@vm0/cli 9.177.19 → 9.179.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/cli",
-  "version": "9.177.19",
+  "version": "9.179.0",
   "description": "CLI application",
   "repository": {
     "type": "git",

package/zero.js

@@ -11,6 +11,7 @@ import {
   InvalidArgumentError,
   MODEL_PROVIDER_TYPES,
   Option,
+  callZeroBanking,
   callZeroMaps,
   completeGithubFileUpload,
   completeHostedSite,
@@ -61,11 +62,11 @@ import {
   getConnectorAuthMethod,
   getConnectorAuthMethodScopeDiff,
   getConnectorEnvBindingEntries,
-  getConnectorEnvNamesForSecret,
   getConnectorFirewall,
   getConnectorGenerationTypes,
-  getConnectorTypeForSecretName,
+  getConnectorStoredSecretDisplayInfo,
   getDefaultAuthMethod,
+  getDiagnosticConnectorTypeForRuntimeEnvName,
   getGithubInstallation,
   getSecretsForAuthMethod,
   getSelectableProviderTypes,
@@ -148,7 +149,7 @@ import {
   upsertZeroOrgModelProvider,
   withErrorHandler,
   zeroAgentCustomSkillNameSchema
-} from "./chunk-4ILTCW7H.js";
+} from "./chunk-KC3JLLAV.js";
 import {
   __toESM,
   init_esm_shims
@@ -2905,14 +2906,14 @@ How connectors work:
       console.log(`  Relative path:    ${urlLookup.relativePath}`);
       console.log(`  Environment name:  ${envName}`);
     } else {
-      connectorType = getConnectorTypeForSecretName(
-        envName = opts.envName
-      );
-      if (!connectorType) {
+      envName = opts.envName;
+      const resolvedConnectorType = getDiagnosticConnectorTypeForRuntimeEnvName(envName);
+      if (!resolvedConnectorType) {
         throw new Error(
           `Unknown environment name: ${envName} \u2014 not managed by any connector`
         );
       }
+      connectorType = resolvedConnectorType;
       console.log(
         `${envName} is managed by the ${CONNECTOR_TYPES[connectorType].label} connector (type: ${connectorType}).`
       );
@@ -2978,6 +2979,66 @@ How connectors work:
 
 // src/commands/zero/doctor/permission-deny.ts
 init_esm_shims();
+
+// src/commands/zero/doctor/permission-context.ts
+init_esm_shims();
+var LEGACY_PERMISSION_GRANT_MODE = "legacy";
+function roleFromOrg(org) {
+  if (org.role === "admin") return "admin";
+  if (org.role === "member") return "member";
+  return "unknown";
+}
+function permissionGrantModeFromOrg(org) {
+  return org.permissionGrantMode ?? LEGACY_PERMISSION_GRANT_MODE;
+}
+async function resolveUserId() {
+  const zeroPayload = decodeZeroTokenPayload();
+  if (zeroPayload?.userId) return zeroPayload.userId;
+  const token = await getToken();
+  const cliPayload = decodeCliTokenPayload(token);
+  return cliPayload?.userId;
+}
+async function resolvePermissionGrantMode() {
+  try {
+    const org = await getZeroOrg();
+    return permissionGrantModeFromOrg(org);
+  } catch {
+    return LEGACY_PERMISSION_GRANT_MODE;
+  }
+}
+async function resolvePermissionChangeContext(agentId) {
+  try {
+    const org = await getZeroOrg();
+    const permissionGrantMode = permissionGrantModeFromOrg(org);
+    if (!agentId || permissionGrantMode === "user-grants") {
+      return {
+        role: roleFromOrg(org),
+        permissionGrantMode
+      };
+    }
+    if (org.role === "admin") {
+      return { role: "admin", permissionGrantMode };
+    }
+    if (org.role === "member") {
+      const userId = await resolveUserId();
+      if (userId) {
+        const agent = await getZeroAgent(agentId);
+        if (agent.ownerId === userId) {
+          return { role: "owner", permissionGrantMode };
+        }
+      }
+      return { role: "member", permissionGrantMode };
+    }
+    return { role: "unknown", permissionGrantMode };
+  } catch {
+    return {
+      role: "unknown",
+      permissionGrantMode: LEGACY_PERMISSION_GRANT_MODE
+    };
+  }
+}
+
+// src/commands/zero/doctor/permission-deny.ts
 var permissionDenyCommand = new Command().name("permission-deny").description(
   "Diagnose a permission denial and find the permission that covers it"
 ).argument("<connector-ref>", "The connector type (e.g. github)").addOption(
@@ -3031,8 +3092,11 @@ Notes:
         return (ruleCount.get(current) ?? Infinity) < (ruleCount.get(narrowest) ?? Infinity) ? current : narrowest;
       });
       console.log(`This is covered by the "${permission}" permission.`);
+      const permissionGrantMode = await resolvePermissionGrantMode();
+      const reasonArg = permissionGrantMode === "user-grants" ? "" : ' --reason "why this is needed"';
+      const actionVerb = permissionGrantMode === "user-grants" ? "allow" : "request";
       console.log(
-        `To request this permission, run: zero doctor permission-change ${connectorRef} --permission ${permission} --enable --reason "why this is needed"`
+        `To ${actionVerb} this permission, run: zero doctor permission-change ${connectorRef} --permission ${permission} --enable${reasonArg}`
       );
     }
   )
@@ -3040,36 +3104,6 @@ Notes:
 
 // src/commands/zero/doctor/permission-change.ts
 init_esm_shims();
-
-// src/commands/zero/doctor/resolve-role.ts
-init_esm_shims();
-async function resolveUserId() {
-  const zeroPayload = decodeZeroTokenPayload();
-  if (zeroPayload?.userId) return zeroPayload.userId;
-  const token = await getToken();
-  const cliPayload = decodeCliTokenPayload(token);
-  return cliPayload?.userId;
-}
-async function resolveAgentRole(agentId) {
-  try {
-    const org = await getZeroOrg();
-    if (org.role === "admin") return "admin";
-    if (org.role === "member") {
-      const userId = await resolveUserId();
-      if (userId) {
-        const agent = await getZeroAgent(agentId);
-        if (agent.ownerId === userId) return "owner";
-      }
-      return "member";
-    }
-    return "unknown";
-  } catch (error) {
-    console.debug("resolveAgentRole failed, falling back to unknown:", error);
-    return "unknown";
-  }
-}
-
-// src/commands/zero/doctor/permission-change.ts
 function findPermissionInConfig(ref, permissionName) {
   if (!isFirewallConnectorType(ref)) return false;
   const config = getConnectorFirewall(ref);
@@ -3082,23 +3116,15 @@ function findPermissionInConfig(ref, permissionName) {
   return false;
 }
 var REASON_MAX_LENGTH = 500;
-async function outputPermissionChangeMessage(connectorRef, permission, action, reason) {
-  const { label } = CONNECTOR_TYPES[connectorRef];
-  const platformOrigin = await getPlatformOrigin();
-  const agentId = process.env.ZERO_AGENT_ID;
-  const role = agentId ? await resolveAgentRole(agentId) : "unknown";
-  const urlParams = new URLSearchParams({
-    ref: connectorRef,
-    permission,
-    action: action === "enable" ? "allow" : "deny"
-  });
-  if (role === "member" && reason) {
-    const truncated = reason.length > REASON_MAX_LENGTH ? reason.slice(0, REASON_MAX_LENGTH) : reason;
-    urlParams.set("reason", truncated);
-  }
-  const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
-  const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
-  if (connectorRef === "slack" && permission === "chat:write" && action === "enable") {
+function addReasonParam(urlParams, role, usesUserGrants, reason) {
+  if (usesUserGrants || role !== "member" || !reason) return;
+  const truncated = reason.length > REASON_MAX_LENGTH ? reason.slice(0, REASON_MAX_LENGTH) : reason;
+  urlParams.set("reason", truncated);
+}
+function printSensitivePermissionGuidance(connectorRef, permission, action, usesUserGrants) {
+  if (action !== "enable") return;
+  const approvalWording = usesUserGrants ? "Only allow this permission below" : "Only request user approval below";
+  if (connectorRef === "slack" && permission === "chat:write") {
     console.log("");
     console.log(
       "IMPORTANT: Granting chat:write allows sending messages AS THE USER's identity, not as a bot."
