@keystrokehq/cli 0.0.1

package/dist/upload.handler-DCtiznQp.mjs

@@ -0,0 +1,441 @@
+#!/usr/bin/env node
+
+import { D as throwReportedCliExit, h as toErrorMessage, t as ui } from "./keystroke.mjs";
+import { t as assertWorkflowProjectRoot } from "./project-config-D1qsQlO7.mjs";
+import { a as writeJsonError, i as writeJson } from "./output-DM4b7KgY.mjs";
+import { a as readManifestsFromOutDir, t as collectCredentialFingerprintMapFromProjectDist } from "./dist-BkJUoBiG.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-DDJ29sCF.mjs";
+import { n as getProcessEnv } from "./env-91KwMKov.mjs";
+import { i as requireClient } from "./context-T7HZuB97.mjs";
+import { t as getIntegrationCatalog } from "./integration-catalog-Bt-L3GjF.mjs";
+import { t as readCredentialEnvMap } from "./credential-env-map-CI8yWHVy.mjs";
+import { a as verifyCredentialResolvable, i as validateManualCredentialWithHook, n as resolveCredentialValuesFromEnv, r as uploadCredential, t as groupCredentialRequirements } from "./credentials-OfVHOtG3.mjs";
+import { n as renderCredentialSchemaMismatchText, r as writeCredentialSchemaMismatchJson, t as isCredentialSchemaMismatchErrorLike } from "./credential-schema-mismatch-BKo5PjcQ.mjs";
+import * as path$1 from "node:path";
+import { confirm, isCancel } from "@clack/prompts";
+//#region src/commands/credentials/upload/upload.handler.ts
+function resolveEnvVarName(credentialSetId, key, envMap) {
+	return envMap?.[credentialSetId]?.[key] ?? `KEYSTROKE_${key}`;
+}
+function resolveExpectedEnvVarNames(credentialSetId, keys, envMap) {
+	return keys.map((key) => resolveEnvVarName(credentialSetId, key, envMap));
+}
+function quoteCliArg(value) {
+	return /\s/.test(value) ? `"${value.replace(/"/g, "\\\"")}"` : value;
+}
+function getCredentialDisplayName(catalog, credentialSetId) {
+	const info = catalog.byResolvedCredentialSetId.get(credentialSetId);
+	if (info?.role === "connection" && info.integrationPublicId) return info.integrationPublicId;
+	return credentialSetId;
+}
+function isCatalogCredentialSet(catalog, credentialSetId) {
+	return catalog.byResolvedCredentialSetId.has(credentialSetId);
+}
+function buildMissingSchemaFingerprintMessage(params) {
+	return `Cannot upload non-official credential set "${params.credentialSetId}" because the CLI could not discover its schema fingerprint from local build artifacts. Run \`keystroke workflows build\` in "${params.projectRoot}" and retry. Use --path to point at the owning Keystroke project if needed.`;
+}
+function buildRerunCommand(options) {
+	const parts = ["keystroke credentials upload"];
+	if (options.credentialSet && options.keys) {
+		parts.push(`--credential-set ${quoteCliArg(options.credentialSet)}`);
+		parts.push(`--keys ${quoteCliArg(options.keys)}`);
+	} else if (options.integration) parts.push(`--integration ${quoteCliArg(options.integration)}`);
+	if (options.update) parts.push("--update");
+	if (options.scope !== "user") parts.push(`--scope ${options.scope}`);
+	if (options.path) parts.push(`--path ${quoteCliArg(options.path)}`);
+	return parts.join(" ");
+}
+function formatUploadOutcomeMessage(params) {
+	const { credentialSetId, uploadedCredentialSetId, action, scope, keyCount } = params;
+	const scopeLabel = `scope: ${scope}`;
+	if (action === "created") return {
+		level: "success",
+		message: `${credentialSetId}: created credential set ${uploadedCredentialSetId} (${scopeLabel}) and uploaded ${keyCount} key(s).`
+	};
+	if (action === "updated-values") return {
+		level: "success",
+		message: `${credentialSetId}: updated values for existing credential set ${uploadedCredentialSetId} (${scopeLabel}) using ${keyCount} key(s) from your current env vars.`
+	};
+	if (action === "marked-default") return {
+		level: "warn",
+		message: `${credentialSetId}: already configured (${uploadedCredentialSetId}, ${scopeLabel}). Marked as default; values unchanged — use --update to refresh from env vars.`
+	};
+	return {
+		level: "warn",
