@keystrokehq/cli 0.0.11 → 0.0.12

package/dist/{accept.handler-DWuxmMuY.mjs → accept.handler-BU6kg8ET.mjs}

@@ -2,7 +2,7 @@
 
 import { n as ui } from "./keystroke.mjs";
 import { i as writeJson } from "./output-CGdYhH0p.mjs";
-import { i as requireClient } from "./context-1VgRbzr-.mjs";
+import { i as requireClient } from "./context-DQ4IA0yO.mjs";
 import { n as isIamJsonMode, t as handleIamError } from "./iam-command-utils-ByLX0A-V.mjs";
 //#region src/commands/invites/accept.handler.ts
 async function handleInvitesAccept(options, ctx) {

package/dist/{admin-BK4bFTTd.mjs → admin-B4GNbCl5.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-CGdYhH0p.mjs";
-import { t as createTypedCommand } from "./commander-DcftG6dX.mjs";
+import { t as createTypedCommand } from "./commander-BwtBoukr.mjs";
 import { t as OrgRoleSchema } from "./schema-_FQrHcIS.mjs";
 import { z } from "zod";
 //#region src/commands/admin/orgs.command.ts
@@ -28,21 +28,21 @@ function createAdminOrgsCommand() {
 		description: "Manage organizations as a platform admin",
 		schema: AdminOrgsListOptionsSchema,
 		optionsConfig: { ...JSON_OPTION_CONFIG },
-		loadHandler: async () => (await import("./orgs.list.handler-fuDLNI5X.mjs")).handleAdminOrgsList,
+		loadHandler: async () => (await import("./orgs.list.handler-wWAg6cKg.mjs")).handleAdminOrgsList,
 		subcommands: [
 			createTypedCommand({
 				name: "create",
 				description: "Create an organization (requires system.create_org)",
 				schema: AdminOrgsCreateOptionsSchema,
 				optionsConfig: CREATE_OPTIONS_CONFIG,
-				loadHandler: async () => (await import("./orgs.create.handler-DRILhxdn.mjs")).handleAdminOrgsCreate
+				loadHandler: async () => (await import("./orgs.create.handler-Mv5CTGcG.mjs")).handleAdminOrgsCreate
 			}),
 			createTypedCommand({
 				name: "list",
 				description: "List organizations (requires system.view_orgs)",
 				schema: AdminOrgsListOptionsSchema,
 				optionsConfig: { ...JSON_OPTION_CONFIG },
-				loadHandler: async () => (await import("./orgs.list.handler-fuDLNI5X.mjs")).handleAdminOrgsList
+				loadHandler: async () => (await import("./orgs.list.handler-wWAg6cKg.mjs")).handleAdminOrgsList
 			}),
 			createTypedCommand({
 				name: "get",
@@ -54,7 +54,7 @@ function createAdminOrgsCommand() {
 					description: "Organization ID",
 					key: "orgId"
 				},
-				loadHandler: async () => (await import("./orgs.get.handler-Cue6stoX.mjs")).handleAdminOrgsGet
+				loadHandler: async () => (await import("./orgs.get.handler-DvvOhshX.mjs")).handleAdminOrgsGet
 			})
 		]
 	});
@@ -157,14 +157,14 @@ function createAdminUsersCommand() {
 		description: "Manage platform users",
 		schema: AdminUsersListOptionsSchema,
 		optionsConfig: { ...JSON_OPTION_CONFIG },
-		loadHandler: async () => (await import("./users.list.handler-CpOWwzBb.mjs")).handleAdminUsersList,
+		loadHandler: async () => (await import("./users.list.handler-BplFTjv3.mjs")).handleAdminUsersList,
 		subcommands: [
 			createTypedCommand({
 				name: "list",
 				description: "List platform users",
 				schema: AdminUsersListOptionsSchema,
 				optionsConfig: { ...JSON_OPTION_CONFIG },
-				loadHandler: async () => (await import("./users.list.handler-CpOWwzBb.mjs")).handleAdminUsersList
+				loadHandler: async () => (await import("./users.list.handler-BplFTjv3.mjs")).handleAdminUsersList
 			}),
 			createTypedCommand({
 				name: "get",
@@ -176,7 +176,7 @@ function createAdminUsersCommand() {
 					description: "User ID",
 					key: "userId"
 				},
-				loadHandler: async () => (await import("./users.get.handler-CzaYM2bi.mjs")).handleAdminUsersGet
+				loadHandler: async () => (await import("./users.get.handler-B20PMSbl.mjs")).handleAdminUsersGet
 			}),
 			createTypedCommand({
 				name: "set-role",
@@ -188,7 +188,7 @@ function createAdminUsersCommand() {
 					description: "User ID",
 					key: "userId"
 				},
-				loadHandler: async () => (await import("./users.set-role.handler-BjiSNP2d.mjs")).handleAdminUsersSetRole
+				loadHandler: async () => (await import("./users.set-role.handler-wdmI6o3G.mjs")).handleAdminUsersSetRole
 			})
 		]
 	});

