@switchboard.spot/cli 0.2.0 → 0.2.1

package/README.md

@@ -60,7 +60,7 @@ switchboard chat test --json
 
 Use `--json` for automation, CI, and coding agents.
 
-CLI account login does not create Client Gateway end-user sessions. End-user sign-up, sign-in, and refresh require a real browser/mobile challenge flow; use `@switchboard/sdk` in the app, or use trusted-server/account APIs for automation.
+CLI account login does not create Client Gateway end-user sessions. End-user sign-up, sign-in, and refresh require a real browser/mobile challenge flow; use `@switchboard.spot/sdk` in the app, or use trusted-server/account APIs for automation.
 
 Project-owned browser challenge keys are managed through the CLI:
 
@@ -82,14 +82,21 @@ Environment variables:
 | `SWITCHBOARD_PROJECT_ID` | Project context for project-scoped commands. |
 | `SWITCHBOARD_API_KEY` | Secret project key for trusted-server gateway smoke tests. |
 | `SWITCHBOARD_CLIENT_URL` | Public Client Gateway URL for browser/mobile end-user auth and chat. |
+| `VITE_SWITCHBOARD_CLIENT_URL` | Vite-safe public Client Gateway URL for browser apps. |
 | `SWITCHBOARD_END_USER_SESSION` | Existing end-user session for Client Gateway checks; the CLI cannot mint one without browser challenge execution. |
 | `SWITCHBOARD_CONFIG_DIR` | Alternate CLI config directory. |
 
 Account sessions are stored in the OS keychain and are not read from
 environment variables.
 
+For isolated agent automation, `switchboard auth login --token-store config-dir`
+stores the account session in `SWITCHBOARD_CONFIG_DIR/account-session.json` with
+0600 permissions. The default remains keychain-only. `switchboard auth logout`
+clears both keychain and config-dir account sessions.
+
 ## Credential safety
 
 Do not paste `sb_sess_`, `sb_test_`, `sb_live_`, provider keys, private keys, or
 webhook secrets into frontend, mobile, or public code. Browser and mobile code
-should use `SWITCHBOARD_CLIENT_URL` plus end-user sessions.
+should use `VITE_SWITCHBOARD_CLIENT_URL` in Vite apps or `SWITCHBOARD_CLIENT_URL`
+in non-Vite tooling, plus end-user sessions.

package/lib/commands/auth.js

@@ -4,7 +4,12 @@
 
 import { accountPublicRequest, accountRequest } from "../client.js";
 import { accountApiUrl, resolveAccountConfig, resolveConfig, saveConfig } from "../config.js";
-import { deleteAccountToken, setAccountToken } from "../credentialStore.js";
+import {
+  deleteAccountToken,
+  deleteConfigDirAccountToken,
+  setAccountToken,
+  setConfigDirAccountToken,
+} from "../credentialStore.js";
 import { emit, fail, globalFlags } from "../output.js";
 import crypto from "node:crypto";
 import http from "node:http";
@@ -33,10 +38,15 @@ export function registerCommand(program) {
 
   auth
     .command("login")
-    .description("Sign in through the browser and save session in the OS keychain")
+    .description("Sign in through the browser and save an account session")
     .option("--email <email>")
     .option("--password <password>")
     .option("--timeout-seconds <seconds>", "Seconds to wait for browser login", "120")
+    .option(
+      "--token-store <store>",
+      "Where to save the session: keychain, config-dir, or both",
+      "keychain",
+    )
     .action(async (opts, cmd) => {
       const flags = globalFlags(cmd);
 
@@ -49,9 +59,18 @@ export function registerCommand(program) {
         fail("timeout-seconds must be a positive integer", 1, flags.json);
       }
 
