@keystrokehq/cli 0.0.11 → 0.0.13

package/dist/credential-requirements-BCW8aQWS.mjs

@@ -1,480 +0,0 @@
-#!/usr/bin/env node
-
-import { t as JsonSchemaSchema } from "./common-B3bLe3Mk.mjs";
-import { c as optionalDescriptionString, f as trimmedNonEmptyString, h as zodObjectSchema, l as optionalTrimmedNonEmptyString, o as jsonSchemaObject, r as credentialSetIdString, u as resolvedCredentialSetIdString } from "./schema-B-Wgo4rJ.mjs";
-import { a as SourceLocationSchema, i as ImportSourceSchema, t as CallKindSchema } from "./source-analysis-CHkWMC40.mjs";
-import { z } from "zod";
-//#region ../../packages/core/src/credential-set/constants.ts
-/**
-* Kinds describe what a credential set represents at the platform level.
-*/
-const CREDENTIAL_KINDS = {
-	"user-connection": "user-connection",
-	"provider-app": "provider-app"
-};
-/**
-* Visibility determines whether credential values may be injected into user code.
-*/
-const CREDENTIAL_VISIBILITIES = {
-	"user-visible": "user-visible",
-	internal: "internal"
-};
-//#endregion
-//#region ../../packages/core/src/credential-set/schemas.ts
-const credentialPlatformMetadataSchema = z.object({
-	kind: z.enum([CREDENTIAL_KINDS["user-connection"], CREDENTIAL_KINDS["provider-app"]]),
-	visibility: z.enum([CREDENTIAL_VISIBILITIES["user-visible"], CREDENTIAL_VISIBILITIES.internal])
-});
-const credentialPlatformMetadataJsonSchema = z.object({
-	kind: z.enum([CREDENTIAL_KINDS["user-connection"], CREDENTIAL_KINDS["provider-app"]]),
-	visibility: z.enum([CREDENTIAL_VISIBILITIES["user-visible"], CREDENTIAL_VISIBILITIES.internal])
-});
-const credentialSetProxyInjectionSchema = z.object({
-	/** Substitute placeholder in HTTP headers (default: true). */
-	headers: z.boolean().optional(),
-	/** Substitute placeholder in the HTTP Basic Auth credential (default: true). */
-	basicAuth: z.boolean().optional(),
-	/** Substitute placeholder in URL query params (default: false).
-	*  Use for APIs that authenticate via `?api_key=...` (Google Maps, OWM, etc.). */
-	queryParams: z.boolean().optional(),
-	/** Substitute placeholder in the HTTP request body (default: false).
-	*  Use for form-encoded auth payloads (Stripe, AWS SigV4 query, etc.). */
-	body: z.boolean().optional()
-});
-const credentialSetProxyConfigSchema = z.object({
-	/** Exact-match host allowlist (forwarded to SecretBuilder.allowHost). */
-	hosts: z.array(z.string().min(1)).optional(),
-	/** Wildcard host allowlist (forwarded to SecretBuilder.allowHostPattern).
-	*  Example: `["*.browserbase.com"]` covers any subdomain. */
-	hostPatterns: z.array(z.string().min(1)).optional(),
-	/** Per-scope substitution toggles. Omit to use SDK defaults. */
-	injection: credentialSetProxyInjectionSchema.optional()
-});
-const onCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
-const manualConnectionConfigSchema = z.object({
-	kind: z.literal("manual"),
-	instructions: z.string().min(1).optional(),
-	validate: z.function().optional()
-});
-const manualConnectionConfigManifestSchema = z.object({
-	kind: z.literal("manual"),
-	instructions: z.string().min(1).optional()
-});
-/** Declarative form of `Vault` — strings typed against the credential set's
-* stored/auth schema keys at the {@link CredentialSetConfig} boundary; the Zod
-* schema here enforces non-empty strings only. `CredentialSet` itself performs
-* the schema-key membership check at construction time. */
-const vaultMappingSchema = z.object({
-	accessToken: z.string().min(1),
-	instanceUrl: z.string().min(1).optional(),
-	raw: z.record(z.string().min(1), z.string().min(1)).optional()
-});
-/** Function form of `Vault` — an object pairing the access-token vault key
-*  (`accessTokenKey`) with the `build` function that computes the full vault
-*  write map. The explicit key keeps the disconnect path's revocation read
-*  reliable even when `build` transforms the access token. */
