@secapi/cli 0.5.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +189 -6
  2. package/dist/index.js +4360 -394
  3. package/package.json +8 -8
package/README.md CHANGED
@@ -8,6 +8,42 @@ Command-line interface for SEC API factor data, SEC filings, financial statement
8
8
  npm install -g @secapi/cli
9
9
  ```
10
10
 
11
+ ## Local development
12
+
13
+ Run the TypeScript entrypoint directly while iterating. Keep credentials in the
14
+ environment or stdin; never add real keys to command history, fixtures, or docs:
15
+
16
+ ```bash
17
+ bun packages/cli/src/index.ts --help
18
+ bun packages/cli/src/index.ts agent-context --output secapi-cli-context.json
19
+ SECAPI_API_KEY="$SECAPI_API_KEY" bun packages/cli/src/index.ts me --json=false
20
+ printf "%s" "$SECAPI_API_KEY" | bun packages/cli/src/index.ts health --api-key-stdin
21
+ ```
22
+
23
+ Use the focused package checks before committing CLI changes:
24
+
25
+ ```bash
26
+ bun --filter @secapi/cli test
27
+ bun --filter @secapi/cli typecheck
28
+ bun run bench:cli-response-shape
29
+ bun run smoke:cli-release
30
+ bun run scripts/validate/check_cli_doc_snippets.ts
31
+ ```
32
+
33
+ `bun run bench:cli-response-shape` exercises representative local-only help,
34
+ example, config, and agent discovery commands with no credentials and fails if
35
+ their latency or output size drifts past conservative agent-friendly budgets.
36
+
37
+ `bun run smoke:cli-release` builds, packs, installs the tarball in a clean
38
+ temporary project, and verifies the installed `secapi` and `omni-sec` binaries.
39
+ Run `bun run scripts/validate/check_cli_doc_snippets.ts` whenever CLI examples,
40
+ command names, or public Mintlify snippets change; it rewrites
41
+ `ops/docs-health/cli-doc-snippets/latest.json`.
42
+
43
+ Release order: publish `@secapi/sdk-js@1.0.2` before `@secapi/cli@1.0.2`.
44
+ The CLI package depends on `@secapi/sdk-js@^1.0.2`; validating the CLI against a
45
+ local sibling SDK is not enough until the SDK version is available on npm.
46
+
11
47
  ## Connect an agent
12
48
 
13
49
  Wire the hosted MCP server into your agent client in one command:
@@ -19,35 +55,164 @@ secapi init --client claude-desktop # writes the Claude Desktop config
19
55
  secapi init --client windsurf # writes ~/.codeium/windsurf/mcp_config.json
20
56
  secapi init --client project # writes ./.mcp.json
21
57
  secapi init --client cursor --print # dry-run: print the config, write nothing
58
+ secapi mcp install --client cursor # alias for agent-client MCP setup
22
59
  ```
23
60
 
24
61
  `secapi init` reads your key from `SECAPI_API_KEY` (or `--api-key-stdin`) and never
25
62
  accepts it as an argv flag. `secapi agent-context` prints a machine-readable JSON
26
- description of the whole CLI surface so an agent can learn the tool in one call.
63
+ description of the whole CLI surface, including the full current command group
64
+ inventory, auth needs, mutating/read-only posture, output shape, required flags,
65
+ and examples, so an agent can learn the tool in one call.
27
66
 
28
67
  ## Configuration
29
68
 
30
69
  ```bash
31
- export SECAPI_API_KEY="ods_..."
70
+ export SECAPI_API_KEY="secapi_live_..."
32
71
  export SECAPI_BASE_URL="https://api.secapi.ai"
33
72
  ```
34
73
 
