@keystrokehq/cli 0.1.38 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50) hide show
  1. package/dist/{dist-DkLbeW8l.mjs → dist-BOhrc_Nv.mjs} +198 -561
  2. package/dist/dist-BOhrc_Nv.mjs.map +1 -0
  3. package/dist/{dist-B6z1wti6.mjs → dist-D-cLLjHv.mjs} +87 -2017
  4. package/dist/dist-D-cLLjHv.mjs.map +1 -0
  5. package/dist/{dist-GSI9JDuz.mjs → dist-DGKF3FGu.mjs} +31 -265
  6. package/dist/dist-DGKF3FGu.mjs.map +1 -0
  7. package/dist/dist-DMuIdus5.mjs +3 -0
  8. package/dist/{dist-gAvgHBlr.mjs → dist-Re6HHSqz.mjs} +2 -2
  9. package/dist/{dist-gAvgHBlr.mjs.map → dist-Re6HHSqz.mjs.map} +1 -1
  10. package/dist/index.mjs +177 -463
  11. package/dist/index.mjs.map +1 -1
  12. package/dist/{maybe-auto-update-Dv4MJvWb.mjs → maybe-auto-update-q5MthdI8.mjs} +2 -2
  13. package/dist/{maybe-auto-update-Dv4MJvWb.mjs.map → maybe-auto-update-q5MthdI8.mjs.map} +1 -1
  14. package/dist/skills-bundle/_AGENTS.mcp.md +5 -9
  15. package/dist/skills-bundle/_AGENTS.md +112 -243
  16. package/dist/skills-bundle/skills/keystroke-actions/SKILL.md +160 -0
  17. package/dist/skills-bundle/skills/keystroke-actions/references/catalog-and-imports.md +71 -0
  18. package/dist/skills-bundle/skills/keystroke-agents/SKILL.md +115 -0
  19. package/dist/skills-bundle/skills/keystroke-agents/references/models.md +23 -0
  20. package/dist/skills-bundle/skills/keystroke-agents/references/tools-mcp-codemode.md +73 -0
  21. package/dist/skills-bundle/skills/keystroke-agents/references/workflows-and-testing.md +26 -0
  22. package/dist/skills-bundle/skills/keystroke-apps/SKILL.md +151 -0
  23. package/dist/skills-bundle/skills/keystroke-apps/references/cli-and-catalog.md +104 -0
  24. package/dist/skills-bundle/skills/keystroke-channels/SKILL.md +66 -0
  25. package/dist/skills-bundle/skills/keystroke-channels/references/slack-setup.md +41 -0
  26. package/dist/skills-bundle/skills/keystroke-cli/SKILL.md +93 -0
  27. package/dist/skills-bundle/skills/keystroke-deploy/SKILL.md +93 -0
  28. package/dist/skills-bundle/skills/keystroke-deploy/references/build-and-full-deploy.md +30 -0
  29. package/dist/skills-bundle/skills/keystroke-deploy/references/filtered-deploy.md +50 -0
  30. package/dist/skills-bundle/skills/keystroke-deploy/references/wip-ignore.md +35 -0
  31. package/dist/skills-bundle/skills/keystroke-files/SKILL.md +43 -0
  32. package/dist/skills-bundle/skills/keystroke-skills/SKILL.md +42 -0
  33. package/dist/skills-bundle/skills/keystroke-triggers/SKILL.md +143 -0
  34. package/dist/skills-bundle/skills/keystroke-workflows/SKILL.md +78 -0
  35. package/dist/skills-bundle/skills/keystroke-workflows/references/authoring.md +168 -0
  36. package/dist/skills-bundle/skills/keystroke-workflows/references/testing.md +138 -0
  37. package/dist/templates/hello-world/.env.example +4 -0
  38. package/dist/templates/hello-world/README.md +3 -4
  39. package/dist/templates/hello-world/package.json +0 -1
  40. package/dist/templates/hello-world/src/actions/greet.ts +0 -1
  41. package/dist/templates/hello-world/src/agents/hello.ts +0 -2
  42. package/dist/templates/hello-world/src/workflows/greeting.ts +0 -1
  43. package/dist/{version-CiFlKPyE.mjs → version-DcR3O1UD.mjs} +3 -2
  44. package/dist/version-DcR3O1UD.mjs.map +1 -0
  45. package/package.json +5 -5
  46. package/dist/dist-B6z1wti6.mjs.map +0 -1
  47. package/dist/dist-CjWXZCN7.mjs +0 -3
  48. package/dist/dist-DkLbeW8l.mjs.map +0 -1
  49. package/dist/dist-GSI9JDuz.mjs.map +0 -1
  50. package/dist/version-CiFlKPyE.mjs.map +0 -1
@@ -0,0 +1,71 @@
1
+ # Integration actions
2
+
3
+ ## Official catalog integrations
4
+
5
+ 1. Discover: `keystroke app search <query>` → `app show <slug>` → `app actions <slug>`
6
+ 2. Connect: `keystroke connect <slug>`
7
+ 3. Add npm package (e.g. `@keystrokehq/exa`, `@keystrokehq/googlesuper`, `@keystrokehq/slack`)
8
+ 4. Import in `src/workflows/` or on `defineAgent` `tools` — not in `src/actions/`:
9
+
10
+ ```ts
11
+ import { exaSearch, exaAnswer } from "@keystrokehq/exa/actions";
12
+ import { slackSendMessage } from "@keystrokehq/slack/actions";
13
+ import { googlesuperSendEmail } from "@keystrokehq/googlesuper/actions";
14
+ ```
15
+
16
+ Catalog packages ship a pre-built app + actions — you do not author `src/apps/` for these.
