@keystrokehq/cli 0.0.21 → 0.0.23

package/dist/{credentials-Dr5lD7Hm.mjs → credentials-CELZ0QHu.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-9Kro0Dl3.mjs";
+import { t as createTypedCommand } from "./commander-BTMzBiLq.mjs";
 import { i as CredentialScopeValues, r as CredentialScopeSchema } from "./schema-DFJiNWyd.mjs";
 import { z } from "zod";
 //#region src/commands/credentials/list/list.command.ts
@@ -46,7 +46,7 @@ function createCredentialsListCommand() {
 		description: "List credential sets on the server",
 		schema: ListOptionsSchema,
 		optionsConfig: LIST_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./list.handler-CLGQDuo5.mjs")).handleCredentialsList
+		loadHandler: async () => (await import("./list.handler-cK8Y-daR.mjs")).handleCredentialsList
 	});
 }
 //#endregion
@@ -65,7 +65,7 @@ function createCredentialsRequirementsCommand() {
 		description: "Show what credentials built workflows need (keys, KEYSTROKE_* env names, workflows) — from dist manifests, no API call",
 		schema: RequirementsOptionsSchema,
 		optionsConfig: REQUIREMENTS_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./requirements.handler-BKFocUof.mjs")).handleCredentialsRequirements
+		loadHandler: async () => (await import("./requirements.handler-ZZfHV6f0.mjs")).handleCredentialsRequirements
 	});
 }
 //#endregion
@@ -126,7 +126,7 @@ function createCredentialsUploadCommand() {
 		description: "Upload credentials from env vars to the server. Default: reads requirements from built workflow manifests. Use --integration for an official integration or --credential-set + --keys for a custom explicit upload.",
 		schema: UploadOptionsSchema,
 		optionsConfig: UPLOAD_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./upload.handler-DXVx2u3A.mjs")).handleCredentialsUpload
+		loadHandler: async () => (await import("./upload.handler-81mbKHTY.mjs")).handleCredentialsUpload
 	});
 }
 //#endregion
@@ -157,7 +157,7 @@ function createCredentialsCommand() {
 			}
 		},
 		handler: async (opts, ctx) => {
-			const { handleCredentialsList } = await import("./list.handler-CLGQDuo5.mjs");
+			const { handleCredentialsList } = await import("./list.handler-cK8Y-daR.mjs");
 			await handleCredentialsList({
 				...opts,
 				scope: void 0,

package/dist/{current-deployment-workflow-qMfOrRIu.mjs → current-deployment-workflow-CnzlDCBv.mjs}

@@ -3,9 +3,9 @@
 import { A as WorkflowResolutionError, a as ui, g as getHttpStatus, h as getApiErrorCode } from "./keystroke.mjs";
 import { t as assertWorkflowProjectRoot } from "./project-config-DudGRFPO.mjs";
 import { a as readManifestsFromOutDir } from "./dist-Br4m3sFZ.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-Cj3MFnU0.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-DJJZIOmu.mjs";
 import { t as createSpinnerProgress } from "./spinner-progress-BtEIJRX4.mjs";
-import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-Bi1Aacc5.mjs";
+import { a as runWorkflowBuild, n as renderBuildFailure } from "./workflow-build-CVG4DSCw.mjs";
 //#region src/commands/workflows/_shared/current-deployment-workflow.ts
 /**
 * Lightweight resolution: gets projectId from keystroke.config.ts and authoredWorkflowId

package/dist/{current.handler-Cm_-JLyZ.mjs → current.handler-BXec-Bhy.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { a as ui } from "./keystroke.mjs";
-import { i as requireClient } from "./context-B2cQ-Nt3.mjs";
+import { i as requireClient } from "./context-DHOTSgPb.mjs";
 //#region src/commands/org/current.handler.ts
 async function handleOrgCurrent(_options, ctx) {
 	if (!ctx.organizationId) {

