@apicircle/core 1.0.2 → 1.0.4

package/dist/index.js

@@ -2174,6 +2174,20 @@ function mergeWithAutoHeaders(userHeaders, overrides = {}) {
 }
 
 // src/request/buildRequest.ts
+function missingAttachmentMessage(slotId, filename) {
+  const label = filename ? `${filename} (${slotId})` : slotId;
+  return `Attachment ${label} is required for this request but is not downloaded locally. Download the missing attachments before sending or running the plan.`;
+}
+async function requireAttachment(slotId, resolveAttachment, filename) {
+  if (!resolveAttachment) {
+    throw new Error(missingAttachmentMessage(slotId, filename));
+  }
+  const file = await resolveAttachment(slotId);
+  if (!file) {
+    throw new Error(missingAttachmentMessage(slotId, filename));
+  }
+  return file;
+}
 var PATH_PLACEHOLDER = /(?::([A-Za-z_][\w-]*)|(?<!\{)\{([A-Za-z_][\w-]*)\}(?!\}))/g;
 function splitOnQuery(rawUrl) {
   const q = rawUrl.indexOf("?");
@@ -2324,17 +2338,21 @@ async function composeBody(body, resolveAttachment) {
       if (!row.enabled || !row.key.trim()) continue;
       if (row.kind === "text") {
         fd.append(row.key, row.value);
-      } else if (row.slotId && resolveAttachment) {
-        const file = await resolveAttachment(row.slotId);
-        if (file) fd.append(row.key, file.blob, file.filename);
+      } else if (row.slotId) {
+        const file = await requireAttachment(row.slotId, resolveAttachment, row.filename);
+        fd.append(row.key, file.blob, file.filename);
       }
     }
     return fd;
   }
   if (body.type === "binary") {
-    if (body.attachment?.slotId && resolveAttachment) {
-      const file = await resolveAttachment(body.attachment.slotId);
-      if (file) return file.blob;
+    if (body.attachment?.slotId) {
+      const file = await requireAttachment(
+        body.attachment.slotId,
+        resolveAttachment,
+        body.attachment.filename
+      );
+      return file.blob;
     }
     return null;
   }
@@ -2926,30 +2944,33 @@ function resolveLocation(from, location) {
   }
 }
 async function executeRequest(req, opts = {}) {
-  const built = await buildRequest(req, {
-    resolveAttachment: opts.resolveAttachment,
-    authOptions: opts.authOptions,
-    autoHeaderOverrides: opts.autoHeaderOverrides
-  });
   const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
   const timeoutMs = opts.timeoutMs === void 0 ? DEFAULT_TIMEOUT_MS : opts.timeoutMs;
   const startedAt = (/* @__PURE__ */ new Date()).toISOString();
   const t0 = typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
+  let built = null;
   const controller = new AbortController();
   const externalAbort = () => controller.abort(opts.signal.reason);
   if (opts.signal) {
     if (opts.signal.aborted) controller.abort(opts.signal.reason);
     else opts.signal.addEventListener("abort", externalAbort, { once: true });
   }
-  const timeoutHandle = timeoutMs === null ? null : setTimeout(
-    () => controller.abort(new Error(`Request timed out after ${timeoutMs}ms`)),
-    timeoutMs
-  );
+  let timeoutHandle = null;
   try {
-    let currentUrl = built.url;
-    let currentHeaders = { ...built.headers };
-    let currentMethod = built.method;
-    let currentBody = built.body;
+    built = await buildRequest(req, {
+      resolveAttachment: opts.resolveAttachment,
+      authOptions: opts.authOptions,
+      autoHeaderOverrides: opts.autoHeaderOverrides
+    });
+    const builtRequest = built;
+    timeoutHandle = timeoutMs === null ? null : setTimeout(
+      () => controller.abort(new Error(`Request timed out after ${timeoutMs}ms`)),
+      timeoutMs
+    );
+    let currentUrl = builtRequest.url;
+    let currentHeaders = { ...builtRequest.headers };
+    let currentMethod = builtRequest.method;
+    let currentBody = builtRequest.body;
     let response = await fetchImpl(currentUrl, {
       method: currentMethod,
       headers: currentHeaders,
@@ -3038,7 +3059,7 @@ async function executeRequest(req, opts = {}) {
       bodyKind,
       url: currentUrl,
       method: currentMethod,
-      authWarnings: built.authWarnings,
+      authWarnings: builtRequest.authWarnings,
       ...truncated ? { responseTruncated: true } : {}
     };
   } catch (err) {
@@ -3055,9 +3076,9 @@ async function executeRequest(req, opts = {}) {
       error: err instanceof Error ? err.message : String(err),
       // We may have already followed redirects before throwing — report the
       // last URL we tried so the user sees where the error originated.
