keystone-cli 0.5.1 → 0.6.1

package/README.md

@@ -25,6 +25,8 @@ Keystone allows you to define complex automation workflows using a simple YAML s
 - 🛠️ **Extensible:** Support for shell, file, HTTP request, LLM, and sub-workflow steps.
 - 🔌 **MCP Support:** Integrated Model Context Protocol server.
 - 🛡️ **Secret Redaction:** Automatically redacts environment variables and secrets from logs and outputs.
+- 🧠 **Semantic Memory:** Store and retrieve step outputs using vector embeddings/RAG.
+- 🎯 **Prompt Optimization:** Automatically optimize prompts using iterative evaluation (DSPy-style).
 
 ---
 
@@ -281,10 +283,26 @@ Keystone supports several specialized step types:
 - `script`: Run arbitrary JavaScript in a sandbox. On Bun, uses `node:vm` (since `isolated-vm` requires V8).
   - ⚠️ **Security Note:** The `node:vm` sandbox is not secure against malicious code. Only run scripts from trusted sources.
 - `sleep`: Pause execution for a specified duration.
+- `memory`: Store or retrieve information from the semantic memory vector database.
 
-All steps support common features like `needs` (dependencies), `if` (conditionals), `retry`, `timeout`, `foreach` (parallel iteration), `concurrency` (max parallel items for foreach), and `transform` (post-process output using expressions).
+All steps support common features like `needs` (dependencies), `if` (conditionals), `retry`, `timeout`, `foreach` (parallel iteration), `concurrency` (max parallel items for foreach), `transform` (post-process output using expressions), `learn` (auto-index for few-shot), and `reflexion` (self-correction loop).
 
-Workflows also support a top-level `concurrency` field to limit how many steps can run in parallel across the entire workflow.
+Workflows also support a top-level `concurrency` field to limit how many steps can run in parallel across the entire workflow. This must be a positive integer.
+
+### Self-Healing Steps
+Steps can be configured to automatically recover from failures using an LLM agent.
+
+```yaml
+- id: build
+  type: shell
+  run: bun build
+  auto_heal:
+    agent: debugger_agent
+    maxAttempts: 3
+    model: gpt-4o # Optional override
+```
+
+When a step fails, the specified agent is invoked with the error details. The agent proposes a fix (e.g., a corrected command), and the step is automatically retried.
 
 #### Example: Transform & Foreach Concurrency
 ```yaml
@@ -297,13 +315,14 @@ Workflows also support a top-level `concurrency` field to limit how many steps c
 - id: process_files
   type: shell
   foreach: ${{ steps.list_files.output }}
-  concurrency: 5 # Process 5 files at a time
+  concurrency: 5 # Process 5 files at a time (must be a positive integer)
   run: echo "Processing ${{ item }}"
 
 #### Example: Script Step
 ```yaml
 - id: calculate
   type: script
+  allowInsecure: true
   run: |
     const data = context.steps.fetch_data.output;
     return data.map(i => i.value * 2).reduce((a, b) => a + b, 0);
@@ -427,7 +446,8 @@ In these examples, the agent will have access to all tools provided by the MCP s
 | Command | Description |
 | :--- | :--- |
 | `init` | Initialize a new Keystone project |
-| `run <workflow>` | Execute a workflow (use `-i key=val` for inputs, `--dry-run` to test) |
+| `run <workflow>` | Execute a workflow (use `-i key=val` for inputs, `--dry-run` to test, `--debug` for REPL) |
+| `optimize <workflow>` | Optimize a specific step in a workflow (requires --target) |
 | `resume <run_id>` | Resume a failed or paused workflow |
 | `validate [path]` | Check workflow files for errors |
 | `workflows` | List available workflows |
@@ -442,11 +462,38 @@ In these examples, the agent will have access to all tools provided by the MCP s
 | `mcp start` | Start the Keystone MCP server |
 | `mcp login <server>` | Login to a remote MCP server |
 | `completion [shell]` | Generate shell completion script (zsh, bash) |
-| `prune [--days N]` | Cleanup old run data from the database |
+| `maintenance [--days N]` | Perform database maintenance (prune old runs and vacuum) |
 
