@switchboard.spot/cli 0.2.1 → 0.2.3

package/lib/commands/doctor.js

@@ -21,54 +21,120 @@ export function registerDoctorCommand(program) {
     .description("Check health, auth, project, catalog, and gateway readiness")
     .action(async (_opts, cmd) => {
       const flags = globalFlags(cmd);
-      const config = resolveConfig();
-      const accountConfig = await resolveAccountConfig(config);
+      const report = await runDoctorChecks();
+      emit(report, flags);
+      if (!report.ok) process.exit(1);
+      process.exit(0);
+    });
+}
+
+export async function runDoctorChecks({
+  config = resolveConfig(),
+  request = accountRequest,
+  health = healthCheck,
+  fetchImpl = fetch,
+  resolveAccount = resolveAccountConfig,
+} = {}) {
+  const accountConfig = await resolveAccount(config);
+
+  const checks = [];
 
-      const checks = [];
+  checks.push(
+    await check("health", async () => {
+      const result = await health(config);
+      return { status: result.status, data: result.data };
+    }),
+  );
 
-      checks.push(
-        await check("health", async () => {
-          const result = await healthCheck(config);
-          return { status: result.status, data: result.data };
-        }),
-      );
+  checks.push(
+    await check("catalog", async () => {
+      const res = await fetchImpl(`${gatewayApiUrl(config)}/catalog/models`);
+      const data = await res.json();
+      const status = res.status;
+      if (!res.ok) throw new Error(`HTTP ${status}`);
+      return { status, count: Array.isArray(data?.data) ? data.data.length : 0 };
+    }),
+  );
 
-      checks.push(
-        await check("catalog", async () => {
-          const res = await fetch(`${gatewayApiUrl(config)}/catalog/models`);
-          const data = await res.json();
-          const status = res.status;
-          if (!res.ok) throw new Error(`HTTP ${status}`);
-          return { status, count: Array.isArray(data?.data) ? data.data.length : 0 };
-        }),
-      );
+  if (accountConfig.accountToken) {
+    checks.push(
+      await check("account", async () => {
+        const { status, data } = await request("GET", "/me", {
+          config: accountConfig,
+          json: true,
+        });
+        return {
+          status,
+          email: data?.user?.email || null,
+          tokenSource: accountConfig.accountTokenSource,
+        };
+      }),
+    );
+  } else {
+    checks.push({ name: "account", ok: false, error: "Run switchboard auth login" });
+  }
+
+  if (config.projectId) {
+    checks.push({ name: "project", ok: true, projectId: config.projectId });
+  } else {
+    checks.push({ name: "project", ok: false, error: "No project selected" });
+  }
 
-      if (accountConfig.accountToken) {
-        checks.push(
-          await check("account", async () => {
-            const { status, data } = await accountRequest("GET", "/me", {
-              config: accountConfig,
-              json: true,
-            });
-            return {
-              status,
-              email: data?.user?.email || null,
-              tokenSource: accountConfig.accountTokenSource,
-            };
-          }),
+  if (config.virtualMicroserviceUrl) {
+    checks.push(
+      await check("client_gateway_config", async () => {
+        const res = await fetchImpl(
+          new URL("client/config", ensureTrailingSlash(config.virtualMicroserviceUrl)).href,
+          {
+            headers: { Accept: "application/json" },
+          },
         );
-      } else {
-        checks.push({ name: "account", ok: false, error: "Run switchboard auth login" });
-      }
+        const data = await readJson(res);
+        if (!res.ok) {
+          throw new Error(data?.error?.message || data?.message || `HTTP ${res.status}`);
+        }
 
-      if (config.projectId) {
-        checks.push({ name: "project", ok: true, projectId: config.projectId });
-      } else {
-        checks.push({ name: "project", ok: false, error: "No project selected" });
-      }
+        const productionSafety = data?.production_safety ?? null;
+        const productionBlocked = productionSafety?.status === "blocked";
 
