@vm0/cli 9.177.19 → 9.178.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/cli",
-  "version": "9.177.19",
+  "version": "9.178.0",
   "description": "CLI application",
   "repository": {
     "type": "git",

package/zero.js

@@ -148,7 +148,7 @@ import {
   upsertZeroOrgModelProvider,
   withErrorHandler,
   zeroAgentCustomSkillNameSchema
-} from "./chunk-4ILTCW7H.js";
+} from "./chunk-DPEOZVW6.js";
 import {
   __toESM,
   init_esm_shims
@@ -2978,6 +2978,66 @@ How connectors work:
 
 // src/commands/zero/doctor/permission-deny.ts
 init_esm_shims();
+
+// src/commands/zero/doctor/permission-context.ts
+init_esm_shims();
+var LEGACY_PERMISSION_GRANT_MODE = "legacy";
+function roleFromOrg(org) {
+  if (org.role === "admin") return "admin";
+  if (org.role === "member") return "member";
+  return "unknown";
+}
+function permissionGrantModeFromOrg(org) {
+  return org.permissionGrantMode ?? LEGACY_PERMISSION_GRANT_MODE;
+}
+async function resolveUserId() {
+  const zeroPayload = decodeZeroTokenPayload();
+  if (zeroPayload?.userId) return zeroPayload.userId;
+  const token = await getToken();
+  const cliPayload = decodeCliTokenPayload(token);
+  return cliPayload?.userId;
+}
+async function resolvePermissionGrantMode() {
+  try {
+    const org = await getZeroOrg();
+    return permissionGrantModeFromOrg(org);
+  } catch {
+    return LEGACY_PERMISSION_GRANT_MODE;
+  }
+}
+async function resolvePermissionChangeContext(agentId) {
+  try {
+    const org = await getZeroOrg();
+    const permissionGrantMode = permissionGrantModeFromOrg(org);
+    if (!agentId || permissionGrantMode === "user-grants") {
+      return {
+        role: roleFromOrg(org),
+        permissionGrantMode
+      };
+    }
+    if (org.role === "admin") {
+      return { role: "admin", permissionGrantMode };
+    }
+    if (org.role === "member") {
+      const userId = await resolveUserId();
+      if (userId) {
+        const agent = await getZeroAgent(agentId);
+        if (agent.ownerId === userId) {
+          return { role: "owner", permissionGrantMode };
+        }
+      }
+      return { role: "member", permissionGrantMode };
+    }
+    return { role: "unknown", permissionGrantMode };
+  } catch {
+    return {
+      role: "unknown",
+      permissionGrantMode: LEGACY_PERMISSION_GRANT_MODE
+    };
+  }
+}
+
+// src/commands/zero/doctor/permission-deny.ts
 var permissionDenyCommand = new Command().name("permission-deny").description(
   "Diagnose a permission denial and find the permission that covers it"
 ).argument("<connector-ref>", "The connector type (e.g. github)").addOption(
@@ -3031,8 +3091,11 @@ Notes:
         return (ruleCount.get(current) ?? Infinity) < (ruleCount.get(narrowest) ?? Infinity) ? current : narrowest;
       });
       console.log(`This is covered by the "${permission}" permission.`);
+      const permissionGrantMode = await resolvePermissionGrantMode();
+      const reasonArg = permissionGrantMode === "user-grants" ? "" : ' --reason "why this is needed"';
+      const actionVerb = permissionGrantMode === "user-grants" ? "allow" : "request";
       console.log(
-        `To request this permission, run: zero doctor permission-change ${connectorRef} --permission ${permission} --enable --reason "why this is needed"`
+        `To ${actionVerb} this permission, run: zero doctor permission-change ${connectorRef} --permission ${permission} --enable${reasonArg}`
       );
     }
   )
@@ -3040,36 +3103,6 @@ Notes:
 
