@keystrokehq/cli 0.0.11 → 0.0.12

package/dist/credentials-Bu1MBiCL.mjs

@@ -0,0 +1,182 @@
+#!/usr/bin/env node
+
+import { d as collectCredentialRequirementEntries } from "./credential-requirements-FtBk5JVB.mjs";
+//#region ../../packages/workflow-deploy/dist/credentials/index.mjs
+/**
+* Resolves credential values from environment using KEYSTROKE_<KEY> convention.
+* Optional keyToEnv override maps credential key -> env var name.
+*/
+/**
+* Resolves credential values from env.
+* Convention: KEYSTROKE_<KEY> (e.g. SLACK_BOT_TOKEN -> KEYSTROKE_SLACK_BOT_TOKEN).
+* Use keyToEnv to override: { SLACK_BOT_TOKEN: "MY_SLACK_TOKEN" }.
+* Returns null if any required value is missing.
+*/
+function resolveCredentialValuesFromEnv(keys, env, keyToEnv) {
+	const values = {};
+	const envForKey = keyToEnv ?? Object.fromEntries(keys.map((key) => [key, `KEYSTROKE_${key}`]));
+	for (const credentialKey of keys) {
+		const value = env[envForKey[credentialKey] ?? `KEYSTROKE_${credentialKey}`];
+		if (!value || value.trim() === "") return null;
+		values[credentialKey] = value;
+	}
+	return values;
+}
+function addEntriesToGroups(groups, entries) {
+	for (const entry of entries) {
+		const scopeKey = entry.scope ?? "__default__";
+		const key = `${entry.credentialSetId}:${scopeKey}`;
+		const existing = groups.get(key);
+		const keys = [...new Set(entry.credentialKeys)];
+		if (existing) {
+			for (const credentialKey of keys) if (!existing.keys.includes(credentialKey)) existing.keys.push(credentialKey);
+		} else groups.set(key, {
+			credentialSetId: entry.credentialSetId,
+			scope: entry.scope ?? null,
+			keys
+		});
+	}
+}
+function groupCredentialRequirements(manifest) {
+	const groups = /* @__PURE__ */ new Map();
+	addEntriesToGroups(groups, collectCredentialRequirementEntries(manifest.credentials));
+	return [...groups.values()];
+}
+function buildScopes(params) {
+	const { scope, organizationId, projectId } = params;
+	switch (scope) {
+		case "organization":
+			if (!organizationId) throw new Error("organizationId is required when scope is organization");
+			return [{
+				scope: "organization",
+				organizationId
+			}];
+		case "project":
+			if (!projectId) throw new Error("projectId is required when scope is project");
+			return [{
+				scope: "project",
+				projectId
+			}];
+		case "user": return [{ scope: "user" }];
+		default: throw new Error(`Unknown scope: ${scope}`);
+	}
+}
+function buildListParams(params) {
+	const listParams = {
+		credentialSetId: params.credentialSetId,
+		scope: params.scope,
+		limit: 100,
+		offset: 0
+	};
+	if (params.scope === "project" && params.projectId) listParams.projectId = params.projectId;
+	return listParams;
+}
+function handleExistingMatch(match, params) {
+	if (params.updateExisting) return handleUpdateExisting(match, params);
+	if (!match.isDefault) return handleMarkDefault(match, params.client);
+	return Promise.resolve({
+		action: "unchanged",
+		credentialSetId: match.id
+	});
+}
+async function handleUpdateExisting(match, params) {
+	if (!match.isDefault) await params.client.credentials.update(match.id, { isDefault: true });
+	await params.client.credentials.updateValues(match.id, {
+		...params.credentialConnectionId ? { credentialConnectionId: params.credentialConnectionId } : {},
+		values: params.values
+	});
+	return {
+		action: "updated-values",
+		credentialSetId: match.id
+	};
+}
+async function handleMarkDefault(match, client) {
+	await client.credentials.update(match.id, { isDefault: true });
+	return {
+		action: "marked-default",
+		credentialSetId: match.id
+	};
+}
+/** Ensures a credential set exists for the given integration and is marked as default. */
+async function uploadCredential(params) {
+	const { client, credentialSetId, name, values, updateExisting = false } = params;
+	const scopes = buildScopes(params);
+	const listParams = buildListParams(params);
+	const match = ((await client.credentials.list(listParams)).credentialSets ?? []).find((credentialSet) => credentialSet.name === name);
+	if (match) return handleExistingMatch(match, {
+		updateExisting,
+		...params.credentialConnectionId ? { credentialConnectionId: params.credentialConnectionId } : {},
+		values,
+		client
+	});
+	try {
+		const created = (await client.credentials.create({
+			credentialSetId,
+			...params.credentialConnectionId ? { credentialConnectionId: params.credentialConnectionId } : {},
+			name,
+			scopes,
+			isDefault: true,
+			values,
+			...params.schemaFingerprint ? { schemaFingerprint: params.schemaFingerprint } : {}
+		})).credentialSets?.[0];
+		if (created) return {
+			action: "created",
+			credentialSetId: created.id
+		};
+		throw new Error("Create succeeded but no credential set in response");
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		if (message.includes("duplicate key") || message.includes("unique constraint")) {
+			const retryMatch = (await client.credentials.list(listParams)).credentialSets?.find((credentialSet) => credentialSet.name === name);
+			if (retryMatch) return handleExistingMatch(retryMatch, {
+				updateExisting,
+				values,
+				client
+			});
+		}
+		throw error;
+	}
+}
+/** Verifies that credentials are resolvable by calling the resolve endpoint. */
+async function verifyCredentialResolvable(params) {
+	const { client, credentialSetId, keys, scope, projectId } = params;
+	const resolveParams = {
+		credentialSetId,
+		keys
+	};
+	if (scope) resolveParams.scope = scope;
+	if (projectId) resolveParams.projectId = projectId;
+	const response = await client.credentials.resolve(resolveParams);
+	const resolvedKeys = Object.keys(response.credentials ?? {});
+	return {
+		success: keys.every((key) => resolvedKeys.includes(key)),
+		resolvedKeys
+	};
+}
+/**
+* Run the manual `validate` hook for an official integration's credential
+* set, if one is defined.
+*
+* Returns `{ status: 'skipped' }` when the credential set has no hook or is
+* not an official integration. User-authored credential sets get the
+* skipped path today; a separate cluster will add server-side validation
+* for workspace-authored integrations.
+*
+* @example
+* ```ts
+* const validation = await validateManualCredentialWithHook({
+*   credentialSetId: 'stripe',
+*   values: { STRIPE_SECRET_KEY: 'sk_live_...' },
+* });
+* if (validation.status === 'failed') {
+*   throw new Error(validation.error);
+* }
+* ```
+*
+* @throws Never. Errors thrown by the hook are normalized onto the result.
+*/
+async function validateManualCredentialWithHook(params) {
+	return { status: "skipped" };
+}
+//#endregion
+export { verifyCredentialResolvable as a, validateManualCredentialWithHook as i, resolveCredentialValuesFromEnv as n, uploadCredential as r, groupCredentialRequirements as t };

