@switchboard.spot/cli 0.2.0 → 0.2.2

package/README.md

@@ -7,13 +7,13 @@ tests.
 ## Install
 
 ```bash
-npm install -g @switchboard.spot/cli
+npm install -g @switchboard.spot/cli@latest
 ```
 
 You can also run commands without a global install:
 
 ```bash
-npx @switchboard.spot/cli auth login
+npx @switchboard.spot/cli@latest auth login
 ```
 
 ## Build for local testing
@@ -54,21 +54,34 @@ If a first publish fails, `npm view @switchboard.spot/cli` will continue to retu
 
 ```bash
 switchboard auth login
+switchboard projects create --name "My App" --slug my-app
 switchboard setup --target client --json
-switchboard chat test --json
+switchboard projects update <project-id> --allowed-origins http://localhost:5173 --virtual-microservice-enabled true
+switchboard projects provision-turnstile <project-id>
+switchboard verify setup
+switchboard launch prepare --production-origin https://app.example.com --end-user-terms-url https://app.example.com/terms --end-user-privacy-url https://app.example.com/privacy --support-email support@example.com --contact-email owner@example.com --use-case "Browser chat for signed-in customers"
+switchboard verify publish
 ```
 
 Use `--json` for automation, CI, and coding agents.
 
-CLI account login does not create Client Gateway end-user sessions. End-user sign-up, sign-in, and refresh require a real browser/mobile challenge flow; use `@switchboard/sdk` in the app, or use trusted-server/account APIs for automation.
+`setup --target client` writes public Client Gateway environment values such as `VITE_SWITCHBOARD_CLIENT_URL`; it does not prove chat or session readiness. Before SDK browser testing, configure the exact local or preview origin and provision Switchboard-managed Turnstile.
 
-Project-owned browser challenge keys are managed through the CLI:
+CLI account login does not create Client Gateway end-user sessions. End-user sign-up, sign-in, and refresh require the SDK-managed browser challenge; curl, Node scripts, CI, and CLI account login cannot mint browser sessions without running that real browser/mobile flow.
+
+For local Switchboard development, `switchboard verify setup --client-url http://localhost:4000/m/<slug>/v1` uses the built-in `dev_browser_challenge` token unless a scenario supplies an explicit `browserChallengeToken`. Hosted Switchboard should use managed Turnstile and the SDK-managed real browser challenge. A local sandbox smoke path is: configure allowed origin plus legal/support fields, create an anonymous session through the SDK or browser verification flow, then call Client Gateway chat.
+
+Model discovery is global. Use `GET /v1/models` for OpenAI-compatible discovery or `GET /v1/catalog/models` for catalog/pricing metadata; Client Gateway chat is project-scoped at `/m/<slug>/v1/chat/completions`.
+
+Switchboard-managed Turnstile is the default production path. Developers do not paste Cloudflare secrets into the CLI or repo files:
 
 ```bash
-switchboard projects turnstile <project-id> --site-key <site-key> --secret-key <secret-key>
+switchboard projects provision-turnstile <project-id>
 switchboard projects turnstile <project-id> --clear
 ```
 
+If `switchboard projects provision-turnstile --help` is missing, upgrade with `npm install -g @switchboard.spot/cli@latest` before trying dashboard automation or manual Cloudflare keys.
+
 ## Configuration
 
 The CLI stores non-secret settings in `~/.switchboard/config.json` by default.
@@ -82,14 +95,21 @@ Environment variables:
 | `SWITCHBOARD_PROJECT_ID` | Project context for project-scoped commands. |
 | `SWITCHBOARD_API_KEY` | Secret project key for trusted-server gateway smoke tests. |
 | `SWITCHBOARD_CLIENT_URL` | Public Client Gateway URL for browser/mobile end-user auth and chat. |
+| `VITE_SWITCHBOARD_CLIENT_URL` | Vite-safe public Client Gateway URL for browser apps. |
 | `SWITCHBOARD_END_USER_SESSION` | Existing end-user session for Client Gateway checks; the CLI cannot mint one without browser challenge execution. |
 | `SWITCHBOARD_CONFIG_DIR` | Alternate CLI config directory. |
 
 Account sessions are stored in the OS keychain and are not read from
 environment variables.
 
