@keystrokehq/cli 0.0.21 → 0.0.23

package/dist/dist-DuJjDZIf.mjs

@@ -1,1094 +0,0 @@
-#!/usr/bin/env node
-
-import { n as getKeystrokeBaseDir, t as KEYSTROKE_DIR } from "./paths-JzzFkXQA-CEipIeVl.mjs";
-import * as os from "node:os";
-import * as path$1 from "node:path";
-import * as fs from "node:fs/promises";
-import { z } from "zod";
-//#region ../../packages/local-memory/dist/index.mjs
-/**
-* Writes `data` to `filePath` atomically.
-*
-* The contents are first written to a sibling temp file in the same directory,
-* fsynced, chmodded, and then renamed onto the target path. On POSIX (and on
-* Windows when the source and destination are on the same volume), `fs.rename`
-* is atomic — readers see either the previous contents or the new contents,
-* never a partial write.
-*
-* The temp filename embeds the process PID and a high-resolution timestamp
-* (`${path}.tmp.${pid}.${ts}`) so concurrent writers do not collide.
-*
-* The parent directory is created with `recursive: true` if it does not already
-* exist, so callers do not need to mkdir beforehand.
-*
-* If anything fails after the temp file is created (write, fsync, rename), the
-* temp file is best-effort unlinked so we don't leak files.
-*/
-async function atomicWriteFile(filePath, data, options = {}) {
-	const mode = options.mode ?? 420;
-	const dir = path$1.dirname(filePath);
-	await fs.mkdir(dir, { recursive: true });
-	const tmpPath = `${filePath}.tmp.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 10)}`;
-	let handleClosed = false;
-	const handle = await fs.open(tmpPath, "w", mode);
-	try {
-		await handle.writeFile(data, "utf-8");
-		await handle.sync();
-		await handle.close();
-		handleClosed = true;
-		try {
-			await fs.chmod(tmpPath, mode);
-		} catch {}
-		await fs.rename(tmpPath, filePath);
-	} catch (error) {
-		if (!handleClosed) try {
-			await handle.close();
-		} catch {}
-		try {
-			await fs.unlink(tmpPath);
-		} catch {}
-		throw error;
-	}
-}
-/**
-* Removes `filePath`. Returns `true` if the file existed and was removed,
-* `false` if it did not exist (`ENOENT`). Other errors propagate.
-*/
-async function unlinkFileIfExists(filePath) {
-	try {
-		await fs.unlink(filePath);
-		return true;
-	} catch (error) {
-		if (error.code === "ENOENT") return false;
-		throw error;
-	}
-}
-/**
-* Reads a UTF-8 file and parses it as JSON.
-*
-* - Returns `null` when the file does not exist (`ENOENT`).
-* - Throws on any other read error.
-* - Throws (with the underlying `SyntaxError`) when the contents are not valid JSON.
-*
-* The return type is `unknown` — callers must validate the shape before using the
-* value (typically via a Zod schema).
-*/
-async function readJsonFile(filePath) {
-	let raw;
-	try {
-		raw = await fs.readFile(filePath, "utf-8");
-	} catch (error) {
-		if (error.code === "ENOENT") return null;
-		throw error;
-	}
-	return JSON.parse(raw);
-}
-/**
-* Migrates `raw` to the current schema shape.
-*
-* Strategy:
-*   1. Try the current schema first. If it matches, return immediately.
-*   2. Otherwise find the migration whose `fromSchema` matches `raw`, run its
-*      `up`, and re-enter the loop with the result.
-*   3. Continue until the current schema validates the value, or no migration
-*      matches — in which case throw.
-*
-* This handles single-hop and chained migrations (V1 → V2 → V3 → ...) without
-* requiring the caller to order migrations carefully.
-*
-* Throws if the value matches no known schema. Callers typically wrap with a
-* descriptive error referencing the file path.
