@switchboard.spot/cli 0.2.0 → 0.2.2

package/lib/credentialStore.js

@@ -9,12 +9,16 @@
 
 import { execFile } from "node:child_process";
 import { spawn } from "node:child_process";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
 import { promisify } from "node:util";
 
 const execFileAsync = promisify(execFile);
 const SERVICE = "Switchboard CLI";
 const ACCOUNT = "account-session";
 const PROJECT_SECRET_PREFIX = "project-secret";
+const ACCOUNT_SESSION_FILE = "account-session.json";
 
 /**
  * Reads the current account session token from the OS keychain.
@@ -54,6 +58,30 @@ export async function getAccountToken() {
   }
 }
 
+/**
+ * Reads the current account session token from the isolated CLI config dir.
+ */
+export function getConfigDirAccountToken(configDir = switchboardConfigDir()) {
+  const file = accountSessionFile(configDir);
+
+  if (!fs.existsSync(file)) {
+    return null;
+  }
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(file, "utf8"));
+  } catch (error) {
+    throw new Error(`Could not read Switchboard config-dir account session: ${error.message}`);
+  }
+
+  if (!data || typeof data.token !== "string" || data.token.trim() === "") {
+    throw new Error("Switchboard config-dir account session is invalid");
+  }
+
+  return data.token;
+}
+
 /**
  * Writes the current account session token to the OS keychain.
  */
@@ -92,6 +120,23 @@ export async function setAccountToken(token) {
   }
 }
 
+/**
+ * Writes the current account session token to the isolated CLI config dir.
+ */
+export function setConfigDirAccountToken(token, configDir = switchboardConfigDir()) {
+  if (!token) {
+    throw new Error("Cannot store an empty Switchboard account token");
+  }
+
+  fs.mkdirSync(configDir, { recursive: true });
+  fs.writeFileSync(
+    accountSessionFile(configDir),
+    `${JSON.stringify({ token }, null, 2)}\n`,
+    { mode: 0o600 },
+  );
+  chmodAccountSessionFile(configDir);
+}
+
 /**
  * Deletes the current account session token from the OS keychain.
  */
@@ -129,6 +174,29 @@ export async function deleteAccountToken() {
   }
 }
 
+/**
+ * Deletes the current account session token from the isolated CLI config dir.
+ */
+export function deleteConfigDirAccountToken(configDir = switchboardConfigDir()) {
+  fs.rmSync(accountSessionFile(configDir), { force: true });
+}
+
+export function accountSessionFile(configDir = switchboardConfigDir()) {
+  return path.join(configDir, ACCOUNT_SESSION_FILE);
+}
+
+function switchboardConfigDir() {
+  return process.env.SWITCHBOARD_CONFIG_DIR || path.join(os.homedir(), ".switchboard");
+}
+
+function chmodAccountSessionFile(configDir) {
+  try {
+    fs.chmodSync(accountSessionFile(configDir), 0o600);
+  } catch {
+    /* best effort on platforms that do not support chmod */
+  }
+}
+
 /**
  * Reads a stored project secret key from the OS keychain.
  */

