npm - @keystrokehq/cli - Versions diffs - 0.0.20 → 0.0.21 - Mend

@keystrokehq/cli 0.0.20 → 0.0.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (142) hide show

package/dist/{create.handler-CQCRk-Na.mjs → create.handler-v9B0Z9Yf.mjs} RENAMED Viewed

@@ -2,7 +2,7 @@
 import { a as ui, j as throwReportedCliExit, y as toErrorMessage } from "./keystroke.mjs";
 import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-BUzxM3QI.mjs";
+import { i as requireClient } from "./context-B2cQ-Nt3.mjs";
 //#region src/commands/api-keys/create.handler.ts
 async function handleApiKeysCreate(options, ctx) {
 	const client = requireClient(ctx);

package/dist/{credential-env-map-qLCR_QbO.mjs → credential-env-map-Dvp00a4M.mjs} RENAMED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { r as getKeystrokeProjectPath } from "./paths-JzzFkXQA-CEipIeVl.mjs";
-import "./dist-CIInPRGh.mjs";
+import "./dist-DuJjDZIf.mjs";
 import * as fs from "node:fs/promises";
 import { z } from "zod";
 //#region src/lib/credential-env-map.ts

package/dist/credential-requirements-D0mavK8j-CFMf0Xwu.mjs ADDED Viewed

@@ -0,0 +1,619 @@
+#!/usr/bin/env node
+import { z } from "zod";
+//#region ../../packages/core/dist/chunks/schema-DsHGh6YT.mjs
+const MAX_JSON_DEPTH = 20;
+function buildJsonValueSchema(depth) {
+	const primitives = z.union([
+		z.string(),
+		z.number(),
+		z.boolean(),
+		z.null()
+	]);
+	if (depth <= 0) return primitives;
+	const nested = buildJsonValueSchema(depth - 1);
+	return z.union([
+		primitives,
+		z.array(nested),
+		z.record(z.string(), nested)
+	]);
+}
+const jsonValueSchema = buildJsonValueSchema(MAX_JSON_DEPTH);
+const jsonSchemaObject = z.record(z.string(), jsonValueSchema);
+const anyZodSchemaSchema = z.custom((value) => value instanceof z.ZodType, "Expected a Zod schema");
+const zodObjectSchema = z.custom((value) => value instanceof z.ZodObject, "Expected a Zod object schema");
+/**
+* Creates a Zod schema that validates an object structurally by checking
+* for required properties. This avoids `instanceof` checks which fail
+* when class definitions are duplicated across bundle boundaries.
+*/
+function createStructuralSchema(requiredKeys, label) {
+	return z.custom((value) => value != null && (typeof value === "object" || typeof value === "function") && requiredKeys.every((key) => key in value), `Expected ${label}`);
+}
+function trimmedNonEmptyString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` });
+}
+/**
+* Non-empty trimmed string for credential definition ids.
+* Allows namespaced ids such as `keystroke:slack` plus letters, numbers,
+* hyphens, and underscores.
+*/
+function credentialSetIdString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` }).refine((s) => /^[a-zA-Z0-9_:-]+$/.test(s), { error: `${fieldName} must only contain letters, numbers, hyphens, underscores, and colons` });
+}
+function optionalTrimmedNonEmptyString(fieldName) {
+	return trimmedNonEmptyString(fieldName).optional();
+}
+function descriptionString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(1024, { error: `${fieldName} cannot exceed 1024 characters` });
+}
+function optionalDescriptionString(fieldName) {
+	return descriptionString(fieldName).optional();
+}
+//#endregion
+//#region ../../packages/core/dist/chunks/schemas-BhQu9ko9.mjs
+/**
+* Shared constants for the credential/connection system.
+* Defined in core (bottom of dependency chain) so all packages can import them.
+*/
+const CREDENTIAL_EXPOSURES = {
+	"user-runtime": "user-runtime",
+	"platform-only": "platform-only"
+};
+const credentialSetProxyInjectionSchema = z.object({
+	/** Substitute placeholder in HTTP headers (default: true). */
+	headers: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP Basic Auth credential (default: true). */
+	basicAuth: z.boolean().optional(),
+	/** Substitute placeholder in URL query params (default: false).
