@keystrokehq/keystroke 1.0.7 → 1.0.9

package/dist/{dist-IUl7Bexl.mjs → dist-UzTnzZem.mjs}

@@ -1,5 +1,5 @@
 import { a as __toESM, i as __require, t as __commonJSMin } from "./chunk-D0VCBZRD.mjs";
-import { C as mcpEntityId, w as normalizeCredentialList } from "./dist-DqFdFpiB.mjs";
+import { E as normalizeCredentialList, T as mcpEntityId } from "./dist-CppO7361.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
 import "node:fs";
 import "node:path";
@@ -3115,6 +3115,9 @@ const requestHandle = new AsyncLocalStorage();
 function getRequestDatabaseHandle() {
 	return requestHandle.getStore();
 }
+function isDatabaseInitialized() {
+	return getRequestDatabaseHandle() !== void 0 || false;
+}
 function getDatabaseHandle$1() {
 	const scoped = getRequestDatabaseHandle();
 	if (scoped) return scoped;
@@ -3141,7 +3144,7 @@ const agents = pgTable("agents", {
 	systemPrompt: text$1("system_prompt").notNull(),
 	toolCount: integer$1("tool_count"),
 	credentialCount: integer$1("credential_count"),
-	credentialKeys: jsonb("credential_keys").$type(),
+	appSlugs: jsonb("app_slugs").$type(),
 	registeredAt: timestamp("registered_at", { withTimezone: true }).notNull(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull(),
 	deletedAt: timestamp("deleted_at", { withTimezone: true })
@@ -3158,7 +3161,7 @@ const agentsSqlite = sqliteTable("agents", {
 	systemPrompt: text("system_prompt").notNull(),
 	toolCount: integer("tool_count"),
 	credentialCount: integer("credential_count"),
-	credentialKeys: text("credential_keys", { mode: "json" }).$type(),
+	appSlugs: text("app_slugs", { mode: "json" }).$type(),
 	registeredAt: integer("registered_at", { mode: "timestamp_ms" }).notNull(),
 	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull(),
 	deletedAt: integer("deleted_at", { mode: "timestamp_ms" })
@@ -3426,7 +3429,9 @@ const workflowHooksSqlite = sqliteTable("workflow_hooks", {
 const credentialInstances = pgTable("credential_instances", {
 	id: text$1("id").primaryKey(),
 	projectId: text$1("project_id").notNull(),
+	appSlug: text$1("app_slug").notNull(),
 	slug: text$1("slug").notNull(),
+	name: text$1("name"),
 	scopeType: text$1("scope_type").$type().notNull(),
 	scopeId: text$1("scope_id"),
 	label: text$1("label"),
@@ -3438,11 +3443,13 @@ const credentialInstances = pgTable("credential_instances", {
 	sharedConnectionId: text$1("shared_connection_id"),
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull()
-}, (table) => [uniqueIndex$1("credential_instances_project_slug_scope_label_unique").on(table.projectId, table.slug, table.scopeType, table.scopeId, table.label), index$1("credential_instances_project_slug_scope_idx").on(table.projectId, table.slug, table.scopeType, table.scopeId)]);
+}, (table) => [uniqueIndex$1("credential_instances_project_scope_slug_unique").on(table.projectId, table.scopeType, table.scopeId, table.slug), index$1("credential_instances_project_app_slug_scope_idx").on(table.projectId, table.appSlug, table.scopeType, table.scopeId)]);
 const credentialInstancesSqlite = sqliteTable("credential_instances", {
 	id: text("id").primaryKey(),
 	projectId: text("project_id").notNull(),
+	appSlug: text("app_slug").notNull(),
 	slug: text("slug").notNull(),
+	name: text("name"),
 	scopeType: text("scope_type").$type().notNull(),
 	scopeId: text("scope_id"),
 	label: text("label"),
@@ -3454,7 +3461,30 @@ const credentialInstancesSqlite = sqliteTable("credential_instances", {