package/lib/docsClient.js

@@ -0,0 +1,157 @@
+/**
+ * Public docs client used by CLI docs commands and the embedded MCP server.
+ */
+
+import { gatewayApiUrl, resolveAccountConfig, resolveConfig, accountApiUrl } from "./config.js";
+import { redactSecrets } from "./output.js";
+
+const DEFAULT_TIMEOUT_MS = 15_000;
+
+export function docsBaseUrl(config = resolveConfig()) {
+  return gatewayApiUrl(config);
+}
+
+export async function listDocs({ config } = {}) {
+  const data = await publicJson("/docs", { config });
+  return redactSecrets(data);
+}
+
+export async function readDoc(id, { config } = {}) {
+  const data = await publicJson(`/docs/${encodeURIComponent(id)}`, { config });
+  return redactSecrets(data);
+}
+
+export async function searchDocs(query, { limit, config } = {}) {
+  const params = new URLSearchParams({ q: query });
+  if (limit != null) params.set("limit", String(limit));
+  const data = await publicJson(`/docs/search?${params}`, { config });
+  return redactSecrets(data);
+}
+
+export async function docsCapabilities({ config } = {}) {
+  const data = await publicJson("/docs/capabilities", { config });
+  return redactSecrets(data);
+}
+
+export async function openApi({ config } = {}) {
+  const data = await publicJson("/openapi.json", { config });
+  return redactSecrets(data);
+}
+
+export async function models({ config } = {}) {
+  const data = await publicJson("/models", { config });
+  return redactSecrets(data);
+}
+
+export async function integrationKit({ stack, config } = {}) {
+  let cfg;
+  try {
+    cfg = await resolveAccountConfig(config || resolveConfig());
+  } catch (error) {
+    return {
+      ok: false,
+      error: {
+        type: "keychain_unavailable",
+        message: error.message || "Could not read Switchboard account session from the OS keychain.",
+      },
+    };
+  }
+
+  if (!cfg.accountToken) {
+    return {
+      ok: false,
+      error: {
+        type: "authentication_required",
+        message: "Run `switchboard auth login`, then select a project with `switchboard projects use <id>`.",
+      },
+    };
+  }
+
+  if (!cfg.projectId) {
+    return {
+      ok: false,
+      error: {
+        type: "project_required",
+        message: "Select a project with `switchboard projects use <id>` or set SWITCHBOARD_PROJECT_ID.",
+      },
+    };
+  }
+
+  const params = new URLSearchParams({ project_id: cfg.projectId });
+  if (stack) params.set("stack", stack);
+
+  const url = `${accountApiUrl(cfg)}/integration_kit?${params}`;
+  const data = await fetchJson(url, {
+    headers: {
+      Authorization: `Bearer ${cfg.accountToken}`,
+      Accept: "application/json",
+    },
+  });
+
+  return redactSecrets(data);
+}
+
+export async function publicResource(name, options = {}) {
+  switch (name) {
+    case "docs":
+      return listDocs(options);
+    case "llms":
+      return readDoc("llms", options);
+    case "knowledge":
+      return readDoc("knowledge", options);
+    case "openapi":
+      return openApi(options);
+    case "integration-kit":
+      return integrationKit(options);
+    case "capabilities":
+      return docsCapabilities(options);
+    default:
+      throw new DocsClientError(`Unknown Switchboard resource: ${name}`, "not_found", 404);
+  }
+}
+
+async function publicJson(path, { config } = {}) {
+  const cfg = config || resolveConfig();
+  return fetchJson(`${docsBaseUrl(cfg)}${path}`, {
+    headers: { Accept: "application/json" },
+  });
+}
+
+async function fetchJson(url, init = {}) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);
+
+  let res;
+  try {
+    res = await fetch(url, { ...init, signal: controller.signal });
+  } catch (error) {
+    throw new DocsClientError(error.message || "Switchboard request failed.", "network_error", 3);
+  } finally {
+    clearTimeout(timeout);
+  }
+
+  const text = await res.text();
+  let data;
+  try {
+    data = text ? JSON.parse(text) : null;
+  } catch {
+    data = { raw: text };
+  }
+
+  if (!res.ok) {
+    const message = data?.error?.message || text || `HTTP ${res.status}`;
+    const type = data?.error?.type || "http_error";
+    throw new DocsClientError(message, type, res.status);
+  }
+
+  return data;
+}
+
+export class DocsClientError extends Error {
+  constructor(message, type = "error", status = 1) {
+    super(message);
+    this.name = "DocsClientError";
+    this.type = type;
+    this.status = status;
+  }
+}