+For isolated agent automation, `switchboard auth login --token-store config-dir`
+stores the account session in `SWITCHBOARD_CONFIG_DIR/account-session.json` with
+0600 permissions. The default remains keychain-only. `switchboard auth logout`
+clears both keychain and config-dir account sessions.
+
 ## Credential safety
 
 Do not paste `sb_sess_`, `sb_test_`, `sb_live_`, provider keys, private keys, or
 webhook secrets into frontend, mobile, or public code. Browser and mobile code
-should use `SWITCHBOARD_CLIENT_URL` plus end-user sessions.
+should use `VITE_SWITCHBOARD_CLIENT_URL` in Vite apps or `SWITCHBOARD_CLIENT_URL`
+in non-Vite tooling, plus end-user sessions.

package/bin/switchboard.js

@@ -18,11 +18,13 @@ import { registerBillingCommands } from "../lib/commands/billing.js";
 import { registerEnvCommands } from "../lib/commands/env.js";
 import { registerUsageCommands } from "../lib/commands/usage.js";
 import { registerIntegrationCommands } from "../lib/commands/integration.js";
+import { registerDocsCommands } from "../lib/commands/docs.js";
 import { registerInitCommand } from "../lib/commands/init.js";
 import { registerSetupCommand } from "../lib/commands/setup.js";
 import { registerHealthCommand } from "../lib/commands/health.js";
 import { registerDoctorCommand } from "../lib/commands/doctor.js";
 import { registerVerifyCommands } from "../lib/commands/verify.js";
+import { registerLaunchCommands } from "../lib/commands/launch.js";
 
 const program = new Command();
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -42,6 +44,7 @@ registerSetupCommand(program);
 registerHealthCommand(program);
 registerDoctorCommand(program);
 registerVerifyCommands(program);
+registerLaunchCommands(program);
 registerAuth(program);
 registerAccountCommands(program);
 registerWorkspacesCommands(program);
@@ -53,8 +56,9 @@ registerBillingCommands(program);
 registerEnvCommands(program);
 registerUsageCommands(program);
 registerIntegrationCommands(program);
+registerDocsCommands(program);
 
-program.parse();
+await program.parseAsync();
 
 if (!process.argv.slice(2).length) {
   program.outputHelp();

package/lib/commands/auth.js

@@ -4,7 +4,12 @@
 
 import { accountPublicRequest, accountRequest } from "../client.js";
 import { accountApiUrl, resolveAccountConfig, resolveConfig, saveConfig } from "../config.js";
-import { deleteAccountToken, setAccountToken } from "../credentialStore.js";
+import {
+  deleteAccountToken,
+  deleteConfigDirAccountToken,
+  setAccountToken,
+  setConfigDirAccountToken,
+} from "../credentialStore.js";
 import { emit, fail, globalFlags } from "../output.js";
 import crypto from "node:crypto";
 import http from "node:http";
@@ -33,10 +38,15 @@ export function registerCommand(program) {
 
   auth
     .command("login")
-    .description("Sign in through the browser and save session in the OS keychain")
+    .description("Sign in through the browser and save an account session")
     .option("--email <email>")
     .option("--password <password>")
     .option("--timeout-seconds <seconds>", "Seconds to wait for browser login", "120")
+    .option(
+      "--token-store <store>",
+      "Where to save the session: keychain, config-dir, or both",
+      "keychain",
+    )
     .action(async (opts, cmd) => {
       const flags = globalFlags(cmd);
 
@@ -49,9 +59,18 @@ export function registerCommand(program) {
         fail("timeout-seconds must be a positive integer", 1, flags.json);
       }
 
-      const data = await browserLogin(flags, timeoutSeconds);
+      const tokenStore = normalizeTokenStore(opts.tokenStore, flags.json);
+      const data = await browserLogin(flags, timeoutSeconds, tokenStore);
+      const sessionLocation =
+        tokenStore === "keychain"
+          ? "the OS keychain"
+          : tokenStore === "config-dir"
+            ? "the Switchboard config directory"
+            : "the OS keychain and Switchboard config directory";
       emit(
-        flags.json ? data : `Logged in as ${data.user.email}. Session saved in the OS keychain.`,
+        flags.json
+          ? data
+          : `Logged in as ${data.user.email}. Session saved in ${sessionLocation}.`,
         flags,
       );
     });
@@ -61,8 +80,9 @@ export function registerCommand(program) {
     .description("Revoke current session and clear saved token")
     .action(async (_opts, cmd) => {
       const flags = globalFlags(cmd);
-      await revokeKeychainSession();
-      await deleteAccountToken();
+      await revokeSavedSession();
+      await deleteKeychainTokenIfAvailable();
+      deleteConfigDirAccountToken();
       saveConfig({
         projectId: null,
         apiKey: null,
@@ -91,8 +111,30 @@ export function registerCommand(program) {
     });
 }
 
