@switchboard.spot/cli 0.2.0

package/lib/verify/index.js

@@ -0,0 +1,762 @@
+import fs from "fs";
+import path from "path";
+
+export const DEFAULT_ARTIFACTS_DIR = "switchboard-verification";
+
+export const CHECK_IDS = {
+  PAGE_LOADS: "page_loads",
+  NO_CONSOLE_ERRORS: "no_console_errors",
+  NO_FAILED_REQUESTS: "no_failed_requests",
+  CLIENT_CONFIG_REACHABLE: "client_config_reachable",
+  ANONYMOUS_SESSION_CREATED: "anonymous_session_created",
+  CHAT_COMPLETION_SUCCEEDS: "chat_completion_succeeds",
+  SWITCHBOARD_REQUEST_OBSERVED: "switchboard_request_observed",
+  NO_SERVER_SECRET_EXPOSED: "no_server_secret_exposed",
+  NO_PROVIDER_SECRET_EXPOSED: "no_provider_secret_exposed",
+  NO_BROWSER_AUTHORIZATION_HEADER: "no_browser_authorization_header",
+  ORIGIN_ALLOWED: "origin_allowed",
+  PRODUCTION_SAFETY_READY: "production_safety_ready",
+  CORS_CREDENTIALS_SAFE: "cors_credentials_safe",
+};
+
+export const DEFAULT_SCENARIO = {
+  checks: [
+    { type: "visit", url: "/" },
+    { type: "noConsoleErrors" },
+    { type: "noFailedRequests" },
+    { type: "switchboardClientConfig" },
+    { type: "switchboardAnonymousSession" },
+    {
+      type: "switchboardChat",
+      prompt: "Reply with exactly: switchboard verification ok",
+    },
+    { type: "noSecretExposure" },
+  ],
+};
+
+const CHECK_TYPE_TO_ID = new Map([
+  ["visit", CHECK_IDS.PAGE_LOADS],
+  ["noConsoleErrors", CHECK_IDS.NO_CONSOLE_ERRORS],
+  ["noFailedRequests", CHECK_IDS.NO_FAILED_REQUESTS],
+  ["switchboardClientConfig", CHECK_IDS.CLIENT_CONFIG_REACHABLE],
+  ["switchboardAnonymousSession", CHECK_IDS.ANONYMOUS_SESSION_CREATED],
+  ["switchboardChat", CHECK_IDS.CHAT_COMPLETION_SUCCEEDS],
+  ["switchboardRequestObserved", CHECK_IDS.SWITCHBOARD_REQUEST_OBSERVED],
+  ["noSecretExposure", CHECK_IDS.NO_SERVER_SECRET_EXPOSED],
+  ["noBrowserAuthorizationHeader", CHECK_IDS.NO_BROWSER_AUTHORIZATION_HEADER],
+  ["corsCredentialsSafe", CHECK_IDS.CORS_CREDENTIALS_SAFE],
+]);
+
+const SERVER_SECRET_PATTERNS = [
+  { name: "SWITCHBOARD_API_KEY", pattern: /\bSWITCHBOARD_API_KEY\b/ },
+  { name: "switchboard live key", pattern: /\bsb_live_[A-Za-z0-9_-]{6,}\b/ },
+  { name: "switchboard test key", pattern: /\bsb_test_[A-Za-z0-9_-]{6,}\b/ },
+  { name: "account session token", pattern: /\bsb_sess_[A-Za-z0-9_-]{6,}\b/ },
+];
+
+const PROVIDER_SECRET_PATTERNS = [
+  { name: "OpenAI API key", pattern: /\bsk-[A-Za-z0-9][A-Za-z0-9_-]{16,}\b/ },
+  { name: "Anthropic API key", pattern: /\bsk-ant-[A-Za-z0-9_-]{16,}\b/ },
+  { name: "Google API key", pattern: /\bAIza[0-9A-Za-z_-]{20,}\b/ },
+];
+
+const PROTECTED_AUTH_HOST_PATTERNS = [
+  /(^|\.)switchboard\.spot$/i,
+  /(^|\.)api\.openai\.com$/i,
+  /(^|\.)api\.anthropic\.com$/i,
+  /(^|\.)generativelanguage\.googleapis\.com$/i,
+  /(^|\.)api\.mistral\.ai$/i,
+  /(^|\.)api\.groq\.com$/i,
+];
+
+const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "0.0.0.0"]);
+
+export function loadScenario(filePath) {
+  if (!filePath) return DEFAULT_SCENARIO;
+
+  let parsed;
+  try {
+    parsed = JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch (error) {
+    throw new VerificationInputError(`Could not read scenario JSON: ${error.message}`);
+  }
+
+  return validateScenario(parsed);
+}
+
+export function validateScenario(scenario) {
+  if (!scenario || typeof scenario !== "object" || !Array.isArray(scenario.checks)) {
+    throw new VerificationInputError("Scenario must be a JSON object with a checks array.");
+  }