 // src/commands/zero/doctor/permission-change.ts
 init_esm_shims();
-
-// src/commands/zero/doctor/resolve-role.ts
-init_esm_shims();
-async function resolveUserId() {
-  const zeroPayload = decodeZeroTokenPayload();
-  if (zeroPayload?.userId) return zeroPayload.userId;
-  const token = await getToken();
-  const cliPayload = decodeCliTokenPayload(token);
-  return cliPayload?.userId;
-}
-async function resolveAgentRole(agentId) {
-  try {
-    const org = await getZeroOrg();
-    if (org.role === "admin") return "admin";
-    if (org.role === "member") {
-      const userId = await resolveUserId();
-      if (userId) {
-        const agent = await getZeroAgent(agentId);
-        if (agent.ownerId === userId) return "owner";
-      }
-      return "member";
-    }
-    return "unknown";
-  } catch (error) {
-    console.debug("resolveAgentRole failed, falling back to unknown:", error);
-    return "unknown";
-  }
-}
-
-// src/commands/zero/doctor/permission-change.ts
 function findPermissionInConfig(ref, permissionName) {
   if (!isFirewallConnectorType(ref)) return false;
   const config = getConnectorFirewall(ref);
@@ -3082,23 +3115,15 @@ function findPermissionInConfig(ref, permissionName) {
   return false;
 }
 var REASON_MAX_LENGTH = 500;
-async function outputPermissionChangeMessage(connectorRef, permission, action, reason) {
-  const { label } = CONNECTOR_TYPES[connectorRef];
-  const platformOrigin = await getPlatformOrigin();
-  const agentId = process.env.ZERO_AGENT_ID;
-  const role = agentId ? await resolveAgentRole(agentId) : "unknown";
-  const urlParams = new URLSearchParams({
-    ref: connectorRef,
-    permission,
-    action: action === "enable" ? "allow" : "deny"
-  });
-  if (role === "member" && reason) {
-    const truncated = reason.length > REASON_MAX_LENGTH ? reason.slice(0, REASON_MAX_LENGTH) : reason;
-    urlParams.set("reason", truncated);
-  }
-  const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
-  const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
-  if (connectorRef === "slack" && permission === "chat:write" && action === "enable") {
+function addReasonParam(urlParams, role, usesUserGrants, reason) {
+  if (usesUserGrants || role !== "member" || !reason) return;
+  const truncated = reason.length > REASON_MAX_LENGTH ? reason.slice(0, REASON_MAX_LENGTH) : reason;
+  urlParams.set("reason", truncated);
+}
+function printSensitivePermissionGuidance(connectorRef, permission, action, usesUserGrants) {
+  if (action !== "enable") return;
+  const approvalWording = usesUserGrants ? "Only allow this permission below" : "Only request user approval below";
+  if (connectorRef === "slack" && permission === "chat:write") {
     console.log("");
     console.log(
       "IMPORTANT: Granting chat:write allows sending messages AS THE USER's identity, not as a bot."
@@ -3107,11 +3132,11 @@ async function outputPermissionChangeMessage(connectorRef, permission, action, r
       "Use `zero slack message send -c <channel> -t <text>` to send messages as the bot instead \u2014 this is the recommended approach for most use cases."
     );
     console.log(
-      "Only request user approval below if acting as the user is specifically required."
+      `${approvalWording} if acting as the user is specifically required.`
     );
     console.log("");
   }
-  if (connectorRef === "gmail" && permission === "gmail.send" && action === "enable") {
+  if (connectorRef === "gmail" && permission === "gmail.send") {
     console.log("");
     console.log(
       "IMPORTANT: Granting gmail.send allows the agent to send emails directly as the user."
@@ -3120,51 +3145,98 @@ async function outputPermissionChangeMessage(connectorRef, permission, action, r
       "Consider keeping gmail.send disabled and using gmail.compose instead \u2014 the agent can create drafts for the user to review and send manually."
     );
     console.log(
-      "Only request user approval below if direct sending is specifically required."
+      `${approvalWording} if direct sending is specifically required.`
     );
     console.log("");
   }
-  if (role === "admin" || role === "owner") {
+}
+function printPermissionActionMessage(args) {
+  if (args.usesUserGrants) {
+    const grantAction = args.action === "enable" ? "allow" : "deny";
     console.log(
-      `You can ${action} the "${permission}" permission directly: [Manage ${label} permissions](${url})`
+      `You can ${grantAction} the "${args.permission}" permission for your connector access: [Manage ${args.label} permissions](${args.url})`
     );
-  } else if (role === "member") {
