@besales/mcp 0.1.0 → 0.11.1

package/README.md

@@ -6,7 +6,13 @@ Status: public npm package candidate.
 
 ## Install
 
-Production users can run the MCP server with `npx`:
+Requirements:
+
+- Node.js 20+
+- BeSales account with an active workspace
+- Claude Desktop, Claude Code, Codex CLI, or another MCP-capable host
+
+No global install is required. Production users can run the package with `npx`:
 
 ```bash
 npx -y @besales/mcp connect
@@ -14,6 +20,189 @@ npx -y @besales/mcp status
 npx -y @besales/mcp
 ```
 
+`connect` opens the browser consent flow and stores an MCP API key plus the
+selected workspace in the local keychain. Workspace-level tools use that
+connected workspace by default, so normal users should not provide
+`workspace_id` manually.
+
+For production, do not set `BESALES_API_BASE_URL` or
+`BESALES_OAUTH_AUTHORIZE_URL`. They default to:
+
+- `BESALES_API_BASE_URL` → `https://core.besales.ai/api/v2` (backend API host —
+  used for MCP tool calls)
+- `BESALES_OAUTH_AUTHORIZE_URL` →
+  `https://app.besales.ai/settings/mcp/consent` (frontend bridge page — opened
+  in the browser during `connect`; it mints a one-time setup ticket and forwards
+  to the backend consent page. After approval `connect` receives a one-time `code`
+  on the loopback callback and exchanges it with the PKCE `code_verifier` at
+  `/api/v2/auth/mcp-token` — the API key never travels in a URL)
+
+For staging or local development override them per command:
+
+```bash
+BESALES_API_BASE_URL=http://localhost:3000/api/v2 \
+BESALES_OAUTH_AUTHORIZE_URL=http://localhost:5173/settings/mcp/consent \
+  npx -y @besales/mcp connect
+```
+
+## Configure Your MCP Host
+
+After `connect`, add the server to your MCP host and restart the host.
+
+Claude Desktop config:
+
+```json
+{
+  "mcpServers": {
+    "besales": {
+      "command": "npx",
+      "args": ["-y", "@besales/mcp"]
+    }
+  }
+}
+```
+
+Claude Code:
+
+```bash
+claude mcp add --scope user besales -- npx -y @besales/mcp
+```
+
+Codex CLI:
+
+```bash
+codex mcp add besales -- npx -y @besales/mcp
+```
+
+Equivalent Codex config:
+
+```toml
+[mcp_servers.besales]
+command = "npx"
+args = ["-y", "@besales/mcp"]
+```
+
+For staging/local backends, include both backend and frontend bridge URLs in the
+host env. For example:
+
+```toml
+[mcp_servers.besales.env]
+BESALES_API_BASE_URL = "http://localhost:3000/api/v2"
+BESALES_OAUTH_AUTHORIZE_URL = "http://localhost:5173/settings/mcp/consent"
+```
+
+## Multiple Workspaces
+
+`besales-mcp` can hold keys for several workspaces at once — even across
+different accounts. Connect each one **once** (switch the account/workspace in
+the browser before each `connect`); keys are cached in your OS keychain and
+switching afterwards needs no browser.
+
+```bash
+npx -y @besales/mcp connect          # workspace A (browser logged into account A)
+npx -y @besales/mcp connect          # workspace B (re-login in the browser first)
+npx -y @besales/mcp connections      # list all connections, marks the active one
+```
+
+Bind a host session to a specific workspace with `BESALES_WORKSPACE_ID` in that
+server's `env` block — the cleanest "one session = one workspace" setup (one
+project/profile per workspace):
+
+```json
+{
+  "mcpServers": {
+    "besales": {
+      "command": "npx",
+      "args": ["-y", "@besales/mcp"],
+      "env": { "BESALES_WORKSPACE_ID": "<workspace-uuid>" }
+    }
+  }
+}
+```
+
+```toml
+[mcp_servers.besales.env]
+BESALES_WORKSPACE_ID = "<workspace-uuid>"
+```
+
+Workspace selection precedence, per tool call:
+
+1. `BESALES_WORKSPACE_ID` (env) — authoritative; an explicit, mismatching
