npm - @switchboard.spot/cli - Versions diffs - 0.2.2 → 0.2.4 - Mend

@switchboard.spot/cli 0.2.2 → 0.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md CHANGED Viewed

@@ -55,32 +55,30 @@ If a first publish fails, `npm view @switchboard.spot/cli` will continue to retu
 ```bash
 switchboard auth login
 switchboard projects create --name "My App" --slug my-app
-switchboard setup --target client --json
-switchboard projects update <project-id> --allowed-origins http://localhost:5173 --virtual-microservice-enabled true
-switchboard projects provision-turnstile <project-id>
-switchboard verify setup
+switchboard setup project --origin http://localhost:5173 --json
+switchboard verify setup --app-url <app-url>
 switchboard launch prepare --production-origin https://app.example.com --end-user-terms-url https://app.example.com/terms --end-user-privacy-url https://app.example.com/privacy --support-email support@example.com --contact-email owner@example.com --use-case "Browser chat for signed-in customers"
-switchboard verify publish
+switchboard verify publish --app-url <preview-url>
 ```
 Use `--json` for automation, CI, and coding agents.
-`setup --target client` writes public Client Gateway environment values such as `VITE_SWITCHBOARD_CLIENT_URL`; it does not prove chat or session readiness. Before SDK browser testing, configure the exact local or preview origin and provision Switchboard-managed Turnstile.
+`setup project --origin <origin>` writes public Client Gateway environment values such as `VITE_SWITCHBOARD_CLIENT_URL`, configures the exact local or preview origin, enables Client Gateway, and provisions Switchboard-managed Turnstile. It reports browser chat verification as a manual SDK check.
 CLI account login does not create Client Gateway end-user sessions. End-user sign-up, sign-in, and refresh require the SDK-managed browser challenge; curl, Node scripts, CI, and CLI account login cannot mint browser sessions without running that real browser/mobile flow.
-For local Switchboard development, `switchboard verify setup --client-url http://localhost:4000/m/<slug>/v1` uses the built-in `dev_browser_challenge` token unless a scenario supplies an explicit `browserChallengeToken`. Hosted Switchboard should use managed Turnstile and the SDK-managed real browser challenge. A local sandbox smoke path is: configure allowed origin plus legal/support fields, create an anonymous session through the SDK or browser verification flow, then call Client Gateway chat.
+For local Switchboard development, `switchboard verify setup --app-url <app-url> --client-url http://localhost:4000/m/<slug>/v1` uses the built-in `dev_browser_challenge` token unless a scenario supplies an explicit `browserChallengeToken`. Hosted Switchboard should use managed Turnstile and the SDK-managed real browser challenge. A local sandbox smoke path is: configure allowed origin plus legal/support fields, create an anonymous session through the SDK or browser verification flow, then call Client Gateway chat.
 Model discovery is global. Use `GET /v1/models` for OpenAI-compatible discovery or `GET /v1/catalog/models` for catalog/pricing metadata; Client Gateway chat is project-scoped at `/m/<slug>/v1/chat/completions`.
 Switchboard-managed Turnstile is the default production path. Developers do not paste Cloudflare secrets into the CLI or repo files:
 ```bash
-switchboard projects provision-turnstile <project-id>
+switchboard setup project --origin <origin> --json
 switchboard projects turnstile <project-id> --clear
 ```
-If `switchboard projects provision-turnstile --help` is missing, upgrade with `npm install -g @switchboard.spot/cli@latest` before trying dashboard automation or manual Cloudflare keys.
+`switchboard projects provision-turnstile` remains available as a low-level admin/debug command. If its help is missing, upgrade with `npm install -g @switchboard.spot/cli@latest` before trying dashboard automation or manual Cloudflare keys.
 ## Configuration

