@switchboard.spot/cli 0.2.2 → 0.2.3

package/README.md

@@ -55,9 +55,7 @@ If a first publish fails, `npm view @switchboard.spot/cli` will continue to retu
 ```bash
 switchboard auth login
 switchboard projects create --name "My App" --slug my-app
-switchboard setup --target client --json
-switchboard projects update <project-id> --allowed-origins http://localhost:5173 --virtual-microservice-enabled true
-switchboard projects provision-turnstile <project-id>
+switchboard setup project --origin http://localhost:5173 --json
 switchboard verify setup
 switchboard launch prepare --production-origin https://app.example.com --end-user-terms-url https://app.example.com/terms --end-user-privacy-url https://app.example.com/privacy --support-email support@example.com --contact-email owner@example.com --use-case "Browser chat for signed-in customers"
 switchboard verify publish
@@ -65,7 +63,7 @@ switchboard verify publish
 
 Use `--json` for automation, CI, and coding agents.
 
-`setup --target client` writes public Client Gateway environment values such as `VITE_SWITCHBOARD_CLIENT_URL`; it does not prove chat or session readiness. Before SDK browser testing, configure the exact local or preview origin and provision Switchboard-managed Turnstile.
+`setup project --origin <origin>` writes public Client Gateway environment values such as `VITE_SWITCHBOARD_CLIENT_URL`, configures the exact local or preview origin, enables Client Gateway, and provisions Switchboard-managed Turnstile. It reports browser chat verification as a manual SDK check.
 
 CLI account login does not create Client Gateway end-user sessions. End-user sign-up, sign-in, and refresh require the SDK-managed browser challenge; curl, Node scripts, CI, and CLI account login cannot mint browser sessions without running that real browser/mobile flow.
 
@@ -76,11 +74,11 @@ Model discovery is global. Use `GET /v1/models` for OpenAI-compatible discovery
 Switchboard-managed Turnstile is the default production path. Developers do not paste Cloudflare secrets into the CLI or repo files:
 
 ```bash
-switchboard projects provision-turnstile <project-id>
+switchboard setup project --origin <origin> --json
 switchboard projects turnstile <project-id> --clear
 ```
 
-If `switchboard projects provision-turnstile --help` is missing, upgrade with `npm install -g @switchboard.spot/cli@latest` before trying dashboard automation or manual Cloudflare keys.
+`switchboard projects provision-turnstile` remains available as a low-level admin/debug command. If its help is missing, upgrade with `npm install -g @switchboard.spot/cli@latest` before trying dashboard automation or manual Cloudflare keys.
 
 ## Configuration
 

package/lib/commands/doctor.js

@@ -21,92 +21,109 @@ export function registerDoctorCommand(program) {
     .description("Check health, auth, project, catalog, and gateway readiness")
     .action(async (_opts, cmd) => {
       const flags = globalFlags(cmd);
-      const config = resolveConfig();
-      const accountConfig = await resolveAccountConfig(config);
+      const report = await runDoctorChecks();
+      emit(report, flags);
+      if (!report.ok) process.exit(1);
+      process.exit(0);
+    });
+}
 
-      const checks = [];
+export async function runDoctorChecks({
+  config = resolveConfig(),
+  request = accountRequest,
+  health = healthCheck,
+  fetchImpl = fetch,
+  resolveAccount = resolveAccountConfig,
+} = {}) {
+  const accountConfig = await resolveAccount(config);
 
-      checks.push(
-        await check("health", async () => {
-          const result = await healthCheck(config);
-          return { status: result.status, data: result.data };
-        }),
-      );
+  const checks = [];
 
-      checks.push(
-        await check("catalog", async () => {
-          const res = await fetch(`${gatewayApiUrl(config)}/catalog/models`);
-          const data = await res.json();
-          const status = res.status;
-          if (!res.ok) throw new Error(`HTTP ${status}`);
-          return { status, count: Array.isArray(data?.data) ? data.data.length : 0 };
-        }),
-      );
+  checks.push(
+    await check("health", async () => {
+      const result = await health(config);
+      return { status: result.status, data: result.data };
+    }),
+  );
 
-      if (accountConfig.accountToken) {
-        checks.push(
-          await check("account", async () => {
-            const { status, data } = await accountRequest("GET", "/me", {