-const vaultMappingFnSchema = z.object({
-	accessTokenKey: z.string().min(1),
-	build: z.custom((val) => typeof val === "function", { message: "vault.build must be a function." })
-});
-/** Runtime shape of `Vault`. Accepts either the declarative mapping or the
-*  function-form object `{ accessTokenKey, build }`. */
-const vaultConfigSchema = z.union([vaultMappingSchema, vaultMappingFnSchema], { error: "vault must be a declarative mapping object or a `{ accessTokenKey, build }` object." });
-/** Manifest projection of `Vault` — declarative mappings serialize verbatim;
-* function-form mappings serialize as `{ kind: 'function', accessTokenKey }`
-* since closures are not manifest-safe but the access-token key is. */
-const vaultManifestSchema = z.discriminatedUnion("kind", [z.object({
-	kind: z.literal("declarative"),
-	accessToken: z.string().min(1),
-	instanceUrl: z.string().min(1).optional(),
-	raw: z.record(z.string().min(1), z.string().min(1)).optional()
-}), z.object({
-	kind: z.literal("function"),
-	accessTokenKey: z.string().min(1)
-})]);
-/** Structural check: any object exposing the core {@link AnyCredentialSet}
-*  shape (id, resolvedCredentialSetId, credentialKeys, platformMetadata).
-*  The runtime validator inside `CredentialSet.ts` does the deeper
-*  visibility / key-coverage check.
-*
-*  Intentionally `z.custom` rather than a structural subschema — Zod cannot
-*  express `z.ZodObject<any>` on the `auth` field, and we only need enough
-*  structure for the runtime validator to walk the value. */
-const oauthClientSourceCredentialSetRef = z.custom((val) => val !== null && typeof val === "object" && "id" in val && "credentialKeys" in val, { message: "oauthClientSource.credentialSet must be a CredentialSet instance." });
-const oauthClientSourceSchema = z.discriminatedUnion("kind", [z.object({ kind: z.literal("keystroke-platform") }), z.object({
-	kind: z.literal("workspace-provider-app"),
-	credentialSet: oauthClientSourceCredentialSetRef,
-	keyMap: z.object({
-		clientId: z.string().min(1).optional(),
-		clientSecret: z.string().min(1).optional()
-	}).optional()
-})]);
-const oauthClientSourceManifestSchema = z.discriminatedUnion("kind", [z.object({ kind: z.literal("keystroke-platform") }), z.object({
-	kind: z.literal("workspace-provider-app"),
-	credentialSetId: z.string().min(1),
-	keyMap: z.object({
-		clientId: z.string().min(1).optional(),
-		clientSecret: z.string().min(1).optional()
-	}).optional()
-})]);
-const oauthConnectionConfigBaseSchema = z.object({
-	kind: z.literal("oauth"),
-	authUrl: z.string().url(),
-	tokenUrl: z.string().url(),
-	scopes: z.array(z.string()).readonly(),
-	revokeUrl: z.string().url().nullable().optional(),
-	tokenType: z.enum(["long-lived", "refreshable"]),
-	pkce: z.boolean().optional(),
-	/** Fallback token lifetime when the provider omits `expires_in`. Positive
-	*  integer seconds. Shared between config + manifest schemas (both extend
-	*  this base). */
-	defaultExpiresInSeconds: z.number().int().positive().optional()
-});
-const oauthConnectionConfigSchema = oauthConnectionConfigBaseSchema.extend({
-	vault: vaultConfigSchema,
-	buildAuthUrl: z.function().optional(),
-	exchangeCode: z.function().optional(),
-	refreshToken: z.function().optional(),
-	extractInstallationInfo: z.function().optional(),
-	validate: z.function().optional(),
-	oauthClientSource: oauthClientSourceSchema.optional()
-});
-const oauthConnectionConfigManifestSchema = oauthConnectionConfigBaseSchema.extend({
-	vault: vaultManifestSchema,
-	oauthClientSource: oauthClientSourceManifestSchema.optional()
-});
-const credentialsExchangeConnectionConfigSchema = z.object({
-	kind: z.literal("credentials-exchange"),
-	instructions: z.string().min(1).optional(),
-	input: zodObjectSchema
-}).extend({
-	exchange: z.function(),
-	rotate: z.function().optional(),
-	validate: z.function().optional()
-});
