@switchboard.spot/cli 0.2.3 → 0.2.5

package/lib/commands/env.js

@@ -4,22 +4,11 @@
 
 import fs from "fs";
 import path from "path";
-import { spawn } from "node:child_process";
 import { accountRequest } from "../client.js";
-import { resolveAccountConfig, resolveConfig } from "../config.js";
-import {
-  getProjectSecretKey,
-  setProjectSecretKey,
-} from "../credentialStore.js";
+import { resolveConfig } from "../config.js";
 import { emit, fail, globalFlags } from "../output.js";
 
 const DEFAULT_ENV_FILE = ".env.local";
-const SECRET_ENV_NAMES = ["SWITCHBOARD_API_KEY"];
-const SECRET_PATTERNS = [
-  /sb_test_[A-Za-z0-9_-]+/g,
-  /sb_live_[A-Za-z0-9_-]+/g,
-  /sb_sess_[A-Za-z0-9_-]+/g,
-];
 
 export function registerEnvCommands(program) {
   const env = program.command("env").description("Agent-safe environment setup");
@@ -27,10 +16,8 @@ export function registerEnvCommands(program) {
   env
     .command("configure")
     .description("Configure Switchboard environment values without printing secrets")
-    .option("--mode <mode>", "client, server, or both", "client")
+    .option("--mode <mode>", "client", "client")
     .option("--file <path>", "Local env file to update", DEFAULT_ENV_FILE)
-    .option("--target <target>", "local or exec", "local")
-    .option("--secret-command <command>", "Command that stores secrets from stdin JSON")
     .option("--project-id <id>", "Override selected project")
     .option("--force", "Replace existing Switchboard-managed values")
     .action(async (opts, cmd) => {
@@ -41,12 +28,12 @@ export function registerEnvCommands(program) {
 
   env
     .command("run")
-    .description("Run a command with Switchboard managed secrets injected")
+    .description("Deprecated: server secret injection has been removed")
     .allowUnknownOption(true)
     .argument("[command...]", "Command to run")
     .action(async (command, _opts, cmd) => {
       const flags = globalFlags(cmd);
-      await runWithEnvironment(command, { json: flags.json });
+      runWithEnvironment(command, { json: flags.json });
     });
 }
 
@@ -54,162 +41,81 @@ export async function configureEnvironment(
   opts,
   {
     request = accountRequest,
-    getSecret = getProjectSecretKey,
-    setSecret = setProjectSecretKey,
     cwd = process.cwd(),
     json = false,
-    runSecretCommand = runSecretSinkCommand,
   } = {},
 ) {
   const mode = normalizeMode(opts.mode);
-  const target = normalizeTarget(opts.target);
   const projectId = opts.projectId;
   const force = Boolean(opts.force);
 
-  if (target === "exec" && !opts.secretCommand) {
-    fail("--secret-command is required when --target exec is used", 1, json);
-  }
-
-  const { data: kit } = await request("GET", "/integration_kit", {
-    json,
-    projectId,
-  });
-
-  const selectedProjectId = String(projectId || kit.project_id || resolveConfig().projectId || "");
+  const project = await resolveProjectContext({ projectId, request, json });
+  const selectedProjectId = String(project.id || resolveConfig().projectId || "");
   if (!selectedProjectId) {
     fail("Could not determine the selected Switchboard project id", 1, json);
   }
 
   const changed = [];
   const skipped = [];
-  const secrets = [];
   const envFile = path.resolve(cwd, opts.file || DEFAULT_ENV_FILE);
 
   const envUpdates = {};
 
-  if (mode === "client" || mode === "both") {
-    const clientUrl = kit.client_url || kit.virtual_microservice_url;
-    envUpdates.SWITCHBOARD_CLIENT_URL = clientUrl;
-    envUpdates.VITE_SWITCHBOARD_CLIENT_URL = clientUrl;
-  }
-
-  if (mode === "server" || mode === "both") {
-    envUpdates.SWITCHBOARD_BASE_URL = kit.server_base_url || kit.base_url;
-  }
+  const clientUrl = project.client_gateway_url;
+  envUpdates.SWITCHBOARD_CLIENT_URL = clientUrl;
+  envUpdates.VITE_SWITCHBOARD_CLIENT_URL = clientUrl;
 
   const fileResult = updateEnvFile(envFile, envUpdates, { force });
   changed.push(...fileResult.changed);
   skipped.push(...fileResult.skipped);
 