package/lib/mcpServer.js

@@ -0,0 +1,193 @@
+/**
+ * Embedded Switchboard MCP stdio server.
+ */
+
+import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import {
+  docsCapabilities,
+  integrationKit,
+  listDocs,
+  models,
+  openApi,
+  publicResource,
+  readDoc,
+  searchDocs,
+} from "./docsClient.js";
+import { redactSecrets } from "./output.js";
+
+const SERVER_VERSION = "0.1.0";
+
+export async function runMcpServer() {
+  const server = createMcpServer();
+  await server.connect(new StdioServerTransport());
+}
+
+export function createMcpServer() {
+  const server = new McpServer({
+    name: "@switchboard.spot/cli",
+    version: SERVER_VERSION,
+  });
+
+  registerResources(server);
+  registerTools(server);
+
+  return server;
+}
+
+function registerResources(server) {
+  registerJsonResource(server, "switchboard_docs", "switchboard://docs", "Public Switchboard docs catalog", () =>
+    listDocs(),
+  );
+  registerJsonResource(server, "switchboard_llms", "switchboard://llms", "Public llms.txt context", () =>
+    publicResource("llms"),
+  );
+  registerJsonResource(
+    server,
+    "switchboard_knowledge",
+    "switchboard://knowledge",
+    "Public Switchboard knowledge context",
+    () => publicResource("knowledge"),
+  );
+  registerJsonResource(server, "switchboard_openapi", "switchboard://openapi", "Switchboard OpenAPI schema", () =>
+    openApi(),
+  );
+  registerJsonResource(
+    server,
+    "switchboard_integration_kit",
+    "switchboard://integration-kit",
+    "Project Integration Kit for the selected CLI project",
+    () => integrationKit(),
+  );
+  registerJsonResource(
+    server,
+    "switchboard_capabilities",
+    "switchboard://capabilities",
+    "Switchboard hosted MCP capabilities",
+    () => docsCapabilities(),
+  );
+
+  server.registerResource(
+    "switchboard_doc",
+    new ResourceTemplate("switchboard://docs/{id}", {
+      list: async () => {
+        const catalog = await listDocs();
+        return {
+          resources: (catalog.data || []).map((doc) => ({
+            uri: `switchboard://docs/${doc.id}`,
+            name: doc.id,
+            title: doc.title,
+            description: doc.description,
+            mimeType: "text/markdown",
+          })),
+        };
+      },
+    }),
+    {
+      title: "Switchboard doc",
+      description: "Read one public Switchboard doc by stable id.",
+      mimeType: "text/markdown",
+    },
+    async (_uri, variables) => {
+      const doc = await readDoc(String(variables.id));
+      return {
+        contents: [
+          {
+            uri: `switchboard://docs/${doc.data.id}`,
+            mimeType: doc.data.content_type || "text/markdown",
+            text: redactText(doc.data.content),
+          },
+        ],
+      };
+    },
+  );
+}
+
+function registerTools(server) {
+  server.registerTool(
+    "switchboard_docs_search",
+    {
+      title: "Search Switchboard docs",
+      description: "Search public Switchboard docs and return bounded snippets.",
+      inputSchema: {
+        query: z.string().min(1),
+        limit: z.number().int().min(1).max(20).optional(),
+      },
+      annotations: { readOnlyHint: true },
+    },
+    async ({ query, limit }) => jsonTool(await searchDocs(query, { limit })),
+  );
+
+  server.registerTool(
+    "switchboard_docs_read",
+    {
+      title: "Read Switchboard doc",
+      description: "Read one public Switchboard doc by stable id.",
+      inputSchema: {
+        id: z.string().min(1),
+      },
+      annotations: { readOnlyHint: true },
+    },
+    async ({ id }) => jsonTool(await readDoc(id)),
+  );
+
+  server.registerTool(
+    "switchboard_integration_kit",
+    {
+      title: "Switchboard Integration Kit",
+      description: "Return Integration Kit data for the logged-in selected CLI project.",
+      inputSchema: {
+        stack: z.string().optional(),
+      },
+      annotations: { readOnlyHint: true },
+    },
+    async ({ stack }) => jsonTool(await integrationKit({ stack })),
+  );
+
+  server.registerTool(
+    "switchboard_models",
+    {
+      title: "Switchboard models",
+      description: "List public OpenAI-compatible Switchboard models.",
+      annotations: { readOnlyHint: true },
+    },
+    async () => jsonTool(await models()),
+  );
+}
+
+function registerJsonResource(server, name, uri, description, loader) {
+  server.registerResource(
+    name,
+    uri,
+    {
+      title: name,
+      description,
+      mimeType: "application/json",
+    },
+    async () => ({
+      contents: [
+        {
+          uri,
+          mimeType: "application/json",
+          text: JSON.stringify(redactSecrets(await loader()), null, 2),
+        },
+      ],
+    }),
+  );
+}
+
+function jsonTool(data) {
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify(redactSecrets(data), null, 2),
+      },
+    ],
+  };
+}
+
+function redactText(text) {
+  return typeof text === "string" ? redactSecrets(text) : JSON.stringify(redactSecrets(text), null, 2);
+}

package/lib/output.js

@@ -2,16 +2,30 @@
  * Human-readable and JSON output helpers for the Switchboard CLI.
  */
 
