@vm0/cli 9.176.1 → 9.176.4

package/{chunk-TPUYVLNY.js → chunk-JQ72VVQC.js}

@@ -74083,7 +74083,7 @@ if (DSN) {
   init2({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.176.1",
+    release: "9.176.4",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -74102,7 +74102,7 @@ if (DSN) {
     }
   });
   setContext("cli", {
-    version: "9.176.1",
+    version: "9.176.4",
     command: process.argv.slice(2).join(" ")
   });
   setContext("runtime", {
@@ -74194,295 +74194,8 @@ function configureGlobalProxyFromEnv() {
   }
 }
 
-// ../../packages/connectors/src/feature-switch-key.ts
-init_esm_shims();
-
 // src/lib/api/zero-token.ts
 init_esm_shims();
-
-// ../../packages/core/src/feature-switch.ts
-init_esm_shims();
-
-// ../../packages/core/src/feature-switch-key.ts
-init_esm_shims();
-
-// ../../packages/core/src/identity-hash.ts
-init_esm_shims();
-function fnv1a(input) {
-  let h = 2166136261 >>> 0;
-  for (let i = 0; i < input.length; i++) {
-    h ^= input.charCodeAt(i);
-    h = Math.imul(h, 16777619) >>> 0;
-  }
-  return h.toString(16).padStart(8, "0");
-}
-var STAFF_ORG_ID_HASHES = [
-  "afce210e"
-  // org_3ANttyrbWYJk6JKRSTRLEsbsDLe
-];
-
-// ../../packages/core/src/feature-switch.ts
-var FEATURE_SWITCHES = {
-  ["dummy" /* Dummy */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Test-only feature switch for flag system validation",
-    enabled: true
-  },
-  ["ahrefsConnector" /* AhrefsConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Ahrefs SEO connector",
-    enabled: false
-  },
-  ["bentomlConnector" /* BentomlConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the BentoML model serving connector",
-    enabled: false
-  },
-  ["canvaConnector" /* CanvaConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Canva design connector",
-    enabled: false
-  },
-  ["deelConnector" /* DeelConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Deel HR connector",
-    enabled: false
-  },
-  ["docusignConnector" /* DocuSignConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the DocuSign e-signature connector",
-    enabled: false
-  },
-  ["dropboxConnector" /* DropboxConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Dropbox file storage connector",
-    enabled: false
-  },
-  ["figmaConnector" /* FigmaConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Figma design connector",
-    enabled: false
-  },
-  ["mercuryConnector" /* MercuryConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Mercury banking connector",
-    enabled: false
-  },
-  ["neonConnector" /* NeonConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Neon serverless Postgres connector",
-    enabled: false
-  },
-  ["garminConnectConnector" /* GarminConnectConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Garmin Connect wellness connector",
-    enabled: false
-  },
-  ["redditConnector" /* RedditConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Reddit connector integration",
-    enabled: false
-  },
-  ["supabaseConnector" /* SupabaseConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Supabase database connector integration",
-    enabled: false
-  },
-  ["closeConnector" /* CloseConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Close CRM connector",
-    enabled: false
-  },
-  ["webflowConnector" /* WebflowConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Webflow site management connector",
-    enabled: false
-  },
-  ["outlookMailConnector" /* OutlookMailConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Outlook Mail connector",
-    enabled: false
-  },
-  ["outlookCalendarConnector" /* OutlookCalendarConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Outlook Calendar connector",
-    enabled: false
-  },
-  ["metaAdsConnector" /* MetaAdsConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Meta Ads Manager connector",
-    enabled: false
-  },
-  ["stripeConnector" /* StripeConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Stripe payment connector integration",
-    enabled: false
-  },
-  ["posthogConnector" /* PosthogConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the PostHog analytics connector",
-    enabled: false
-  },
-  ["pwaOfflineCache" /* PwaOfflineCache */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable PWA offline caching (static asset cache-first, offline fallback page, and service worker updateViaCache: none)",