package/dist/{credentials-D8_AwH9o.mjs → credentials-CZiu-534.mjs}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 
 import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-CGdYhH0p.mjs";
-import { t as createTypedCommand } from "./commander-DcftG6dX.mjs";
-import { n as CredentialScopeSchema, r as CredentialScopeValues } from "./schema-BgGlAs8a.mjs";
+import { t as createTypedCommand } from "./commander-BwtBoukr.mjs";
+import { i as CredentialScopeValues, r as CredentialScopeSchema } from "./schema-DFJiNWyd.mjs";
 import { z } from "zod";
 //#region src/commands/credentials/list/list.command.ts
 const ListOptionsSchema = JsonOptionSchema.extend({
@@ -21,7 +21,7 @@ const LIST_OPTIONS_CONFIG = {
 	},
 	credentialSetId: {
 		flag: "--credential-set-id <id>",
-		description: "Filter by credential set ID (e.g. keystroke:slack)"
+		description: "Filter by credential set ID (e.g. slack)"
 	},
 	projectId: {
 		flag: "--project-id <id>",
@@ -46,7 +46,7 @@ function createCredentialsListCommand() {
 		description: "List credential sets on the server",
 		schema: ListOptionsSchema,
 		optionsConfig: LIST_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./list.handler-B6IByHHB.mjs")).handleCredentialsList
+		loadHandler: async () => (await import("./list.handler-DXl8igi2.mjs")).handleCredentialsList
 	});
 }
 //#endregion
@@ -65,13 +65,14 @@ function createCredentialsRequirementsCommand() {
 		description: "Show what credentials built workflows need (keys, KEYSTROKE_* env names, workflows) — from dist manifests, no API call",
 		schema: RequirementsOptionsSchema,
 		optionsConfig: REQUIREMENTS_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./requirements.handler-CX13XiXT.mjs")).handleCredentialsRequirements
+		loadHandler: async () => (await import("./requirements.handler-CnDTBcH5.mjs")).handleCredentialsRequirements
 	});
 }
 //#endregion
 //#region src/commands/credentials/upload/upload.command.ts
 const UploadOptionsSchema = JsonOptionSchema.extend({
 	integration: z.string().optional(),
+	credentialConnectionId: z.string().optional().describe("Credential connection ID to use for catalog-backed uploads"),
 	credentialSet: z.string().optional(),
 	keys: z.string().optional(),
 	name: z.string().optional(),
@@ -86,6 +87,10 @@ const UPLOAD_OPTIONS_CONFIG = {
 		flag: "--integration <public-id>",
 		description: "Official integration public ID (e.g. slack, github, linear). Derives the internal credential identity and keys automatically."
 	},
+	credentialConnectionId: {
+		flag: "--credential-connection-id <id>",
+		description: "Credential connection ID to use for catalog-backed uploads"
+	},
 	credentialSet: {
 		flag: "--credential-set <id>",
 		description: "Explicit custom credential set ID. Requires --keys."
@@ -121,7 +126,7 @@ function createCredentialsUploadCommand() {
 		description: "Upload credentials from env vars to the server. Default: reads requirements from built workflow manifests. Use --integration for an official integration or --credential-set + --keys for a custom explicit upload.",
 		schema: UploadOptionsSchema,
 		optionsConfig: UPLOAD_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./upload.handler-BFDM6n_6.mjs")).handleCredentialsUpload
+		loadHandler: async () => (await import("./upload.handler-DemogvI1.mjs")).handleCredentialsUpload
 	});
 }
 //#endregion
@@ -152,7 +157,7 @@ function createCredentialsCommand() {
 			}
 		},
 		handler: async (opts, ctx) => {
-			const { handleCredentialsList } = await import("./list.handler-B6IByHHB.mjs");
+			const { handleCredentialsList } = await import("./list.handler-DXl8igi2.mjs");
 			await handleCredentialsList({
 				...opts,
 				scope: void 0,