-async function revokeKeychainSession() {
-  const config = await resolveAccountConfig();
+async function deleteKeychainTokenIfAvailable() {
+  try {
+    await deleteAccountToken();
+  } catch {
+    /* Local logout should still clear config-dir credentials without a keychain backend. */
+  }
+}
+
+function normalizeTokenStore(tokenStore, json) {
+  if (tokenStore === "keychain" || tokenStore === "config-dir" || tokenStore === "both") {
+    return tokenStore;
+  }
+
+  fail("--token-store must be keychain, config-dir, or both", 1, json);
+}
+
+async function revokeSavedSession() {
+  let config;
+
+  try {
+    config = await resolveAccountConfig();
+  } catch {
+    return;
+  }
 
   if (!config.accountToken) {
     return;
@@ -114,7 +156,7 @@ async function revokeKeychainSession() {
 /**
  * Starts the loopback callback server, opens the browser handoff URL, and saves the exchanged session.
  */
-async function browserLogin(flags, timeoutSeconds) {
+async function browserLogin(flags, timeoutSeconds, tokenStore) {
   const state = randomState();
   const server = await startCallbackServer();
   const callbackUrl = `http://127.0.0.1:${server.port}/callback`;
@@ -133,6 +175,7 @@ async function browserLogin(flags, timeoutSeconds) {
       code: callback.code,
       state: callback.state,
       expectedState: state,
+      tokenStore,
       json: flags.json,
     });
 
@@ -149,10 +192,11 @@ export async function exchangeCliLogin({
   code,
   state,
   expectedState,
+  tokenStore = "keychain",
   json,
   request = accountPublicRequest,
   save = saveConfig,
-  credentials = { setAccountToken },
+  credentials = { setAccountToken, setConfigDirAccountToken },
 }) {
   if (!code) {
     fail("Browser login did not return a code. Run `switchboard auth login` again.", 2, json);
@@ -167,7 +211,7 @@ export async function exchangeCliLogin({
     json,
   });
 
-  await credentials.setAccountToken(data.token);
+  await storeAccountToken(data.token, tokenStore, credentials);
 
   save({
     projectId: null,
@@ -178,6 +222,26 @@ export async function exchangeCliLogin({
   return sanitizeSession(data);
 }
 
+async function storeAccountToken(token, tokenStore, credentials) {
+  if (tokenStore === "keychain") {
+    await credentials.setAccountToken(token);
+    return;
+  }
+
+  if (tokenStore === "config-dir") {
+    await credentials.setConfigDirAccountToken(token);
+    return;
+  }
+
+  if (tokenStore === "both") {
+    await credentials.setAccountToken(token);
+    await credentials.setConfigDirAccountToken(token);
+    return;
+  }
+
+  throw new Error("Unsupported Switchboard account token store");
+}
+
 function sanitizeSession(data) {
   const rest = { ...data };
   delete rest.token;
@@ -253,9 +317,11 @@ function waitForCallback(callbackServer, timeoutSeconds, json) {
   });
 }
 
-function callbackPage(title, message, tone) {
-  const accent = tone === "success" ? "#28d17c" : "#ff6b6b";
-  const mark = tone === "success" ? "✓" : "!";
+export function callbackPage(title, message, tone) {
+  const success = tone === "success";
+  const accent = success ? "#14b8a6" : "#ef4444";
+  const accentSoft = success ? "#ccfbf1" : "#fee2e2";
+  const mark = success ? "✓" : "!";
 
