@switchbot/openapi-cli 2.7.2 → 3.1.0

package/dist/commands/scenes.js

@@ -121,4 +121,144 @@ Example:
             handleError(error);
         }
     });
+    // switchbot scenes validate [sceneId...]
+    scenes
+        .command('validate')
+        .description('Verify that one or more scenes exist. If no IDs are given, validates all scenes are reachable.')
+        .argument('[sceneId...]', 'Scene IDs to validate (default: all scenes)')
+        .addHelpText('after', `
+Note: SwitchBot API v1.1 does not expose scene steps; validation only confirms
+the scene IDs exist in your account.
+
+Examples:
+  $ switchbot scenes validate
+  $ switchbot scenes validate T12345678 T87654321
+`)
+        .action(async (sceneIds) => {
+        try {
+            const sceneList = await fetchScenes();
+            const sceneMap = new Map(sceneList.map((s) => [s.sceneId, s.sceneName]));
+            const targets = sceneIds.length > 0 ? sceneIds : sceneList.map((s) => s.sceneId);
+            const results = targets.map((id) => ({
+                sceneId: id,
+                sceneName: sceneMap.get(id) ?? null,
+                valid: sceneMap.has(id),
+            }));
+            const allValid = results.every((r) => r.valid);
+            if (isJsonMode()) {
+                printJson({ ok: allValid, results });
+                if (!allValid)
+                    process.exit(1);
+                return;
+            }
+            for (const r of results) {
+                const icon = r.valid ? '✓' : '✗';
+                const label = r.valid ? r.sceneName : '(not found)';
+                console.log(`${icon} ${r.sceneId}  ${label}`);
+            }
+            if (!allValid)
+                process.exit(1);
+        }
+        catch (error) {
+            handleError(error);
+        }
+    });
+    // switchbot scenes simulate <sceneId>
+    scenes
+        .command('simulate')
+        .description('Show what `scenes execute` would do without actually executing the scene.')
+        .argument('<sceneId>', 'Scene ID from "scenes list"')
+        .addHelpText('after', `
+Note: SwitchBot API v1.1 does not expose scene step details. Simulation reports
+the scene name, confirms it exists, and shows the POST that would be issued.
+
+Example:
+  $ switchbot scenes simulate T12345678
+`)
+        .action(async (sceneId) => {
+        try {
+            const sceneList = await fetchScenes();
+            const found = sceneList.find((s) => s.sceneId === sceneId);
+            if (!found) {
+                throw new StructuredUsageError(`scene not found: ${sceneId}`, {
+                    error: 'scene_not_found',
+                    sceneId,
+                    candidates: sceneList.map((s) => ({ sceneId: s.sceneId, sceneName: s.sceneName })),
+                });
+            }
+            const simulation = {
+                sceneId: found.sceneId,
+                sceneName: found.sceneName,
+                wouldSend: { method: 'POST', url: `/v1.1/scenes/${sceneId}/execute` },
+                note: 'SwitchBot API v1.1 does not expose individual scene steps.',
+            };
+            if (isJsonMode()) {
+                printJson({ simulated: true, ...simulation });
+                return;
+            }
+            console.log(`sceneId:   ${simulation.sceneId}`);
+            console.log(`sceneName: ${simulation.sceneName}`);
+            console.log(`wouldSend: ${simulation.wouldSend.method} ${simulation.wouldSend.url}`);
+            console.log(`note:      ${simulation.note}`);
+        }
+        catch (error) {
+            handleError(error);
+        }
+    });
+    // switchbot scenes explain <sceneId>
+    scenes
+        .command('explain')
+        .description('Explain in plain language what a scene does and how to execute it safely.')
+        .argument('<sceneId>', 'Scene ID from "scenes list"')
+        .addHelpText('after', `
+Shows the scene name, action description, risk level, and the exact command to
+run. Unlike "simulate" (which shows raw HTTP detail), "explain" is aimed at a
+human or agent deciding whether to proceed.