-/** Manifest projection of `CredentialsExchangeConnectionConfig` — only the
-*  declarative `input` schema (rendered as JSON Schema) and `instructions`
-*  copy survive serialization. The three hooks (`exchange`, `rotate`,
-*  `validate`) are runtime closures and are stripped. */
-const credentialsExchangeConnectionConfigManifestSchema = z.object({
-	kind: z.literal("credentials-exchange"),
-	instructions: z.string().min(1).optional(),
-	input: jsonSchemaObject
-});
-const connectionConfigSchema = z.discriminatedUnion("kind", [
-	manualConnectionConfigSchema,
-	oauthConnectionConfigSchema,
-	credentialsExchangeConnectionConfigSchema
-]);
-/** Manifest projection of `ConnectionConfig` — declarative metadata only. */
-const connectionConfigManifestSchema = z.discriminatedUnion("kind", [
-	manualConnectionConfigManifestSchema,
-	oauthConnectionConfigManifestSchema,
-	credentialsExchangeConnectionConfigManifestSchema
-]);
-const CredentialSetManifestSchema = z.object({
-	manifestVersion: z.literal(1),
-	type: z.literal("credentialSet"),
-	id: credentialSetIdString("Credential set id"),
-	namespace: credentialSetIdString("Credential set namespace").optional(),
-	resolvedCredentialSetId: resolvedCredentialSetIdString("Resolved credential set id"),
-	name: trimmedNonEmptyString("Credential set name"),
-	description: optionalDescriptionString("Credential set description"),
-	auth: jsonSchemaObject,
-	stored: jsonSchemaObject.optional(),
-	needsResolve: z.boolean().optional(),
-	/** Run-scoped cache TTL in milliseconds for the credential set's `resolve`
-	*  hook. `0` or absence means no cache hint. Populated from top-level
-	*  `resolveCacheMs` in the authored config. */
-	resolveCacheMs: z.number().int().nonnegative().optional(),
-	/** Where the `stored`→`auth` transform runs (cluster 15). `'sandbox'`
-	*  for `resolve`, `'platform'` for `resolveAtPlatform`, `'none'` when
-	*  the credential set has no transform. Omitted in the manifest when
-	*  `'none'` to keep serialized output compact. */
-	resolveLocation: z.enum(["sandbox", "platform"]).optional(),
-	/** Platform-side env allowlist (cluster 15). Only meaningful when
-	*  `resolveLocation === 'platform'`. */
-	platformEnvAllowlist: z.array(z.string().min(1)).optional(),
-	platformMetadata: credentialPlatformMetadataJsonSchema.optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
-	needsRawSecret: z.boolean().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: onCredentialRevokedSchema.optional(),
-	connection: connectionConfigManifestSchema.optional()
-});
-const credentialSetConfigSchema = z.object({
-	id: credentialSetIdString("Credential set id"),
-	namespace: credentialSetIdString("Credential set namespace").optional(),
-	name: optionalTrimmedNonEmptyString("Credential set name"),
-	description: optionalDescriptionString("Credential set description"),
-	auth: zodObjectSchema,
-	stored: zodObjectSchema.optional(),
-	resolve: z.function().optional(),
-	/** Run-scoped cache TTL in milliseconds for `resolve` output. Requires `resolve`. */
-	resolveCacheMs: z.number().int().nonnegative().optional(),
-	/** Platform-side `stored`→`auth` transform (cluster 15). Runs on the
-	*  trusted host with a scoped fetch + allowlisted env. Mutually
-	*  exclusive with `resolve`. */
-	resolveAtPlatform: z.function().optional(),
-	platformEnvAllowlist: z.array(z.string().min(1)).optional(),
-	platformMetadata: credentialPlatformMetadataSchema.optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
-	needsRawSecret: z.boolean().optional(),
-	onCredentialRevoked: onCredentialRevokedSchema.optional(),
-	connection: connectionConfigSchema.optional()
-}).refine((c) => !(c.resolve === void 0 && c.resolveCacheMs !== void 0), { message: "`resolveCacheMs` requires `resolve`." }).refine((config) => !(config.namespace === "keystroke" && config.platformMetadata === void 0), { message: "platformMetadata is required when namespace is 'keystroke'" }).refine((config) => !(config.namespace !== "keystroke" && config.connection?.kind === "oauth" && config.connection.oauthClientSource === void 0), { message: "OAuth connections on user-authored (non-keystroke-namespaced) credential sets require `oauthClientSource` to point at a workspace-provider-app credential set. Example: `oauthClientSource: { kind: \"workspace-provider-app\", credentialSet: myClientApp }`." }).refine((config) => {
-	if (config.connection?.kind !== "oauth") return true;
-	const source = config.connection.oauthClientSource;
-	if (!source || source.kind !== "workspace-provider-app") return true;
-	return source.credentialSet.platformMetadata?.visibility === "internal";
-}, { message: "oauthClientSource.credentialSet must be marked `platformMetadata: { visibility: 'internal' }`. This prevents the sandbox from injecting clientSecret into user step code." }).refine((c) => !(c.resolve !== void 0 && c.resolveAtPlatform !== void 0), { message: "`resolve` and `resolveAtPlatform` are mutually exclusive. Pick one: `resolve` for sandbox-side shape transforms, `resolveAtPlatform` for host-side external-secrets calls." }).refine((c) => !(c.platformEnvAllowlist !== void 0 && c.resolveAtPlatform === void 0), { message: "`platformEnvAllowlist` requires `resolveAtPlatform`." });
-const IntegrationScopeSchema = z.enum([
-	"organization",
-	"project",
-	"user_provided_credential"
-]);
-const IntegrationCredentialRefSchema = z.discriminatedUnion("type", [z.object({
-	type: z.literal("id"),
-	id: z.string().startsWith("cset_")
-}), z.object({
-	type: z.literal("name"),
-	name: z.string().trim().min(1)
-})]);
-function hasProjectOrOrganizationScope(scope) {
-	return scope === "organization" || scope === "project";
-}
-const CredentialRefTokenKeyNameSchema = z.string().regex(/^[A-Za-z0-9_]+$/, "Credential key must contain only letters, digits, and underscores (required for ref-token proxying)");
-/** Shared enum for top-level credential-set `onCredentialRevoked` policy. */
-const OnCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
-/** A credential set after resolution in a built manifest. Contains resolved ID, scope, alias, and credential keys.*/
-const ResolvedCredentialSetSchema = z.object({
-	resolvedId: z.string(),
-	scope: IntegrationScopeSchema.optional(),
-	alias: z.string().optional(),
-	credentialRef: IntegrationCredentialRefSchema.optional(),
-	/** Auth-shape keys expected post-resolve. */
-	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
-	/** Subset of `credentialKeys` that are optional in the auth shape. */
-	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Stored-shape keys required for vault reads and upload flows. */
-	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Subset of `storedCredentialKeys` that may be absent from the vault without
-	* failing resolution. Derived from the credential set's `stored` schema:
-	* a Zod field wrapped in `.optional()` / `.default()` or a JSON Schema
-	* property not listed in `required` is considered optional. */
-	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	/** When true, resolved values are passed raw (no ref-token proxy) for this set. */
-	needsRawSecret: z.boolean().optional(),
-	/** When true, the credential set has a user `resolve` callback that runs in
-	* the sandbox before each step. Routes credentials to env (not Secret.env). */
-	needsResolve: z.boolean().optional(),
-	/** Run-scoped cache TTL in milliseconds for the credential set's `resolve`
-	* hook output. `0` or absence means no cache hint. */
-	resolveCacheMs: z.number().int().nonnegative().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
-	/** Persistence-layer schema fingerprint stamped at build time. The
-	* resolver's phase 2 compares this against the vault row's stored
-	* fingerprint and raises `CredentialSchemaMismatchError` on drift.
