Implement CLI commands and admin API endpoints

- Add bootstrap command with direct DB access for initial setup - Implement auth login/logout/status CLI commands - Implement user create/confirm-email CLI commands - Implement org create/list/add-site CLI commands - Add admin.orgs.* and admin.users.* API endpoints - Add password hashing utility with scrypt - Add token hashing and authentication utility - Add superuser runtime checks for admin endpoints - Wrap multi-step operations in transactions - Fix config file permissions (0o600) for security - Remove token display from status command - Add return statements to void handlers - Add reviq CLI command to devenv Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:30:10 +08:00
parent 30ee35b25c
commit 410b937f9f
20 changed files with 1267 additions and 85 deletions
--- a/apps/api-server/package.json
+++ b/apps/api-server/package.json
@@ -11,6 +11,7 @@
    "clean": "rm -rf dist .eslintcache"
  },
  "dependencies": {
    "@noble/hashes": "^2.0.1",
    "@orpc/server": "^1.13.2",
    "@reviq/api-contract": "workspace:*",
    "@reviq/db": "workspace:*",
--- a/apps/api-server/src/context.ts
+++ b/apps/api-server/src/context.ts
@@ -34,7 +34,8 @@ export interface SessionUser {
 * Session information
 */
 export interface Session {
-  id: number;
+  /** Session ID (stored as bigint in DB, returned as string) */
  id: string;
  trustedMode: boolean;
  createdAt: Date;
 }
@@ -58,3 +59,12 @@ export interface LoginRequestContext extends APIContext {
  /** User associated with the login request */
  user: SessionUser;
 }
 /**
 * Superuser context for admin procedures
 * Requires user to have is_superuser = true
 */
 export interface SuperuserContext extends AuthenticatedContext {
  /** User with superuser privileges */
  user: SessionUser & { isSuperuser: true };
 }
--- a/apps/api-server/src/router.ts
+++ b/apps/api-server/src/router.ts
@@ -2,6 +2,7 @@ import type {
  APIContext,
  AuthenticatedContext,
  LoginRequestContext,
  SuperuserContext,
 } from "./context.js";
 import { implement } from "@orpc/server";
 import { contract } from "@reviq/api-contract";
@@ -16,6 +17,18 @@ import {
 const os = implement(contract);
 /**
 * Helper to require superuser context with runtime validation
 */
 const requireSuperuser = (context: unknown): SuperuserContext => {
  // Cast to partial type first to allow runtime checks
  const ctx = context as Partial<SuperuserContext>;
  if (!ctx.user?.isSuperuser) {
    throw new Error("Unauthorized: Superuser access required");
  }
  return context as SuperuserContext;
 };
 // Auth procedures
 const signup = os.auth.signup.handler(async () => {
  throw new Error("Not implemented");
@@ -31,9 +44,59 @@ const resendVerificationEmail = os.auth.resendVerificationEmail.handler(
  },
 );
-const createLoginRequest = os.auth.createLoginRequest.handler(async () => {
+const createLoginRequest = os.auth.createLoginRequest.handler(
-  throw new Error("Not implemented");
+  async ({ input, context }) => {
-});
+    const ctx = context as APIContext;
    const email = input.email.toLowerCase();
    const user = await ctx.db
      .selectFrom("users")
      .where("email", "=", email)
      .select(["id", "password_hash"])
      .executeTakeFirst();
    // Check for passkeys
    const hasPasskey = user
      ? (await ctx.db
          .selectFrom("passkeys")
          .where("user_id", "=", user.id)
          .select("id")
          .executeTakeFirst()) !== undefined
      : false;
    const hasPassword = user?.password_hash !== null && user !== undefined;
    if (!user) {
      // Anti-enumeration: return fake response for non-existent users
      return {
        hasPasskey: false,
        hasPassword: false,
        isTrustedDevice: false,
        email,
      };
    }
    // Create login request
    await ctx.db
      .insertInto("login_requests")
      .values({
        user_id: user.id,
        email,
        expires_at: new Date(Date.now() + 15 * 60 * 1000), // 15 min
      })
      .execute();
    // TODO: Set login_request cookie
    // TODO: Check device fingerprint for trusted device
    return {
      hasPasskey,
      hasPassword,
      isTrustedDevice: false,
      email,
    };
  },
 );
 const loginPassword = os.auth.loginPassword.handler(async () => {
  throw new Error("Not implemented");
@@ -57,8 +120,17 @@ const resetPassword = os.auth.resetPassword.handler(async () => {
  throw new Error("Not implemented");
 });
-const logout = os.auth.logout.handler(async () => {
+const logout = os.auth.logout.handler(async ({ context }) => {
-  throw new Error("Not implemented");
+  const ctx = context as AuthenticatedContext;
  // Revoke the current session by setting revoked_at
  await ctx.db
    .updateTable("sessions")
    .set({ revoked_at: new Date() })
    .where("id", "=", ctx.session.id)
    .execute();
  return undefined;
 });
 // WebAuthn procedures
@@ -84,6 +156,8 @@ const verifyRegistration = os.auth.webauthn.verifyRegistration.handler(
    const rpInfo = getRPInfo(ctx.origin, ctx.allowedOrigins, ctx.rpName);
    await verifyReg(ctx.db, rpInfo, ctx.user.id, challengeId, response);
    return undefined;
  },
 );
@@ -113,6 +187,8 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication.handler(
    if (!verified) {
      throw new Error("Authentication failed");
    }
    return undefined;
  },
 );
@@ -161,6 +237,8 @@ const passkeysRename = os.me.passkeys.rename.handler(
      .where("id", "=", String(passkeyId))
      .where("user_id", "=", ctx.user.id)
