@vm0/cli 9.113.3 → 9.114.0

package/index.js

@@ -70,7 +70,7 @@ import {
   source_default,
   volumeConfigSchema,
   withErrorHandler
-} from "./chunk-3M2HM4GT.js";
+} from "./chunk-YGGTGOHH.js";
 
 // src/index.ts
 init_esm_shims();
@@ -463,7 +463,7 @@ function getConfigPath() {
   return join(homedir(), ".vm0", "config.json");
 }
 var infoCommand = new Command().name("info").description("Display environment and debug information").action(async () => {
-  console.log(source_default.bold(`VM0 CLI v${"9.113.3"}`));
+  console.log(source_default.bold(`VM0 CLI v${"9.114.0"}`));
   console.log();
   const config = await loadConfig();
   const hasEnvToken = !!process.env.VM0_TOKEN;
@@ -4492,7 +4492,7 @@ var composeCommand = new Command().name("compose").description("Create or update
         options.autoUpdate = false;
       }
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.113.3");
+        await startSilentUpgrade("9.114.0");
       }
       try {
         let result;
@@ -4572,7 +4572,7 @@ var mainRunCommand = new Command().name("run").description("Run an agent").argum
   withErrorHandler(
     async (identifier, prompt, options) => {
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.113.3");
+        await startSilentUpgrade("9.114.0");
       }
       const { name, version } = parseIdentifier(identifier);
       let composeId;
@@ -6313,7 +6313,7 @@ var cookAction = new Command().name("cook").description("Quick start: prepare, c
   withErrorHandler(
     async (prompt, options) => {
       if (options.autoUpdate !== false) {
-        const shouldExit = await checkAndUpgrade("9.113.3", prompt);
+        const shouldExit = await checkAndUpgrade("9.114.0", prompt);
         if (shouldExit) {
           process.exit(0);
         }
@@ -7080,13 +7080,13 @@ var upgradeCommand = new Command().name("upgrade").description("Upgrade vm0 CLI
     if (latestVersion === null) {
       throw new Error("Could not check for updates. Please try again later.");
     }
-    if (latestVersion === "9.113.3") {
-      console.log(source_default.green(`\u2713 Already up to date (${"9.113.3"})`));
+    if (latestVersion === "9.114.0") {
+      console.log(source_default.green(`\u2713 Already up to date (${"9.114.0"})`));
       return;
     }
     console.log(
       source_default.yellow(
-        `Current version: ${"9.113.3"} -> Latest version: ${latestVersion}`
+        `Current version: ${"9.114.0"} -> Latest version: ${latestVersion}`
       )
     );
     console.log();
@@ -7113,7 +7113,7 @@ var upgradeCommand = new Command().name("upgrade").description("Upgrade vm0 CLI
     const success = await performUpgrade(packageManager);
     if (success) {
       console.log(
-        source_default.green(`\u2713 Upgraded from ${"9.113.3"} to ${latestVersion}`)
+        source_default.green(`\u2713 Upgraded from ${"9.114.0"} to ${latestVersion}`)
       );
       return;
     }
@@ -7180,7 +7180,7 @@ var whoamiCommand = new Command().name("whoami").description("Show current ident
 
 // src/index.ts
 var program = new Command();
-program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.113.3");
+program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.114.0");
 program.addCommand(authCommand);
 program.addCommand(infoCommand);
 program.addCommand(composeCommand);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/cli",
-  "version": "9.113.3",
+  "version": "9.114.0",
   "description": "CLI application",
   "repository": {
     "type": "git",

package/zero.js

@@ -38,6 +38,7 @@ import {
   deployZeroSchedule,
   disableZeroSchedule,
   enableZeroSchedule,
+  extractSecretNamesFromApis,
   findMatchingPermissions,
   getActiveOrg,
   getApiUrl,
@@ -45,6 +46,7 @@ import {
   getBaseUrl,
   getComputerUseHost,
   getConnectorDerivedNames,
+  getConnectorEnvironmentMapping,
   getConnectorFirewall,
   getConnectorTypeForSecretName,
   getCustomModelPlaceholder,
@@ -67,6 +69,7 @@ import {
   getZeroOrgMembers,
   getZeroRun,
   getZeroRunAgentEvents,
+  getZeroRunContext,
   getZeroUserPreferences,
   hasAuthMethods,
   hasModelSelection,
@@ -127,7 +130,7 @@ import {
   upsertZeroOrgModelProvider,
   withErrorHandler,
   zeroAgentCustomSkillNameSchema
-} from "./chunk-3M2HM4GT.js";
+} from "./chunk-YGGTGOHH.js";
 
 // src/zero.ts
 init_esm_shims();
@@ -2183,7 +2186,7 @@ var zeroConnectorCommand = new Command().name("connector").description("Check or
 // src/commands/zero/doctor/index.ts
 init_esm_shims();
 
-// src/commands/zero/doctor/missing-token.ts
+// src/commands/zero/doctor/check-connector.ts
 init_esm_shims();
 
 // src/commands/zero/doctor/platform-url.ts
@@ -2206,80 +2209,403 @@ async function getPlatformOrigin() {
   return toPlatformUrl(apiUrl).origin;
 }
 
-// src/commands/zero/doctor/missing-token.ts
-var missingTokenCommand = new Command().name("missing-token").description(
-  "Diagnose a missing token and find the connector that provides it"
-).argument("<token-name>", "The environment variable / token name to look up").addHelpText(
+// src/commands/zero/doctor/check-connector.ts
+function resolveConnectorFromUrl(url) {
+  const allTypes = Object.keys(CONNECTOR_TYPES);
+  const normalized = url.endsWith("/") ? url.slice(0, -1) : url;
+  let bestMatch = null;
+  for (const type of allTypes) {
+    if (!isFirewallConnectorType(type)) continue;
+    const config = getConnectorFirewall(type);
+    for (const api of config.apis) {
+      const base = api.base.endsWith("/") ? api.base.slice(0, -1) : api.base;
+      if (normalized === base || normalized.startsWith(base + "/")) {
+        if (!bestMatch || base.length > bestMatch.base.length) {
+          bestMatch = { connectorType: type, base, config };
+        }
+      }
+    }
+  }
+  if (!bestMatch) return null;
+  const mapping = getConnectorEnvironmentMapping(
+    bestMatch.connectorType
+  );
+  const envName = Object.keys(mapping)[0];
+  if (!envName) return null;
+  const relativePath = normalized === bestMatch.base ? "/" : normalized.slice(bestMatch.base.length);
+  return {
+    connectorType: bestMatch.connectorType,
+    envName,
+    matchedBase: bestMatch.base,
+    relativePath
+  };
+}
+function checkEnvVariable(ctx) {
+  console.log("## Step 1: Sandbox environment variable");
+  console.log("");
+  const envPresent = Boolean(process.env[ctx.envName]);
+  console.log(
+    `Checking process.env.${ctx.envName}: ${envPresent ? "present" : "not present"}`
+  );
+  if (envPresent) {
+    console.log(
+      "A placeholder value is present in the sandbox environment. This value is not the real credential \u2014 it is a stand-in that gets replaced at the network boundary when requests are sent to registered base URLs."
+    );
+  } else {
+    console.log(
+      "No value found for this environment variable. Note: credential replacement at the network boundary is independent of this variable \u2014 the proxy injects auth headers based on the destination URL, not the presence of this env var."
+    );
+  }
+  console.log("");
+  return envPresent;
+}
+async function checkConnectorStatus(ctx) {
+  console.log("## Step 2: Connector configuration");
+  console.log("");
+  console.log(
+    "A Connector holds the real credentials (OAuth tokens or API keys) for an external service. These credentials are never injected into the sandbox. Instead, when the sandbox sends an HTTP request to a base URL registered by the Connector, the network boundary intercepts the request and replaces the auth headers with real credentials. For this to work, three conditions must be met:"
+  );
+  console.log("");
+  const [connector, enabledTypes] = await Promise.all([
+    getZeroConnector(ctx.connectorType),
+    ctx.agentId ? getZeroAgentUserConnectors(ctx.agentId) : Promise.resolve(null)
+  ]);
+  const isConnected = connector !== null;
+  const isExpired = connector?.needsReconnect === true;
+  const hasPermission = enabledTypes !== null && enabledTypes.includes(ctx.connectorType);
+  console.log(
+    `### 2a: Connector status (user must configure via OAuth login or API key)`
+  );
+  console.log("");
+  if (!isConnected) {
+    const connectUrl = ctx.agentId ? `${ctx.platformOrigin}/connectors/${ctx.connectorType}/connect?agentId=${ctx.agentId}` : `${ctx.platformOrigin}/connectors/${ctx.connectorType}/connect`;
+    console.log(`The ${ctx.label} connector is not connected.`);
+    console.log(`Connect it at: [Connect ${ctx.label}](${connectUrl})`);
+  } else if (isExpired) {
+    const url = `${ctx.platformOrigin}/connectors`;
+    console.log(
+      `The ${ctx.label} connector is connected but has expired and needs to be reconnected.`
+    );
+    console.log(`Reconnect it at: [Reconnect ${ctx.label}](${url})`);
+  } else {
+    console.log(`The ${ctx.label} connector is connected and active.`);
+  }
+  console.log("");
+  console.log(
+    `### 2b: Agent authorization (user must authorize agent to use this connector)`
+  );
+  console.log("");
+  if (!ctx.agentId) {
+    console.log("ZERO_AGENT_ID is not set \u2014 cannot check agent authorization.");
