@keystrokehq/keystroke 1.0.11 → 1.0.12

package/dist/{dist-CziP-YTK.mjs → dist-D53HZMV9.mjs}

@@ -1,5 +1,5 @@
 import { a as __toESM, i as __require, t as __commonJSMin } from "./chunk-D0VCBZRD.mjs";
-import { E as normalizeCredentialList, T as mcpEntityId } from "./dist-CppO7361.mjs";
+import { D as normalizeCredentialList, E as mcpEntityId, x as buildConnectDeeplink } from "./dist-DtejauR-.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
 import "node:fs";
 import "node:path";
@@ -17248,7 +17248,7 @@ async function connectMcpServer(name, options) {
 }
 async function createTransport(url, transport, requestInit, fetchImpl) {
 	if (transport === "sse") {
-		const { SSEClientTransport } = await import("./sse-BDeUGz09.mjs");
+		const { SSEClientTransport } = await import("./sse-CSbz_aIR.mjs");
 		return new SSEClientTransport(url, {
 			requestInit,
 			fetch: fetchImpl
@@ -17899,6 +17899,12 @@ function requireOrganizationScopeId() {
 function getDb() {
 	return getDbFromContext();
 }
+async function selectOrganizationById(id) {
+	return (await getDb().select().from(organizations).where(eq(organizations.id, id)).limit(1))[0];
+}
+async function selectProjectById(projectId) {
+	return (await getDb().select().from(projects).where(eq(projects.id, projectId)).limit(1))[0];
+}
 new AsyncLocalStorage();
 function eqOrganizationScope(table) {
 	return eq(table.organizationId, requireOrganizationScopeId());
@@ -18130,6 +18136,31 @@ async function readCredentialInstanceSecret(instanceId) {
 }
 //#endregion
 //#region ../credentials/dist/index.mjs
+function formatCredentialErrorMessage(error, connect) {
+	switch (error.code) {
+		case "missing_credentials":
+			if (connect) {
+				const connectUrl = buildConnectDeeplink({
+					webUrl: connect.webUrl,
+					orgSlug: connect.orgSlug,
+					appSlug: error.key
+				});
+				return `This agent needs the \`${error.key}\` credential. Connect it here: ${connectUrl}`;
+			}
+			return `This agent needs the \`${error.key}\` credential. Run \`keystroke connect ${error.key}\` or \`keystroke credentials set ${error.key}\` to configure it.`;
+		case "needs_selection":
+			if (connect) {
+				const connectUrl = buildConnectDeeplink({
+					webUrl: connect.webUrl,
+					orgSlug: connect.orgSlug,
+					appSlug: error.key
+				});
+				return `Multiple \`${error.key}\` credentials are available. Pick one here: ${connectUrl}`;
+			}
+			return `Multiple \`${error.key}\` credentials are available. Pick one in the Keystroke dashboard before running this agent.`;
+		case "oauth_not_configured": return error.message;
+	}
+}
 var MissingCredentialsError = class extends Error {
 	code = "missing_credentials";
 	key;
@@ -18182,6 +18213,132 @@ function credentialScopeMatchesContext(scopeType, scopeId, context) {
 		case "user": return scopeId === context.userId;
 	}
 }
+function createLocalCredentialBackend(options = {}) {
+	const { tokenRefresh } = options;
+	return {
+		async resolveApiKey(instanceId, schema) {
+			const row = await selectCredentialInstanceById(instanceId);
+			if (!row) throw new MissingCredentialsError({
+				key: instanceId,
+				chainAttempted: ["api_key"]
+			});
+			if (row.ciphertext) {
+				const plaintext = decryptCredentialPayload(row.ciphertext);
+				return schema.parse(JSON.parse(plaintext));
+			}
+			const secret = await readCredentialInstanceSecret(instanceId);
+			if (secret) return schema.parse(JSON.parse(secret));
+			throw new MissingCredentialsError({
+				key: row.appSlug,
+				chainAttempted: ["api_key"]
+			});
+		},
+		async getOAuthAccessToken(connectionId) {
+			const connection = await getDecryptedOAuthConnectionById(connectionId);
+			if (!connection) throw new Error(`OAuth connection not found: ${connectionId}`);
+			const app = await getDecryptedOAuthAppById(connection.appId);
+			if (!app) throw new Error(`OAuth app not found for connection: ${connectionId}`);
+			return { accessToken: await resolveOAuthAccessToken(connection, app, tokenRefresh) };
+		}
+	};
+}
+function materializeUrl(baseUrl, projectId) {
+	return `${baseUrl}/internal/projects/${encodeURIComponent(projectId)}/credentials/materialize`;
+}
+function requireProjectScopeId() {
+	const projectId = getBoundProjectScopeId();
+	if (!projectId) throw new Error("Credential backend requires project scope");
+	return projectId;
+}
+function createPlatformCredentialBackend(options) {
+	const baseUrl = options.platformUrl.replace(/\/+$/, "");