-    enabled: true
-  },
-  ["mailchimpConnector" /* MailchimpConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Mailchimp email marketing connector",
-    enabled: false
-  },
-  ["resendConnector" /* ResendConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Resend email service connector",
-    enabled: false
-  },
-  ["spotifyConnector" /* SpotifyConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Spotify connector integration",
-    enabled: false
-  },
-  ["githubIntegration" /* GitHubIntegration */]: {
-    maintainer: "linghan@vm0.ai",
-    description: "Show the GitHub integration card on the Works page for installing GitHub, connecting users, and managing label listeners. Off by default; individuals opt in via the feature-switch overrides API.",
-    enabled: false
-  },
-  ["dataExport" /* DataExport */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Show the data export option in account menu",
-    enabled: false
-  },
-  ["zeroDebug" /* ZeroDebug */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Reveal activity debug surfaces, activity log navigation, appended system prompts, and Debug preferences",
-    enabled: false
-  },
-  ["computerUse" /* ComputerUse */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable remote desktop host registration",
-    enabled: false
-  },
-  ["larkConnector" /* LarkConnector */]: {
-    maintainer: "liangyou@vm0.ai",
-    description: "Enable the Lark connector while tenant access-token exchange is being repaired.",
-    enabled: false
-  },
-  ["lab" /* Lab */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Show the Lab page for toggling experimental features",
-    enabled: false,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
-  },
-  ["auditLink" /* AuditLink */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Show audit log links in integration replies",
-    enabled: false
-  },
-  ["audioOutput" /* AudioOutput */]: {
-    maintainer: "lancy@vm0.ai",
-    description: "Enable audio output in chat (TTS read-aloud + auto-read) \u2014 gates the volume/read buttons and the /api/zero/voice-io/tts route",
-    enabled: false
-  },
-  ["autoSkill" /* AutoSkill */]: {
-    maintainer: "lancy@vm0.ai",
-    description: "Enable automatic skill creation in agent prompts",
-    enabled: false
-  },
-  ["testOauthConnector" /* TestOauthConnector */]: {
-    maintainer: "liangyou@vm0.ai",
-    description: "Enable the test-oauth connector, a synthetic OAuth 2.0 provider used only for automated tests. Off in prod.",
-    enabled: false
-  },
-  ["chatHeaderNewButton" /* ChatHeaderNewButton */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Replace the Invite people button in the agent chat page header with a New button that creates a new chat thread",
-    enabled: false
-  },
-  ["chatMessageStartButton" /* ChatMessageStartButton */]: {
-    maintainer: "linghan@vm0.ai",
-    description: "Show an icon button in assistant message group actions that scrolls back to the start of that message group.",
-    enabled: false
-  },
-  ["chatThreadRename" /* ChatThreadRename */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Adds a Rename chat item to the sidebar thread kebab menu. When the user renames a thread, automated title generation is suppressed for that thread.",
-    enabled: false
-  },
-  ["freshdeskConnector" /* FreshdeskConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Freshdesk helpdesk connector",
-    enabled: false
-  },
-  ["stabilityAiConnector" /* StabilityAiConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Stability AI image generation connector",
-    enabled: false
-  },
-  ["zoomConnector" /* ZoomConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Zoom connector (OAuth 2.0) for meetings, past participants, and cloud recordings access",
-    enabled: false
-  },
-  ["apiKeys" /* ApiKeys */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Gate the custom /settings/api-keys UI for issuing personal access tokens used by the /api/v1 public surface. When disabled, the settings page redirects to / and the sidebar menu item is hidden. The backend /api/v1 verification does NOT consult this flag \u2014 previously issued PATs continue to work.",