package/lib/commands/auth.js CHANGED Viewed

@@ -320,8 +320,8 @@ function waitForCallback(callbackServer, timeoutSeconds, json) {
 export function callbackPage(title, message, tone) {
   const success = tone === "success";
   const accent = success ? "#14b8a6" : "#ef4444";
-  const accentSoft = success ? "#ccfbf1" : "#fee2e2";
-  const mark = success ? "✓" : "!";
+  const mark = success ? "✓" : "×";
+  const ariaLabel = success ? "Switchboard CLI login complete" : "Switchboard CLI login failed";
   return `<!doctype html>
 <html lang="en">
@@ -340,114 +340,41 @@ export function callbackPage(title, message, tone) {
       body {
         min-height: 100vh;
         margin: 0;
+        display: grid;
+        place-items: center;
         color: #1f2937;
         background:
           repeating-linear-gradient(125deg, transparent, transparent 6px, #e8e8e8 6px, #e8e8e8 7px),
           #ffffff;
       }
-      .page {
-        min-height: 100vh;
-        width: min(100%, 80rem);
-        margin: 0 auto;
-        display: flex;
-        flex-direction: column;
-        border-inline: 1px solid #e5e7eb;
-        background:
-          repeating-linear-gradient(125deg, transparent, transparent 6px, #e8e8e8 6px, #e8e8e8 7px),
-          #ffffff;
-      }
-      header {
-        height: 4.5rem;
-        display: flex;
-        align-items: center;
-        justify-content: space-between;
-        padding: 0 1.5rem;
-        border-bottom: 1px solid #e5e7eb;
-        background: rgba(255, 255, 255, 0.88);
-        backdrop-filter: blur(12px);
-      }
-      .logo {
-        color: #1f2937;
-        font-size: 0.95rem;
-        font-weight: 800;
-        letter-spacing: 0;
-      }
-      .pill {
-        border: 1px solid #e5e7eb;
-        border-radius: 999px;
-        padding: 0.45rem 0.8rem;
-        background: #ffffff;
-        color: #4b5563;
-        font-size: 0.82rem;
-        font-weight: 600;
-      }
-      main {
-        flex: 1;
+      .panel {
+        width: min(100%, 12rem);
+        aspect-ratio: 1;
         display: grid;
         place-items: center;
-        padding: 5rem 1.5rem;
-      }
-      .panel {
-        width: min(100%, 34rem);
         border: 1px solid #e5e7eb;
         border-radius: 0.5rem;
-        padding: clamp(1.5rem, 5vw, 2.25rem);
+        padding: 1.5rem;
         background: rgba(255, 255, 255, 0.94);
         box-shadow:
           0 1.34368px 0.537473px -0.625px rgba(0, 0, 0, 0.09),
           0 15.5969px 6.23877px -3.125px rgba(0, 0, 0, 0.07),
           0 43.962px 17.5848px -4.375px rgba(0, 0, 0, 0.04);
-        text-align: center;
-      }
-      .eyebrow {
-        margin: 0 0 1.25rem;
-        color: #4b5563;
-        font-size: 0.78rem;
-        font-weight: 700;
-        letter-spacing: 0.12em;
-        text-transform: uppercase;
       }
       .mark {
-        width: 4rem;
-        height: 4rem;
-        margin: 0 auto 1.25rem;
+        width: 5rem;
+        height: 5rem;
         display: grid;
         place-items: center;
         border: 1px solid ${accent};
         border-radius: 0.5rem;
         background: ${accent};
         color: #111827;
-        font-size: 1.9rem;
+        font-size: 3rem;
+        line-height: 1;
         font-weight: 900;
         box-shadow: 0 18px 40px -20px ${accent};
       }
-      h1 {
-        margin: 0;
-        color: #1f2937;
-        font-size: clamp(2rem, 7vw, 3.5rem);
-        line-height: 0.98;
-        letter-spacing: 0;
-      }
-      p {
-        margin: 1rem auto 0;
-        max-width: 26rem;
-        color: #4b5563;
-        font-size: 1rem;
-        line-height: 1.65;
-      }
-      .status {
-        display: inline-flex;
-        align-items: center;
-        gap: 0.5rem;
-        margin-top: 1.5rem;
-        border: 1px solid ${accent};
-        border-radius: 999px;
-        padding: 0.5rem 0.8rem;
-        background: ${accentSoft};
-        color: #1f2937;
-        font-size: 0.86rem;
-        font-weight: 700;
-      }
       @media (prefers-color-scheme: dark) {
         :root {
           background: #020617;
@@ -459,53 +386,20 @@ export function callbackPage(title, message, tone) {
             repeating-linear-gradient(125deg, transparent, transparent 6px, rgba(55, 65, 81, 0.6) 6px, rgba(55, 65, 81, 0.6) 7px),
             #020617;
         }
-        .page {
-          border-color: #1f2937;
-          background:
-            repeating-linear-gradient(125deg, transparent, transparent 6px, rgba(55, 65, 81, 0.6) 6px, rgba(55, 65, 81, 0.6) 7px),
-            #020617;
-        }
-        header,
         .panel {
           border-color: #1f2937;
           background: rgba(2, 6, 23, 0.94);
         }
-        .logo,
-        h1 {
-          color: #f3f4f6;
-        }
-        .pill,
-        .eyebrow,
-        p {
-          color: #d1d5db;
-        }
-        .pill {
-          border-color: #1f2937;
-          background: #111827;
-        }
-        .mark,
-        .status {
+        .mark {
           color: #020617;
         }
       }
     </style>
   </head>
   <body>
-    <div class="page">
-      <header>
-        <div class="logo">Switchboard</div>
-        <div class="pill">CLI session</div>
-      </header>
-      <main>
-        <section class="panel" aria-labelledby="callback-title">
-          <p class="eyebrow">Switchboard CLI</p>
-          <div class="mark" aria-hidden="true">${mark}</div>
-          <h1 id="callback-title">${escapeHtml(title)}</h1>
-          <p>${escapeHtml(message)}</p>
-          <div class="status">${success ? "Session approved" : "Session not approved"}</div>
-        </section>
-      </main>
-    </div>
+    <main class="panel" aria-label="${ariaLabel}">
+      <div class="mark" aria-hidden="true">${mark}</div>
+    </main>
   </body>
 </html>`;
 }