+	*  Use for APIs that authenticate via `?api_key=...` (Google Maps, OWM, etc.). */
+	queryParams: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP request body (default: false).
+	*  Use for form-encoded auth payloads (Stripe, AWS SigV4 query, etc.). */
+	body: z.boolean().optional()
+});
+const credentialSetProxyConfigSchema = z.object({
+	/** Exact-match host allowlist (forwarded to SecretBuilder.allowHost). */
+	hosts: z.array(z.string().min(1)).optional(),
+	/** Wildcard host allowlist (forwarded to SecretBuilder.allowHostPattern).
+	*  Example: `["*.browserbase.com"]` covers any subdomain. */
+	hostPatterns: z.array(z.string().min(1)).optional(),
+	/** Per-scope substitution toggles. Omit to use SDK defaults. */
+	injection: credentialSetProxyInjectionSchema.optional()
+});
+const onCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
+const credentialExposureSchema = z.enum([CREDENTIAL_EXPOSURES["user-runtime"], CREDENTIAL_EXPOSURES["platform-only"]]);
+const connectionMetadataConfigSchema = z.object({
+	id: credentialSetIdString("Credential connection id").optional(),
+	label: optionalTrimmedNonEmptyString("Credential connection label"),
+	description: optionalDescriptionString("Credential connection description"),
+	recommended: z.boolean().optional(),
+	advanced: z.boolean().optional(),
+	needsRawSecret: z.boolean().optional()
+});
+const connectionMetadataManifestSchema = connectionMetadataConfigSchema;
+const registeredDescriptorSchema = z.object({
+	id: trimmedNonEmptyString("Registered descriptor id"),
+	config: z.record(z.string(), z.unknown()).optional()
+});
+const registeredResolverDescriptorSchema = registeredDescriptorSchema.extend({ cacheMs: z.number().int().nonnegative().optional() });
+const manualConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("manual"),
+	input: zodObjectSchema.optional(),
+	instructions: z.string().min(1).optional(),
+	validate: z.function().optional()
+});
+const manualConnectionFieldManifestSchema = z.object({
+	key: z.string().min(1),
+	label: z.string().min(1),
+	description: z.string().min(1).optional(),
+	optional: z.boolean(),
+	secret: z.literal(true)
+});
+const manualConnectionConfigManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("manual"),
+	input: jsonSchemaObject.optional(),
+	fields: z.array(manualConnectionFieldManifestSchema).optional(),
+	generated: z.boolean().optional(),
+	instructions: z.string().min(1).optional()
+});
+/** Declarative form of `Vault` — strings typed against the credential set's
+* stored/auth schema keys at the {@link CredentialSetConfig} boundary; the Zod
+* schema here enforces non-empty strings only. `CredentialSet` itself performs
+* the schema-key membership check at construction time. */
+const vaultMappingSchema = z.object({
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+});
+/** Function form of `Vault` — an object pairing the access-token vault key
+*  (`accessTokenKey`) with the `build` function that computes the full vault
+*  write map. The explicit key keeps the disconnect path's revocation read
+*  reliable even when `build` transforms the access token. */
+const vaultMappingFnSchema = z.object({
+	accessTokenKey: z.string().min(1),
+	build: z.custom((val) => typeof val === "function", { message: "vault.build must be a function." })
+});
+/** Runtime shape of `Vault`. Accepts either the declarative mapping or the
+*  function-form object `{ accessTokenKey, build }`. */
+const vaultConfigSchema = z.union([vaultMappingSchema, vaultMappingFnSchema], { error: "vault must be a declarative mapping object or a `{ accessTokenKey, build }` object." });
+/** Manifest projection of `Vault` — declarative mappings serialize verbatim;
+* function-form mappings serialize as `{ kind: 'function', accessTokenKey }`
+* since closures are not manifest-safe but the access-token key is. */
+const vaultManifestSchema = z.discriminatedUnion("kind", [z.object({
+	kind: z.literal("declarative"),
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+}), z.object({
+	kind: z.literal("function"),
+	accessTokenKey: z.string().min(1)
+})]);
+const oauthConnectionConfigBaseSchema = z.object({