   return `<!doctype html>
 <html lang="en">
@@ -265,74 +331,181 @@ function callbackPage(title, message, tone) {
     <title>${escapeHtml(title)}</title>
     <style>
       :root {
-        color-scheme: dark;
+        color-scheme: light dark;
         font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
-        background: #05070d;
-        color: #f7f7fb;
+        background: #ffffff;
+        color: #1f2937;
       }
+      * { box-sizing: border-box; }
       body {
         min-height: 100vh;
         margin: 0;
-        display: grid;
-        place-items: center;
+        color: #1f2937;
         background:
-          radial-gradient(circle at 20% 20%, rgba(68, 109, 255, 0.22), transparent 32rem),
-          radial-gradient(circle at 80% 10%, rgba(40, 209, 124, 0.16), transparent 26rem),
-          linear-gradient(135deg, #05070d 0%, #101526 100%);
+          repeating-linear-gradient(125deg, transparent, transparent 6px, #e8e8e8 6px, #e8e8e8 7px),
+          #ffffff;
+      }
+      .page {
+        min-height: 100vh;
+        width: min(100%, 80rem);
+        margin: 0 auto;
+        display: flex;
+        flex-direction: column;
+        border-inline: 1px solid #e5e7eb;
+        background:
+          repeating-linear-gradient(125deg, transparent, transparent 6px, #e8e8e8 6px, #e8e8e8 7px),
+          #ffffff;
+      }
+      header {
+        height: 4.5rem;
+        display: flex;
+        align-items: center;
+        justify-content: space-between;
+        padding: 0 1.5rem;
+        border-bottom: 1px solid #e5e7eb;
+        background: rgba(255, 255, 255, 0.88);
+        backdrop-filter: blur(12px);
+      }
+      .logo {
+        color: #1f2937;
+        font-size: 0.95rem;
+        font-weight: 800;
+        letter-spacing: 0;
+      }
+      .pill {
+        border: 1px solid #e5e7eb;
+        border-radius: 999px;
+        padding: 0.45rem 0.8rem;
+        background: #ffffff;
+        color: #4b5563;
+        font-size: 0.82rem;
+        font-weight: 600;
       }
       main {
-        width: min(92vw, 34rem);
-        border: 1px solid rgba(255, 255, 255, 0.12);
-        border-radius: 1.5rem;
-        padding: 2rem;
-        background: rgba(10, 14, 27, 0.82);
-        box-shadow: 0 2rem 6rem rgba(0, 0, 0, 0.38);
+        flex: 1;
+        display: grid;
+        place-items: center;
+        padding: 5rem 1.5rem;
+      }
+      .panel {
+        width: min(100%, 34rem);
+        border: 1px solid #e5e7eb;
+        border-radius: 0.5rem;
+        padding: clamp(1.5rem, 5vw, 2.25rem);
+        background: rgba(255, 255, 255, 0.94);
+        box-shadow:
+          0 1.34368px 0.537473px -0.625px rgba(0, 0, 0, 0.09),
+          0 15.5969px 6.23877px -3.125px rgba(0, 0, 0, 0.07),
+          0 43.962px 17.5848px -4.375px rgba(0, 0, 0, 0.04);
         text-align: center;
-        backdrop-filter: blur(18px);
       }
-      .brand {
-        margin: 0 0 1.5rem;
-        color: rgba(247, 247, 251, 0.58);
+      .eyebrow {
+        margin: 0 0 1.25rem;
+        color: #4b5563;
         font-size: 0.78rem;
         font-weight: 700;
-        letter-spacing: 0.18em;
+        letter-spacing: 0.12em;
         text-transform: uppercase;
       }
       .mark {
-        width: 3.5rem;
-        height: 3.5rem;
+        width: 4rem;
+        height: 4rem;
         margin: 0 auto 1.25rem;
         display: grid;
         place-items: center;
-        border-radius: 999px;
+        border: 1px solid ${accent};
+        border-radius: 0.5rem;
         background: ${accent};
-        color: #05070d;
-        font-size: 1.8rem;
+        color: #111827;
+        font-size: 1.9rem;
         font-weight: 900;
-        box-shadow: 0 0 2.5rem ${accent}55;
+        box-shadow: 0 18px 40px -20px ${accent};
       }
       h1 {
         margin: 0;
-        font-size: clamp(1.75rem, 5vw, 2.45rem);
-        line-height: 1.05;
-        letter-spacing: -0.04em;
+        color: #1f2937;
+        font-size: clamp(2rem, 7vw, 3.5rem);
+        line-height: 0.98;
+        letter-spacing: 0;
       }
       p {
         margin: 1rem auto 0;
         max-width: 26rem;
-        color: rgba(247, 247, 251, 0.66);
+        color: #4b5563;
         font-size: 1rem;
         line-height: 1.65;
       }
+      .status {
+        display: inline-flex;
+        align-items: center;
+        gap: 0.5rem;
+        margin-top: 1.5rem;
+        border: 1px solid ${accent};
+        border-radius: 999px;
+        padding: 0.5rem 0.8rem;
+        background: ${accentSoft};
+        color: #1f2937;
+        font-size: 0.86rem;
+        font-weight: 700;
+      }
+      @media (prefers-color-scheme: dark) {
+        :root {
+          background: #020617;
+          color: #f3f4f6;
+        }
+        body {
+          color: #f3f4f6;
+          background:
+            repeating-linear-gradient(125deg, transparent, transparent 6px, rgba(55, 65, 81, 0.6) 6px, rgba(55, 65, 81, 0.6) 7px),
+            #020617;
+        }
+        .page {
+          border-color: #1f2937;
+          background:
+            repeating-linear-gradient(125deg, transparent, transparent 6px, rgba(55, 65, 81, 0.6) 6px, rgba(55, 65, 81, 0.6) 7px),
+            #020617;
+        }
+        header,
+        .panel {
+          border-color: #1f2937;
+          background: rgba(2, 6, 23, 0.94);
+        }
+        .logo,
+        h1 {
+          color: #f3f4f6;
+        }
+        .pill,
+        .eyebrow,
+        p {
+          color: #d1d5db;
+        }
+        .pill {
+          border-color: #1f2937;
+          background: #111827;
+        }
+        .mark,
+        .status {
+          color: #020617;
+        }
+      }
     </style>
   </head>
   <body>
-    <main>
-      <p class="brand">Switchboard CLI</p>
-      <div class="mark" aria-hidden="true">${mark}</div>
-      <h1>${escapeHtml(title)}</h1>
-      <p>${escapeHtml(message)}</p>
-    </main>
+    <div class="page">
+      <header>
+        <div class="logo">Switchboard</div>
+        <div class="pill">CLI session</div>
+      </header>
+      <main>
+        <section class="panel" aria-labelledby="callback-title">
+          <p class="eyebrow">Switchboard CLI</p>
+          <div class="mark" aria-hidden="true">${mark}</div>
+          <h1 id="callback-title">${escapeHtml(title)}</h1>
+          <p>${escapeHtml(message)}</p>
+          <div class="status">${success ? "Session approved" : "Session not approved"}</div>
+        </section>
+      </main>
+    </div>
   </body>
 </html>`;
 }