-      url: built.url,
-      method: built.method,
-      authWarnings: built.authWarnings
+      url: built?.url ?? req.url,
+      method: built?.method ?? req.method,
+      authWarnings: built?.authWarnings ?? []
     };
   } finally {
     if (timeoutHandle !== null) clearTimeout(timeoutHandle);
@@ -4452,8 +4473,45 @@ function collectAttachmentSlots(synced) {
       }
     }
   }
+  for (const server of Object.values(synced.mockServers ?? {})) {
+    for (const endpoint of server.endpoints) {
+      collectMockResponseAttachment(endpoint.defaultResponse, seen);
+      for (const rule of endpoint.requestValidation) {
+        collectMockResponseAttachment(rule.failResponse, seen);
+      }
+      for (const rule of endpoint.responseRules) {
+        collectMockResponseAttachment(rule.response, seen);
+      }
+    }
+  }
+  for (const file of Object.values(synced.globalAssets.files ?? {})) {
+    if (!seen.has(file.slotId)) {
+      seen.set(file.slotId, {
+        slotId: file.slotId,
+        sha256: file.sha256,
+        filename: file.filename,
+        mimeType: file.mimeType,
+        size: file.size
+      });
+    }
+  }
   return [...seen.values()];
 }
+function collectMockResponseAttachment(response, seen) {
+  collectMockResponseBodyAttachment(response.body, seen);
+}
+function collectMockResponseBodyAttachment(body, seen) {
+  if (body.type !== "binary") return;
+  const ref = body.attachment;
+  if (!ref?.slotId || seen.has(ref.slotId)) return;
+  seen.set(ref.slotId, {
+    slotId: ref.slotId,
+    sha256: ref.sha256,
+    filename: ref.filename,
+    mimeType: ref.mimeType,
+    size: ref.size
+  });
+}
 
 // src/release/semver.ts
 var SEMVER_RE = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$/;
@@ -4809,6 +4867,16 @@ var dictBuckets = [
       return v?.name ?? key;
     }
   },
+  {
+    // Reusable file assets registered at workspace scope. The metadata
+    // travels in workspace.json; bytes travel as Git blobs by slotId.
