@keystrokehq/cli 0.0.38 → 0.0.40

package/dist/{connect.handler-D6JzuFuT.mjs → connect.handler-BsMTctjd.mjs}

@@ -1,45 +1,14 @@
 #!/usr/bin/env node
 
-import { P as throwReportedCliExit, S as toErrorMessage, h as AUTH_HINT, p as ui, x as isNetworkError } from "./keystroke.mjs";
-import { t as assertWorkflowProjectRoot } from "./project-config-DudGRFPO.mjs";
-import { i as writeJson } from "./output-BPydP5tG.mjs";
-import { n as resolveWorkflowsDir } from "./resolve-project-CoCN9xfi.mjs";
-import { t as openBrowser } from "./browser-Dvv5OQrt.mjs";
-import { i as InitiateConnectionResponseSchema, n as ConnectionStatusResponseSchema, r as InitiateConnectionRequestSchema } from "./api-sWkB_Wta.mjs";
-import { t as getIntegrationCatalog } from "./integration-catalog-mZs6EAlN.mjs";
-//#region src/commands/connect/connect.handler.ts
-function formatIntegrationLabel(catalog, integrationId) {
-	return catalog.lookupByPublicId(integrationId)?.name ?? integrationId;
-}
-function formatConnectionLabel(connection) {
-	return connection.label ?? connection.id;
-}
-function formatConnectionFlags(connection) {
-	const flags = [connection.recommended === true ? "recommended" : null, connection.advanced === true ? "advanced" : null].filter((flag) => flag !== null);
-	return flags.length > 0 ? `, ${flags.join(", ")}` : "";
-}
-function availableOAuthConnectionHint(connections) {
-	const oauthConnections = connections?.filter((connection) => connection.kind === "oauth") ?? [];
-	if (oauthConnections.length === 0) return "Run `keystroke integrations list --kind oauth` to see integrations with OAuth connection paths.";
-	return `Available OAuth connection IDs: ${oauthConnections.map((connection) => `${connection.id}${connection.recommended ? " (recommended)" : ""}`).join(", ")}.`;
-}
-function selectOAuthConnection(params) {
-	const { catalogEntry, requestedCredentialConnectionId, ctx, integrationId } = params;
-	const connections = catalogEntry?.connections ?? [];
-	if (requestedCredentialConnectionId) {
-		const selected = connections.find((connection) => connection.id === requestedCredentialConnectionId);
-		if (!selected) exitWithError(ctx, `Credential connection "${requestedCredentialConnectionId}" is not defined for "${integrationId}".`, {
-			code: "UNKNOWN_CREDENTIAL_CONNECTION",
-			hint: availableOAuthConnectionHint(connections)
-		});
-		if (selected.kind !== "oauth") exitWithError(ctx, `Credential connection "${selected.id}" for "${integrationId}" is "${selected.kind}", not oauth.`, {
-			code: "UNSUPPORTED_CREDENTIAL_CONNECTION",
-			hint: availableOAuthConnectionHint(connections)
-		});
-		return selected;
-	}
-	return connections.find((connection) => connection.kind === "oauth" && connection.recommended === true) ?? connections.find((connection) => connection.kind === "oauth");
-}
+import { P as throwReportedCliExit, S as toErrorMessage, h as AUTH_HINT, p as ui, x as isNetworkError, y as getHttpStatus } from "./keystroke.mjs";
+import { t as assertWorkflowProjectRoot } from "./project-config-VloWJirJ.mjs";
+import { i as writeJson } from "./output-C0pbsv39.mjs";
+import { i as requireClient } from "./context-DaBLwEWi.mjs";
+import { n as resolveWorkflowsDir } from "./resolve-project-Cto7y-K3.mjs";
+import { t as openBrowser } from "./browser-CvuyMLhI.mjs";
+import { i as InitiateConnectionResponseSchema, n as ConnectionStatusResponseSchema, r as InitiateConnectionRequestSchema } from "./api-b0DzMwXP.mjs";
+import { t as getIntegrationCatalog } from "./integration-catalog-DEHwWAO6.mjs";
+//#region src/commands/connect/connect.errors.ts
 /**
 * Per-reason CLI hint table for `failed` status responses.
