writbase 0.1.0

package/dist/writbase.js

@@ -0,0 +1,707 @@
+#!/usr/bin/env node
+
+// src/bin/writbase.ts
+import { Command } from "commander";
+
+// src/commands/init.ts
+import { webcrypto } from "crypto";
+import { execSync } from "child_process";
+import { existsSync } from "fs";
+import { join as join2 } from "path";
+import { confirm, input, select } from "@inquirer/prompts";
+import { createSpinner } from "nanospinner";
+
+// src/lib/config.ts
+import dotenv from "dotenv";
+import { writeFileSync, renameSync } from "fs";
+import { join } from "path";
+
+// src/lib/output.ts
+import pc from "picocolors";
+function success(msg) {
+  console.log(pc.green("\u2713 ") + msg);
+}
+function error(msg) {
+  console.error(pc.red("\u2717 ") + msg);
+}
+function warn(msg) {
+  console.log(pc.yellow("\u26A0 ") + msg);
+}
+function info(msg) {
+  console.log(pc.cyan("\u2139 ") + msg);
+}
+function table(headers, rows) {
+  const colWidths = headers.map(
+    (h, i) => Math.max(h.length, ...rows.map((r) => (r[i] ?? "").length))
+  );
+  const sep = colWidths.map((w) => "\u2500".repeat(w + 2)).join("\u253C");
+  const formatRow = (row) => row.map((cell, i) => ` ${(cell ?? "").padEnd(colWidths[i])} `).join("\u2502");
+  console.log(pc.bold(formatRow(headers)));
+  console.log(sep);
+  for (const row of rows) {
+    console.log(formatRow(row));
+  }
+}
+
+// src/lib/config.ts
+function loadConfigPartial() {
+  dotenv.config();
+  return {
+    supabaseUrl: process.env.SUPABASE_URL,
+    supabaseServiceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY,
+    databaseUrl: process.env.DATABASE_URL,
+    workspaceId: process.env.WRITBASE_WORKSPACE_ID
+  };
+}
+function loadConfig() {
+  const partial = loadConfigPartial();
+  const missing = [];
+  if (!partial.supabaseUrl) missing.push("SUPABASE_URL");
+  if (!partial.supabaseServiceRoleKey) missing.push("SUPABASE_SERVICE_ROLE_KEY");
+  if (!partial.databaseUrl) missing.push("DATABASE_URL");
+  if (!partial.workspaceId) missing.push("WRITBASE_WORKSPACE_ID");
+  if (missing.length > 0) {
+    error(`Missing required environment variables: ${missing.join(", ")}`);
+    console.log("Run `writbase init` to configure.");
+    process.exit(1);
+  }
+  return partial;
+}
+function writeEnv(vars) {
+  const envPath = join(process.cwd(), ".env");
+  const tmpPath = join(process.cwd(), ".env.tmp");
+  const content = Object.entries(vars).map(([key2, value]) => `${key2}=${value}`).join("\n") + "\n";
+  writeFileSync(tmpPath, content, { mode: 384 });
+  renameSync(tmpPath, envPath);
+}
+
+// src/lib/supabase.ts
+import { createClient } from "@supabase/supabase-js";
+function createAdminClient(url, key2) {
+  return createClient(url, key2, {
+    auth: {
+      autoRefreshToken: false,
+      persistSession: false
+    }
+  });
+}
+
+// src/commands/init.ts
+async function initCommand() {
+  console.log();
+  info("WritBase \u2014 Interactive Setup");
+  console.log();
+  const envPath = join2(process.cwd(), ".env");
+  if (existsSync(envPath)) {
+    const overwrite = await confirm({
+      message: ".env file already exists. Reconfigure?",
+      default: false
+    });
+    if (!overwrite) return;
+  }
+  const existing = loadConfigPartial();
+  let supabaseUrl = existing.supabaseUrl ?? "";
+  let serviceRoleKey = existing.supabaseServiceRoleKey ?? "";
+  let databaseUrl = existing.databaseUrl ?? "";
+  const hasExisting = await confirm({
+    message: "Do you have an existing Supabase project?",
+    default: true
+  });
+  if (hasExisting) {
+    const hosting = await select({
+      message: "Where is your Supabase instance?",
+      choices: [
+        { name: "Hosted (supabase.co)", value: "hosted" },
+        { name: "Local (supabase start)", value: "local" }
+      ]
+    });
+    if (hosting === "local") {
+      try {
+        const statusJson = execSync("supabase status --output json", {
+          encoding: "utf-8",
+          stdio: ["ignore", "pipe", "pipe"]
+        });
+        const status = JSON.parse(statusJson);
+        supabaseUrl = status.API_URL ?? supabaseUrl;
+        serviceRoleKey = status.SERVICE_ROLE_KEY ?? serviceRoleKey;