      .execute();
    return undefined;
  },
 );
@@ -193,6 +271,8 @@ const passkeysDelete = os.me.passkeys.delete.handler(
      .where("id", "=", String(passkeyId))
      .where("user_id", "=", ctx.user.id)
      .execute();
    return undefined;
  },
 );
@@ -291,63 +371,341 @@ const sitesList = os.orgs.sites.list.handler(async () => {
 });
 // Admin orgs procedures
-const adminOrgsList = os.admin.orgs.list.handler(async () => {
+const adminOrgsList = os.admin.orgs.list.handler(async ({ context }) => {
-  throw new Error("Not implemented");
+  const ctx = requireSuperuser(context);
  const orgs = await ctx.db.selectFrom("orgs").selectAll().execute();
  return orgs.map((org) => ({
    id: org.id,
    slug: org.slug,
    displayName: org.display_name,
    logoUrl: org.logo_url,
    createdAt: org.created_at,
  }));
 });
-const adminOrgsGet = os.admin.orgs.get.handler(async () => {
+const adminOrgsGet = os.admin.orgs.get.handler(async ({ input, context }) => {
-  throw new Error("Not implemented");
+  const ctx = requireSuperuser(context);
  const org = await ctx.db
    .selectFrom("orgs")
    .where("slug", "=", input.slug)
    .selectAll()
    .executeTakeFirst();
  if (!org) {
    throw new Error("Org not found");
  }
  return {
    id: org.id,
    slug: org.slug,
    displayName: org.display_name,
    logoUrl: org.logo_url,
    createdAt: org.created_at,
  };
 });
-const adminOrgsCreate = os.admin.orgs.create.handler(async () => {
+const adminOrgsCreate = os.admin.orgs.create.handler(
-  throw new Error("Not implemented");
+  async ({ input, context }) => {
    const ctx = requireSuperuser(context);
    const { slug, displayName, ownerEmail } = input;
    // Use transaction to ensure atomicity
    const orgSlug = await ctx.db.transaction().execute(async (trx) => {
      // Find or create owner user
      let owner = await trx
        .selectFrom("users")
        .where("email", "=", ownerEmail.toLowerCase())
        .select("id")
        .executeTakeFirst();
      if (!owner) {
        const result = await trx
          .insertInto("users")
          .values({ email: ownerEmail.toLowerCase() })
          .returning("id")
          .executeTakeFirst();
        owner = result;
      }
      if (!owner) {
        throw new Error("Failed to create owner user");
      }
      // Create org
      const org = await trx
        .insertInto("orgs")
        .values({ slug, display_name: displayName })
        .returning(["id", "slug"])
        .executeTakeFirst();
      if (!org) {
        throw new Error("Failed to create org");
      }
      // Add owner membership
      await trx
        .insertInto("org_members")
        .values({ org_id: org.id, user_id: owner.id, role: "owner" })
        .execute();
      return org.slug;
    });
-const adminOrgsUpdate = os.admin.orgs.update.handler(async () => {
+    return { slug: orgSlug };
-  throw new Error("Not implemented");
+  },
-});
+);
-const adminOrgsDelete = os.admin.orgs.delete.handler(async () => {
+const adminOrgsUpdate = os.admin.orgs.update.handler(
-  throw new Error("Not implemented");
+  async ({ input, context }) => {
-});
+    const ctx = requireSuperuser(context);
    const { slug, displayName, logoUrl } = input;
-const adminOrgsListSites = os.admin.orgs.listSites.handler(async () => {
+    const updates: Record<string, string | undefined> = {};
-  throw new Error("Not implemented");
+    if (displayName !== undefined) {
-});
+      updates.display_name = displayName;
    }
    if (logoUrl !== undefined) {
      updates.logo_url = logoUrl;
    }
-const adminOrgsAddSite = os.admin.orgs.addSite.handler(async () => {
+    if (Object.keys(updates).length > 0) {
-  throw new Error("Not implemented");
+      await ctx.db
-});
+        .updateTable("orgs")
        .set(updates)
        .where("slug", "=", slug)
        .execute();
    }
-const adminOrgsRemoveSite = os.admin.orgs.removeSite.handler(async () => {
+    return undefined;
-  throw new Error("Not implemented");
+  },
-});
+);
 const adminOrgsDelete = os.admin.orgs.delete.handler(
  async ({ input, context }) => {
    const ctx = requireSuperuser(context);
    await ctx.db.deleteFrom("orgs").where("slug", "=", input.slug).execute();
    return undefined;
  },
 );
 const adminOrgsListSites = os.admin.orgs.listSites.handler(
  async ({ input, context }) => {
    const ctx = requireSuperuser(context);
    const org = await ctx.db
      .selectFrom("orgs")
      .where("slug", "=", input.slug)
      .select("id")
      .executeTakeFirst();
    if (!org) {
      throw new Error("Org not found");
    }
    const sites = await ctx.db
      .selectFrom("org_sites")
      .where("org_id", "=", org.id)
      .selectAll()
      .execute();
    return sites.map((site) => ({
      id: site.id,
      domain: site.domain,
      createdAt: site.created_at,
    }));
  },
 );
 const adminOrgsAddSite = os.admin.orgs.addSite.handler(
  async ({ input, context }) => {
    const ctx = requireSuperuser(context);
    const { slug, domain } = input;
    const org = await ctx.db
      .selectFrom("orgs")
      .where("slug", "=", slug)
      .select("id")
      .executeTakeFirst();
    if (!org) {
      throw new Error("Org not found");
    }
    await ctx.db
      .insertInto("org_sites")
      .values({ org_id: org.id, domain })
      .execute();
    return undefined;
  },
 );
 const adminOrgsRemoveSite = os.admin.orgs.removeSite.handler(
  async ({ input, context }) => {
    const ctx = requireSuperuser(context);
    const { slug, domain } = input;