package/dist/{current-deployment-workflow-B05z0EQa.mjs → current-deployment-workflow-B4IufKqe.mjs}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
 import { M as WorkflowResolutionError, _ as getApiErrorCode, n as ui, v as getHttpStatus } from "./keystroke.mjs";
-import { t as assertWorkflowProjectRoot } from "./project-config-D9eFU8Jk.mjs";
-import { a as readManifestsFromOutDir } from "./dist-DvO0q6Fo.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-C6UAOfAG.mjs";
-import { t as createSpinnerProgress } from "./spinner-progress-Bt8zXPOc.mjs";
-import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-Z2_jkOsZ.mjs";
+import { t as assertWorkflowProjectRoot } from "./project-config-CJGSh2RQ.mjs";
+import { a as readManifestsFromOutDir } from "./dist-BMkNN03r.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-bVPMcs-y.mjs";
+import { t as createSpinnerProgress } from "./spinner-progress-CS1BEdNB.mjs";
+import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-CoJMwpPO.mjs";
 //#region src/commands/workflows/_shared/current-deployment-workflow.ts
 /**
 * Lightweight resolution: gets projectId from keystroke.config.ts and authoredWorkflowId

package/dist/{current.handler-CuAtMZmm.mjs → current.handler-DA4FGfUP.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as ui } from "./keystroke.mjs";
-import { i as requireClient } from "./context-1VgRbzr-.mjs";
+import { i as requireClient } from "./context-DQ4IA0yO.mjs";
 //#region src/commands/org/current.handler.ts
 async function handleOrgCurrent(_options, ctx) {
 	if (!ctx.organizationId) {

package/dist/{declared-credential-requirements-BtlcsEVn.mjs → declared-credential-requirements-B6h4WRv4.mjs}