+   `workspace_id` argument is refused.
+2. an explicit `workspace_id` argument (only when the env var is not set).
+3. the session binding set by the `besales_workspace_use` tool (in-memory, this
+   session/process only — see below).
+4. the global active workspace set by `besales-mcp use <id>`.
+5. the only connected workspace (error if several are connected and none chosen).
+
+`active` is global across all env-less sessions, and `BESALES_WORKSPACE_ID`
+always overrides it. Get workspace ids from `besales-mcp connections`.
+
+### GUI hosts without per-session env (e.g. Claude Desktop)
+
+When the host has no place to set `BESALES_WORKSPACE_ID` per session (you just
+click "new session"), there are two ways to keep several workspaces apart.
+
+**Recommended — one pinned named server per workspace (survives reconnects).**
+Run once per workspace:
+
+```bash
+yarn install:claude-desktop --name besales-acme   --workspace <uuid-A>
+yarn install:claude-desktop --name besales-globex --workspace <uuid-B>
+```
+
+This adds env-pinned `mcpServers` entries (with a timestamped config backup);
+restart Claude Desktop. Their tools appear namespaced —
+`mcp__besales-acme__besales_*` (always workspace A) and
+`mcp__besales-globex__besales_*` (always B). Because the pin lives in the host
+config, it **survives MCP reconnects** and **never silently drifts** to the wrong
+workspace. Both toolsets are visible in every session; you just address the one
+you mean.
+
+**Quick / in-session — `besales_workspace_use` (does NOT survive a reconnect).**
+Ask the assistant to call **`besales_workspace_use <workspaceId>`** to bind the
+current session in-memory. Each host session runs its own `besales-mcp` process,
+so it is per-session and touches neither the global `active` nor other sessions.
+Caveat: the binding is **in-memory only** — when the host respawns the server
+(reconnect, which GUI hosts do often), it is **lost and falls back to the global
+`active`**. Use it for a stable stretch, not as a durable lock; for that use the
+pinned named servers above. `besales_workspace_current` shows the current binding
++ source and lists connected workspaces; it is **refused** under a
+`BESALES_WORKSPACE_ID` pin (env wins).
+
+- `BESALES_WORKSPACE_ID` is read **once at process start** — exporting it after a
+  session is already open has no effect. Restart the session to re-pin via env.
+
+## First Smoke
+
+Start a fresh host session after changing MCP config, then ask a natural
+business request:
+
+```text
+Use besales MCP to create an ICP for SaaS B2B sales automation.
+```
+
+The assistant should discover and call the relevant `besales_*` tools itself.
+Users should not mention `tool_search` and should not be asked for a
+`workspace_id`.
+
+Expected quick checks:
+
+1. `npx -y @besales/mcp status` shows connected credentials.
+2. The host shows the `besales` MCP server as connected.
+3. Direct tools such as `besales_icp_create` work.
+4. External flows use `*_get_instructions`, execute stages locally in the host,
+   then call the matching `*_submit` tool.
+
+To switch workspace, connect each one once (see [Multiple Workspaces](#multiple-workspaces))
+and either set `BESALES_WORKSPACE_ID` per host session or run
+`npx -y @besales/mcp use <workspaceId>`. No browser re-auth is needed once a
+workspace is connected.
+
+If the host still asks for `workspace_id`, it is usually using an old cached
+tool schema or an old package version. Restart the host/session and use
+`@besales/mcp@latest` in the host args if needed.
+
 ## Development
 
 ```bash
@@ -56,40 +245,98 @@ yarn dev:mock:clear
 ## CLI
 