-*/
-function migrateRead(raw, def) {
-	const direct = def.schema.safeParse(raw);
-	if (direct.success) return {
-		value: direct.data,
-		migrated: false
-	};
-	const migrations = def.migrations ?? [];
-	if (migrations.length === 0) throw new Error("Stored value does not match the current schema and no migrations are configured.");
-	let current = raw;
-	const visited = /* @__PURE__ */ new Set();
-	for (let hop = 0; hop <= migrations.length; hop++) {
-		const match = def.schema.safeParse(current);
-		if (match.success) return {
-			value: match.data,
-			migrated: hop > 0
-		};
-		const next = migrations.find((m) => !visited.has(m) && m.fromSchema.safeParse(current).success);
-		if (!next) throw new Error("Stored value does not match the current schema or any known migration source.");
-		visited.add(next);
-		const validated = next.fromSchema.parse(current);
-		current = next.up(validated);
-	}
-	throw new Error(`Migration chain did not converge after ${migrations.length} hops. Possible cycle in migrations.`);
-}
-const KEYRING_PACKAGE = ["@napi-rs", "keyring"].join("/");
-async function createDefaultEntry(service, account) {
-	const { Entry } = await import(KEYRING_PACKAGE);
-	return new Entry(service, account);
-}
-var KeychainVault = class {
-	kind = "keychain";
-	service;
-	createEntry;
-	constructor(options) {
-		this.service = options.service;
-		this.createEntry = options.createEntry ?? createDefaultEntry;
-	}
-	async get(account) {
-		return (await this.createEntry(this.service, account)).getPassword();
-	}
-	async set(account, secret) {
-		const entry = await this.createEntry(this.service, account);
-		try {
-			entry.setPassword(secret);
-			return;
-		} catch (error) {
-			try {
-				await this.verifyWritableKeychain(account);
-				entry.deleteCredential();
-				(await this.createEntry(this.service, account)).setPassword(secret);
-			} catch (replacementError) {
-				throw new AggregateError([error, replacementError], "Could not replace the existing keychain credential.");
-			}
-		}
-	}
-	async verifyWritableKeychain(account) {
-		const probeAccount = `${account}:replacement-probe:${process.pid}:${Date.now()}`;
-		const probeEntry = await this.createEntry(this.service, probeAccount);
-		try {
-			probeEntry.setPassword("probe");
-		} finally {
-			try {
-				probeEntry.deleteCredential();
-			} catch {}
-		}
-	}
-	async delete(account) {
-		return (await this.createEntry(this.service, account)).deleteCredential();
-	}
-};
-const FORBIDDEN_NAME_PATTERNS = [
-	{
-		test: (n) => n.length === 0,
-		message: "must not be empty"
-	},
-	{
-		test: (n) => n.includes("\\"),
-		message: "must not contain backslashes"
-	},
-	{
-		test: (n) => n.split("/").some((seg) => seg === ".."),
-		message: "must not contain \"..\" segments"
-	},
-	{
-		test: (n) => n.startsWith("/"),
-		message: "must be relative (cannot start with \"/\")"
-	}
-];
-function validateStoreName(name) {
-	for (const { test, message } of FORBIDDEN_NAME_PATTERNS) if (test(name)) throw new Error(`Invalid Store name ${JSON.stringify(name)}: ${message}.`);
-}
-/**
-* Typed, schema-validated, atomically-written abstraction over a single JSON
-* file under `~/.keystroke/`.
-*
-* `Store` is an internal primitive of `@keystroke/local-memory`. It is not
-* exported from the package's public API — domain controllers (`Credentials`,
-* `Projects`, etc.) construct stores internally and expose domain-shaped methods
-* to consumers.
-*/
-var Store = class {
-	/** Absolute path to the file this store manages. */
-	filePath;
-	options;
-	constructor(options) {
-		validateStoreName(options.name);
-		this.options = options;
-		const homeDir = options.homeDir ?? os.homedir();
-		this.filePath = path$1.join(getKeystrokeBaseDir(homeDir), ...options.name.split("/"));
-	}
-	/**
-	* Returns the parsed contents of the file, or `null` when the file does not
-	* exist. If the on-disk shape does not match the current schema, registered
-	* migrations are applied and the upgraded value is persisted back.
-	*
-	* Throws when the file exists but matches no known schema, or when the file
-	* is unreadable for reasons other than ENOENT.
-	*/
-	async read() {
-		const raw = await readJsonFile(this.filePath);
-		if (raw === null) return null;
-		let result;
-		try {
-			result = migrateRead(raw, {
-				schema: this.options.schema,
-				migrations: this.options.migrations
-			});
-		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			throw new Error(`Invalid file at ${this.filePath}: ${message}`);
-		}
-		if (result.migrated) await this.write(result.value);
-		return result.value;
-	}
-	/**
-	* Replaces the file with `value`. Validates against the schema first (throws
-	* synchronously on invalid input, before any I/O). The write is atomic:
-	* write-temp + rename, never visible mid-write.
-	*/
-	async write(value) {
-		const validated = this.options.schema.parse(value);
-		const json = `${JSON.stringify(validated, null, 2)}\n`;
-		await atomicWriteFile(this.filePath, json, { mode: this.options.fileMode });
-	}
-	/**
-	* Read-modify-write. Reads the current value (or `defaults` if the file does
-	* not exist), passes it to `fn`, validates the result, and writes it back
-	* atomically. Returns the new value.
-	*
-	* Throws if the file does not exist and no `defaults` were configured.
-	*/
-	async update(fn) {
-		const current = await this.read();
-		let base;
-		if (current !== null) base = current;
-		else if (this.options.defaults !== void 0) base = this.options.defaults;
-		else throw new Error(`Cannot update ${this.filePath}: file does not exist and no defaults are configured.`);
-		const next = fn(base);
-		await this.write(next);
-		return next;
-	}
-	/**
-	* Returns the value at `key`, or `undefined` if the file does not exist.
-	* Each call re-reads the file (no caching).
-	*/
-	async get(key) {
-		const value = await this.read();
-		if (value === null) return void 0;
-		return value[key];
-	}
-	/**
-	* Sets the value at `key`. Other keys are preserved. Uses `defaults` if the
-	* file does not exist (throws if missing and no defaults).
-	*/
-	async set(key, value) {
-		await this.update((current) => ({
-			...current,
-			[key]: value
-		}));
-	}
-	/**
-	* Returns true if the file exists and the value at `key` is not `undefined`.
-	*/
-	async has(key) {
-		return await this.get(key) !== void 0;
-	}
-	/**
-	* Removes the file. Returns `true` if the file existed, `false` if it did
-	* not.
-	*/
-	async delete() {
-		return unlinkFileIfExists(this.filePath);
-	}
-};
-const CREDENTIAL_SECRET_STORAGE_UNAVAILABLE = "CREDENTIAL_SECRET_STORAGE_UNAVAILABLE";
-const CREDENTIAL_SECRET_READ_FAILED = "CREDENTIAL_SECRET_READ_FAILED";
-const CREDENTIAL_SECRET_WRITE_FAILED = "CREDENTIAL_SECRET_WRITE_FAILED";
-const CREDENTIAL_SECRET_DELETE_FAILED = "CREDENTIAL_SECRET_DELETE_FAILED";
-var CredentialSecretError = class extends Error {
-	constructor(message, options) {
-		super(message, options);
-		this.name = new.target.name;
-	}
-};
-var CredentialSecretStorageUnavailableError = class extends CredentialSecretError {
-	code = CREDENTIAL_SECRET_STORAGE_UNAVAILABLE;
-};
-var CredentialSecretReadError = class extends CredentialSecretError {
-	code = CREDENTIAL_SECRET_READ_FAILED;
-};
-var CredentialSecretWriteError = class extends CredentialSecretError {
-	code = CREDENTIAL_SECRET_WRITE_FAILED;
-};
-var CredentialSecretDeleteError = class extends CredentialSecretError {
-	code = CREDENTIAL_SECRET_DELETE_FAILED;
-};
-const credentialUserSchema = z.object({
-	id: z.string().min(1),
-	email: z.email(),
-	name: z.string().optional()
-});
-/**
-* Metadata about an organization the user is authenticated against.
-* Note: `apiKey` is NOT in this shape — it lives in the secrets file.
-*
-* Strict on purpose: extra fields (like the legacy `apiKey`) cause the schema
-* to fail, which routes the read through the migration chain rather than
-* silently stripping the unknown field at parse time.
-*/
-const orgEntrySchema = z.object({
-	organizationId: z.uuid(),
-	organizationName: z.string().min(1),
-	apiKeyId: z.uuid().optional(),
-	createdAt: z.string().min(1)
-}).strict();
-const credentialSecretStorageSchema = z.discriminatedUnion("kind", [z.object({
-	kind: z.literal("keychain"),
-	service: z.string().min(1)
-}).strict(), z.object({
-	kind: z.literal("file"),
-	reason: z.enum([
-		"legacy",
-		"insecure-storage",
-		"test"
-	]).optional()
-}).strict()]);
-const credentialsMetadataSchema = z.object({
-	version: z.literal(3),
-	serverUrl: z.url(),
-	webUrl: z.url(),
-	user: credentialUserSchema.optional(),
-	activeOrgId: z.uuid().optional(),
-	orgs: z.array(orgEntrySchema),
-	secretStorage: credentialSecretStorageSchema
-}).strict();
-const orgSecretsSchema = z.object({
-	version: z.literal(1),
-	/** Map of organizationId → API key. Empty when no orgs configured. */
-	byOrgId: z.record(z.uuid(), z.string().min(1))
-});
-const credentialsMetadataSchemaV2 = z.object({
-	version: z.literal(2),
-	serverUrl: z.url(),
-	webUrl: z.url(),
-	user: credentialUserSchema.optional(),
-	activeOrgId: z.uuid().optional(),
-	orgs: z.array(orgEntrySchema)
-}).strict();
-/**
-* Old V2 shape: same as current metadata, but each org carried its own
-* `apiKey` field. Migration: strip `apiKey` from each org. The actual key
-* bytes are recovered separately by the controller's legacy import step.
-*
-* `oldV2OrgEntrySchema` extends the current strict org schema with a required
-* `apiKey`. Strict so a V2-new entry (no apiKey) does NOT match this schema.
-*/
-const oldV2OrgEntrySchema = orgEntrySchema.extend({ apiKey: z.string().min(1) }).strict();
-const credentialsSchemaV2OldShape = z.object({
-	version: z.literal(2),
-	serverUrl: z.url(),
-	webUrl: z.url(),
-	user: credentialUserSchema.optional(),
-	activeOrgId: z.uuid().optional(),
-	orgs: z.array(oldV2OrgEntrySchema)
-}).strict();
-/**
-* V1 shape: a single embedded apiKey + organization. Migration: collapse to a
-* one-org metadata record. The apiKey bytes are recovered separately.