+
+  for (const [index, check] of scenario.checks.entries()) {
+    if (!check || typeof check !== "object" || typeof check.type !== "string") {
+      throw new VerificationInputError(`Scenario check ${index} must have a string type.`);
+    }
+
+    if (!CHECK_TYPE_TO_ID.has(check.type)) {
+      throw new VerificationInputError(`Unknown scenario check type: ${check.type}`);
+    }
+
+    if (check.type === "visit") {
+      validateVisitPath(check.url ?? "/");
+    }
+  }
+
+  return scenario;
+}
+
+export async function verifySwitchboardSetup(options = {}) {
+  return runVerification({ ...options, mode: "setup" });
+}
+
+export async function verifySwitchboardPublish(options = {}) {
+  return runVerification({ ...options, mode: "publish" });
+}
+
+export async function verifySwitchboardBrowser(options = {}) {
+  return runVerification({ ...options, mode: "browser" });
+}
+
+export async function runVerification(options = {}) {
+  const mode = options.mode ?? "setup";
+  const scenario = validateScenario(options.scenario ?? loadScenario(options.scenarioPath));
+  const report = createReport(mode);
+  const artifactsDir = options.artifactsDir ?? DEFAULT_ARTIFACTS_DIR;
+  const appUrl = parseRequiredUrl(options.url, "--url");
+  const clientUrl = options.clientUrl ? parseRequiredUrl(options.clientUrl, "--client-url") : null;
+  const timeoutMs = normalizeTimeoutMs(options.timeoutMs);
+  let productionOrigin = options.productionOrigin;
+
+  if (mode === "publish") {
+    validatePublishUrl(appUrl, "--url");
+    if (!options.productionOrigin) {
+      addFailure(report, CHECK_IDS.ORIGIN_ALLOWED, "--production-origin is required in publish mode.", {
+        severity: "critical",
+        code: "missing_production_origin",
+      });
+    } else {
+      const parsedProductionOrigin = parseRequiredUrl(options.productionOrigin, "--production-origin");
+      validatePublishUrl(parsedProductionOrigin, "--production-origin");
+      productionOrigin = parsedProductionOrigin.origin;
+    }
+  }
+
+  if (scenarioNeedsClientUrl(scenario) && !clientUrl) {
+    addFailure(report, CHECK_IDS.CLIENT_CONFIG_REACHABLE, "--client-url is required for Switchboard scenario checks.", {
+      severity: "critical",
+      code: "missing_client_url",
+    });
+  }
+
+  if (!hasCriticalFindings(report)) {
+    await runBrowserScenario({
+      report,
+      mode,
+      appUrl,
+      clientUrl,
+      scenario,
+      artifactsDir,
+      headed: Boolean(options.headed),
+      timeoutMs,
+      prompt: options.prompt,
+    });
+  }
+
+  if (mode === "publish") {
+    applyProjectProductionSafety(report, {
+      productionOrigin,
+      project: options.project,
+    });
+  } else {
+    report.production_safety = "not_checked";
+  }
+
+  finalizeReport(report);
+  return report;
+}
+
+export function createReport(mode) {
+  return {
+    object: "verification_report",
+    mode,
+    status: "failed",
+    publishable: false,
+    functional: false,
+    secure: false,
+    production_safety: "blocked",
+    checks: [],
+    findings: [],
+    artifacts: {},
+  };
+}
+
+export function evaluateEvidence(report, evidence) {
+  const consoleErrors = evidence.consoleMessages.filter((message) => message.type === "error");
+  addCheck(report, {
+    id: CHECK_IDS.NO_CONSOLE_ERRORS,
+    status: consoleErrors.length === 0 ? "passed" : "failed",
+    message:
+      consoleErrors.length === 0
+        ? "No browser console errors were observed."
+        : `${consoleErrors.length} browser console error(s) were observed.`,
+  });
+
+  addCheck(report, {
+    id: CHECK_IDS.NO_FAILED_REQUESTS,
+    status: evidence.failedRequests.length === 0 ? "passed" : "failed",
+    message:
+      evidence.failedRequests.length === 0
+        ? "No failed browser requests were observed."
+        : `${evidence.failedRequests.length} failed browser request(s) were observed.`,
+  });
+
+  const authLeak = browserAuthorizationFinding(evidence.requests);
+  addCheck(report, {
+    id: CHECK_IDS.NO_BROWSER_AUTHORIZATION_HEADER,
+    status: authLeak ? "failed" : "passed",
+    message: authLeak
+      ? "A browser-visible Authorization bearer header was sent to Switchboard or a provider endpoint."
+      : "No browser-visible Authorization bearer header was sent to protected endpoints.",
+  });
+  if (authLeak) report.findings.push(authLeak);
+
+  const secretFindings = secretExposureFindings(evidence.texts);
+  const serverFindings = secretFindings.filter((finding) => finding.category === "server_secret");
+  const providerFindings = secretFindings.filter((finding) => finding.category === "provider_secret");
+
+  addCheck(report, {
+    id: CHECK_IDS.NO_SERVER_SECRET_EXPOSED,
+    status: serverFindings.length === 0 ? "passed" : "failed",
+    message:
+      serverFindings.length === 0
+        ? "No Switchboard server secrets were visible to the browser."
+        : "Switchboard server secrets were visible to the browser.",
+  });
+
+  addCheck(report, {
+    id: CHECK_IDS.NO_PROVIDER_SECRET_EXPOSED,
+    status: providerFindings.length === 0 ? "passed" : "failed",
+    message:
+      providerFindings.length === 0
+        ? "No provider secrets were visible to the browser."
+        : "Provider secrets were visible to the browser.",
+  });
+
+  report.findings.push(...secretFindings);
+
+  const corsFinding = corsCredentialsFinding(evidence.responses ?? []);
+  addCheck(report, {
+    id: CHECK_IDS.CORS_CREDENTIALS_SAFE,
+    status: corsFinding ? "failed" : "passed",
+    message: corsFinding
+      ? "A response allowed credentials with a wildcard CORS origin."
+      : "No wildcard credentialed CORS response was observed.",
+  });
+  if (corsFinding) report.findings.push(corsFinding);
+}
+
+export function applyProjectProductionSafety(report, { productionOrigin, project }) {
+  if (!project) {
+    addFailure(report, CHECK_IDS.PRODUCTION_SAFETY_READY, "Project production safety could not be checked.", {
+      severity: "critical",
+      code: "production_safety_unchecked",
+    });
+    report.production_safety = "blocked";
+    return;
+  }
+
+  const allowedOrigins = Array.isArray(project.allowed_origins) ? project.allowed_origins : [];
+  const originAllowed = allowedOrigins.includes(productionOrigin);
+  addCheck(report, {
+    id: CHECK_IDS.ORIGIN_ALLOWED,
+    status: originAllowed ? "passed" : "failed",
+    message: originAllowed
+      ? "Production origin is present in project allowed_origins."
+      : "Production origin is not present in project allowed_origins.",
+  });
+  if (!originAllowed) {
+    report.findings.push({
+      severity: "critical",
+      code: "origin_not_allowed",
+      check_id: CHECK_IDS.ORIGIN_ALLOWED,
+      message: "Add the production origin to the project allowed_origins before publishing.",
+    });
+  }
+
+  const safety = project.production_safety ?? {};
+  const safetyReady = safety.status === "ready";
+  addCheck(report, {
+    id: CHECK_IDS.PRODUCTION_SAFETY_READY,
+    status: safetyReady ? "passed" : "failed",
+    message: safetyReady
+      ? "Project production safety is ready."
+      : "Project production safety is blocked.",
+    details: safety,
+  });
+  if (!safetyReady) {
+    report.findings.push({
+      severity: "critical",
+      code: "production_safety_blocked",
+      check_id: CHECK_IDS.PRODUCTION_SAFETY_READY,
+      message: "Resolve project production_safety blockers before publishing.",
+      details: safety,
+    });
+  }
+
+  report.production_safety = safetyReady && originAllowed ? "ready" : "blocked";
+}
+
+export function finalizeReport(report) {
+  const failedChecks = report.checks.filter((check) => check.status === "failed");
+  const criticalFindings = report.findings.filter((finding) => finding.severity === "critical");
+
+  report.functional = !failedChecks.some((check) =>
+    [
+      CHECK_IDS.PAGE_LOADS,
+      CHECK_IDS.NO_CONSOLE_ERRORS,
+      CHECK_IDS.NO_FAILED_REQUESTS,
+      CHECK_IDS.CLIENT_CONFIG_REACHABLE,
+      CHECK_IDS.ANONYMOUS_SESSION_CREATED,
+      CHECK_IDS.CHAT_COMPLETION_SUCCEEDS,
+      CHECK_IDS.SWITCHBOARD_REQUEST_OBSERVED,
+    ].includes(check.id),
+  );
+  report.secure = criticalFindings.length === 0;
+  report.publishable =
+    report.mode === "publish" &&
+    report.functional &&
+    report.secure &&
+    report.production_safety === "ready";
+  report.status = report.publishable || (report.mode !== "publish" && report.functional && report.secure)
+    ? "passed"
+    : "failed";
+}
+
+async function runBrowserScenario({
+  report,
+  appUrl,
+  clientUrl,
+  scenario,
+  artifactsDir,
+  headed,
+  timeoutMs = 30000,
+  prompt,
+}) {
+  let chromium;
+  try {
+    ({ chromium } = await import("playwright"));
+  } catch {
+    throw new VerificationInputError(
+      "Playwright is required for browser verification. Install CLI dependencies with npm install in packages/cli.",
+    );
+  }
+
+  fs.mkdirSync(artifactsDir, { recursive: true });
+  const evidence = emptyEvidence();
+  const browser = await chromium.launch({ headless: !headed });
+  const context = await browser.newContext();
+  const page = await context.newPage();
+
+  wireEvidence(page, evidence);
+
+  try {
+    for (const check of scenario.checks) {
+      await executeScenarioCheck({
+        check,
+        report,
+        page,
+        context,
+        appUrl,
+        clientUrl,
+        evidence,
+        timeoutMs,
+        prompt,
+      });
+    }
+
+    await collectBrowserState(page, context, evidence);
+    const screenshot = path.join(artifactsDir, "final.png");
+    await page.screenshot({ path: screenshot, fullPage: true });
+    report.artifacts.screenshot = screenshot;
+  } finally {
+    await browser.close();
+  }
+
+  evaluateEvidence(report, evidence);
+}
+
+async function executeScenarioCheck({
+  check,
+  report,
+  page,
+  appUrl,
+  clientUrl,
+  evidence,
+  timeoutMs,
+  prompt,
+}) {
+  switch (check.type) {
+    case "visit": {
+      const target = new URL(check.url ?? "/", appUrl);
+      const response = await page.goto(target.href, {
+        waitUntil: "networkidle",