+	async function materialize(body) {
+		const response = await fetch(materializeUrl(baseUrl, requireProjectScopeId()), {
+			method: "POST",
+			headers: {
+				Authorization: `Bearer ${options.workerToken}`,
+				"Content-Type": "application/json"
+			},
+			body: JSON.stringify(body)
+		});
+		if (!response.ok) {
+			const payload = await response.json().catch(() => null);
+			throw new Error(payload?.message ?? `Platform credential materialize failed (${response.status})`);
+		}
+		const payload = await response.json();
+		if (payload.kind === "api_key") return { value: payload.value };
+		return { accessToken: payload.accessToken };
+	}
+	return {
+		async resolveApiKey(instanceId, schema) {
+			const { value } = await materialize({
+				kind: "api_key",
+				instanceId
+			});
+			return schema.parse(value);
+		},
+		async getOAuthAccessToken(connectionId) {
+			const { accessToken } = await materialize({
+				kind: "oauth",
+				connectionId
+			});
+			if (!accessToken) throw new Error(`Platform did not return an access token for connection: ${connectionId}`);
+			return { accessToken };
+		}
+	};
+}
+/**
+* A hosted worker is identified by the platform connection it must route through:
+* `PLATFORM_URL` + `WORKER_INTERNAL_TOKEN`. Workers never hold the decryption key, so
+* they always materialize secrets over the platform internal API; everything else
+* (platform process, standalone CLI) resolves locally against its own database.
+*
+* Org workers share one platform backend; project id comes from async job scope at
+* resolve time, not from env.
+*/
+function isWorkerRuntime(env = process.env) {
+	return Boolean(env.WORKER_INTERNAL_TOKEN?.trim() && env.PLATFORM_URL?.trim());
+}
+function createCredentialBackend(options = {}) {
+	if (isWorkerRuntime()) return createPlatformCredentialBackend({
+		platformUrl: process.env.PLATFORM_URL.trim(),
+		workerToken: process.env.WORKER_INTERNAL_TOKEN.trim()
+	});
+	return createLocalCredentialBackend(options);
+}
+/**
+* Web connect context (org slug + web URL) for the current project scope, or
+* `null` when unavailable — standalone, no bound project scope, or no
+* `PUBLIC_WEB_URL`. Org slug comes from the platform internal API on workers
+* (no decryption key, so no direct DB), otherwise the platform DB.
+*/
+async function resolveAgentConnectContext() {
+	const projectId = getBoundProjectScopeId();
+	if (!projectId) return null;
+	const webUrl = process.env.PUBLIC_WEB_URL?.trim();
+	if (!webUrl) return null;
+	const orgSlug = await resolveOrgSlug(projectId);
+	if (!orgSlug) return null;
+	return {
+		orgSlug,
+		webUrl
+	};
+}
+async function resolveOrgSlug(projectId) {
+	if (isWorkerRuntime()) return fetchOrgSlugFromPlatform(projectId);
+	const project = await selectProjectById(projectId);
+	if (!project) return null;
+	return (await selectOrganizationById(project.organizationId))?.slug.trim() || null;
+}
+async function fetchOrgSlugFromPlatform(projectId) {
+	const platformUrl = process.env.PLATFORM_URL?.trim();
+	const workerToken = process.env.WORKER_INTERNAL_TOKEN?.trim();
+	if (!platformUrl || !workerToken) return null;
+	const baseUrl = platformUrl.replace(/\/+$/, "");
+	const response = await fetch(`${baseUrl}/internal/projects/${encodeURIComponent(projectId)}/connect-context`, { headers: { Authorization: `Bearer ${workerToken}` } });
+	if (!response.ok) return null;
+	return (await response.json()).orgSlug?.trim() || null;
+}
 function captureCredentialToolErrors(tools) {
 	let captured;
 	return {
@@ -18194,7 +18351,12 @@ function captureCredentialToolErrors(tools) {
 					try {
 						return await execute(...args);
 					} catch (error) {
-						if (isCredentialError(error)) captured = error;
+						if (isCredentialError(error)) {
+							captured = error;
+							try {
+								error.message = formatCredentialErrorMessage(error, await resolveAgentConnectContext() ?? void 0);
+							} catch {}
+						}
 						throw error;
 					}
 				}
@@ -18307,99 +18469,6 @@ function buildCredentialRunContext(input) {
 		}
 	};
 }
-function createLocalCredentialBackend(options = {}) {
-	const { tokenRefresh } = options;
-	return {
-		async resolveApiKey(instanceId, schema) {
-			const row = await selectCredentialInstanceById(instanceId);
-			if (!row) throw new MissingCredentialsError({
-				key: instanceId,
-				chainAttempted: ["api_key"]
-			});
-			if (row.ciphertext) {
-				const plaintext = decryptCredentialPayload(row.ciphertext);
-				return schema.parse(JSON.parse(plaintext));
-			}
-			const secret = await readCredentialInstanceSecret(instanceId);
-			if (secret) return schema.parse(JSON.parse(secret));
-			throw new MissingCredentialsError({
-				key: row.appSlug,
-				chainAttempted: ["api_key"]
-			});
-		},
-		async getOAuthAccessToken(connectionId) {
-			const connection = await getDecryptedOAuthConnectionById(connectionId);
-			if (!connection) throw new Error(`OAuth connection not found: ${connectionId}`);
-			const app = await getDecryptedOAuthAppById(connection.appId);
-			if (!app) throw new Error(`OAuth app not found for connection: ${connectionId}`);
-			return { accessToken: await resolveOAuthAccessToken(connection, app, tokenRefresh) };
-		}
-	};
-}
-function materializeUrl(baseUrl, projectId) {
-	return `${baseUrl}/internal/projects/${encodeURIComponent(projectId)}/credentials/materialize`;
-}
-function requireProjectScopeId() {
-	const projectId = getBoundProjectScopeId();
-	if (!projectId) throw new Error("Credential backend requires project scope");
-	return projectId;
-}
-function createPlatformCredentialBackend(options) {
-	const baseUrl = options.platformUrl.replace(/\/+$/, "");
-	async function materialize(body) {
-		const response = await fetch(materializeUrl(baseUrl, requireProjectScopeId()), {
-			method: "POST",
-			headers: {
-				Authorization: `Bearer ${options.workerToken}`,
-				"Content-Type": "application/json"
-			},
-			body: JSON.stringify(body)
-		});
-		if (!response.ok) {
-			const payload = await response.json().catch(() => null);
-			throw new Error(payload?.message ?? `Platform credential materialize failed (${response.status})`);
-		}
-		const payload = await response.json();
-		if (payload.kind === "api_key") return { value: payload.value };
-		return { accessToken: payload.accessToken };
-	}
-	return {
-		async resolveApiKey(instanceId, schema) {
-			const { value } = await materialize({
-				kind: "api_key",
-				instanceId
-			});
-			return schema.parse(value);
-		},
-		async getOAuthAccessToken(connectionId) {
-			const { accessToken } = await materialize({
-				kind: "oauth",
-				connectionId
-			});
-			if (!accessToken) throw new Error(`Platform did not return an access token for connection: ${connectionId}`);
-			return { accessToken };
-		}
-	};
-}
-/**
-* A hosted worker is identified by the platform connection it must route through:
-* `PLATFORM_URL` + `WORKER_INTERNAL_TOKEN`. Workers never hold the decryption key, so
-* they always materialize secrets over the platform internal API; everything else
-* (platform process, standalone CLI) resolves locally against its own database.
-*
-* Org workers share one platform backend; project id comes from async job scope at
-* resolve time, not from env.
-*/
-function isWorkerRuntime(env = process.env) {
-	return Boolean(env.WORKER_INTERNAL_TOKEN?.trim() && env.PLATFORM_URL?.trim());
-}
-function createCredentialBackend(options = {}) {
-	if (isWorkerRuntime()) return createPlatformCredentialBackend({
-		platformUrl: process.env.PLATFORM_URL.trim(),
-		workerToken: process.env.WORKER_INTERNAL_TOKEN.trim()
-	});
-	return createLocalCredentialBackend(options);
-}
 function toSelectionOption(row) {
 	return {
 		id: row.id,
@@ -18711,4 +18780,4 @@ async function resolveActionCredentials(requirements, options) {
 //#endregion
 export { recordLlmUsageFromAssistantMessage as A, appendEvent as C, getProjectScopeId as D, getAgentByRoute as E, captureConsole as F, getTraceContext as I, logSystem as L, setSessionLiveMessage as M, setSessionTitle as N, getSession as O, touchSession as P, withSpan as R, addAgentSessionDuration as S, createSession as T, createFetchWithInit as _, resolveActionCredentials as a, JSONRPCMessageSchema as b, connectMcpDefinition as c, defineMcp as d, isMcp as f, extractWWWAuthenticateParams as g, auth as h, isCredentialError as i, resolveRunSourceFromTraceContext as j, listMessageEvents as k, connectMcpServer as l, UnauthorizedError as m, captureCredentialToolErrors as n, resolveMcpTools as o, createParser as p, createCredentialResolver as r, withCredentialAssignments as s, buildCredentialRunContext as t, connectMcpStdio as u, normalizeHeaders as v, clearLiveMessage as w, MESSAGE_EVENT_TYPE as x, zodToJsonSchema as y };
 
-//# sourceMappingURL=dist-CziP-YTK.mjs.map
+//# sourceMappingURL=dist-D53HZMV9.mjs.map