package/dist/{delete.handler-DtP_zUaq.mjs → delete.handler-CpYOMtsv.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { a as ui, j as throwReportedCliExit, y as toErrorMessage } from "./keystroke.mjs";
-import { i as requireClient } from "./context-B2cQ-Nt3.mjs";
+import { i as requireClient } from "./context-DHOTSgPb.mjs";
 //#region src/commands/api-keys/delete.handler.ts
 async function handleApiKeysDelete(options, ctx) {
 	const client = requireClient(ctx);

package/dist/{deploy-CB6pfCuB.mjs → deploy-Cn3jN7Rl.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { t as createTypedCommand } from "./commander-9Kro0Dl3.mjs";
+import { t as createTypedCommand } from "./commander-BTMzBiLq.mjs";
 import { z } from "zod";
 //#region src/commands/deploy/deploy.command.ts
 /**
@@ -64,7 +64,7 @@ function createDeployCommand() {
 		schema: DeployOptionsSchema,
 		optionsConfig: DEPLOY_OPTIONS_CONFIG,
 		contextMode: "auth",
-		loadHandler: async () => (await import("./deploy.handler-Bg0dpSTj.mjs")).handleDeploy
+		loadHandler: async () => (await import("./deploy.handler-BikVS9ER.mjs")).handleDeploy
 	});
 	cmd.enablePositionalOptions();
 	cmd.passThroughOptions();

package/dist/{deploy.handler-Bg0dpSTj.mjs → deploy.handler-BikVS9ER.mjs}

@@ -1,16 +1,16 @@
 #!/usr/bin/env node
 
 import { D as CliExitError, P as logger, a as ui, l as isLocalMode, n as style, t as ANSI } from "./keystroke.mjs";
-import { i as projects } from "./dist-DuJjDZIf.mjs";
+import { i as projects } from "./dist-D_KgdxW5.mjs";
 import { t as assertWorkflowProjectRoot } from "./project-config-DudGRFPO.mjs";
-import { r as requireAuthOptions, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-B2cQ-Nt3.mjs";
+import { r as requireAuthOptions, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-DHOTSgPb.mjs";
 import { i as readAgentManifestsFromOutDir, o as readWorkflowsFromDisk } from "./dist-Br4m3sFZ.mjs";
-import { t as requireWorkflowsDir } from "./resolve-project-Cj3MFnU0.mjs";
-import { n as renderBuildFailure, r as renderBuildHeader } from "./workflow-build-Bi1Aacc5.mjs";
+import { t as requireWorkflowsDir } from "./resolve-project-DJJZIOmu.mjs";
+import { n as renderBuildFailure, r as renderBuildHeader } from "./workflow-build-CVG4DSCw.mjs";
 import { t as createBuildProgress } from "./build-progress-nYa14iBP.mjs";
 import { t as createDeployProgress } from "./deploy-progress-Dlp9aBDW.mjs";
 import { t as withErrorBoundary } from "./error-boundary-DVZipk-A.mjs";
-import { t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-qMfOrRIu.mjs";
+import { t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-CnzlDCBv.mjs";
 import { t as computeWorkflowDiff } from "./diff-utils-CXKNQUXO.mjs";
 import path from "node:path";
 import { access } from "node:fs/promises";
@@ -198,7 +198,7 @@ async function handleDeploy(options, ctx) {
 		let outDir;
 		let artifactFilter;
 		try {
-			const { runWorkflowBuild } = await import("./workflow-build-Bi1Aacc5.mjs").then((n) => n.o);
+			const { runWorkflowBuild } = await import("./workflow-build-CVG4DSCw.mjs").then((n) => n.o);
 			const buildOutcome = await runWorkflowBuild({
 				workflowsDir,
 				verbose: options.verbose,
@@ -271,7 +271,7 @@ function emitNewWebhookCredentials(result) {
 }
 async function handleTaskTargetDeploy(options) {
 	renderBuildHeader(void 0);
-	const buildResult = await (deployHandlerDependencies.buildTaskTargets ?? (await import("./task-target-build-CTgl4L42.mjs")).buildTaskTargets)({
+	const buildResult = await (deployHandlerDependencies.buildTaskTargets ?? (await import("./task-target-build-CrPLSXnu.mjs")).buildTaskTargets)({
 		projectRoot: options.workflowsDir,
 		targetFiles: options.targetFiles,