-              config: accountConfig,
-              json: true,
-            });
-            return {
-              status,
-              email: data?.user?.email || null,
-              tokenSource: accountConfig.accountTokenSource,
-            };
-          }),
-        );
-      } else {
-        checks.push({ name: "account", ok: false, error: "Run switchboard auth login" });
-      }
+  checks.push(
+    await check("catalog", async () => {
+      const res = await fetchImpl(`${gatewayApiUrl(config)}/catalog/models`);
+      const data = await res.json();
+      const status = res.status;
+      if (!res.ok) throw new Error(`HTTP ${status}`);
+      return { status, count: Array.isArray(data?.data) ? data.data.length : 0 };
+    }),
+  );
 
-      if (config.projectId) {
-        checks.push({ name: "project", ok: true, projectId: config.projectId });
-      } else {
-        checks.push({ name: "project", ok: false, error: "No project selected" });
-      }
-
-      if (config.virtualMicroserviceUrl) {
-        checks.push(
-          await check("client_gateway_config", async () => {
-            const res = await fetch(new URL("client/config", ensureTrailingSlash(config.virtualMicroserviceUrl)).href, {
-              headers: { Accept: "application/json" },
-            });
-            const data = await readJson(res);
-            if (!res.ok) {
-              throw new Error(data?.error?.message || data?.message || `HTTP ${res.status}`);
-            }
+  if (accountConfig.accountToken) {
+    checks.push(
+      await check("account", async () => {
+        const { status, data } = await request("GET", "/me", {
+          config: accountConfig,
+          json: true,
+        });
+        return {
+          status,
+          email: data?.user?.email || null,
+          tokenSource: accountConfig.accountTokenSource,
+        };
+      }),
+    );
+  } else {
+    checks.push({ name: "account", ok: false, error: "Run switchboard auth login" });
+  }
 
-            const productionSafety = data?.production_safety ?? null;
-            const productionBlocked = productionSafety?.status === "blocked";
+  if (config.projectId) {
+    checks.push({ name: "project", ok: true, projectId: config.projectId });
+  } else {
+    checks.push({ name: "project", ok: false, error: "No project selected" });
+  }
 
-            return {
-              status: res.status,
-              clientUrl: config.virtualMicroserviceUrl,
-              browserChallengeProvider: data?.browser_challenge?.provider ?? null,
-              production_safety: productionSafety,
-              warning: productionBlocked,
-              warningCode: productionBlocked ? "production_safety_blocked" : null,
-              warningMessage: productionBlocked
-                ? "Sandbox Client Gateway config is reachable, but production launch blockers remain."
-                : null,
-            };
-          }),
+  if (config.virtualMicroserviceUrl) {
+    checks.push(
+      await check("client_gateway_config", async () => {
+        const res = await fetchImpl(
+          new URL("client/config", ensureTrailingSlash(config.virtualMicroserviceUrl)).href,
+          {
+            headers: { Accept: "application/json" },
+          },
         );
-      } else {
-        checks.push({
-          name: "client_gateway_config",
-          ok: false,
-          error: "No SWITCHBOARD_CLIENT_URL or VITE_SWITCHBOARD_CLIENT_URL configured",
-        });
-      }
+        const data = await readJson(res);
+        if (!res.ok) {
+          throw new Error(data?.error?.message || data?.message || `HTTP ${res.status}`);
+        }
 
-      const ok = checks.every((item) => item.ok);
-      emit({ object: "doctor_report", ok, baseUrl: config.baseUrl, checks }, flags);
-      if (!ok) process.exit(1);
-      process.exit(0);
+        const productionSafety = data?.production_safety ?? null;
+        const productionBlocked = productionSafety?.status === "blocked";
+
+        return {
+          status: res.status,
+          clientUrl: config.virtualMicroserviceUrl,
+          browserChallengeProvider: data?.browser_challenge?.provider ?? null,
+          production_safety: productionSafety,
+          warning: productionBlocked,
+          warningCode: productionBlocked ? "production_safety_blocked" : null,
+          warningMessage: productionBlocked
+            ? "Sandbox Client Gateway config is reachable, but production launch blockers remain."