+  } else if (!hasPermission) {
+    const url = `${ctx.platformOrigin}/connectors/${ctx.connectorType}/authorize?agentId=${ctx.agentId}`;
+    console.log(
+      `The ${ctx.label} connector is not authorized for this agent (${ctx.agentId}).`
+    );
+    console.log(`Authorize it at: [Authorize ${ctx.label}](${url})`);
+  } else {
+    console.log(`The ${ctx.label} connector is authorized for this agent.`);
+  }
+  console.log("");
+  return { isConnected, isExpired, hasPermission };
+}
+async function checkConnectorDomains(ctx) {
+  console.log(
+    `### 2c: Registered base URLs (credential replacement only applies to URLs matching these prefixes)`
+  );
+  console.log("");
+  const payload = decodeZeroTokenPayload();
+  const runId = payload?.runId;
+  if (!runId) {
+    console.log(
+      "Cannot determine run ID from ZERO_TOKEN \u2014 skipping base URL check."
+    );
+    console.log("");
+    return null;
+  }
+  const runContext = await getZeroRunContext(runId);
+  printConnectorDomains(ctx, runContext);
+  console.log("");
+  return runContext.networkPolicies;
+}
+function printConnectorDomains(ctx, runContext) {
+  const matchingEntry = runContext.firewalls.find((fw) => {
+    return fw.ref === ctx.connectorType;
+  });
+  if (!matchingEntry) {
+    console.log(
+      `No configuration found for the ${ctx.label} connector in this run.`
+    );
+    console.log(
+      "This means no base URLs are registered for credential replacement for this connector."
+    );
+    return;
+  }
+  console.log(
+    `The ${ctx.label} connector is configured for this run with the following base URLs:`
+  );
+  for (const api of matchingEntry.apis) {
+    console.log(`  - ${api.base}`);
+  }
+  console.log("");
+  console.log(
+    "When the sandbox sends an HTTP request matching one of these URL prefixes, the network boundary intercepts the request and injects real credentials into the auth headers."
+  );
+  if (isFirewallConnectorType(ctx.connectorType)) {
+    const firewallConfig = getConnectorFirewall(ctx.connectorType);
+    const secretNames = extractSecretNamesFromApis(firewallConfig.apis);
+    if (secretNames.length > 0) {
+      console.log(`Credentials resolved from: ${secretNames.join(", ")}`);
+    }
+  }
+}
+function checkPermissionPolicy(connectorType, label, permissionName, networkPolicies) {
+  console.log("## Step 3: Permission policy check");
+  console.log("");
+  console.log(
+    `Checking permission: "${permissionName}" for the ${label} connector.`
+  );
+  console.log(
+    `Beyond credential replacement, the ${label} connector enforces permission policies on each API path. A request either matches a named permission or falls through to the unknown-endpoint policy.`
+  );
+  console.log("");
+  if (!networkPolicies) {
+    console.log(
+      "Network policies are not available for this run \u2014 cannot check permission status."
+    );
+    console.log("");
+    return;
+  }
+  const connectorPolicies = networkPolicies[connectorType];
+  if (!connectorPolicies) {
+    console.log(
+      `No policy entry found for the ${label} connector in this run's network policies.`
+    );
+    console.log(
+      "When a connector has no policy entry, all requests are fully permissive (allowed)."
+    );
+    console.log("");
+    return;
+  }
+  console.log(`Permission policies for the ${label} connector:`);
+  console.log(`  allow list: [${connectorPolicies.allow.join(", ")}]`);
+  console.log(`  deny list:  [${connectorPolicies.deny.join(", ")}]`);
+  console.log(`  unknown endpoint policy: ${connectorPolicies.unknownPolicy}`);
+  console.log("");
+  const isInAllow = connectorPolicies.allow.includes(permissionName);
+  const isInDeny = connectorPolicies.deny.includes(permissionName);
+  if (isInAllow) {
+    console.log(
+      `Result: "${permissionName}" is in the allow list. Requests matching this permission are allowed.`
+    );
+  } else if (isInDeny) {
+    console.log(
+      `Result: "${permissionName}" is in the deny list. Requests matching this permission are denied.`
+    );
+  } else {
+    console.log(
+      `Result: "${permissionName}" is not in any permission list. It will be handled by the unknown endpoint policy: ${connectorPolicies.unknownPolicy}.`
+    );
+  }
+  console.log("");
+}
+function resolvePermissionFromUrl(connectorType, label, method, relativePath, matchedBase, networkPolicies) {
+  console.log("## Step 3: Permission policy check (auto-detected from URL)");
+  console.log("");
+  console.log(
+    `Matching ${method} ${relativePath} (relative to base URL ${matchedBase}) against the ${label} connector's permission rules.`
+  );
+  console.log("");
+  if (!isFirewallConnectorType(connectorType)) {
+    console.log(