 *
@@ -64,7 +33,7 @@ const FAILURE_REASON_HINTS = {
 function formatFailureHint(reason, label) {
 	return FAILURE_REASON_HINTS[reason].replaceAll("{label}", label);
 }
-function exitWithError(ctx, message, opts) {
+function exitWithConnectError(ctx, message, opts) {
 	if (ctx.jsonMode) {
 		process.stdout.write(`${JSON.stringify({
 			error: message,
@@ -77,88 +46,265 @@ function exitWithError(ctx, message, opts) {
 	if (opts?.hint) ui.hint(opts.hint);
 	throwReportedCliExit(message);
 }
+function exitOnConnectionInitiateError(ctx, error, params) {
+	if (error instanceof Error && error.name === "CliExitError") throw error;
+	const status = getHttpStatus(error);
+	if (status === 404) exitWithConnectError(ctx, `Integration "${params.integrationLabel}" is not supported for platform OAuth.`, {
+		code: "UNSUPPORTED_INTEGRATION",
+		hint: `Currently supported official OAuth integrations: ${params.catalog.oauthPublicIds.join(", ")}. Custom OAuth connect flows are not available yet.`
+	});
+	if (status === 503) exitWithConnectError(ctx, `Platform credentials not configured for "${params.integrationLabel}".`, {
+		code: "PLATFORM_NOT_CONFIGURED",
+		hint: `Ask a Keystroke developer to configure the ${params.integrationLabel} account OAuth client for this environment.`
+	});
+	if (status === 401) exitWithConnectError(ctx, "Not authenticated.", {
+		code: "AUTH_ERROR",
+		hint: AUTH_HINT
+	});
+	if (status === 403) exitWithConnectError(ctx, `You do not have permission to connect ${params.integrationLabel} in the current organization.`, {
+		code: "FORBIDDEN",
+		hint: "Verify your active organization and your permissions in that organization."
+	});
+	if (status !== null && status >= 500) exitWithConnectError(ctx, `The Keystroke server failed while starting the ${params.integrationLabel} connection.`, {
+		code: "SERVER_ERROR",
+		hint: `Server returned HTTP ${status}. Check the server logs and try again.`
+	});
+	if (status !== null) exitWithConnectError(ctx, `Failed to initiate the ${params.integrationLabel} connection.`, {
+		code: "INITIATE_FAILED",
+		hint: `Server returned HTTP ${status}.`
+	});
+	if (isNetworkError(error)) exitWithConnectError(ctx, `Could not reach the Keystroke server to start the ${params.integrationLabel} connection.`, {
+		code: "NETWORK_ERROR",
+		hint: `Check that your local services are running and that the CLI is pointed at ${params.baseUrl}.`
+	});
+	exitWithConnectError(ctx, `Failed to initiate the ${params.integrationLabel} connection.`, {
+		code: "INITIATE_FAILED",
+		hint: toErrorMessage(error)
+	});
+}
+//#endregion
+//#region src/commands/connect/connect.input.ts
+function parseConnectionInput(rawInputs, ctx) {
+	const input = {};
+	for (const rawInput of rawInputs) {
+		const separatorIndex = rawInput.indexOf("=");
+		if (separatorIndex <= 0) exitWithConnectError(ctx, `Invalid --input value "${rawInput}".`, {
+			code: "USAGE_ERROR",
+			hint: "Use --input key=value. Repeat --input for multiple fields."
+		});
+		const key = rawInput.slice(0, separatorIndex).trim();
+		const value = rawInput.slice(separatorIndex + 1);
+		if (!key) exitWithConnectError(ctx, `Invalid --input value "${rawInput}".`, {
+			code: "USAGE_ERROR",
+			hint: "Input keys must be non-empty: --input key=value"
+		});
+		input[key] = value;
+	}
+	return input;
+}
+//#endregion
+//#region src/commands/connect/connect.poll.ts
+async function pollConnectionStatus(params) {
+	const { ctx, apiIntegrationId, integrationLabel, initiatedAt, timeoutSeconds, authUrl, oauthConnection } = params;
+	const client = ctx.client;
+	if (!client) exitWithConnectError(ctx, "Not authenticated.", {
+		code: "AUTH_ERROR",
+		hint: AUTH_HINT
+	});
+	ui.br();
+	ui.text(`Waiting for approval in ${integrationLabel}...`);
+	ui.text("Return to this terminal after you approve access.");
+	ui.text("Press Ctrl+C to cancel.");
+	const timeoutMs = timeoutSeconds * 1e3;
+	const pollIntervalMs = 2e3;
+	const startTime = Date.now();
+	let consecutivePollFailures = 0;
+	let pollingWarningShown = false;
+	while (Date.now() - startTime < timeoutMs) {
+		await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+		try {
+			const data = ConnectionStatusResponseSchema.parse(await client.connections.getStatus(apiIntegrationId, {
+				since: initiatedAt,
+				...oauthConnection ? { credentialConnectionId: oauthConnection.id } : {}
+			}));
+			consecutivePollFailures = 0;
+			if (data.status === "connected") {
+				ui.br();
+				ui.success(`Connected ${integrationLabel} successfully.`);
+				ui.hint(`Your ${integrationLabel} account is now available to Keystroke workflows.`);
+				return;
+			}
+			if (data.status === "failed") {
+				ui.br();
+				const headline = data.message ? `Could not finish the ${integrationLabel} connection: ${data.message}` : `Could not finish the ${integrationLabel} connection (${data.reason}).`;
+				ui.error(headline);
+				ui.hint(formatFailureHint(data.reason, integrationLabel));
+				throwReportedCliExit(headline);
+			}
+		} catch (error) {
+			if (error instanceof Error && error.name === "CliExitError") throw error;
+			const status = getHttpStatus(error);
+			if (status === 401) exitWithConnectError(ctx, "Your CLI session is no longer authenticated.", {
+				code: "AUTH_ERROR",
+				hint: AUTH_HINT
+			});
+			if (status === 403) exitWithConnectError(ctx, `You do not have permission to finish the ${integrationLabel} connection in the current organization.`, {
+				code: "FORBIDDEN",
+				hint: "Verify your active organization and your permissions in that organization."
