@secapi/cli 0.4.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +201 -5
  2. package/dist/index.js +4404 -369
  3. package/package.json +8 -8
package/README.md CHANGED
@@ -8,29 +8,207 @@ Command-line interface for SEC API factor data, SEC filings, financial statement
8
8
  npm install -g @secapi/cli
9
9
  ```
10
10
 
11
+ ## Local development
12
+
13
+ Run the TypeScript entrypoint directly while iterating. Keep credentials in the
14
+ environment or stdin; never add real keys to command history, fixtures, or docs:
15
+
16
+ ```bash
17
+ bun packages/cli/src/index.ts --help
18
+ bun packages/cli/src/index.ts agent-context --output secapi-cli-context.json
19
+ SECAPI_API_KEY="$SECAPI_API_KEY" bun packages/cli/src/index.ts me --json=false
20
+ printf "%s" "$SECAPI_API_KEY" | bun packages/cli/src/index.ts health --api-key-stdin
21
+ ```
22
+
23
+ Use the focused package checks before committing CLI changes:
24
+
25
+ ```bash
26
+ bun --filter @secapi/cli test
27
+ bun --filter @secapi/cli typecheck
28
+ bun run bench:cli-response-shape
29
+ bun run smoke:cli-release
30
+ bun run scripts/validate/check_cli_doc_snippets.ts
31
+ ```
32
+
33
+ `bun run bench:cli-response-shape` exercises representative local-only help,
34
+ example, config, and agent discovery commands with no credentials and fails if
35
+ their latency or output size drifts past conservative agent-friendly budgets.
36
+
37
+ `bun run smoke:cli-release` builds, packs, installs the tarball in a clean
38
+ temporary project, and verifies the installed `secapi` and `omni-sec` binaries.
39
+ Run `bun run scripts/validate/check_cli_doc_snippets.ts` whenever CLI examples,
40
+ command names, or public Mintlify snippets change; it rewrites
41
+ `ops/docs-health/cli-doc-snippets/latest.json`.
42
+
43
+ ## Connect an agent
44
+
45
+ Wire the hosted MCP server into your agent client in one command:
46
+
47
+ ```bash
48
+ secapi init --client claude-code # prints the `claude mcp add` command
49
+ secapi init --client cursor # writes .cursor/mcp.json
50
+ secapi init --client claude-desktop # writes the Claude Desktop config
51
+ secapi init --client windsurf # writes ~/.codeium/windsurf/mcp_config.json
52
+ secapi init --client project # writes ./.mcp.json
53
+ secapi init --client cursor --print # dry-run: print the config, write nothing
54
+ secapi mcp install --client cursor # alias for agent-client MCP setup
55
+ ```
56
+
57
+ `secapi init` reads your key from `SECAPI_API_KEY` (or `--api-key-stdin`) and never
58
+ accepts it as an argv flag. `secapi agent-context` prints a machine-readable JSON
59
+ description of the whole CLI surface, including the full current command group
60
+ inventory, auth needs, mutating/read-only posture, output shape, required flags,
61
+ and examples, so an agent can learn the tool in one call.
62
+
11
63
  ## Configuration
12
64
 
13
65
  ```bash
14
- export SECAPI_API_KEY="ods_..."
66
+ export SECAPI_API_KEY="secapi_live_..."
15
67
  export SECAPI_BASE_URL="https://api.secapi.ai"
16
68
  ```
17
69
 
18
70
  `SECAPI_BASE_URL` is optional. The CLI defaults to `https://api.secapi.ai`.
71
+ Use `--base-url <url>` when a single command should target a local, staging,
72
+ proxy, or replay origin without changing your shell environment:
73
+
74
+ ```bash
75
+ secapi health --base-url http://127.0.0.1:8787
76
+ ```
77
+
78
+ Use a no-secret profile when you switch between local, staging, and production
79
+ often. Profiles live at `~/.config/secapi/profiles.json` by default and may set
80
+ `baseUrl`, `apiKeyEnv`, and `bearerTokenEnv`. The file stores environment
81
+ variable names, not credential values. Set `SECAPI_CONFIG_FILE` when CI or an
82
+ agent runner should read profiles from a different path:
83
+
84
+ ```json
85
+ {
86
+ "profiles": {
87
+ "local": {
88
+ "baseUrl": "http://127.0.0.1:8787",
89
+ "apiKeyEnv": "SECAPI_LOCAL_API_KEY"
90
+ }
91
+ }
92
+ }
93
+ ```
94
+
95
+ ```bash
96
+ export SECAPI_LOCAL_API_KEY="secapi_live_..."
97
+ SECAPI_PROFILE=local secapi health
98
+ secapi --profile local config show
99
+ secapi config profiles
100
+ ```
19
101
 
20
102
  Two binaries are installed: the preferred `secapi` and the compatibility alias `omni-sec`.
21
103
 
22
104
  ```bash
23
- secapi --version # prints the bare package version, e.g. 0.4.0
24
- secapi --help # lists every command group
105
+ secapi --version # prints the bare package version, e.g. 1.0.1
106
+ secapi --help # short task-oriented help for common workflows
107
+ secapi help all # full command inventory
108
+ secapi examples # local starter workflows for humans and agents
109
+ secapi config show # local config/auth-source summary; no API request
110
+ secapi config profiles # list no-secret profiles; no API request
111
+ secapi doctor # checks base URL, auth source, health, account context, and MCP setup
112
+ secapi filings latest --help # command-specific help; no API request
113
+ secapi completion zsh # shell completions for secapi and omni-sec
114
+ ```
115
+
116
+ Unknown commands fail locally with nearest-command suggestions, so a typo like
117
+ `secapi filings latset` points back to `secapi filings latest` without making an
118
+ API request.
119
+
120
+ Unknown option typos fail locally too, so `secapi filings search --limt 5`
121
+ points back to `--limit` before credentials are read or an API request is sent.
122
+
123
+ Preview high-impact mutating commands before they touch account state by adding
124
+ `--dry-run`. The CLI prints the method, endpoint, and JSON body locally without
125
+ reading credentials or making an API request:
126
+
127
+ ```bash
128
+ secapi api-keys create --label local-dev --scopes read:sec --dry-run
129
+ secapi billing checkout --plan personal --dry-run
130
+ secapi webhooks create --destination-url https://example.com/hooks/sec --event-types artifact.created --dry-run
131
+ secapi streams create --event-types artifact.created --transport poll --dry-run
132
+ ```
133
+
134
+ Supported dry-run previews: `api-keys create`, `billing budget`, `billing
135
+ checkout`, `billing portal`, `webhooks create`, `webhooks rotate-secret`,
136
+ `webhooks replay-delivery`, and `streams create`.
137
+
138
+ Boolean flags accept bare flags plus explicit `true`, `false`, `yes`, `no`,
139
+ `on`, `off`, `1`, and `0` values. Use `--include-v2=false` or `--print=false`
140
+ when generated commands need to force an opt-in flag off without changing the
141
+ command shape.
142
+
143
+ Write structured JSON or generated scripts directly to a file with
144
+ `--output <path>`, for example:
145
+
146
+ ```bash
147
+ secapi agent-context --output secapi-cli-context.json
148
+ ```
149
+
150
+ When you need diagnostics without breaking a stdout pipeline, add
151
+ `--request-summary`. The command response stays on stdout while a compact JSON
152
+ summary of method, path, status, request id, trace context, cost, token count,
153
+ cache status, maturity, and duration is written to stderr.
154
+ On nonzero exits, stderr includes the formatted error before the summary JSON.
155
+
156
+ ```bash
157
+ secapi health --request-summary
158
+ ```
159
+
160
+ Run `secapi doctor` when local setup is suspect. It reports the active base URL,
161
+ credential source names, API health, authenticated account context when
162
+ available, and the hosted MCP URL without printing credential values.
163
+
164
+ Run `secapi config show` when you only need the local CLI configuration. It
165
+ prints the active base URL, source names for configured credentials, and hosted
166
+ MCP URL without reading stdin, calling the API, or printing credential values.
167
+
168
+ Run `secapi config profiles` to list configured profiles, normalized base URLs,
169
+ credential environment variable names, and whether each referenced env var is
170
+ currently set. It is also local-only and never prints credential values.
171
+
172
+ Install shell completions by printing the script for your shell and wiring it
173
+ into that shell's normal completion loader:
174
+
175
+ ```bash
176
+ mkdir -p ~/.zfunc && secapi completion zsh > ~/.zfunc/_secapi
177
+ echo 'fpath=(~/.zfunc $fpath); autoload -Uz compinit; compinit' >> ~/.zshrc
178
+
179
+ secapi completion bash > ~/.secapi-completion.bash
180
+ echo 'source ~/.secapi-completion.bash' >> ~/.bashrc
181
+
182
+ mkdir -p ~/.config/fish/completions
183
+ secapi completion fish > ~/.config/fish/completions/secapi.fish
25
184
  ```
26
185
 
27
186
  ## Five-minute Quickstart
28
187
 
29
- Five copy-paste examples that exercise the core surfaces. Each reads
188
+ Start local, then run five copy-paste API examples that exercise the core
189
+ surfaces:
190
+
191
+ ```bash
192
+ secapi examples
193
+ secapi examples --json=false
194
+ ```
195
+
196
+ The API examples read
30
197
  `SECAPI_API_KEY` from the environment — credentials are never accepted as
31
198
  argv flags (they leak through shell history); pipe them via `--api-key-stdin`
32
199
  if you cannot set an env var.
33
200
 
201
+ Account-oriented commands keep JSON as the default for pipes and agents. In an
202
+ interactive terminal they render compact human summaries; pass `--json=false`
203
+ when you want that same summary explicitly:
204
+
205
+ ```bash
206
+ secapi me --json=false
207
+ secapi billing show --json=false
208
+ secapi usage show --json=false
209
+ secapi limits show --json=false
210
+ ```
211
+
34
212
  ```bash
35
213
  # 1. Confirm auth and see your plan/limits
36
214
  secapi me
@@ -48,6 +226,24 @@ secapi search semantic --q "revenue concentration risk" --ticker AAPL --mode hyb
48
226
  secapi facts get --ticker AAPL --tag Assets --form 10-K
49
227
  ```
50
228
 
229
+ `secapi examples` is local-only. It prints a structured starter catalog by
230
+ default and a concise human version with `--json=false`. Portfolio and model
231
+ workflow examples include reusable `holdings.json`, `benchmark.json`, and
232
+ `model.json` templates so you can avoid fragile inline shell JSON.
233
+
234
+ ## Trace Hydration
235
+
236
+ When filing-derived or source-backed responses include a trace reference, use
237
+ the CLI to hydrate the trace without switching back to curl or an SDK script.
238
+
239
+ ```bash
240
+ # Resolve one trace id
241
+ secapi traces get --trace-id trc_...
242
+
243
+ # Batch resolve up to 50 trace ids
244
+ secapi traces list --ids trc_1,trc_2
245
+ ```
246
+
51
247
  ## Search
52
248
 
53
249
  ```bash
@@ -63,7 +259,7 @@ secapi sections search --ticker AAPL --q risk --form 10-K
63
259
 
64
260
  ## Factor Quickstart
65
261
 
66
- Use `--response-mode compact` when you are feeding an agent, LLM, notebook, or UI card and want the smallest useful payload. Add `--include trust` when you need freshness, methodology, and materialization metadata for citations or launch checks.
262
+ Use `--response-mode compact` when you are feeding an agent, LLM, notebook, or UI card and want the smallest useful payload. Add `--include trust` when you need freshness, methodology, and materialization metadata for citations or launch checks. Compact catalog responses still include readiness/proof summaries for catalog/tool-discovery calls, while the full trust/provenance envelope plus full methodology/materialization/revision/source-rights objects are available when auditors need them. The full trust envelope can be larger than a simple picker payload, so prefer compact mode for interactive discovery and expand only when you need citation-grade provenance.
67
263
 
68
264
  ```bash
69
265
  # Factor catalog for picker UIs and agent tool discovery