+      `The ${label} connector does not have permission rules defined.`
+    );
+    console.log("");
+    return;
+  }
+  const config = getConnectorFirewall(connectorType);
+  const matchedPermissions = findMatchingPermissions(
+    method,
+    relativePath,
+    config
+  );
+  if (matchedPermissions.length === 0) {
+    console.log(
+      `No named permission matches ${method} ${relativePath}. This request falls through to the unknown-endpoint policy.`
+    );
+  } else {
+    console.log(`Matched permissions: [${matchedPermissions.join(", ")}]`);
+  }
+  console.log("");
+  if (!networkPolicies) {
+    console.log(
+      "Network policies are not available for this run \u2014 cannot check allow/deny status."
+    );
+    console.log("");
+    return;
+  }
+  const connectorPolicies = networkPolicies[connectorType];
+  if (!connectorPolicies) {
+    console.log(
+      `No policy entry found for the ${label} connector. All requests are fully permissive (allowed).`
+    );
+    console.log("");
+    return;
+  }
+  console.log(`Permission policies for the ${label} connector:`);
+  console.log(`  allow list: [${connectorPolicies.allow.join(", ")}]`);
+  console.log(`  deny list:  [${connectorPolicies.deny.join(", ")}]`);
+  console.log(`  unknown endpoint policy: ${connectorPolicies.unknownPolicy}`);
+  console.log("");
+  if (matchedPermissions.length === 0) {
+    console.log(
+      `Result: No permission matched. The unknown endpoint policy applies: ${connectorPolicies.unknownPolicy}.`
+    );
+  } else {
+    for (const perm of matchedPermissions) {
+      const isInAllow = connectorPolicies.allow.includes(perm);
+      const isInDeny = connectorPolicies.deny.includes(perm);
+      if (isInAllow) {
+        console.log(`Result: "${perm}" is in the allow list \u2014 allowed.`);
+      } else if (isInDeny) {
+        console.log(`Result: "${perm}" is in the deny list \u2014 denied.`);
+      } else {
+        console.log(
+          `Result: "${perm}" is not in any list \u2014 falls through to unknown endpoint policy: ${connectorPolicies.unknownPolicy}.`
+        );
+      }
+    }
+  }
+  console.log("");
+}
+var checkConnectorCommand = new Command().name("check-connector").description(
+  "Diagnose connector health: environment variable, connector configuration, and permission policies"
+).addOption(
+  new Option(
+    "--env-name <ENV_NAME>",
+    "The environment variable name to check (e.g. GITHUB_TOKEN)"
+  )
+).addOption(
+  new Option(
+    "--url <URL>",
+    "A full URL to diagnose \u2014 auto-detects the connector, env var, and permission (e.g. https://api.github.com/repos/owner/repo)"
+  )
+).addOption(
+  new Option(
+    "--method <METHOD>",
+    "HTTP method to use when matching permissions with --url (default: GET)"
+  ).default("GET")
+).addOption(
+  new Option(
+    "--check-permission <name>",
+    "Check whether a specific permission is allowed or denied (e.g. contents:read)"
+  )
+).addHelpText(
   "after",
   `
 Examples:
-  zero doctor missing-token GITHUB_TOKEN
-  zero doctor missing-token LINEAR_API_KEY
-  zero doctor missing-token NOTION_TOKEN
-
-Notes:
-  - Outputs which connector provides the token and a URL for the user to connect it
-  - Use this to guide the user when a required token is not available in the sandbox`
+  zero doctor check-connector --env-name GITHUB_TOKEN
+  zero doctor check-connector --url https://api.github.com/repos/owner/repo
+  zero doctor check-connector --url https://slack.com/api/chat.postMessage --method POST
+  zero doctor check-connector --env-name SLACK_TOKEN --check-permission chat:write
+
+How connectors work:
+  A Connector holds the real credentials for an external service. These credentials
+  are never injected into the sandbox. Instead, when the sandbox sends an HTTP
+  request to a base URL registered by the Connector, the network boundary intercepts
+  the request and replaces the auth headers with real credentials.
+
+  This command checks each part of that pipeline and reports what it finds.`
 ).action(
-  withErrorHandler(async (tokenName) => {
-    const connectorType = getConnectorTypeForSecretName(tokenName);
-    if (!connectorType) {
+  withErrorHandler(async (opts) => {
+    if (!opts.envName && !opts.url) {
       throw new Error(
-        `Unknown token: ${tokenName} \u2014 not managed by any connector`
+        "Either --env-name or --url is required. Use --help for usage."
       );
     }
+    let envName;
+    let connectorType;
+    let urlLookup = null;
+    if (opts.url) {
+      urlLookup = resolveConnectorFromUrl(opts.url);
+      if (!urlLookup) {
+        throw new Error(
+          `No connector found for URL: ${opts.url} \u2014 no registered base URL matches this URL`
+        );
+      }
+      connectorType = urlLookup.connectorType;