+        timeout: timeoutMs,
+      });
+      const ok = Boolean(response?.ok());
+      addCheck(report, {
+        id: CHECK_IDS.PAGE_LOADS,
+        status: ok ? "passed" : "failed",
+        message: ok ? "Page loaded successfully." : `Page load returned HTTP ${response?.status() ?? "unknown"}.`,
+      });
+      evidence.texts.push({ source: target.href, text: await page.content() });
+      return;
+    }
+
+    case "switchboardClientConfig": {
+      const result = await browserFetchJson(page, clientUrl, "/client/config", { method: "GET" });
+      addCheck(report, {
+        id: CHECK_IDS.CLIENT_CONFIG_REACHABLE,
+        status: result.ok ? "passed" : "failed",
+        message: result.ok ? "Switchboard client config is reachable." : result.error,
+      });
+      return;
+    }
+
+    case "switchboardAnonymousSession": {
+      const result = await browserFetchJson(page, clientUrl, "/auth/anonymous/session", {
+        method: "POST",
+        body: {
+          browser_challenge_token: check.browserChallengeToken ?? "switchboard-verification",
+        },
+      });
+      if (result.data?.token) {
+        await page.evaluate((token) => window.sessionStorage.setItem("sb_verify_session", token), result.data.token);
+      }
+      addCheck(report, {
+        id: CHECK_IDS.ANONYMOUS_SESSION_CREATED,
+        status: result.ok && Boolean(result.data?.token) ? "passed" : "failed",
+        message:
+          result.ok && result.data?.token
+            ? "Anonymous end-user session was created."
+            : result.error || "Anonymous end-user session response did not include a token.",
+      });
+      return;
+    }
+
+    case "switchboardChat": {
+      const session = await page.evaluate(() => window.sessionStorage.getItem("sb_verify_session"));
+      const result = await browserFetchJson(page, clientUrl, "/chat/completions", {
+        method: "POST",
+        headers: session ? { "X-Switchboard-End-User-Session": session } : {},
+        body: {
+          model: check.model ?? "default",
+          messages: [{ role: "user", content: prompt ?? check.prompt }],
+        },
+      });
+      addCheck(report, {
+        id: CHECK_IDS.CHAT_COMPLETION_SUCCEEDS,
+        status: result.ok ? "passed" : "failed",
+        message: result.ok ? "Chat completion succeeded through the client gateway." : result.error,
+      });
+      return;
+    }
+
+    case "switchboardRequestObserved": {
+      const observed = evidence.requests.some((request) => isSwitchboardEmbedPath(request.url));
+      addCheck(report, {
+        id: CHECK_IDS.SWITCHBOARD_REQUEST_OBSERVED,
+        status: observed ? "passed" : "failed",
+        message: observed ? "Switchboard embed request was observed." : "No Switchboard embed request was observed.",
+      });
+      return;
+    }
+
+    default:
+      return;
+  }
+}
+
+async function browserFetchJson(page, clientUrl, endpointPath, init) {
+  return page.evaluate(
+    async ({ clientUrl, endpointPath, init }) => {
+      try {
+        const headers = new Headers(init.headers ?? {});
+        headers.set("Accept", "application/json");
+        if (init.body) headers.set("Content-Type", "application/json");
+
+        const response = await fetch(new URL(endpointPath, clientUrl).href, {
+          method: init.method,
+          headers,
+          body: init.body ? JSON.stringify(init.body) : undefined,
+        });
+        const text = await response.text();
+        let data = null;
+        try {
+          data = text ? JSON.parse(text) : null;
+        } catch {
+          data = { raw: text };
+        }
+
+        return {
+          ok: response.ok,