+    bucket: "globalFile",
+    extract: (s) => s.globalAssets.files ?? {},
+    label: (key, value) => {
+      const v = value;
+      return v?.name ?? v?.filename ?? key;
+    }
+  },
   {
     // Consumer-side patches to a linked workspace's requests. Keyed
     // `${linkedWorkspaceId}:${requestId}`; the label leans on the key
@@ -4908,6 +4976,7 @@ function computeThreeWayDiff(base, local, remote) {
       remote: r
     });
   }
+  resolveAutoMergeableTreeConflict(entries, base, local, remote);
   const conflicts = entries.filter((e) => e.status === "conflict");
   return { entries, conflicts };
 }
@@ -4929,6 +4998,85 @@ function classify(hasBase, base, local, remote) {
   if (structurallyEqual(local, remote)) return "both-equal";
   return "conflict";
 }
+function resolveAutoMergeableTreeConflict(entries, base, local, remote) {
+  if (!base) return;
+  const treeEntry = entries.find((entry) => entry.bucket === "tree" && entry.status === "conflict");
+  if (!treeEntry) return;
+  const merged = mergeRootTreeMembershipIfSafe(base, local, remote, entries);
+  if (!merged) return;
+  treeEntry.status = "remote-only";
+  treeEntry.remote = merged;
+}
+function mergeRootTreeMembershipIfSafe(base, local, remote, entries) {
+  const baseChildren = base.collections.tree.children;
+  const localChildren = local.collections.tree.children;
+  const remoteChildren = remote.collections.tree.children;
+  const baseKeys = treeKeySet(baseChildren);
+  const localKeys = treeKeySet(localChildren);
+  const remoteKeys = treeKeySet(remoteChildren);
+  if (!baseKeys || !localKeys || !remoteKeys) return null;
+  const changed = /* @__PURE__ */ new Set();
+  for (const key of /* @__PURE__ */ new Set([...baseKeys, ...localKeys, ...remoteKeys])) {
+    const localChanged = baseKeys.has(key) !== localKeys.has(key);
+    const remoteChanged = baseKeys.has(key) !== remoteKeys.has(key);
+    if (!localChanged && !remoteChanged) continue;
+    if (localChanged && remoteChanged) return null;
+    const entry = bucketEntryForTreeChild(entries, key);
+    if (!entry || entry.status === "conflict") return null;
+    if (localChanged && entry.status !== "local-only") return null;
+    if (remoteChanged && entry.status !== "remote-only") return null;
+    changed.add(key);
+  }
+  if (changed.size === 0) return null;
+  const stableBaseOrder = baseChildren.map(treeChildKey).filter((key) => !changed.has(key));
+  if (!sameOrder(
+    localChildren.map(treeChildKey).filter((key) => !changed.has(key)),
+    stableBaseOrder
+  )) {
+    return null;
+  }
+  if (!sameOrder(
+    remoteChildren.map(treeChildKey).filter((key) => !changed.has(key)),
+    stableBaseOrder
+  )) {
+    return null;
+  }
+  let children = [...localChildren];
+  for (const child of remoteChildren) {
+    const key = treeChildKey(child);
+    if (!changed.has(key) || !remoteKeys.has(key)) continue;
+    if (!children.some((existing) => treeChildKey(existing) === key)) children.push(child);
+  }
+  for (const key of changed) {
+    if (remoteKeys.has(key)) continue;
+    const entry = bucketEntryForTreeChild(entries, key);
+    if (entry?.status === "remote-only") {
+      children = children.filter((child) => treeChildKey(child) !== key);
+    }
+  }
+  return { ...local.collections.tree, children };
+}
+function bucketEntryForTreeChild(entries, key) {
+  const [kind, id] = key.split(":", 2);
+  if (kind !== "request" && kind !== "folder") return void 0;
+  return entries.find((entry) => entry.bucket === kind && entry.key === id);
+}
+function treeKeySet(children) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const child of children) {
+    const key = treeChildKey(child);
+    if (keys.has(key)) return null;
+    keys.add(key);
+  }
+  return keys;
+}
+function treeChildKey(child) {
+  return `${child.kind}:${child.id}`;
+}
+function sameOrder(a, b) {
+  if (a.length !== b.length) return false;
+  return a.every((value, index) => value === b[index]);
+}
 function applyMerge(local, remote, diff, resolutions) {
   let merged = local;
   for (const entry of diff.entries) {