+      envName = opts.envName ?? urlLookup.envName;
+      console.log(
+        `URL ${opts.url} matches the ${CONNECTOR_TYPES[connectorType].label} connector (type: ${connectorType}).`
+      );
+      console.log(`  Matched base URL: ${urlLookup.matchedBase}`);
+      console.log(`  Relative path:    ${urlLookup.relativePath}`);
+      console.log(`  Environment var:  ${envName}`);
+    } else {
+      connectorType = getConnectorTypeForSecretName(
+        envName = opts.envName
+      );
+      if (!connectorType) {
+        throw new Error(
+          `Unknown environment variable: ${envName} \u2014 not managed by any connector`
+        );
+      }
+      console.log(
+        `${envName} is managed by the ${CONNECTOR_TYPES[connectorType].label} connector (type: ${connectorType}).`
+      );
+    }
+    console.log("");
     const { label } = CONNECTOR_TYPES[connectorType];
     const apiUrl = await getApiUrl();
     const platformUrl = toPlatformUrl(apiUrl);
-    const agentId = process.env.ZERO_AGENT_ID;
-    const tokenPresent = Boolean(process.env[tokenName]);
-    console.log(
-      `${tokenName} is provided by the ${label} connector. Sandbox env: ${tokenPresent ? "present" : "not present"}.`
-    );
-    const [connector, enabledTypes] = await Promise.all([
-      getZeroConnector(connectorType).catch(() => {
-        return null;
-      }),
-      agentId ? getZeroAgentUserConnectors(agentId).catch(() => {
-        return null;
-      }) : Promise.resolve(null)
-    ]);
-    const isConnected = connector !== null;
-    const hasPermission = enabledTypes !== null && enabledTypes.includes(connectorType);
-    const rediagnoseHint = `Important: if ${tokenName} is still missing after the user takes action, run \`zero doctor missing-token ${tokenName}\` again to re-diagnose instead of assuming the status.`;
-    if (!isConnected) {
-      const connectUrl = agentId ? `${platformUrl.origin}/connectors/${connectorType}/connect?agentId=${agentId}` : `${platformUrl.origin}/connectors/${connectorType}/connect`;
+    const ctx = {
+      envName,
+      connectorType,
+      label,
+      platformOrigin: platformUrl.origin,
+      agentId: process.env.ZERO_AGENT_ID || void 0
+    };
+    checkEnvVariable(ctx);
+    const { isConnected, isExpired, hasPermission } = await checkConnectorStatus(ctx);
+    const networkPolicies = await checkConnectorDomains(ctx);
+    if (isConnected && !isExpired && hasPermission) {
       console.log(
-        `The ${label} connector is not connected. Ask the user to connect it at: [Connect ${label}](${connectUrl})
-${rediagnoseHint}`
+        `Steps 1-2 summary: The ${label} connector is connected, active, and authorized. Outbound requests to the registered base URLs will have credentials injected at the network boundary.`
       );
-      return;
     }
-    const issues = [];
-    if (connector.needsReconnect) {
-      const url = `${platformUrl.origin}/connectors`;
-      issues.push(
-        `The ${label} connector has expired and needs to be reconnected. Ask the user to reconnect it at: [Reconnect ${label}](${url})`
+    console.log("");
+    if (urlLookup) {
+      resolvePermissionFromUrl(
+        connectorType,
+        label,
+        opts.method,
+        urlLookup.relativePath,
+        urlLookup.matchedBase,
+        networkPolicies
       );
-    }
-    if (!hasPermission) {
-      const url = agentId ? `${platformUrl.origin}/connectors/${connectorType}/authorize?agentId=${agentId}` : `${platformUrl.origin}/connectors`;
-      issues.push(
-        `The ${label} connector is not authorized for this agent. Ask the user to enable it at: [Authorize ${label}](${url})`
+    } else if (opts.checkPermission) {
+      checkPermissionPolicy(
+        connectorType,
+        label,
+        opts.checkPermission,
+        networkPolicies
       );
     }
-    if (issues.length > 0) {
-      for (const issue of issues) {
-        console.log(issue);
+    const args = [];
+    if (opts.url) {
+      args.push(`--url ${opts.url}`);
+      if (opts.method !== "GET") {
+        args.push(`--method ${opts.method}`);
       }
-      console.log(rediagnoseHint);
     } else {
-      const url = `${platformUrl.origin}/connectors`;
-      console.log(
-        `The ${label} connector is connected and authorized, but the token is still missing. Ask VM0 developer to resolve this issue. Connector status: [Check ${label} status](${url})
-${rediagnoseHint}`
-      );
+      args.push(`--env-name ${envName}`);
+    }
+    if (opts.checkPermission) {
+      args.push(`--check-permission ${opts.checkPermission}`);
     }
+    console.log(
+      `To re-diagnose after changes, run: zero doctor check-connector ${args.join(" ")}`
+    );
   })
 );
 