-	* Optional here so pre-fingerprint artifacts still parse; the
-	* workflow builder populates it for every authored credential set
-	* that has a resolvable fingerprint. */
-	schemaFingerprint: z.string().optional()
-}).superRefine((value, ctx) => {
-	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
-		code: z.ZodIssueCode.custom,
-		path: ["credentialRef"],
-		message: "credentialRef requires scope to be \"project\" or \"organization\""
-	});
-});
-const DeclaredCredentialRequirementSchema = z.object({
-	credentialSetId: z.string(),
-	namespace: z.string().optional(),
-	resolvedCredentialSetId: z.string(),
-	/** Auth-shape keys expected post-resolve. */
-	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
-	/** Optional subset of the auth-shape keys. */
-	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Stored-shape keys required for vault reads. */
-	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Optional subset of the stored-shape keys. */
-	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	schemaFingerprint: z.string().optional(),
-	needsResolve: z.boolean().optional(),
-	/** Run-scoped cache TTL in milliseconds for the credential set's `resolve`
-	*  hook output. `0` or absence means no cache hint. */
-	resolveCacheMs: z.number().int().nonnegative().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	needsRawSecret: z.boolean().optional(),
-	requiredOAuthScopes: z.array(z.string()).optional()
-});
-const CredentialRequirementEntrySchema = z.object({
-	credentialSetId: z.string(),
-	scope: IntegrationScopeSchema.optional(),
-	alias: z.string().optional(),
-	credentialRef: IntegrationCredentialRefSchema.optional(),
-	/** Auth-shape keys expected post-resolve. */
-	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
-	/** Optional subset of the auth-shape keys. */
-	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Stored-shape keys required for vault reads. */
-	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Optional subset of the stored-shape keys. */
-	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	schemaFingerprint: z.string().optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	needsRawSecret: z.boolean().optional(),
-	/** When true, the credential set has a user `resolve` callback. Routes
-	* credentials to env (not Secret.env) so the callback can transform them. */
-	needsResolve: z.boolean().optional(),
-	/** Run-scoped cache TTL in milliseconds for the credential set's `resolve`
-	*  hook output. `0` or absence means no cache hint. */
-	resolveCacheMs: z.number().int().nonnegative().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
-	requiredOAuthScopes: z.array(z.string()).optional()
-}).superRefine((value, ctx) => {
-	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
-		code: z.ZodIssueCode.custom,
-		path: ["credentialRef"],
-		message: "credentialRef requires scope to be \"project\" or \"organization\""
-	});
-});
-const CredentialRequirementsSchema = z.object({
-	required: z.array(z.string()),
-	byStep: z.record(z.string(), z.array(CredentialRequirementEntrySchema))
-});
-const TriggerCallbackNameSchema = z.enum([
-	"filter",
-	"idempotencyKey",
-	"verify",
-	"callback"
-]);
-const TriggerCredentialRequirementEntrySchema = CredentialRequirementEntrySchema;
-const TriggerCredentialRequirementsSchema = z.object({
-	required: z.array(z.string()),
-	byCallback: z.partialRecord(TriggerCallbackNameSchema, z.array(TriggerCredentialRequirementEntrySchema))
-});
-function buildCredentialRequirementEntryKey(entry) {
-	const credentialRefKey = entry.credentialRef ? entry.credentialRef.type === "id" ? `id:${entry.credentialRef.id}` : `name:${entry.credentialRef.name}` : "";
-	return [
-		entry.credentialSetId,
-		entry.scope ?? "",
-		entry.alias ?? "",
-		credentialRefKey,
-		entry.schemaFingerprint ?? "",
-		[...entry.credentialKeys].sort().join(","),
-		[...entry.optionalCredentialKeys ?? []].sort().join(","),
-		[...entry.storedCredentialKeys ?? []].sort().join(","),
-		[...entry.optionalStoredCredentialKeys ?? []].sort().join(","),
-		entry.needsRawSecret === true ? "1" : "0",
-		entry.needsResolve === true ? "1" : "0",
-		typeof entry.resolveCacheMs === "number" ? String(entry.resolveCacheMs) : "",
-		entry.onCredentialRevoked ?? "",
-		entry.proxy ? JSON.stringify(entry.proxy) : ""
-	].join("|");
-}
-function deduplicateCredentialRequirementEntries(entries) {
-	const deduped = /* @__PURE__ */ new Map();
