@keystrokehq/keystroke 1.0.8 → 1.0.9

package/dist/{dist-C5otI4u3.cjs → dist-DivFQzKG.cjs}

@@ -1,5 +1,5 @@
 const require_chunk = require("./chunk-DHdmVzO2.cjs");
-const require_dist$1 = require("./dist-DOMwPx7V.cjs");
+const require_dist$1 = require("./dist-HI6bM6LK.cjs");
 let node_async_hooks = require("node:async_hooks");
 require("node:fs");
 require("node:path");
@@ -3119,6 +3119,9 @@ const requestHandle = new node_async_hooks.AsyncLocalStorage();
 function getRequestDatabaseHandle() {
 	return requestHandle.getStore();
 }
+function isDatabaseInitialized() {
+	return getRequestDatabaseHandle() !== void 0 || false;
+}
 function getDatabaseHandle$1() {
 	const scoped = getRequestDatabaseHandle();
 	if (scoped) return scoped;
@@ -3145,7 +3148,7 @@ const agents = pgTable("agents", {
 	systemPrompt: text$1("system_prompt").notNull(),
 	toolCount: integer$1("tool_count"),
 	credentialCount: integer$1("credential_count"),
-	credentialKeys: jsonb("credential_keys").$type(),
+	appSlugs: jsonb("app_slugs").$type(),
 	registeredAt: timestamp("registered_at", { withTimezone: true }).notNull(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull(),
 	deletedAt: timestamp("deleted_at", { withTimezone: true })
@@ -3162,7 +3165,7 @@ const agentsSqlite = sqliteTable("agents", {
 	systemPrompt: text("system_prompt").notNull(),
 	toolCount: integer("tool_count"),
 	credentialCount: integer("credential_count"),
-	credentialKeys: text("credential_keys", { mode: "json" }).$type(),
+	appSlugs: text("app_slugs", { mode: "json" }).$type(),
 	registeredAt: integer("registered_at", { mode: "timestamp_ms" }).notNull(),
 	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull(),
 	deletedAt: integer("deleted_at", { mode: "timestamp_ms" })
@@ -3430,7 +3433,9 @@ const workflowHooksSqlite = sqliteTable("workflow_hooks", {
 const credentialInstances = pgTable("credential_instances", {
 	id: text$1("id").primaryKey(),
 	projectId: text$1("project_id").notNull(),
+	appSlug: text$1("app_slug").notNull(),
 	slug: text$1("slug").notNull(),
+	name: text$1("name"),
 	scopeType: text$1("scope_type").$type().notNull(),
 	scopeId: text$1("scope_id"),
 	label: text$1("label"),
@@ -3442,11 +3447,13 @@ const credentialInstances = pgTable("credential_instances", {
 	sharedConnectionId: text$1("shared_connection_id"),
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull()
-}, (table) => [uniqueIndex$1("credential_instances_project_slug_scope_label_unique").on(table.projectId, table.slug, table.scopeType, table.scopeId, table.label), index$1("credential_instances_project_slug_scope_idx").on(table.projectId, table.slug, table.scopeType, table.scopeId)]);
+}, (table) => [uniqueIndex$1("credential_instances_project_scope_slug_unique").on(table.projectId, table.scopeType, table.scopeId, table.slug), index$1("credential_instances_project_app_slug_scope_idx").on(table.projectId, table.appSlug, table.scopeType, table.scopeId)]);
 const credentialInstancesSqlite = sqliteTable("credential_instances", {
 	id: text("id").primaryKey(),
 	projectId: text("project_id").notNull(),
+	appSlug: text("app_slug").notNull(),
 	slug: text("slug").notNull(),
+	name: text("name"),
 	scopeType: text("scope_type").$type().notNull(),
 	scopeId: text("scope_id"),
 	label: text("label"),
@@ -3458,7 +3465,30 @@ const credentialInstancesSqlite = sqliteTable("credential_instances", {
 	sharedConnectionId: text("shared_connection_id"),
 	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
 	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
-}, (table) => [uniqueIndex("credential_instances_project_slug_scope_label_unique").on(table.projectId, table.slug, table.scopeType, table.scopeId, table.label), index("credential_instances_project_slug_scope_idx").on(table.projectId, table.slug, table.scopeType, table.scopeId)]);
+}, (table) => [uniqueIndex("credential_instances_project_scope_slug_unique").on(table.projectId, table.scopeType, table.scopeId, table.slug), index("credential_instances_project_app_slug_scope_idx").on(table.projectId, table.appSlug, table.scopeType, table.scopeId)]);
+const credentialAssignments = pgTable("credential_assignments", {
+	id: text$1("id").primaryKey(),
+	projectId: text$1("project_id").notNull(),
+	targetType: text$1("target_type").$type().notNull(),
+	targetKey: text$1("target_key").notNull(),
+	/** '*' = wildcard; else runtime consumer id (step correlation id or tool slug). */
+	consumerId: text$1("consumer_id").notNull(),
+	credentialSlug: text$1("credential_slug").notNull(),
+	instanceId: text$1("instance_id").notNull(),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull()
+}, (table) => [uniqueIndex$1("credential_assignments_project_target_consumer_slug").on(table.projectId, table.targetType, table.targetKey, table.consumerId, table.credentialSlug), index$1("credential_assignments_project_target_idx").on(table.projectId, table.targetType, table.targetKey)]);
+const credentialAssignmentsSqlite = sqliteTable("credential_assignments", {
+	id: text("id").primaryKey(),
+	projectId: text("project_id").notNull(),
+	targetType: text("target_type").$type().notNull(),
+	targetKey: text("target_key").notNull(),
+	consumerId: text("consumer_id").notNull(),
+	credentialSlug: text("credential_slug").notNull(),
+	instanceId: text("instance_id").notNull(),
+	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
+	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
+}, (table) => [uniqueIndex("credential_assignments_project_target_consumer_slug").on(table.projectId, table.targetType, table.targetKey, table.consumerId, table.credentialSlug), index("credential_assignments_project_target_idx").on(table.projectId, table.targetType, table.targetKey)]);
 const jobs = pgTable("jobs", {
 	id: text$1("id").primaryKey(),
 	projectId: text$1("project_id").notNull(),
@@ -3695,6 +3725,10 @@ const tableRegistry$1 = {
 		pg: credentialInstances,
 		sqlite: credentialInstancesSqlite
 	},
+	credentialAssignments: {
+		pg: credentialAssignments,
+		sqlite: credentialAssignmentsSqlite
+	},
 	jobs: {
 		pg: jobs,
 		sqlite: jobsSqlite
@@ -3817,13 +3851,16 @@ function credentialScopeAnd(scopeType, ...conditions) {
 	if (scopeType === "project") return scopedAnd$1(credentialInstances, ...conditions);
 	return and(...conditions.filter(Boolean));
 }
-async function selectCredentialInstanceById$1(id) {
+async function selectCredentialInstanceById(id) {
 	return (await getDb$1().select().from(credentialInstances).where(eq(credentialInstances.id, id)).limit(1))[0];
 }
-async function selectCredentialInstancesForScope$1(slug, scopeType, scopeId) {
+async function selectCredentialInstancesForScope(appSlug, scopeType, scopeId) {
 	const db = getDb$1();
 	const scopeCondition = scopeId === null ? and(eq(credentialInstances.scopeType, scopeType), isNull(credentialInstances.scopeId)) : and(eq(credentialInstances.scopeType, scopeType), eq(credentialInstances.scopeId, scopeId));
-	return db.select().from(credentialInstances).where(credentialScopeAnd(scopeType, eq(credentialInstances.slug, slug), scopeCondition));
+	return db.select().from(credentialInstances).where(credentialScopeAnd(scopeType, eq(credentialInstances.appSlug, appSlug), scopeCondition));
+}
+async function listCredentialAssignmentsByTarget(options) {
+	return getDb$1().select().from(credentialAssignments).where(scopedAnd$1(credentialAssignments, eq(credentialAssignments.targetType, options.targetType), eq(credentialAssignments.targetKey, options.targetKey)));
 }
 async function selectTraceSpanById(id) {
 	const db = getDb$1();
@@ -17218,7 +17255,7 @@ async function connectMcpServer(name, options) {
 }
 async function createTransport(url, transport, requestInit, fetchImpl) {
 	if (transport === "sse") {
-		const { SSEClientTransport } = await Promise.resolve().then(() => require("./sse-Dzs73rQw.cjs"));
+		const { SSEClientTransport } = await Promise.resolve().then(() => require("./sse-CZOklzgA.cjs"));
 		return new SSEClientTransport(url, {
 			requestInit,
 			fetch: fetchImpl
@@ -18008,6 +18045,26 @@ async function resolveOAuthAccessToken(connection, app, tokenRefresh) {
 	return refreshed.accessToken;
 }
 //#endregion
+//#region ../credentials/dist/store-BokhwcCi.mjs
+function normalizeRow(row) {
+	const { projectId: _projectId, ...rest } = row;
+	return rest;
+}
+async function listCredentialAssignmentsByTarget$1(options) {
+	return (await listCredentialAssignmentsByTarget(options)).map(normalizeRow);
