@vm0/cli 9.107.0 → 9.107.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/cli",
-  "version": "9.107.0",
+  "version": "9.107.2",
   "description": "CLI application",
   "repository": {
     "type": "git",

package/zero.js

@@ -123,7 +123,7 @@ import {
   upsertZeroOrgModelProvider,
   withErrorHandler,
   zeroAgentCustomSkillNameSchema
-} from "./chunk-DCKQ3GVE.js";
+} from "./chunk-AJN5ZMHZ.js";
 
 // src/zero.ts
 init_esm_shims();
@@ -1288,7 +1288,7 @@ function getConnectorPermissionInfo(type, resolvedPolicies) {
   if (!isFirewallConnectorType(type)) {
     return {
       type,
-      hasFirewall: false,
+      hasPermissions: false,
       permissions: [],
       policies: null,
       allowed: 0,
@@ -1304,7 +1304,7 @@ function getConnectorPermissionInfo(type, resolvedPolicies) {
   const allowed = policies ? permissions.filter((p) => {
     return policies[p.name] === "allow";
   }).length : 0;
-  return { type, hasFirewall: true, permissions, policies, allowed, total };
+  return { type, hasPermissions: true, permissions, policies, allowed, total };
 }
 function formatConnectorIdentity(connector) {
   if (!connector) return "";
@@ -1315,7 +1315,7 @@ function formatConnectorIdentity(connector) {
 function formatConnectorSummary(info, identity) {
   const id = formatConnectorIdentity(identity);
   const idStr = id ? ` ${id}` : "";
-  if (!info.hasFirewall) return `${info.type}${idStr}`;
+  if (!info.hasPermissions) return `${info.type}${idStr}`;
   if (!info.policies) return `${info.type}${idStr} (full access)`;
   return `${info.type}${idStr} (${info.allowed}/${info.total} allowed)`;
 }
@@ -1363,7 +1363,7 @@ Examples:
       console.log();
       console.log(`Agent ID:     ${agent.agentId}`);
       const resolvedPolicies = resolveFirewallPolicies(
-        agent.firewallPolicies,
+        agent.permissionPolicies,
         connectorTypes
       );
       const connectorInfos = connectorTypes.map((type) => {
@@ -1387,7 +1387,7 @@ Examples:
         for (const info of connectorInfos) {
           const identity = formatDetailIdentity(identityMap.get(info.type));
           console.log(`  ${info.type.padEnd(14)}${identity}`);
-          if (!info.hasFirewall) continue;
+          if (!info.hasPermissions) continue;
           if (!info.policies) {
             console.log(
               source_default.dim("    full access \u2014 no permission rules configured")
@@ -2251,11 +2251,11 @@ ${rediagnoseHint}`
   })
 );
 
-// src/commands/zero/doctor/firewall-deny.ts
+// src/commands/zero/doctor/permission-deny.ts
 init_esm_shims();
-var firewallDenyCommand = new Command().name("firewall-deny").description(
-  "Diagnose a firewall denial and find the permission that covers it"
-).argument("<firewall-ref>", "The firewall connector type (e.g. github)").addOption(
+var permissionDenyCommand = new Command().name("permission-deny").description(
+  "Diagnose a permission denial and find the permission that covers it"
+).argument("<connector-ref>", "The connector type (e.g. github)").addOption(
   new Option(
     "--method <method>",
     "The denied HTTP method"
@@ -2266,42 +2266,54 @@ var firewallDenyCommand = new Command().name("firewall-deny").description(
   "after",
   `
 Examples:
-  zero doctor firewall-deny github --method GET --path /repos/owner/repo/pulls
-  zero doctor firewall-deny slack --method POST --path /chat.postMessage
+  zero doctor permission-deny github --method GET --path /repos/owner/repo/pulls
+  zero doctor permission-deny slack --method POST --path /chat.postMessage
 
