@keystrokehq/cli 0.0.12 → 0.0.14

package/dist/{import-module-DEI7R8Yh-Xz-KAPvB.mjs → import-module-DEI7R8Yh-L32hhSoh.mjs}

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
 
 import { n as findProjectRoot } from "./project-config-CJGSh2RQ.mjs";
-import { c as optionalDescriptionString, i as createStructuralSchema, l as optionalTrimmedNonEmptyString, o as idNoSpacesString, r as anyZodSchemaSchema, s as jsonSchemaObject, t as CredentialSetManifestSchema, u as trimmedNonEmptyString } from "./schemas-DodkHgnS.mjs";
+import { c as optionalDescriptionString$1, i as createStructuralSchema$1, l as optionalTrimmedNonEmptyString$1, o as idNoSpacesString, r as anyZodSchemaSchema$1, s as jsonSchemaObject$1, t as CredentialSetManifestSchema$1, u as trimmedNonEmptyString$1 } from "./schemas-DodkHgnS.mjs";
 import { n as DeclaredCredentialRequirementSchema } from "./credential-requirements-FtBk5JVB.mjs";
 import { a as FlowGraphSchema, i as WorkflowCoreManifestSchema, n as WORKFLOW_MANIFEST_SCHEMA_VERSION } from "./workflow-build-manifest-OPFqFD6f.mjs";
-import { t as runWithConcurrency } from "./concurrency-gXn9Rw8x-CaI6Vtbu.mjs";
+import { t as parseCronExpression } from "./cron-parser-C2eJD0yD.mjs";
+import { t as runWithConcurrency } from "./concurrency-gXn9Rw8x-BI6HQNfC.mjs";
 import { createRequire } from "node:module";
 import * as os from "node:os";
 import * as path$1 from "node:path";
@@ -13,9 +14,8 @@ import { z } from "zod";
 import { execFile } from "node:child_process";
 import { randomUUID } from "node:crypto";
 import { promisify } from "node:util";
-import { cronTriggerManifestSchema, pollingTriggerManifestSchema, webhookTriggerManifestSchema } from "@keystrokehq/core/trigger";
 //#region ../../packages/core/src/mcp-server/schemas.ts
-const credentialSetInstanceSchema$1 = createStructuralSchema([
+const credentialSetInstanceSchema$3 = createStructuralSchema$1([
 	"id",
 	"auth",
 	"connections"
@@ -23,27 +23,27 @@ const credentialSetInstanceSchema$1 = createStructuralSchema([
 const McpTransportSchema = z.discriminatedUnion("type", [
 	z.object({
 		type: z.literal("stdio"),
-		command: trimmedNonEmptyString("Command"),
+		command: trimmedNonEmptyString$1("Command"),
 		args: z.array(z.string()).optional(),
 		env: z.record(z.string(), z.string()).optional()
 	}),
 	z.object({
 		type: z.literal("http"),
-		url: trimmedNonEmptyString("URL"),
+		url: trimmedNonEmptyString$1("URL"),
 		headers: z.record(z.string(), z.string()).optional()
 	}),
 	z.object({
 		type: z.literal("sse"),
-		url: trimmedNonEmptyString("URL"),
+		url: trimmedNonEmptyString$1("URL"),
 		headers: z.record(z.string(), z.string()).optional()
 	})
 ]);
 z.object({
-	id: trimmedNonEmptyString("MCP server ID"),
-	name: optionalTrimmedNonEmptyString("MCP server name"),
-	description: optionalDescriptionString("MCP server description"),
+	id: trimmedNonEmptyString$1("MCP server ID"),
+	name: optionalTrimmedNonEmptyString$1("MCP server name"),
+	description: optionalDescriptionString$1("MCP server description"),
 	transport: McpTransportSchema,
-	credentialSets: z.array(credentialSetInstanceSchema$1).optional(),
+	credentialSets: z.array(credentialSetInstanceSchema$3).optional(),
 	credentials: z.function().optional()
 });
 const McpServerManifestSchema = z.object({
@@ -53,7 +53,7 @@ const McpServerManifestSchema = z.object({
 	name: z.string().min(1),
 	description: z.string().optional(),
 	transport: McpTransportSchema,
-	credentialSets: z.array(CredentialSetManifestSchema),
+	credentialSets: z.array(CredentialSetManifestSchema$1),
 	credentialInjection: z.object({
 		env: z.record(z.string(), z.object({
 			credentialSetId: z.string().min(1),
@@ -67,7 +67,7 @@ const McpServerManifestSchema = z.object({
 });
 //#endregion
 //#region ../../packages/core/src/messaging-gateway/schemas.ts
-const credentialSetInstanceSchema = createStructuralSchema([
+const credentialSetInstanceSchema$2 = createStructuralSchema$1([
 	"id",
 	"auth",
 	"connections"
@@ -76,11 +76,11 @@ const MessagingGatewayModeSchema = z.enum(["platform", "custom"]);
 const MessagingGatewayCredentialScopeSchema = z.enum(["organization", "project"]);
 z.object({
 	id: idNoSpacesString("MessagingGateway id"),
-	name: optionalDescriptionString("MessagingGateway name"),
-	description: optionalDescriptionString("MessagingGateway description"),
+	name: optionalDescriptionString$1("MessagingGateway name"),
+	description: optionalDescriptionString$1("MessagingGateway description"),
 	provider: z.string().min(1, "MessagingGateway provider is required"),
 	mode: MessagingGatewayModeSchema,
-	credentialSet: credentialSetInstanceSchema,
+	credentialSet: credentialSetInstanceSchema$2,
 	credentialScope: MessagingGatewayCredentialScopeSchema.optional(),
 	appRef: z.string().min(1).optional()
 });
@@ -92,7 +92,7 @@ const MessagingGatewayManifestSchema = z.object({
 	description: z.string().optional(),
 	provider: z.string().min(1),
 	mode: MessagingGatewayModeSchema,
-	credentialSet: CredentialSetManifestSchema,
+	credentialSet: CredentialSetManifestSchema$1,
 	credentialScope: MessagingGatewayCredentialScopeSchema.optional(),
 	appRef: z.string().min(1).optional()
 });
@@ -118,7 +118,7 @@ const SandboxRuntimeSchema = z.object({
 const SandboxFileSourceSchema = z.discriminatedUnion("type", [z.object({
 	type: z.literal("git"),
 	/** Remote git URL to clone. */
-	url: trimmedNonEmptyString("Git URL"),
+	url: trimmedNonEmptyString$1("Git URL"),
 	/** Branch to clone. Omit for default branch. */
 	branch: z.string().optional(),
 	/**
@@ -130,7 +130,7 @@ const SandboxFileSourceSchema = z.discriminatedUnion("type", [z.object({
 }), z.object({
 	type: z.literal("local"),
 	/** Source path on the host (the dev's machine), resolved against project root. */
-	path: trimmedNonEmptyString("Local path"),
+	path: trimmedNonEmptyString$1("Local path"),
 	/**
 	* Where the file/dir lands inside the VM. Relative paths resolve
 	* against the sandbox `workdir`; absolute paths must stay under
@@ -139,9 +139,9 @@ const SandboxFileSourceSchema = z.discriminatedUnion("type", [z.object({
 	target: z.string().optional()
 })]);
 z.object({
-	id: optionalTrimmedNonEmptyString("Sandbox ID"),
-	name: optionalTrimmedNonEmptyString("Sandbox name"),
-	description: optionalDescriptionString("Sandbox description"),
+	id: optionalTrimmedNonEmptyString$1("Sandbox ID"),
+	name: optionalTrimmedNonEmptyString$1("Sandbox name"),
+	description: optionalDescriptionString$1("Sandbox description"),
 	runtime: SandboxRuntimeSchema.optional(),
 	fileSources: z.array(SandboxFileSourceSchema).optional(),
 	setupCommands: z.array(z.string()).optional()
@@ -170,18 +170,18 @@ const AgentThinkingLevelSchema = z.enum([
 	"high",
 	"xhigh"
 ]);
-const mcpServerInstanceSchema = createStructuralSchema([
+const mcpServerInstanceSchema = createStructuralSchema$1([
 	"id",
 	"transport",
 	"credentialSets"
 ], "a McpServer instance");
-const sandboxInstanceSchema = createStructuralSchema([
+const sandboxInstanceSchema = createStructuralSchema$1([
 	"id",
 	"runtime",
 	"fileSources",
 	"setupCommands"
 ], "a Sandbox instance");
-const messagingGatewayInstanceSchema = createStructuralSchema([
+const messagingGatewayInstanceSchema = createStructuralSchema$1([
 	"id",
 	"provider",
 	"mode",
@@ -199,14 +199,14 @@ const AgentToolCredentialSetReferenceSchema = z.object({
 	required: z.boolean()
 });
 z.object({
-	id: trimmedNonEmptyString("Agent ID"),
-	name: trimmedNonEmptyString("Agent name"),
-	description: optionalDescriptionString("Agent description"),
+	id: trimmedNonEmptyString$1("Agent ID"),
+	name: trimmedNonEmptyString$1("Agent name"),
+	description: optionalDescriptionString$1("Agent description"),
 	systemPrompt: z.string().min(1, { error: "System prompt is required" }),
-	model: trimmedNonEmptyString("Model"),
+	model: trimmedNonEmptyString$1("Model"),
 	thinkingLevel: AgentThinkingLevelSchema.optional(),
-	input: anyZodSchemaSchema.optional(),
-	output: anyZodSchemaSchema.optional(),
+	input: anyZodSchemaSchema$1.optional(),
+	output: anyZodSchemaSchema$1.optional(),
 	tools: z.array(z.unknown()).optional(),
 	mcpServers: z.array(mcpServerInstanceSchema).optional(),
 	sandbox: sandboxInstanceSchema.optional(),
@@ -230,10 +230,10 @@ const AgentManifestSchema = z.object({
 	systemPrompt: z.string(),
 	model: z.string(),
 	thinkingLevel: AgentThinkingLevelSchema,
-	input: jsonSchemaObject,
-	output: jsonSchemaObject,
+	input: jsonSchemaObject$1,
+	output: jsonSchemaObject$1,
 	maxSteps: z.number(),
-	credentialSets: z.array(CredentialSetManifestSchema).optional(),
+	credentialSets: z.array(CredentialSetManifestSchema$1).optional(),
 	tools: z.array(z.object({
 		id: z.string(),
 		displayName: z.string(),
@@ -253,6 +253,789 @@ const AgentManifestSchema = z.object({
 	sandbox: SandboxManifestSchema.optional(),
 	messaging: z.array(MessagingGatewayManifestSchema).optional()
 });
+z.string().length(64, "Must be 64 characters").regex(/^[a-f0-9]{64}$/i, "Must be hexadecimal").transform((value) => value);
+const JsonSchemaSchema = z.record(z.string(), z.unknown());
+z.object({
+	constant: z.object({
+		attempts: z.number().int().min(1).max(10),
+		seconds: z.number().positive()
+	}).optional(),
+	exponential: z.object({
+		attempts: z.number().int().min(1).max(10),
+		base: z.number().min(1).optional(),
+		multiplier: z.number().positive().optional()
+	}).optional()
+}).refine((data) => {
+	return data.constant !== void 0 !== (data.exponential !== void 0);
+}, { error: "Retry config must specify exactly one of constant or exponential strategy" });
+z.union([z.number().int().positive().finite(), z.string().regex(/^[1-9]\d*[smhdwy]$/)]);
+const DurationStringSchema = z.string().refine((val) => /^\d+[smhdwy]$/.test(val), { message: "Invalid duration format. Must be a positive integer followed by s, m, h, d, w, or y (e.g., \"5m\", \"1h\")" }).refine((val) => {
+	const match = val.match(/^(\d+)[smhdwy]$/);
+	if (!match?.[1]) return false;
+	const num = Number.parseInt(match[1], 10);
+	return num > 0 && Number.isFinite(num);
+}, { message: "Duration value must be a positive integer greater than 0" });
+const CronExpressionSchema = z.string().superRefine((val, ctx) => {
+	try {
+		parseCronExpression(val);
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : "Invalid cron expression format";
+		ctx.addIssue({
+			code: "custom",
+			message: `Invalid cron expression: ${errorMessage}. Must be a valid 5-field cron: minute hour day month weekday (e.g., "0 9 * * *", "*/15 * * * *")`
+		});
+	}
+});
+const ScheduleSchema = z.union([
+	z.number().refine((val) => val > 0, { message: "Duration in milliseconds must be positive" }).refine(Number.isFinite, { message: "Duration in milliseconds must be finite" }).refine(Number.isInteger, { message: "Duration in milliseconds must be an integer" }),
+	DurationStringSchema,
+	CronExpressionSchema
+]);
+const IANATimezoneSchema = z.enum([
+	"UTC",
+	"GMT",
+	"Etc/UTC",
+	"Etc/GMT",
+	"America/New_York",
+	"America/Chicago",
+	"America/Denver",
+	"America/Los_Angeles",
+	"America/Phoenix",
+	"America/Anchorage",
+	"America/Toronto",
+	"America/Vancouver",
+	"America/Mexico_City",
+	"America/Sao_Paulo",
+	"America/Buenos_Aires",
+	"Europe/London",
+	"Europe/Paris",
+	"Europe/Berlin",
+	"Europe/Rome",
+	"Europe/Madrid",
+	"Europe/Amsterdam",
+	"Europe/Stockholm",
+	"Europe/Vienna",
+	"Europe/Zurich",
+	"Europe/Moscow",
+	"Europe/Athens",
+	"Europe/Dublin",
+	"Asia/Tokyo",
+	"Asia/Shanghai",
+	"Asia/Hong_Kong",
+	"Asia/Singapore",
+	"Asia/Seoul",
+	"Asia/Dubai",
+	"Asia/Kolkata",
+	"Asia/Bangkok",
+	"Asia/Jakarta",
+	"Asia/Manila",
+	"Asia/Taipei",
+	"Australia/Sydney",
+	"Australia/Melbourne",
+	"Australia/Brisbane",
+	"Australia/Perth",
+	"Australia/Adelaide",
+	"Pacific/Auckland",
+	"Pacific/Honolulu",
+	"Africa/Cairo",
+	"Africa/Johannesburg",
+	"Africa/Lagos",
+	"Africa/Nairobi",
+	"Asia/Riyadh",
+	"Asia/Tehran",
+	"Asia/Jerusalem",
+	"Asia/Doha"
+]);
+//#endregion
+//#region ../../packages/core/dist/chunks/schema-DTrryPH_.mjs
+const MAX_JSON_DEPTH = 20;
+function buildJsonValueSchema(depth) {
+	const primitives = z.union([
+		z.string(),
+		z.number(),
+		z.boolean(),
+		z.null()
+	]);
+	if (depth <= 0) return primitives;
+	const nested = buildJsonValueSchema(depth - 1);
+	return z.union([
+		primitives,
+		z.array(nested),
+		z.record(z.string(), nested)
+	]);
+}
+const jsonValueSchema = buildJsonValueSchema(MAX_JSON_DEPTH);
+const jsonSchemaObject = z.record(z.string(), jsonValueSchema);
+const anyZodSchemaSchema = z.custom((value) => value instanceof z.ZodType, "Expected a Zod schema");
+const zodObjectSchema = z.custom((value) => value instanceof z.ZodObject, "Expected a Zod object schema");
+/**
+* Creates a Zod schema that validates an object structurally by checking
+* for required properties. This avoids `instanceof` checks which fail
+* when class definitions are duplicated across bundle boundaries.
+*/
+function createStructuralSchema(requiredKeys, label) {
+	return z.custom((value) => value != null && (typeof value === "object" || typeof value === "function") && requiredKeys.every((key) => key in value), `Expected ${label}`);
+}
+function trimmedNonEmptyString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` });
+}
+/**
+* Non-empty trimmed string for credential definition ids.
+* Only allows letters, numbers, hyphens, and underscores.
+*/
+function credentialSetIdString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` }).refine((s) => /^[a-zA-Z0-9_-]+$/.test(s), { error: `${fieldName} must only contain letters, numbers, hyphens, and underscores` });
+}
+function optionalTrimmedNonEmptyString(fieldName) {
+	return trimmedNonEmptyString(fieldName).optional();
+}
+function descriptionString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(1024, { error: `${fieldName} cannot exceed 1024 characters` });
+}
+function optionalDescriptionString(fieldName) {
+	return descriptionString(fieldName).optional();
+}
+//#endregion
+//#region ../../packages/core/dist/chunks/schemas-DcgZIQvs.mjs
+/**
+* Shared constants for the credential/connection system.
+* Defined in core (bottom of dependency chain) so all packages can import them.
+*/
+const CREDENTIAL_EXPOSURES = {
+	"user-runtime": "user-runtime",
+	"platform-only": "platform-only"
+};
+const credentialSetProxyInjectionSchema = z.object({
+	/** Substitute placeholder in HTTP headers (default: true). */
+	headers: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP Basic Auth credential (default: true). */
+	basicAuth: z.boolean().optional(),
+	/** Substitute placeholder in URL query params (default: false).
+	*  Use for APIs that authenticate via `?api_key=...` (Google Maps, OWM, etc.). */
+	queryParams: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP request body (default: false).
+	*  Use for form-encoded auth payloads (Stripe, AWS SigV4 query, etc.). */
+	body: z.boolean().optional()
+});
+const credentialSetProxyConfigSchema = z.object({
+	/** Exact-match host allowlist (forwarded to SecretBuilder.allowHost). */
+	hosts: z.array(z.string().min(1)).optional(),
+	/** Wildcard host allowlist (forwarded to SecretBuilder.allowHostPattern).
+	*  Example: `["*.browserbase.com"]` covers any subdomain. */
+	hostPatterns: z.array(z.string().min(1)).optional(),
+	/** Per-scope substitution toggles. Omit to use SDK defaults. */
+	injection: credentialSetProxyInjectionSchema.optional()
+});
+const onCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
+const credentialExposureSchema = z.enum([CREDENTIAL_EXPOSURES["user-runtime"], CREDENTIAL_EXPOSURES["platform-only"]]);
+const connectionMetadataConfigSchema = z.object({
+	id: credentialSetIdString("Credential connection id").optional(),
+	label: optionalTrimmedNonEmptyString("Credential connection label"),
+	description: optionalDescriptionString("Credential connection description"),
+	recommended: z.boolean().optional(),
+	advanced: z.boolean().optional(),
+	needsRawSecret: z.boolean().optional()
+});
+const connectionMetadataManifestSchema = connectionMetadataConfigSchema;
+const registeredDescriptorSchema = z.object({
+	id: trimmedNonEmptyString("Registered descriptor id"),
+	config: z.record(z.string(), z.unknown()).optional()
+});
+const registeredResolverDescriptorSchema = registeredDescriptorSchema.extend({ cacheMs: z.number().int().nonnegative().optional() });
+const manualConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("manual"),
+	input: zodObjectSchema.optional(),
+	instructions: z.string().min(1).optional(),
+	validate: z.function().optional()
+});
+const manualConnectionFieldManifestSchema = z.object({
+	key: z.string().min(1),
+	label: z.string().min(1),
+	description: z.string().min(1).optional(),
+	optional: z.boolean(),
+	secret: z.literal(true)
+});
+const manualConnectionConfigManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("manual"),
+	input: jsonSchemaObject.optional(),
+	fields: z.array(manualConnectionFieldManifestSchema).optional(),
+	generated: z.boolean().optional(),
+	instructions: z.string().min(1).optional()
+});
+/** Declarative form of `Vault` — strings typed against the credential set's
+* stored/auth schema keys at the {@link CredentialSetConfig} boundary; the Zod
+* schema here enforces non-empty strings only. `CredentialSet` itself performs
+* the schema-key membership check at construction time. */
+const vaultMappingSchema = z.object({
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+});
+/** Function form of `Vault` — an object pairing the access-token vault key
+*  (`accessTokenKey`) with the `build` function that computes the full vault
+*  write map. The explicit key keeps the disconnect path's revocation read
+*  reliable even when `build` transforms the access token. */
+const vaultMappingFnSchema = z.object({
+	accessTokenKey: z.string().min(1),
+	build: z.custom((val) => typeof val === "function", { message: "vault.build must be a function." })
+});
+/** Runtime shape of `Vault`. Accepts either the declarative mapping or the
+*  function-form object `{ accessTokenKey, build }`. */
+const vaultConfigSchema = z.union([vaultMappingSchema, vaultMappingFnSchema], { error: "vault must be a declarative mapping object or a `{ accessTokenKey, build }` object." });
+/** Manifest projection of `Vault` — declarative mappings serialize verbatim;
+* function-form mappings serialize as `{ kind: 'function', accessTokenKey }`
+* since closures are not manifest-safe but the access-token key is. */
+const vaultManifestSchema = z.discriminatedUnion("kind", [z.object({
+	kind: z.literal("declarative"),
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+}), z.object({
+	kind: z.literal("function"),
+	accessTokenKey: z.string().min(1)
+})]);
+const oauthConnectionConfigBaseSchema = z.object({
+	kind: z.literal("oauth"),
+	authUrl: z.string().url(),
+	tokenUrl: z.string().url(),
+	scopes: z.array(z.string()).readonly(),
+	revokeUrl: z.string().url().nullable().optional(),
+	tokenType: z.enum(["long-lived", "refreshable"]),
+	pkce: z.boolean().optional(),
+	/** Fallback token lifetime when the provider omits `expires_in`. Positive
+	*  integer seconds. Shared between config + manifest schemas (both extend
+	*  this base). */
+	defaultExpiresInSeconds: z.number().int().positive().optional()
+});
+const oauthConnectionConfigSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataConfigSchema.shape,
+	vault: vaultConfigSchema,
+	oauth: registeredDescriptorSchema.optional(),
+	buildAuthUrl: z.function().optional(),
+	exchangeCode: z.function().optional(),
+	refreshToken: z.function().optional(),
+	extractInstallationInfo: z.function().optional(),
+	validate: z.function().optional()
+});
+const oauthConnectionConfigManifestSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataManifestSchema.shape,
+	vault: vaultManifestSchema,
+	oauth: registeredDescriptorSchema.optional()
+});
+const credentialsExchangeConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("credentials-exchange"),
+	instructions: z.string().min(1).optional(),
+	input: zodObjectSchema
+}).extend({
+	exchange: z.function(),
+	rotate: z.function().optional(),
+	validate: z.function().optional()
+});
+/** Manifest projection of `CredentialsExchangeConnectionConfig` — only the
+*  declarative `input` schema (rendered as JSON Schema) and `instructions`
+*  copy survive serialization. The three hooks (`exchange`, `rotate`,
+*  `validate`) are runtime closures and are stripped. */
+const credentialsExchangeConnectionConfigManifestSchema = z.object({
+	kind: z.literal("credentials-exchange"),
+	...connectionMetadataManifestSchema.shape,
+	instructions: z.string().min(1).optional(),
+	input: jsonSchemaObject
+});
+const exchangeCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("exchange"),
+	input: zodObjectSchema,
+	exchange: registeredDescriptorSchema
+});
+const exchangeCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("exchange"),
+	input: jsonSchemaObject,
+	exchange: registeredDescriptorSchema
+});
+const dynamicCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("dynamic"),
+	input: zodObjectSchema.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const dynamicCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("dynamic"),
+	input: jsonSchemaObject.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const platformCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({ kind: z.literal("platform") });
+const platformCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({ kind: z.literal("platform") });
+const connectionConfigSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigSchema,
+	oauthConnectionConfigSchema,
+	credentialsExchangeConnectionConfigSchema,
+	exchangeCredentialConnectionConfigSchema,
+	dynamicCredentialConnectionConfigSchema,
+	platformCredentialConnectionConfigSchema
+]);
+/** Manifest projection of `ConnectionConfig` — declarative metadata only. */
+const connectionConfigManifestSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigManifestSchema,
+	oauthConnectionConfigManifestSchema,
+	credentialsExchangeConnectionConfigManifestSchema,
+	exchangeCredentialConnectionManifestSchema,
+	dynamicCredentialConnectionManifestSchema,
+	platformCredentialConnectionManifestSchema
+]);
+const CredentialSetManifestSchema = z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("credentialSet"),
+	id: credentialSetIdString("Credential set id"),
+	name: trimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: jsonSchemaObject,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigManifestSchema).optional()
+});
+z.object({
+	id: credentialSetIdString("Credential set id"),
+	name: optionalTrimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: zodObjectSchema,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigSchema).readonly().optional()
+});
+//#endregion
+//#region ../../packages/core/dist/chunks/schemas-Dehm2ijP.mjs
+const SourceLocationSchema = z.object({
+	filePath: z.string().min(1),
+	absoluteFilePath: z.string().min(1).optional(),
+	line: z.number().int().positive(),
+	column: z.number().int().positive(),
+	position: z.number().int().nonnegative().optional(),
+	endLine: z.number().int().positive(),
+	endColumn: z.number().int().positive(),
+	endPosition: z.number().int().nonnegative().optional(),
+	synthetic: z.boolean().optional()
+});
+z.string().min(1);
+const ImportSourceSchema = z.object({
+	kind: z.enum([
+		"local",
+		"module-import",
+		"namespace-import",
+		"dynamic"
+	]),
+	moduleSpecifier: z.string().min(1).optional(),
+	importName: z.string().min(1).optional(),
+	localName: z.string().min(1).optional(),
+	resolvedPath: z.string().min(1).optional()
+});
+const CallKindSchema = z.enum([
+	"workflow-step",
+	"agent",
+	"tool",
+	"hook",
+	"child-workflow",
+	"function-call",
+	"method-call",
+	"dynamic-call",
+	"parallel-call",
+	"process-exit",
+	"iife",
+	"expression"
+]);
+const CapturedVariableSourceKindSchema = z.enum([
+	"local-const",
+	"relative-import",
+	"package-import"
+]);
+const CapturedVariableValueTypeSchema = z.enum([
+	"string",
+	"number",
+	"boolean",
+	"object",
+	"array",
+	"function",
+	"unknown"
+]);
+z.object({
+	name: z.string().min(1),
+	value: z.union([
+		z.string(),
+		z.number(),
+		z.boolean()
+	]).optional(),
+	sourceText: z.string().optional(),
+	valueType: CapturedVariableValueTypeSchema,
+	resolvable: z.boolean(),
+	source: CapturedVariableSourceKindSchema,
+	importPath: z.string().optional(),
+	declaration: z.object({
+		filePath: z.string().min(1),
+		line: z.number().int().positive()
+	})
+});
+const IntegrationScopeSchema = z.enum([
+	"organization",
+	"project",
+	"user_provided_credential"
+]);
+const IntegrationCredentialRefSchema = z.discriminatedUnion("type", [z.object({
+	type: z.literal("id"),
+	id: z.string().startsWith("cset_")
+}), z.object({
+	type: z.literal("name"),
+	name: z.string().trim().min(1)
+})]);
+function hasProjectOrOrganizationScope(scope) {
+	return scope === "organization" || scope === "project";
+}
+const CredentialRefTokenKeyNameSchema = z.string().regex(/^[A-Za-z0-9_]+$/, "Credential key must contain only letters, digits, and underscores (required for ref-token proxying)");
+/** Shared enum for top-level credential-set `onCredentialRevoked` policy. */
+const OnCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
+/** A credential set after resolution in a built manifest. Contains definition id, scope, alias, and credential keys.*/
+const ResolvedCredentialSetSchema = z.object({
+	resolvedId: z.string(),
+	scope: IntegrationScopeSchema.optional(),
+	alias: z.string().optional(),
+	credentialRef: IntegrationCredentialRefSchema.optional(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Subset of `credentialKeys` that are optional in the auth shape. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Auth-shaped vault keys required for vault reads and upload flows. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Subset of auth-shaped vault keys that may be absent from the vault without
+	* failing resolution. Derived from the credential set's `auth` schema. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed raw (no ref-token proxy) for this set. */
+	needsRawSecret: z.boolean().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	/** Persistence-layer schema fingerprint stamped at build time. The
+	* resolver's phase 2 compares this against the vault row's stored
+	* fingerprint and raises `CredentialSchemaMismatchError` on drift.
+	* Optional here so pre-fingerprint artifacts still parse; the
+	* workflow builder populates it for every authored credential set
+	* that has a resolvable fingerprint. */
+	schemaFingerprint: z.string().optional()
+}).superRefine((value, ctx) => {
+	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["credentialRef"],
+		message: "credentialRef requires scope to be \"project\" or \"organization\""
+	});
+});
+z.object({
+	credentialSetId: z.string(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Optional subset of the auth-shape keys. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Stored-shape keys required for vault reads. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Optional subset of the stored-shape keys. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	schemaFingerprint: z.string().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	needsRawSecret: z.boolean().optional(),
+	requiredOAuthScopes: z.array(z.string()).optional()
+});
+const CredentialRequirementEntrySchema = z.object({
+	credentialSetId: z.string(),
+	scope: IntegrationScopeSchema.optional(),
+	alias: z.string().optional(),
+	credentialRef: IntegrationCredentialRefSchema.optional(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Optional subset of the auth-shape keys. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Auth-shaped vault keys required for vault reads. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Optional subset of the stored-shape keys. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	schemaFingerprint: z.string().optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	needsRawSecret: z.boolean().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	requiredOAuthScopes: z.array(z.string()).optional()
+}).superRefine((value, ctx) => {
+	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["credentialRef"],
+		message: "credentialRef requires scope to be \"project\" or \"organization\""
+	});
+});
+z.object({
+	required: z.array(z.string()),
+	byStep: z.record(z.string(), z.array(CredentialRequirementEntrySchema))
+});
+const TriggerCallbackNameSchema = z.enum([
+	"filter",
+	"idempotencyKey",
+	"verify",
+	"callback"
+]);
+const TriggerCredentialRequirementEntrySchema = CredentialRequirementEntrySchema;
+const TriggerCredentialRequirementsSchema = z.object({
+	required: z.array(z.string()),
+	byCallback: z.partialRecord(TriggerCallbackNameSchema, z.array(TriggerCredentialRequirementEntrySchema))
+});
+const ExecutionIdentityPolicySchema = z.object({ subjectMode: z.enum(["never", "requiredWhenUserProvidedCredential"]) });
+z.object({
+	nodeId: z.string().min(1),
+	stepName: z.string().min(1),
+	label: z.string().min(1),
+	callKind: CallKindSchema,
+	stepId: z.string().min(1).optional(),
+	source: SourceLocationSchema.optional(),
+	astKind: z.string().min(1).optional(),
+	importSource: ImportSourceSchema.optional(),
+	outputBinding: z.string().min(1).optional(),
+	scopeOverride: IntegrationScopeSchema.optional(),
+	description: z.string().optional(),
+	sourceCode: z.string().optional(),
+	exportName: z.string().optional(),
+	inputSchema: JsonSchemaSchema.optional(),
+	outputSchema: JsonSchemaSchema.optional(),
+	credentialSets: z.array(ResolvedCredentialSetSchema).optional()
+});
+const TriggerTypeSchema = z.enum([
+	"webhook",
+	"cron",
+	"polling"
+]);
+/**
+* Persisted on `deployment_triggers.trigger_source`. Mirrors the
+* `webhookTrigger({ source: { type } })` discriminator so the server
+* can index-filter app-source rows during provider-webhook fanout.
+*/
+const TriggerSourceSchema = z.enum(["custom", "app"]);
+const WebhookMethodSchema$1 = z.enum([
+	"GET",
+	"POST",
+	"PUT",
+	"PATCH"
+]);
+const TriggerCallbackBundleUploadSchema = z.object({
+	code: z.string(),
+	hash: z.string(),
+	size: z.number()
+});
+const TriggerCallbackExportsSchema = z.object({
+	verify: z.string().min(1).optional(),
+	filter: z.string().min(1).optional(),
+	idempotencyKey: z.string().min(1).optional(),
+	callback: z.string().min(1).optional()
+});
+const TransformCallbackExportsSchema = z.object({ transform: z.string().min(1).optional() });
+z.object({
+	id: z.string(),
+	type: TriggerTypeSchema,
+	/**
+	* Source-of-truth discriminator for webhook triggers. `'custom'` means
+	* the trigger owns its own HTTP path; `'app'` means it is fanned out by
+	* a Keystroke-managed provider app. Undefined for non-webhook triggers.
+	*/
+	triggerSource: TriggerSourceSchema.optional(),
+	enabled: z.boolean(),
+	path: z.string().optional(),
+	method: WebhookMethodSchema$1.optional(),
+	schedule: z.string().optional(),
+	timezone: z.string().optional(),
+	config: z.record(z.string(), z.unknown()).optional(),
+	requiredCredentials: TriggerCredentialRequirementsSchema.optional(),
+	storagePath: z.string().min(1).optional(),
+	callbackBundle: TriggerCallbackBundleUploadSchema.optional(),
+	callbackExports: TriggerCallbackExportsSchema.optional(),
+	transformCallbackBundle: TriggerCallbackBundleUploadSchema.optional(),
+	transformCallbackExports: TransformCallbackExportsSchema.optional()
+});
+const credentialSetInstanceSchema$1 = createStructuralSchema([
+	"id",
+	"auth",
+	"connections"
+], "a CredentialSet instance");
+const TriggerModeDefaultSchema = z.enum(["managed", "subscribable"]);
+const TriggerCallbackPresenceSchema = z.object({
+	filter: z.boolean(),
+	idempotencyKey: z.boolean(),
+	poll: z.boolean().optional(),
+	transformAllowed: z.boolean(),
+	verify: z.boolean().optional()
+});
+const TriggerRuntimeDescriptorSchema = z.object({ callbacks: TriggerCallbackPresenceSchema });
+z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("trigger"),
+	triggerType: TriggerTypeSchema,
+	name: trimmedNonEmptyString("Trigger name"),
+	description: descriptionString("Trigger description"),
+	enabled: z.boolean(),
+	modeDefault: TriggerModeDefaultSchema,
+	executionIdentityPolicy: ExecutionIdentityPolicySchema.optional(),
+	credentialSets: z.array(CredentialSetManifestSchema).optional(),
+	runtime: TriggerRuntimeDescriptorSchema
+});
+const triggerBaseConfigSchema = z.object({
+	credentialSets: z.array(credentialSetInstanceSchema$1).optional(),
+	description: descriptionString("Trigger description"),
+	enabled: z.boolean().default(true),
+	executionIdentityPolicy: ExecutionIdentityPolicySchema.optional(),
+	modeDefault: TriggerModeDefaultSchema.default("managed"),
+	name: trimmedNonEmptyString("Trigger name")
+});
+triggerBaseConfigSchema.extend({
+	input: anyZodSchemaSchema,
+	payload: z.custom((value) => {
+		return jsonValueSchema.safeParse(value).success;
+	}, "Expected a JSON-serializable payload"),
+	schedule: ScheduleSchema,
+	timezone: IANATimezoneSchema.optional()
+});
+const cronTriggerRuntimeSchema = TriggerRuntimeDescriptorSchema.extend({
+	input: jsonSchemaObject,
+	payloadMode: z.literal("static"),
+	schedule: z.string(),
+	timezone: z.string().optional()
+});
+const cronTriggerManifestSchema = z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("trigger"),
+	triggerType: z.literal("cron"),
+	name: trimmedNonEmptyString("Trigger name"),
+	description: descriptionString("Trigger description"),
+	enabled: z.boolean(),
+	modeDefault: z.enum(["managed", "subscribable"]),
+	executionIdentityPolicy: triggerBaseConfigSchema.shape.executionIdentityPolicy,
+	credentialSets: z.array(CredentialSetManifestSchema).optional(),
+	runtime: cronTriggerRuntimeSchema,
+	/** Static payload for cron triggers — the workflow input when this trigger fires */
+	payload: jsonValueSchema.optional()
+});
+z.object({
+	lastPolledAt: z.string().optional(),
+	lastResponse: z.unknown().optional()
+});
+triggerBaseConfigSchema.extend({
+	poll: z.function(),
+	filter: z.function().optional(),
+	idempotencyKey: z.function().optional(),
+	response: anyZodSchemaSchema,
+	schedule: ScheduleSchema
+});
+const pollingTriggerRuntimeSchema = TriggerRuntimeDescriptorSchema.extend({
+	response: jsonSchemaObject,
+	schedule: z.string(),
+	state: z.object({
+		lastPolledAt: z.literal(true),
+		lastResponse: z.literal(true)
+	})
+});
+const pollingTriggerManifestSchema = z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("trigger"),
+	triggerType: z.literal("polling"),
+	name: trimmedNonEmptyString("Trigger name"),
+	description: descriptionString("Trigger description"),
+	enabled: z.boolean(),
+	modeDefault: z.enum(["managed", "subscribable"]),
+	executionIdentityPolicy: triggerBaseConfigSchema.shape.executionIdentityPolicy,
+	credentialSets: z.array(CredentialSetManifestSchema).optional(),
+	runtime: pollingTriggerRuntimeSchema
+});
+const WebhookMethodSchema = z.enum([
+	"PATCH",
+	"POST",
+	"PUT"
+]);
+z.object({
+	method: z.string(),
+	path: z.string(),
+	query: z.record(z.string(), z.union([
+		z.string(),
+		z.array(z.string()),
+		z.undefined()
+	])),
+	headers: z.record(z.string(), z.string().optional()),
+	rawBody: z.string()
+});
+const WebhookResponseConfigSchema = z.object({
+	ignoredBody: jsonValueSchema.optional(),
+	ignoredStatus: z.number().int().positive().optional(),
+	successBody: jsonValueSchema.optional(),
+	successStatus: z.number().int().positive().optional()
+});
+/**
+* Custom webhook trigger paths describe the suffix that a request URL has
+* after the organization id. The router serves these triggers at
+* `/api/v1/webhooks/{orgId}{path}` (e.g. `path: '/orders'` → request
+* `/api/v1/webhooks/{orgId}/orders`). Authors must therefore supply only the
+* trailing path segment, not the `/webhooks/` prefix that the route already
+* provides.
+*/
+const webhookPathSchema = z.string().trim().min(1, { error: "Webhook path cannot be empty" }).max(50, { error: "Webhook path cannot exceed 50 characters" }).refine((s) => !/\s/.test(s), { error: "Webhook path cannot contain spaces or whitespace" }).refine((s) => s.startsWith("/"), { error: "Webhook path must start with /" }).refine((s) => s.length > 1, { error: "Webhook path must include a path segment after the leading \"/\"" }).refine((s) => !/^\/webhooks(\/|$)/i.test(s), { error: "Webhook path must not start with \"/webhooks\". Provide just the suffix that follows the organization id in the URL — e.g. use \"/orders\" for a webhook served at \"/api/v1/webhooks/{orgId}/orders\"." });
+const credentialSetInstanceSchema = createStructuralSchema([
+	"id",
+	"auth",
+	"connections"
+], "a CredentialSet instance");
+const webhookCustomSourceConfigSchema = z.object({
+	type: z.literal("custom"),
+	method: WebhookMethodSchema,
+	path: webhookPathSchema,
+	verify: z.function().optional(),
+	response: WebhookResponseConfigSchema.optional(),
+	credentialSets: z.array(credentialSetInstanceSchema).optional()
+});
+const webhookAppSourceConfigSchema = z.object({
+	type: z.literal("app"),
+	appRef: trimmedNonEmptyString("appRef")
+});
+const webhookSourceConfigSchema = z.discriminatedUnion("type", [webhookCustomSourceConfigSchema, webhookAppSourceConfigSchema]);
+const webhookCustomSourceManifestSchema = z.object({
+	type: z.literal("custom"),
+	method: WebhookMethodSchema,
+	path: z.string().min(1).max(1024),
+	response: WebhookResponseConfigSchema.optional()
+});
+const webhookAppSourceManifestSchema = z.object({
+	type: z.literal("app"),
+	appRef: trimmedNonEmptyString("appRef")
+});
+const WebhookSourceManifestSchema = z.discriminatedUnion("type", [webhookCustomSourceManifestSchema, webhookAppSourceManifestSchema]);
+triggerBaseConfigSchema.omit({ credentialSets: true }).extend({
+	source: webhookSourceConfigSchema,
+	payload: anyZodSchemaSchema.optional(),
+	filter: z.function().optional(),
+	idempotencyKey: z.function().optional()
+});
+const webhookTriggerRuntimeSchema = TriggerRuntimeDescriptorSchema.extend({
+	source: WebhookSourceManifestSchema,
+	payload: jsonSchemaObject
+});
+const webhookTriggerManifestSchema = z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("trigger"),
+	triggerType: z.literal("webhook"),
+	name: trimmedNonEmptyString("Trigger name"),
+	description: descriptionString("Trigger description"),
+	enabled: z.boolean(),
+	modeDefault: z.enum(["managed", "subscribable"]),
+	executionIdentityPolicy: triggerBaseConfigSchema.shape.executionIdentityPolicy,
+	credentialSets: z.array(CredentialSetManifestSchema).optional(),
+	runtime: webhookTriggerRuntimeSchema
+});
+z.unknown();
 //#endregion
 //#region ../../packages/workflow-builder/dist/import-module-DEI7R8Yh.mjs
 var DiscoveryError = class extends Error {