-  if (mode === "server" || mode === "both") {
-    const secretResult = await ensureServerSecret({
-      projectId: selectedProjectId,
-      force,
-      request,
-      getSecret,
-      setSecret,
-      target,
-      secretCommand: opts.secretCommand,
-      runSecretCommand,
-      json,
-    });
-
-    changed.push(...secretResult.changed);
-    skipped.push(...secretResult.skipped);
-    secrets.push(secretResult.secret);
-  }
-
   return {
     ok: true,
     project_id: selectedProjectId,
     mode,
-    target,
     env_file: envFile,
     changed,
     skipped,
-    secrets,
   };
 }
 
-export async function runWithEnvironment(
-  command,
-  {
-    config,
-    getSecret = getProjectSecretKey,
-    env = process.env,
-    spawnProcess = spawn,
-    exitProcess = process.exit,
-    killProcess = process.kill,
-    json = false,
-  } = {},
-) {
-  if (!command || command.length === 0) {
-    fail("Usage: switchboard env run -- <command>", 1, json);
+async function resolveProjectContext({ projectId, request, json }) {
+  if (projectId) {
+    const { data } = await request("GET", `/projects/${projectId}`, { json });
+    return data;
   }
 
-  const cfg = await resolveAccountConfig(config || resolveConfig());
-  if (!cfg.projectId) {
-    fail(
-      "Specify a project before this command. Run: switchboard projects list, then switchboard projects use <id>.",
-      1,
-      json,
-      "project_required",
-    );
+  const configProjectId = resolveConfig().projectId;
+  if (configProjectId) {
+    const { data } = await request("GET", `/projects/${configProjectId}`, { json });
+    return data;
   }
 
-  const secret = await getSecret(cfg.projectId, "sandbox");
-  if (!secret) {
-    fail(
-      "No managed Switchboard server secret found. Run: switchboard env configure --mode server",
-      1,
-      json,
-      "secret_required",
-    );
+  const { data } = await request("GET", "/me", { json });
+  const project = data.project || data.projects?.[0];
+  if (!project) {
+    fail("No Switchboard project is available. Run switchboard setup project first.", 1, json);
   }
+  return project;
+}
 
-  const child = spawnProcess(command[0], command.slice(1), {
-    stdio: "inherit",
-    env: {
-      ...env,
-      SWITCHBOARD_API_KEY: secret,
-      SWITCHBOARD_PROJECT_ID: cfg.projectId,
-    },
-  });
-
-  return new Promise((resolve, reject) => {
-    child.on("exit", (code, signal) => {
-      try {
-        if (signal) {
-          killProcess(process.pid, signal);
-          return;
-        }
-
-        resolve(exitProcess(code ?? 0));
-      } catch (error) {
-        reject(error);
-      }
-    });
-  });
+export async function runWithEnvironment(
+  _command,
+  { json = false } = {},
+) {
+  fail("switchboard env run was removed with project secret injection", 1, json);
 }
 
 function normalizeMode(mode) {
-  if (mode === "client" || mode === "server" || mode === "both") {
-    return mode;
+  if (mode === "client" || mode === undefined) {
+    return "client";
   }
 
   if (mode === "virtual") {
     return "client";
   }
 
-  fail("--mode must be client, server, or both");
-}
-
-function normalizeTarget(target) {
-  if (target === "local" || target === "exec") {
-    return target;
-  }
-
-  fail("--target must be local or exec");
+  fail("--mode must be client");
 }
 
 function updateEnvFile(file, updates, { force }) {
@@ -268,126 +174,6 @@ function trimTrailingBlankLines(lines) {
   return next;
 }
 