 ---
-
-## 📂 Project Structure
+ 
+ ## 🛡️ Security
+ 
+ ### Shell Execution
+ By default, Keystone analyzes shell commands for potentially dangerous patterns (like shell injection, `rm -rf`, piped commands). If a risk is detected:
+ - In interactive mode, the user is prompted for confirmation.
+ - In non-interactive mode, the step is suspended or failed.
+ 
+ You can bypass this check if you trust the command:
+ ```yaml
+ - id: deploy
+   type: shell
+   run: ./deploy.sh ${{ inputs.env }}
+   allowInsecure: true
+ ```
+ 
+ ### Expression Safety
+ Expressions `${{ }}` are evaluated using a safe AST parser (`jsep`) which:
+ - Prevents arbitrary code execution (no `eval` or `Function`).
+ - Whitelists safe global objects (`Math`, `JSON`, `Date`, etc.).
+ - Blocks access to sensitive properties (`constructor`, `__proto__`).
+ - Enforces a maximum template length to prevent ReDoS attacks.
+ 
+ ### Script Sandboxing
+ The `script` step uses Node.js `vm` module. While it provides isolation for variables, it is **not a security boundary** for malicious code. Only run scripts from trusted sources.
+ 
+ ---
+ 
+ ## 📂 Project Structure
 
 - `src/db/`: SQLite persistence layer.
 - `src/runner/`: The core execution engine, handles parallelization and retries.
@@ -460,4 +507,4 @@ In these examples, the agent will have access to all tools provided by the MCP s
 
 ## 📄 License
 
-MIT
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keystone-cli",
-  "version": "0.5.1",
+  "version": "0.6.1",
   "description": "A local-first, declarative, agentic workflow orchestrator built on Bun",
   "type": "module",
   "bin": {
@@ -13,13 +13,7 @@
     "lint:fix": "biome check --write .",
     "format": "biome format --write ."
   },
-  "keywords": [
-    "workflow",
-    "orchestrator",
-    "agentic",
-    "automation",
-    "bun"
-  ],
+  "keywords": ["workflow", "orchestrator", "agentic", "automation", "bun"],
   "author": "Mark Hingston",
   "license": "MIT",
   "repository": {
@@ -27,16 +21,12 @@
     "url": "https://github.com/mhingston/keystone-cli.git"
   },
   "homepage": "https://github.com/mhingston/keystone-cli#readme",
-  "files": [
-    "src",
-    "README.md",
-    "LICENSE",
-    "logo.png"
-  ],
+  "files": ["src", "README.md", "LICENSE", "logo.png"],
   "dependencies": {
     "@jsep-plugin/arrow": "^1.0.6",
     "@jsep-plugin/object": "^1.2.2",
-    "@types/react": "^19.2.7",
+    "@types/react": "^19.0.0",
+    "@xenova/transformers": "^2.17.2",
     "commander": "^12.1.0",
     "dagre": "^0.8.5",
     "ink": "^6.5.1",
@@ -44,7 +34,8 @@
     "ink-spinner": "^5.0.0",
     "js-yaml": "^4.1.0",
     "jsep": "^1.4.0",
-    "react": "^19.2.3",
+    "react": "^19.0.0",
+    "sqlite-vec": "0.1.6",
     "zod": "^3.23.8"
   },
   "devDependencies": {
@@ -57,4 +48,4 @@
   "engines": {
     "bun": ">=1.0.0"
   }
-}
+}

package/src/cli.ts

@@ -9,9 +9,10 @@ import architectAgent from './templates/agents/keystone-architect.md' with { typ
 // Default templates
 import scaffoldWorkflow from './templates/scaffold-feature.yaml' with { type: 'text' };
 
-import { WorkflowDb } from './db/workflow-db.ts';
+import { WorkflowDb, type WorkflowRun } from './db/workflow-db.ts';
 import { WorkflowParser } from './parser/workflow-parser.ts';
 import { ConfigLoader } from './utils/config-loader.ts';
+import { ConsoleLogger } from './utils/logger.ts';
 import { generateMermaidGraph, renderWorkflowAsAscii } from './utils/mermaid.ts';
 import { WorkflowRegistry } from './utils/workflow-registry.ts';
 
@@ -226,6 +227,7 @@ program
   .argument('<workflow>', 'Workflow name or path to workflow file')
   .option('-i, --input <key=value...>', 'Input values')
   .option('--dry-run', 'Show what would be executed without actually running it')
+  .option('--debug', 'Enable interactive debug mode on failure')
   .action(async (workflowPath, options) => {
     // Parse inputs
     const inputs: Record<string, unknown> = {};
@@ -250,25 +252,15 @@ program
       const resolvedPath = WorkflowRegistry.resolvePath(workflowPath);
       const workflow = WorkflowParser.loadWorkflow(resolvedPath);
 