+	kind: z.literal("oauth"),
+	authUrl: z.string().url(),
+	tokenUrl: z.string().url(),
+	scopes: z.array(z.string()).readonly(),
+	revokeUrl: z.string().url().nullable().optional(),
+	tokenType: z.enum(["long-lived", "refreshable"]),
+	pkce: z.boolean().optional(),
+	/** Fallback token lifetime when the provider omits `expires_in`. Positive
+	*  integer seconds. Shared between config + manifest schemas (both extend
+	*  this base). */
+	defaultExpiresInSeconds: z.number().int().positive().optional()
+});
+const oauthConnectionConfigSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataConfigSchema.shape,
+	vault: vaultConfigSchema,
+	oauth: registeredDescriptorSchema.optional(),
+	buildAuthUrl: z.function().optional(),
+	exchangeCode: z.function().optional(),
+	refreshToken: z.function().optional(),
+	extractInstallationInfo: z.function().optional(),
+	validate: z.function().optional()
+});
+const oauthConnectionConfigManifestSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataManifestSchema.shape,
+	vault: vaultManifestSchema,
+	oauth: registeredDescriptorSchema.optional()
+});
+const credentialsExchangeConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("credentials-exchange"),
+	instructions: z.string().min(1).optional(),
+	input: zodObjectSchema
+}).extend({
+	exchange: z.function(),
+	rotate: z.function().optional(),
+	validate: z.function().optional()
+});
+/** Manifest projection of `CredentialsExchangeConnectionConfig` — only the
+*  declarative `input` schema (rendered as JSON Schema) and `instructions`
+*  copy survive serialization. The three hooks (`exchange`, `rotate`,
+*  `validate`) are runtime closures and are stripped. */
+const credentialsExchangeConnectionConfigManifestSchema = z.object({
+	kind: z.literal("credentials-exchange"),
+	...connectionMetadataManifestSchema.shape,
+	instructions: z.string().min(1).optional(),
+	input: jsonSchemaObject
+});
+const exchangeCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("exchange"),
+	input: zodObjectSchema,
+	exchange: registeredDescriptorSchema
+});
+const exchangeCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("exchange"),
+	input: jsonSchemaObject,
+	exchange: registeredDescriptorSchema
+});
+const dynamicCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("dynamic"),
+	input: zodObjectSchema.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const dynamicCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("dynamic"),
+	input: jsonSchemaObject.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const platformCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({ kind: z.literal("platform") });
+const platformCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({ kind: z.literal("platform") });
+const connectionConfigSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigSchema,
+	oauthConnectionConfigSchema,
+	credentialsExchangeConnectionConfigSchema,
+	exchangeCredentialConnectionConfigSchema,
+	dynamicCredentialConnectionConfigSchema,
+	platformCredentialConnectionConfigSchema
+]);
+/** Manifest projection of `ConnectionConfig` — declarative metadata only. */
+const connectionConfigManifestSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigManifestSchema,
+	oauthConnectionConfigManifestSchema,
+	credentialsExchangeConnectionConfigManifestSchema,
+	exchangeCredentialConnectionManifestSchema,
+	dynamicCredentialConnectionManifestSchema,
+	platformCredentialConnectionManifestSchema
+]);
+const CredentialSetManifestSchema = z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("credentialSet"),
+	id: credentialSetIdString("Credential set id"),
+	name: trimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: jsonSchemaObject,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigManifestSchema).optional()
+});
+z.object({
+	id: credentialSetIdString("Credential set id"),
+	name: optionalTrimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: zodObjectSchema,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigSchema).readonly().optional()
+});
+z.string().length(64, "Must be 64 characters").regex(/^[a-f0-9]{64}$/i, "Must be hexadecimal").transform((value) => value);
+const JsonSchemaSchema = z.record(z.string(), z.unknown());
+z.object({
+	constant: z.object({
+		attempts: z.number().int().min(1).max(10),
+		seconds: z.number().positive()
+	}).optional(),
+	exponential: z.object({
+		attempts: z.number().int().min(1).max(10),
+		base: z.number().min(1).optional(),
+		multiplier: z.number().positive().optional()
+	}).optional()
+}).refine((data) => {
+	return data.constant !== void 0 !== (data.exponential !== void 0);
+}, { error: "Retry config must specify exactly one of constant or exponential strategy" });
+//#endregion
+//#region ../../packages/core/dist/chunks/credential-requirements-D0mavK8j.mjs
+const SourceLocationSchema = z.object({
+	filePath: z.string().min(1),
+	absoluteFilePath: z.string().min(1).optional(),
+	line: z.number().int().positive(),
+	column: z.number().int().positive(),
+	position: z.number().int().nonnegative().optional(),
+	endLine: z.number().int().positive(),
+	endColumn: z.number().int().positive(),
+	endPosition: z.number().int().nonnegative().optional(),
+	synthetic: z.boolean().optional()
+});
+z.string().min(1);
+const ImportSourceSchema = z.object({
+	kind: z.enum([
+		"local",
+		"module-import",
+		"namespace-import",
+		"dynamic"
+	]),
+	moduleSpecifier: z.string().min(1).optional(),
+	importName: z.string().min(1).optional(),
+	localName: z.string().min(1).optional(),
+	resolvedPath: z.string().min(1).optional()
+});
+const CallKindSchema = z.enum([
+	"workflow-step",
+	"agent",
+	"tool",
+	"hook",
+	"child-workflow",
+	"function-call",
+	"method-call",
+	"dynamic-call",
+	"parallel-call",
+	"process-exit",
+	"iife",
+	"expression"
+]);
+const CapturedVariableSourceKindSchema = z.enum([
+	"local-const",
+	"relative-import",
+	"package-import"
+]);
+const CapturedVariableValueTypeSchema = z.enum([
+	"string",
+	"number",
+	"boolean",
+	"object",
+	"array",
+	"function",
+	"unknown"
+]);
+z.object({
+	name: z.string().min(1),
+	value: z.union([
+		z.string(),
+		z.number(),
+		z.boolean()
+	]).optional(),
+	sourceText: z.string().optional(),
+	valueType: CapturedVariableValueTypeSchema,
+	resolvable: z.boolean(),
+	source: CapturedVariableSourceKindSchema,
+	importPath: z.string().optional(),
+	declaration: z.object({
+		filePath: z.string().min(1),
+		line: z.number().int().positive()
+	})
+});
+const IntegrationScopeSchema = z.enum([
+	"organization",
+	"project",
+	"user_provided_credential"
+]);
+const IntegrationCredentialRefSchema = z.discriminatedUnion("type", [z.object({
+	type: z.literal("id"),
+	id: z.string().startsWith("cset_")
+}), z.object({
+	type: z.literal("name"),
+	name: z.string().trim().min(1)
+})]);
+function hasProjectOrOrganizationScope(scope) {
+	return scope === "organization" || scope === "project";
+}
+const CredentialRefTokenKeyNameSchema = z.string().regex(/^[A-Za-z0-9_]+$/, "Credential key must contain only letters, digits, and underscores (required for ref-token proxying)");
+/** Shared enum for top-level credential-set `onCredentialRevoked` policy. */
+const OnCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
+/** A credential set after resolution in a built manifest. Contains definition id, scope, alias, and credential keys.*/
+const ResolvedCredentialSetSchema = z.object({
+	resolvedId: z.string(),
+	scope: IntegrationScopeSchema.optional(),
+	alias: z.string().optional(),
+	credentialRef: IntegrationCredentialRefSchema.optional(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Subset of `credentialKeys` that are optional in the auth shape. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Auth-shaped vault keys required for vault reads and upload flows. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Subset of auth-shaped vault keys that may be absent from the vault without
+	* failing resolution. Derived from the credential set's `auth` schema. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed raw (no ref-token proxy) for this set. */
+	needsRawSecret: z.boolean().optional(),
+	/** When true, this requirement uses a registered dynamic resolver phase. */
+	needsDynamicResolution: z.boolean().optional(),
+	/** Cache TTL in milliseconds for registered dynamic resolver output.
+	* `0` or absence means no cache hint. */
+	dynamicResolutionCacheMs: z.number().int().nonnegative().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	/** Persistence-layer schema fingerprint stamped at build time. The
+	* resolver's phase 2 compares this against the vault row's stored
+	* fingerprint and raises `CredentialSchemaMismatchError` on drift.
+	* Optional here so pre-fingerprint artifacts still parse; the
+	* workflow builder populates it for every authored credential set
+	* that has a resolvable fingerprint. */
+	schemaFingerprint: z.string().optional()
+}).superRefine((value, ctx) => {
+	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["credentialRef"],
+		message: "credentialRef requires scope to be \"project\" or \"organization\""
+	});
+});
+const DeclaredCredentialRequirementSchema = z.object({
+	credentialSetId: z.string(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Optional subset of the auth-shape keys. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Stored-shape keys required for vault reads. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Optional subset of the stored-shape keys. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	schemaFingerprint: z.string().optional(),
+	needsDynamicResolution: z.boolean().optional(),
+	/** Cache TTL in milliseconds for registered dynamic resolver output.
+	*  `0` or absence means no cache hint. */
+	dynamicResolutionCacheMs: z.number().int().nonnegative().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	needsRawSecret: z.boolean().optional(),
+	requiredOAuthScopes: z.array(z.string()).optional()
+});
+const CredentialRequirementEntrySchema = z.object({
+	credentialSetId: z.string(),
+	scope: IntegrationScopeSchema.optional(),
+	alias: z.string().optional(),
+	credentialRef: IntegrationCredentialRefSchema.optional(),
+	/** Auth-shape keys expected post-resolve. */
+	credentialKeys: z.array(CredentialRefTokenKeyNameSchema),
+	/** Optional subset of the auth-shape keys. */
+	optionalCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Auth-shaped vault keys required for vault reads. */
+	storedCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	/** Optional subset of the stored-shape keys. */
+	optionalStoredCredentialKeys: z.array(CredentialRefTokenKeyNameSchema).optional(),
+	schemaFingerprint: z.string().optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	needsRawSecret: z.boolean().optional(),
+	/** When true, this requirement uses a registered dynamic resolver phase. */
+	needsDynamicResolution: z.boolean().optional(),
+	/** Cache TTL in milliseconds for registered dynamic resolver output.
+	*  `0` or absence means no cache hint. */
+	dynamicResolutionCacheMs: z.number().int().nonnegative().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: OnCredentialRevokedSchema.optional(),
+	requiredOAuthScopes: z.array(z.string()).optional()
+}).superRefine((value, ctx) => {
+	if (value.credentialRef && !hasProjectOrOrganizationScope(value.scope)) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["credentialRef"],
+		message: "credentialRef requires scope to be \"project\" or \"organization\""
+	});
+});
+const CredentialRequirementsSchema = z.object({
+	required: z.array(z.string()),
+	byStep: z.record(z.string(), z.array(CredentialRequirementEntrySchema))
+});
+const TriggerPollExportNameSchema = z.enum(["poll"]);
+const TriggerCredentialRequirementEntrySchema = CredentialRequirementEntrySchema;
+const TriggerCredentialRequirementsSchema = z.object({
+	required: z.array(z.string()),
+	byPollExport: z.partialRecord(TriggerPollExportNameSchema, z.array(TriggerCredentialRequirementEntrySchema))
+});
+function buildCredentialRequirementEntryKey(entry) {
+	const credentialRefKey = entry.credentialRef ? entry.credentialRef.type === "id" ? `id:${entry.credentialRef.id}` : `name:${entry.credentialRef.name}` : "";
+	return [
+		entry.credentialSetId,
+		entry.scope ?? "",
+		entry.alias ?? "",
+		credentialRefKey,
+		entry.schemaFingerprint ?? "",
+		[...entry.credentialKeys].sort().join(","),
+		[...entry.optionalCredentialKeys ?? []].sort().join(","),
+		[...entry.storedCredentialKeys ?? []].sort().join(","),
+		[...entry.optionalStoredCredentialKeys ?? []].sort().join(","),
+		entry.needsRawSecret === true ? "1" : "0",
+		entry.needsDynamicResolution === true ? "1" : "0",
+		typeof entry.dynamicResolutionCacheMs === "number" ? String(entry.dynamicResolutionCacheMs) : "",
+		entry.onCredentialRevoked ?? "",
+		entry.proxy ? JSON.stringify(entry.proxy) : ""
+	].join("|");
+}
+function deduplicateCredentialRequirementEntries(entries) {
+	const deduped = /* @__PURE__ */ new Map();
+	for (const entry of entries) {
+		const key = buildCredentialRequirementEntryKey(entry);
+		const existing = deduped.get(key);
+		if (!existing) deduped.set(key, {
+			...entry,
+			credentialKeys: [...entry.credentialKeys].sort(),
+			...entry.optionalCredentialKeys ? { optionalCredentialKeys: [...entry.optionalCredentialKeys].sort() } : {},
+			...entry.storedCredentialKeys ? { storedCredentialKeys: [...entry.storedCredentialKeys].sort() } : {},
+			...entry.optionalStoredCredentialKeys ? { optionalStoredCredentialKeys: [...entry.optionalStoredCredentialKeys].sort() } : {}
+		});
+		else if (entry.requiredOAuthScopes?.length) {
+			const merged = new Set([...existing.requiredOAuthScopes ?? [], ...entry.requiredOAuthScopes]);
+			deduped.set(key, {
+				...existing,
+				requiredOAuthScopes: [...merged].sort()
+			});
+		}
+	}
+	return [...deduped.values()];
+}
+function collectCredentialRequirementEntries(credentialRequirements) {
+	if (!credentialRequirements) return [];
+	return deduplicateCredentialRequirementEntries(Object.values(credentialRequirements.byStep ?? {}).flat());
+}
+const ExecutionIdentityPolicySchema = z.object({ subjectMode: z.enum(["never", "requiredWhenUserProvidedCredential"]) });
+/** A step's entry within a WorkflowManifest. Describes how a step is used in a workflow, not what the step itself is. */
+const WorkflowStepEntrySchema = z.object({
+	nodeId: z.string().min(1),
+	stepName: z.string().min(1),
+	label: z.string().min(1),
+	callKind: CallKindSchema,
+	stepId: z.string().min(1).optional(),
+	source: SourceLocationSchema.optional(),
+	astKind: z.string().min(1).optional(),
+	importSource: ImportSourceSchema.optional(),
+	outputBinding: z.string().min(1).optional(),
+	scopeOverride: IntegrationScopeSchema.optional(),
+	description: z.string().optional(),
+	sourceCode: z.string().optional(),
+	exportName: z.string().optional(),
+	inputSchema: JsonSchemaSchema.optional(),
+	outputSchema: JsonSchemaSchema.optional(),
+	credentialSets: z.array(ResolvedCredentialSetSchema).optional()
+});
+const TriggerTypeSchema = z.enum([
+	"webhook",
+	"cron",
+	"polling"
+]);
+/**
+* Persisted on `deployment_triggers.trigger_source`. Mirrors the
+* `webhookTrigger({ source: { type } })` discriminator so the server
+* can index-filter app-source rows during provider-webhook fanout.
+*/
+const TriggerSourceSchema = z.enum(["custom", "app"]);
+z.enum([
+	"GET",
+	"POST",
+	"PUT",
+	"PATCH"
+]);
+const TriggerPollBundleUploadSchema = z.object({
+	code: z.string(),
+	hash: z.string(),
+	size: z.number()
+});
+/** Declarative idempotency-key spec resolved server-side (no VM). */
+const IdempotencyKeyConfigSchema = z.union([
+	z.object({
+		from: z.literal("payload"),
+		strategy: z.literal("hash")
+	}),
+	z.object({
+		from: z.literal("payload"),
+		path: z.string().trim().min(1)
+	}),
+	z.object({
+		from: z.literal("header"),
+		strategy: z.literal("hash")
+	}),
+	z.object({
+		from: z.literal("header"),
+		name: z.string().trim().min(1)
+	})
+]);
+const TriggerPollExportsSchema = z.object({ poll: z.string().min(1).optional() });
+const TriggerUploadDataSchema = z.object({
+	id: z.string(),
+	/**
+	* Authored trigger name from `xxxTrigger({ name: ... })`. Used by the workflow
+	* VM to look up the bound `transform`. Follows the `authoredWorkflowId` /
+	* `authoredAgentId` naming convention.
