@bagdock/cli 0.4.0 → 0.5.0

package/README.md

@@ -1,3 +1,17 @@
+```
+  ----++                                ----++                    ---+++     
+  ---+++                                ---++                     ---++      
+ ----+---     -----     ---------  --------++ ------     -----   ----++----- 
+ ---------+ --------++----------++--------+++--------+ --------++---++---++++
+ ---+++---++ ++++---++---+++---++---+++---++---+++---++---++---++------++++  
+----++ ---++--------++---++----++---++ ---++---++ ---+---++     -------++    
+----++----+---+++---++---++----++---++----++---++---+++--++ --------+---++   
+---------++--------+++--------+++--------++ -------+++ -------++---++----++  
+ +++++++++   +++++++++- +++---++   ++++++++    ++++++    ++++++  ++++  ++++  
+                     --------+++                                             
+                       +++++++                                               
+```
+
 # @bagdock/cli
 
 The official CLI for Bagdock. Built for humans, AI agents, and CI/CD pipelines.
@@ -160,6 +174,42 @@ The CLI resolves your API key using the following priority chain:
 
 If no key is found from any source, the CLI errors with code `auth_error`.
 
+## Environment context
+
+The CLI supports Stripe-style live/test mode switching. Login is universal — you authenticate once, then select which operator and environment to target.
+
+### Operator + environment resolution
+
+| Priority | Source | How to set |
+|----------|--------|-----------|
+| 1 (highest) | `--env` global flag | `bagdock --env test deploy` |
+| 2 | `.bagdock/link.json` | `bagdock link --env test` |
+| 3 | Profile stored value | `bagdock switch` |
+| 4 (lowest) | Default | `live` |
+
+For operator slug:
+
+| Priority | Source | How to set |
+|----------|--------|-----------|
+| 1 (highest) | `BAGDOCK_OPERATOR` env var | `export BAGDOCK_OPERATOR=wisestorage` |
+| 2 (lowest) | Profile stored value | `bagdock switch` or `bagdock login` |
+
+### Typical workflow
+
+```bash
+# Login (universal identity)
+bagdock login
+
+# Select operator and environment
+bagdock switch
+
+# Or override per-command
+bagdock --env test deploy --target staging
+bagdock --env live apps list
+```
+
+All API requests include `X-Environment` and `X-Operator-Slug` headers, ensuring the backend resolves the correct tenant database.
+
 ## Commands
 
 ### `bagdock login`
@@ -246,6 +296,7 @@ bagdock doctor
 |-------|------|------|------|
 | CLI Version | Running latest | Update available or registry unreachable | — |
 | API Key | Key found (shows masked key + source) | — | No key found |
+| Operator Context | Operator + environment set | No operator selected | — |
 | Project Config | Valid `bagdock.json` found | No config or incomplete | — |
 | AI Agents | Lists detected agents (or none) | — | — |
 
@@ -300,6 +351,46 @@ Exits `0` when all checks pass or warn. Exits `1` if any check fails.
 
 ---
 
+### `bagdock switch`
+
+Switch operator and environment context. After login, use this to select which operator (live or sandbox) to target.
+
+```bash
+bagdock switch
+```
+
+#### Interactive mode
+
+```
+? Select operator:
+  1. WiseStorage (wisestorage)
+  2. Ardran REIT (ardran-reit)
+> 1
+
+? Select environment:
+  1. Live
+  2. Sandbox: crm-integration (default)
+  3. Sandbox: access-testing
+> 2
+
+Switched to wisestorage [test] (sandbox: crm-integration)
+```
+
+#### Non-interactive mode (CI/CD)
+
+```bash
+bagdock switch --operator wisestorage --env test
+```
+
+#### JSON output
+
+```bash
+bagdock switch --operator wisestorage --env live --json
+# => {"operator":{"id":"opreg_xxx","slug":"wisestorage","name":"WiseStorage"},"environment":"live"}
+```
+
+---
+
 ### Switch between profiles
 
 If you work across multiple Bagdock operators, the CLI supports named profiles.
@@ -700,6 +791,7 @@ bagdock [global options] <command> [command options]
 |------|-------------|
 | `--api-key <key>` | Override API key for this invocation (takes highest priority) |
 | `-p, --profile <name>` | Profile to use (overrides `BAGDOCK_PROFILE` env var) |
+| `--env <live\|test>` | Override environment for this invocation |
 | `--json` | Force JSON output even in interactive terminals |
 | `-q, --quiet` | Suppress spinners and status output (implies `--json`) |
 | `--version` | Print version and exit |