+            : null,
+        };
+      }),
+    );
+  } else {
+    checks.push({
+      name: "client_gateway_config",
+      ok: false,
+      error: "No SWITCHBOARD_CLIENT_URL or VITE_SWITCHBOARD_CLIENT_URL configured",
     });
+  }
+
+  return {
+    object: "doctor_report",
+    ok: checks.every((item) => item.ok),
+    baseUrl: config.baseUrl,
+    checks,
+  };
 }
 
 function ensureTrailingSlash(value) {

package/lib/commands/endUsers.js

@@ -8,7 +8,7 @@ import { emit, globalFlags, printList } from "../output.js";
 export function registerEndUsersCommands(program) {
   const endUsers = program
     .command("end-users")
-    .description("Anonymous Pro-bono Embed end users");
+    .description("Anonymous Client Gateway end users");
 
   endUsers
     .command("list")

package/lib/commands/init.js

@@ -8,9 +8,9 @@ import { resolveConfig, gatewayApiUrl } from "../config.js";
 import { emit } from "../output.js";
 
 /**
- * Builds default frontend environment placeholders for Pro-bono Embed apps.
+ * Builds default frontend environment placeholders for Client Gateway apps.
  *
- * The generated Pro-bono Embed URL is the only value a browser app needs by default.
+ * The generated Client Gateway URL is the only value a browser app needs by default.
  */
 function envBlock(clientUrl) {
   return `SWITCHBOARD_CLIENT_URL=${clientUrl}
@@ -32,7 +32,7 @@ export function agentManifest(config) {
     account_api: `${config.baseUrl.replace(/\/$/, "")}/v1/account`,
     env: envBlock(clientUrl),
     checklist: [
-      "switchboard setup --target client --json",
+      "switchboard setup project --origin <origin> --json",
       "export VITE_SWITCHBOARD_CLIENT_URL=<client_url from integration kit>",
       "Use mountSwitchboardWidget({ clientUrl, target }) in browser apps",
       "Use createSwitchboardClient({ clientUrl, storage }) only for custom UI",
@@ -47,7 +47,7 @@ mountSwitchboardWidget({
   target: "#switchboard",
 });`,
     automation_note:
-      "Pro-bono Embed auth is browser/mobile only and requires a real browser challenge. Use account/CLI APIs only for project configuration automation.",
+      "Client Gateway auth is browser/mobile only and requires a real browser challenge. Use account/CLI APIs only for project configuration automation.",
   };
 }
 

package/lib/commands/launch.js

@@ -51,7 +51,7 @@ export function registerLaunchCommands(program) {
     });
 }
 
-function validateLaunchOptions(opts, flags) {
+export function validateLaunchOptions(opts, flags) {
   if (!productionHttpsOrigin(opts.productionOrigin)) {
     fail("--production-origin must be an exact HTTPS production origin", 1, flags.json);
   }
@@ -60,19 +60,23 @@ function validateLaunchOptions(opts, flags) {
   }
 }
 
-async function ensureProject(opts, flags) {
-  if (opts.projectId) return fetchProject(opts.projectId, flags);
+export async function ensureProject(opts, flags, { request = accountRequest, save = saveProjectConfig } = {}) {
+  if (opts.projectId) {
+    const project = await fetchProject(opts.projectId, flags, { request });
+    save(project);
+    return project;
+  }
 
   if (opts.projectName) {
-    const { data } = await accountRequest("POST", "/projects", {
+    const { data } = await request("POST", "/projects", {
       body: { name: opts.projectName, slug: opts.projectSlug },
       json: flags.json,
     });
-    saveProjectConfig(data);
+    save(data);
     return data;
   }
 
-  const { data } = await accountRequest("GET", "/me", { json: flags.json });
+  const { data } = await request("GET", "/me", { json: flags.json });
   if (!data.project?.id) {
     fail(
       "No default project is selected. Use --project-id or --project-name with --project-slug.",