+	*/
+	authoredTriggerId: z.string().min(1),
+	type: TriggerTypeSchema,
+	/**
+	* Source-of-truth discriminator for webhook triggers. `'custom'` means
+	* the trigger owns its own HTTP path; `'app'` means it is fanned out by
+	* a Keystroke-managed provider app. Undefined for non-webhook triggers.
+	*/
+	triggerSource: TriggerSourceSchema.optional(),
+	/**
+	* Root-trigger name for `.narrow()` lineage so narrowed custom webhooks share
+	* the same `webhookSecretHash`/`webhookPublicId`. Equals `authoredTriggerId`
+	* for root triggers. Omitted for non-webhook triggers.
+	*/
+	webhookAuthGroupKey: z.string().min(1).optional(),
+	enabled: z.boolean(),
+	schedule: z.string().optional(),
+	timezone: z.string().optional(),
+	config: z.record(z.string(), z.unknown()).optional(),
+	requiredCredentials: TriggerCredentialRequirementsSchema.optional(),
+	/** Hex-encoded sha-256 of the Keystroke-issued webhook secret. */
+	webhookSecretHash: z.string().min(1).optional(),
+	/** Public id surfaced in the webhook URL (header-mode auth). */
+	webhookPublicId: z.string().min(1).optional(),
+	/** JSON Schema applied at the server before any VM hop. Built from a
+	*  pure Zod schema declared on the trigger primitive. */
+	filterSchema: JsonSchemaSchema.optional(),
+	/** Declarative idempotency-key resolver. Webhook-only. */
+	idempotencyConfig: IdempotencyKeyConfigSchema.optional(),
+	pollStoragePath: z.string().min(1).optional(),
+	pollBundle: TriggerPollBundleUploadSchema.optional(),
+	pollExports: TriggerPollExportsSchema.optional()
+});
+//#endregion
+export { descriptionString as _, IntegrationScopeSchema as a, trimmedNonEmptyString as b, TriggerSourceSchema as c, WorkflowStepEntrySchema as d, collectCredentialRequirementEntries as f, createStructuralSchema as g, anyZodSchemaSchema as h, IdempotencyKeyConfigSchema as i, TriggerTypeSchema as l, CredentialSetManifestSchema as m, DeclaredCredentialRequirementSchema as n, ResolvedCredentialSetSchema as o, deduplicateCredentialRequirementEntries as p, ExecutionIdentityPolicySchema as r, TriggerCredentialRequirementsSchema as s, CredentialRequirementsSchema as t, TriggerUploadDataSchema as u, jsonSchemaObject as v, jsonValueSchema as y };

package/dist/{credentials-xPtLFTjW.mjs → credentials-DQW8xxof.mjs} RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-import { t as src_exports } from "./src-BHTjsZ9V.mjs";
+import { f as collectCredentialRequirementEntries } from "./credential-requirements-D0mavK8j-CFMf0Xwu.mjs";
 //#region ../../packages/workflow-deploy/dist/credentials/index.mjs
 /**
 * Resolves credential values from environment using KEYSTROKE_<KEY> convention.
@@ -39,7 +39,7 @@ function addEntriesToGroups(groups, entries) {
 }
 function groupCredentialRequirements(manifest) {
 	const groups = /* @__PURE__ */ new Map();
-	addEntriesToGroups(groups, (0, src_exports.collectCredentialRequirementEntries)(manifest.credentials));
+	addEntriesToGroups(groups, collectCredentialRequirementEntries(manifest.credentials));
 	return [...groups.values()];
 }
 function buildScopes(params) {