-      const data = await browserLogin(flags, timeoutSeconds);
+      const tokenStore = normalizeTokenStore(opts.tokenStore, flags.json);
+      const data = await browserLogin(flags, timeoutSeconds, tokenStore);
+      const sessionLocation =
+        tokenStore === "keychain"
+          ? "the OS keychain"
+          : tokenStore === "config-dir"
+            ? "the Switchboard config directory"
+            : "the OS keychain and Switchboard config directory";
       emit(
-        flags.json ? data : `Logged in as ${data.user.email}. Session saved in the OS keychain.`,
+        flags.json
+          ? data
+          : `Logged in as ${data.user.email}. Session saved in ${sessionLocation}.`,
         flags,
       );
     });
@@ -61,8 +80,9 @@ export function registerCommand(program) {
     .description("Revoke current session and clear saved token")
     .action(async (_opts, cmd) => {
       const flags = globalFlags(cmd);
-      await revokeKeychainSession();
-      await deleteAccountToken();
+      await revokeSavedSession();
+      await deleteKeychainTokenIfAvailable();
+      deleteConfigDirAccountToken();
       saveConfig({
         projectId: null,
         apiKey: null,
@@ -91,8 +111,30 @@ export function registerCommand(program) {
     });
 }
 
-async function revokeKeychainSession() {
-  const config = await resolveAccountConfig();
+async function deleteKeychainTokenIfAvailable() {
+  try {
+    await deleteAccountToken();
+  } catch {
+    /* Local logout should still clear config-dir credentials without a keychain backend. */
+  }
+}
+
+function normalizeTokenStore(tokenStore, json) {
+  if (tokenStore === "keychain" || tokenStore === "config-dir" || tokenStore === "both") {
+    return tokenStore;
+  }
+
+  fail("--token-store must be keychain, config-dir, or both", 1, json);
+}
+
+async function revokeSavedSession() {
+  let config;
+
+  try {
+    config = await resolveAccountConfig();
+  } catch {
+    return;
+  }
 
   if (!config.accountToken) {
     return;
@@ -114,7 +156,7 @@ async function revokeKeychainSession() {
 /**
  * Starts the loopback callback server, opens the browser handoff URL, and saves the exchanged session.
  */
-async function browserLogin(flags, timeoutSeconds) {
+async function browserLogin(flags, timeoutSeconds, tokenStore) {
   const state = randomState();
   const server = await startCallbackServer();
   const callbackUrl = `http://127.0.0.1:${server.port}/callback`;
@@ -133,6 +175,7 @@ async function browserLogin(flags, timeoutSeconds) {
       code: callback.code,
       state: callback.state,
       expectedState: state,
+      tokenStore,
       json: flags.json,
     });
 
@@ -149,10 +192,11 @@ export async function exchangeCliLogin({
   code,
   state,
   expectedState,
+  tokenStore = "keychain",
   json,
   request = accountPublicRequest,
   save = saveConfig,
-  credentials = { setAccountToken },
+  credentials = { setAccountToken, setConfigDirAccountToken },
 }) {
   if (!code) {
     fail("Browser login did not return a code. Run `switchboard auth login` again.", 2, json);
@@ -167,7 +211,7 @@ export async function exchangeCliLogin({
     json,
   });
 
-  await credentials.setAccountToken(data.token);
+  await storeAccountToken(data.token, tokenStore, credentials);
 
   save({
     projectId: null,
@@ -178,6 +222,26 @@ export async function exchangeCliLogin({
   return sanitizeSession(data);
 }
 
