@keystrokehq/cli 0.0.31 → 0.0.37

package/dist/{run.handler-BG7xitEK.mjs → run.handler-BKD5Xu0A.mjs}

@@ -1,30 +1,32 @@
 #!/usr/bin/env node
 
-import { D as CliExitError, a as ui, j as throwReportedCliExit, y as toErrorMessage } from "./keystroke.mjs";
-import { i as projects } from "./dist-Dw7gCE7y.mjs";
+import { N as throwReportedCliExit, k as CliExitError, p as ui, x as toErrorMessage } from "./keystroke.mjs";
+import { i as projects } from "./dist-B5jy238v.mjs";
 import { t as assertWorkflowProjectRoot } from "./project-config-DudGRFPO.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-sgKhRc5v.mjs";
-import { n as resolveWorkflowsDir } from "./resolve-project-E9mrh_el.mjs";
-import { t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-B1VQCYC-.mjs";
-import { i as resolveWorkflowGlobals, o as validateInputOrExit, r as resolveRunInput, s as validateWorkflowGlobalsOrExit, t as pollForCompletion } from "./run-polling-DawiBus-.mjs";
+import { i as writeJson } from "./output-DnIFEmi5.mjs";
+import { i as requireClient, t as assertProjectConfigMatchesAuthenticatedOrg } from "./context-ebZssGCY.mjs";
+import { n as resolveWorkflowsDir } from "./resolve-project-DLKlAy0z.mjs";
+import { t as lookupCurrentDeploymentWorkflow } from "./current-deployment-workflow-C6x65imE.mjs";
+import { i as resolveWorkflowGlobals, o as validateInputOrExit, r as resolveRunInput, s as validateWorkflowGlobalsOrExit, t as pollForCompletion } from "./run-polling-C5fI7xTp.mjs";
+import { n as assertAuthoredWorkflowId, t as WORKFLOW_ID_COMMANDS } from "./authored-workflow-ref-fkHEEVnd.mjs";
 //#region src/commands/workflows/run.handler.ts
 async function handleWorkflowsRun(options, ctx) {
 	const client = requireClient(ctx);
-	const projectId = await resolveProjectId(options, ctx);
+	const { projectId, authoredWorkflowId, workflowsDir } = await resolveRunWorkflowTarget(options, ctx);
 	const input = await resolveRunInput(options);
 	const globals = await resolveWorkflowGlobals(options);
-	const deploymentLookup = await loadCurrentDeploymentWorkflow(client, {
+	const workflow = (await requireDeploymentWorkflowFound(await loadCurrentDeploymentWorkflow(client, {
 		projectId,
-		authoredWorkflowId: options.workflow
-	});
-	assertDeploymentWorkflowFound(deploymentLookup, options.workflow);
-	const workflow = deploymentLookup.workflow;
+		authoredWorkflowId
+	}), {
+		authoredWorkflowId,
+		workflowsDir
+	})).workflow;
 	const inputSchema = workflow.manifest.workflowSchemas.input;
-	const validatedInput = isJsonObjectSchema(inputSchema) && inputSchema.type !== "unknown" ? validateInputOrExit(workflow.workflowName, input, inputSchema) : input;
+	const validatedInput = isJsonObjectSchema(inputSchema) && inputSchema.type !== "unknown" ? validateInputOrExit(authoredWorkflowId, input, inputSchema) : input;
 	const globalsSchema = workflow.manifest.workflowGlobals;
 	const validatedGlobals = resolveValidatedWorkflowGlobals({
-		workflowName: workflow.workflowName,
+		authoredWorkflowId,
 		schema: globalsSchema,
 		globals
 	});
@@ -62,18 +64,27 @@ async function handleWorkflowsRun(options, ctx) {
 	}
 	renderWaitResult(runId, snapshot, options.timeout);
 }
-async function resolveProjectId(options, ctx) {
-	if (options.projectId) return options.projectId;
+async function resolveRunWorkflowTarget(options, ctx) {
+	const authoredWorkflowId = options.workflow;
 	const workflowsDir = await resolveWorkflowsDir(options.path);
-	if (!workflowsDir) {
-		ui.error("No keystroke.config.ts found in this directory or any parent directory.");
-		ui.hint("Run inside a Keystroke project or pass --project-id <uuid>.");
-		throwReportedCliExit("No keystroke.config.ts found");
+	if (workflowsDir) {
+		await assertAuthoredWorkflowId(authoredWorkflowId, workflowsDir, WORKFLOW_ID_COMMANDS.run);
+		const projectConfig = await assertWorkflowProjectRoot(workflowsDir);
+		await assertProjectConfigMatchesAuthenticatedOrg(requireClient(ctx), projectConfig);
+		projects.track(workflowsDir);