-async function ensureServerSecret({
-  projectId,
-  force,
-  request,
-  getSecret,
-  setSecret,
-  target,
-  secretCommand,
-  runSecretCommand,
-  json,
-}) {
-  const existing = await getSecret(projectId, "sandbox");
-  const changed = [];
-  const skipped = [];
-  let plaintext = existing;
-  let metadata = null;
-
-  if (!plaintext || force) {
-    const { data } = await request("POST", "/keys", {
-      body: {
-        mode: "sandbox",
-        name: "Managed server secret",
-        key_type: "secret",
-      },
-      json,
-      projectId,
-    });
-
-    plaintext = data.plaintext;
-    metadata = redactedKeyMetadata(data);
-    changed.push("SWITCHBOARD_API_KEY");
-  } else {
-    skipped.push("SWITCHBOARD_API_KEY");
-  }
-
-  if (!plaintext) {
-    fail("Switchboard did not return a one-time project secret key", 1, json);
-  }
-
-  if (target === "local") {
-    await setSecret(projectId, "sandbox", plaintext);
-  } else {
-    await runSecretCommand(secretCommand, {
-      secrets: SECRET_ENV_NAMES.map((name) => ({
-        name,
-        value: plaintext,
-        metadata: metadata || { project_id: projectId, mode: "sandbox" },
-      })),
-      redactValues: [plaintext],
-    });
-  }
-
-  return {
-    changed,
-    skipped,
-    secret: {
-      name: "SWITCHBOARD_API_KEY",
-      stored: target,
-      ...metadata,
-      redacted: true,
-    },
-  };
-}
-
-function redactedKeyMetadata(data) {
-  return {
-    key_id: data.id,
-    project_id: data.project_id != null ? String(data.project_id) : undefined,
-    mode: data.mode,
-    key_type: data.key_type,
-    last_four: data.last_four,
-  };
-}
-
-async function runSecretSinkCommand(command, { secrets, redactValues }) {
-  const redactions = [...SECRET_PATTERNS, ...redactValues.map((value) => new RegExp(escapeRegExp(value), "g"))];
-  const payload = JSON.stringify({ secrets });
-
-  await new Promise((resolve, reject) => {
-    const child = spawn(command, {
-      shell: true,
-      stdio: ["pipe", "pipe", "pipe"],
-    });
-
-    let stdout = "";
-    let stderr = "";
-
-    child.stdout.on("data", (chunk) => {
-      stdout += redact(String(chunk), redactions);
-    });
-    child.stderr.on("data", (chunk) => {
-      stderr += redact(String(chunk), redactions);
-    });
-    child.on("error", reject);
-    child.on("close", (code) => {
-      if (code === 0) {
-        resolve();
-      } else {
-        const error = new Error(stderr || stdout || `Secret command exited with ${code}`);
-        error.code = code;
-        reject(error);
-      }
-    });
-
-    child.stdin.end(payload);
-  });
-}
-
-function redact(text, redactions) {
-  return redactions.reduce((acc, pattern) => acc.replace(pattern, "[REDACTED]"), text);
-}
-
-function escapeRegExp(value) {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-
-function appOriginFromApiBase(baseUrl) {
-  return String(baseUrl || "").replace(/\/v1\/?$/, "");
-}
-
 function humanConfigureMessage(result) {
   const changed = result.changed.length > 0 ? result.changed.join(", ") : "none";
   const skipped = result.skipped.length > 0 ? ` Skipped existing: ${result.skipped.join(", ")}.` : "";