    const org = await ctx.db
      .selectFrom("orgs")
      .where("slug", "=", slug)
      .select("id")
      .executeTakeFirst();
    if (!org) {
      throw new Error("Org not found");
    }
    await ctx.db
      .deleteFrom("org_sites")
      .where("org_id", "=", org.id)
      .where("domain", "=", domain)
      .execute();
    return undefined;
  },
 );
 // Admin users procedures
-const adminUsersList = os.admin.users.list.handler(async () => {
+const adminUsersList = os.admin.users.list.handler(async ({ context }) => {
-  throw new Error("Not implemented");
+  const ctx = requireSuperuser(context);
  const users = await ctx.db.selectFrom("users").selectAll().execute();
  return users.map((user) => ({
    id: user.id,
    email: user.email,
    displayName: user.display_name,
    fullName: user.full_name,
    phoneNumber: user.phone_number,
    avatarUrl: user.avatar_url,
    emailVerified: user.email_verified_at !== null,
    needsSetup: user.display_name === null,
    isSuperuser: user.is_superuser,
  }));
 });
-const adminUsersGet = os.admin.users.get.handler(async () => {
+const adminUsersGet = os.admin.users.get.handler(async ({ input, context }) => {
-  throw new Error("Not implemented");
+  const ctx = requireSuperuser(context);
  const user = await ctx.db
    .selectFrom("users")
    .where("email", "=", input.email.toLowerCase())
    .selectAll()
    .executeTakeFirst();
  if (!user) {
    throw new Error("User not found");
  }
  return {
    id: user.id,
    email: user.email,
    displayName: user.display_name,
    fullName: user.full_name,
    phoneNumber: user.phone_number,
    avatarUrl: user.avatar_url,
    emailVerified: user.email_verified_at !== null,
    needsSetup: user.display_name === null,
    isSuperuser: user.is_superuser,
  };
 });
-const adminUsersCreate = os.admin.users.create.handler(async () => {
+const adminUsersCreate = os.admin.users.create.handler(
-  throw new Error("Not implemented");
+  async ({ input, context }) => {
    const ctx = requireSuperuser(context);
    const { email, name, orgSlug, orgRole } = input;
    // Use transaction to ensure atomicity when adding to org
    await ctx.db.transaction().execute(async (trx) => {
      const result = await trx
        .insertInto("users")
        .values({
          email: email.toLowerCase(),
          display_name: name ?? null,
        })
        .returning("id")
        .executeTakeFirst();
      if (!result) {
        throw new Error("Failed to create user");
      }
      // Add to org if specified
      if (orgSlug) {
        const org = await trx
          .selectFrom("orgs")
          .where("slug", "=", orgSlug)
          .select("id")
          .executeTakeFirst();
        if (org) {
          await trx
            .insertInto("org_members")
            .values({
              org_id: org.id,
              user_id: result.id,
              role: orgRole ?? "member",
            })
            .execute();
        }
      }
    });
-const adminUsersUpdate = os.admin.users.update.handler(async () => {
+    return undefined;
-  throw new Error("Not implemented");
+  },
-});
+);
-const adminUsersConfirmEmail = os.admin.users.confirmEmail.handler(async () => {
+const adminUsersUpdate = os.admin.users.update.handler(
-  throw new Error("Not implemented");
+  async ({ input, context }) => {
-});
+    const ctx = requireSuperuser(context);
    const { email, isSuperuser } = input;
    if (isSuperuser !== undefined) {
      await ctx.db
        .updateTable("users")
        .set({ is_superuser: isSuperuser })
        .where("email", "=", email.toLowerCase())
        .execute();
    }
    return undefined;
  },
 );
 const adminUsersConfirmEmail = os.admin.users.confirmEmail.handler(
  async ({ input, context }) => {
    const ctx = requireSuperuser(context);
    await ctx.db
      .updateTable("users")
      .set({ email_verified_at: new Date() })
      .where("email", "=", input.email.toLowerCase())
      .execute();
    return undefined;
  },
 );
 // Admin auth procedures
-const adminAuthCompleteLogin = os.admin.auth.completeLogin.handler(async () => {
+const adminAuthCompleteLogin = os.admin.auth.completeLogin.handler(
-  throw new Error("Not implemented");
+  async ({ input, context }) => {
-});
+    const ctx = requireSuperuser(context);
    // Find user by email
    const user = await ctx.db
      .selectFrom("users")
      .where("email", "=", input.email.toLowerCase())
      .select("id")
      .executeTakeFirst();
    if (!user) {
      throw new Error("User not found");
    }
    // Complete the most recent pending login request for this user
    await ctx.db
      .updateTable("login_requests")
      .set({ completed_at: new Date() })
      .where("user_id", "=", user.id)
      .where("completed_at", "is", null)
      .where("expires_at", ">", new Date())
      .execute();
    return undefined;
  },
 );
 // Build the router
 export const router = os.router({
--- a/apps/api-server/src/utils/auth.ts
+++ b/apps/api-server/src/utils/auth.ts
@@ -0,0 +1,82 @@
 /**
 * Authentication utilities for token handling
 */
 import type { Database } from "@reviq/db-schema";
 import type { Kysely } from "kysely";
 import { sha256 } from "@noble/hashes/sha2.js";
 export interface AuthenticatedUser {
  id: number;
  email: string;
  isSuperuser: boolean;
 }
 /**
 * Hash a token using SHA-256
 */
 export const hashToken = (token: string): string => {
  return Buffer.from(sha256(Buffer.from(token))).toString("hex");
 };
 /**