@@ -80,10 +84,16 @@ async function ensureProject(opts, flags) {
       flags.json,
     );
   }
+  save(data.project);
   return data.project;
 }
 
-async function updateLaunchProject(projectId, opts, flags) {
+export async function updateLaunchProject(
+  projectId,
+  opts,
+  flags,
+  { request = accountRequest, save = saveProjectConfig } = {},
+) {
   const body = {
     allowed_origins: [opts.productionOrigin],
     end_user_terms_url: opts.endUserTermsUrl,
@@ -94,23 +104,34 @@ async function updateLaunchProject(projectId, opts, flags) {
 
   if (opts.supportUrl) body.support_url = opts.supportUrl;
 
-  const { data } = await accountRequest("PATCH", `/projects/${projectId}`, {
+  const { data } = await request("PATCH", `/projects/${projectId}`, {
     body,
     json: flags.json,
   });
-  saveProjectConfig(data);
+  save(data);
   return data;
 }
 
-async function provisionManagedTurnstile(projectId, idempotencyKey, flags) {
-  const { data } = await accountRequest("POST", `/projects/${projectId}/turnstile/provision`, {
+export async function provisionManagedTurnstile(
+  projectId,
+  idempotencyKey,
+  flags,
+  { request = accountRequest } = {},
+) {
+  const { data } = await request("POST", `/projects/${projectId}/turnstile/provision`, {
     body: { idempotency_key: `${idempotencyKey}:turnstile` },
     json: flags.json,
   });
   return data;
 }
 
-async function requestAccessIfNeeded(projectId, project, opts, flags) {
+export async function requestAccessIfNeeded(
+  projectId,
+  project,
+  opts,
+  flags,
+  { request = accountRequest } = {},
+) {
   if (project.production_access_status === "approved") {
     return {
       object: "production_access_request",
@@ -120,19 +141,19 @@ async function requestAccessIfNeeded(projectId, project, opts, flags) {
     };
   }
 
-  const { data } = await accountRequest("POST", `/projects/${projectId}/production_access_request`, {
+  const { data } = await request("POST", `/projects/${projectId}/production_access_request`, {
     body: buildProductionAccessRequestBody(opts),
     json: flags.json,
   });
   return data;
 }
 
-async function fetchProject(projectId, flags) {
-  const { data } = await accountRequest("GET", `/projects/${projectId}`, { json: flags.json });
+export async function fetchProject(projectId, flags, { request = accountRequest } = {}) {
+  const { data } = await request("GET", `/projects/${projectId}`, { json: flags.json });
   return data;
 }
 
-function saveProjectConfig(project) {
+export function saveProjectConfig(project) {
   saveConfig({
     projectId: String(project.id),
     apiKey: null,
@@ -141,7 +162,7 @@ function saveProjectConfig(project) {
   });
 }
 
-function launchSummary(project, challenge, access) {
+export function launchSummary(project, challenge, access) {
   return {
     object: "launch_prepare_result",
     project_id: project.id,
@@ -158,7 +179,7 @@ function launchSummary(project, challenge, access) {
   };
 }
 
-function humanLaunchSummary(project, access) {
+export function humanLaunchSummary(project, access) {
   const blocked = (project.production_safety?.checks || [])
     .filter((check) => check.status !== "ready")
     .map((check) => check.id);
@@ -173,7 +194,7 @@ function humanLaunchSummary(project, access) {
   ].join("\n");
 }
 
-function productionHttpsOrigin(origin) {
+export function productionHttpsOrigin(origin) {
   try {
     const url = new URL(origin);
     return (

package/lib/commands/projects.js

@@ -21,6 +21,7 @@ export function registerProjectsCommands(program) {
         printList("Projects:", data.data || [], (p) =>
           `  ${p.id} ${p.name} (${p.slug}) — ${p.api_key_count} keys`,