package/lib/commands/doctor.js CHANGED Viewed

@@ -21,92 +21,113 @@ export function registerDoctorCommand(program) {
     .description("Check health, auth, project, catalog, and gateway readiness")
     .action(async (_opts, cmd) => {
       const flags = globalFlags(cmd);
-      const config = resolveConfig();
-      const accountConfig = await resolveAccountConfig(config);
-      const checks = [];
-      checks.push(
-        await check("health", async () => {
-          const result = await healthCheck(config);
-          return { status: result.status, data: result.data };
-        }),
-      );
-      checks.push(
-        await check("catalog", async () => {
-          const res = await fetch(`${gatewayApiUrl(config)}/catalog/models`);
-          const data = await res.json();
-          const status = res.status;
-          if (!res.ok) throw new Error(`HTTP ${status}`);
-          return { status, count: Array.isArray(data?.data) ? data.data.length : 0 };
-        }),
-      );
-      if (accountConfig.accountToken) {
-        checks.push(
-          await check("account", async () => {
-            const { status, data } = await accountRequest("GET", "/me", {
-              config: accountConfig,
-              json: true,
-            });
-            return {
-              status,
-              email: data?.user?.email || null,
-              tokenSource: accountConfig.accountTokenSource,
-            };
-          }),
-        );
-      } else {
-        checks.push({ name: "account", ok: false, error: "Run switchboard auth login" });
-      }
+      const report = await runDoctorChecks();
+      emit(report, flags);
+      if (!report.ok) process.exit(1);
+      process.exit(0);
+    });
+}
-      if (config.projectId) {
-        checks.push({ name: "project", ok: true, projectId: config.projectId });
-      } else {
-        checks.push({ name: "project", ok: false, error: "No project selected" });
+export async function runDoctorChecks({
+  config = resolveConfig(),
+  request = accountRequest,
+  health = healthCheck,
+  fetchImpl = fetch,
+  resolveAccount = resolveAccountConfig,
+} = {}) {
+  const accountConfig = await resolveAccount(config);
+  const checks = [];
+  checks.push(
+    await check("health", async () => {
+      const result = await health(config);
+      if (!result.ok) {
+        throw new Error(result.data?.status || result.data?.message || `HTTP ${result.status}`);
       }
-      if (config.virtualMicroserviceUrl) {
-        checks.push(
-          await check("client_gateway_config", async () => {
-            const res = await fetch(new URL("client/config", ensureTrailingSlash(config.virtualMicroserviceUrl)).href, {
-              headers: { Accept: "application/json" },
-            });
-            const data = await readJson(res);
-            if (!res.ok) {
-              throw new Error(data?.error?.message || data?.message || `HTTP ${res.status}`);
-            }
-            const productionSafety = data?.production_safety ?? null;
-            const productionBlocked = productionSafety?.status === "blocked";
-            return {
-              status: res.status,
-              clientUrl: config.virtualMicroserviceUrl,
-              browserChallengeProvider: data?.browser_challenge?.provider ?? null,
-              production_safety: productionSafety,
-              warning: productionBlocked,
-              warningCode: productionBlocked ? "production_safety_blocked" : null,
-              warningMessage: productionBlocked
-                ? "Sandbox Client Gateway config is reachable, but production launch blockers remain."
-                : null,
-            };
-          }),
-        );
-      } else {
-        checks.push({
-          name: "client_gateway_config",
-          ok: false,
-          error: "No SWITCHBOARD_CLIENT_URL or VITE_SWITCHBOARD_CLIENT_URL configured",
+      return { status: result.status, data: result.data };
+    }),
+  );
+  checks.push(
+    await check("catalog", async () => {
+      const res = await fetchImpl(`${gatewayApiUrl(config)}/catalog/models`);
+      const data = await res.json();
+      const status = res.status;
+      if (!res.ok) throw new Error(`HTTP ${status}`);
+      return { status, count: Array.isArray(data?.data) ? data.data.length : 0 };
+    }),
+  );
+  if (accountConfig.accountToken) {
+    checks.push(
+      await check("account", async () => {
+        const { status, data } = await request("GET", "/me", {
+          config: accountConfig,
+          json: true,
         });
-      }
+        return {
+          status,
+          email: data?.user?.email || null,
+          tokenSource: accountConfig.accountTokenSource,
+        };
+      }),
+    );
+  } else {
+    checks.push({ name: "account", ok: false, error: "Run switchboard auth login" });
+  }
-      const ok = checks.every((item) => item.ok);
-      emit({ object: "doctor_report", ok, baseUrl: config.baseUrl, checks }, flags);
-      if (!ok) process.exit(1);
-      process.exit(0);
+  if (config.projectId) {
+    checks.push({ name: "project", ok: true, projectId: config.projectId });
+  } else {
+    checks.push({ name: "project", ok: false, error: "No project selected" });
+  }
+  if (config.virtualMicroserviceUrl) {
+    checks.push(
+      await check("client_gateway_config", async () => {
+        const res = await fetchImpl(
+          new URL("client/config", ensureTrailingSlash(config.virtualMicroserviceUrl)).href,
+          {
+            headers: { Accept: "application/json" },
+          },
+        );
+        const data = await readJson(res);
+        if (!res.ok) {
+          throw new Error(data?.error?.message || data?.message || `HTTP ${res.status}`);
+        }
+        const productionSafety = data?.production_safety ?? null;
+        const productionBlocked = productionSafety?.status === "blocked";
+        return {
+          status: res.status,
+          clientUrl: config.virtualMicroserviceUrl,
+          browserChallengeProvider: data?.browser_challenge?.provider ?? null,
+          production_safety: productionSafety,
+          warning: productionBlocked,
+          warningCode: productionBlocked ? "production_safety_blocked" : null,
+          warningMessage: productionBlocked
+            ? "Sandbox Client Gateway config is reachable, but production launch blockers remain."
+            : null,
+        };
+      }),
+    );
+  } else {
+    checks.push({
+      name: "client_gateway_config",
+      ok: false,
+      error: "No SWITCHBOARD_CLIENT_URL or VITE_SWITCHBOARD_CLIENT_URL configured",
     });
+  }
+  return {
+    object: "doctor_report",
+    ok: checks.every((item) => item.ok),
+    baseUrl: config.baseUrl,
+    checks,
+  };
 }
 function ensureTrailingSlash(value) {