 		disableSourcemaps: options.options.disableSourcemaps

package/dist/{diff.handler-CJPrszL1.mjs → diff.handler-C3EWVBOj.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 
 import { D as CliExitError, a as ui, j as throwReportedCliExit, y as toErrorMessage } from "./keystroke.mjs";
-import { i as projects } from "./dist-DuJjDZIf.mjs";
+import { i as projects } from "./dist-D_KgdxW5.mjs";
 import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-B2cQ-Nt3.mjs";
-import { n as resolveLocalWorkflowManifest, t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-qMfOrRIu.mjs";
+import { i as requireClient, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-DHOTSgPb.mjs";
+import { n as resolveLocalWorkflowManifest, t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-CnzlDCBv.mjs";
 import { n as renderDiff, t as computeWorkflowDiff } from "./diff-utils-CXKNQUXO.mjs";
 //#region src/commands/workflows/diff/diff.handler.ts
 async function handleWorkflowsDiff(options, ctx) {

package/dist/dist-D_KgdxW5.mjs

@@ -0,0 +1,539 @@
+#!/usr/bin/env node
+
+import { n as getKeystrokeBaseDir, t as KEYSTROKE_DIR } from "./paths-JzzFkXQA-CEipIeVl.mjs";
+import * as os from "node:os";
+import * as path$1 from "node:path";
+import * as fs from "node:fs/promises";
+import { z } from "zod";
+//#region ../../packages/local-memory/dist/index.mjs
+/**
+* Writes `data` to `filePath` atomically.
+*
+* The contents are first written to a sibling temp file in the same directory,
+* fsynced, chmodded, and then renamed onto the target path. On POSIX (and on
+* Windows when the source and destination are on the same volume), `fs.rename`
+* is atomic — readers see either the previous contents or the new contents,
+* never a partial write.
+*
+* The temp filename embeds the process PID and a high-resolution timestamp
+* (`${path}.tmp.${pid}.${ts}`) so concurrent writers do not collide.
+*
+* The parent directory is created with `recursive: true` if it does not already
+* exist, so callers do not need to mkdir beforehand.
+*
+* If anything fails after the temp file is created (write, fsync, rename), the
+* temp file is best-effort unlinked so we don't leak files.
+*/
+async function atomicWriteFile(filePath, data, options = {}) {
+	const mode = options.mode ?? 420;
+	const dir = path$1.dirname(filePath);
+	await fs.mkdir(dir, { recursive: true });
+	const tmpPath = `${filePath}.tmp.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 10)}`;
+	let handleClosed = false;
+	const handle = await fs.open(tmpPath, "w", mode);
+	try {
+		await handle.writeFile(data, "utf-8");
+		await handle.sync();
+		await handle.close();
+		handleClosed = true;
+		try {
+			await fs.chmod(tmpPath, mode);
+		} catch {}
+		await fs.rename(tmpPath, filePath);
+	} catch (error) {
+		if (!handleClosed) try {
+			await handle.close();
+		} catch {}
+		try {
+			await fs.unlink(tmpPath);
+		} catch {}
+		throw error;
+	}
+}
+/**
+* Removes `filePath`. Returns `true` if the file existed and was removed,
+* `false` if it did not exist (`ENOENT`). Other errors propagate.
+*/
+async function unlinkFileIfExists(filePath) {
+	try {
+		await fs.unlink(filePath);
+		return true;
+	} catch (error) {
+		if (error.code === "ENOENT") return false;
+		throw error;
+	}
+}
+/**
+* Reads a UTF-8 file and parses it as JSON.
+*
+* - Returns `null` when the file does not exist (`ENOENT`).
+* - Throws on any other read error.
+* - Throws (with the underlying `SyntaxError`) when the contents are not valid JSON.
+*
+* The return type is `unknown` — callers must validate the shape before using the
+* value (typically via a Zod schema).