+const REDACTED = "[REDACTED]";
+
+const SECRET_PATTERNS = [
+  /\bsb_(?:test|live|sess|eusr)_[A-Za-z0-9._-]+\b/g,
+  /\bsk-(?:proj-|ant-)?[A-Za-z0-9._-]{20,}\b/g,
+  /\bsk_(?:live|test)_[A-Za-z0-9._-]+\b/g,
+  /\brk_(?:live|test)_[A-Za-z0-9._-]+\b/g,
+  /\bpk_(?:live|test)_[A-Za-z0-9._-]+\b/g,
+  /\bwhsec_[A-Za-z0-9._-]+\b/g,
+  /\b0x[0-9A-Za-z_-]{20,}\b/g,
+  /\b[A-Za-z0-9_-]{24,}\.[A-Za-z0-9_-]{24,}\.[A-Za-z0-9_-]{24,}\b/g,
+  /\b(?:OPENAI|ANTHROPIC|GROQ|MISTRAL|GOOGLE|STRIPE|CLOUDFLARE)_[A-Z0-9_]*(?:KEY|TOKEN|SECRET)\s*=\s*[^\s]+/gi,
+];
+
 /**
  * Prints data as JSON or a human message depending on global flags.
  */
 export function emit(data, { json, quiet } = {}) {
   if (json) {
-    console.log(JSON.stringify(data, null, 2));
+    console.log(JSON.stringify(redactSecrets(data), null, 2));
     return;
   }
   if (!quiet && typeof data === "string") {
-    console.log(data);
+    console.log(redactSecrets(data));
   }
 }
 
@@ -35,13 +49,13 @@ export function fail(message, code = 1, json = false, type = "invalid_request")
   if (json) {
     console.log(
       JSON.stringify(
-        {
+        redactSecrets({
           ok: false,
           error: {
             type,
             message,
           },
-        },
+        }),
         null,
         2,
       ),
@@ -49,7 +63,7 @@ export function fail(message, code = 1, json = false, type = "invalid_request")
     process.exit(code);
   }
 
-  console.error(message);
+  console.error(redactSecrets(message));
   process.exit(code);
 }
 
@@ -93,9 +107,9 @@ export function normalizeError(data, text, status) {
 
 export function emitHttpError(error, status, flags = {}) {
   if (flags.json) {
-    console.log(JSON.stringify({ ok: false, status, error }, null, 2));
+    console.log(JSON.stringify(redactSecrets({ ok: false, status, error }), null, 2));
   } else {
-    console.error(error.message);
+    console.error(redactSecrets(error.message));
   }
 
   process.exit(exitCodeForStatus(status));
@@ -105,8 +119,50 @@ export function emitHttpError(error, status, flags = {}) {
  * Formats a simple key-value listing for human output.
  */
 export function printList(title, items, formatter) {
-  console.log(title);
+  console.log(redactSecrets(title));
   for (const item of items) {
-    console.log(formatter(item));
+    console.log(redactSecrets(formatter(item)));
+  }
+}
+
+export function redactSecrets(value) {
+  if (typeof value === "string") return redactString(value);
+  if (Array.isArray(value)) return value.map((entry) => redactSecrets(entry));
+  if (!value || typeof value !== "object") return value;
+
+  const redacted = {};
+  for (const [key, entry] of Object.entries(value)) {
+    redacted[key] = isSecretKeyName(key) ? redactKnownPublicKey(key, entry) : redactSecrets(entry);
   }
+
+  return redacted;
+}
+
+function redactKnownPublicKey(key, value) {
+  if (key === "site_key" || key === "turnstile_site_key") return redactSecrets(value);
+  return typeof value === "boolean" || value == null ? value : REDACTED;
+}
+
+function redactString(value) {
+  return SECRET_PATTERNS.reduce(
+    (text, pattern) => text.replace(pattern, (match) => redactAssignment(match)),
+    value,
+  );
+}
+
+function redactAssignment(match) {
+  const index = match.indexOf("=");
+  if (index === -1) return REDACTED;
+  return `${match.slice(0, index + 1)}${REDACTED}`;
+}
+
+function isSecretKeyName(key) {
+  const normalized = key.replace(/[A-Z]/g, "_$&").toLowerCase();
+  if (normalized.endsWith("_count") || normalized.endsWith("_configured")) return false;
+  if (normalized === "site_key" || normalized === "turnstile_site_key") return false;
+
+  return (
+    /(^|_)(secret|token|password|plaintext|session)($|_)/.test(normalized) ||
+    /(^|_)api_key($|_)/.test(normalized)
+  );
 }