 * Authenticate a request using session token or API key
 * Returns the authenticated user or null if not authenticated
 */
 export const authenticateRequest = async (
  db: Kysely<Database>,
  sessionToken?: string,
  apiKey?: string,
 ): Promise<AuthenticatedUser | null> => {
  // Try session cookie first, then API key
  const token = sessionToken ?? apiKey;
  if (!token) {
    return null;
  }
  const tokenHash = hashToken(token);
  // Check sessions table
  const session = await db
    .selectFrom("sessions")
    .innerJoin("users", "users.id", "sessions.user_id")
    .where("sessions.token_hash", "=", tokenHash)
    .where("sessions.expires_at", ">", new Date())
    .where("sessions.revoked_at", "is", null)
    .select(["users.id", "users.email", "users.is_superuser"])
    .executeTakeFirst();
  if (session) {
    return {
      id: session.id,
      email: session.email,
      isSuperuser: session.is_superuser,
    };
  }
  // Check API tokens table
  const apiToken = await db
    .selectFrom("api_tokens")
    .innerJoin("users", "users.id", "api_tokens.user_id")
    .where("api_tokens.token_hash", "=", tokenHash)
    .where("api_tokens.expires_at", ">", new Date())
    .select(["users.id", "users.email", "users.is_superuser"])
    .executeTakeFirst();
  if (apiToken) {
    // Update last_used_at
    await db
      .updateTable("api_tokens")
      .set({ last_used_at: new Date() })
      .where("token_hash", "=", tokenHash)
      .execute();
    return {
      id: apiToken.id,
      email: apiToken.email,
      isSuperuser: apiToken.is_superuser,
    };
  }
  return null;
 };
--- a/apps/api-server/src/utils/password.ts
+++ b/apps/api-server/src/utils/password.ts
@@ -0,0 +1,58 @@
 /**
 * Password hashing utilities using scrypt from @noble/hashes
 */
 import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
 import { randomBytes } from "@noble/hashes/utils.js";
 // scrypt parameters: N=2^17, r=8, p=1, dkLen=32
 const N = 131072;
 const r = 8;
 const p = 1;
 const dkLen = 32;
 /**
 * Hash a password using scrypt
 * Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
 */
 export const hashPassword = (password: string): string => {
  const salt = randomBytes(16);
  const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
  return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
 };
 /**
 * Verify a password against a stored hash
 * Uses constant-time comparison to prevent timing attacks
 */
 export const verifyPassword = (password: string, stored: string): boolean => {
  const parts = stored.split("$");
  if (parts.length !== 5 || parts[0] !== "scrypt") {
    return false;
  }
  const saltStr = parts[3];
  const hashStr = parts[4];
  if (!(saltStr && hashStr)) {
    return false;
  }
  const salt = Buffer.from(saltStr, "base64");
  const storedHash = Buffer.from(hashStr, "base64");
  const computedHash = nobleScrypt(password, salt, { N, r, p, dkLen });
  // Constant-time comparison
  if (storedHash.length !== computedHash.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < storedHash.length; i++) {
    const storedByte = storedHash[i];
    const computedByte = computedHash[i];
    if (storedByte === undefined || computedByte === undefined) {
      return false;
    }
    diff |= storedByte ^ computedByte;
  }
  return diff === 0;
 };
--- a/apps/cli/src/routes/auth/login.ts
+++ b/apps/cli/src/routes/auth/login.ts
@@ -1,15 +1,163 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { readConfig } from "../../utils/config.js";
 import { generateToken, hashToken } from "../../utils/token.js";
-function login(this: LocalContext): void {
+interface LoginFlags {
-  console.log("Auth login command - Not implemented");
+  email: string;
-  console.log("This command will authenticate a user and store credentials");
+  "api-url"?: string;
 }
 interface LoginStatusOutput {
  status: "pending" | "completed" | "expired";
 }
 async function login(this: LocalContext, flags: LoginFlags): Promise<void> {
  const apiUrl = flags["api-url"] ?? "http://localhost:9861";
  // Check if already logged in
  const existingConfig = await readConfig();
  if (existingConfig) {
    console.log(`Already logged in as ${existingConfig.email}`);
    console.log(`Use 'reviq auth logout' to logout first.`);
    return;
  }
  console.log("Starting login flow...\n");
  // Generate a unique callback token for this login request
  const callbackToken = generateToken();
  const callbackTokenHash = hashToken(callbackToken);
  try {
    // Create login request
    const createResponse = await fetch(
      `${apiUrl}/api/v1/rpc/auth.createLoginRequest`,
      {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
        },
        body: JSON.stringify({ email: flags.email }),
      },
    );
    if (!createResponse.ok) {
      const text = await createResponse.text();
      console.error(`Error creating login request: ${text}`);
      this.process.exit(1);
    }
    // Construct the login URL
    const loginUrl = new URL(`${apiUrl}/login`);
    loginUrl.searchParams.set("email", flags.email);
    loginUrl.searchParams.set("cli_callback", callbackTokenHash);
    console.log("Opening browser for authentication...");
    console.log(`\nIf the browser doesn't open, visit:`);
    console.log(`  ${loginUrl.toString()}\n`);
    // Try to open the browser
    const openCommand =
      process.platform === "darwin"
        ? "open"
        : process.platform === "win32"
          ? "start"
          : "xdg-open";
    try {
      const proc = Bun.spawn([openCommand, loginUrl.toString()], {
