@keystrokehq/cli 0.0.11 → 0.0.13

package/dist/{connect.handler-CWSLgf87.mjs → connect.handler-ToY6qmMz.mjs}

@@ -2,227 +2,41 @@
 
 import { N as throwReportedCliExit, b as isNetworkError, h as AUTH_HINT, n as ui, x as toErrorMessage } from "./keystroke.mjs";
 import { i as writeJson } from "./output-CGdYhH0p.mjs";
-import { n as CredentialScopeSchema, t as ConnectionStatusSchema } from "./schema-BgGlAs8a.mjs";
-import { t as openBrowser } from "./browser-CvuyMLhI.mjs";
-import { t as getIntegrationCatalog } from "./integration-catalog-DtNWaMvh.mjs";
-import { z } from "zod";
-//#region ../../packages/shared-types/src/connections/api.ts
-/**
-* API request/response types for the integration catalog and connection endpoints.
-*
-* These types are shared between the server route handlers, the Keystroke SDK, and
-* any in-repo consumer (CLI, web). They divide the surface into two clearly-scoped
-* endpoints:
-*
-*   GET /api/v1/integrations  — the static Keystroke integration catalog (what can
-*     be connected). Auth required; not org-scoped; long-cached.
-*
-*   GET /api/v1/connections   — the caller's configured connections for the current
-*     org (what has been connected). Auth + org required; no-cache.
-*
-* Each endpoint validates its query string with the exported `*QuerySchema`, and
-* the SDK types its method signatures against the same schema so that invalid
-* params cannot be sent or accepted.
-*/
-const ShopifyShopDomainSchema = z.string().min(1).regex(/^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i, "Shopify store domain must look like \"example.myshopify.com\".");
-const InitiateConnectionRequestSchema = z.object({
-	providerAppId: z.string().optional(),
-	shopDomain: ShopifyShopDomainSchema.optional(),
-	requestedScopes: z.array(z.string()).optional()
-});
-const InitiateConnectionResponseSchema = z.object({
-	authUrl: z.string(),
-	initiatedAt: z.number()
-});
-const ConnectionFailureReasonSchema = z.enum([
-	"missing_state",
-	"invalid_state",
-	"provider_denied",
-	"unknown_integration",
-	"provider_app_not_configured",
-	"token_exchange_failed",
-	"installation_metadata_invalid",
-	"validation_failed",
-	"persist_failed",
-	"unknown_error"
-]);
-const ConnectionStatusNotStartedSchema = z.object({ status: z.literal("not_started") });
-const ConnectionStatusPendingSchema = z.object({ status: z.literal("pending") });
-const ConnectionStatusConnectedSchema = z.object({ status: z.literal("connected") });
-const ConnectionStatusFailedSchema = z.object({
-	status: z.literal("failed"),
-	reason: ConnectionFailureReasonSchema,
-	/**
-	* Optional human-readable detail. Truncated by the server to
-	* {@link CONNECTION_FAILURE_DETAIL_MAX_CHARS} characters before being
-	* persisted in `credential_sets.last_callback_error_detail` and
-	* before being echoed in the callback redirect query.
-	*/
-	message: z.string().max(300).optional(),
-	/** ISO-8601 timestamp of when the failure was recorded. */
-	failedAt: z.string()
-});
-const ConnectionStatusResponseSchema = z.discriminatedUnion("status", [
-	ConnectionStatusNotStartedSchema,
-	ConnectionStatusPendingSchema,
-	ConnectionStatusConnectedSchema,
-	ConnectionStatusFailedSchema
-]);
-const ConnectionKindSchema = z.enum([
-	"oauth",
-	"manual",
-	"credentials-exchange"
-]);
-const InternalCredentialSetEntrySchema = z.object({
-	resolvedCredentialSetId: z.string(),
-	publicId: z.string(),
-	displayName: z.string(),
-	/**
-	* Internal credential-set role. Currently the only first-class role is
-	* `'provider-app-definition'`; other values are accepted for forward-compat
-	* so newer servers can introduce roles without breaking older SDKs.
-	*/
-	role: z.string()
-});
-const IntegrationCatalogEntryBaseSchema = z.object({
-	publicId: z.string(),
-	/**
-	* Public-facing aliases that resolve to this canonical `publicId`
-	* (e.g., `"github"` aliases `"github-account"`). Includes the canonical
-	* ID itself — callers can key a lookup table by every entry in this
-	* list and get the same catalog record back.