@@ -1,9 +1,8 @@
 #!/usr/bin/env node
 
-import { d as schemaToJsonSchema } from "./schema-B-Wgo4rJ.mjs";
 import "zod";
 import { createHash } from "node:crypto";
-//#region ../../packages/core/src/artifacts/schema-fingerprint.ts
+//#region ../../packages/workflow-build-contracts/src/schema-fingerprint.ts
 /**
 * schema-fingerprint.ts
 *
@@ -62,7 +61,7 @@ function sortDeep(value) {
 	return value;
 }
 //#endregion
-//#region ../../packages/core/src/shared/declared-credential-requirements.ts
+//#region ../../packages/workflow-build-contracts/src/declared-credential-requirements.ts
 function readSchemaKeys(schema, propertyKey) {
 	if (schema === null || typeof schema !== "object") return [];
 	const candidate = schema[propertyKey];
@@ -80,53 +79,25 @@ function readOptionalJsonSchemaKeys(schema) {
 	const requiredSet = new Set(Array.isArray(record.required) ? record.required : []);
 	return Object.keys(properties).filter((key) => !requiredSet.has(key)).sort();
 }
-function toDeclaredCredentialRequirement(credentialSet) {
-	const optionalAuthKeys = credentialSet.optionalCredentialKeys;
-	const optionalStoredKeys = credentialSet.optionalStoredCredentialKeys;
-	const schemaFingerprint = computeSchemaFingerprint(schemaToJsonSchema(credentialSet.auth), credentialSet.stored ? schemaToJsonSchema(credentialSet.stored) : void 0);
-	const onCredentialRevoked = credentialSet.onCredentialRevoked;
-	return {
-		credentialSetId: credentialSet.id,
-		...credentialSet.namespace ? { namespace: credentialSet.namespace } : {},
-		resolvedCredentialSetId: credentialSet.resolvedCredentialSetId,
-		credentialKeys: [...credentialSet.credentialKeys],
-		...optionalAuthKeys.length > 0 ? { optionalCredentialKeys: [...optionalAuthKeys] } : {},
-		storedCredentialKeys: [...credentialSet.storedCredentialKeys],
-		...optionalStoredKeys.length > 0 ? { optionalStoredCredentialKeys: [...optionalStoredKeys] } : {},
-		schemaFingerprint,
-		...credentialSet.needsResolve ? { needsResolve: true } : {},
-		...credentialSet.resolveCacheMs > 0 ? { resolveCacheMs: credentialSet.resolveCacheMs } : {},
-		...onCredentialRevoked ? { onCredentialRevoked } : {},
-		...credentialSet.proxy ? { proxy: credentialSet.proxy } : {},
-		...credentialSet.needsRawSecret === true ? { needsRawSecret: true } : {}
-	};
-}
-function toDeclaredCredentialRequirements(credentialSets) {
-	return credentialSets.map(toDeclaredCredentialRequirement);
-}
 function manifestToDeclaredCredentialRequirement(credentialSet) {
 	const authKeys = readSchemaKeys(credentialSet.auth, "properties");
 	const optionalAuthKeys = readOptionalJsonSchemaKeys(credentialSet.auth);
-	const storedSchema = credentialSet.stored ?? credentialSet.auth;
+	const storedSchema = credentialSet.auth;
 	const storedKeys = readSchemaKeys(storedSchema, "properties");
 	const optionalStoredKeys = readOptionalJsonSchemaKeys(storedSchema);
-	const schemaFingerprint = credentialSet.auth ? computeSchemaFingerprint(credentialSet.auth, credentialSet.stored) : void 0;
+	const schemaFingerprint = credentialSet.auth ? computeSchemaFingerprint(credentialSet.auth) : void 0;
 	const onCredentialRevoked = credentialSet.onCredentialRevoked;
 	return {
 		credentialSetId: credentialSet.id,
-		...credentialSet.namespace ? { namespace: credentialSet.namespace } : {},
-		resolvedCredentialSetId: credentialSet.resolvedCredentialSetId,
 		credentialKeys: authKeys,
 		...optionalAuthKeys.length > 0 ? { optionalCredentialKeys: optionalAuthKeys } : {},
 		storedCredentialKeys: storedKeys,
 		...optionalStoredKeys.length > 0 ? { optionalStoredCredentialKeys: optionalStoredKeys } : {},
 		...schemaFingerprint ? { schemaFingerprint } : {},
-		...credentialSet.needsResolve ? { needsResolve: true } : {},
-		...typeof credentialSet.resolveCacheMs === "number" && credentialSet.resolveCacheMs > 0 ? { resolveCacheMs: credentialSet.resolveCacheMs } : {},
 		...onCredentialRevoked ? { onCredentialRevoked } : {},
 		...credentialSet.proxy ? { proxy: credentialSet.proxy } : {},
 		...credentialSet.needsRawSecret === true ? { needsRawSecret: true } : {}
 	};
 }
 //#endregion
-export { readOptionalJsonSchemaKeys as n, toDeclaredCredentialRequirements as r, manifestToDeclaredCredentialRequirement as t };
+export { readOptionalJsonSchemaKeys as n, manifestToDeclaredCredentialRequirement as t };

package/dist/{delete.handler-DDY3X1Zm.mjs → delete.handler-CJcyvnUF.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { N as throwReportedCliExit, n as ui, x as toErrorMessage } from "./keystroke.mjs";
-import { i as requireClient } from "./context-1VgRbzr-.mjs";
+import { i as requireClient } from "./context-DQ4IA0yO.mjs";
 //#region src/commands/api-keys/delete.handler.ts
 async function handleApiKeysDelete(options, ctx) {
 	const client = requireClient(ctx);

package/dist/{deploy-B8TYutOi.mjs → deploy-BvaFgVvf.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { a as createKyInstance, n as auth, r as bundles, s as getClientEnv, t as projects } from "./projects-DN7dX6nN.mjs";
+import { a as createKyInstance, n as auth, r as bundles, s as getClientEnv, t as projects } from "./projects-CWLOF5x4.mjs";
 //#region ../../packages/workflow-sdk/src/deploy.ts
 function createDeployClient(config = {}) {
 	const env = getClientEnv();