package/lib/commands/endUsers.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { emit, globalFlags, printList } from "../output.js";
 export function registerEndUsersCommands(program) {
   const endUsers = program
     .command("end-users")
-    .description("Anonymous Pro-bono Embed end users");
+    .description("Anonymous Client Gateway end users");
   endUsers
     .command("list")

package/lib/commands/init.js CHANGED Viewed

@@ -8,9 +8,9 @@ import { resolveConfig, gatewayApiUrl } from "../config.js";
 import { emit } from "../output.js";
 /**
- * Builds default frontend environment placeholders for Pro-bono Embed apps.
+ * Builds default frontend environment placeholders for Client Gateway apps.
  *
- * The generated Pro-bono Embed URL is the only value a browser app needs by default.
+ * The generated Client Gateway URL is the only value a browser app needs by default.
  */
 function envBlock(clientUrl) {
   return `SWITCHBOARD_CLIENT_URL=${clientUrl}
@@ -32,7 +32,7 @@ export function agentManifest(config) {
     account_api: `${config.baseUrl.replace(/\/$/, "")}/v1/account`,
     env: envBlock(clientUrl),
     checklist: [
-      "switchboard setup --target client --json",
+      "switchboard setup project --origin <origin> --json",
       "export VITE_SWITCHBOARD_CLIENT_URL=<client_url from integration kit>",
       "Use mountSwitchboardWidget({ clientUrl, target }) in browser apps",
       "Use createSwitchboardClient({ clientUrl, storage }) only for custom UI",
@@ -47,7 +47,7 @@ mountSwitchboardWidget({
   target: "#switchboard",
 });`,
     automation_note:
-      "Pro-bono Embed auth is browser/mobile only and requires a real browser challenge. Use account/CLI APIs only for project configuration automation.",
+      "Client Gateway auth is browser/mobile only and requires a real browser challenge. Use account/CLI APIs only for project configuration automation.",
   };
 }

package/lib/commands/launch.js CHANGED Viewed

@@ -51,7 +51,7 @@ export function registerLaunchCommands(program) {
     });
 }
-function validateLaunchOptions(opts, flags) {
+export function validateLaunchOptions(opts, flags) {
   if (!productionHttpsOrigin(opts.productionOrigin)) {
     fail("--production-origin must be an exact HTTPS production origin", 1, flags.json);
   }
@@ -60,19 +60,23 @@ function validateLaunchOptions(opts, flags) {
   }
 }
-async function ensureProject(opts, flags) {
-  if (opts.projectId) return fetchProject(opts.projectId, flags);
+export async function ensureProject(opts, flags, { request = accountRequest, save = saveProjectConfig } = {}) {
+  if (opts.projectId) {
+    const project = await fetchProject(opts.projectId, flags, { request });
+    save(project);
+    return project;
+  }
   if (opts.projectName) {
-    const { data } = await accountRequest("POST", "/projects", {
+    const { data } = await request("POST", "/projects", {
       body: { name: opts.projectName, slug: opts.projectSlug },
       json: flags.json,
     });
-    saveProjectConfig(data);
+    save(data);
     return data;
   }
-  const { data } = await accountRequest("GET", "/me", { json: flags.json });
+  const { data } = await request("GET", "/me", { json: flags.json });
   if (!data.project?.id) {
     fail(
       "No default project is selected. Use --project-id or --project-name with --project-slug.",
@@ -80,10 +84,16 @@ async function ensureProject(opts, flags) {
       flags.json,
     );
   }
+  save(data.project);
   return data.project;
 }
-async function updateLaunchProject(projectId, opts, flags) {
+export async function updateLaunchProject(
+  projectId,
+  opts,
+  flags,
+  { request = accountRequest, save = saveProjectConfig } = {},
+) {
   const body = {
     allowed_origins: [opts.productionOrigin],
     end_user_terms_url: opts.endUserTermsUrl,
@@ -94,23 +104,34 @@ async function updateLaunchProject(projectId, opts, flags) {
   if (opts.supportUrl) body.support_url = opts.supportUrl;
-  const { data } = await accountRequest("PATCH", `/projects/${projectId}`, {
+  const { data } = await request("PATCH", `/projects/${projectId}`, {
     body,
     json: flags.json,
   });
-  saveProjectConfig(data);
+  save(data);
   return data;
 }
-async function provisionManagedTurnstile(projectId, idempotencyKey, flags) {
-  const { data } = await accountRequest("POST", `/projects/${projectId}/turnstile/provision`, {
+export async function provisionManagedTurnstile(
+  projectId,
+  idempotencyKey,
+  flags,
+  { request = accountRequest } = {},
+) {
+  const { data } = await request("POST", `/projects/${projectId}/turnstile/provision`, {
     body: { idempotency_key: `${idempotencyKey}:turnstile` },
     json: flags.json,
   });
   return data;
 }
-async function requestAccessIfNeeded(projectId, project, opts, flags) {
+export async function requestAccessIfNeeded(
+  projectId,
+  project,
+  opts,
+  flags,
+  { request = accountRequest } = {},
+) {
   if (project.production_access_status === "approved") {
     return {
       object: "production_access_request",
@@ -120,19 +141,19 @@ async function requestAccessIfNeeded(projectId, project, opts, flags) {
     };
   }
-  const { data } = await accountRequest("POST", `/projects/${projectId}/production_access_request`, {
+  const { data } = await request("POST", `/projects/${projectId}/production_access_request`, {
     body: buildProductionAccessRequestBody(opts),
     json: flags.json,
   });
   return data;
 }
-async function fetchProject(projectId, flags) {
-  const { data } = await accountRequest("GET", `/projects/${projectId}`, { json: flags.json });
+export async function fetchProject(projectId, flags, { request = accountRequest } = {}) {
+  const { data } = await request("GET", `/projects/${projectId}`, { json: flags.json });
   return data;
 }
-function saveProjectConfig(project) {
+export function saveProjectConfig(project) {
   saveConfig({
     projectId: String(project.id),
     apiKey: null,
@@ -141,7 +162,7 @@ function saveProjectConfig(project) {
   });
 }
-function launchSummary(project, challenge, access) {
+export function launchSummary(project, challenge, access) {
   return {
     object: "launch_prepare_result",
     project_id: project.id,
@@ -158,7 +179,7 @@ function launchSummary(project, challenge, access) {
   };
 }
-function humanLaunchSummary(project, access) {
+export function humanLaunchSummary(project, access) {
   const blocked = (project.production_safety?.checks || [])
     .filter((check) => check.status !== "ready")
     .map((check) => check.id);
@@ -173,7 +194,7 @@ function humanLaunchSummary(project, access) {
   ].join("\n");
 }
-function productionHttpsOrigin(origin) {
+export function productionHttpsOrigin(origin) {
   try {
     const url = new URL(origin);
     return (

