
+
+      console.log(table.toString());
+      console.log(chalk.gray(`\nTotal: ${secrets.length} secret(s)\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async getSecret(secretId) {
+    if (!secretId) {
+      console.log(chalk.red('\n❌ Secret name required'));
+      console.log(chalk.gray('Usage: /secrets get <name>\n'));
+      return;
+    }
+
+    try {
+      const response = await this.client.post('/service-accounts/secrets/retrieve', null, {
+        params: { secret_id: secretId }
+      });
+      const data = response.data;
+      
+      console.log(chalk.cyan(`\n🔐 Secret: ${data.name}`));
+      console.log(chalk.white(`Value: ${data.value}`));
+      console.log(chalk.gray(`Retrieved at: ${data.retrieved_at}\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async setSecret() {
+    try {
+      const answers = await inquirer.prompt([
+        {
+          type: 'input',
+          name: 'name',
+          message: 'Secret name:',
+          validate: (value) => value.trim() !== '' || 'Name is required'
+        },
+        {
+          type: 'password',
+          name: 'value',
+          message: 'Secret value:',
+          mask: '*',
+          validate: (value) => value.trim() !== '' || 'Value is required'
+        },
+        {
+          type: 'input',
+          name: 'description',
+          message: 'Description (optional):',
+          default: ''
+        }
+      ]);
+
+      await this.client.post('/service-accounts/secrets', {
+        name: answers.name,
+        value: answers.value,
+        description: answers.description || undefined
+      });
+
+      console.log(chalk.green(`\n✓ Secret '${answers.name}' created successfully\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async deleteSecret(secretName) {
+    if (!secretName) {
+      console.log(chalk.red('\n❌ Secret name required'));
+      console.log(chalk.gray('Usage: /secrets delete <name>\n'));
+      return;
+    }
+
+    try {
+      const confirm = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'confirmed',
+        message: `Delete secret '${secretName}'?`,
+        default: false
+      }]);
+
+      if (!confirm.confirmed) {
+        console.log(chalk.gray('\nCancelled\n'));
+        return;
+      }
+
+      await this.client.delete(`/service-accounts/secrets/${secretName}`);
+      console.log(chalk.green(`\n✓ Secret '${secretName}' deleted successfully\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async handleKeys(input) {
+    const parts = input.split(' ');
+    const subcommand = parts[1];
+
+    if (!subcommand || subcommand === 'help') {
+      console.log(chalk.bold('\n🔑 API Keys Commands:\n'));
+      console.log('  /keys list              List all API keys');
+      console.log('  /keys create            Create new API key');
+      console.log('  /keys delete <id>       Delete API key');
+      console.log();
+      return;
+    }
+
+    switch (subcommand) {
+      case 'list':
+        await this.listKeys();
+        break;
+      case 'create':
+        await this.createKey();
+        break;
+      case 'delete':
+        await this.deleteKey(parts[2]);
+        break;
+      default:
+        console.log(chalk.red(`Unknown keys command: ${subcommand}`));
+        console.log(chalk.gray('Type /keys for available commands'));
+    }
+  }
+
+  async listKeys() {
+    try {
+      const response = await this.client.get('/service-accounts/api-keys');
+      const keys = response.data;
+
+      if (!keys || keys.length === 0) {
+        console.log(chalk.yellow('\nNo API keys found\n'));
+        return;
+      }
+
+      console.log(chalk.bold('\n🔑 API Keys:\n'));
+      const table = new Table({
+        head: [chalk.cyan('ID'), chalk.cyan('Name'), chalk.cyan('Prefix'), chalk.cyan('Created'), chalk.cyan('Last Used')],
+        style: { head: ['cyan'] }
+      });
+
+      keys.forEach(key => {
+        table.push([
+          key.id.substring(0, 8) + '...',
+          key.name || 'Unnamed',
+          key.api_key_prefix || 'N/A',
+          new Date(key.created_at).toLocaleDateString(),
+          key.last_used_at ? new Date(key.last_used_at).toLocaleDateString() : 'Never'
+        ]);
+      });
+
+      console.log(table.toString());