package/dist/{deploy-Cn6FFnOM.mjs → deploy-CqXOhecY.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { t as createTypedCommand } from "./commander-DcftG6dX.mjs";
+import { t as createTypedCommand } from "./commander-BwtBoukr.mjs";
 import { z } from "zod";
 //#region src/commands/deploy/deploy.command.ts
 /**
@@ -64,7 +64,7 @@ function createDeployCommand() {
 		schema: DeployOptionsSchema,
 		optionsConfig: DEPLOY_OPTIONS_CONFIG,
 		contextMode: "auth",
-		loadHandler: async () => (await import("./deploy.handler-D1DcAe-h.mjs")).handleDeploy
+		loadHandler: async () => (await import("./deploy.handler-DQg_rXgs.mjs")).handleDeploy
 	});
 	cmd.enablePositionalOptions();
 	cmd.passThroughOptions();

package/dist/{deploy-progress-XAfautnA.mjs → deploy-progress-CLO-yidq.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as ui } from "./keystroke.mjs";
-import { t as createSpinnerProgress } from "./spinner-progress-Bt8zXPOc.mjs";
+import { t as createSpinnerProgress } from "./spinner-progress-CS1BEdNB.mjs";
 //#region src/lib/deploy-progress.ts
 function renderItemFailure(event, kind, spinner) {
 	if (event.result === "failure") spinner.fail(`${kind} failed (${event.name})`, void 0, event.error);

package/dist/{deploy.handler-D1DcAe-h.mjs → deploy.handler-DQg_rXgs.mjs}

@@ -2,16 +2,16 @@
 
 import { f as ANSI, k as CliExitError, n as ui, o as isLocalMode, p as style, u as logger } from "./keystroke.mjs";
 import { d as trackProject } from "./dist-BF6r1hfv.mjs";
-import { t as assertWorkflowProjectRoot } from "./project-config-D9eFU8Jk.mjs";
-import { r as requireAuthOptions, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-1VgRbzr-.mjs";
-import { i as readAgentManifestsFromOutDir, o as readWorkflowsFromDisk } from "./dist-DvO0q6Fo.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-C6UAOfAG.mjs";
-import { n as renderBuildFailure, r as renderBuildHeader } from "./workflow-build-Z2_jkOsZ.mjs";
-import { t as createBuildProgress } from "./build-progress-DigAP-BN.mjs";
-import { t as createDeployProgress } from "./deploy-progress-XAfautnA.mjs";
-import { t as withErrorBoundary } from "./error-boundary-CpaVvFXk.mjs";
-import { t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-B05z0EQa.mjs";
-import { t as computeWorkflowDiff } from "./diff-utils-AATn2n56.mjs";
+import { t as assertWorkflowProjectRoot } from "./project-config-CJGSh2RQ.mjs";
+import { r as requireAuthOptions, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-DQ4IA0yO.mjs";
+import { i as readAgentManifestsFromOutDir, o as readWorkflowsFromDisk } from "./dist-BMkNN03r.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-bVPMcs-y.mjs";
+import { n as renderBuildFailure, r as renderBuildHeader } from "./workflow-build-CoJMwpPO.mjs";
+import { t as createBuildProgress } from "./build-progress-CITED2tv.mjs";
+import { t as createDeployProgress } from "./deploy-progress-CLO-yidq.mjs";
+import { t as withErrorBoundary } from "./error-boundary-B2ZKRkZI.mjs";
+import { t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-B4IufKqe.mjs";
+import { t as computeWorkflowDiff } from "./diff-utils-BoXI705D.mjs";
 import { access } from "node:fs/promises";
 import path from "node:path";
 //#region src/commands/deploy/deploy-diff.ts
@@ -198,7 +198,7 @@ async function handleDeploy(options, ctx) {
 		let outDir;
 		let artifactFilter;
 		try {
-			const { runWorkflowBuild } = await import("./workflow-build-Z2_jkOsZ.mjs").then((n) => n.o);
+			const { runWorkflowBuild } = await import("./workflow-build-CoJMwpPO.mjs").then((n) => n.o);
 			const buildOutcome = await runWorkflowBuild({
 				workflowsDir,
 				verbose: options.verbose,
@@ -233,7 +233,7 @@ async function handleDeploy(options, ctx) {
 		const progress = createDeployProgress();
 		let result;
 		try {
-			result = await (deployHandlerDependencies.deployFromDir ?? (await import("./dist-DvO0q6Fo.mjs").then((n) => n.r)).deployFromDir)({
+			result = await (deployHandlerDependencies.deployFromDir ?? (await import("./dist-BMkNN03r.mjs").then((n) => n.r)).deployFromDir)({
 				outDir,
 				workflowsDir,
 				client,
@@ -260,7 +260,7 @@ async function handleDeploy(options, ctx) {
 }
 async function handleTaskTargetDeploy(options) {
 	renderBuildHeader(void 0);
-	const buildResult = await (deployHandlerDependencies.buildTaskTargets ?? (await import("./task-target-build-D5IrHqSl.mjs")).buildTaskTargets)({
+	const buildResult = await (deployHandlerDependencies.buildTaskTargets ?? (await import("./task-target-build-atWwwnSF.mjs")).buildTaskTargets)({
 		projectRoot: options.workflowsDir,
 		targetFiles: options.targetFiles,
 		disableSourcemaps: options.options.disableSourcemaps
@@ -278,7 +278,7 @@ async function handleTaskTargetDeploy(options) {
 	const progress = createDeployProgress();
 	let result;
 	try {
-		result = await (deployHandlerDependencies.deployTaskTargets ?? (await import("./task-target-deploy-Bzfftyru.mjs")).deployTaskTargets)({
+		result = await (deployHandlerDependencies.deployTaskTargets ?? (await import("./task-target-deploy-CRsrQTOy.mjs")).deployTaskTargets)({
 			preparedTasks: buildResult.preparedTasks,
 			client,
 			organizationId: options.projectConfig.organizationId,
@@ -300,7 +300,7 @@ async function handleTaskTargetDeploy(options) {
 }
 async function createFullDeployClient(ctx) {
 	const authOptions = requireAuthOptions(ctx);
-	const { createClient } = await import("./src--fCtOxNX.mjs");
+	const { createClient } = await import("./src-D-dFmoAF.mjs");
 	return createClient({
 		...authOptions,
 		onRequest: (info) => logger.debug(`-> ${info.method} ${info.url}`, {
@@ -315,7 +315,7 @@ async function createFullDeployClient(ctx) {
 }
 async function createTaskDeployClient(ctx) {
 	const authOptions = requireAuthOptions(ctx);
-	return (deployHandlerDependencies.createDeployClient ?? (await import("./deploy-B8TYutOi.mjs")).createDeployClient)(authOptions);
+	return (deployHandlerDependencies.createDeployClient ?? (await import("./deploy-BvaFgVvf.mjs")).createDeployClient)(authOptions);
 }
 function renderSuccessSummary(result) {
 	const tasks = result.tasks || [];