-*/
-const credentialsSchemaV1 = z.object({
-	version: z.literal(1),
-	apiKey: z.string().min(1),
-	apiKeyId: z.uuid().optional(),
-	serverUrl: z.url(),
-	webUrl: z.url(),
-	createdAt: z.string().min(1),
-	organizationId: z.uuid().optional(),
-	organizationName: z.string().optional(),
-	user: credentialUserSchema.optional()
-});
-const SECRETS_FILE = "secrets.json";
-const SECRETS_VERSION = 1;
-const SECRETS_DEFAULTS = {
-	version: SECRETS_VERSION,
-	byOrgId: {}
-};
-const CREDENTIAL_KEYCHAIN_SERVICE = "io.keystroke.cli";
-var CredentialSecrets = class {
-	legacySecrets;
-	vault;
-	constructor(options = {}) {
-		this.vault = options.vault;
-		this.legacySecrets = new Store({
-			name: SECRETS_FILE,
-			version: SECRETS_VERSION,
-			schema: orgSecretsSchema,
-			defaults: SECRETS_DEFAULTS,
-			fileMode: 384,
-			homeDir: options.homeDir
-		});
-	}
-	get legacySecretsFilePath() {
-		return this.legacySecrets.filePath;
-	}
-	async getApiKey(ref, storageKind) {
-		if (storageKind === "file") return (await this.legacySecrets.read())?.byOrgId[ref.orgId] ?? null;
-		const vault = this.requireVault();
-		try {
-			return await vault.get(getCredentialSecretAccountName(ref));
-		} catch (error) {
-			throw new CredentialSecretReadError("Could not read the Keystroke API key from the credential store.", { cause: error });
-		}
-	}
-	async setApiKey(ref, apiKey, storageKind) {
-		if (storageKind === "file") {
-			await this.legacySecrets.update((secrets) => ({
-				...secrets,
-				byOrgId: {
-					...secrets.byOrgId,
-					[ref.orgId]: apiKey
-				}
-			}));
-			return;
-		}
-		const vault = this.requireVault();
-		try {
-			await vault.set(getCredentialSecretAccountName(ref), apiKey);
-		} catch (error) {
-			throw new CredentialSecretWriteError("Could not save the Keystroke API key to the credential store.", { cause: error });
-		}
-	}
-	async deleteApiKey(ref, storageKind) {
-		if (storageKind === "file") {
-			const current = await this.legacySecrets.read();
-			if (!current || current.byOrgId[ref.orgId] === void 0) return false;
-			await this.legacySecrets.update((secrets) => {
-				const { [ref.orgId]: _removed, ...rest } = secrets.byOrgId;
-				return {
-					...secrets,
-					byOrgId: rest
-				};
-			});
-			return true;
-		}
-		const vault = this.requireVault();
-		try {
-			return await vault.delete(getCredentialSecretAccountName(ref));
-		} catch (error) {
-			throw new CredentialSecretDeleteError("Could not delete the Keystroke API key from the credential store.", { cause: error });
-		}
-	}
-	async clearLegacySecrets() {
-		return this.legacySecrets.delete();
-	}
-	async writeLegacySecrets(secrets) {
-		await this.legacySecrets.write(secrets);
-	}
-	async readLegacySecrets() {
-		return this.legacySecrets.read();
-	}
-	requireVault() {
-		if (!this.vault) throw new CredentialSecretStorageUnavailableError("Credential store is not configured for secure secret storage.");
-		return this.vault;
-	}
-};
-function getCredentialSecretAccountName(ref) {
-	return `api-key:${normalizeCredentialServerUrl(ref.serverUrl)}:${ref.orgId}`;
-}
-function normalizeCredentialServerUrl(rawUrl) {
-	const parsed = new URL(rawUrl);
-	parsed.protocol = parsed.protocol.toLowerCase();
-	parsed.hostname = parsed.hostname.toLowerCase();
-	const normalized = parsed.toString();
-	return normalized.endsWith("/") ? normalized.slice(0, -1) : normalized;
-}
-const CREDENTIALS_FILE = "credentials.json";
-const METADATA_VERSION = 3;
-const KEYCHAIN_STORAGE = {
-	kind: "keychain",
-	service: CREDENTIAL_KEYCHAIN_SERVICE
-};
-const TEST_FILE_STORAGE = {
-	kind: "file",
-	reason: "test"
-};
-const LEGACY_FILE_STORAGE = {
-	kind: "file",
-	reason: "legacy"
-};
-const INSECURE_FILE_STORAGE = {
-	kind: "file",
-	reason: "insecure-storage"
-};
-function createKeychainVault() {
-	return new KeychainVault({ service: CREDENTIAL_KEYCHAIN_SERVICE });
-}
-function resolveDefaultSecretStorage(options) {
-	if (options.secretStorage === "file") return TEST_FILE_STORAGE;
-	if (options.secretStorage === "keychain") return KEYCHAIN_STORAGE;
-	if (options.vault) return KEYCHAIN_STORAGE;
-	return options.homeDir ? TEST_FILE_STORAGE : KEYCHAIN_STORAGE;
-}
-function toSecretStorage(preference, fallback) {
-	if (preference === "file") return INSECURE_FILE_STORAGE;
-	if (preference === "keychain") return KEYCHAIN_STORAGE;
-	return fallback;
-}
-/**
-* Domain controller for Keystroke credentials.
-*
-* Currently backed by two files under `~/.keystroke/`:
-*   - `credentials.json` — metadata (org list, server URLs, active org pointer)
-*   - `secrets.json` — `{ version, byOrgId: { [orgId]: apiKey } }`
-*
-* Secret reads and writes go through `CredentialSecrets`, keeping the storage
-* mechanism behind this controller as PR 9 moves API keys to the OS keychain.
-*
-* Production code uses the `credentials` singleton exported below. Tests
-* construct a fresh instance with `homeDir` pointing at a tempdir.