         );
+        warnForLocalhostCorsOrigins(data.data || [], flags);
       }
     });
 
@@ -51,6 +52,7 @@ export function registerProjectsCommands(program) {
       const flags = globalFlags(cmd);
       const { data } = await accountRequest("GET", `/projects/${id}`, { json: flags.json });
       emit(flags.json ? data : JSON.stringify(data, null, 2), flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
 
   projects
@@ -66,7 +68,7 @@ export function registerProjectsCommands(program) {
     .option("--support-email <email>")
     .option(
       "--allowed-origins <urls>",
-      "Comma-separated browser origins for Pro-bono Embed requests",
+      "Comma-separated browser origins for Client Gateway requests",
     )
     .option(
       "--allowed-ios-bundle-ids <ids>",
@@ -86,6 +88,7 @@ export function registerProjectsCommands(program) {
         json: flags.json,
       });
       emit(flags.json ? data : `Updated project ${data.name}`, flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
 
   projects
@@ -149,6 +152,7 @@ export function registerProjectsCommands(program) {
         endUserSession: null,
       });
       emit(flags.json ? data : `Using project ${data.name} (${data.id})`, flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
 
   projects
@@ -211,6 +215,19 @@ export function buildProjectUpdateBody(opts) {
   return body;
 }
 
+export function localhostCorsOriginWarning(project) {
+  const origins = Array.isArray(project?.allowed_origins) ? project.allowed_origins : [];
+  const localOrigins = origins.filter(isLocalhostOrigin);
+
+  if (!localOrigins.length) return null;
+
+  return [
+    `Warning: project ${project.name || project.id || "unknown"} allows localhost CORS origins`,
+    `(${localOrigins.join(", ")}).`,
+    "Use them only for development and remove them before production launch.",
+  ].join(" ");
+}
+
 export function buildTurnstileBody(opts) {
   if (opts.clear) {
     return { turnstile_site_key: "", turnstile_secret_key: "" };
@@ -241,3 +258,28 @@ function parseBoolean(value) {
   if (value === false || value === "false") return false;
   throw new Error(`Expected boolean value true or false, got ${value}`);
 }
+
+function warnForLocalhostCorsOrigins(projectOrProjects, flags) {
+  if (flags.json || flags.quiet) return;
+
+  const projects = Array.isArray(projectOrProjects) ? projectOrProjects : [projectOrProjects];
+  for (const project of projects) {
+    const warning = localhostCorsOriginWarning(project);
+    if (warning) console.error(warning);
+  }
+}
+
+function isLocalhostOrigin(origin) {
+  try {
+    const hostname = new URL(origin).hostname.toLowerCase();
+    return (
+      hostname === "localhost" ||
+      hostname === "127.0.0.1" ||
+      hostname === "0.0.0.0" ||
+      hostname === "::1" ||
+      hostname === "[::1]"
+    );
+  } catch {
+    return false;
+  }
+}

package/lib/commands/setup.js

@@ -3,22 +3,53 @@
  */
 
 import { configureEnvironment } from "./env.js";
-import { emit, fail, globalFlags } from "../output.js";
+import { accountRequest } from "../client.js";
+import { emit, fail, globalFlags, redactSecrets } from "../output.js";
+import { resolveConfig } from "../config.js";
+import { runDoctorChecks } from "./doctor.js";
+import {
+  ensureProject,
+  fetchProject,
+  provisionManagedTurnstile,
+  requestAccessIfNeeded,
+  saveProjectConfig,
+  validateLaunchOptions,
+} from "./launch.js";
 
 export function registerSetupCommand(program) {
-  program
+  const setup = program
     .command("setup")
-    .description("Configure Switchboard for client apps, server apps, or both")
+    .description("Configure browser-ready Switchboard projects");
+
+  setup
+    .command("project")
+    .description("Create or configure a browser-ready Switchboard project")
+    .option("--project-id <id>", "Existing project id")
+    .option("--project-name <name>", "Create a project when no project id is provided")
+    .option("--project-slug <slug>", "Slug for a project created by this command")
+    .requiredOption("--origin <origin>", "Exact local, preview, or sandbox browser origin")
     .option("--target <target>", "client, server, or both", "client")
     .option("--file <path>", "Local env file to update", ".env.local")
     .option("--secret-target <target>", "local or exec", "local")
     .option("--secret-command <command>", "Command that stores secrets from stdin JSON")
-    .option("--project-id <id>", "Override selected project")
-    .option("--force", "Replace existing Switchboard-managed values")
+    .option("--force", "Replace existing Switchboard-managed env values and project origins")
+    .option(
+      "--production-origin <origin>",
+      "Exact HTTPS production origin, for example https://app.example.com",
+    )
+    .option("--end-user-terms-url <url>")
+    .option("--end-user-privacy-url <url>")
+    .option("--support-url <url>")
+    .option("--support-email <email>")
+    .option("--contact-email <email>")
+    .option("--use-case <text>")
+    .option("--expected-monthly-volume <volume>")
+    .option("--needed-billing-mode <mode>", "Billing mode needed for production")
+    .option("--notes <text>")
     .action(async (opts, cmd) => {
       const flags = globalFlags(cmd);
-      const result = await setupSwitchboard(opts, { json: flags.json });
-      emit(flags.json ? result : humanSetupMessage(result), flags);
+      const result = await setupProject(opts, { json: flags.json });
+      emit(flags.json ? result : humanProjectSetupMessage(result), flags);
     });
 }
 
@@ -77,3 +108,247 @@ function humanSetupMessage(result) {
   const skipped = result.skipped.length > 0 ? ` Skipped existing: ${result.skipped.join(", ")}.` : "";
   return `Configured Switchboard setup (${result.target}) for project ${result.project_id}. Changed: ${changed}.${skipped}`;
 }
+
+export async function setupProject(
+  opts,
+  {
+    request = accountRequest,
+    configureEnv = configureEnvironment,
+    doctor = runDoctorChecks,
+    saveProject = saveProjectConfig,
+    config = resolveConfig(),
+    cwd,
+    json = false,
+    getSecret,
+    setSecret,
+    runSecretCommand,
+  } = {},
+) {
+  validateProjectSetupOptions(opts, { json });
+
+  const flags = { json };
+  const project = await ensureProject(opts, flags, { request, save: saveProject });
+  saveProject(project);
+
+  const origins = configuredOrigins(project, opts);
+  const configured = await updateSetupProject(project.id, opts, origins, flags, {
+    request,
+    save: saveProject,
+  });
+
+  const env = await configureEnv(
+    {
+      mode: normalizeSetupTarget(opts.target, json),
+      file: opts.file,
+      target: opts.secretTarget,
+      secretCommand: opts.secretCommand,
+      projectId: String(configured.id),
+      force: opts.force,
+    },
+    { request, cwd, json, getSecret, setSecret, runSecretCommand },
+  );
+
+  const idempotencyKey = `setup-project-${configured.id}`;
+  const challenge = await provisionManagedTurnstile(configured.id, idempotencyKey, flags, {
+    request,
+  });
+
+  let access = null;
+  if (hasProductionOptions(opts)) {
+    access = await requestAccessIfNeeded(configured.id, configured, opts, flags, { request });
+  }
+
+  const latest = await fetchProject(configured.id, flags, { request });
+  saveProject(latest);
+
+  const doctorConfig = {
+    ...config,
+    projectId: String(latest.id),
+    virtualMicroserviceUrl: latest.virtual_microservice_url || config.virtualMicroserviceUrl,
+  };
+  const readiness = await doctor({ config: doctorConfig, request });
+
+  return projectSetupSummary({
+    project: latest,
+    env,
+    challenge,
+    readiness,
+    access,
+    origin: opts.origin,
+    origins,
+  });
+}
+
+function validateProjectSetupOptions(opts, flags) {
+  if ((opts.projectName && !opts.projectSlug) || (!opts.projectName && opts.projectSlug)) {
+    fail("--project-name and --project-slug must be provided together", 1, flags.json);
+  }
+
+  if (!exactOrigin(opts.origin)) {
+    fail("--origin must be an exact browser origin such as http://127.0.0.1:4173", 1, flags.json);
+  }
+
+  if (!hasProductionOptions(opts)) return;
+
+  validateLaunchOptions(opts, flags);
+
+  for (const name of [
+    "endUserTermsUrl",
+    "endUserPrivacyUrl",
+    "supportEmail",
+    "contactEmail",
+    "useCase",
+  ]) {
+    if (!opts[name]) {
+      fail(`--${dasherize(name)} is required when production launch fields are provided`, 1, flags.json);
+    }
+  }
+}
+
+function hasProductionOptions(opts) {
+  return [
+    "productionOrigin",
+    "endUserTermsUrl",
+    "endUserPrivacyUrl",
+    "supportUrl",
+    "supportEmail",
+    "contactEmail",
+    "useCase",
+    "expectedMonthlyVolume",
+    "neededBillingMode",
+    "notes",
+  ].some((key) => opts[key] != null);
+}
+
+function configuredOrigins(project, opts) {
+  const requested = [opts.origin];
+  if (opts.productionOrigin) requested.push(opts.productionOrigin);
+
+  if (opts.force) return uniqueStrings(requested);
+
+  const existing = Array.isArray(project.allowed_origins) ? project.allowed_origins : [];
+  return uniqueStrings([...existing, ...requested]);
+}
+
+async function updateSetupProject(projectId, opts, origins, flags, { request, save }) {
+  const body = {
+    allowed_origins: origins,
+    virtual_microservice_enabled: true,
+  };
+
+  if (hasProductionOptions(opts)) {
+    body.end_user_terms_url = opts.endUserTermsUrl;
+    body.end_user_privacy_url = opts.endUserPrivacyUrl;
+    body.support_email = opts.supportEmail;
+    if (opts.supportUrl) body.support_url = opts.supportUrl;
+  }
+
+  const { data } = await request("PATCH", `/projects/${projectId}`, {
+    body,
+    json: flags.json,
+  });
+  save(data);
+  return data;
+}
+
+function projectSetupSummary({ project, env, challenge, readiness, access, origin, origins }) {
+  const hardFailures = readiness.checks.filter((check) => !check.ok).map((check) => check.name);
+  const configured = hardFailures.length === 0;
+  const productionRequested = Boolean(access);
+
+  return {
+    object: "setup_project_result",
+    ok: configured,
+    status: !configured
+      ? "failed"
+      : productionRequested
+        ? "production_requested"
+        : "ready_for_browser_manual_check",
+    configured,
+    ready_for_browser_manual_check: configured,
+    production_requested: productionRequested,
+    project_id: project.id,
+    project_slug: project.slug,
+    client_gateway_url: project.virtual_microservice_url,
+    allowed_origins: origins,
+    local_origin: origin,
+    turnstile: challenge,
+    env_file: env.env_file,
+    env,
+    doctor: readiness,
+    hard_failures: hardFailures,
+    production_access: access,
+    next_steps: [
+      "Use the SDK-managed browser challenge in your app to confirm browser chat manually.",
+      "Run switchboard verify setup after the app integration is wired.",
+      productionRequested
+        ? "Run switchboard verify publish after approval and billing readiness are complete."