@@ -3107,11 +3133,11 @@ async function outputPermissionChangeMessage(connectorRef, permission, action, r
       "Use `zero slack message send -c <channel> -t <text>` to send messages as the bot instead \u2014 this is the recommended approach for most use cases."
     );
     console.log(
-      "Only request user approval below if acting as the user is specifically required."
+      `${approvalWording} if acting as the user is specifically required.`
     );
     console.log("");
   }
-  if (connectorRef === "gmail" && permission === "gmail.send" && action === "enable") {
+  if (connectorRef === "gmail" && permission === "gmail.send") {
     console.log("");
     console.log(
       "IMPORTANT: Granting gmail.send allows the agent to send emails directly as the user."
@@ -3120,51 +3146,98 @@ async function outputPermissionChangeMessage(connectorRef, permission, action, r
       "Consider keeping gmail.send disabled and using gmail.compose instead \u2014 the agent can create drafts for the user to review and send manually."
     );
     console.log(
-      "Only request user approval below if direct sending is specifically required."
+      `${approvalWording} if direct sending is specifically required.`
     );
     console.log("");
   }
-  if (role === "admin" || role === "owner") {
+}
+function printPermissionActionMessage(args) {
+  if (args.usesUserGrants) {
+    const grantAction = args.action === "enable" ? "allow" : "deny";
     console.log(
-      `You can ${action} the "${permission}" permission directly: [Manage ${label} permissions](${url})`
+      `You can ${grantAction} the "${args.permission}" permission for your connector access: [Manage ${args.label} permissions](${args.url})`
     );
-  } else if (role === "member") {
-    if (!reason) {
-      console.log(
-        `IMPORTANT: Re-run with \`--reason "one sentence why this is needed"\` so the admin can review your request faster.`
-      );
-    } else if (action === "enable") {
-      console.log(
-        `Permission changes require admin approval. Request access at: [Request ${label} access](${url})`
-      );
-    } else {
-      console.log(
-        `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${label} permissions](${url})`
-      );
-    }
-  } else {
+    return;
+  }
+  if (args.role === "admin" || args.role === "owner") {
+    console.log(
+      `You can ${args.action} the "${args.permission}" permission directly: [Manage ${args.label} permissions](${args.url})`
+    );
+    return;
+  }
+  if (args.role !== "member") {
+    console.log(
+      `To ${args.action} the "${args.permission}" permission for ${args.label}: [Manage ${args.label} permissions](${args.url})`
+    );
+    return;
+  }
+  if (!args.reason) {
     console.log(
-      `To ${action} the "${permission}" permission for ${label}: [Manage ${label} permissions](${url})`
+      `IMPORTANT: Re-run with \`--reason "one sentence why this is needed"\` so the admin can review your request faster.`
     );
+    return;
   }
+  if (args.action === "enable") {
+    console.log(
+      `Permission changes require admin approval. Request access at: [Request ${args.label} access](${args.url})`
+    );
+    return;
+  }
+  console.log(
+    `Permission changes require admin approval. Contact an org admin to disable this permission: [View ${args.label} permissions](${args.url})`
+  );
+}
+async function outputPermissionChangeMessage(connectorRef, permission, action, reason) {
+  const { label } = CONNECTOR_TYPES[connectorRef];
+  const platformOrigin = await getPlatformOrigin();
+  const agentId = process.env.ZERO_AGENT_ID;
+  const context = await resolvePermissionChangeContext(agentId || void 0);
+  const role = context.role;
+  const permissionGrantMode = context.permissionGrantMode;
+  const usesUserGrants = permissionGrantMode === "user-grants";
+  const urlParams = new URLSearchParams({
+    ref: connectorRef,
+    permission,
+    action: action === "enable" ? "allow" : "deny"
+  });
+  addReasonParam(urlParams, role, usesUserGrants, reason);
+  const pagePath = agentId ? `/agents/${agentId}/permissions` : "/agents";
+  const url = `${platformOrigin}${pagePath}?${urlParams.toString()}`;
+  printSensitivePermissionGuidance(
+    connectorRef,
+    permission,
+    action,
+    usesUserGrants
+  );
+  printPermissionActionMessage({
+    usesUserGrants,
+    action,
+    role,
+    permission,
+    label,
+    url,
+    reason
+  });
 }
-var permissionChangeCommand = new Command().name("permission-change").description("Request a permission change (enable or disable)").argument("<connector-ref>", "The connector type (e.g. github)").addOption(
+var permissionChangeCommand = new Command().name("permission-change").description("Change or request a permission (enable or disable)").argument("<connector-ref>", "The connector type (e.g. github)").addOption(
   new Option(
     "--permission <name>",
     "The permission name to change"
   ).makeOptionMandatory()
 ).addOption(
-  new Option("--enable", "Request to enable the permission").conflicts(
-    "disable"
-  )
+  new Option(
+    "--enable",
+    "Enable or request enabling the permission"
+  ).conflicts("disable")
 ).addOption(
-  new Option("--disable", "Request to disable the permission").conflicts(
-    "enable"
-  )
+  new Option(
+    "--disable",
+    "Disable or request disabling the permission"
+  ).conflicts("enable")
 ).addOption(
   new Option(
     "--reason <text>",
-    "Brief reason why the permission is needed (max 500 chars)"
+    "Brief reason for admin approval requests (max 500 chars)"
   )
 ).addHelpText(
   "after",
@@ -3175,7 +3248,7 @@ Examples:
 
 Notes:
   - Outputs a platform URL for the user to adjust the permission
-  - Admins can change permissions directly; members must request approval`
+  - Depending on rollout state, members either request approval or manage their own permission grants`
 ).action(
   withErrorHandler(
     async (connectorRef, opts) => {
@@ -4429,7 +4502,7 @@ var listCommand8 = new Command().name("list").alias("ls").description("List all
       if (secret.type === "model-provider") {
         typeIndicator = source_default.dim(" [model-provider]");
       } else if (secret.type === "connector") {
-        const derived = getConnectorEnvNamesForSecret(secret.name);
+        const derived = getConnectorStoredSecretDisplayInfo(secret.name);
         if (derived) {
           typeIndicator = source_default.dim(` [${derived.connectorLabel} connector]`);
           derivedLine = source_default.dim(
@@ -4439,7 +4512,7 @@ var listCommand8 = new Command().name("list").alias("ls").description("List all
           typeIndicator = source_default.dim(" [connector]");
         }
       } else if (secret.type === "user") {
-        const derived = getConnectorEnvNamesForSecret(secret.name);
+        const derived = getConnectorStoredSecretDisplayInfo(secret.name);
         if (derived) {
           typeIndicator = source_default.dim(` [${derived.connectorLabel} connector]`);
           derivedLine = source_default.dim(
@@ -9929,6 +10002,30 @@ var RESOURCE_REGISTRY = [
       path: "illustration-template/iberian-vignette"
     }
   },
+  {
+    id: "image-style:cozy-parlor",
+    kind: "image-style",
+    name: "Cozy Parlor",
+    description: "Hand-painted watercolor + ink-line scene \u2014 one anthropomorphic animal in a quiet domestic interior, clean cool-white paper, neutral palette with one hot accent pop.",
+    desc: "Hand-painted watercolor + brushy black ink line on clean cool-white paper (no amber tint). ONE anthropomorphic animal mid-quiet-activity in a domestic interior. Closed-crescent-eye smile, minimal facial features, expression through posture. At least two patterned surfaces per piece. Cool/neutral palette lead (sage, slate-blue, cornflower, lavender, mint, dove-gray) with a single hot accent pop (cherry-red, mustard, magenta-pink) on one object. Six dials per brief \u2014 cast, activity, palette family, pattern motif stack, hot accent object, and complexity (L1/L2/L3). Trigger when user says /cozy-parlor, asks for a 'cozy parlor illustration', a 'watercolor animal scene', a 'picture-book interior', or a new piece in this neutral-palette watercolor style.",
+    source: {
+      repo: VM0_SKILLS_REPO,
+      ref: VM0_SKILLS_REF,
+      path: "illustration-template/cozy-parlor"
+    }
+  },
+  {
+    id: "image-style:crowd-ink",
+    kind: "image-style",
+    name: "Crowd Ink",
+    description: "Hand-drawn editorial crowd illustration \u2014 sketchy black ink contours over flat 3-color spot fills on pure white, scene-as-metaphor composition.",
+    desc: 'Hand-drawn editorial crowd illustration style \u2014 confident sketchy black ink contour lines with slightly irregular weight, flat 3-color spot fills sitting under or beside the ink lines (edges allowed to misregister slightly), on a PURE WHITE background (never cream). Fine-line backdrop drawn lighter than the foreground figures, scattered atmospheric marks in negative space (birds / leaves / steam / confetti / dots), and a scene-as-metaphor composition with a cast that varies per piece. Six dials per brief \u2014 palette (tested families: urban editorial / cool transit / warm natural / cozy interior), scene metaphor, complexity (L2 small group of 3\u20135 / L3 full crowd of 8\u201310), cast, backdrop, atmospheric motif. Trigger when the user says /crowd-ink, asks for a "crowd-ink illustration", "editorial crowd scene", "hand-drawn ink-and-spot-color illustration", "New-Yorker-style crowd vignette", or briefs with palette + scene metaphor + complexity level.',
+    source: {
+      repo: VM0_SKILLS_REPO,
+      ref: VM0_SKILLS_REF,
+      path: "illustration-template/crowd-ink"
+    }
+  },
   {
     id: "image-style:ink-storefront",
     kind: "image-style",
@@ -12982,6 +13079,99 @@ Notes:
   - Use --fields essentials for place details unless pro fields are required`
 );
 
+// src/commands/zero/banking/index.ts
+init_esm_shims();
+function parseLimit5(value) {
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > 1e3) {
+    throw new InvalidArgumentError("limit must be between 1 and 1000");
+  }
+  return parsed;
+}
+function parseDateOnly(value) {
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(value)) {
+    throw new InvalidArgumentError("date must be formatted as YYYY-MM-DD");
+  }
+  return value;
+}
+function renderBankingResponse(label, response) {
+  console.log(source_default.green(`\u2713 ${label}`));
+  console.log(source_default.dim(`  Provider: ${response.provider}`));
+  if (response.accounts) {
+    console.log(JSON.stringify(response.accounts, null, 2));
+    return;
+  }
+  if (response.balance) {
+    console.log(JSON.stringify(response.balance, null, 2));
+    return;
+  }
+  console.log(JSON.stringify(response.transactions ?? [], null, 2));
+}
+async function runBankingRequest(label, operation, payload, options) {
+  const response = await callZeroBanking(operation, payload);
+  if (options.json) {
+    console.log(JSON.stringify(response));
+    return;
+  }
+  renderBankingResponse(label, response);
+}
