@keystrokehq/cli 0.0.21 → 0.0.23

package/dist/{accept.handler-C6KBLKmW.mjs → accept.handler-tvT9pleH.mjs}

@@ -2,7 +2,7 @@
 
 import { a as ui } from "./keystroke.mjs";
 import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-B2cQ-Nt3.mjs";
+import { i as requireClient } from "./context-DHOTSgPb.mjs";
 import { n as isIamJsonMode, t as handleIamError } from "./iam-command-utils-CSZj4XlH.mjs";
 //#region src/commands/invites/accept.handler.ts
 async function handleInvitesAccept(options, ctx) {

package/dist/{admin-D2CQoZAN.mjs → admin-DsAQ0WWj.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-9Kro0Dl3.mjs";
+import { t as createTypedCommand } from "./commander-BTMzBiLq.mjs";
 import { t as OrgRoleSchema } from "./schema-Lbp5lGJu.mjs";
 import { z } from "zod";
 //#region src/commands/admin/orgs.command.ts
@@ -28,21 +28,21 @@ function createAdminOrgsCommand() {
 		description: "Manage organizations as a platform admin",
 		schema: AdminOrgsListOptionsSchema,
 		optionsConfig: { ...JSON_OPTION_CONFIG },
-		loadHandler: async () => (await import("./orgs.list.handler-DDVvSbsT.mjs")).handleAdminOrgsList,
+		loadHandler: async () => (await import("./orgs.list.handler-ZRdb-yu5.mjs")).handleAdminOrgsList,
 		subcommands: [
 			createTypedCommand({
 				name: "create",
 				description: "Create an organization (requires system.create_org)",
 				schema: AdminOrgsCreateOptionsSchema,
 				optionsConfig: CREATE_OPTIONS_CONFIG,
-				loadHandler: async () => (await import("./orgs.create.handler-DF4eEL-2.mjs")).handleAdminOrgsCreate
+				loadHandler: async () => (await import("./orgs.create.handler-B_7WjV3s.mjs")).handleAdminOrgsCreate
 			}),
 			createTypedCommand({
 				name: "list",
 				description: "List organizations (requires system.view_orgs)",
 				schema: AdminOrgsListOptionsSchema,
 				optionsConfig: { ...JSON_OPTION_CONFIG },
-				loadHandler: async () => (await import("./orgs.list.handler-DDVvSbsT.mjs")).handleAdminOrgsList
+				loadHandler: async () => (await import("./orgs.list.handler-ZRdb-yu5.mjs")).handleAdminOrgsList
 			}),
 			createTypedCommand({
 				name: "get",
@@ -54,7 +54,7 @@ function createAdminOrgsCommand() {
 					description: "Organization ID",
 					key: "orgId"
 				},
-				loadHandler: async () => (await import("./orgs.get.handler-BmJnseQa.mjs")).handleAdminOrgsGet
+				loadHandler: async () => (await import("./orgs.get.handler-BgjeDmfl.mjs")).handleAdminOrgsGet
 			})
 		]
 	});
@@ -157,14 +157,14 @@ function createAdminUsersCommand() {
 		description: "Manage platform users",
 		schema: AdminUsersListOptionsSchema,
 		optionsConfig: { ...JSON_OPTION_CONFIG },
-		loadHandler: async () => (await import("./users.list.handler-DZSPvpGF.mjs")).handleAdminUsersList,
+		loadHandler: async () => (await import("./users.list.handler-CRk2J8mi.mjs")).handleAdminUsersList,
 		subcommands: [
 			createTypedCommand({
 				name: "list",
 				description: "List platform users",
 				schema: AdminUsersListOptionsSchema,
 				optionsConfig: { ...JSON_OPTION_CONFIG },
-				loadHandler: async () => (await import("./users.list.handler-DZSPvpGF.mjs")).handleAdminUsersList
+				loadHandler: async () => (await import("./users.list.handler-CRk2J8mi.mjs")).handleAdminUsersList
 			}),
 			createTypedCommand({
 				name: "get",
@@ -176,7 +176,7 @@ function createAdminUsersCommand() {
 					description: "User ID",
 					key: "userId"
 				},
-				loadHandler: async () => (await import("./users.get.handler-DqD2ELK2.mjs")).handleAdminUsersGet
+				loadHandler: async () => (await import("./users.get.handler-DoajzImx.mjs")).handleAdminUsersGet
 			}),
 			createTypedCommand({
 				name: "set-role",
@@ -188,7 +188,7 @@ function createAdminUsersCommand() {
 					description: "User ID",
 					key: "userId"
 				},
-				loadHandler: async () => (await import("./users.set-role.handler-73smNUVF.mjs")).handleAdminUsersSetRole
+				loadHandler: async () => (await import("./users.set-role.handler-CHYjbx5M.mjs")).handleAdminUsersSetRole
 			})
 		]
 	});