-    enabled: false
-  },
-  ["apiBackend" /* ApiBackend */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Route platform API traffic to the api backend host instead of the www backend host. Unported endpoints continue through the api backend's web fallback proxy.",
-    enabled: false,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
-  },
-  ["zapierConnector" /* ZapierConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Enable the Zapier connector. When disabled, Zapier is hidden from the connectors list and cannot be connected.",
-    enabled: false
-  },
-  ["hostedSites" /* HostedSites */]: {
-    maintainer: "lancy@vm0.ai",
-    description: "Enable static hosted-site deployments from zero host.",
-    enabled: true
-  },
-  ["sandboxIoLimiters" /* SandboxIoLimiters */]: {
-    maintainer: "liangyou@vm0.ai",
-    description: "Enable runner-provided disk and network device rate limiters for sandbox VMs.",
-    enabled: false,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
-  },
-  ["chatArtifactSidebar" /* ChatArtifactSidebar */]: {
-    maintainer: "ethan@vm0.ai",
-    description: "Replace the inline attachment text editor and modal lightbox with a single page-level artifact sidebar (50/50 with the chat thread area, URL-routed via ?artifact=, fullscreen-capable). When on, inline text/markdown attachments render as anchor chips, all preview chips route to the sidebar, and the artifacts drawer is hidden.",
-    enabled: false,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
-  }
-};
-function isFeatureEnabled(key, ctx) {
-  const override = ctx.overrides?.[key];
-  if (override !== void 0) {
-    return override;
-  }
-  const featureSwitch = FEATURE_SWITCHES[key];
-  if (featureSwitch.enabled) {
-    return true;
-  }
-  if (ctx.userId && featureSwitch.enabledUserHashes?.length) {
-    if (featureSwitch.enabledUserHashes.includes(fnv1a(ctx.userId)))
-      return true;
-  }
-  if (ctx.email && featureSwitch.enabledEmailHashes?.length) {
-    if (featureSwitch.enabledEmailHashes.includes(fnv1a(ctx.email.toLowerCase())))
-      return true;
-  }
-  if (ctx.orgId && featureSwitch.enabledOrgIdHashes?.length) {
-    if (featureSwitch.enabledOrgIdHashes.includes(fnv1a(ctx.orgId)))
-      return true;
-  }
-  return false;
-}
-
-// src/lib/api/zero-token.ts
 function decodeZeroTokenPayload(token) {
   const raw = token ?? process.env.ZERO_TOKEN;
   if (!raw) return void 0;
@@ -74502,15 +74215,6 @@ function decodeZeroTokenPayload(token) {
   }
   return void 0;
 }
-function zeroTokenAllowsFeatureSwitch(key, payload = decodeZeroTokenPayload()) {
-  if (!payload) return true;
-  const tokenValue = payload.featureSwitches?.[key];
-  if (typeof tokenValue === "boolean") return tokenValue;
-  return isFeatureEnabled(key, {
-    userId: payload.userId,
-    orgId: payload.orgId
-  });
-}
 
 // ../../node_modules/.pnpm/chalk@5.6.2/node_modules/chalk/source/index.js
 init_esm_shims();
@@ -95302,6 +95006,7 @@ var zeroBillingStatusContract = c8.router({
     responses: {
       200: billingStatusResponseSchema,
       401: apiErrorSchema,
+      403: apiErrorSchema,
       500: apiErrorSchema
     },
     summary: "Get billing status for current org"
@@ -97520,6 +97225,11 @@ var airtable = {
 
 // ../../packages/connectors/src/connectors/docusign.ts
 init_esm_shims();
+
+// ../../packages/connectors/src/feature-switch-key.ts
+init_esm_shims();
+
+// ../../packages/connectors/src/connectors/docusign.ts
 var docusign = {
   docusign: {
     label: "DocuSign",
@@ -97662,7 +97372,9 @@ var gumroad = {
           ]
         },
         access: {
-          kind: "static",
+          kind: "refresh-token",
+          accessToken: "GUMROAD_ACCESS_TOKEN",
+          refreshToken: "GUMROAD_REFRESH_TOKEN",
           envBindings: {
             GUMROAD_TOKEN: "$secrets.GUMROAD_ACCESS_TOKEN"
           }
@@ -107520,11 +107232,15 @@ var storedExecutionContextSchema = external_exports.object({
   storageManifest: storageManifestSchema.nullable(),
   environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
+  // AES-256-GCM encrypted Record<string, string>. Keys are the runtime secret
+  // names used by `${{ secrets.NAME }}`; connector/model-provider keys are env
+  // aliases, not backing storage secret names.
   encryptedSecrets: external_exports.string().nullable(),
-  // AES-256-GCM encrypted Record<string, string> (secret name → value)
-  // Maps secret names to OAuth connector types for runtime token refresh (e.g. { "GMAIL_ACCESS_TOKEN": "gmail" })
+  // Maps firewall auth secret env aliases (the `NAME` in `${{ secrets.NAME }}`) to
+  // their connector or provider owner. Keys are env aliases, not storage secret names.
   secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
-  // Per-secret refresh metadata, used when a handler needs owner-specific storage (e.g. personal model providers)
+  // Same keys as secretConnectorMap; adds source details when the owner alone
+  // is not enough to locate access storage (for example, personal model providers).
   secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
   cliAgentType: external_exports.string(),
   // Debug flag to force real Claude in mock environments (internal use only)
@@ -107567,12 +107283,19 @@ var executionContextSchema = external_exports.object({
   storageManifest: storageManifestSchema.nullable(),
   environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
+  // Plain secret values used by the runner for redaction. These are values, not
+  // names, and are base64-encoded only when exported through VM0_SECRET_VALUES.
   secretValues: external_exports.array(external_exports.string()).nullable(),
-  // AES-256-GCM encrypted Record<string, string> — passed through to mitm-addon for auth resolution
+  // AES-256-GCM encrypted Record<string, string>, passed through to mitm-addon
+  // for auth resolution. Keys are runtime secret names used by
+  // `${{ secrets.NAME }}`; connector/model-provider keys are env aliases, not
+  // backing storage secret names.
   encryptedSecrets: external_exports.string().nullable(),
-  // Maps secret names to OAuth connector types for runtime token refresh
+  // Maps firewall auth secret env aliases (the `NAME` in `${{ secrets.NAME }}`) to
+  // their connector or provider owner. Keys are env aliases, not storage secret names.
   secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
-  // Per-secret refresh metadata, used when a handler needs owner-specific storage (e.g. personal model providers)
+  // Same keys as secretConnectorMap; adds source details when the owner alone
+  // is not enough to locate access storage (for example, personal model providers).
   secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
   cliAgentType: external_exports.string(),
   // Debug flag to force real Claude in mock environments (internal use only)
@@ -107995,7 +107718,7 @@ var firewallAuthResponseSchema = external_exports.object({
   headers: external_exports.record(external_exports.string(), external_exports.string()),
   base: external_exports.string().optional(),
   query: external_exports.record(external_exports.string(), external_exports.string()).optional(),
-  // Effective addon cache expiry as Unix seconds. OAuth token expiry is the
+  // Effective addon cache expiry as Unix seconds. Access token expiry is the
   // normal source; billable firewall auth can shorten it to force credit
   // re-authorization. Null means non-expiring only for non-billable auth.
   expiresAt: external_exports.number().nullable(),
@@ -108006,18 +107729,24 @@ var firewallAuthResponseSchema = external_exports.object({
 var webhookFirewallAuthContract = c18.router({
   /**
    * POST /api/webhooks/agent/firewall/auth
-   * Resolve firewall auth templates and refresh OAuth tokens on demand.
+   * Resolve firewall auth templates and refresh access tokens on demand.
    */
   resolve: {
     method: "POST",
     path: "/api/webhooks/agent/firewall/auth",
     headers: authHeadersSchema,
     body: external_exports.object({
+      // Encrypted runtime secret namespace. After decryption, keys are the
+      // `NAME` in `${{ secrets.NAME }}`.
       encryptedSecrets: external_exports.string().min(1),
       authHeaders: external_exports.record(external_exports.string(), external_exports.string()),
       authBase: external_exports.string().optional(),
       authQuery: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+      // Maps firewall auth secret env aliases (the `NAME` in `${{ secrets.NAME }}`)
+      // to the connector or provider owner that can refresh/resolve access.
       secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+      // Same keys as secretConnectorMap; adds source details when the owner
+      // alone is not enough to locate access storage.
       secretConnectorMetadataMap: secretConnectorMetadataMapSchema.optional(),
       vars: external_exports.record(external_exports.string(), external_exports.string()).optional(),
       // Set by mitm from billableFirewalls. Server uses this only to bound
@@ -131180,6 +130909,247 @@ function getInstructionsFilename(framework) {
   return FRAMEWORK_INSTRUCTIONS_FILENAMES[validated];
 }
 
+// ../../packages/core/src/feature-switch-key.ts
+init_esm_shims();
+
+// ../../packages/core/src/feature-switch.ts
+init_esm_shims();
+
+// ../../packages/core/src/identity-hash.ts
+init_esm_shims();
+var STAFF_ORG_ID_HASHES = [
+  "afce210e"
+  // org_3ANttyrbWYJk6JKRSTRLEsbsDLe
+];
+
+// ../../packages/core/src/feature-switch.ts
+var FEATURE_SWITCHES = {
+  ["dummy" /* Dummy */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Test-only feature switch for flag system validation",
+    enabled: true
+  },
+  ["ahrefsConnector" /* AhrefsConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Ahrefs SEO connector",
+    enabled: false
+  },
+  ["bentomlConnector" /* BentomlConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the BentoML model serving connector",
+    enabled: false
+  },
+  ["canvaConnector" /* CanvaConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Canva design connector",
+    enabled: false
+  },
+  ["deelConnector" /* DeelConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Deel HR connector",
+    enabled: false
+  },
+  ["docusignConnector" /* DocuSignConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the DocuSign e-signature connector",
+    enabled: false
+  },
+  ["dropboxConnector" /* DropboxConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Dropbox file storage connector",
+    enabled: false
+  },
+  ["figmaConnector" /* FigmaConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Figma design connector",
+    enabled: false
+  },
+  ["mercuryConnector" /* MercuryConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Mercury banking connector",
+    enabled: false
+  },
+  ["neonConnector" /* NeonConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Neon serverless Postgres connector",
+    enabled: false
+  },
+  ["garminConnectConnector" /* GarminConnectConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Garmin Connect wellness connector",
+    enabled: false
+  },
+  ["redditConnector" /* RedditConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Reddit connector integration",
+    enabled: false
+  },
+  ["supabaseConnector" /* SupabaseConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Supabase database connector integration",
+    enabled: false
+  },
+  ["closeConnector" /* CloseConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Close CRM connector",
+    enabled: false
+  },
+  ["webflowConnector" /* WebflowConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Webflow site management connector",
+    enabled: false
+  },
+  ["outlookMailConnector" /* OutlookMailConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Outlook Mail connector",
+    enabled: false
+  },
+  ["outlookCalendarConnector" /* OutlookCalendarConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Outlook Calendar connector",
+    enabled: false
+  },
+  ["metaAdsConnector" /* MetaAdsConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Meta Ads Manager connector",
+    enabled: false
+  },
+  ["stripeConnector" /* StripeConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Stripe payment connector integration",
+    enabled: false
+  },
+  ["posthogConnector" /* PosthogConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the PostHog analytics connector",
+    enabled: false
+  },
+  ["mailchimpConnector" /* MailchimpConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Mailchimp email marketing connector",
+    enabled: false
+  },
+  ["resendConnector" /* ResendConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Resend email service connector",
+    enabled: false
+  },
+  ["spotifyConnector" /* SpotifyConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Spotify connector integration",
+    enabled: false
+  },
+  ["githubIntegration" /* GitHubIntegration */]: {
+    maintainer: "linghan@vm0.ai",
+    description: "Show the GitHub integration card on the Works page for installing GitHub, connecting users, and managing label listeners. Off by default; individuals opt in via the feature-switch overrides API.",
+    enabled: false
+  },
+  ["dataExport" /* DataExport */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Show the data export option in account menu",
+    enabled: false
+  },
+  ["zeroDebug" /* ZeroDebug */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Reveal activity debug surfaces, activity log navigation, appended system prompts, and Debug preferences",
+    enabled: false
+  },