+        : "Use switchboard launch prepare when you are ready for production approval.",
+    ],
+  };
+}
+
+export function humanProjectSetupMessage(result) {
+  const lines = [
+    `Configured project ${result.project_slug || result.project_id} (${result.project_id})`,
+    `Client Gateway: ${result.client_gateway_url}`,
+    `Allowed origins: ${result.allowed_origins.join(", ")}`,
+    `Turnstile: ${turnstileStatus(result.turnstile)}`,
+    `Env file: ${result.env_file}`,
+    `Readiness: ${result.configured ? "ready for browser manual check" : "failed"}`,
+  ];
+
+  if (result.production_requested) {
+    lines.push(
+      `Production access: ${
+        result.production_access?.project_production_access_status ||
+        result.production_access?.status ||
+        "requested"
+      }`,
+    );
+  }
+
+  if (result.hard_failures.length > 0) {
+    lines.push(`Hard failures: ${result.hard_failures.join(", ")}`);
+  }
+
+  lines.push(
+    "Next: integrate the SDK browser challenge in your app, then run switchboard verify setup.",
+  );
+
+  if (result.production_requested) {
+    lines.push("Next: run switchboard verify publish after production approval and billing readiness.");
+  }
+
+  return lines.join("\n");
+}
+
+function turnstileStatus(challenge) {
+  if (!challenge) return "unknown";
+  return redactSecrets(challenge.status || challenge.provider || challenge.object || "provisioned");
+}
+
+function exactOrigin(origin) {
+  try {
+    const url = new URL(origin);
+    return (
+      (url.protocol === "http:" || url.protocol === "https:") &&
+      url.username === "" &&
+      url.password === "" &&
+      url.pathname === "/" &&
+      url.search === "" &&
+      url.hash === "" &&
+      !url.hostname.includes("*")
+    );
+  } catch {
+    return false;
+  }
+}
+
+function uniqueStrings(values) {
+  return [...new Set(values.filter(Boolean))];
+}
+
+function dasherize(value) {
+  return value.replace(/[A-Z]/g, (match) => `-${match.toLowerCase()}`);
+}

package/lib/commands/verify.js

@@ -15,7 +15,7 @@ export function registerVerifyCommands(program) {
       .command("setup")
       .description("Verify a local or preview Switchboard integration setup")
       .option("--url <app-url>", "Application URL to test")
-      .option("--client-url <switchboard-client-url>", "Switchboard Pro-bono Embed client URL"),
+      .option("--client-url <switchboard-client-url>", "Switchboard Client Gateway client URL"),
   ).action(async (opts, cmd) => {
     await runVerifyCommand("setup", opts, cmd);
   });
@@ -25,7 +25,7 @@ export function registerVerifyCommands(program) {
       .command("publish")
       .description("Verify an HTTPS preview is safe to publish")
       .option("--url <preview-url>", "HTTPS preview URL to test")
-      .option("--client-url <switchboard-client-url>", "Switchboard Pro-bono Embed client URL")
+      .option("--client-url <switchboard-client-url>", "Switchboard Client Gateway client URL")
       .option("--production-origin <origin>", "Production origin that must be allowed"),
   )
     .option("--project-id <id>", "Switchboard project id for production safety checks")
@@ -38,7 +38,7 @@ export function registerVerifyCommands(program) {
       .command("browser")
       .description("Run a declarative browser verification scenario")
       .option("--url <app-url>", "Application URL to test")
-      .option("--client-url <switchboard-client-url>", "Switchboard Pro-bono Embed client URL"),
+      .option("--client-url <switchboard-client-url>", "Switchboard Client Gateway client URL"),
   ).action(async (opts, cmd) => {
     await runVerifyCommand("browser", opts, cmd);
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@switchboard.spot/cli",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Switchboard CLI — full dashboard parity for agents and testing",
   "type": "module",
   "bin": {