+      console.log(chalk.gray(`\nTotal: ${keys.length} key(s)\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async createKey() {
+    try {
+      const answers = await inquirer.prompt([
+        {
+          type: 'input',
+          name: 'name',
+          message: 'Key name:',
+          validate: (value) => value.trim() !== '' || 'Name is required'
+        },
+        {
+          type: 'checkbox',
+          name: 'scopes',
+          message: 'Select scopes:',
+          choices: [
+            { name: 'Read Secrets', value: 'secrets:read', checked: true },
+            { name: 'Write Secrets', value: 'secrets:write' },
+            { name: 'Read Databases', value: 'databases:read', checked: true },
+            { name: 'Write Databases', value: 'databases:write' },
+            { name: 'Manage API Keys', value: 'api-keys:manage' }
+          ]
+        }
+      ]);
+
+      const response = await this.client.post('/service-accounts/api-keys', {
+        name: answers.name,
+        scopes: answers.scopes
+      });
+
+      console.log(chalk.green('\n✓ API Key Created!\n'));
+      console.log(chalk.yellow('⚠️  Save this key now - it won\'t be shown again:\n'));
+      console.log(chalk.white.bold(response.data.api_key));
+      console.log();
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async deleteKey(keyId) {
+    if (!keyId) {
+      console.log(chalk.red('\n❌ Key ID required'));
+      console.log(chalk.gray('Usage: /keys delete <id>\n'));
+      return;
+    }
+
+    try {
+      const confirm = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'confirmed',
+        message: `Delete API key '${keyId}'?`,
+        default: false
+      }]);
+
+      if (!confirm.confirmed) {
+        console.log(chalk.gray('\nCancelled\n'));
+        return;
+      }
+
+      await this.client.delete(`/service-accounts/api-keys/${keyId}`);
+      console.log(chalk.green(`\n✓ API key deleted successfully\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+
+  async handleAudit(input) {
+    const parts = input.split(' ');
+    const subcommand = parts[1];
+
+    if (!subcommand || subcommand === 'help') {
+      console.log(chalk.bold('\n📋 Audit Commands:\n'));
+      console.log('  /audit logs             View recent audit logs');
+      console.log('  /audit logs <limit>     View last N logs');
+      console.log();
+      return;
+    }
+
+    switch (subcommand) {
+      case 'logs':
+        await this.showAuditLogs(parts[2] ? parseInt(parts[2]) : 10);
+        break;
+      default:
+        console.log(chalk.red(`Unknown audit command: ${subcommand}`));
+        console.log(chalk.gray('Type /audit for available commands'));
+    }
+  }
+
+  async showAuditLogs(limit = 10) {
+    try {
+      const response = await this.client.get('/audit/logs', {
+        params: { limit }
+      });
+      const logs = response.data;
+
+      if (!logs || logs.length === 0) {
+        console.log(chalk.yellow('\nNo audit logs found\n'));
+        return;
+      }
+
+      console.log(chalk.bold(`\n📋 Recent Audit Logs (Last ${limit}):\n`));
+      const table = new Table({
+        head: [chalk.cyan('Time'), chalk.cyan('User'), chalk.cyan('Action'), chalk.cyan('Resource')],
+        style: { head: ['cyan'] },
+        colWidths: [20, 25, 20, 30]
+      });
+
+      logs.forEach(log => {
+        table.push([
+          new Date(log.timestamp).toLocaleString(),
+          log.user_email || 'System',
+          log.action,
+          log.resource_type + '/' + (log.resource_id || 'N/A')
+        ]);
+      });
+
+      console.log(table.toString());
+      console.log(chalk.gray(`\nShowing ${logs.length} log(s)\n`));
+    } catch (error) {
+      throw new Error(error.response?.data?.detail || error.message);
+    }
+  }
+}
+
+module.exports = InteractiveShell;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "raqeb-cli",
-  "version": "1.0.0",
+  "version": "1.3.0",
   "description": "Raqeb CLI - Command-line tool for Database PAM and Developer Secrets Management",
   "main": "index.js",
   "bin": {
@@ -29,7 +29,8 @@
     "commander": "^11.0.0",
     "chalk": "^4.1.2",
     "ora": "^5.4.1",
-    "inquirer": "^8.2.5"
+    "inquirer": "^8.2.5",
+    "cli-table3": "^0.6.3"
   },
   "engines": {
     "node": ">=14.0.0"