@switchboard.spot/cli 0.2.0

package/lib/credentialStore.js

@@ -0,0 +1,312 @@
+/**
+ * Stores the account session token in the operating system credential store.
+ *
+ * The CLI intentionally never persists account tokens in ~/.switchboard/config.json
+ * or reads them from environment variables. Browser login writes the token here,
+ * and authenticated commands read it back only when they need to call the account
+ * API.
+ */
+
+import { execFile } from "node:child_process";
+import { spawn } from "node:child_process";
+import { promisify } from "node:util";
+
+const execFileAsync = promisify(execFile);
+const SERVICE = "Switchboard CLI";
+const ACCOUNT = "account-session";
+const PROJECT_SECRET_PREFIX = "project-secret";
+
+/**
+ * Reads the current account session token from the OS keychain.
+ */
+export async function getAccountToken() {
+  try {
+    if (process.platform === "darwin") {
+      const { stdout } = await execFileAsync("security", [
+        "find-generic-password",
+        "-a",
+        ACCOUNT,
+        "-s",
+        SERVICE,
+        "-w",
+      ]);
+      return stdout.trim() || null;
+    }
+
+    if (process.platform === "linux") {
+      const { stdout } = await execFileAsync("secret-tool", [
+        "lookup",
+        "service",
+        SERVICE,
+        "account",
+        ACCOUNT,
+      ]);
+      return stdout.trim() || null;
+    }
+
+    throw unsupportedPlatformError();
+  } catch (error) {
+    if (credentialMissing(error)) {
+      return null;
+    }
+
+    throw normalizeKeychainError(error);
+  }
+}
+
+/**
+ * Writes the current account session token to the OS keychain.
+ */
+export async function setAccountToken(token) {
+  if (!token) {
+    throw new Error("Cannot store an empty Switchboard account token");
+  }
+
+  try {
+    if (process.platform === "darwin") {
+      await execFileAsync("security", [
+        "add-generic-password",
+        "-a",
+        ACCOUNT,
+        "-s",
+        SERVICE,
+        "-w",
+        token,
+        "-U",
+      ]);
+      return;
+    }
+
+    if (process.platform === "linux") {
+      await execFileWithInput(
+        "secret-tool",
+        ["store", "--label", SERVICE, "service", SERVICE, "account", ACCOUNT],
+        token,
+      );
+      return;
+    }
+
+    throw unsupportedPlatformError();
+  } catch (error) {
+    throw normalizeKeychainError(error);
+  }
+}
+
+/**
+ * Deletes the current account session token from the OS keychain.
+ */
+export async function deleteAccountToken() {
+  try {
+    if (process.platform === "darwin") {
+      await execFileAsync("security", [
+        "delete-generic-password",
+        "-a",
+        ACCOUNT,
+        "-s",
+        SERVICE,
+      ]);
+      return;
+    }
+
+    if (process.platform === "linux") {
+      await execFileAsync("secret-tool", [
+        "clear",
+        "service",
+        SERVICE,
+        "account",
+        ACCOUNT,
+      ]);
+      return;
+    }
+
+    throw unsupportedPlatformError();
+  } catch (error) {
+    if (credentialMissing(error)) {
+      return;
+    }
+
+    throw normalizeKeychainError(error);
+  }
+}
+
+/**
+ * Reads a stored project secret key from the OS keychain.
+ */
+export async function getProjectSecretKey(projectId, mode = "sandbox") {
+  return getCredential(projectSecretAccount(projectId, mode));
+}
+
+/**
+ * Stores a project secret key in the OS keychain.
+ */
+export async function setProjectSecretKey(projectId, mode, token) {
+  if (!token) {
+    throw new Error("Cannot store an empty Switchboard project secret key");
+  }
+
+  return setCredential(projectSecretAccount(projectId, mode), token);
+}
+
+/**
+ * Deletes a stored project secret key from the OS keychain.
+ */
+export async function deleteProjectSecretKey(projectId, mode = "sandbox") {
+  return deleteCredential(projectSecretAccount(projectId, mode));
+}
+
+function projectSecretAccount(projectId, mode) {
+  if (!projectId) {
+    throw new Error("Project id is required for Switchboard project secret storage");
+  }
+
+  return `${PROJECT_SECRET_PREFIX}:${projectId}:${mode}`;
+}
+
+async function getCredential(account) {
+  try {
+    if (process.platform === "darwin") {
+      const { stdout } = await execFileAsync("security", [
+        "find-generic-password",
+        "-a",
+        account,
+        "-s",
+        SERVICE,
+        "-w",
+      ]);
+      return stdout.trim() || null;
+    }
+
+    if (process.platform === "linux") {
+      const { stdout } = await execFileAsync("secret-tool", [
+        "lookup",
+        "service",
+        SERVICE,
+        "account",
+        account,
+      ]);
+      return stdout.trim() || null;
+    }
+
+    throw unsupportedPlatformError();
+  } catch (error) {
+    if (credentialMissing(error)) {
+      return null;
+    }
+
+    throw normalizeKeychainError(error);
+  }
+}
+
+async function setCredential(account, token) {
+  try {
+    if (process.platform === "darwin") {
+      await execFileAsync("security", [
+        "add-generic-password",
+        "-a",
+        account,
+        "-s",
+        SERVICE,
+        "-w",
+        token,
+        "-U",
+      ]);
+      return;
+    }
+
+    if (process.platform === "linux") {
+      await execFileWithInput(
+        "secret-tool",
+        ["store", "--label", SERVICE, "service", SERVICE, "account", account],
+        token,
+      );
+      return;
+    }
+
+    throw unsupportedPlatformError();
+  } catch (error) {
+    throw normalizeKeychainError(error);
+  }
+}
+
+async function deleteCredential(account) {
+  try {
+    if (process.platform === "darwin") {
+      await execFileAsync("security", [
+        "delete-generic-password",
+        "-a",
+        account,
+        "-s",
+        SERVICE,
+      ]);
+      return;
+    }
+
+    if (process.platform === "linux") {
+      await execFileAsync("secret-tool", [
+        "clear",
+        "service",
+        SERVICE,
+        "account",
+        account,
+      ]);
+      return;
+    }
+
+    throw unsupportedPlatformError();
+  } catch (error) {
+    if (credentialMissing(error)) {
+      return;
+    }
+
+    throw normalizeKeychainError(error);
+  }
+}
+
+function credentialMissing(error) {
+  return error?.code === 44 || error?.code === 1;
+}
+
+function execFileWithInput(command, args, input) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, { stdio: ["pipe", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk;
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk;
+    });
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve({ stdout, stderr });
+      } else {
+        const error = new Error(stderr || `${command} exited with ${code}`);
+        error.code = code;
+        error.stdout = stdout;
+        error.stderr = stderr;
+        reject(error);
+      }
+    });
+
+    child.stdin.end(input);
+  });
+}
+
+function unsupportedPlatformError() {
+  return new Error(
+    "Switchboard account login requires an OS keychain. This CLI currently supports macOS Keychain and Linux Secret Service.",
+  );
+}
+
+function normalizeKeychainError(error) {
+  if (error?.code === "ENOENT") {
+    return new Error(
+      "Switchboard account login requires an OS keychain command. On Linux, install libsecret's `secret-tool`; on macOS, ensure the `security` command is available.",
+    );
+  }
+
+  return error;
+}