package/dist/bagdock.js

@@ -2088,6 +2088,12 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 function setProfileOverride(name) {
   profileOverride = name;
 }
+function setEnvironmentOverride(env) {
+  envOverride = env;
+}
+function getEnvironmentOverride() {
+  return envOverride;
+}
 function ensureConfigDir() {
   if (!existsSync(CONFIG_DIR)) {
     mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
@@ -2153,6 +2159,8 @@ function listProfiles() {
     name,
     email: creds.email,
     operatorId: creds.operatorId,
+    operatorSlug: creds.operatorSlug,
+    environment: creds.environment,
     active: name === store.activeProfile
   }));
 }
@@ -2167,6 +2175,46 @@ function switchProfile(name) {
 function getActiveProfileName() {
   return resolveProfile();
 }
+function resolveLinkEnvironment() {
+  try {
+    const p = join(process.cwd(), ".bagdock", "link.json");
+    if (!existsSync(p))
+      return;
+    const data = JSON.parse(readFileSync(p, "utf-8"));
+    if (data.environment === "live" || data.environment === "test")
+      return data.environment;
+    return;
+  } catch {
+    return;
+  }
+}
+function resolveEnvironment() {
+  if (envOverride)
+    return envOverride;
+  const envVar = process.env.BAGDOCK_ENV;
+  if (envVar === "test" || envVar === "live")
+    return envVar;
+  const creds = loadCredentials();
+  return creds?.environment ?? "live";
+}
+function resolveOperatorSlug() {
+  const envVar = process.env.BAGDOCK_OPERATOR;
+  if (envVar)
+    return envVar;
+  const creds = loadCredentials();
+  return creds?.operatorSlug;
+}
+function updateProfileContext(operatorId, operatorSlug, environment) {
+  const creds = loadCredentials();
+  if (!creds)
+    return;
+  saveCredentials({
+    ...creds,
+    operatorId,
+    operatorSlug,
+    environment
+  });
+}
 function loadBagdockJson(dir) {
   const file = join(dir, "bagdock.json");
   if (!existsSync(file))
@@ -2177,7 +2225,7 @@ function loadBagdockJson(dir) {
     return null;
   }
 }
-var CONFIG_DIR, CREDENTIALS_FILE, API_BASE, DASHBOARD_BASE, profileOverride;
+var CONFIG_DIR, CREDENTIALS_FILE, API_BASE, DASHBOARD_BASE, profileOverride, envOverride;
 var init_config = __esm(() => {
   CONFIG_DIR = join(homedir(), ".bagdock");
   CREDENTIALS_FILE = join(CONFIG_DIR, "credentials.json");
@@ -3341,15 +3389,27 @@ Requesting device authorization...
         refreshToken: tokens.refresh_token,
         expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1000 : undefined,
         email: tokens.email,
-        operatorId: tokens.operator_id
+        operatorId: tokens.operator_id,
+        operatorSlug: tokens.operator_slug,
+        environment: "live"
       });
       console.log(source_default.green(`
   Logged in successfully!`));
       if (tokens.email)
         console.log("  Email:", source_default.bold(tokens.email));
-      if (tokens.operator_id)
-        console.log("  Operator:", source_default.bold(tokens.operator_id));
+      if (tokens.operator_slug) {
+        console.log("  Operator:", source_default.bold(tokens.operator_slug));
+      } else if (tokens.operator_id) {
+        console.log("  Operator ID:", source_default.bold(tokens.operator_id));
+      }
+      console.log("  Environment:", source_default.bold("live"));
       console.log("  Profile:", source_default.bold(getActiveProfileName()));
+      if (!tokens.operator_slug) {
+        await resolveOperatorAfterLogin(tokens.access_token);
+      } else {
+        console.log();
+        console.log(source_default.dim("  Tip: run"), source_default.cyan("bagdock switch"), source_default.dim("to change operator or environment."));
+      }
       return;
     }
     const error = await tokenRes.json().catch(() => ({ error: "unknown" }));
@@ -3396,12 +3456,22 @@ async function whoami() {
       process.exit(1);
     }
     const user = await res.json();
+    const creds = loadCredentials();
     if (isJsonMode()) {
-      outputSuccess({ ...user, profile: getActiveProfileName() });
+      outputSuccess({
+        ...user,
+        profile: getActiveProfileName(),
+        operator_slug: creds?.operatorSlug,
+        environment: creds?.environment ?? "live"
+      });
     } else {
       console.log(source_default.green("Logged in as"), source_default.bold(user.email));
-      if (user.operator_id)
-        console.log("Operator:", source_default.bold(user.operator_id));
+      if (creds?.operatorSlug) {
+        console.log("Operator:", source_default.bold(creds.operatorSlug));
+      } else if (user.operator_id) {
+        console.log("Operator ID:", source_default.bold(user.operator_id));
+      }
+      console.log("Environment:", source_default.bold(creds?.environment ?? "live"));
       if (user.name)
         console.log("Name:", user.name);
       console.log("Profile:", source_default.bold(getActiveProfileName()));
@@ -3428,8 +3498,9 @@ async function authList() {
     const marker = p.active ? source_default.green("* ") : "  ";
     const label = p.active ? source_default.bold(p.name) : p.name;
     const email = p.email ? source_default.dim(` (${p.email})`) : "";
-    const op = p.operatorId ? source_default.dim(` [${p.operatorId}]`) : "";
-    console.log(`  ${marker}${label}${email}${op}`);
+    const operator = p.operatorSlug ? source_default.dim(` ${p.operatorSlug}`) : p.operatorId ? source_default.dim(` ${p.operatorId}`) : "";
+    const env2 = p.environment ? source_default.dim(` [${p.environment}]`) : "";
+    console.log(`  ${marker}${label}${email}${operator}${env2}`);
   }
   console.log();
 }
@@ -3482,6 +3553,28 @@ Available profiles:
     process.exit(1);
   }
 }
+async function resolveOperatorAfterLogin(accessToken) {
+  try {
+    const res = await fetch(`${API_BASE}/api/v1/me/operators`, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!res.ok)
+      return;
+    const body = await res.json();
+    const operators = body.data ?? [];
+    if (operators.length === 1) {
+      const op = operators[0];
+      updateProfileContext(op.id, op.slug, "live");
+      console.log("  Operator:", source_default.bold(`${op.name} (${op.slug})`));
+      console.log();
+      console.log(source_default.dim("  Tip: run"), source_default.cyan("bagdock switch"), source_default.dim("to change environment to test/sandbox."));
+    } else if (operators.length > 1) {
+      console.log();
+      console.log(source_default.dim(`  You have access to ${operators.length} operators.`));
+      console.log(source_default.dim("  Run"), source_default.cyan("bagdock switch"), source_default.dim("to select one."));
+    }
+  } catch {}
+}
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
@@ -3492,6 +3585,175 @@ var init_auth = __esm(() => {
   init_output();
 });
 