package/dist/{agents-Bn0g5o0o.mjs → agents-Ccw0IZCx.mjs}

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
 
 import { a as ui, j as throwReportedCliExit, n as style, t as ANSI, y as toErrorMessage } from "./keystroke.mjs";
-import { i as projects } from "./dist-DuJjDZIf.mjs";
+import { i as projects } from "./dist-D_KgdxW5.mjs";
 import { i as writeJson, n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-9Kro0Dl3.mjs";
+import { t as createTypedCommand } from "./commander-BTMzBiLq.mjs";
 import { i as readAgentManifestsFromOutDir } from "./dist-Br4m3sFZ.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-Cj3MFnU0.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-DJJZIOmu.mjs";
 import { t as createSpinnerProgress } from "./spinner-progress-BtEIJRX4.mjs";
-import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-Bi1Aacc5.mjs";
+import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-CVG4DSCw.mjs";
 import { i as resolveTypeHint } from "./schema-display-XrRCdFL0.mjs";
 import { z } from "zod";
 //#region src/commands/agents/inspect-display.ts

package/dist/{api-J9UL8pqZ.mjs → api-O5tdGdzc.mjs}

@@ -29,7 +29,33 @@ const InitiateConnectionRequestSchema = z.object({
 	* tenant-specific authorize URL.
 	*/
 	input: z.record(z.string(), z.unknown()).optional(),
-	requestedScopes: z.array(z.string()).optional()
+	requestedScopes: z.array(z.string()).optional(),
+	/**
+	* Scope target for the resulting credential set. Optional — the
+	* server resolves the default at request time: an explicit value
+	* wins; absent that, the presence of `projectId` selects
+	* `project`, and otherwise the request defaults to
+	* `organization`. User scope must always be explicit.
+	*/
+	scope: CredentialScopeSchema.optional(),
+	/**
+	* Required when `scope === 'project'` (whether explicit or
+	* resolved). Must not be present for the other scopes.
+	*/
+	projectId: z.uuid().optional(),
+	/**
+	* Optional caller-supplied display name for the resulting
+	* connection. Falls back to the integration's display name on
+	* persist; collisions at the same scope target are auto-suffixed
+	* server-side.
+	*/
+	name: z.string().min(1).max(255).optional()
+}).refine((data) => !(data.scope === "project" && !data.projectId), {
+	message: "projectId is required when scope is 'project'",
+	path: ["projectId"]
+}).refine((data) => !(data.projectId && data.scope && data.scope !== "project"), {
+	message: "projectId must not be supplied when scope is not 'project'",
+	path: ["projectId"]
 });
 const InitiateConnectionResponseSchema = z.object({
 	authUrl: z.string(),
@@ -56,8 +82,8 @@ const ConnectionStatusFailedSchema = z.object({
 	/**
 	* Optional human-readable detail. Truncated by the server to
 	* {@link CONNECTION_FAILURE_DETAIL_MAX_CHARS} characters before being
-	* persisted in `credential_sets.last_callback_error_detail` and
-	* before being echoed in the callback redirect query.
+	* persisted in `connection_flows.error_detail` and before being
+	* echoed in the callback redirect query.
 	*/
 	message: z.string().max(300).optional(),
 	/** ISO-8601 timestamp of when the failure was recorded. */

package/dist/{api-keys-BixCnZJW.mjs → api-keys-tle_m3kk.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-9Kro0Dl3.mjs";
+import { t as createTypedCommand } from "./commander-BTMzBiLq.mjs";
 import { z } from "zod";
 //#region src/commands/api-keys/api-keys.command.ts
 const ApiKeysCreateOptionsSchema = JsonOptionSchema.extend({ name: z.string().optional() });
@@ -23,21 +23,21 @@ function createApiKeysCommand() {
 		description: "Manage API keys for your organization",
 		schema: JsonOptionSchema,
 		optionsConfig: { ...JSON_OPTION_CONFIG },
-		loadHandler: async () => (await import("./list.handler-Do2tVOnu.mjs")).handleApiKeysList,
+		loadHandler: async () => (await import("./list.handler-DrY5bgm1.mjs")).handleApiKeysList,
 		subcommands: [
 			createTypedCommand({
 				name: "list",
 				description: "List all API keys for your organization",
 				schema: JsonOptionSchema,
 				optionsConfig: { ...JSON_OPTION_CONFIG },
-				loadHandler: async () => (await import("./list.handler-Do2tVOnu.mjs")).handleApiKeysList
+				loadHandler: async () => (await import("./list.handler-DrY5bgm1.mjs")).handleApiKeysList
 			}),
 			createTypedCommand({
 				name: "create",
 				description: "Create a new API key (raw key shown once)",
 				schema: ApiKeysCreateOptionsSchema,
 				optionsConfig: CREATE_OPTIONS_CONFIG,
-				loadHandler: async () => (await import("./create.handler-v9B0Z9Yf.mjs")).handleApiKeysCreate
+				loadHandler: async () => (await import("./create.handler-BuxP18uj.mjs")).handleApiKeysCreate
 			}),
 			createTypedCommand({
 				name: "delete",
@@ -49,7 +49,7 @@ function createApiKeysCommand() {
 					description: "API key ID to delete",
 					key: "apiKeyId"
 				},
-				loadHandler: async () => (await import("./delete.handler-DtP_zUaq.mjs")).handleApiKeysDelete
+				loadHandler: async () => (await import("./delete.handler-CpYOMtsv.mjs")).handleApiKeysDelete
 			})
 		]
 	});

package/dist/{auth-yCNMT8sJ.mjs → auth-DLaY5yCZ.mjs}

@@ -2,24 +2,19 @@
 
 import { n as DEFAULT_CLI_WEB_URL } from "./default-urls-BoSm4s9C.mjs";
 import { b as AUTH_TIMEOUT_SECONDS } from "./keystroke.mjs";
-import { t as createTypedCommand } from "./commander-9Kro0Dl3.mjs";
+import { t as createTypedCommand } from "./commander-BTMzBiLq.mjs";
 import { z } from "zod";
 //#region src/commands/auth/auth.command.ts
 const AuthOptionsSchema = z.object({
 	webUrl: z.url().optional().describe("Keystroke web URL"),
-	insecureStorage: z.boolean().default(false).describe("Store API keys in plaintext file storage instead of the OS credential store"),
 	timeout: z.coerce.number().int().min(AUTH_TIMEOUT_SECONDS.min).max(AUTH_TIMEOUT_SECONDS.max).default(AUTH_TIMEOUT_SECONDS.default).describe("Timeout in seconds")
 });
-const AuthClearOptionsSchema = z.object({ localOnly: z.boolean().default(false).describe("Remove local credentials without reading the OS credential store for server revocation") });
+const AuthClearOptionsSchema = z.object({ localOnly: z.boolean().default(false).describe("Remove local credentials without reading the saved API key for server revocation") });
 const AUTH_OPTIONS_CONFIG = {
 	webUrl: {
 		flag: "--web-url <url>",
 		description: `Keystroke web URL (default: saved credentials, WEB_URL env, or ${DEFAULT_CLI_WEB_URL})`
 	},
-	insecureStorage: {
-		flag: "--insecure-storage",
-		description: "Store the API key in plaintext file storage instead of the OS credential store"
-	},
 	timeout: {
 		flag: "--timeout <seconds>",
 		description: `Authentication timeout in seconds (default: ${AUTH_TIMEOUT_SECONDS.default})`
@@ -36,7 +31,7 @@ function createAuthCommand() {
 		schema: AuthOptionsSchema,
 		optionsConfig: AUTH_OPTIONS_CONFIG,
 		contextMode: "auth-metadata",
-		loadHandler: async () => (await import("./auth.handler-BedGpKh1.mjs")).handleAuth,
+		loadHandler: async () => (await import("./auth.handler-Dq2fXO3S.mjs")).handleAuth,
 		subcommands: [
 			createTypedCommand({
 				name: "clear",
@@ -44,21 +39,21 @@ function createAuthCommand() {
 				schema: AuthClearOptionsSchema,
 				optionsConfig: AUTH_CLEAR_OPTIONS_CONFIG,
 				contextMode: "auth-metadata",
-				loadHandler: async () => (await import("./clear.handler-Cvb9chs4.mjs")).handleAuthClear
+				loadHandler: async () => (await import("./clear.handler-FzohTmpU.mjs")).handleAuthClear
 			}),
 			createTypedCommand({
 				name: "test",
 				description: "Verify that the saved API key is valid",
 				schema: z.object({}),
 				optionsConfig: {},
-				loadHandler: async () => (await import("./test.handler-CAsVgOpT.mjs")).handleAuthTest
+				loadHandler: async () => (await import("./test.handler-CLqnDqY6.mjs")).handleAuthTest
 			}),
 			createTypedCommand({
 				name: "status",
 				description: "Show the current signed-in identity and organization context",
 				schema: z.object({}),
 				optionsConfig: {},
-				loadHandler: async () => (await import("./status.handler-CW-EFhy3.mjs")).handleAuthStatus
+				loadHandler: async () => (await import("./status.handler-Ch_DtyBp.mjs")).handleAuthStatus
 			})
 		]
 	});