package/lib/output.js

@@ -0,0 +1,112 @@
+/**
+ * Human-readable and JSON output helpers for the Switchboard CLI.
+ */
+
+/**
+ * Prints data as JSON or a human message depending on global flags.
+ */
+export function emit(data, { json, quiet } = {}) {
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+  if (!quiet && typeof data === "string") {
+    console.log(data);
+  }
+}
+
+/**
+ * Reads global flags from a Commander command regardless of nesting depth.
+ */
+export function globalFlags(cmd) {
+  let current = cmd;
+
+  while (current?.parent) {
+    current = current.parent;
+  }
+
+  return current?.opts?.() ?? cmd?.opts?.() ?? {};
+}
+
+/**
+ * Prints an error to stderr and exits with the given code.
+ */
+export function fail(message, code = 1, json = false, type = "invalid_request") {
+  if (json) {
+    console.log(
+      JSON.stringify(
+        {
+          ok: false,
+          error: {
+            type,
+            message,
+          },
+        },
+        null,
+        2,
+      ),
+    );
+    process.exit(code);
+  }
+
+  console.error(message);
+  process.exit(code);
+}
+
+/**
+ * Maps HTTP status to CLI exit codes per agent contract.
+ */
+export function exitCodeForStatus(status) {
+  if (status === 401 || status === 403) return 2;
+  if (status >= 500) return 3;
+  if (status >= 400) return 1;
+  return 0;
+}
+
+export async function parseErrorResponse(res) {
+  const text = await res.text();
+  let data;
+
+  try {
+    data = text ? JSON.parse(text) : {};
+  } catch {
+    data = { raw: text };
+  }
+
+  return normalizeError(data, text, res.status);
+}
+
+export function normalizeError(data, text, status) {
+  if (data?.error && typeof data.error === "object") {
+    return {
+      type: data.error.type || "error",
+      message: data.error.message || `HTTP ${status}`,
+    };
+  }
+
+  if (typeof data?.error === "string") {
+    return { type: "error", message: data.error };
+  }
+
+  return { type: "error", message: text || `HTTP ${status}` };
+}
+
+export function emitHttpError(error, status, flags = {}) {
+  if (flags.json) {
+    console.log(JSON.stringify({ ok: false, status, error }, null, 2));
+  } else {
+    console.error(error.message);
+  }
+
+  process.exit(exitCodeForStatus(status));
+}
+
+/**
+ * Formats a simple key-value listing for human output.
+ */
+export function printList(title, items, formatter) {
+  console.log(title);
+  for (const item of items) {
+    console.log(formatter(item));
+  }
+}