@vm0/cli 9.102.10 → 9.103.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/cli",
-  "version": "9.102.10",
+  "version": "9.103.1",
   "description": "CLI application",
   "repository": {
     "type": "git",

package/zero.js

@@ -115,7 +115,7 @@ import {
   upsertZeroOrgModelProvider,
   withErrorHandler,
   zeroAgentCustomSkillNameSchema
-} from "./chunk-OCZK25RZ.js";
+} from "./chunk-LQZNYDKG.js";
 
 // src/zero.ts
 import { Command as Command77 } from "commander";
@@ -2246,8 +2246,7 @@ Notes:
       );
     }
     if (!hasPermission) {
-      const path = agentId ? `/team/${agentId}` : "/team";
-      const url = `${platformUrl.origin}${path}?tab=authorization`;
+      const url = agentId ? `${platformUrl.origin}/connectors/${connectorType}/authorize?agentId=${agentId}` : `${platformUrl.origin}/connectors`;
       issues.push(
         `The ${label} connector is not authorized for this agent. Ask the user to enable it at: [Authorize ${label}](${url})`
       );
@@ -2266,6 +2265,9 @@ Notes:
 );
 
 // src/commands/zero/doctor/firewall-deny.ts
+import { Command as Command37, Option as Option2 } from "commander";
+
+// src/commands/zero/doctor/firewall-permissions-change.ts
 import { Command as Command36, Option } from "commander";
 
 // src/commands/zero/doctor/resolve-role.ts
@@ -2295,92 +2297,7 @@ async function resolveAgentRole(agentId) {
   }
 }
 