package/dist/{auth.handler-BedGpKh1.mjs → auth.handler-Dq2fXO3S.mjs}

@@ -2,7 +2,7 @@
 
 import { n as DEFAULT_CLI_WEB_URL, t as DEFAULT_CLI_SERVER_URL } from "./default-urls-BoSm4s9C.mjs";
 import { C as CALLBACK_LOOPBACK_ORIGIN, D as CliExitError, P as logger, S as CALLBACK_LOOPBACK_HOST, T as CLI_AUTH_COMMAND, a as ui, d as resolveCliWebUrl, u as resolveCliServerUrl, w as CALLBACK_PATH, x as AUTH_URL_PATH, y as toErrorMessage } from "./keystroke.mjs";
-import { n as credentials } from "./dist-DuJjDZIf.mjs";
+import { n as credentials } from "./dist-D_KgdxW5.mjs";
 import { t as openBrowser } from "./browser-Dvv5OQrt.mjs";
 import { hostname } from "node:os";
 import { z } from "zod";
@@ -283,7 +283,7 @@ function printResolvedHosts(hosts) {
 async function confirmLoopbackHostsOrExit(hosts) {
 	ui.br();
 	ui.warn("About to authenticate against a local development environment");
-	if (hosts.webMatchesSaved || hosts.serverMatchesSaved) ui.hint(`Saved at: ${credentials.metadataFilePath} (from a previous keystroke auth run)`);
+	if (hosts.webMatchesSaved || hosts.serverMatchesSaved) ui.hint(`Saved at: ${credentials.credentialsFilePath} (from a previous keystroke auth run)`);
 	else ui.hint("Resolved from your environment (WEB_URL / SERVER_URL).");
 	ui.hint(`CLI default is ${DEFAULT_CLI_WEB_URL} / ${DEFAULT_CLI_SERVER_URL}.`);
 	ui.hint("To switch hosts:");
@@ -326,26 +326,7 @@ function printAuthSuccess(params) {
 	ui.success("Authentication successful.");
 	if (params.email) ui.hint(`Connected as: ${params.email}`);
 	if (params.organizationName) ui.hint(`Organization: ${params.organizationName}`);
-	ui.hint(`Credentials metadata saved to ${credentials.metadataFilePath}`);
-	if (params.insecureStorage) {
-		ui.warn(`API key saved to plaintext file storage at ${credentials.secretsFilePath}`);
-		return;
-	}
-	ui.hint("Secret saved to OS credential store.");
-}
-function isCredentialStoreError(message) {
-	const normalized = message.toLowerCase();
-	return normalized.includes("credential store") || normalized.includes("keychain");
-}
-function exitCredentialStoreSaveFailed(error) {
-	const message = toErrorMessage(error);
-	ui.error("Could not save the API key to the OS credential store.");
-	ui.hint("Unlock your keychain or credential store, then rerun `keystroke auth`.");
-	ui.hint("For intentional plaintext file storage, rerun `keystroke auth --insecure-storage`.");
-	throw new CliExitError(message, {
-		cause: error,
-		reported: true
-	});
+	ui.hint(`Credentials saved to ${credentials.credentialsFilePath}`);
 }
 function warnIfSavedCredentialsExist(ctx) {
 	if (ctx.storedOrgs.length === 0) return;
@@ -361,10 +342,6 @@ async function handleAuth(options, ctx, overrides) {
 	warnIfSavedCredentialsExist(ctx);
 	const hosts = resolveAuthHosts(options, ctx);
 	printResolvedHosts(hosts);
-	if (options.insecureStorage) {
-		ui.warn("Using insecure plaintext file storage for this API key.");
-		ui.hint("For CI/headless usage, prefer KEYSTROKE_API_KEY.");
-	}
 	if (shouldConfirmLoopback(hosts)) await confirmLoopbackHostsOrExit(hosts);
 	const { webUrl, serverUrl } = hosts;
 	const timeoutMs = options.timeout * 1e3;
@@ -402,33 +379,25 @@ async function handleAuth(options, ctx, overrides) {
 			email: callbackPayload.userEmail,
 			name: callbackPayload.userName
 		} : void 0;
-		if (callbackPayload.organizationId) try {
-			await credentials.upsertOrg({
-				org: {
-					organizationId: callbackPayload.organizationId,
-					organizationName: callbackPayload.organizationName ?? "Unknown",
-					apiKeyId: callbackPayload.apiKeyId,
-					createdAt: (/* @__PURE__ */ new Date()).toISOString()
-				},
-				apiKey: callbackPayload.apiKey,
-				serverUrl: callbackPayload.serverUrl,
-				webUrl,
-				user,
-				secretStorage: options.insecureStorage ? "file" : "keychain"
-			});
-		} catch (error) {
-			const message = toErrorMessage(error);
-			if (!options.insecureStorage && isCredentialStoreError(message)) exitCredentialStoreSaveFailed(error);
-			throw error;
-		}
+		if (callbackPayload.organizationId) await credentials.upsertOrg({
+			org: {
+				organizationId: callbackPayload.organizationId,
+				organizationName: callbackPayload.organizationName ?? "Unknown",
+				apiKeyId: callbackPayload.apiKeyId,
+				createdAt: (/* @__PURE__ */ new Date()).toISOString()
+			},
+			apiKey: callbackPayload.apiKey,
+			serverUrl: callbackPayload.serverUrl,
+			webUrl,
+			user
+		});
 		logger.info("Auth successful", {
 			email: callbackPayload.userEmail,
 			organizationId: callbackPayload.organizationId
 		});
 		printAuthSuccess({
 			email: callbackPayload.userEmail,
-			organizationName: callbackPayload.organizationName,
-			insecureStorage: options.insecureStorage
+			organizationName: callbackPayload.organizationName
 		});
 	} catch (error) {
 		if (toErrorMessage(error).includes("Timed out waiting for device authentication")) ui.error(`Authentication timed out after ${options.timeout}s. Re-run ${CLI_AUTH_COMMAND} and complete the browser prompt before timeout.`);