+		return {
+			projectId: options.projectId ?? projectConfig.projectId,
+			authoredWorkflowId,
+			workflowsDir
+		};
 	}
-	const projectConfig = await assertWorkflowProjectRoot(workflowsDir);
-	await assertProjectConfigMatchesAuthenticatedOrg(requireClient(ctx), projectConfig);
-	projects.track(workflowsDir);
-	return projectConfig.projectId;
+	if (options.projectId) return {
+		projectId: options.projectId,
+		authoredWorkflowId
+	};
+	ui.error("No keystroke.config.ts found in this directory or any parent directory.");
+	ui.hint("Run inside a Keystroke project or pass --project-id <uuid>.");
+	throwReportedCliExit("No keystroke.config.ts found");
 }
 async function loadCurrentDeploymentWorkflow(client, params) {
 	try {
@@ -83,17 +94,18 @@ async function loadCurrentDeploymentWorkflow(client, params) {
 		throwReportedCliExit(`Failed to load current deployment workflow: ${toErrorMessage(error)}`, { cause: error });
 	}
 }
-function assertDeploymentWorkflowFound(deploymentLookup, workflowRef) {
-	if (deploymentLookup.status === "found") return;
+async function requireDeploymentWorkflowFound(deploymentLookup, options) {
+	if (deploymentLookup.status === "found") return deploymentLookup;
 	if (deploymentLookup.status === "missingCurrentDeployment") {
 		ui.error("This project has no current deployment.");
 		ui.hint("Run `keystroke deploy` to create the current deployment, then try again.");
 		throwReportedCliExit("This project has no current deployment.");
 	}
 	if (deploymentLookup.status === "missingWorkflow") {
-		ui.error(`Workflow "${workflowRef}" is not part of the current deployment.`);
+		if (options.workflowsDir) await assertAuthoredWorkflowId(options.authoredWorkflowId, options.workflowsDir, WORKFLOW_ID_COMMANDS.run, { refreshManifests: true });
+		ui.error(`Workflow "${options.authoredWorkflowId}" is not part of the current deployment.`);
 		ui.hint("Run `keystroke deploy` to include it in the current deployment, then try again.");
-		throwReportedCliExit(`Workflow "${workflowRef}" is not part of the current deployment.`);
+		throwReportedCliExit(`Workflow "${options.authoredWorkflowId}" is not part of the current deployment.`);
 	}
 	throw new Error(`Unhandled deployment lookup status: ${JSON.stringify(deploymentLookup)}`);
 }
@@ -103,7 +115,7 @@ function resolveValidatedWorkflowGlobals(params) {
 		value: params.globals.value
 	} : { shouldSend: false };
 	const candidate = params.globals.value ?? {};
-	const validated = validateWorkflowGlobalsOrExit(params.workflowName, candidate, params.schema);
+	const validated = validateWorkflowGlobalsOrExit(params.authoredWorkflowId, candidate, params.schema);
 	if (params.globals.provided || Object.keys(validated).length > 0) return {
 		shouldSend: true,
 		value: validated

package/dist/{runs-swYYBT6C.mjs → runs-CT31dczt.mjs}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
-import { a as ui, j as throwReportedCliExit, n as style, t as ANSI, y as toErrorMessage } from "./keystroke.mjs";
-import { i as writeJson, n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-BlrSdFcu.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
+import { N as throwReportedCliExit, n as style, p as ui, t as ANSI, x as toErrorMessage } from "./keystroke.mjs";
+import { i as writeJson, n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-DnIFEmi5.mjs";
+import { t as createTypedCommand } from "./commander-C6SSTQJ2.mjs";
+import { i as requireClient } from "./context-ebZssGCY.mjs";
 import { z } from "zod";
 //#region src/commands/runs/inspect-display.ts
 function renderRunInspect(input) {

package/dist/{schema-display-FvI8QjOQ.mjs → schema-display-sZ6ConJd.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
+import { p as ui } from "./keystroke.mjs";
 //#region src/lib/schema-display.ts
 /**
 * Returns true when the schema is the fallback "unknown" sentinel emitted
@@ -11,8 +11,9 @@ function isUnknownSchema(schema) {
 }
 /**
 * Generates a minimal placeholder JSON object for a given JSON Schema.
-* Walks `properties` recursively to produce sensible default values so the
-* user has a copy-pasteable `--input` example.
+* Walks `properties` recursively to produce structural `--input` examples
+* (required keys and rough types). Examples are not guaranteed to pass
+* validation (e.g. minLength, format, unions, or const constraints).
 *
 * Examples:
 *   { type: "number" }           => 0
@@ -26,6 +27,26 @@ function generateExampleJson(schema) {
 	if (schema == null || typeof schema !== "object") return null;
 	return generateValue(schema);
 }
+/**
+* JSON string for a workflow `--input` value derived from the input schema.
+* See {@link generateExampleJson} for placeholder semantics.
+*/
+function formatExampleInputJson(inputSchema) {
+	if (inputSchema == null || typeof inputSchema !== "object" || isUnknownSchema(inputSchema)) return "{}";
+	const example = generateExampleJson(inputSchema);
+	return JSON.stringify(example ?? {});
+}
+/** Wraps a string in single quotes with POSIX-safe `'` escaping for shell snippets. */
+function shellEscapeSingleQuoted(value) {
+	return `'${value.replace(/'/g, "'\"'\"'")}'`;
+}
+/** Shell-safe `--input '...'` flag generated from a workflow input JSON Schema. */
+function formatWorkflowInputFlag(inputSchema) {
+	return `--input ${shellEscapeSingleQuoted(formatExampleInputJson(inputSchema))}`;
+}
+function formatWorkflowTestExampleCommand(authoredWorkflowId, inputSchema) {
+	return `$ keystroke workflows test ${authoredWorkflowId} ${formatWorkflowInputFlag(inputSchema)}`;
+}
 function generateValue(schema) {
 	if (Array.isArray(schema.enum) && schema.enum.length > 0) return schema.enum[0];
 	switch (Array.isArray(schema.type) ? schema.type[0] : schema.type) {
@@ -105,12 +126,12 @@ function resolveTypeHint(fieldSchema) {
 /**
 * Formats a missing-required-fields error into a descriptive CLI message.
 */
-function formatMissingInputError(workflowName, missingFields, inputSchema) {
+function formatMissingInputError(authoredWorkflowId, missingFields, inputSchema) {
 	const lines = [];
-	lines.push(`Missing required input for workflow "${workflowName}"\n`);
+	lines.push(`Missing required input for workflow "${authoredWorkflowId}"\n`);
 	if (inputSchema == null || typeof inputSchema !== "object") {
 		lines.push("  (input schema unavailable)\n");
-		lines.push(`  $ keystroke workflows test "${workflowName}" --input '{}'`);
+		lines.push(`  ${formatWorkflowTestExampleCommand(authoredWorkflowId)}`);
 		return lines.join("\n");
 	}
 	const properties = inputSchema.properties && typeof inputSchema.properties === "object" ? inputSchema.properties : {};
@@ -120,38 +141,24 @@ function formatMissingInputError(workflowName, missingFields, inputSchema) {
 		lines.push(`  ${field} (${typeHint}): Required`);
 	}
 	lines.push("");
-	const exampleValue = generateExampleJson(inputSchema);
-	const exampleJson = JSON.stringify(exampleValue);
 	lines.push("Expected input:");
-	lines.push(`  $ keystroke workflows test "${workflowName}" --input '${exampleJson}'`);
+	lines.push(`  ${formatWorkflowTestExampleCommand(authoredWorkflowId, inputSchema)}`);
 	return lines.join("\n");
 }
 /**
 * Formats validation issues into a descriptive CLI message.
-*
-* Example output:
-*
-*   Invalid input for workflow "Addition"
-*
-*     num: Required
-*     num2: Required
-*
-*   Expected input:
-*     $ keystroke workflows test "Addition" --input '{"num":0,"num2":0}'
 */
-function formatValidationError(workflowName, issues, inputSchema) {
+function formatValidationError(authoredWorkflowId, issues, inputSchema) {
 	const lines = [];
-	lines.push(`Invalid input for workflow "${workflowName}"\n`);
+	lines.push(`Invalid input for workflow "${authoredWorkflowId}"\n`);
 	for (const issue of issues) {
 		const fieldPath = issue.path.length === 0 || issue.path.length === 1 && issue.path[0] === "" ? "(root)" : issue.path.join(".");
 		lines.push(`  ${fieldPath}: ${issue.message}`);
 	}
 	lines.push("");
-	const exampleValue = inputSchema != null && typeof inputSchema === "object" ? generateExampleJson(inputSchema) : null;
-	const exampleJson = JSON.stringify(exampleValue);
-	lines.push(`Expected input:`);
-	lines.push(`  $ keystroke workflows test "${workflowName}" --input '${exampleJson}'`);
+	lines.push("Expected input:");
+	lines.push(`  ${formatWorkflowTestExampleCommand(authoredWorkflowId, inputSchema)}`);
 	return lines.join("\n");
 }
 //#endregion
-export { resolveTypeHint as a, renderJsonSchema as i, formatValidationError as n, validateRequiredFields as o, isUnknownSchema as r, formatMissingInputError as t };
+export { isUnknownSchema as a, validateRequiredFields as c, formatWorkflowInputFlag as i, formatMissingInputError as n, renderJsonSchema as o, formatValidationError as r, resolveTypeHint as s, formatExampleInputJson as t };

package/dist/schemas-ClAIoIrX.mjs

@@ -0,0 +1,281 @@
+#!/usr/bin/env node
+
+import { z } from "zod";
+//#region ../../packages/core/src/shared/schema.ts
+const MAX_JSON_DEPTH = 20;
+function buildJsonValueSchema(depth) {
+	const primitives = z.union([
+		z.string(),
+		z.number(),
+		z.boolean(),
+		z.null()
+	]);
+	if (depth <= 0) return primitives;
+	const nested = buildJsonValueSchema(depth - 1);
+	return z.union([
+		primitives,
+		z.array(nested),
+		z.record(z.string(), nested)
+	]);
+}
+const jsonValueSchema = buildJsonValueSchema(MAX_JSON_DEPTH);
+const jsonSchemaObject = z.record(z.string(), jsonValueSchema);
+const anyZodSchemaSchema = z.custom((value) => value instanceof z.ZodType, "Expected a Zod schema");
+const zodObjectSchema = z.custom((value) => value instanceof z.ZodObject, "Expected a Zod object schema");
+/**
+* Creates a Zod schema that validates an object structurally by checking
+* for required properties. This avoids `instanceof` checks which fail
+* when class definitions are duplicated across bundle boundaries.
+*/
+function createStructuralSchema(requiredKeys, label) {
+	return z.custom((value) => value != null && (typeof value === "object" || typeof value === "function") && requiredKeys.every((key) => key in value), `Expected ${label}`);
+}
+function trimmedNonEmptyString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` });
+}
+/** Trimmed string with at least one character; no upper length limit. */
+function trimmedNonEmptyStringUnbounded(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` });
+}
+/**
+* Non-empty trimmed string restricted to URL-safe characters.
