@keystrokehq/cli 0.0.32 → 0.0.38

package/dist/schemas-ClAIoIrX.mjs

@@ -0,0 +1,281 @@
+#!/usr/bin/env node
+
+import { z } from "zod";
+//#region ../../packages/core/src/shared/schema.ts
+const MAX_JSON_DEPTH = 20;
+function buildJsonValueSchema(depth) {
+	const primitives = z.union([
+		z.string(),
+		z.number(),
+		z.boolean(),
+		z.null()
+	]);
+	if (depth <= 0) return primitives;
+	const nested = buildJsonValueSchema(depth - 1);
+	return z.union([
+		primitives,
+		z.array(nested),
+		z.record(z.string(), nested)
+	]);
+}
+const jsonValueSchema = buildJsonValueSchema(MAX_JSON_DEPTH);
+const jsonSchemaObject = z.record(z.string(), jsonValueSchema);
+const anyZodSchemaSchema = z.custom((value) => value instanceof z.ZodType, "Expected a Zod schema");
+const zodObjectSchema = z.custom((value) => value instanceof z.ZodObject, "Expected a Zod object schema");
+/**
+* Creates a Zod schema that validates an object structurally by checking
+* for required properties. This avoids `instanceof` checks which fail
+* when class definitions are duplicated across bundle boundaries.
+*/
+function createStructuralSchema(requiredKeys, label) {
+	return z.custom((value) => value != null && (typeof value === "object" || typeof value === "function") && requiredKeys.every((key) => key in value), `Expected ${label}`);
+}
+function trimmedNonEmptyString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` });
+}
+/** Trimmed string with at least one character; no upper length limit. */
+function trimmedNonEmptyStringUnbounded(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` });
+}
+/**
+* Non-empty trimmed string restricted to URL-safe characters.
+* Use for IDs (workflow, step, etc.) that must be safe in URLs, env vars, and as object keys.
+*/
+function idNoSpacesString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` }).refine((s) => /^[a-zA-Z0-9_-]+$/.test(s), { error: `${fieldName} must only contain letters, numbers, hyphens, and underscores` });
+}
+/**
+* Non-empty trimmed string for credential definition ids.
+* Allows namespaced ids such as `keystroke:slack` plus letters, numbers,
+* hyphens, and underscores.
+*/
+function credentialSetIdString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(255, { error: `${fieldName} cannot exceed 255 characters` }).refine((s) => /^[a-zA-Z0-9_:-]+$/.test(s), { error: `${fieldName} must only contain letters, numbers, hyphens, underscores, and colons` });
+}
+function optionalTrimmedNonEmptyString(fieldName) {
+	return trimmedNonEmptyString(fieldName).optional();
+}
+function descriptionString(fieldName) {
+	return z.string().trim().min(1, { error: `${fieldName} cannot be empty` }).max(1024, { error: `${fieldName} cannot exceed 1024 characters` });
+}
+function optionalDescriptionString(fieldName) {
+	return descriptionString(fieldName).optional();
+}
+//#endregion
+//#region ../../packages/core/src/credential-set/constants.ts
+/**
+* Shared constants for the credential/connection system.
+* Defined in core (bottom of dependency chain) so all packages can import them.
+*/
+const CREDENTIAL_EXPOSURES = {
+	"user-runtime": "user-runtime",
+	"platform-only": "platform-only"
+};
+//#endregion
+//#region ../../packages/core/src/credential-set/schemas.ts
+const credentialSetProxyInjectionSchema = z.object({
+	/** Substitute placeholder in HTTP headers (default: true). */
+	headers: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP Basic Auth credential (default: true). */
+	basicAuth: z.boolean().optional(),
+	/** Substitute placeholder in URL query params (default: false).
+	*  Use for APIs that authenticate via `?api_key=...` (Google Maps, OWM, etc.). */
+	queryParams: z.boolean().optional(),
+	/** Substitute placeholder in the HTTP request body (default: false).
+	*  Use for form-encoded auth payloads (Stripe, AWS SigV4 query, etc.). */
+	body: z.boolean().optional()
+});
+const credentialSetProxyConfigSchema = z.object({
+	/** Exact-match host allowlist (forwarded to SecretBuilder.allowHost). */
+	hosts: z.array(z.string().min(1)).optional(),
+	/** Wildcard host allowlist (forwarded to SecretBuilder.allowHostPattern).
+	*  Example: `["*.browserbase.com"]` covers any subdomain. */
+	hostPatterns: z.array(z.string().min(1)).optional(),
+	/** Per-scope substitution toggles. Omit to use SDK defaults. */