        stdout: "ignore",
        stderr: "ignore",
      });
      await proc.exited;
    } catch {
      // Ignore errors opening browser - user can use the URL
    }
    console.log("Waiting for login to complete...");
    console.log("(Press Ctrl+C to cancel)\n");
    // Poll for completion
    const maxAttempts = 120; // 2 minutes at 1 second intervals
    let attempts = 0;
    while (attempts < maxAttempts) {
      await new Promise((resolve) => setTimeout(resolve, 1000));
      attempts++;
      try {
        const statusResponse = await fetch(
          `${apiUrl}/api/v1/rpc/auth.loginIfRequestIsCompleted`,
          {
            method: "POST",
            headers: {
              "Content-Type": "application/json",
              "X-CLI-Callback-Token": callbackToken,
            },
          },
        );
        if (statusResponse.ok) {
          const status = (await statusResponse.json()) as LoginStatusOutput;
          if (status.status === "completed") {
            // Login completed - we should have received a token
            // For now, we'll need the API to return the token
            console.log("Login completed successfully!");
            // TODO: The API needs to return the session token when login completes
            // For now, this is a placeholder
            console.log(
              "\nNote: Browser-based login flow requires API integration.",
            );
            console.log("Use 'reviq bootstrap' to create initial credentials.");
            return;
          }
          if (status.status === "expired") {
            console.error("Login request expired. Please try again.");
            this.process.exit(1);
          }
        }
      } catch {
        // Ignore polling errors and continue
      }
      // Show progress indicator
      process.stdout.write(".");
    }
    console.log("\n\nLogin timed out. Please try again.");
    this.process.exit(1);
  } catch (error) {
    console.error(
      "Error:",
      error instanceof Error ? error.message : String(error),
    );
    this.process.exit(1);
  }
 }
 export const loginCommand = buildCommand({
  func: login,
-  parameters: {},
+  parameters: {
    flags: {
      email: {
        kind: "parsed",
        parse: String,
        brief: "Email address to login with",
      },
      "api-url": {
        kind: "parsed",
        parse: String,
        brief: "API URL (default: http://localhost:9861)",
        optional: true,
      },
    },
  },
  docs: {
    brief: "Login to RevIQ",
    fullDescription:
      "Opens a browser to complete authentication and stores the credentials locally.",
  },
 });
--- a/apps/cli/src/routes/auth/logout.ts
+++ b/apps/cli/src/routes/auth/logout.ts
@@ -1,9 +1,20 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { deleteConfig, getConfigPath, readConfig } from "../../utils/config.js";
-function logout(this: LocalContext): void {
+async function logout(this: LocalContext): Promise<void> {
-  console.log("Auth logout command - Not implemented");
+  const config = await readConfig();
-  console.log("This command will clear stored authentication credentials");
+
  if (!config) {
    console.log("Not logged in");
    return;
  }
  // Delete the config file
  await deleteConfig();
  console.log("Logged out successfully");
  console.log(`Removed credentials from ${getConfigPath()}`);
 }
 export const logoutCommand = buildCommand({
@@ -11,5 +22,7 @@ export const logoutCommand = buildCommand({
  parameters: {},
  docs: {
    brief: "Logout from RevIQ",
    fullDescription:
      "Removes stored authentication credentials from the local config file.",
  },
 });
--- a/apps/cli/src/routes/auth/status.ts
+++ b/apps/cli/src/routes/auth/status.ts
@@ -1,9 +1,25 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { getConfigPath, readConfig } from "../../utils/config.js";
-function status(this: LocalContext): void {
+async function status(this: LocalContext): Promise<void> {
-  console.log("Auth status command - Not implemented");
+  const config = await readConfig();
-  console.log("This command will show current authentication status");
+
  if (!config) {
    console.log("Not logged in");
    console.log(`\nConfig file: ${getConfigPath()} (not found)`);
    console.log(
      "\nRun 'reviq bootstrap' to create a superuser or 'reviq auth login' to authenticate.",
    );
    return;
  }
  console.log("Authentication Status");
  console.log("=====================\n");
  console.log(`Email: ${config.email}`);
  console.log(`API URL: ${config.apiUrl}`);
  console.log(`Config file: ${getConfigPath()}`);
  console.log("Token: [configured]");
 }
 export const statusCommand = buildCommand({
@@ -11,5 +27,7 @@ export const statusCommand = buildCommand({
  parameters: {},
  docs: {
    brief: "Check authentication status",
    fullDescription:
      "Shows the current authentication status and config file location.",
  },
 });
--- a/apps/cli/src/routes/bootstrap.ts
+++ b/apps/cli/src/routes/bootstrap.ts
@@ -1,25 +1,150 @@
 import type { LocalContext } from "../context.js";
 import { createDb } from "@reviq/db";
 import { buildCommand } from "@stricli/core";
 import { writeConfig } from "../utils/config.js";
 import { hashPassword } from "../utils/password.js";
 import { generateToken, hashToken } from "../utils/token.js";
-function bootstrap(this: LocalContext): void {
+interface BootstrapFlags {
  email: string;
  password: string;
 }
 async function bootstrap(
  this: LocalContext,
  flags: BootstrapFlags,