-*/
-var Credentials = class {
-	metadata;
-	secrets;
-	defaultSecretStorage;
-	legacyImportComplete = false;
-	constructor(options = {}) {
-		const defaultSecretStorage = resolveDefaultSecretStorage(options);
-		this.defaultSecretStorage = defaultSecretStorage;
-		this.metadata = new Store({
-			name: CREDENTIALS_FILE,
-			version: METADATA_VERSION,
-			schema: credentialsMetadataSchema,
-			fileMode: 384,
-			homeDir: options.homeDir,
-			migrations: [
-				{
-					fromVersion: 2,
-					fromSchema: credentialsMetadataSchemaV2,
-					up: (raw) => {
-						const v2 = raw;
-						return {
-							version: METADATA_VERSION,
-							serverUrl: v2.serverUrl,
-							webUrl: v2.webUrl,
-							user: v2.user,
-							activeOrgId: v2.activeOrgId,
-							orgs: v2.orgs,
-							secretStorage: LEGACY_FILE_STORAGE
-						};
-					}
-				},
-				{
-					fromVersion: 2,
-					fromSchema: credentialsSchemaV2OldShape,
-					up: (raw) => {
-						const old = raw;
-						return {
-							version: METADATA_VERSION,
-							serverUrl: old.serverUrl,
-							webUrl: old.webUrl,
-							user: old.user,
-							activeOrgId: old.activeOrgId,
-							orgs: old.orgs.map(({ apiKey: _apiKey, ...rest }) => rest),
-							secretStorage: LEGACY_FILE_STORAGE
-						};
-					}
-				},
-				{
-					fromVersion: 1,
-					fromSchema: credentialsSchemaV1,
-					up: (raw) => {
-						const v1 = raw;
-						return {
-							version: METADATA_VERSION,
-							serverUrl: v1.serverUrl,
-							webUrl: v1.webUrl,
-							user: v1.user,
-							activeOrgId: v1.organizationId,
-							orgs: v1.organizationId ? [{
-								organizationId: v1.organizationId,
-								organizationName: v1.organizationName ?? "Unknown",
-								apiKeyId: v1.apiKeyId,
-								createdAt: v1.createdAt
-							}] : [],
-							secretStorage: LEGACY_FILE_STORAGE
-						};
-					}
-				}
-			]
-		});
-		this.secrets = new CredentialSecrets({
-			homeDir: options.homeDir,
-			vault: options.vault ?? (defaultSecretStorage.kind === "keychain" ? createKeychainVault() : void 0)
-		});
-	}
-	/** Absolute path to the credentials metadata file. */
-	get metadataFilePath() {
-		return this.metadata.filePath;
-	}
-	/** Absolute path to the secrets file. */
-	get secretsFilePath() {
-		return this.secrets.legacySecretsFilePath;
-	}
-	/**
-	* Returns the active org and its API key, or `null` when there are no
-	* stored credentials, no active org, or no key found for the active org.
-	*/
-	async getActiveOrg() {
-		await this.importLegacyIfNeeded();
-		const meta = await this.metadata.read();
-		if (!meta?.activeOrgId) return null;
-		const org = meta.orgs.find((o) => o.organizationId === meta.activeOrgId);
-		if (!org) return null;
-		const apiKey = await this.secrets.getApiKey({
-			orgId: meta.activeOrgId,
-			serverUrl: meta.serverUrl
-		}, meta.secretStorage.kind);
-		if (!apiKey) return null;
-		return {
-			org,
-			apiKey
-		};
-	}
-	/** All known orgs (without secrets). Empty when no credentials stored. */
-	async listOrgs() {
-		await this.importLegacyIfNeeded();
-		return (await this.metadata.read())?.orgs ?? [];
-	}
-	/** API key for a specific org, or `null` if not stored. */
-	async getApiKey(orgId) {
-		await this.importLegacyIfNeeded();
-		const meta = await this.metadata.read();
-		if (!meta) return null;
-		return this.secrets.getApiKey({
-			orgId,
-			serverUrl: meta.serverUrl
-		}, meta.secretStorage.kind);
-	}
-	/** Server URLs (shared across all orgs in the file). `null` when unset. */
-	async getServerUrls() {
-		await this.importLegacyIfNeeded();
-		const meta = await this.metadata.read();
-		return meta ? {
-			serverUrl: meta.serverUrl,
-			webUrl: meta.webUrl
-		} : null;
-	}
-	/** The user identity associated with stored credentials, if any. */
-	async getUser() {
-		await this.importLegacyIfNeeded();
-		return (await this.metadata.read())?.user;
-	}
-	/** Active organization ID, or `undefined` when none is set. */
-	async getActiveOrgId() {
-		await this.importLegacyIfNeeded();
-		return (await this.metadata.read())?.activeOrgId;
-	}
-	/**
-	* Returns `true` when credential metadata contains at least one org. Callers
-	* that need the actual API key should use `getActiveOrg()` or `getApiKey()`.
-	*/
-	async hasStoredCredentials() {
-		await this.importLegacyIfNeeded();
-		const meta = await this.metadata.read();
-		return meta !== null && meta.orgs.length > 0;
-	}
-	async getStorageInfo() {
-		await this.importLegacyIfNeeded();
-		const storage = (await this.metadata.read())?.secretStorage ?? this.defaultSecretStorage;
-		return {
-			metadataFilePath: this.metadata.filePath,
-			legacySecretsFilePath: this.secrets.legacySecretsFilePath,
-			secretStorageKind: storage.kind,
-			...storage.kind === "keychain" ? { keychainService: storage.service } : {},
-			insecureFileStorage: storage.kind === "file"
-		};
-	}
-	/**
-	* Adds or replaces an org entry. Sets it as the active org. Creates both
-	* files if neither exists. Atomic per-file (each file is a Store write).