package/dist/{agent-manifest-sJFbH5H8.mjs → agent-manifest-CZdlCTFs.mjs}

@@ -35,7 +35,7 @@ const CredentialSetProxyConfigSchema = z.object({
 	hostPatterns: z.array(z.string().min(1)).optional(),
 	injection: CredentialSetProxyInjectionSchema.optional()
 });
-const ResolvedCredentialSetIdSchema = z.string().trim().min(1).max(255).refine((value) => /^[a-zA-Z0-9_-]+(:[a-zA-Z0-9_-]+)?$/.test(value), { error: "resolvedId must be a valid credential set ID, optionally namespaced (e.g. \"slack\" or \"keystroke:slack\")" });
+const CredentialDefinitionIdSchema = z.string().trim().min(1).max(255).refine((value) => /^[a-zA-Z0-9_-]+$/.test(value), { error: "resolvedId must be a valid credential definition id (e.g. \"slack\")" });
 const McpTransportSchema = z.discriminatedUnion("type", [
 	z.object({
 		type: z.literal("stdio"),
@@ -64,7 +64,7 @@ const McpCredentialBindingsSchema = z.object({
 });
 const AgentMcpCredentialSetSchema = z.object({
 	id: z.string().trim().min(1),
-	resolvedId: ResolvedCredentialSetIdSchema,
+	resolvedId: CredentialDefinitionIdSchema,
 	credentialKeys: z.array(z.string()),
 	/** Persistence-layer schema fingerprint (same contract as workflow manifests). */
 	schemaFingerprint: z.string().min(1).optional()
@@ -201,7 +201,7 @@ const AgentVersionManifestSchema = z.object({
 		midSessionSnapshot: z.boolean().optional(),
 		suspensions: z.array(AgentToolSuspensionReasonSchema).optional(),
 		credentialSets: z.array(z.object({
-			id: ResolvedCredentialSetIdSchema,
+			id: CredentialDefinitionIdSchema,
 			required: z.boolean().default(true)
 		})).optional(),
 		/**
@@ -213,7 +213,7 @@ const AgentVersionManifestSchema = z.object({
 		outputSchemaIsTabular: z.boolean().optional()
 	})).optional(),
 	credentialSets: z.array(z.object({
-		resolvedId: ResolvedCredentialSetIdSchema,
+		resolvedId: CredentialDefinitionIdSchema,
 		scope: IntegrationScopeSchema.optional(),
 		credentialKeys: z.array(z.string()),
 		/** Subset of `credentialKeys` that may be absent from the vault
@@ -232,7 +232,7 @@ const AgentVersionManifestSchema = z.object({
 		provider: z.string(),
 		mode: z.enum(["platform", "custom"]),
 		credentialSet: z.object({
-			resolvedId: ResolvedCredentialSetIdSchema,
+			resolvedId: CredentialDefinitionIdSchema,
 			credentialKeys: z.array(z.string()),
 			/** Persistence-layer schema fingerprint (same contract as workflow manifests). */
 			schemaFingerprint: z.string().min(1).optional()