@@ -4967,7 +5115,14 @@ function applyEntry(local, remote, entry, chosen) {
       const requests = { ...local.collections.requests };
       const treeOp = value === void 0 ? { kind: "remove" } : { kind: "upsert", parent: value.folderId ?? null };
       if (value === void 0) delete requests[entry.key];
-      else requests[entry.key] = value;
+      else {
+        const remoteRequest = value;
+        const localRequest = local.collections.requests[entry.key];
+        requests[entry.key] = localRequest && remoteRequest.auth ? {
+          ...remoteRequest,
+          auth: preserveLocalCredentialPlaceholders(localRequest.auth, remoteRequest.auth)
+        } : remoteRequest;
+      }
       const tree = reconcileTreeForEntry(local.collections.tree, "request", entry.key, treeOp);
       return { ...local, collections: { ...local.collections, requests, tree } };
     }
@@ -4975,7 +5130,14 @@ function applyEntry(local, remote, entry, chosen) {
       const folders = { ...local.collections.folders };
       const treeOp = value === void 0 ? { kind: "remove" } : { kind: "upsert", parent: value.parentId ?? null };
       if (value === void 0) delete folders[entry.key];
-      else folders[entry.key] = value;
+      else {
+        const remoteFolder = value;
+        const localFolder = local.collections.folders[entry.key];
+        folders[entry.key] = localFolder?.auth && remoteFolder.auth ? {
+          ...remoteFolder,
+          auth: preserveLocalCredentialPlaceholders(localFolder.auth, remoteFolder.auth)
+        } : remoteFolder;
+      }
       const tree = reconcileTreeForEntry(local.collections.tree, "folder", entry.key, treeOp);
       return { ...local, collections: { ...local.collections, folders, tree } };
     }
@@ -5022,6 +5184,13 @@ function applyEntry(local, remote, entry, chosen) {
       else graphql[entry.key] = value;
       return { ...local, globalAssets: { ...local.globalAssets, graphql } };
     }
+    case "globalFile": {
+      const files = { ...local.globalAssets.files ?? {} };
+      if (value === void 0) delete files[entry.key];
+      else
+        files[entry.key] = value;
+      return { ...local, globalAssets: { ...local.globalAssets, files } };
+    }
     case "linkedRequestOverride": {
       const requests = { ...local.linkedOverrides.requests };
       if (value === void 0) delete requests[entry.key];
@@ -5041,7 +5210,13 @@ function applyEntry(local, remote, entry, chosen) {
       return { ...local, releases: { ...local.releases, perLink } };
     }
     case "tree":
-      return { ...local, collections: { ...local.collections, tree: remote.collections.tree } };
+      return {
+        ...local,
+        collections: {
+          ...local.collections,
+          tree: value ?? remote.collections.tree
+        }
+      };
     case "environmentsActive":
       return {
         ...local,
@@ -5061,6 +5236,63 @@ function applyEntry(local, remote, entry, chosen) {
       return { ...local, secretCrypto: remote.secretCrypto ?? null };
   }
 }
+function preserveLocalCredentialPlaceholders(localAuth, remoteAuth) {
+  if (localAuth.type !== remoteAuth.type) return remoteAuth;
+  switch (remoteAuth.type) {
+    case "basic":
+    case "digest":
+    case "ntlm":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["password"]);
+    case "bearer":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["token"]);
+    case "api-key":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["value"]);
+    case "hawk":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["hawkKey"]);
+    case "jwt-bearer":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["secretOrKey", "token"]);
+    case "aws-sigv4":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["secretAccessKey", "sessionToken"]);
+    case "oauth2-client-credentials":
+    case "oauth2-auth-code":
+    case "oauth2-pkce":
+      return preserveBlankStringFields(localAuth, remoteAuth, [
+        "clientSecret",
+        "accessToken",
+        "refreshToken"
+      ]);
+    case "oauth2-password":
+      return preserveBlankStringFields(localAuth, remoteAuth, [
+        "clientSecret",
+        "password",