17
+
18
+ ## Custom integrations
19
+
20
+ Two supported paths. Pick based on whether actions share a connection.
21
+
22
+ ### Standalone credential (simplest)
23
+
24
+ Declare a `defineCredential` and consume it from a plain `defineAction`:
25
+
26
+ ```ts
27
+ import { defineAction } from "@keystrokehq/keystroke/action";
28
+ import { defineCredential } from "@keystrokehq/keystroke/credentials";
29
+ import { z } from "zod";
30
+
31
+ const acme = defineCredential({ key: "acme", fields: { apiKey: z.string() } });
32
+
33
+ export const fetchStatus = defineAction({
34
+ slug: "fetch-status",
35
+ input: z.object({}),
36
+ output: z.object({ ok: z.boolean() }),
37
+ credentials: [acme] as const,
38
+ async run(_input, credentials) {
39
+ const { apiKey } = credentials.acme;
40
+ return { ok: true };
41
+ },
42
+ });
43
+ ```
44
+
45
+ Connect it with `keystroke credentials set acme --set apiKey=@env:ACME_API_KEY --scope org`.
46
+
47
+ ### App wrapper (shared connection / synced apps)
48
+
49
+ Use an app when several actions share one connection, or when you've synced a custom/catalog app:
50
+
51
+ 1. Create the app (dashboard or `keystroke app create --name ... --field ...`)
52
+ 2. Sync: `keystroke app sync <slug>` → `src/apps/<name>/app.ts`
53
+ 3. Connect: `keystroke connect <slug>`
54
+ 4. Author actions in `src/actions/` with `app.action()`:
55
+
56
+ ```ts
57
+ import { z } from "zod";
58
+ import { internalApi } from "../apps/internal-api/app";
59
+
60
+ export const fetchStatus = internalApi.action({
61
+ slug: "fetch-status",
62
+ input: z.object({}),
63
+ output: z.object({ ok: z.boolean() }),
64
+ async run(_input, credentials) {
65
+ const { apiKey } = credentials["acme/internal-api"];
66
+ return { ok: true };
67
+ },
68
+ });
69
+ ```
70
+
71
+ Re-run `keystroke app sync <slug>` after template changes on the platform. Full app lifecycle: [apps skill](../../keystroke-apps/SKILL.md).
@@ -0,0 +1,115 @@
1
+ ---
2
+ name: keystroke-agents
3
+ description: Build keystroke agents with defineAgent — models, integration tools (Exa, Google, Slack), skills, files, and sandbox. Use when authoring src/agents/ or debugging agent sessions.
4
+ metadata:
5
+ keystroke-domain: agents
6
+ ---
7
+
8
+ # Agents
9
+
10
+ Agents are **autonomous LLM runs** with a sandbox, optional skills/files, and **tools** (your actions + integration actions).
11
+
12
+ ## Typical patterns
13
+
14
+ **Integration tools** — import actions from an integration package:
15
+
16
+ ```ts
17
+ import { defineAgent } from "@keystrokehq/keystroke/agent";
18
+ import { exaSearch, exaAnswer } from "@keystrokehq/exa/actions";
19
+
20
+ export default defineAgent({
21
+ slug: "signup-researcher",
22
+ systemPrompt: "Research signups with Exa. Stay concise; cite sources.",
23
+ model: "anthropic/claude-sonnet-4.6",
24
+ tools: [exaSearch, exaAnswer],
25
+ });
26
+ ```
27
+
28
+ **Skills + files** — static playbooks and docs in the workspace:
29
+
30
+ ```ts
31
+ import { defineAgent } from "@keystrokehq/keystroke/agent";
32
+ import { defineSandbox } from "@keystrokehq/keystroke/sandbox";
33
+
34
+ defineAgent({
35
+ slug: "support",
36
+ systemPrompt: "Read /workspace/agent/product-guide.md before answering.",
37
+ skills: ["support"],
38
+ sandbox: defineSandbox({ files: true }),
39
+ });
40
+ ```
41
+
42
+ Import actions from `@keystrokehq/<integration>/actions` (e.g. `@keystrokehq/exa/actions`, `@keystrokehq/googlesuper/actions`).
43
+
44
+ ## Built-in capabilities (on by default)
45
+
46
+ Two capabilities are enabled automatically — you don't add them to `tools`:
47
+
48
+ - **Memory** — agents persist memory across sessions by default. Disable with `memory: false`.
49
+ - **Web** — built-in `web_search` / `web_fetch` host tools are available by default. Disable with `web: false`.
50
+
51
+ ```ts
52
+ defineAgent({
53
+ slug: "researcher",
54
+ systemPrompt: "…",
55
+ model: "anthropic/claude-sonnet-4.6",
56
+ memory: false, // opt out of persistent memory
57
+ web: false, // opt out of built-in web tools
58
+ });
59
+ ```
60
+
61
+ Delegate to other agents with subagents (`defineSubagentTool`) — see [tools-mcp-codemode.md](references/tools-mcp-codemode.md).
62
+
63
+ ## Structured output (`outputSchema`)
64
+
65
+ `outputSchema` is a **per-prompt** option, not a `defineAgent` field — the same agent can return free text on one call and a schema-validated object on the next. Pass a Zod schema to `prompt(...)` and read the parsed result from `result.output` (typed from the schema):
66
+
67
+ ```ts
68
+ import { z } from "zod";
69
+ import researcher from "../agents/signup-researcher";
70
+
71
+ const Summary = z.object({ company: z.string(), summary: z.string() });
72
+
73
+ const result = await researcher.prompt({
74
+ message: "Research Acme Corp",
75
+ outputSchema: Summary,
76
+ });
77
+ if (result.error) throw new Error(result.error);
78
+
79
+ const { company, summary } = result.output!; // typed { company: string; summary: string }
80
+ ```
81
+
82
+ Without `outputSchema`, `result.output` is `undefined` and you read the reply from `result.messages`. This is an in-process TypeScript API (workflows, actions, scripts) — structured output is **not** exposed over the HTTP route or `keystroke agent prompt`.
83
+
84
+ ## Run & audit
85
+
86
+ ```bash
87
+ keystroke agent prompt signup-researcher --message "Research Acme Corp"
88
+ keystroke agent sessions list signup-researcher
89
+ keystroke agent sessions get signup-researcher <session-id> --include messages,trace
90
+ ```
91
+
92
+ Follow up in the same session: `--session-id <id>`.
93
+
94
+ ## How agents get invoked
95
+
96
+ | From | How |
97
+ | --------------- | --------------------------------------------------------- |
98
+ | CLI | `keystroke agent prompt {slug} --message "…"` |
99
+ | Workflow action | `await myAgent.prompt({ message })` inside `defineAction` |
100
+ | Channel | Slack message to a bound agent (see channels skill) |
101
+
102
+ The agent's identity field is `slug` — it's also the route id (`POST /agents/{slug}`) and the CLI `<agentId>` argument.
103
+
104
+ ## Workspace
105
+
106
+ - Skills → `/workspace/agent/skills/{skill-name}/` (the skill's folder name)
107
+ - Files from `src/files/{slug}/` → `/workspace/agent/` (`{slug}` is the agent slug when `files: true`)
108
+
109
+ ## Next references
110
+
111
+ - [models.md](references/models.md) — model ids, platform LLM proxy
112
+ - [tools-mcp-codemode.md](references/tools-mcp-codemode.md) — actions as tools, MCP, codemode
113
+ - [workflows-and-testing.md](references/workflows-and-testing.md) — sessions, workflow handoff
114
+
115
+ Related: [actions](.agents/skills/keystroke-actions/SKILL.md), [workflows](.agents/skills/keystroke-workflows/SKILL.md), [files](.agents/skills/keystroke-files/SKILL.md), [apps](.agents/skills/keystroke-apps/SKILL.md).
@@ -0,0 +1,23 @@
1
+ # Models
2
+
3
+ ```ts
4
+ model: "google/gemini-2.5-flash"; // vendor/model-id — any pi-ai or gateway catalog id
5
+ thinkingLevel: "high"; // optional — defaults to "medium"; use "none" to disable reasoning
6
+ ```
7
+
8
+ `thinkingLevel` accepts `off`, `minimal`, `low`, `medium`, `high`, `xhigh` (`off` disables reasoning).
9
+
10
+ Per-prompt override via API: `{ "message": "...", "thinkingLevel": "low" }`.
11
+
12
+ Set `model` to any `vendor/model-id` and deploy — the platform routes agents through its managed LLM proxy automatically, so there are **no provider keys to configure**.
13
+
14
+ | Vendor | Example id |
15
+ | --------- | ----------------------------- |
16
+ | Anthropic | `anthropic/claude-sonnet-4.5` |
17
+ | OpenAI | `openai/gpt-5.5` |
18
+ | Google | `google/gemini-3.5-flash` |
19
+ | DeepSeek | `deepseek/deepseek-v3` |
20
+ | Moonshot | `moonshotai/kimi-k2.5` |
21
+ | Zhipu GLM | `zai/glm-4.5` |
22
+
23
+ After changing model, smoke-test: `keystroke agent prompt <key> --message "Hi"`.
@@ -0,0 +1,73 @@
1
+ # Tools, MCP, and codemode
2
+
3
+ ## Integration actions as tools
4
+
5
+ Most agents use imported integration actions:
6
+
7
+ ```ts
8
+ import { exaSearch, exaAnswer } from "@keystrokehq/exa/actions";
9
+ import { googlesuperFetchEmails, googlesuperSendEmail } from "@keystrokehq/googlesuper/actions";
10
+
11
+ tools: [exaSearch, exaAnswer, googlesuperFetchEmails, googlesuperSendEmail],
12
+ ```
13
+
14
+ See each integration package's `actions` export for available tools.
15
+
16
+ ## Your own actions as tools
17
+
18
+ ```ts
19
+ import { triage } from "../actions/triage";
20
+ tools: [triage],
21
+ ```
22
+
23
+ Same action works in workflows and on agents.
24
+
25
+ ## Subagents (delegate to another agent)
26
+
27
+ Wrap any agent as a tool with `defineSubagentTool` (from `@keystrokehq/keystroke/agent`) and add it to `tools`. The parent delegates a scoped task to the child agent:
28
+
29
+ ```ts
30
+ import { defineAgent, defineSubagentTool } from "@keystrokehq/keystroke/agent";
31
+ import { z } from "zod";
32
+ import researcher from "./researcher";
33
+
34
+ export default defineAgent({
35
+ slug: "planner",
36
+ systemPrompt: "Plan work. Delegate research to the researcher subagent.",
37
+ model: "anthropic/claude-sonnet-4.6",
38
+ tools: [
39
+ defineSubagentTool({
40
+ agent: researcher,
41
+ name: "research",
42
+ label: "Research a topic",
43
+ parameters: z.object({ message: z.string() }), // default toMessage reads params.message
44
+ }),
45
+ ],
46
+ });
47
+ ```
48
+
49
+ ## MCP
50
+
51
+ Point an agent at an MCP server with `defineMcp` (from `@keystrokehq/keystroke/agent`) and add the definition to `tools` alongside actions. Each tool the server lists becomes available, prefixed with the server `key` (e.g. `mcp__deepwiki__ask_question`).
52
+
53
+ ```ts
54
+ import { defineAgent, defineMcp } from "@keystrokehq/keystroke/agent";
55
+
56
+ const deepwiki = defineMcp({
57
+ key: "deepwiki",
58
+ transport: { type: "http", url: "https://mcp.deepwiki.com/mcp" },
59
+ });
60
+
61
+ export default defineAgent({
62
+ slug: "researcher",
63
+ systemPrompt: "Use the DeepWiki tools to answer questions about repos.",
64
+ model: "anthropic/claude-sonnet-4.6",
65
+ tools: [deepwiki],
66
+ });
67
+ ```
68
+
69
+ For servers that require auth, declare credentials on the definition.
70
+
71
+ ## Codemode (advanced)
72
+
73
+ Default sandbox has bash. For batch tool calls, agents can run js-exec scripts that call `await tools['action-slug'](args)` (the tool name is the action's slug; MCP tools keep their `mcp__<key>__<tool>` prefix). Optional VM runtime via `sandbox: defineSandbox({ mode: "vm" })` (from `@keystrokehq/keystroke/sandbox`).
@@ -0,0 +1,26 @@
1
+ # Sessions and workflow handoff
2
+
3
+ ## Multi-turn CLI
4
+
5
+ ```bash
6
+ keystroke agent prompt support --message "What is the refund policy?"
7
+ keystroke agent sessions list support
8
+ keystroke agent prompt support --message "Summarize that" --session-id <id>
9
+ ```
10
+
11
+ ## Inspect a session
12
+
13
+ ```bash
14
+ keystroke agent sessions get support <session-id> --include messages,trace
15
+ ```
16
+
17
+ Use this when an agent misbehaves or a channel reply looks wrong.
18
+
19
+ ## Agent called from a workflow
20
+
21
+ Actions invoke agents with `.prompt()` inside `defineAction`. Audit the workflow run, not just the agent session:
22
+
23
+ ```bash
24
+ keystroke workflow runs list signup-pipeline
25
+ keystroke workflow runs get signup-pipeline <run-id> --include steps,trace
26
+ ```
@@ -0,0 +1,151 @@
1
+ ---
2
+ name: keystroke-apps
3
+ description: Connectable apps — defineApp, app.action, catalog discovery via keystroke app search, custom app create/sync, and connect. Use when wiring integrations, OAuth, API keys, or a deployed run fails because an app is not connected.
4
+ metadata:
5
+ keystroke-domain: apps
6
+ ---
7
+
8
+ # Apps
9
+
10
+ An **app** is a connectable integration: a slug, an auth kind, and (for custom apps) a field template. **Connected** = secrets for that app have been uploaded via the connect flow.
11
+
12
+ Secrets never live in source or `.env`. `keystroke deploy` uploads code only, not connections — connect the apps your project needs with the connect flow.
13
+
14
+ Custom actions that call external APIs need a **credential**. The simplest path is a standalone `defineCredential` declared on a `defineAction`. Reach for an **app** (`defineApp` + `app.action()`) when several actions share one connection, or when you've synced a catalog/custom app into `src/apps/`. See [actions skill](.agents/skills/keystroke-actions/SKILL.md).
15
+
16
+ ## Two sources of apps
17
+
18
+ | Source | How you get it | Author in code |
19
+ | ------ | -------------- | -------------- |
20
+ | **Catalog** | ~1000 Composio integrations + first-party (`exa`, `slack`, `googlesuper`) | npm package `@keystrokehq/<slug>` — discover via CLI |
21
+ | **Custom** | Dashboard UI or `keystroke app create`, then `keystroke app sync <slug>` | `src/apps/<name>/app.ts` from sync |
22
+
23
+ ## Discover catalog integrations
24
+
25
+ ```bash
26
+ keystroke auth login
27
+ keystroke app search github # live Composio catalog
28
+ keystroke app show github
29
+ keystroke app actions github --search issue
30
+ keystroke app action GITHUB_CREATE_ISSUE
31
+ keystroke app list # apps registered in your org
32
+ ```
33
+
34
+ Discovery is read-only — there is no `app install` yet. To connect an app, its slug must be in your org registry (`app list`).
35
+
36
+ ## Create and sync custom apps
37
+
38
+ Create in the dashboard or CLI, then pull the template into your project:
39
+
40
+ ```bash
41
+ # Manual custom app (api_key fields)
42
+ keystroke app create \
43
+ --name "Internal API" \
44
+ --description "Our internal service" \
45
+ --field apiKey:secret
46
+
47
+ # Auto-detect from URL (same as dashboard Create custom app)
48
+ keystroke app create --mcp https://mcp.example.com/mcp --preview
49
+ keystroke app create --openapi https://example.com/openapi.yaml --name "Example API"
50
+
51
+ keystroke app sync acme/internal-api # writes src/apps/internal-api/app.ts
52
+ ```
53
+
54
+ Re-run `sync` after template changes on the platform. Then author actions with `app.action()` in `src/actions/`.
55
+
56
+ ## Author with defineApp
57
+
58
+ Synced apps land as `defineApp` in `src/apps/<name>/app.ts`:
59
+
60
+ ```ts
61
+ import { defineApp } from "@keystrokehq/keystroke/app";
62
+ import { z } from "zod";
63
+
64
+ export const kwatch = defineApp({
65
+ slug: "keystroke/kwatch",
66
+ auth: "api_key",
67
+ credential: { apiKey: z.string() },
68
+ });
69
+ ```
70
+
71
+ Actions use `app.action()` — the app binding is automatic:
72
+
73
+ ```ts
74
+ import { kwatch } from "../apps/kwatch/app";
75
+
76
+ export const kwatchListAlerts = kwatch.action({
77
+ slug: "kwatch-list-alerts",
78
+ input: z.object({}),
79
+ output: z.object({ ok: z.boolean(), alertCount: z.number() }),
80
+ async run(_input, credentials) {
81
+ const { apiKey } = credentials["keystroke/kwatch"];
82
+ return { ok: true, alertCount: 0 };
83
+ },
84
+ });
85
+ ```
86
+
87
+ Auth kinds: `keystroke` (MCP/Composio catalog apps), `api_key` (custom fields), `oauth` (token resolved at runtime). In `run`, read connected fields as `credentials[app.slug]`.
88
+
89
+ ## Connect an app
90
+
91
+ `keystroke connect <slug>` opens the web app connect flow (OAuth or API-key form, depending on the app). This is how secrets get attached to an app — not via `.env`.
92
+
93
+ **Official integrations** — the cleanest path:
94
+
95
+ ```bash
96
+ keystroke connect google
97
+ keystroke connect slack
98
+ keystroke connect exa
99
+ ```
100
+
101
+ **Custom apps** — sync the template first, then connect:
102
+
103
+ ```bash
104
+ keystroke app sync acme/internal-api
105
+ keystroke connect acme/internal-api
106
+ ```
107
+
108
+ The web app **Apps** page offers the same flow.