+* Use for IDs (workflow, step, etc.) that must be safe in URLs, env vars, and as object keys.
+*/
+function idNoSpacesString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` }).refine((s) => /^[a-zA-Z0-9_-]+$/.test(s), { error: `${fieldName} must only contain letters, numbers, hyphens, and underscores` });
+}
+/**
+* Non-empty trimmed string for credential definition ids.
+* Allows namespaced ids such as `keystroke:slack` plus letters, numbers,
+* hyphens, and underscores.
+*/
+function credentialSetIdString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` }).refine((s) => /^[a-zA-Z0-9_:-]+$/.test(s), { error: `${fieldName} must only contain letters, numbers, hyphens, underscores, and colons` });
+}
+function optionalTrimmedNonEmptyString(fieldName) {
+	return trimmedNonEmptyString(fieldName).optional();
+}
+function descriptionString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(1024, { error: `${fieldName} cannot exceed 1024 characters` });
+}
+function optionalDescriptionString(fieldName) {
+	return descriptionString(fieldName).optional();
+}
+//#endregion
+//#region ../../packages/core/src/credential-set/constants.ts
+/**
+* Shared constants for the credential/connection system.
+* Defined in core (bottom of dependency chain) so all packages can import them.
+*/
+const CREDENTIAL_EXPOSURES = {
+	"user-runtime": "user-runtime",
+	"platform-only": "platform-only"
+};
+//#endregion
+//#region ../../packages/core/src/credential-set/schemas.ts
+const credentialSetProxyInjectionSchema = z.object({
+	/** Substitute placeholder in HTTP headers (default: true). */
+	headers: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP Basic Auth credential (default: true). */
+	basicAuth: z.boolean().optional(),
+	/** Substitute placeholder in URL query params (default: false).
+	*  Use for APIs that authenticate via `?api_key=...` (Google Maps, OWM, etc.). */
+	queryParams: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP request body (default: false).
+	*  Use for form-encoded auth payloads (Stripe, AWS SigV4 query, etc.). */
+	body: z.boolean().optional()
+});
+const credentialSetProxyConfigSchema = z.object({
+	/** Exact-match host allowlist (forwarded to SecretBuilder.allowHost). */
+	hosts: z.array(z.string().min(1)).optional(),
+	/** Wildcard host allowlist (forwarded to SecretBuilder.allowHostPattern).
+	*  Example: `["*.browserbase.com"]` covers any subdomain. */
+	hostPatterns: z.array(z.string().min(1)).optional(),
+	/** Per-scope substitution toggles. Omit to use SDK defaults. */
+	injection: credentialSetProxyInjectionSchema.optional()
+});
+const onCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
+const credentialExposureSchema = z.enum([CREDENTIAL_EXPOSURES["user-runtime"], CREDENTIAL_EXPOSURES["platform-only"]]);
+const connectionMetadataConfigSchema = z.object({
+	id: credentialSetIdString("Credential connection id").optional(),
+	label: optionalTrimmedNonEmptyString("Credential connection label"),
+	description: optionalDescriptionString("Credential connection description"),
+	recommended: z.boolean().optional(),
+	advanced: z.boolean().optional(),
+	needsRawSecret: z.boolean().optional()
+});
+const connectionMetadataManifestSchema = connectionMetadataConfigSchema;
+const registeredDescriptorSchema = z.object({
+	id: trimmedNonEmptyString("Registered descriptor id"),
+	config: z.record(z.string(), z.unknown()).optional()
+});
+const registeredResolverDescriptorSchema = registeredDescriptorSchema.extend({ cacheMs: z.number().int().nonnegative().optional() });
+const manualConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("manual"),
+	input: zodObjectSchema.optional(),
+	instructions: z.string().min(1).optional(),
+	validate: z.function().optional()
+});
+const manualConnectionFieldManifestSchema = z.object({
+	key: z.string().min(1),
+	label: z.string().min(1),
+	description: z.string().min(1).optional(),
+	optional: z.boolean(),
+	secret: z.literal(true)