+        "accessToken",
+        "refreshToken"
+      ]);
+    case "oauth2-implicit":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["accessToken"]);
+    case "oauth2-device":
+      return preserveBlankStringFields(localAuth, remoteAuth, ["accessToken", "refreshToken"]);
+    case "none":
+    case "inherit":
+    case "custom-header":
+      return remoteAuth;
+    default: {
+      const _exhaustive = remoteAuth;
+      void _exhaustive;
+      return remoteAuth;
+    }
+  }
+}
+function preserveBlankStringFields(localAuth, remoteAuth, fields) {
+  const next = { ...remoteAuth };
+  const local = localAuth;
+  for (const field of fields) {
+    if (next[field] === "" && typeof local[field] === "string" && local[field] !== "") {
+      next[field] = local[field];
+    }
+  }
+  return next;
+}
 
 // src/git/summarizeUnpushedChanges.ts
 var BUCKET_ORDER = [
@@ -5077,6 +5309,7 @@ var BUCKET_ORDER = [
   "executionPlan",
   "globalSchema",
   "globalGraphql",
+  "globalFile",
   "secretKey",
   "secretCrypto",
   "releaseSelf",
@@ -5092,10 +5325,12 @@ var EMPTY_SUMMARY = {
 };
 function summarizeUnpushedChanges(base, current, options = {}) {
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  const gitCurrent = redactForGit(current);
   if (!base) {
-    return summarizeAllAsAdded(current, now().toISOString());
+    return summarizeAllAsAdded(gitCurrent, now().toISOString());
   }
-  const diff = computeThreeWayDiff(base, current, base);
+  const gitBase = redactForGit(base);
+  const diff = computeThreeWayDiff(gitBase, gitCurrent, gitBase);
   const changes = [];
   for (const entry of diff.entries) {
     if (entry.status !== "local-only") continue;
@@ -5212,6 +5447,16 @@ function summarizeAllAsAdded(synced, computedAt) {
       local: gql
     });
   }
+  for (const [id, file] of Object.entries(synced.globalAssets.files ?? {})) {
+    changes.push({
+      bucket: "globalFile",
+      key: id,
+      label: file.name || file.filename || id,
+      kind: "added",
+      base: void 0,
+      local: file
+    });
+  }
   for (const [key, override] of Object.entries(synced.linkedOverrides.requests)) {
     changes.push({
       bucket: "linkedRequestOverride",
@@ -5992,6 +6237,106 @@ function resolvePlanRef(synced, ref) {
   }
   return { ok: false, error: `No plan named "${ref}" in this workspace.`, available };
 }
+function lookupPlanStepRequest(step, synced, local) {
+  if (!step.linkedWorkspaceId) {
+    const request2 = synced.collections.requests[step.requestId];
+    return request2 ? { request: request2 } : { request: null, error: "Request no longer exists in workspace." };
+  }
+  const link = synced.linkedWorkspaces[step.linkedWorkspaceId];
+  if (!link) return { request: null, error: "Linked workspace was unlinked." };
+  const snapshot2 = local.linkedCollections[step.linkedWorkspaceId];
+  if (!snapshot2) {
+    return {
+      request: null,
+      error: `No cached snapshot for "${link.name}". Refresh the link before running this plan.`
+    };
+  }
+  const baseRequest = snapshot2.collections.requests[step.requestId];
+  if (!baseRequest) {
+    return {
+      request: null,
+      error: `Request not present in the cached snapshot of "${link.name}".`
+    };
+  }
+  const overrideKey = `${step.linkedWorkspaceId}:${step.requestId}`;
+  const override = synced.linkedOverrides.requests[overrideKey];
+  const request = override ? mergeRequestOverride(baseRequest, override.patch) : baseRequest;
+  return {
+    request,
+    linkedEnvironments: applyEnvironmentOverrides(
+      snapshot2.environments,
+      step.linkedWorkspaceId,
+      synced
+    ),
+    linkedFolders: snapshot2.collections.folders,
+    linkedGlobalAssets: snapshot2.globalAssets
+  };
+}
+function mergeRequestOverride(base, patch) {
+  const merged = { ...base };
+  if (patch.name !== void 0) merged.name = patch.name;
+  if (patch.method !== void 0) merged.method = patch.method;
+  if (patch.url !== void 0) merged.url = patch.url;
+  if (patch.headers !== void 0) merged.headers = patch.headers;
+  if (patch.query !== void 0) merged.query = patch.query;