+			});
+			consecutivePollFailures += 1;
+			if (!pollingWarningShown && consecutivePollFailures >= 3) {
+				pollingWarningShown = true;
+				ui.warn(`Still waiting for ${integrationLabel} authorization.`);
+				ui.hint(status !== null ? `Polling has hit temporary errors (latest HTTP ${status}). If you already approved access, wait a moment and try again.` : "Polling has hit temporary errors. If you already approved access, wait a moment and try again.");
+			}
+		}
+	}
+	ui.br();
+	ui.error(`Timed out waiting for ${integrationLabel} authorization.`);
+	ui.text("If authorization is still open in your browser, you can still finish it here:");
+	ui.text(`  ${authUrl}`);
+	throwReportedCliExit(`Timed out waiting for ${integrationLabel} authorization.`);
+}
+//#endregion
+//#region src/commands/connect/connect.scope.ts
 /**
 * Resolve the project id for this connect attempt.
 *
 * Precedence:
 *   1. Explicit `--project-id <uuid>` flag.
 *   2. `keystroke.config.ts` discovered from `--path` or by walking up
-*      from cwd. Best-effort — silently returns `null` when nothing is
-*      found.
+*      from cwd.
 *
-* Caller decides whether `null` is fatal: with `--scope project` it's
-* a usage error; with the default resolution it falls back to
-* organization scope.
+* A discovered-but-invalid config is a usage error. Silent fallback to org
+* scope would create credentials at a broader scope than the user likely meant.
 */
-async function resolveConnectProjectId(options) {
+async function resolveConnectProjectId(options, ctx) {
 	if (options.projectId) return options.projectId;
 	const workflowsDir = await resolveWorkflowsDir(options.path);
 	if (!workflowsDir) return null;
 	try {
 		return (await assertWorkflowProjectRoot(workflowsDir)).projectId;
-	} catch {
-		return null;
+	} catch (error) {
+		exitWithConnectError(ctx, `Could not read project configuration for ${workflowsDir}.${error instanceof Error ? ` ${error.message}` : ""}`, {
+			code: "PROJECT_CONFIG_ERROR",
+			hint: "Fix keystroke.config.ts, pass --project-id explicitly, or use --scope organization outside the project directory."
+		});
 	}
 }
-function parseConnectionInput(rawInputs, ctx) {
-	const input = {};
-	for (const rawInput of rawInputs) {
-		const separatorIndex = rawInput.indexOf("=");
-		if (separatorIndex <= 0) exitWithError(ctx, `Invalid --input value "${rawInput}".`, {
-			code: "USAGE_ERROR",
-			hint: "Use --input key=value. Repeat --input for multiple fields."
+async function resolveConnectScopeRequest(options, ctx) {
+	if (options.projectId && (options.scope === "organization" || options.scope === "user")) exitWithConnectError(ctx, `--project-id cannot be used with --scope ${options.scope}.`, {
+		code: "USAGE_ERROR",
+		hint: "Use --scope project for project-scoped connections, or omit --project-id for organization/user scope."
+	});
+	if (options.scope === "organization" || options.scope === "user") return {
+		scopeForRequest: options.scope,
+		projectIdForRequest: void 0
+	};
+	const resolvedProjectId = await resolveConnectProjectId(options, ctx);
+	if (options.scope === "project" && !resolvedProjectId) exitWithConnectError(ctx, "--scope project requires a project context. Pass --project-id <uuid>, --path <dir>, or run inside a project directory.", {
+		code: "USAGE_ERROR",
+		hint: "Use `keystroke init` to create a project, or pick a different scope."
+	});
+	return {
+		scopeForRequest: options.scope,
+		projectIdForRequest: resolvedProjectId ?? void 0
+	};
+}
+//#endregion
+//#region src/commands/connect/connect.selection.ts
+function formatIntegrationLabel(catalog, integrationId) {
+	return catalog.lookupByPublicId(integrationId)?.name ?? integrationId;
+}
+/**
+* Credential definition id sent to the connections API. Catalog aliases such as
+* `slack` may differ from the server row id (`keystroke:slack`).
+*/
+function resolveConnectApiIntegrationId(integrationId, catalogEntry) {
+	return catalogEntry?.credentialSet.credentialDefinitionId ?? integrationId;
+}
+function formatConnectionLabel(connection) {
+	return connection.label ?? connection.id;
+}
+function formatConnectionFlags(connection) {
+	const flags = [connection.recommended === true ? "recommended" : null, connection.advanced === true ? "advanced" : null].filter((flag) => flag !== null);
+	return flags.length > 0 ? `, ${flags.join(", ")}` : "";
+}
+function availableOAuthConnectionHint(connections) {
+	const oauthConnections = connections?.filter((connection) => connection.kind === "oauth") ?? [];
+	if (oauthConnections.length === 0) return "Run `keystroke integrations list --kind oauth` to see integrations with OAuth connection paths.";
+	return `Available OAuth connection IDs: ${oauthConnections.map((connection) => `${connection.id}${connection.recommended ? " (recommended)" : ""}`).join(", ")}.`;
+}
+function selectOAuthConnection(params) {
+	const { catalogEntry, requestedCredentialConnectionId, ctx, integrationId } = params;
+	const connections = catalogEntry?.connections ?? [];
+	if (requestedCredentialConnectionId) {
+		const selected = connections.find((connection) => connection.id === requestedCredentialConnectionId);
+		if (!selected) exitWithConnectError(ctx, `Credential connection "${requestedCredentialConnectionId}" is not defined for "${integrationId}".`, {
+			code: "UNKNOWN_CREDENTIAL_CONNECTION",
+			hint: availableOAuthConnectionHint(connections)
 		});
-		const key = rawInput.slice(0, separatorIndex).trim();
-		const value = rawInput.slice(separatorIndex + 1);
-		if (!key) exitWithError(ctx, `Invalid --input value "${rawInput}".`, {
-			code: "USAGE_ERROR",
-			hint: "Input keys must be non-empty: --input key=value"
+		if (selected.kind !== "oauth") exitWithConnectError(ctx, `Credential connection "${selected.id}" for "${integrationId}" is "${selected.kind}", not oauth.`, {
+			code: "UNSUPPORTED_CREDENTIAL_CONNECTION",
+			hint: availableOAuthConnectionHint(connections)
 		});
-		input[key] = value;
+		return selected;
 	}
-	return input;
+	return connections.find((connection) => connection.kind === "oauth" && connection.recommended === true) ?? connections.find((connection) => connection.kind === "oauth");
 }
+function resolveConnectTarget(params) {
+	const { catalog, ctx, integrationId, requestedCredentialConnectionId } = params;
+	const catalogEntry = catalog.lookupByPublicId(integrationId);
+	const oauthConnection = selectOAuthConnection({
+		catalogEntry,
+		requestedCredentialConnectionId,
+		ctx,
+		integrationId
+	});
+	return {
+		catalogEntry,
+		oauthConnection,
+		apiIntegrationId: resolveConnectApiIntegrationId(integrationId, catalogEntry),
+		integrationLabel: oauthConnection ? formatIntegrationLabel(catalog, integrationId) : integrationId
+	};
+}
+//#endregion
+//#region src/commands/connect/connect.handler.ts
 /**
 * Handle the `keystroke connect <integrationId>` command.
 *
 * Initiates a platform OAuth flow:
 * 1. Calls POST /api/v1/connections/:integrationId/initiate to get an auth URL + state token
 * 2. Opens the browser to the auth URL
-* 3. Polls GET /api/v1/connections/:integrationId/status?state=XXX until connected or timeout
+* 3. Polls GET /api/v1/connections/:integrationId/status?since=... until connected or timeout
 */
 async function handleConnect(options, ctx) {
 	const integrationId = options.integrationId?.trim().toLowerCase();
-	const { baseUrl, apiKey } = ctx;
-	if (!baseUrl || !apiKey) exitWithError(ctx, "Not authenticated.", {
+	const { baseUrl } = ctx;
+	const client = requireClient(ctx);
+	if (!baseUrl) exitWithConnectError(ctx, "Not authenticated.", {
 		code: "AUTH_ERROR",
 		hint: AUTH_HINT
 	});
-	if (!integrationId) exitWithError(ctx, "Usage: keystroke connect <integrationId>", {
+	if (!integrationId) exitWithConnectError(ctx, "Usage: keystroke connect <integrationId>", {
 		code: "USAGE_ERROR",
 		hint: "Example: keystroke connect github"
 	});
 	const catalog = await getIntegrationCatalog(ctx);
-	const catalogEntry = catalog.lookupByPublicId(integrationId);
-	const oauthConnection = selectOAuthConnection({
-		catalogEntry,
-		requestedCredentialConnectionId: options.connection,
+	const { catalogEntry, oauthConnection, apiIntegrationId, integrationLabel } = resolveConnectTarget({
+		catalog,
 		ctx,
-		integrationId
+		integrationId,
+		requestedCredentialConnectionId: options.connection
 	});
-	const integrationLabel = Boolean(oauthConnection) ? formatIntegrationLabel(catalog, integrationId) : integrationId;
 	const connectionInput = parseConnectionInput(options.input ?? [], ctx);
 	if (!ctx.jsonMode) {
 		ui.text(`Connect ${integrationLabel}`);
+		ui.hint(`API URL: ${baseUrl}`);
 		if (oauthConnection && ((catalogEntry?.connections.length ?? 0) > 1 || options.connection)) ui.text(`Connection: ${formatConnectionLabel(oauthConnection)} (id: ${oauthConnection.id}${formatConnectionFlags(oauthConnection)})`);
 		ui.br();
 	}
-	const resolvedProjectId = await resolveConnectProjectId(options);
-	if (options.scope === "project" && !resolvedProjectId) exitWithError(ctx, "--scope project requires a project context. Pass --project-id <uuid>, --path <dir>, or run inside a project directory.", {
-		code: "USAGE_ERROR",
-		hint: "Use `keystroke init` to create a project, or pick a different scope."
-	});
-	const scopeForRequest = options.scope;
-	const projectIdForRequest = scopeForRequest === "user" || scopeForRequest === "organization" ? void 0 : resolvedProjectId ?? void 0;
+	const { scopeForRequest, projectIdForRequest } = await resolveConnectScopeRequest(options, ctx);
 	let authUrl;
 	let initiatedAt;
 	try {
@@ -170,58 +316,20 @@ async function handleConnect(options, ctx) {
 			...options.name ? { name: options.name } : {}
 		});
 		const hasRequestBody = Object.keys(requestBody).length > 0;
-		const response = await fetch(`${baseUrl}/api/v1/connections/${integrationId}/initiate`, {
-			method: "POST",
-			headers: {
-				Authorization: `Bearer ${apiKey}`,
-				...hasRequestBody ? { "Content-Type": "application/json" } : {}
-			},
-			...hasRequestBody ? { body: JSON.stringify(requestBody) } : {}
-		});
-		if (!response.ok) {
-			if (response.status === 404) exitWithError(ctx, `Integration "${integrationId}" is not supported for platform OAuth.`, {
-				code: "UNSUPPORTED_INTEGRATION",
-				hint: `Currently supported official OAuth integrations: ${catalog.oauthPublicIds.join(", ")}. Custom OAuth connect flows are not available yet.`
-			});
-			if (response.status === 503) exitWithError(ctx, `Platform credentials not configured for "${integrationId}".`, {
-				code: "PLATFORM_NOT_CONFIGURED",
-				hint: `Ask a Keystroke developer to configure the ${integrationLabel} account OAuth client for this environment.`
-			});
-			if (response.status === 401) exitWithError(ctx, "Not authenticated.", {
-				code: "AUTH_ERROR",
-				hint: AUTH_HINT
-			});
-			if (response.status === 403) exitWithError(ctx, `You do not have permission to connect ${integrationLabel} in the current organization.`, {
-				code: "FORBIDDEN",
-				hint: "Verify your active organization and your permissions in that organization."
-			});
-			if (response.status >= 500) exitWithError(ctx, `The Keystroke server failed while starting the ${integrationLabel} connection.`, {
-				code: "SERVER_ERROR",
-				hint: `Server returned HTTP ${response.status}. Check the server logs and try again.`
-			});
-			exitWithError(ctx, `Failed to initiate the ${integrationLabel} connection.`, {
-				code: "INITIATE_FAILED",
-				hint: `Server returned HTTP ${response.status}.`
-			});
-		}
-		const data = InitiateConnectionResponseSchema.parse(await response.json());
+		const data = InitiateConnectionResponseSchema.parse(await client.connections.initiate(apiIntegrationId, hasRequestBody ? requestBody : void 0));
 		authUrl = data.authUrl;
 		initiatedAt = data.initiatedAt;
 	} catch (error) {
-		if (error instanceof Error && error.name === "CliExitError") throw error;
-		if (isNetworkError(error)) exitWithError(ctx, `Could not reach the Keystroke server to start the ${integrationLabel} connection.`, {
-			code: "NETWORK_ERROR",
-			hint: `Check that your local services are running and that the CLI is pointed at ${baseUrl}.`
-		});
-		exitWithError(ctx, `Failed to initiate the ${integrationLabel} connection.`, {
-			code: "INITIATE_FAILED",
-			hint: toErrorMessage(error)
+		exitOnConnectionInitiateError(ctx, error, {
+			integrationLabel,
+			catalog,
+			baseUrl
 		});
 	}
 	if (ctx.jsonMode) {
 		writeJson({
 			status: "authorization_required",
-			integrationId,
+			integrationId: apiIntegrationId,
 			credentialConnectionId: oauthConnection?.id,
 			...oauthConnection ? { selectedConnection: {
 				id: oauthConnection.id,
@@ -247,69 +355,15 @@ async function handleConnect(options, ctx) {
 		ui.text("Open this URL manually to continue:");
 		ui.text(`  ${authUrl}`);
 	}
-	ui.br();
-	ui.text(`Waiting for approval in ${integrationLabel}...`);
-	ui.text("Return to this terminal after you approve access.");
-	ui.text("Press Ctrl+C to cancel.");
-	const timeoutMs = options.timeout * 1e3;
-	const pollIntervalMs = 2e3;
-	const startTime = Date.now();
-	let consecutivePollFailures = 0;
-	let pollingWarningShown = false;
-	while (Date.now() - startTime < timeoutMs) {
-		await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
-		try {
-			const statusUrl = new URL(`${baseUrl}/api/v1/connections/${integrationId}/status`);
-			statusUrl.searchParams.set("since", String(initiatedAt));
-			if (oauthConnection) statusUrl.searchParams.set("credentialConnectionId", oauthConnection.id);
-			const response = await fetch(statusUrl.toString(), { headers: { Authorization: `Bearer ${apiKey}` } });
-			if (!response.ok) {
-				consecutivePollFailures += 1;
-				if (response.status === 401) exitWithError(ctx, "Your CLI session is no longer authenticated.", {
-					code: "AUTH_ERROR",
-					hint: AUTH_HINT
-				});
-				if (response.status === 403) exitWithError(ctx, `You do not have permission to finish the ${integrationLabel} connection in the current organization.`, {
-					code: "FORBIDDEN",
-					hint: "Verify your active organization and your permissions in that organization."
-				});
-				if (!pollingWarningShown && consecutivePollFailures >= 3) {
-					pollingWarningShown = true;
-					ui.warn(`Still waiting for ${integrationLabel} authorization.`);
-					ui.hint(`Polling has hit temporary errors (latest HTTP ${response.status}). If you already approved access, wait a moment and try again.`);
-				}
-				continue;
-			}
-			consecutivePollFailures = 0;
-			const data = ConnectionStatusResponseSchema.parse(await response.json());
-			if (data.status === "connected") {
-				ui.br();
-				ui.success(`Connected ${integrationLabel} successfully.`);
-				ui.hint(`Your ${integrationLabel} account is now available to Keystroke workflows.`);
-				return;
-			}
-			if (data.status === "failed") {
-				ui.br();
-				const headline = data.message ? `Could not finish the ${integrationLabel} connection: ${data.message}` : `Could not finish the ${integrationLabel} connection (${data.reason}).`;
-				ui.error(headline);
-				ui.hint(formatFailureHint(data.reason, integrationLabel));
-				throwReportedCliExit(headline);
-			}
-		} catch (error) {
-			if (error instanceof Error && error.name === "CliExitError") throw error;
-			consecutivePollFailures += 1;
-			if (!pollingWarningShown && consecutivePollFailures >= 3) {
-				pollingWarningShown = true;
-				ui.warn(`Still waiting for ${integrationLabel} authorization.`);
-				ui.hint(`Polling has hit temporary errors. If you already approved access, wait a moment and try again.`);
-			}
-		}
-	}
-	ui.br();
-	ui.error(`Timed out waiting for ${integrationLabel} authorization.`);
-	ui.text("If authorization is still open in your browser, you can still finish it here:");
-	ui.text(`  ${authUrl}`);
-	throwReportedCliExit(`Timed out waiting for ${integrationLabel} authorization.`);
+	await pollConnectionStatus({
+		ctx,
+		apiIntegrationId,
+		integrationLabel,
+		initiatedAt,
+		timeoutSeconds: options.timeout,
+		authUrl,
+		oauthConnection
+	});
 }
 //#endregion
 export { handleConnect };

package/dist/{context-Brc9VGV9.mjs → context-DaBLwEWi.mjs}

@@ -2,9 +2,9 @@
 
 import { n as __exportAll } from "./chunk-CH6r78ws.mjs";
 import { A as CliExitError, L as logger, S as toErrorMessage, b as isAuthError, c as getProcessEnv, g as REAUTH_HINT, h as AUTH_HINT, k as AuthenticationError, p as ui, s as getEnv } from "./keystroke.mjs";
-import { n as credentials } from "./dist-B5jy238v.mjs";
-import { t as resolveCliCredentials } from "./resolve-cli-credentials-GVOOedoQ.mjs";
-import { a as writeJsonError } from "./output-BPydP5tG.mjs";
+import { n as credentials } from "./dist-rsDq3fTk.mjs";
+import { t as resolveCliCredentials } from "./resolve-cli-credentials-BecTgRE7.mjs";
+import { a as writeJsonError } from "./output-C0pbsv39.mjs";
 //#region src/lib/context.ts
 var context_exports = /* @__PURE__ */ __exportAll({
 	assertProjectConfigMatchesAuthenticatedOrg: () => assertProjectConfigMatchesAuthenticatedOrg,
@@ -38,7 +38,7 @@ async function resolveBaseContext(overrides = {}) {
 	const authContext = await resolveAuthContext(overrides);
 	let client = null;
 	if (authContext.apiKey && authContext.baseUrl) try {
-		const { createClient } = await import("./src-DI-ybNjR.mjs");
+		const { createClient } = await import("./src-DOCKWJRW.mjs").then((n) => n.t);
 		client = createClient({
 			apiKey: authContext.apiKey,
 			baseUrl: authContext.baseUrl,

package/dist/{create.handler-D_tmjANR.mjs → create.handler-CAj7e5w2.mjs}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 
 import { P as throwReportedCliExit, S as toErrorMessage, p as ui } from "./keystroke.mjs";
-import { i as writeJson } from "./output-BPydP5tG.mjs";
-import { i as requireClient } from "./context-Brc9VGV9.mjs";
+import { i as writeJson } from "./output-C0pbsv39.mjs";
+import { i as requireClient } from "./context-DaBLwEWi.mjs";
 //#region src/commands/api-keys/create.handler.ts
 async function handleApiKeysCreate(options, ctx) {
 	const client = requireClient(ctx);

package/dist/{credential-env-map-5a41jLwM.mjs → credential-env-map-rXDibCDT.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { r as getKeystrokeProjectPath } from "./paths-DpHfoaXN-CdPimpky.mjs";
-import "./dist-B5jy238v.mjs";
+import "./dist-rsDq3fTk.mjs";
 import * as fs from "node:fs/promises";
 import { z } from "zod";
 //#region src/lib/credential-env-map.ts

package/dist/{credential-schema-mismatch-CStYUB2h.mjs → credential-schema-mismatch-BvcO7KgE.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { i as writeJson } from "./output-BPydP5tG.mjs";
+import { i as writeJson } from "./output-C0pbsv39.mjs";
 //#region src/lib/credential-schema-mismatch.ts
 /**
 * Structured detection and rendering for `CredentialSchemaMismatchError`

package/dist/{credentials-DtwLbee6.mjs → credentials-Bud9r1JE.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { f as collectCredentialRequirementEntries } from "./credential-requirements-B5Alhu1v-DanlSKnT.mjs";
+import { f as collectCredentialRequirementEntries } from "./credential-requirements-B5Alhu1v-C26qMgU_.mjs";
 //#region ../../packages/workflow-deploy/dist/credentials/index.mjs
 /**
 * Resolves credential values from environment using KEYSTROKE_<KEY> convention.