+// src/api.ts
+function resolveFullEnvironment() {
+  const flagOverride = getEnvironmentOverride();
+  if (flagOverride)
+    return flagOverride;
+  const linkEnv = resolveLinkEnvironment();
+  if (linkEnv)
+    return linkEnv;
+  return resolveEnvironment();
+}
+async function apiFetch(path2, init2) {
+  const token = getAuthToken();
+  if (!token) {
+    outputError("auth_error", "Not authenticated. Run bagdock login or set BAGDOCK_API_KEY.");
+    process.exit(1);
+  }
+  const env2 = resolveFullEnvironment();
+  const opSlug = resolveOperatorSlug();
+  const headers = new Headers(init2?.headers);
+  headers.set("Authorization", `Bearer ${token}`);
+  headers.set("X-Environment", env2);
+  if (opSlug)
+    headers.set("X-Operator-Slug", opSlug);
+  return fetch(`${API_BASE}${path2}`, { ...init2, headers });
+}
+async function apiFetchJson(path2, method, body) {
+  return apiFetch(path2, {
+    method,
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+}
+var init_api = __esm(() => {
+  init_config();
+  init_auth();
+  init_output();
+});
+
+// src/switch.ts
+var exports_switch = {};
+__export(exports_switch, {
+  switchContext: () => switchContext
+});
+async function fetchOperators() {
+  const res = await apiFetch("/api/v1/me/operators");
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({}));
+    throw new Error(err?.error?.message || `API returned ${res.status}`);
+  }
+  const body = await res.json();
+  return body.data ?? [];
+}
+async function fetchSandboxes() {
+  const res = await apiFetch("/api/v1/me/sandboxes");
+  if (!res.ok)
+    return [];
+  const body = await res.json();
+  return body.data ?? [];
+}
+function prompt(question) {
+  const readline = __require("readline");
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => rl.question(question, (answer) => {
+    rl.close();
+    resolve(answer.trim());
+  }));
+}
+async function switchContext(opts) {
+  status("Fetching your operators...");
+  let operators;
+  try {
+    operators = await fetchOperators();
+  } catch (err) {
+    outputError("api_error", `Failed to list operators: ${err.message}`);
+    return;
+  }
+  if (!operators.length) {
+    outputError("no_operators", "No operators found for your account.");
+    return;
+  }
+  let selected;
+  if (opts.operator) {
+    const match = operators.find((o) => o.slug === opts.operator || o.id === opts.operator);
+    if (!match) {
+      outputError("not_found", `Operator "${opts.operator}" not found. Available: ${operators.map((o) => o.slug).join(", ")}`);
+      return;
+    }
+    selected = match;
+  } else if (operators.length === 1) {
+    selected = operators[0];
+    if (!isJsonMode()) {
+      console.log(source_default.dim(`  Auto-selected: ${selected.name} (${selected.slug})`));
+    }
+  } else if (!process.stdout.isTTY || isJsonMode()) {
+    outputError("operator_required", `Multiple operators available. Pass --operator <slug>. Available: ${operators.map((o) => o.slug).join(", ")}`);
+    return;
+  } else {
+    console.log(source_default.bold(`
+  Select operator:
+`));
+    operators.forEach((op, i) => {
+      console.log(`    ${source_default.cyan(String(i + 1))} ${op.name} ${source_default.dim(`(${op.slug})`)}`);
+    });
+    console.log();
+    const answer = await prompt("  > ");
+    const idx = parseInt(answer, 10) - 1;
+    if (isNaN(idx) || idx < 0 || idx >= operators.length) {
+      outputError("invalid_selection", "Invalid selection.");
+      return;
+    }
+    selected = operators[idx];
+  }
+  let environment = "live";
+  if (opts.env) {
+    if (opts.env !== "live" && opts.env !== "test") {
+      outputError("invalid_env", 'Environment must be "live" or "test".');
+      return;
+    }
+    environment = opts.env;
+  } else if (process.stdout.isTTY && !isJsonMode()) {
+    status("Fetching sandboxes...");
+    updateProfileContext(selected.id, selected.slug, "live");
+    const sandboxes = await fetchSandboxes();
+    console.log(source_default.bold(`
+  Select environment:
+`));
+    console.log(`    ${source_default.cyan("1")} Live`);
+    if (sandboxes.length > 0) {
+      sandboxes.forEach((sb, i) => {
+        const tag = sb.is_default ? source_default.dim(" (default)") : "";
+        console.log(`    ${source_default.cyan(String(i + 2))} Sandbox: ${sb.name}${tag}`);
+      });
+    } else {
+      console.log(`    ${source_default.cyan("2")} Test ${source_default.dim("(default sandbox)")}`);
+    }
+    console.log();
+    const envAnswer = await prompt("  > ");
+    const envIdx = parseInt(envAnswer, 10);
+    if (envIdx === 1) {
+      environment = "live";
+    } else if (sandboxes.length > 0 && envIdx >= 2 && envIdx <= sandboxes.length + 1) {
+      environment = "test";
+    } else if (envIdx === 2 && sandboxes.length === 0) {
+      environment = "test";
+    } else {
+      outputError("invalid_selection", "Invalid selection.");
+      return;
+    }
+  }
+  updateProfileContext(selected.id, selected.slug, environment);
+  if (isJsonMode()) {
+    outputSuccess({
+      operator: { id: selected.id, slug: selected.slug, name: selected.name },
+      environment
+    });
+  } else {
+    const envLabel = environment === "test" ? source_default.yellow("test") : source_default.green("live");
+    console.log();
+    console.log(source_default.green("  Switched to"), source_default.bold(selected.name), source_default.dim(`(${selected.slug})`), `[${envLabel}]`);
+    console.log();
+  }
+}
+var init_switch = __esm(() => {
+  init_source();
+  init_config();
+  init_api();
+  init_output();
+});
+
 // src/doctor.ts
 var exports_doctor = {};
 __export(exports_doctor, {
@@ -3579,11 +3841,30 @@ function checkAgents() {
   }
   return { name: "AI Agents", status: "pass", message: `Detected: ${detected.join(", ")}` };
 }
+function checkOperatorContext() {
+  const creds = loadCredentials();
+  const slug = resolveOperatorSlug();
+  const env2 = resolveEnvironment();
+  const profile = getActiveProfileName();
+  if (!slug) {
+    return {
+      name: "Operator Context",
+      status: "warn",
+      message: `No operator selected (profile: ${profile}). Run \`bagdock switch\` to set one.`
+    };
+  }
+  return {
+    name: "Operator Context",
+    status: "pass",
+    message: `${slug} [${env2}] (profile: ${profile})`
+  };
+}
 async function doctor() {
   const checks = [];
   if (isJsonMode()) {
     checks.push(await checkVersion());
     checks.push(checkAuth());
+    checks.push(checkOperatorContext());
     checks.push(checkProjectConfig());
     checks.push(checkAgents());
     const ok = checks.every((c) => c.status !== "fail");
@@ -3601,6 +3882,9 @@ async function doctor() {
   const authCheck = checkAuth();
   checks.push(authCheck);
   console.log(`  ${ICON[authCheck.status]} ${authCheck.name}: ${authCheck.message}`);
+  const contextCheck = checkOperatorContext();
+  checks.push(contextCheck);
+  console.log(`  ${ICON[contextCheck.status]} ${contextCheck.name}: ${contextCheck.message}`);
   const configCheck = checkProjectConfig();
   checks.push(configCheck);
   console.log(`  ${ICON[configCheck.status]} ${configCheck.name}: ${configCheck.message}`);
@@ -3825,10 +4109,10 @@ Deploying ${config.slug}@${config.version} → ${envLabel}
     process.exit(1);
   }
 }
-function confirm(prompt) {
+function confirm(prompt2) {
   return new Promise((resolve) => {
     const rl = createInterface({ input: process.stdin, output: process.stdout });
-    rl.question(prompt, (answer) => {
+    rl.question(prompt2, (answer) => {
       rl.close();
       resolve(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
@@ -3931,6 +4215,7 @@ function requireSlug(slugArg) {
 }
 async function link(opts) {
   let slug = opts.slug;
+  const linkEnv = opts.env === "test" || opts.env === "live" ? opts.env : undefined;
   if (!slug) {
     const config = loadBagdockJson(process.cwd());
     if (config?.slug) {
@@ -3946,9 +4231,7 @@ async function link(opts) {
     }
     status("Fetching your apps...");
     try {
-      const res = await fetch(`${API_BASE}/v1/developer/apps`, {
-        headers: { Authorization: `Bearer ${token}` }
-      });
+      const res = await apiFetch("/api/v1/developer/apps");
       if (!res.ok)
         throw new Error(`API returned ${res.status}`);
       const { data } = await res.json();
@@ -3983,12 +4266,13 @@ Your apps:
   const dir = join6(process.cwd(), LINK_DIR);
   if (!existsSync6(dir))
     mkdirSync3(dir, { recursive: true });
-  const linkData = { slug, linkedAt: new Date().toISOString() };
+  const linkData = { slug, environment: linkEnv, linkedAt: new Date().toISOString() };
   writeFileSync4(join6(dir, LINK_FILE), JSON.stringify(linkData, null, 2));
   if (isJsonMode()) {
-    outputSuccess({ slug, path: join6(dir, LINK_FILE) });
+    outputSuccess({ slug, environment: linkEnv, path: join6(dir, LINK_FILE) });
   } else {
-    console.log(source_default.green(`Linked to ${source_default.bold(slug)}`));
+    const envLabel = linkEnv ? ` [${linkEnv}]` : "";
+    console.log(source_default.green(`Linked to ${source_default.bold(slug)}${envLabel}`));
     console.log(source_default.dim(`  Stored in ${LINK_DIR}/${LINK_FILE}`));
   }
 }
@@ -3997,6 +4281,7 @@ var init_link = __esm(() => {
   init_source();
   init_config();
   init_auth();
+  init_api();
   init_output();
 });
 