 ): Promise<void> {
  console.log("RevIQ Bootstrap - Create Superuser");
  console.log("===================================\n");
-  console.log("TODO: Implement bootstrap command");
+  // Validate password length
-  console.log("\nThis command will:");
+  if (flags.password.length < 8) {
-  console.log("  1. Prompt for email address");
+    console.error("Error: Password must be at least 8 characters");
-  console.log("  2. Prompt for password (with confirmation)");
+    this.process.exit(1);
-  console.log("  3. Hash password using scrypt (@noble/hashes)");
+  }
-  console.log("  4. Create user in database with is_superuser=true");
+
-  console.log("\nRequirements:");
+  const db = createDb();
-  console.log("  - Database must be migrated (run 'dbmate up' first)");
+
-  console.log("  - DATABASE_URL environment variable must be set");
+  try {
    // Check if user already exists
    const existing = await db
      .selectFrom("users")
      .where("email", "=", flags.email.toLowerCase())
      .select("id")
      .executeTakeFirst();
    if (existing) {
      console.error(`Error: User with email ${flags.email} already exists`);
      await db.destroy();
      this.process.exit(1);
    }
    // Hash the password
    const passwordHash = hashPassword(flags.password);
    // Create superuser
    const [user] = await db
      .insertInto("users")
      .values({
        email: flags.email.toLowerCase(),
        password_hash: passwordHash,
        is_superuser: true,
        email_verified_at: new Date(),
      })
      .returning(["id", "email"])
      .execute();
    if (!user) {
      console.error("Error: Failed to create user");
      await db.destroy();
      this.process.exit(1);
    }
    console.log(`Created superuser: ${user.email}`);
    // Create "reviq" org
    const [org] = await db
      .insertInto("orgs")
      .values({
        slug: "reviq",
        display_name: "RevIQ",
      })
      .returning(["id", "slug"])
      .execute();
    if (!org) {
      console.error("Error: Failed to create org");
      await db.destroy();
      this.process.exit(1);
    }
    // Add user as owner of the org
    await db
      .insertInto("org_members")
      .values({
        org_id: org.id,
        user_id: user.id,
        role: "owner",
      })
      .execute();
    console.log(`Created org: ${org.slug}`);
    // Generate API token
    const token = generateToken();
    const tokenHashValue = hashToken(token);
    await db
      .insertInto("api_tokens")
      .values({
        user_id: user.id,
        token_hash: tokenHashValue,
        name: "CLI bootstrap token",
        expires_at: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
      })
      .execute();
    // Save to config
    await writeConfig({
      apiUrl: Bun.env.API_URL ?? "http://localhost:9861",
      token,
      email: user.email,
    });
    console.log("Saved credentials to ~/.config/reviq/credentials.json");
    console.log("\nBootstrap complete! You can now use the CLI.");
    await db.destroy();
  } catch (error) {
    console.error(
      "Error:",
      error instanceof Error ? error.message : String(error),
    );
    await db.destroy();
    this.process.exit(1);
  }
 }
 export const bootstrapCommand = buildCommand({
  func: bootstrap,
-  parameters: {},
+  parameters: {
    flags: {
      email: {
        kind: "parsed",
        parse: String,
        brief: "Email address for the superuser",
      },
      password: {
        kind: "parsed",
        parse: String,
        brief: "Password for the superuser",
      },
    },
  },
  docs: {
-    brief: "Create a superuser account",
+    brief: "Create a superuser account and initial organization",
    fullDescription:
      "Creates a superuser with the 'reviq' organization. " +
      "Requires DATABASE_URL environment variable to be set.",
  },
 });
--- a/apps/cli/src/routes/org/add-site.ts
+++ b/apps/cli/src/routes/org/add-site.ts
@@ -1,15 +1,49 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { createApiClient } from "../../utils/api-client.js";
-function addSite(this: LocalContext): void {
+interface AddSiteFlags {
-  console.log("Org add-site command - Not implemented");
+  org: string;
-  console.log("This command will add a site to an organization");
+  domain: string;
 }
 async function addSite(this: LocalContext, flags: AddSiteFlags): Promise<void> {
  try {
    const client = await createApiClient();
    await client.call("admin.orgs.addSite", {
      slug: flags.org,
      domain: flags.domain,
    });
    console.log(`Added site ${flags.domain} to org ${flags.org}`);
  } catch (error) {
    console.error(
      "Error:",
      error instanceof Error ? error.message : String(error),
    );
    this.process.exit(1);
  }
 }
 export const addSiteCommand = buildCommand({
  func: addSite,
-  parameters: {},
+  parameters: {
    flags: {
      org: {
        kind: "parsed",
        parse: String,
        brief: "Org slug to add the site to",
      },
      domain: {
        kind: "parsed",
        parse: String,
        brief: "Domain to add (e.g. example.com)",
      },
    },
  },
  docs: {
    brief: "Add a site to an organization",
    fullDescription: "Adds a site domain to an organization via the admin API.",
  },
 });
--- a/apps/cli/src/routes/org/create.ts
+++ b/apps/cli/src/routes/org/create.ts
@@ -1,15 +1,61 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { createApiClient } from "../../utils/api-client.js";
-function create(this: LocalContext): void {
+interface CreateOrgFlags {
-  console.log("Org create command - Not implemented");
+  slug: string;
-  console.log("This command will create a new organization");
+  name: string;
  owner: string;
 }
 async function create(
  this: LocalContext,
  flags: CreateOrgFlags,
 ): Promise<void> {
  try {
    const client = await createApiClient();
    const result = await client.call<{ slug: string }>("admin.orgs.create", {
      slug: flags.slug,
      displayName: flags.name,
      ownerEmail: flags.owner,
    });
    console.log(`Created org: ${result.slug}`);
    console.log(`Owner: ${flags.owner}`);
  } catch (error) {
    console.error(
      "Error:",
      error instanceof Error ? error.message : String(error),
    );
    this.process.exit(1);
  }
 }
 export const createCommand = buildCommand({
  func: create,
-  parameters: {},
+  parameters: {
    flags: {
      slug: {
        kind: "parsed",
        parse: String,
        brief: "URL-friendly slug for the org",
      },
      name: {
        kind: "parsed",
        parse: String,
        brief: "Display name for the org",
      },
      owner: {
        kind: "parsed",
        parse: String,
        brief: "Email of the org owner",
      },
    },
  },
  docs: {
    brief: "Create an organization",
    fullDescription:
      "Creates a new organization with the specified owner via the admin API.",
  },
 });
--- a/apps/cli/src/routes/org/list.ts
+++ b/apps/cli/src/routes/org/list.ts
@@ -1,9 +1,44 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { createApiClient } from "../../utils/api-client.js";
-function list(this: LocalContext): void {
+interface OrgOutput {
-  console.log("Org list command - Not implemented");
+  id: number;
-  console.log("This command will list all organizations");
+  slug: string;
  displayName: string;
  logoUrl: string | null;
  createdAt: string;
 }
 async function list(this: LocalContext): Promise<void> {
  try {
    const client = await createApiClient();
    const orgs = await client.call<OrgOutput[]>("admin.orgs.list", {});
    if (orgs.length === 0) {
      console.log("No organizations found");
      return;
    }
    console.log("Organizations:");
    console.log("==============\n");
    for (const org of orgs) {
      console.log(org.slug);
      console.log(`  Name: ${org.displayName}`);
      console.log(`  Created: ${new Date(org.createdAt).toLocaleDateString()}`);
      console.log();
    }
    console.log(`Total: ${String(orgs.length)} organization(s)`);
  } catch (error) {
    console.error(
      "Error:",
      error instanceof Error ? error.message : String(error),
    );
    this.process.exit(1);
  }
 }
 export const listCommand = buildCommand({
@@ -11,5 +46,6 @@ export const listCommand = buildCommand({
  parameters: {},
  docs: {
    brief: "List organizations",
    fullDescription: "Lists all organizations via the admin API.",
  },
 });
--- a/apps/cli/src/routes/user/confirm-email.ts
+++ b/apps/cli/src/routes/user/confirm-email.ts
@@ -1,15 +1,46 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { createApiClient } from "../../utils/api-client.js";
-function confirmEmail(this: LocalContext): void {
+interface ConfirmEmailFlags {
-  console.log("User confirm-email command - Not implemented");
+  email: string;
-  console.log("This command will confirm a user's email address");
+}
 async function confirmEmail(
  this: LocalContext,
  flags: ConfirmEmailFlags,
 ): Promise<void> {
  try {
    const client = await createApiClient();
    await client.call("admin.users.confirmEmail", {
      email: flags.email,
    });
    console.log(`Confirmed email for: ${flags.email}`);
  } catch (error) {
    console.error(
      "Error:",
      error instanceof Error ? error.message : String(error),
    );
    this.process.exit(1);
  }
 }
 export const confirmEmailCommand = buildCommand({
  func: confirmEmail,
-  parameters: {},
+  parameters: {
    flags: {
      email: {
        kind: "parsed",
        parse: String,
        brief: "Email address to confirm",
      },
    },
  },
  docs: {
    brief: "Confirm user email",
    fullDescription:
      "Confirms a user's email address via the admin API. This is useful for development when email sending is not configured.",
  },
 });
--- a/apps/cli/src/routes/user/create.ts
+++ b/apps/cli/src/routes/user/create.ts
@@ -1,15 +1,72 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
 import { createApiClient } from "../../utils/api-client.js";
-function create(this: LocalContext): void {
+interface CreateUserFlags {
-  console.log("User create command - Not implemented");
+  email: string;
-  console.log("This command will create a new user account");
+  name?: string;
  org?: string;
  role?: string;
 }
 async function create(
  this: LocalContext,
  flags: CreateUserFlags,
 ): Promise<void> {
  try {
    const client = await createApiClient();
    await client.call("admin.users.create", {
      email: flags.email,
      name: flags.name,
      orgSlug: flags.org,
      orgRole: flags.role,
    });
    console.log(`Created user: ${flags.email}`);
    if (flags.org) {
      console.log(`Added to org: ${flags.org} as ${flags.role ?? "member"}`);
    }
  } catch (error) {
    console.error(
      "Error:",
      error instanceof Error ? error.message : String(error),
    );
    this.process.exit(1);
  }
 }
 export const createCommand = buildCommand({
  func: create,
-  parameters: {},
+  parameters: {
    flags: {
      email: {
        kind: "parsed",
        parse: String,
        brief: "Email address for the new user",
