@keystrokehq/cli 0.0.16 → 0.0.18

package/dist/dist-CIInPRGh.mjs

@@ -0,0 +1,1071 @@
+#!/usr/bin/env node
+
+import { n as getKeystrokeBaseDir, t as KEYSTROKE_DIR } from "./paths-JzzFkXQA-CEipIeVl.mjs";
+import * as os from "node:os";
+import * as path$1 from "node:path";
+import * as fs from "node:fs/promises";
+import { z } from "zod";
+//#region ../../packages/local-memory/dist/index.mjs
+/**
+* Writes `data` to `filePath` atomically.
+*
+* The contents are first written to a sibling temp file in the same directory,
+* fsynced, chmodded, and then renamed onto the target path. On POSIX (and on
+* Windows when the source and destination are on the same volume), `fs.rename`
+* is atomic — readers see either the previous contents or the new contents,
+* never a partial write.
+*
+* The temp filename embeds the process PID and a high-resolution timestamp
+* (`${path}.tmp.${pid}.${ts}`) so concurrent writers do not collide.
+*
+* The parent directory is created with `recursive: true` if it does not already
+* exist, so callers do not need to mkdir beforehand.
+*
+* If anything fails after the temp file is created (write, fsync, rename), the
+* temp file is best-effort unlinked so we don't leak files.
+*/
+async function atomicWriteFile(filePath, data, options = {}) {
+	const mode = options.mode ?? 420;
+	const dir = path$1.dirname(filePath);
+	await fs.mkdir(dir, { recursive: true });
+	const tmpPath = `${filePath}.tmp.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 10)}`;
+	let handleClosed = false;
+	const handle = await fs.open(tmpPath, "w", mode);
+	try {
+		await handle.writeFile(data, "utf-8");
+		await handle.sync();
+		await handle.close();
+		handleClosed = true;
+		try {
+			await fs.chmod(tmpPath, mode);
+		} catch {}
+		await fs.rename(tmpPath, filePath);
+	} catch (error) {
+		if (!handleClosed) try {
+			await handle.close();
+		} catch {}
+		try {
+			await fs.unlink(tmpPath);
+		} catch {}
+		throw error;
+	}
+}
+/**
+* Removes `filePath`. Returns `true` if the file existed and was removed,
+* `false` if it did not exist (`ENOENT`). Other errors propagate.
+*/
+async function unlinkFileIfExists(filePath) {
+	try {
+		await fs.unlink(filePath);
+		return true;
+	} catch (error) {
+		if (error.code === "ENOENT") return false;
+		throw error;
+	}
+}
+/**
+* Reads a UTF-8 file and parses it as JSON.
+*
+* - Returns `null` when the file does not exist (`ENOENT`).
+* - Throws on any other read error.
+* - Throws (with the underlying `SyntaxError`) when the contents are not valid JSON.
+*
+* The return type is `unknown` — callers must validate the shape before using the
+* value (typically via a Zod schema).
+*/
+async function readJsonFile(filePath) {
+	let raw;
+	try {
+		raw = await fs.readFile(filePath, "utf-8");
+	} catch (error) {
+		if (error.code === "ENOENT") return null;
+		throw error;
+	}
+	return JSON.parse(raw);
+}
+/**
+* Migrates `raw` to the current schema shape.
+*
+* Strategy:
+*   1. Try the current schema first. If it matches, return immediately.
+*   2. Otherwise find the migration whose `fromSchema` matches `raw`, run its
+*      `up`, and re-enter the loop with the result.
+*   3. Continue until the current schema validates the value, or no migration
+*      matches — in which case throw.
+*
+* This handles single-hop and chained migrations (V1 → V2 → V3 → ...) without
+* requiring the caller to order migrations carefully.
+*
+* Throws if the value matches no known schema. Callers typically wrap with a
+* descriptive error referencing the file path.
+*/
+function migrateRead(raw, def) {
+	const direct = def.schema.safeParse(raw);
+	if (direct.success) return {
+		value: direct.data,
+		migrated: false
+	};
+	const migrations = def.migrations ?? [];
+	if (migrations.length === 0) throw new Error("Stored value does not match the current schema and no migrations are configured.");
+	let current = raw;
+	const visited = /* @__PURE__ */ new Set();
+	for (let hop = 0; hop <= migrations.length; hop++) {
+		const match = def.schema.safeParse(current);
+		if (match.success) return {
+			value: match.data,
+			migrated: hop > 0
+		};
+		const next = migrations.find((m) => !visited.has(m) && m.fromSchema.safeParse(current).success);
+		if (!next) throw new Error("Stored value does not match the current schema or any known migration source.");
+		visited.add(next);
+		const validated = next.fromSchema.parse(current);
+		current = next.up(validated);
+	}
+	throw new Error(`Migration chain did not converge after ${migrations.length} hops. Possible cycle in migrations.`);
+}
+const KEYRING_PACKAGE = ["@napi-rs", "keyring"].join("/");
+async function createDefaultEntry(service, account) {
+	const { Entry } = await import(KEYRING_PACKAGE);
+	return new Entry(service, account);
+}
+var KeychainVault = class {
+	kind = "keychain";
+	service;
+	createEntry;
+	constructor(options) {
+		this.service = options.service;
+		this.createEntry = options.createEntry ?? createDefaultEntry;
+	}
+	async get(account) {
+		return (await this.createEntry(this.service, account)).getPassword();
+	}
+	async set(account, secret) {
+		(await this.createEntry(this.service, account)).setPassword(secret);
+	}
+	async delete(account) {
+		return (await this.createEntry(this.service, account)).deleteCredential();
+	}
+};
+const FORBIDDEN_NAME_PATTERNS = [
+	{
+		test: (n) => n.length === 0,
+		message: "must not be empty"
+	},
+	{
+		test: (n) => n.includes("\\"),
+		message: "must not contain backslashes"
+	},
+	{
+		test: (n) => n.split("/").some((seg) => seg === ".."),
+		message: "must not contain \"..\" segments"
+	},
+	{
+		test: (n) => n.startsWith("/"),
+		message: "must be relative (cannot start with \"/\")"
+	}
+];
+function validateStoreName(name) {
+	for (const { test, message } of FORBIDDEN_NAME_PATTERNS) if (test(name)) throw new Error(`Invalid Store name ${JSON.stringify(name)}: ${message}.`);
+}
+/**
+* Typed, schema-validated, atomically-written abstraction over a single JSON
+* file under `~/.keystroke/`.
+*
+* `Store` is an internal primitive of `@keystroke/local-memory`. It is not
+* exported from the package's public API — domain controllers (`Credentials`,
+* `Projects`, etc.) construct stores internally and expose domain-shaped methods
+* to consumers.
+*/
+var Store = class {
+	/** Absolute path to the file this store manages. */
+	filePath;
+	options;
+	constructor(options) {
+		validateStoreName(options.name);
+		this.options = options;
+		const homeDir = options.homeDir ?? os.homedir();
+		this.filePath = path$1.join(getKeystrokeBaseDir(homeDir), ...options.name.split("/"));
+	}
+	/**
+	* Returns the parsed contents of the file, or `null` when the file does not
+	* exist. If the on-disk shape does not match the current schema, registered
+	* migrations are applied and the upgraded value is persisted back.
+	*
+	* Throws when the file exists but matches no known schema, or when the file
+	* is unreadable for reasons other than ENOENT.
+	*/
+	async read() {
+		const raw = await readJsonFile(this.filePath);
+		if (raw === null) return null;
+		let result;
+		try {
+			result = migrateRead(raw, {
+				schema: this.options.schema,
+				migrations: this.options.migrations
+			});
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			throw new Error(`Invalid file at ${this.filePath}: ${message}`);
+		}
+		if (result.migrated) await this.write(result.value);
+		return result.value;
+	}
+	/**
+	* Replaces the file with `value`. Validates against the schema first (throws
+	* synchronously on invalid input, before any I/O). The write is atomic:
+	* write-temp + rename, never visible mid-write.
+	*/
+	async write(value) {
+		const validated = this.options.schema.parse(value);
+		const json = `${JSON.stringify(validated, null, 2)}\n`;
+		await atomicWriteFile(this.filePath, json, { mode: this.options.fileMode });
+	}
+	/**
+	* Read-modify-write. Reads the current value (or `defaults` if the file does
+	* not exist), passes it to `fn`, validates the result, and writes it back
+	* atomically. Returns the new value.
+	*
+	* Throws if the file does not exist and no `defaults` were configured.
+	*/
+	async update(fn) {
+		const current = await this.read();
+		let base;
+		if (current !== null) base = current;
+		else if (this.options.defaults !== void 0) base = this.options.defaults;
+		else throw new Error(`Cannot update ${this.filePath}: file does not exist and no defaults are configured.`);
+		const next = fn(base);
+		await this.write(next);
+		return next;
+	}
+	/**
+	* Returns the value at `key`, or `undefined` if the file does not exist.
+	* Each call re-reads the file (no caching).
+	*/
+	async get(key) {
+		const value = await this.read();
+		if (value === null) return void 0;
+		return value[key];
+	}
+	/**
+	* Sets the value at `key`. Other keys are preserved. Uses `defaults` if the
+	* file does not exist (throws if missing and no defaults).
+	*/
+	async set(key, value) {
+		await this.update((current) => ({
+			...current,
+			[key]: value
+		}));
+	}
+	/**
+	* Returns true if the file exists and the value at `key` is not `undefined`.
+	*/
+	async has(key) {
+		return await this.get(key) !== void 0;
+	}
+	/**
+	* Removes the file. Returns `true` if the file existed, `false` if it did
+	* not.