 Notes:
   - Identifies which named permission covers a denied request
-  - Use firewall-permissions-change to request or enable the permission`
+  - Use permission-change to request or enable the permission`
 ).action(
   withErrorHandler(
-    async (firewallRef, opts) => {
-      if (!isFirewallConnectorType(firewallRef)) {
-        throw new Error(`Unknown firewall connector type: ${firewallRef}`);
+    async (connectorRef, opts) => {
+      if (!isFirewallConnectorType(connectorRef)) {
+        throw new Error(`Unknown connector type: ${connectorRef}`);
       }
-      const { label } = CONNECTOR_TYPES[firewallRef];
-      const config = getConnectorFirewall(firewallRef);
+      const { label } = CONNECTOR_TYPES[connectorRef];
+      const config = getConnectorFirewall(connectorRef);
       const permissions = findMatchingPermissions(
         opts.method,
         opts.path,
         config
       );
       console.log(
-        `The ${label} firewall blocked ${opts.method} ${opts.path}.`
+        `The ${label} permission filtered ${opts.method} ${opts.path}.`
       );
       if (permissions.length === 0) {
         console.log("No named permission was found covering this request.");
         return;
       }
-      const permission = permissions[0];
+      const ruleCount = /* @__PURE__ */ new Map();
+      for (const api of config.apis) {
+        if (!api.permissions) continue;
+        for (const perm of api.permissions) {
+          ruleCount.set(
+            perm.name,
+            (ruleCount.get(perm.name) ?? 0) + perm.rules.length
+          );
+        }
+      }
+      const permission = permissions.reduce((narrowest, current) => {
+        return (ruleCount.get(current) ?? Infinity) < (ruleCount.get(narrowest) ?? Infinity) ? current : narrowest;
+      });
       console.log(`This is covered by the "${permission}" permission.`);
       console.log(
-        `To request this permission, run: zero doctor firewall-permissions-change ${firewallRef} --permission ${permission} --enable --reason "why this is needed"`
+        `To request this permission, run: zero doctor permission-change ${connectorRef} --permission ${permission} --enable --reason "why this is needed"`
       );
     }
   )
 );
 
-// src/commands/zero/doctor/firewall-permissions-change.ts
+// src/commands/zero/doctor/permission-change.ts
 init_esm_shims();
 
 // src/commands/zero/doctor/resolve-role.ts
@@ -2332,7 +2344,7 @@ async function resolveAgentRole(agentId) {
   }
 }
 
-// src/commands/zero/doctor/firewall-permissions-change.ts
+// src/commands/zero/doctor/permission-change.ts
 function findPermissionInConfig(ref, permissionName) {
   if (!isFirewallConnectorType(ref)) return false;
   const config = getConnectorFirewall(ref);
@@ -2345,13 +2357,13 @@ function findPermissionInConfig(ref, permissionName) {
   return false;
 }
 var REASON_MAX_LENGTH = 500;
-async function outputPermissionChangeMessage(firewallRef, permission, action, reason) {
-  const { label } = CONNECTOR_TYPES[firewallRef];
+async function outputPermissionChangeMessage(connectorRef, permission, action, reason) {
+  const { label } = CONNECTOR_TYPES[connectorRef];
   const platformOrigin = await getPlatformOrigin();
   const agentId = process.env.ZERO_AGENT_ID;
   const role = agentId ? await resolveAgentRole(agentId) : "unknown";
   const urlParams = new URLSearchParams({
-    ref: firewallRef,
+    ref: connectorRef,
     permission,
     action: action === "enable" ? "allow" : "deny"
   });
@@ -2361,7 +2373,7 @@ async function outputPermissionChangeMessage(firewallRef, permission, action, re
   }
   const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
   const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
-  if (firewallRef === "slack" && permission === "chat:write" && action === "enable") {
+  if (connectorRef === "slack" && permission === "chat:write" && action === "enable") {
     console.log("");
     console.log(
       "IMPORTANT: Granting chat:write allows sending messages AS THE USER's identity, not as a bot."
@@ -2374,7 +2386,7 @@ async function outputPermissionChangeMessage(firewallRef, permission, action, re
     );
     console.log("");
   }
-  if (firewallRef === "gmail" && permission === "gmail.send" && action === "enable") {
+  if (connectorRef === "gmail" && permission === "gmail.send" && action === "enable") {
     console.log("");
     console.log(
       "IMPORTANT: Granting gmail.send allows the agent to send emails directly as the user."
@@ -2389,7 +2401,7 @@ async function outputPermissionChangeMessage(firewallRef, permission, action, re
   }
   if (role === "admin" || role === "owner") {
     console.log(
-      `You can ${action} the "${permission}" permission directly: [Manage ${label} firewall](${url})`
+      `You can ${action} the "${permission}" permission directly: [Manage ${label} permissions](${url})`
     );
   } else if (role === "member") {
     if (!reason) {
@@ -2402,16 +2414,16 @@ async function outputPermissionChangeMessage(firewallRef, permission, action, re
       );
     } else {
       console.log(
-        `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${label} firewall](${url})`
+        `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${label} permissions](${url})`
       );
     }
   } else {
     console.log(
-      `To ${action} the "${permission}" permission on the ${label} firewall: [Manage ${label} firewall](${url})`
+      `To ${action} the "${permission}" permission for ${label}: [Manage ${label} permissions](${url})`
     );
   }
 }
-var firewallPermissionsChangeCommand = new Command().name("firewall-permissions-change").description("Request a firewall permission change (enable or disable)").argument("<firewall-ref>", "The firewall connector type (e.g. github)").addOption(
+var permissionChangeCommand = new Command().name("permission-change").description("Request a permission change (enable or disable)").argument("<connector-ref>", "The connector type (e.g. github)").addOption(
   new Option(
     "--permission <name>",
     "The permission name to change"
@@ -2433,29 +2445,29 @@ var firewallPermissionsChangeCommand = new Command().name("firewall-permissions-
   "after",
   `
 Examples:
-  zero doctor firewall-permissions-change github --permission contents:read --enable
-  zero doctor firewall-permissions-change slack --permission chat:write --disable
+  zero doctor permission-change github --permission contents:read --enable
+  zero doctor permission-change slack --permission chat:write --disable
 