package/lib/commands/projects.js

@@ -2,6 +2,7 @@
  * Project management commands.
  */
 
+import { readFileSync } from "node:fs";
 import { accountRequest } from "../client.js";
 import { saveConfig } from "../config.js";
 import { emit, globalFlags, printList } from "../output.js";
@@ -38,8 +39,7 @@ export function registerProjectsCommands(program) {
       });
       saveConfig({
         projectId: String(data.id),
-        apiKey: null,
-        virtualMicroserviceUrl: data.virtual_microservice_url || null,
+        clientGatewayUrl: data.client_gateway_url || null,
         endUserSession: null,
       });
       emit(flags.json ? data : `Created project ${data.name} (${data.id})`, flags);
@@ -70,15 +70,22 @@ export function registerProjectsCommands(program) {
       "--allowed-origins <urls>",
       "Comma-separated browser origins for Client Gateway requests",
     )
-    .option(
-      "--allowed-ios-bundle-ids <ids>",
-      "Comma-separated iOS bundle IDs",
-    )
-    .option(
-      "--allowed-android-packages <packages>",
-      "Comma-separated Android package names",
-    )
-    .option("--virtual-microservice-enabled <boolean>")
+    .option("--client-gateway-enabled <boolean>")
+    .option("--project-chat-limit <number>")
+    .option("--project-chat-window-seconds <number>")
+    .option("--end-user-chat-limit <number>")
+    .option("--end-user-chat-window-seconds <number>")
+    .option("--ip-chat-limit <number>")
+    .option("--ip-chat-window-seconds <number>")
+    .option("--anonymous-sessions-per-ip-limit <number>")
+    .option("--anonymous-sessions-per-ip-window-seconds <number>")
+    .option("--session-refresh-per-end-user-limit <number>")
+    .option("--session-refresh-per-end-user-window-seconds <number>")
+    .option("--allowed-models <slugs>", "Comma-separated Switchboard catalog model slugs")
+    .option("--clear-allowed-models", "Clear the project model allowlist")
+    .option("--system-prompt <text>", "Configure a private service-side system prompt")
+    .option("--system-prompt-file <path>", "Read private service-side system prompt from a file")
+    .option("--clear-system-prompt", "Clear the private service-side system prompt")
     .action(async (id, opts, cmd) => {
       const flags = globalFlags(cmd);
       const body = buildProjectUpdateBody(opts);
@@ -122,23 +129,6 @@ export function registerProjectsCommands(program) {
       emit(flags.json ? data : `Provisioned managed Turnstile for project ${id}`, flags);
     });
 
-  projects
-    .command("request-production-access <id>")
-    .description("Submit a production access request")
-    .requiredOption("--contact-email <email>")
-    .requiredOption("--use-case <text>")
-    .option("--expected-monthly-volume <volume>")
-    .option("--needed-billing-mode <mode>", "Billing mode needed for production", "developer_paid")
-    .option("--notes <text>")
-    .action(async (id, opts, cmd) => {
-      const flags = globalFlags(cmd);
-      const { data } = await accountRequest("POST", `/projects/${id}/production_access_request`, {
-        body: buildProductionAccessRequestBody(opts),
-        json: flags.json,
-      });
-      emit(flags.json ? data : `Submitted production access request for project ${id}`, flags);
-    });
-
   projects
     .command("use <id>")
     .description("Set default project for subsequent commands")
@@ -147,8 +137,7 @@ export function registerProjectsCommands(program) {
       const { data } = await accountRequest("GET", `/projects/${id}`, { json: flags.json });
       saveConfig({
         projectId: String(data.id),
-        apiKey: null,
-        virtualMicroserviceUrl: data.virtual_microservice_url || null,
+        clientGatewayUrl: data.client_gateway_url || null,
         endUserSession: null,
       });
       emit(flags.json ? data : `Using project ${data.name} (${data.id})`, flags);
@@ -165,17 +154,6 @@ export function registerProjectsCommands(program) {
       });
       emit(flags.json ? data : `Deleted project ${data.name}`, flags);
     });
-
-  projects
-    .command("restore <id>")
-    .description("Restore a deleted project")
-    .action(async (id, _opts, cmd) => {
-      const flags = globalFlags(cmd);
-      const { data } = await accountRequest("POST", `/projects/${id}/restore`, {
-        json: flags.json,
-      });
-      emit(flags.json ? data : `Restored project ${data.name}`, flags);
-    });
 }
 