-	*/
-	async upsertOrg(input) {
-		await this.importLegacyIfNeeded();
-		const existing = await this.metadata.read();
-		const secretStorage = toSecretStorage(input.secretStorage, this.defaultSecretStorage);
-		if (existing?.secretStorage.kind === "file" && secretStorage.kind === "keychain") await this.migrateFileSecretsToKeychain(existing);
-		const newMeta = existing ? {
-			...existing,
-			serverUrl: input.serverUrl,
-			webUrl: input.webUrl,
-			user: input.user ?? existing.user,
-			activeOrgId: input.org.organizationId,
-			secretStorage,
-			orgs: [...existing.orgs.filter((o) => o.organizationId !== input.org.organizationId), input.org]
-		} : {
-			version: METADATA_VERSION,
-			serverUrl: input.serverUrl,
-			webUrl: input.webUrl,
-			user: input.user,
-			activeOrgId: input.org.organizationId,
-			secretStorage,
-			orgs: [input.org]
-		};
-		await this.secrets.setApiKey({
-			orgId: input.org.organizationId,
-			serverUrl: input.serverUrl
-		}, input.apiKey, secretStorage.kind);
-		await this.metadata.write(newMeta);
-		if (existing) {
-			const previousOrg = existing.orgs.find((org) => org.organizationId === input.org.organizationId);
-			const serverUrlChanged = normalizeCredentialServerUrl(existing.serverUrl) !== normalizeCredentialServerUrl(input.serverUrl);
-			if (previousOrg && serverUrlChanged && (existing.secretStorage.kind === "keychain" || secretStorage.kind === "keychain")) await this.secrets.deleteApiKey({
-				orgId: input.org.organizationId,
-				serverUrl: existing.serverUrl
-			}, "keychain");
-		}
-	}
-	/**
-	* Switches the active org. Throws when no credentials exist or the org is
-	* not in the stored orgs array.
-	*/
-	async setActiveOrg(orgId) {
-		await this.importLegacyIfNeeded();
-		const meta = await this.metadata.read();
-		if (!meta) throw new Error("No stored credentials found. Run `keystroke auth` first.");
-		if (!meta.orgs.some((o) => o.organizationId === orgId)) throw new Error(`No stored API key for organization ${orgId}. Run \`keystroke auth\` to add credentials for this org.`);
-		await this.metadata.update((m) => ({
-			...m,
-			activeOrgId: orgId
-		}));
-	}
-	/**
-	* Removes a single org. If it was the active org, switches to the first
-	* remaining org. When the last org is removed, both files are deleted.
-	* Returns the removed org, or `null` if not stored.
-	*/
-	async removeOrg(orgId) {
-		await this.importLegacyIfNeeded();
-		const meta = await this.metadata.read();
-		if (!meta) return null;
-		const removed = meta.orgs.find((o) => o.organizationId === orgId);
-		if (!removed) return null;
-		const remaining = meta.orgs.filter((o) => o.organizationId !== orgId);
-		await this.secrets.deleteApiKey({
-			orgId,
-			serverUrl: meta.serverUrl
-		}, meta.secretStorage.kind);
-		if (remaining.length === 0) {
-			if (meta.secretStorage.kind === "file") await this.secrets.clearLegacySecrets();
-			await this.metadata.delete();
-			return removed;
-		}
-		const newActiveId = meta.activeOrgId === orgId ? remaining[0]?.organizationId : meta.activeOrgId;
-		await this.metadata.write({
-			...meta,
-			orgs: remaining,
-			activeOrgId: newActiveId
-		});
-		return removed;
-	}
-	/** Wipes both files. After this, `getActiveOrg` returns `null`. */
-	async clear() {
-		await this.importLegacyIfNeeded();
-		const meta = await this.metadata.read();
-		if (meta) for (const org of meta.orgs) await this.secrets.deleteApiKey({
-			orgId: org.organizationId,
-			serverUrl: meta.serverUrl
-		}, meta.secretStorage.kind);
-		await this.secrets.clearLegacySecrets();
-		await this.metadata.delete();
-		this.legacyImportComplete = false;
-	}
-	/**
-	* Detects pre-split shapes on disk (V1, or V2-old with embedded apiKeys) and
-	* writes the secrets file out before the Store-level migration strips the
-	* apiKeys from metadata. Idempotent: caches a per-instance flag so repeated
-	* calls after the first cost only the flag check.
-	*
-	* Implementation note: this runs BEFORE every `metadata.read()` in the
-	* controller's API methods. The first call detects-and-imports; subsequent
-	* calls are no-ops. Once import is done (or skipped because the file already
-	* matches the new shape), `metadata.read()` runs the V2-old/V1 migration
-	* which is purely a metadata reshape.
-	*/
-	async importLegacyIfNeeded() {
-		if (this.legacyImportComplete) return;
-		this.legacyImportComplete = true;
-		let raw;
-		try {
-			raw = await readJsonFile(this.metadata.filePath);
-		} catch {
-			return;
-		}
-		if (raw === null) return;
-		const v2Old = credentialsSchemaV2OldShape.safeParse(raw);
-		if (v2Old.success) {
-			const byOrgId = {};
-			for (const org of v2Old.data.orgs) byOrgId[org.organizationId] = org.apiKey;
-			const secretStorage = await this.importLegacySecrets({
-				metadata: {
-					version: METADATA_VERSION,
-					serverUrl: v2Old.data.serverUrl,
-					webUrl: v2Old.data.webUrl,
-					user: v2Old.data.user,
-					activeOrgId: v2Old.data.activeOrgId,
-					orgs: v2Old.data.orgs.map(({ apiKey: _apiKey, ...rest }) => rest),
-					secretStorage: this.defaultSecretStorage
-				},
-				byOrgId
-			});
-			await this.metadata.write({
-				version: METADATA_VERSION,
-				serverUrl: v2Old.data.serverUrl,
-				webUrl: v2Old.data.webUrl,
-				user: v2Old.data.user,
-				activeOrgId: v2Old.data.activeOrgId,
-				orgs: v2Old.data.orgs.map(({ apiKey: _apiKey, ...rest }) => rest),
-				secretStorage
-			});
-			return;
-		}
-		const v2 = credentialsMetadataSchemaV2.safeParse(raw);
-		if (v2.success) {
-			const legacySecrets = await this.secrets.readLegacySecrets();
-			const secretStorage = await this.importLegacySecrets({
-				metadata: {
-					version: METADATA_VERSION,
-					serverUrl: v2.data.serverUrl,
-					webUrl: v2.data.webUrl,
-					user: v2.data.user,
-					activeOrgId: v2.data.activeOrgId,
-					orgs: v2.data.orgs,
-					secretStorage: this.defaultSecretStorage
-				},
-				byOrgId: legacySecrets?.byOrgId ?? {}
-			});
-			await this.metadata.write({
-				version: METADATA_VERSION,
-				serverUrl: v2.data.serverUrl,
-				webUrl: v2.data.webUrl,
-				user: v2.data.user,
-				activeOrgId: v2.data.activeOrgId,
-				orgs: v2.data.orgs,
-				secretStorage
-			});
-			return;
-		}
-		const v1 = credentialsSchemaV1.safeParse(raw);
-		if (v1.success && v1.data.organizationId && v1.data.apiKey) {
-			const orgs = [{
-				organizationId: v1.data.organizationId,
-				organizationName: v1.data.organizationName ?? "Unknown",
-				apiKeyId: v1.data.apiKeyId,
-				createdAt: v1.data.createdAt
-			}];
-			const secretStorage = await this.importLegacySecrets({
-				metadata: {
-					version: METADATA_VERSION,
-					serverUrl: v1.data.serverUrl,
-					webUrl: v1.data.webUrl,
-					user: v1.data.user,
-					activeOrgId: v1.data.organizationId,
-					orgs,
-					secretStorage: this.defaultSecretStorage
-				},
-				byOrgId: { [v1.data.organizationId]: v1.data.apiKey }
-			});
-			await this.metadata.write({
-				version: METADATA_VERSION,
-				serverUrl: v1.data.serverUrl,
-				webUrl: v1.data.webUrl,
-				user: v1.data.user,
-				activeOrgId: v1.data.organizationId,
-				orgs,
-				secretStorage
-			});
-		}
-	}
-	async importLegacySecrets(input) {
-		if (this.defaultSecretStorage.kind === "file") {
-			await this.secrets.writeLegacySecrets({
-				version: 1,
-				byOrgId: input.byOrgId
-			});
-			return this.defaultSecretStorage;
-		}
-		try {
-			await this.writeSecretsToStorage(input.metadata, input.byOrgId, "keychain");
-			await this.secrets.clearLegacySecrets();
-			return KEYCHAIN_STORAGE;
-		} catch {
-			await this.secrets.writeLegacySecrets({
-				version: 1,
-				byOrgId: input.byOrgId
-			});
-			return LEGACY_FILE_STORAGE;
-		}
-	}
-	async migrateFileSecretsToKeychain(metadata) {
-		const legacySecrets = await this.secrets.readLegacySecrets();
-		if (!legacySecrets) return;
-		await this.writeSecretsToStorage(metadata, legacySecrets.byOrgId, "keychain");
-		await this.secrets.clearLegacySecrets();
-	}
-	async writeSecretsToStorage(metadata, byOrgId, storageKind) {
-		for (const org of metadata.orgs) {
-			const apiKey = byOrgId[org.organizationId];
-			if (!apiKey) continue;
-			const ref = {
-				orgId: org.organizationId,
-				serverUrl: metadata.serverUrl
-			};
-			await this.secrets.setApiKey(ref, apiKey, storageKind);
-			if (await this.secrets.getApiKey(ref, storageKind) !== apiKey) throw new Error(`Could not verify stored API key for organization ${org.organizationId}.`);
-		}
-	}
-};
-/**
-* Production singleton — the primary public API for credential storage. Tests
-* should construct `new Credentials({ homeDir })` instead.
-*/
-const credentials = new Credentials();
-const projectEntrySchema = z.object({
-	lastAccessed: z.string().min(1),
-	name: z.string().min(1).optional()
-});
-const projectsSchema = z.object({
-	version: z.literal(1),
-	projects: z.record(z.string(), projectEntrySchema),
-	lastProject: z.string().optional()
-});
-const PROJECTS_FILE = "projects.json";
-const PROJECTS_VERSION = 1;
-const PROJECTS_DEFAULTS = {
-	version: PROJECTS_VERSION,
-	projects: {}
-};
-/**
-* Domain controller for tracked Keystroke projects.
-*
-* Backed by a single file under `~/.keystroke/projects.json`.
-*
-* Production code uses the `projects` singleton exported below. Tests
-* construct a fresh instance with `homeDir` pointing at a tempdir.
-*/
-var Projects = class {
-	store;
-	constructor(options = {}) {
-		this.store = new Store({
-			name: PROJECTS_FILE,
-			version: PROJECTS_VERSION,
-			schema: projectsSchema,
-			defaults: PROJECTS_DEFAULTS,
-			homeDir: options.homeDir
-		});
-	}
-	/** Absolute path to the projects file. */
-	get filePath() {
-		return this.store.filePath;
-	}
-	/**
-	* Upsert a project entry. Fire-and-forget safe — catches all errors
-	* internally. Never throws. Call without `await` if you don't need to wait.
-	*
-	* Tracking is best-effort telemetry; we never want a failed write to bubble
-	* up to a CLI command and degrade UX.
-	*/
-	async track(projectPath, options) {
-		const absolutePath = path$1.resolve(projectPath);
-		try {
-			await this.store.update((data) => {
-				const previous = data.projects[absolutePath];
-				const entry = {
-					lastAccessed: (/* @__PURE__ */ new Date()).toISOString(),
-					...options?.name ? { name: options.name } : previous?.name ? { name: previous.name } : {}
-				};
-				return {
-					...data,
-					projects: {
-						...data.projects,
-						[absolutePath]: entry
-					},
-					lastProject: absolutePath
-				};
-			});
-		} catch {}
-	}
-	/**
-	* Removes a project from tracking. Returns `true` if the project existed,
-	* `false` if it was not tracked. Errors propagate (this is invoked by an
-	* explicit user action; the caller should know if it failed).
-	*/
-	async untrack(projectPath) {
-		const absolutePath = path$1.resolve(projectPath);
-		const existing = await this.store.read();
-		if (!existing || !(absolutePath in existing.projects)) return false;
-		const { [absolutePath]: _removed, ...remaining } = existing.projects;
-		const newLastProject = existing.lastProject === absolutePath ? void 0 : existing.lastProject;
-		await this.store.write({
-			...existing,
-			projects: remaining,
-			lastProject: newLastProject
-		});
-		return true;
-	}
-	/**
-	* Returns all tracked projects as an array of `{ path, lastAccessed, name? }`.
-	* Empty array when nothing is tracked or the file is missing.
-	*
-	* Note: order is not guaranteed (matches `Object.entries` over a Record).
-	* Callers that need a sort order should sort explicitly.
-	*
-	* Best-effort: corrupt files are treated as "no projects" rather than
-	* throwing, since project tracking is telemetry data.
-	*/
-	async list() {
-		const data = await this.readSafe();
-		if (!data) return [];
-		return Object.entries(data.projects).map(([projectPath, entry]) => ({
-			path: projectPath,
-			...entry
-		}));
-	}
-	/**
-	* Returns the most-recently-tracked project path, or `undefined` when none
-	* has been recorded.
-	*/
-	async getLast() {
-		return (await this.readSafe())?.lastProject;
-	}
-	/**
-	* Removes the projects file. Returns `true` if the file existed, `false`
-	* if it did not.
-	*/
-	async clear() {
-		return this.store.delete();
-	}
-	/**
-	* Reads the underlying store but treats schema/JSON errors as "no projects"
-	* rather than propagating. This preserves the previous best-effort contract
-	* for the projects file.
-	*/
-	async readSafe() {
-		try {
-			return await this.store.read();
-		} catch (error) {
-			if (error instanceof SyntaxError) return null;
-			if (error instanceof Error && error.message.startsWith("Invalid file at")) return null;
-			throw error;
-		}
-	}
-};
-/**
-* Production singleton — the primary public API for project tracking. Tests
-* should construct `new Projects({ homeDir })` instead.
-*/
-const projects = new Projects();
-/**
-* Returns the Keystroke temp directory path.
-*
-* - `getKeystrokeTmpDir({ projectRoot })` → `projectRoot/.keystroke/tmp` — for build
-*   artifacts that require module resolution from the project (workflow-builder).
-* - `getKeystrokeTmpDir()` → `~/.keystroke/tmp` — for general temporary storage.
-*
-* Callers must create the directory (e.g. `mkdir(path, { recursive: true })`)
-* before use.
-*/
-function getKeystrokeTmpDir(options) {
-	const baseDir = options?.projectRoot ? path$1.resolve(options.projectRoot) : os.homedir();
-	return path$1.join(baseDir, KEYSTROKE_DIR, "tmp");
-}
-//#endregion
-export { projects as i, credentials as n, getKeystrokeTmpDir as r, Credentials as t };