-      // Auto-prune old runs
-      try {
-        const config = ConfigLoader.load();
-        const db = new WorkflowDb();
-        const deleted = await db.pruneRuns(config.storage.retention_days);
-        if (deleted > 0) {
-          await db.vacuum();
-        }
-        db.close();
-      } catch (error) {
-        // Non-fatal
-      }
-
       // Import WorkflowRunner dynamically
       const { WorkflowRunner } = await import('./runner/workflow-runner.ts');
+      const logger = new ConsoleLogger();
       const runner = new WorkflowRunner(workflow, {
         inputs,
         workflowDir: dirname(resolvedPath),
         dryRun: !!options.dryRun,
+        debug: !!options.debug,
+        logger,
       });
 
       const outputs = await runner.run();
@@ -287,6 +279,80 @@ program
     }
   });
 
+// ===== keystone workflows =====
+program
+  .command('workflows')
+  .description('List available workflows')
+  .action(() => {
+    const workflows = WorkflowRegistry.listWorkflows();
+    if (workflows.length === 0) {
+      console.log('No workflows found. Run "keystone init" to seed default workflows.');
+      return;
+    }
+
+    console.log('\n🏛️  Available Workflows:');
+    for (const w of workflows) {
+      console.log(`\n  ${w.name}`);
+      if (w.description) {
+        console.log(`    ${w.description}`);
+      }
+    }
+    console.log('');
+  });
+
+// ===== keystone optimize =====
+program
+  .command('optimize')
+  .description('Optimize a specific step in a workflow using iterative evaluation')
+  .argument('<workflow>', 'Workflow name or path to workflow file')
+  .requiredOption('-t, --target <step_id>', 'Target step ID to optimize')
+  .option('-n, --iterations <number>', 'Number of optimization iterations', '5')
+  .option('-i, --input <key=value...>', 'Input values for evaluation')
+  .action(async (workflowPath, options) => {
+    try {
+      const { OptimizationRunner } = await import('./runner/optimization-runner.ts');
+      const resolvedPath = WorkflowRegistry.resolvePath(workflowPath);
+      const workflow = WorkflowParser.loadWorkflow(resolvedPath);
+
+      // Parse inputs
+      const inputs: Record<string, unknown> = {};
+      if (options.input) {
+        for (const pair of options.input) {
+          const index = pair.indexOf('=');
+          if (index > 0) {
+            const key = pair.slice(0, index);
+            const value = pair.slice(index + 1);
+            try {
+              inputs[key] = JSON.parse(value);
+            } catch {
+              inputs[key] = value;
+            }
+          }
+        }
+      }
+
+      const runner = new OptimizationRunner(workflow, {
+        workflowPath: resolvedPath,
+        targetStepId: options.target,
+        iterations: Number.parseInt(options.iterations, 10),
+        inputs,
+      });
+
+      console.log('🏛️  Keystone Prompt Optimization');
+      const { bestPrompt, bestScore } = await runner.optimize();
+
+      console.log('\n✨ Optimization Complete!');
+      console.log(`🏆 Best Score: ${bestScore}/100`);
+      console.log('\nBest Prompt/Command:');
+      console.log(''.padEnd(80, '-'));
+      console.log(bestPrompt);
+      console.log(''.padEnd(80, '-'));
+    } catch (error) {
+      console.error('✗ Optimization failed:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
 // ===== keystone resume =====
 program
   .command('resume')
@@ -295,21 +361,10 @@ program
   .option('-w, --workflow <path>', 'Path to workflow file (auto-detected if not specified)')
   .action(async (runId, options) => {
     try {
-      const config = ConfigLoader.load();
       const db = new WorkflowDb();
 
-      // Auto-prune old runs
-      try {
-        const deleted = await db.pruneRuns(config.storage.retention_days);
-        if (deleted > 0) {
-          await db.vacuum();
-        }
-      } catch (error) {
-        // Non-fatal
-      }
-
       // Load run from database to get workflow name
-      const run = db.getRun(runId);
+      const run = await db.getRun(runId);
 
       if (!run) {
         console.error(`✗ Run not found: ${runId}`);
@@ -344,9 +399,11 @@ program
 