 /**
@@ -203,16 +181,65 @@ export function buildProjectUpdateBody(opts) {
   if (opts.allowedOrigins != null) {
     body.allowed_origins = splitList(opts.allowedOrigins);
   }
-  if (opts.allowedIosBundleIds != null) {
-    body.allowed_ios_bundle_ids = splitList(opts.allowedIosBundleIds);
+  if (opts.clientGatewayEnabled != null) {
+    body.client_gateway_enabled = parseBoolean(opts.clientGatewayEnabled);
   }
-  if (opts.allowedAndroidPackages != null) {
-    body.allowed_android_packages = splitList(opts.allowedAndroidPackages);
+  const abuseProtection = buildAbuseProtectionBody(opts);
+  if (abuseProtection) body.abuse_protection = abuseProtection;
+  const aiPolicy = buildAiPolicyBody(opts);
+  if (aiPolicy) body.ai_policy = aiPolicy;
+  return body;
+}
+
+function buildAiPolicyBody(opts) {
+  const aiPolicy = {};
+
+  if (opts.clearAllowedModels) {
+    aiPolicy.allowed_model_slugs = [];
+  } else if (opts.allowedModels != null) {
+    aiPolicy.allowed_model_slugs = splitList(opts.allowedModels);
   }
-  if (opts.virtualMicroserviceEnabled != null) {
-    body.virtual_microservice_enabled = parseBoolean(opts.virtualMicroserviceEnabled);
+
+  if (opts.clearSystemPrompt) {
+    aiPolicy.system_prompt = "";
+  } else if (opts.systemPromptFile) {
+    aiPolicy.system_prompt = readFileSync(opts.systemPromptFile, "utf8");
+  } else if (opts.systemPrompt != null) {
+    aiPolicy.system_prompt = opts.systemPrompt;
+  }
+
+  return Object.keys(aiPolicy).length ? aiPolicy : null;
+}
+
+function buildAbuseProtectionBody(opts) {
+  const limits = {};
+  addLimit(limits, "project_chat", opts.projectChatLimit, opts.projectChatWindowSeconds);
+  addLimit(limits, "end_user_chat", opts.endUserChatLimit, opts.endUserChatWindowSeconds);
+  addLimit(limits, "ip_chat", opts.ipChatLimit, opts.ipChatWindowSeconds);
+  addLimit(
+    limits,
+    "anonymous_sessions_per_ip",
+    opts.anonymousSessionsPerIpLimit,
+    opts.anonymousSessionsPerIpWindowSeconds,
+  );
+  addLimit(
+    limits,
+    "session_refresh_per_end_user",
+    opts.sessionRefreshPerEndUserLimit,
+    opts.sessionRefreshPerEndUserWindowSeconds,
+  );
+
+  return Object.keys(limits).length ? { limits } : null;
+}
+
+function addLimit(limits, scope, limit, windowSeconds) {
+  if (limit == null && windowSeconds == null) return;
+
+  limits[scope] = {};
+  if (limit != null) limits[scope].limit = parsePositiveInteger(limit, `${scope} limit`);
+  if (windowSeconds != null) {
+    limits[scope].window_seconds = parsePositiveInteger(windowSeconds, `${scope} window seconds`);
   }
-  return body;
 }
 
 export function localhostCorsOriginWarning(project) {
@@ -238,27 +265,20 @@ export function buildTurnstileBody(opts) {
   return body;
 }
 
-export function buildProductionAccessRequestBody(opts) {
-  const body = {
-    contact_email: opts.contactEmail,
-    use_case: opts.useCase,
-    needed_billing_mode: opts.neededBillingMode || "developer_paid",
-  };
-
-  if (opts.expectedMonthlyVolume) {
-    body.expected_monthly_volume = opts.expectedMonthlyVolume;
-  }
-  if (opts.notes) body.notes = opts.notes;
-
-  return body;
-}
-
 function parseBoolean(value) {
   if (value === true || value === "true") return true;
   if (value === false || value === "false") return false;
   throw new Error(`Expected boolean value true or false, got ${value}`);
 }
 
+function parsePositiveInteger(value, label) {
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 1) {
+    throw new Error(`Expected ${label} to be an integer greater than or equal to 1`);
+  }
+  return parsed;
+}
+
 function warnForLocalhostCorsOrigins(projectOrProjects, flags) {
   if (flags.json || flags.quiet) return;