@keystrokehq/keystroke 1.0.8 → 1.0.9

package/dist/app.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_dist = require("./dist-DOMwPx7V.cjs");
+const require_dist = require("./dist-HI6bM6LK.cjs");
 require("zod");
 //#region ../app/dist/index.mjs
 function appCredentialFor(slug, input) {

package/dist/app.d.cts

@@ -1,5 +1,5 @@
-import { n as Credential, v as ResolvedCredentials } from "./index-e9f4pcX4.cjs";
-import { c as WorkflowActionDefinition, r as ActionDefinitionInput } from "./index-Dgy9MjuX.cjs";
+import { n as Credential, y as ResolvedCredentials } from "./index-WT4ULMiw.cjs";
+import { l as WorkflowActionDefinition, r as ActionDefinitionInput } from "./index-D4dAsbJr.cjs";
 import { z } from "zod";
 
 //#region ../app/dist/index.d.mts

package/dist/app.d.mts

@@ -1,5 +1,5 @@
-import { n as Credential, v as ResolvedCredentials } from "./index-e9f4pcX4.mjs";
-import { c as WorkflowActionDefinition, r as ActionDefinitionInput } from "./index-Bl4VEelg.mjs";
+import { n as Credential, y as ResolvedCredentials } from "./index-WT4ULMiw.mjs";
+import { l as WorkflowActionDefinition, r as ActionDefinitionInput } from "./index-Sx9T2i0u.mjs";
 import { z } from "zod";
 
 //#region ../app/dist/index.d.mts

package/dist/app.mjs

@@ -1,4 +1,4 @@
-import { r as defineAction, y as credential } from "./dist-DqFdFpiB.mjs";
+import { r as defineAction, x as credential } from "./dist-CppO7361.mjs";
 import "zod";
 //#region ../app/dist/index.mjs
 function appCredentialFor(slug, input) {

package/dist/client.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const require_chunk = require("./chunk-DHdmVzO2.cjs");
-const require_dist = require("./dist-DOMwPx7V.cjs");
+const require_dist = require("./dist-HI6bM6LK.cjs");
 let ky = require("ky");
 ky = require_chunk.__toESM(ky, 1);
 //#region src/client.ts
@@ -24,18 +24,24 @@ function resolveKeystrokeClientTarget(options = {}) {
 		headers: apiKey ? { "x-api-key": apiKey } : {}
 	};
 }
+function buildExecutePayload(input) {
+	const context = require_dist.getRegisteredMcpCredentialContext();
+	return {
+		app: input.app,
+		tool: input.tool,
+		arguments: input.arguments ?? {},
+		version: input.version,
+		...context?.assignmentTarget ? { assignmentTarget: context.assignmentTarget } : {},
+		...context?.consumerId ? { consumerId: context.consumerId } : {}
+	};
+}
 function createKeystrokeClient(options = {}) {
 	const api = ky.default.create({ ...options.ky });
 	return { tools: { execute: (input) => {
 		const target = resolveKeystrokeClientTarget(options);
 		return api.post(target.executePath, {
 			headers: target.headers,
-			json: {
-				app: input.app,
-				tool: input.tool,
-				arguments: input.arguments ?? {},
-				version: input.version
-			}
+			json: buildExecutePayload(input)
 		}).json();
 	} } };
 }

package/dist/client.cjs.map

@@ -1 +1 @@
-{"version":3,"file":"client.cjs","names":["getRegisteredProjectScopeId"],"sources":["../src/client.ts"],"sourcesContent":["import { getRegisteredProjectScopeId } from \"@keystrokehq/action\";\nimport ky, { type KyInstance, type Options } from \"ky\";\n\nexport type KeystrokeClientOptions = {\n  /** Defaults to process.env.KEYSTROKE_API_KEY */\n  apiKey?: string;\n  /** Defaults to PUBLIC_PLATFORM_URL, PLATFORM_URL, or http://localhost:3002 */\n  platformUrl?: string;\n  ky?: Options;\n};\n\ntype KeystrokeClientTarget = {\n  executePath: string;\n  headers: Record<string, string>;\n};\n\nfunction resolveKeystrokePlatformUrl(options: KeystrokeClientOptions): string {\n  return (\n    options.platformUrl ??\n    process.env.PUBLIC_PLATFORM_URL ??\n    process.env.PLATFORM_URL ??\n    \"http://localhost:3002\"\n  ).replace(/\\/+$/, \"\");\n}\n\n/** Worker containers use PLATFORM_URL + /internal/projects/:id/mcp; CLI uses /mcp + org API key. */\nexport function resolveKeystrokeClientTarget(\n  options: KeystrokeClientOptions = {},\n): KeystrokeClientTarget {\n  const platformUrl = resolveKeystrokePlatformUrl(options);\n  const workerToken = process.env.WORKER_INTERNAL_TOKEN?.trim();\n\n  // The machine token identifies a worker. The project is the one bound for this run — the job\n  // handler resolves it from the agent DB record (resolveAgentProjectId), binds it via\n  // runWithProjectScope, and registers the getter so the facade reads it without importing\n  // `@keystrokehq/database`. The platform resolves the credential instance server-side from\n  // {app, project} (project → org → user). No PROJECT_ID env var.\n  if (workerToken) {\n    const projectId = getRegisteredProjectScopeId() ?? \"default\";\n    return {\n      executePath: `${platformUrl}/internal/projects/${encodeURIComponent(projectId)}/mcp/execute`,\n      headers: { Authorization: `Bearer ${workerToken}` },\n    };\n  }\n\n  const apiKey = options.apiKey ?? process.env.KEYSTROKE_API_KEY;\n  return {\n    executePath: `${platformUrl}/mcp/execute`,\n    headers: apiKey ? { \"x-api-key\": apiKey } : {},\n  };\n}\n\nexport type ExecuteToolInput = {\n  app: string;\n  tool: string;\n  arguments?: Record<string, unknown>;\n  /** Pinned provider toolkit version (e.g. `20260501_01`); forwarded to the provider on execute. */\n  version: string;\n};\n\nexport type KeystrokeClient = {\n  tools: {\n    execute: (input: ExecuteToolInput) => Promise<{ ok: boolean; result: unknown }>;\n  };\n};\n\nexport function createKeystrokeClient(options: KeystrokeClientOptions = {}): KeystrokeClient {\n  const api: KyInstance = ky.create({\n    ...options.ky,\n  });\n\n  return {\n    tools: {\n      execute: (input) => {\n        const target = resolveKeystrokeClientTarget(options);\n        return api\n          .post(target.executePath, {\n            headers: target.headers,\n            json: {\n              app: input.app,\n              tool: input.tool,\n              arguments: input.arguments ?? {},\n              version: input.version,\n            },\n          })\n          .json<{ ok: boolean; result: unknown }>();\n      },\n    },\n  };\n}\n"],"mappings":";;;;;;AAgBA,SAAS,4BAA4B,SAAyC;CAC5E,QACE,QAAQ,eACR,QAAQ,IAAI,uBACZ,QAAQ,IAAI,gBACZ,yBACA,QAAQ,QAAQ,EAAE;AACtB;;AAGA,SAAgB,6BACd,UAAkC,CAAC,GACZ;CACvB,MAAM,cAAc,4BAA4B,OAAO;CACvD,MAAM,cAAc,QAAQ,IAAI,uBAAuB,KAAK;CAO5D,IAAI,aAAa;EACf,MAAM,YAAYA,aAAAA,4BAA4B,KAAK;EACnD,OAAO;GACL,aAAa,GAAG,YAAY,qBAAqB,mBAAmB,SAAS,EAAE;GAC/E,SAAS,EAAE,eAAe,UAAU,cAAc;EACpD;CACF;CAEA,MAAM,SAAS,QAAQ,UAAU,QAAQ,IAAI;CAC7C,OAAO;EACL,aAAa,GAAG,YAAY;EAC5B,SAAS,SAAS,EAAE,aAAa,OAAO,IAAI,CAAC;CAC/C;AACF;AAgBA,SAAgB,sBAAsB,UAAkC,CAAC,GAAoB;CAC3F,MAAM,MAAkB,GAAA,QAAG,OAAO,EAChC,GAAG,QAAQ,GACb,CAAC;CAED,OAAO,EACL,OAAO,EACL,UAAU,UAAU;EAClB,MAAM,SAAS,6BAA6B,OAAO;EACnD,OAAO,IACJ,KAAK,OAAO,aAAa;GACxB,SAAS,OAAO;GAChB,MAAM;IACJ,KAAK,MAAM;IACX,MAAM,MAAM;IACZ,WAAW,MAAM,aAAa,CAAC;IAC/B,SAAS,MAAM;GACjB;EACF,CAAC,EACA,KAAuC;CAC5C,EACF,EACF;AACF"}
+{"version":3,"file":"client.cjs","names":["getRegisteredProjectScopeId","getRegisteredMcpCredentialContext"],"sources":["../src/client.ts"],"sourcesContent":["import {\n  getRegisteredMcpCredentialContext,\n  getRegisteredProjectScopeId,\n} from \"@keystrokehq/action\";\nimport ky, { type KyInstance, type Options } from \"ky\";\n\nexport type KeystrokeClientOptions = {\n  /** Defaults to process.env.KEYSTROKE_API_KEY */\n  apiKey?: string;\n  /** Defaults to PUBLIC_PLATFORM_URL, PLATFORM_URL, or http://localhost:3002 */\n  platformUrl?: string;\n  ky?: Options;\n};\n\ntype KeystrokeClientTarget = {\n  executePath: string;\n  headers: Record<string, string>;\n};\n\nfunction resolveKeystrokePlatformUrl(options: KeystrokeClientOptions): string {\n  return (\n    options.platformUrl ??\n    process.env.PUBLIC_PLATFORM_URL ??\n    process.env.PLATFORM_URL ??\n    \"http://localhost:3002\"\n  ).replace(/\\/+$/, \"\");\n}\n\n/** Worker containers use PLATFORM_URL + /internal/projects/:id/mcp; CLI uses /mcp + org API key. */\nexport function resolveKeystrokeClientTarget(\n  options: KeystrokeClientOptions = {},\n): KeystrokeClientTarget {\n  const platformUrl = resolveKeystrokePlatformUrl(options);\n  const workerToken = process.env.WORKER_INTERNAL_TOKEN?.trim();\n\n  // The machine token identifies a worker. The project is the one bound for this run — the job\n  // handler resolves it from the agent DB record (resolveAgentProjectId), binds it via\n  // runWithProjectScope, and registers the getter so the facade reads it without importing\n  // `@keystrokehq/database`. The platform resolves the credential instance server-side from\n  // {app, project} (project → org). User-scoped creds require an explicit binding.\n  if (workerToken) {\n    const projectId = getRegisteredProjectScopeId() ?? \"default\";\n    return {\n      executePath: `${platformUrl}/internal/projects/${encodeURIComponent(projectId)}/mcp/execute`,\n      headers: { Authorization: `Bearer ${workerToken}` },\n    };\n  }\n\n  const apiKey = options.apiKey ?? process.env.KEYSTROKE_API_KEY;\n  return {\n    executePath: `${platformUrl}/mcp/execute`,\n    headers: apiKey ? { \"x-api-key\": apiKey } : {},\n  };\n}\n\nexport type ExecuteToolInput = {\n  app: string;\n  tool: string;\n  arguments?: Record<string, unknown>;\n  /** Pinned provider toolkit version (e.g. `20260501_01`); forwarded to the provider on execute. */\n  version: string;\n};\n\nfunction buildExecutePayload(input: ExecuteToolInput) {\n  const context = getRegisteredMcpCredentialContext();\n  return {\n    app: input.app,\n    tool: input.tool,\n    arguments: input.arguments ?? {},\n    version: input.version,\n    ...(context?.assignmentTarget ? { assignmentTarget: context.assignmentTarget } : {}),\n    ...(context?.consumerId ? { consumerId: context.consumerId } : {}),\n  };\n}\n\nexport type KeystrokeClient = {\n  tools: {\n    execute: (input: ExecuteToolInput) => Promise<{ ok: boolean; result: unknown }>;\n  };\n};\n\nexport function createKeystrokeClient(options: KeystrokeClientOptions = {}): KeystrokeClient {\n  const api: KyInstance = ky.create({\n    ...options.ky,\n  });\n\n  return {\n    tools: {\n      execute: (input) => {\n        const target = resolveKeystrokeClientTarget(options);\n        return api\n          .post(target.executePath, {\n            headers: target.headers,\n            json: buildExecutePayload(input),\n          })\n          .json<{ ok: boolean; result: unknown }>();\n      },\n    },\n  };\n}\n"],"mappings":";;;;;;AAmBA,SAAS,4BAA4B,SAAyC;CAC5E,QACE,QAAQ,eACR,QAAQ,IAAI,uBACZ,QAAQ,IAAI,gBACZ,yBACA,QAAQ,QAAQ,EAAE;AACtB;;AAGA,SAAgB,6BACd,UAAkC,CAAC,GACZ;CACvB,MAAM,cAAc,4BAA4B,OAAO;CACvD,MAAM,cAAc,QAAQ,IAAI,uBAAuB,KAAK;CAO5D,IAAI,aAAa;EACf,MAAM,YAAYA,aAAAA,4BAA4B,KAAK;EACnD,OAAO;GACL,aAAa,GAAG,YAAY,qBAAqB,mBAAmB,SAAS,EAAE;GAC/E,SAAS,EAAE,eAAe,UAAU,cAAc;EACpD;CACF;CAEA,MAAM,SAAS,QAAQ,UAAU,QAAQ,IAAI;CAC7C,OAAO;EACL,aAAa,GAAG,YAAY;EAC5B,SAAS,SAAS,EAAE,aAAa,OAAO,IAAI,CAAC;CAC/C;AACF;AAUA,SAAS,oBAAoB,OAAyB;CACpD,MAAM,UAAUC,aAAAA,kCAAkC;CAClD,OAAO;EACL,KAAK,MAAM;EACX,MAAM,MAAM;EACZ,WAAW,MAAM,aAAa,CAAC;EAC/B,SAAS,MAAM;EACf,GAAI,SAAS,mBAAmB,EAAE,kBAAkB,QAAQ,iBAAiB,IAAI,CAAC;EAClF,GAAI,SAAS,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;CAClE;AACF;AAQA,SAAgB,sBAAsB,UAAkC,CAAC,GAAoB;CAC3F,MAAM,MAAkB,GAAA,QAAG,OAAO,EAChC,GAAG,QAAQ,GACb,CAAC;CAED,OAAO,EACL,OAAO,EACL,UAAU,UAAU;EAClB,MAAM,SAAS,6BAA6B,OAAO;EACnD,OAAO,IACJ,KAAK,OAAO,aAAa;GACxB,SAAS,OAAO;GAChB,MAAM,oBAAoB,KAAK;EACjC,CAAC,EACA,KAAuC;CAC5C,EACF,EACF;AACF"}