package/lib/commands/projects.js CHANGED Viewed

@@ -21,6 +21,7 @@ export function registerProjectsCommands(program) {
         printList("Projects:", data.data || [], (p) =>
           `  ${p.id} ${p.name} (${p.slug}) — ${p.api_key_count} keys`,
         );
+        warnForLocalhostCorsOrigins(data.data || [], flags);
       }
     });
@@ -51,6 +52,7 @@ export function registerProjectsCommands(program) {
       const flags = globalFlags(cmd);
       const { data } = await accountRequest("GET", `/projects/${id}`, { json: flags.json });
       emit(flags.json ? data : JSON.stringify(data, null, 2), flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
   projects
@@ -66,7 +68,7 @@ export function registerProjectsCommands(program) {
     .option("--support-email <email>")
     .option(
       "--allowed-origins <urls>",
-      "Comma-separated browser origins for Pro-bono Embed requests",
+      "Comma-separated browser origins for Client Gateway requests",
     )
     .option(
       "--allowed-ios-bundle-ids <ids>",
@@ -86,6 +88,7 @@ export function registerProjectsCommands(program) {
         json: flags.json,
       });
       emit(flags.json ? data : `Updated project ${data.name}`, flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
   projects
@@ -149,6 +152,7 @@ export function registerProjectsCommands(program) {
         endUserSession: null,
       });
       emit(flags.json ? data : `Using project ${data.name} (${data.id})`, flags);
+      warnForLocalhostCorsOrigins(data, flags);
     });
   projects
@@ -211,6 +215,19 @@ export function buildProjectUpdateBody(opts) {
   return body;
 }
+export function localhostCorsOriginWarning(project) {
+  const origins = Array.isArray(project?.allowed_origins) ? project.allowed_origins : [];
+  const localOrigins = origins.filter(isLocalhostOrigin);
+  if (!localOrigins.length) return null;
+  return [
+    `Warning: project ${project.name || project.id || "unknown"} allows localhost CORS origins`,
+    `(${localOrigins.join(", ")}).`,
+    "Use them only for development and remove them before production launch.",
+  ].join(" ");
+}
 export function buildTurnstileBody(opts) {
   if (opts.clear) {
     return { turnstile_site_key: "", turnstile_secret_key: "" };
@@ -241,3 +258,28 @@ function parseBoolean(value) {
   if (value === false || value === "false") return false;
   throw new Error(`Expected boolean value true or false, got ${value}`);
 }
+function warnForLocalhostCorsOrigins(projectOrProjects, flags) {
+  if (flags.json || flags.quiet) return;
+  const projects = Array.isArray(projectOrProjects) ? projectOrProjects : [projectOrProjects];
+  for (const project of projects) {
+    const warning = localhostCorsOriginWarning(project);
+    if (warning) console.error(warning);
+  }
+}
+function isLocalhostOrigin(origin) {
+  try {
+    const hostname = new URL(origin).hostname.toLowerCase();
+    return (
+      hostname === "localhost" ||
+      hostname === "127.0.0.1" ||
+      hostname === "0.0.0.0" ||
+      hostname === "::1" ||
+      hostname === "[::1]"
+    );
+  } catch {
+    return false;
+  }
+}

