npm - @switchboard.spot/cli - Versions diffs - 0.2.1 → 0.2.2 - Mend

@switchboard.spot/cli 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/lib/output.js CHANGED Viewed

@@ -2,16 +2,30 @@
  * Human-readable and JSON output helpers for the Switchboard CLI.
  */
+const REDACTED = "[REDACTED]";
+const SECRET_PATTERNS = [
+  /\bsb_(?:test|live|sess|eusr)_[A-Za-z0-9._-]+\b/g,
+  /\bsk-(?:proj-|ant-)?[A-Za-z0-9._-]{20,}\b/g,
+  /\bsk_(?:live|test)_[A-Za-z0-9._-]+\b/g,
+  /\brk_(?:live|test)_[A-Za-z0-9._-]+\b/g,
+  /\bpk_(?:live|test)_[A-Za-z0-9._-]+\b/g,
+  /\bwhsec_[A-Za-z0-9._-]+\b/g,
+  /\b0x[0-9A-Za-z_-]{20,}\b/g,
+  /\b[A-Za-z0-9_-]{24,}\.[A-Za-z0-9_-]{24,}\.[A-Za-z0-9_-]{24,}\b/g,
+  /\b(?:OPENAI|ANTHROPIC|GROQ|MISTRAL|GOOGLE|STRIPE|CLOUDFLARE)_[A-Z0-9_]*(?:KEY|TOKEN|SECRET)\s*=\s*[^\s]+/gi,
+];
 /**
  * Prints data as JSON or a human message depending on global flags.
  */
 export function emit(data, { json, quiet } = {}) {
   if (json) {
-    console.log(JSON.stringify(data, null, 2));
+    console.log(JSON.stringify(redactSecrets(data), null, 2));
     return;
   }
   if (!quiet && typeof data === "string") {
-    console.log(data);
+    console.log(redactSecrets(data));
   }
 }
@@ -35,13 +49,13 @@ export function fail(message, code = 1, json = false, type = "invalid_request")
   if (json) {
     console.log(
       JSON.stringify(
-        {
+        redactSecrets({
           ok: false,
           error: {
             type,
             message,
           },
-        },
+        }),
         null,
         2,
       ),
@@ -49,7 +63,7 @@ export function fail(message, code = 1, json = false, type = "invalid_request")
     process.exit(code);
   }
-  console.error(message);
+  console.error(redactSecrets(message));
   process.exit(code);
 }
@@ -93,9 +107,9 @@ export function normalizeError(data, text, status) {
 export function emitHttpError(error, status, flags = {}) {
   if (flags.json) {
-    console.log(JSON.stringify({ ok: false, status, error }, null, 2));
+    console.log(JSON.stringify(redactSecrets({ ok: false, status, error }), null, 2));
   } else {
-    console.error(error.message);
+    console.error(redactSecrets(error.message));
   }
   process.exit(exitCodeForStatus(status));
@@ -105,8 +119,50 @@ export function emitHttpError(error, status, flags = {}) {
  * Formats a simple key-value listing for human output.
  */
 export function printList(title, items, formatter) {
-  console.log(title);
+  console.log(redactSecrets(title));
   for (const item of items) {
-    console.log(formatter(item));
+    console.log(redactSecrets(formatter(item)));
+  }
+}
+export function redactSecrets(value) {
+  if (typeof value === "string") return redactString(value);
+  if (Array.isArray(value)) return value.map((entry) => redactSecrets(entry));
+  if (!value || typeof value !== "object") return value;
+  const redacted = {};
+  for (const [key, entry] of Object.entries(value)) {
+    redacted[key] = isSecretKeyName(key) ? redactKnownPublicKey(key, entry) : redactSecrets(entry);
   }
+  return redacted;
+}
+function redactKnownPublicKey(key, value) {
+  if (key === "site_key" || key === "turnstile_site_key") return redactSecrets(value);
+  return typeof value === "boolean" || value == null ? value : REDACTED;
+}
+function redactString(value) {
+  return SECRET_PATTERNS.reduce(
+    (text, pattern) => text.replace(pattern, (match) => redactAssignment(match)),
+    value,
+  );
+}
+function redactAssignment(match) {
+  const index = match.indexOf("=");
+  if (index === -1) return REDACTED;
+  return `${match.slice(0, index + 1)}${REDACTED}`;
+}
+function isSecretKeyName(key) {
+  const normalized = key.replace(/[A-Z]/g, "_$&").toLowerCase();
+  if (normalized.endsWith("_count") || normalized.endsWith("_configured")) return false;
+  if (normalized === "site_key" || normalized === "turnstile_site_key") return false;
+  return (
+    /(^|_)(secret|token|password|plaintext|session)($|_)/.test(normalized) ||
+    /(^|_)api_key($|_)/.test(normalized)
+  );
 }

package/lib/verify/index.js CHANGED Viewed

@@ -70,6 +70,8 @@ const PROTECTED_AUTH_HOST_PATTERNS = [
 ];
 const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "0.0.0.0"]);
+const DEV_BROWSER_CHALLENGE_TOKEN = "dev_browser_challenge";
+const DEFAULT_BROWSER_CHALLENGE_TOKEN = "switchboard-verification";
 export function loadScenario(filePath) {
   if (!filePath) return DEFAULT_SCENARIO;
@@ -427,7 +429,7 @@ async function executeScenarioCheck({
       const result = await browserFetchJson(page, clientUrl, "/auth/anonymous/session", {
         method: "POST",
         body: {
-          browser_challenge_token: check.browserChallengeToken ?? "switchboard-verification",
+          browser_challenge_token: browserChallengeTokenFor(check, clientUrl),
         },
       });
       if (result.data?.token) {
@@ -478,14 +480,16 @@ async function executeScenarioCheck({
 }
 async function browserFetchJson(page, clientUrl, endpointPath, init) {
+  const endpointUrl = clientEndpointUrl(clientUrl, endpointPath);
   return page.evaluate(
-    async ({ clientUrl, endpointPath, init }) => {
+    async ({ endpointUrl, init }) => {
       try {
         const headers = new Headers(init.headers ?? {});
         headers.set("Accept", "application/json");
         if (init.body) headers.set("Content-Type", "application/json");
-        const response = await fetch(new URL(endpointPath, clientUrl).href, {
+        const response = await fetch(endpointUrl, {
           method: init.method,
           headers,
           body: init.body ? JSON.stringify(init.body) : undefined,
@@ -508,10 +512,18 @@ async function browserFetchJson(page, clientUrl, endpointPath, init) {
         return { ok: false, status: 0, data: null, error: error.message };
       }
     },
-    { clientUrl: clientUrl.href, endpointPath, init },
+    { endpointUrl, init },
   );
 }
+function clientEndpointUrl(clientUrl, endpointPath) {
+  const endpoint = endpointPath.startsWith("/") ? endpointPath.slice(1) : endpointPath;
+  const basePath = clientUrl.pathname.endsWith("/") ? clientUrl.pathname : `${clientUrl.pathname}/`;
+  const url = new URL(clientUrl.href);
+  url.pathname = `${basePath}${endpoint}`.replace(/\/{2,}/g, "/");
+  return url.href;
+}
 function wireEvidence(page, evidence) {
   page.on("console", (message) => {
     evidence.consoleMessages.push({
@@ -709,6 +721,22 @@ function normalizedHostname(url) {
   return url.hostname.replace(/^\[|\]$/g, "");
 }
+function browserChallengeTokenFor(check, clientUrl) {
+  if (Object.prototype.hasOwnProperty.call(check, "browserChallengeToken")) {
+    return check.browserChallengeToken;
+  }
+  if (isLocalSwitchboardUrl(clientUrl)) {
+    return DEV_BROWSER_CHALLENGE_TOKEN;
+  }
+  return DEFAULT_BROWSER_CHALLENGE_TOKEN;
+}
+function isLocalSwitchboardUrl(url) {
+  return url instanceof URL && LOCAL_HOSTS.has(normalizedHostname(url));
+}
 function addFailure(report, checkId, message, finding) {
   addCheck(report, { id: checkId, status: "failed", message });
   report.findings.push({

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@switchboard.spot/cli",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "description": "Switchboard CLI — full dashboard parity for agents and testing",
   "type": "module",
   "bin": {
@@ -17,8 +17,10 @@
     "coverage": "node --test --experimental-test-coverage --test-coverage-include='bin/**/*.js' --test-coverage-include='lib/**/*.js' test/*.test.js"
   },
   "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "commander": "^13.1.0",
-    "playwright": "^1.61.0"
+    "playwright": "^1.61.0",
+    "zod": "^4.4.3"
   },
   "files": [
     "bin/",