-	for (const entry of entries) {
-		const key = buildCredentialRequirementEntryKey(entry);
-		const existing = deduped.get(key);
-		if (!existing) deduped.set(key, {
-			...entry,
-			credentialKeys: [...entry.credentialKeys].sort(),
-			...entry.optionalCredentialKeys ? { optionalCredentialKeys: [...entry.optionalCredentialKeys].sort() } : {},
-			...entry.storedCredentialKeys ? { storedCredentialKeys: [...entry.storedCredentialKeys].sort() } : {},
-			...entry.optionalStoredCredentialKeys ? { optionalStoredCredentialKeys: [...entry.optionalStoredCredentialKeys].sort() } : {}
-		});
-		else if (entry.requiredOAuthScopes?.length) {
-			const merged = new Set([...existing.requiredOAuthScopes ?? [], ...entry.requiredOAuthScopes]);
-			deduped.set(key, {
-				...existing,
-				requiredOAuthScopes: [...merged].sort()
-			});
-		}
-	}
-	return [...deduped.values()];
-}
-function collectCredentialRequirementEntries(credentialRequirements) {
-	if (!credentialRequirements) return [];
-	return deduplicateCredentialRequirementEntries(Object.values(credentialRequirements.byStep ?? {}).flat());
-}
-const ExecutionIdentityPolicySchema = z.object({ subjectMode: z.enum(["never", "requiredWhenUserProvidedCredential"]) });
-/** A step's entry within a WorkflowManifest. Describes how a step is used in a workflow, not what the step itself is. */
-const WorkflowStepEntrySchema = z.object({
-	nodeId: z.string().min(1),
-	stepName: z.string().min(1),
-	label: z.string().min(1),
-	callKind: CallKindSchema,
-	stepId: z.string().min(1).optional(),
-	source: SourceLocationSchema.optional(),
-	astKind: z.string().min(1).optional(),
-	importSource: ImportSourceSchema.optional(),
-	outputBinding: z.string().min(1).optional(),
-	scopeOverride: IntegrationScopeSchema.optional(),
-	description: z.string().optional(),
-	sourceCode: z.string().optional(),
-	exportName: z.string().optional(),
-	inputSchema: JsonSchemaSchema.optional(),
-	outputSchema: JsonSchemaSchema.optional(),
-	credentialSets: z.array(ResolvedCredentialSetSchema).optional()
-});
-const TriggerTypeSchema = z.enum([
-	"webhook",
-	"cron",
-	"polling"
-]);
-/**
-* Persisted on `deployment_triggers.trigger_source`. Mirrors the
-* `webhookTrigger({ source: { type } })` discriminator so the server
-* can index-filter app-source rows during provider-webhook fanout.
-*/
-const TriggerSourceSchema = z.enum(["custom", "app"]);
-const WebhookMethodSchema = z.enum([
-	"GET",
-	"POST",
-	"PUT",
-	"PATCH"
-]);
-const TriggerCallbackBundleUploadSchema = z.object({
-	code: z.string(),
-	hash: z.string(),
-	size: z.number()
-});
-const TriggerCallbackExportsSchema = z.object({
-	verify: z.string().min(1).optional(),
-	filter: z.string().min(1).optional(),
-	idempotencyKey: z.string().min(1).optional(),
-	callback: z.string().min(1).optional()
-});
-const TransformCallbackExportsSchema = z.object({ transform: z.string().min(1).optional() });
-const TriggerUploadDataSchema = z.object({
-	id: z.string(),
-	type: TriggerTypeSchema,
-	/**
-	* Source-of-truth discriminator for webhook triggers. `'custom'` means
-	* the trigger owns its own HTTP path; `'app'` means it is fanned out by
-	* a Keystroke-managed provider app. Undefined for non-webhook triggers.
-	*/
-	triggerSource: TriggerSourceSchema.optional(),
-	enabled: z.boolean(),
-	path: z.string().optional(),
-	method: WebhookMethodSchema.optional(),
-	schedule: z.string().optional(),
-	timezone: z.string().optional(),
-	config: z.record(z.string(), z.unknown()).optional(),
-	requiredCredentials: TriggerCredentialRequirementsSchema.optional(),
-	storagePath: z.string().min(1).optional(),
-	callbackBundle: TriggerCallbackBundleUploadSchema.optional(),
-	callbackExports: TriggerCallbackExportsSchema.optional(),
-	transformCallbackBundle: TriggerCallbackBundleUploadSchema.optional(),
-	transformCallbackExports: TransformCallbackExportsSchema.optional()
-});
-//#endregion
-export { CREDENTIAL_VISIBILITIES as _, ResolvedCredentialSetSchema as a, TriggerTypeSchema as c, WorkflowStepEntrySchema as d, collectCredentialRequirementEntries as f, CREDENTIAL_KINDS as g, credentialSetConfigSchema as h, IntegrationScopeSchema as i, TriggerUploadDataSchema as l, CredentialSetManifestSchema as m, DeclaredCredentialRequirementSchema as n, TriggerCredentialRequirementsSchema as o, deduplicateCredentialRequirementEntries as p, ExecutionIdentityPolicySchema as r, TriggerSourceSchema as s, CredentialRequirementsSchema as t, WebhookMethodSchema as u };