+  if (patch.pathParams !== void 0) merged.pathParams = patch.pathParams;
+  if (patch.cookies !== void 0) merged.cookies = patch.cookies;
+  if (patch.body !== void 0) merged.body = patch.body;
+  if (patch.auth !== void 0) merged.auth = patch.auth;
+  if (patch.contextVars !== void 0) merged.contextVars = patch.contextVars;
+  if (patch.extractions !== void 0) merged.extractions = patch.extractions;
+  if (patch.assertions !== void 0) merged.assertions = patch.assertions;
+  return merged;
+}
+function applyEnvironmentOverrides(source, linkedWorkspaceId, synced) {
+  const overrides = Object.values(synced.linkedOverrides.environmentVars).filter(
+    (override) => override.linkedWorkspaceId === linkedWorkspaceId
+  );
+  if (overrides.length === 0) return source;
+  const items = {};
+  for (const [envName, env] of Object.entries(source.items)) {
+    const envOverrides = overrides.filter((override) => override.envName === envName);
+    if (envOverrides.length === 0) {
+      items[envName] = env;
+      continue;
+    }
+    const removed = new Set(
+      envOverrides.filter((override) => override.removed).map((override) => override.varKey)
+    );
+    const replaceMap = /* @__PURE__ */ new Map();
+    for (const override of envOverrides) {
+      if (!override.removed) replaceMap.set(override.varKey, override);
+    }
+    const variables = [];
+    const seenKeys = /* @__PURE__ */ new Set();
+    for (const variable of env.variables) {
+      if (removed.has(variable.key)) continue;
+      const override = replaceMap.get(variable.key);
+      if (override) {
+        variables.push({
+          key: variable.key,
+          value: override.value ?? variable.value,
+          encrypted: override.encrypted ?? variable.encrypted,
+          ...override.secretKeyId !== void 0 ? { secretKeyId: override.secretKeyId } : variable.secretKeyId !== void 0 ? { secretKeyId: variable.secretKeyId } : {}
+        });
+      } else {
+        variables.push(variable);
+      }
+      seenKeys.add(variable.key);
+    }
+    for (const override of envOverrides) {
+      if (override.removed || seenKeys.has(override.varKey)) continue;
+      variables.push({
+        key: override.varKey,
+        value: override.value ?? "",
+        encrypted: override.encrypted ?? false,
+        ...override.secretKeyId !== void 0 ? { secretKeyId: override.secretKeyId } : {}
+      });
+    }
+    items[envName] = { ...env, variables };
+  }
+  return { ...source, items };
+}
 async function runPlan(state, planId, opts = {}) {
   const plan = state.synced.executionPlans?.[planId];
   if (!plan) throw new Error(`Plan "${planId}" not found in workspace`);
@@ -6003,7 +6348,7 @@ async function runPlan(state, planId, opts = {}) {
   const bail = opts.bail ?? false;
   const stopOnAssertion = withAssertions && (plan.stopOnAssertionFailure ?? false);
   const secretsById = opts.secretsById ?? {};
-  const flatEnvs = buildEnvMaps(state.synced, secretsById);
+  const flatEnvs = buildEnvMaps(state.synced, secretsById, state.local);
   const secretsByLabel = buildSecretsByLabel(state.synced, secretsById);
   const baseRefs = plan.envPriorityOrder.length > 0 ? plan.envPriorityOrder : state.synced.environments.priorityOrder;
   const envRefs = opts.env ? [{ kind: "local", name: opts.env }, ...baseRefs] : baseRefs;
@@ -6038,36 +6383,17 @@ async function runPlan(state, planId, opts = {}) {
       continue;
     }
     if (opts.signal?.aborted) break;
-    if (step.linkedWorkspaceId) {
-      const runId = generateId2();
-      const error = "Linked-workspace plan steps are not supported by the headless runner. Run this plan from the desktop app.";
-      newRequestRuns.push(orphanRun(runId, step.requestId, error));
-      stepRecords.push({ requestRunId: runId, passed: false });
-      record({
-        stepIndex: i,
-        requestId: step.requestId,
-        requestName: "(linked request)",
-        requestMethod: "\u2014",
-        skipped: false,
-        result: null,
-        assertionResults: [],
-        missingVariables: [],
-        passed: false,
-        error
-      });