      },
      name: {
        kind: "parsed",
        parse: String,
        brief: "Display name for the user",
        optional: true,
      },
      org: {
        kind: "parsed",
        parse: String,
        brief: "Org slug to add the user to",
        optional: true,
      },
      role: {
        kind: "parsed",
        parse: String,
        brief: "Role in the org (owner, admin, member)",
        optional: true,
      },
    },
  },
  docs: {
    brief: "Create a new user",
    fullDescription: "Creates a new user account via the admin API.",
  },
 });
--- a/apps/cli/src/utils/api-client.ts
+++ b/apps/cli/src/utils/api-client.ts
@@ -0,0 +1,61 @@
 /**
 * API client utilities for CLI commands
 */
 import { readConfig } from "./config.js";
 export interface ApiClientError {
  code: string;
  message: string;
 }
 /**
 * Create an API client with the stored credentials
 * Throws an error if not logged in
 */
 export const createApiClient = async () => {
  const config = await readConfig();
  if (!config) {
    throw new Error(
      "Not logged in. Run 'reviq bootstrap' or 'reviq auth login' first.",
    );
  }
  return {
    /**
     * Call an oRPC procedure
     */
    call: async <T>(path: string, input?: unknown): Promise<T> => {
      const url = `${config.apiUrl}/api/v1/rpc/${path}`;
      const response = await fetch(url, {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
          "X-API-Key": config.token,
        },
        body: input !== undefined ? JSON.stringify(input) : undefined,
      });
      if (!response.ok) {
        const text = await response.text();
        let errorMessage = `API error: ${String(response.status)} ${response.statusText}`;
        try {
          const error = JSON.parse(text) as ApiClientError;
          if (error.message) {
            errorMessage = error.message;
          }
        } catch {
          if (text) {
            errorMessage = text;
          }
        }
        throw new Error(errorMessage);
      }
      return response.json() as Promise<T>;
    },
    config,
  };
 };
 export type ApiClient = Awaited<ReturnType<typeof createApiClient>>;
--- a/apps/cli/src/utils/config.ts
+++ b/apps/cli/src/utils/config.ts
@@ -0,0 +1,58 @@
 /**
 * CLI configuration utilities
 * Stores credentials at ~/.config/reviq/credentials.json
 */
 import { mkdir, readFile, unlink, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { join } from "node:path";
 export interface Config {
  apiUrl: string;
  token: string;
  email: string;
 }
 const CONFIG_DIR = join(homedir(), ".config", "reviq");
 const CONFIG_FILE = join(CONFIG_DIR, "credentials.json");
 /**
 * Get the path to the config file
 */
 export const getConfigPath = (): string => CONFIG_FILE;
 /**
 * Read the config file
 * Returns null if the file doesn't exist or is invalid
 */
 export const readConfig = async (): Promise<Config | null> => {
  try {
    const data = await readFile(CONFIG_FILE, "utf-8");
    return JSON.parse(data) as Config;
  } catch {
    return null;
  }
 };
 /**
 * Write the config file
 * Creates the config directory if it doesn't exist
 */
 export const writeConfig = async (config: Config): Promise<void> => {
  await mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
  await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), {
    mode: 0o600,
  });
 };
 /**
 * Delete the config file
 * Ignores errors if the file doesn't exist
 */
 export const deleteConfig = async (): Promise<void> => {
  try {
    await unlink(CONFIG_FILE);
  } catch {
    // Ignore if doesn't exist
  }
 };
--- a/apps/cli/src/utils/password.ts
+++ b/apps/cli/src/utils/password.ts
@@ -0,0 +1,22 @@
 /**
 * Password hashing utilities using scrypt from @noble/hashes
 */
 import { scrypt as nobleScrypt } from "@noble/hashes/scrypt.js";
 import { randomBytes } from "@noble/hashes/utils.js";
 // scrypt parameters: N=2^17, r=8, p=1, dkLen=32
 const N = 131072;
 const r = 8;
 const p = 1;
 const dkLen = 32;
 /**
 * Hash a password using scrypt
 * Format: scrypt$17$8$1$<salt-base64>$<hash-base64>
 */
 export const hashPassword = (password: string): string => {
  const salt = randomBytes(16);
  const hash = nobleScrypt(password, salt, { N, r, p, dkLen });
  return `scrypt$17$8$1$${Buffer.from(salt).toString("base64")}$${Buffer.from(hash).toString("base64")}`;
 };
--- a/apps/cli/src/utils/token.ts
+++ b/apps/cli/src/utils/token.ts
@@ -0,0 +1,22 @@
 /**
 * Token generation and hashing utilities
 */
 import { sha256 } from "@noble/hashes/sha2.js";
 import { randomBytes } from "@noble/hashes/utils.js";
 /**
 * Generate a cryptographically secure random token
 * Returns a 32-byte hex string (64 characters)
 */
 export const generateToken = (): string => {
  return Buffer.from(randomBytes(32)).toString("hex");
 };
 /**
 * Hash a token using SHA-256
 * Returns a hex string
 */
 export const hashToken = (token: string): string => {
  return Buffer.from(sha256(Buffer.from(token))).toString("hex");
 };
--- a/bun.lock
+++ b/bun.lock
@@ -15,6 +15,7 @@
      "name": "api-server",
      "version": "0.0.0",
      "dependencies": {
        "@noble/hashes": "^2.0.1",
        "@orpc/server": "^1.13.2",
        "@reviq/api-contract": "workspace:*",
        "@reviq/db": "workspace:*",
--- a/devenv.nix
+++ b/devenv.nix
@@ -37,5 +37,6 @@
    "db-new".exec = "dbmate new \"$1\"";
    "db-status".exec = "dbmate status";
    "db-gen".exec = "bun run --cwd packages/db-schema generate";
    "reviq".exec = "bun run --cwd apps/cli cli \"$@\"";
  };
 }