package/lib/commands/setup.js CHANGED Viewed

@@ -3,22 +3,53 @@
  */
 import { configureEnvironment } from "./env.js";
-import { emit, fail, globalFlags } from "../output.js";
+import { accountRequest } from "../client.js";
+import { emit, fail, globalFlags, redactSecrets } from "../output.js";
+import { resolveConfig } from "../config.js";
+import { runDoctorChecks } from "./doctor.js";
+import {
+  ensureProject,
+  fetchProject,
+  provisionManagedTurnstile,
+  requestAccessIfNeeded,
+  saveProjectConfig,
+  validateLaunchOptions,
+} from "./launch.js";
 export function registerSetupCommand(program) {
-  program
+  const setup = program
     .command("setup")
-    .description("Configure Switchboard for client apps, server apps, or both")
+    .description("Configure browser-ready Switchboard projects");
+  setup
+    .command("project")
+    .description("Create or configure a browser-ready Switchboard project")
+    .option("--project-id <id>", "Existing project id")
+    .option("--project-name <name>", "Create a project when no project id is provided")
+    .option("--project-slug <slug>", "Slug for a project created by this command")
+    .requiredOption("--origin <origin>", "Exact local, preview, or sandbox browser origin")
     .option("--target <target>", "client, server, or both", "client")
     .option("--file <path>", "Local env file to update", ".env.local")
     .option("--secret-target <target>", "local or exec", "local")
     .option("--secret-command <command>", "Command that stores secrets from stdin JSON")
-    .option("--project-id <id>", "Override selected project")
-    .option("--force", "Replace existing Switchboard-managed values")
+    .option("--force", "Replace existing Switchboard-managed env values and project origins")
+    .option(
+      "--production-origin <origin>",
+      "Exact HTTPS production origin, for example https://app.example.com",
+    )
+    .option("--end-user-terms-url <url>")
+    .option("--end-user-privacy-url <url>")
+    .option("--support-url <url>")
+    .option("--support-email <email>")
+    .option("--contact-email <email>")
+    .option("--use-case <text>")
+    .option("--expected-monthly-volume <volume>")
+    .option("--needed-billing-mode <mode>", "Billing mode needed for production")
+    .option("--notes <text>")
     .action(async (opts, cmd) => {
       const flags = globalFlags(cmd);
-      const result = await setupSwitchboard(opts, { json: flags.json });
-      emit(flags.json ? result : humanSetupMessage(result), flags);
+      const result = await setupProject(opts, { json: flags.json });
+      emit(flags.json ? result : humanProjectSetupMessage(result), flags);
     });
 }
@@ -77,3 +108,247 @@ function humanSetupMessage(result) {
   const skipped = result.skipped.length > 0 ? ` Skipped existing: ${result.skipped.join(", ")}.` : "";
   return `Configured Switchboard setup (${result.target}) for project ${result.project_id}. Changed: ${changed}.${skipped}`;
 }
+export async function setupProject(
+  opts,
+  {
+    request = accountRequest,
+    configureEnv = configureEnvironment,
+    doctor = runDoctorChecks,
+    saveProject = saveProjectConfig,
+    config = resolveConfig(),
+    cwd,
+    json = false,
+    getSecret,
+    setSecret,
+    runSecretCommand,
+  } = {},
+) {
+  validateProjectSetupOptions(opts, { json });
+  const flags = { json };
+  const project = await ensureProject(opts, flags, { request, save: saveProject });
+  saveProject(project);
+  const origins = configuredOrigins(project, opts);
+  const configured = await updateSetupProject(project.id, opts, origins, flags, {
+    request,
+    save: saveProject,
+  });
+  const env = await configureEnv(
+    {
+      mode: normalizeSetupTarget(opts.target, json),
+      file: opts.file,
+      target: opts.secretTarget,
+      secretCommand: opts.secretCommand,
+      projectId: String(configured.id),
+      force: opts.force,
+    },
+    { request, cwd, json, getSecret, setSecret, runSecretCommand },
+  );
+  const idempotencyKey = `setup-project-${configured.id}`;
+  const challenge = await provisionManagedTurnstile(configured.id, idempotencyKey, flags, {
+    request,
+  });
+  let access = null;
+  if (hasProductionOptions(opts)) {
+    access = await requestAccessIfNeeded(configured.id, configured, opts, flags, { request });
+  }
+  const latest = await fetchProject(configured.id, flags, { request });
+  saveProject(latest);
+  const doctorConfig = {
+    ...config,
+    projectId: String(latest.id),
+    virtualMicroserviceUrl: latest.virtual_microservice_url || config.virtualMicroserviceUrl,
+  };
+  const readiness = await doctor({ config: doctorConfig, request });
+  return projectSetupSummary({
+    project: latest,
+    env,
+    challenge,
+    readiness,
+    access,
+    origin: opts.origin,
+    origins,
+  });
+}
+function validateProjectSetupOptions(opts, flags) {
+  if ((opts.projectName && !opts.projectSlug) || (!opts.projectName && opts.projectSlug)) {
+    fail("--project-name and --project-slug must be provided together", 1, flags.json);