+		message: `${credentialSetId}: already configured (${uploadedCredentialSetId}, ${scopeLabel}). Values unchanged — use --update to refresh from env vars.`
+	};
+}
+function renderSkippedCredentials(skipped) {
+	if (skipped.length === 0) return;
+	ui.br();
+	ui.warn(`Skipped ${skipped.length} credential set(s) — env vars not found:`);
+	for (const item of skipped) ui.text(`  - ${item.displayName} (missing: ${item.missingEnvVars.join(", ")})`);
+}
+function renderSummary(results) {
+	const created = results.filter((r) => r.action === "created").length;
+	const updated = results.filter((r) => r.action === "updated-values").length;
+	const unchanged = results.filter((r) => r.action === "unchanged" || r.action === "marked-default").length;
+	const parts = [];
+	if (created > 0) parts.push(`${created} created`);
+	if (updated > 0) parts.push(`${updated} updated`);
+	if (unchanged > 0) parts.push(`${unchanged} unchanged`);
+	if (parts.length > 0) {
+		ui.br();
+		ui.text(`Done: ${parts.join(", ")}.`);
+	}
+}
+async function resolveProjectIdForUpload(params) {
+	const { client, projectRoot } = params;
+	const projectConfig = await assertWorkflowProjectRoot(projectRoot);
+	const auth = await client.public.auth.validate();
+	if (projectConfig.organizationId !== auth.organizationId) {
+		const message = `This checkout is configured for organization "${projectConfig.organizationId}", but the current credentials are scoped to "${auth.organizationId}".`;
+		ui.error(message);
+		ui.hint("Switch organizations or update your local project config before running this command.");
+		throwReportedCliExit(message);
+	}
+	return projectConfig.projectId;
+}
+async function resolveUploadScopeContext(params) {
+	const { client, scope, projectRoot } = params;
+	if (scope === "user") return {};
+	if (scope === "organization") return { organizationId: (await client.public.auth.validate()).organizationId };
+	return { projectId: await resolveProjectIdForUpload({
+		client,
+		projectRoot
+	}) };
+}
+function resolveEnvVarStatus(keys, credentialSetId, envMap, env) {
+	return keys.map((key) => {
+		const envVar = resolveEnvVarName(credentialSetId, key, envMap);
+		const value = env[envVar];
+		return {
+			key,
+			envVar,
+			present: !!value && value.trim().length > 0
+		};
+	});
+}
+async function handleCredentialsUpload(options, ctx) {
+	const client = requireClient(ctx);
+	const isExplicitCredentialSetMode = !!options.credentialSet;
+	const isExplicitIntegrationMode = !!options.integration;
+	const isExplicitMode = isExplicitCredentialSetMode || isExplicitIntegrationMode;
+	const hasKeys = !!options.keys;
+	if (isExplicitCredentialSetMode && isExplicitIntegrationMode) {
+		ui.error("--integration cannot be combined with --credential-set");
+		throwReportedCliExit("--integration cannot be combined with --credential-set");
+	}
+	if (isExplicitCredentialSetMode && !hasKeys) {
+		ui.error("--credential-set requires --keys (comma-separated credential keys)");
+		throwReportedCliExit("--credential-set requires --keys (comma-separated credential keys)");
+	}
+	if (hasKeys && !isExplicitCredentialSetMode) {
+		ui.error("--keys requires --credential-set");
+		throwReportedCliExit("--keys requires --credential-set");
+	}
+	if (!isExplicitMode && options.name) {
+		ui.error("--name can only be used when specifying --integration or --credential-set");
+		throwReportedCliExit("--name can only be used when specifying --integration or --credential-set");
+	}
+	const scope = options.scope;
+	const projectRoot = isExplicitMode && hasKeys ? options.path ? path$1.resolve(options.path) : process.cwd() : await requireWorkflowsDir(options.path);
+	const { organizationId, projectId } = await resolveUploadScopeContext({
+		client,
+		scope,
+		projectRoot
+	});
+	const envMap = await readCredentialEnvMap(projectRoot);
+	const catalog = await getIntegrationCatalog(ctx);
+	const fingerprintByCredentialSetId = isExplicitIntegrationMode ? /* @__PURE__ */ new Map() : await collectCredentialFingerprintMapFromProjectDist(projectRoot);
+	let toUpload = [];
+	const skipped = [];
+	if (isExplicitCredentialSetMode && hasKeys) {
+		const credentialSetId = options.credentialSet;
+		const keysArg = options.keys;
+		if (!credentialSetId || !keysArg) {
+			ui.error("--credential-set and --keys are required for explicit upload");
+			throwReportedCliExit("--credential-set and --keys are required for explicit upload");
+		}
+		const keys = keysArg.split(",").map((k) => k.trim()).filter(Boolean);
+		const keyToEnv = envMap?.[credentialSetId];
+		const values = resolveCredentialValuesFromEnv(keys, getProcessEnv(), keyToEnv);
+		if (!values) {
+			const expectedEnvVars = resolveExpectedEnvVarNames(credentialSetId, keys, envMap);
+			ui.error(`Missing env vars for ${credentialSetId}. Set: ${expectedEnvVars.join(", ")}`);
+			throwReportedCliExit(`Missing env vars for ${credentialSetId}. Set: ${expectedEnvVars.join(", ")}`);
+		}
+		const info = catalog.byResolvedCredentialSetId.get(credentialSetId);
+		toUpload = [{
+			credentialSetId,
+			displayName: getCredentialDisplayName(catalog, credentialSetId),
+			groupScope: null,
+			keys,
+			values,
+			...fingerprintByCredentialSetId.get(credentialSetId) ? { schemaFingerprint: fingerprintByCredentialSetId.get(credentialSetId) } : {},
+			...info?.connectionKind ? { connectionKind: info.connectionKind } : {}
+		}];
+	} else if (isExplicitIntegrationMode) {
+		const integrationId = options.integration?.trim().toLowerCase();
+		const entry = catalog.lookupByPublicId(integrationId);
+		if (!integrationId || !entry) {
+			ui.error(integrationId ? `Official integration "${integrationId}" is not supported for direct upload.` : "--integration is required for official integration upload");
+			throwReportedCliExit(integrationId ? `Official integration "${integrationId}" is not supported for direct upload.` : "--integration is required for official integration upload");
+		}
+		const publicId = entry.publicId;
+		const credentialSetId = entry.credentialSet.resolvedCredentialSetId;
+		const storedKeys = entry.credentialSet.storedKeys;
+		const authKeys = entry.credentialSet.authKeys;
+		const keyToEnv = envMap?.[credentialSetId];
+		const values = resolveCredentialValuesFromEnv(storedKeys, getProcessEnv(), keyToEnv);
+		if (!values) {
+			const expectedEnvVars = resolveExpectedEnvVarNames(credentialSetId, storedKeys, envMap);
+			ui.error(`Missing env vars for ${publicId}. Set: ${expectedEnvVars.join(", ")}`);
+			throwReportedCliExit(`Missing env vars for ${publicId}. Set: ${expectedEnvVars.join(", ")}`);
+		}
+		toUpload = [{
+			credentialSetId,
+			displayName: publicId,
+			groupScope: null,
+			keys: [...storedKeys],
+			verifyKeys: [...authKeys],
+			values,
+			connectionKind: entry.connectionKind
+		}];
+	} else {
+		const manifests = await readManifestsFromOutDir(projectRoot);
+		if (manifests.length === 0) {
+			ui.warn("No built manifests found. Run `keystroke workflows build` first.");
+			return;
+		}
+		const seen = /* @__PURE__ */ new Set();
+		const env = getProcessEnv();
+		for (const { manifest } of manifests) {
+			const groups = groupCredentialRequirements(manifest);
+			for (const group of groups) {
+				const groupKey = `${group.credentialSetId}:${group.scope ?? "__default__"}`;
+				if (seen.has(groupKey)) continue;
+				seen.add(groupKey);
+				const keyToEnv = envMap?.[group.credentialSetId];
+				const values = resolveCredentialValuesFromEnv(group.keys, env, keyToEnv);
+				if (values) {
+					const info = catalog.byResolvedCredentialSetId.get(group.credentialSetId);
+					toUpload.push({
+						credentialSetId: group.credentialSetId,
+						displayName: getCredentialDisplayName(catalog, group.credentialSetId),
+						groupScope: group.scope,
+						keys: group.keys,
+						values,
+						...fingerprintByCredentialSetId.get(group.credentialSetId) ? { schemaFingerprint: fingerprintByCredentialSetId.get(group.credentialSetId) } : {},
+						...info?.connectionKind ? { connectionKind: info.connectionKind } : {}
+					});
+				} else {
+					const missingEnvVars = resolveExpectedEnvVarNames(group.credentialSetId, group.keys, envMap);
+					skipped.push({
+						credentialSetId: group.credentialSetId,
+						displayName: getCredentialDisplayName(catalog, group.credentialSetId),
+						missingEnvVars
+					});
+				}
+			}
+		}
+		if (toUpload.length === 0) {
+			ui.warn("No credential requirements had matching env vars.");
+			renderSkippedCredentials(skipped);
+			ui.hint("Set the missing env vars, then rerun: keystroke credentials upload");
+			return;
+		}
+	}
+	const jsonOut = ctx.jsonMode;
+	if (options.update && !jsonOut && !options.dryRun && toUpload.length > 0) {
+		const shouldContinue = await confirm({ message: `Update ${toUpload.length} existing credential set(s) from current env vars?` });
+		if (isCancel(shouldContinue) || !shouldContinue) {
+			ui.text("Cancelled.");
+			return;
+		}
+	}
+	if (options.dryRun) {
+		const env = getProcessEnv();
+		if (jsonOut) {
+			writeJson({
+				dryRun: true,
+				update: options.update,
+				items: toUpload.map((item) => ({
+					credentialSetId: item.credentialSetId,
+					displayName: item.displayName,
+					scope,
+					keys: item.keys,
+					envVars: Object.fromEntries(resolveEnvVarStatus(item.keys, item.credentialSetId, envMap, env).map((s) => [s.key, {
+						envVar: s.envVar,
+						present: s.present
+					}]))
+				})),
+				...skipped.length > 0 ? { skipped } : {}
+			});
+			return;
+		}
+		ui.text(options.update ? `Would create or update ${toUpload.length} credential set(s) with scope ${scope}:` : `Would ensure ${toUpload.length} credential set(s) exist with scope ${scope}:`);
+		for (const item of toUpload) {
+			const envDetails = resolveEnvVarStatus(item.keys, item.credentialSetId, envMap, env).map((s) => `${s.envVar} (${s.present ? "set" : "missing"})`).join(", ");
+			ui.text(`  - ${item.displayName} (${item.keys.length} key(s)): ${envDetails}`);
+		}
+		renderSkippedCredentials(skipped);
+		return;
+	}
+	const results = [];
+	let unchangedCount = 0;
+	for (const item of toUpload) {
+		const credName = options.name ?? `[CLI] ${item.displayName}`;
+		if (item.connectionKind === "credentials-exchange") {
+			try {
+				const exchangeResponse = await client.credentials.exchange({
+					credentialSetId: item.credentialSetId,
+					input: item.values,
+					scope,
+					...projectId ? { projectId } : {},
+					name: credName,
+					isDefault: true
+				});
+				if (exchangeResponse.status === "needs-reinput") {
+					const msg = exchangeResponse.message ? `Exchange rejected for ${item.displayName}: ${exchangeResponse.message}` : `Exchange for ${item.displayName} returned needs-reinput; re-run after correcting your input.`;
+					if (jsonOut) writeJsonError(msg, { code: "EXCHANGE_NEEDS_REINPUT" });
+					else {
+						ui.warn(msg);
+						unchangedCount += 1;
+					}
+					continue;
+				}
+				results.push({
+					requestedCredentialSetId: item.displayName,
+					uploadedCredentialSetId: exchangeResponse.credentialSetId,
+					action: "created",
+					scope,
+					verified: true,
+					valuesUpdated: true
+				});
+				if (!jsonOut) ui.success(`${item.displayName}: exchanged credentials and persisted ${exchangeResponse.keys.length} key(s) (scope: ${scope}).`);
+			} catch (e) {
+				const msg = `Exchange failed for ${item.displayName}: ${toErrorMessage(e)}`;
+				if (jsonOut) writeJsonError(msg, { code: "EXCHANGE_FAILED" });
+				else {
+					ui.error(msg);
+					throwReportedCliExit(msg, { cause: e });
+				}
+			}
+			continue;
+		}
+		const validation = await validateManualCredentialWithHook({
+			credentialSetId: item.credentialSetId,
+			values: item.values
+		});
+		if (validation.status === "failed") {
+			const msg = `Validation failed for ${item.displayName}: ${validation.error}`;
+			if (jsonOut) {
+				writeJsonError(msg, { code: "VALIDATE_FAILED" });
+				continue;
+			}
+			ui.error(msg);
+			throwReportedCliExit(msg);
+		}