 	sharedConnectionId: text("shared_connection_id"),
 	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
 	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
-}, (table) => [uniqueIndex("credential_instances_project_slug_scope_label_unique").on(table.projectId, table.slug, table.scopeType, table.scopeId, table.label), index("credential_instances_project_slug_scope_idx").on(table.projectId, table.slug, table.scopeType, table.scopeId)]);
+}, (table) => [uniqueIndex("credential_instances_project_scope_slug_unique").on(table.projectId, table.scopeType, table.scopeId, table.slug), index("credential_instances_project_app_slug_scope_idx").on(table.projectId, table.appSlug, table.scopeType, table.scopeId)]);
+const credentialAssignments = pgTable("credential_assignments", {
+	id: text$1("id").primaryKey(),
+	projectId: text$1("project_id").notNull(),
+	targetType: text$1("target_type").$type().notNull(),
+	targetKey: text$1("target_key").notNull(),
+	/** '*' = wildcard; else runtime consumer id (step correlation id or tool slug). */
+	consumerId: text$1("consumer_id").notNull(),
+	credentialSlug: text$1("credential_slug").notNull(),
+	instanceId: text$1("instance_id").notNull(),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull()
+}, (table) => [uniqueIndex$1("credential_assignments_project_target_consumer_slug").on(table.projectId, table.targetType, table.targetKey, table.consumerId, table.credentialSlug), index$1("credential_assignments_project_target_idx").on(table.projectId, table.targetType, table.targetKey)]);
+const credentialAssignmentsSqlite = sqliteTable("credential_assignments", {
+	id: text("id").primaryKey(),
+	projectId: text("project_id").notNull(),
+	targetType: text("target_type").$type().notNull(),
+	targetKey: text("target_key").notNull(),
+	consumerId: text("consumer_id").notNull(),
+	credentialSlug: text("credential_slug").notNull(),
+	instanceId: text("instance_id").notNull(),
+	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
+	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
+}, (table) => [uniqueIndex("credential_assignments_project_target_consumer_slug").on(table.projectId, table.targetType, table.targetKey, table.consumerId, table.credentialSlug), index("credential_assignments_project_target_idx").on(table.projectId, table.targetType, table.targetKey)]);
 const jobs = pgTable("jobs", {
 	id: text$1("id").primaryKey(),
 	projectId: text$1("project_id").notNull(),
@@ -3691,6 +3721,10 @@ const tableRegistry$1 = {
 		pg: credentialInstances,
 		sqlite: credentialInstancesSqlite
 	},
+	credentialAssignments: {
+		pg: credentialAssignments,
+		sqlite: credentialAssignmentsSqlite
+	},
 	jobs: {
 		pg: jobs,
 		sqlite: jobsSqlite
@@ -3813,13 +3847,16 @@ function credentialScopeAnd(scopeType, ...conditions) {
 	if (scopeType === "project") return scopedAnd$1(credentialInstances, ...conditions);
 	return and(...conditions.filter(Boolean));
 }
-async function selectCredentialInstanceById$1(id) {
+async function selectCredentialInstanceById(id) {
 	return (await getDb$1().select().from(credentialInstances).where(eq(credentialInstances.id, id)).limit(1))[0];
 }
-async function selectCredentialInstancesForScope$1(slug, scopeType, scopeId) {
+async function selectCredentialInstancesForScope(appSlug, scopeType, scopeId) {
 	const db = getDb$1();
 	const scopeCondition = scopeId === null ? and(eq(credentialInstances.scopeType, scopeType), isNull(credentialInstances.scopeId)) : and(eq(credentialInstances.scopeType, scopeType), eq(credentialInstances.scopeId, scopeId));