package/lib/verify/index.js

@@ -70,6 +70,8 @@ const PROTECTED_AUTH_HOST_PATTERNS = [
 ];
 
 const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "0.0.0.0"]);
+const DEV_BROWSER_CHALLENGE_TOKEN = "dev_browser_challenge";
+const DEFAULT_BROWSER_CHALLENGE_TOKEN = "switchboard-verification";
 
 export function loadScenario(filePath) {
   if (!filePath) return DEFAULT_SCENARIO;
@@ -427,7 +429,7 @@ async function executeScenarioCheck({
       const result = await browserFetchJson(page, clientUrl, "/auth/anonymous/session", {
         method: "POST",
         body: {
-          browser_challenge_token: check.browserChallengeToken ?? "switchboard-verification",
+          browser_challenge_token: browserChallengeTokenFor(check, clientUrl),
         },
       });
       if (result.data?.token) {
@@ -478,14 +480,16 @@ async function executeScenarioCheck({
 }
 
 async function browserFetchJson(page, clientUrl, endpointPath, init) {
+  const endpointUrl = clientEndpointUrl(clientUrl, endpointPath);
+
   return page.evaluate(
-    async ({ clientUrl, endpointPath, init }) => {
+    async ({ endpointUrl, init }) => {
       try {
         const headers = new Headers(init.headers ?? {});
         headers.set("Accept", "application/json");
         if (init.body) headers.set("Content-Type", "application/json");
 
-        const response = await fetch(new URL(endpointPath, clientUrl).href, {
+        const response = await fetch(endpointUrl, {
           method: init.method,
           headers,
           body: init.body ? JSON.stringify(init.body) : undefined,
@@ -508,10 +512,18 @@ async function browserFetchJson(page, clientUrl, endpointPath, init) {
         return { ok: false, status: 0, data: null, error: error.message };
       }
     },
-    { clientUrl: clientUrl.href, endpointPath, init },
+    { endpointUrl, init },
   );
 }
 
+function clientEndpointUrl(clientUrl, endpointPath) {
+  const endpoint = endpointPath.startsWith("/") ? endpointPath.slice(1) : endpointPath;
+  const basePath = clientUrl.pathname.endsWith("/") ? clientUrl.pathname : `${clientUrl.pathname}/`;
+  const url = new URL(clientUrl.href);
+  url.pathname = `${basePath}${endpoint}`.replace(/\/{2,}/g, "/");
+  return url.href;
+}
+
 function wireEvidence(page, evidence) {
   page.on("console", (message) => {
     evidence.consoleMessages.push({
@@ -709,6 +721,22 @@ function normalizedHostname(url) {
   return url.hostname.replace(/^\[|\]$/g, "");
 }
 
+function browserChallengeTokenFor(check, clientUrl) {
+  if (Object.prototype.hasOwnProperty.call(check, "browserChallengeToken")) {
+    return check.browserChallengeToken;
+  }
+
+  if (isLocalSwitchboardUrl(clientUrl)) {
+    return DEV_BROWSER_CHALLENGE_TOKEN;
+  }
+
+  return DEFAULT_BROWSER_CHALLENGE_TOKEN;
+}
+
+function isLocalSwitchboardUrl(url) {
+  return url instanceof URL && LOCAL_HOSTS.has(normalizedHostname(url));
+}
+
 function addFailure(report, checkId, message, finding) {
   addCheck(report, { id: checkId, status: "failed", message });
   report.findings.push({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@switchboard.spot/cli",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Switchboard CLI — full dashboard parity for agents and testing",
   "type": "module",
   "bin": {
@@ -17,8 +17,10 @@
     "coverage": "node --test --experimental-test-coverage --test-coverage-include='bin/**/*.js' --test-coverage-include='lib/**/*.js' test/*.test.js"
   },
   "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "commander": "^13.1.0",
-    "playwright": "^1.61.0"
+    "playwright": "^1.61.0",
+    "zod": "^4.4.3"
   },
   "files": [
     "bin/",