+          status: response.status,
+          data,
+          error: response.ok ? null : `HTTP ${response.status}`,
+        };
+      } catch (error) {
+        return { ok: false, status: 0, data: null, error: error.message };
+      }
+    },
+    { clientUrl: clientUrl.href, endpointPath, init },
+  );
+}
+
+function wireEvidence(page, evidence) {
+  page.on("console", (message) => {
+    evidence.consoleMessages.push({
+      type: message.type(),
+      text: message.text(),
+    });
+  });
+  page.on("pageerror", (error) => {
+    evidence.consoleMessages.push({
+      type: "error",
+      text: error.message,
+    });
+  });
+  page.on("request", (request) => {
+    evidence.requests.push({
+      url: request.url(),
+      method: request.method(),
+      headers: request.headers(),
+    });
+  });
+  page.on("requestfailed", (request) => {
+    evidence.failedRequests.push({
+      url: request.url(),
+      method: request.method(),
+      failure: request.failure()?.errorText ?? "request failed",
+    });
+  });
+  page.on("response", async (response) => {
+    evidence.responses.push({
+      url: response.url(),
+      status: response.status(),
+      headers: response.headers(),
+    });
+
+    if (response.status() >= 400) {
+      evidence.failedRequests.push({
+        url: response.url(),
+        method: response.request().method(),
+        status: response.status(),
+      });
+    }
+
+    const contentType = response.headers()["content-type"] ?? "";
+    if (/text|javascript|json|css|html/i.test(contentType)) {
+      try {
+        evidence.texts.push({ source: response.url(), text: await response.text() });
+      } catch {
+        /* Response bodies are best-effort evidence only. */
+      }
+    }
+  });
+}
+
+async function collectBrowserState(page, context, evidence) {
+  const cookies = await context.cookies();
+  evidence.texts.push({ source: "cookies", text: JSON.stringify(cookies) });
+  const storage = await page.evaluate(() =>
+    JSON.stringify({
+      localStorage: Object.fromEntries(Object.entries(window.localStorage)),
+      sessionStorage: Object.fromEntries(Object.entries(window.sessionStorage)),
+    }),
+  );
+  evidence.texts.push({ source: "storage", text: storage });
+}
+
+function emptyEvidence() {
+  return {
+    consoleMessages: [],
+    failedRequests: [],
+    requests: [],
+    responses: [],
+    texts: [],
+  };
+}
+
+function browserAuthorizationFinding(requests) {
+  for (const request of requests) {
+    const authorization = request.headers?.authorization;
+    if (!/^Bearer\s+/i.test(authorization ?? "")) continue;
+
+    const host = safeHost(request.url);
+    if (PROTECTED_AUTH_HOST_PATTERNS.some((pattern) => pattern.test(host))) {
+      return {
+        severity: "critical",
+        category: "authorization_header",
+        code: "browser_authorization_header",
+        check_id: CHECK_IDS.NO_BROWSER_AUTHORIZATION_HEADER,
+        message: "Browser sent an Authorization bearer token to a protected AI gateway/provider endpoint.",
+        evidence: { url: request.url },
+      };
+    }
+  }
+
+  return null;
+}
+
+function secretExposureFindings(texts) {
+  const findings = [];
+  for (const text of texts) {
+    for (const rule of SERVER_SECRET_PATTERNS) {
+      if (rule.pattern.test(text.text)) {
+        findings.push(secretFinding("server_secret", CHECK_IDS.NO_SERVER_SECRET_EXPOSED, rule, text.source));
+      }
+    }
+
+    for (const rule of PROVIDER_SECRET_PATTERNS) {
+      if (rule.pattern.test(text.text)) {
+        findings.push(secretFinding("provider_secret", CHECK_IDS.NO_PROVIDER_SECRET_EXPOSED, rule, text.source));
+      }
+    }
+  }
+
+  return findings;
+}
+
+function secretFinding(category, checkId, rule, source) {
+  return {
+    severity: "critical",
+    category,
+    code: "browser_secret_exposure",
+    check_id: checkId,
+    message: `${rule.name} was visible in browser-accessible state or assets.`,
+    evidence: { source },
+  };
+}
+
+function corsCredentialsFinding(responses) {
+  for (const response of responses) {
+    if (
+      response.headers["access-control-allow-origin"] === "*" &&
+      /^true$/i.test(response.headers["access-control-allow-credentials"] ?? "")
+    ) {
+      return {
+        severity: "critical",
+        category: "cors",
+        code: "cors_credentials_wildcard_origin",
+        check_id: CHECK_IDS.CORS_CREDENTIALS_SAFE,
+        message: "Response used Access-Control-Allow-Credentials with wildcard Access-Control-Allow-Origin.",
+        evidence: { url: response.url },
+      };
+    }
+  }
+
+  return null;
+}
+
+function scenarioNeedsClientUrl(scenario) {
+  return scenario.checks.some((check) => check.type.startsWith("switchboard"));
+}
+
+function validateVisitPath(value) {
+  if (typeof value !== "string") {
+    throw new VerificationInputError("Visit check url must be a string.");
+  }
+
+  try {
+    new URL(value, "https://example.test");
+  } catch {
+    throw new VerificationInputError(`Malformed visit URL: ${value}`);
+  }
+}
+
+function parseRequiredUrl(value, flagName) {
+  if (!value) throw new VerificationInputError(`${flagName} is required.`);
+
+  try {
+    return new URL(value);
+  } catch {
+    throw new VerificationInputError(`${flagName} must be an absolute URL.`);
+  }
+}
+
+function normalizeTimeoutMs(value) {
+  if (value === undefined || value === null) return undefined;
+
+  const parsed = typeof value === "number" ? value : Number.parseInt(value, 10);
+  if (!Number.isInteger(parsed) || String(parsed) !== String(value).trim() || parsed <= 0) {
+    throw new VerificationInputError("--timeout-ms must be a positive integer.");
+  }
+
+  return parsed;
+}
+
+function validatePublishUrl(url, flagName) {
+  if (url.protocol !== "https:") {
+    throw new VerificationInputError(`${flagName} must use HTTPS in publish mode.`);
+  }
+
+  if (LOCAL_HOSTS.has(normalizedHostname(url))) {
+    throw new VerificationInputError(`${flagName} must not be localhost in publish mode.`);
+  }
+}
+
+function normalizedHostname(url) {
+  return url.hostname.replace(/^\[|\]$/g, "");
+}
+
+function addFailure(report, checkId, message, finding) {
+  addCheck(report, { id: checkId, status: "failed", message });
+  report.findings.push({
+    severity: finding.severity,
+    code: finding.code,
+    check_id: checkId,
+    message,
+  });
+}
+
+function addCheck(report, check) {
+  const existing = report.checks.find((item) => item.id === check.id);
+  if (existing) {
+    Object.assign(existing, check);
+    return;
+  }
+
+  report.checks.push(check);
+}
+
+function hasCriticalFindings(report) {
+  return report.findings.some((finding) => finding.severity === "critical");
+}
+
+function isSwitchboardEmbedPath(value) {
+  try {
+    const url = new URL(value);
+    return (
+      /\/m\/[^/]+\/v1\/client\/config$/.test(url.pathname) ||
+      /\/m\/[^/]+\/v1\/auth\/anonymous\/session$/.test(url.pathname) ||
+      /\/m\/[^/]+\/v1\/chat\/completions$/.test(url.pathname)
+    );
+  } catch {
+    return false;
+  }
+}
+
+function safeHost(value) {
+  try {
+    return new URL(value).hostname;
+  } catch {
+    return "";
+  }
+}
+
+export class VerificationInputError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "VerificationInputError";
+  }
+}