+async function storeAccountToken(token, tokenStore, credentials) {
+  if (tokenStore === "keychain") {
+    await credentials.setAccountToken(token);
+    return;
+  }
+
+  if (tokenStore === "config-dir") {
+    await credentials.setConfigDirAccountToken(token);
+    return;
+  }
+
+  if (tokenStore === "both") {
+    await credentials.setAccountToken(token);
+    await credentials.setConfigDirAccountToken(token);
+    return;
+  }
+
+  throw new Error("Unsupported Switchboard account token store");
+}
+
 function sanitizeSession(data) {
   const rest = { ...data };
   delete rest.token;

package/lib/commands/env.js

@@ -88,7 +88,9 @@ export async function configureEnvironment(
   const envUpdates = {};
 
   if (mode === "client" || mode === "both") {
-    envUpdates.SWITCHBOARD_CLIENT_URL = kit.client_url || kit.virtual_microservice_url;
+    const clientUrl = kit.client_url || kit.virtual_microservice_url;
+    envUpdates.SWITCHBOARD_CLIENT_URL = clientUrl;
+    envUpdates.VITE_SWITCHBOARD_CLIENT_URL = clientUrl;
   }
 
   if (mode === "server" || mode === "both") {

package/lib/commands/init.js

@@ -14,6 +14,7 @@ import { emit } from "../output.js";
  */
 function envBlock(clientUrl) {
   return `SWITCHBOARD_CLIENT_URL=${clientUrl}
+VITE_SWITCHBOARD_CLIENT_URL=${clientUrl}
 `;
 }
 
@@ -32,15 +33,15 @@ export function agentManifest(config) {
     env: envBlock(clientUrl),
     checklist: [
       "switchboard setup --target client --json",
-      "export SWITCHBOARD_CLIENT_URL=<client_url from integrations show>",
+      "export VITE_SWITCHBOARD_CLIENT_URL=<client_url from integrations show>",
       "Use mountSwitchboardWidget({ clientUrl, target }) in browser apps",
       "Use createSwitchboardClient({ clientUrl, storage }) only for custom UI",
       "switchboard billing top-up --amount-micros <micros>",
     ],
-    browser_smoke_test: `import { mountSwitchboardWidget } from "@switchboard/sdk";
+    browser_smoke_test: `import { mountSwitchboardWidget } from "@switchboard.spot/sdk";
 
 mountSwitchboardWidget({
-  clientUrl: process.env.SWITCHBOARD_CLIENT_URL ?? "${clientUrl}",
+  clientUrl: import.meta.env.VITE_SWITCHBOARD_CLIENT_URL ?? "${clientUrl}",
   target: "#switchboard",
 });`,
     automation_note:

package/lib/commands/setup.js

@@ -53,13 +53,16 @@ function normalizeSetupTarget(target, json) {
 }
 
 function smokeCheck(result) {
+  const clientEnvConfigured =
+    result.changed.includes("VITE_SWITCHBOARD_CLIENT_URL") ||
+    result.skipped.includes("VITE_SWITCHBOARD_CLIENT_URL") ||
+    result.changed.includes("SWITCHBOARD_CLIENT_URL") ||
+    result.skipped.includes("SWITCHBOARD_CLIENT_URL");
+
   return {
     ok: true,
     checks: [
-      result.changed.includes("SWITCHBOARD_CLIENT_URL") ||
-        result.skipped.includes("SWITCHBOARD_CLIENT_URL")
-        ? "client_env"
-        : null,
+      clientEnvConfigured ? "client_env" : null,
       result.changed.includes("SWITCHBOARD_BASE_URL") ||
         result.skipped.includes("SWITCHBOARD_BASE_URL")
         ? "server_env"

package/lib/config.js

@@ -6,7 +6,7 @@
 import fs from "fs";
 import os from "os";
 import path from "path";
-import { getAccountToken } from "./credentialStore.js";
+import { getAccountToken, getConfigDirAccountToken } from "./credentialStore.js";
 
 const CONFIG_DIR =
   process.env.SWITCHBOARD_CONFIG_DIR || path.join(os.homedir(), ".switchboard");
@@ -106,15 +106,43 @@ export async function resolveAccountConfig(config) {
   }
 
   const base = config || resolveConfig();
-  const token = await getAccountToken();
+  const keychain = await readKeychainAccountToken();
+  if (keychain.token) {
+    return {
+      ...base,
+      accountToken: keychain.token,
+      accountTokenSource: "keychain",
+    };
+  }
+
+  const configDirToken = getConfigDirAccountToken();
+  if (configDirToken) {
+    return {
+      ...base,
+      accountToken: configDirToken,
+      accountTokenSource: "config-dir",
+    };
+  }
+
+  if (keychain.error) {
+    throw keychain.error;
+  }
 
   return {
     ...base,
-    accountToken: token,
-    accountTokenSource: token ? "keychain" : null,
+    accountToken: null,
+    accountTokenSource: null,
   };
 }
 