+});
+const manualConnectionConfigManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("manual"),
+	input: jsonSchemaObject.optional(),
+	fields: z.array(manualConnectionFieldManifestSchema).optional(),
+	generated: z.boolean().optional(),
+	instructions: z.string().min(1).optional()
+});
+/** Declarative form of `Vault` — strings typed against the credential set's
+* stored/auth schema keys at the {@link CredentialSetConfig} boundary; the Zod
+* schema here enforces non-empty strings only. `CredentialSet` itself performs
+* the schema-key membership check at construction time. */
+const vaultMappingSchema = z.object({
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+});
+/** Function form of `Vault` — an object pairing the access-token vault key
+*  (`accessTokenKey`) with the `build` function that computes the full vault
+*  write map. The explicit key keeps the disconnect path's revocation read
+*  reliable even when `build` transforms the access token. */
+const vaultMappingFnSchema = z.object({
+	accessTokenKey: z.string().min(1),
+	build: z.custom((val) => typeof val === "function", { message: "vault.build must be a function." })
+});
+/** Runtime shape of `Vault`. Accepts either the declarative mapping or the
+*  function-form object `{ accessTokenKey, build }`. */
+const vaultConfigSchema = z.union([vaultMappingSchema, vaultMappingFnSchema], { error: "vault must be a declarative mapping object or a `{ accessTokenKey, build }` object." });
+/** Manifest projection of `Vault` — declarative mappings serialize verbatim;
+* function-form mappings serialize as `{ kind: 'function', accessTokenKey }`
+* since closures are not manifest-safe but the access-token key is. */
+const vaultManifestSchema = z.discriminatedUnion("kind", [z.object({
+	kind: z.literal("declarative"),
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+}), z.object({
+	kind: z.literal("function"),
+	accessTokenKey: z.string().min(1)
+})]);
+const oauthConnectionConfigBaseSchema = z.object({
+	kind: z.literal("oauth"),
+	authUrl: z.string().url(),
+	tokenUrl: z.string().url(),
+	scopes: z.array(z.string()).readonly(),
+	revokeUrl: z.string().url().nullable().optional(),
+	tokenType: z.enum(["long-lived", "refreshable"]),
+	pkce: z.boolean().optional(),
+	/** Fallback token lifetime when the provider omits `expires_in`. Positive
+	*  integer seconds. Shared between config + manifest schemas (both extend
+	*  this base). */
+	defaultExpiresInSeconds: z.number().int().positive().optional()
+});
+const oauthConnectionConfigSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataConfigSchema.shape,
+	vault: vaultConfigSchema,
+	oauth: registeredDescriptorSchema.optional(),
+	buildAuthUrl: z.function().optional(),
+	exchangeCode: z.function().optional(),
+	refreshToken: z.function().optional(),
+	extractInstallationInfo: z.function().optional(),
+	validate: z.function().optional()
+});
+const oauthConnectionConfigManifestSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataManifestSchema.shape,
+	vault: vaultManifestSchema,
+	oauth: registeredDescriptorSchema.optional()
+});
+const credentialsExchangeConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("credentials-exchange"),
+	instructions: z.string().min(1).optional(),
+	input: zodObjectSchema
+}).extend({
+	exchange: z.function(),
+	rotate: z.function().optional(),
+	validate: z.function().optional()
+});
+/** Manifest projection of `CredentialsExchangeConnectionConfig` — only the
+*  declarative `input` schema (rendered as JSON Schema) and `instructions`
+*  copy survive serialization. The three hooks (`exchange`, `rotate`,
+*  `validate`) are runtime closures and are stripped. */
+const credentialsExchangeConnectionConfigManifestSchema = z.object({
+	kind: z.literal("credentials-exchange"),
+	...connectionMetadataManifestSchema.shape,
+	instructions: z.string().min(1).optional(),
+	input: jsonSchemaObject
+});
+const exchangeCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("exchange"),