+	injection: credentialSetProxyInjectionSchema.optional()
+});
+const onCredentialRevokedSchema = z.enum(["fail", "retry-once"]);
+const credentialExposureSchema = z.enum([CREDENTIAL_EXPOSURES["user-runtime"], CREDENTIAL_EXPOSURES["platform-only"]]);
+const connectionMetadataConfigSchema = z.object({
+	id: credentialSetIdString("Credential connection id").optional(),
+	label: optionalTrimmedNonEmptyString("Credential connection label"),
+	description: optionalDescriptionString("Credential connection description"),
+	recommended: z.boolean().optional(),
+	advanced: z.boolean().optional(),
+	needsRawSecret: z.boolean().optional()
+});
+const connectionMetadataManifestSchema = connectionMetadataConfigSchema;
+const registeredDescriptorSchema = z.object({
+	id: trimmedNonEmptyString("Registered descriptor id"),
+	config: z.record(z.string(), z.unknown()).optional()
+});
+const registeredResolverDescriptorSchema = registeredDescriptorSchema.extend({ cacheMs: z.number().int().nonnegative().optional() });
+const manualConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("manual"),
+	input: zodObjectSchema.optional(),
+	instructions: z.string().min(1).optional(),
+	validate: z.function().optional()
+});
+const manualConnectionFieldManifestSchema = z.object({
+	key: z.string().min(1),
+	label: z.string().min(1),
+	description: z.string().min(1).optional(),
+	optional: z.boolean(),
+	secret: z.literal(true)
+});
+const manualConnectionConfigManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("manual"),
+	input: jsonSchemaObject.optional(),
+	fields: z.array(manualConnectionFieldManifestSchema).optional(),
+	generated: z.boolean().optional(),
+	instructions: z.string().min(1).optional()
+});
+/** Declarative form of `Vault` — strings typed against the credential set's
+* stored/auth schema keys at the {@link CredentialSetConfig} boundary; the Zod
+* schema here enforces non-empty strings only. `CredentialSet` itself performs
+* the schema-key membership check at construction time. */
+const vaultMappingSchema = z.object({
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+});
+/** Function form of `Vault` — an object pairing the access-token vault key
+*  (`accessTokenKey`) with the `build` function that computes the full vault
+*  write map. The explicit key keeps the disconnect path's revocation read
+*  reliable even when `build` transforms the access token. */
+const vaultMappingFnSchema = z.object({
+	accessTokenKey: z.string().min(1),
+	build: z.custom((val) => typeof val === "function", { message: "vault.build must be a function." })
+});
+/** Runtime shape of `Vault`. Accepts either the declarative mapping or the
+*  function-form object `{ accessTokenKey, build }`. */
+const vaultConfigSchema = z.union([vaultMappingSchema, vaultMappingFnSchema], { error: "vault must be a declarative mapping object or a `{ accessTokenKey, build }` object." });
+/** Manifest projection of `Vault` — declarative mappings serialize verbatim;
+* function-form mappings serialize as `{ kind: 'function', accessTokenKey }`
+* since closures are not manifest-safe but the access-token key is. */
+const vaultManifestSchema = z.discriminatedUnion("kind", [z.object({
+	kind: z.literal("declarative"),
+	accessToken: z.string().min(1),
+	refreshToken: z.string().min(1).optional(),
+	instanceUrl: z.string().min(1).optional(),
+	raw: z.record(z.string().min(1), z.string().min(1)).optional()
+}), z.object({
+	kind: z.literal("function"),
+	accessTokenKey: z.string().min(1)
+})]);
+const oauthConnectionConfigBaseSchema = z.object({
+	kind: z.literal("oauth"),
+	authUrl: z.string().url(),
+	tokenUrl: z.string().url(),
+	scopes: z.array(z.string()).readonly(),
+	revokeUrl: z.string().url().nullable().optional(),
+	tokenType: z.enum(["long-lived", "refreshable"]),
+	pkce: z.boolean().optional(),
+	/** Fallback token lifetime when the provider omits `expires_in`. Positive
+	*  integer seconds. Shared between config + manifest schemas (both extend
+	*  this base). */
+	defaultExpiresInSeconds: z.number().int().positive().optional()
+});
+const oauthConnectionConfigSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataConfigSchema.shape,
+	vault: vaultConfigSchema,
+	oauth: registeredDescriptorSchema.optional(),
+	buildAuthUrl: z.function().optional(),
+	exchangeCode: z.function().optional(),
+	refreshToken: z.function().optional(),
+	extractInstallationInfo: z.function().optional(),
+	validate: z.function().optional()
+});
+const oauthConnectionConfigManifestSchema = oauthConnectionConfigBaseSchema.extend({
+	...connectionMetadataManifestSchema.shape,
+	vault: vaultManifestSchema,
+	oauth: registeredDescriptorSchema.optional()
+});
+const credentialsExchangeConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("credentials-exchange"),
+	instructions: z.string().min(1).optional(),
+	input: zodObjectSchema
+}).extend({
+	exchange: z.function(),
+	rotate: z.function().optional(),
+	validate: z.function().optional()
+});
+/** Manifest projection of `CredentialsExchangeConnectionConfig` — only the
+*  declarative `input` schema (rendered as JSON Schema) and `instructions`
+*  copy survive serialization. The three hooks (`exchange`, `rotate`,
+*  `validate`) are runtime closures and are stripped. */
+const credentialsExchangeConnectionConfigManifestSchema = z.object({
+	kind: z.literal("credentials-exchange"),
+	...connectionMetadataManifestSchema.shape,
+	instructions: z.string().min(1).optional(),
+	input: jsonSchemaObject
+});
+const exchangeCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("exchange"),
+	input: zodObjectSchema,
+	exchange: registeredDescriptorSchema
+});
+const exchangeCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("exchange"),
+	input: jsonSchemaObject,
+	exchange: registeredDescriptorSchema
+});
+const dynamicCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({
+	kind: z.literal("dynamic"),
+	input: zodObjectSchema.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const dynamicCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({
+	kind: z.literal("dynamic"),
+	input: jsonSchemaObject.optional(),
+	resolver: registeredResolverDescriptorSchema
+});
+const platformCredentialConnectionConfigSchema = connectionMetadataConfigSchema.extend({ kind: z.literal("platform") });
+const platformCredentialConnectionManifestSchema = connectionMetadataManifestSchema.extend({ kind: z.literal("platform") });
+const connectionConfigSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigSchema,
+	oauthConnectionConfigSchema,
+	credentialsExchangeConnectionConfigSchema,
+	exchangeCredentialConnectionConfigSchema,
+	dynamicCredentialConnectionConfigSchema,
+	platformCredentialConnectionConfigSchema
+]);
+/** Manifest projection of `ConnectionConfig` — declarative metadata only. */
+const connectionConfigManifestSchema = z.discriminatedUnion("kind", [
+	manualConnectionConfigManifestSchema,
+	oauthConnectionConfigManifestSchema,
+	credentialsExchangeConnectionConfigManifestSchema,
+	exchangeCredentialConnectionManifestSchema,
+	dynamicCredentialConnectionManifestSchema,
+	platformCredentialConnectionManifestSchema
+]);
+const CredentialSetManifestSchema = z.object({
+	manifestVersion: z.literal(1),
+	type: z.literal("credentialSet"),
+	id: credentialSetIdString("Credential set id"),
+	name: trimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: jsonSchemaObject,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	/** Policy when a step throws `CredentialRevokedError` against this credential set. */
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigManifestSchema).optional()
+});
+z.object({
+	id: credentialSetIdString("Credential set id"),
+	name: optionalTrimmedNonEmptyString("Credential set name"),
+	description: optionalDescriptionString("Credential set description"),
+	auth: zodObjectSchema,
+	exposure: credentialExposureSchema.optional(),
+	proxy: credentialSetProxyConfigSchema.optional(),
+	/** When true, resolved values are passed into execution as raw secrets (no ref-token proxy). */
+	needsRawSecret: z.boolean().optional(),
+	onCredentialRevoked: onCredentialRevokedSchema.optional(),
+	connections: z.array(connectionConfigSchema).readonly().optional()
+});
+//#endregion
+export { descriptionString as a, optionalDescriptionString as c, trimmedNonEmptyStringUnbounded as d, createStructuralSchema as i, optionalTrimmedNonEmptyString as l, credentialSetProxyConfigSchema as n, idNoSpacesString as o, anyZodSchemaSchema as r, jsonSchemaObject as s, CredentialSetManifestSchema as t, trimmedNonEmptyString as u };

package/dist/{search-CA0J5NOY.mjs → search-CQMgdp51.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
-import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-BlrSdFcu.mjs";
+import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BPydP5tG.mjs";
+import { t as createTypedCommand } from "./commander-B_8QwPpe.mjs";
 import { z } from "zod";
 //#region src/commands/search/search.command.ts
 const SearchTypeValues = [
@@ -46,7 +46,7 @@ function createSearchCommand() {
 			description: "Search query (matches name and related fields per --type)",
 			key: "query"
 		},
-		loadHandler: async () => (await import("./search.handler-BVDsYZlJ.mjs")).handleSearch
+		loadHandler: async () => (await import("./search.handler-Dn5jjyF-.mjs")).handleSearch
 	});
 }
 //#endregion

package/dist/{search.handler-BVDsYZlJ.mjs → search.handler-Dn5jjyF-.mjs}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
-import { t as renderCredential } from "./render-credential-Bn15FEUC.mjs";
-import { n as detectPackageManager, r as formatPackageInstallCommand } from "./package-manager-CvY4IW7X.mjs";
-import { t as renderOperation } from "./render-operation-DWbMwhfc.mjs";
+import { p as ui } from "./keystroke.mjs";
+import { i as writeJson } from "./output-BPydP5tG.mjs";
+import { i as requireClient } from "./context-Brc9VGV9.mjs";
+import { t as renderCredential } from "./render-credential-D-H1ECDt.mjs";
+import { i as formatPackageInstallCommand, r as detectPackageManager } from "./package-manager-BwJ6muas.mjs";
+import { t as renderOperation } from "./render-operation-iF7Wblv2.mjs";
 //#region src/lib/render-integration.ts
 function renderIntegration(i, { full = false, packageManager } = {}) {
 	ui.br();

package/dist/show.handler-CdZF0aao.mjs

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+
+import { P as throwReportedCliExit, S as toErrorMessage, b as isAuthError, g as REAUTH_HINT, p as ui, v as getApiErrorMessage, x as isNetworkError, y as getHttpStatus } from "./keystroke.mjs";
+import { a as writeJsonError, i as writeJson } from "./output-BPydP5tG.mjs";
+import { i as requireClient } from "./context-Brc9VGV9.mjs";
+import { i as formatPackageInstallCommand, r as detectPackageManager } from "./package-manager-BwJ6muas.mjs";
+//#region src/commands/integrations/show.handler.ts
+async function reportIntegrationShowFailure(ctx, integrationId, error) {
+	if (getHttpStatus(error) === 404) {
+		const message = await getApiErrorMessage(error) ?? `Integration "${integrationId}" was not found.`;
+		if (ctx.jsonMode) writeJsonError(message, {
+			code: "NOT_FOUND",
+			cause: error
+		});
+		else ui.error(message);
+		throwReportedCliExit(message, { cause: error });
+	}
+	if (isAuthError(error)) {
+		const message = `Not authenticated. ${REAUTH_HINT}`;
+		if (ctx.jsonMode) writeJsonError(message, {
+			code: "AUTH_ERROR",
+			hint: REAUTH_HINT,
+			cause: error
+		});
+		else ui.error(message);
+		throwReportedCliExit(message, { cause: error });
+	}
+	if (isNetworkError(error)) {
+		const url = ctx.baseUrl ?? "the Keystroke server";
+		const message = `Could not reach ${url} to load integration "${integrationId}".`;
+		const hint = `Check that your local services are running and that the CLI is pointed at ${url}.`;
+		if (ctx.jsonMode) writeJsonError(message, {
+			code: "NETWORK_ERROR",
+			hint,
+			cause: error
+		});
+		else {
+			ui.error(message);
+			ui.hint(hint);
+		}
+		throwReportedCliExit(message, { cause: error });
+	}
+	const message = `Failed to load integration "${integrationId}": ${toErrorMessage(error)}`;
+	if (ctx.jsonMode) writeJsonError(message, {
+		code: "INTEGRATION_SHOW_FAILED",
+		cause: error
+	});
+	else ui.error(message);
+	throwReportedCliExit(message, { cause: error });
+}
+async function handleIntegrationShow(options, ctx) {
+	const client = requireClient(ctx);
+	const integrationId = options.id;
+	try {
+		const [integration, operations] = await Promise.all([client.integrations.get(integrationId), client.integrations.listOperations(integrationId)]);
+		if (ctx.jsonMode) {
+			writeJson({
+				integration: integration.integration,
+				operations: operations.operations
+			});
+			return;
+		}
+		const entry = integration.integration;
+		const packageManager = detectPackageManager();
+		const npmPackageName = entry.npmPackageName ?? `@keystrokehq/${entry.publicId}`;
+		ui.text(entry.publicId);
+		ui.text(`  ${entry.name}`);
+		if (entry.description) ui.text(`  ${entry.description}`);
+		ui.text(`  install: ${formatPackageInstallCommand(npmPackageName, { packageManager })}`);
+		ui.text(`  operations (${operations.operations.length}):`);
+		for (const op of operations.operations) ui.text(`    ${op.id}  —  ${op.name}`);
+		ui.br();
+		ui.hint(`Usage examples are in ${entry.npmPackageName ?? `@keystrokehq/${entry.publicId}`}'s TSDoc — open in your IDE for hover docs.`);
+	} catch (error) {
+		await reportIntegrationShowFailure(ctx, integrationId, error);
+	}
+}
+//#endregion
+export { handleIntegrationShow };

package/dist/{show.handler-CsidInW8.mjs → show.handler-D3nDc1MJ.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
-import { i as renderJsonSchema } from "./schema-display-FvI8QjOQ.mjs";
-import { t as renderCredential } from "./render-credential-Bn15FEUC.mjs";
+import { p as ui } from "./keystroke.mjs";
+import { i as writeJson } from "./output-BPydP5tG.mjs";
+import { i as requireClient } from "./context-Brc9VGV9.mjs";
+import { o as renderJsonSchema } from "./schema-display-sZ6ConJd.mjs";
+import { t as renderCredential } from "./render-credential-D-H1ECDt.mjs";
 //#region src/commands/credentials/definitions/show.handler.ts
 async function handleCredentialDefinitionShow(options, ctx) {
 	const { credential } = await requireClient(ctx).credentials.definitions.get(options.id);

package/dist/{show.handler-CwwnCmbp.mjs → show.handler-DUDxnNiZ.mjs}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
-import { a as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BWcVRt-T.mjs";
-import { i as requireClient } from "./context-sgKhRc5v.mjs";
-import { i as renderJsonSchema } from "./schema-display-FvI8QjOQ.mjs";
-import { n as detectPackageManager } from "./package-manager-CvY4IW7X.mjs";
-import { t as renderOperation } from "./render-operation-DWbMwhfc.mjs";
+import { p as ui } from "./keystroke.mjs";
+import { i as writeJson } from "./output-BPydP5tG.mjs";
+import { i as requireClient } from "./context-Brc9VGV9.mjs";
+import { o as renderJsonSchema } from "./schema-display-sZ6ConJd.mjs";
+import { r as detectPackageManager } from "./package-manager-BwJ6muas.mjs";
+import { t as renderOperation } from "./render-operation-iF7Wblv2.mjs";
 //#region src/commands/operations/show.handler.ts
 async function handleOperationShow(options, ctx) {
 	const { operation } = await requireClient(ctx).operations.get(options.id);

package/dist/{skill-installer-DG8kTaQR.mjs → skill-installer-DYNH_MJT.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { D as CliExitError, a as ui } from "./keystroke.mjs";
+import { A as CliExitError, p as ui } from "./keystroke.mjs";
 import { createRequire } from "node:module";
 import path from "node:path";
 import { access, cp, mkdir, readFile, readdir, rm, symlink, writeFile } from "node:fs/promises";
@@ -487,6 +487,8 @@ async function resolveSkillInstallChoices(options) {
 //#region src/lib/skill-installer/summary.ts
 function summarizeSkillInstall(result, verb) {
 	ui.success(`${verb} ${result.skills.length} Keystroke skill(s) to ${result.canonicalDir}: ${result.skills.join(", ")}`);
+	const universalCanonicalAgents = result.agentTargets.filter((target) => target.slug !== "universal" && target.action === "canonical");
+	if (universalCanonicalAgents.length > 0) ui.hint(`${universalCanonicalAgents.map((target) => target.label).join(", ")} read skills from ${result.canonicalDir} (no separate agent skill folder).`);
 	const additionalTargets = result.agentTargets.filter((target) => target.action !== "canonical");
 	if (additionalTargets.length > 0) ui.success(`Provisioned ${additionalTargets.length} agent target(s): ${additionalTargets.map((target) => `${target.label} (${target.path}, ${target.action})`).join(", ")}`);
 	const changedGuidance = result.guidanceFiles.filter((file) => file.action !== "skipped");

package/dist/{skills-sync.handler-yRmi3OgP.mjs → skills-sync.handler-_LVhIMRH.mjs}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 
-import { D as CliExitError, a as ui } from "./keystroke.mjs";
-import { i as writeJson, r as isJsonMode } from "./output-BWcVRt-T.mjs";
-import { i as UnknownSkillAgentError, n as resolveSkillInstallChoices, r as installKeystrokeAgentSkills, t as summarizeSkillInstall } from "./skill-installer-DG8kTaQR.mjs";
+import { A as CliExitError } from "./keystroke.mjs";
+import { a as writeJsonError, i as writeJson, r as isJsonMode } from "./output-BPydP5tG.mjs";
+import { i as UnknownSkillAgentError, n as resolveSkillInstallChoices, r as installKeystrokeAgentSkills, t as summarizeSkillInstall } from "./skill-installer-DYNH_MJT.mjs";
 import path from "node:path";
 //#region src/commands/skills/skills-sync.handler.ts
 async function handleSkillsSync(options, _ctx) {
@@ -12,7 +12,7 @@ async function handleSkillsSync(options, _ctx) {
 		const choices = await resolveSkillInstallChoices({
 			agentSlugs: options.agent,
 			method: options.method,
-			interactive: process.stdin.isTTY && !isJsonMode(options)
+			interactive: Boolean(process.stdin.isTTY) && !isJsonMode(options)
 		});
 		result = await installKeystrokeAgentSkills({
 			projectDir,
@@ -20,7 +20,13 @@ async function handleSkillsSync(options, _ctx) {
 			method: choices.method
 		});
 	} catch (error) {
-		if (error instanceof UnknownSkillAgentError) throw new CliExitError(error.message, { cause: error });
+		if (error instanceof UnknownSkillAgentError) {
+			if (isJsonMode(options)) writeJsonError(error.message, {
+				code: "UNKNOWN_AGENT",
+				cause: error
+			});
+			throw new CliExitError(error.message, { cause: error });
+		}
 		throw error;
 	}
 	if (isJsonMode(options)) {
@@ -40,8 +46,8 @@ async function handleSkillsSync(options, _ctx) {
 		summarizeSkillInstall(result, "Synced");
 		return;
 	}
-	if (result.reason === "not_installed") throw new CliExitError("Could not resolve @keystrokehq/skills from this project or the installed CLI. Reinstall the CLI or add @keystrokehq/skills to devDependencies, run install, then run `keystroke skills sync`.", { exitCode: 1 });
-	ui.warn(`@keystrokehq/skills is installed at ${result.packageRoot} but no skill directories with SKILL.md were found.`);
+	if (result.reason === "not_installed") throw new CliExitError("Could not resolve @keystrokehq/skills from the installed CLI. Reinstall the CLI, then run `keystroke skills sync`.", { exitCode: 1 });
+	throw new CliExitError(`@keystrokehq/skills is installed at ${result.packageRoot} but no skill directories with SKILL.md were found.`, { exitCode: 1 });
 }
 //#endregion
 export { handleSkillsSync };

package/dist/{skills.command-COYd3k4Z.mjs → skills.command-DSHGwXPX.mjs}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 
-import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BWcVRt-T.mjs";
-import { t as createTypedCommand } from "./commander-BlrSdFcu.mjs";
-import { t as SKILL_INSTALL_METHODS } from "./types-AlA-ifK9.mjs";
+import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BPydP5tG.mjs";
+import { t as createTypedCommand } from "./commander-B_8QwPpe.mjs";
+import { t as SKILL_INSTALL_METHODS } from "./types-Cb0eWmUU.mjs";
 import { z } from "zod";
 //#region src/commands/skills/skills.command.ts
 const SkillsCommandOptionsSchema = JsonOptionSchema.extend({
@@ -32,13 +32,13 @@ function createSkillsCommand() {
 		description: "Sync Keystroke agent skills (SKILL.md) from @keystrokehq/skills",
 		schema: SkillsCommandOptionsSchema,
 		optionsConfig: SKILLS_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./skills.handler-DYIQK0Vu.mjs")).handleSkillsParent,
+		loadHandler: async () => (await import("./skills.handler-DqLXJepA.mjs")).handleSkillsParent,
 		subcommands: [createTypedCommand({
 			name: "sync",
 			description: "Install bundled Keystroke skills into selected agent skill directories",
 			schema: SkillsCommandOptionsSchema,
 			optionsConfig: SKILLS_OPTIONS_CONFIG,
-			loadHandler: async () => (await import("./skills-sync.handler-yRmi3OgP.mjs")).handleSkillsSync
+			loadHandler: async () => (await import("./skills-sync.handler-_LVhIMRH.mjs")).handleSkillsSync
 		})]
 	});
 	cmd.enablePositionalOptions();

package/dist/skills.handler-DqLXJepA.mjs

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+
+import { p as ui } from "./keystroke.mjs";
+//#region src/commands/skills/skills.handler.ts
+async function handleSkillsParent(_options, _ctx) {
+	ui.hint("Run `keystroke skills sync` to refresh bundled skills in `.agents/skills`, or `keystroke skills sync --agent claude-code --method symlink` for agent-specific folders.");
+}
+//#endregion
+export { handleSkillsParent };

package/dist/{spinner-progress-lrKDs4YF.mjs → spinner-progress-fLaD0sjH.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { F as originalConsole, P as logger, n as style, r as isTTY, t as ANSI } from "./keystroke.mjs";
+import { L as logger, R as originalConsole, n as style, r as isTTY, t as ANSI } from "./keystroke.mjs";
 import { writeSync } from "node:fs";
 import { Worker } from "node:worker_threads";
 //#region src/lib/spinner-progress.ts

package/dist/status.handler-1hEzX5oB.mjs

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+
+import { g as REAUTH_HINT, h as AUTH_HINT, p as ui } from "./keystroke.mjs";
+import { a as getApiKeyValidationStatus, c as resolveEffectiveOrganization, i as formatOrgSourceLabel, t as ORG_CONTEXT_HINT } from "./org-context-CNh2p2DP.mjs";
+//#region src/commands/auth/status.handler.ts
+async function getLiveUser(ctx, validation) {
+	if (!ctx.client || validation.kind !== "valid") return;
+	try {
+		const { user } = await ctx.client.users.getMe();
+		return user;
+	} catch {
+		return;
+	}
+}
+function printOrganization(effective) {
+	if (!effective) {
+		ui.warn(`No organization set. ${ORG_CONTEXT_HINT}`);
+		return;
+	}
+	if (effective.name) {
+		ui.text(`Current organization: ${effective.name}`);
+		return;
+	}
+	ui.text(`Current organization: ${effective.organizationId}`);
+}
+function printValidationStatus(validation) {
+	switch (validation.kind) {
+		case "valid":
+			ui.success("API key is valid.");
+			ui.hint(`Key ID: ${validation.apiKeyId}`);
+			return;
+		case "invalid":
+			ui.warn("Saved API key is invalid or expired.");
+			ui.hint(REAUTH_HINT);
+			ui.hint(`Validation error: ${validation.message}`);
+			return;
+		case "unavailable":
+			ui.warn(validation.reason === "network" ? "Could not reach the API to verify the saved API key." : "Could not verify the saved API key right now.");
+			ui.hint(`Validation error: ${validation.message}`);
+			return;
+		case "not_authenticated":
+			ui.warn(`Not authenticated. ${AUTH_HINT}`);
+			return;
+	}
+}
+function printCredentialStorage(ctx) {
+	if (ctx.credentialReadError) {
+		ui.warn("Saved credentials could not be read.");
+		ui.hint(`Credential read error: ${ctx.credentialReadError}`);
+		return;
+	}
+	if (ctx.storedOrgs.length === 0) return;
+	ui.hint(`Credentials: ${ctx.credentialStorageInfo.credentialsFilePath}`);
+}
+async function handleAuthStatus(_options, ctx) {
+	const validation = await getApiKeyValidationStatus(ctx);
+	const liveUser = await getLiveUser(ctx, validation);
+	const effective = await resolveEffectiveOrganization(ctx, liveUser?.organizations ?? []);
+	const userEmail = liveUser?.email ?? ctx.storedUser?.email;
+	ui.header("Keystroke CLI auth status");
+	if (userEmail) ui.text(`Signed in as: ${userEmail}`);
+	else if (validation.kind === "not_authenticated") ui.hint("No saved user identity found.");
+	else ui.warn("Signed-in user could not be determined from saved credentials.");
+	printOrganization(effective);
+	if (effective?.source) ui.hint(`Source: ${formatOrgSourceLabel(effective.source)}`);
+	else if (ctx.orgSource) ui.hint(`Source: ${formatOrgSourceLabel(ctx.orgSource)}`);
+	printValidationStatus(validation);
+	if (ctx.baseUrl) ui.hint(`API URL: ${ctx.baseUrl}`);
+	printCredentialStorage(ctx);
+}
+//#endregion
+export { handleAuthStatus };