-	return db.select().from(credentialInstances).where(credentialScopeAnd(scopeType, eq(credentialInstances.slug, slug), scopeCondition));
+	return db.select().from(credentialInstances).where(credentialScopeAnd(scopeType, eq(credentialInstances.appSlug, appSlug), scopeCondition));
+}
+async function listCredentialAssignmentsByTarget(options) {
+	return getDb$1().select().from(credentialAssignments).where(scopedAnd$1(credentialAssignments, eq(credentialAssignments.targetType, options.targetType), eq(credentialAssignments.targetKey, options.targetKey)));
 }
 async function selectTraceSpanById(id) {
 	const db = getDb$1();
@@ -17211,7 +17248,7 @@ async function connectMcpServer(name, options) {
 }
 async function createTransport(url, transport, requestInit, fetchImpl) {
 	if (transport === "sse") {
-		const { SSEClientTransport } = await import("./sse-DI7TsPKG.mjs");
+		const { SSEClientTransport } = await import("./sse-CDOw-yuH.mjs");
 		return new SSEClientTransport(url, {
 			requestInit,
 			fetch: fetchImpl
@@ -18001,6 +18038,26 @@ async function resolveOAuthAccessToken(connection, app, tokenRefresh) {
 	return refreshed.accessToken;
 }
 //#endregion
+//#region ../credentials/dist/store-BokhwcCi.mjs
+function normalizeRow(row) {
+	const { projectId: _projectId, ...rest } = row;
+	return rest;
+}
+async function listCredentialAssignmentsByTarget$1(options) {
+	return (await listCredentialAssignmentsByTarget(options)).map(normalizeRow);
+}
+function normalizeLocalRow(row) {
+	const { projectId: _projectId, ...rest } = row;
+	return rest;
+}
+async function selectCredentialInstanceById$1(id) {
+	const row = await selectCredentialInstanceById(id);
+	return row ? normalizeLocalRow(row) : void 0;
+}
+async function selectCredentialInstancesForScope$1(appSlug, scopeType, scopeId) {
+	return (await selectCredentialInstancesForScope(appSlug, scopeType, scopeId)).map(normalizeLocalRow);
+}
+//#endregion
 //#region ../secrets/dist/index.mjs
 const ALGORITHM = "aes-256-gcm";
 const IV_LENGTH = 12;
@@ -18072,19 +18129,6 @@ async function readCredentialInstanceSecret(instanceId) {
 	});
 }
 //#endregion
-//#region ../credentials/dist/store/index.mjs
-function normalizeLocalRow(row) {
-	const { projectId: _projectId, ...rest } = row;
-	return rest;
-}
-async function selectCredentialInstanceById(id) {
-	const row = await selectCredentialInstanceById$1(id);
-	return row ? normalizeLocalRow(row) : void 0;
-}
-async function selectCredentialInstancesForScope(key, scopeType, scopeId) {
-	return (await selectCredentialInstancesForScope$1(key, scopeType, scopeId)).map(normalizeLocalRow);
-}
-//#endregion
 //#region ../credentials/dist/index.mjs
 var MissingCredentialsError = class extends Error {
 	code = "missing_credentials";
@@ -18163,6 +18207,93 @@ function captureCredentialToolErrors(tools) {
 		}
 	};
 }
+const EMPTY_ASSIGNMENT_SET = {
+	byConsumer: {},
+	wildcard: {}
+};
+function selectAssignedInstanceId(assignments, consumerId, credentialSlug) {
+	if (!assignments) return;
+	if (consumerId) {
+		const specific = assignments.byConsumer[consumerId]?.[credentialSlug];
+		if (specific) return specific;
+	}
+	return assignments.wildcard[credentialSlug];
+}
+function buildAssignmentSet(rows) {
+	const byConsumer = {};
+	const wildcard = {};
+	for (const row of rows) {
+		if (row.consumerId === "*") {
+			wildcard[row.credentialSlug] = row.instanceId;