+  }
+  if (!exactOrigin(opts.origin)) {
+    fail("--origin must be an exact browser origin such as http://127.0.0.1:4173", 1, flags.json);
+  }
+  if (!hasProductionOptions(opts)) return;
+  validateLaunchOptions(opts, flags);
+  for (const name of [
+    "endUserTermsUrl",
+    "endUserPrivacyUrl",
+    "supportEmail",
+    "contactEmail",
+    "useCase",
+  ]) {
+    if (!opts[name]) {
+      fail(`--${dasherize(name)} is required when production launch fields are provided`, 1, flags.json);
+    }
+  }
+}
+function hasProductionOptions(opts) {
+  return [
+    "productionOrigin",
+    "endUserTermsUrl",
+    "endUserPrivacyUrl",
+    "supportUrl",
+    "supportEmail",
+    "contactEmail",
+    "useCase",
+    "expectedMonthlyVolume",
+    "neededBillingMode",
+    "notes",
+  ].some((key) => opts[key] != null);
+}
+function configuredOrigins(project, opts) {
+  const requested = [opts.origin];
+  if (opts.productionOrigin) requested.push(opts.productionOrigin);
+  if (opts.force) return uniqueStrings(requested);
+  const existing = Array.isArray(project.allowed_origins) ? project.allowed_origins : [];
+  return uniqueStrings([...existing, ...requested]);
+}
+async function updateSetupProject(projectId, opts, origins, flags, { request, save }) {
+  const body = {
+    allowed_origins: origins,
+    virtual_microservice_enabled: true,
+  };
+  if (hasProductionOptions(opts)) {
+    body.end_user_terms_url = opts.endUserTermsUrl;
+    body.end_user_privacy_url = opts.endUserPrivacyUrl;
+    body.support_email = opts.supportEmail;
+    if (opts.supportUrl) body.support_url = opts.supportUrl;
+  }
+  const { data } = await request("PATCH", `/projects/${projectId}`, {
+    body,
+    json: flags.json,
+  });
+  save(data);
+  return data;
+}
+function projectSetupSummary({ project, env, challenge, readiness, access, origin, origins }) {
+  const hardFailures = readiness.checks.filter((check) => !check.ok).map((check) => check.name);
+  const configured = hardFailures.length === 0;
+  const productionRequested = Boolean(access);
+  return {
+    object: "setup_project_result",
+    ok: configured,
+    status: !configured
+      ? "failed"
+      : productionRequested
+        ? "production_requested"
+        : "ready_for_browser_manual_check",
+    configured,
+    ready_for_browser_manual_check: configured,
+    production_requested: productionRequested,
+    project_id: project.id,
+    project_slug: project.slug,
+    client_gateway_url: project.virtual_microservice_url,
+    allowed_origins: origins,
+    local_origin: origin,
+    turnstile: challenge,
+    env_file: env.env_file,
+    env,
+    doctor: readiness,
+    hard_failures: hardFailures,
+    production_access: access,
+    next_steps: [
+      "Use the SDK-managed browser challenge in your app to confirm browser chat manually.",
+      "Run switchboard verify setup after the app integration is wired.",
+      productionRequested
+        ? "Run switchboard verify publish after approval and billing readiness are complete."
+        : "Use switchboard launch prepare when you are ready for production approval.",
+    ],
+  };
+}
+export function humanProjectSetupMessage(result) {
+  const lines = [
+    `Configured project ${result.project_slug || result.project_id} (${result.project_id})`,
+    `Client Gateway: ${result.client_gateway_url}`,
+    `Allowed origins: ${result.allowed_origins.join(", ")}`,
+    `Turnstile: ${turnstileStatus(result.turnstile)}`,
+    `Env file: ${result.env_file}`,
+    `Readiness: ${result.configured ? "ready for browser manual check" : "failed"}`,
+  ];
+  if (result.production_requested) {
+    lines.push(
+      `Production access: ${
+        result.production_access?.project_production_access_status ||
+        result.production_access?.status ||
+        "requested"
+      }`,
+    );
+  }
+  if (result.hard_failures.length > 0) {
+    lines.push(`Hard failures: ${result.hard_failures.join(", ")}`);
+  }
+  lines.push(
+    "Next: integrate the SDK browser challenge in your app, then run switchboard verify setup.",
+  );
+  if (result.production_requested) {
+    lines.push("Next: run switchboard verify publish after production approval and billing readiness.");
+  }
+  return lines.join("\n");
+}
+function turnstileStatus(challenge) {
+  if (!challenge) return "unknown";
+  return redactSecrets(challenge.status || challenge.provider || challenge.object || "provisioned");
+}
+function exactOrigin(origin) {
+  try {
+    const url = new URL(origin);
+    return (
+      (url.protocol === "http:" || url.protocol === "https:") &&
+      url.username === "" &&
+      url.password === "" &&
+      url.pathname === "/" &&
+      url.search === "" &&
+      url.hash === "" &&
+      !url.hostname.includes("*")
+    );
+  } catch {
+    return false;
+  }
+}
+function uniqueStrings(values) {
+  return [...new Set(values.filter(Boolean))];
+}
+function dasherize(value) {
+  return value.replace(/[A-Z]/g, (match) => `-${match.toLowerCase()}`);
+}