package/dist/{agents-DYnw2VPX.mjs → agents-DDqXmmFV.mjs}

@@ -3,12 +3,12 @@
 import { N as throwReportedCliExit, f as ANSI, n as ui, p as style, x as toErrorMessage } from "./keystroke.mjs";
 import { d as trackProject } from "./dist-BF6r1hfv.mjs";
 import { i as writeJson, n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-CGdYhH0p.mjs";
-import { t as createTypedCommand } from "./commander-DcftG6dX.mjs";
-import { i as readAgentManifestsFromOutDir } from "./dist-DvO0q6Fo.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-C6UAOfAG.mjs";
-import { t as createSpinnerProgress } from "./spinner-progress-Bt8zXPOc.mjs";
-import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-Z2_jkOsZ.mjs";
-import { i as resolveTypeHint } from "./schema-display-DuWBmkwk.mjs";
+import { t as createTypedCommand } from "./commander-BwtBoukr.mjs";
+import { i as readAgentManifestsFromOutDir } from "./dist-BMkNN03r.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-bVPMcs-y.mjs";
+import { t as createSpinnerProgress } from "./spinner-progress-CS1BEdNB.mjs";
+import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-CoJMwpPO.mjs";
+import { i as resolveTypeHint } from "./schema-display-CyCWSgfY.mjs";
 import { z } from "zod";
 //#region src/commands/agents/inspect-display.ts
 function renderAgentManifestInspect(manifest, options = {}) {