+        databaseUrl = status.DB_URL ?? databaseUrl;
+        success("Auto-detected local Supabase credentials");
+      } catch {
+        warn("Could not auto-detect. Please enter credentials manually.");
+      }
+    }
+    if (!supabaseUrl) {
+      supabaseUrl = await input({
+        message: "Supabase URL:",
+        default: existing.supabaseUrl
+      });
+    }
+    if (!serviceRoleKey) {
+      serviceRoleKey = await input({
+        message: "Service Role Key:",
+        default: existing.supabaseServiceRoleKey
+      });
+    }
+    if (!databaseUrl) {
+      databaseUrl = await input({
+        message: "Database URL (postgresql://...):",
+        default: existing.databaseUrl
+      });
+    }
+  } else {
+    try {
+      execSync("which supabase", { stdio: "ignore" });
+    } catch {
+      error("Supabase CLI not found.");
+      info("Install: https://supabase.com/docs/guides/cli");
+      process.exit(1);
+    }
+    const startLocal = await confirm({
+      message: "Start a new local Supabase instance? (runs `supabase init` + `supabase start`)",
+      default: true
+    });
+    if (!startLocal) {
+      info("Set up a Supabase project first, then run `writbase init` again.");
+      return;
+    }
+    const spinner2 = createSpinner("Starting local Supabase...").start();
+    try {
+      execSync("supabase init --force", { stdio: "ignore" });
+      execSync("supabase start", { stdio: "ignore", timeout: 12e4 });
+      const statusJson = execSync("supabase status --output json", {
+        encoding: "utf-8",
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+      const status = JSON.parse(statusJson);
+      supabaseUrl = status.API_URL;
+      serviceRoleKey = status.SERVICE_ROLE_KEY;
+      databaseUrl = status.DB_URL;
+      spinner2.success({ text: "Local Supabase started" });
+    } catch (err) {
+      spinner2.error({ text: "Failed to start Supabase" });
+      error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  }
+  const spinner = createSpinner("Validating connection...").start();
+  const supabase = createAdminClient(supabaseUrl, serviceRoleKey);
+  try {
+    const { error: connError } = await supabase.from("_does_not_exist").select("*").limit(1);
+    if (connError && !connError.message.includes("does not exist")) {
+      spinner.error({ text: "Connection failed" });
+      error(connError.message);
+      process.exit(1);
+    }
+    spinner.success({ text: "Connection validated" });
+  } catch (err) {
+    spinner.error({ text: "Connection failed" });
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+  const { error: schemaError } = await supabase.from("workspaces").select("id").limit(1);
+  const schemaExists = !schemaError;
+  if (!schemaExists) {
+    warn("Schema not initialized. Run `writbase migrate` first.");
+    writeEnv({
+      SUPABASE_URL: supabaseUrl,
+      SUPABASE_SERVICE_ROLE_KEY: serviceRoleKey,
+      DATABASE_URL: databaseUrl
+    });
+    success(".env written (partial \u2014 no workspace yet)");
+    console.log();
+    info("Next steps:");
+    console.log("  1. writbase migrate");
+    console.log("  2. writbase init    (re-run to complete setup)");
+    console.log();
+    return;
+  }
+  const { data: workspaces } = await supabase.from("workspaces").select("id, name, slug");
+  let workspaceId;
+  if (workspaces && workspaces.length > 0) {
+    if (workspaces.length === 1) {
+      workspaceId = workspaces[0].id;
+      info(`Using workspace: ${workspaces[0].name} (${workspaces[0].slug})`);
+    } else {
+      workspaceId = await select({
+        message: "Select workspace:",
+        choices: workspaces.map((w) => ({
+          name: `${w.name} (${w.slug})`,
+          value: w.id
+        }))
+      });
+    }
+  } else {
+    info("No workspaces found. Creating one...");
+    const spinner2 = createSpinner("Creating system user and workspace...").start();
+    try {
+      const { data: user, error: userError } = await supabase.auth.admin.createUser({
+        email: "system@writbase.local",
+        password: webcrypto.randomUUID(),
+        email_confirm: true
+      });
+      let userId;
+      if (userError) {