package/lib/commands/verify.js CHANGED Viewed

@@ -15,7 +15,8 @@ export function registerVerifyCommands(program) {
       .command("setup")
       .description("Verify a local or preview Switchboard integration setup")
       .option("--url <app-url>", "Application URL to test")
-      .option("--client-url <switchboard-client-url>", "Switchboard Pro-bono Embed client URL"),
+      .option("--app-url <app-url>", "Alias for --url")
+      .option("--client-url <switchboard-client-url>", "Switchboard Client Gateway client URL"),
   ).action(async (opts, cmd) => {
     await runVerifyCommand("setup", opts, cmd);
   });
@@ -25,7 +26,8 @@ export function registerVerifyCommands(program) {
       .command("publish")
       .description("Verify an HTTPS preview is safe to publish")
       .option("--url <preview-url>", "HTTPS preview URL to test")
-      .option("--client-url <switchboard-client-url>", "Switchboard Pro-bono Embed client URL")
+      .option("--app-url <preview-url>", "Alias for --url")
+      .option("--client-url <switchboard-client-url>", "Switchboard Client Gateway client URL")
       .option("--production-origin <origin>", "Production origin that must be allowed"),
   )
     .option("--project-id <id>", "Switchboard project id for production safety checks")
@@ -38,7 +40,8 @@ export function registerVerifyCommands(program) {
       .command("browser")
       .description("Run a declarative browser verification scenario")
       .option("--url <app-url>", "Application URL to test")
-      .option("--client-url <switchboard-client-url>", "Switchboard Pro-bono Embed client URL"),
+      .option("--app-url <app-url>", "Alias for --url")
+      .option("--client-url <switchboard-client-url>", "Switchboard Client Gateway client URL"),
   ).action(async (opts, cmd) => {
     await runVerifyCommand("browser", opts, cmd);
   });
@@ -60,6 +63,7 @@ async function runVerifyCommand(mode, opts, cmd) {
     const project = mode === "publish" ? await loadProject(opts, flags) : null;
     const report = await verifierForMode(mode)({
       url: opts.url,
+      appUrl: opts.appUrl,
       clientUrl: opts.clientUrl,
       productionOrigin: opts.productionOrigin,
       scenarioPath: opts.scenario,

package/lib/verify/index.js CHANGED Viewed

@@ -48,7 +48,6 @@ const CHECK_TYPE_TO_ID = new Map([
 ]);
 const SERVER_SECRET_PATTERNS = [
-  { name: "SWITCHBOARD_API_KEY", pattern: /\bSWITCHBOARD_API_KEY\b/ },
   { name: "switchboard live key", pattern: /\bsb_live_[A-Za-z0-9_-]{6,}\b/ },
   { name: "switchboard test key", pattern: /\bsb_test_[A-Za-z0-9_-]{6,}\b/ },
   { name: "account session token", pattern: /\bsb_sess_[A-Za-z0-9_-]{6,}\b/ },
@@ -125,7 +124,7 @@ export async function runVerification(options = {}) {
   const scenario = validateScenario(options.scenario ?? loadScenario(options.scenarioPath));
   const report = createReport(mode);
   const artifactsDir = options.artifactsDir ?? DEFAULT_ARTIFACTS_DIR;
-  const appUrl = parseRequiredUrl(options.url, "--url");
+  const appUrl = parseRequiredUrl(options.appUrl ?? options.url, options.appUrl ? "--app-url" : "--url");
   const clientUrl = options.clientUrl ? parseRequiredUrl(options.clientUrl, "--client-url") : null;
   const timeoutMs = normalizeTimeoutMs(options.timeoutMs);
   let productionOrigin = options.productionOrigin;
@@ -723,6 +722,7 @@ function normalizedHostname(url) {
 function browserChallengeTokenFor(check, clientUrl) {
   if (Object.prototype.hasOwnProperty.call(check, "browserChallengeToken")) {
+    validateBrowserChallengeToken(check.browserChallengeToken, clientUrl);
     return check.browserChallengeToken;
   }
@@ -730,13 +730,25 @@ function browserChallengeTokenFor(check, clientUrl) {
     return DEV_BROWSER_CHALLENGE_TOKEN;
   }
-  return DEFAULT_BROWSER_CHALLENGE_TOKEN;
+  throw new VerificationInputError(
+    "Hosted Switchboard verification cannot submit synthetic browser challenge tokens. Run the SDK-managed browser challenge in the real app, or target a localhost Switchboard URL for dev verification.",
+  );
 }
 function isLocalSwitchboardUrl(url) {
   return url instanceof URL && LOCAL_HOSTS.has(normalizedHostname(url));
 }
+export function validateBrowserChallengeToken(token, clientUrl) {
+  if (isLocalSwitchboardUrl(clientUrl)) return;
+  if (token === DEV_BROWSER_CHALLENGE_TOKEN || token === DEFAULT_BROWSER_CHALLENGE_TOKEN) {
+    throw new VerificationInputError(
+      "Synthetic browser challenge tokens are allowed only against localhost Switchboard URLs.",
+    );
+  }
+}
 function addFailure(report, checkId, message, finding) {
   addCheck(report, { id: checkId, status: "failed", message });
   report.findings.push({

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@switchboard.spot/cli",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "Switchboard CLI — full dashboard parity for agents and testing",
   "type": "module",
   "bin": {