@@ -2509,11 +2835,13 @@ Notes:
 );
 
 // src/commands/zero/doctor/index.ts
-var zeroDoctorCommand = new Command().name("doctor").description("Diagnose runtime issues (missing tokens, permission denials)").addCommand(missingTokenCommand).addCommand(permissionDenyCommand).addCommand(permissionChangeCommand).addHelpText(
+var zeroDoctorCommand = new Command().name("doctor").description("Diagnose runtime issues (connector health, permission denials)").addCommand(checkConnectorCommand).addCommand(permissionDenyCommand).addCommand(permissionChangeCommand).addHelpText(
   "after",
   `
 Examples:
-  Missing an API key?    zero doctor missing-token GITHUB_TOKEN
+  Check a connector?     zero doctor check-connector --env-name GITHUB_TOKEN
+  Check a URL?           zero doctor check-connector --url https://api.github.com/repos/owner/repo
+  Check with permission? zero doctor check-connector --env-name SLACK_TOKEN --check-permission chat:write
   Permission denied?     zero doctor permission-deny github --method GET --path /repos/owner/repo
   Change a permission?   zero doctor permission-change github --permission contents:read --enable
 
@@ -6011,11 +6339,11 @@ function registerZeroCommands(prog, commands) {
 var program = new Command();
 program.name("zero").description(
   "Zero CLI \u2014 interact with the zero platform from inside the sandbox"
-).version("9.113.3").addHelpText(
+).version("9.114.0").addHelpText(
   "after",
   `
 Examples:
-  Missing a token?       zero doctor missing-token <TOKEN_NAME>
+  Check a connector?     zero doctor check-connector --env-name <ENV_NAME>
   Send a Slack message?  zero slack message send --help
   Set up a schedule?     zero schedule setup --help
   Update yourself?       zero agent --help