package/lib/commands/billing.js

@@ -2,6 +2,7 @@
  * Developer billing commands.
  */
 
+import { spawn } from "node:child_process";
 import { accountRequest } from "../client.js";
 import { emit, globalFlags, printList } from "../output.js";
 
@@ -51,6 +52,40 @@ export function registerBillingCommands(program) {
       emit(flags.json ? data : `Created top-up ${data.id}`, flags);
     });
 
+  billing
+    .command("checkout")
+    .description("Create a Stripe-hosted developer billing checkout URL")
+    .requiredOption("--success-url <url>")
+    .requiredOption("--cancel-url <url>")
+    .option("--open", "Open checkout URL in the default browser")
+    .action(async (opts, cmd) => {
+      const flags = globalFlags(cmd);
+      const { data } = await accountRequest("POST", "/billing/checkout", {
+        body: {
+          success_url: opts.successUrl,
+          cancel_url: opts.cancelUrl,
+        },
+        json: flags.json,
+      });
+      if (opts.open) openUrl(data.checkout_url);
+      emit(flags.json ? data : data.checkout_url, flags);
+    });
+
+  billing
+    .command("portal")
+    .description("Create a Stripe-hosted developer billing portal URL")
+    .requiredOption("--return-url <url>")
+    .option("--open", "Open portal URL in the default browser")
+    .action(async (opts, cmd) => {
+      const flags = globalFlags(cmd);
+      const { data } = await accountRequest("POST", "/billing/portal", {
+        body: { return_url: opts.returnUrl },
+        json: flags.json,
+      });
+      if (opts.open) openUrl(data.url);
+      emit(flags.json ? data : data.url, flags);
+    });
+
   billing
     .command("prepaid")
     .description("Update prepaid wallet settings")
@@ -85,3 +120,11 @@ export function registerBillingCommands(program) {
       emit(flags.json ? data : "Updated prepaid settings", flags);
     });
 }
+
+function openUrl(url) {
+  const command =
+    process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+  const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+  const child = spawn(command, args, { stdio: "ignore", detached: true });
+  child.unref();
+}