-	*/
-	aliases: z.array(z.string()),
-	name: z.string(),
-	description: z.string().optional(),
-	/**
-	* Resolved credential-set metadata for the integration's primary connection.
-	* `storedKeys` drives upload flows (what the vault stores), while
-	* `authKeys` describes the post-resolve runtime shape.
-	*/
-	credentialSet: z.object({
-		resolvedCredentialSetId: z.string(),
-		authKeys: z.array(z.string()),
-		storedKeys: z.array(z.string()),
-		optionalStoredKeys: z.array(z.string()).optional(),
-		schemaFingerprint: z.string().optional()
-	}),
-	/**
-	* Internal credential sets associated with the integration (e.g., provider
-	* app definitions). Populated only when the caller requests
-	* `includeInternal=true`; otherwise empty.
-	*/
-	internalCredentialSets: z.array(InternalCredentialSetEntrySchema)
-});
-const OAuthIntegrationCatalogEntrySchema = IntegrationCatalogEntryBaseSchema.extend({
-	connectionKind: z.literal("oauth"),
-	tokenType: z.enum(["long-lived", "refreshable"]),
-	scopes: z.array(z.string())
-});
-const ManualIntegrationCatalogEntrySchema = IntegrationCatalogEntryBaseSchema.extend({ connectionKind: z.literal("manual") });
-/**
-* Catalog entry for `credentials-exchange`-kind integrations.
-*
-* Carries the JSON-schema projection of the connection's `input` schema so
-* the CLI and web UI can render an input form without re-loading the
-* original Zod schema (which only exists in the integration bundle's
-* runtime module). `credentialSet.storedKeys` reflects the stored-schema
-* keys that get persisted after exchange.
-*
-* @see packages/core/src/credential-set/connection.ts CredentialsExchangeConnectionConfig
-*/
-const CredentialsExchangeIntegrationCatalogEntrySchema = IntegrationCatalogEntryBaseSchema.extend({
-	connectionKind: z.literal("credentials-exchange"),
-	/** JSON-schema projection of the connection's `input` schema. */
-	input: z.record(z.string(), z.unknown()),
-	/** Optional free-form copy rendered above the input form. */
-	instructions: z.string().optional()
-});
-const IntegrationCatalogEntrySchema = z.discriminatedUnion("connectionKind", [
-	OAuthIntegrationCatalogEntrySchema,
-	ManualIntegrationCatalogEntrySchema,
-	CredentialsExchangeIntegrationCatalogEntrySchema
-]);
-z.object({
-	/** Restrict results to one connection kind. */
-	connectionKind: ConnectionKindSchema.optional(),
-	/**
-	* Return only the integration whose `publicId` (or alias) matches.
-	* When no integration matches, the endpoint returns an empty array.
-	*/
-	publicId: z.string().min(1).optional(),
-	/**
-	* Case-insensitive substring match against `publicId`, `aliases`, and `name`.
-	*/
-	q: z.string().min(1).optional(),
-	/**
-	* Opt into `internalCredentialSets[]` on each entry. Defaults to `false`
-	* so the common catalog call stays lean. CLI commands that need to render
-	* credential-set display names set this to `true`.
-	*/
-	includeInternal: z.stringbool().optional().default(false)
-}).strict();
-z.object({ integrations: z.array(IntegrationCatalogEntrySchema) });
-const ConnectionEntrySchema = z.object({
-	id: z.string(),
-	/**
-	* Public-facing integration ID this connection is associated with
-	* (post alias resolution). `null` when the underlying credential set is
-	* not backed by an official Keystroke integration (e.g., user-defined
-	* custom credential sets).
-	*/
-	integrationPublicId: z.string().nullable(),
-	/**
-	* Resolved credential-set ID, e.g., `"keystroke:slack"` or a custom set's
-	* identifier. Stable across alias resolution.
-	*/
-	credentialSetId: z.string(),
-	name: z.string(),
-	scope: CredentialScopeSchema,
-	platformConnected: z.boolean(),
-	connectionStatus: ConnectionStatusSchema,
-	expiresAt: z.string().nullable(),
-	isDefault: z.boolean(),
-	createdAt: z.string()
-});
-/**
-* Coerces a `status` query-param value that may arrive as a single string,
-* a comma-separated string, or (in Hono/ky's query handling) an array of
-* strings, into a canonical `ConnectionStatus[]`. Invalid entries cause the
-* surrounding Zod parse to fail with a helpful issue.