package/dist/api-DuKKdCpF.mjs

@@ -0,0 +1,246 @@
+#!/usr/bin/env node
+
+import { n as CredentialConnectionIdSchema, r as CredentialScopeSchema, t as ConnectionStatusSchema } from "./schema-DFJiNWyd.mjs";
+import { z } from "zod";
+//#region ../../packages/shared-types/src/connections/api.ts
+/**
+* API request/response types for the integration catalog and connection endpoints.
+*
+* These types are shared between the server route handlers, the Keystroke SDK, and
+* any in-repo consumer (CLI, web). They divide the surface into two clearly-scoped
+* endpoints:
+*
+*   GET /api/v1/integrations  — the static Keystroke integration catalog (what can
+*     be connected). Auth required; not org-scoped; long-cached.
+*
+*   GET /api/v1/connections   — the caller's configured connections for the current
+*     org (what has been connected). Auth + org required; no-cache.
+*
+* Each endpoint validates its query string with the exported `*QuerySchema`, and
+* the SDK types its method signatures against the same schema so that invalid
+* params cannot be sent or accepted.
+*/
+const InitiateConnectionRequestSchema = z.object({
+	credentialConnectionId: CredentialConnectionIdSchema.optional(),
+	providerAppId: z.string().optional(),
+	/**
+	* Connection-specific setup input. For example, a Shopify OAuth connection
+	* can require `{ shopDomain: "example.myshopify.com" }` to build a
+	* tenant-specific authorize URL.
+	*/
+	input: z.record(z.string(), z.unknown()).optional(),
+	requestedScopes: z.array(z.string()).optional()
+});
+const InitiateConnectionResponseSchema = z.object({
+	authUrl: z.string(),
+	initiatedAt: z.number()
+});
+const ConnectionFailureReasonSchema = z.enum([
+	"missing_state",
+	"invalid_state",
+	"provider_denied",
+	"unknown_integration",
+	"provider_app_not_configured",
+	"token_exchange_failed",
+	"installation_metadata_invalid",
+	"validation_failed",
+	"persist_failed",
+	"unknown_error"
+]);
+const ConnectionStatusNotStartedSchema = z.object({ status: z.literal("not_started") });
+const ConnectionStatusPendingSchema = z.object({ status: z.literal("pending") });
+const ConnectionStatusConnectedSchema = z.object({ status: z.literal("connected") });
+const ConnectionStatusFailedSchema = z.object({
+	status: z.literal("failed"),
+	reason: ConnectionFailureReasonSchema,
+	/**
+	* Optional human-readable detail. Truncated by the server to
+	* {@link CONNECTION_FAILURE_DETAIL_MAX_CHARS} characters before being
+	* persisted in `credential_sets.last_callback_error_detail` and
+	* before being echoed in the callback redirect query.
+	*/
+	message: z.string().max(300).optional(),
+	/** ISO-8601 timestamp of when the failure was recorded. */
+	failedAt: z.string()
+});
+const ConnectionStatusResponseSchema = z.discriminatedUnion("status", [
+	ConnectionStatusNotStartedSchema,
+	ConnectionStatusPendingSchema,
+	ConnectionStatusConnectedSchema,
+	ConnectionStatusFailedSchema
+]);
+const ConnectionKindValues = [
+	"oauth",
+	"manual",
+	"credentials-exchange"
+];
+const ConnectionKindSchema = z.enum(ConnectionKindValues);
+const InternalCredentialSetEntrySchema = z.object({
+	credentialDefinitionId: z.string(),
+	publicId: z.string(),
+	displayName: z.string(),
+	/**
+	* Internal credential-set role. Currently the only first-class role is
+	* `'provider-app-definition'`; other values are accepted for forward-compat
+	* so newer servers can introduce roles without breaking older SDKs.
+	*/
+	role: z.string()
+});
+const CredentialConnectionCatalogEntrySchema = z.object({
+	id: z.string(),
+	kind: z.string(),
+	label: z.string().optional(),
+	description: z.string().optional(),
+	recommended: z.boolean().optional(),
+	advanced: z.boolean().optional(),
+	needsRawSecret: z.boolean().optional(),
+	generated: z.boolean().optional(),
+	instructions: z.string().optional(),
+	input: z.record(z.string(), z.unknown()).optional(),
+	fields: z.array(z.record(z.string(), z.unknown())).optional(),
+	authUrl: z.string().optional(),
+	tokenUrl: z.string().optional(),
+	scopes: z.array(z.string()).optional(),
+	tokenType: z.enum(["long-lived", "refreshable"]).optional(),
+	vault: z.record(z.string(), z.unknown()).optional(),
+	oauth: z.record(z.string(), z.unknown()).optional(),
+	revokeUrl: z.string().nullable().optional(),
+	pkce: z.boolean().optional(),
+	defaultExpiresInSeconds: z.number().optional(),
+	exchange: z.record(z.string(), z.unknown()).optional(),
+	resolver: z.record(z.string(), z.unknown()).optional()
+});
+const IntegrationCatalogEntryBaseSchema = z.object({
+	publicId: z.string(),
+	/**
+	* Public-facing aliases that resolve to this canonical `publicId`
+	* (e.g., `"github"` aliases `"github-account"`). Includes the canonical
+	* ID itself — callers can key a lookup table by every entry in this
+	* list and get the same catalog record back.
+	*/
+	aliases: z.array(z.string()),
+	name: z.string(),
+	description: z.string().optional(),
+	/**
+	* Credential definition metadata for the integration's primary connection.
+	* `storedKeys` drives upload flows (what the vault stores), while
+	* `authKeys` describes the post-resolve runtime shape.
+	*/
+	credentialSet: z.object({
+		credentialDefinitionId: z.string(),
+		authKeys: z.array(z.string()),
+		storedKeys: z.array(z.string()),
+		optionalStoredKeys: z.array(z.string()).optional(),
+		schemaFingerprint: z.string().optional()
+	}),
+	/** Serialized credential acquisition paths rendered by connect/upload UIs. */
+	connections: z.array(CredentialConnectionCatalogEntrySchema),
+	/**
+	* Internal credential sets associated with the integration (e.g., provider
+	* app definitions). Populated only when the caller requests
+	* `includeInternal=true`; otherwise empty.
+	*/
+	internalCredentialSets: z.array(InternalCredentialSetEntrySchema)
+});
+const OAuthIntegrationCatalogEntrySchema = IntegrationCatalogEntryBaseSchema.extend({
+	connectionKind: z.literal("oauth"),
+	tokenType: z.enum(["long-lived", "refreshable"]),
+	scopes: z.array(z.string())
+});
+const ManualIntegrationCatalogEntrySchema = IntegrationCatalogEntryBaseSchema.extend({ connectionKind: z.literal("manual") });
+/**
+* Catalog entry for `credentials-exchange`-kind integrations.
+*
+* Carries the JSON-schema projection of the connection's `input` schema so
+* the CLI and web UI can render an input form without re-loading the
+* original Zod schema (which only exists in the integration bundle's
+* runtime module). `credentialSet.storedKeys` reflects the stored-schema
+* keys that get persisted after exchange.
+*
+* @see packages/core/src/credential-set/connection.ts CredentialsExchangeConnectionConfig
+*/
+const CredentialsExchangeIntegrationCatalogEntrySchema = IntegrationCatalogEntryBaseSchema.extend({
+	connectionKind: z.literal("credentials-exchange"),
+	/** JSON-schema projection of the connection's `input` schema. */
+	input: z.record(z.string(), z.unknown()),
+	/** Optional free-form copy rendered above the input form. */
+	instructions: z.string().optional()
+});
+const IntegrationCatalogEntrySchema = z.discriminatedUnion("connectionKind", [
+	OAuthIntegrationCatalogEntrySchema,
+	ManualIntegrationCatalogEntrySchema,
+	CredentialsExchangeIntegrationCatalogEntrySchema
+]);
+z.object({
+	/** Restrict results to one connection kind. */
+	connectionKind: ConnectionKindSchema.optional(),
+	/**
+	* Return only the integration whose `publicId` (or alias) matches.
+	* When no integration matches, the endpoint returns an empty array.
+	*/
+	publicId: z.string().min(1).optional(),
+	/**
+	* Case-insensitive substring match against `publicId`, `aliases`, and `name`.
+	*/
+	q: z.string().min(1).optional(),
+	/**
+	* Opt into `internalCredentialSets[]` on each entry. Defaults to `false`
+	* so the common catalog call stays lean. CLI commands that need to render
+	* credential-set display names set this to `true`.
+	*/
+	includeInternal: z.stringbool().optional().default(false)
+}).strict();
+z.object({ integrations: z.array(IntegrationCatalogEntrySchema) });
+const ConnectionEntrySchema = z.object({
+	id: z.string(),
+	credentialConnectionId: CredentialConnectionIdSchema,
+	/**
+	* Public-facing integration ID this connection is associated with
+	* (post alias resolution). `null` when the underlying credential set is
+	* not backed by an official Keystroke integration (e.g., user-defined
+	* custom credential sets).
+	*/
+	integrationPublicId: z.string().nullable(),
+	/**
+	* Credential definition id, e.g., `"slack"` or a custom set's
+	* identifier. Stable across alias resolution.
+	*/
+	credentialSetId: z.string(),
+	name: z.string(),
+	scope: CredentialScopeSchema,
+	platformConnected: z.boolean(),
+	connectionStatus: ConnectionStatusSchema,
+	expiresAt: z.string().nullable(),
+	isDefault: z.boolean(),
+	createdAt: z.string()
+});
+/**
+* Coerces a `status` query-param value that may arrive as a single string,
+* a comma-separated string, or (in Hono/ky's query handling) an array of
+* strings, into a canonical `ConnectionStatus[]`. Invalid entries cause the
+* surrounding Zod parse to fail with a helpful issue.
+*
+* The field itself is made optional at the object level (see
+* `ListConnectionsQuerySchema`), so passing `undefined` / omitting the key
+* is always valid; this preprocessor only runs when a value is actually
+* present.
+*/
+const ConnectionStatusQueryParam = z.preprocess((value) => {
+	if (value === void 0 || value === null || value === "") return void 0;
+	const trimmed = (Array.isArray(value) ? value : String(value).split(",")).flatMap((entry) => String(entry).split(",")).map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+	return trimmed.length === 0 ? void 0 : trimmed;
+}, z.array(ConnectionStatusSchema));
+z.object({
+	/** Filter to connections for a specific integration's public ID (alias-resolved). */
+	integrationPublicId: z.string().min(1).optional(),
+	/**
+	* Filter by one or more connection statuses. Accepts a single value, a
+	* comma-separated string, or repeated query keys. Omit to return all statuses.
+	*/
+	status: ConnectionStatusQueryParam.optional(),
+	scope: CredentialScopeSchema.optional(),
+	projectId: z.uuid().optional()
+}).strict();
+z.object({ connections: z.array(ConnectionEntrySchema) });
+//#endregion
+export { InitiateConnectionResponseSchema as i, ConnectionStatusResponseSchema as n, InitiateConnectionRequestSchema as r, ConnectionKindValues as t };