109
+
110
+ Field names in the connect form match the app's synced template. You pick the scope (project / org / user) in the web connect flow — `keystroke connect` has no `--scope` flag. See [cli-and-catalog.md](references/cli-and-catalog.md).
111
+
112
+ ## Connect what your project needs
113
+
114
+ A new project starts with **no connected apps**. After deploy, connect the apps it uses:
115
+
116
+ ```bash
117
+ keystroke deploy --project <id>
118
+ keystroke connect google
119
+ keystroke connect exa
120
+ keystroke app list
121
+ ```
122
+
123
+ A runtime error about a missing connection almost always means the app hasn't been connected for this project.
124
+
125
+ ## Manage & bind credentials
126
+
127
+ `keystroke credentials list / get / update --default / rotate-key / delete` manage instances. When several instances share a scope and none is the default, a run can't auto-resolve — set a default, or **bind** an exact instance to one step/tool:
128
+
129
+ ```bash
130
+ keystroke credentials consumers list --workflow sync # step:<slug>#<n>
131
+ keystroke credentials assignments assign --workflow sync --credential org/work --consumer step:fetch-gmail#0
132
+ keystroke credentials assignments assign --agent support --credential vault-prod --consumer vault-lookup # tool slug
133
+ ```
134
+
135
+ An assignment is the explicit selection at the top of the resolution order, so it overrides scope defaults. Full surface: [cli-and-catalog.md](references/cli-and-catalog.md).
136
+
137
+ ## Audit
138
+
139
+ ```bash
140
+ keystroke app list # org-registered apps
141
+ keystroke credentials list # connected instances + scope + default
142
+ keystroke credentials assignments list --workflow <slug> # which instance is pinned where
143
+ ```
144
+
145
+ Failed integration call → confirm the app is connected for your project, the action uses the right slug, and (if multiple instances) a default or assignment resolves the right one.
146
+
147
+ ## Next references
148
+
149
+ - [cli-and-catalog.md](references/cli-and-catalog.md) — `keystroke app` commands, connect, scopes, credential management & binding
150
+
151
+ Related: [cli](.agents/skills/keystroke-cli/SKILL.md), [actions](.agents/skills/keystroke-actions/SKILL.md), [channels](.agents/skills/keystroke-channels/SKILL.md).
@@ -0,0 +1,104 @@
1
+ # CLI, catalog, connect
2
+
3
+ ## Log in once
4
+
5
+ ```bash
6
+ keystroke auth login
7
+ keystroke auth status
8
+ ```
9
+
10
+ Token is stored in the OS keychain and reused for all CLI commands. See [cli skill](.agents/skills/keystroke-cli/SKILL.md).
11
+
12
+ ## keystroke app commands
13
+
14
+ All org-scoped; output is JSON.
15
+
16
+ | Command | Purpose |
17
+ | ------- | ------- |
18
+ | `app list` | Apps registered/connectable in your org |
19
+ | `app search <query>` | Search live Composio catalog (`--category`, `--limit`, `--cursor`) |
20
+ | `app show <slug>` | Single catalog app details |
21
+ | `app actions [slug]` | List actions for an app, or global search with `--search` (no slug) |
22
+ | `app action <tool-slug>` | Full input/output JSON schema for one action |
23
+ | `app create` | Create custom org app — manual (`--name`, `--slug`, `--description`, `--field`) or auto-detect (`--mcp`, `--openapi`, `--graphql`, `--preview`, `--auth`) |
24
+ | `app sync <slug>` | Write `src/apps/<name>/app.ts` from platform template (`--dir`) |
25
+
26
+ `--field` syntax: `key`, `key:secret`, `key:optional`, `key:public`, or combinations like `key:secret:optional` (repeatable). A bare `key` is **secret by default**; `:public` forces a non-secret field. Manual custom apps require at least one `--field`, and at least one of them must be required (not `:optional`).
27
+
28
+ With `--mcp`, `--openapi`, or `--graphql`, auth and credential fields are auto-detected from the URL (same as the dashboard Create custom app dialog). Use `--preview` to print the assembled request without creating; override detected values with `--name`, `--slug`, `--description`, `--field`, or `--auth` (`oauth` / `api_key`, MCP only).
29
+
30
+ ```bash
31
+ keystroke app create --mcp https://mcp.example.com/mcp --preview
32
+ keystroke app create --openapi https://example.com/openapi.yaml --name "Example API"
33
+ ```
34
+
35
+ ## Connect an app
36
+
37
+ `keystroke connect <slug>` attaches secrets to an app via the web app connect flow:
38
+
39
+ ```bash
40
+ keystroke connect google # official OAuth
41
+ keystroke connect slack
42
+ keystroke connect exa # official API key
43
+ keystroke connect acme/internal-api # custom app (sync first)
44
+ keystroke connect <slug> --print-url # deeplink without opening browser
45
+ ```
46
+
47
+ - **Official integrations** — always prefer `keystroke connect <slug>`
48
+ - **Custom apps** — `keystroke app sync <slug>` first, then `keystroke connect <slug>`
49
+ - Slug must exist in your org registry (`app list`)
50
+ - The web app **Apps** page offers the same flow
51
+
52
+ ## Scopes
53
+
54
+ A connection is stored at one scope. `keystroke connect` has **no** `--scope` flag — you choose the scope in the web connect flow. To set scope from the CLI, use `keystroke credentials set <key> --scope <scope> [--project-slug <slug>]` (that command defaults to `org`).
55
+
56
+ | Scope | When |
57
+ | ----- | ---- |
58
+ | `project` | Tie to one project |
59
+ | `org` | Share with every user and project |
60
+ | `user` | Single user's personal connection |
61
+
62
+ At runtime resolution prefers the **project default first, then the org default**. Get the active project id from `keystroke config show`.
63
+
64
+ ## Manage & bind credentials
65
+
66
+ Day-to-day management (output is JSON):
67
+
68
+ ```bash
69
+ keystroke credentials list # every instance + scope + default flag
70
+ keystroke credentials get <credential-id>
71
+ keystroke credentials update <credential-id> --label "Prod" --default
72
+ keystroke credentials rotate-key <credential-id> --set apiKey=@env:ACME_API_KEY
73
+ keystroke credentials delete <credential-id>
74
+ ```
75
+
76
+ `--default` marks one instance as the default for its app + scope. When several instances share a scope and none is the default, a run can't auto-resolve — set a default, or **bind** a specific instance to the step/tool that needs it.
77
+
78
+ ### Bind a specific instance to a step or tool
79
+
80
+ An assignment pins an exact credential instance to one consumer. It's the **explicit selection** at the top of the resolution order, so it wins over scope defaults. List the bindable consumers first, then assign:
81
+
82
+ ```bash
83
+ # Workflow consumers are step correlation ids from recent runs (step:<slug>#<n>)
84
+ keystroke credentials consumers list --workflow sync
85
+ keystroke credentials assignments assign --workflow sync --credential org/work --consumer step:fetch-gmail#0
86
+
87
+ # Agent consumers are tool slugs
88
+ keystroke credentials consumers list --agent support
89
+ keystroke credentials assignments assign --agent support --credential vault-prod --consumer vault-lookup
90
+
91
+ # Omit --consumer (or pass "*") to bind every consumer on the target
92
+ keystroke credentials assignments assign --workflow sync --credential work
93
+
94
+ keystroke credentials assignments list --workflow sync # inspect bindings
95
+ keystroke credentials assignments unassign <assignment-id> # remove one
96
+ ```
97
+
98
+ - Exactly one of `--workflow <slug>` or `--agent <slug>` is required.
99
+ - `--credential` takes an instance slug: `work`, `org/work`, or `<app>/<slug>` (e.g. `linear/work`).
100
+ - Workflow consumer ids only appear after a run has produced `step_completed` events; `consumers list` reads them from recent runs.
101
+
102
+ ## Where secrets live
103
+
104
+ App secrets are **not** read from `.env` and are **never** uploaded by `keystroke deploy` — it ships code only. Attach integration secrets by connecting the app with `keystroke connect <slug>`; they're resolved at runtime for your project.
@@ -0,0 +1,66 @@
1
+ ---
2
+ name: keystroke-channels
3
+ description: Let people use keystroke agents from Slack (external channels) — connect Slack, bind channels with `keystroke channel bind`, pick a listen mode. Use when setting up messaging for agents.
4
+ metadata:
5
+ keystroke-domain: channels
6
+ ---
7
+
8
+ # External channels
9
+
10
+ External channels route **Slack (and similar) messages** to an agent — people chat in-channel instead of using the CLI. Slack is the only channel today.
11
+
12
+ ## Setup (Slack)
13
+
14
+ 1. Deploy the agent you want to chat with (`keystroke deploy`)
15
+ 2. Connect Slack once for the org: `keystroke connect slack` (or the web app **Apps** page); complete OAuth
16
+ 3. Bind a channel to the agent (CLI below, or the agent's **External Channels** panel in the web app)
17
+ 4. Message the bound channel per its listen mode
18
+
19
+ ## Bind from the CLI
20
+
21
+ ```bash
22
+ keystroke channel platforms list # supported platforms
23
+ keystroke channel accounts --platform slack # connected workspaces (team ids)
24
+ keystroke channel directory --platform slack --account <team-id> # channels you can bind
25
+ keystroke channel bind \
26
+ --agent support \
27
+ --platform slack \
28
+ --account <team-id> \
29
+ --channel <channel-id> \
30
+ --mode mention
31
+ keystroke channel list --agent support # bindings for an agent
32
+ ```
33
+
34
+ Listen modes (`--mode`): `mention` (only when @mentioned), `all` (every message), `dm` (direct messages). Update or remove a binding with `keystroke channel update-binding --agent <id> --binding <id> --mode all` / `keystroke channel unbind --agent <id> --binding <id>`.
35
+
36
+ `channel bind` also takes an optional `--channel-name <name>` (defaults to the channel id). Every `keystroke channel` subcommand accepts `--project <slug>` to target a non-active project; otherwise they use the active project.
37
+
38
+ ## What happens at runtime
39
+
40
+ Inbound Slack event → lookup channel binding → `runPrompt` for the bound agent → reply in thread.
41
+
42
+ The agent acts **on behalf of the channel**, not the sender: it runs with its own tools, actions, and credentials regardless of who messaged. Only bind agents to channels whose members you trust with everything the agent can do.
43
+
44
+ ## Audit channel-driven sessions
45
+
46
+ The CLI session source is still named `gateway`:
47
+
48
+ ```bash
49
+ keystroke agent sessions list <agent-key> --source gateway
50
+ keystroke agent sessions get <agent-key> <session-id> --include messages,trace
51
+ ```
52
+
53
+ ## Troubleshooting
54
+
55
+ | Issue | Check |
56
+ | ----------- | ------------------------------------------------------------------- |
57
+ | Bot silent | `keystroke agent sessions list` for errors; agent on the binding |
58
+ | "Choose an agent" prompt | The channel has no agent bound — bind one with `keystroke channel bind` |
59
+ | OAuth fails | Slack redirect URLs match your project's web app origin |
60
+ | Wrong agent | Re-bind with `keystroke channel bind` (or the web app panel) |
61
+
62
+ ## Next references
63
+
64
+ - [slack-setup.md](references/slack-setup.md) — connect flow, testing against a deployed project
65
+
66
+ Related: [agents](.agents/skills/keystroke-agents/SKILL.md), [apps](.agents/skills/keystroke-apps/SKILL.md).
@@ -0,0 +1,41 @@
1
+ # Slack channel setup
2
+
3
+ ## Connect Slack
4
+
5
+ Connect the Slack app once for the org with `keystroke connect slack` — the Slack app credentials are entered in the web connect flow, not in your project's `.env`. The connected workspace stays connected; adding more agents is just a bind step.
6
+
7
+ Slack OAuth and the inbound routes mount automatically on your **deployed** project, so connecting against the cloud target works out of the box — you don't add Slack to `keystroke.config.ts`.
8
+
9
+ ## Bind a channel
10
+
11
+ ```bash
12
+ keystroke channel accounts --platform slack # find the team id
13
+ keystroke channel directory --platform slack --account <team-id> # find the channel id
14
+ keystroke channel bind --agent support --platform slack \
15
+ --account <team-id> --channel <channel-id> --mode mention
16
+ ```
17
+
18
+ `--mode` is `mention`, `all`, or `dm`. Thread follow-up is on by default; toggle it with `keystroke channel update-binding --agent <id> --binding <id> --threads` / `--no-threads`.
19
+
20
+ The web app offers the same flow from each agent's **External Channels** panel.
21
+
22
+ ## Testing
23
+
24
+ Slack OAuth and the inbound event routes are handled by your **deployed** project — `keystroke dev` (local watch/rebuild) is not in the Slack delivery path. To test Slack end-to-end: `keystroke deploy`, `keystroke connect slack`, `keystroke channel bind …`, then message the bound channel and inspect the session (below).
25
+
26
+ > Self-hosting the keystroke platform is a separate concern: that setup seeds Slack app credentials via platform env vars (`SLACK_CLIENT_ID/SECRET/SIGNING_SECRET`) and a public origin (`PUBLIC_PLATFORM_PROXY_URL`). Those are **platform** vars, not part of a scaffolded user project, and `keystroke dev` does not read them.
27
+
28
+ ## Audit
29
+
30
+ ```bash
31
+ keystroke agent sessions list <agent-key> --source gateway
32
+ keystroke agent sessions get <agent-key> <session-id> --include messages,trace
33
+ ```
34
+
35
+ ## Common fixes
36
+
37
+ | Issue | Fix |
38
+ | ------------- | -------------------------------------------------- |
39
+ | 401 on events | Check the signing secret in the Slack connection |
40
+ | No reply | Session errors via `keystroke agent sessions list` |
41
+ | Wrong agent | Re-bind with `keystroke channel bind` |