-*
-* The field itself is made optional at the object level (see
-* `ListConnectionsQuerySchema`), so passing `undefined` / omitting the key
-* is always valid; this preprocessor only runs when a value is actually
-* present.
-*/
-const ConnectionStatusQueryParam = z.preprocess((value) => {
-	if (value === void 0 || value === null || value === "") return void 0;
-	const trimmed = (Array.isArray(value) ? value : String(value).split(",")).flatMap((entry) => String(entry).split(",")).map((entry) => entry.trim()).filter((entry) => entry.length > 0);
-	return trimmed.length === 0 ? void 0 : trimmed;
-}, z.array(ConnectionStatusSchema));
-z.object({
-	/** Filter to connections for a specific integration's public ID (alias-resolved). */
-	integrationPublicId: z.string().min(1).optional(),
-	/**
-	* Filter by one or more connection statuses. Accepts a single value, a
-	* comma-separated string, or repeated query keys. Omit to return all statuses.
-	*/
-	status: ConnectionStatusQueryParam.optional(),
-	scope: CredentialScopeSchema.optional(),
-	projectId: z.uuid().optional()
-}).strict();
-z.object({ connections: z.array(ConnectionEntrySchema) });
-//#endregion
+import { t as openBrowser } from "./browser-B4K0VW8p.mjs";
+import { i as InitiateConnectionResponseSchema, n as ConnectionStatusResponseSchema, r as InitiateConnectionRequestSchema } from "./api-DuKKdCpF.mjs";
+import { t as getIntegrationCatalog } from "./integration-catalog-BRrJIAVz.mjs";
 //#region src/commands/connect/connect.handler.ts
 function formatIntegrationLabel(catalog, integrationId) {
 	return catalog.lookupByPublicId(integrationId)?.name ?? integrationId;
 }
-function normalizeShopifyShopDomain(shop) {
-	const trimmed = shop?.trim().toLowerCase();
-	if (!trimmed) return;
-	const normalized = trimmed.endsWith(".myshopify.com") ? trimmed : `${trimmed}.myshopify.com`;
-	return ShopifyShopDomainSchema.parse(normalized);
+function formatConnectionLabel(connection) {
+	return connection.label ?? connection.id;
+}
+function formatConnectionFlags(connection) {
+	const flags = [connection.recommended === true ? "recommended" : null, connection.advanced === true ? "advanced" : null].filter((flag) => flag !== null);
+	return flags.length > 0 ? `, ${flags.join(", ")}` : "";
+}
+function availableOAuthConnectionHint(connections) {
+	const oauthConnections = connections?.filter((connection) => connection.kind === "oauth") ?? [];
+	if (oauthConnections.length === 0) return "Run `keystroke integrations list --kind oauth` to see integrations with OAuth connection paths.";
+	return `Available OAuth connection IDs: ${oauthConnections.map((connection) => `${connection.id}${connection.recommended ? " (recommended)" : ""}`).join(", ")}.`;
+}
+function selectOAuthConnection(params) {
+	const { catalogEntry, requestedCredentialConnectionId, ctx, integrationId } = params;
+	const connections = catalogEntry?.connections ?? [];
+	if (requestedCredentialConnectionId) {
+		const selected = connections.find((connection) => connection.id === requestedCredentialConnectionId);
+		if (!selected) exitWithError(ctx, `Credential connection "${requestedCredentialConnectionId}" is not defined for "${integrationId}".`, {
+			code: "UNKNOWN_CREDENTIAL_CONNECTION",
+			hint: availableOAuthConnectionHint(connections)
+		});
+		if (selected.kind !== "oauth") exitWithError(ctx, `Credential connection "${selected.id}" for "${integrationId}" is "${selected.kind}", not oauth.`, {
+			code: "UNSUPPORTED_CREDENTIAL_CONNECTION",
+			hint: availableOAuthConnectionHint(connections)
+		});
+		return selected;
+	}
+	return connections.find((connection) => connection.kind === "oauth" && connection.recommended === true) ?? connections.find((connection) => connection.kind === "oauth");
 }
 /**
 * Per-reason CLI hint table for `failed` status responses.