-      if (bail) break;
-      continue;
-    }
-    const baseRequest = requests[step.requestId];
+    const lookup2 = lookupPlanStepRequest(step, state.synced, state.local);
+    const baseRequest = lookup2.request;
     if (!baseRequest) {
       const runId = generateId2();
-      const error = "Request no longer exists in workspace.";
+      const error = lookup2.error ?? "Request no longer exists in workspace.";
       newRequestRuns.push(orphanRun(runId, step.requestId, error));
       stepRecords.push({ requestRunId: runId, passed: false });
       record({
         stepIndex: i,
         requestId: step.requestId,
-        requestName: "(missing request)",
+        requestName: step.linkedWorkspaceId ? "(linked request)" : "(missing request)",
         requestMethod: "\u2014",
         skipped: false,
         result: null,
@@ -6079,22 +6405,33 @@ async function runPlan(state, planId, opts = {}) {
       if (bail) break;
       continue;
     }
+    const resolveSynced = step.linkedWorkspaceId && lookup2.linkedEnvironments ? {
+      ...state.synced,
+      environments: lookup2.linkedEnvironments,
+      globalAssets: lookup2.linkedGlobalAssets ?? state.synced.globalAssets,
+      collections: {
+        ...state.synced.collections,
+        folders: lookup2.linkedFolders ?? {}
+      }
+    } : state.synced;
+    const stepEnvRefs = step.linkedWorkspaceId && plan.envPriorityOrder.length === 0 ? lookup2.linkedEnvironments?.priorityOrder ?? envRefs : envRefs;
     const { request: resolved, missing } = resolveRequest(
       baseRequest,
-      state.synced,
+      resolveSynced,
       plan,
-      envRefs,
+      stepEnvRefs,
       globalContext,
-      flatEnvs,
+      step.linkedWorkspaceId ? buildEnvMaps(resolveSynced, secretsById, state.local) : flatEnvs,
       secretsByLabel
     );
     const result = await executeRequest(resolved, {
       fetchImpl: opts.fetchImpl,
       signal: opts.signal,
       timeoutMs: opts.timeoutMs,
+      resolveAttachment: opts.resolveAttachment,
       authOptions: {
         onTokenRefreshed: (refreshedAuth) => {
-          tokenRefreshes.set(baseRequest.id, refreshedAuth);
+          if (!step.linkedWorkspaceId) tokenRefreshes.set(baseRequest.id, refreshedAuth);
         }
       }
     });
@@ -6118,7 +6455,7 @@ async function runPlan(state, planId, opts = {}) {
       const { extracted } = extractContext(result, baseRequest.extractions);
       globalContext = { ...globalContext, ...extracted };
     }
-    const refreshed = tokenRefreshes.get(baseRequest.id);
+    const refreshed = step.linkedWorkspaceId ? void 0 : tokenRefreshes.get(baseRequest.id);
     if (refreshed) {
       requests = {
         ...requests,
@@ -6153,7 +6490,7 @@ async function runPlan(state, planId, opts = {}) {
   const passed = executed.every((s) => s.passed);
   return { planRun, steps: stepResults, nextState, passed };
 }
-function buildEnvMaps(synced, secretsById) {
+function buildEnvMaps(synced, secretsById, local) {
   const flat = {};
   for (const [name, env] of Object.entries(synced.environments.items)) {
     const vars = {};
@@ -6169,6 +6506,25 @@ function buildEnvMaps(synced, secretsById) {
     }
     flat[envPriorityKey2({ kind: "local", name })] = vars;
   }
+  if (local) {
+    for (const [linkId, snapshot2] of Object.entries(local.linkedCollections)) {
+      const overridden = applyEnvironmentOverrides(snapshot2.environments, linkId, synced);
+      for (const [envName, env] of Object.entries(overridden.items)) {
+        const vars = {};
+        for (const variable of env.variables) {
+          if (!variable.key) continue;
+          if (variable.encrypted) {
+            const supplied = variable.secretKeyId ? secretsById[variable.secretKeyId] : void 0;
+            if (supplied === void 0) continue;
+            vars[variable.key] = supplied;
+          } else {
+            vars[variable.key] = variable.value;
+          }
+        }
+        flat[envPriorityKey2({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
+      }
+    }
+  }
   return flat;
 }
 function buildSecretsByLabel(synced, secretsById) {