Improve API token format and enhance auth status command

- Change token format to reviq_<base58> prefix instead of raw hex
- Add me.authStatus API endpoint for detailed auth information
- Enhance CLI `reviq auth status` to show token details from API
- Add comprehensive tests for token generation (18 tests)
- Extract bootstrap logic to @reviq/db for reusability and testing
- Remove default db export; callers must use createDb() directly

Token changes:
- New format: reviq_<base58-encoded-32-bytes>
- Added parseToken() for validation
- Added isValidTokenFormat() helper

Auth status endpoint returns:
- User profile information
- Auth method (api_token or session)
- Token/session details (name, expiration, last used)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/cli/package.json

@@ -12,13 +12,15 @@
     "cli": "bun run src/bin/reviq.ts",
     "typecheck": "tsc --noEmit",
     "lint": "eslint . --cache",
-    "clean": "rm -rf dist .eslintcache"
+    "clean": "rm -rf dist .eslintcache",
+    "test": "bun test"
   },
   "dependencies": {
-    "@stricli/core": "^1.2.5",
-    "@stricli/auto-complete": "^1.0.0",
+    "@noble/hashes": "^2.0.1",
     "@reviq/db": "workspace:*",
-    "@noble/hashes": "^2.0.1"
+    "@scure/base": "^2.0.0",
+    "@stricli/auto-complete": "^1.0.0",
+    "@stricli/core": "^1.2.5"
   },
   "devDependencies": {
     "@macalinao/eslint-config": "catalog:",

apps/cli/src/routes/auth/status.ts

@@ -1,6 +1,61 @@
 import type { LocalContext } from "../../context.js";
 import { buildCommand } from "@stricli/core";
+import { createApiClient } from "../../utils/api-client.js";
 import { getConfigPath, readConfig } from "../../utils/config.js";
+import { TOKEN_PREFIX } from "../../utils/token.js";
+
+interface AuthStatusResponse {
+  user: {
+    id: number;
+    email: string;
+    displayName: string | null;
+    fullName: string | null;
+    isSuperuser: boolean;
+    emailVerified: boolean;
+  };
+  auth:
+    | {
+        method: "api_token";
+        tokenId: string;
+        tokenName: string;
+        expiresAt: string;
+        lastUsedAt: string | null;
+        createdAt: string;
+      }
+    | {
+        method: "session";
+        sessionId: string;
+        expiresAt: string;
+        createdAt: string;
+      };
+}
+
+function formatDate(dateStr: string): string {
+  const date = new Date(dateStr);
+  return date.toLocaleString();
+}
+
+function formatRelativeTime(dateStr: string): string {
+  const date = new Date(dateStr);
+  const now = new Date();
+  const diffMs = date.getTime() - now.getTime();
+  const diffDays = Math.floor(diffMs / (1000 * 60 * 60 * 24));
+
+  if (diffDays < 0) {
+    return `${String(Math.abs(diffDays))} days ago`;
+  }
+  if (diffDays === 0) {
+    const diffHours = Math.floor(diffMs / (1000 * 60 * 60));
+    if (diffHours <= 0) {
+      return "expired";
+    }
+    return `in ${String(diffHours)} hours`;
+  }
+  if (diffDays === 1) {
+    return "tomorrow";
+  }
+  return `in ${String(diffDays)} days`;
+}
 
 async function status(this: LocalContext): Promise<void> {
   const config = await readConfig();
@@ -16,10 +71,66 @@ async function status(this: LocalContext): Promise<void> {
 
   console.log("Authentication Status");
   console.log("=====================\n");
-  console.log(`Email: ${config.email}`);
-  console.log(`API URL: ${config.apiUrl}`);
-  console.log(`Config file: ${getConfigPath()}`);
-  console.log("Token: [configured]");
+
+  // Show local config info
+  console.log("Local Configuration:");
+  console.log(`  Config file: ${getConfigPath()}`);
+  console.log(`  API URL: ${config.apiUrl}`);
+
+  // Show token format info
+  const hasNewFormat = config.token.startsWith(TOKEN_PREFIX);
+  console.log(
+    `  Token format: ${hasNewFormat ? "reviq_<base58>" : "legacy (hex)"}`,
+  );
+
+  // Try to fetch status from API
+  console.log("\nAPI Status:");
+  try {
+    const client = await createApiClient();
+    const response = await client.call<AuthStatusResponse>("me.authStatus");
+
+    // User info
+    console.log("\n  User:");
+    console.log(`    Email: ${response.user.email}`);
+    if (response.user.displayName) {
+      console.log(`    Display name: ${response.user.displayName}`);
+    }
+    if (response.user.fullName) {
+      console.log(`    Full name: ${response.user.fullName}`);
+    }
+    console.log(
+      `    Email verified: ${response.user.emailVerified ? "yes" : "no"}`,
+    );
+    console.log(`    Superuser: ${response.user.isSuperuser ? "yes" : "no"}`);
+
+    // Auth method info
+    if (response.auth.method === "api_token") {
+      console.log("\n  API Token:");
+      console.log(`    Name: ${response.auth.tokenName}`);
+      console.log(`    Token ID: ${response.auth.tokenId}`);
+      console.log(`    Created: ${formatDate(response.auth.createdAt)}`);
+      console.log(
+        `    Expires: ${formatDate(response.auth.expiresAt)} (${formatRelativeTime(response.auth.expiresAt)})`,
+      );
+      if (response.auth.lastUsedAt) {
+        console.log(`    Last used: ${formatDate(response.auth.lastUsedAt)}`);
+      }
+    } else {
+      console.log("\n  Session:");
+      console.log(`    Session ID: ${response.auth.sessionId}`);
+      console.log(`    Created: ${formatDate(response.auth.createdAt)}`);
+      console.log(
+        `    Expires: ${formatDate(response.auth.expiresAt)} (${formatRelativeTime(response.auth.expiresAt)})`,
+      );
+    }
+  } catch (error) {
+    console.log(
+      `  Error: ${error instanceof Error ? error.message : String(error)}`,
+    );
+    console.log(
+      "\n  Unable to connect to API. Local credentials may be invalid.",
+    );
+  }
 }
 
 export const statusCommand = buildCommand({

apps/cli/src/routes/bootstrap.ts

@@ -1,9 +1,7 @@
 import type { LocalContext } from "../context.js";
-import { createDb } from "@reviq/db";
+import { createDb, executeBootstrap } from "@reviq/db";
 import { buildCommand } from "@stricli/core";
 import { writeConfig } from "../utils/config.js";
-import { hashPassword } from "../utils/password.js";
-import { generateToken, hashToken } from "../utils/token.js";
 
 interface BootstrapFlags {
   email: string;
@@ -17,98 +15,23 @@ async function bootstrap(
   console.log("RevIQ Bootstrap - Create Superuser");
   console.log("===================================\n");
 
-  // Validate password length
-  if (flags.password.length < 8) {
-    console.error("Error: Password must be at least 8 characters");
-    this.process.exit(1);
-  }
-
   const db = createDb();
 
   try {
-    // Check if user already exists
-    const existing = await db
-      .selectFrom("users")
-      .where("email", "=", flags.email.toLowerCase())
-      .select("id")
-      .executeTakeFirst();
+    // Execute the bootstrap operation
+    const result = await executeBootstrap(db, {
+      email: flags.email,
+      password: flags.password,
+    });
 
-    if (existing) {
-      console.error(`Error: User with email ${flags.email} already exists`);
-      await db.destroy();
-      this.process.exit(1);
-    }
-
-    // Hash the password
-    const passwordHash = hashPassword(flags.password);
-
-    // Create superuser
-    const [user] = await db
-      .insertInto("users")
-      .values({
-        email: flags.email.toLowerCase(),
-        password_hash: passwordHash,
-        is_superuser: true,
-        email_verified_at: new Date(),
-      })
-      .returning(["id", "email"])
-      .execute();
-
-    if (!user) {
-      console.error("Error: Failed to create user");
-      await db.destroy();
-      this.process.exit(1);
-    }
-
-    console.log(`Created superuser: ${user.email}`);
-
-    // Create "reviq" org
-    const [org] = await db
-      .insertInto("orgs")
-      .values({
-        slug: "reviq",
-        display_name: "RevIQ",
-      })
-      .returning(["id", "slug"])
-      .execute();
-
-    if (!org) {
-      console.error("Error: Failed to create org");
-      await db.destroy();
-      this.process.exit(1);
-    }
-
-    // Add user as owner of the org
-    await db
-      .insertInto("org_members")
-      .values({
-        org_id: org.id,
-        user_id: user.id,
-        role: "owner",
-      })
-      .execute();
-
-    console.log(`Created org: ${org.slug}`);
-
-    // Generate API token
-    const token = generateToken();
-    const tokenHashValue = hashToken(token);
-
-    await db
-      .insertInto("api_tokens")
-      .values({
-        user_id: user.id,
-        token_hash: tokenHashValue,
-        name: "CLI bootstrap token",
-        expires_at: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
-      })
-      .execute();
+    console.log(`Created superuser: ${result.user.email}`);
+    console.log(`Created org: ${result.org.slug}`);
 
     // Save to config
     await writeConfig({
       apiUrl: Bun.env.API_URL ?? "http://localhost:9861",
-      token,
-      email: user.email,
+      token: result.token,
+      email: result.user.email,
     });
 
     console.log("Saved credentials to ~/.config/reviq/credentials.json");

apps/cli/src/utils/token.test.ts

@@ -0,0 +1,170 @@
+/**
+ * Tests for token generation and parsing utilities
+ */
+
+import { describe, expect, test } from "bun:test";
+import { generateToken, hashToken, parseToken, TOKEN_PREFIX } from "./token.js";
+
+describe("TOKEN_PREFIX", () => {
+  test("should be 'reviq_'", () => {
+    expect(TOKEN_PREFIX).toBe("reviq_");
+  });
+});
+
+describe("generateToken", () => {
+  test("should generate a token with the reviq_ prefix", () => {
+    const token = generateToken();
+    expect(token.startsWith(TOKEN_PREFIX)).toBe(true);
+  });
+
+  test("should generate tokens of consistent length", () => {
+    const token1 = generateToken();
+    const token2 = generateToken();
+    const token3 = generateToken();
+
+    // Base58 encoding of 32 bytes produces 43-44 characters
+    // Plus 6 chars for "reviq_" prefix = 49-50 total
+    expect(token1.length).toBeGreaterThanOrEqual(49);
+    expect(token1.length).toBeLessThanOrEqual(50);
+    expect(token2.length).toBeGreaterThanOrEqual(49);
+    expect(token2.length).toBeLessThanOrEqual(50);
+    expect(token3.length).toBeGreaterThanOrEqual(49);
+    expect(token3.length).toBeLessThanOrEqual(50);
+  });
+
+  test("should generate unique tokens", () => {
+    const tokens = new Set<string>();
+    for (let i = 0; i < 100; i++) {
+      tokens.add(generateToken());
+    }
+    expect(tokens.size).toBe(100);
+  });
+
+  test("should only contain valid base58 characters after prefix", () => {
+    const token = generateToken();
+    const base58Part = token.slice(TOKEN_PREFIX.length);
+    // Base58 alphabet: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
+    // (excludes 0, O, I, l)
+    const base58Regex =
+      /^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]+$/;
+    expect(base58Regex.test(base58Part)).toBe(true);
+  });
+});
+
+describe("parseToken", () => {
+  test("should parse a valid token and return 32 bytes", () => {
+    const token = generateToken();
+    const bytes = parseToken(token);
+    expect(bytes).not.toBeNull();
+    expect(bytes?.length).toBe(32);
+  });
+
+  test("should return null for tokens without the prefix", () => {
+    const bytes = parseToken("invalid_token");
+    expect(bytes).toBeNull();
+  });
+
+  test("should return null for tokens with wrong prefix", () => {
+    const bytes = parseToken(
+      "wrong_5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ",
+    );
+    expect(bytes).toBeNull();
+  });
+
+  test("should return null for tokens with invalid base58 characters", () => {
+    // 'O', '0', 'I', 'l' are not valid base58 characters
+    const bytes = parseToken("reviq_0InvalidBase58");
+    expect(bytes).toBeNull();
+  });
+
+  test("should return null for tokens with incorrect byte length", () => {
+    // A shorter base58 string (less than 32 bytes)
+    const bytes = parseToken("reviq_abc123");
+    expect(bytes).toBeNull();
+  });
+
+  test("should round-trip correctly", () => {
+    const originalToken = generateToken();
+    const bytes = parseToken(originalToken);
+    expect(bytes).not.toBeNull();
+
+    // Verify the bytes are the same entropy
+    expect(bytes?.length).toBe(32);
+  });
+});
+
+describe("hashToken", () => {
+  test("should produce a 64-character hex string", () => {
+    const token = generateToken();
+    const hash = hashToken(token);
+    expect(hash.length).toBe(64);
+  });
+
+  test("should produce consistent hashes for the same token", () => {
+    const token = generateToken();
+    const hash1 = hashToken(token);
+    const hash2 = hashToken(token);
+    expect(hash1).toBe(hash2);
+  });
+
+  test("should produce different hashes for different tokens", () => {
+    const token1 = generateToken();
+    const token2 = generateToken();
+    const hash1 = hashToken(token1);
+    const hash2 = hashToken(token2);
+    expect(hash1).not.toBe(hash2);
+  });
+
+  test("should only contain hex characters", () => {
+    const token = generateToken();
+    const hash = hashToken(token);
+    const hexRegex = /^[0-9a-f]+$/;
+    expect(hexRegex.test(hash)).toBe(true);
+  });
+
+  test("should hash legacy tokens correctly", () => {
+    // Test with a legacy hex token (pre-reviq_ format)
+    const legacyToken = "a".repeat(64);
+    const hash = hashToken(legacyToken);
+    expect(hash.length).toBe(64);
+    expect(hash).not.toBe(legacyToken);
+  });
+});
+
+describe("token security properties", () => {
+  test("should have sufficient entropy (32 bytes = 256 bits)", () => {
+    const token = generateToken();
+    const bytes = parseToken(token);
+    expect(bytes).not.toBeNull();
+    expect(bytes?.length).toBe(32);
+    // 32 bytes * 8 bits = 256 bits of entropy
+  });
+
+  test("should be cryptographically random (statistical test)", () => {
+    // Generate many tokens and check that byte distribution is roughly uniform
+    const byteCounts: number[] = new Array<number>(256).fill(0);
+    const numTokens = 1000;
+
+    for (let i = 0; i < numTokens; i++) {
+      const token = generateToken();
+      const bytes = parseToken(token);
+      if (bytes) {
+        for (const byte of bytes) {
+          // byte is always 0-255, and byteCounts has 256 elements initialized to 0
+          byteCounts[byte] = (byteCounts[byte] ?? 0) + 1;
+        }
+      }
+    }
+
+    // Each byte value should appear roughly (numTokens * 32) / 256 times
+    const expectedCount = (numTokens * 32) / 256;
+    const tolerance = expectedCount * 0.5; // Allow 50% variance
+
+    // Check that no byte value is extremely over- or under-represented
+    for (let i = 0; i < 256; i++) {
+      const count: number = byteCounts[i] ?? 0;
+      expect(count).toBeGreaterThan(expectedCount - tolerance);
+      expect(count).toBeLessThan(expectedCount + tolerance);
+    }
+  });
+});

apps/cli/src/utils/token.ts

@@ -1,22 +1,12 @@
 /**
  * Token generation and hashing utilities
+ *
+ * Re-exports from @reviq/db for convenience
  */
 
-import { sha256 } from "@noble/hashes/sha2.js";
-import { randomBytes } from "@noble/hashes/utils.js";
-
-/**
- * Generate a cryptographically secure random token
- * Returns a 32-byte hex string (64 characters)
- */
-export const generateToken = (): string => {
-  return Buffer.from(randomBytes(32)).toString("hex");
-};
-
-/**
- * Hash a token using SHA-256
- * Returns a hex string
- */
-export const hashToken = (token: string): string => {
-  return Buffer.from(sha256(Buffer.from(token))).toString("hex");
-};
+export {
+  generateToken,
+  hashToken,
+  parseToken,
+  TOKEN_PREFIX,
+} from "@reviq/db";