 ```bash
-node bin/besales-mcp.js connect
-node bin/besales-mcp.js status
-node bin/besales-mcp.js disconnect
-node bin/besales-mcp.js
+node bin/besales-mcp.js connect              # connect (or refresh) a workspace
+node bin/besales-mcp.js connections          # list connected workspaces (* = active)
+node bin/besales-mcp.js use <workspaceId>    # set the active (default) workspace
+node bin/besales-mcp.js status               # show the active workspace
+node bin/besales-mcp.js disconnect           # disconnect the active workspace only
+node bin/besales-mcp.js disconnect <id>      # disconnect one workspace
+node bin/besales-mcp.js disconnect --all     # disconnect every workspace
+node bin/besales-mcp.js                       # start the MCP server
 ```
 
-`BESALES_API_BASE_URL` defaults to `https://app.besales.ai/api/v2`. For local
-development, set it to `http://localhost:3000/api/v2`.
+`BESALES_API_BASE_URL` defaults to `https://core.besales.ai/api/v2` (backend).
+`BESALES_OAUTH_AUTHORIZE_URL` defaults to
+`https://app.besales.ai/settings/mcp/consent` (frontend bridge). For local
+development point them at your local backend and frontend respectively.
 
 Tool calls require stored credentials. Run `node bin/besales-mcp.js connect`
-against a backend that implements `/api/v2/auth/mcp-connect`, or run
+against a backend that implements the MCP OAuth endpoints
+(`/api/v2/auth/mcp-connect*` + `/api/v2/auth/mcp-token`), or run
 `yarn dev:mock:seed` for mock-only smoke tests.
 
-For production users, do not set `BESALES_API_BASE_URL`. Run:
+For production users, do not set `BESALES_API_BASE_URL` or
+`BESALES_OAUTH_AUTHORIZE_URL`. Run:
 