+
+Note: SwitchBot API v1.1 does not expose scene step details; risk is reported
+as "low" because scenes only trigger pre-configured automations in the app.
+
+Example:
+  $ switchbot scenes explain T12345678
+`)
+        .action(async (sceneId) => {
+        try {
+            const sceneList = await fetchScenes();
+            const found = sceneList.find((s) => s.sceneId === sceneId);
+            if (!found) {
+                throw new StructuredUsageError(`scene not found: ${sceneId}`, {
+                    error: 'scene_not_found',
+                    sceneId,
+                    candidates: sceneList.map((s) => ({ sceneId: s.sceneId, sceneName: s.sceneName })),
+                });
+            }
+            const explanation = {
+                sceneId: found.sceneId,
+                sceneName: found.sceneName,
+                action: `Trigger scene (POST /v1.1/scenes/${found.sceneId}/execute)`,
+                riskLevel: 'low',
+                idempotent: null,
+                toExecute: `switchbot scenes execute ${found.sceneId}`,
+                dryRun: isDryRun(),
+                note: 'SwitchBot API v1.1 does not expose individual scene steps.',
+            };
+            if (isJsonMode()) {
+                printJson(explanation);
+                return;
+            }
+            console.log(`sceneId:    ${explanation.sceneId}`);
+            console.log(`sceneName:  ${explanation.sceneName}`);
+            console.log(`action:     ${explanation.action}`);
+            console.log(`riskLevel:  ${explanation.riskLevel}`);
+            console.log(`idempotent: unknown (scene steps not exposed by API)`);
+            console.log(`toExecute:  ${explanation.toExecute}`);
+            if (explanation.dryRun) {
+                console.log(`dryRun:     true  (pass --dry-run to execute would be a no-op)`);
+            }
+            console.log(`note:       ${explanation.note}`);
+        }
+        catch (error) {
+            handleError(error);
+        }
+    });
 }

package/dist/commands/schema.js

@@ -25,7 +25,6 @@ function toSchemaCommand(c, entry) {
         commandType: (c.commandType ?? 'command'),
         idempotent: Boolean(c.idempotent),
         safetyTier: tier,
-        destructive: tier === 'destructive',
         ...(reason ? { safetyReason: reason } : {}),
         ...(c.exampleParams ? { exampleParams: c.exampleParams } : {}),
     };
@@ -44,7 +43,6 @@ function toCompactEntry(e) {
                 commandType: (c.commandType ?? 'command'),
                 idempotent: Boolean(c.idempotent),
                 safetyTier: tier,
-                destructive: tier === 'destructive',
             };
         }),
         statusFields: e.statusFields ?? [],

package/dist/commands/status-sync.js

@@ -0,0 +1,131 @@
+import { stringArg } from '../utils/arg-parsers.js';
+import { handleError, isJsonMode, printJson } from '../utils/output.js';
+import { getStatusSyncStatus, runStatusSyncForeground, startStatusSync, stopStatusSync, } from '../status-sync/manager.js';
+function printHumanStatus(status) {
+    if (!status.running) {
+        console.log('status-sync is not running');
+        console.log(`state:  ${status.stateDir}`);
+        console.log(`stdout: ${status.stdoutLog}`);
+        console.log(`stderr: ${status.stderrLog}`);
+        return;
+    }
+    console.log(`status-sync is running (PID ${status.pid})`);
+    console.log(`started: ${status.startedAt}`);
+    console.log(`state:   ${status.stateDir}`);
+    console.log(`stdout:  ${status.stdoutLog}`);
+    console.log(`stderr:  ${status.stderrLog}`);
+}
+export function registerStatusSyncCommand(program) {
+    const statusSync = program
+        .command('status-sync')
+        .description('Manage a background MQTT -> OpenClaw status-sync bridge powered by events mqtt-tail');
+    statusSync
+        .command('run')
+        .description('Run the status-sync bridge in the foreground for a supervisor or terminal session')
+        .option('--openclaw-url <url>', 'OpenClaw gateway URL (default: http://localhost:18789)', stringArg('--openclaw-url'))
+        .option('--openclaw-token <token>', 'Bearer token for OpenClaw (or env OPENCLAW_TOKEN)', stringArg('--openclaw-token'))
+        .option('--openclaw-model <id>', 'OpenClaw agent model ID to route events to (or env OPENCLAW_MODEL)', stringArg('--openclaw-model'))
+        .option('--topic <pattern>', 'MQTT topic filter (default: SwitchBot shadow topic from credential)', stringArg('--topic'))
+        .addHelpText('after', `
+Runs the same MQTT -> OpenClaw bridge logic as \'status-sync start\',
+but keeps the process attached to the current terminal. This is the best fit
+for agent supervisors, service managers, or container entrypoints that want
+foreground process semantics.