@@ -261,6 +75,24 @@ function exitWithError(ctx, message, opts) {
 	if (opts?.hint) ui.hint(opts.hint);
 	throwReportedCliExit(message);
 }
+function parseConnectionInput(rawInputs, ctx) {
+	const input = {};
+	for (const rawInput of rawInputs) {
+		const separatorIndex = rawInput.indexOf("=");
+		if (separatorIndex <= 0) exitWithError(ctx, `Invalid --input value "${rawInput}".`, {
+			code: "USAGE_ERROR",
+			hint: "Use --input key=value. Repeat --input for multiple fields."
+		});
+		const key = rawInput.slice(0, separatorIndex).trim();
+		const value = rawInput.slice(separatorIndex + 1);
+		if (!key) exitWithError(ctx, `Invalid --input value "${rawInput}".`, {
+			code: "USAGE_ERROR",
+			hint: "Input keys must be non-empty: --input key=value"
+		});
+		input[key] = value;
+	}
+	return input;
+}
 /**
 * Handle the `keystroke connect <integrationId>` command.
 *
@@ -281,20 +113,27 @@ async function handleConnect(options, ctx) {
 		hint: "Example: keystroke connect github"
 	});
 	const catalog = await getIntegrationCatalog(ctx);
-	const integrationLabel = catalog.oauthPublicIds.includes(integrationId) ? formatIntegrationLabel(catalog, integrationId) : integrationId;
-	const shopDomain = integrationId === "shopify" ? normalizeShopifyShopDomain(options.shop) : void 0;
-	if (integrationId === "shopify" && !shopDomain) exitWithError(ctx, "Shopify connections require a store domain.", {
-		code: "USAGE_ERROR",
-		hint: "Example: keystroke connect shopify --shop example.myshopify.com"
+	const catalogEntry = catalog.lookupByPublicId(integrationId);
+	const oauthConnection = selectOAuthConnection({
+		catalogEntry,
+		requestedCredentialConnectionId: options.connection,
+		ctx,
+		integrationId
 	});
+	const integrationLabel = Boolean(oauthConnection) ? formatIntegrationLabel(catalog, integrationId) : integrationId;
+	const connectionInput = parseConnectionInput(options.input ?? [], ctx);
 	if (!ctx.jsonMode) {
 		ui.text(`Connect ${integrationLabel}`);
+		if (oauthConnection && ((catalogEntry?.connections.length ?? 0) > 1 || options.connection)) ui.text(`Connection: ${formatConnectionLabel(oauthConnection)} (id: ${oauthConnection.id}${formatConnectionFlags(oauthConnection)})`);
 		ui.br();
 	}
 	let authUrl;
 	let initiatedAt;
 	try {
-		const requestBody = InitiateConnectionRequestSchema.parse({ ...shopDomain ? { shopDomain } : {} });
+		const requestBody = InitiateConnectionRequestSchema.parse({
+			...oauthConnection ? { credentialConnectionId: oauthConnection.id } : {},
+			...Object.keys(connectionInput).length > 0 ? { input: connectionInput } : {}
+		});
 		const hasRequestBody = Object.keys(requestBody).length > 0;
 		const response = await fetch(`${baseUrl}/api/v1/connections/${integrationId}/initiate`, {
 			method: "POST",
@@ -348,6 +187,14 @@ async function handleConnect(options, ctx) {
 		writeJson({
 			status: "authorization_required",
 			integrationId,
+			credentialConnectionId: oauthConnection?.id,
+			...oauthConnection ? { selectedConnection: {
+				id: oauthConnection.id,
+				kind: oauthConnection.kind,
+				...oauthConnection.label ? { label: oauthConnection.label } : {},
+				...oauthConnection.recommended === true ? { recommended: true } : {},
+				...oauthConnection.advanced === true ? { advanced: true } : {}
+			} } : {},
 			authUrl,
 			initiatedAt,
 			timeoutSeconds: options.timeout
@@ -377,7 +224,10 @@ async function handleConnect(options, ctx) {
 	while (Date.now() - startTime < timeoutMs) {
 		await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
 		try {
-			const response = await fetch(`${baseUrl}/api/v1/connections/${integrationId}/status?since=${initiatedAt}`, { headers: { Authorization: `Bearer ${apiKey}` } });
+			const statusUrl = new URL(`${baseUrl}/api/v1/connections/${integrationId}/status`);
+			statusUrl.searchParams.set("since", String(initiatedAt));
+			if (oauthConnection) statusUrl.searchParams.set("credentialConnectionId", oauthConnection.id);
+			const response = await fetch(statusUrl.toString(), { headers: { Authorization: `Bearer ${apiKey}` } });
 			if (!response.ok) {
 				consecutivePollFailures += 1;
 				if (response.status === 401) exitWithError(ctx, "Your CLI session is no longer authenticated.", {

package/dist/{context-1VgRbzr-.mjs → context-DQ4IA0yO.mjs}

@@ -36,7 +36,7 @@ async function resolveBaseContext(overrides = {}) {
 	const authContext = await resolveAuthContext(overrides);
 	let client = null;
 	if (authContext.apiKey && authContext.baseUrl) try {
-		const { createClient } = await import("./src--fCtOxNX.mjs");
+		const { createClient } = await import("./src-D-dFmoAF.mjs");
 		client = createClient({
 			apiKey: authContext.apiKey,
 			baseUrl: authContext.baseUrl,

package/dist/{create.handler-C2CkPWsy.mjs → create.handler-BAyG0PmG.mjs}

@@ -2,7 +2,7 @@
 
 import { N as throwReportedCliExit, n as ui, x as toErrorMessage } from "./keystroke.mjs";
 import { i as writeJson } from "./output-CGdYhH0p.mjs";
-import { i as requireClient } from "./context-1VgRbzr-.mjs";
+import { i as requireClient } from "./context-DQ4IA0yO.mjs";
 //#region src/commands/api-keys/create.handler.ts
 async function handleApiKeysCreate(options, ctx) {
 	const client = requireClient(ctx);

package/dist/credential-requirements-FtBk5JVB.mjs

@@ -0,0 +1,250 @@
+#!/usr/bin/env node
+
+import { t as JsonSchemaSchema } from "./common-BaGFkj3n.mjs";
+import { n as credentialSetProxyConfigSchema } from "./schemas-DodkHgnS.mjs";
+import { a as SourceLocationSchema, i as ImportSourceSchema, t as CallKindSchema } from "./source-analysis-CJPymdaA.mjs";
+import { z } from "zod";
+const IntegrationScopeSchema = z.enum([
+	"organization",
+	"project",
+	"user_provided_credential"
+]);
+const IntegrationCredentialRefSchema = z.discriminatedUnion("type", [z.object({
+	type: z.literal("id"),
+	id: z.string().startsWith("cset_")
+}), z.object({
+	type: z.literal("name"),
+	name: z.string().trim().min(1)
+})]);
+function hasProjectOrOrganizationScope(scope) {
+	return scope === "organization" || scope === "project";
+}
+const CredentialRefTokenKeyNameSchema = z.string().regex(/^[A-Za-z0-9_]+$/, "Credential key must contain only letters, digits, and underscores (required for ref-token proxying)");
+/** Shared enum for top-level credential-set `onCredentialRevoked` policy. */
+const OnCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
+/** A credential set after resolution in a built manifest. Contains definition id, scope, alias, and credential keys.*/
+const ResolvedCredentialSetSchema = z.object({
+	resolvedId: z.string(),
+	scope: IntegrationScopeSchema.optional(),
+	alias: z.string().optional(),
+	credentialRef: IntegrationCredentialRefSchema.optional(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Subset of `credentialKeys` that are optional in the auth shape. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Stored-shape keys required for vault reads and upload flows. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Subset of `storedCredentialKeys` that may be absent from the vault without
+	* failing resolution. Derived from the credential set's `stored` schema:
+	* a Zod field wrapped in `.optional()` / `.default()` or a JSON Schema
+	* property not listed in `required` is considered optional. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed raw (no ref-token proxy) for this set. */
+	needsRawSecret: z.boolean().optional(),
+	/** When true, this requirement uses a registered dynamic resolver phase. */
+	needsDynamicResolution: z.boolean().optional(),
+	/** Cache TTL in milliseconds for registered dynamic resolver output.
+	* `0` or absence means no cache hint. */
+	dynamicResolutionCacheMs: z.number().int().nonnegative().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	/** Persistence-layer schema fingerprint stamped at build time. The
+	* resolver's phase 2 compares this against the vault row's stored
+	* fingerprint and raises `CredentialSchemaMismatchError` on drift.
