@vm0/cli 9.111.0 → 9.111.2

package/{chunk-QX23MVVI.js → chunk-EZQQVFEQ.js}

@@ -4546,8 +4546,8 @@ var require_util = __commonJS({
     function isUSVString(val) {
       return hasIsWellFormed ? `${val}`.isWellFormed() : toUSVString(val) === `${val}`;
     }
-    function isTokenCharCode(c46) {
-      switch (c46) {
+    function isTokenCharCode(c45) {
+      switch (c45) {
         case 34:
         case 40:
         case 41:
@@ -4567,7 +4567,7 @@ var require_util = __commonJS({
         case 125:
           return false;
         default:
-          return c46 >= 33 && c46 <= 126;
+          return c45 >= 33 && c45 <= 126;
       }
     }
     function isValidHTTPToken(characters) {
@@ -6156,7 +6156,7 @@ var require_constants2 = __commonJS({
         exports.HEADER_CHARS.push(i);
       }
     }
-    exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS.filter((c46) => c46 !== 44);
+    exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS.filter((c45) => c45 !== 44);
     exports.MAJOR = exports.NUM_MAP;
     exports.MINOR = exports.MAJOR;
     var HEADER_STATE;
@@ -7302,10 +7302,10 @@ var require_util2 = __commonJS({
     }
     function isValidReasonPhrase(statusText) {
       for (let i = 0; i < statusText.length; ++i) {
-        const c46 = statusText.charCodeAt(i);
-        if (!(c46 === 9 || // HTAB
-        c46 >= 32 && c46 <= 126 || // SP / VCHAR
-        c46 >= 128 && c46 <= 255)) {
+        const c45 = statusText.charCodeAt(i);
+        if (!(c45 === 9 || // HTAB
+        c45 >= 32 && c45 <= 126 || // SP / VCHAR
+        c45 >= 128 && c45 <= 255)) {
           return false;
         }
       }
@@ -11279,7 +11279,7 @@ var require_pool_base = __commonJS({
             pool.emit("drain", origin, [pool, ...targets]);
           }
           if (pool[kClosedResolve] && queue.isEmpty()) {
-            Promise.all(pool[kClients].map((c46) => c46.close())).then(pool[kClosedResolve]);
+            Promise.all(pool[kClients].map((c45) => c45.close())).then(pool[kClosedResolve]);
           }
         };
         this[kOnConnect] = (origin, targets) => {
@@ -11328,7 +11328,7 @@ var require_pool_base = __commonJS({
       }
       async [kClose]() {
         if (this[kQueue].isEmpty()) {
-          await Promise.all(this[kClients].map((c46) => c46.close()));
+          await Promise.all(this[kClients].map((c45) => c45.close()));
         } else {
           await new Promise((resolve) => {
             this[kClosedResolve] = resolve;
@@ -11343,7 +11343,7 @@ var require_pool_base = __commonJS({
           }
           item.handler.onError(err);
         }
-        await Promise.all(this[kClients].map((c46) => c46.destroy(err)));
+        await Promise.all(this[kClients].map((c45) => c45.destroy(err)));
       }
       [kDispatch](opts, handler) {
         const dispatcher = this[kGetDispatcher]();
@@ -18113,8 +18113,8 @@ var require_util4 = __commonJS({
       return new TextDecoder(encoding).decode(sliced);
     }
     function BOMSniffing(ioQueue) {
-      const [a, b, c46] = ioQueue;
-      if (a === 239 && b === 187 && c46 === 191) {
+      const [a, b, c45] = ioQueue;
+      if (a === 239 && b === 187 && c45 === 191) {
         return "UTF-8";
       } else if (a === 254 && b === 255) {
         return "UTF-16BE";
@@ -22593,9 +22593,9 @@ var require_Alias = __commonJS({
       } else if (identity.isCollection(node)) {
         let count = 0;
         for (const item of node.items) {
-          const c46 = getAliasCount(doc, item, anchors2);
-          if (c46 > count)
-            count = c46;
+          const c45 = getAliasCount(doc, item, anchors2);
+          if (c45 > count)
+            count = c45;
         }
         return count;
       } else if (identity.isPair(node)) {
@@ -29611,7 +29611,7 @@ var require_style = __commonJS({
   "../../node_modules/.pnpm/prompts@2.4.2/node_modules/prompts/dist/util/style.js"(exports, module) {
     "use strict";
     init_esm_shims();
-    var c46 = require_kleur();
+    var c45 = require_kleur();
     var figures = require_figures();
     var styles3 = Object.freeze({
       password: {
@@ -29633,14 +29633,14 @@ var require_style = __commonJS({
     });
     var render = (type) => styles3[type] || styles3.default;
     var symbols = Object.freeze({
-      aborted: c46.red(figures.cross),
-      done: c46.green(figures.tick),
-      exited: c46.yellow(figures.cross),
-      default: c46.cyan("?")