+*/
+async function readJsonFile(filePath) {
+	let raw;
+	try {
+		raw = await fs.readFile(filePath, "utf-8");
+	} catch (error) {
+		if (error.code === "ENOENT") return null;
+		throw error;
+	}
+	return JSON.parse(raw);
+}
+/**
+* Migrates `raw` to the current schema shape.
+*
+* Strategy:
+*   1. Try the current schema first. If it matches, return immediately.
+*   2. Otherwise find the migration whose `fromSchema` matches `raw`, run its
+*      `up`, and re-enter the loop with the result.
+*   3. Continue until the current schema validates the value, or no migration
+*      matches — in which case throw.
+*
+* This handles single-hop and chained migrations (V1 → V2 → V3 → ...) without
+* requiring the caller to order migrations carefully.
+*
+* Throws if the value matches no known schema. Callers typically wrap with a
+* descriptive error referencing the file path.
+*/
+function migrateRead(raw, def) {
+	const direct = def.schema.safeParse(raw);
+	if (direct.success) return {
+		value: direct.data,
+		migrated: false
+	};
+	const migrations = def.migrations ?? [];
+	if (migrations.length === 0) throw new Error("Stored value does not match the current schema and no migrations are configured.");
+	let current = raw;
+	const visited = /* @__PURE__ */ new Set();
+	for (let hop = 0; hop <= migrations.length; hop++) {
+		const match = def.schema.safeParse(current);
+		if (match.success) return {
+			value: match.data,
+			migrated: hop > 0
+		};
+		const next = migrations.find((m) => !visited.has(m) && m.fromSchema.safeParse(current).success);
+		if (!next) throw new Error("Stored value does not match the current schema or any known migration source.");
+		visited.add(next);
+		const validated = next.fromSchema.parse(current);
+		current = next.up(validated);
+	}
+	throw new Error(`Migration chain did not converge after ${migrations.length} hops. Possible cycle in migrations.`);
+}
+const FORBIDDEN_NAME_PATTERNS = [
+	{
+		test: (n) => n.length === 0,
+		message: "must not be empty"
+	},
+	{
+		test: (n) => n.includes("\\"),
+		message: "must not contain backslashes"
+	},
+	{
+		test: (n) => n.split("/").some((seg) => seg === ".."),
+		message: "must not contain \"..\" segments"
+	},
+	{
+		test: (n) => n.startsWith("/"),
+		message: "must be relative (cannot start with \"/\")"
+	}
+];
+function validateStoreName(name) {
+	for (const { test, message } of FORBIDDEN_NAME_PATTERNS) if (test(name)) throw new Error(`Invalid Store name ${JSON.stringify(name)}: ${message}.`);
+}
+/**
+* Typed, schema-validated, atomically-written abstraction over a single JSON
+* file under `~/.keystroke/`.
+*
+* `Store` is an internal primitive of `@keystroke/local-memory`. It is not
+* exported from the package's public API — domain controllers (`Credentials`,
+* `Projects`, etc.) construct stores internally and expose domain-shaped methods
+* to consumers.
+*/
+var Store = class {
+	/** Absolute path to the file this store manages. */
+	filePath;
+	options;
+	constructor(options) {
+		validateStoreName(options.name);
+		this.options = options;
+		const homeDir = options.homeDir ?? os.homedir();
+		this.filePath = path$1.join(getKeystrokeBaseDir(homeDir), ...options.name.split("/"));
+	}
+	/**
+	* Returns the parsed contents of the file, or `null` when the file does not
+	* exist. If the on-disk shape does not match the current schema, registered
+	* migrations are applied and the upgraded value is persisted back.
+	*
+	* Throws when the file exists but matches no known schema, or when the file
+	* is unreadable for reasons other than ENOENT.
+	*/
+	async read() {
+		const raw = await readJsonFile(this.filePath);
+		if (raw === null) return null;
+		let result;
+		try {
+			result = migrateRead(raw, {
+				schema: this.options.schema,
+				migrations: this.options.migrations
+			});
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			throw new Error(`Invalid file at ${this.filePath}: ${message}`);
+		}
+		if (result.migrated) await this.write(result.value);
+		return result.value;
+	}
+	/**
+	* Replaces the file with `value`. Validates against the schema first (throws
+	* synchronously on invalid input, before any I/O). The write is atomic:
+	* write-temp + rename, never visible mid-write.