@@ -4098,22 +4383,11 @@ __export(exports_submission, {
   submissionStatus: () => submissionStatus,
   submissionList: () => submissionList
 });
-function requireAuth() {
-  const token = getAuthToken();
-  if (!token) {
-    outputError("auth_error", "Not authenticated. Run bagdock login or set BAGDOCK_API_KEY.");
-    process.exit(1);
-  }
-  return token;
-}
 async function submissionList(opts) {
-  const token = requireAuth();
   const slug = requireSlug(opts.app);
   status(`Fetching submissions for ${slug}...`);
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${slug}/submissions`, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
+    const res = await apiFetch(`/api/v1/developer/apps/${slug}/submissions`);
     if (res.status === 404) {
       outputError("not_found", `App "${slug}" not found or no submissions exist.`);
     }
@@ -4144,13 +4418,10 @@ Submissions for ${slug}:
   }
 }
 async function submissionStatus(id, opts) {
-  const token = requireAuth();
   const slug = requireSlug(opts.app);
   status(`Fetching submission ${id}...`);
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${slug}/submissions/${id}`, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
+    const res = await apiFetch(`/api/v1/developer/apps/${slug}/submissions/${id}`);
     if (res.status === 404) {
       outputError("not_found", `Submission "${id}" not found.`);
     }
@@ -4184,13 +4455,11 @@ async function submissionStatus(id, opts) {
   }
 }
 async function submissionWithdraw(id, opts) {
-  const token = requireAuth();
   const slug = requireSlug(opts.app);
   status(`Withdrawing submission ${id}...`);
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${slug}/submissions/${id}/withdraw`, {
-      method: "POST",
-      headers: { Authorization: `Bearer ${token}` }
+    const res = await apiFetch(`/api/v1/developer/apps/${slug}/submissions/${id}/withdraw`, {
+      method: "POST"
     });
     if (res.status === 404) {
       outputError("not_found", `App "${slug}" not found.`);
@@ -4215,8 +4484,7 @@ async function submissionWithdraw(id, opts) {
 }
 var init_submission = __esm(() => {
   init_source();
-  init_config();
-  init_auth();
+  init_api();
   init_output();
   init_link();
 });
@@ -4228,9 +4496,16 @@ __export(exports_open2, {
 });
 async function open2(slugArg) {
   const slug = requireSlug(slugArg);
-  const url = `${DASHBOARD_BASE}/developer/apps/${slug}`;
+  const operatorSlug = resolveOperatorSlug();
+  const env2 = resolveEnvironment();
+  if (!operatorSlug) {
+    outputError("no_operator", "No operator context. Run bagdock switch or bagdock login to set one.");
+    return;
+  }
+  const envSegment = env2 === "test" ? "/test" : "";
+  const url = `${DASHBOARD_BASE}/${operatorSlug}${envSegment}/developer/apps/${slug}`;
   if (isJsonMode()) {
-    outputSuccess({ url, slug });
+    outputSuccess({ url, slug, operator: operatorSlug, environment: env2 });
     return;
   }
   status(`Opening ${url}`);
@@ -4251,17 +4526,10 @@ __export(exports_inspect, {
   inspect: () => inspect
 });
 async function inspect(slugArg) {
-  const token = getAuthToken();
-  if (!token) {
-    outputError("auth_error", "Not authenticated. Run bagdock login or set BAGDOCK_API_KEY.");
-    process.exit(1);
-  }
   const slug = requireSlug(slugArg);
   status(`Inspecting ${slug}...`);
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${slug}`, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
+    const res = await apiFetch(`/api/v1/developer/apps/${slug}`);
     if (res.status === 404)
       outputError("not_found", `App "${slug}" not found.`);
     if (!res.ok)
@@ -4301,8 +4569,7 @@ async function inspect(slugArg) {
 }
 var init_inspect = __esm(() => {
   init_source();
-  init_config();
-  init_auth();
+  init_api();
   init_output();
   init_link();
 });
@@ -4317,14 +4584,6 @@ __export(exports_env_cmd, {
 });
 import { writeFileSync as writeFileSync5 } from "fs";
 import { resolve } from "path";
-function requireAuth2() {
-  const token = getAuthToken();
-  if (!token) {
-    console.error(source_default.red("Not authenticated. Run"), source_default.cyan("bagdock login"), source_default.red("or set BAGDOCK_API_KEY."));
-    process.exit(1);
-  }
-  return token;
-}
 function requireConfig() {
   const config = loadBagdockJson(process.cwd());
   if (!config) {
@@ -4334,12 +4593,9 @@ function requireConfig() {
   return config;
 }
 async function envList() {
-  const token = requireAuth2();
   const config = requireConfig();
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${config.slug}/env`, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
+    const res = await apiFetch(`/api/v1/developer/apps/${config.slug}/env`);
     if (!res.ok) {
       console.error(source_default.red(`Failed to list env vars (${res.status})`));
       process.exit(1);
@@ -4363,17 +4619,9 @@ Environment variables for ${config.slug}:
   }
 }
 async function envSet(key, value) {
-  const token = requireAuth2();
   const config = requireConfig();
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${config.slug}/env`, {
-      method: "PUT",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${token}`
-      },
-      body: JSON.stringify({ key, value })
-    });
+    const res = await apiFetchJson(`/api/v1/developer/apps/${config.slug}/env`, "PUT", { key, value });
     if (!res.ok) {
       const body = await res.text();
       console.error(source_default.red(`Failed to set ${key} (${res.status}):`), body.slice(0, 200));
@@ -4386,13 +4634,9 @@ async function envSet(key, value) {
   }
 }
 async function envRemove(key) {
-  const token = requireAuth2();
   const config = requireConfig();
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${config.slug}/env/${key}`, {
-      method: "DELETE",
-      headers: { Authorization: `Bearer ${token}` }
-    });
+    const res = await apiFetch(`/api/v1/developer/apps/${config.slug}/env/${key}`, { method: "DELETE" });
     if (!res.ok) {
       console.error(source_default.red(`Failed to remove ${key} (${res.status})`));
       process.exit(1);
@@ -4404,14 +4648,11 @@ async function envRemove(key) {
   }
 }
 async function envPull(file) {
-  const token = requireAuth2();
   const slug = requireSlug();
   const target = resolve(file ?? ".env.local");
   status(`Pulling env vars for ${slug}...`);
   try {
-    const res = await fetch(`${API_BASE}/v1/developer/apps/${slug}/env`, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
+    const res = await apiFetch(`/api/v1/developer/apps/${slug}/env`);
     if (!res.ok) {
       outputError("api_error", `Failed to pull env vars (${res.status})`);
       process.exit(1);
@@ -4446,7 +4687,7 @@ async function envPull(file) {
 var init_env_cmd = __esm(() => {
   init_source();
   init_config();
-  init_auth();
+  init_api();
   init_output();
   init_link();
 });
@@ -4458,23 +4699,9 @@ __export(exports_keys, {
   keysDelete: () => keysDelete,
   keysCreate: () => keysCreate
 });
-async function apiRequest(method, path2, body) {
-  const token = getAuthToken();
-  if (!token) {
-    outputError("UNAUTHENTICATED", "Not logged in. Run `bagdock login` or set BAGDOCK_API_KEY.");
-  }
-  const headers = { Authorization: `Bearer ${token}` };
-  const init2 = { method, headers };
-  if (body) {
-    headers["Content-Type"] = "application/json";
-    init2.body = JSON.stringify(body);
-  }
-  const res = await fetch(`${API_BASE}${path2}`, init2);
-  return res;
-}
 async function keysCreate(opts) {
   status("Creating API key...");
-  const res = await apiRequest("POST", "/api/v1/operator/api-keys", {
+  const res = await apiFetchJson("/api/v1/operator/api-keys", "POST", {
     name: opts.name,
     key_type: opts.type || "secret",
     key_category: opts.category || "standard",
@@ -4511,7 +4738,7 @@ async function keysList(opts) {
   let path2 = "/api/v1/operator/api-keys";
   if (opts.environment)
     path2 += `?environment=${opts.environment}`;
-  const res = await apiRequest("GET", path2);
+  const res = await apiFetch(path2);
   if (!res.ok) {
     const err = await res.json().catch(() => ({ error: { message: res.statusText } }));
     outputError(err.error?.code || "API_ERROR", err.error?.message || `HTTP ${res.status}`);
@@ -4541,7 +4768,7 @@ async function keysDelete(id, opts) {
     outputError("CONFIRMATION_REQUIRED", "Pass --yes to confirm deletion in non-interactive mode.");
   }
   status(`Revoking API key ${id}...`);
-  const res = await apiRequest("DELETE", `/api/v1/operator/api-keys/${id}`, {
+  const res = await apiFetchJson(`/api/v1/operator/api-keys/${id}`, "DELETE", {
     reason: opts.reason
   });
   if (!res.ok) {
@@ -4558,8 +4785,7 @@ async function keysDelete(id, opts) {
 }
 var init_keys = __esm(() => {
   init_source();
-  init_config();
-  init_auth();
+  init_api();
   init_output();
 });
 