35
74
  `SECAPI_BASE_URL` is optional. The CLI defaults to `https://api.secapi.ai`.
75
+ Use `--base-url <url>` when a single command should target a local, staging,
76
+ proxy, or replay origin without changing your shell environment:
77
+
78
+ ```bash
79
+ secapi health --base-url http://127.0.0.1:8787
80
+ ```
81
+
82
+ Use a no-secret profile when you switch between local, staging, and production
83
+ often. Profiles live at `~/.config/secapi/profiles.json` by default and may set
84
+ `baseUrl`, `apiKeyEnv`, and `bearerTokenEnv`. The file stores environment
85
+ variable names, not credential values. Set `SECAPI_CONFIG_FILE` when CI or an
86
+ agent runner should read profiles from a different path:
87
+
88
+ ```json
89
+ {
90
+ "profiles": {
91
+ "local": {
92
+ "baseUrl": "http://127.0.0.1:8787",
93
+ "apiKeyEnv": "SECAPI_LOCAL_API_KEY"
94
+ }
95
+ }
96
+ }
97
+ ```
98
+
99
+ ```bash
100
+ export SECAPI_LOCAL_API_KEY="secapi_live_..."
101
+ SECAPI_PROFILE=local secapi health
102
+ secapi --profile local config show
103
+ secapi config profiles
104
+ ```
36
105
 
37
106
  Two binaries are installed: the preferred `secapi` and the compatibility alias `omni-sec`.
38
107
 
39
108
  ```bash
40
- secapi --version # prints the bare package version, e.g. 0.4.0
41
- secapi --help # lists every command group
109
+ secapi --version # prints the bare package version, e.g. 1.0.2
110
+ secapi --help # short task-oriented help for common workflows
111
+ secapi help all # full command inventory
112
+ secapi examples # local starter workflows for humans and agents
113
+ secapi config show # local config/auth-source summary; no API request
114
+ secapi config profiles # list no-secret profiles; no API request
115
+ secapi doctor # checks base URL, auth source, health, account context, and MCP setup
116
+ secapi filings latest --help # command-specific help; no API request
117
+ secapi completion zsh # shell completions for secapi and omni-sec
118
+ ```
119
+
120
+ Unknown commands fail locally with nearest-command suggestions, so a typo like
121
+ `secapi filings latset` points back to `secapi filings latest` without making an
122
+ API request.
123
+
124
+ Unknown option typos fail locally too, so `secapi filings search --limt 5`
125
+ points back to `--limit` before credentials are read or an API request is sent.
126
+
127
+ Preview high-impact mutating commands before they touch account state by adding
128
+ `--dry-run`. The CLI prints the method, endpoint, and JSON body locally without
129
+ reading credentials or making an API request:
130
+
131
+ ```bash
132
+ secapi api-keys create --label local-dev --scopes read:sec --dry-run
133
+ secapi billing checkout --plan personal --dry-run
134
+ secapi webhooks create --destination-url https://example.com/hooks/sec --event-types artifact.created --dry-run
135
+ secapi streams create --event-types artifact.created --transport poll --dry-run
136
+ ```
137
+
138
+ Supported dry-run previews: `api-keys create`, `billing budget`, `billing
139
+ checkout`, `billing portal`, `webhooks create`, `webhooks rotate-secret`,
140
+ `webhooks replay-delivery`, and `streams create`.
141
+
142
+ Boolean flags accept bare flags plus explicit `true`, `false`, `yes`, `no`,
143
+ `on`, `off`, `1`, and `0` values. Use `--include-v2=false` or `--print=false`
144
+ when generated commands need to force an opt-in flag off without changing the
145
+ command shape.
146
+
147
+ Write structured JSON or generated scripts directly to a file with
148
+ `--output <path>`, for example:
149
+
150
+ ```bash
151
+ secapi agent-context --output secapi-cli-context.json
152
+ ```
153
+
154
+ When you need diagnostics without breaking a stdout pipeline, add
155
+ `--request-summary`. The command response stays on stdout while a compact JSON
156
+ summary of method, path, status, request id, trace context, cost, token count,
157
+ cache status, maturity, and duration is written to stderr.
158
+ On nonzero exits, stderr includes the formatted error before the summary JSON.
159
+
160
+ ```bash
161
+ secapi health --request-summary
162
+ ```
163
+
164
+ Run `secapi doctor` when local setup is suspect. It reports the active base URL,
165
+ credential source names, API health, authenticated account context when
166
+ available, and the hosted MCP URL without printing credential values.
167
+
168
+ Run `secapi config show` when you only need the local CLI configuration. It
169
+ prints the active base URL, source names for configured credentials, and hosted
170
+ MCP URL without reading stdin, calling the API, or printing credential values.
171
+
172
+ Run `secapi config profiles` to list configured profiles, normalized base URLs,
173
+ credential environment variable names, and whether each referenced env var is
174
+ currently set. It is also local-only and never prints credential values.
175
+
176
+ Install shell completions by printing the script for your shell and wiring it
177
+ into that shell's normal completion loader:
178
+
179
+ ```bash
180
+ mkdir -p ~/.zfunc && secapi completion zsh > ~/.zfunc/_secapi
181
+ echo 'fpath=(~/.zfunc $fpath); autoload -Uz compinit; compinit' >> ~/.zshrc
182
+
183
+ secapi completion bash > ~/.secapi-completion.bash
184
+ echo 'source ~/.secapi-completion.bash' >> ~/.bashrc
185
+
186
+ mkdir -p ~/.config/fish/completions
187
+ secapi completion fish > ~/.config/fish/completions/secapi.fish
42
188
  ```
43
189
 