package/dist/client.d.cts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.cts","names":[],"sources":["../src/client.ts"],"mappings":";;;KAGY,sBAAA;kDAEV,MAAA,WAFgC;EAIhC,WAAA;EACA,EAAA,GAAK,OAAO;AAAA;AAAA,KAGT,qBAAA;EACH,WAAA;EACA,OAAA,EAAS,MAAM;AAAA;AALH;AAAA,iBAkBE,4BAAA,CACd,OAAA,GAAS,sBAAA,GACR,qBAAqB;AAAA,KAwBZ,gBAAA;EACV,GAAA;EACA,IAAA;EACA,SAAA,GAAY,MAAM,mBA1ClB;EA4CA,OAAA;AAAA;AAAA,KAGU,eAAA;EACV,KAAA;IACE,OAAA,GAAU,KAAA,EAAO,gBAAA,KAAqB,OAAO;MAAG,EAAA;MAAa,MAAA;IAAA;EAAA;AAAA;AAAA,iBAIjD,qBAAA,CAAsB,OAAA,GAAS,sBAAA,GAA8B,eAAe"}
+{"version":3,"file":"client.d.cts","names":[],"sources":["../src/client.ts"],"mappings":";;;KAMY,sBAAA;kDAEV,MAAA,WAFgC;EAIhC,WAAA;EACA,EAAA,GAAK,OAAO;AAAA;AAAA,KAGT,qBAAA;EACH,WAAA;EACA,OAAA,EAAS,MAAM;AAAA;AALH;AAAA,iBAkBE,4BAAA,CACd,OAAA,GAAS,sBAAA,GACR,qBAAqB;AAAA,KAwBZ,gBAAA;EACV,GAAA;EACA,IAAA;EACA,SAAA,GAAY,MAAM,mBA1ClB;EA4CA,OAAA;AAAA;AAAA,KAeU,eAAA;EACV,KAAA;IACE,OAAA,GAAU,KAAA,EAAO,gBAAA,KAAqB,OAAO;MAAG,EAAA;MAAa,MAAA;IAAA;EAAA;AAAA;AAAA,iBAIjD,qBAAA,CAAsB,OAAA,GAAS,sBAAA,GAA8B,eAAe"}

package/dist/client.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.mts","names":[],"sources":["../src/client.ts"],"mappings":";;;KAGY,sBAAA;kDAEV,MAAA,WAFgC;EAIhC,WAAA;EACA,EAAA,GAAK,OAAO;AAAA;AAAA,KAGT,qBAAA;EACH,WAAA;EACA,OAAA,EAAS,MAAM;AAAA;AALH;AAAA,iBAkBE,4BAAA,CACd,OAAA,GAAS,sBAAA,GACR,qBAAqB;AAAA,KAwBZ,gBAAA;EACV,GAAA;EACA,IAAA;EACA,SAAA,GAAY,MAAM,mBA1ClB;EA4CA,OAAA;AAAA;AAAA,KAGU,eAAA;EACV,KAAA;IACE,OAAA,GAAU,KAAA,EAAO,gBAAA,KAAqB,OAAO;MAAG,EAAA;MAAa,MAAA;IAAA;EAAA;AAAA;AAAA,iBAIjD,qBAAA,CAAsB,OAAA,GAAS,sBAAA,GAA8B,eAAe"}
+{"version":3,"file":"client.d.mts","names":[],"sources":["../src/client.ts"],"mappings":";;;KAMY,sBAAA;kDAEV,MAAA,WAFgC;EAIhC,WAAA;EACA,EAAA,GAAK,OAAO;AAAA;AAAA,KAGT,qBAAA;EACH,WAAA;EACA,OAAA,EAAS,MAAM;AAAA;AALH;AAAA,iBAkBE,4BAAA,CACd,OAAA,GAAS,sBAAA,GACR,qBAAqB;AAAA,KAwBZ,gBAAA;EACV,GAAA;EACA,IAAA;EACA,SAAA,GAAY,MAAM,mBA1ClB;EA4CA,OAAA;AAAA;AAAA,KAeU,eAAA;EACV,KAAA;IACE,OAAA,GAAU,KAAA,EAAO,gBAAA,KAAqB,OAAO;MAAG,EAAA;MAAa,MAAA;IAAA;EAAA;AAAA;AAAA,iBAIjD,qBAAA,CAAsB,OAAA,GAAS,sBAAA,GAA8B,eAAe"}

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { o as getRegisteredProjectScopeId } from "./dist-DqFdFpiB.mjs";
+import { o as getRegisteredMcpCredentialContext, s as getRegisteredProjectScopeId } from "./dist-CppO7361.mjs";
 import ky from "ky";
 //#region src/client.ts
 function resolveKeystrokePlatformUrl(options) {
@@ -21,18 +21,24 @@ function resolveKeystrokeClientTarget(options = {}) {
 		headers: apiKey ? { "x-api-key": apiKey } : {}
 	};
 }
+function buildExecutePayload(input) {
+	const context = getRegisteredMcpCredentialContext();
+	return {
+		app: input.app,
+		tool: input.tool,
+		arguments: input.arguments ?? {},
+		version: input.version,
+		...context?.assignmentTarget ? { assignmentTarget: context.assignmentTarget } : {},
+		...context?.consumerId ? { consumerId: context.consumerId } : {}
+	};
+}
 function createKeystrokeClient(options = {}) {
 	const api = ky.create({ ...options.ky });
 	return { tools: { execute: (input) => {
 		const target = resolveKeystrokeClientTarget(options);
 		return api.post(target.executePath, {
 			headers: target.headers,
-			json: {
-				app: input.app,
-				tool: input.tool,
-				arguments: input.arguments ?? {},
-				version: input.version
-			}
+			json: buildExecutePayload(input)
 		}).json();
 	} } };
 }