+
+Examples:
+  $ switchbot status-sync run --openclaw-model home-agent
+  $ OPENCLAW_TOKEN=abc OPENCLAW_MODEL=home-agent switchbot status-sync run
+`)
+        .action(async (options) => {
+        try {
+            const exitCode = await runStatusSyncForeground(options);
+            if (exitCode !== 0) {
+                process.exit(exitCode);
+            }
+        }
+        catch (error) {
+            handleError(error);
+        }
+    });
+    statusSync
+        .command('start')
+        .description('Start the background status-sync bridge')
+        .option('--openclaw-url <url>', 'OpenClaw gateway URL (default: http://localhost:18789)', stringArg('--openclaw-url'))
+        .option('--openclaw-token <token>', 'Bearer token for OpenClaw (or env OPENCLAW_TOKEN)', stringArg('--openclaw-token'))
+        .option('--openclaw-model <id>', 'OpenClaw agent model ID to route events to (or env OPENCLAW_MODEL)', stringArg('--openclaw-model'))
+        .option('--topic <pattern>', 'MQTT topic filter (default: SwitchBot shadow topic from credential)', stringArg('--topic'))
+        .option('--state-dir <path>', 'Override the status-sync state directory (or env SWITCHBOT_STATUS_SYNC_HOME)', stringArg('--state-dir'))
+        .option('--force', 'Stop any existing status-sync bridge before starting a new one')
+        .addHelpText('after', `
+Starts a detached child process that runs:
+  switchbot status-sync run ...
+
+State files:
+  state.json   process metadata (pid, startedAt, command)
+  stdout.log   redirected stdout from the child process
+  stderr.log   redirected stderr from the child process
+
+Examples:
+  $ switchbot status-sync start --openclaw-model home-agent
+  $ OPENCLAW_TOKEN=abc OPENCLAW_MODEL=home-agent switchbot status-sync start
+  $ switchbot status-sync start --state-dir ~/.switchbot/custom-status-sync --force
+`)
+        .action((options) => {
+        try {
+            const status = startStatusSync(options);
+            if (isJsonMode()) {
+                printJson(status);
+                return;
+            }
+            console.log(`Started status-sync (PID ${status.pid}).`);
+            console.log(`state:  ${status.stateDir}`);
+            console.log(`stdout: ${status.stdoutLog}`);
+            console.log(`stderr: ${status.stderrLog}`);
+        }
+        catch (error) {
+            handleError(error);
+        }
+    });
+    statusSync
+        .command('stop')
+        .description('Stop the background status-sync bridge')
+        .option('--state-dir <path>', 'Override the status-sync state directory (or env SWITCHBOT_STATUS_SYNC_HOME)', stringArg('--state-dir'))
+        .action((options) => {
+        try {
+            const result = stopStatusSync(options);
+            if (isJsonMode()) {
+                printJson(result);
+                return;
+            }
+            if (result.stopped) {
+                console.log(`Stopped status-sync (PID ${result.pid}).`);
+            }
+            else if (result.stale) {
+                console.log(`Removed stale status-sync state for PID ${result.pid}.`);
+            }
+            else {
+                console.log('status-sync is not running');
+            }
+        }
+        catch (error) {
+            handleError(error);
+        }
+    });
+    statusSync
+        .command('status')
+        .description('Inspect the current status-sync bridge state')
+        .option('--state-dir <path>', 'Override the status-sync state directory (or env SWITCHBOT_STATUS_SYNC_HOME)', stringArg('--state-dir'))
+        .action((options) => {
+        try {
+            const status = getStatusSyncStatus(options);
+            if (isJsonMode()) {
+                printJson(status);
+                return;
+            }
+            printHumanStatus(status);
+        }
+        catch (error) {
+            handleError(error);
+        }
+    });
+}

package/dist/commands/uninstall.js

@@ -0,0 +1,237 @@
+/**
+ * `switchbot uninstall` — reverse of `switchbot install`.