package/dist/{api-keys-Dizx3YqE.mjs → api-keys-BE_hLonn.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-CGdYhH0p.mjs";
-import { t as createTypedCommand } from "./commander-DcftG6dX.mjs";
+import { t as createTypedCommand } from "./commander-BwtBoukr.mjs";
 import { z } from "zod";
 //#region src/commands/api-keys/api-keys.command.ts
 const ApiKeysCreateOptionsSchema = JsonOptionSchema.extend({ name: z.string().optional() });
@@ -23,21 +23,21 @@ function createApiKeysCommand() {
 		description: "Manage API keys for your organization",
 		schema: JsonOptionSchema,
 		optionsConfig: { ...JSON_OPTION_CONFIG },
-		loadHandler: async () => (await import("./list.handler-CsODcH6e.mjs")).handleApiKeysList,
+		loadHandler: async () => (await import("./list.handler-Cp767f5l.mjs")).handleApiKeysList,
 		subcommands: [
 			createTypedCommand({
 				name: "list",
 				description: "List all API keys for your organization",
 				schema: JsonOptionSchema,
 				optionsConfig: { ...JSON_OPTION_CONFIG },
-				loadHandler: async () => (await import("./list.handler-CsODcH6e.mjs")).handleApiKeysList
+				loadHandler: async () => (await import("./list.handler-Cp767f5l.mjs")).handleApiKeysList
 			}),
 			createTypedCommand({
 				name: "create",
 				description: "Create a new API key (raw key shown once)",
 				schema: ApiKeysCreateOptionsSchema,
 				optionsConfig: CREATE_OPTIONS_CONFIG,
-				loadHandler: async () => (await import("./create.handler-C2CkPWsy.mjs")).handleApiKeysCreate
+				loadHandler: async () => (await import("./create.handler-BAyG0PmG.mjs")).handleApiKeysCreate
 			}),
 			createTypedCommand({
 				name: "delete",
@@ -49,7 +49,7 @@ function createApiKeysCommand() {
 					description: "API key ID to delete",
 					key: "apiKeyId"
 				},
-				loadHandler: async () => (await import("./delete.handler-DDY3X1Zm.mjs")).handleApiKeysDelete
+				loadHandler: async () => (await import("./delete.handler-CJcyvnUF.mjs")).handleApiKeysDelete
 			})
 		]
 	});

package/dist/{auth-BqsKd4IA.mjs → auth-DNK5MYm4.mjs}

@@ -2,7 +2,7 @@
 
 import { n as DEFAULT_CLI_WEB_URL } from "./default-urls-BS4twrsS.mjs";
 import { S as AUTH_TIMEOUT_SECONDS } from "./keystroke.mjs";
-import { t as createTypedCommand } from "./commander-DcftG6dX.mjs";
+import { t as createTypedCommand } from "./commander-BwtBoukr.mjs";
 import { z } from "zod";
 //#region src/commands/auth/auth.command.ts
 const AuthOptionsSchema = z.object({
@@ -25,28 +25,28 @@ function createAuthCommand() {
 		description: "Authenticate Keystroke CLI via device flow",
 		schema: AuthOptionsSchema,
 		optionsConfig: AUTH_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./auth.handler-BsoWeCFD.mjs")).handleAuth,
+		loadHandler: async () => (await import("./auth.handler-DrjDODhZ.mjs")).handleAuth,
 		subcommands: [
 			createTypedCommand({
 				name: "clear",
 				description: "Revoke the saved API key and remove local credentials",
 				schema: z.object({}),
 				optionsConfig: {},
-				loadHandler: async () => (await import("./clear.handler-BR97yudD.mjs")).handleAuthClear
+				loadHandler: async () => (await import("./clear.handler-B1c17nAi.mjs")).handleAuthClear
 			}),
 			createTypedCommand({
 				name: "test",
 				description: "Verify that the saved API key is valid",
 				schema: z.object({}),
 				optionsConfig: {},
-				loadHandler: async () => (await import("./test.handler-B5GF5txS.mjs")).handleAuthTest
+				loadHandler: async () => (await import("./test.handler-St9sBXyH.mjs")).handleAuthTest
 			}),
 			createTypedCommand({
 				name: "status",
 				description: "Show the current signed-in identity and organization context",
 				schema: z.object({}),
 				optionsConfig: {},
-				loadHandler: async () => (await import("./status.handler-6cuHa0R0.mjs")).handleAuthStatus
+				loadHandler: async () => (await import("./status.handler-Cm9aNUBn.mjs")).handleAuthStatus
 			})
 		]
 	});