+      aborted: c45.red(figures.cross),
+      done: c45.green(figures.tick),
+      exited: c45.yellow(figures.cross),
+      default: c45.cyan("?")
     });
     var symbol2 = (done, aborted2, exited) => aborted2 ? symbols.aborted : exited ? symbols.exited : done ? symbols.done : symbols.default;
-    var delimiter = (completing) => c46.gray(completing ? figures.ellipsis : figures.pointerSmall);
-    var item = (expandable, expanded) => c46.gray(expandable ? expanded ? figures.pointerSmall : "+" : figures.line);
+    var delimiter = (completing) => c45.gray(completing ? figures.ellipsis : figures.pointerSmall);
+    var item = (expandable, expanded) => c45.gray(expandable ? expanded ? figures.pointerSmall : "+" : figures.line);
     module.exports = {
       styles: styles3,
       render,
@@ -29922,10 +29922,10 @@ var require_text = __commonJS({
         this.cursor = this.cursor + n;
         this.cursorOffset += n;
       }
-      _(c46, key) {
+      _(c45, key) {
         let s1 = this.value.slice(0, this.cursor);
         let s2 = this.value.slice(this.cursor);
-        this.value = `${s1}${c46}${s2}`;
+        this.value = `${s1}${c45}${s2}`;
         this.red = false;
         this.cursor = this.placeholder ? 0 : s1.length + 1;
         this.render();
@@ -30100,8 +30100,8 @@ var require_select = __commonJS({
         this.moveCursor((this.cursor + 1) % this.choices.length);
         this.render();
       }
-      _(c46, key) {
-        if (c46 === " ") return this.submit();
+      _(c45, key) {
+        if (c45 === " ") return this.submit();
       }
       get selection() {
         return this.choices[this.cursor];
@@ -30227,12 +30227,12 @@ var require_toggle = __commonJS({
         this.fire();
         this.render();
       }
-      _(c46, key) {
-        if (c46 === " ") {
+      _(c45, key) {
+        if (c45 === " ") {
           this.value = !this.value;
-        } else if (c46 === "1") {
+        } else if (c45 === "1") {
           this.value = true;
-        } else if (c46 === "0") {
+        } else if (c45 === "0") {
           this.value = false;
         } else return this.bell();
         this.render();
@@ -30740,9 +30740,9 @@ var require_date = __commonJS({
         this.moveCursor(next ? this.parts.indexOf(next) : this.parts.findIndex((part) => part instanceof DatePart));
         this.render();
       }
-      _(c46) {
-        if (/\d/.test(c46)) {
-          this.typed += c46;
+      _(c45) {
+        if (/\d/.test(c45)) {
+          this.typed += c45;
           this.parts[this.cursor].setTo(this.typed);
           this.render();
         }
@@ -30851,8 +30851,8 @@ var require_number = __commonJS({
       parse(x) {
         return this.float ? parseFloat(x) : parseInt(x);
       }
-      valid(c46) {
-        return c46 === `-` || c46 === `.` && this.float || isNumber.test(c46);
+      valid(c45) {
+        return c45 === `-` || c45 === `.` && this.float || isNumber.test(c45);
       }
       reset() {
         this.typed = ``;
@@ -30945,14 +30945,14 @@ var require_number = __commonJS({
         this.fire();
         this.render();
       }
-      _(c46, key) {
-        if (!this.valid(c46)) return this.bell();
+      _(c45, key) {
+        if (!this.valid(c45)) return this.bell();
         const now = Date.now();
         if (now - this.lastHit > 1e3) this.typed = ``;
-        this.typed += c46;
+        this.typed += c45;
         this.lastHit = now;
         this.color = `cyan`;
-        if (c46 === `.`) return this.fire();
+        if (c45 === `.`) return this.fire();
         this.value = Math.min(this.parse(this.typed), this.max);
         if (this.value > this.max) this.value = this.max;
         if (this.value < this.min) this.value = this.min;
@@ -31116,10 +31116,10 @@ var require_multiselect = __commonJS({
         this.value.filter((v) => !v.disabled).forEach((v) => v.selected = newSelected);
         this.render();
       }
-      _(c46, key) {
-        if (c46 === " ") {
+      _(c45, key) {
+        if (c45 === " ") {
           this.handleSpaceToggle();
-        } else if (c46 === "a") {
+        } else if (c45 === "a") {
           this.toggleAll();
         } else {
           return this.bell();