+	* Optional here so pre-fingerprint artifacts still parse; the
+	* workflow builder populates it for every authored credential set
+	* that has a resolvable fingerprint. */
+	schemaFingerprint: z.string().optional()
+}).superRefine((value, ctx) => {
+	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["credentialRef"],
+		message: "credentialRef requires scope to be \"project\" or \"organization\""
+	});
+});
+const DeclaredCredentialRequirementSchema = z.object({
+	credentialSetId: z.string(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Optional subset of the auth-shape keys. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Stored-shape keys required for vault reads. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Optional subset of the stored-shape keys. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	schemaFingerprint: z.string().optional(),
+	needsDynamicResolution: z.boolean().optional(),
+	/** Cache TTL in milliseconds for registered dynamic resolver output.
+	*  `0` or absence means no cache hint. */
+	dynamicResolutionCacheMs: z.number().int().nonnegative().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	needsRawSecret: z.boolean().optional(),
+	requiredOAuthScopes: z.array(z.string()).optional()
+});
+const CredentialRequirementEntrySchema = z.object({
+	credentialSetId: z.string(),
+	scope: IntegrationScopeSchema.optional(),
+	alias: z.string().optional(),
+	credentialRef: IntegrationCredentialRefSchema.optional(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Optional subset of the auth-shape keys. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Stored-shape keys required for vault reads. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Optional subset of the stored-shape keys. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	schemaFingerprint: z.string().optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	needsRawSecret: z.boolean().optional(),
+	/** When true, this requirement uses a registered dynamic resolver phase. */
+	needsDynamicResolution: z.boolean().optional(),
+	/** Cache TTL in milliseconds for registered dynamic resolver output.
+	*  `0` or absence means no cache hint. */
+	dynamicResolutionCacheMs: z.number().int().nonnegative().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	requiredOAuthScopes: z.array(z.string()).optional()
+}).superRefine((value, ctx) => {
+	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["credentialRef"],
+		message: "credentialRef requires scope to be \"project\" or \"organization\""
+	});
+});
+const CredentialRequirementsSchema = z.object({
+	required: z.array(z.string()),
+	byStep: z.record(z.string(), z.array(CredentialRequirementEntrySchema))
+});
+const TriggerCallbackNameSchema = z.enum([
+	"filter",
+	"idempotencyKey",
+	"verify",
+	"callback"
+]);
+const TriggerCredentialRequirementEntrySchema = CredentialRequirementEntrySchema;
+const TriggerCredentialRequirementsSchema = z.object({
+	required: z.array(z.string()),
+	byCallback: z.partialRecord(TriggerCallbackNameSchema, z.array(TriggerCredentialRequirementEntrySchema))
+});
+function buildCredentialRequirementEntryKey(entry) {
+	const credentialRefKey = entry.credentialRef ? entry.credentialRef.type === "id" ? `id:${entry.credentialRef.id}` : `name:${entry.credentialRef.name}` : "";
+	return [
+		entry.credentialSetId,
+		entry.scope ?? "",
+		entry.alias ?? "",
+		credentialRefKey,
+		entry.schemaFingerprint ?? "",
+		[...entry.credentialKeys].sort().join(","),
+		[...entry.optionalCredentialKeys ?? []].sort().join(","),
+		[...entry.storedCredentialKeys ?? []].sort().join(","),
+		[...entry.optionalStoredCredentialKeys ?? []].sort().join(","),
+		entry.needsRawSecret === true ? "1" : "0",
+		entry.needsDynamicResolution === true ? "1" : "0",
+		typeof entry.dynamicResolutionCacheMs === "number" ? String(entry.dynamicResolutionCacheMs) : "",
+		entry.onCredentialRevoked ?? "",
+		entry.proxy ? JSON.stringify(entry.proxy) : ""
+	].join("|");
+}
+function deduplicateCredentialRequirementEntries(entries) {
+	const deduped = /* @__PURE__ */ new Map();
+	for (const entry of entries) {
+		const key = buildCredentialRequirementEntryKey(entry);