       // Import WorkflowRunner dynamically
       const { WorkflowRunner } = await import('./runner/workflow-runner.ts');
+      const logger = new ConsoleLogger();
       const runner = new WorkflowRunner(workflow, {
         resumeRunId: runId,
         workflowDir: dirname(workflowPath),
+        logger,
       });
 
       const outputs = await runner.run();
@@ -362,55 +419,44 @@ program
     }
   });
 
-// ===== keystone workflows =====
-program
-  .command('workflows')
-  .description('List available workflows')
-  .action(() => {
-    try {
-      const workflows = WorkflowRegistry.listWorkflows();
-      if (workflows.length === 0) {
-        console.log('No workflows found.');
-        return;
-      }
-
-      console.log('\nAvailable workflows:\n');
-      for (const w of workflows) {
-        const description = w.description ? ` - ${w.description}` : '';
-        console.log(`  ${w.name.padEnd(25)}${description}`);
-      }
-      console.log();
-    } catch (error) {
-      console.error('✗ Failed to list workflows:', error instanceof Error ? error.message : error);
-      process.exit(1);
-    }
-  });
-
 // ===== keystone history =====
 program
   .command('history')
-  .description('List recent workflow runs')
-  .option('-n, --limit <number>', 'Number of runs to show', '20')
-  .action((options) => {
+  .description('Show recent workflow runs')
+  .option('-l, --limit <number>', 'Limit the number of runs to show', '50')
+  .action(async (options) => {
     try {
       const db = new WorkflowDb();
-      const runs = db.listRuns(Number.parseInt(options.limit));
+      const limit = Number.parseInt(options.limit, 10);
+      const runs = await db.listRuns(limit);
+      db.close();
 
       if (runs.length === 0) {
         console.log('No workflow runs found.');
         return;
       }
 
-      console.log('\nRecent workflow runs:\n');
+      console.log('\n🏛️  Workflow Run History:');
+      console.log(''.padEnd(100, '-'));
+      console.log(
+        `${'ID'.padEnd(10)} ${'Workflow'.padEnd(25)} ${'Status'.padEnd(15)} ${'Started At'}`
+      );
+      console.log(''.padEnd(100, '-'));
+
       for (const run of runs) {
-        const status = run.status.toUpperCase().padEnd(10);
-        const date = new Date(run.started_at).toLocaleString();
+        const id = run.id.slice(0, 8);
+        const status = run.status;
+        const color =
+          status === 'success' ? '\x1b[32m' : status === 'failed' ? '\x1b[31m' : '\x1b[33m';
+        const reset = '\x1b[0m';
+
         console.log(
-          `${run.id.substring(0, 8)}  ${status}  ${run.workflow_name.padEnd(20)}  ${date}`
+          `${id.padEnd(10)} ${run.workflow_name.padEnd(25)} ${color}${status.padEnd(
+            15
+          )}${reset} ${new Date(run.started_at).toLocaleString()}`
         );
       }
-
-      db.close();
+      console.log('');
     } catch (error) {
       console.error('✗ Failed to list runs:', error instanceof Error ? error.message : error);
       process.exit(1);
@@ -420,86 +466,33 @@ program
 // ===== keystone logs =====
 program
   .command('logs')
-  .description('Show logs for a workflow run')
-  .argument('<run_id>', 'Run ID')
-  .option('-v, --verbose', 'Show full output without truncation')
-  .action((runId, options) => {
+  .description('Show logs for a specific workflow run')
+  .argument('<run_id>', 'Run ID to show logs for')
+  .option('-v, --verbose', 'Show detailed step outputs')
+  .action(async (runId, options) => {
     try {
       const db = new WorkflowDb();
-      const run = db.getRun(runId);
+      const run = await db.getRun(runId);
 
       if (!run) {
-        console.error(`✗ Run not found: ${runId}`);
-        process.exit(1);
-      }
-
-      console.log(`\n📋 Workflow: ${run.workflow_name}`);
-      console.log(`Status: ${run.status}`);
-      console.log(`Started: ${new Date(run.started_at).toLocaleString()}`);
-      if (run.completed_at) {
-        console.log(`Completed: ${new Date(run.completed_at).toLocaleString()}`);
-      }
-      if (run.error) {
-        console.log(`\n❌ Error: ${run.error}`);
-      }
-
-      const steps = db.getStepsByRun(runId);
-      if (steps.length > 0) {
-        console.log('\nSteps:');
-        for (const step of steps) {
-          const statusColors: Record<string, string> = {
-            success: '\x1b[32m', // green
-            failed: '\x1b[31m', // red
-            pending: '\x1b[33m', // yellow
-            skipped: '\x1b[90m', // gray
-            suspended: '\x1b[35m', // magenta
-          };
-          const RESET = '\x1b[0m';
-          const color = statusColors[step.status] || '';
-          const status = `${color}${step.status.toUpperCase().padEnd(10)}${RESET}`;
-          const iteration = step.iteration_index !== null ? ` [${step.iteration_index}]` : '';
-          console.log(`  ${(step.step_id + iteration).padEnd(25)}  ${status}`);
-
-          // Show error if present
-          if (step.error) {
-            console.log(`    ❌ Error: ${step.error}`);
-          }
-
-          // Show output if present
-          if (step.output) {
-            try {
-              const output = JSON.parse(step.output);
-              let outputStr = JSON.stringify(output, null, 2);
-              if (!options.verbose && outputStr.length > 500) {
-                outputStr = `${outputStr.substring(0, 500)}... (use --verbose for full output)`;
-              }
-              // Indent output
-              const indentedOutput = outputStr
-                .split('\n')
-                .map((line: string) => `      ${line}`)
-                .join('\n');
-              console.log(`    📤 Output:\n${indentedOutput}`);
-            } catch {
-              console.log(`    📤 Output: ${step.output.substring(0, 200)}`);
-            }
-          }
-
-          // Show usage if present
-          if (step.usage) {
-            try {
-              const usage = JSON.parse(step.usage);
-              if (usage.total_tokens) {
-                console.log(
-                  `    📊 Tokens: ${usage.total_tokens} (prompt: ${usage.prompt_tokens}, completion: ${usage.completion_tokens})`
-                );
-              }
-            } catch {
-              // Ignore parse errors
-            }
+        // Try searching by short ID
+        const allRuns = await db.listRuns(200);
+        const matching = allRuns.find((r) => r.id.startsWith(runId));
+        if (matching) {
+          const detailedRun = await db.getRun(matching.id);
+          if (detailedRun) {
+            await showRunLogs(detailedRun, db, !!options.verbose);
+            db.close();
+            return;
           }
         }
+
+        console.error(`✗ Run not found: ${runId}`);
+        db.close();
+        process.exit(1);
       }
 
+      await showRunLogs(run, db, !!options.verbose);
       db.close();
     } catch (error) {
       console.error('✗ Failed to show logs:', error instanceof Error ? error.message : error);
@@ -507,31 +500,97 @@ program
     }
   });
 
-// ===== keystone prune =====
-program
-  .command('prune')
-  .description('Delete old workflow runs from the database')
-  .option('--days <days>', 'Delete runs older than this many days', '7')
-  .action(async (options) => {
-    try {
-      const days = Number.parseInt(options.days, 10);
-      if (Number.isNaN(days) || days < 0) {
-        console.error('✗ Invalid days value. Must be a positive number.');
-        process.exit(1);
-      }
+async function showRunLogs(run: WorkflowRun, db: WorkflowDb, verbose: boolean) {
+  console.log(`\n🏛️  Run: ${run.workflow_name} (${run.id})`);
+  console.log(`   Status: ${run.status}`);
+  console.log(`   Started: ${new Date(run.started_at).toLocaleString()}`);
+  if (run.completed_at) {
+    console.log(`   Completed: ${new Date(run.completed_at).toLocaleString()}`);
+  }
 
-      const db = new WorkflowDb();
-      const deleted = await db.pruneRuns(days);
-      if (deleted > 0) {
-        await db.vacuum();
+  const steps = await db.getStepsByRun(run.id);
+  console.log(`\nSteps (${steps.length}):`);
+  console.log(''.padEnd(100, '-'));
+
+  for (const step of steps) {
+    const statusColor =
+      step.status === 'success' ? '\x1b[32m' : step.status === 'failed' ? '\x1b[31m' : '\x1b[33m';
+    const reset = '\x1b[0m';
+
+    let label = step.step_id;
+    if (step.iteration_index !== null) {
+      label += ` [${step.iteration_index}]`;
+    }
+
+    console.log(`${statusColor}${step.status.toUpperCase().padEnd(10)}${reset} ${label}`);
+
+    if (step.error) {
+      console.log(`           \x1b[31mError: ${step.error}\x1b[0m`);
+    }
+
+    if (verbose && step.output) {
+      try {
+        const output = JSON.parse(step.output);
+        console.log(
+          `           Output: ${JSON.stringify(output, null, 2).replace(/\n/g, '\n           ')}`
+        );
+      } catch {
+        console.log(`           Output: ${step.output}`);
       }
-      db.close();
+    }
+  }
 