-      const ok = checks.every((item) => item.ok);
-      emit({ object: "doctor_report", ok, baseUrl: config.baseUrl, checks }, flags);
-      if (!ok) process.exit(1);
+        return {
+          status: res.status,
+          clientUrl: config.virtualMicroserviceUrl,
+          browserChallengeProvider: data?.browser_challenge?.provider ?? null,
+          production_safety: productionSafety,
+          warning: productionBlocked,
+          warningCode: productionBlocked ? "production_safety_blocked" : null,
+          warningMessage: productionBlocked
+            ? "Sandbox Client Gateway config is reachable, but production launch blockers remain."
+            : null,
+        };
+      }),
+    );
+  } else {
+    checks.push({
+      name: "client_gateway_config",
+      ok: false,
+      error: "No SWITCHBOARD_CLIENT_URL or VITE_SWITCHBOARD_CLIENT_URL configured",
     });
+  }
+
+  return {
+    object: "doctor_report",
+    ok: checks.every((item) => item.ok),
+    baseUrl: config.baseUrl,
+    checks,
+  };
+}
+
+function ensureTrailingSlash(value) {
+  return String(value).endsWith("/") ? String(value) : `${value}/`;
+}
+
+async function readJson(response) {
+  const text = await response.text();
+  try {
+    return text ? JSON.parse(text) : null;
+  } catch {
+    return { raw: text };
+  }
 }

package/lib/commands/endUsers.js

@@ -8,7 +8,7 @@ import { emit, globalFlags, printList } from "../output.js";
 export function registerEndUsersCommands(program) {
   const endUsers = program
     .command("end-users")
-    .description("Anonymous Pro-bono Embed end users");
+    .description("Anonymous Client Gateway end users");
 
   endUsers
     .command("list")

package/lib/commands/init.js

@@ -8,9 +8,9 @@ import { resolveConfig, gatewayApiUrl } from "../config.js";
 import { emit } from "../output.js";
 
 /**
- * Builds default frontend environment placeholders for Pro-bono Embed apps.
+ * Builds default frontend environment placeholders for Client Gateway apps.
  *
- * The generated Pro-bono Embed URL is the only value a browser app needs by default.
+ * The generated Client Gateway URL is the only value a browser app needs by default.
  */
 function envBlock(clientUrl) {
   return `SWITCHBOARD_CLIENT_URL=${clientUrl}
@@ -32,11 +32,13 @@ export function agentManifest(config) {
     account_api: `${config.baseUrl.replace(/\/$/, "")}/v1/account`,
     env: envBlock(clientUrl),
     checklist: [
-      "switchboard setup --target client --json",
-      "export VITE_SWITCHBOARD_CLIENT_URL=<client_url from integrations show>",
+      "switchboard setup project --origin <origin> --json",
+      "export VITE_SWITCHBOARD_CLIENT_URL=<client_url from integration kit>",
       "Use mountSwitchboardWidget({ clientUrl, target }) in browser apps",
       "Use createSwitchboardClient({ clientUrl, storage }) only for custom UI",
-      "switchboard billing top-up --amount-micros <micros>",
+      "switchboard verify setup",
+      "switchboard launch prepare --production-origin https://app.example.com --end-user-terms-url https://app.example.com/terms --end-user-privacy-url https://app.example.com/privacy --support-email support@example.com --contact-email owner@example.com --use-case \"Browser chat for signed-in customers\"",
+      "switchboard verify publish",
     ],
     browser_smoke_test: `import { mountSwitchboardWidget } from "@switchboard.spot/sdk";
 
@@ -45,7 +47,7 @@ mountSwitchboardWidget({
   target: "#switchboard",
 });`,
     automation_note:
-      "Pro-bono Embed auth is browser/mobile only and requires a real browser challenge. Use account/CLI APIs only for project configuration automation.",
+      "Client Gateway auth is browser/mobile only and requires a real browser challenge. Use account/CLI APIs only for project configuration automation.",
   };
 }
 

package/lib/commands/launch.js

@@ -0,0 +1,213 @@
+/**
+ * Production launch orchestration commands.
+ */
+
+import { accountRequest } from "../client.js";
+import { saveConfig } from "../config.js";
+import { emit, fail, globalFlags } from "../output.js";
+import { buildProductionAccessRequestBody } from "./projects.js";
+
+export function registerLaunchCommands(program) {
+  const launch = program.command("launch").description("Production launch workflows");
+
+  launch
+    .command("prepare")
+    .description("Prepare a project for production Client Gateway launch")
+    .option("--project-id <id>", "Existing project id")
+    .option("--project-name <name>", "Create a project when no project id is provided")
+    .option("--project-slug <slug>", "Slug for a project created by this command")
+    .requiredOption(
+      "--production-origin <origin>",
+      "Exact HTTPS production origin, for example https://app.example.com",
+    )
+    .requiredOption("--end-user-terms-url <url>")
+    .requiredOption("--end-user-privacy-url <url>")
+    .option("--support-url <url>")
+    .requiredOption("--support-email <email>")
+    .requiredOption("--contact-email <email>")
+    .requiredOption("--use-case <text>")
+    .option("--expected-monthly-volume <volume>")
+    .option("--needed-billing-mode <mode>", "Billing mode needed for production", "developer_paid")
+    .option("--notes <text>")
+    .option("--idempotency-key <key>")
+    .action(async (opts, cmd) => {
+      const flags = globalFlags(cmd);
+      validateLaunchOptions(opts, flags);
+
+      const project = await ensureProject(opts, flags);
+      const idempotencyKey = opts.idempotencyKey || `launch-prepare-project-${project.id}`;
+
+      const configured = await updateLaunchProject(project.id, opts, flags);
+      const challenge = await provisionManagedTurnstile(project.id, idempotencyKey, flags);
+      const access = await requestAccessIfNeeded(project.id, configured, opts, flags);
+      const readiness = await fetchProject(project.id, flags);
+
+      emit(
+        flags.json
+          ? launchSummary(readiness, challenge, access)
+          : humanLaunchSummary(readiness, access),
+        flags,
+      );
+    });
+}
+
+export function validateLaunchOptions(opts, flags) {
+  if (!productionHttpsOrigin(opts.productionOrigin)) {
+    fail("--production-origin must be an exact HTTPS production origin", 1, flags.json);
+  }
+  if ((opts.projectName && !opts.projectSlug) || (!opts.projectName && opts.projectSlug)) {
+    fail("--project-name and --project-slug must be provided together", 1, flags.json);
+  }
+}
+
+export async function ensureProject(opts, flags, { request = accountRequest, save = saveProjectConfig } = {}) {
+  if (opts.projectId) {
+    const project = await fetchProject(opts.projectId, flags, { request });
+    save(project);
+    return project;
+  }
+
+  if (opts.projectName) {
+    const { data } = await request("POST", "/projects", {
+      body: { name: opts.projectName, slug: opts.projectSlug },
+      json: flags.json,
+    });
+    save(data);
+    return data;
+  }
+
+  const { data } = await request("GET", "/me", { json: flags.json });
+  if (!data.project?.id) {
+    fail(
+      "No default project is selected. Use --project-id or --project-name with --project-slug.",
+      1,
+      flags.json,
+    );
+  }
+  save(data.project);
+  return data.project;
+}
+
+export async function updateLaunchProject(
+  projectId,
+  opts,
+  flags,
+  { request = accountRequest, save = saveProjectConfig } = {},
+) {
+  const body = {
+    allowed_origins: [opts.productionOrigin],
+    end_user_terms_url: opts.endUserTermsUrl,
+    end_user_privacy_url: opts.endUserPrivacyUrl,
+    support_email: opts.supportEmail,
+    virtual_microservice_enabled: true,
+  };
+
+  if (opts.supportUrl) body.support_url = opts.supportUrl;
+
+  const { data } = await request("PATCH", `/projects/${projectId}`, {
+    body,
+    json: flags.json,
+  });
+  save(data);
+  return data;
+}
+
+export async function provisionManagedTurnstile(
+  projectId,
+  idempotencyKey,
+  flags,
+  { request = accountRequest } = {},
+) {
+  const { data } = await request("POST", `/projects/${projectId}/turnstile/provision`, {
+    body: { idempotency_key: `${idempotencyKey}:turnstile` },
+    json: flags.json,
+  });
+  return data;
+}
+
+export async function requestAccessIfNeeded(
+  projectId,
+  project,
+  opts,
+  flags,
+  { request = accountRequest } = {},
+) {
+  if (project.production_access_status === "approved") {
+    return {
+      object: "production_access_request",
+      project_id: project.id,
+      project_production_access_status: "approved",
+      status: "approved",
+    };
+  }
+
+  const { data } = await request("POST", `/projects/${projectId}/production_access_request`, {
+    body: buildProductionAccessRequestBody(opts),
+    json: flags.json,
+  });
+  return data;
+}
+
+export async function fetchProject(projectId, flags, { request = accountRequest } = {}) {
+  const { data } = await request("GET", `/projects/${projectId}`, { json: flags.json });
+  return data;
+}
+
+export function saveProjectConfig(project) {
+  saveConfig({
+    projectId: String(project.id),
+    apiKey: null,
+    virtualMicroserviceUrl: project.virtual_microservice_url || null,
+    endUserSession: null,
+  });
+}
+
+export function launchSummary(project, challenge, access) {
+  return {
+    object: "launch_prepare_result",
+    project_id: project.id,
+    project_slug: project.slug,
+    virtual_microservice_url: project.virtual_microservice_url,
+    browser_challenge: challenge,
+    production_access: access,
+    production_safety: project.production_safety,
+    next_steps: [
+      "Run switchboard verify setup.",
+      "Use the SDK-managed browser challenge to mint browser sessions.",
+      "Run switchboard verify publish after approval and billing readiness are complete.",
+    ],
+  };
+}
+
+export function humanLaunchSummary(project, access) {
+  const blocked = (project.production_safety?.checks || [])
+    .filter((check) => check.status !== "ready")
+    .map((check) => check.id);
+
+  return [
+    `Prepared project ${project.name} (${project.id})`,
+    `Client Gateway: ${project.virtual_microservice_url}`,
+    `Production access: ${access.project_production_access_status || access.status}`,
+    `Readiness: ${project.production_safety?.status || "unknown"}`,
+    blocked.length ? `Blocked checks: ${blocked.join(", ")}` : "Blocked checks: none",
+    "Next: run switchboard verify setup, then switchboard verify publish after approval and billing readiness.",
+  ].join("\n");
+}
+
+export function productionHttpsOrigin(origin) {
+  try {
+    const url = new URL(origin);
+    return (
+      url.protocol === "https:" &&
+      url.username === "" &&
+      url.password === "" &&
+      url.pathname === "/" &&
+      url.search === "" &&
+      url.hash === "" &&
+      !["localhost", "127.0.0.1", "::1"].includes(url.hostname) &&
+      !url.hostname.includes("*")
+    );
+  } catch {
+    return false;
+  }
+}

package/lib/commands/projects.js

@@ -21,6 +21,7 @@ export function registerProjectsCommands(program) {
         printList("Projects:", data.data || [], (p) =>
           `  ${p.id} ${p.name} (${p.slug}) — ${p.api_key_count} keys`,
         );
+        warnForLocalhostCorsOrigins(data.data || [], flags);
       }
     });
 
@@ -51,6 +52,7 @@ export function registerProjectsCommands(program) {
       const flags = globalFlags(cmd);
       const { data } = await accountRequest("GET", `/projects/${id}`, { json: flags.json });
       emit(flags.json ? data : JSON.stringify(data, null, 2), flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
 
   projects
@@ -66,7 +68,7 @@ export function registerProjectsCommands(program) {
     .option("--support-email <email>")
     .option(
       "--allowed-origins <urls>",
-      "Comma-separated browser origins for Pro-bono Embed requests",
+      "Comma-separated browser origins for Client Gateway requests",
     )
     .option(
       "--allowed-ios-bundle-ids <ids>",
@@ -86,14 +88,14 @@ export function registerProjectsCommands(program) {
         json: flags.json,
       });
       emit(flags.json ? data : `Updated project ${data.name}`, flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
 
   projects
     .command("turnstile <id>")
-    .description("Configure project-owned Turnstile keys")
+    .description("Configure project-owned public Turnstile metadata")
     .option("--site-key <key>")
-    .option("--secret-key <key>")
-    .option("--clear", "Remove project-owned Turnstile keys")
+    .option("--clear", "Remove project-owned Turnstile metadata")
     .action(async (id, opts, cmd) => {
       const flags = globalFlags(cmd);
       const body = buildTurnstileBody(opts);
@@ -104,6 +106,39 @@ export function registerProjectsCommands(program) {
       emit(flags.json ? data : `Updated Turnstile settings for ${data.name}`, flags);
     });
 
+  projects
+    .command("provision-turnstile <id>")
+    .description("Provision Switchboard-managed Turnstile for a project")
+    .option("--idempotency-key <key>")
+    .action(async (id, opts, cmd) => {
+      const flags = globalFlags(cmd);
+      const body = {};
+      if (opts.idempotencyKey) body.idempotency_key = opts.idempotencyKey;
+
+      const { data } = await accountRequest("POST", `/projects/${id}/turnstile/provision`, {
+        body,
+        json: flags.json,
+      });
+      emit(flags.json ? data : `Provisioned managed Turnstile for project ${id}`, flags);
+    });
+
+  projects
+    .command("request-production-access <id>")
+    .description("Submit a production access request")
+    .requiredOption("--contact-email <email>")
+    .requiredOption("--use-case <text>")
+    .option("--expected-monthly-volume <volume>")
+    .option("--needed-billing-mode <mode>", "Billing mode needed for production", "developer_paid")
+    .option("--notes <text>")
+    .action(async (id, opts, cmd) => {
+      const flags = globalFlags(cmd);
+      const { data } = await accountRequest("POST", `/projects/${id}/production_access_request`, {
+        body: buildProductionAccessRequestBody(opts),
+        json: flags.json,
+      });
+      emit(flags.json ? data : `Submitted production access request for project ${id}`, flags);
+    });
+
   projects
     .command("use <id>")
     .description("Set default project for subsequent commands")
@@ -117,6 +152,7 @@ export function registerProjectsCommands(program) {
         endUserSession: null,
       });
       emit(flags.json ? data : `Using project ${data.name} (${data.id})`, flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
 
   projects
@@ -179,6 +215,19 @@ export function buildProjectUpdateBody(opts) {
   return body;
 }
 
+export function localhostCorsOriginWarning(project) {
+  const origins = Array.isArray(project?.allowed_origins) ? project.allowed_origins : [];
+  const localOrigins = origins.filter(isLocalhostOrigin);
+
+  if (!localOrigins.length) return null;
+
+  return [
+    `Warning: project ${project.name || project.id || "unknown"} allows localhost CORS origins`,
+    `(${localOrigins.join(", ")}).`,
+    "Use them only for development and remove them before production launch.",
+  ].join(" ");
+}
+
 export function buildTurnstileBody(opts) {
   if (opts.clear) {
     return { turnstile_site_key: "", turnstile_secret_key: "" };
@@ -186,7 +235,21 @@ export function buildTurnstileBody(opts) {
 
   const body = {};
   if (opts.siteKey) body.turnstile_site_key = opts.siteKey;
-  if (opts.secretKey) body.turnstile_secret_key = opts.secretKey;
+  return body;
+}
+
+export function buildProductionAccessRequestBody(opts) {
+  const body = {
+    contact_email: opts.contactEmail,
+    use_case: opts.useCase,
+    needed_billing_mode: opts.neededBillingMode || "developer_paid",
+  };
+
+  if (opts.expectedMonthlyVolume) {
+    body.expected_monthly_volume = opts.expectedMonthlyVolume;
+  }
+  if (opts.notes) body.notes = opts.notes;
+
   return body;
 }
 
@@ -195,3 +258,28 @@ function parseBoolean(value) {
   if (value === false || value === "false") return false;
   throw new Error(`Expected boolean value true or false, got ${value}`);
 }
+
+function warnForLocalhostCorsOrigins(projectOrProjects, flags) {
+  if (flags.json || flags.quiet) return;
+
+  const projects = Array.isArray(projectOrProjects) ? projectOrProjects : [projectOrProjects];
+  for (const project of projects) {
+    const warning = localhostCorsOriginWarning(project);
+    if (warning) console.error(warning);
+  }
+}
+
+function isLocalhostOrigin(origin) {
+  try {
+    const hostname = new URL(origin).hostname.toLowerCase();
+    return (
+      hostname === "localhost" ||
+      hostname === "127.0.0.1" ||
+      hostname === "0.0.0.0" ||
+      hostname === "::1" ||
+      hostname === "[::1]"
+    );
+  } catch {
+    return false;
+  }
+}