+        if (userError.message?.includes("already") || userError.status === 422) {
+          const { data: existingUsers } = await supabase.auth.admin.listUsers();
+          const existing2 = existingUsers?.users?.find(
+            (u) => u.email === "system@writbase.local"
+          );
+          if (!existing2) {
+            spinner2.error({ text: "Could not find existing system user" });
+            process.exit(1);
+          }
+          userId = existing2.id;
+        } else {
+          throw userError;
+        }
+      } else {
+        userId = user.user.id;
+      }
+      await new Promise((resolve) => setTimeout(resolve, 1e3));
+      const { data: ws } = await supabase.from("workspaces").select("id, name, slug").eq("owner_id", userId).single();
+      if (!ws) {
+        spinner2.error({ text: "Workspace not created by trigger" });
+        error("The handle_new_user() trigger may not be set up. Run `writbase migrate` first.");
+        process.exit(1);
+      }
+      workspaceId = ws.id;
+      spinner2.success({ text: `Workspace created: ${ws.name}` });
+    } catch (err) {
+      spinner2.error({ text: "Failed to create workspace" });
+      error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  }
+  writeEnv({
+    SUPABASE_URL: supabaseUrl,
+    SUPABASE_SERVICE_ROLE_KEY: serviceRoleKey,
+    DATABASE_URL: databaseUrl,
+    WRITBASE_WORKSPACE_ID: workspaceId
+  });
+  console.log();
+  success(".env written");
+  console.log();
+  info("Next steps:");
+  if (!schemaExists) {
+    console.log("  1. writbase migrate");
+    console.log("  2. writbase key create");
+  } else {
+    console.log("  1. writbase key create");
+  }
+  console.log("  Then: writbase status");
+  console.log();
+}
+
+// src/commands/migrate.ts
+import { execSync as execSync2 } from "child_process";
+import { mkdtempSync, mkdirSync, cpSync, writeFileSync as writeFileSync2, rmSync } from "fs";
+import { join as join3 } from "path";
+import { tmpdir } from "os";
+import { fileURLToPath } from "url";
+import { createSpinner as createSpinner2 } from "nanospinner";
+var CONFIG_TOML = `project_id = "writbase"
+
+[api]
+enabled = false
+
+[db]
+port = 54322
+major_version = 15
+
+[auth]
+enabled = false
+`;
+async function migrateCommand(opts) {
+  const config = loadConfig();
+  try {
+    execSync2("which supabase", { stdio: "ignore" });
+  } catch {
+    error("Supabase CLI not found. Install it: https://supabase.com/docs/guides/cli");
+    process.exit(1);
+  }
+  const packageRoot = fileURLToPath(new URL("..", import.meta.url));
+  const migrationsSource = join3(packageRoot, "migrations");
+  const spinner = createSpinner2("Running migrations...").start();
+  const tmpDir = mkdtempSync(join3(tmpdir(), "writbase-migrate-"));
+  try {
+    const supabaseDir = join3(tmpDir, "supabase");
+    mkdirSync(supabaseDir);
+    writeFileSync2(join3(supabaseDir, "config.toml"), CONFIG_TOML);
+    cpSync(migrationsSource, join3(supabaseDir, "migrations"), { recursive: true });
+    const args = [`--db-url "${config.databaseUrl}"`, `--workdir ${tmpDir}`];
+    if (opts.dryRun) args.push("--dry-run");
+    const cmd = `supabase migration up ${args.join(" ")}`;
+    const output = execSync2(cmd, {
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    spinner.success({ text: "Migrations applied" });
+    if (output.trim()) {
+      console.log(output.trim());
+    }
+    if (opts.dryRun) {
+      warn("Dry run \u2014 no changes applied");
+    } else {
+      success("Database schema is up to date");
+    }
+  } catch (err) {
+    spinner.error({ text: "Migration failed" });
+    if (err instanceof Error && "stderr" in err) {
+      error(String(err.stderr));
+    } else {
+      error(err instanceof Error ? err.message : String(err));
+    }
+    process.exit(1);
+  } finally {
+    rmSync(tmpDir, { recursive: true, force: true });
+  }
+}
+
+// src/commands/key.ts
+import { confirm as confirm2, input as input2, select as select2 } from "@inquirer/prompts";
+import { createSpinner as createSpinner3 } from "nanospinner";
+
+// src/lib/agent-keys.ts
+import { webcrypto as webcrypto2 } from "crypto";
+
+// src/lib/event-log.ts
+async function logEvent(supabase, params) {
+  const { error: error2 } = await supabase.from("event_log").insert({
+    event_category: params.eventCategory,
+    target_type: params.targetType,
+    target_id: params.targetId,
+    event_type: params.eventType,
+    field_name: params.fieldName ?? null,
+    old_value: params.oldValue ?? null,
+    new_value: params.newValue ?? null,
+    actor_type: params.actorType,
+    actor_id: params.actorId,
+    actor_label: params.actorLabel,
+    source: params.source,
+    workspace_id: params.workspaceId
+  });
+  if (error2) {
+    console.error(
+      "Failed to log event:",
+      JSON.stringify({
+        event_type: params.eventType,
+        target_id: params.targetId,
+        error: error2.message
+      })
+    );
+  }
+}
+
+// src/lib/agent-keys.ts
+async function hashSecret(secret) {
+  const data = new TextEncoder().encode(secret);
+  const hashBuffer = await webcrypto2.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function generateKey(keyId) {
+  const randomBytes = new Uint8Array(32);
+  webcrypto2.getRandomValues(randomBytes);
+  const secret = Array.from(randomBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const hash = await hashSecret(secret);
+  const prefix = secret.slice(0, 8);
+  const fullKey = `wb_${keyId}_${secret}`;
+  return { fullKey, prefix, hash };
+}
+var KEY_COLUMNS = "id, name, role, key_prefix, is_active, special_prompt, created_at, last_used_at, created_by, project_id, department_id";
+async function listAgentKeys(supabase, workspaceId) {
+  const { data, error: error2 } = await supabase.from("agent_keys").select(KEY_COLUMNS).eq("workspace_id", workspaceId).order("created_at", { ascending: false });
+  if (error2) throw error2;
+  return data;
+}
+async function createAgentKey(supabase, params) {
+  const keyId = webcrypto2.randomUUID();
+  const { fullKey, prefix, hash } = await generateKey(keyId);
+  const { data, error: error2 } = await supabase.from("agent_keys").insert({
+    id: keyId,
+    name: params.name,
+    role: params.role ?? "worker",
+    key_hash: hash,
+    key_prefix: prefix,
+    special_prompt: null,
+    created_by: "writbase-cli",
+    workspace_id: params.workspaceId,
+    project_id: params.projectId ?? null,
+    department_id: params.departmentId ?? null
+  }).select(KEY_COLUMNS).single();
+  if (error2) throw error2;
+  await logEvent(supabase, {
+    eventCategory: "admin",
+    targetType: "agent_key",
+    targetId: data.id,
+    eventType: "agent_key.created",
+    actorType: "system",
+    actorId: "writbase-cli",
+    actorLabel: "writbase-cli",
+    source: "system",
+    workspaceId: params.workspaceId
+  });
+  return { key: data, fullKey };
+}
+async function rotateAgentKey(supabase, params) {
+  const { fullKey, prefix, hash } = await generateKey(params.id);
+  const { data, error: error2 } = await supabase.from("agent_keys").update({ key_hash: hash, key_prefix: prefix }).eq("id", params.id).eq("workspace_id", params.workspaceId).select(KEY_COLUMNS).single();
+  if (error2) throw error2;
+  await logEvent(supabase, {
+    eventCategory: "admin",
+    targetType: "agent_key",
+    targetId: params.id,
+    eventType: "agent_key.rotated",
+    actorType: "system",
+    actorId: "writbase-cli",
+    actorLabel: "writbase-cli",
+    source: "system",
+    workspaceId: params.workspaceId
+  });
+  return { key: data, fullKey };
+}
+async function deactivateAgentKey(supabase, params) {
+  const { data, error: error2 } = await supabase.from("agent_keys").update({ is_active: false }).eq("id", params.id).eq("workspace_id", params.workspaceId).select(KEY_COLUMNS).single();
+  if (error2) throw error2;
+  await logEvent(supabase, {
+    eventCategory: "admin",
+    targetType: "agent_key",
+    targetId: params.id,
+    eventType: "agent_key.deactivated",
+    actorType: "system",
+    actorId: "writbase-cli",
+    actorLabel: "writbase-cli",
+    source: "system",
+    workspaceId: params.workspaceId
+  });
+  return data;
+}
+
+// src/commands/key.ts
+async function resolveKeyByNameOrId(supabase, workspaceId, nameOrId) {
+  const keys = await listAgentKeys(supabase, workspaceId);
+  const byName = keys.find(
+    (k) => k.name.toLowerCase() === nameOrId.toLowerCase()
+  );
+  if (byName) return byName;
+  const byId = keys.filter((k) => k.id.startsWith(nameOrId));
+  if (byId.length === 1) return byId[0];
+  if (byId.length > 1) {
+    error(`Ambiguous ID prefix "${nameOrId}" \u2014 matches ${byId.length} keys`);
+    process.exit(1);
+  }
+  error(`No agent key found matching "${nameOrId}"`);
+  process.exit(1);
+}
+async function keyCreateCommand() {
+  const config = loadConfig();
+  const supabase = createAdminClient(config.supabaseUrl, config.supabaseServiceRoleKey);
+  const name = await input2({ message: "Key name:" });
+  if (!name.trim()) {
+    error("Name is required");
+    process.exit(1);
+  }
+  const role = await select2({
+    message: "Role:",
+    choices: [
+      { name: "worker", value: "worker" },
+      { name: "manager", value: "manager" }
+    ],
+    default: "worker"
+  });
+  let projectId = null;
+  let departmentId = null;
+  const { data: projects } = await supabase.from("projects").select("id, name").eq("workspace_id", config.workspaceId).order("name");
+  if (projects && projects.length > 0) {
+    const projectChoice = await select2({
+      message: "Default project (optional):",
+      choices: [
+        { name: "(none)", value: "" },
+        ...projects.map((p) => ({
+          name: p.name,
+          value: p.id
+        }))
+      ]
+    });
+    if (projectChoice) {
+      projectId = projectChoice;
+      const { data: departments } = await supabase.from("departments").select("id, name").eq("project_id", projectId).order("name");
+      if (departments && departments.length > 0) {
+        const deptChoice = await select2({
+          message: "Default department (optional):",
+          choices: [
+            { name: "(none)", value: "" },
+            ...departments.map((d) => ({
+              name: d.name,
+              value: d.id
+            }))
+          ]
+        });
+        if (deptChoice) departmentId = deptChoice;
+      }
+    }
+  }
+  const spinner = createSpinner3("Creating agent key...").start();
+  try {
+    const { key: key2, fullKey } = await createAgentKey(supabase, {
+      name: name.trim(),
+      role,
+      workspaceId: config.workspaceId,
+      projectId,
+      departmentId
+    });
+    spinner.success({ text: "Agent key created" });
+    console.log();
+    table(
+      ["Field", "Value"],
+      [
+        ["Name", key2.name],
+        ["Role", key2.role],
+        ["ID", key2.id],
+        ["Prefix", key2.key_prefix],
+        ["Active", String(key2.is_active)]
+      ]
+    );
+    console.log();
+    warn("Save this key now \u2014 it cannot be retrieved later:");
+    console.log();
+    console.log(`  ${fullKey}`);
+    console.log();
+  } catch (err) {
+    spinner.error({ text: "Failed to create key" });
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+async function keyListCommand() {
+  const config = loadConfig();
+  const supabase = createAdminClient(config.supabaseUrl, config.supabaseServiceRoleKey);
+  const spinner = createSpinner3("Fetching agent keys...").start();
+  try {
+    const keys = await listAgentKeys(supabase, config.workspaceId);
+    spinner.success({ text: `Found ${keys.length} key(s)` });
+    if (keys.length === 0) return;
+    console.log();
+    table(
+      ["Name", "Role", "Prefix", "Active", "Created"],
+      keys.map((k) => [
+        k.name,
+        k.role,
+        k.key_prefix,
+        k.is_active ? "yes" : "no",
+        new Date(k.created_at).toLocaleDateString()
+      ])
+    );
+  } catch (err) {
+    spinner.error({ text: "Failed to list keys" });
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+async function keyRotateCommand(nameOrId) {
+  const config = loadConfig();
+  const supabase = createAdminClient(config.supabaseUrl, config.supabaseServiceRoleKey);
+  const key2 = await resolveKeyByNameOrId(supabase, config.workspaceId, nameOrId);
+  const confirmed = await confirm2({
+    message: `Rotate key "${key2.name}" (${key2.key_prefix}...)? The old key will stop working immediately.`,
+    default: false
+  });
+  if (!confirmed) return;
+  const spinner = createSpinner3("Rotating key...").start();
+  try {
+    const { fullKey } = await rotateAgentKey(supabase, {
+      id: key2.id,
+      workspaceId: config.workspaceId
+    });
+    spinner.success({ text: "Key rotated" });
+    console.log();
+    warn("Save this new key \u2014 it cannot be retrieved later:");
+    console.log();
+    console.log(`  ${fullKey}`);
+    console.log();
+  } catch (err) {
+    spinner.error({ text: "Failed to rotate key" });
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+async function keyDeactivateCommand(nameOrId) {
+  const config = loadConfig();
+  const supabase = createAdminClient(config.supabaseUrl, config.supabaseServiceRoleKey);
+  const key2 = await resolveKeyByNameOrId(supabase, config.workspaceId, nameOrId);
+  if (!key2.is_active) {
+    warn(`Key "${key2.name}" is already inactive`);
+    return;
+  }
+  const confirmed = await confirm2({
+    message: `Deactivate key "${key2.name}" (${key2.key_prefix}...)? This key will stop working immediately.`,
+    default: false
+  });
+  if (!confirmed) return;
+  const spinner = createSpinner3("Deactivating key...").start();
+  try {
+    await deactivateAgentKey(supabase, {
+      id: key2.id,
+      workspaceId: config.workspaceId
+    });
+    spinner.success({ text: `Key "${key2.name}" deactivated` });
+  } catch (err) {
+    spinner.error({ text: "Failed to deactivate key" });
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+// src/commands/status.ts
+import { createSpinner as createSpinner4 } from "nanospinner";
+async function statusCommand() {
+  const config = loadConfig();
+  const supabase = createAdminClient(config.supabaseUrl, config.supabaseServiceRoleKey);
+  const spinner = createSpinner4("Checking connection...").start();
+  try {
+    const { error: connError } = await supabase.from("app_settings").select("*").limit(1);
+    if (connError) {
+      spinner.error({ text: "Connection failed" });
+      error(connError.message);
+      process.exit(1);
+    }
+    spinner.success({ text: "Connected to Supabase" });
+    const wsId = config.workspaceId;
+    const [workspaces, keys, tasks, projects] = await Promise.all([
+      supabase.from("workspaces").select("*", { count: "exact", head: true }).eq("id", wsId),
+      supabase.from("agent_keys").select("*", { count: "exact", head: true }).eq("workspace_id", wsId),
+      supabase.from("tasks").select("*", { count: "exact", head: true }).eq("workspace_id", wsId),
+      supabase.from("projects").select("*", { count: "exact", head: true }).eq("workspace_id", wsId)
+    ]);
+    console.log();
+    info(`Workspace: ${wsId}`);
+    console.log();
+    table(
+      ["Resource", "Count"],
+      [
+        ["Workspaces", String(workspaces.count ?? 0)],
+        ["Agent Keys", String(keys.count ?? 0)],
+        ["Tasks", String(tasks.count ?? 0)],
+        ["Projects", String(projects.count ?? 0)]
+      ]
+    );
+    console.log();
+    success("WritBase is healthy");
+  } catch (err) {
+    spinner.error({ text: "Health check failed" });
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+// src/bin/writbase.ts
+var program = new Command();
+program.name("writbase").description("WritBase CLI \u2014 agent-first task management").version("0.1.0");
+program.command("init").description("Interactive setup \u2014 configure credentials and workspace").action(initCommand);
+program.command("migrate").description("Apply database migrations via supabase migration up").option("--dry-run", "Show what would be applied without making changes").action(migrateCommand);
+var key = program.command("key").description("Manage agent keys");
+key.command("create").description("Create a new agent key").action(keyCreateCommand);
+key.command("list").description("List all agent keys").action(keyListCommand);
+key.command("rotate <name-or-id>").description("Rotate an agent key (generates new secret)").action(keyRotateCommand);
+key.command("deactivate <name-or-id>").description("Deactivate an agent key").action(keyDeactivateCommand);
+program.command("status").description("Health check \u2014 verify connection and show counts").action(statusCommand);
+program.parse();