+}
+function normalizeLocalRow(row) {
+	const { projectId: _projectId, ...rest } = row;
+	return rest;
+}
+async function selectCredentialInstanceById$1(id) {
+	const row = await selectCredentialInstanceById(id);
+	return row ? normalizeLocalRow(row) : void 0;
+}
+async function selectCredentialInstancesForScope$1(appSlug, scopeType, scopeId) {
+	return (await selectCredentialInstancesForScope(appSlug, scopeType, scopeId)).map(normalizeLocalRow);
+}
+//#endregion
 //#region ../secrets/dist/index.mjs
 const ALGORITHM = "aes-256-gcm";
 const IV_LENGTH = 12;
@@ -18079,19 +18136,6 @@ async function readCredentialInstanceSecret(instanceId) {
 	});
 }
 //#endregion
-//#region ../credentials/dist/store/index.mjs
-function normalizeLocalRow(row) {
-	const { projectId: _projectId, ...rest } = row;
-	return rest;
-}
-async function selectCredentialInstanceById(id) {
-	const row = await selectCredentialInstanceById$1(id);
-	return row ? normalizeLocalRow(row) : void 0;
-}
-async function selectCredentialInstancesForScope(key, scopeType, scopeId) {
-	return (await selectCredentialInstancesForScope$1(key, scopeType, scopeId)).map(normalizeLocalRow);
-}
-//#endregion
 //#region ../credentials/dist/index.mjs
 var MissingCredentialsError = class extends Error {
 	code = "missing_credentials";
@@ -18170,6 +18214,93 @@ function captureCredentialToolErrors(tools) {
 		}
 	};
 }
+const EMPTY_ASSIGNMENT_SET = {
+	byConsumer: {},
+	wildcard: {}
+};
+function selectAssignedInstanceId(assignments, consumerId, credentialSlug) {
+	if (!assignments) return;
+	if (consumerId) {
+		const specific = assignments.byConsumer[consumerId]?.[credentialSlug];
+		if (specific) return specific;
+	}
+	return assignments.wildcard[credentialSlug];
+}
+function buildAssignmentSet(rows) {
+	const byConsumer = {};
+	const wildcard = {};
+	for (const row of rows) {
+		if (row.consumerId === "*") {
+			wildcard[row.credentialSlug] = row.instanceId;
+			continue;
+		}
+		const bucket = byConsumer[row.consumerId] ?? {};
+		bucket[row.credentialSlug] = row.instanceId;
+		byConsumer[row.consumerId] = bucket;
+	}
+	return {
+		byConsumer,
+		wildcard
+	};
+}
+async function loadCredentialAssignments(options) {
+	if (!isDatabaseInitialized()) return EMPTY_ASSIGNMENT_SET;
+	return buildAssignmentSet(await listCredentialAssignmentsByTarget$1(options));
+}
+async function withCredentialAssignments(context, options) {
+	const assignments = await loadCredentialAssignments(options);
+	return {
+		...context,
+		assignments
+	};
+}
+function pickKeystrokeInstanceRow(rows, key, consumer) {
+	if (rows.length === 0) return;
+	if (rows.length === 1) return rows[0];
+	const defaults = rows.filter((row) => row.isDefault);
+	if (defaults.length === 1) return defaults[0];
+	if (consumer !== void 0) throw new NeedsSelectionError({
+		key,
+		options: rows.map((row) => ({
+			id: row.id,
+			label: row.name ?? row.label,
+			scopeType: row.scopeType,
+			scopeId: row.scopeId
+		})),
+		consumer
+	});
+	return rows.find((row) => row.isDefault) ?? rows[0];
+}
+async function resolveAssignedKeystrokeInstance(app, assignments, consumerId) {
+	const assignedId = selectAssignedInstanceId(assignments, consumerId, app);
+	if (!assignedId) return;
+	const row = await selectCredentialInstanceById$1(assignedId);
+	if (!row || row.authKind !== "keystroke" || !row.connectionId || row.appSlug !== app) return;
+	return {
+		instanceId: assignedId,
+		scopeType: row.scopeType,
+		scopeId: row.scopeId
+	};
+}
+/** Assignment lookup (when assignments provided) then ordered scope walk. User scope only when included in scopes. */
+async function resolveKeystrokeInstanceId(options) {
+	const assignments = options.assignments ?? (options.assignmentTarget ? await loadCredentialAssignments({
+		targetType: options.assignmentTarget.type,
+		targetKey: options.assignmentTarget.key
+	}) : void 0);
+	if (assignments) {
+		const assigned = await resolveAssignedKeystrokeInstance(options.app, assignments, options.consumerId);
+		if (assigned) return assigned;
+	}
+	for (const [scopeType, scopeId] of options.scopes) {
+		const row = pickKeystrokeInstanceRow((await selectCredentialInstancesForScope$1(options.app, scopeType, scopeId)).filter((row) => row.authKind === "keystroke" && row.connectionId), options.app, options.consumer);
+		if (row) return {
+			instanceId: row.id,
+			scopeType: row.scopeType,
+			scopeId: row.scopeId
+		};
+	}
+}
 function buildCredentialRunContext(input) {
 	const subscription = input.subscription;
 	const request = input.request ?? {};
@@ -18187,7 +18318,7 @@ function createLocalCredentialBackend(options = {}) {
 	const { tokenRefresh } = options;
 	return {
 		async resolveApiKey(instanceId, schema) {
-			const row = await selectCredentialInstanceById$1(instanceId);
+			const row = await selectCredentialInstanceById(instanceId);
 			if (!row) throw new MissingCredentialsError({
 				key: instanceId,
 				chainAttempted: ["api_key"]
@@ -18199,7 +18330,7 @@ function createLocalCredentialBackend(options = {}) {
 			const secret = await readCredentialInstanceSecret(instanceId);
 			if (secret) return schema.parse(JSON.parse(secret));
 			throw new MissingCredentialsError({
-				key: row.slug,
+				key: row.appSlug,
 				chainAttempted: ["api_key"]
 			});
 		},
@@ -18279,7 +18410,7 @@ function createCredentialBackend(options = {}) {
 function toSelectionOption(row) {
 	return {
 		id: row.id,
-		label: row.label,
+		label: row.name ?? row.label,
 		scopeType: row.scopeType,
 		scopeId: row.scopeId
 	};
@@ -18305,12 +18436,12 @@ function pickInstance(rows, key, consumer) {
 async function resolveInstanceValue(row, requirement, backend) {
 	if (row.authKind === "keystroke") {
 		if (!row.connectionId) throw new MissingCredentialsError({
-			key: row.slug,
+			key: row.appSlug,
 			chainAttempted: ["keystroke"]
 		});
 		const scopeId = row.scopeType === "organization" ? getServerTenantScopeId() : row.scopeId ?? "";
 		if (!scopeId) throw new MissingCredentialsError({
-			key: row.slug,
+			key: row.appSlug,
 			chainAttempted: ["keystroke"]
 		});
 		const value = {
@@ -18322,7 +18453,7 @@ async function resolveInstanceValue(row, requirement, backend) {
 	}
 	if (row.authKind === "oauth_managed") {
 		if (!row.connectionId) throw new MissingCredentialsError({
-			key: row.slug,
+			key: row.appSlug,
 			chainAttempted: ["oauth_managed"]
 		});
 		const token = await backend.getOAuthAccessToken(row.connectionId);
@@ -18333,8 +18464,8 @@ async function resolveInstanceValue(row, requirement, backend) {
 	return backend.resolveApiKey(row.id, requirement.schema);
 }
 async function resolveSelectedInstance(key, instanceId, context, consumer) {
-	const row = await selectCredentialInstanceById(instanceId);
-	if (!row || row.slug !== key) throw new MissingCredentialsError({
+	const row = await selectCredentialInstanceById$1(instanceId);
+	if (!row || row.appSlug !== key) throw new MissingCredentialsError({
 		key,
 		chainAttempted: ["selection"],
 		consumer
@@ -18356,26 +18487,58 @@ function scopeIdForScope(scope, key, context) {
 	}
 }
 async function resolveAtScope(key, scopeType, scopeId, consumer) {
-	const rows = await selectCredentialInstancesForScope(key, scopeType, scopeId);
+	const rows = await selectCredentialInstancesForScope$1(key, scopeType, scopeId);
 	if (rows.length === 0) return;
-	try {
-		return pickInstance(rows, key, consumer);
-	} catch (error) {
-		if (error instanceof NeedsSelectionError) throw error;
-		throw error;
+	return pickInstance(rows, key, consumer);
+}
+async function resolveBoundInstance(instanceId, requirement, context, consumer, backend) {
+	const row = await selectCredentialInstanceById$1(instanceId);
+	if (!row || row.appSlug !== requirement.key) throw new MissingCredentialsError({
+		key: requirement.key,
+		chainAttempted: ["binding"],
+		consumer
+	});
+	if (!bindingTenantReachable(row, context)) throw new CredentialAccessDeniedError(instanceId);
+	return resolveInstanceValue(row, requirement, backend ?? createCredentialBackend());
+}
+function bindingTenantReachable(row, context) {
+	switch (row.scopeType) {
+		case "organization": return row.scopeId === context.orgId;
+		case "project": return row.scopeId === context.projectId;
+		case "user": return Boolean(row.scopeId);
+		default: return false;
 	}
 }
 /**
 * Resolution order:
-*   1. A platform-provided binding (explicit instance id in `context.selection`) wins.
-*   2. A scope pinned on the requirement (`.scope("user")`) resolves only at that scope.
-*   3. Otherwise the project default, then the org default. No configurable chain.
-* If nothing matches, throw — there is no binding.
+*   1. Platform assignment (consumer-specific, then wildcard).
+*   2. Client selection in `context.selection`.
+*   3. Scope pinned on the requirement (`.scope("user")`).
+*   4. Project default, then org default.
 */
 async function resolvePolicy(requirement, context, consumer, backend) {
 	const attempted = [];
 	const materialBackend = backend ?? createCredentialBackend();
 	const scoped = withTenantScope(context);
+	const boundId = requirement.kind !== "keystroke" ? selectAssignedInstanceId(scoped.assignments, consumer?.id, requirement.key) : void 0;
+	if (boundId) return resolveBoundInstance(boundId, requirement, scoped, consumer, materialBackend);
+	if (requirement.kind === "keystroke") {
+		const bound = await resolveKeystrokeInstanceId({
+			app: requirement.key,
+			scopes: [],
+			assignments: scoped.assignments,
+			consumerId: consumer?.id
+		});
+		if (bound) {
+			const row = await selectCredentialInstanceById$1(bound.instanceId);
+			if (!row) throw new MissingCredentialsError({
+				key: requirement.key,
+				chainAttempted: ["binding"],
+				consumer
+			});
+			return resolveInstanceValue(row, requirement, materialBackend);
+		}
+	}
 	const selectionId = context.selection?.[requirement.key];
 	if (selectionId) return resolveInstanceValue(await resolveSelectedInstance(requirement.key, selectionId, scoped, consumer), requirement, materialBackend);
 	if (requirement.scope) {
@@ -18391,6 +18554,32 @@ async function resolvePolicy(requirement, context, consumer, backend) {
 			consumer
 		});
 	}
+	if (requirement.kind === "keystroke") {
+		const scopes = [];
+		if (scoped.projectId) {
+			attempted.push("project");
+			scopes.push(["project", scoped.projectId]);
+		}
+		if (scoped.orgId) {
+			attempted.push("organization");
+			scopes.push(["organization", scoped.orgId]);
+		}
+		const resolved = await resolveKeystrokeInstanceId({
+			app: requirement.key,
+			scopes,
+			consumerId: consumer?.id,
+			consumer
+		});
+		if (resolved) {
+			const row = await selectCredentialInstanceById$1(resolved.instanceId);
+			if (row) return resolveInstanceValue(row, requirement, materialBackend);
+		}
+		throw new MissingCredentialsError({
+			key: requirement.key,
+			chainAttempted: attempted,
+			consumer
+		});
+	}
 	if (scoped.projectId) {
 		attempted.push("project");
 		const row = await resolveAtScope(requirement.key, "project", scoped.projectId, consumer);
@@ -18737,6 +18926,12 @@ Object.defineProperty(exports, "touchSession", {
 		return touchSession;
 	}
 });
+Object.defineProperty(exports, "withCredentialAssignments", {
+	enumerable: true,
+	get: function() {
+		return withCredentialAssignments;
+	}
+});
 Object.defineProperty(exports, "withSpan", {
 	enumerable: true,
 	get: function() {
@@ -18750,4 +18945,4 @@ Object.defineProperty(exports, "zodToJsonSchema", {
 	}
 });
 
-//# sourceMappingURL=dist-C5otI4u3.cjs.map
+//# sourceMappingURL=dist-DivFQzKG.cjs.map