+	input: zodObjectSchema,
+	exchange: registeredDescriptorSchema
+});
+const exchangeCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("exchange"),
+	input: jsonSchemaObject,
+	exchange: registeredDescriptorSchema
+});
+const dynamicCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("dynamic"),
+	input: zodObjectSchema.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const dynamicCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("dynamic"),
+	input: jsonSchemaObject.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const platformCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({ kind: z.literal("platform") });
+const platformCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({ kind: z.literal("platform") });
+const connectionConfigSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigSchema,
+	oauthConnectionConfigSchema,
+	credentialsExchangeConnectionConfigSchema,
+	exchangeCredentialConnectionConfigSchema,
+	dynamicCredentialConnectionConfigSchema,
+	platformCredentialConnectionConfigSchema
+]);
+/** Manifest projection of `ConnectionConfig` — declarative metadata only. */
+const connectionConfigManifestSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigManifestSchema,
+	oauthConnectionConfigManifestSchema,
+	credentialsExchangeConnectionConfigManifestSchema,
+	exchangeCredentialConnectionManifestSchema,
+	dynamicCredentialConnectionManifestSchema,
+	platformCredentialConnectionManifestSchema
+]);
+const CredentialSetManifestSchema = z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("credentialSet"),
+	id: credentialSetIdString("Credential set id"),
+	name: trimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: jsonSchemaObject,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigManifestSchema).optional()
+});
+z.object({
+	id: credentialSetIdString("Credential set id"),
+	name: optionalTrimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: zodObjectSchema,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigSchema).readonly().optional()
+});
+//#endregion
+export { descriptionString as a, optionalDescriptionString as c, trimmedNonEmptyStringUnbounded as d, createStructuralSchema as i, optionalTrimmedNonEmptyString as l, credentialSetProxyConfigSchema as n, idNoSpacesString as o, anyZodSchemaSchema as r, jsonSchemaObject as s, CredentialSetManifestSchema as t, trimmedNonEmptyString as u };

package/dist/{search-BEfy2fG9.mjs → search-BeQW_pf4.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
-import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-BlrSdFcu.mjs";
+import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-DnIFEmi5.mjs";
+import { t as createTypedCommand } from "./commander-C6SSTQJ2.mjs";
 import { z } from "zod";
 //#region src/commands/search/search.command.ts
 const SearchTypeValues = [
@@ -46,7 +46,7 @@ function createSearchCommand() {
 			description: "Search query (matches name and related fields per --type)",
 			key: "query"
 		},
-		loadHandler: async () => (await import("./search.handler-V7ObLGjN.mjs")).handleSearch
+		loadHandler: async () => (await import("./search.handler-BJ-ZlDL4.mjs")).handleSearch
 	});
 }
 //#endregion

package/dist/{search.handler-V7ObLGjN.mjs → search.handler-BJ-ZlDL4.mjs}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
-import { t as renderCredential } from "./render-credential-Bn15FEUC.mjs";
-import { n as formatPackageInstallCommand, t as detectPackageManager } from "./package-manager-DT1EhOkS.mjs";
-import { t as renderOperation } from "./render-operation-Bc7Wu1sP.mjs";
+import { p as ui } from "./keystroke.mjs";
+import { i as writeJson } from "./output-DnIFEmi5.mjs";
+import { i as requireClient } from "./context-ebZssGCY.mjs";
+import { t as renderCredential } from "./render-credential-D-H1ECDt.mjs";
+import { i as formatPackageInstallCommand, r as detectPackageManager } from "./package-manager-BP3-q8hh.mjs";