+	*/
+	async write(value) {
+		const validated = this.options.schema.parse(value);
+		const json = `${JSON.stringify(validated, null, 2)}\n`;
+		await atomicWriteFile(this.filePath, json, { mode: this.options.fileMode });
+	}
+	/**
+	* Read-modify-write. Reads the current value (or `defaults` if the file does
+	* not exist), passes it to `fn`, validates the result, and writes it back
+	* atomically. Returns the new value.
+	*
+	* Throws if the file does not exist and no `defaults` were configured.
+	*/
+	async update(fn) {
+		const current = await this.read();
+		let base;
+		if (current !== null) base = current;
+		else if (this.options.defaults !== void 0) base = this.options.defaults;
+		else throw new Error(`Cannot update ${this.filePath}: file does not exist and no defaults are configured.`);
+		const next = fn(base);
+		await this.write(next);
+		return next;
+	}
+	/**
+	* Returns the value at `key`, or `undefined` if the file does not exist.
+	* Each call re-reads the file (no caching).
+	*/
+	async get(key) {
+		const value = await this.read();
+		if (value === null) return void 0;
+		return value[key];
+	}
+	/**
+	* Sets the value at `key`. Other keys are preserved. Uses `defaults` if the
+	* file does not exist (throws if missing and no defaults).
+	*/
+	async set(key, value) {
+		await this.update((current) => ({
+			...current,
+			[key]: value
+		}));
+	}
+	/**
+	* Returns true if the file exists and the value at `key` is not `undefined`.
+	*/
+	async has(key) {
+		return await this.get(key) !== void 0;
+	}
+	/**
+	* Removes the file. Returns `true` if the file existed, `false` if it did
+	* not.
+	*/
+	async delete() {
+		return unlinkFileIfExists(this.filePath);
+	}
+};
+const credentialUserSchema = z.object({
+	id: z.string().min(1),
+	email: z.email(),
+	name: z.string().optional()
+});
+const storedOrgEntrySchema = z.object({
+	organizationId: z.uuid(),
+	organizationName: z.string().min(1),
+	apiKeyId: z.uuid().optional(),
+	createdAt: z.string().min(1)
+}).strict().extend({ apiKey: z.string().min(1) });
+const credentialsMetadataSchema = z.object({
+	version: z.literal(3),
+	serverUrl: z.url(),
+	webUrl: z.url(),
+	user: credentialUserSchema.optional(),
+	activeOrgId: z.uuid().optional(),
+	orgs: z.array(storedOrgEntrySchema)
+}).strict();
+const CREDENTIALS_FILE = "credentials.json";
+const METADATA_VERSION = 3;
+/**
+* Domain controller for Keystroke credentials.
+*
+* Backed by one `~/.keystroke/credentials.json` file with mode `0600`.