+var accountsCommand = new Command().name("accounts").description("List enabled banking accounts").option("--json", "Print the raw banking response as JSON").action(
+  withErrorHandler(async (options) => {
+    await runBankingRequest(
+      "Banking accounts loaded",
+      "accounts",
+      {},
+      options
+    );
+  })
+);
+var balancesCommand = new Command().name("balances").description("Read an enabled account balance").requiredOption("--account-id <id>", "Enabled provider account ID").option("--json", "Print the raw banking response as JSON").action(
+  withErrorHandler(async (options) => {
+    await runBankingRequest(
+      "Banking balance loaded",
+      "balances",
+      { accountId: options.accountId },
+      options
+    );
+  })
+);
+var transactionsCommand = new Command().name("transactions").description("Read transactions for an enabled account").requiredOption("--account-id <id>", "Enabled provider account ID").requiredOption(
+  "--from <date>",
+  "Start date, formatted as YYYY-MM-DD",
+  parseDateOnly
+).requiredOption(
+  "--to <date>",
+  "End date, formatted as YYYY-MM-DD",
+  parseDateOnly
+).option("--limit <n>", "Maximum transactions to return", parseLimit5, 100).option("--json", "Print the raw banking response as JSON").action(
+  withErrorHandler(async (options) => {
+    await runBankingRequest(
+      "Banking transactions loaded",
+      "transactions",
+      {
+        accountId: options.accountId,
+        from: options.from,
+        to: options.to,
+        limit: options.limit
+      },
+      options
+    );
+  })
+);
+var zeroBankingCommand = new Command().name("banking").description("Use managed zero banking services").addCommand(accountsCommand).addCommand(balancesCommand).addCommand(transactionsCommand).addHelpText(
+  "after",
+  `
+Examples:
+  List accounts:      zero banking accounts --json
+  Get balance:        zero banking balances --account-id <id> --json
+  Get transactions:   zero banking transactions --account-id <id> --from 2026-01-01 --to 2026-01-31 --json
+
+Notes:
+  - Authenticates via ZERO_TOKEN (requires banking:read capability)
+  - Finicity credentials and app tokens stay on the vm0 API server
+  - Access is limited to accounts enabled for the current agent`
+);
+
 // src/commands/zero/model/index.ts
 init_esm_shims();
 
@@ -13141,7 +13331,8 @@ var COMMAND_CAPABILITY_MAP = {
   generate: null,
   web: null,
   host: "host:write",
-  maps: "maps:read"
+  maps: "maps:read",
+  banking: "banking:read"
 };
 var DEFAULT_COMMANDS = [
   zeroOrgCommand,
@@ -13170,7 +13361,8 @@ var DEFAULT_COMMANDS = [
   generateCommand,
   zeroWebCommand,
   zeroHostCommand,
-  zeroMapsCommand
+  zeroMapsCommand,
+  zeroBankingCommand
 ];
 function shouldHideCommand(name, payload) {
   if (!payload) return false;
@@ -13212,6 +13404,7 @@ function buildZeroHelpText(payload = decodeZeroTokenPayload()) {
     ...shouldHideCommand("maps", payload) ? [] : [
       '  Get directions?       zero maps directions --origin "SFO" --destination "Mountain View" --json'
     ],
+    ...shouldHideCommand("banking", payload) ? [] : ["  Read bank data?       zero banking accounts --json"],
     "  Check your identity?   zero whoami"
   ];
   return `
@@ -13229,7 +13422,7 @@ function registerZeroCommands(prog, commands) {
 var program = new Command();
 program.name("zero").description(
   "Zero CLI \u2014 interact with the zero platform from inside the sandbox"
-).version("9.177.19").addHelpText("after", () => {
+).version("9.179.0").addHelpText("after", () => {
   return buildZeroHelpText();
 });
 if (process.argv[1]?.endsWith("zero.js") || process.argv[1]?.endsWith("zero.ts") || process.argv[1]?.endsWith("zero")) {