+ *
+ * Unlike install, uninstall is not rollback-safe (there's nothing to
+ * roll back to). It removes individual pieces independently and keeps
+ * going if any single removal fails — the user gets a report and can
+ * clean up leftovers manually. Every destructive step defaults to
+ * confirmation; `--yes` skips the prompt.
+ *
+ * What it removes, from least to most destructive:
+ *   1. skill symlink  (~/.claude/skills/switchbot)     — default: yes
+ *   2. credentials    (keychain entry for the profile) — default: yes  (requires --remove-creds OR --yes)
+ *   3. policy.yaml    (only on --remove-policy)         — default: no  (user edits may live here)
+ *
+ * The CLI itself is never uninstalled: install did not install it,
+ * and yanking your own binary mid-run is impolite. Users who want it
+ * gone run `npm rm -g @switchbot/openapi-cli`.
+ */
+import { InvalidArgumentError } from 'commander';
+import fs from 'node:fs';
+import readline from 'node:readline';
+import { resolvePolicyPath } from '../policy/load.js';
+import { skillLinkPathFor } from '../install/default-steps.js';
+import { selectCredentialStore } from '../credentials/keychain.js';
+import { isJsonMode, printJson } from '../utils/output.js';
+import { getActiveProfile } from '../lib/request-context.js';
+import chalk from 'chalk';
+const AGENT_VALUES = ['claude-code', 'cursor', 'copilot', 'none'];
+function parseAgent(value) {
+    if (!value)
+        return 'claude-code';
+    if (!AGENT_VALUES.includes(value)) {
+        throw new InvalidArgumentError(`--agent must be one of ${AGENT_VALUES.join(', ')} (got "${value}")`);
+    }
+    return value;
+}
+async function prompt(question, defaultYes) {
+    if (!process.stdin.isTTY)
+        return defaultYes;
+    const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+    return new Promise((resolve) => {
+        const suffix = defaultYes ? ' [Y/n] ' : ' [y/N] ';
+        rl.question(question + suffix, (ans) => {
+            rl.close();
+            const a = ans.trim().toLowerCase();
+            if (!a)
+                return resolve(defaultYes);
+            resolve(a === 'y' || a === 'yes');
+        });
+    });
+}
+export function registerUninstallCommand(program) {
+    program
+        .command('uninstall')
+        .description('Reverse of `switchbot install`: remove skill link, credentials, (optionally) policy')
+        .option('--agent <name>', `target agent: ${AGENT_VALUES.join(' | ')} (default: claude-code)`)
+        .option('--remove-creds', 'delete credentials from the OS keychain (default: prompt)')
+        .option('--remove-policy', 'also delete policy.yaml (default: keep — user edits may live there)')
+        .option('-y, --yes', 'assume yes to every confirmation prompt (non-interactive)')
+        .option('--purge', 'shorthand for --yes --remove-creds --remove-policy: remove everything without prompting')
+        .addHelpText('after', `
+The global --dry-run flag previews what would be removed.
+Global --json emits a structured removal report.
+
+What is never removed here:
+  - the CLI itself (use: npm rm -g @switchbot/openapi-cli)
+  - audit.log (it's your receipt; delete by hand if you want)
+
+Examples:
+  # Interactive: prompts before each destructive step
+  switchbot uninstall
+
+  # Non-interactive, remove everything including the policy
+  switchbot uninstall --yes --remove-policy
+
+  # One-shot: remove absolutely everything without prompting
+  switchbot uninstall --purge
+`)
+        .action(async (opts, command) => {
+        const agent = parseAgent(opts.agent);
+        const profile = getActiveProfile() ?? 'default';
+        const purge = Boolean(opts.purge);
+        const yes = Boolean(opts.yes) || purge;
+        const removePolicy = Boolean(opts.removePolicy) || purge;
+        const removeCreds = Boolean(opts.removeCreds) || yes;
+        const globalOpts = command.parent?.opts() ?? {};
+        const dryRun = Boolean(globalOpts.dryRun);
+        const policyPath = resolvePolicyPath();
+        const skillLink = skillLinkPathFor(agent);
+        const plan = [];
+        // --- Plan: skill symlink removal (default yes) ---
+        if (skillLink) {
+            plan.push({
+                action: 'remove-skill-link',
+                detail: skillLink,
+                run: async () => {
+                    if (!fs.existsSync(skillLink)) {
+                        return { action: 'remove-skill-link', status: 'absent', detail: skillLink };
+                    }
+                    const stat = fs.lstatSync(skillLink);
+                    if (!stat.isSymbolicLink()) {
+                        return {
+                            action: 'remove-skill-link',
+                            status: 'skipped',
+                            detail: `${skillLink} exists but is not a symlink — leaving it alone`,
+                        };
+                    }
+                    const ok = yes ? true : await prompt(`Remove skill link ${skillLink}?`, true);
+                    if (!ok)
+                        return { action: 'remove-skill-link', status: 'skipped', detail: skillLink };
+                    try {
+                        fs.unlinkSync(skillLink);
+                        return { action: 'remove-skill-link', status: 'removed', detail: skillLink };
+                    }
+                    catch (err) {
+                        return {
+                            action: 'remove-skill-link',
+                            status: 'failed',
+                            detail: skillLink,
+                            error: err instanceof Error ? err.message : String(err),
+                        };
+                    }
+                },
+            });
+        }
+        // --- Plan: credential removal (requires --remove-creds OR --yes) ---
+        plan.push({
+            action: 'remove-credentials',
+            detail: `profile=${profile}`,
+            run: async () => {
+                if (!removeCreds) {
+                    return {
+                        action: 'remove-credentials',
+                        status: 'skipped',
+                        detail: 'pass --remove-creds to delete keychain entry',
+                    };
+                }
+                const ok = yes ? true : await prompt(`Delete credentials for profile "${profile}" from the keychain?`, false);
+                if (!ok)
+                    return { action: 'remove-credentials', status: 'skipped', detail: `profile=${profile}` };
+                try {
+                    const store = await selectCredentialStore();
+                    await store.delete(profile);
+                    return {
+                        action: 'remove-credentials',
+                        status: 'removed',
+                        detail: `profile=${profile} (backend=${store.describe().tag})`,
+                    };
+                }
+                catch (err) {
+                    return {
+                        action: 'remove-credentials',
+                        status: 'failed',
+                        detail: `profile=${profile}`,
+                        error: err instanceof Error ? err.message : String(err),
+                    };
+                }
+            },
+        });
+        // --- Plan: policy.yaml removal (opt-in) ---
+        plan.push({
+            action: 'remove-policy',
+            detail: policyPath,
+            run: async () => {
+                if (!removePolicy) {
+                    return {
+                        action: 'remove-policy',
+                        status: 'skipped',
+                        detail: 'pass --remove-policy to delete policy.yaml',
+                    };
+                }
+                if (!fs.existsSync(policyPath)) {
+                    return { action: 'remove-policy', status: 'absent', detail: policyPath };
+                }
+                const ok = yes ? true : await prompt(`Delete policy file ${policyPath}?`, false);
+                if (!ok)
+                    return { action: 'remove-policy', status: 'skipped', detail: policyPath };
+                try {
+                    fs.unlinkSync(policyPath);
+                    return { action: 'remove-policy', status: 'removed', detail: policyPath };
+                }
+                catch (err) {
+                    return {
+                        action: 'remove-policy',
+                        status: 'failed',
+                        detail: policyPath,
+                        error: err instanceof Error ? err.message : String(err),
+                    };
+                }
+            },
+        });
+        if (dryRun) {
+            if (isJsonMode()) {
+                printJson({
+                    dryRun: true,
+                    profile,
+                    agent,
+                    plan: plan.map(({ action, detail }) => ({ action, detail })),
+                });
+            }
+            else {
+                console.log(chalk.bold('switchbot uninstall — dry run'));
+                console.log(`  profile: ${profile}`);
+                console.log(`  agent:   ${agent}`);
+                console.log('');
+                console.log(chalk.bold('Would run:'));
+                for (const p of plan)
+                    console.log(`  • ${p.action}  — ${p.detail}`);
+                console.log('');
+                console.log(chalk.dim('No changes made. Re-run without --dry-run (add --yes to skip prompts).'));
+            }
+            return;
+        }
+        const outcomes = [];
+        for (const p of plan) {
+            outcomes.push(await p.run());
+        }
+        const anyFailed = outcomes.some((o) => o.status === 'failed');
+        if (isJsonMode()) {
+            printJson({ ok: !anyFailed, profile, agent, outcomes });
+        }
+        else {
+            console.log(chalk.bold('switchbot uninstall'));
+            for (const o of outcomes) {
+                const tag = o.status === 'removed' ? chalk.green('✓') :
+                    o.status === 'absent' ? chalk.dim('·') :
+                        o.status === 'skipped' ? chalk.yellow('↷') :
+                            chalk.red('✗');
+                console.log(`  ${tag} ${o.action} [${o.status}]  ${o.detail ?? ''}`);
+                if (o.error)
+                    console.log(`      ${chalk.red(o.error)}`);
+            }
+        }
+        if (anyFailed)
+            process.exit(3);
+    });
+}

package/dist/commands/upgrade-check.js

@@ -0,0 +1,88 @@
+import { createRequire } from 'node:module';
+import https from 'node:https';
+import { isJsonMode, printJson } from '../utils/output.js';
+import chalk from 'chalk';
+const require = createRequire(import.meta.url);
+const { name: pkgName, version: currentVersion } = require('../../package.json');
+function fetchLatestVersion(packageName, timeoutMs = 8000) {
+    const encoded = packageName.replace('/', '%2F');
+    const url = `https://registry.npmjs.org/${encoded}/latest`;
+    return new Promise((resolve, reject) => {
+        const req = https.get(url, { timeout: timeoutMs }, (res) => {
+            const chunks = [];
+            res.on('data', (c) => chunks.push(c));
+            res.on('end', () => {
+                try {
+                    const body = JSON.parse(Buffer.concat(chunks).toString('utf-8'));
+                    if (typeof body.version === 'string')
+                        resolve(body.version);
+                    else
+                        reject(new Error('version field missing from registry response'));
+                }
+                catch (err) {
+                    reject(err);
+                }
+            });
+        });
+        req.on('timeout', () => { req.destroy(); reject(new Error(`registry request timed out after ${timeoutMs}ms`)); });
+        req.on('error', reject);
+    });
+}
+function semverGt(a, b) {
+    const numParts = (v) => v.replace(/-.*$/, '').split('.').map((n) => Number.parseInt(n, 10));
+    const [aMaj, aMin, aPat] = numParts(a);
+    const [bMaj, bMin, bPat] = numParts(b);
+    if (aMaj !== bMaj)
+        return aMaj > bMaj;
+    if (aMin !== bMin)
+        return aMin > bMin;
+    if (aPat !== bPat)
+        return aPat > bPat;
+    // Same numeric version: release (no prerelease) > prerelease
+    return !a.includes('-') && b.includes('-');
+}
+export function registerUpgradeCheckCommand(program) {
+    program
+        .command('upgrade-check')
+        .description('Check whether a newer version of this CLI is available on npm.')
+        .option('--timeout <ms>', 'Registry request timeout in milliseconds (default: 8000)', (v) => Number.parseInt(v, 10))
+        .action(async (opts) => {
+        let latestVersion;
+        try {
+            latestVersion = await fetchLatestVersion(pkgName, opts.timeout ?? 8000);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (isJsonMode()) {
+                printJson({ ok: false, error: msg, current: currentVersion });
+            }
+            else {
+                console.error(chalk.red(`upgrade-check failed: ${msg}`));
+            }
+            process.exit(1);
+        }
+        const upToDate = !semverGt(latestVersion, currentVersion);
+        const currentMajor = Number.parseInt(currentVersion.split('.')[0], 10);
+        const latestMajor = Number.parseInt(latestVersion.split('.')[0], 10);
+        const result = {
+            current: currentVersion,
+            latest: latestVersion,
+            upToDate,
+            updateAvailable: !upToDate,
+            breakingChange: latestMajor > currentMajor,
+            installCommand: upToDate ? null : `npm install -g ${pkgName}@${latestVersion}`,
+        };
+        if (isJsonMode()) {
+            printJson(result);
+            return;
+        }
+        if (upToDate) {
+            console.log(`${chalk.green('✓')} You are running the latest version (${currentVersion}).`);
+        }
+        else {
+            console.log(`${chalk.yellow('!')} Update available: ${chalk.bold(currentVersion)} → ${chalk.bold(latestVersion)}`);
+            console.log(`  Run: ${chalk.cyan(`npm install -g ${pkgName}@${latestVersion}`)}`);
+            process.exit(1);
+        }
+    });
+}

package/dist/config.js

@@ -4,6 +4,7 @@ import os from 'node:os';
 import { getConfigPath } from './utils/flags.js';
 import { getActiveProfile } from './lib/request-context.js';
 import { emitJsonError, isJsonMode } from './utils/output.js';
+import { getPrimedCredentials } from './credentials/prime.js';
 function sanitizeOptionalString(v) {
     if (typeof v !== 'string')
         return undefined;
@@ -46,6 +47,14 @@ export function loadConfig() {
     if (envToken && envSecret) {
         return { token: envToken, secret: envSecret };
     }
+    // After env, try the OS keychain (via the priming cache populated at
+    // command start). When --config is passed we skip the keychain so the
+    // override remains authoritative.
+    if (!getConfigPath()) {
+        const primed = getPrimedCredentials(getActiveProfile() ?? 'default');
+        if (primed)
+            return primed;
+    }
     const file = configFilePath();
     if (!fs.existsSync(file)) {
         const profile = getActiveProfile();
@@ -94,6 +103,11 @@ export function tryLoadConfig() {
     const envSecret = process.env.SWITCHBOT_SECRET;
     if (envToken && envSecret)
         return { token: envToken, secret: envSecret };
+    if (!getConfigPath()) {
+        const primed = getPrimedCredentials(getActiveProfile() ?? 'default');
+        if (primed)
+            return primed;
+    }
     const file = configFilePath();
     if (!fs.existsSync(file))
         return null;