-// src/commands/zero/doctor/firewall-deny.ts
-var firewallDenyCommand = new Command36().name("firewall-deny").description(
-  "Diagnose a firewall denial and find the permission that covers it"
-).argument("<firewall-ref>", "The firewall connector type (e.g. github)").addOption(
-  new Option(
-    "--method <method>",
-    "The denied HTTP method"
-  ).makeOptionMandatory()
-).addOption(
-  new Option("--path <path>", "The denied path").makeOptionMandatory()
-).addHelpText(
-  "after",
-  `
-Examples:
-  zero doctor firewall-deny github --method GET --path /repos/owner/repo/pulls
-  zero doctor firewall-deny slack --method POST --path /chat.postMessage
-
-Notes:
-  - Identifies which named permission covers a denied request
-  - Outputs a platform URL for the user to allow the permission`
-).action(
-  withErrorHandler(
-    async (firewallRef, opts) => {
-      if (!isFirewallConnectorType(firewallRef)) {
-        throw new Error(`Unknown firewall connector type: ${firewallRef}`);
-      }
-      const { label } = CONNECTOR_TYPES[firewallRef];
-      const config = getConnectorFirewall(firewallRef);
-      const permissions = findMatchingPermissions(
-        opts.method,
-        opts.path,
-        config
-      );
-      const platformOrigin = await getPlatformOrigin();
-      const agentId = process.env.ZERO_AGENT_ID;
-      const urlParams = new URLSearchParams({
-        ref: firewallRef,
-        method: opts.method,
-        path: opts.path
-      });
-      if (permissions.length > 0) {
-        urlParams.set("permission", permissions[0]);
-      }
-      const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
-      const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
-      console.log(
-        `The ${label} firewall blocked ${opts.method} ${opts.path}.`
-      );
-      if (permissions.length > 0) {
-        console.log(`This is covered by the "${permissions[0]}" permission.`);
-      } else {
-        console.log("No named permission was found covering this request.");
-      }
-      if (firewallRef === "slack" && permissions[0] === "chat:write") {
-        console.log("");
-        console.log(
-          "IMPORTANT: Granting chat:write allows sending messages AS THE USER's identity, not as a bot."
-        );
-        console.log(
-          "Use `zero slack message send -c <channel> -t <text>` to send messages as the bot instead \u2014 this is the recommended approach for most use cases."
-        );
-        console.log(
-          "Only request user approval below if acting as the user is specifically required."
-        );
-        console.log("");
-      }
-      const role = agentId ? await resolveAgentRole(agentId) : "unknown";
-      if (role === "admin" || role === "owner") {
-        console.log(
-          `You can allow this permission directly: [Manage ${label} firewall](${url})`
-        );
-      } else if (role === "member") {
-        console.log(
-          `This change requires admin approval. Request access at: [Request ${label} access](${url})`
-        );
-      } else {
-        console.log(
-          `Ask the user to allow it at: [Allow ${label} access](${url})`
-        );
-      }
-    }
-  )
-);
-
 // src/commands/zero/doctor/firewall-permissions-change.ts
-import { Command as Command37, Option as Option2 } from "commander";
 function findPermissionInConfig(ref, permissionName) {
   if (!isFirewallConnectorType(ref)) return false;
   const config = getConnectorFirewall(ref);
@@ -2392,17 +2309,62 @@ function findPermissionInConfig(ref, permissionName) {
   }
   return false;
 }
-var firewallPermissionsChangeCommand = new Command37().name("firewall-permissions-change").description("Request a firewall permission change (enable or disable)").argument("<firewall-ref>", "The firewall connector type (e.g. github)").addOption(
-  new Option2(
+async function outputPermissionChangeMessage(firewallRef, permission, action) {
+  const { label } = CONNECTOR_TYPES[firewallRef];
+  const platformOrigin = await getPlatformOrigin();
+  const agentId = process.env.ZERO_AGENT_ID;
+  const urlParams = new URLSearchParams({
+    ref: firewallRef,
+    permission,
+    action: action === "enable" ? "allow" : "deny"
+  });
+  const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
+  const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
+  if (firewallRef === "slack" && permission === "chat:write" && action === "enable") {
+    console.log("");
+    console.log(
+      "IMPORTANT: Granting chat:write allows sending messages AS THE USER's identity, not as a bot."
+    );
+    console.log(
+      "Use `zero slack message send -c <channel> -t <text>` to send messages as the bot instead \u2014 this is the recommended approach for most use cases."
+    );
+    console.log(
+      "Only request user approval below if acting as the user is specifically required."
+    );
+    console.log("");
+  }
+  const role = agentId ? await resolveAgentRole(agentId) : "unknown";
+  if (role === "admin" || role === "owner") {
+    console.log(
+      `You can ${action} the "${permission}" permission directly: [Manage ${label} firewall](${url})`
+    );
+  } else if (role === "member") {
+    if (action === "enable") {
+      console.log(
+        `Permission changes require admin approval. Request access at: [Request ${label} access](${url})`
+      );
+    } else {
+      console.log(
+        `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${label} firewall](${url})`
+      );
+    }
+  } else {
+    console.log(
+      `To ${action} the "${permission}" permission on the ${label} firewall: [Manage ${label} firewall](${url})`
+    );
+  }
+}
+var firewallPermissionsChangeCommand = new Command36().name("firewall-permissions-change").description("Request a firewall permission change (enable or disable)").argument("<firewall-ref>", "The firewall connector type (e.g. github)").addOption(
+  new Option(
     "--permission <name>",
     "The permission name to change"
   ).makeOptionMandatory()
 ).addOption(
-  new Option2("--enable", "Request to enable the permission").conflicts(
+  new Option("--enable", "Request to enable the permission").conflicts(
     "disable"
   )
 ).addOption(
-  new Option2("--disable", "Request to disable the permission").conflicts(
+  new Option("--disable", "Request to disable the permission").conflicts(
     "enable"
   )
 ).addHelpText(
@@ -2429,36 +2391,59 @@ Notes:
           `Unknown permission "${opts.permission}" for ${firewallRef} firewall`
         );
       }
-      const { label } = CONNECTOR_TYPES[firewallRef];
       const action = opts.enable ? "enable" : "disable";
-      const platformOrigin = await getPlatformOrigin();
-      const agentId = process.env.ZERO_AGENT_ID;
-      const urlParams = new URLSearchParams({
-        ref: firewallRef,
-        permission: opts.permission
-      });
-      const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
-      const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
-      const role = agentId ? await resolveAgentRole(agentId) : "unknown";
-      if (role === "admin" || role === "owner") {
-        console.log(
-          `You can ${action} the "${opts.permission}" permission directly: [Manage ${label} firewall](${url})`
-        );
-      } else if (role === "member") {
-        if (action === "enable") {
-          console.log(
-            `Permission changes require admin approval. Request access at: [Request ${label} access](${url})`
-          );
-        } else {
-          console.log(
-            `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${label} firewall](${url})`
-          );
-        }
-      } else {
-        console.log(
-          `To ${action} the "${opts.permission}" permission on the ${label} firewall: [Manage ${label} firewall](${url})`
-        );
+      await outputPermissionChangeMessage(
+        firewallRef,
+        opts.permission,
+        action
+      );
+    }
+  )
+);
+
+// src/commands/zero/doctor/firewall-deny.ts
+var firewallDenyCommand = new Command37().name("firewall-deny").description(
+  "Diagnose a firewall denial and find the permission that covers it"
+).argument("<firewall-ref>", "The firewall connector type (e.g. github)").addOption(
+  new Option2(
+    "--method <method>",
+    "The denied HTTP method"
+  ).makeOptionMandatory()
+).addOption(
+  new Option2("--path <path>", "The denied path").makeOptionMandatory()
+).addHelpText(
+  "after",
+  `
+Examples:
+  zero doctor firewall-deny github --method GET --path /repos/owner/repo/pulls
+  zero doctor firewall-deny slack --method POST --path /chat.postMessage
+
+Notes:
+  - Identifies which named permission covers a denied request
+  - Outputs a platform URL for the user to allow the permission`
+).action(
+  withErrorHandler(
+    async (firewallRef, opts) => {
+      if (!isFirewallConnectorType(firewallRef)) {
+        throw new Error(`Unknown firewall connector type: ${firewallRef}`);
+      }
+      const { label } = CONNECTOR_TYPES[firewallRef];
+      const config = getConnectorFirewall(firewallRef);
+      const permissions = findMatchingPermissions(
+        opts.method,
+        opts.path,
+        config
+      );
+      console.log(
+        `The ${label} firewall blocked ${opts.method} ${opts.path}.`
+      );
+      if (permissions.length === 0) {
+        console.log("No named permission was found covering this request.");
+        return;
       }
+      const permission = permissions[0];
+      console.log(`This is covered by the "${permission}" permission.`);
+      await outputPermissionChangeMessage(firewallRef, permission, "enable");
     }
   )
 );
@@ -5753,7 +5738,7 @@ function registerZeroCommands(prog, commands) {
 var program = new Command77();
 program.name("zero").description(
   "Zero CLI \u2014 interact with the zero platform from inside the sandbox"
-).version("9.102.10").addHelpText(
+).version("9.103.1").addHelpText(
   "after",
   `
 Examples: