refactor(safegres): use inquirerer for CLI plumbing

Drop the hand-rolled argv parser in favor of inquirerer's CLI class +
@inquirerer/utils helpers — same convention as cnc, pgpm, and csdk.

- Remove src/util/args.ts
- Add src/cli/commands.ts (router via extractFirst)
- Add src/cli/pg.ts (pg command handler)
- src/cli.ts now constructs the inquirerer CLI

CLI surface is unchanged (`safegres pg --connection ...`).

Author: pyramation

graphql/safegres/package.json

@@ -41,7 +41,9 @@
     "constructive"
   ],
   "dependencies": {
+    "@inquirerer/utils": "^3.3.5",
     "@pgsql/types": "^17.6.2",
+    "inquirerer": "^4.7.0",
     "node-type-registry": "workspace:^",
     "pg": "^8.16.0",
     "pgsql-deparser": "^17.18.2",

graphql/safegres/src/cli.ts

@@ -1,104 +1,28 @@
 #!/usr/bin/env node
 /* eslint-disable no-console */
-import { Client } from 'pg';
+import { CLI, CLIOptions, getPackageJson } from 'inquirerer';
 
-import { auditPg } from './commands/pg';
-import { renderJson } from './report/json';
-import { renderPretty } from './report/pretty';
-import type { Severity } from './types';
-import { meetsThreshold, SEVERITY_ORDER } from './types';
-import { boolFlag, listFlag, parseArgs, stringFlag } from './util/args';
+import { commands } from './cli/commands';
 
-const HELP = `\
-safegres — pure-PostgreSQL RLS auditor
-
-Usage:
-  safegres pg   [options]
-  safegres help
-
-Options (pg):
-  --connection <url>       PostgreSQL connection string (or env DATABASE_URL)
-  --schemas <csv>          Limit to these schemas (default: all non-system)
-  --exclude-schemas <csv>  Skip these schemas (default: pg_catalog,information_schema,pg_toast)
-  --roles <csv>            Audit grants only for these roles (default: all)
-  --exclude-roles <csv>    Skip grants for these roles
-  --format <fmt>           "pretty" (default) | "json" | "json-pretty"
-  --fail-on <severity>     Exit non-zero if any finding >= severity
-                           (critical|high|medium|low|info; default: none)
-  --skip-ast               Skip AST-level anti-pattern checks (faster)
-  --no-color               Disable ANSI colors in pretty output
-`;
-
-async function main(): Promise<number> {
-  const args = parseArgs(process.argv.slice(2));
-  const cmd = args.command ?? 'help';
-
-  if (cmd === 'help' || cmd === '-h' || cmd === '--help' || args.flags.help === true) {
-    process.stdout.write(HELP);
-    return 0;
-  }
-
-  if (cmd !== 'pg') {
-    process.stderr.write(`Unknown command: ${cmd}\n\n${HELP}`);
-    return 2;
-  }
+if (process.argv.includes('--version') || process.argv.includes('-v')) {
+  const pkg = getPackageJson(__dirname);
+  console.log(pkg.version);
+  process.exit(0);
+}
 
-  const connection = stringFlag(args.flags, 'connection') ?? process.env.DATABASE_URL;
-  if (!connection) {
-    process.stderr.write('error: --connection <url> or DATABASE_URL env required\n');
-    return 2;
+const options: Partial<CLIOptions> = {
+  minimistOpts: {
+    alias: {
+      v: 'version',
+      h: 'help'
+    },
+    boolean: ['skip-ast', 'no-color', 'color', 'help']
   }
+};
 
-  const client = new Client({ connectionString: connection });
-  await client.connect();
-  try {
-    const report = await auditPg(client, {
-      schemas: listFlag(args.flags, 'schemas'),
-      excludeSchemas: listFlag(args.flags, 'exclude-schemas'),
-      includeRoles: listFlag(args.flags, 'roles'),
-      excludeRoles: listFlag(args.flags, 'exclude-roles'),
-      skipAstChecks: boolFlag(args.flags, 'skip-ast')
-    });
-
-    const fmt = stringFlag(args.flags, 'format') ?? 'pretty';
-    let output: string;
-    switch (fmt) {
-    case 'json':
-      output = renderJson(report);
-      break;
-    case 'json-pretty':
-      output = renderJson(report, { pretty: true });
-      break;
-    case 'pretty':
-      output = renderPretty(report, { color: !boolFlag(args.flags, 'no-color') });
-      break;
-    default:
-      process.stderr.write(`Unknown --format: ${fmt}\n`);
-      return 2;
-    }
-    process.stdout.write(output);
-    process.stdout.write('\n');
-
-    const failOn = stringFlag(args.flags, 'fail-on') as Severity | undefined;
-    if (failOn) {
-      if (!(failOn in SEVERITY_ORDER)) {
-        process.stderr.write(`Unknown --fail-on severity: ${failOn}\n`);
-        return 2;
-      }
-      if (report.findings.some((f) => meetsThreshold(f.severity, failOn))) {
-        return 1;
-      }
-    }
-    return 0;
-  } finally {
-    await client.end();
-  }
-}
+const app = new CLI(commands, options);
 
-if (require.main === module) {
-  main().then((code) => process.exit(code)).catch((err) => {
-    // eslint-disable-next-line no-console
-    console.error(err);
-    process.exit(3);
-  });
-}
+app.run().catch((error) => {
+  console.error(error);
+  process.exit(1);
+});

graphql/safegres/src/cli/commands.ts

@@ -0,0 +1,42 @@
+/* eslint-disable no-console */
+import { CLIOptions, extractFirst, Inquirerer, ParsedArgs } from 'inquirerer';
+
+import pg from './pg';
+
+const usage = `
+safegres — pure-PostgreSQL RLS auditor
+
+Usage:
+  safegres <command> [OPTIONS]
+
+Commands:
+  pg              Audit grants, RLS flags, policy coverage, and anti-patterns
+  help            Show this help message
+
+Run \`safegres <command> --help\` for command-specific options.
+`;
+
+const commandMap: Record<string, (argv: ParsedArgs, prompter: Inquirerer, options: CLIOptions) => unknown> = {
+  pg
+};
+
+export const commands = async (
+  argv: ParsedArgs,
+  prompter: Inquirerer,
+  options: CLIOptions
+): Promise<void> => {
+  const { first: command, newArgv } = extractFirst(argv);
+
+  if (!command || command === 'help' || argv.help || argv.h) {
+    console.log(usage);
+    return;
+  }
+
+  const handler = commandMap[command];
+  if (!handler) {
+    console.error(`Unknown command: ${command}\n${usage}`);
+    process.exit(2);
+  }
+
+  await handler(newArgv as ParsedArgs, prompter, options);
+};

graphql/safegres/src/cli/pg.ts

@@ -0,0 +1,108 @@
+/* eslint-disable no-console */
+import { CLIOptions, Inquirerer, ParsedArgs } from 'inquirerer';
+import { Client } from 'pg';
+
+import { auditPg } from '../commands/pg';
+import { renderJson } from '../report/json';
+import { renderPretty } from '../report/pretty';
+import type { Severity } from '../types';
+import { meetsThreshold, SEVERITY_ORDER } from '../types';
+
+const usage = `
+safegres pg — pure-PostgreSQL RLS auditor
+
+  safegres pg [OPTIONS]
+
+Options:
+  --connection <url>       PostgreSQL connection string (or env DATABASE_URL)
+  --schemas <csv>          Limit to these schemas (default: all non-system)
+  --exclude-schemas <csv>  Skip these schemas (default: pg_catalog,information_schema,pg_toast)
+  --roles <csv>            Audit grants only for these roles (default: all)
+  --exclude-roles <csv>    Skip grants for these roles
+  --format <fmt>           "pretty" (default) | "json" | "json-pretty"
+  --fail-on <severity>     Exit non-zero if any finding >= severity
+                           (critical|high|medium|low|info; default: none)
+  --skip-ast               Skip AST-level anti-pattern checks (faster)
+  --no-color               Disable ANSI colors in pretty output
+  --help, -h               Show this help message
+`;
+
+function csv(value: unknown): string[] | undefined {
+  if (typeof value !== 'string' || value.length === 0) return undefined;
+  return value
+    .split(',')
+    .map((p) => p.trim())
+    .filter(Boolean);
+}
+
+function string(value: unknown): string | undefined {
+  return typeof value === 'string' && value.length > 0 ? value : undefined;
+}
+
+function bool(value: unknown): boolean {
+  return value === true || value === 'true';
+}
+
+export default async (
+  argv: ParsedArgs,
+  _prompter: Inquirerer,
+  _options: CLIOptions
+): Promise<void> => {
+  if (argv.help || argv.h) {
+    console.log(usage);
+    return;
+  }
+
+  const connection = string(argv.connection) ?? process.env.DATABASE_URL;
+  if (!connection) {
+    console.error('error: --connection <url> or DATABASE_URL env required');
+    process.exit(2);
+  }
+
+  // `--no-color` is parsed by minimist as `color: false` (negation of `--color`).
+  const colorFlag = 'color' in argv ? argv.color !== false : !bool(argv['no-color']);
+
+  const client = new Client({ connectionString: connection });
+  await client.connect();
+  try {
+    const report = await auditPg(client, {
+      schemas: csv(argv.schemas),
+      excludeSchemas: csv(argv['exclude-schemas']),
+      includeRoles: csv(argv.roles),
+      excludeRoles: csv(argv['exclude-roles']),
+      skipAstChecks: bool(argv['skip-ast'])
+    });
+
+    const fmt = string(argv.format) ?? 'pretty';
+    let output: string;
+    switch (fmt) {
+    case 'json':
+      output = renderJson(report);
+      break;
+    case 'json-pretty':
+      output = renderJson(report, { pretty: true });
+      break;
+    case 'pretty':
+      output = renderPretty(report, { color: colorFlag });
+      break;
+    default:
+      console.error(`Unknown --format: ${fmt}`);
+      process.exit(2);
+    }
+    process.stdout.write(output);
+    process.stdout.write('\n');
+
+    const failOn = string(argv['fail-on']) as Severity | undefined;
+    if (failOn) {
+      if (!(failOn in SEVERITY_ORDER)) {
+        console.error(`Unknown --fail-on severity: ${failOn}`);
+        process.exit(2);
+      }
+      if (report.findings.some((f) => meetsThreshold(f.severity, failOn))) {
+        process.exit(1);
+      }
+    }
+  } finally {
+    await client.end();
+  }
+};

graphql/safegres/src/util/args.ts

@@ -1,2 +1,2 @@
 // Auto-synced from package.json during publish.
-export const version = '0.0.1';
+export const version = '0.1.0';