package/dist/{build.handler-CyDc8jiZ.mjs → build.handler-ChqSwsT_.mjs}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
 import { D as CliExitError } from "./keystroke.mjs";
-import { i as projects } from "./dist-DuJjDZIf.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-Cj3MFnU0.mjs";
-import { a as runWorkflowBuild, i as renderBuildSummary, n as renderBuildFailure, r as renderBuildHeader } from "./workflow-build-Bi1Aacc5.mjs";
+import { i as projects } from "./dist-D_KgdxW5.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-DJJZIOmu.mjs";
+import { a as runWorkflowBuild, i as renderBuildSummary, n as renderBuildFailure, r as renderBuildHeader } from "./workflow-build-CVG4DSCw.mjs";
 import { t as createBuildProgress } from "./build-progress-nYa14iBP.mjs";
 import { t as withErrorBoundary } from "./error-boundary-DVZipk-A.mjs";
 //#region src/commands/workflows/build.handler.ts

package/dist/{clear-cache.handler-FmJPHdWG.mjs → clear-cache.handler-DpP1VlbR.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { a as ui } from "./keystroke.mjs";
-import { i as projects } from "./dist-DuJjDZIf.mjs";
+import { i as projects } from "./dist-D_KgdxW5.mjs";
 //#region src/commands/projects/clear-cache.handler.ts
 async function handleProjectsClearCache(_options, _ctx) {
 	if (await projects.clear()) ui.success("Projects cache cleared.");