@@ -4569,19 +4795,9 @@ __export(exports_apps, {
   appsList: () => appsList,
   appsGet: () => appsGet
 });
-async function apiRequest2(method, path2) {
-  const token = getAuthToken();
-  if (!token) {
-    outputError("UNAUTHENTICATED", "Not logged in. Run `bagdock login` or set BAGDOCK_API_KEY.");
-  }
-  return fetch(`${API_BASE}${path2}`, {
-    method,
-    headers: { Authorization: `Bearer ${token}` }
-  });
-}
 async function appsList() {
   status("Fetching apps...");
-  const res = await apiRequest2("GET", "/api/v1/developer/apps");
+  const res = await apiFetch("/api/v1/developer/apps");
   if (!res.ok) {
     const err = await res.json().catch(() => ({ error: { message: res.statusText } }));
     outputError(err.error?.code || "API_ERROR", err.error?.message || `HTTP ${res.status}`);
@@ -4611,7 +4827,7 @@ async function appsList() {
 }
 async function appsGet(slug) {
   status(`Fetching app ${slug}...`);
-  const res = await apiRequest2("GET", `/api/v1/developer/apps/${slug}`);
+  const res = await apiFetch(`/api/v1/developer/apps/${slug}`);
   if (!res.ok) {
     if (res.status === 404) {
       outputError("NOT_FOUND", `App "${slug}" not found`);
@@ -4645,8 +4861,7 @@ async function appsGet(slug) {
 }
 var init_apps = __esm(() => {
   init_source();
-  init_config();
-  init_auth();
+  init_api();
   init_output();
 });
 
@@ -4657,16 +4872,6 @@ __export(exports_logs, {
   logsList: () => logsList,
   logsGet: () => logsGet
 });
-async function apiRequest3(method, path2) {
-  const token = getAuthToken();
-  if (!token) {
-    outputError("UNAUTHENTICATED", "Not logged in. Run `bagdock login` or set BAGDOCK_API_KEY.");
-  }
-  return fetch(`${API_BASE}${path2}`, {
-    method,
-    headers: { Authorization: `Bearer ${token}` }
-  });
-}
 function resolveSlug2(slug) {
   if (slug)
     return slug;
@@ -4680,7 +4885,7 @@ async function logsList(opts) {
   const slug = resolveSlug2(opts.app);
   const limit = opts.limit || "50";
   status(`Fetching logs for ${slug}...`);
-  const res = await apiRequest3("GET", `/api/v1/developer/apps/${slug}/logs?limit=${limit}`);
+  const res = await apiFetch(`/api/v1/developer/apps/${slug}/logs?limit=${limit}`);
   if (!res.ok) {
     if (res.status === 404) {
       outputError("NOT_FOUND", `App "${slug}" not found or no logs available`);
@@ -4710,7 +4915,7 @@ async function logsList(opts) {
 async function logsGet(id, opts) {
   const slug = resolveSlug2(opts.app);
   status(`Fetching log entry ${id}...`);
-  const res = await apiRequest3("GET", `/api/v1/developer/apps/${slug}/logs/${id}`);
+  const res = await apiFetch(`/api/v1/developer/apps/${slug}/logs/${id}`);
   if (!res.ok) {
     const err = await res.json().catch(() => ({ error: { message: res.statusText } }));
     outputError(err.error?.code || "API_ERROR", err.error?.message || `HTTP ${res.status}`);
@@ -4733,7 +4938,7 @@ async function logsTail(opts) {
   let lastTimestamp = new Date().toISOString();
   const poll = async () => {
     try {
-      const res = await apiRequest3("GET", `/api/v1/developer/apps/${slug}/logs?since=${encodeURIComponent(lastTimestamp)}&limit=100`);
+      const res = await apiFetch(`/api/v1/developer/apps/${slug}/logs?since=${encodeURIComponent(lastTimestamp)}&limit=100`);
       if (res.ok) {
         const result = await res.json();
         for (const entry of result.data || []) {
@@ -4759,7 +4964,7 @@ async function logsTail(opts) {
 var init_logs = __esm(() => {
   init_source();
   init_config();
-  init_auth();
+  init_api();
   init_output();
 });
 
@@ -5033,13 +5238,20 @@ function toPascalCase(s) {
 init_output();
 init_config();
 var program2 = new Command;
-program2.name("bagdock").description("Bagdock developer CLI — built for humans, AI agents, and CI/CD pipelines").version("0.4.0").option("--json", "Force JSON output (auto-enabled in non-TTY)").option("-q, --quiet", "Suppress status messages (implies --json)").option("--api-key <key>", "API key to use for this invocation").option("-p, --profile <name>", "Profile to use (overrides BAGDOCK_PROFILE)").hook("preAction", (_thisCommand, actionCommand) => {
+program2.name("bagdock").description("Bagdock developer CLI — built for humans, AI agents, and CI/CD pipelines").version("0.5.0").option("--json", "Force JSON output (auto-enabled in non-TTY)").option("-q, --quiet", "Suppress status messages (implies --json)").option("--api-key <key>", "API key to use for this invocation").option("-p, --profile <name>", "Profile to use (overrides BAGDOCK_PROFILE)").option("--env <environment>", "Override environment for this invocation (live, test)").hook("preAction", (_thisCommand, actionCommand) => {
   const opts = program2.opts();
   setOutputMode({ json: opts.json, quiet: opts.quiet });
   if (opts.apiKey)
     setApiKeyOverride(opts.apiKey);
   if (opts.profile)
     setProfileOverride(opts.profile);
+  if (opts.env) {
+    if (opts.env !== "live" && opts.env !== "test") {
+      console.error('Error: --env must be "live" or "test"');
+      process.exit(1);
+    }
+    setEnvironmentOverride(opts.env);
+  }
 });
 program2.command("login").description("Authenticate with Bagdock (opens browser)").action(login);
 program2.command("logout").description("Clear stored credentials").action(logout);
@@ -5047,6 +5259,10 @@ program2.command("whoami").description("Show current authenticated user").action
 var authCmd = program2.command("auth").description("Manage authentication profiles");
 authCmd.command("list").description("List all stored profiles").action(authList);
 authCmd.command("switch [name]").description("Switch active profile").action(async (name) => authSwitch(name));
+program2.command("switch").description("Switch operator and environment context (live/test)").option("--operator <slug>", "Operator slug (required in non-interactive mode)").option("--env <environment>", "Environment: live or test").action(async (opts) => {
+  const { switchContext: switchContext2 } = await Promise.resolve().then(() => (init_switch(), exports_switch));
+  await switchContext2(opts);
+});
 program2.command("doctor").description("Run environment diagnostics").action(async () => {
   const { doctor: doctor2 } = await Promise.resolve().then(() => (init_doctor(), exports_doctor));
   await doctor2();
@@ -5056,7 +5272,7 @@ program2.command("dev").description("Start local dev server").option("-p, --port
   const { dev: dev2 } = await Promise.resolve().then(() => (init_dev(), exports_dev));
   await dev2(opts);
 });
-program2.command("deploy").description("Build locally and deploy via Bagdock API").option("--env <environment>", "Target environment (preview, staging, production)", "staging").option("--preview", "Deploy an ephemeral preview ({slug}-{hash}.pre.bdok.dev)").option("--production", "Deploy to production ({slug}.bdok.dev)").option("-y, --yes", "Skip confirmation prompts").action(async (opts) => {
+program2.command("deploy").description("Build locally and deploy via Bagdock API").option("--target <target>", "Deploy target (preview, staging, production)", "staging").option("--preview", "Deploy an ephemeral preview ({slug}-{hash}.pre.bdok.dev)").option("--production", "Deploy to production ({slug}.bdok.dev)").option("-y, --yes", "Skip confirmation prompts").action(async (opts) => {
   const { deploy: deploy2 } = await Promise.resolve().then(() => (init_deploy(), exports_deploy));
   await deploy2(opts);
 });
@@ -5089,7 +5305,7 @@ program2.command("inspect [slug]").description("Show deployment details and stat
   const { inspect: inspect2 } = await Promise.resolve().then(() => (init_inspect(), exports_inspect));
   await inspect2(slug);
 });
-program2.command("link").description("Link current directory to a Bagdock app or edge").option("--slug <slug>", "Project slug (required in non-interactive mode)").action(async (opts) => {
+program2.command("link").description("Link current directory to a Bagdock app or edge").option("--slug <slug>", "App slug (required in non-interactive mode)").option("--env <environment>", "Default environment for this link (live, test)").action(async (opts) => {
   const { link: link2 } = await Promise.resolve().then(() => (init_link(), exports_link));
   await link2(opts);
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bagdock/cli",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Bagdock developer CLI — build, test, and deploy apps and edges on the Bagdock platform",
   "keywords": [
     "bagdock",

package/skill-evals/bagdock-cli/evals.json

@@ -1,6 +1,6 @@
 {
   "skill": "bagdock-cli",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "evals": [
     {
       "id": "login-flow",
@@ -203,6 +203,48 @@
       "input": "Link this directory to my smart-entry adapter",
       "expected_commands": ["bagdock link --slug smart-entry"],
       "expected_behavior": "Creates .bagdock/link.json with slug, other commands use it as fallback"
+    },
+    {
+      "id": "switch-operator-sandbox",
+      "description": "Agent should switch to sandbox environment for testing",
+      "input": "Switch to test mode for the WiseStorage operator",
+      "expected_commands": ["bagdock switch --operator wisestorage --env test"],
+      "expected_behavior": "Updates active profile with operatorSlug=wisestorage and environment=test"
+    },
+    {
+      "id": "switch-interactive",
+      "description": "Agent should use interactive switch when operator unknown",
+      "input": "I want to switch to a different operator",
+      "expected_commands": ["bagdock switch"],
+      "expected_behavior": "Lists available operators, prompts selection, then prompts environment choice"
+    },
+    {
+      "id": "deploy-to-test",
+      "description": "Agent should deploy to sandbox environment",
+      "input": "Deploy my adapter to the sandbox for testing",
+      "expected_commands": ["bagdock --env test deploy --target staging --yes"],
+      "expected_behavior": "Deploys to staging target within the test/sandbox environment"
+    },
+    {
+      "id": "inspect-test-env",
+      "description": "Agent should inspect an app in test environment",
+      "input": "Show me the deployment details of my app in the sandbox",
+      "expected_commands": ["bagdock --env test inspect --json"],
+      "expected_behavior": "Returns app details from the sandbox tenant database"
+    },
+    {
+      "id": "link-with-env",
+      "description": "Agent should link directory with specific environment",
+      "input": "Link this directory to smart-entry in test mode",
+      "expected_commands": ["bagdock link --slug smart-entry --env test"],
+      "expected_behavior": "Creates .bagdock/link.json with slug and environment=test"
+    },
+    {
+      "id": "env-override-per-command",
+      "description": "Agent should use --env flag to override environment for a single command",
+      "input": "List apps on the live environment even though I'm currently in test mode",
+      "expected_commands": ["bagdock --env live apps list --json"],
+      "expected_behavior": "Lists apps from the live tenant database, does not change profile"
     }
   ]
 }

package/skills/bagdock-cli/SKILL.md

@@ -45,9 +45,19 @@ For CI/CD, set `BAGDOCK_API_KEY` in your environment. For interactive use, run `
 | `-q, --quiet` | Suppress status messages (implies `--json`) |
 | `--api-key <key>` | Override auth for this invocation |
 | `-p, --profile <name>` | Use a named profile (overrides `BAGDOCK_PROFILE`) |
+| `--env <live\|test>` | Override environment for this invocation |
 | `-V, --version` | Print version |
 | `-h, --help` | Print help |
 
+## Environment Context
+
+All API calls include `X-Environment` and `X-Operator-Slug` headers. Resolution:
+
+- **Environment**: `--env` flag > `.bagdock/link.json` > profile > `BAGDOCK_ENV` > `live`
+- **Operator**: `BAGDOCK_OPERATOR` env var > profile stored value
+
+Use `bagdock switch` to select operator and environment interactively, or pass `--env test` to any command.
+
 ## Available Commands
 
 | Command | Description |
@@ -73,8 +83,9 @@ For CI/CD, set `BAGDOCK_API_KEY` in your environment. For interactive use, run `
 | `open [slug]` | Open project in Bagdock dashboard |
 | `inspect [slug]` | Show deployment details and status |
 | `link` | Link directory to a Bagdock app or edge |
+| `switch` | Switch operator and environment context (live/test) |
 | `doctor` | Run environment diagnostics (version, auth, config, agents) |
-| `auth list` | List stored profiles |
+| `auth list` | List stored profiles (with operator + env) |
 | `auth switch [name]` | Switch active profile |
 | `apps list` | List deployed applications |
 | `apps get <slug>` | Show details for an application |