@keystrokehq/keystroke 0.0.173 → 0.0.174

package/dist/{dist-bGasqeNy.mjs → dist-BX0Upt63.mjs}

@@ -1,5 +1,5 @@
 import { Bn as __require, Ln as __commonJSMin, Vn as __toESM } from "./dist-IaCcrwur.mjs";
-import { C as mcpEntityId, _ as CREDENTIAL_SCOPE_LEVEL_TO_SCOPE_TYPE, w as normalizeCredentialList } from "./dist-BF5yN9sB.mjs";
+import { S as normalizeCredentialList, x as mcpEntityId } from "./dist-CFy63Npi.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
 import "node:fs";
 import { ZodFirstPartyTypeKind } from "zod/v3";
@@ -13251,7 +13251,7 @@ async function connectMcpServer(name, options) {
 }
 async function createTransport(url, transport, requestInit, fetchImpl) {
 	if (transport === "sse") {
-		const { SSEClientTransport } = await import("./sse-U_LwOMpt.mjs");
+		const { SSEClientTransport } = await import("./sse-DqYCbW54.mjs");
 		return new SSEClientTransport(url, {
 			requestInit,
 			fetch: fetchImpl
@@ -17156,12 +17156,6 @@ function credentialScopeAnd(scopeType, ...conditions) {
 async function selectCredentialInstanceById$1(id) {
 	return (await getDb$1().select().from(credentialInstances).where(eq(credentialInstances.id, id)).limit(1))[0];
 }
-async function listCredentialInstancesByScope$1(options) {
-	const db = getDb$1();
-	const conditions = [options.scopeId === null ? and(eq(credentialInstances.scopeType, options.scopeType), isNull(credentialInstances.scopeId)) : and(eq(credentialInstances.scopeType, options.scopeType), eq(credentialInstances.scopeId, options.scopeId))];
-	if (options.slug) conditions.push(eq(credentialInstances.slug, options.slug));
-	return db.select().from(credentialInstances).where(credentialScopeAnd(options.scopeType, ...conditions));
-}
 async function selectCredentialInstancesForScope$1(slug, scopeType, scopeId) {
 	const db = getDb$1();
 	const scopeCondition = scopeId === null ? and(eq(credentialInstances.scopeType, scopeType), isNull(credentialInstances.scopeId)) : and(eq(credentialInstances.scopeType, scopeType), eq(credentialInstances.scopeId, scopeId));
@@ -17841,9 +17835,6 @@ async function selectCredentialInstanceById(id) {
 async function selectCredentialInstancesForScope(key, scopeType, scopeId) {
 	return (await selectCredentialInstancesForScope$1(key, scopeType, scopeId)).map(normalizeLocalRow);
 }
-async function listCredentialInstancesByScope(options) {
-	return (await listCredentialInstancesByScope$1(options)).map(normalizeLocalRow);
-}
 //#endregion
 //#region ../credentials/dist/index.mjs
 var MissingCredentialsError = class extends Error {
@@ -18019,20 +18010,6 @@ function createCredentialBackend(options = {}) {
 	}
 	return createLocalCredentialBackend(options);
 }
-const CHAIN_TO_SCOPE = {
-	organization: {
-		scopeType: CREDENTIAL_SCOPE_LEVEL_TO_SCOPE_TYPE.organization,
-		contextKey: "orgId"
-	},
-	project: {
-		scopeType: CREDENTIAL_SCOPE_LEVEL_TO_SCOPE_TYPE.project,
-		contextKey: "projectId"
-	},
-	user: {
-		scopeType: CREDENTIAL_SCOPE_LEVEL_TO_SCOPE_TYPE.user,
-		contextKey: "userId"
-	}
-};
 function toSelectionOption(row) {
 	return {
 		id: row.id,
@@ -18105,21 +18082,12 @@ function withTenantScope(context) {
 		orgId: getServerTenantScopeId()
 	};
 }
-async function listSelectionOptions(key, context) {
-	const scoped = withTenantScope(context);
-	const rows = [];
-	rows.push(...await listCredentialInstancesByScope({
-		key,
-		scopeType: "organization",
-		scopeId: scoped.orgId
-	}));
-	const userId = resolveUserId(key, scoped);
-	if (userId) rows.push(...await listCredentialInstancesByScope({
-		key,
-		scopeType: "user",
-		scopeId: userId
-	}));
-	return rows.map(toSelectionOption);
+function scopeIdForScope(scope, key, context) {
+	switch (scope) {
+		case "organization": return context.orgId;
+		case "project": return context.projectId;
+		case "user": return resolveUserId(key, context);
+	}
 }
 async function resolveAtScope(key, scopeType, scopeId, consumer) {
 	const rows = await selectCredentialInstancesForScope(key, scopeType, scopeId);