package/dist/{clear.handler-Cvb9chs4.mjs → clear.handler-FzohTmpU.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { P as logger, a as ui, p as AUTH_HINT, y as toErrorMessage } from "./keystroke.mjs";
-import { n as credentials } from "./dist-DuJjDZIf.mjs";
+import { n as credentials } from "./dist-D_KgdxW5.mjs";
 import { createClient } from "./src-DNhUmpSl.mjs";
 //#region src/commands/auth/clear.handler.ts
 async function tryRevokeKey(apiKey, apiKeyId, baseUrl, organizationId) {
@@ -45,10 +45,7 @@ async function handleAuthClear(options, ctx) {
 			return;
 		}
 		let apiKey = null;
-		if (!options.localOnly && serverUrl) {
-			ui.hint("Your OS credential store may ask for permission to read the saved API key.");
-			apiKey = await readApiKeyForRevocation(ctx.organizationId);
-		}
+		if (!options.localOnly && serverUrl) apiKey = await readApiKeyForRevocation(ctx.organizationId);
 		const removed = await credentials.removeOrg(ctx.organizationId);
 		if (!removed) {
 			ui.warn(`No stored credentials for organization ${ctx.organizationId}.`);
@@ -63,7 +60,6 @@ async function handleAuthClear(options, ctx) {
 	if (options.localOnly) ui.hint("Skipped server revocation because --local-only was provided.");
 	else {
 		const revocableOrgs = storedOrgs.filter((org) => org.apiKeyId && serverUrl);
-		if (revocableOrgs.length > 0) ui.hint("Your OS credential store may ask for permission to read saved API keys.");
 		for (const org of revocableOrgs) if (org.apiKeyId && serverUrl) {
 			const apiKey = await readApiKeyForRevocation(org.organizationId);
 			if (apiKey) revokeInputs.push({

package/dist/{commander-9Kro0Dl3.mjs → commander-BTMzBiLq.mjs}

@@ -78,7 +78,7 @@ function createTypedCommand(params) {
 			const globalOpts = cmd.optsWithGlobals();
 			if (globalOpts.debug) setDebug(true);
 			const contextMode = params.contextMode ?? "full";
-			const contextModule = await import("./context-B2cQ-Nt3.mjs").then((n) => n.n);
+			const contextModule = await import("./context-DHOTSgPb.mjs").then((n) => n.n);
 			const contextOptions = {
 				apiKey: globalOpts.apiKey,
 				serverUrl: globalOpts.serverUrl,

package/dist/{connect-DzVxjeYr.mjs → connect-BUu2ojK7.mjs}

@@ -1,13 +1,21 @@
 #!/usr/bin/env node
 
 import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-9Kro0Dl3.mjs";
+import { t as createTypedCommand } from "./commander-BTMzBiLq.mjs";
 import { z } from "zod";
 //#region src/commands/connect/connect.command.ts
 const ConnectOptionsSchema = JsonOptionSchema.extend({
 	integrationId: z.string().optional(),
 	connection: z.string().optional().describe("Credential connection path to use when an integration has multiple OAuth paths"),
 	input: z.array(z.string()).optional().describe("Connection input as key=value. Repeat for multiple fields."),
+	scope: z.enum([
+		"organization",
+		"project",
+		"user"
+	]).optional().describe("Connection scope (organization | project | user). Defaults to project when a project is detected, otherwise organization. Use 'user' for personal credentials."),
+	projectId: z.string().optional().describe("Project to scope the connection to. Auto-detected from keystroke.config.ts when run inside a project directory."),
+	path: z.string().optional().describe("Path to the project root (default: nearest keystroke.config.ts walking up from cwd)"),
+	name: z.string().optional().describe("Display name for the resulting connection. Defaults to the integration name; duplicates are auto-suffixed."),
 	timeout: z.coerce.number().int().min(30).max(600).default(300).describe("Timeout in seconds (default: 5 minutes)"),
 	noOpen: z.boolean().optional().describe("Print the authorization URL instead of opening a browser")
 });
@@ -21,6 +29,22 @@ const CONNECT_OPTIONS_CONFIG = {
 		description: "Connection input as key=value. Repeat for multiple fields.",
 		collect: true
 	},
+	scope: {
+		flag: "--scope <organization|project|user>",
+		description: "Connection scope. Defaults to 'project' when a project is detected, otherwise 'organization'."
+	},
+	projectId: {
+		flag: "--project-id <uuid>",
+		description: "Project to scope the connection to. Required when --scope project is used outside a project directory."
+	},
+	path: {
+		flag: "--path <dir>",
+		description: "Path to the project root (default: walk up from cwd looking for keystroke.config.ts)"
+	},
+	name: {
+		flag: "--name <name>",
+		description: "Display name for the resulting connection."
+	},
 	timeout: {
 		flag: "--timeout <seconds>",
 		description: "Timeout in seconds (default: 300)"
@@ -37,7 +61,7 @@ function createConnectCommand() {
 		description: "Connect an official integration via OAuth (e.g., keystroke connect slack)",
 		schema: ConnectOptionsSchema,
 		optionsConfig: CONNECT_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./connect.handler-DFQdxkWZ.mjs")).handleConnect,
+		loadHandler: async () => (await import("./connect.handler-D7oO_5WS.mjs")).handleConnect,
 		argument: {
 			name: "integrationId",
 			description: "Integration to connect (e.g., slack, linear)",

package/dist/{connect.handler-DFQdxkWZ.mjs → connect.handler-D7oO_5WS.mjs}

@@ -1,10 +1,12 @@
 #!/usr/bin/env node
 
 import { a as ui, j as throwReportedCliExit, p as AUTH_HINT, v as isNetworkError, y as toErrorMessage } from "./keystroke.mjs";
+import { t as assertWorkflowProjectRoot } from "./project-config-DudGRFPO.mjs";
 import { i as writeJson } from "./output-BWcVRt-T.mjs";
+import { n as resolveWorkflowsDir } from "./resolve-project-DJJZIOmu.mjs";
 import { t as openBrowser } from "./browser-Dvv5OQrt.mjs";
-import { i as InitiateConnectionResponseSchema, n as ConnectionStatusResponseSchema, r as InitiateConnectionRequestSchema } from "./api-J9UL8pqZ.mjs";
-import { t as getIntegrationCatalog } from "./integration-catalog-cYlTmOSb.mjs";
+import { i as InitiateConnectionResponseSchema, n as ConnectionStatusResponseSchema, r as InitiateConnectionRequestSchema } from "./api-O5tdGdzc.mjs";
+import { t as getIntegrationCatalog } from "./integration-catalog-Cub_7xCw.mjs";
 //#region src/commands/connect/connect.handler.ts
 function formatIntegrationLabel(catalog, integrationId) {
 	return catalog.lookupByPublicId(integrationId)?.name ?? integrationId;
@@ -75,6 +77,29 @@ function exitWithError(ctx, message, opts) {
 	if (opts?.hint) ui.hint(opts.hint);
 	throwReportedCliExit(message);
 }
+/**
+* Resolve the project id for this connect attempt.
+*
+* Precedence:
+*   1. Explicit `--project-id <uuid>` flag.
+*   2. `keystroke.config.ts` discovered from `--path` or by walking up
+*      from cwd. Best-effort — silently returns `null` when nothing is
+*      found.
+*
+* Caller decides whether `null` is fatal: with `--scope project` it's
+* a usage error; with the default resolution it falls back to
+* organization scope.
+*/
+async function resolveConnectProjectId(options) {
+	if (options.projectId) return options.projectId;
+	const workflowsDir = await resolveWorkflowsDir(options.path);
+	if (!workflowsDir) return null;
+	try {
+		return (await assertWorkflowProjectRoot(workflowsDir)).projectId;
+	} catch {
+		return null;
+	}
+}
 function parseConnectionInput(rawInputs, ctx) {
 	const input = {};
 	for (const rawInput of rawInputs) {
@@ -127,12 +152,22 @@ async function handleConnect(options, ctx) {
 		if (oauthConnection && ((catalogEntry?.connections.length ?? 0) > 1 || options.connection)) ui.text(`Connection: ${formatConnectionLabel(oauthConnection)} (id: ${oauthConnection.id}${formatConnectionFlags(oauthConnection)})`);
 		ui.br();
 	}
+	const resolvedProjectId = await resolveConnectProjectId(options);
+	if (options.scope === "project" && !resolvedProjectId) exitWithError(ctx, "--scope project requires a project context. Pass --project-id <uuid>, --path <dir>, or run inside a project directory.", {
+		code: "USAGE_ERROR",
+		hint: "Use `keystroke init` to create a project, or pick a different scope."
+	});
+	const scopeForRequest = options.scope;
+	const projectIdForRequest = scopeForRequest === "user" || scopeForRequest === "organization" ? void 0 : resolvedProjectId ?? void 0;
 	let authUrl;
 	let initiatedAt;
 	try {
 		const requestBody = InitiateConnectionRequestSchema.parse({
 			...oauthConnection ? { credentialConnectionId: oauthConnection.id } : {},
-			...Object.keys(connectionInput).length > 0 ? { input: connectionInput } : {}
+			...Object.keys(connectionInput).length > 0 ? { input: connectionInput } : {},
+			...scopeForRequest ? { scope: scopeForRequest } : {},
+			...projectIdForRequest ? { projectId: projectIdForRequest } : {},
+			...options.name ? { name: options.name } : {}
 		});
 		const hasRequestBody = Object.keys(requestBody).length > 0;
 		const response = await fetch(`${baseUrl}/api/v1/connections/${integrationId}/initiate`, {