 Notes:
   - Outputs a platform URL for the user to adjust the permission
   - Admins can change permissions directly; members must request approval`
 ).action(
   withErrorHandler(
-    async (firewallRef, opts) => {
+    async (connectorRef, opts) => {
       if (!opts.enable && !opts.disable) {
         throw new Error("Either --enable or --disable is required");
       }
-      if (!isFirewallConnectorType(firewallRef)) {
-        throw new Error(`Unknown firewall connector type: ${firewallRef}`);
+      if (!isFirewallConnectorType(connectorRef)) {
+        throw new Error(`Unknown connector type: ${connectorRef}`);
       }
-      if (!findPermissionInConfig(firewallRef, opts.permission)) {
+      if (!findPermissionInConfig(connectorRef, opts.permission)) {
         throw new Error(
-          `Unknown permission "${opts.permission}" for ${firewallRef} firewall`
+          `Unknown permission "${opts.permission}" for ${connectorRef}`
         );
       }
       const action = opts.enable ? "enable" : "disable";
       await outputPermissionChangeMessage(
-        firewallRef,
+        connectorRef,
         opts.permission,
         action,
         opts.reason
@@ -2465,16 +2477,16 @@ Notes:
 );
 
 // src/commands/zero/doctor/index.ts
-var zeroDoctorCommand = new Command().name("doctor").description("Diagnose runtime issues (missing tokens, firewall denials)").addCommand(missingTokenCommand).addCommand(firewallDenyCommand).addCommand(firewallPermissionsChangeCommand).addHelpText(
+var zeroDoctorCommand = new Command().name("doctor").description("Diagnose runtime issues (missing tokens, permission denials)").addCommand(missingTokenCommand).addCommand(permissionDenyCommand).addCommand(permissionChangeCommand).addHelpText(
   "after",
   `
 Examples:
   Missing an API key?    zero doctor missing-token GITHUB_TOKEN
-  Firewall blocked?      zero doctor firewall-deny github --method GET --path /repos/owner/repo
-  Change a permission?   zero doctor firewall-permissions-change github --permission contents:read --enable
+  Permission denied?     zero doctor permission-deny github --method GET --path /repos/owner/repo
+  Change a permission?   zero doctor permission-change github --permission contents:read --enable
 
 Notes:
-  - Use this when your task fails due to a missing environment variable or firewall denial
+  - Use this when your task fails due to a missing environment variable or permission denial
   - The doctor will identify the issue and give the user a link to resolve it`
 );
 
@@ -3718,7 +3730,7 @@ Examples:
   With title and comment:  zero slack upload-file -f /tmp/data.csv -c C01234 --title "Daily Report" --comment "Here's the report"
 
 Notes:
-  - Uses the bot token (not user SLACK_TOKEN), so no files:write firewall permission is needed
+  - Uses the bot token (not user SLACK_TOKEN), so no files:write permission is needed
   - Returns file_id and permalink for reference`
 ).action(
   withErrorHandler(
@@ -3931,7 +3943,7 @@ async function showSandboxInfo(showPermissions) {
       const permissionDataAvailable = agentResult.status === "fulfilled" && enabledResult.status === "fulfilled";
       if (permissionDataAvailable) {
         resolvedPolicies = resolveFirewallPolicies(
-          agentResult.value.firewallPolicies,
+          agentResult.value.permissionPolicies,
           enabledResult.value
         );
       }
@@ -5789,7 +5801,7 @@ function registerZeroCommands(prog, commands) {
 var program = new Command();
 program.name("zero").description(
   "Zero CLI \u2014 interact with the zero platform from inside the sandbox"
-).version("9.107.0").addHelpText(
+).version("9.107.2").addHelpText(
   "after",
   `
 Examples: