@ishlabs/cli 0.12.0 → 0.12.2

package/dist/auth.d.ts

@@ -18,8 +18,8 @@
  * server's `local` mode keeps reading them without changes.
  */
 export declare function getAppUrl(): string;
-export declare function getSupabaseUrl(): string;
-export declare function getSupabaseAnonKey(): string;
+export declare function getSupabaseUrl(dev?: boolean): string;
+export declare function getSupabaseAnonKey(dev?: boolean): string;
 /**
  * Resolve the Supabase project (URL + anon key) that issued the given JWT.
  * Falls back to env vars / production defaults when the token is unparsable
@@ -32,7 +32,9 @@ export declare function resolveSupabaseProjectFromToken(accessToken: string | un
 export declare function decodeJwtExp(token: string): number;
 export declare function decodeJwtClaims(token: string): Record<string, unknown> | undefined;
 export declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
-export declare function login(): Promise<{
+export declare function login(opts?: {
+    dev?: boolean;
+}): Promise<{
     accessToken: string;
     refreshToken: string;
     clientId: string;

package/dist/auth.js

@@ -19,7 +19,7 @@
  */
 import * as http from "node:http";
 import * as crypto from "node:crypto";
-import { execFile } from "node:child_process";
+import { spawn } from "node:child_process";
 const LOGIN_TIMEOUT = 5 * 60 * 1000; // 5 minutes
 const CLIENT_NAME = "ish CLI";
 const DEFAULT_APP_URL = "https://app.ishlabs.io";
@@ -29,26 +29,32 @@ const DEFAULT_APP_URL = "https://app.ishlabs.io";
 // must send refresh requests back to that same project (with its matching
 // publishable/anon key) or Supabase will reject them.
 const SUPABASE_PROJECTS = {
-    // Development (default — local dev work hits this project)
-    "muqvgnqyubmqnfnqwxuk.supabase.co": {
-        url: "https://muqvgnqyubmqnfnqwxuk.supabase.co",
-        anonKey: "sb_publishable_pxXwY9EaWFwkR7h728NWvQ_NFqGfh8K",
-    },
-    // Production
+    // Production (default — end users hit this)
     "hngymyxdyamokpbeakps.supabase.co": {
         url: "https://hngymyxdyamokpbeakps.supabase.co",
         anonKey: "sb_publishable_JlS-HfwNyDqLNbrfbrkUlw_PSdZJdo2",
     },
+    // Development (opt-in via --dev or ISH_SUPABASE_URL/_ANON_KEY env vars)
+    "muqvgnqyubmqnfnqwxuk.supabase.co": {
+        url: "https://muqvgnqyubmqnfnqwxuk.supabase.co",
+        anonKey: "sb_publishable_pxXwY9EaWFwkR7h728NWvQ_NFqGfh8K",
+    },
 };
-const DEFAULT_SUPABASE_PROJECT = SUPABASE_PROJECTS["muqvgnqyubmqnfnqwxuk.supabase.co"];
+const PROD_SUPABASE_PROJECT = SUPABASE_PROJECTS["hngymyxdyamokpbeakps.supabase.co"];
+const DEV_SUPABASE_PROJECT = SUPABASE_PROJECTS["muqvgnqyubmqnfnqwxuk.supabase.co"];
 export function getAppUrl() {
     return process.env.ISH_APP_URL ?? DEFAULT_APP_URL;
 }
-export function getSupabaseUrl() {
-    return process.env.ISH_SUPABASE_URL ?? DEFAULT_SUPABASE_PROJECT.url;
+// Precedence (matches resolveApiUrl): --dev > ISH_SUPABASE_URL env > prod default.
+export function getSupabaseUrl(dev) {
+    if (dev)
+        return DEV_SUPABASE_PROJECT.url;
+    return process.env.ISH_SUPABASE_URL ?? PROD_SUPABASE_PROJECT.url;
 }
-export function getSupabaseAnonKey() {
-    return process.env.ISH_SUPABASE_ANON_KEY ?? DEFAULT_SUPABASE_PROJECT.anonKey;
+export function getSupabaseAnonKey(dev) {
+    if (dev)
+        return DEV_SUPABASE_PROJECT.anonKey;
+    return process.env.ISH_SUPABASE_ANON_KEY ?? PROD_SUPABASE_PROJECT.anonKey;
 }
 /**
  * Resolve the Supabase project (URL + anon key) that issued the given JWT.
@@ -73,7 +79,7 @@ export function resolveSupabaseProjectFromToken(accessToken) {
                 // default key for apikey (best-effort; will likely fail without env override).
                 return {
                     url: `https://${host}`,
-                    anonKey: envKey ?? DEFAULT_SUPABASE_PROJECT.anonKey,
+                    anonKey: envKey ?? PROD_SUPABASE_PROJECT.anonKey,
                 };
             }
         }
@@ -82,21 +88,21 @@ export function resolveSupabaseProjectFromToken(accessToken) {
         }
     }
     return {
-        url: envUrl ?? DEFAULT_SUPABASE_PROJECT.url,
-        anonKey: envKey ?? DEFAULT_SUPABASE_PROJECT.anonKey,
+        url: envUrl ?? PROD_SUPABASE_PROJECT.url,
+        anonKey: envKey ?? PROD_SUPABASE_PROJECT.anonKey,
     };
 }
 // --- Browser open ---
 function openBrowser(url) {
-    if (process.platform === "win32") {
-        execFile("cmd", ["/c", "start", "", url]);
-    }
-    else if (process.platform === "darwin") {
-        execFile("open", [url]);
-    }
-    else {
-        execFile("xdg-open", [url]);
-    }
+    // detached + unref so the child doesn't keep our event loop alive after the
+    // login flow finishes. stdio: "ignore" so we don't pipe-buffer its output.
+    const opts = { detached: true, stdio: "ignore" };
+    const child = process.platform === "win32"
+        ? spawn("cmd", ["/c", "start", "", url], opts)
+        : process.platform === "darwin"
+            ? spawn("open", [url], opts)
+            : spawn("xdg-open", [url], opts);
+    child.unref();
 }
 // --- JWT decode ---
 export function decodeJwtExp(token) {
@@ -130,10 +136,15 @@ function startCallbackServer() {
         const callbackPromise = new Promise((res) => {
             resolveCallback = res;
         });
+        // Track every socket the server accepts so we can destroy them on close.
+        // Browsers open multiple keep-alive connections (favicon prefetch, parallel
+        // request slots) and Node's server.close() waits for those to drain — that
+        // wait is what was hanging `ish login` after success.
+        const sockets = new Set();
         const server = http.createServer((req, res) => {
             const reqUrl = new URL(req.url ?? "/", "http://127.0.0.1");
             if (reqUrl.pathname !== "/callback") {
-                res.writeHead(404);
+                res.writeHead(404, { Connection: "close" });
                 res.end();
                 return;
             }
@@ -148,11 +159,21 @@ function startCallbackServer() {
                 ? `${cb.error}${cb.errorDescription ? `: ${cb.errorDescription}` : ""}`
                 : "You can close this window and return to your terminal.";
             const html = `<!doctype html><html><head><meta charset="utf-8"><title>${headline}</title></head><body style="font-family:system-ui,-apple-system,sans-serif;padding:3em;text-align:center;color:#1f2937"><h1 style="font-weight:600;margin-bottom:1em">${headline}</h1><p style="color:#6b7280">${subline}</p></body></html>`;
-            res.writeHead(cb.error ? 400 : 200, { "Content-Type": "text/html; charset=utf-8" });
+            // Connection: close so the browser tears down the socket immediately;
+            // otherwise HTTP/1.1 keep-alive holds the socket open and prevents
+            // server.close() from freeing the event loop, hanging `ish login`.
+            res.writeHead(cb.error ? 400 : 200, {
+                "Content-Type": "text/html; charset=utf-8",
+                Connection: "close",
+            });
             res.end(html);
             if (resolveCallback)
                 resolveCallback(cb);
         });
+        server.on("connection", (socket) => {
+            sockets.add(socket);
+            socket.on("close", () => sockets.delete(socket));
+        });
         server.on("error", reject);
         server.listen(0, "127.0.0.1", () => {
             const addr = server.address();
@@ -165,6 +186,14 @@ function startCallbackServer() {
                 waitForCallback: () => callbackPromise,
                 close: () => {
                     server.close();
+                    // Force-destroy every socket — Connection: close + closeAllConnections
+                    // alone weren't enough on macOS, where the browser kept enough idle
+                    // sockets alive to hold the event loop open.
+                    server.closeAllConnections?.();
+                    for (const socket of sockets)
+                        socket.destroy();
+                    sockets.clear();
+                    server.unref();
                 },
             });
         });
@@ -198,8 +227,8 @@ function generatePkcePair() {
     const challenge = crypto.createHash("sha256").update(verifier).digest("base64url");
     return { verifier, challenge };
 }
-export async function login() {
-    const supabaseUrl = getSupabaseUrl();
+export async function login(opts = {}) {
+    const supabaseUrl = getSupabaseUrl(opts.dev);
     const server = await startCallbackServer();
     const redirectUri = `http://127.0.0.1:${server.port}/callback`;
     try {
@@ -218,10 +247,20 @@ export async function login() {
         console.error(`If the browser doesn't open, visit:\n  ${authorizeUrl.toString()}\n`);
         openBrowser(authorizeUrl.toString());
         console.error("Waiting for authentication...");
+        let timeoutHandle;
         const timeoutPromise = new Promise((_, reject) => {
-            setTimeout(() => reject(new Error("Login timed out. Please try again.")), LOGIN_TIMEOUT);
+            timeoutHandle = setTimeout(() => reject(new Error("Login timed out. Please try again.")), LOGIN_TIMEOUT);
         });
-        const cb = await Promise.race([server.waitForCallback(), timeoutPromise]);
+        let cb;
+        try {
+            cb = await Promise.race([server.waitForCallback(), timeoutPromise]);
+        }
+        finally {
+            // Without this, the 5-minute timer keeps the event loop alive long
+            // after the callback fires, hanging `ish login` until expiry.
+            if (timeoutHandle)
+                clearTimeout(timeoutHandle);
+        }
         if (cb.error) {
             throw new Error(`OAuth error: ${cb.error}${cb.errorDescription ? ` — ${cb.errorDescription}` : ""}`);
         }