@@ -31360,10 +31360,10 @@ var require_autocomplete = __commonJS({
         this.out.write("\n");
         this.close();
       }
-      _(c46, key) {
+      _(c45, key) {
         let s1 = this.input.slice(0, this.cursor);
         let s2 = this.input.slice(this.cursor);
-        this.input = `${s1}${c46}${s2}`;
+        this.input = `${s1}${c45}${s2}`;
         this.cursor = s1.length + 1;
         this.complete(this.render);
         this.render();
@@ -31563,15 +31563,15 @@ var require_autocompleteMultiselect = __commonJS({
           this.render();
         }
       }
-      handleInputChange(c46) {
-        this.inputValue = this.inputValue + c46;
+      handleInputChange(c45) {
+        this.inputValue = this.inputValue + c45;
         this.updateFilteredOptions();
       }
-      _(c46, key) {
-        if (c46 === " ") {
+      _(c45, key) {
+        if (c45 === " ") {
           this.handleSpaceToggle();
         } else {
-          this.handleInputChange(c46);
+          this.handleInputChange(c45);
         }
       }
       renderInstructions() {
@@ -31677,12 +31677,12 @@ var require_confirm = __commonJS({
         this.out.write("\n");
         this.close();
       }
-      _(c46, key) {
-        if (c46.toLowerCase() === "y") {
+      _(c45, key) {
+        if (c45.toLowerCase() === "y") {
           this.value = true;
           return this.submit();
         }
-        if (c46.toLowerCase() === "n") {
+        if (c45.toLowerCase() === "n") {
           this.value = false;
           return this.submit();
         }
@@ -32123,7 +32123,7 @@ var require_style2 = __commonJS({
   "../../node_modules/.pnpm/prompts@2.4.2/node_modules/prompts/lib/util/style.js"(exports, module) {
     "use strict";
     init_esm_shims();
-    var c46 = require_kleur();
+    var c45 = require_kleur();
     var figures = require_figures2();
     var styles3 = Object.freeze({
       password: { scale: 1, render: (input) => "*".repeat(input.length) },
@@ -32133,14 +32133,14 @@ var require_style2 = __commonJS({
     });
     var render = (type) => styles3[type] || styles3.default;
     var symbols = Object.freeze({
-      aborted: c46.red(figures.cross),
-      done: c46.green(figures.tick),
-      exited: c46.yellow(figures.cross),
-      default: c46.cyan("?")
+      aborted: c45.red(figures.cross),
+      done: c45.green(figures.tick),
+      exited: c45.yellow(figures.cross),
+      default: c45.cyan("?")
     });
     var symbol2 = (done, aborted2, exited) => aborted2 ? symbols.aborted : exited ? symbols.exited : done ? symbols.done : symbols.default;
-    var delimiter = (completing) => c46.gray(completing ? figures.ellipsis : figures.pointerSmall);
-    var item = (expandable, expanded) => c46.gray(expandable ? expanded ? figures.pointerSmall : "+" : figures.line);
+    var delimiter = (completing) => c45.gray(completing ? figures.ellipsis : figures.pointerSmall);
+    var item = (expandable, expanded) => c45.gray(expandable ? expanded ? figures.pointerSmall : "+" : figures.line);
     module.exports = {
       styles: styles3,
       render,
@@ -32373,10 +32373,10 @@ var require_text2 = __commonJS({
         this.cursor = this.cursor + n;
         this.cursorOffset += n;
       }
-      _(c46, key) {
+      _(c45, key) {
         let s1 = this.value.slice(0, this.cursor);
         let s2 = this.value.slice(this.cursor);
-        this.value = `${s1}${c46}${s2}`;
+        this.value = `${s1}${c45}${s2}`;
         this.red = false;
         this.cursor = this.placeholder ? 0 : s1.length + 1;
         this.render();
@@ -32550,8 +32550,8 @@ var require_select2 = __commonJS({
         this.moveCursor((this.cursor + 1) % this.choices.length);
         this.render();
       }
-      _(c46, key) {
-        if (c46 === " ") return this.submit();
+      _(c45, key) {
+        if (c45 === " ") return this.submit();
       }
       get selection() {
         return this.choices[this.cursor];
@@ -32675,12 +32675,12 @@ var require_toggle2 = __commonJS({
         this.fire();
         this.render();
       }
-      _(c46, key) {
-        if (c46 === " ") {
+      _(c45, key) {
+        if (c45 === " ") {
           this.value = !this.value;