+*/
+var Credentials = class {
+	credentials;
+	constructor(options = {}) {
+		this.credentials = new Store({
+			name: CREDENTIALS_FILE,
+			version: METADATA_VERSION,
+			schema: credentialsMetadataSchema,
+			fileMode: 384,
+			homeDir: options.homeDir
+		});
+	}
+	get credentialsFilePath() {
+		return this.credentials.filePath;
+	}
+	async getActiveOrg() {
+		const meta = await this.credentials.read();
+		if (!meta?.activeOrgId) return null;
+		const org = meta.orgs.find((o) => o.organizationId === meta.activeOrgId);
+		if (!org) return null;
+		return {
+			org: toOrgEntry(org),
+			apiKey: org.apiKey
+		};
+	}
+	async listOrgs() {
+		return (await this.credentials.read())?.orgs.map(toOrgEntry) ?? [];
+	}
+	async getApiKey(orgId) {
+		return (await this.credentials.read())?.orgs.find((org) => org.organizationId === orgId)?.apiKey ?? null;
+	}
+	async getServerUrls() {
+		const meta = await this.credentials.read();
+		return meta ? {
+			serverUrl: meta.serverUrl,
+			webUrl: meta.webUrl
+		} : null;
+	}
+	async getUser() {
+		return (await this.credentials.read())?.user;
+	}
+	async getActiveOrgId() {
+		return (await this.credentials.read())?.activeOrgId;
+	}
+	async hasStoredCredentials() {
+		const meta = await this.credentials.read();
+		return meta !== null && meta.orgs.length > 0;
+	}
+	async getStorageInfo() {
+		await this.credentials.read();
+		return { credentialsFilePath: this.credentials.filePath };
+	}
+	async upsertOrg(input) {
+		const existing = await this.credentials.read();
+		const orgWithApiKey = {
+			...input.org,
+			apiKey: input.apiKey
+		};
+		const newMeta = existing ? {
+			...existing,
+			serverUrl: input.serverUrl,
+			webUrl: input.webUrl,
+			user: input.user ?? existing.user,
+			activeOrgId: input.org.organizationId,
+			orgs: [...existing.orgs.filter((o) => o.organizationId !== input.org.organizationId), orgWithApiKey]
+		} : {
+			version: METADATA_VERSION,
+			serverUrl: input.serverUrl,
+			webUrl: input.webUrl,
+			user: input.user,
+			activeOrgId: input.org.organizationId,
+			orgs: [orgWithApiKey]
+		};
+		await this.credentials.write(newMeta);
+	}
+	async setActiveOrg(orgId) {
+		const meta = await this.credentials.read();
+		if (!meta) throw new Error("No stored credentials found. Run `keystroke auth` first.");
+		if (!meta.orgs.some((o) => o.organizationId === orgId)) throw new Error(`No stored API key for organization ${orgId}. Run \`keystroke auth\` to add credentials for this org.`);
+		await this.credentials.update((m) => ({
+			...m,
+			activeOrgId: orgId
+		}));
+	}
+	async removeOrg(orgId) {
+		const meta = await this.credentials.read();
+		if (!meta) return null;
+		const removed = meta.orgs.find((o) => o.organizationId === orgId);
+		if (!removed) return null;
+		const remaining = meta.orgs.filter((o) => o.organizationId !== orgId);
+		if (remaining.length === 0) {
+			await this.credentials.delete();
+			return toOrgEntry(removed);
+		}
+		const newActiveId = meta.activeOrgId === orgId ? remaining[0]?.organizationId : meta.activeOrgId;
+		await this.credentials.write({
+			...meta,
+			orgs: remaining,
+			activeOrgId: newActiveId
+		});
+		return toOrgEntry(removed);
+	}
+	async clear() {
+		await this.credentials.delete();
+	}
+};
+/**
+* Production singleton — the primary public API for credential storage. Tests
+* should construct `new Credentials({ homeDir })` instead.
+*/
+const credentials = new Credentials();
+function toOrgEntry({ apiKey: _apiKey, ...org }) {
+	return org;
+}
+const projectEntrySchema = z.object({
+	lastAccessed: z.string().min(1),
+	name: z.string().min(1).optional()
+});
+const projectsSchema = z.object({
+	version: z.literal(1),
+	projects: z.record(z.string(), projectEntrySchema),
+	lastProject: z.string().optional()
+});
+const PROJECTS_FILE = "projects.json";
+const PROJECTS_VERSION = 1;
+const PROJECTS_DEFAULTS = {
+	version: PROJECTS_VERSION,
+	projects: {}
+};
+/**
+* Domain controller for tracked Keystroke projects.
+*
+* Backed by a single file under `~/.keystroke/projects.json`.
+*
+* Production code uses the `projects` singleton exported below. Tests
+* construct a fresh instance with `homeDir` pointing at a tempdir.
+*/
+var Projects = class {
+	store;
+	constructor(options = {}) {
+		this.store = new Store({
+			name: PROJECTS_FILE,
+			version: PROJECTS_VERSION,
+			schema: projectsSchema,
+			defaults: PROJECTS_DEFAULTS,
+			homeDir: options.homeDir
+		});
+	}
+	/** Absolute path to the projects file. */
+	get filePath() {
+		return this.store.filePath;
+	}
+	/**
+	* Upsert a project entry. Fire-and-forget safe — catches all errors
+	* internally. Never throws. Call without `await` if you don't need to wait.