 ```bash
 npx -y @besales/mcp connect
 ```
 
-The browser consent flow stores the selected workspace in the local keychain.
-Workspace-level tools default to that connected workspace, so users should not
-provide `workspace_id` manually. To switch workspace, run `besales-mcp
-disconnect`, switch/create the desired workspace in the web app if needed, then
-run `besales-mcp connect` again.
+The browser consent flow stores the connected workspace key in the local
+keychain. Workspace-level tools default to the session's workspace, so users
+should not provide `workspace_id` manually. To work with several workspaces,
+connect each once and pin sessions via `BESALES_WORKSPACE_ID` (or switch the
+global default with `besales-mcp use <id>`) — see
+[Multiple Workspaces](#multiple-workspaces).
+
+## Available tools (128 tools by category)
+
+Counts are derived from `src/schemas/mcp-tools.json` (`summary.tools_by_category`)
+and asserted in `src/tools/registry.spec.ts`:
+
+| Category | Tools | Notes |
+|---|---|---|
+| ICP (profiles, dialogue import, analysis) | 5 | incl. `besales_icp_analysis_*` external pair |
+| ICP — read (profile / segments / scenarios / samples) | 4 | `besales_icp_list` / `_get` / `_scenarios_list` / `_sample_messages` (read-only over existing GET `/api/v2/icp/*`) |
+| Prompt generation / analysis / lint / patch sessions | 13 | `besales_prompt_*`, `besales_qa_generation_*` external pairs |
+| Sandbox / simulation / test-scenario generation | 7 | `besales_sandbox_*`, `besales_simulation_*`, `besales_test_scenario_*` |
+| Model comparison (bake-off) | 4 | `besales_model_catalog_list` + `besales_model_comparison_run_start` / `_get` / `_eval_submit` (on-demand multi-model prompt comparison) |
+| Agent / router / triggers / behavior / facts | 13 | Platform Setup Bridge (incl. `besales_behavior_update`, `besales_pipeline_settings_update`, `besales_platform_settings_update`) + `besales_facts_*` |
+| Knowledge — spaces | 6 | `besales_knowledge_space_*` |
+| Knowledge — documents | 4 | incl. `besales_knowledge_document_upload` |
+| Knowledge — Q&A | 7 | CRUD + semantic search + move |
+| Knowledge — websites | 4 | crawl + Pinecone upsert |
+| Knowledge — tables | 6 | Google Sheets link + reindex |
+| Workbook ingestion (xlsx / Google Sheets) | 3 | `besales_workbook_*` |
+| Feedback sheets (Google Sheets QA) | 5 | `besales_feedback_sheet_*` |
+| Variables (unified) | 5 | `besales_variable_*` |
+| CRM — pipelines, statuses, platform link | 11 | `besales_crm_pipeline_*`, `besales_platform_pipeline_*` |
+| CRM — connection / field mapping / operators / activate | 7 | `besales_crm_create_*` (AmoCRM/Bitrix24 via browser-secrets), `besales_crm_field_mapping_*`, `besales_crm_operator_*`, `besales_crm_activate` (live token check + activate, deactivates other workspace CRMs) |
+| Platform — provisioning / OAuth | 3 | `besales_platform_create_init`, `besales_platform_create_status`, `besales_platform_create_oauth_init` (Instagram/Avito) |
+| Platform — clone | 3 | `besales_platform_clone_*` |
+| Data sources (1С, категория «БД») | 9 | `besales_datasource_create_*` (Setup URL pattern), `_list` / `_health` / `_catalogs` / `_catalog_roles` / `_role_assign` / `_enable` / `_vectorize`. 1С — товарная БД через OData; чтение/запись — действия триггеров, не tools агента |
+| Files | 3 | `besales_file_upload_request` + status + list |
+| Context / overview / audit | 3 | `besales_workspace_overview`, `besales_platform_context_get`, `besales_audit_revert` |
+| Session / workspace binding | 2 | `besales_workspace_use`, `besales_workspace_current` (in-memory per-session, local — no backend) |
+
+Recent capabilities:
+
+- **OAuth PKCE provisioning** — `besales_platform_create_oauth_init` opens the
+  authorization flow in the browser for Instagram/Avito so the OAuth code never
+  passes through the LLM.
+- **CRM connection via browser-secrets** — `besales_crm_create_init` provisions
+  AmoCRM/Bitrix24 (and GetCourse/Telegram) using the Setup URL pattern, where the
+  user pastes credentials in the browser instead of through the chat.
+- **Setup URL pattern** — `*_init` returns a one-time URL; the user completes
+  sensitive input in the browser and the host polls `*_status` until ready.
+- **File upload** — two-step flow (`besales_file_upload_request` →
+  `besales_file_upload_status`) so binaries are uploaded directly, not via MCP.
+- **Platform provisioning & clone** — create channels and clone an existing
+  platform configuration (`besales_platform_clone_preview` / `_execute`).
+- **Knowledge ingestion** — full namespace/document/Q&A/website/table CRUD plus
+  workbook ingestion from xlsx and Google Sheets.
 
 ## Resources
 
-The package exposes 5 MCP concept resources:
+The package exposes 7 MCP concept resources:
 
 - `besales://concepts/icp`
 - `besales://concepts/triggers`
 - `besales://concepts/sandbox`
 - `besales://concepts/handoff`
 - `besales://concepts/external-execution`
+- `besales://concepts/feedback-sheets`
+- `besales://concepts/workbook-classification`
 
 Inspect them locally:
 
@@ -97,7 +344,7 @@ Inspect them locally:
 yarn dlx @modelcontextprotocol/inspector node bin/besales-mcp.js
 ```
 
-The Inspector should show 31 tools and 5 resources.
+The Inspector should show 128 tools and 23 resources.
 
 ## Claude Desktop
 
@@ -124,4 +371,12 @@ Claude Code, and Codex CLI are documented in
 - This package calls Animaly only through `ai-aniomaly` `/api/v2/*`.
 - Direct calls to `prompt-services` are intentionally out of scope.
 
-The package exposes 31 active MCP tools from `src/schemas/mcp-tools.json`.
+The package exposes 128 active MCP tools from `src/schemas/mcp-tools.json`.
+
+### Token scopes
+
+Read and PromptHub/ICP/sandbox operations are covered by the composite `mcp:*`
+scope granted during `connect`. Setup mutations (knowledge ingestion, variables,
+CRM pipelines, platform settings/provisioning, clone, the Platform Setup Bridge,
+etc.) additionally require the `mcp:platform-setup` scope — a plain `mcp:*` key
+on its own does not authorize setup mutations.

package/dist/auth/connection-store.d.ts

@@ -0,0 +1,58 @@
+import { type CredentialStore } from './token-storage.js';
+export declare const INDEX_ACCOUNT = "index";
+export declare const ACTIVE_ACCOUNT = "active";
+/** Имя keychain-account'а, хранящего api_key конкретного воркспейса. */
+export declare function keyAccount(workspaceId: string): string;
+/** Метаданные подключения (без секрета) — то, что лежит в `index`. */
+export interface ConnectionMeta {
+    workspaceId: string;
+    keyPrefix: string;
+    connectedAt: string;
+}
+/**
+ * Ошибка резолва воркспейса: не подключён / неоднозначно / env-конфликт / нет ключа.
+ * Несёт КОНКРЕТНОЕ сообщение для агента и мапится в `result.ts` ДО `ApiClientError`,
+ * иначе схлопнулась бы в generic «Not connected. Run `besales-mcp connect`».
+ */
+export declare class WorkspaceResolutionError extends Error {
+    constructor(message: string);
+}
+/**
+ * Мульти-воркспейс хранилище поверх keychain: несколько ключей (по одному на
+ * воркспейс), индекс метаданных без секретов и указатель `active`. Источник
+ * выбора воркспейса для сессии — см. resolveWorkspace() в tools/registry.ts.
+ */
+export declare class ConnectionStore {
+    private readonly storage;
+    private legacyMigrationPromise?;
+    constructor(storage?: CredentialStore);
+    /**
+     * Одноразовая миграция legacy-пары (`api_key` + `workspace_id`) в новую схему.
+     * Мемоизирована per-instance; promise сбрасывается при ошибке, чтобы не залипнуть
+     * на rejected состоянии и повторить при следующем вызове.
+     */
+    migrateLegacy(): Promise<void>;
+    list(): Promise<ConnectionMeta[]>;
+    getKey(workspaceId: string): Promise<string | null>;
+    getActive(): Promise<string | null>;
+    setActive(workspaceId: string): Promise<void>;
+    /**
+     * Добавить/обновить подключение воркспейса. Атомарно: при сбое любой записи
+     * восстанавливает прежние key/index/active (refresh того же воркспейса не теряет
+     * рабочий ключ). Первое подключение становится `active`.
+     */
+    addOrReplace(workspaceId: string, apiKey: string): Promise<void>;
+    remove(workspaceId: string): Promise<void>;
+    /**
+     * Полная очистка (best-effort): удаляет ВСЕ `key:*` (включая osиротевшие после
+     * краша между записью ключа и индекса), `index`, `active` и legacy-пару. Каждое
+     * удаление независимо (Promise.allSettled) — частичный сбой не оставляет
+     * неудалённый секрет молча, а поднимает ошибку.
+     */
+    clear(): Promise<void>;
+    private runLegacyMigration;
+    private readIndex;
+    private writeIndex;
+    private restore;
+    private restoreAccount;
+}

package/dist/auth/connection-store.js

@@ -0,0 +1,208 @@
+import { logger } from '../utils/logger.js';
+import { maskApiKey } from '../utils/mask.js';
+import { LEGACY_API_KEY_ACCOUNT, LEGACY_WORKSPACE_ID_ACCOUNT, TokenStorage, } from './token-storage.js';
+export const INDEX_ACCOUNT = 'index';
+export const ACTIVE_ACCOUNT = 'active';
+const KEY_ACCOUNT_PREFIX = 'key:';
+/** Имя keychain-account'а, хранящего api_key конкретного воркспейса. */
+export function keyAccount(workspaceId) {
+    return `${KEY_ACCOUNT_PREFIX}${workspaceId}`;
+}
+/**
+ * Ошибка резолва воркспейса: не подключён / неоднозначно / env-конфликт / нет ключа.
+ * Несёт КОНКРЕТНОЕ сообщение для агента и мапится в `result.ts` ДО `ApiClientError`,
+ * иначе схлопнулась бы в generic «Not connected. Run `besales-mcp connect`».
+ */
+export class WorkspaceResolutionError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'WorkspaceResolutionError';
+    }
+}
+/**
+ * Мульти-воркспейс хранилище поверх keychain: несколько ключей (по одному на
+ * воркспейс), индекс метаданных без секретов и указатель `active`. Источник
+ * выбора воркспейса для сессии — см. resolveWorkspace() в tools/registry.ts.
+ */
+export class ConnectionStore {
+    storage;
+    legacyMigrationPromise;
+    constructor(storage = new TokenStorage()) {
+        this.storage = storage;
+    }
+    /**
+     * Одноразовая миграция legacy-пары (`api_key` + `workspace_id`) в новую схему.
+     * Мемоизирована per-instance; promise сбрасывается при ошибке, чтобы не залипнуть
+     * на rejected состоянии и повторить при следующем вызове.
+     */
+    async migrateLegacy() {
+        if (!this.legacyMigrationPromise) {
+            this.legacyMigrationPromise = this.runLegacyMigration().catch((error) => {
+                this.legacyMigrationPromise = undefined;
+                throw error;
+            });
+        }
+        return this.legacyMigrationPromise;
+    }
+    async list() {
+        return this.readIndex();
+    }
+    async getKey(workspaceId) {
+        return this.storage.get(keyAccount(workspaceId));
+    }
+    async getActive() {
+        return this.storage.get(ACTIVE_ACCOUNT);
+    }
+    async setActive(workspaceId) {
+        const index = await this.readIndex();
+        if (!index.some((connection) => connection.workspaceId === workspaceId)) {
+            throw new WorkspaceResolutionError(`Workspace ${workspaceId} is not connected. Run \`besales-mcp connect\` first.`);
+        }
+        await this.storage.set(ACTIVE_ACCOUNT, workspaceId);
+    }
+    /**
+     * Добавить/обновить подключение воркспейса. Атомарно: при сбое любой записи
+     * восстанавливает прежние key/index/active (refresh того же воркспейса не теряет
+     * рабочий ключ). Первое подключение становится `active`.
+     */
+    async addOrReplace(workspaceId, apiKey) {
+        const [prevKey, prevIndexRaw, prevActive] = await Promise.all([
+            this.storage.get(keyAccount(workspaceId)),
+            this.storage.get(INDEX_ACCOUNT),
+            this.storage.get(ACTIVE_ACCOUNT),
+        ]);
+        try {
+            await this.storage.set(keyAccount(workspaceId), apiKey);
+            const index = await this.readIndex();
+            const meta = {
+                workspaceId,
+                keyPrefix: maskApiKey(apiKey),
+                connectedAt: new Date().toISOString(),
+            };
+            const next = [
+                ...index.filter((connection) => connection.workspaceId !== workspaceId),
+                meta,
+            ];
+            await this.writeIndex(next);
+            if (!prevActive) {
+                await this.storage.set(ACTIVE_ACCOUNT, workspaceId);
+            }
+        }
+        catch (error) {
+            await this.restore(workspaceId, prevKey, prevIndexRaw, prevActive);
+            throw error;
+        }
+    }
+    async remove(workspaceId) {
+        // index пишем ДО удаления ключа: при сбое останется orphan-ключ (его подметёт
+        // clear()), а не висячая запись index без ключа.
+        const index = await this.readIndex();
+        await this.writeIndex(index.filter((connection) => connection.workspaceId !== workspaceId));
+        await this.storage.delete(keyAccount(workspaceId));
+        const active = await this.storage.get(ACTIVE_ACCOUNT);
+        if (active === workspaceId) {
+            await this.storage.delete(ACTIVE_ACCOUNT);
+        }
+    }
+    /**
+     * Полная очистка (best-effort): удаляет ВСЕ `key:*` (включая osиротевшие после
+     * краша между записью ключа и индекса), `index`, `active` и legacy-пару. Каждое
+     * удаление независимо (Promise.allSettled) — частичный сбой не оставляет
+     * неудалённый секрет молча, а поднимает ошибку.
+     */
+    async clear() {
+        const targets = new Set([
+            INDEX_ACCOUNT,
+            ACTIVE_ACCOUNT,
+            LEGACY_API_KEY_ACCOUNT,
+            LEGACY_WORKSPACE_ID_ACCOUNT,
+        ]);
+        for (const connection of await this.readIndex()) {
+            targets.add(keyAccount(connection.workspaceId));
+        }
+        try {
+            for (const account of await this.storage.accounts()) {
+                if (account.startsWith(KEY_ACCOUNT_PREFIX)) {
+                    targets.add(account);
+                }
+            }
+        }
+        catch {
+            logger.warn('Could not enumerate keychain accounts during clear — using index only');
+        }
+        const results = await Promise.allSettled([...targets].map((account) => this.storage.delete(account)));
+        const failed = results.filter((result) => result.status === 'rejected').length;
+        if (failed > 0) {
+            throw new Error(`Failed to remove ${failed} keychain entr${failed === 1 ? 'y' : 'ies'} during clear`);
+        }
+    }
+    async runLegacyMigration() {
+        const existing = await this.readIndex();
+        if (existing.length > 0) {
+            return;
+        }
+        const [legacyKey, legacyWorkspaceId] = await Promise.all([
+            this.storage.get(LEGACY_API_KEY_ACCOUNT),
+            this.storage.get(LEGACY_WORKSPACE_ID_ACCOUNT),
+        ]);
+        if (!legacyKey || !legacyWorkspaceId) {
+            return;
+        }
+        // crash-safe: key + index + active пишутся ДО удаления legacy.
+        await this.storage.set(keyAccount(legacyWorkspaceId), legacyKey);
+        await this.writeIndex([
+            {
+                workspaceId: legacyWorkspaceId,
+                keyPrefix: maskApiKey(legacyKey),
+                connectedAt: new Date().toISOString(),
+            },
+        ]);
+        await this.storage.set(ACTIVE_ACCOUNT, legacyWorkspaceId);
+        await this.storage.delete(LEGACY_API_KEY_ACCOUNT);
+        await this.storage.delete(LEGACY_WORKSPACE_ID_ACCOUNT);
+        logger.info({ workspaceId: legacyWorkspaceId }, 'Migrated legacy credentials to multi-workspace store');
+    }
+    async readIndex() {
+        const raw = await this.storage.get(INDEX_ACCOUNT);
+        if (!raw) {
+            return [];
+        }
+        try {
+            const parsed = JSON.parse(raw);
+            if (!Array.isArray(parsed)) {
+                return [];
+            }
+            return parsed.filter(isConnectionMeta);
+        }
+        catch {
+            logger.warn('Connection index is corrupt — treating as empty');
+            return [];
+        }
+    }
+    async writeIndex(connections) {
+        await this.storage.set(INDEX_ACCOUNT, JSON.stringify(connections));
+    }
+    async restore(workspaceId, prevKey, prevIndexRaw, prevActive) {
+        await this.restoreAccount(keyAccount(workspaceId), prevKey);
+        await this.restoreAccount(INDEX_ACCOUNT, prevIndexRaw);
+        await this.restoreAccount(ACTIVE_ACCOUNT, prevActive);
+    }
+    async restoreAccount(account, previousValue) {
+        if (previousValue === null) {
+            await this.storage.delete(account);
+        }
+        else {
+            await this.storage.set(account, previousValue);
+        }
+    }
+}
+function isConnectionMeta(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const candidate = value;
+    return (typeof candidate.workspaceId === 'string' &&
+        typeof candidate.keyPrefix === 'string' &&
+        typeof candidate.connectedAt === 'string');
+}
+//# sourceMappingURL=connection-store.js.map