+		const existing = deduped.get(key);
+		if (!existing) deduped.set(key, {
+			...entry,
+			credentialKeys: [...entry.credentialKeys].sort(),
+			...entry.optionalCredentialKeys ? { optionalCredentialKeys: [...entry.optionalCredentialKeys].sort() } : {},
+			...entry.storedCredentialKeys ? { storedCredentialKeys: [...entry.storedCredentialKeys].sort() } : {},
+			...entry.optionalStoredCredentialKeys ? { optionalStoredCredentialKeys: [...entry.optionalStoredCredentialKeys].sort() } : {}
+		});
+		else if (entry.requiredOAuthScopes?.length) {
+			const merged = new Set([...existing.requiredOAuthScopes ?? [], ...entry.requiredOAuthScopes]);
+			deduped.set(key, {
+				...existing,
+				requiredOAuthScopes: [...merged].sort()
+			});
+		}
+	}
+	return [...deduped.values()];
+}
+function collectCredentialRequirementEntries(credentialRequirements) {
+	if (!credentialRequirements) return [];
+	return deduplicateCredentialRequirementEntries(Object.values(credentialRequirements.byStep ?? {}).flat());
+}
+z.object({ subjectMode: z.enum(["never", "requiredWhenUserProvidedCredential"]) });
+/** A step's entry within a WorkflowManifest. Describes how a step is used in a workflow, not what the step itself is. */
+const WorkflowStepEntrySchema = z.object({
+	nodeId: z.string().min(1),
+	stepName: z.string().min(1),
+	label: z.string().min(1),
+	callKind: CallKindSchema,
+	stepId: z.string().min(1).optional(),
+	source: SourceLocationSchema.optional(),
+	astKind: z.string().min(1).optional(),
+	importSource: ImportSourceSchema.optional(),
+	outputBinding: z.string().min(1).optional(),
+	scopeOverride: IntegrationScopeSchema.optional(),
+	description: z.string().optional(),
+	sourceCode: z.string().optional(),
+	exportName: z.string().optional(),
+	inputSchema: JsonSchemaSchema.optional(),
+	outputSchema: JsonSchemaSchema.optional(),
+	credentialSets: z.array(ResolvedCredentialSetSchema).optional()
+});
+const TriggerTypeSchema = z.enum([
+	"webhook",
+	"cron",
+	"polling"
+]);
+/**
+* Persisted on `deployment_triggers.trigger_source`. Mirrors the
+* `webhookTrigger({ source: { type } })` discriminator so the server
+* can index-filter app-source rows during provider-webhook fanout.
+*/
+const TriggerSourceSchema = z.enum(["custom", "app"]);
+const WebhookMethodSchema = z.enum([
+	"GET",
+	"POST",
+	"PUT",
+	"PATCH"
+]);
+const TriggerCallbackBundleUploadSchema = z.object({
+	code: z.string(),
+	hash: z.string(),
+	size: z.number()
+});
+const TriggerCallbackExportsSchema = z.object({
+	verify: z.string().min(1).optional(),
+	filter: z.string().min(1).optional(),
+	idempotencyKey: z.string().min(1).optional(),
+	callback: z.string().min(1).optional()
+});
+const TransformCallbackExportsSchema = z.object({ transform: z.string().min(1).optional() });
+const TriggerUploadDataSchema = z.object({
+	id: z.string(),
+	type: TriggerTypeSchema,
+	/**
+	* Source-of-truth discriminator for webhook triggers. `'custom'` means
+	* the trigger owns its own HTTP path; `'app'` means it is fanned out by
+	* a Keystroke-managed provider app. Undefined for non-webhook triggers.
+	*/
+	triggerSource: TriggerSourceSchema.optional(),
+	enabled: z.boolean(),
+	path: z.string().optional(),
+	method: WebhookMethodSchema.optional(),
+	schedule: z.string().optional(),
+	timezone: z.string().optional(),
+	config: z.record(z.string(), z.unknown()).optional(),
+	requiredCredentials: TriggerCredentialRequirementsSchema.optional(),
+	storagePath: z.string().min(1).optional(),
+	callbackBundle: TriggerCallbackBundleUploadSchema.optional(),
+	callbackExports: TriggerCallbackExportsSchema.optional(),
+	transformCallbackBundle: TriggerCallbackBundleUploadSchema.optional(),
+	transformCallbackExports: TransformCallbackExportsSchema.optional()
+});
+//#endregion
+export { TriggerCredentialRequirementsSchema as a, TriggerUploadDataSchema as c, collectCredentialRequirementEntries as d, deduplicateCredentialRequirementEntries as f, ResolvedCredentialSetSchema as i, WebhookMethodSchema as l, DeclaredCredentialRequirementSchema as n, TriggerSourceSchema as o, IntegrationScopeSchema as r, TriggerTypeSchema as s, CredentialRequirementsSchema as t, WorkflowStepEntrySchema as u };