-    if (!reason) {
-      console.log(
-        `IMPORTANT: Re-run with \`--reason "one sentence why this is needed"\` so the admin can review your request faster.`
-      );
-    } else if (action === "enable") {
-      console.log(
-        `Permission changes require admin approval. Request access at: [Request ${label} access](${url})`
-      );
-    } else {
-      console.log(
-        `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${label} permissions](${url})`
-      );
-    }
-  } else {
+    return;
+  }
+  if (args.role === "admin" || args.role === "owner") {
+    console.log(
+      `You can ${args.action} the "${args.permission}" permission directly: [Manage ${args.label} permissions](${args.url})`
+    );
+    return;
+  }
+  if (args.role !== "member") {
+    console.log(
+      `To ${args.action} the "${args.permission}" permission for ${args.label}: [Manage ${args.label} permissions](${args.url})`
+    );
+    return;
+  }
+  if (!args.reason) {
+    console.log(
+      `IMPORTANT: Re-run with \`--reason "one sentence why this is needed"\` so the admin can review your request faster.`
+    );
+    return;
+  }
+  if (args.action === "enable") {
     console.log(
-      `To ${action} the "${permission}" permission for ${label}: [Manage ${label} permissions](${url})`
+      `Permission changes require admin approval. Request access at: [Request ${args.label} access](${args.url})`
     );
+    return;
   }
+  console.log(
+    `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${args.label} permissions](${args.url})`
+  );
 }
-var permissionChangeCommand = new Command().name("permission-change").description("Request a permission change (enable or disable)").argument("<connector-ref>", "The connector type (e.g. github)").addOption(
+async function outputPermissionChangeMessage(connectorRef, permission, action, reason) {
+  const { label } = CONNECTOR_TYPES[connectorRef];
+  const platformOrigin = await getPlatformOrigin();
+  const agentId = process.env.ZERO_AGENT_ID;
+  const context = await resolvePermissionChangeContext(agentId || void 0);
+  const role = context.role;
+  const permissionGrantMode = context.permissionGrantMode;
+  const usesUserGrants = permissionGrantMode === "user-grants";
+  const urlParams = new URLSearchParams({
+    ref: connectorRef,
+    permission,
+    action: action === "enable" ? "allow" : "deny"
+  });
+  addReasonParam(urlParams, role, usesUserGrants, reason);
+  const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
+  const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
+  printSensitivePermissionGuidance(
+    connectorRef,
+    permission,
+    action,
+    usesUserGrants
+  );
+  printPermissionActionMessage({
+    usesUserGrants,
+    action,
+    role,
+    permission,
+    label,
+    url,
+    reason
+  });
+}
+var permissionChangeCommand = new Command().name("permission-change").description("Change or request a permission (enable or disable)").argument("<connector-ref>", "The connector type (e.g. github)").addOption(
   new Option(
     "--permission <name>",
     "The permission name to change"
   ).makeOptionMandatory()
 ).addOption(
-  new Option("--enable", "Request to enable the permission").conflicts(
-    "disable"
-  )
+  new Option(
+    "--enable",
+    "Enable or request enabling the permission"
+  ).conflicts("disable")
 ).addOption(
-  new Option("--disable", "Request to disable the permission").conflicts(
-    "enable"
-  )
+  new Option(
+    "--disable",
+    "Disable or request disabling the permission"
+  ).conflicts("enable")
 ).addOption(
   new Option(
     "--reason <text>",
-    "Brief reason why the permission is needed (max 500 chars)"
+    "Brief reason for admin approval requests (max 500 chars)"
   )
 ).addHelpText(
   "after",
@@ -3175,7 +3247,7 @@ Examples:
 
 Notes:
   - Outputs a platform URL for the user to adjust the permission
-  - Admins can change permissions directly; members must request approval`
+  - Depending on rollout state, members either request approval or manage their own permission grants`
 ).action(
   withErrorHandler(
     async (connectorRef, opts) => {
@@ -13229,7 +13301,7 @@ function registerZeroCommands(prog, commands) {
 var program = new Command();
 program.name("zero").description(
   "Zero CLI \u2014 interact with the zero platform from inside the sandbox"
-).version("9.177.19").addHelpText("after", () => {
+).version("9.178.0").addHelpText("after", () => {
   return buildZeroHelpText();
 });
 if (process.argv[1]?.endsWith("zero.js") || process.argv[1]?.endsWith("zero.ts") || process.argv[1]?.endsWith("zero")) {