-        } else if (c46 === "1") {
+        } else if (c45 === "1") {
           this.value = true;
-        } else if (c46 === "0") {
+        } else if (c45 === "0") {
           this.value = false;
         } else return this.bell();
         this.render();
@@ -33136,9 +33136,9 @@ var require_date2 = __commonJS({
         this.moveCursor(next ? this.parts.indexOf(next) : this.parts.findIndex((part) => part instanceof DatePart));
         this.render();
       }
-      _(c46) {
-        if (/\d/.test(c46)) {
-          this.typed += c46;
+      _(c45) {
+        if (/\d/.test(c45)) {
+          this.typed += c45;
           this.parts[this.cursor].setTo(this.typed);
           this.render();
         }
@@ -33220,8 +33220,8 @@ var require_number2 = __commonJS({
       parse(x) {
         return this.float ? parseFloat(x) : parseInt(x);
       }
-      valid(c46) {
-        return c46 === `-` || c46 === `.` && this.float || isNumber.test(c46);
+      valid(c45) {
+        return c45 === `-` || c45 === `.` && this.float || isNumber.test(c45);
       }
       reset() {
         this.typed = ``;
@@ -33308,14 +33308,14 @@ var require_number2 = __commonJS({
         this.fire();
         this.render();
       }
-      _(c46, key) {
-        if (!this.valid(c46)) return this.bell();
+      _(c45, key) {
+        if (!this.valid(c45)) return this.bell();
         const now = Date.now();
         if (now - this.lastHit > 1e3) this.typed = ``;
-        this.typed += c46;
+        this.typed += c45;
         this.lastHit = now;
         this.color = `cyan`;
-        if (c46 === `.`) return this.fire();
+        if (c45 === `.`) return this.fire();
         this.value = Math.min(this.parse(this.typed), this.max);
         if (this.value > this.max) this.value = this.max;
         if (this.value < this.min) this.value = this.min;
@@ -33477,10 +33477,10 @@ var require_multiselect2 = __commonJS({
         this.value.filter((v) => !v.disabled).forEach((v) => v.selected = newSelected);
         this.render();
       }
-      _(c46, key) {
-        if (c46 === " ") {
+      _(c45, key) {
+        if (c45 === " ") {
           this.handleSpaceToggle();
-        } else if (c46 === "a") {
+        } else if (c45 === "a") {
           this.toggleAll();
         } else {
           return this.bell();
@@ -33677,10 +33677,10 @@ var require_autocomplete2 = __commonJS({
         this.out.write("\n");
         this.close();
       }
-      _(c46, key) {
+      _(c45, key) {
         let s1 = this.input.slice(0, this.cursor);
         let s2 = this.input.slice(this.cursor);
-        this.input = `${s1}${c46}${s2}`;
+        this.input = `${s1}${c45}${s2}`;
         this.cursor = s1.length + 1;
         this.complete(this.render);
         this.render();
@@ -33883,15 +33883,15 @@ var require_autocompleteMultiselect2 = __commonJS({
           this.render();
         }
       }
-      handleInputChange(c46) {
-        this.inputValue = this.inputValue + c46;
+      handleInputChange(c45) {
+        this.inputValue = this.inputValue + c45;
         this.updateFilteredOptions();
       }
-      _(c46, key) {
-        if (c46 === " ") {
+      _(c45, key) {
+        if (c45 === " ") {
           this.handleSpaceToggle();
         } else {
-          this.handleInputChange(c46);
+          this.handleInputChange(c45);
         }
       }
       renderInstructions() {
@@ -33998,12 +33998,12 @@ var require_confirm2 = __commonJS({
         this.out.write("\n");
         this.close();
       }
-      _(c46, key) {
-        if (c46.toLowerCase() === "y") {
+      _(c45, key) {
+        if (c45.toLowerCase() === "y") {
           this.value = true;
           return this.submit();
         }
-        if (c46.toLowerCase() === "n") {
+        if (c45.toLowerCase() === "n") {
           this.value = false;
           return this.submit();
         }
@@ -34652,7 +34652,7 @@ if (DSN) {
   Sentry.init({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.111.0",
+    release: "9.111.2",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -34671,7 +34671,7 @@ if (DSN) {
     }
   });
   Sentry.setContext("cli", {
-    version: "9.111.0",
+    version: "9.111.2",
     command: process.argv.slice(2).join(" ")
   });
   Sentry.setContext("runtime", {
@@ -39800,7 +39800,7 @@ var $ZodBase64 = /* @__PURE__ */ $constructor("$ZodBase64", (inst, def) => {
 function isValidBase64URL(data) {
   if (!base64url.test(data))
     return false;
-  const base643 = data.replace(/[-_]/g, (c46) => c46 === "-" ? "+" : "/");
+  const base643 = data.replace(/[-_]/g, (c45) => c45 === "-" ? "+" : "/");
   const padded = base643.padEnd(Math.ceil(base643.length / 4) * 4, "=");
   return isValidBase64(padded);
 }
@@ -49911,9 +49911,9 @@ var ZodDate = /* @__PURE__ */ $constructor("ZodDate", (inst, def) => {
   inst._zod.processJSONSchema = (ctx, json2, params) => dateProcessor(inst, ctx, json2, params);
   inst.min = (value, params) => inst.check(_gte(value, params));
   inst.max = (value, params) => inst.check(_lte(value, params));
-  const c46 = inst._zod.bag;
-  inst.minDate = c46.minimum ? new Date(c46.minimum) : null;
-  inst.maxDate = c46.maximum ? new Date(c46.maximum) : null;
+  const c45 = inst._zod.bag;
+  inst.minDate = c45.minimum ? new Date(c45.minimum) : null;
+  inst.maxDate = c45.maximum ? new Date(c45.maximum) : null;
 });
 function date3(params) {
   return _date(ZodDate, params);
@@ -53351,6 +53351,27 @@ var CONNECTOR_TYPES_DEF = {
     },
     defaultAuthMethod: "api-token"
   },
+  plain: {
+    label: "Plain",
+    environmentMapping: {
+      PLAIN_TOKEN: "$secrets.PLAIN_TOKEN"
+    },
+    helpText: "Connect your Plain account to manage customer support threads, customers, and labels via Plain's GraphQL API",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        helpText: "1. Log in to [Plain](https://app.plain.com)\n2. Go to **Settings \u2192 Machine Users**\n3. Click **New machine user** and generate an API key\n4. Copy the API key",
+        secrets: {
+          PLAIN_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "plainApiKey__..."
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
   plausible: {
     label: "Plausible",
     environmentMapping: {
@@ -59464,6 +59485,27 @@ var perplexityFirewall = {
   ]
 };
 
+// ../../packages/core/src/firewalls/plain.generated.ts
+init_esm_shims();
+var plainFirewall = {
+  name: "plain",
+  description: "Plain",
+  placeholders: {
+    PLAIN_TOKEN: "plainApiKey__CoffeeSafeLocalCoffeeSafeLocalCoffeeSafeLo"
+  },
+  apis: [
+    {
+      base: "https://core-api.uk.plain.com",
+      auth: {
+        headers: {
+          Authorization: "Bearer ${{ secrets.PLAIN_TOKEN }}"
+        }
+      },
+      permissions: []
+    }
+  ]
+};
+
 // ../../packages/core/src/firewalls/plausible.generated.ts
 init_esm_shims();
 var plausibleFirewall = {
@@ -63545,6 +63587,7 @@ var CONNECTOR_FIREWALLS = {
   pdfco: pdfcoFirewall,
   pdforge: pdforgeFirewall,
   perplexity: perplexityFirewall,
+  plain: plainFirewall,
   plausible: plausibleFirewall,
   podchaser: podchaserFirewall,
   posthog: posthogFirewall,
@@ -63633,27 +63676,31 @@ var DEFAULT_ALLOWED = {
 };
 function getDefaultFirewallPolicies(type) {
   const allowed = DEFAULT_ALLOWED[type];
-  if (!allowed) return null;
-  const allowSet = new Set(allowed);
+  const allowSet = allowed ? new Set(allowed) : null;
   const config2 = getConnectorFirewall(type);
-  const result = {};
+  const policies = {};
   for (const api of config2.apis) {
     if (api.permissions) {
       for (const p of api.permissions) {
-        result[p.name] = allowSet.has(p.name) ? "allow" : "deny";
+        policies[p.name] = !allowSet || allowSet.has(p.name) ? "allow" : "deny";
       }
     }
   }
-  return result;
+  return { policies, unknownPolicy: "allow" };
 }
 function resolveFirewallPolicies(stored, connectors) {
   let resolved = stored;
   for (const connector of connectors) {
     if (!isFirewallConnectorType(connector)) continue;
-    if (resolved?.[connector]) continue;
     const defaults = getDefaultFirewallPolicies(connector);
-    if (!defaults) continue;
-    resolved = { ...resolved, [connector]: defaults };
+    const existing = resolved?.[connector];
+    resolved = {
+      ...resolved,
+      [connector]: {
+        policies: { ...defaults.policies, ...existing?.policies },
+        ...existing?.unknownPolicy !== void 0 ? { unknownPolicy: existing.unknownPolicy } : { unknownPolicy: defaults.unknownPolicy }
+      }
+    };
   }
   return resolved;
 }
@@ -68208,10 +68255,21 @@ var firewallConfigSchema = external_exports.object({
   placeholders: external_exports.record(external_exports.string(), external_exports.string()).optional()
 });
 var firewallPolicyValueSchema = external_exports.enum(["allow", "deny", "ask"]);
+var firewallPolicySchema = external_exports.object({
+  policies: external_exports.record(external_exports.string(), firewallPolicyValueSchema),
+  unknownPolicy: firewallPolicyValueSchema.optional()
+});
 var firewallPoliciesSchema = external_exports.record(
   external_exports.string(),
-  external_exports.record(external_exports.string(), firewallPolicyValueSchema)
+  firewallPolicySchema
 );
+var networkPolicySchema = external_exports.object({
+  allow: external_exports.array(external_exports.string()),
+  deny: external_exports.array(external_exports.string()),
+  ask: external_exports.array(external_exports.string()),
+  unknownPolicy: firewallPolicyValueSchema
+});
+var networkPoliciesSchema = external_exports.record(external_exports.string(), networkPolicySchema);
 var BASE_URL_VARS_PATTERN = /\$\{\{\s*vars\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/;
 var BASE_URL_VARS_PATTERN_G = new RegExp(BASE_URL_VARS_PATTERN.source, "g");
 
@@ -70556,8 +70614,10 @@ var storedExecutionContextSchema = external_exports.object({
   userTimezone: external_exports.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
   memoryName: external_exports.string().optional(),
-  // Firewall for proxy-side token replacement
+  // Firewall for proxy-side token replacement (complete config, all permissions)
   firewalls: firewallsSchema.optional(),
+  // Per-firewall network policies: which permissions are granted + unknownPolicy
+  networkPolicies: networkPoliciesSchema.optional(),
   // Tools to disable in Claude CLI (passed as --disallowed-tools)
   disallowedTools: external_exports.array(external_exports.string()).optional(),
   // Tools to make available in Claude CLI (passed as --tools)
@@ -70596,8 +70656,10 @@ var executionContextSchema = external_exports.object({
   userTimezone: external_exports.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
   memoryName: external_exports.string().optional(),
-  // Firewall for proxy-side token replacement
+  // Firewall for proxy-side token replacement (complete config, all permissions)
   firewalls: firewallsSchema.optional(),
+  // Per-firewall network policies: which permissions are granted + unknownPolicy
+  networkPolicies: networkPoliciesSchema.optional(),
   // Tools to disable in Claude CLI (passed as --disallowed-tools)
   disallowedTools: external_exports.array(external_exports.string()).optional(),
   // Tools to make available in Claude CLI (passed as --tools)
@@ -72063,6 +72125,7 @@ var runContextResponseSchema = external_exports.object({
   vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
   environment: external_exports.record(external_exports.string(), external_exports.string()),
   firewalls: external_exports.array(runContextFirewallSchema),
+  networkPolicies: networkPoliciesSchema.nullable().optional(),
   volumes: external_exports.array(runContextVolumeSchema),
   artifact: runContextArtifactSchema.nullable(),
   memory: runContextArtifactSchema.nullable()
@@ -73006,70 +73069,9 @@ var zeroMemberCreditCapContract = c38.router({
   }
 });
 
-// ../../packages/core/src/contracts/zero-ask-user.ts
-init_esm_shims();
-var c39 = initContract();
-var askUserQuestionItemSchema = external_exports.object({
-  question: external_exports.string().min(1),
-  header: external_exports.string().max(12).optional(),
-  options: external_exports.array(
-    external_exports.object({
-      label: external_exports.string(),
-      description: external_exports.string().optional()
-    })
-  ).min(1),
-  multiSelect: external_exports.boolean().optional()
-});
-var askUserQuestionBodySchema = external_exports.object({
-  questions: external_exports.array(askUserQuestionItemSchema).min(1)
-});
-var askUserQuestionResponseSchema = external_exports.object({
-  pendingId: external_exports.string().uuid()
-});
-var askUserAnswerStatusSchema = external_exports.enum([
-  "pending",
-  "answered",
-  "expired"
-]);
-var askUserAnswerResponseSchema = external_exports.object({
-  status: askUserAnswerStatusSchema,
-  answer: external_exports.string().optional()
-});
-var zeroAskUserQuestionContract = c39.router({
-  postQuestion: {
-    method: "POST",
-    path: "/api/zero/ask-user/question",
-    headers: authHeadersSchema,
-    body: askUserQuestionBodySchema,
-    responses: {
-      200: askUserQuestionResponseSchema,
-      400: apiErrorSchema,
-      401: apiErrorSchema
-    },
-    summary: "Submit a question for the user and receive a pending ID for polling"
-  }
-});
-var zeroAskUserAnswerContract = c39.router({
-  getAnswer: {
-    method: "GET",
-    path: "/api/zero/ask-user/answer",
-    headers: authHeadersSchema,
-    query: external_exports.object({
-      pendingId: external_exports.string().uuid()
-    }),
-    responses: {
-      200: askUserAnswerResponseSchema,
-      401: apiErrorSchema,
-      403: apiErrorSchema,
-      404: apiErrorSchema
-    },
-    summary: "Poll for the user's answer to a pending question"
-  }
-});
-
 // ../../packages/core/src/contracts/zero-developer-support.ts
 init_esm_shims();
-var c40 = initContract();
+var c39 = initContract();
 var developerSupportBodySchema = external_exports.object({
   title: external_exports.string().min(1, "Title is required"),
   description: external_exports.string().min(1, "Description is required"),
@@ -73081,7 +73083,7 @@ var consentCodeResponseSchema = external_exports.object({
 var submitResponseSchema = external_exports.object({
   reference: external_exports.string()
 });
-var zeroDeveloperSupportContract = c40.router({
+var zeroDeveloperSupportContract = c39.router({
   submit: {
     method: "POST",
     path: "/api/zero/developer-support",
@@ -73099,7 +73101,7 @@ var zeroDeveloperSupportContract = c40.router({
 
 // ../../packages/core/src/contracts/zero-report-error.ts
 init_esm_shims();
-var c41 = initContract();
+var c40 = initContract();
 var reportErrorBodySchema = external_exports.object({
   runId: external_exports.string().min(1, "Run ID is required"),
   title: external_exports.string().min(1, "Title is required"),
@@ -73108,7 +73110,7 @@ var reportErrorBodySchema = external_exports.object({
 var reportErrorResponseSchema = external_exports.object({
   reference: external_exports.string()
 });
-var zeroReportErrorContract = c41.router({
+var zeroReportErrorContract = c40.router({
   submit: {
     method: "POST",
     path: "/api/zero/report-error",
@@ -73126,7 +73128,7 @@ var zeroReportErrorContract = c41.router({
 
 // ../../packages/core/src/contracts/zero-computer-use.ts
 init_esm_shims();
-var c42 = initContract();
+var c41 = initContract();
 var registerResponseSchema = external_exports.object({
   id: external_exports.string(),
   domain: external_exports.string(),
@@ -73138,12 +73140,12 @@ var hostResponseSchema = external_exports.object({
   domain: external_exports.string(),
   token: external_exports.string()
 });
-var zeroComputerUseRegisterContract = c42.router({
+var zeroComputerUseRegisterContract = c41.router({
   register: {
     method: "POST",
     path: "/api/zero/computer-use/register",
     headers: authHeadersSchema,
-    body: c42.noBody(),
+    body: c41.noBody(),
     responses: {
       200: registerResponseSchema,
       401: apiErrorSchema,
@@ -73153,14 +73155,14 @@ var zeroComputerUseRegisterContract = c42.router({
     summary: "Register a computer-use host"
   }
 });
-var zeroComputerUseUnregisterContract = c42.router({
+var zeroComputerUseUnregisterContract = c41.router({
   unregister: {
     method: "DELETE",
     path: "/api/zero/computer-use/unregister",
     headers: authHeadersSchema,
-    body: c42.noBody(),
+    body: c41.noBody(),
     responses: {
-      204: c42.noBody(),
+      204: c41.noBody(),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema
@@ -73168,7 +73170,7 @@ var zeroComputerUseUnregisterContract = c42.router({
     summary: "Unregister a computer-use host"
   }
 });
-var zeroComputerUseHostContract = c42.router({
+var zeroComputerUseHostContract = c41.router({
   getHost: {
     method: "GET",