+	*
+	* Tracking is best-effort telemetry; we never want a failed write to bubble
+	* up to a CLI command and degrade UX.
+	*/
+	async track(projectPath, options) {
+		const absolutePath = path$1.resolve(projectPath);
+		try {
+			await this.store.update((data) => {
+				const previous = data.projects[absolutePath];
+				const entry = {
+					lastAccessed: (/* @__PURE__ */ new Date()).toISOString(),
+					...options?.name ? { name: options.name } : previous?.name ? { name: previous.name } : {}
+				};
+				return {
+					...data,
+					projects: {
+						...data.projects,
+						[absolutePath]: entry
+					},
+					lastProject: absolutePath
+				};
+			});
+		} catch {}
+	}
+	/**
+	* Removes a project from tracking. Returns `true` if the project existed,
+	* `false` if it was not tracked. Errors propagate (this is invoked by an
+	* explicit user action; the caller should know if it failed).
+	*/
+	async untrack(projectPath) {
+		const absolutePath = path$1.resolve(projectPath);
+		const existing = await this.store.read();
+		if (!existing || !(absolutePath in existing.projects)) return false;
+		const { [absolutePath]: _removed, ...remaining } = existing.projects;
+		const newLastProject = existing.lastProject === absolutePath ? void 0 : existing.lastProject;
+		await this.store.write({
+			...existing,
+			projects: remaining,
+			lastProject: newLastProject
+		});
+		return true;
+	}
+	/**
+	* Returns all tracked projects as an array of `{ path, lastAccessed, name? }`.
+	* Empty array when nothing is tracked or the file is missing.
+	*
+	* Note: order is not guaranteed (matches `Object.entries` over a Record).
+	* Callers that need a sort order should sort explicitly.
+	*
+	* Best-effort: corrupt files are treated as "no projects" rather than
+	* throwing, since project tracking is telemetry data.
+	*/
+	async list() {
+		const data = await this.readSafe();
+		if (!data) return [];
+		return Object.entries(data.projects).map(([projectPath, entry]) => ({
+			path: projectPath,
+			...entry
+		}));
+	}
+	/**
+	* Returns the most-recently-tracked project path, or `undefined` when none
+	* has been recorded.
+	*/
+	async getLast() {
+		return (await this.readSafe())?.lastProject;
+	}
+	/**
+	* Removes the projects file. Returns `true` if the file existed, `false`
+	* if it did not.
+	*/
+	async clear() {
+		return this.store.delete();
+	}
+	/**
+	* Reads the underlying store but treats schema/JSON errors as "no projects"
+	* rather than propagating. This preserves the previous best-effort contract
+	* for the projects file.
+	*/
+	async readSafe() {
+		try {
+			return await this.store.read();
+		} catch (error) {
+			if (error instanceof SyntaxError) return null;
+			if (error instanceof Error && error.message.startsWith("Invalid file at")) return null;
+			throw error;
+		}
+	}
+};
+/**
+* Production singleton — the primary public API for project tracking. Tests
+* should construct `new Projects({ homeDir })` instead.
+*/
+const projects = new Projects();
+/**
+* Returns the Keystroke temp directory path.
+*
+* - `getKeystrokeTmpDir({ projectRoot })` → `projectRoot/.keystroke/tmp` — for build
+*   artifacts that require module resolution from the project (workflow-builder).
+* - `getKeystrokeTmpDir()` → `~/.keystroke/tmp` — for general temporary storage.
+*
+* Callers must create the directory (e.g. `mkdir(path, { recursive: true })`)
+* before use.
+*/
+function getKeystrokeTmpDir(options) {
+	const baseDir = options?.projectRoot ? path$1.resolve(options.projectRoot) : os.homedir();
+	return path$1.join(baseDir, KEYSTROKE_DIR, "tmp");
+}
+//#endregion
+export { projects as i, credentials as n, getKeystrokeTmpDir as r, Credentials as t };