+	*/
+	async delete() {
+		return unlinkFileIfExists(this.filePath);
+	}
+};
+const CREDENTIAL_SECRET_STORAGE_UNAVAILABLE = "CREDENTIAL_SECRET_STORAGE_UNAVAILABLE";
+const CREDENTIAL_SECRET_READ_FAILED = "CREDENTIAL_SECRET_READ_FAILED";
+const CREDENTIAL_SECRET_WRITE_FAILED = "CREDENTIAL_SECRET_WRITE_FAILED";
+const CREDENTIAL_SECRET_DELETE_FAILED = "CREDENTIAL_SECRET_DELETE_FAILED";
+var CredentialSecretError = class extends Error {
+	constructor(message, options) {
+		super(message, options);
+		this.name = new.target.name;
+	}
+};
+var CredentialSecretStorageUnavailableError = class extends CredentialSecretError {
+	code = CREDENTIAL_SECRET_STORAGE_UNAVAILABLE;
+};
+var CredentialSecretReadError = class extends CredentialSecretError {
+	code = CREDENTIAL_SECRET_READ_FAILED;
+};
+var CredentialSecretWriteError = class extends CredentialSecretError {
+	code = CREDENTIAL_SECRET_WRITE_FAILED;
+};
+var CredentialSecretDeleteError = class extends CredentialSecretError {
+	code = CREDENTIAL_SECRET_DELETE_FAILED;
+};
+const credentialUserSchema = z.object({
+	id: z.string().min(1),
+	email: z.email(),
+	name: z.string().optional()
+});
+/**
+* Metadata about an organization the user is authenticated against.
+* Note: `apiKey` is NOT in this shape — it lives in the secrets file.
+*
+* Strict on purpose: extra fields (like the legacy `apiKey`) cause the schema
+* to fail, which routes the read through the migration chain rather than
+* silently stripping the unknown field at parse time.
+*/
+const orgEntrySchema = z.object({
+	organizationId: z.uuid(),
+	organizationName: z.string().min(1),
+	apiKeyId: z.uuid().optional(),
+	createdAt: z.string().min(1)
+}).strict();
+const credentialSecretStorageSchema = z.discriminatedUnion("kind", [z.object({
+	kind: z.literal("keychain"),
+	service: z.string().min(1)
+}).strict(), z.object({
+	kind: z.literal("file"),
+	reason: z.enum([
+		"legacy",
+		"insecure-storage",
+		"test"
+	]).optional()
+}).strict()]);
+const credentialsMetadataSchema = z.object({
+	version: z.literal(3),
+	serverUrl: z.url(),
+	webUrl: z.url(),
+	user: credentialUserSchema.optional(),
+	activeOrgId: z.uuid().optional(),
+	orgs: z.array(orgEntrySchema),
+	secretStorage: credentialSecretStorageSchema
+}).strict();
+const orgSecretsSchema = z.object({
+	version: z.literal(1),
+	/** Map of organizationId → API key. Empty when no orgs configured. */
+	byOrgId: z.record(z.uuid(), z.string().min(1))
+});
+const credentialsMetadataSchemaV2 = z.object({
+	version: z.literal(2),
+	serverUrl: z.url(),
+	webUrl: z.url(),
+	user: credentialUserSchema.optional(),
+	activeOrgId: z.uuid().optional(),
+	orgs: z.array(orgEntrySchema)
+}).strict();
+/**
+* Old V2 shape: same as current metadata, but each org carried its own
+* `apiKey` field. Migration: strip `apiKey` from each org. The actual key
+* bytes are recovered separately by the controller's legacy import step.
+*
+* `oldV2OrgEntrySchema` extends the current strict org schema with a required
+* `apiKey`. Strict so a V2-new entry (no apiKey) does NOT match this schema.
+*/
+const oldV2OrgEntrySchema = orgEntrySchema.extend({ apiKey: z.string().min(1) }).strict();
+const credentialsSchemaV2OldShape = z.object({
+	version: z.literal(2),
+	serverUrl: z.url(),
+	webUrl: z.url(),
+	user: credentialUserSchema.optional(),
+	activeOrgId: z.uuid().optional(),
+	orgs: z.array(oldV2OrgEntrySchema)
+}).strict();
+/**
+* V1 shape: a single embedded apiKey + organization. Migration: collapse to a
+* one-org metadata record. The apiKey bytes are recovered separately.
+*/
+const credentialsSchemaV1 = z.object({
+	version: z.literal(1),
+	apiKey: z.string().min(1),
+	apiKeyId: z.uuid().optional(),
+	serverUrl: z.url(),
+	webUrl: z.url(),
+	createdAt: z.string().min(1),
+	organizationId: z.uuid().optional(),
+	organizationName: z.string().optional(),
+	user: credentialUserSchema.optional()
+});
+const SECRETS_FILE = "secrets.json";
+const SECRETS_VERSION = 1;
+const SECRETS_DEFAULTS = {
+	version: SECRETS_VERSION,
+	byOrgId: {}
+};
+const CREDENTIAL_KEYCHAIN_SERVICE = "io.keystroke.cli";
+var CredentialSecrets = class {
+	legacySecrets;
+	vault;
+	constructor(options = {}) {
+		this.vault = options.vault;
+		this.legacySecrets = new Store({
+			name: SECRETS_FILE,
+			version: SECRETS_VERSION,
+			schema: orgSecretsSchema,
+			defaults: SECRETS_DEFAULTS,
+			fileMode: 384,
+			homeDir: options.homeDir
+		});
+	}
+	get legacySecretsFilePath() {
+		return this.legacySecrets.filePath;
+	}
+	async getApiKey(ref, storageKind) {
+		if (storageKind === "file") return (await this.legacySecrets.read())?.byOrgId[ref.orgId] ?? null;
+		const vault = this.requireVault();
+		try {
+			return await vault.get(getCredentialSecretAccountName(ref));
+		} catch (error) {
+			throw new CredentialSecretReadError("Could not read the Keystroke API key from the credential store.", { cause: error });
+		}
+	}
+	async setApiKey(ref, apiKey, storageKind) {
+		if (storageKind === "file") {
+			await this.legacySecrets.update((secrets) => ({
+				...secrets,
+				byOrgId: {
+					...secrets.byOrgId,
+					[ref.orgId]: apiKey
+				}
+			}));
+			return;
+		}
+		const vault = this.requireVault();
+		try {
+			await vault.set(getCredentialSecretAccountName(ref), apiKey);
+		} catch (error) {
+			throw new CredentialSecretWriteError("Could not save the Keystroke API key to the credential store.", { cause: error });
+		}
+	}
+	async deleteApiKey(ref, storageKind) {
+		if (storageKind === "file") {
+			const current = await this.legacySecrets.read();
+			if (!current || current.byOrgId[ref.orgId] === void 0) return false;
+			await this.legacySecrets.update((secrets) => {
+				const { [ref.orgId]: _removed, ...rest } = secrets.byOrgId;
+				return {
+					...secrets,
+					byOrgId: rest
+				};
+			});
+			return true;
+		}
+		const vault = this.requireVault();
+		try {
+			return await vault.delete(getCredentialSecretAccountName(ref));
+		} catch (error) {
+			throw new CredentialSecretDeleteError("Could not delete the Keystroke API key from the credential store.", { cause: error });
+		}
+	}
+	async clearLegacySecrets() {
+		return this.legacySecrets.delete();
+	}
+	async writeLegacySecrets(secrets) {
+		await this.legacySecrets.write(secrets);
+	}
+	async readLegacySecrets() {
+		return this.legacySecrets.read();
+	}
+	requireVault() {
+		if (!this.vault) throw new CredentialSecretStorageUnavailableError("Credential store is not configured for secure secret storage.");
+		return this.vault;
+	}
+};
+function getCredentialSecretAccountName(ref) {
+	return `api-key:${normalizeCredentialServerUrl(ref.serverUrl)}:${ref.orgId}`;
+}
+function normalizeCredentialServerUrl(rawUrl) {
+	const parsed = new URL(rawUrl);
+	parsed.protocol = parsed.protocol.toLowerCase();
+	parsed.hostname = parsed.hostname.toLowerCase();
+	const normalized = parsed.toString();
+	return normalized.endsWith("/") ? normalized.slice(0, -1) : normalized;
+}
+const CREDENTIALS_FILE = "credentials.json";
+const METADATA_VERSION = 3;
+const KEYCHAIN_STORAGE = {
+	kind: "keychain",
+	service: CREDENTIAL_KEYCHAIN_SERVICE
+};
+const TEST_FILE_STORAGE = {
+	kind: "file",
+	reason: "test"
+};
+const LEGACY_FILE_STORAGE = {
+	kind: "file",
+	reason: "legacy"
+};
+const INSECURE_FILE_STORAGE = {
+	kind: "file",
+	reason: "insecure-storage"
+};
+function createKeychainVault() {
+	return new KeychainVault({ service: CREDENTIAL_KEYCHAIN_SERVICE });
+}
+function resolveDefaultSecretStorage(options) {
+	if (options.secretStorage === "file") return TEST_FILE_STORAGE;
+	if (options.secretStorage === "keychain") return KEYCHAIN_STORAGE;
+	if (options.vault) return KEYCHAIN_STORAGE;
+	return options.homeDir ? TEST_FILE_STORAGE : KEYCHAIN_STORAGE;
+}
+function toSecretStorage(preference, fallback) {
+	if (preference === "file") return INSECURE_FILE_STORAGE;
+	if (preference === "keychain") return KEYCHAIN_STORAGE;
+	return fallback;
+}
+/**
+* Domain controller for Keystroke credentials.
+*
+* Currently backed by two files under `~/.keystroke/`:
+*   - `credentials.json` — metadata (org list, server URLs, active org pointer)
+*   - `secrets.json` — `{ version, byOrgId: { [orgId]: apiKey } }`
+*
+* Secret reads and writes go through `CredentialSecrets`, keeping the storage
+* mechanism behind this controller as PR 9 moves API keys to the OS keychain.
+*
+* Production code uses the `credentials` singleton exported below. Tests
+* construct a fresh instance with `homeDir` pointing at a tempdir.
+*/
+var Credentials = class {
+	metadata;
+	secrets;
+	defaultSecretStorage;
+	legacyImportComplete = false;
+	constructor(options = {}) {
+		const defaultSecretStorage = resolveDefaultSecretStorage(options);
+		this.defaultSecretStorage = defaultSecretStorage;
+		this.metadata = new Store({
+			name: CREDENTIALS_FILE,
+			version: METADATA_VERSION,
+			schema: credentialsMetadataSchema,
+			fileMode: 384,
+			homeDir: options.homeDir,
+			migrations: [
+				{
+					fromVersion: 2,
+					fromSchema: credentialsMetadataSchemaV2,
+					up: (raw) => {
+						const v2 = raw;
+						return {
+							version: METADATA_VERSION,
+							serverUrl: v2.serverUrl,
+							webUrl: v2.webUrl,
+							user: v2.user,
+							activeOrgId: v2.activeOrgId,
+							orgs: v2.orgs,
+							secretStorage: LEGACY_FILE_STORAGE
+						};
+					}
+				},
+				{
+					fromVersion: 2,
+					fromSchema: credentialsSchemaV2OldShape,
+					up: (raw) => {
+						const old = raw;
+						return {
+							version: METADATA_VERSION,
+							serverUrl: old.serverUrl,
+							webUrl: old.webUrl,
+							user: old.user,
+							activeOrgId: old.activeOrgId,
+							orgs: old.orgs.map(({ apiKey: _apiKey, ...rest }) => rest),
+							secretStorage: LEGACY_FILE_STORAGE
+						};
+					}
+				},
+				{
+					fromVersion: 1,
+					fromSchema: credentialsSchemaV1,
+					up: (raw) => {
+						const v1 = raw;
+						return {
+							version: METADATA_VERSION,
+							serverUrl: v1.serverUrl,
+							webUrl: v1.webUrl,
+							user: v1.user,
+							activeOrgId: v1.organizationId,
+							orgs: v1.organizationId ? [{
+								organizationId: v1.organizationId,
+								organizationName: v1.organizationName ?? "Unknown",
+								apiKeyId: v1.apiKeyId,
+								createdAt: v1.createdAt
+							}] : [],
+							secretStorage: LEGACY_FILE_STORAGE
+						};
+					}
+				}
+			]
+		});
+		this.secrets = new CredentialSecrets({
+			homeDir: options.homeDir,
+			vault: options.vault ?? (defaultSecretStorage.kind === "keychain" ? createKeychainVault() : void 0)
+		});
+	}
+	/** Absolute path to the credentials metadata file. */
+	get metadataFilePath() {
+		return this.metadata.filePath;
+	}
+	/** Absolute path to the secrets file. */
+	get secretsFilePath() {
+		return this.secrets.legacySecretsFilePath;
+	}
+	/**
+	* Returns the active org and its API key, or `null` when there are no
+	* stored credentials, no active org, or no key found for the active org.
+	*/
+	async getActiveOrg() {
+		await this.importLegacyIfNeeded();
+		const meta = await this.metadata.read();
+		if (!meta?.activeOrgId) return null;
+		const org = meta.orgs.find((o) => o.organizationId === meta.activeOrgId);
+		if (!org) return null;
+		const apiKey = await this.secrets.getApiKey({
+			orgId: meta.activeOrgId,
+			serverUrl: meta.serverUrl
+		}, meta.secretStorage.kind);
+		if (!apiKey) return null;
+		return {
+			org,
+			apiKey
+		};
+	}
+	/** All known orgs (without secrets). Empty when no credentials stored. */
+	async listOrgs() {
+		await this.importLegacyIfNeeded();
+		return (await this.metadata.read())?.orgs ?? [];
+	}
+	/** API key for a specific org, or `null` if not stored. */
+	async getApiKey(orgId) {
+		await this.importLegacyIfNeeded();
+		const meta = await this.metadata.read();
+		if (!meta) return null;
+		return this.secrets.getApiKey({
+			orgId,
+			serverUrl: meta.serverUrl
+		}, meta.secretStorage.kind);
+	}
+	/** Server URLs (shared across all orgs in the file). `null` when unset. */
+	async getServerUrls() {
+		await this.importLegacyIfNeeded();
+		const meta = await this.metadata.read();
+		return meta ? {
+			serverUrl: meta.serverUrl,
+			webUrl: meta.webUrl
+		} : null;
+	}
+	/** The user identity associated with stored credentials, if any. */
+	async getUser() {
+		await this.importLegacyIfNeeded();
+		return (await this.metadata.read())?.user;
+	}
+	/** Active organization ID, or `undefined` when none is set. */
+	async getActiveOrgId() {
+		await this.importLegacyIfNeeded();
+		return (await this.metadata.read())?.activeOrgId;
+	}
+	/**
+	* Returns `true` when credential metadata contains at least one org. Callers
+	* that need the actual API key should use `getActiveOrg()` or `getApiKey()`.
+	*/
+	async hasStoredCredentials() {
+		await this.importLegacyIfNeeded();
+		const meta = await this.metadata.read();
+		return meta !== null && meta.orgs.length > 0;
+	}
+	async getStorageInfo() {
+		await this.importLegacyIfNeeded();
+		const storage = (await this.metadata.read())?.secretStorage ?? this.defaultSecretStorage;
+		return {
+			metadataFilePath: this.metadata.filePath,
+			legacySecretsFilePath: this.secrets.legacySecretsFilePath,
+			secretStorageKind: storage.kind,
+			...storage.kind === "keychain" ? { keychainService: storage.service } : {},
+			insecureFileStorage: storage.kind === "file"
+		};
+	}
+	/**
+	* Adds or replaces an org entry. Sets it as the active org. Creates both
+	* files if neither exists. Atomic per-file (each file is a Store write).
+	*/
+	async upsertOrg(input) {
+		await this.importLegacyIfNeeded();
+		const existing = await this.metadata.read();
+		const secretStorage = toSecretStorage(input.secretStorage, this.defaultSecretStorage);
+		if (existing?.secretStorage.kind === "file" && secretStorage.kind === "keychain") await this.migrateFileSecretsToKeychain(existing);
+		const newMeta = existing ? {
+			...existing,
+			serverUrl: input.serverUrl,
+			webUrl: input.webUrl,
+			user: input.user ?? existing.user,
+			activeOrgId: input.org.organizationId,
+			secretStorage,
+			orgs: [...existing.orgs.filter((o) => o.organizationId !== input.org.organizationId), input.org]
+		} : {
+			version: METADATA_VERSION,
+			serverUrl: input.serverUrl,
+			webUrl: input.webUrl,
+			user: input.user,
+			activeOrgId: input.org.organizationId,
+			secretStorage,
+			orgs: [input.org]
+		};
+		await this.metadata.write(newMeta);
+		await this.secrets.setApiKey({
+			orgId: input.org.organizationId,
+			serverUrl: input.serverUrl
+		}, input.apiKey, secretStorage.kind);
+		if (existing) {
+			const previousOrg = existing.orgs.find((org) => org.organizationId === input.org.organizationId);
+			const serverUrlChanged = normalizeCredentialServerUrl(existing.serverUrl) !== normalizeCredentialServerUrl(input.serverUrl);
+			if (previousOrg && serverUrlChanged && (existing.secretStorage.kind === "keychain" || secretStorage.kind === "keychain")) await this.secrets.deleteApiKey({
+				orgId: input.org.organizationId,
+				serverUrl: existing.serverUrl
+			}, "keychain");
+		}
+	}
+	/**
+	* Switches the active org. Throws when no credentials exist or the org is
+	* not in the stored orgs array.
+	*/
+	async setActiveOrg(orgId) {
+		await this.importLegacyIfNeeded();
+		const meta = await this.metadata.read();
+		if (!meta) throw new Error("No stored credentials found. Run `keystroke auth` first.");
+		if (!meta.orgs.some((o) => o.organizationId === orgId)) throw new Error(`No stored API key for organization ${orgId}. Run \`keystroke auth\` to add credentials for this org.`);
+		await this.metadata.update((m) => ({
+			...m,
+			activeOrgId: orgId
+		}));
+	}
+	/**
+	* Removes a single org. If it was the active org, switches to the first
+	* remaining org. When the last org is removed, both files are deleted.
+	* Returns the removed org, or `null` if not stored.
+	*/
+	async removeOrg(orgId) {
+		await this.importLegacyIfNeeded();
+		const meta = await this.metadata.read();
+		if (!meta) return null;
+		const removed = meta.orgs.find((o) => o.organizationId === orgId);
+		if (!removed) return null;
+		const remaining = meta.orgs.filter((o) => o.organizationId !== orgId);
+		await this.secrets.deleteApiKey({
+			orgId,
+			serverUrl: meta.serverUrl
+		}, meta.secretStorage.kind);
+		if (remaining.length === 0) {
+			if (meta.secretStorage.kind === "file") await this.secrets.clearLegacySecrets();
+			await this.metadata.delete();
+			return removed;
+		}
+		const newActiveId = meta.activeOrgId === orgId ? remaining[0]?.organizationId : meta.activeOrgId;
+		await this.metadata.write({
+			...meta,
+			orgs: remaining,
+			activeOrgId: newActiveId
+		});
+		return removed;
+	}
+	/** Wipes both files. After this, `getActiveOrg` returns `null`. */
+	async clear() {
+		await this.importLegacyIfNeeded();
+		const meta = await this.metadata.read();
+		if (meta) for (const org of meta.orgs) await this.secrets.deleteApiKey({
+			orgId: org.organizationId,
+			serverUrl: meta.serverUrl
+		}, meta.secretStorage.kind);
+		await this.secrets.clearLegacySecrets();
+		await this.metadata.delete();
+		this.legacyImportComplete = false;
+	}
+	/**
+	* Detects pre-split shapes on disk (V1, or V2-old with embedded apiKeys) and
+	* writes the secrets file out before the Store-level migration strips the
+	* apiKeys from metadata. Idempotent: caches a per-instance flag so repeated
+	* calls after the first cost only the flag check.
+	*
+	* Implementation note: this runs BEFORE every `metadata.read()` in the
+	* controller's API methods. The first call detects-and-imports; subsequent
+	* calls are no-ops. Once import is done (or skipped because the file already
+	* matches the new shape), `metadata.read()` runs the V2-old/V1 migration
+	* which is purely a metadata reshape.
+	*/
+	async importLegacyIfNeeded() {
+		if (this.legacyImportComplete) return;
+		this.legacyImportComplete = true;
+		let raw;
+		try {
+			raw = await readJsonFile(this.metadata.filePath);
+		} catch {
+			return;
+		}
+		if (raw === null) return;
+		const v2Old = credentialsSchemaV2OldShape.safeParse(raw);
+		if (v2Old.success) {
+			const byOrgId = {};
+			for (const org of v2Old.data.orgs) byOrgId[org.organizationId] = org.apiKey;
+			const secretStorage = await this.importLegacySecrets({
+				metadata: {
+					version: METADATA_VERSION,
+					serverUrl: v2Old.data.serverUrl,
+					webUrl: v2Old.data.webUrl,
+					user: v2Old.data.user,
+					activeOrgId: v2Old.data.activeOrgId,
+					orgs: v2Old.data.orgs.map(({ apiKey: _apiKey, ...rest }) => rest),
+					secretStorage: this.defaultSecretStorage
+				},
+				byOrgId
+			});
+			await this.metadata.write({
+				version: METADATA_VERSION,
+				serverUrl: v2Old.data.serverUrl,
+				webUrl: v2Old.data.webUrl,
+				user: v2Old.data.user,
+				activeOrgId: v2Old.data.activeOrgId,
+				orgs: v2Old.data.orgs.map(({ apiKey: _apiKey, ...rest }) => rest),
+				secretStorage
+			});
+			return;
+		}
+		const v2 = credentialsMetadataSchemaV2.safeParse(raw);
+		if (v2.success) {
+			const legacySecrets = await this.secrets.readLegacySecrets();
+			const secretStorage = await this.importLegacySecrets({
+				metadata: {
+					version: METADATA_VERSION,
+					serverUrl: v2.data.serverUrl,
+					webUrl: v2.data.webUrl,
+					user: v2.data.user,
+					activeOrgId: v2.data.activeOrgId,
+					orgs: v2.data.orgs,
+					secretStorage: this.defaultSecretStorage
+				},
+				byOrgId: legacySecrets?.byOrgId ?? {}
+			});
+			await this.metadata.write({
+				version: METADATA_VERSION,
+				serverUrl: v2.data.serverUrl,
+				webUrl: v2.data.webUrl,
+				user: v2.data.user,
+				activeOrgId: v2.data.activeOrgId,
+				orgs: v2.data.orgs,
+				secretStorage
+			});
+			return;
+		}
+		const v1 = credentialsSchemaV1.safeParse(raw);
+		if (v1.success && v1.data.organizationId && v1.data.apiKey) {
+			const orgs = [{
+				organizationId: v1.data.organizationId,
+				organizationName: v1.data.organizationName ?? "Unknown",
+				apiKeyId: v1.data.apiKeyId,
+				createdAt: v1.data.createdAt
+			}];
+			const secretStorage = await this.importLegacySecrets({
+				metadata: {
+					version: METADATA_VERSION,
+					serverUrl: v1.data.serverUrl,
+					webUrl: v1.data.webUrl,
+					user: v1.data.user,
+					activeOrgId: v1.data.organizationId,
+					orgs,
+					secretStorage: this.defaultSecretStorage
+				},
+				byOrgId: { [v1.data.organizationId]: v1.data.apiKey }
+			});
+			await this.metadata.write({
+				version: METADATA_VERSION,
+				serverUrl: v1.data.serverUrl,
+				webUrl: v1.data.webUrl,
+				user: v1.data.user,
+				activeOrgId: v1.data.organizationId,
+				orgs,
+				secretStorage
+			});
+		}
+	}
+	async importLegacySecrets(input) {
+		if (this.defaultSecretStorage.kind === "file") {
+			await this.secrets.writeLegacySecrets({
+				version: 1,
+				byOrgId: input.byOrgId
+			});
+			return this.defaultSecretStorage;
+		}
+		try {
+			await this.writeSecretsToStorage(input.metadata, input.byOrgId, "keychain");
+			await this.secrets.clearLegacySecrets();
+			return KEYCHAIN_STORAGE;
+		} catch {
+			await this.secrets.writeLegacySecrets({
+				version: 1,
+				byOrgId: input.byOrgId
+			});
+			return LEGACY_FILE_STORAGE;
+		}
+	}
+	async migrateFileSecretsToKeychain(metadata) {
+		const legacySecrets = await this.secrets.readLegacySecrets();
+		if (!legacySecrets) return;
+		await this.writeSecretsToStorage(metadata, legacySecrets.byOrgId, "keychain");
+		await this.secrets.clearLegacySecrets();
+	}
+	async writeSecretsToStorage(metadata, byOrgId, storageKind) {
+		for (const org of metadata.orgs) {
+			const apiKey = byOrgId[org.organizationId];
+			if (!apiKey) continue;
+			const ref = {
+				orgId: org.organizationId,
+				serverUrl: metadata.serverUrl
+			};
+			await this.secrets.setApiKey(ref, apiKey, storageKind);
+			if (await this.secrets.getApiKey(ref, storageKind) !== apiKey) throw new Error(`Could not verify stored API key for organization ${org.organizationId}.`);
+		}
+	}
+};
+/**
+* Production singleton — the primary public API for credential storage. Tests
+* should construct `new Credentials({ homeDir })` instead.
+*/
+const credentials = new Credentials();
+const projectEntrySchema = z.object({
+	lastAccessed: z.string().min(1),
+	name: z.string().min(1).optional()
+});
+const projectsSchema = z.object({
+	version: z.literal(1),
+	projects: z.record(z.string(), projectEntrySchema),
+	lastProject: z.string().optional()
+});
+const PROJECTS_FILE = "projects.json";
+const PROJECTS_VERSION = 1;
+const PROJECTS_DEFAULTS = {
+	version: PROJECTS_VERSION,
+	projects: {}
+};
+/**
+* Domain controller for tracked Keystroke projects.
+*
+* Backed by a single file under `~/.keystroke/projects.json`.
+*
+* Production code uses the `projects` singleton exported below. Tests
+* construct a fresh instance with `homeDir` pointing at a tempdir.
+*/
+var Projects = class {
+	store;
+	constructor(options = {}) {
+		this.store = new Store({
+			name: PROJECTS_FILE,
+			version: PROJECTS_VERSION,
+			schema: projectsSchema,
+			defaults: PROJECTS_DEFAULTS,
+			homeDir: options.homeDir
+		});
+	}
+	/** Absolute path to the projects file. */
+	get filePath() {
+		return this.store.filePath;
+	}
+	/**
+	* Upsert a project entry. Fire-and-forget safe — catches all errors
+	* internally. Never throws. Call without `await` if you don't need to wait.
+	*
+	* Tracking is best-effort telemetry; we never want a failed write to bubble
+	* up to a CLI command and degrade UX.
+	*/
+	async track(projectPath, options) {
+		const absolutePath = path$1.resolve(projectPath);
+		try {
+			await this.store.update((data) => {
+				const previous = data.projects[absolutePath];
+				const entry = {
+					lastAccessed: (/* @__PURE__ */ new Date()).toISOString(),
+					...options?.name ? { name: options.name } : previous?.name ? { name: previous.name } : {}
+				};
+				return {
+					...data,
+					projects: {
+						...data.projects,
+						[absolutePath]: entry
+					},
+					lastProject: absolutePath
+				};
+			});
+		} catch {}
+	}
+	/**
+	* Removes a project from tracking. Returns `true` if the project existed,
+	* `false` if it was not tracked. Errors propagate (this is invoked by an
+	* explicit user action; the caller should know if it failed).
+	*/
+	async untrack(projectPath) {
+		const absolutePath = path$1.resolve(projectPath);
+		const existing = await this.store.read();
+		if (!existing || !(absolutePath in existing.projects)) return false;
+		const { [absolutePath]: _removed, ...remaining } = existing.projects;
+		const newLastProject = existing.lastProject === absolutePath ? void 0 : existing.lastProject;
+		await this.store.write({
+			...existing,
+			projects: remaining,
+			lastProject: newLastProject
+		});
+		return true;
+	}
+	/**
+	* Returns all tracked projects as an array of `{ path, lastAccessed, name? }`.
+	* Empty array when nothing is tracked or the file is missing.
+	*
+	* Note: order is not guaranteed (matches `Object.entries` over a Record).
+	* Callers that need a sort order should sort explicitly.
+	*
+	* Best-effort: corrupt files are treated as "no projects" rather than
+	* throwing, since project tracking is telemetry data.
+	*/
+	async list() {
+		const data = await this.readSafe();
+		if (!data) return [];
+		return Object.entries(data.projects).map(([projectPath, entry]) => ({
+			path: projectPath,
+			...entry
+		}));
+	}
+	/**
+	* Returns the most-recently-tracked project path, or `undefined` when none
+	* has been recorded.
+	*/
+	async getLast() {
+		return (await this.readSafe())?.lastProject;
+	}
+	/**
+	* Removes the projects file. Returns `true` if the file existed, `false`
+	* if it did not.
+	*/
+	async clear() {
+		return this.store.delete();
+	}
+	/**
+	* Reads the underlying store but treats schema/JSON errors as "no projects"
+	* rather than propagating. This preserves the previous best-effort contract
+	* for the projects file.
+	*/
+	async readSafe() {
+		try {
+			return await this.store.read();
+		} catch (error) {
+			if (error instanceof SyntaxError) return null;
+			if (error instanceof Error && error.message.startsWith("Invalid file at")) return null;
+			throw error;
+		}
+	}
+};
+/**
+* Production singleton — the primary public API for project tracking. Tests
+* should construct `new Projects({ homeDir })` instead.
+*/
+const projects = new Projects();
+/**
+* Returns the Keystroke temp directory path.
+*
+* - `getKeystrokeTmpDir({ projectRoot })` → `projectRoot/.keystroke/tmp` — for build
+*   artifacts that require module resolution from the project (workflow-builder).
+* - `getKeystrokeTmpDir()` → `~/.keystroke/tmp` — for general temporary storage.
+*
+* Callers must create the directory (e.g. `mkdir(path, { recursive: true })`)
+* before use.
+*/
+function getKeystrokeTmpDir(options) {
+	const baseDir = options?.projectRoot ? path$1.resolve(options.projectRoot) : os.homedir();
+	return path$1.join(baseDir, KEYSTROKE_DIR, "tmp");
+}
+//#endregion
+export { projects as i, credentials as n, getKeystrokeTmpDir as r, Credentials as t };