44
190
  ## Five-minute Quickstart
45
191
 
46
- Five copy-paste examples that exercise the core surfaces. Each reads
192
+ Start local, then run five copy-paste API examples that exercise the core
193
+ surfaces:
194
+
195
+ ```bash
196
+ secapi examples
197
+ secapi examples --json=false
198
+ ```
199
+
200
+ The API examples read
47
201
  `SECAPI_API_KEY` from the environment — credentials are never accepted as
48
202
  argv flags (they leak through shell history); pipe them via `--api-key-stdin`
49
203
  if you cannot set an env var.
50
204
 
205
+ Account-oriented commands keep JSON as the default for pipes and agents. In an
206
+ interactive terminal they render compact human summaries; pass `--json=false`
207
+ when you want that same summary explicitly:
208
+
209
+ ```bash
210
+ secapi me --json=false
211
+ secapi billing show --json=false
212
+ secapi usage show --json=false
213
+ secapi limits show --json=false
214
+ ```
215
+
51
216
  ```bash
52
217
  # 1. Confirm auth and see your plan/limits
53
218
  secapi me
@@ -65,6 +230,24 @@ secapi search semantic --q "revenue concentration risk" --ticker AAPL --mode hyb
65
230
  secapi facts get --ticker AAPL --tag Assets --form 10-K
66
231
  ```
67
232
 
233
+ `secapi examples` is local-only. It prints a structured starter catalog by
234
+ default and a concise human version with `--json=false`. Portfolio and model
235
+ workflow examples include reusable `holdings.json`, `benchmark.json`, and
236
+ `model.json` templates so you can avoid fragile inline shell JSON.
237
+
238
+ ## Trace Hydration
239
+
240
+ When filing-derived or source-backed responses include a trace reference, use
241
+ the CLI to hydrate the trace without switching back to curl or an SDK script.
242
+
243
+ ```bash
244
+ # Resolve one trace id
245
+ secapi traces get --trace-id trc_...
246
+
247
+ # Batch resolve up to 50 trace ids
248
+ secapi traces list --ids trc_1,trc_2
249
+ ```
250
+
68
251
  ## Search
69
252
 
70
253
  ```bash
@@ -80,7 +263,7 @@ secapi sections search --ticker AAPL --q risk --form 10-K
80
263
 
81
264
  ## Factor Quickstart
82
265
 
83
- Use `--response-mode compact` when you are feeding an agent, LLM, notebook, or UI card and want the smallest useful payload. Add `--include trust` when you need freshness, methodology, and materialization metadata for citations or launch checks.
266
+ Use `--response-mode compact` when you are feeding an agent, LLM, notebook, or UI card and want the smallest useful payload. Add `--include trust` when you need freshness, methodology, and materialization metadata for citations or launch checks. Compact catalog responses still include readiness/proof summaries for catalog/tool-discovery calls, while the full trust/provenance envelope plus full methodology/materialization/revision/source-rights objects are available when auditors need them. The full trust envelope can be larger than a simple picker payload, so prefer compact mode for interactive discovery and expand only when you need citation-grade provenance.
84
267
 
85
268
  ```bash
86
269
  # Factor catalog for picker UIs and agent tool discovery