     path: "/api/zero/computer-use/host",
@@ -73185,7 +73187,7 @@ var zeroComputerUseHostContract = c42.router({
 
 // ../../packages/core/src/contracts/zero-insights.ts
 init_esm_shims();
-var c43 = initContract();
+var c42 = initContract();
 var insightAgentSchema = external_exports.object({
   agentName: external_exports.string(),
   agentId: external_exports.string().nullable(),
@@ -73235,7 +73237,7 @@ var insightsRangeResponseSchema = external_exports.object({
   maxDate: external_exports.string().nullable(),
   totalDays: external_exports.number()
 });
-var zeroInsightsContract = c43.router({
+var zeroInsightsContract = c42.router({
   get: {
     method: "GET",
     path: "/api/zero/insights",
@@ -73250,7 +73252,7 @@ var zeroInsightsContract = c43.router({
     summary: "Get daily insights for the authenticated org"
   }
 });
-var zeroInsightsRangeContract = c43.router({
+var zeroInsightsRangeContract = c42.router({
   get: {
     method: "GET",
     path: "/api/zero/insights/range",
@@ -73265,8 +73267,8 @@ var zeroInsightsRangeContract = c43.router({
 
 // ../../packages/core/src/contracts/push-subscriptions.ts
 init_esm_shims();
-var c44 = initContract();
-var pushSubscriptionsContract = c44.router({
+var c43 = initContract();
+var pushSubscriptionsContract = c43.router({
   register: {
     method: "POST",
     path: "/api/zero/push-subscriptions",
@@ -73290,7 +73292,7 @@ var pushSubscriptionsContract = c44.router({
 
 // ../../packages/core/src/contracts/zero-voice-chat-context.ts
 init_esm_shims();
-var c45 = initContract();
+var c44 = initContract();
 var contextEventSchema = external_exports.object({
   seq: external_exports.number(),
   source: external_exports.string(),
@@ -73306,7 +73308,7 @@ var appendContextEventBodySchema = external_exports.object({
   type: external_exports.string(),
   content: external_exports.string().optional()
 });
-var zeroVoiceChatContextGetContract = c45.router({
+var zeroVoiceChatContextGetContract = c44.router({
   getEvents: {
     method: "GET",
     path: "/api/zero/voice-chat/:id/context",
@@ -73321,7 +73323,7 @@ var zeroVoiceChatContextGetContract = c45.router({
     summary: "Get shared context events for a voice-chat session"
   }
 });
-var zeroVoiceChatContextAppendContract = c45.router({
+var zeroVoiceChatContextAppendContract = c44.router({
   appendEvent: {
     method: "POST",
     path: "/api/zero/voice-chat/:id/context",
@@ -74733,26 +74735,6 @@ async function searchZeroLogs(options) {
   handleError(result, "Failed to search zero logs");
 }
 
-// src/lib/api/domains/zero-ask-user.ts
-init_esm_shims();
-async function postAskUserQuestion(body) {
-  const config2 = await getClientConfig();
-  const client = initClient(zeroAskUserQuestionContract, config2);
-  const result = await client.postQuestion({ body, headers: {} });
-  if (result.status === 200) return result.body;
-  handleError(result, "Failed to post question");
-}
-async function getAskUserAnswer(pendingId) {
-  const config2 = await getClientConfig();
-  const client = initClient(zeroAskUserAnswerContract, config2);
-  const result = await client.getAnswer({
-    query: { pendingId },
-    headers: {}
-  });
-  if (result.status === 200) return result.body;
-  handleError(result, "Failed to get answer");
-}
-
 // src/lib/api/domains/zero-computer-use.ts
 init_esm_shims();
 async function registerComputerUseHost() {
@@ -75585,7 +75567,7 @@ function parsePermissionPolicies(json2) {
   } catch {
     throw new Error(
       `Invalid --permission-policies JSON: ${json2}
-Expected format: '{"ref": {"permission": "allow|deny|ask"}}'`
+Expected format: '{"ref": {"permissions": {"perm": "allow|deny|ask"}}}'`
     );
   }
   const result = firewallPoliciesSchema.safeParse(parsed);
@@ -75951,8 +75933,6 @@ export {
   getAgentEvents,
   getNetworkLogs,
   searchLogs,
-  postAskUserQuestion,
-  getAskUserAnswer,
   requestDeveloperSupportConsent,
   submitDeveloperSupport,
   registerComputerUseHost,
@@ -75994,4 +75974,4 @@ undici/lib/web/fetch/body.js:
 undici/lib/web/websocket/frame.js:
   (*! ws. MIT License. Einar Otto Stangvik <einaros@gmail.com> *)
 */
-//# sourceMappingURL=chunk-QX23MVVI.js.map
+//# sourceMappingURL=chunk-EZQQVFEQ.js.map