package/dist/commands/chat.js

@@ -619,6 +619,69 @@ Examples:
         });
     });
 }
+function attachChatEndpointMap(parent) {
+    parent
+        .command("map")
+        .description("Map a chatbot contract from documentation (and optionally a saved endpoint draft) via /chat/test-and-map")
+        .option("--docs <file>", 'Path to documentation file (curl, JSON, OpenAPI snippet, freeform). Use "-" for stdin')
+        .option("--endpoint <id>", "Saved endpoint alias or UUID — its config seeds the draft endpoint. Optional.")
+        .option("--workspace <id>", "Workspace ID")
+        .addHelpText("after", `
+Use this when you have documentation for a customer's chatbot (a curl example,
+an OpenAPI excerpt, a README chunk, freeform docs) and want a fully-mapped
+ChatbotEndpointConfig back. The backend wraps the same inference engine
+behind \`init\` but layers two things on top: it fuses your draft endpoint's
+URL / headers with the documentation, and when the URL is probable it can
+run an iterative LLM agent that probes the live bot to refine the mapping.
+
+The output is read-only — pipe \`inferred_config\` into
+\`ish chat endpoint create --endpoint-config -\` to persist, or into
+\`update --endpoint-config -\` to overwrite an existing endpoint.
+
+Examples:
+  $ ish chat endpoint map --docs ./api.md | jq '.inferred_config'
+  $ ish chat endpoint map --docs - < bot.curl
+  $ ish chat endpoint map --endpoint ep-abc --docs ./refined.md`)
+        .action(async (opts, cmd) => {
+        await withClient(cmd, async (client, globals) => {
+            if (!opts.docs) {
+                throw new Error("Pass --docs <file> (or --docs - for stdin).");
+            }
+            const ws = resolveWorkspace(opts.workspace);
+            const documentation = await readFileOrStdin(opts.docs);
+            if (!documentation.trim()) {
+                throw new Error("Documentation is empty. Provide a non-empty paste.");
+            }
+            let draftEndpoint = {};
+            if (opts.endpoint !== undefined) {
+                const rid = resolveChatEndpoint(undefined, opts.endpoint);
+                const saved = await client.get(`/chatbot-endpoints/${rid}`, undefined, { timeout: 30_000 });
+                if (saved.id)
+                    tagAlias(ALIAS_PREFIX.chatEndpoint, saved.id);
+                draftEndpoint = {
+                    ...(saved.config ?? {}),
+                    isTunnelBacked: saved.isTunnelBacked,
+                };
+            }
+            const res = await client.post(`/products/${ws}/chat/test-and-map`, { endpoint: draftEndpoint, documentation }, { timeout: 180_000 });
+            if (res.kind === "failure") {
+                const err = new Error(res.errorMessage ?? "test-and-map failed.");
+                err.error_kind = res.errorKind;
+                throw err;
+            }
+            const result = {
+                success: true,
+                inferred_config: res.inferredConfig,
+                confidence: res.confidence ?? null,
+                missing_signals: res.missingSignals ?? [],
+                tunnel_backed_detected: res.tunnelBackedDetected ?? false,
+                raw_response: res.rawResponse ?? null,
+                dispatched_body: res.dispatchedBody ?? null,
+            };
+            output(result, globals.json, { writePath: true });
+        });
+    });
+}
 // ---------------------------------------------------------------------------
 // Command registration
 // ---------------------------------------------------------------------------
@@ -650,6 +713,7 @@ mirrors that editing model.`);
     attachChatEndpointCommands(endpoint);
     attachChatEndpointInit(endpoint);
     attachChatEndpointTest(endpoint);
+    attachChatEndpointMap(endpoint);
 }
 // Re-exported for tests / external integration if needed.
 export { envelopeFromRow };