+		if (validation.status === "ok" && !jsonOut) ui.text(`Validated credentials against ${item.displayName}.`);
+		try {
+			if (!item.schemaFingerprint && !isCatalogCredentialSet(catalog, item.credentialSetId)) {
+				const message = buildMissingSchemaFingerprintMessage({
+					credentialSetId: item.credentialSetId,
+					projectRoot
+				});
+				if (jsonOut) writeJsonError(message, { code: "SCHEMA_FINGERPRINT_REQUIRED" });
+				else {
+					ui.error(message);
+					throwReportedCliExit(message);
+				}
+				continue;
+			}
+			const result = await uploadCredential({
+				client,
+				scope,
+				organizationId,
+				projectId,
+				credentialSetId: item.credentialSetId,
+				name: credName,
+				values: item.values,
+				updateExisting: options.update,
+				...item.schemaFingerprint ? { schemaFingerprint: item.schemaFingerprint } : {}
+			});
+			let verified = true;
+			const verifyKeys = item.verifyKeys ?? item.keys;
+			const verify = await verifyCredentialResolvable({
+				client,
+				credentialSetId: item.credentialSetId,
+				keys: verifyKeys,
+				scope,
+				projectId
+			});
+			if (!verify.success) {
+				verified = false;
+				const missing = verifyKeys.filter((k) => !verify.resolvedKeys.includes(k));
+				const msg = `Verify failed for ${item.displayName}: missing keys [${missing.join(", ")}]`;
+				if (jsonOut) writeJsonError(msg, { code: "VERIFY_FAILED" });
+				else {
+					ui.error(msg);
+					throwReportedCliExit(msg);
+				}
+			}
+			results.push({
+				requestedCredentialSetId: item.displayName,
+				uploadedCredentialSetId: result.credentialSetId,
+				action: result.action,
+				scope,
+				verified,
+				valuesUpdated: result.action === "created" || result.action === "updated-values"
+			});
+			if (!jsonOut) {
+				const outcome = formatUploadOutcomeMessage({
+					credentialSetId: item.displayName,
+					uploadedCredentialSetId: result.credentialSetId,
+					action: result.action,
+					scope,
+					keyCount: item.keys.length
+				});
+				if (outcome.level === "success") ui.success(outcome.message);
+				else {
+					unchangedCount += 1;
+					ui.warn(outcome.message);
+				}
+			}
+		} catch (e) {
+			if (isCredentialSchemaMismatchErrorLike(e)) {
+				if (jsonOut) {
+					writeCredentialSchemaMismatchJson(e);
+					throwReportedCliExit(e.message ?? `Credential schema mismatch for "${e.manifestId}"`, { cause: e });
+				}
+				renderCredentialSchemaMismatchText(ui, e);
+				throwReportedCliExit(e.message ?? `Credential schema mismatch for "${e.manifestId}"`, { cause: e });
+			}
+			const msg = `Failed for ${item.displayName}: ${toErrorMessage(e)}`;
+			if (jsonOut) writeJsonError(msg, { code: "UPLOAD_FAILED" });
+			else {
+				ui.error(msg);
+				throwReportedCliExit(msg, { cause: e });
+			}
+		}
+	}
+	if (jsonOut) {
+		writeJson({
+			results,
+			...skipped.length > 0 ? { skipped } : {}
+		});
+		return;
+	}
+	renderSkippedCredentials(skipped);
+	renderSummary(results);
+	if (unchangedCount > 0) {
+		const updateCommand = buildRerunCommand({
+			...options,
+			update: true
+		});
+		ui.hint(`To update values from your current env vars, rerun with --update: \`${updateCommand}\`.`);
+	}
+}
+//#endregion
+export { handleCredentialsUpload };

package/dist/utils-CywxCDM7.mjs

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+
+import { i as readProjectConfig } from "./project-config-D1qsQlO7.mjs";
+import { h as resolveBuildOutputDir } from "./layout-CbMtQ2tm.mjs";
+import path from "node:path";
+//#region ../../packages/project-config/src/utils.ts
+function resolveConfiguredBuildOutputDir(projectRoot, buildConfig) {
+	return buildConfig?.outDir ? path.resolve(projectRoot, buildConfig.outDir) : resolveBuildOutputDir(projectRoot);
+}
+async function resolveProjectBuildOutputDir(projectRoot) {
+	return resolveConfiguredBuildOutputDir(projectRoot, (await readProjectConfig(projectRoot))?.build);
+}
+//#endregion
+export { resolveProjectBuildOutputDir as n, resolveConfiguredBuildOutputDir as t };