@keystrokehq/cli 0.0.19 → 0.0.21

package/dist/{import-module--8x5SLum-DjPUZr4i.mjs → import-module-y0glInUe-DxX0-BRO.mjs}

@@ -1,11 +1,10 @@
 #!/usr/bin/env node
 
 import { n as findProjectRoot } from "./project-config-DudGRFPO.mjs";
-import { c as optionalDescriptionString$1, i as createStructuralSchema$1, l as optionalTrimmedNonEmptyString$1, o as idNoSpacesString, r as anyZodSchemaSchema$1, s as jsonSchemaObject$1, t as CredentialSetManifestSchema$1, u as trimmedNonEmptyString$1 } from "./schemas-BxFPUGWT.mjs";
-import { n as DeclaredCredentialRequirementSchema } from "./credential-requirements-Ob-7H-0F.mjs";
-import { a as FlowGraphSchema, i as WorkflowCoreManifestSchema, n as WORKFLOW_MANIFEST_SCHEMA_VERSION } from "./workflow-build-manifest-BKKW9D05.mjs";
-import { t as parseCronExpression } from "./cron-parser-Dw_cWzFu.mjs";
-import { t as runWithConcurrency } from "./concurrency-gXn9Rw8x-BTlfau8D.mjs";
+import { _ as descriptionString, b as trimmedNonEmptyString, g as createStructuralSchema, h as anyZodSchemaSchema, l as TriggerTypeSchema, m as CredentialSetManifestSchema, n as DeclaredCredentialRequirementSchema, r as ExecutionIdentityPolicySchema, v as jsonSchemaObject, y as jsonValueSchema } from "./credential-requirements-D0mavK8j-CFMf0Xwu.mjs";
+import { a as FlowGraphSchema, i as WorkflowCoreManifestSchema, n as WORKFLOW_MANIFEST_SCHEMA_VERSION } from "./workflow-build-manifest-1sC52TIG.mjs";
+import { c as optionalDescriptionString, f as parseCronExpression, i as createStructuralSchema$1, l as optionalTrimmedNonEmptyString, o as idNoSpacesString, r as anyZodSchemaSchema$1, s as jsonSchemaObject$1, t as CredentialSetManifestSchema$1, u as trimmedNonEmptyString$1 } from "./schemas-D2zfmyC-.mjs";
+import { t as runWithConcurrency } from "./concurrency-gXn9Rw8x-CnBnF2cg.mjs";
 import { createRequire } from "node:module";
 import * as os from "node:os";
 import * as path$1 from "node:path";
@@ -15,7 +14,7 @@ import { execFile } from "node:child_process";
 import { randomUUID } from "node:crypto";
 import { promisify } from "node:util";
 //#region ../../packages/core/src/mcp-server/schemas.ts
-const credentialSetInstanceSchema$3 = createStructuralSchema$1([
+const credentialSetInstanceSchema$2 = createStructuralSchema$1([
 	"id",
 	"auth",
 	"connections"
@@ -40,10 +39,10 @@ const McpTransportSchema = z.discriminatedUnion("type", [
 ]);
 z.object({
 	id: trimmedNonEmptyString$1("MCP server ID"),
-	name: optionalTrimmedNonEmptyString$1("MCP server name"),
-	description: optionalDescriptionString$1("MCP server description"),
+	name: optionalTrimmedNonEmptyString("MCP server name"),
+	description: optionalDescriptionString("MCP server description"),
 	transport: McpTransportSchema,
-	credentialSets: z.array(credentialSetInstanceSchema$3).optional(),
+	credentialSets: z.array(credentialSetInstanceSchema$2).optional(),
 	credentials: z.function().optional()
 });
 const McpServerManifestSchema = z.object({
@@ -67,7 +66,7 @@ const McpServerManifestSchema = z.object({
 });
 //#endregion
 //#region ../../packages/core/src/messaging-gateway/schemas.ts
-const credentialSetInstanceSchema$2 = createStructuralSchema$1([
+const credentialSetInstanceSchema$1 = createStructuralSchema$1([
 	"id",
 	"auth",
 	"connections"
@@ -76,11 +75,11 @@ const MessagingGatewayModeSchema = z.enum(["platform", "custom"]);
 const MessagingGatewayCredentialScopeSchema = z.enum(["organization", "project"]);
 z.object({
 	id: idNoSpacesString("MessagingGateway id"),
-	name: optionalDescriptionString$1("MessagingGateway name"),
-	description: optionalDescriptionString$1("MessagingGateway description"),
+	name: optionalDescriptionString("MessagingGateway name"),
+	description: optionalDescriptionString("MessagingGateway description"),
 	provider: z.string().min(1, "MessagingGateway provider is required"),
 	mode: MessagingGatewayModeSchema,
-	credentialSet: credentialSetInstanceSchema$2,
+	credentialSet: credentialSetInstanceSchema$1,
 	credentialScope: MessagingGatewayCredentialScopeSchema.optional(),
 	appRef: z.string().min(1).optional()
 });
@@ -139,9 +138,9 @@ const SandboxFileSourceSchema = z.discriminatedUnion("type", [z.object({
 	target: z.string().optional()
 })]);
 z.object({
-	id: optionalTrimmedNonEmptyString$1("Sandbox ID"),
-	name: optionalTrimmedNonEmptyString$1("Sandbox name"),
-	description: optionalDescriptionString$1("Sandbox description"),
+	id: optionalTrimmedNonEmptyString("Sandbox ID"),
+	name: optionalTrimmedNonEmptyString("Sandbox name"),
+	description: optionalDescriptionString("Sandbox description"),
 	runtime: SandboxRuntimeSchema.optional(),
 	fileSources: z.array(SandboxFileSourceSchema).optional(),
 	setupCommands: z.array(z.string()).optional()
@@ -201,7 +200,7 @@ const AgentToolCredentialSetReferenceSchema = z.object({
 z.object({
 	id: trimmedNonEmptyString$1("Agent ID"),
 	name: trimmedNonEmptyString$1("Agent name"),
-	description: optionalDescriptionString$1("Agent description"),
+	description: optionalDescriptionString("Agent description"),
 	systemPrompt: z.string().min(1, { error: "System prompt is required" }),
 	model: trimmedNonEmptyString$1("Model"),
 	thinkingLevel: AgentThinkingLevelSchema.optional(),
@@ -253,21 +252,6 @@ const AgentManifestSchema = z.object({
 	sandbox: SandboxManifestSchema.optional(),
 	messaging: z.array(MessagingGatewayManifestSchema).optional()
 });
-z.string().length(64, "Must be 64 characters").regex(/^[a-f0-9]{64}$/i, "Must be hexadecimal").transform((value) => value);
-const JsonSchemaSchema = z.record(z.string(), z.unknown());
-z.object({
-	constant: z.object({
-		attempts: z.number().int().min(1).max(10),
-		seconds: z.number().positive()
-	}).optional(),
-	exponential: z.object({
-		attempts: z.number().int().min(1).max(10),
-		base: z.number().min(1).optional(),
-		multiplier: z.number().positive().optional()
-	}).optional()
-}).refine((data) => {
-	return data.constant !== void 0 !== (data.exponential !== void 0);
-}, { error: "Retry config must specify exactly one of constant or exponential strategy" });
 z.union([z.number().int().positive().finite(), z.string().regex(/^[1-9]\d*[smhdwy]$/)]);
 const DurationStringSchema = z.string().refine((val) => /^\d+[smhdwy]$/.test(val), { message: "Invalid duration format. Must be a positive integer followed by s, m, h, d, w, or y (e.g., \"5m\", \"1h\")" }).refine((val) => {
 	const match = val.match(/^(\d+)[smhdwy]$/);
@@ -347,539 +331,54 @@ const IANATimezoneSchema = z.enum([
 	"Asia/Doha"
 ]);
 //#endregion
-//#region ../../packages/core/dist/chunks/schema-RilQR7M-.mjs
-const MAX_JSON_DEPTH = 20;
-function buildJsonValueSchema(depth) {
-	const primitives = z.union([
-		z.string(),
-		z.number(),
-		z.boolean(),
-		z.null()
-	]);
-	if (depth <= 0) return primitives;
-	const nested = buildJsonValueSchema(depth - 1);
-	return z.union([
-		primitives,
-		z.array(nested),
-		z.record(z.string(), nested)
-	]);
-}
-const jsonValueSchema = buildJsonValueSchema(MAX_JSON_DEPTH);
-const jsonSchemaObject = z.record(z.string(), jsonValueSchema);
-const anyZodSchemaSchema = z.custom((value) => value instanceof z.ZodType, "Expected a Zod schema");
-const zodObjectSchema = z.custom((value) => value instanceof z.ZodObject, "Expected a Zod object schema");
-/**
-* Creates a Zod schema that validates an object structurally by checking
-* for required properties. This avoids `instanceof` checks which fail
-* when class definitions are duplicated across bundle boundaries.
-*/
-function createStructuralSchema(requiredKeys, label) {
-	return z.custom((value) => value != null && (typeof value === "object" || typeof value === "function") && requiredKeys.every((key) => key in value), `Expected ${label}`);
-}
-function trimmedNonEmptyString(fieldName) {
-	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` });
-}
-/**
-* Non-empty trimmed string for credential definition ids.
-* Allows namespaced ids such as `keystroke:slack` plus letters, numbers,
-* hyphens, and underscores.
-*/
-function credentialSetIdString(fieldName) {
-	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` }).refine((s) => /^[a-zA-Z0-9_:-]+$/.test(s), { error: `${fieldName} must only contain letters, numbers, hyphens, underscores, and colons` });
-}
-function optionalTrimmedNonEmptyString(fieldName) {
-	return trimmedNonEmptyString(fieldName).optional();
-}
-function descriptionString(fieldName) {
-	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(1024, { error: `${fieldName} cannot exceed 1024 characters` });
-}
-function optionalDescriptionString(fieldName) {
-	return descriptionString(fieldName).optional();
-}
-//#endregion
-//#region ../../packages/core/dist/chunks/schemas-CUxIyWrr.mjs
-/**
-* Shared constants for the credential/connection system.
-* Defined in core (bottom of dependency chain) so all packages can import them.
-*/
-const CREDENTIAL_EXPOSURES = {
-	"user-runtime": "user-runtime",
-	"platform-only": "platform-only"
-};
-const credentialSetProxyInjectionSchema = z.object({
-	/** Substitute placeholder in HTTP headers (default: true). */
-	headers: z.boolean().optional(),
-	/** Substitute placeholder in the HTTP Basic Auth credential (default: true). */
-	basicAuth: z.boolean().optional(),
-	/** Substitute placeholder in URL query params (default: false).
-	*  Use for APIs that authenticate via `?api_key=...` (Google Maps, OWM, etc.). */
-	queryParams: z.boolean().optional(),
-	/** Substitute placeholder in the HTTP request body (default: false).
-	*  Use for form-encoded auth payloads (Stripe, AWS SigV4 query, etc.). */
-	body: z.boolean().optional()
-});
-const credentialSetProxyConfigSchema = z.object({
-	/** Exact-match host allowlist (forwarded to SecretBuilder.allowHost). */
-	hosts: z.array(z.string().min(1)).optional(),
-	/** Wildcard host allowlist (forwarded to SecretBuilder.allowHostPattern).
-	*  Example: `["*.browserbase.com"]` covers any subdomain. */
-	hostPatterns: z.array(z.string().min(1)).optional(),
-	/** Per-scope substitution toggles. Omit to use SDK defaults. */
-	injection: credentialSetProxyInjectionSchema.optional()
-});
-const onCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
-const credentialExposureSchema = z.enum([CREDENTIAL_EXPOSURES["user-runtime"], CREDENTIAL_EXPOSURES["platform-only"]]);
-const connectionMetadataConfigSchema = z.object({
-	id: credentialSetIdString("Credential connection id").optional(),
-	label: optionalTrimmedNonEmptyString("Credential connection label"),
-	description: optionalDescriptionString("Credential connection description"),
-	recommended: z.boolean().optional(),
-	advanced: z.boolean().optional(),
-	needsRawSecret: z.boolean().optional()
-});
-const connectionMetadataManifestSchema = connectionMetadataConfigSchema;
-const registeredDescriptorSchema = z.object({
-	id: trimmedNonEmptyString("Registered descriptor id"),
-	config: z.record(z.string(), z.unknown()).optional()
-});
-const registeredResolverDescriptorSchema = registeredDescriptorSchema.extend({ cacheMs: z.number().int().nonnegative().optional() });
-const manualConnectionConfigSchema = connectionMetadataConfigSchema.extend({
-	kind: z.literal("manual"),
-	input: zodObjectSchema.optional(),
-	instructions: z.string().min(1).optional(),
-	validate: z.function().optional()
-});
-const manualConnectionFieldManifestSchema = z.object({
-	key: z.string().min(1),
-	label: z.string().min(1),
-	description: z.string().min(1).optional(),
-	optional: z.boolean(),
-	secret: z.literal(true)
-});
-const manualConnectionConfigManifestSchema = connectionMetadataManifestSchema.extend({
-	kind: z.literal("manual"),
-	input: jsonSchemaObject.optional(),
-	fields: z.array(manualConnectionFieldManifestSchema).optional(),
-	generated: z.boolean().optional(),
-	instructions: z.string().min(1).optional()
-});
-/** Declarative form of `Vault` — strings typed against the credential set's
-* stored/auth schema keys at the {@link CredentialSetConfig} boundary; the Zod
-* schema here enforces non-empty strings only. `CredentialSet` itself performs
-* the schema-key membership check at construction time. */
-const vaultMappingSchema = z.object({
-	accessToken: z.string().min(1),
-	refreshToken: z.string().min(1).optional(),
-	instanceUrl: z.string().min(1).optional(),
-	raw: z.record(z.string().min(1), z.string().min(1)).optional()
-});
-/** Function form of `Vault` — an object pairing the access-token vault key
-*  (`accessTokenKey`) with the `build` function that computes the full vault
-*  write map. The explicit key keeps the disconnect path's revocation read
-*  reliable even when `build` transforms the access token. */
-const vaultMappingFnSchema = z.object({
-	accessTokenKey: z.string().min(1),
-	build: z.custom((val) => typeof val === "function", { message: "vault.build must be a function." })
-});
-/** Runtime shape of `Vault`. Accepts either the declarative mapping or the
-*  function-form object `{ accessTokenKey, build }`. */
-const vaultConfigSchema = z.union([vaultMappingSchema, vaultMappingFnSchema], { error: "vault must be a declarative mapping object or a `{ accessTokenKey, build }` object." });
-/** Manifest projection of `Vault` — declarative mappings serialize verbatim;
-* function-form mappings serialize as `{ kind: 'function', accessTokenKey }`
-* since closures are not manifest-safe but the access-token key is. */
-const vaultManifestSchema = z.discriminatedUnion("kind", [z.object({
-	kind: z.literal("declarative"),
-	accessToken: z.string().min(1),
-	refreshToken: z.string().min(1).optional(),
-	instanceUrl: z.string().min(1).optional(),
-	raw: z.record(z.string().min(1), z.string().min(1)).optional()
-}), z.object({
-	kind: z.literal("function"),
-	accessTokenKey: z.string().min(1)
-})]);
-const oauthConnectionConfigBaseSchema = z.object({
-	kind: z.literal("oauth"),
-	authUrl: z.string().url(),
-	tokenUrl: z.string().url(),
-	scopes: z.array(z.string()).readonly(),
-	revokeUrl: z.string().url().nullable().optional(),
-	tokenType: z.enum(["long-lived", "refreshable"]),
-	pkce: z.boolean().optional(),
-	/** Fallback token lifetime when the provider omits `expires_in`. Positive
-	*  integer seconds. Shared between config + manifest schemas (both extend
-	*  this base). */
-	defaultExpiresInSeconds: z.number().int().positive().optional()
-});
-const oauthConnectionConfigSchema = oauthConnectionConfigBaseSchema.extend({
-	...connectionMetadataConfigSchema.shape,
-	vault: vaultConfigSchema,
-	oauth: registeredDescriptorSchema.optional(),
-	buildAuthUrl: z.function().optional(),
-	exchangeCode: z.function().optional(),
-	refreshToken: z.function().optional(),
-	extractInstallationInfo: z.function().optional(),
-	validate: z.function().optional()
-});
-const oauthConnectionConfigManifestSchema = oauthConnectionConfigBaseSchema.extend({
-	...connectionMetadataManifestSchema.shape,
-	vault: vaultManifestSchema,
-	oauth: registeredDescriptorSchema.optional()
-});
-const credentialsExchangeConnectionConfigSchema = connectionMetadataConfigSchema.extend({
-	kind: z.literal("credentials-exchange"),
-	instructions: z.string().min(1).optional(),
-	input: zodObjectSchema
-}).extend({
-	exchange: z.function(),
-	rotate: z.function().optional(),
-	validate: z.function().optional()
-});
-/** Manifest projection of `CredentialsExchangeConnectionConfig` — only the
-*  declarative `input` schema (rendered as JSON Schema) and `instructions`
-*  copy survive serialization. The three hooks (`exchange`, `rotate`,
-*  `validate`) are runtime closures and are stripped. */
-const credentialsExchangeConnectionConfigManifestSchema = z.object({
-	kind: z.literal("credentials-exchange"),
-	...connectionMetadataManifestSchema.shape,
-	instructions: z.string().min(1).optional(),
-	input: jsonSchemaObject
-});
-const exchangeCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
-	kind: z.literal("exchange"),
-	input: zodObjectSchema,
-	exchange: registeredDescriptorSchema
-});
-const exchangeCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
-	kind: z.literal("exchange"),
-	input: jsonSchemaObject,
-	exchange: registeredDescriptorSchema
-});
-const dynamicCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
-	kind: z.literal("dynamic"),
-	input: zodObjectSchema.optional(),
-	resolver: registeredResolverDescriptorSchema
-});
-const dynamicCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
-	kind: z.literal("dynamic"),
-	input: jsonSchemaObject.optional(),
-	resolver: registeredResolverDescriptorSchema
-});
-const platformCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({ kind: z.literal("platform") });
-const platformCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({ kind: z.literal("platform") });
-const connectionConfigSchema = z.discriminatedUnion("kind", [
-	manualConnectionConfigSchema,
-	oauthConnectionConfigSchema,
-	credentialsExchangeConnectionConfigSchema,
-	exchangeCredentialConnectionConfigSchema,
-	dynamicCredentialConnectionConfigSchema,
-	platformCredentialConnectionConfigSchema
-]);
-/** Manifest projection of `ConnectionConfig` — declarative metadata only. */
-const connectionConfigManifestSchema = z.discriminatedUnion("kind", [
-	manualConnectionConfigManifestSchema,
-	oauthConnectionConfigManifestSchema,
-	credentialsExchangeConnectionConfigManifestSchema,
-	exchangeCredentialConnectionManifestSchema,
-	dynamicCredentialConnectionManifestSchema,
-	platformCredentialConnectionManifestSchema
-]);
-const CredentialSetManifestSchema = z.object({
-	manifestVersion: z.literal(1),
-	type: z.literal("credentialSet"),
-	id: credentialSetIdString("Credential set id"),
-	name: trimmedNonEmptyString("Credential set name"),
-	description: optionalDescriptionString("Credential set description"),
-	auth: jsonSchemaObject,
-	exposure: credentialExposureSchema.optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
-	needsRawSecret: z.boolean().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: onCredentialRevokedSchema.optional(),
-	connections: z.array(connectionConfigManifestSchema).optional()
-});
-z.object({
-	id: credentialSetIdString("Credential set id"),
-	name: optionalTrimmedNonEmptyString("Credential set name"),
-	description: optionalDescriptionString("Credential set description"),
-	auth: zodObjectSchema,
-	exposure: credentialExposureSchema.optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
-	needsRawSecret: z.boolean().optional(),
-	onCredentialRevoked: onCredentialRevokedSchema.optional(),
-	connections: z.array(connectionConfigSchema).readonly().optional()
-});
-//#endregion
-//#region ../../packages/core/dist/chunks/schemas-B8U1MF_0.mjs
-const SourceLocationSchema = z.object({
-	filePath: z.string().min(1),
-	absoluteFilePath: z.string().min(1).optional(),
-	line: z.number().int().positive(),
-	column: z.number().int().positive(),
-	position: z.number().int().nonnegative().optional(),
-	endLine: z.number().int().positive(),
-	endColumn: z.number().int().positive(),
-	endPosition: z.number().int().nonnegative().optional(),
-	synthetic: z.boolean().optional()
-});
-z.string().min(1);
-const ImportSourceSchema = z.object({
-	kind: z.enum([
-		"local",
-		"module-import",
-		"namespace-import",
-		"dynamic"
-	]),
-	moduleSpecifier: z.string().min(1).optional(),
-	importName: z.string().min(1).optional(),
-	localName: z.string().min(1).optional(),
-	resolvedPath: z.string().min(1).optional()
-});
-const CallKindSchema = z.enum([
-	"workflow-step",
-	"agent",
-	"tool",
-	"hook",
-	"child-workflow",
-	"function-call",
-	"method-call",
-	"dynamic-call",
-	"parallel-call",
-	"process-exit",
-	"iife",
-	"expression"
-]);
-const CapturedVariableSourceKindSchema = z.enum([
-	"local-const",
-	"relative-import",
-	"package-import"
-]);
-const CapturedVariableValueTypeSchema = z.enum([
-	"string",
-	"number",
-	"boolean",
-	"object",
-	"array",
-	"function",
-	"unknown"
-]);
-z.object({
-	name: z.string().min(1),
-	value: z.union([
-		z.string(),
-		z.number(),
-		z.boolean()
-	]).optional(),
-	sourceText: z.string().optional(),
-	valueType: CapturedVariableValueTypeSchema,
-	resolvable: z.boolean(),
-	source: CapturedVariableSourceKindSchema,
-	importPath: z.string().optional(),
-	declaration: z.object({
-		filePath: z.string().min(1),
-		line: z.number().int().positive()
-	})
-});
-const IntegrationScopeSchema = z.enum([
-	"organization",
-	"project",
-	"user_provided_credential"
-]);
-const IntegrationCredentialRefSchema = z.discriminatedUnion("type", [z.object({
-	type: z.literal("id"),
-	id: z.string().startsWith("cset_")
-}), z.object({
-	type: z.literal("name"),
-	name: z.string().trim().min(1)
-})]);
-function hasProjectOrOrganizationScope(scope) {
-	return scope === "organization" || scope === "project";
-}
-const CredentialRefTokenKeyNameSchema = z.string().regex(/^[A-Za-z0-9_]+$/, "Credential key must contain only letters, digits, and underscores (required for ref-token proxying)");
-/** Shared enum for top-level credential-set `onCredentialRevoked` policy. */
-const OnCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
-/** A credential set after resolution in a built manifest. Contains definition id, scope, alias, and credential keys.*/
-const ResolvedCredentialSetSchema = z.object({
-	resolvedId: z.string(),
-	scope: IntegrationScopeSchema.optional(),
-	alias: z.string().optional(),
-	credentialRef: IntegrationCredentialRefSchema.optional(),
-	/** Auth-shape keys expected post-resolve. */
-	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
-	/** Subset of `credentialKeys` that are optional in the auth shape. */
-	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Auth-shaped vault keys required for vault reads and upload flows. */
-	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Subset of auth-shaped vault keys that may be absent from the vault without
-	* failing resolution. Derived from the credential set's `auth` schema. */
-	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	/** When true, resolved values are passed raw (no ref-token proxy) for this set. */
-	needsRawSecret: z.boolean().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
-	/** Persistence-layer schema fingerprint stamped at build time. The
-	* resolver's phase 2 compares this against the vault row's stored
-	* fingerprint and raises `CredentialSchemaMismatchError` on drift.
-	* Optional here so pre-fingerprint artifacts still parse; the
-	* workflow builder populates it for every authored credential set
-	* that has a resolvable fingerprint. */
-	schemaFingerprint: z.string().optional()
-}).superRefine((value, ctx) => {
-	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
-		code: z.ZodIssueCode.custom,
-		path: ["credentialRef"],
-		message: "credentialRef requires scope to be \"project\" or \"organization\""
-	});
-});
-z.object({
-	credentialSetId: z.string(),
-	/** Auth-shape keys expected post-resolve. */
-	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
-	/** Optional subset of the auth-shape keys. */
-	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Stored-shape keys required for vault reads. */
-	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Optional subset of the stored-shape keys. */
-	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	schemaFingerprint: z.string().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	needsRawSecret: z.boolean().optional(),
-	requiredOAuthScopes: z.array(z.string()).optional()
-});
-const CredentialRequirementEntrySchema = z.object({
-	credentialSetId: z.string(),
-	scope: IntegrationScopeSchema.optional(),
-	alias: z.string().optional(),
-	credentialRef: IntegrationCredentialRefSchema.optional(),
-	/** Auth-shape keys expected post-resolve. */
-	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
-	/** Optional subset of the auth-shape keys. */
-	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Auth-shaped vault keys required for vault reads. */
-	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	/** Optional subset of the stored-shape keys. */
-	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
-	schemaFingerprint: z.string().optional(),
-	proxy: credentialSetProxyConfigSchema.optional(),
-	needsRawSecret: z.boolean().optional(),
-	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
-	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
-	requiredOAuthScopes: z.array(z.string()).optional()
-}).superRefine((value, ctx) => {
-	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
-		code: z.ZodIssueCode.custom,
-		path: ["credentialRef"],
-		message: "credentialRef requires scope to be \"project\" or \"organization\""
-	});
-});
-z.object({
-	required: z.array(z.string()),
-	byStep: z.record(z.string(), z.array(CredentialRequirementEntrySchema))
-});
-const TriggerCallbackNameSchema = z.enum([
-	"filter",
-	"idempotencyKey",
-	"verify",
-	"callback"
-]);
-const TriggerCredentialRequirementEntrySchema = CredentialRequirementEntrySchema;
-const TriggerCredentialRequirementsSchema = z.object({
-	required: z.array(z.string()),
-	byCallback: z.partialRecord(TriggerCallbackNameSchema, z.array(TriggerCredentialRequirementEntrySchema))
-});
-const ExecutionIdentityPolicySchema = z.object({ subjectMode: z.enum(["never", "requiredWhenUserProvidedCredential"]) });
-z.object({
-	nodeId: z.string().min(1),
-	stepName: z.string().min(1),
-	label: z.string().min(1),
-	callKind: CallKindSchema,
-	stepId: z.string().min(1).optional(),
-	source: SourceLocationSchema.optional(),
-	astKind: z.string().min(1).optional(),
-	importSource: ImportSourceSchema.optional(),
-	outputBinding: z.string().min(1).optional(),
-	scopeOverride: IntegrationScopeSchema.optional(),
-	description: z.string().optional(),
-	sourceCode: z.string().optional(),
-	exportName: z.string().optional(),
-	inputSchema: JsonSchemaSchema.optional(),
-	outputSchema: JsonSchemaSchema.optional(),
-	credentialSets: z.array(ResolvedCredentialSetSchema).optional()
-});
-const TriggerTypeSchema = z.enum([
-	"webhook",
-	"cron",
-	"polling"
+//#region ../../packages/core/dist/chunks/schemas-CRXLuZkZ.mjs
+const trimmedString = z.string().trim().min(1);
+const payloadHashSchema = z.object({
+	from: z.literal("payload"),
+	strategy: z.literal("hash")
+});
+const payloadPathSchema = z.object({
+	from: z.literal("payload"),
+	path: trimmedString
+});
+const headerHashSchema = z.object({
+	from: z.literal("header"),
+	strategy: z.literal("hash")
+});
+const headerNameSchema = z.object({
+	from: z.literal("header"),
+	name: trimmedString
+});
+const idempotencyKeyConfigSchema = z.union([
+	payloadHashSchema,
+	payloadPathSchema,
+	headerHashSchema,
+	headerNameSchema
 ]);
-/**
-* Persisted on `deployment_triggers.trigger_source`. Mirrors the
-* `webhookTrigger({ source: { type } })` discriminator so the server
-* can index-filter app-source rows during provider-webhook fanout.
-*/
-const TriggerSourceSchema = z.enum(["custom", "app"]);
-const WebhookMethodSchema$1 = z.enum([
-	"GET",
-	"POST",
-	"PUT",
-	"PATCH"
-]);
-const TriggerCallbackBundleUploadSchema = z.object({
-	code: z.string(),
-	hash: z.string(),
-	size: z.number()
-});
-const TriggerCallbackExportsSchema = z.object({
-	verify: z.string().min(1).optional(),
-	filter: z.string().min(1).optional(),
-	idempotencyKey: z.string().min(1).optional(),
-	callback: z.string().min(1).optional()
-});
-const TransformCallbackExportsSchema = z.object({ transform: z.string().min(1).optional() });
-z.object({
-	id: z.string(),
-	type: TriggerTypeSchema,
-	/**
-	* Source-of-truth discriminator for webhook triggers. `'custom'` means
-	* the trigger owns its own HTTP path; `'app'` means it is fanned out by
-	* a Keystroke-managed provider app. Undefined for non-webhook triggers.
-	*/
-	triggerSource: TriggerSourceSchema.optional(),
-	enabled: z.boolean(),
-	path: z.string().optional(),
-	method: WebhookMethodSchema$1.optional(),
-	schedule: z.string().optional(),
-	timezone: z.string().optional(),
-	config: z.record(z.string(), z.unknown()).optional(),
-	requiredCredentials: TriggerCredentialRequirementsSchema.optional(),
-	storagePath: z.string().min(1).optional(),
-	callbackBundle: TriggerCallbackBundleUploadSchema.optional(),
-	callbackExports: TriggerCallbackExportsSchema.optional(),
-	transformCallbackBundle: TriggerCallbackBundleUploadSchema.optional(),
-	transformCallbackExports: TransformCallbackExportsSchema.optional()
-});
-const credentialSetInstanceSchema$1 = createStructuralSchema([
+const credentialSetInstanceSchema = createStructuralSchema([
 	"id",
 	"auth",
 	"connections"
 ], "a CredentialSet instance");
 const TriggerModeDefaultSchema = z.enum(["managed", "subscribable"]);
-const TriggerCallbackPresenceSchema = z.object({
-	filter: z.boolean(),
-	idempotencyKey: z.boolean(),
+const TriggerRuntimeDescriptorSchema = z.object({
+	/**
+	* True when this trigger bundles a `poll` export executed inside a
+	* microsandbox VM at trigger time. Polling-only — webhook/cron always
+	* leave this undefined. Replaces the legacy `callbacks: { poll, ... }`
+	* descriptor (the other callbacks are gone now that filter/idempotency/
+	* verify/transform are declarative or run in the workflow VM).