+async function readKeychainAccountToken() {
+  try {
+    return { token: await getAccountToken(), error: null };
+  } catch (error) {
+    return { token: null, error };
+  }
+}
+
 /**
  * Account API base URL (host + /v1/account).
  */

package/lib/credentialStore.js

@@ -9,12 +9,16 @@
 
 import { execFile } from "node:child_process";
 import { spawn } from "node:child_process";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
 import { promisify } from "node:util";
 
 const execFileAsync = promisify(execFile);
 const SERVICE = "Switchboard CLI";
 const ACCOUNT = "account-session";
 const PROJECT_SECRET_PREFIX = "project-secret";
+const ACCOUNT_SESSION_FILE = "account-session.json";
 
 /**
  * Reads the current account session token from the OS keychain.
@@ -54,6 +58,30 @@ export async function getAccountToken() {
   }
 }
 
+/**
+ * Reads the current account session token from the isolated CLI config dir.
+ */
+export function getConfigDirAccountToken(configDir = switchboardConfigDir()) {
+  const file = accountSessionFile(configDir);
+
+  if (!fs.existsSync(file)) {
+    return null;
+  }
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(file, "utf8"));
+  } catch (error) {
+    throw new Error(`Could not read Switchboard config-dir account session: ${error.message}`);
+  }
+
+  if (!data || typeof data.token !== "string" || data.token.trim() === "") {
+    throw new Error("Switchboard config-dir account session is invalid");
+  }
+
+  return data.token;
+}
+
 /**
  * Writes the current account session token to the OS keychain.
  */
@@ -92,6 +120,23 @@ export async function setAccountToken(token) {
   }
 }
 
+/**
+ * Writes the current account session token to the isolated CLI config dir.
+ */
+export function setConfigDirAccountToken(token, configDir = switchboardConfigDir()) {
+  if (!token) {
+    throw new Error("Cannot store an empty Switchboard account token");
+  }
+
+  fs.mkdirSync(configDir, { recursive: true });
+  fs.writeFileSync(
+    accountSessionFile(configDir),
+    `${JSON.stringify({ token }, null, 2)}\n`,
+    { mode: 0o600 },
+  );
+  chmodAccountSessionFile(configDir);
+}
+
 /**
  * Deletes the current account session token from the OS keychain.
  */
@@ -129,6 +174,29 @@ export async function deleteAccountToken() {
   }
 }
 
+/**
+ * Deletes the current account session token from the isolated CLI config dir.
+ */
+export function deleteConfigDirAccountToken(configDir = switchboardConfigDir()) {
+  fs.rmSync(accountSessionFile(configDir), { force: true });
+}
+
+export function accountSessionFile(configDir = switchboardConfigDir()) {
+  return path.join(configDir, ACCOUNT_SESSION_FILE);
+}
+
+function switchboardConfigDir() {
+  return process.env.SWITCHBOARD_CONFIG_DIR || path.join(os.homedir(), ".switchboard");
+}
+
+function chmodAccountSessionFile(configDir) {
+  try {
+    fs.chmodSync(accountSessionFile(configDir), 0o600);
+  } catch {
+    /* best effort on platforms that do not support chmod */
+  }
+}
+
 /**
  * Reads a stored project secret key from the OS keychain.
  */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@switchboard.spot/cli",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Switchboard CLI — full dashboard parity for agents and testing",
   "type": "module",
   "bin": {