+  ["computerUse" /* ComputerUse */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable remote desktop host registration",
+    enabled: false
+  },
+  ["larkConnector" /* LarkConnector */]: {
+    maintainer: "liangyou@vm0.ai",
+    description: "Enable the Lark connector while tenant access-token exchange is being repaired.",
+    enabled: false
+  },
+  ["lab" /* Lab */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Show the Lab page for toggling experimental features",
+    enabled: false,
+    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+  },
+  ["auditLink" /* AuditLink */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Show audit log links in integration replies",
+    enabled: false
+  },
+  ["audioOutput" /* AudioOutput */]: {
+    maintainer: "lancy@vm0.ai",
+    description: "Enable audio output in chat (TTS read-aloud + auto-read) \u2014 gates the volume/read buttons and the /api/zero/voice-io/tts route",
+    enabled: false
+  },
+  ["autoSkill" /* AutoSkill */]: {
+    maintainer: "lancy@vm0.ai",
+    description: "Enable automatic skill creation in agent prompts",
+    enabled: false
+  },
+  ["testOauthConnector" /* TestOauthConnector */]: {
+    maintainer: "liangyou@vm0.ai",
+    description: "Enable the test-oauth connector, a synthetic OAuth 2.0 provider used only for automated tests. Off in prod.",
+    enabled: false
+  },
+  ["chatHeaderNewButton" /* ChatHeaderNewButton */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Replace the Invite people button in the agent chat page header with a New button that creates a new chat thread",
+    enabled: false
+  },
+  ["chatMessageStartButton" /* ChatMessageStartButton */]: {
+    maintainer: "linghan@vm0.ai",
+    description: "Show an icon button in assistant message group actions that scrolls back to the start of that message group.",
+    enabled: false
+  },
+  ["chatThreadRename" /* ChatThreadRename */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Adds a Rename chat item to the sidebar thread kebab menu. When the user renames a thread, automated title generation is suppressed for that thread.",
+    enabled: false
+  },
+  ["freshdeskConnector" /* FreshdeskConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Freshdesk helpdesk connector",
+    enabled: false
+  },
+  ["stabilityAiConnector" /* StabilityAiConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Stability AI image generation connector",
+    enabled: false
+  },
+  ["zoomConnector" /* ZoomConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Zoom connector (OAuth 2.0) for meetings, past participants, and cloud recordings access",
+    enabled: false
+  },
+  ["apiKeys" /* ApiKeys */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Gate the custom /settings/api-keys UI for issuing personal access tokens used by the /api/v1 public surface. When disabled, the settings page redirects to / and the sidebar menu item is hidden. The backend /api/v1 verification does NOT consult this flag \u2014 previously issued PATs continue to work.",
+    enabled: false
+  },
+  ["apiBackend" /* ApiBackend */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Route platform API traffic to the api backend host instead of the www backend host. Unported endpoints continue through the api backend's web fallback proxy.",
+    enabled: false,
+    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+  },
+  ["zapierConnector" /* ZapierConnector */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Enable the Zapier connector. When disabled, Zapier is hidden from the connectors list and cannot be connected.",
+    enabled: false
+  },
+  ["sandboxIoLimiters" /* SandboxIoLimiters */]: {
+    maintainer: "liangyou@vm0.ai",
+    description: "Enable runner-provided disk and network device rate limiters for sandbox VMs.",
+    enabled: false,
+    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+  },
+  ["chatArtifactSidebar" /* ChatArtifactSidebar */]: {
+    maintainer: "ethan@vm0.ai",
+    description: "Replace the inline attachment text editor and modal lightbox with a single page-level artifact sidebar (50/50 with the chat thread area, URL-routed via ?artifact=, fullscreen-capable). When on, inline text/markdown attachments render as anchor chips, all preview chips route to the sidebar, and the artifacts drawer is hidden.",
+    enabled: false,
+    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+  }
+};
+
 // ../../packages/core/src/staff-org.ts
 init_esm_shims();
 
@@ -132545,7 +132515,6 @@ export {
   source_default,
   decodeCliTokenPayload,
   decodeZeroTokenPayload,
-  zeroTokenAllowsFeatureSwitch,
   loadConfig,
   saveConfig,
   getToken,
@@ -132732,4 +132701,4 @@ undici/lib/web/fetch/body.js:
 undici/lib/web/websocket/frame.js:
   (*! ws. MIT License. Einar Otto Stangvik <einaros@gmail.com> *)
 */
-//# sourceMappingURL=chunk-TPUYVLNY.js.map
+//# sourceMappingURL=chunk-JQ72VVQC.js.map