package/dist/{credentials-UDrvrKj-.mjs → credentials-CZ7HaiPb.mjs}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
-import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-BPydP5tG.mjs";
-import { t as createTypedCommand } from "./commander-B_8QwPpe.mjs";
-import { i as CredentialScopeValues, n as CredentialConnectionIdSchema, r as CredentialScopeSchema } from "./schema-DFJiNWyd.mjs";
-import { t as ConnectionKindValues } from "./api-sWkB_Wta.mjs";
+import { n as JsonOptionSchema, t as JSON_OPTION_CONFIG } from "./output-C0pbsv39.mjs";
+import { t as createTypedCommand } from "./commander-DIOuj6NJ.mjs";
+import { i as CredentialScopeValues, n as CredentialConnectionIdSchema, r as CredentialScopeSchema } from "./schema-QbiBSbhG.mjs";
+import { t as ConnectionKindValues } from "./api-b0DzMwXP.mjs";
 import { z } from "zod";
 //#region ../../packages/shared-types/src/credentials/models/definition-records.ts
 const JsonRecordSchema = z.record(z.string(), z.unknown());
@@ -265,13 +265,13 @@ function createCredentialsDefinitionsCommand() {
 		description: "Browse and inspect credential definitions (catalog metadata; not per-org credential sets)",
 		schema: CredentialDefinitionsListOptionsSchema,
 		optionsConfig: DEFINITIONS_LIST_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./list.handler-DMvq96UA.mjs")).handleCredentialDefinitionsList,
+		loadHandler: async () => (await import("./list.handler-Dny_G7yA.mjs")).handleCredentialDefinitionsList,
 		subcommands: [createTypedCommand({
 			name: "list",
 			description: "List credential definitions",
 			schema: CredentialDefinitionsListOptionsSchema,
 			optionsConfig: DEFINITIONS_LIST_OPTIONS_CONFIG,
-			loadHandler: async () => (await import("./list.handler-DMvq96UA.mjs")).handleCredentialDefinitionsList
+			loadHandler: async () => (await import("./list.handler-Dny_G7yA.mjs")).handleCredentialDefinitionsList
 		}), createTypedCommand({
 			name: "show",
 			description: "Show one credential definition including auth schema",
@@ -282,7 +282,7 @@ function createCredentialsDefinitionsCommand() {
 				description: "Credential definition id, e.g. keystroke:aws-s3",
 				key: "id"
 			},
-			loadHandler: async () => (await import("./show.handler-D3nDc1MJ.mjs")).handleCredentialDefinitionShow
+			loadHandler: async () => (await import("./show.handler-BupYRNqw.mjs")).handleCredentialDefinitionShow
 		})]
 	});
 }
@@ -329,7 +329,7 @@ function createCredentialsListCommand() {
 		description: "List credential sets on the server",
 		schema: ListOptionsSchema,
 		optionsConfig: LIST_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./list.handler-Co32_F3n.mjs")).handleCredentialsList
+		loadHandler: async () => (await import("./list.handler-CXsHFhRg.mjs")).handleCredentialsList
 	});
 }
 //#endregion
@@ -348,7 +348,7 @@ function createCredentialsRequirementsCommand() {
 		description: "Show what credentials built workflows need (keys, KEYSTROKE_* env names, workflows) — from dist manifests, no API call",
 		schema: RequirementsOptionsSchema,
 		optionsConfig: REQUIREMENTS_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./requirements.handler-Bg3mRnER.mjs")).handleCredentialsRequirements
+		loadHandler: async () => (await import("./requirements.handler-CA4zeT3J.mjs")).handleCredentialsRequirements
 	});
 }
 //#endregion
@@ -409,7 +409,7 @@ function createCredentialsUploadCommand() {
 		description: "Upload credentials from env vars to the server. Default: reads requirements from built workflow manifests. Use --integration for an official integration or --credential-set + --keys for a custom explicit upload.",
 		schema: UploadOptionsSchema,
 		optionsConfig: UPLOAD_OPTIONS_CONFIG,
-		loadHandler: async () => (await import("./upload.handler-DscKDQ63.mjs")).handleCredentialsUpload
+		loadHandler: async () => (await import("./upload.handler-Y-yOXVYC.mjs")).handleCredentialsUpload
 	});
 }
 //#endregion
@@ -440,7 +440,7 @@ function createCredentialsCommand() {
 			}
 		},
 		handler: async (opts, ctx) => {
-			const { handleCredentialsList } = await import("./list.handler-Co32_F3n.mjs");
+			const { handleCredentialsList } = await import("./list.handler-CXsHFhRg.mjs");
 			await handleCredentialsList({
 				...opts,
 				scope: void 0,