+	*/
 	poll: z.boolean().optional(),
-	transformAllowed: z.boolean(),
-	verify: z.boolean().optional()
+	filterSchema: jsonSchemaObject.optional(),
+	/** Webhook-only declarative idempotency-key resolver. */
+	idempotencyConfig: idempotencyKeyConfigSchema.optional()
 });
-const TriggerRuntimeDescriptorSchema = z.object({ callbacks: TriggerCallbackPresenceSchema });
 z.object({
 	manifestVersion: z.literal(1),
 	type: z.literal("trigger"),
 	triggerType: TriggerTypeSchema,
-	name: trimmedNonEmptyString("Trigger name"),
+	id: trimmedNonEmptyString("Trigger id"),
 	description: descriptionString("Trigger description"),
 	enabled: z.boolean(),
 	modeDefault: TriggerModeDefaultSchema,
@@ -888,12 +387,12 @@ z.object({
 	runtime: TriggerRuntimeDescriptorSchema
 });
 const triggerBaseConfigSchema = z.object({
-	credentialSets: z.array(credentialSetInstanceSchema$1).optional(),
+	credentialSets: z.array(credentialSetInstanceSchema).optional(),
 	description: descriptionString("Trigger description"),
 	enabled: z.boolean().default(true),
 	executionIdentityPolicy: ExecutionIdentityPolicySchema.optional(),
 	modeDefault: TriggerModeDefaultSchema.default("managed"),
-	name: trimmedNonEmptyString("Trigger name")
+	id: trimmedNonEmptyString("Trigger id")
 });
 triggerBaseConfigSchema.extend({
 	input: anyZodSchemaSchema,
@@ -913,7 +412,7 @@ const cronTriggerManifestSchema = z.object({
 	manifestVersion: z.literal(1),
 	type: z.literal("trigger"),
 	triggerType: z.literal("cron"),
-	name: trimmedNonEmptyString("Trigger name"),
+	id: trimmedNonEmptyString("Trigger id"),
 	description: descriptionString("Trigger description"),
 	enabled: z.boolean(),
 	modeDefault: z.enum(["managed", "subscribable"]),
@@ -929,8 +428,7 @@ z.object({
 });
 triggerBaseConfigSchema.extend({
 	poll: z.function(),
-	filter: z.function().optional(),
-	idempotencyKey: z.function().optional(),
+	filter: anyZodSchemaSchema.optional(),
 	response: anyZodSchemaSchema,
 	schedule: ScheduleSchema
 });
@@ -946,7 +444,7 @@ const pollingTriggerManifestSchema = z.object({
 	manifestVersion: z.literal(1),
 	type: z.literal("trigger"),
 	triggerType: z.literal("polling"),
-	name: trimmedNonEmptyString("Trigger name"),
+	id: trimmedNonEmptyString("Trigger id"),
 	description: descriptionString("Trigger description"),
 	enabled: z.boolean(),
 	modeDefault: z.enum(["managed", "subscribable"]),
@@ -954,11 +452,6 @@ const pollingTriggerManifestSchema = z.object({
 	credentialSets: z.array(CredentialSetManifestSchema).optional(),
 	runtime: pollingTriggerRuntimeSchema
 });
-const WebhookMethodSchema = z.enum([
-	"PATCH",
-	"POST",
-	"PUT"
-]);
 z.object({
 	method: z.string(),
 	path: z.string(),
@@ -970,45 +463,13 @@ z.object({
 	headers: z.record(z.string(), z.string().optional()),
 	rawBody: z.string()
 });
-const WebhookResponseConfigSchema = z.object({
-	ignoredBody: jsonValueSchema.optional(),
-	ignoredStatus: z.number().int().positive().optional(),
-	successBody: jsonValueSchema.optional(),
-	successStatus: z.number().int().positive().optional()
-});
-/**
-* Custom webhook trigger paths describe the suffix that a request URL has
-* after the organization id. The router serves these triggers at
-* `/api/v1/webhooks/{orgId}{path}` (e.g. `path: '/orders'` → request
-* `/api/v1/webhooks/{orgId}/orders`). Authors must therefore supply only the
-* trailing path segment, not the `/webhooks/` prefix that the route already
-* provides.
-*/
-const webhookPathSchema = z.string().trim().min(1, { error: "Webhook path cannot be empty" }).max(50, { error: "Webhook path cannot exceed 50 characters" }).refine((s) => !/\s/.test(s), { error: "Webhook path cannot contain spaces or whitespace" }).refine((s) => s.startsWith("/"), { error: "Webhook path must start with /" }).refine((s) => s.length > 1, { error: "Webhook path must include a path segment after the leading \"/\"" }).refine((s) => !/^\/webhooks(\/|$)/i.test(s), { error: "Webhook path must not start with \"/webhooks\". Provide just the suffix that follows the organization id in the URL — e.g. use \"/orders\" for a webhook served at \"/api/v1/webhooks/{orgId}/orders\"." });
-const credentialSetInstanceSchema = createStructuralSchema([
-	"id",
-	"auth",
-	"connections"
-], "a CredentialSet instance");
-const webhookCustomSourceConfigSchema = z.object({
-	type: z.literal("custom"),
-	method: WebhookMethodSchema,
-	path: webhookPathSchema,
-	verify: z.function().optional(),
-	response: WebhookResponseConfigSchema.optional(),
-	credentialSets: z.array(credentialSetInstanceSchema).optional()
-});
+const webhookCustomSourceConfigSchema = z.object({ type: z.literal("custom") });
 const webhookAppSourceConfigSchema = z.object({
 	type: z.literal("app"),
 	appRef: trimmedNonEmptyString("appRef")
 });
 const webhookSourceConfigSchema = z.discriminatedUnion("type", [webhookCustomSourceConfigSchema, webhookAppSourceConfigSchema]);
-const webhookCustomSourceManifestSchema = z.object({
-	type: z.literal("custom"),
-	method: WebhookMethodSchema,
-	path: z.string().min(1).max(1024),
-	response: WebhookResponseConfigSchema.optional()
-});
+const webhookCustomSourceManifestSchema = z.object({ type: z.literal("custom") });
 const webhookAppSourceManifestSchema = z.object({
 	type: z.literal("app"),
 	appRef: trimmedNonEmptyString("appRef")
@@ -1017,8 +478,8 @@ const WebhookSourceManifestSchema = z.discriminatedUnion("type", [webhookCustomS
 triggerBaseConfigSchema.omit({ credentialSets: true }).extend({
 	source: webhookSourceConfigSchema,
 	payload: anyZodSchemaSchema.optional(),
-	filter: z.function().optional(),
-	idempotencyKey: z.function().optional()
+	filter: anyZodSchemaSchema.optional(),
+	idempotencyKey: idempotencyKeyConfigSchema.optional()
 });
 const webhookTriggerRuntimeSchema = TriggerRuntimeDescriptorSchema.extend({
 	source: WebhookSourceManifestSchema,
@@ -1028,7 +489,7 @@ const webhookTriggerManifestSchema = z.object({
 	manifestVersion: z.literal(1),
 	type: z.literal("trigger"),
 	triggerType: z.literal("webhook"),
-	name: trimmedNonEmptyString("Trigger name"),
+	id: trimmedNonEmptyString("Trigger id"),
 	description: descriptionString("Trigger description"),
 	enabled: z.boolean(),
 	modeDefault: z.enum(["managed", "subscribable"]),
@@ -1038,7 +499,7 @@ const webhookTriggerManifestSchema = z.object({
 });
 z.unknown();
 //#endregion
-//#region ../../packages/workflow-builder/dist/import-module--8x5SLum.mjs
+//#region ../../packages/workflow-builder/dist/import-module-y0glInUe.mjs
 var DiscoveryError = class extends Error {
 	code;
 	filePath;
@@ -2178,7 +1639,7 @@ function isTriggerLike(value) {
     value != null &&
     (typeof value === 'object' || typeof value === 'function') &&
     typeof value.toManifest === 'function' &&
-    typeof value.name === 'string'
+    typeof value.id === 'string'
   );
 }
 
@@ -2189,7 +1650,7 @@ function isBoundTriggerLike(value) {
     value.isBoundTrigger === true &&
     value.trigger != null &&
     typeof value.trigger.toManifest === 'function' &&
-    typeof value.trigger.name === 'string'
+    typeof value.trigger.id === 'string'
   );
 }
 
@@ -2206,18 +1667,17 @@ function getTriggerCandidate(value) {
 function describeTriggerEntry(entry) {
   if (entry && typeof entry === 'object') {
     if ('isBoundTrigger' in entry && entry.isBoundTrigger === true && entry.trigger) {
-      return entry.trigger.name ?? '<unknown trigger>';
+      return entry.trigger.id ?? '<unknown trigger>';
     }
-    if ('name' in entry && typeof entry.name === 'string') {
-      return entry.name;
+    if ('id' in entry && typeof entry.id === 'string') {
+      return entry.id;
     }
   }
   return '<unknown trigger>';
 }
 
 function findTriggerSource(entry, trigger, workflowMod, workflowFilePath, siblingModules) {
-  const triggerName = trigger.name;
-  // First, check if the trigger is re-exported from the workflow module (identity check)
+  const triggerId = trigger.id;
   for (const [name, exp] of Object.entries(workflowMod)) {
     const candidate = getTriggerCandidate(exp);
     if (exp === entry || exp === trigger || candidate === trigger) {
@@ -2233,13 +1693,13 @@ function findTriggerSource(entry, trigger, workflowMod, workflowFilePath, siblin
         exp === entry ||
         exp === trigger ||
         candidate === trigger ||
-        candidate?.name === triggerName
+        candidate?.id === triggerId
       ) {
         siblingMatches.push({ triggerExportName: name, sourceFilePath: filePath });
         continue;
       }
 
-      if (isBoundTriggerLike(exp) && exp.trigger.name === triggerName) {
+      if (isBoundTriggerLike(exp) && exp.trigger.id === triggerId) {
         siblingMatches.push({ triggerExportName: name, sourceFilePath: filePath });
       }
     }
@@ -2251,7 +1711,7 @@ function findTriggerSource(entry, trigger, workflowMod, workflowFilePath, siblin
       .join(', ');
     throw new Error(
       'Ambiguous trigger source for "' +
-        triggerName +
+        triggerId +
         '" in ' +
         workflowFilePath +
         '. Matching sibling exports: ' +
@@ -2280,9 +1740,6 @@ async function discoverTriggers(workflow, mod, workflowFilePath) {
       const trigger = isBound ? entry.trigger : entry;
       const triggerManifest = trigger.toManifest();
       const hasTransform = isBound && typeof entry.transform === 'function';
-      const hasFilter = isBound
-        ? typeof entry.filter === 'function'
-        : typeof trigger.filter === 'function';
       const { triggerExportName, sourceFilePath } = findTriggerSource(
         entry,
         trigger,
@@ -2290,7 +1747,6 @@ async function discoverTriggers(workflow, mod, workflowFilePath) {
         workflowFilePath,
         siblingModules
       );
-      // For cron triggers, capture the static payload for runtime use
       const staticPayload =
         triggerManifest.triggerType === 'cron' && 'payload' in trigger
           ? trigger.payload
@@ -2300,16 +1756,15 @@ async function discoverTriggers(workflow, mod, workflowFilePath) {
         triggerExportName,
         sourceFilePath,
         hasTransform,
-        hasFilter,
         staticPayload,
         triggerIndex,
       });
     } catch (error) {
-      const triggerName = describeTriggerEntry(entry);
+      const triggerLabel = describeTriggerEntry(entry);
       const message = serializeError(error);
       throw new Error(
         'Failed to discover trigger "' +
-          triggerName +
+          triggerLabel +
           '" for workflow "' +
           workflow.name +
           '": ' +
@@ -2508,7 +1963,6 @@ const LoadedWorkflowTriggerSchema = z.object({
 	triggerExportName: z.string().optional(),
 	sourceFilePath: z.string().optional(),
 	hasTransform: z.boolean(),
-	hasFilter: z.boolean(),
 	staticPayload: z.unknown().optional(),
 	triggerIndex: z.number()
 });