package/dist/{detect-env-access-CwkOYeYM-D4o8gRZs.mjs → detect-env-access-CwkOYeYM-EmkYvbfJ.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as __exportAll } from "./chunk-CH6r78ws.mjs";
-import { t as __exportAll$1 } from "./rolldown-runtime-twds-ZHy-RuJszab7.mjs";
+import { t as __exportAll$1 } from "./rolldown-runtime-twds-ZHy-3DMm_Sby.mjs";
 import path from "node:path";
 //#region ../../packages/workflow-builder/dist/detect-env-access-CwkOYeYM.mjs
 var detect_env_access_CwkOYeYM_exports = /* @__PURE__ */ __exportAll({

package/dist/{diff.handler-BU6IewNG.mjs → diff.handler-BXg47NIZ.mjs}

@@ -3,9 +3,9 @@
 import { N as throwReportedCliExit, k as CliExitError, n as ui, x as toErrorMessage } from "./keystroke.mjs";
 import { d as trackProject } from "./dist-BF6r1hfv.mjs";
 import { i as writeJson } from "./output-CGdYhH0p.mjs";
-import { i as requireClient, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-1VgRbzr-.mjs";
-import { n as resolveLocalWorkflowManifest, t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-B05z0EQa.mjs";
-import { n as renderDiff, t as computeWorkflowDiff } from "./diff-utils-AATn2n56.mjs";
+import { i as requireClient, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-DQ4IA0yO.mjs";
+import { n as resolveLocalWorkflowManifest, t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-B4IufKqe.mjs";
+import { n as renderDiff, t as computeWorkflowDiff } from "./diff-utils-BoXI705D.mjs";
 //#region src/commands/workflows/diff/diff.handler.ts
 async function handleWorkflowsDiff(options, ctx) {
 	const resolved = await resolveLocalWorkflowManifest(options.workflow, options.path, { jsonMode: ctx.jsonMode });

package/dist/{dist-DvO0q6Fo.mjs → dist-BMkNN03r.mjs}

@@ -1,18 +1,18 @@
 #!/usr/bin/env node
 
 import { n as __exportAll } from "./chunk-CH6r78ws.mjs";
-import { t as assertWorkflowProjectRoot } from "./project-config-D9eFU8Jk.mjs";
-import { r as SHA256HashSchema } from "./common-B3bLe3Mk.mjs";
-import { f as collectCredentialRequirementEntries, l as TriggerUploadDataSchema } from "./credential-requirements-BCW8aQWS.mjs";
-import { a as FlowGraphSchema, i as WorkflowManifestSchema } from "./workflow-manifest-BfL74mjp.mjs";
-import { t as AgentVersionManifestSchema } from "./agent-manifest-sJFbH5H8.mjs";
-import { n as TaskBuildManifestSchema } from "./task-1qz1XNq7.mjs";
-import { n as FileMetadataSchema } from "./file-metadata-BvGM-B2v.mjs";
-import { t as computeProjectSnapshotHash } from "./task-target-deploy-Bf5i3ox1-2K0hAwzk.mjs";
-import { a as MANIFEST_FILE_NAME, d as getMetadataRoot, f as getTriggersDir, m as getWorkflowManifestPath, p as getWorkflowArtifactPaths, t as BUILD_DIR_NAME } from "./layout-CXkZEsXI.mjs";
-import { n as resolveProjectBuildOutputDir } from "./utils-C_qCshBA.mjs";
-import { t as TriggerBuildManifestSchema } from "./trigger-manifest-B3Gq1739.mjs";
-import { t as batchUpload } from "./upload-C1qFWMm0.mjs";
+import { t as assertWorkflowProjectRoot } from "./project-config-CJGSh2RQ.mjs";
+import { n as SHA256HashSchema } from "./common-BaGFkj3n.mjs";
+import { c as TriggerUploadDataSchema, d as collectCredentialRequirementEntries } from "./credential-requirements-FtBk5JVB.mjs";
+import { a as FlowGraphSchema, r as WorkflowBuildManifestSchema } from "./workflow-build-manifest-OPFqFD6f.mjs";
+import { t as AgentVersionManifestSchema } from "./agent-manifest-CZdlCTFs.mjs";
+import { n as TaskBuildManifestSchema } from "./task-BBgEvdG1.mjs";
+import { n as FileMetadataSchema } from "./file-metadata-Dwy9KKq_.mjs";
+import { t as computeProjectSnapshotHash } from "./task-target-deploy-CZBGNC0H-BwPSfaJQ.mjs";
+import { a as MANIFEST_FILE_NAME, d as getMetadataRoot, f as getTriggersDir, m as getWorkflowManifestPath, p as getWorkflowArtifactPaths, t as BUILD_DIR_NAME } from "./layout-DRf9qUf8.mjs";
+import { n as resolveProjectBuildOutputDir } from "./utils-DpEtybzI.mjs";
+import { t as TriggerBuildManifestSchema } from "./trigger-manifest-D5rnpPkA.mjs";
+import { t as batchUpload } from "./upload-C0kaZu08.mjs";
 import { createReadStream } from "node:fs";
 import * as fs from "node:fs/promises";
 import { stat } from "node:fs/promises";
@@ -53,7 +53,7 @@ async function readManifestsFromOutDir(workflowsDir, ref) {
 		const manifestPath = getWorkflowManifestPath(distDir, entry.name);
 		try {
 			const raw = await fs.readFile(manifestPath, "utf-8");
-			const parsed = WorkflowManifestSchema.safeParse(JSON.parse(raw));
+			const parsed = WorkflowBuildManifestSchema.safeParse(JSON.parse(raw));
 			if (!parsed.success) continue;
 			if (ref === void 0) {
 				all.push({
@@ -103,7 +103,7 @@ async function readAgentManifestsFromOutDir(workflowsDir) {
 	return results;
 }
 /**
-* Collects `resolvedCredentialSetId` → `schemaFingerprint` from a built agent
+* Collects `credentialDefinitionId` → `schemaFingerprint` from a built agent
 * manifest (top-level credential sets, MCP servers, and messaging gateways).
 */
 function collectSchemaFingerprintsFromAgentManifest(manifest) {
@@ -117,7 +117,7 @@ function collectSchemaFingerprintsFromAgentManifest(manifest) {
 	return map;
 }
 /**
-* Builds `resolvedCredentialSetId` → `schemaFingerprint` from all workflow
+* Builds `credentialDefinitionId` → `schemaFingerprint` from all workflow
 * manifests and agent version manifests under a project's build output dir.
 */
 async function collectCredentialFingerprintMapFromProjectDist(projectRoot) {
@@ -642,7 +642,7 @@ async function readWorkflowsFromDisk(outDir, options) {
 		const artifactPaths = getWorkflowArtifactPaths(outDir, entryName);
 		try {
 			const manifestRaw = await fs.readFile(artifactPaths.manifestPath, "utf-8");
-			const manifestData = WorkflowManifestSchema.parse(JSON.parse(manifestRaw));
+			const manifestData = WorkflowBuildManifestSchema.parse(JSON.parse(manifestRaw));
 			if (filterSet && !filterSet.has(manifestData.name) && !filterSet.has(manifestData.id)) continue;
 			const flowRaw = await fs.readFile(artifactPaths.flowPath, "utf-8");
 			const flowData = FlowGraphSchema.parse(JSON.parse(flowRaw));

package/dist/{env.handler-C6YAmHLi.mjs → env.handler-DFKzjIQT.mjs}

@@ -3,12 +3,12 @@
 import { N as throwReportedCliExit, b as isNetworkError, f as ANSI, g as REAUTH_HINT, k as CliExitError, n as ui, p as style, x as toErrorMessage, y as isAuthError } from "./keystroke.mjs";
 import { d as trackProject } from "./dist-BF6r1hfv.mjs";
 import { i as writeJson } from "./output-CGdYhH0p.mjs";
-import { i as requireClient } from "./context-1VgRbzr-.mjs";
-import { n as CredentialScopeSchema, t as ConnectionStatusSchema } from "./schema-BgGlAs8a.mjs";
-import { a as readManifestsFromOutDir } from "./dist-DvO0q6Fo.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-C6UAOfAG.mjs";
-import { t as groupCredentialRequirements } from "./credentials-DAQfKqn0.mjs";
-import { t as getIntegrationCatalog } from "./integration-catalog-DtNWaMvh.mjs";
+import { i as requireClient } from "./context-DQ4IA0yO.mjs";
+import { n as CredentialConnectionIdSchema, r as CredentialScopeSchema, t as ConnectionStatusSchema } from "./schema-DFJiNWyd.mjs";
+import { a as readManifestsFromOutDir } from "./dist-BMkNN03r.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-bVPMcs-y.mjs";
+import { t as getIntegrationCatalog } from "./integration-catalog-BRrJIAVz.mjs";
+import { t as groupCredentialRequirements } from "./credentials-Bu1MBiCL.mjs";
 import { z } from "zod";
 import Table from "cli-table3";
 //#region ../../packages/shared-types/src/credentials/api/responses.ts
@@ -22,6 +22,7 @@ const CredentialSetResponseSchema = z.object({
 	id: z.string(),
 	organizationId: z.string(),
 	credentialSetId: z.string(),
+	credentialConnectionId: CredentialConnectionIdSchema,
 	name: z.string(),
 	scope: CredentialScopeSchema,
 	userId: z.string().nullable(),
@@ -94,6 +95,8 @@ z.discriminatedUnion("status", [z.object({
 	status: z.literal("exchanged"),
 	/** The credential set the server persisted values into. */
 	credentialSetId: z.string(),
+	/** Selected acquisition path persisted on the credential set row. */
+	credentialConnectionId: CredentialConnectionIdSchema,
 	/** Keys persisted from the exchange hook's returned `stored` payload. */
 	keys: z.array(z.string()),
 	/** ISO timestamp when the stored payload expires, if any. */
@@ -267,7 +270,7 @@ async function readCredentialResolutionError(error) {
 }
 function getCredentialSourceLabel(catalog, credentialSetId) {
 	if (!credentialSetId) return null;
-	return catalog.byResolvedCredentialSetId.get(credentialSetId)?.label ?? credentialSetId;
+	return catalog.byCredentialDefinitionId.get(credentialSetId)?.label ?? credentialSetId;
 }
 function addWorkflowFix(fixes, fix) {
 	if (fixes.some((existing) => existing.summary === fix.summary)) return;

package/dist/{error-boundary-CpaVvFXk.mjs → error-boundary-B2ZKRkZI.mjs}

@@ -2,7 +2,7 @@
 
 import { b as isNetworkError, k as CliExitError, n as ui, u as logger, x as toErrorMessage } from "./keystroke.mjs";
 import { r as isJsonMode } from "./output-CGdYhH0p.mjs";
-import { n as renderCredentialSchemaMismatchText, r as writeCredentialSchemaMismatchJson, t as isCredentialSchemaMismatchErrorLike } from "./credential-schema-mismatch-DM9Y91jL.mjs";
+import { n as renderCredentialSchemaMismatchText, r as writeCredentialSchemaMismatchJson, t as isCredentialSchemaMismatchErrorLike } from "./credential-schema-mismatch-8pqwvswO.mjs";
 //#region src/lib/error-boundary.ts
 async function withErrorBoundary(commandName, fn, options = {}) {
 	const jsonMode = options.json ?? isJsonMode({});