package/dist/index.js

@@ -1,5 +1,8 @@
 #!/usr/bin/env node
 import { program, Option } from "commander";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import * as os from "node:os";
 import { runTunnel, runDetached, connectStatus, disconnect } from "./connect.js";
 import { login, decodeJwtClaims } from "./auth.js";
 import { loadConfig, saveConfig } from "./config.js";
@@ -22,6 +25,7 @@ import { ApiClient } from "./lib/api-client.js";
 import { tagAlias, ALIAS_PREFIX } from "./lib/alias-store.js";
 import { output } from "./lib/output.js";
 import { ishDir } from "./lib/paths.js";
+import { findInstalledSkill } from "./lib/skill-content.js";
 import pkg from "../package.json" with { type: "json" };
 const { version } = pkg;
 program
@@ -69,7 +73,7 @@ program.exitOverride((err) => {
 program
     .option("-t, --token <token>", "Auth token (or set ISH_TOKEN env var)")
     .option("--token-file <path>", "Read auth token from a file (preferred over --token / ISH_TOKEN)")
-    .option("--api-url <url>", "Backend API URL (default: ISH_API_URL or https://api.ishlabs.io)")
+    .addOption(new Option("--api-url <url>", "Override backend API URL (internal — also via ISH_API_URL)").hideHelp())
     .addOption(new Option("--dev", "Use local dev API (http://localhost:8000)").hideHelp())
     .option("--workspace <id>", "Default workspace ID; per-subcommand --workspace overrides")
     .option("--json", "Output as JSON (auto-enabled when piped)")
@@ -85,7 +89,7 @@ program
     .description("Authenticate with ish via your browser")
     .action(async (_opts, cmd) => {
     await runInline(cmd, async (globals) => {
-        const tokens = await login();
+        const tokens = await login({ dev: globals.dev });
         const config = loadConfig();
         config.access_token = tokens.accessToken;
         config.refresh_token = tokens.refreshToken;
@@ -185,11 +189,22 @@ program
                 catch { /* keep id+alias only */ }
             }
         }
+        // Best-effort skill detection: walks parent directories from cwd so an
+        // agent invoked from a subfolder still sees a project-level skill.
+        const skillHit = findInstalledSkill(process.cwd(), fs, path, os.homedir());
+        const skill = skillHit
+            ? { installed: true, path: skillHit.root, target: skillHit.target.key }
+            : {
+                installed: false,
+                hint: "Run `ish init` in your project root to install the agent skill " +
+                    "(.claude/skills/ish or .agents/skills/ish).",
+            };
         const payload = {
             user,
             workspace,
             study,
             ask,
+            skill,
             api_url: apiUrl,
             home: ishDir(),
         };
@@ -213,6 +228,7 @@ program
         console.log(`Workspace:  ${workspace ? `${workspace.name ?? "(name unavailable)"} (${workspace.alias})` : "—"}`);
         console.log(`Study:      ${study ? `${study.name ?? "(name unavailable)"} (${study.alias})` : "—"}`);
         console.log(`Ask:        ${ask ? `${ask.name ?? "(name unavailable)"} (${ask.alias})` : "—"}`);
+        console.log(`Skill:      ${skillHit ? skillHit.root : "not installed (run `ish init` to install the agent skill)"}`);
         console.log(`Home:       ${ishDir()}`);
         console.log(`API:        ${apiUrl}`);
         if (tokenError && !token)

package/dist/lib/docs.js

@@ -2244,7 +2244,7 @@ export function getPage(slug) {
 export const AGENT_HELP_FOOTER = "\nFor agents: run `ish docs overview` for the mental model, " +
     "`ish docs list` for every concept page, " +
     "or `ish docs search <query>` for keyword lookup. Every command supports `--json`.\n\n" +
-    "Global flags (--json, --fields, --verbose, --quiet, --token, --api-url) apply to all subcommands. " +
+    "Global flags (--json, --fields, --verbose, --quiet, --token) apply to all subcommands. " +
     "Run `ish --help` to see them.";
 /**
  * Substring search over title + description + body. Title hits score

package/dist/lib/skill-content.js

@@ -842,7 +842,6 @@ is expected. Full UUIDs always work too. See
 | \`--verbose\`      | Include UUIDs + timestamps in JSON                       |
 | \`-q, --quiet\`    | Suppress progress messages on stderr                     |
 | \`-t, --token\`    | Auth token (else ISH_TOKEN env, else \`ish login\` saved)  |
-| \`--api-url\`      | Override backend (default https://api.ishlabs.io)        |
 
 See \`ish docs get-page reference/json-mode\` for the full display-vs-
 capture-vs-chain decision rule.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ishlabs/cli",
-  "version": "0.12.0",
+  "version": "0.12.2",
   "description": "The command-line interface for ish",
   "type": "module",
   "bin": {