@@ -18131,35 +18099,45 @@ async function resolveAtScope(key, scopeType, scopeId, consumer) {
 		throw error;
 	}
 }
+/**
+* Resolution order:
+*   1. A platform-provided binding (explicit instance id in `context.selection`) wins.
+*   2. A scope pinned on the requirement (`.scope("user")`) resolves only at that scope.
+*   3. Otherwise the project default, then the org default. No configurable chain.
+* If nothing matches, throw — there is no binding.
+*/
 async function resolvePolicy(requirement, context, consumer, backend) {
-	const chainAttempted = [];
-	const selectionId = context.selection?.[requirement.key];
+	const attempted = [];
 	const materialBackend = backend ?? createCredentialBackend();
 	const scoped = withTenantScope(context);
-	for (let index = 0; index < requirement.chain.length; index++) {
-		const level = requirement.chain[index];
-		if (level === "selection") {
-			if (selectionId) {
-				chainAttempted.push("selection");
-				return resolveInstanceValue(await resolveSelectedInstance(requirement.key, selectionId, scoped, consumer), requirement, materialBackend);
-			}
-			if (index === requirement.chain.length - 1) throw new NeedsSelectionError({
-				key: requirement.key,
-				options: await listSelectionOptions(requirement.key, scoped),
-				consumer
-			});
-			continue;
-		}
-		const mapping = CHAIN_TO_SCOPE[level];
-		const scopeId = level === "user" ? resolveUserId(requirement.key, scoped) : scoped[mapping.contextKey];
-		if (!scopeId) continue;
-		chainAttempted.push(level);
-		const row = await resolveAtScope(requirement.key, mapping.scopeType, scopeId, consumer);
+	const selectionId = context.selection?.[requirement.key];
+	if (selectionId) return resolveInstanceValue(await resolveSelectedInstance(requirement.key, selectionId, scoped, consumer), requirement, materialBackend);
+	if (requirement.scope) {
+		const scopeId = scopeIdForScope(requirement.scope, requirement.key, scoped);
+		if (scopeId) {
+			attempted.push(requirement.scope);
+			const row = await resolveAtScope(requirement.key, requirement.scope, scopeId, consumer);
+			if (row) return resolveInstanceValue(row, requirement, materialBackend);
+		}
+		throw new MissingCredentialsError({
+			key: requirement.key,
+			chainAttempted: attempted.length > 0 ? attempted : [requirement.scope],
+			consumer
+		});
+	}
+	if (scoped.projectId) {
+		attempted.push("project");
+		const row = await resolveAtScope(requirement.key, "project", scoped.projectId, consumer);
+		if (row) return resolveInstanceValue(row, requirement, materialBackend);
+	}
+	if (scoped.orgId) {
+		attempted.push("organization");
+		const row = await resolveAtScope(requirement.key, "organization", scoped.orgId, consumer);
 		if (row) return resolveInstanceValue(row, requirement, materialBackend);
 	}
 	throw new MissingCredentialsError({
 		key: requirement.key,
-		chainAttempted,
+		chainAttempted: attempted,
 		consumer
 	});
 }
@@ -18285,4 +18263,4 @@ async function resolveActionCredentials(requirements, options) {
 //#endregion
 export { createFetchWithInit as A, connectMcpStdio as C, UnauthorizedError as D, createParser as E, zodToJsonSchema as M, JSONRPCMessageSchema as N, auth as O, connectMcpServer as S, isMcp as T, captureConsole as _, resolveActionCredentials as a, withSpan as b, addAgentSessionDuration as c, getAgentByRoute as d, getSession as f, touchSession as g, resolveRunSourceFromTraceContext as h, isCredentialError as i, normalizeHeaders as j, extractWWWAuthenticateParams as k, appendEvent as l, recordLlmUsageFromAssistantMessage as m, captureCredentialToolErrors as n, resolveMcpTools as o, listMessageEvents as p, createCredentialResolver as r, MESSAGE_EVENT_TYPE as s, buildCredentialRunContext as t, createSession as u, getTraceContext as v, defineMcp as w, connectMcpDefinition as x, logSystem as y };
 
-//# sourceMappingURL=dist-bGasqeNy.mjs.map
+//# sourceMappingURL=dist-BX0Upt63.mjs.map