+			continue;
+		}
+		const bucket = byConsumer[row.consumerId] ?? {};
+		bucket[row.credentialSlug] = row.instanceId;
+		byConsumer[row.consumerId] = bucket;
+	}
+	return {
+		byConsumer,
+		wildcard
+	};
+}
+async function loadCredentialAssignments(options) {
+	if (!isDatabaseInitialized()) return EMPTY_ASSIGNMENT_SET;
+	return buildAssignmentSet(await listCredentialAssignmentsByTarget$1(options));
+}
+async function withCredentialAssignments(context, options) {
+	const assignments = await loadCredentialAssignments(options);
+	return {
+		...context,
+		assignments
+	};
+}
+function pickKeystrokeInstanceRow(rows, key, consumer) {
+	if (rows.length === 0) return;
+	if (rows.length === 1) return rows[0];
+	const defaults = rows.filter((row) => row.isDefault);
+	if (defaults.length === 1) return defaults[0];
+	if (consumer !== void 0) throw new NeedsSelectionError({
+		key,
+		options: rows.map((row) => ({
+			id: row.id,
+			label: row.name ?? row.label,
+			scopeType: row.scopeType,
+			scopeId: row.scopeId
+		})),
+		consumer
+	});
+	return rows.find((row) => row.isDefault) ?? rows[0];
+}
+async function resolveAssignedKeystrokeInstance(app, assignments, consumerId) {
+	const assignedId = selectAssignedInstanceId(assignments, consumerId, app);
+	if (!assignedId) return;
+	const row = await selectCredentialInstanceById$1(assignedId);
+	if (!row || row.authKind !== "keystroke" || !row.connectionId || row.appSlug !== app) return;
+	return {
+		instanceId: assignedId,
+		scopeType: row.scopeType,
+		scopeId: row.scopeId
+	};
+}
+/** Assignment lookup (when assignments provided) then ordered scope walk. User scope only when included in scopes. */
+async function resolveKeystrokeInstanceId(options) {
+	const assignments = options.assignments ?? (options.assignmentTarget ? await loadCredentialAssignments({
+		targetType: options.assignmentTarget.type,
+		targetKey: options.assignmentTarget.key
+	}) : void 0);
+	if (assignments) {
+		const assigned = await resolveAssignedKeystrokeInstance(options.app, assignments, options.consumerId);
+		if (assigned) return assigned;
+	}
+	for (const [scopeType, scopeId] of options.scopes) {
+		const row = pickKeystrokeInstanceRow((await selectCredentialInstancesForScope$1(options.app, scopeType, scopeId)).filter((row) => row.authKind === "keystroke" && row.connectionId), options.app, options.consumer);
+		if (row) return {
+			instanceId: row.id,
+			scopeType: row.scopeType,
+			scopeId: row.scopeId
+		};
+	}
+}
 function buildCredentialRunContext(input) {
 	const subscription = input.subscription;
 	const request = input.request ?? {};
@@ -18180,7 +18311,7 @@ function createLocalCredentialBackend(options = {}) {
 	const { tokenRefresh } = options;
 	return {
 		async resolveApiKey(instanceId, schema) {
-			const row = await selectCredentialInstanceById$1(instanceId);
+			const row = await selectCredentialInstanceById(instanceId);
 			if (!row) throw new MissingCredentialsError({
 				key: instanceId,
 				chainAttempted: ["api_key"]
@@ -18192,7 +18323,7 @@ function createLocalCredentialBackend(options = {}) {
 			const secret = await readCredentialInstanceSecret(instanceId);
 			if (secret) return schema.parse(JSON.parse(secret));
 			throw new MissingCredentialsError({
-				key: row.slug,
+				key: row.appSlug,
 				chainAttempted: ["api_key"]
 			});
 		},
@@ -18272,7 +18403,7 @@ function createCredentialBackend(options = {}) {
 function toSelectionOption(row) {
 	return {
 		id: row.id,
-		label: row.label,
+		label: row.name ?? row.label,
 		scopeType: row.scopeType,
 		scopeId: row.scopeId
 	};
@@ -18298,12 +18429,12 @@ function pickInstance(rows, key, consumer) {
 async function resolveInstanceValue(row, requirement, backend) {
 	if (row.authKind === "keystroke") {
 		if (!row.connectionId) throw new MissingCredentialsError({
-			key: row.slug,
+			key: row.appSlug,
 			chainAttempted: ["keystroke"]
 		});
 		const scopeId = row.scopeType === "organization" ? getServerTenantScopeId() : row.scopeId ?? "";
 		if (!scopeId) throw new MissingCredentialsError({
-			key: row.slug,
+			key: row.appSlug,
 			chainAttempted: ["keystroke"]
 		});
 		const value = {
@@ -18315,7 +18446,7 @@ async function resolveInstanceValue(row, requirement, backend) {
 	}
 	if (row.authKind === "oauth_managed") {
 		if (!row.connectionId) throw new MissingCredentialsError({
-			key: row.slug,
+			key: row.appSlug,
 			chainAttempted: ["oauth_managed"]
 		});
 		const token = await backend.getOAuthAccessToken(row.connectionId);
@@ -18326,8 +18457,8 @@ async function resolveInstanceValue(row, requirement, backend) {
 	return backend.resolveApiKey(row.id, requirement.schema);
 }
 async function resolveSelectedInstance(key, instanceId, context, consumer) {
-	const row = await selectCredentialInstanceById(instanceId);
-	if (!row || row.slug !== key) throw new MissingCredentialsError({
+	const row = await selectCredentialInstanceById$1(instanceId);
+	if (!row || row.appSlug !== key) throw new MissingCredentialsError({
 		key,
 		chainAttempted: ["selection"],
 		consumer
@@ -18349,26 +18480,58 @@ function scopeIdForScope(scope, key, context) {
 	}
 }
 async function resolveAtScope(key, scopeType, scopeId, consumer) {
-	const rows = await selectCredentialInstancesForScope(key, scopeType, scopeId);
+	const rows = await selectCredentialInstancesForScope$1(key, scopeType, scopeId);
 	if (rows.length === 0) return;
-	try {
-		return pickInstance(rows, key, consumer);
-	} catch (error) {
-		if (error instanceof NeedsSelectionError) throw error;
-		throw error;
+	return pickInstance(rows, key, consumer);
+}
+async function resolveBoundInstance(instanceId, requirement, context, consumer, backend) {
+	const row = await selectCredentialInstanceById$1(instanceId);
+	if (!row || row.appSlug !== requirement.key) throw new MissingCredentialsError({
+		key: requirement.key,
+		chainAttempted: ["binding"],
+		consumer
+	});
+	if (!bindingTenantReachable(row, context)) throw new CredentialAccessDeniedError(instanceId);
+	return resolveInstanceValue(row, requirement, backend ?? createCredentialBackend());
+}
+function bindingTenantReachable(row, context) {
+	switch (row.scopeType) {
+		case "organization": return row.scopeId === context.orgId;
+		case "project": return row.scopeId === context.projectId;
+		case "user": return Boolean(row.scopeId);
+		default: return false;
 	}
 }
 /**
 * Resolution order:
-*   1. A platform-provided binding (explicit instance id in `context.selection`) wins.
-*   2. A scope pinned on the requirement (`.scope("user")`) resolves only at that scope.
-*   3. Otherwise the project default, then the org default. No configurable chain.
-* If nothing matches, throw — there is no binding.
+*   1. Platform assignment (consumer-specific, then wildcard).
+*   2. Client selection in `context.selection`.
+*   3. Scope pinned on the requirement (`.scope("user")`).
+*   4. Project default, then org default.
 */
 async function resolvePolicy(requirement, context, consumer, backend) {
 	const attempted = [];
 	const materialBackend = backend ?? createCredentialBackend();
 	const scoped = withTenantScope(context);
+	const boundId = requirement.kind !== "keystroke" ? selectAssignedInstanceId(scoped.assignments, consumer?.id, requirement.key) : void 0;
+	if (boundId) return resolveBoundInstance(boundId, requirement, scoped, consumer, materialBackend);
+	if (requirement.kind === "keystroke") {
+		const bound = await resolveKeystrokeInstanceId({
+			app: requirement.key,
+			scopes: [],
+			assignments: scoped.assignments,
+			consumerId: consumer?.id
+		});
+		if (bound) {
+			const row = await selectCredentialInstanceById$1(bound.instanceId);
+			if (!row) throw new MissingCredentialsError({
+				key: requirement.key,
+				chainAttempted: ["binding"],
+				consumer
+			});
+			return resolveInstanceValue(row, requirement, materialBackend);
+		}
+	}
 	const selectionId = context.selection?.[requirement.key];
 	if (selectionId) return resolveInstanceValue(await resolveSelectedInstance(requirement.key, selectionId, scoped, consumer), requirement, materialBackend);
 	if (requirement.scope) {
@@ -18384,6 +18547,32 @@ async function resolvePolicy(requirement, context, consumer, backend) {
 			consumer
 		});
 	}
+	if (requirement.kind === "keystroke") {
+		const scopes = [];
+		if (scoped.projectId) {
+			attempted.push("project");
+			scopes.push(["project", scoped.projectId]);
+		}
+		if (scoped.orgId) {
+			attempted.push("organization");
+			scopes.push(["organization", scoped.orgId]);
+		}
+		const resolved = await resolveKeystrokeInstanceId({
+			app: requirement.key,
+			scopes,
+			consumerId: consumer?.id,
+			consumer
+		});
+		if (resolved) {
+			const row = await selectCredentialInstanceById$1(resolved.instanceId);
+			if (row) return resolveInstanceValue(row, requirement, materialBackend);
+		}
+		throw new MissingCredentialsError({
+			key: requirement.key,
+			chainAttempted: attempted,
+			consumer
+		});
+	}
 	if (scoped.projectId) {
 		attempted.push("project");
 		const row = await resolveAtScope(requirement.key, "project", scoped.projectId, consumer);
@@ -18520,6 +18709,6 @@ async function resolveActionCredentials(requirements, options) {
 	return parseResolvedCredentials(requirements, await resolveCredentials(requirements, options.consumer, options.contextOverride));
 }
 //#endregion
-export { resolveRunSourceFromTraceContext as A, clearLiveMessage as C, getSession as D, getProjectScopeId as E, getTraceContext as F, logSystem as I, withSpan as L, setSessionTitle as M, touchSession as N, listMessageEvents as O, captureConsole as P, appendEvent as S, getAgentByRoute as T, normalizeHeaders as _, resolveActionCredentials as a, MESSAGE_EVENT_TYPE as b, connectMcpServer as c, isMcp as d, createParser as f, createFetchWithInit as g, extractWWWAuthenticateParams as h, isCredentialError as i, setSessionLiveMessage as j, recordLlmUsageFromAssistantMessage as k, connectMcpStdio as l, auth as m, captureCredentialToolErrors as n, resolveMcpTools as o, UnauthorizedError as p, createCredentialResolver as r, connectMcpDefinition as s, buildCredentialRunContext as t, defineMcp as u, zodToJsonSchema as v, createSession as w, addAgentSessionDuration as x, JSONRPCMessageSchema as y };
+export { recordLlmUsageFromAssistantMessage as A, appendEvent as C, getProjectScopeId as D, getAgentByRoute as E, captureConsole as F, getTraceContext as I, logSystem as L, setSessionLiveMessage as M, setSessionTitle as N, getSession as O, touchSession as P, withSpan as R, addAgentSessionDuration as S, createSession as T, createFetchWithInit as _, resolveActionCredentials as a, JSONRPCMessageSchema as b, connectMcpDefinition as c, defineMcp as d, isMcp as f, extractWWWAuthenticateParams as g, auth as h, isCredentialError as i, resolveRunSourceFromTraceContext as j, listMessageEvents as k, connectMcpServer as l, UnauthorizedError as m, captureCredentialToolErrors as n, resolveMcpTools as o, createParser as p, createCredentialResolver as r, withCredentialAssignments as s, buildCredentialRunContext as t, connectMcpStdio as u, normalizeHeaders as v, clearLiveMessage as w, MESSAGE_EVENT_TYPE as x, zodToJsonSchema as y };
 
-//# sourceMappingURL=dist-IUl7Bexl.mjs.map
+//# sourceMappingURL=dist-UzTnzZem.mjs.map