-      console.log(`✓ Deleted ${deleted} workflow run(s) older than ${days} days`);
-    } catch (error) {
-      console.error('✗ Failed to prune runs:', error instanceof Error ? error.message : error);
-      process.exit(1);
+  if (run.outputs) {
+    console.log('\nFinal Outputs:');
+    try {
+      const parsed = JSON.parse(run.outputs);
+      console.log(JSON.stringify(parsed, null, 2));
+    } catch {
+      console.log(run.outputs);
     }
+  }
+
+  if (run.error) {
+    console.log(`\n\x1b[31mWorkflow Error:\x1b[0m ${run.error}`);
+  }
+}
+
+// ===== keystone prune / maintenance =====
+async function performMaintenance(days: number) {
+  try {
+    console.log(`🧹 Starting maintenance (pruning runs older than ${days} days)...`);
+    const db = new WorkflowDb();
+    const count = await db.pruneRuns(days);
+    console.log(`   ✓ Pruned ${count} old run(s)`);
+
+    console.log('   Vacuuming database (reclaiming space)...');
+    await db.vacuum();
+    console.log('   ✓ Vacuum complete');
+
+    db.close();
+    console.log('\n✨ Maintenance completed successfully!');
+  } catch (error) {
+    console.error('✗ Maintenance failed:', error instanceof Error ? error.message : error);
+    process.exit(1);
+  }
+}
+
+program
+  .command('prune')
+  .description('Delete old workflow runs from the database (alias for maintenance)')
+  .option('--days <number>', 'Days to keep', '30')
+  .action(async (options) => {
+    const days = Number.parseInt(options.days, 10);
+    await performMaintenance(days);
+  });
+
+program
+  .command('maintenance')
+  .description('Perform database maintenance (prune old runs and vacuum)')
+  .option('--days <days>', 'Delete runs older than this many days', '30')
+  .action(async (options) => {
+    const days = Number.parseInt(options.days, 10);
+    await performMaintenance(days);
   });
 
 // ===== keystone ui =====
@@ -591,14 +650,8 @@ mcp
     console.log('   You can still manually provide an OAuth token below if you have one.');
     console.log('\n2. Paste the access token below:\n');
 
-    const prompt = 'Access Token: ';
-    process.stdout.write(prompt);
-
-    let token = '';
-    for await (const line of console) {
-      token = line.trim();
-      break;
-    }
+    const { promptSecret } = await import('./utils/prompt.ts');
+    const token = await promptSecret('Access Token: ');
 
     if (token) {
       const auth = AuthManager.load();
@@ -859,10 +912,10 @@ program.command('_list-workflows', { hidden: true }).action(() => {
   }
 });
 
-program.command('_list-runs', { hidden: true }).action(() => {
+program.command('_list-runs', { hidden: true }).action(async () => {
   try {
     const db = new WorkflowDb();
-    const runs = db.listRuns(50);
+    const runs = await db.listRuns(50);
     for (const run of runs) {
       console.log(run.id);
     }
@@ -959,11 +1012,11 @@ __keystone_runs() {
       console.log(`_keystone_completion() {
   local cur prev opts
   COMPREPLY=()
-  cur="${COMP_WORDS[COMP_CWORD]}"
-  prev="${COMP_WORDS[COMP_CWORD - 1]}"
+  cur="\${COMP_WORDS[COMP_CWORD]}"
+  prev="\${COMP_WORDS[COMP_CWORD - 1]}"
   opts="init validate graph run resume workflows history logs prune ui mcp config auth completion"
 
-  case "${prev}" in
+  case "\${prev}" in
     run|graph)
       local workflows=$(keystone _list-workflows 2>/dev/null)
       COMPREPLY=( $(compgen -W "\${workflows}" -- \${cur}) )