Implement CLI commands and admin API endpoints

- Add bootstrap command with direct DB access for initial setup
- Implement auth login/logout/status CLI commands
- Implement user create/confirm-email CLI commands
- Implement org create/list/add-site CLI commands
- Add admin.orgs.* and admin.users.* API endpoints
- Add password hashing utility with scrypt
- Add token hashing and authentication utility
- Add superuser runtime checks for admin endpoints
- Wrap multi-step operations in transactions
- Fix config file permissions (0o600) for security
- Remove token display from status command
- Add return statements to void handlers
- Add reviq CLI command to devenv

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/cli/src/routes/bootstrap.ts

@@ -1,25 +1,150 @@
 import type { LocalContext } from "../context.js";
+import { createDb } from "@reviq/db";
 import { buildCommand } from "@stricli/core";
+import { writeConfig } from "../utils/config.js";
+import { hashPassword } from "../utils/password.js";
+import { generateToken, hashToken } from "../utils/token.js";
 
-function bootstrap(this: LocalContext): void {
+interface BootstrapFlags {
+  email: string;
+  password: string;
+}
+
+async function bootstrap(
+  this: LocalContext,
+  flags: BootstrapFlags,
+): Promise<void> {
   console.log("RevIQ Bootstrap - Create Superuser");
   console.log("===================================\n");
 
-  console.log("TODO: Implement bootstrap command");
-  console.log("\nThis command will:");
-  console.log("  1. Prompt for email address");
-  console.log("  2. Prompt for password (with confirmation)");
-  console.log("  3. Hash password using scrypt (@noble/hashes)");
-  console.log("  4. Create user in database with is_superuser=true");
-  console.log("\nRequirements:");
-  console.log("  - Database must be migrated (run 'dbmate up' first)");
-  console.log("  - DATABASE_URL environment variable must be set");
+  // Validate password length
+  if (flags.password.length < 8) {
+    console.error("Error: Password must be at least 8 characters");
+    this.process.exit(1);
+  }
+
+  const db = createDb();
+
+  try {
+    // Check if user already exists
+    const existing = await db
+      .selectFrom("users")
+      .where("email", "=", flags.email.toLowerCase())
+      .select("id")
+      .executeTakeFirst();
+
+    if (existing) {
+      console.error(`Error: User with email ${flags.email} already exists`);
+      await db.destroy();
+      this.process.exit(1);
+    }
+
+    // Hash the password
+    const passwordHash = hashPassword(flags.password);
+
+    // Create superuser
+    const [user] = await db
+      .insertInto("users")
+      .values({
+        email: flags.email.toLowerCase(),
+        password_hash: passwordHash,
+        is_superuser: true,
+        email_verified_at: new Date(),
+      })
+      .returning(["id", "email"])
+      .execute();
+
+    if (!user) {
+      console.error("Error: Failed to create user");
+      await db.destroy();
+      this.process.exit(1);
+    }
+
+    console.log(`Created superuser: ${user.email}`);
+
+    // Create "reviq" org
+    const [org] = await db
+      .insertInto("orgs")
+      .values({
+        slug: "reviq",
+        display_name: "RevIQ",
+      })
+      .returning(["id", "slug"])
+      .execute();
+
+    if (!org) {
+      console.error("Error: Failed to create org");
+      await db.destroy();
+      this.process.exit(1);
+    }
+
+    // Add user as owner of the org
+    await db
+      .insertInto("org_members")
+      .values({
+        org_id: org.id,
+        user_id: user.id,
+        role: "owner",
+      })
+      .execute();
+
+    console.log(`Created org: ${org.slug}`);
+
+    // Generate API token
+    const token = generateToken();
+    const tokenHashValue = hashToken(token);
+
+    await db
+      .insertInto("api_tokens")
+      .values({
+        user_id: user.id,
+        token_hash: tokenHashValue,
+        name: "CLI bootstrap token",
+        expires_at: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
+      })
+      .execute();
+
+    // Save to config
+    await writeConfig({
+      apiUrl: Bun.env.API_URL ?? "http://localhost:9861",
+      token,
+      email: user.email,
+    });
+
+    console.log("Saved credentials to ~/.config/reviq/credentials.json");
+    console.log("\nBootstrap complete! You can now use the CLI.");
+
+    await db.destroy();
+  } catch (error) {
+    console.error(
+      "Error:",
+      error instanceof Error ? error.message : String(error),
+    );
+    await db.destroy();
+    this.process.exit(1);
+  }
 }
 
 export const bootstrapCommand = buildCommand({
   func: bootstrap,
-  parameters: {},
+  parameters: {
+    flags: {
+      email: {
+        kind: "parsed",
+        parse: String,
+        brief: "Email address for the superuser",
+      },
+      password: {
+        kind: "parsed",
+        parse: String,
+        brief: "Password for the superuser",
+      },
+    },
+  },
   docs: {
-    brief: "Create a superuser account",
+    brief: "Create a superuser account and initial organization",
+    fullDescription:
+      "Creates a superuser with the 'reviq' organization. " +
+      "Requires DATABASE_URL environment variable to be set.",
   },
 });