package/dist/{auth.handler-BsoWeCFD.mjs → auth.handler-DrjDODhZ.mjs}

@@ -3,7 +3,7 @@
 import { n as DEFAULT_CLI_WEB_URL, t as DEFAULT_CLI_SERVER_URL } from "./default-urls-BS4twrsS.mjs";
 import { C as AUTH_URL_PATH, D as CLI_AUTH_COMMAND, E as CALLBACK_PATH, T as CALLBACK_LOOPBACK_ORIGIN, c as resolveCliWebUrl, k as CliExitError, n as ui, s as resolveCliServerUrl, u as logger, w as CALLBACK_LOOPBACK_HOST, x as toErrorMessage } from "./keystroke.mjs";
 import { f as upsertOrgCredentials, i as getCredentialsFilePath } from "./dist-BF6r1hfv.mjs";
-import { t as openBrowser } from "./browser-CvuyMLhI.mjs";
+import { t as openBrowser } from "./browser-B4K0VW8p.mjs";
 import { hostname } from "node:os";
 import { z } from "zod";
 import { confirm, isCancel } from "@clack/prompts";

package/dist/{build-agents-DfbiMZ_e-CgnKa9A6.mjs → build-agents-DseUtzd4-DIDGsZWL.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 
-import { n as readOptionalJsonSchemaKeys, t as manifestToDeclaredCredentialRequirement } from "./declared-credential-requirements-BtlcsEVn.mjs";
-import { t as AgentVersionManifestSchema } from "./agent-manifest-sJFbH5H8.mjs";
-import { i as createAgentSandboxPackage, n as AGENT_VM_PI_SKILLS_ROOT, r as AGENT_VM_TOOLS_RUNTIME_RELATIVE_PATH, t as AGENT_VM_HOST_CALL_RELATIVE_PATH } from "./agent-bundle-package-DWV6B_5q-B-qzc3zC.mjs";
-import { t as readCredentialKeysFromSchemaObject } from "./read-credential-keys-77a91T8M-B0eiobOd.mjs";
-import { t as bundleSandboxAgentTarget } from "./workflow-bundler-BzHk73PM-tt09RbIA.mjs";
+import { n as readOptionalJsonSchemaKeys, t as manifestToDeclaredCredentialRequirement } from "./declared-credential-requirements-B6h4WRv4.mjs";
+import { t as AgentVersionManifestSchema } from "./agent-manifest-CZdlCTFs.mjs";
+import { i as createAgentSandboxPackage, n as AGENT_VM_PI_SKILLS_ROOT, r as AGENT_VM_TOOLS_RUNTIME_RELATIVE_PATH, t as AGENT_VM_HOST_CALL_RELATIVE_PATH } from "./agent-bundle-package-DWV6B_5q-cB76j6UL.mjs";
+import { t as readCredentialKeysFromSchemaObject } from "./read-credential-keys-77a91T8M-CzXPGxdU.mjs";
+import { t as bundleSandboxAgentTarget } from "./workflow-bundler-BzHk73PM-UJQa7Ubk.mjs";
 import { builtinModules } from "node:module";
 import { lstat, readFile, readdir, realpath } from "node:fs/promises";
 import path from "node:path";
@@ -166,7 +166,7 @@ const HOST_CALL_STUB_SOURCE = [
 	"}"
 ].join("\n");
 //#endregion
-//#region ../../packages/workflow-builder/dist/build-agents-DfbiMZ_e.mjs
+//#region ../../packages/workflow-builder/dist/build-agents-DseUtzd4.mjs
 const STAGED_LOCAL_SOURCES_PREFIX = ".keystroke/staged-local-sources";
 function normalizeRelativeSandboxPath(targetPath) {
 	const normalized = path.posix.normalize(targetPath);
@@ -246,11 +246,10 @@ async function resolveSkillSourceDirectory(projectRoot, skillPath) {
 		return resolveSkillSourceDirectory(projectRoot, resolvedPath);
 	}
 	if (!stats.isDirectory()) throw new Error(`Skill source path must point to a directory containing SKILL.md: ${skillPath}`);
-	const skillManifestStats = await lstat(path.join(absolutePath, "SKILL.md")).catch((error) => {
+	if (!(await lstat(path.join(absolutePath, "SKILL.md")).catch((error) => {
 		if (error && typeof error === "object" && "code" in error && error.code === "ENOENT") return null;
 		throw error;
-	});
-	if (!skillManifestStats || !skillManifestStats.isFile()) throw new Error(`Skill source directory must contain SKILL.md: ${skillPath}`);
+	}))?.isFile()) throw new Error(`Skill source directory must contain SKILL.md: ${skillPath}`);
 	return absolutePath;
 }
 function resolveSkillSourceTarget(absolutePath) {
@@ -299,7 +298,7 @@ async function buildAgentSandboxPackage(params) {
 }
 function schemaFingerprintForManifestCredentialSet(credentialSet) {
 	const { schemaFingerprint } = manifestToDeclaredCredentialRequirement(credentialSet);
-	if (!schemaFingerprint) throw new Error(`Cannot compute schema fingerprint for credential set "${credentialSet.resolvedCredentialSetId}"`);
+	if (!schemaFingerprint) throw new Error(`Cannot compute schema fingerprint for credential set "${credentialSet.id}"`);
 	return schemaFingerprint;
 }
 function createSessionRuntimePlacement() {
@@ -343,7 +342,7 @@ function createResolvedMcpServers(agentManifest) {
 			transport: server.transport,
 			credentialSets: server.credentialSets.map((credentialSet) => ({
 				id: credentialSet.id,
-				resolvedId: credentialSet.resolvedCredentialSetId,
+				resolvedId: credentialSet.id,
 				credentialKeys: readCredentialKeysFromSchemaObject(credentialSet.auth),
 				schemaFingerprint: schemaFingerprintForManifestCredentialSet(credentialSet)
 			})),
@@ -399,7 +398,7 @@ function createAgentVersionManifest(discoveredWorkflow, agentManifest, toolEnric
 		...runtimeCredentialSets.length > 0 ? { credentialSets: runtimeCredentialSets.map((credentialSet) => {
 			const optionalCredentialKeys = readOptionalJsonSchemaKeys(credentialSet.auth);
 			return {
-				resolvedId: credentialSet.resolvedCredentialSetId,
+				resolvedId: credentialSet.id,
 				credentialKeys: readCredentialKeysFromSchemaObject(credentialSet.auth),
 				schemaFingerprint: schemaFingerprintForManifestCredentialSet(credentialSet),
 				...optionalCredentialKeys.length > 0 ? { optionalCredentialKeys } : {},
@@ -414,7 +413,7 @@ function createAgentVersionManifest(discoveredWorkflow, agentManifest, toolEnric
 			provider: gateway.provider,
 			mode: gateway.mode,
 			credentialSet: {
-				resolvedId: gateway.credentialSet.resolvedCredentialSetId,
+				resolvedId: gateway.credentialSet.id,
 				credentialKeys: readCredentialKeysFromSchemaObject(gateway.credentialSet.auth),
 				schemaFingerprint: schemaFingerprintForManifestCredentialSet(gateway.credentialSet)
 			},