package/dist/auth/connection-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection-store.js","sourceRoot":"","sources":["../../src/auth/connection-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAEL,sBAAsB,EACtB,2BAA2B,EAC3B,YAAY,GACb,MAAM,oBAAoB,CAAC;AAE5B,MAAM,CAAC,MAAM,aAAa,GAAG,OAAO,CAAC;AACrC,MAAM,CAAC,MAAM,cAAc,GAAG,QAAQ,CAAC;AACvC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,wEAAwE;AACxE,MAAM,UAAU,UAAU,CAAC,WAAmB;IAC5C,OAAO,GAAG,kBAAkB,GAAG,WAAW,EAAE,CAAC;AAC/C,CAAC;AASD;;;;GAIG;AACH,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,eAAe;IAGG;IAFrB,sBAAsB,CAAiB;IAE/C,YAA6B,UAA2B,IAAI,YAAY,EAAE;QAA7C,YAAO,GAAP,OAAO,CAAsC;IAAG,CAAC;IAE9E;;;;OAIG;IACH,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACjC,IAAI,CAAC,sBAAsB,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;gBAC/E,IAAI,CAAC,sBAAsB,GAAG,SAAS,CAAC;gBACxC,MAAM,KAAK,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC,sBAAsB,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI;QACR,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,WAAmB;QAC9B,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,SAAS;QACb,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,WAAmB;QACjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,WAAW,KAAK,WAAW,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,wBAAwB,CAChC,aAAa,WAAW,uDAAuD,CAChF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,WAAmB,EAAE,MAAc;QACpD,MAAM,CAAC,OAAO,EAAE,YAAY,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC5D,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;YACzC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,CAAC;YAExD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,GAAmB;gBAC3B,WAAW;gBACX,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC;gBAC7B,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACtC,CAAC;YACF,MAAM,IAAI,GAAG;gBACX,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,WAAW,KAAK,WAAW,CAAC;gBACvE,IAAI;aACL,CAAC;YACF,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YAE5B,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;YACnE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,WAAmB;QAC9B,8EAA8E;QAC9E,iDAAiD;QACjD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,WAAW,KAAK,WAAW,CAAC,CAAC,CAAC;QAC5F,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;QAEnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACtD,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,KAAK;QACT,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS;YAC9B,aAAa;YACb,cAAc;YACd,sBAAsB;YACtB,2BAA2B;SAC5B,CAAC,CAAC;QAEH,KAAK,MAAM,UAAU,IAAI,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,CAAC;YACH,KAAK,MAAM,OAAO,IAAI,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;gBACpD,IAAI,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBAC3C,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;QACvF,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,CAAC,GAAG,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAC5D,CAAC;QACF,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;QAC/E,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,oBAAoB,MAAM,iBAAiB,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,eAAe,CAAC,CAAC;QACxG,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,kBAAkB;QAC9B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACxC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO;QACT,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,iBAAiB,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACvD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;YACxC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;SAC9C,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACrC,OAAO;QACT,CAAC;QAED,+DAA+D;QAC/D,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,SAAS,CAAC,CAAC;QACjE,MAAM,IAAI,CAAC,UAAU,CAAC;YACpB;gBACE,WAAW,EAAE,iBAAiB;gBAC9B,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC;gBAChC,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACtC;SACF,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;QAE1D,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAClD,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC;QAEvD,MAAM,CAAC,IAAI,CACT,EAAE,WAAW,EAAE,iBAAiB,EAAE,EAClC,sDAAsD,CACvD,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAClD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3B,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,OAAO,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;YAC/D,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,WAA6B;QACpD,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;IACrE,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,WAAmB,EACnB,OAAsB,EACtB,YAA2B,EAC3B,UAAyB;QAEzB,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QACvD,MAAM,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;IACxD,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,OAAe,EAAE,aAA4B;QACxE,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,KAAgC,CAAC;IACnD,OAAO,CACL,OAAO,SAAS,CAAC,WAAW,KAAK,QAAQ;QACzC,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;QACvC,OAAO,SAAS,CAAC,WAAW,KAAK,QAAQ,CAC1C,CAAC;AACJ,CAAC"}