package/dist/{context-B2cQ-Nt3.mjs → context-DHOTSgPb.mjs}

@@ -2,8 +2,8 @@
 
 import { n as __exportAll } from "./chunk-CH6r78ws.mjs";
 import { D as CliExitError, E as AuthenticationError, P as logger, _ as isAuthError, a as ui, c as getProcessEnv, m as REAUTH_HINT, p as AUTH_HINT, s as getEnv, y as toErrorMessage } from "./keystroke.mjs";
-import { n as credentials } from "./dist-DuJjDZIf.mjs";
-import { t as resolveCliCredentials } from "./resolve-cli-credentials-DaMDaamj.mjs";
+import { n as credentials } from "./dist-D_KgdxW5.mjs";
+import { t as resolveCliCredentials } from "./resolve-cli-credentials-B4crOe_y.mjs";
 import { a as writeJsonError } from "./output-BWcVRt-T.mjs";
 //#region src/lib/context.ts
 var context_exports = /* @__PURE__ */ __exportAll({
@@ -110,7 +110,7 @@ async function resolveAuthContext(overrides = {}) {
 		storedServerUrls,
 		credentialStorageInfo,
 		credentialReadError: auth.readErrorMessage,
-		metadataFilePath: auth.metadataFilePath
+		credentialsFilePath: auth.credentialsFilePath
 	};
 }
 async function resolveAuthMetadataContext(overrides = {}) {
@@ -135,19 +135,14 @@ async function resolveAuthMetadataContext(overrides = {}) {
 		storedServerUrls,
 		credentialStorageInfo,
 		credentialReadError: void 0,
-		metadataFilePath: credentials.metadataFilePath
+		credentialsFilePath: credentials.credentialsFilePath
 	};
 }
 async function resolveCredentialStorageInfo() {
 	try {
 		return await credentials.getStorageInfo();
 	} catch {
-		return {
-			metadataFilePath: credentials.metadataFilePath,
-			legacySecretsFilePath: credentials.secretsFilePath,
-			secretStorageKind: "file",
-			insecureFileStorage: true
-		};
+		return { credentialsFilePath: credentials.credentialsFilePath };
 	}
 }
 /**

package/dist/{create.handler-v9B0Z9Yf.mjs → create.handler-BuxP18uj.mjs}

@@ -2,7 +2,7 @@
 
 import { a as ui, j as throwReportedCliExit, y as toErrorMessage } from "./keystroke.mjs";
 import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-B2cQ-Nt3.mjs";
+import { i as requireClient } from "./context-DHOTSgPb.mjs";
 //#region src/commands/api-keys/create.handler.ts
 async function handleApiKeysCreate(options, ctx) {
 	const client = requireClient(ctx);

package/dist/{credential-env-map-Dvp00a4M.mjs → credential-env-map-CtmzNkwU.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { r as getKeystrokeProjectPath } from "./paths-JzzFkXQA-CEipIeVl.mjs";
-import "./dist-DuJjDZIf.mjs";
+import "./dist-D_KgdxW5.mjs";
 import * as fs from "node:fs/promises";
 import { z } from "zod";
 //#region src/lib/credential-env-map.ts