+import { t as renderOperation } from "./render-operation-VdEPhoII.mjs";
 //#region src/lib/render-integration.ts
 function renderIntegration(i, { full = false, packageManager } = {}) {
 	ui.br();

package/dist/{show.handler-C_VDYU91.mjs → show.handler-BrIHUH28.mjs}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
-import { n as formatPackageInstallCommand, t as detectPackageManager } from "./package-manager-DT1EhOkS.mjs";
+import { p as ui } from "./keystroke.mjs";
+import { i as writeJson } from "./output-DnIFEmi5.mjs";
+import { i as requireClient } from "./context-ebZssGCY.mjs";
+import { i as formatPackageInstallCommand, r as detectPackageManager } from "./package-manager-BP3-q8hh.mjs";
 //#region src/commands/integrations/show.handler.ts
 async function handleIntegrationShow(options, ctx) {
 	const client = requireClient(ctx);

package/dist/{show.handler-CsidInW8.mjs → show.handler-Cqe_hCqU.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
-import { i as renderJsonSchema } from "./schema-display-FvI8QjOQ.mjs";
-import { t as renderCredential } from "./render-credential-Bn15FEUC.mjs";
+import { p as ui } from "./keystroke.mjs";
+import { i as writeJson } from "./output-DnIFEmi5.mjs";
+import { i as requireClient } from "./context-ebZssGCY.mjs";
+import { o as renderJsonSchema } from "./schema-display-sZ6ConJd.mjs";
+import { t as renderCredential } from "./render-credential-D-H1ECDt.mjs";
 //#region src/commands/credentials/definitions/show.handler.ts
 async function handleCredentialDefinitionShow(options, ctx) {
 	const { credential } = await requireClient(ctx).credentials.definitions.get(options.id);

package/dist/{show.handler-Wmv0tkxx.mjs → show.handler-DB8xl5FU.mjs}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
-import { i as renderJsonSchema } from "./schema-display-FvI8QjOQ.mjs";
-import { t as detectPackageManager } from "./package-manager-DT1EhOkS.mjs";
-import { t as renderOperation } from "./render-operation-Bc7Wu1sP.mjs";
+import { p as ui } from "./keystroke.mjs";
+import { i as writeJson } from "./output-DnIFEmi5.mjs";
+import { i as requireClient } from "./context-ebZssGCY.mjs";
+import { o as renderJsonSchema } from "./schema-display-sZ6ConJd.mjs";
+import { r as detectPackageManager } from "./package-manager-BP3-q8hh.mjs";
+import { t as renderOperation } from "./render-operation-VdEPhoII.mjs";
 //#region src/commands/operations/show.handler.ts
 async function handleOperationShow(options, ctx) {
 	const { operation } = await requireClient(ctx).operations.get(options.id);

package/dist/{skill-installer-D6j9IA3Z.mjs → skill-installer-DuMhavmM.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { D as CliExitError, a as ui } from "./keystroke.mjs";
+import { k as CliExitError, p as ui } from "./keystroke.mjs";
 import { createRequire } from "node:module";
 import path from "node:path";
 import { access, cp, mkdir, readFile, readdir, rm, symlink, writeFile } from "node:fs/promises";
@@ -487,6 +487,8 @@ async function resolveSkillInstallChoices(options) {
 //#region src/lib/skill-installer/summary.ts
 function summarizeSkillInstall(result, verb) {
 	ui.success(`${verb} ${result.skills.length} Keystroke skill(s) to ${result.canonicalDir}: ${result.skills.join(", ")}`);
+	const universalCanonicalAgents = result.agentTargets.filter((target) => target.slug !== "universal" && target.action === "canonical");
+	if (universalCanonicalAgents.length > 0) ui.hint(`${universalCanonicalAgents.map((target) => target.label).join(", ")} read skills from ${result.canonicalDir} (no separate agent skill folder).`);
 	const additionalTargets = result.agentTargets.filter((target) => target.action !== "canonical");
 	if (additionalTargets.length > 0) ui.success(`Provisioned ${additionalTargets.length} agent target(s): ${additionalTargets.map((target) => `${target.label} (${target.path}, ${target.action})`).join(", ")}`);
 	const changedGuidance = result.guidanceFiles.filter((file) => file.action !== "skipped");