package/dist/client.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"client.mjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["import { getRegisteredProjectScopeId } from \"@keystrokehq/action\";\nimport ky, { type KyInstance, type Options } from \"ky\";\n\nexport type KeystrokeClientOptions = {\n  /** Defaults to process.env.KEYSTROKE_API_KEY */\n  apiKey?: string;\n  /** Defaults to PUBLIC_PLATFORM_URL, PLATFORM_URL, or http://localhost:3002 */\n  platformUrl?: string;\n  ky?: Options;\n};\n\ntype KeystrokeClientTarget = {\n  executePath: string;\n  headers: Record<string, string>;\n};\n\nfunction resolveKeystrokePlatformUrl(options: KeystrokeClientOptions): string {\n  return (\n    options.platformUrl ??\n    process.env.PUBLIC_PLATFORM_URL ??\n    process.env.PLATFORM_URL ??\n    \"http://localhost:3002\"\n  ).replace(/\\/+$/, \"\");\n}\n\n/** Worker containers use PLATFORM_URL + /internal/projects/:id/mcp; CLI uses /mcp + org API key. */\nexport function resolveKeystrokeClientTarget(\n  options: KeystrokeClientOptions = {},\n): KeystrokeClientTarget {\n  const platformUrl = resolveKeystrokePlatformUrl(options);\n  const workerToken = process.env.WORKER_INTERNAL_TOKEN?.trim();\n\n  // The machine token identifies a worker. The project is the one bound for this run — the job\n  // handler resolves it from the agent DB record (resolveAgentProjectId), binds it via\n  // runWithProjectScope, and registers the getter so the facade reads it without importing\n  // `@keystrokehq/database`. The platform resolves the credential instance server-side from\n  // {app, project} (project → org → user). No PROJECT_ID env var.\n  if (workerToken) {\n    const projectId = getRegisteredProjectScopeId() ?? \"default\";\n    return {\n      executePath: `${platformUrl}/internal/projects/${encodeURIComponent(projectId)}/mcp/execute`,\n      headers: { Authorization: `Bearer ${workerToken}` },\n    };\n  }\n\n  const apiKey = options.apiKey ?? process.env.KEYSTROKE_API_KEY;\n  return {\n    executePath: `${platformUrl}/mcp/execute`,\n    headers: apiKey ? { \"x-api-key\": apiKey } : {},\n  };\n}\n\nexport type ExecuteToolInput = {\n  app: string;\n  tool: string;\n  arguments?: Record<string, unknown>;\n  /** Pinned provider toolkit version (e.g. `20260501_01`); forwarded to the provider on execute. */\n  version: string;\n};\n\nexport type KeystrokeClient = {\n  tools: {\n    execute: (input: ExecuteToolInput) => Promise<{ ok: boolean; result: unknown }>;\n  };\n};\n\nexport function createKeystrokeClient(options: KeystrokeClientOptions = {}): KeystrokeClient {\n  const api: KyInstance = ky.create({\n    ...options.ky,\n  });\n\n  return {\n    tools: {\n      execute: (input) => {\n        const target = resolveKeystrokeClientTarget(options);\n        return api\n          .post(target.executePath, {\n            headers: target.headers,\n            json: {\n              app: input.app,\n              tool: input.tool,\n              arguments: input.arguments ?? {},\n              version: input.version,\n            },\n          })\n          .json<{ ok: boolean; result: unknown }>();\n      },\n    },\n  };\n}\n"],"mappings":";;;AAgBA,SAAS,4BAA4B,SAAyC;CAC5E,QACE,QAAQ,eACR,QAAQ,IAAI,uBACZ,QAAQ,IAAI,gBACZ,yBACA,QAAQ,QAAQ,EAAE;AACtB;;AAGA,SAAgB,6BACd,UAAkC,CAAC,GACZ;CACvB,MAAM,cAAc,4BAA4B,OAAO;CACvD,MAAM,cAAc,QAAQ,IAAI,uBAAuB,KAAK;CAO5D,IAAI,aAAa;EACf,MAAM,YAAY,4BAA4B,KAAK;EACnD,OAAO;GACL,aAAa,GAAG,YAAY,qBAAqB,mBAAmB,SAAS,EAAE;GAC/E,SAAS,EAAE,eAAe,UAAU,cAAc;EACpD;CACF;CAEA,MAAM,SAAS,QAAQ,UAAU,QAAQ,IAAI;CAC7C,OAAO;EACL,aAAa,GAAG,YAAY;EAC5B,SAAS,SAAS,EAAE,aAAa,OAAO,IAAI,CAAC;CAC/C;AACF;AAgBA,SAAgB,sBAAsB,UAAkC,CAAC,GAAoB;CAC3F,MAAM,MAAkB,GAAG,OAAO,EAChC,GAAG,QAAQ,GACb,CAAC;CAED,OAAO,EACL,OAAO,EACL,UAAU,UAAU;EAClB,MAAM,SAAS,6BAA6B,OAAO;EACnD,OAAO,IACJ,KAAK,OAAO,aAAa;GACxB,SAAS,OAAO;GAChB,MAAM;IACJ,KAAK,MAAM;IACX,MAAM,MAAM;IACZ,WAAW,MAAM,aAAa,CAAC;IAC/B,SAAS,MAAM;GACjB;EACF,CAAC,EACA,KAAuC;CAC5C,EACF,EACF;AACF"}
+{"version":3,"file":"client.mjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["import {\n  getRegisteredMcpCredentialContext,\n  getRegisteredProjectScopeId,\n} from \"@keystrokehq/action\";\nimport ky, { type KyInstance, type Options } from \"ky\";\n\nexport type KeystrokeClientOptions = {\n  /** Defaults to process.env.KEYSTROKE_API_KEY */\n  apiKey?: string;\n  /** Defaults to PUBLIC_PLATFORM_URL, PLATFORM_URL, or http://localhost:3002 */\n  platformUrl?: string;\n  ky?: Options;\n};\n\ntype KeystrokeClientTarget = {\n  executePath: string;\n  headers: Record<string, string>;\n};\n\nfunction resolveKeystrokePlatformUrl(options: KeystrokeClientOptions): string {\n  return (\n    options.platformUrl ??\n    process.env.PUBLIC_PLATFORM_URL ??\n    process.env.PLATFORM_URL ??\n    \"http://localhost:3002\"\n  ).replace(/\\/+$/, \"\");\n}\n\n/** Worker containers use PLATFORM_URL + /internal/projects/:id/mcp; CLI uses /mcp + org API key. */\nexport function resolveKeystrokeClientTarget(\n  options: KeystrokeClientOptions = {},\n): KeystrokeClientTarget {\n  const platformUrl = resolveKeystrokePlatformUrl(options);\n  const workerToken = process.env.WORKER_INTERNAL_TOKEN?.trim();\n\n  // The machine token identifies a worker. The project is the one bound for this run — the job\n  // handler resolves it from the agent DB record (resolveAgentProjectId), binds it via\n  // runWithProjectScope, and registers the getter so the facade reads it without importing\n  // `@keystrokehq/database`. The platform resolves the credential instance server-side from\n  // {app, project} (project → org). User-scoped creds require an explicit binding.\n  if (workerToken) {\n    const projectId = getRegisteredProjectScopeId() ?? \"default\";\n    return {\n      executePath: `${platformUrl}/internal/projects/${encodeURIComponent(projectId)}/mcp/execute`,\n      headers: { Authorization: `Bearer ${workerToken}` },\n    };\n  }\n\n  const apiKey = options.apiKey ?? process.env.KEYSTROKE_API_KEY;\n  return {\n    executePath: `${platformUrl}/mcp/execute`,\n    headers: apiKey ? { \"x-api-key\": apiKey } : {},\n  };\n}\n\nexport type ExecuteToolInput = {\n  app: string;\n  tool: string;\n  arguments?: Record<string, unknown>;\n  /** Pinned provider toolkit version (e.g. `20260501_01`); forwarded to the provider on execute. */\n  version: string;\n};\n\nfunction buildExecutePayload(input: ExecuteToolInput) {\n  const context = getRegisteredMcpCredentialContext();\n  return {\n    app: input.app,\n    tool: input.tool,\n    arguments: input.arguments ?? {},\n    version: input.version,\n    ...(context?.assignmentTarget ? { assignmentTarget: context.assignmentTarget } : {}),\n    ...(context?.consumerId ? { consumerId: context.consumerId } : {}),\n  };\n}\n\nexport type KeystrokeClient = {\n  tools: {\n    execute: (input: ExecuteToolInput) => Promise<{ ok: boolean; result: unknown }>;\n  };\n};\n\nexport function createKeystrokeClient(options: KeystrokeClientOptions = {}): KeystrokeClient {\n  const api: KyInstance = ky.create({\n    ...options.ky,\n  });\n\n  return {\n    tools: {\n      execute: (input) => {\n        const target = resolveKeystrokeClientTarget(options);\n        return api\n          .post(target.executePath, {\n            headers: target.headers,\n            json: buildExecutePayload(input),\n          })\n          .json<{ ok: boolean; result: unknown }>();\n      },\n    },\n  };\n}\n"],"mappings":";;;AAmBA,SAAS,4BAA4B,SAAyC;CAC5E,QACE,QAAQ,eACR,QAAQ,IAAI,uBACZ,QAAQ,IAAI,gBACZ,yBACA,QAAQ,QAAQ,EAAE;AACtB;;AAGA,SAAgB,6BACd,UAAkC,CAAC,GACZ;CACvB,MAAM,cAAc,4BAA4B,OAAO;CACvD,MAAM,cAAc,QAAQ,IAAI,uBAAuB,KAAK;CAO5D,IAAI,aAAa;EACf,MAAM,YAAY,4BAA4B,KAAK;EACnD,OAAO;GACL,aAAa,GAAG,YAAY,qBAAqB,mBAAmB,SAAS,EAAE;GAC/E,SAAS,EAAE,eAAe,UAAU,cAAc;EACpD;CACF;CAEA,MAAM,SAAS,QAAQ,UAAU,QAAQ,IAAI;CAC7C,OAAO;EACL,aAAa,GAAG,YAAY;EAC5B,SAAS,SAAS,EAAE,aAAa,OAAO,IAAI,CAAC;CAC/C;AACF;AAUA,SAAS,oBAAoB,OAAyB;CACpD,MAAM,UAAU,kCAAkC;CAClD,OAAO;EACL,KAAK,MAAM;EACX,MAAM,MAAM;EACZ,WAAW,MAAM,aAAa,CAAC;EAC/B,SAAS,MAAM;EACf,GAAI,SAAS,mBAAmB,EAAE,kBAAkB,QAAQ,iBAAiB,IAAI,CAAC;EAClF,GAAI,SAAS,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;CAClE;AACF;AAQA,SAAgB,sBAAsB,UAAkC,CAAC,GAAoB;CAC3F,MAAM,MAAkB,GAAG,OAAO,EAChC,GAAG,QAAQ,GACb,CAAC;CAED,OAAO,EACL,OAAO,EACL,UAAU,UAAU;EAClB,MAAM,SAAS,6BAA6B,OAAO;EACnD,OAAO,IACJ,KAAK,OAAO,aAAa;GACxB,SAAS,OAAO;GAChB,MAAM,oBAAoB,KAAK;EACjC,CAAC,EACA,KAAuC;CAC5C,EACF,EACF;AACF"}

package/dist/config.d.cts

@@ -1,4 +1,4 @@
-import { h as OAuthTokenRefreshRegistry } from "./index-e9f4pcX4.cjs";
+import { g as OAuthTokenRefreshRegistry } from "./index-WT4ULMiw.cjs";
 import { Context, Hono } from "hono";
 
 //#region ../oauth/dist/index.d.mts

package/dist/config.d.mts

@@ -1,4 +1,4 @@
-import { h as OAuthTokenRefreshRegistry } from "./index-e9f4pcX4.mjs";
+import { g as OAuthTokenRefreshRegistry } from "./index-WT4ULMiw.mjs";
 import { Context, Hono } from "hono";
 
 //#region ../oauth/dist/index.d.mts

package/dist/credentials.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_dist = require("./dist-DOMwPx7V.cjs");
+const require_dist = require("./dist-HI6bM6LK.cjs");
 exports.CREDENTIAL_SCOPE_TYPES = require_dist.CREDENTIAL_SCOPE_TYPES;
 exports.credential = require_dist.credential;
 exports.credentialInputSchema = require_dist.credentialInputSchema;

package/dist/credentials.d.cts

@@ -1,2 +1,2 @@
-import { C as isCredentialInput, S as defineCredential, T as toCredentialRequirement, a as CredentialInput, b as credential, d as DefineOAuthCredentialInput, f as DefineStaticCredentialInput, l as CredentialScopeType, n as Credential, o as CredentialList, p as NormalizeCredential, r as CredentialAuthKind, s as CredentialRequirement, t as CREDENTIAL_SCOPE_TYPES, u as DefineCredentialInput, v as ResolvedCredentials, w as normalizeCredentialList, x as credentialInputSchema } from "./index-e9f4pcX4.cjs";
+import { C as defineCredential, E as toCredentialRequirement, S as credentialInputSchema, T as normalizeCredentialList, c as CredentialRequirement, d as DefineCredentialInput, f as DefineOAuthCredentialInput, i as CredentialAuthKind, m as NormalizeCredential, n as Credential, o as CredentialInput, p as DefineStaticCredentialInput, s as CredentialList, t as CREDENTIAL_SCOPE_TYPES, u as CredentialScopeType, w as isCredentialInput, x as credential, y as ResolvedCredentials } from "./index-WT4ULMiw.cjs";
 export { CREDENTIAL_SCOPE_TYPES, type Credential, type CredentialAuthKind, type CredentialInput, type CredentialList, type CredentialRequirement, type CredentialScopeType, type DefineCredentialInput, type DefineOAuthCredentialInput, type DefineStaticCredentialInput, type NormalizeCredential, type ResolvedCredentials, credential, credentialInputSchema, defineCredential, isCredentialInput, normalizeCredentialList, toCredentialRequirement };

package/dist/credentials.d.mts

@@ -1,2 +1,2 @@
-import { C as isCredentialInput, S as defineCredential, T as toCredentialRequirement, a as CredentialInput, b as credential, d as DefineOAuthCredentialInput, f as DefineStaticCredentialInput, l as CredentialScopeType, n as Credential, o as CredentialList, p as NormalizeCredential, r as CredentialAuthKind, s as CredentialRequirement, t as CREDENTIAL_SCOPE_TYPES, u as DefineCredentialInput, v as ResolvedCredentials, w as normalizeCredentialList, x as credentialInputSchema } from "./index-e9f4pcX4.mjs";
+import { C as defineCredential, E as toCredentialRequirement, S as credentialInputSchema, T as normalizeCredentialList, c as CredentialRequirement, d as DefineCredentialInput, f as DefineOAuthCredentialInput, i as CredentialAuthKind, m as NormalizeCredential, n as Credential, o as CredentialInput, p as DefineStaticCredentialInput, s as CredentialList, t as CREDENTIAL_SCOPE_TYPES, u as CredentialScopeType, w as isCredentialInput, x as credential, y as ResolvedCredentials } from "./index-WT4ULMiw.mjs";
 export { CREDENTIAL_SCOPE_TYPES, type Credential, type CredentialAuthKind, type CredentialInput, type CredentialList, type CredentialRequirement, type CredentialScopeType, type DefineCredentialInput, type DefineOAuthCredentialInput, type DefineStaticCredentialInput, type NormalizeCredential, type ResolvedCredentials, credential, credentialInputSchema, defineCredential, isCredentialInput, normalizeCredentialList, toCredentialRequirement };

package/dist/credentials.mjs

@@ -1,2 +1,2 @@
-import { S as isCredentialInput, T as toCredentialRequirement, b as credentialInputSchema, v as CREDENTIAL_SCOPE_TYPES, w as normalizeCredentialList, x as defineCredential, y as credential } from "./dist-DqFdFpiB.mjs";
+import { C as defineCredential, D as toCredentialRequirement, E as normalizeCredentialList, S as credentialInputSchema, b as CREDENTIAL_SCOPE_TYPES, w as isCredentialInput, x as credential } from "./dist-CppO7361.mjs";
 export { CREDENTIAL_SCOPE_TYPES, credential, credentialInputSchema, defineCredential, isCredentialInput, normalizeCredentialList, toCredentialRequirement };

package/dist/{dist-DQL6zTI5.cjs → dist-C0fPHFaM.cjs}

@@ -1,5 +1,5 @@
-const require_dist = require("./dist-DOMwPx7V.cjs");
-const require_dist$1 = require("./dist-C5otI4u3.cjs");
+const require_dist = require("./dist-HI6bM6LK.cjs");
+const require_dist$1 = require("./dist-DivFQzKG.cjs");
 let zod = require("zod");
 let node_async_hooks = require("node:async_hooks");
 //#region ../workflow/dist/index.mjs
@@ -305,7 +305,7 @@ async function runDurableStep(state, options) {
 		metadata
 	}, async () => require_dist$1.captureConsole(async () => {
 		try {
-			const result = await options.execute();
+			const result = await options.execute(correlationId);
 			await eventLog.append({
 				id: `step_completed:${runId}:${correlationId}`,
 				runId,
@@ -344,17 +344,22 @@ function createActionRunner(state, options = {}) {
 		metadataKey: "actionKey",
 		replayMessage: "action replayed from checkpoint",
 		parseCached: (cached) => action.output.parse(cached),
-		execute: async () => {
+		execute: async (correlationId) => {
 			const requirements = withCredentialScopeOverride(require_dist.getActionCredentialRequirements(action), runOptions?.credentialScope);
-			return require_dist.executeAction(action, input, requirements?.length ? await require_dist$1.resolveActionCredentials(requirements, {
+			const credentials = requirements?.length ? await require_dist$1.resolveActionCredentials(requirements, {
 				resolveCredentials: options.resolveCredentials,
 				context: options.credentialContext,
 				oauthAdapter: options.oauthAdapter,
 				consumer: {
 					kind: "action",
-					name: action.slug
+					name: action.slug,
+					id: correlationId
 				}
-			}) : {});
+			}) : {};
+			return require_dist.runWithMcpCredentialContext({
+				...options.mcpCredentialContext,
+				consumerId: correlationId
+			}, () => require_dist.executeAction(action, input, credentials));
 		}
 	});
 }
@@ -373,7 +378,7 @@ function createAgentStepRunner(state, runAgent) {
 			id: options?.id,
 			metadataKey: "agentKey",
 			replayMessage: "agent step replayed from checkpoint",
-			execute: () => runAgent(agent, input, options?.runPrompt)
+			execute: (_correlationId) => runAgent(agent, input, options?.runPrompt)
 		});
 	};
 }
@@ -390,7 +395,7 @@ function createLlmStepRunner(state, runLlm) {
 		metadataKey: "llmKey",
 		replayMessage: "llm step replayed from checkpoint",
 		parseCached: (cached) => opts.outputSchema ? opts.outputSchema.parse(cached) : cached,
-		execute: () => runLlm(opts)
+		execute: (_correlationId) => runLlm(opts)
 	});
 }
 const storage = new node_async_hooks.AsyncLocalStorage();
@@ -455,7 +460,11 @@ async function executeWorkflow(workflow, input, options = {}) {
 	const actionRunner = createActionRunner(state, {
 		resolveCredentials: options.resolveCredentials,
 		credentialContext: options.credentialContext,
-		oauthAdapter: options.oauthAdapter
+		oauthAdapter: options.oauthAdapter,
+		mcpCredentialContext: { assignmentTarget: {
+			type: "workflow",
+			key: workflow.slug
+		} }
 	});
 	const ctx = {
 		runId,
@@ -591,4 +600,4 @@ Object.defineProperty(exports, "serializeWorkflowError", {
 	}
 });
 
-//# sourceMappingURL=dist-DQL6zTI5.cjs.map
+//# sourceMappingURL=dist-C0fPHFaM.cjs.map

package/dist/dist-C0fPHFaM.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"dist-C0fPHFaM.cjs","names":["z","withSpan","logSystem","captureConsole","normalizeCredentialList","getActionCredentialRequirements","resolveActionCredentials","runWithMcpCredentialContext","executeAction","AsyncLocalStorage","registerWorkflowRunGetter","getRunSignal","getWorkflowRunHandle"],"sources":["../../workflow/dist/index.mjs"],"sourcesContent":["import { z } from \"zod\";\nimport { executeAction, getActionCredentialRequirements, getRunSignal, getWorkflowRunHandle, normalizeCredentialList, registerWorkflowRunGetter, runWithMcpCredentialContext } from \"@keystrokehq/action\";\nimport { captureConsole, logSystem, withSpan } from \"@keystrokehq/tracing\";\nimport { resolveActionCredentials } from \"@keystrokehq/credentials\";\nimport { AsyncLocalStorage } from \"node:async_hooks\";\n//#region src/run-canceled-error.ts\nvar RunCanceledError = class extends Error {\n\tconstructor(runId) {\n\t\tsuper(runId ? `Workflow run ${runId} was canceled` : \"Workflow run was canceled\");\n\t\tthis.name = \"RunCanceledError\";\n\t}\n};\nfunction isRunCanceledError(error) {\n\treturn error instanceof RunCanceledError;\n}\n//#endregion\n//#region src/workflow-definition.ts\nconst zodSchema = z.custom((v) => v instanceof z.ZodType, \"must be a Zod schema\");\n/** Runtime validation for an unbranded workflow definition. */\nconst workflowCoreSchema = z.object({\n\tslug: z.string().trim().min(1),\n\tname: z.string().optional(),\n\tdescription: z.string().optional(),\n\tsubscription: z.object({ mode: z.enum([\"system\", \"subscribable\"]).optional() }).optional(),\n\tinput: zodSchema,\n\toutput: zodSchema,\n\trun: z.function()\n});\nconst WORKFLOW = Symbol.for(\"keystroke.workflow\");\n/**\n* Validates brand + shape via `workflowCoreSchema` so discovery and guards\n* reject malformed definitions.\n*/\nfunction isWorkflow(value) {\n\tif (typeof value !== \"object\" || value === null) return false;\n\tif (!(WORKFLOW in value) || value[WORKFLOW] !== true) return false;\n\treturn workflowCoreSchema.safeParse(value).success;\n}\n//#endregion\n//#region src/define-workflow.ts\nfunction defineWorkflow(def) {\n\tconst result = workflowCoreSchema.safeParse(def);\n\tif (!result.success) throw new Error(`Invalid workflow definition: ${formatIssues(result.error.issues)}`);\n\treturn {\n\t\t...result.data,\n\t\t[WORKFLOW]: true\n\t};\n}\nfunction formatIssues(issues) {\n\treturn issues.map((issue) => {\n\t\treturn `${issue.path.length > 0 ? `${issue.path.join(\".\")}: ` : \"\"}${issue.message}`;\n\t}).join(\"; \");\n}\n//#endregion\n//#region src/replay/error.ts\nfunction serializeWorkflowError(error) {\n\tif (error instanceof Error) return {\n\t\tname: error.name,\n\t\tmessage: error.message\n\t};\n\treturn { message: String(error) };\n}\n/** Rebuild an Error from a recorded error so replay re-raises the same failure. */\nfunction deserializeWorkflowError(data) {\n\tconst serialized = data;\n\tconst error = new Error(serialized?.message ?? \"Workflow step failed\");\n\tif (serialized?.name) error.name = serialized.name;\n\treturn error;\n}\n//#endregion\n//#region src/replay/duration.ts\nconst UNIT_MS = {\n\tms: 1,\n\ts: 1e3,\n\tm: 6e4,\n\th: 36e5,\n\td: 864e5\n};\n/** Resolve a sleep duration to an absolute resume time. */\nfunction resolveResumeAt(duration, now = /* @__PURE__ */ new Date()) {\n\tif (duration instanceof Date) return duration;\n\tif (typeof duration === \"number\") return new Date(now.getTime() + Math.max(0, duration));\n\treturn new Date(now.getTime() + parseDurationToMs(duration));\n}\nfunction parseDurationToMs(value) {\n\tconst match = /^(\\d+(?:\\.\\d+)?)\\s*(ms|s|m|h|d)$/.exec(value.trim());\n\tif (!match) throw new Error(`Invalid sleep duration \"${value}\". Use a number of ms, a Date, or a string like \"5s\", \"10m\", \"1h\".`);\n\tconst amount = Number(match[1]);\n\tconst unit = match[2];\n\treturn Math.round(amount * UNIT_MS[unit]);\n}\n//#endregion\n//#region src/replay/events-consumer.ts\n/** Indexes replay events by correlationId for O(1) cache-hit checks during replay. */\nvar EventsConsumer = class {\n\tbyCorrelationId = /* @__PURE__ */ new Map();\n\tconstructor(events) {\n\t\tfor (const event of events) {\n\t\t\tif (!event.correlationId) continue;\n\t\t\tconst list = this.byCorrelationId.get(event.correlationId);\n\t\t\tif (list) list.push(event);\n\t\t\telse this.byCorrelationId.set(event.correlationId, [event]);\n\t\t}\n\t}\n\tevents(correlationId) {\n\t\treturn this.byCorrelationId.get(correlationId) ?? [];\n\t}\n\thasEventType(correlationId, type) {\n\t\treturn this.events(correlationId).some((event) => event.type === type);\n\t}\n\t/**\n\t* Cache lookup for a step. Returns the recorded output on a `step_completed`,\n\t* re-raises the recorded error on a terminal `step_failed` (so a permanently\n\t* failed step is not re-executed), and otherwise reports a miss — including\n\t* when only `step_retrying` events exist (the step re-runs on the next pass).\n\t*/\n\tgetStepResult(correlationId) {\n\t\tconst events = this.events(correlationId);\n\t\tconst failed = events.find((event) => event.type === \"step_failed\");\n\t\tif (failed) throw deserializeWorkflowError(failed.data);\n\t\tconst completed = events.find((event) => event.type === \"step_completed\");\n\t\tif (completed) return {\n\t\t\tcompleted: true,\n\t\t\tresult: completed.data\n\t\t};\n\t\treturn { completed: false };\n\t}\n\t/** Number of prior `step_retrying` events recorded for a step (= failed attempts so far). */\n\tcountRetrying(correlationId) {\n\t\treturn this.events(correlationId).filter((event) => event.type === \"step_retrying\").length;\n\t}\n\tisSleepCompleted(correlationId) {\n\t\treturn this.hasEventType(correlationId, \"sleep_completed\");\n\t}\n\t/** Returns the persisted resumeAt for a scheduled-but-not-completed sleep, if any. */\n\tgetSleepResumeAt(correlationId) {\n\t\tconst scheduled = this.events(correlationId).find((event) => event.type === \"sleep_scheduled\");\n\t\tif (!scheduled) return;\n\t\tconst data = scheduled.data;\n\t\treturn data?.resumeAt ? new Date(data.resumeAt) : void 0;\n\t}\n\tgetHookToken(correlationId) {\n\t\treturn (this.events(correlationId).find((event) => event.type === \"hook_created\")?.data)?.token;\n\t}\n\tgetHookResult(correlationId) {\n\t\tconst resumed = this.events(correlationId).find((event) => event.type === \"hook_resumed\");\n\t\tif (!resumed) return { resolved: false };\n\t\treturn {\n\t\t\tresolved: true,\n\t\t\tpayload: resumed.data?.payload\n\t\t};\n\t}\n};\n//#endregion\n//#region src/replay/suspension.ts\n/** A promise that never settles — returned by a suspending primitive so the body parks. */\nfunction createPendingPromise() {\n\treturn new Promise(() => {});\n}\n/**\n* Collects pending items requested within a single tick and resolves once, so\n* parallel suspensions (e.g. Promise.all of two sleeps) batch into one suspension.\n*/\nvar SuspensionCoordinator = class {\n\titems = /* @__PURE__ */ new Map();\n\tscheduled = false;\n\tresolve;\n\tpromise;\n\tconstructor() {\n\t\tthis.promise = new Promise((resolve) => {\n\t\t\tthis.resolve = resolve;\n\t\t});\n\t}\n\trequest(item) {\n\t\tthis.items.set(item.correlationId, item);\n\t\tif (!this.scheduled) {\n\t\t\tthis.scheduled = true;\n\t\t\tqueueMicrotask(() => {\n\t\t\t\tthis.resolve([...this.items.values()]);\n\t\t\t});\n\t\t}\n\t}\n\twaitForSuspension() {\n\t\treturn this.promise;\n\t}\n};\n//#endregion\n//#region src/replay/replay-context.ts\nfunction createReplayState(params) {\n\treturn {\n\t\trunId: params.runId,\n\t\tconsumer: params.consumer,\n\t\tcoordinator: params.coordinator,\n\t\teventLog: params.eventLog,\n\t\tnewEvents: [],\n\t\tnow: params.now ?? /* @__PURE__ */ new Date(),\n\t\thookBaseUrl: params.hookBaseUrl,\n\t\tsleepCounter: 0,\n\t\thookCounter: 0,\n\t\tstepOccurrences: /* @__PURE__ */ new Map(),\n\t\tstepCorrelationIds: /* @__PURE__ */ new Set()\n\t};\n}\n/**\n* Allocate the correlation id for a step. An explicit `.stepId(x)` maps to\n* `step:x` (and must be unique within a run); otherwise the key is\n* `step:<actionKey>#<occurrence>` so that two calls to the same action get\n* distinct, replay-stable ids and inserting an unrelated call never shifts the\n* ids of later calls (unlike a single global ordinal).\n*/\nfunction nextStepCorrelationId(state, actionKey, explicitId) {\n\tif (explicitId !== void 0) {\n\t\tconst correlationId = `step:${explicitId}`;\n\t\tif (state.stepCorrelationIds.has(correlationId)) throw new Error(`Duplicate step id \"${explicitId}\" in workflow run ${state.runId}`);\n\t\tstate.stepCorrelationIds.add(correlationId);\n\t\treturn correlationId;\n\t}\n\tconst occurrence = state.stepOccurrences.get(actionKey) ?? 0;\n\tstate.stepOccurrences.set(actionKey, occurrence + 1);\n\tconst correlationId = `step:${actionKey}#${occurrence}`;\n\tstate.stepCorrelationIds.add(correlationId);\n\treturn correlationId;\n}\nfunction createSleep(state) {\n\treturn function sleep(duration) {\n\t\tconst correlationId = `sleep#${state.sleepCounter++}`;\n\t\tif (state.consumer.isSleepCompleted(correlationId)) return Promise.resolve();\n\t\tconst scheduledResumeAt = state.consumer.getSleepResumeAt(correlationId);\n\t\tconst resumeAt = scheduledResumeAt ?? resolveResumeAt(duration, state.now);\n\t\tif (scheduledResumeAt && resumeAt.getTime() <= state.now.getTime()) {\n\t\t\tstate.newEvents.push({\n\t\t\t\tid: `sleep_completed:${state.runId}:${correlationId}`,\n\t\t\t\trunId: state.runId,\n\t\t\t\ttype: \"sleep_completed\",\n\t\t\t\tcorrelationId\n\t\t\t});\n\t\t\treturn Promise.resolve();\n\t\t}\n\t\tif (!scheduledResumeAt) state.newEvents.push({\n\t\t\tid: `sleep_scheduled:${state.runId}:${correlationId}`,\n\t\t\trunId: state.runId,\n\t\t\ttype: \"sleep_scheduled\",\n\t\t\tcorrelationId,\n\t\t\tdata: { resumeAt: resumeAt.toISOString() }\n\t\t});\n\t\tstate.coordinator.request({\n\t\t\tkind: \"sleep\",\n\t\t\tcorrelationId,\n\t\t\tresumeAt\n\t\t});\n\t\treturn createPendingPromise();\n\t};\n}\nfunction createHook(state) {\n\treturn function hook(options) {\n\t\tconst correlationId = `hook#${state.hookCounter++}`;\n\t\tconst token = options?.token ?? state.consumer.getHookToken(correlationId) ?? `hook_${crypto.randomUUID()}`;\n\t\treturn {\n\t\t\ttoken,\n\t\t\tresumeUrl: state.hookBaseUrl ? `${state.hookBaseUrl}/hooks/${token}/resume` : `/hooks/${token}/resume`,\n\t\t\tthen(onFulfilled, onRejected) {\n\t\t\t\tconst result = state.consumer.getHookResult(correlationId);\n\t\t\t\tif (result.resolved) {\n\t\t\t\t\tconst payload = options?.schema ? options.schema.parse(result.payload) : result.payload;\n\t\t\t\t\treturn Promise.resolve(payload).then(onFulfilled, onRejected);\n\t\t\t\t}\n\t\t\t\tif (!state.consumer.hasEventType(correlationId, \"hook_created\")) state.newEvents.push({\n\t\t\t\t\tid: `hook_created:${state.runId}:${correlationId}`,\n\t\t\t\t\trunId: state.runId,\n\t\t\t\t\ttype: \"hook_created\",\n\t\t\t\t\tcorrelationId,\n\t\t\t\t\tdata: { token }\n\t\t\t\t});\n\t\t\t\tstate.coordinator.request({\n\t\t\t\t\tkind: \"hook\",\n\t\t\t\t\tcorrelationId,\n\t\t\t\t\ttoken\n\t\t\t\t});\n\t\t\t\treturn createPendingPromise().then(onFulfilled, onRejected);\n\t\t\t}\n\t\t};\n\t};\n}\n//#endregion\n//#region src/run-durable-step.ts\n/**\n* Shared durable-step shell: resolve a stable `correlation_id`, short-circuit\n* from the event log on a cache hit, otherwise execute and append\n* `step_completed` immediately (per-step crash durability). A thrown step\n* appends `step_retrying` (non-fatal, re-run on the next attempt) and\n* rethrows; the terminal `step_failed` is written by the job handler once the\n* queue exhausts retries.\n*/\nasync function runDurableStep(state, options) {\n\tconst { runId, consumer, eventLog } = state;\n\tgetRunSignal().throwIfAborted();\n\tconst correlationId = nextStepCorrelationId(state, options.key, options.id);\n\tconst cached = consumer.getStepResult(correlationId);\n\tconst metadata = {\n\t\trunId,\n\t\t[options.metadataKey]: options.key,\n\t\tcorrelationId\n\t};\n\tif (cached.completed) {\n\t\tawait withSpan({\n\t\t\tkind: options.kind,\n\t\t\tname: options.key,\n\t\t\trefId: `${runId}:${correlationId}`,\n\t\t\tmetadata: {\n\t\t\t\t...metadata,\n\t\t\t\treplayed: true\n\t\t\t}\n\t\t}, async () => {\n\t\t\tawait logSystem(\"info\", options.replayMessage, metadata);\n\t\t});\n\t\treturn options.parseCached ? options.parseCached(cached.result) : cached.result;\n\t}\n\treturn withSpan({\n\t\tkind: options.kind,\n\t\tname: options.key,\n\t\trefId: `${runId}:${correlationId}`,\n\t\tmetadata\n\t}, async () => captureConsole(async () => {\n\t\ttry {\n\t\t\tconst result = await options.execute(correlationId);\n\t\t\tawait eventLog.append({\n\t\t\t\tid: `step_completed:${runId}:${correlationId}`,\n\t\t\t\trunId,\n\t\t\t\ttype: \"step_completed\",\n\t\t\t\tcorrelationId,\n\t\t\t\tdata: result\n\t\t\t});\n\t\t\treturn result;\n\t\t} catch (error) {\n\t\t\tconst attempt = consumer.countRetrying(correlationId);\n\t\t\tawait eventLog.append({\n\t\t\t\tid: `step_retrying:${runId}:${correlationId}:${attempt}`,\n\t\t\t\trunId,\n\t\t\t\ttype: \"step_retrying\",\n\t\t\t\tcorrelationId,\n\t\t\t\tdata: serializeWorkflowError(error)\n\t\t\t});\n\t\t\tstate.failedCorrelationId = correlationId;\n\t\t\tthrow error;\n\t\t}\n\t}));\n}\n//#endregion\n//#region src/create-action-runner.ts\nfunction withCredentialScopeOverride(requirements, scope) {\n\tif (!requirements || !scope) return requirements;\n\treturn normalizeCredentialList(requirements).map((requirement) => ({\n\t\t...requirement,\n\t\tscope\n\t}));\n}\n/** Builds the per-run action runner; durability lives in {@link runDurableStep}. */\nfunction createActionRunner(state, options = {}) {\n\treturn (action, input, runOptions) => runDurableStep(state, {\n\t\tkind: \"action\",\n\t\tkey: action.slug,\n\t\tid: runOptions?.id,\n\t\tmetadataKey: \"actionKey\",\n\t\treplayMessage: \"action replayed from checkpoint\",\n\t\tparseCached: (cached) => action.output.parse(cached),\n\t\texecute: async (correlationId) => {\n\t\t\tconst requirements = withCredentialScopeOverride(getActionCredentialRequirements(action), runOptions?.credentialScope);\n\t\t\tconst credentials = requirements?.length ? await resolveActionCredentials(requirements, {\n\t\t\t\tresolveCredentials: options.resolveCredentials,\n\t\t\t\tcontext: options.credentialContext,\n\t\t\t\toauthAdapter: options.oauthAdapter,\n\t\t\t\tconsumer: {\n\t\t\t\t\tkind: \"action\",\n\t\t\t\t\tname: action.slug,\n\t\t\t\t\tid: correlationId\n\t\t\t\t}\n\t\t\t}) : {};\n\t\t\treturn runWithMcpCredentialContext({\n\t\t\t\t...options.mcpCredentialContext,\n\t\t\t\tconsumerId: correlationId\n\t\t\t}, () => executeAction(action, input, credentials));\n\t\t}\n\t});\n}\n//#endregion\n//#region src/create-agent-step-runner.ts\n/**\n* Builds the per-run agent runner: each `agent.prompt()` in a workflow body\n* becomes a durable step keyed `step:<agentKey>#<occurrence>` (same scheme as\n* actions). The actual prompt execution is delegated to `runAgent`, supplied\n* by the host (server) via `executeWorkflow({ runAgent })`.\n*/\nfunction createAgentStepRunner(state, runAgent) {\n\treturn (agent, input, options) => {\n\t\tconst slug = agent.slug;\n\t\treturn runDurableStep(state, {\n\t\t\tkind: \"agent_session\",\n\t\t\tkey: slug,\n\t\t\tid: options?.id,\n\t\t\tmetadataKey: \"agentKey\",\n\t\t\treplayMessage: \"agent step replayed from checkpoint\",\n\t\t\texecute: (_correlationId) => runAgent(agent, input, options?.runPrompt)\n\t\t});\n\t};\n}\n//#endregion\n//#region src/create-llm-step-runner.ts\n/**\n* Builds the per-run LLM runner: each `promptLlm()` in a workflow body becomes a\n* durable step keyed `step:promptLlm#<occurrence>`. The actual LLM call is\n* delegated to `runLlm`, supplied by the host (server) via `executeWorkflow({ runLlm })`.\n*/\nfunction createLlmStepRunner(state, runLlm) {\n\treturn (opts) => runDurableStep(state, {\n\t\tkind: \"llm\",\n\t\tkey: \"promptLlm\",\n\t\tid: opts.stepId,\n\t\tmetadataKey: \"llmKey\",\n\t\treplayMessage: \"llm step replayed from checkpoint\",\n\t\tparseCached: (cached) => opts.outputSchema ? opts.outputSchema.parse(cached) : cached,\n\t\texecute: (_correlationId) => runLlm(opts)\n\t});\n}\n//#endregion\n//#region src/run-context.ts\nconst storage = new AsyncLocalStorage();\nregisterWorkflowRunGetter(() => {\n\tconst store = storage.getStore();\n\tif (!store) return;\n\treturn {\n\t\tactionRunner: store.actionRunner,\n\t\tagentRunner: store.agentRunner,\n\t\tllmRunner: store.llmRunner\n\t};\n});\nfunction runWithWorkflowContext(store, fn) {\n\treturn storage.run(store, fn);\n}\n//#endregion\n//#region src/replay/memory-event-log.ts\n/** In-memory durable log for inline execution and tests. */\nvar MemoryEventLog = class {\n\tevents = [];\n\tids = /* @__PURE__ */ new Set();\n\tasync append(event) {\n\t\tconst id = event.id ?? crypto.randomUUID();\n\t\tif (this.ids.has(id)) return false;\n\t\tthis.ids.add(id);\n\t\tthis.events.push({\n\t\t\tid,\n\t\t\trunId: event.runId,\n\t\t\tseq: this.events.length,\n\t\t\ttype: event.type,\n\t\t\tcorrelationId: event.correlationId ?? null,\n\t\t\tdata: event.data ?? null\n\t\t});\n\t\treturn true;\n\t}\n\tasync listReplay(runId) {\n\t\treturn this.events.filter((event) => event.runId === runId).map((event) => ({ ...event }));\n\t}\n};\n//#endregion\n//#region src/execute-workflow.ts\n/**\n* The single way to run a workflow: replay its event log from the top, execute\n* un-cached primitives, and either complete/fail or suspend at the first\n* un-satisfied sleep/hook. New events (sleep_scheduled/sleep_completed/\n* hook_created/run_completed/run_failed) are flushed before returning.\n*\n* Durability comes entirely from the log — a suspended run resumes by calling\n* this again with the same `runId` and event log once the sleep is due or the\n* hook is resumed.\n*/\nasync function executeWorkflow(workflow, input, options = {}) {\n\tconst runId = options.runId ?? crypto.randomUUID();\n\tconst eventLog = options.eventLog ?? new MemoryEventLog();\n\tconst signal = getRunSignal();\n\tconst consumer = new EventsConsumer(await eventLog.listReplay(runId));\n\tconst coordinator = new SuspensionCoordinator();\n\tconst state = createReplayState({\n\t\trunId,\n\t\tconsumer,\n\t\tcoordinator,\n\t\teventLog,\n\t\thookBaseUrl: options.hookBaseUrl,\n\t\tnow: options.now\n\t});\n\tconst actionRunner = createActionRunner(state, {\n\t\tresolveCredentials: options.resolveCredentials,\n\t\tcredentialContext: options.credentialContext,\n\t\toauthAdapter: options.oauthAdapter,\n\t\tmcpCredentialContext: { assignmentTarget: {\n\t\t\ttype: \"workflow\",\n\t\t\tkey: workflow.slug\n\t\t} }\n\t});\n\tconst ctx = {\n\t\trunId,\n\t\tsleep: createSleep(state),\n\t\thook: createHook(state),\n\t\t...options.context\n\t};\n\tconst agentRunner = options.runAgent ? createAgentStepRunner(state, options.runAgent) : void 0;\n\tconst llmRunner = options.runLlm ? createLlmStepRunner(state, options.runLlm) : void 0;\n\tconst validatedInput = workflow.input.parse(input);\n\tconst bodyPromise = runWithWorkflowContext({\n\t\tactionRunner,\n\t\tagentRunner,\n\t\tllmRunner,\n\t\trunId\n\t}, () => captureConsole(async () => workflow.run(validatedInput, ctx)));\n\tlet onAbort;\n\tconst waitForAbort = signal.aborted ? Promise.resolve({ type: \"canceled\" }) : new Promise((resolve) => {\n\t\tonAbort = () => resolve({ type: \"canceled\" });\n\t\tsignal.addEventListener(\"abort\", onAbort, { once: true });\n\t});\n\tconst outcome = await Promise.race([\n\t\tbodyPromise.then((output) => ({\n\t\t\ttype: \"done\",\n\t\t\toutput\n\t\t}), (error) => ({\n\t\t\ttype: \"error\",\n\t\t\terror\n\t\t})),\n\t\tcoordinator.waitForSuspension().then((items) => ({\n\t\t\ttype: \"suspended\",\n\t\t\titems\n\t\t})),\n\t\twaitForAbort\n\t]);\n\tif (onAbort) signal.removeEventListener(\"abort\", onAbort);\n\tlet result;\n\tif (outcome.type === \"suspended\") {\n\t\tbodyPromise.catch(() => {});\n\t\tresult = {\n\t\t\tstatus: \"suspended\",\n\t\t\titems: outcome.items\n\t\t};\n\t} else if (outcome.type === \"done\") {\n\t\tconst output = workflow.output.parse(outcome.output);\n\t\tstate.newEvents.push({\n\t\t\tid: `run_completed:${runId}`,\n\t\t\trunId,\n\t\t\ttype: \"run_completed\",\n\t\t\tdata: { output }\n\t\t});\n\t\tresult = {\n\t\t\tstatus: \"completed\",\n\t\t\toutput\n\t\t};\n\t} else if (outcome.type === \"canceled\" || isRunCanceledError(outcome.error)) {\n\t\tbodyPromise.catch(() => {});\n\t\tstate.newEvents.push({\n\t\t\tid: `run_canceled:${runId}`,\n\t\t\trunId,\n\t\t\ttype: \"run_canceled\"\n\t\t});\n\t\tresult = { status: \"canceled\" };\n\t} else result = {\n\t\tstatus: \"failed\",\n\t\terror: outcome.error,\n\t\tfailedCorrelationId: state.failedCorrelationId\n\t};\n\tfor (const event of state.newEvents) await eventLog.append(event);\n\treturn result;\n}\n//#endregion\n//#region src/prompt-llm.ts\nfunction promptLlm(prompt, opts) {\n\tconst handle = getWorkflowRunHandle();\n\tif (!handle?.llmRunner) throw new Error(\"promptLlm must run inside a workflow with an injected llm executor (executeWorkflow({ runLlm })).\");\n\treturn handle.llmRunner({\n\t\tprompt,\n\t\t...opts\n\t});\n}\n//#endregion\nexport { MemoryEventLog, RunCanceledError, defineWorkflow, deserializeWorkflowError, executeWorkflow, isRunCanceledError, isWorkflow, promptLlm, serializeWorkflowError };\n\n//# sourceMappingURL=index.mjs.map"],"mappings":";;;;;AAMA,IAAI,mBAAmB,cAAc,MAAM;CAC1C,YAAY,OAAO;EAClB,MAAM,QAAQ,gBAAgB,MAAM,iBAAiB,2BAA2B;EAChF,KAAK,OAAO;CACb;AACD;AACA,SAAS,mBAAmB,OAAO;CAClC,OAAO,iBAAiB;AACzB;AAGA,MAAM,YAAYA,IAAAA,EAAE,QAAQ,MAAM,aAAaA,IAAAA,EAAE,SAAS,sBAAsB;;AAEhF,MAAM,qBAAqBA,IAAAA,EAAE,OAAO;CACnC,MAAMA,IAAAA,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC;CAC7B,MAAMA,IAAAA,EAAE,OAAO,EAAE,SAAS;CAC1B,aAAaA,IAAAA,EAAE,OAAO,EAAE,SAAS;CACjC,cAAcA,IAAAA,EAAE,OAAO,EAAE,MAAMA,IAAAA,EAAE,KAAK,CAAC,UAAU,cAAc,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS;CACzF,OAAO;CACP,QAAQ;CACR,KAAKA,IAAAA,EAAE,SAAS;AACjB,CAAC;AACD,MAAM,WAAW,OAAO,IAAI,oBAAoB;;;;;AAKhD,SAAS,WAAW,OAAO;CAC1B,IAAI,OAAO,UAAU,YAAY,UAAU,MAAM,OAAO;CACxD,IAAI,EAAE,YAAY,UAAU,MAAM,cAAc,MAAM,OAAO;CAC7D,OAAO,mBAAmB,UAAU,KAAK,EAAE;AAC5C;AAGA,SAAS,eAAe,KAAK;CAC5B,MAAM,SAAS,mBAAmB,UAAU,GAAG;CAC/C,IAAI,CAAC,OAAO,SAAS,MAAM,IAAI,MAAM,gCAAgC,aAAa,OAAO,MAAM,MAAM,GAAG;CACxG,OAAO;EACN,GAAG,OAAO;GACT,WAAW;CACb;AACD;AACA,SAAS,aAAa,QAAQ;CAC7B,OAAO,OAAO,KAAK,UAAU;EAC5B,OAAO,GAAG,MAAM,KAAK,SAAS,IAAI,GAAG,MAAM,KAAK,KAAK,GAAG,EAAE,MAAM,KAAK,MAAM;CAC5E,CAAC,EAAE,KAAK,IAAI;AACb;AAGA,SAAS,uBAAuB,OAAO;CACtC,IAAI,iBAAiB,OAAO,OAAO;EAClC,MAAM,MAAM;EACZ,SAAS,MAAM;CAChB;CACA,OAAO,EAAE,SAAS,OAAO,KAAK,EAAE;AACjC;;AAEA,SAAS,yBAAyB,MAAM;CACvC,MAAM,aAAa;CACnB,MAAM,QAAQ,IAAI,MAAM,YAAY,WAAW,sBAAsB;CACrE,IAAI,YAAY,MAAM,MAAM,OAAO,WAAW;CAC9C,OAAO;AACR;AAGA,MAAM,UAAU;CACf,IAAI;CACJ,GAAG;CACH,GAAG;CACH,GAAG;CACH,GAAG;AACJ;;AAEA,SAAS,gBAAgB,UAAU,sBAAsB,IAAI,KAAK,GAAG;CACpE,IAAI,oBAAoB,MAAM,OAAO;CACrC,IAAI,OAAO,aAAa,UAAU,OAAO,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,IAAI,GAAG,QAAQ,CAAC;CACvF,OAAO,IAAI,KAAK,IAAI,QAAQ,IAAI,kBAAkB,QAAQ,CAAC;AAC5D;AACA,SAAS,kBAAkB,OAAO;CACjC,MAAM,QAAQ,mCAAmC,KAAK,MAAM,KAAK,CAAC;CAClE,IAAI,CAAC,OAAO,MAAM,IAAI,MAAM,2BAA2B,MAAM,mEAAmE;CAChI,MAAM,SAAS,OAAO,MAAM,EAAE;CAC9B,MAAM,OAAO,MAAM;CACnB,OAAO,KAAK,MAAM,SAAS,QAAQ,KAAK;AACzC;;AAIA,IAAI,iBAAiB,MAAM;CAC1B,kCAAkC,IAAI,IAAI;CAC1C,YAAY,QAAQ;EACnB,KAAK,MAAM,SAAS,QAAQ;GAC3B,IAAI,CAAC,MAAM,eAAe;GAC1B,MAAM,OAAO,KAAK,gBAAgB,IAAI,MAAM,aAAa;GACzD,IAAI,MAAM,KAAK,KAAK,KAAK;QACpB,KAAK,gBAAgB,IAAI,MAAM,eAAe,CAAC,KAAK,CAAC;EAC3D;CACD;CACA,OAAO,eAAe;EACrB,OAAO,KAAK,gBAAgB,IAAI,aAAa,KAAK,CAAC;CACpD;CACA,aAAa,eAAe,MAAM;EACjC,OAAO,KAAK,OAAO,aAAa,EAAE,MAAM,UAAU,MAAM,SAAS,IAAI;CACtE;;;;;;;CAOA,cAAc,eAAe;EAC5B,MAAM,SAAS,KAAK,OAAO,aAAa;EACxC,MAAM,SAAS,OAAO,MAAM,UAAU,MAAM,SAAS,aAAa;EAClE,IAAI,QAAQ,MAAM,yBAAyB,OAAO,IAAI;EACtD,MAAM,YAAY,OAAO,MAAM,UAAU,MAAM,SAAS,gBAAgB;EACxE,IAAI,WAAW,OAAO;GACrB,WAAW;GACX,QAAQ,UAAU;EACnB;EACA,OAAO,EAAE,WAAW,MAAM;CAC3B;;CAEA,cAAc,eAAe;EAC5B,OAAO,KAAK,OAAO,aAAa,EAAE,QAAQ,UAAU,MAAM,SAAS,eAAe,EAAE;CACrF;CACA,iBAAiB,eAAe;EAC/B,OAAO,KAAK,aAAa,eAAe,iBAAiB;CAC1D;;CAEA,iBAAiB,eAAe;EAC/B,MAAM,YAAY,KAAK,OAAO,aAAa,EAAE,MAAM,UAAU,MAAM,SAAS,iBAAiB;EAC7F,IAAI,CAAC,WAAW;EAChB,MAAM,OAAO,UAAU;EACvB,OAAO,MAAM,WAAW,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK;CACxD;CACA,aAAa,eAAe;EAC3B,QAAQ,KAAK,OAAO,aAAa,EAAE,MAAM,UAAU,MAAM,SAAS,cAAc,GAAG,OAAO;CAC3F;CACA,cAAc,eAAe;EAC5B,MAAM,UAAU,KAAK,OAAO,aAAa,EAAE,MAAM,UAAU,MAAM,SAAS,cAAc;EACxF,IAAI,CAAC,SAAS,OAAO,EAAE,UAAU,MAAM;EACvC,OAAO;GACN,UAAU;GACV,SAAS,QAAQ,MAAM;EACxB;CACD;AACD;;AAIA,SAAS,uBAAuB;CAC/B,OAAO,IAAI,cAAc,CAAC,CAAC;AAC5B;;;;;AAKA,IAAI,wBAAwB,MAAM;CACjC,wBAAwB,IAAI,IAAI;CAChC,YAAY;CACZ;CACA;CACA,cAAc;EACb,KAAK,UAAU,IAAI,SAAS,YAAY;GACvC,KAAK,UAAU;EAChB,CAAC;CACF;CACA,QAAQ,MAAM;EACb,KAAK,MAAM,IAAI,KAAK,eAAe,IAAI;EACvC,IAAI,CAAC,KAAK,WAAW;GACpB,KAAK,YAAY;GACjB,qBAAqB;IACpB,KAAK,QAAQ,CAAC,GAAG,KAAK,MAAM,OAAO,CAAC,CAAC;GACtC,CAAC;EACF;CACD;CACA,oBAAoB;EACnB,OAAO,KAAK;CACb;AACD;AAGA,SAAS,kBAAkB,QAAQ;CAClC,OAAO;EACN,OAAO,OAAO;EACd,UAAU,OAAO;EACjB,aAAa,OAAO;EACpB,UAAU,OAAO;EACjB,WAAW,CAAC;EACZ,KAAK,OAAO,uBAAuB,IAAI,KAAK;EAC5C,aAAa,OAAO;EACpB,cAAc;EACd,aAAa;EACb,iCAAiC,IAAI,IAAI;EACzC,oCAAoC,IAAI,IAAI;CAC7C;AACD;;;;;;;;AAQA,SAAS,sBAAsB,OAAO,WAAW,YAAY;CAC5D,IAAI,eAAe,KAAK,GAAG;EAC1B,MAAM,gBAAgB,QAAQ;EAC9B,IAAI,MAAM,mBAAmB,IAAI,aAAa,GAAG,MAAM,IAAI,MAAM,sBAAsB,WAAW,oBAAoB,MAAM,OAAO;EACnI,MAAM,mBAAmB,IAAI,aAAa;EAC1C,OAAO;CACR;CACA,MAAM,aAAa,MAAM,gBAAgB,IAAI,SAAS,KAAK;CAC3D,MAAM,gBAAgB,IAAI,WAAW,aAAa,CAAC;CACnD,MAAM,gBAAgB,QAAQ,UAAU,GAAG;CAC3C,MAAM,mBAAmB,IAAI,aAAa;CAC1C,OAAO;AACR;AACA,SAAS,YAAY,OAAO;CAC3B,OAAO,SAAS,MAAM,UAAU;EAC/B,MAAM,gBAAgB,SAAS,MAAM;EACrC,IAAI,MAAM,SAAS,iBAAiB,aAAa,GAAG,OAAO,QAAQ,QAAQ;EAC3E,MAAM,oBAAoB,MAAM,SAAS,iBAAiB,aAAa;EACvE,MAAM,WAAW,qBAAqB,gBAAgB,UAAU,MAAM,GAAG;EACzE,IAAI,qBAAqB,SAAS,QAAQ,KAAK,MAAM,IAAI,QAAQ,GAAG;GACnE,MAAM,UAAU,KAAK;IACpB,IAAI,mBAAmB,MAAM,MAAM,GAAG;IACtC,OAAO,MAAM;IACb,MAAM;IACN;GACD,CAAC;GACD,OAAO,QAAQ,QAAQ;EACxB;EACA,IAAI,CAAC,mBAAmB,MAAM,UAAU,KAAK;GAC5C,IAAI,mBAAmB,MAAM,MAAM,GAAG;GACtC,OAAO,MAAM;GACb,MAAM;GACN;GACA,MAAM,EAAE,UAAU,SAAS,YAAY,EAAE;EAC1C,CAAC;EACD,MAAM,YAAY,QAAQ;GACzB,MAAM;GACN;GACA;EACD,CAAC;EACD,OAAO,qBAAqB;CAC7B;AACD;AACA,SAAS,WAAW,OAAO;CAC1B,OAAO,SAAS,KAAK,SAAS;EAC7B,MAAM,gBAAgB,QAAQ,MAAM;EACpC,MAAM,QAAQ,SAAS,SAAS,MAAM,SAAS,aAAa,aAAa,KAAK,QAAQ,OAAO,WAAW;EACxG,OAAO;GACN;GACA,WAAW,MAAM,cAAc,GAAG,MAAM,YAAY,SAAS,MAAM,WAAW,UAAU,MAAM;GAC9F,KAAK,aAAa,YAAY;IAC7B,MAAM,SAAS,MAAM,SAAS,cAAc,aAAa;IACzD,IAAI,OAAO,UAAU;KACpB,MAAM,UAAU,SAAS,SAAS,QAAQ,OAAO,MAAM,OAAO,OAAO,IAAI,OAAO;KAChF,OAAO,QAAQ,QAAQ,OAAO,EAAE,KAAK,aAAa,UAAU;IAC7D;IACA,IAAI,CAAC,MAAM,SAAS,aAAa,eAAe,cAAc,GAAG,MAAM,UAAU,KAAK;KACrF,IAAI,gBAAgB,MAAM,MAAM,GAAG;KACnC,OAAO,MAAM;KACb,MAAM;KACN;KACA,MAAM,EAAE,MAAM;IACf,CAAC;IACD,MAAM,YAAY,QAAQ;KACzB,MAAM;KACN;KACA;IACD,CAAC;IACD,OAAO,qBAAqB,EAAE,KAAK,aAAa,UAAU;GAC3D;EACD;CACD;AACD;;;;;;;;;AAWA,eAAe,eAAe,OAAO,SAAS;CAC7C,MAAM,EAAE,OAAO,UAAU,aAAa;CACtC,aAAA,aAAa,EAAE,eAAe;CAC9B,MAAM,gBAAgB,sBAAsB,OAAO,QAAQ,KAAK,QAAQ,EAAE;CAC1E,MAAM,SAAS,SAAS,cAAc,aAAa;CACnD,MAAM,WAAW;EAChB;GACC,QAAQ,cAAc,QAAQ;EAC/B;CACD;CACA,IAAI,OAAO,WAAW;EACrB,MAAMC,eAAAA,SAAS;GACd,MAAM,QAAQ;GACd,MAAM,QAAQ;GACd,OAAO,GAAG,MAAM,GAAG;GACnB,UAAU;IACT,GAAG;IACH,UAAU;GACX;EACD,GAAG,YAAY;GACd,MAAMC,eAAAA,UAAU,QAAQ,QAAQ,eAAe,QAAQ;EACxD,CAAC;EACD,OAAO,QAAQ,cAAc,QAAQ,YAAY,OAAO,MAAM,IAAI,OAAO;CAC1E;CACA,OAAOD,eAAAA,SAAS;EACf,MAAM,QAAQ;EACd,MAAM,QAAQ;EACd,OAAO,GAAG,MAAM,GAAG;EACnB;CACD,GAAG,YAAYE,eAAAA,eAAe,YAAY;EACzC,IAAI;GACH,MAAM,SAAS,MAAM,QAAQ,QAAQ,aAAa;GAClD,MAAM,SAAS,OAAO;IACrB,IAAI,kBAAkB,MAAM,GAAG;IAC/B;IACA,MAAM;IACN;IACA,MAAM;GACP,CAAC;GACD,OAAO;EACR,SAAS,OAAO;GACf,MAAM,UAAU,SAAS,cAAc,aAAa;GACpD,MAAM,SAAS,OAAO;IACrB,IAAI,iBAAiB,MAAM,GAAG,cAAc,GAAG;IAC/C;IACA,MAAM;IACN;IACA,MAAM,uBAAuB,KAAK;GACnC,CAAC;GACD,MAAM,sBAAsB;GAC5B,MAAM;EACP;CACD,CAAC,CAAC;AACH;AAGA,SAAS,4BAA4B,cAAc,OAAO;CACzD,IAAI,CAAC,gBAAgB,CAAC,OAAO,OAAO;CACpC,OAAOC,aAAAA,wBAAwB,YAAY,EAAE,KAAK,iBAAiB;EAClE,GAAG;EACH;CACD,EAAE;AACH;;AAEA,SAAS,mBAAmB,OAAO,UAAU,CAAC,GAAG;CAChD,QAAQ,QAAQ,OAAO,eAAe,eAAe,OAAO;EAC3D,MAAM;EACN,KAAK,OAAO;EACZ,IAAI,YAAY;EAChB,aAAa;EACb,eAAe;EACf,cAAc,WAAW,OAAO,OAAO,MAAM,MAAM;EACnD,SAAS,OAAO,kBAAkB;GACjC,MAAM,eAAe,4BAA4BC,aAAAA,gCAAgC,MAAM,GAAG,YAAY,eAAe;GACrH,MAAM,cAAc,cAAc,SAAS,MAAMC,eAAAA,yBAAyB,cAAc;IACvF,oBAAoB,QAAQ;IAC5B,SAAS,QAAQ;IACjB,cAAc,QAAQ;IACtB,UAAU;KACT,MAAM;KACN,MAAM,OAAO;KACb,IAAI;IACL;GACD,CAAC,IAAI,CAAC;GACN,OAAOC,aAAAA,4BAA4B;IAClC,GAAG,QAAQ;IACX,YAAY;GACb,SAASC,aAAAA,cAAc,QAAQ,OAAO,WAAW,CAAC;EACnD;CACD,CAAC;AACF;;;;;;;AASA,SAAS,sBAAsB,OAAO,UAAU;CAC/C,QAAQ,OAAO,OAAO,YAAY;EACjC,MAAM,OAAO,MAAM;EACnB,OAAO,eAAe,OAAO;GAC5B,MAAM;GACN,KAAK;GACL,IAAI,SAAS;GACb,aAAa;GACb,eAAe;GACf,UAAU,mBAAmB,SAAS,OAAO,OAAO,SAAS,SAAS;EACvE,CAAC;CACF;AACD;;;;;;AAQA,SAAS,oBAAoB,OAAO,QAAQ;CAC3C,QAAQ,SAAS,eAAe,OAAO;EACtC,MAAM;EACN,KAAK;EACL,IAAI,KAAK;EACT,aAAa;EACb,eAAe;EACf,cAAc,WAAW,KAAK,eAAe,KAAK,aAAa,MAAM,MAAM,IAAI;EAC/E,UAAU,mBAAmB,OAAO,IAAI;CACzC,CAAC;AACF;AAGA,MAAM,UAAU,IAAIC,iBAAAA,kBAAkB;AACtCC,aAAAA,gCAAgC;CAC/B,MAAM,QAAQ,QAAQ,SAAS;CAC/B,IAAI,CAAC,OAAO;CACZ,OAAO;EACN,cAAc,MAAM;EACpB,aAAa,MAAM;EACnB,WAAW,MAAM;CAClB;AACD,CAAC;AACD,SAAS,uBAAuB,OAAO,IAAI;CAC1C,OAAO,QAAQ,IAAI,OAAO,EAAE;AAC7B;;AAIA,IAAI,iBAAiB,MAAM;CAC1B,SAAS,CAAC;CACV,sBAAsB,IAAI,IAAI;CAC9B,MAAM,OAAO,OAAO;EACnB,MAAM,KAAK,MAAM,MAAM,OAAO,WAAW;EACzC,IAAI,KAAK,IAAI,IAAI,EAAE,GAAG,OAAO;EAC7B,KAAK,IAAI,IAAI,EAAE;EACf,KAAK,OAAO,KAAK;GAChB;GACA,OAAO,MAAM;GACb,KAAK,KAAK,OAAO;GACjB,MAAM,MAAM;GACZ,eAAe,MAAM,iBAAiB;GACtC,MAAM,MAAM,QAAQ;EACrB,CAAC;EACD,OAAO;CACR;CACA,MAAM,WAAW,OAAO;EACvB,OAAO,KAAK,OAAO,QAAQ,UAAU,MAAM,UAAU,KAAK,EAAE,KAAK,WAAW,EAAE,GAAG,MAAM,EAAE;CAC1F;AACD;;;;;;;;;;;AAaA,eAAe,gBAAgB,UAAU,OAAO,UAAU,CAAC,GAAG;CAC7D,MAAM,QAAQ,QAAQ,SAAS,OAAO,WAAW;CACjD,MAAM,WAAW,QAAQ,YAAY,IAAI,eAAe;CACxD,MAAM,SAASC,aAAAA,aAAa;CAC5B,MAAM,WAAW,IAAI,eAAe,MAAM,SAAS,WAAW,KAAK,CAAC;CACpE,MAAM,cAAc,IAAI,sBAAsB;CAC9C,MAAM,QAAQ,kBAAkB;EAC/B;EACA;EACA;EACA;EACA,aAAa,QAAQ;EACrB,KAAK,QAAQ;CACd,CAAC;CACD,MAAM,eAAe,mBAAmB,OAAO;EAC9C,oBAAoB,QAAQ;EAC5B,mBAAmB,QAAQ;EAC3B,cAAc,QAAQ;EACtB,sBAAsB,EAAE,kBAAkB;GACzC,MAAM;GACN,KAAK,SAAS;EACf,EAAE;CACH,CAAC;CACD,MAAM,MAAM;EACX;EACA,OAAO,YAAY,KAAK;EACxB,MAAM,WAAW,KAAK;EACtB,GAAG,QAAQ;CACZ;CACA,MAAM,cAAc,QAAQ,WAAW,sBAAsB,OAAO,QAAQ,QAAQ,IAAI,KAAK;CAC7F,MAAM,YAAY,QAAQ,SAAS,oBAAoB,OAAO,QAAQ,MAAM,IAAI,KAAK;CACrF,MAAM,iBAAiB,SAAS,MAAM,MAAM,KAAK;CACjD,MAAM,cAAc,uBAAuB;EAC1C;EACA;EACA;EACA;CACD,SAASR,eAAAA,eAAe,YAAY,SAAS,IAAI,gBAAgB,GAAG,CAAC,CAAC;CACtE,IAAI;CACJ,MAAM,eAAe,OAAO,UAAU,QAAQ,QAAQ,EAAE,MAAM,WAAW,CAAC,IAAI,IAAI,SAAS,YAAY;EACtG,gBAAgB,QAAQ,EAAE,MAAM,WAAW,CAAC;EAC5C,OAAO,iBAAiB,SAAS,SAAS,EAAE,MAAM,KAAK,CAAC;CACzD,CAAC;CACD,MAAM,UAAU,MAAM,QAAQ,KAAK;EAClC,YAAY,MAAM,YAAY;GAC7B,MAAM;GACN;EACD,KAAK,WAAW;GACf,MAAM;GACN;EACD,EAAE;EACF,YAAY,kBAAkB,EAAE,MAAM,WAAW;GAChD,MAAM;GACN;EACD,EAAE;EACF;CACD,CAAC;CACD,IAAI,SAAS,OAAO,oBAAoB,SAAS,OAAO;CACxD,IAAI;CACJ,IAAI,QAAQ,SAAS,aAAa;EACjC,YAAY,YAAY,CAAC,CAAC;EAC1B,SAAS;GACR,QAAQ;GACR,OAAO,QAAQ;EAChB;CACD,OAAO,IAAI,QAAQ,SAAS,QAAQ;EACnC,MAAM,SAAS,SAAS,OAAO,MAAM,QAAQ,MAAM;EACnD,MAAM,UAAU,KAAK;GACpB,IAAI,iBAAiB;GACrB;GACA,MAAM;GACN,MAAM,EAAE,OAAO;EAChB,CAAC;EACD,SAAS;GACR,QAAQ;GACR;EACD;CACD,OAAO,IAAI,QAAQ,SAAS,cAAc,mBAAmB,QAAQ,KAAK,GAAG;EAC5E,YAAY,YAAY,CAAC,CAAC;EAC1B,MAAM,UAAU,KAAK;GACpB,IAAI,gBAAgB;GACpB;GACA,MAAM;EACP,CAAC;EACD,SAAS,EAAE,QAAQ,WAAW;CAC/B,OAAO,SAAS;EACf,QAAQ;EACR,OAAO,QAAQ;EACf,qBAAqB,MAAM;CAC5B;CACA,KAAK,MAAM,SAAS,MAAM,WAAW,MAAM,SAAS,OAAO,KAAK;CAChE,OAAO;AACR;AAGA,SAAS,UAAU,QAAQ,MAAM;CAChC,MAAM,SAASS,aAAAA,qBAAqB;CACpC,IAAI,CAAC,QAAQ,WAAW,MAAM,IAAI,MAAM,mGAAmG;CAC3I,OAAO,OAAO,UAAU;EACvB;EACA,GAAG;CACJ,CAAC;AACF"}

package/dist/{dist-DqFdFpiB.mjs → dist-CppO7361.mjs}

@@ -683,7 +683,8 @@ const storedRouteManifestEntryV2Schema = z.discriminatedUnion("kind", [
 		systemPrompt: z.string(),
 		toolCount: z.number().int().nonnegative(),
 		credentialCount: z.number().int().nonnegative(),
-		credentialKeys: z.array(z.string()).default([])
+		appSlugs: z.array(z.string()).default([]),
+		toolSlugs: z.array(z.string()).default([])
 	}),
 	z.object({
 		kind: z.literal("workflow"),
@@ -1117,6 +1118,45 @@ z.object({
 }).refine((input) => input.label !== void 0 || input.isDefault !== void 0 || input.value !== void 0, { message: "At least one field is required" });
 z.array(AppCredentialSummarySchema);
 z.array(AppCredentialSummarySchema);
+const CredentialAssignmentTargetTypeSchema = z.enum(["workflow", "agent"]);
+const CredentialAssignmentRecordSchema = z.object({
+	id: z.string(),
+	targetType: CredentialAssignmentTargetTypeSchema,
+	targetKey: z.string(),
+	consumerId: z.string(),
+	credentialSlug: z.string(),
+	instanceId: z.string(),
+	credential: z.string().optional(),
+	scopeType: z.enum([
+		"organization",
+		"project",
+		"user"
+	]).optional(),
+	createdAt: z.string(),
+	updatedAt: z.string()
+});
+z.object({ assignments: z.array(CredentialAssignmentRecordSchema) });
+z.object({
+	targetType: CredentialAssignmentTargetTypeSchema,
+	targetKey: z.string().min(1),
+	/** Omit or '*' for wildcard assignment. */
+	consumerId: z.string().optional(),
+	credential: z.string().min(1)
+});
+z.object({
+	targetType: CredentialAssignmentTargetTypeSchema,
+	targetKey: z.string().min(1)
+});
+z.object({
+	targetType: CredentialAssignmentTargetTypeSchema,
+	targetKey: z.string().min(1)
+});
+const CredentialConsumerSummarySchema = z.object({
+	consumerId: z.string(),
+	label: z.string(),
+	appSlugs: z.array(z.string())
+});
+z.object({ consumers: z.array(CredentialConsumerSummarySchema) });
 const McpConnectionStatusSchema = z.enum([
 	"INITIATED",
 	"ACTIVE",
@@ -1147,12 +1187,20 @@ const KeystrokeCredentialSchema = z.object({
 	entityId: z.string(),
 	instanceId: z.string()
 });
+const McpCredentialAssignmentTargetSchema = z.object({
+	type: CredentialAssignmentTargetTypeSchema,
+	key: z.string().trim().min(1)
+});
 z.object({
 	app: z.string().trim().min(1),
 	tool: z.string().trim().min(1),
 	arguments: z.record(z.string(), z.unknown()).default({}),
 	/** Pinned provider toolkit version, sourced from the app definition; forwarded to the provider. */
-	version: z.string().trim().min(1)
+	version: z.string().trim().min(1),
+	/** When set, platform MCP resolve checks credential assignments before scope defaults. */
+	assignmentTarget: McpCredentialAssignmentTargetSchema.optional(),
+	/** Tool/step consumer id for assignment lookup (action slug or workflow step correlation id). */
+	consumerId: z.string().trim().min(1).optional()
 });
 const TeamRequestTypeSchema = z.enum([
 	"org-deletion",
@@ -1794,7 +1842,9 @@ z.object({
 });
 const CredentialInstanceRecordSchema = z.object({
 	id: z.string(),
-	key: z.string(),
+	appSlug: z.string(),
+	slug: z.string(),
+	name: z.string().nullable(),
 	scopeType: CredentialScopeTypeSchema,
 	scopeId: z.string().nullable(),
 	label: z.string().nullable(),
@@ -1804,6 +1854,8 @@ const CredentialInstanceRecordSchema = z.object({
 z.object({ instances: z.array(CredentialInstanceRecordSchema) });
 z.object({
 	key: z.string().min(1),
+	slug: z.string().min(1).optional(),
+	name: z.string().nullable().optional(),
 	scopeType: CredentialScopeTypeSchema,
 	scopeId: z.string().nullable().optional(),
 	label: z.string().nullable().optional(),
@@ -1811,6 +1863,8 @@ z.object({
 	value: z.record(z.string(), z.unknown()).refine((value) => Object.keys(value).length > 0, { message: "value must be a non-empty object" })
 });
 z.object({
+	slug: z.string().min(1).optional(),
+	name: z.string().nullable().optional(),
 	label: z.string().nullable().optional(),
 	isDefault: z.boolean().optional(),
 	value: z.record(z.string(), z.unknown()).refine((value) => Object.keys(value).length > 0, { message: "value must be a non-empty object" }).optional()
@@ -2334,11 +2388,11 @@ function runWithRunSignal(signal, fn) {
 function getRunSignal() {
 	return runSignalStorage.getStore() ?? NEVER_ABORT;
 }
-const REGISTRY_KEY$1 = Symbol.for("keystroke.workflowRunGetter");
+const REGISTRY_KEY$2 = Symbol.for("keystroke.workflowRunGetter");
 function registry$1() {
 	const globalScope = globalThis;
-	if (!globalScope[REGISTRY_KEY$1]) globalScope[REGISTRY_KEY$1] = {};
-	return globalScope[REGISTRY_KEY$1];
+	if (!globalScope[REGISTRY_KEY$2]) globalScope[REGISTRY_KEY$2] = {};
+	return globalScope[REGISTRY_KEY$2];
 }
 function registerWorkflowRunGetter(fn) {
 	registry$1().getter = fn;
@@ -2429,6 +2483,32 @@ async function executeAction(action, input, credentials = {}) {
 	const result = await action.run(validatedInput, credentials);
 	return action.output.parse(result);
 }
+/**
+* The store lives in a global `Symbol.for` slot rather than a module-level `const` so a single
+* `AsyncLocalStorage` instance is shared even when the bundled `@keystrokehq/keystroke` facade
+* ships its own copy of this module: the worker sets context via `runWithMcpCredentialContext`
+* and the facade reads it via `getRegisteredMcpCredentialContext` against the same instance.
+*/
+const REGISTRY_KEY$1 = Symbol.for("keystroke.mcpCredentialContextStore");
+function store() {
+	const globalScope = globalThis;
+	if (!globalScope[REGISTRY_KEY$1]) globalScope[REGISTRY_KEY$1] = new AsyncLocalStorage();
+	return globalScope[REGISTRY_KEY$1];
+}
+function getRegisteredMcpCredentialContext() {
+	return store().getStore();
+}
+/**
+* Run `fn` with MCP credential context active for its entire async execution. Nested calls merge
+* over the enclosing context, so an agent's assignment target and a per-tool consumer id compose.
+*/
+function runWithMcpCredentialContext(context, fn) {
+	const als = store();
+	return als.run({
+		...als.getStore(),
+		...context
+	}, fn);
+}
 function resolveActionTool(action, options) {
 	const consumer = options?.consumer ?? {
 		kind: "tool",
@@ -2446,7 +2526,10 @@ function resolveActionTool(action, options) {
 				if (!options?.resolveCredentials) throw new Error(`Missing credential resolver for action "${action.slug}"`);
 				credentials = await options.resolveCredentials(requirements, consumer, options.contextOverride);
 			}
-			const output = await runOutsideActionExecution(() => executeAction(action, params, credentials));
+			const output = await runWithMcpCredentialContext({
+				...options?.mcpCredentialContext,
+				consumerId: consumer.id ?? consumer.name
+			}, () => runOutsideActionExecution(() => executeAction(action, params, credentials)));
 			return {
 				content: [{
 					type: "text",
@@ -2476,6 +2559,6 @@ function getRegisteredProjectScopeId() {
 	return registry().getter?.();
 }
 //#endregion
-export { mcpEntityId as C, toolParameters as E, isCredentialInput as S, toCredentialRequirement as T, runWithinActionExecution as _, getActionCredentialRequirements as a, credentialInputSchema as b, getWorkflowRunHandle as c, isWithinActionExecution as d, registerProjectScopeGetter as f, runWithRunSignal as g, runOutsideActionExecution as h, executeAction as i, isAction as l, resolveActionTool as m, createStepInvocation as n, getRegisteredProjectScopeId as o, registerWorkflowRunGetter as p, defineAction as r, getRunSignal as s, actionCoreSchema as t, isStepInvocation as u, CREDENTIAL_SCOPE_TYPES as v, normalizeCredentialList as w, defineCredential as x, credential as y };
+export { defineCredential as C, toCredentialRequirement as D, normalizeCredentialList as E, toolParameters as O, credentialInputSchema as S, mcpEntityId as T, runWithMcpCredentialContext as _, getActionCredentialRequirements as a, CREDENTIAL_SCOPE_TYPES as b, getRunSignal as c, isStepInvocation as d, isWithinActionExecution as f, runOutsideActionExecution as g, resolveActionTool as h, executeAction as i, getWorkflowRunHandle as l, registerWorkflowRunGetter as m, createStepInvocation as n, getRegisteredMcpCredentialContext as o, registerProjectScopeGetter as p, defineAction as r, getRegisteredProjectScopeId as s, actionCoreSchema as t, isAction as u, runWithRunSignal as v, isCredentialInput as w, credential as x, runWithinActionExecution as y };
 
-//# sourceMappingURL=dist-DqFdFpiB.mjs.map
+//# sourceMappingURL=dist-CppO7361.mjs.map