@vm0/cli 9.56.10 → 9.57.1

package/index.js

@@ -45,7 +45,7 @@ if (DSN) {
   Sentry.init({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.56.10",
+    release: "9.57.1",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -64,7 +64,7 @@ if (DSN) {
     }
   });
   Sentry.setContext("cli", {
-    version: "9.56.10",
+    version: "9.57.1",
     command: process.argv.slice(2).join(" ")
   });
   Sentry.setContext("runtime", {
@@ -372,16 +372,16 @@ async function getClientConfig() {
   const baseUrl = await getBaseUrl();
   const baseHeaders = await getHeaders();
   const config = await loadConfig();
-  const activeScope = config.activeScope;
-  if (activeScope) {
+  const activeOrg = config.activeOrg;
+  if (activeOrg) {
     return {
       baseUrl,
       baseHeaders,
       jsonQuery: false,
       api: async (args) => {
         const separator = args.path.includes("?") ? "&" : "?";
-        if (!args.path.includes("scope=")) {
-          args.path = `${args.path}${separator}scope=${encodeURIComponent(activeScope)}`;
+        if (!args.path.includes("org=")) {
+          args.path = `${args.path}${separator}org=${encodeURIComponent(activeOrg)}`;
         }
         return tsRestFetchApi(args);
       }
@@ -666,7 +666,7 @@ function getConfigPath() {
   return join2(homedir2(), ".vm0", "config.json");
 }
 var infoCommand = new Command6().name("info").description("Display environment and debug information").action(async () => {
-  console.log(chalk4.bold(`VM0 CLI v${"9.56.10"}`));
+  console.log(chalk4.bold(`VM0 CLI v${"9.57.1"}`));
   console.log();
   const config = await loadConfig();
   const hasEnvToken = !!process.env.VM0_TOKEN;
@@ -792,7 +792,7 @@ var experimentalFirewallSchema = z3.object({
 });
 var runnerGroupSchema = z3.string().regex(
   /^[a-z0-9-]+\/[a-z0-9-]+$/,
-  "Runner group must be in scope/name format (e.g., acme/production)"
+  "Runner group must be in org/name format (e.g., acme/production)"
 );
 var jobSchema = z3.object({
   runId: z3.string().uuid(),
@@ -832,9 +832,12 @@ var serviceApiEntrySchema = z3.object({
   }),
   permissions: z3.array(servicePermissionSchema).optional()
 });
-var experimentalServicesSchema = z3.object({
+var serviceEntrySchema = z3.object({
+  name: z3.string(),
+  ref: z3.string(),
   apis: z3.array(serviceApiEntrySchema)
 });
+var experimentalServicesSchema = z3.array(serviceEntrySchema);
 var storageEntrySchema = z3.object({
   mountPath: z3.string(),
   archiveUrl: z3.string().nullable()
@@ -869,9 +872,9 @@ var storedExecutionContextSchema = z3.object({
   apiStartTime: z3.number().optional(),
   // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
   userTimezone: z3.string().optional(),
-  // Agent metadata for VM0_AGENT_NAME and VM0_AGENT_SCOPE env vars
+  // Agent metadata for VM0_AGENT_NAME and VM0_AGENT_ORG env vars
   agentName: z3.string().optional(),
-  agentScopeSlug: z3.string().optional(),
+  agentOrgSlug: z3.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
   memoryName: z3.string().optional(),
   // Experimental services for proxy-side token replacement
@@ -903,7 +906,7 @@ var executionContextSchema = z3.object({
   userTimezone: z3.string().optional(),
   // Agent metadata
   agentName: z3.string().optional(),
-  agentScopeSlug: z3.string().optional(),
+  agentOrgSlug: z3.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
   memoryName: z3.string().optional(),
   // Experimental services for proxy-side token replacement
@@ -975,7 +978,7 @@ var agentDefinitionSchema = z4.object({
   experimental_runner: z4.object({
     group: z4.string().regex(
       /^[a-z0-9-]+\/[a-z0-9-]+$/,
-      "Runner group must be in scope/name format (e.g., acme/production)"
+      "Runner group must be in org/name format (e.g., acme/production)"
     )
   }).optional(),
   /**
@@ -986,9 +989,15 @@ var agentDefinitionSchema = z4.object({
   experimental_firewall: experimentalFirewallSchema.optional(),
   /**
    * External services for proxy-side token replacement.
-   * CLI input: string[] (e.g., ["github", "slack"]) — expanded by CLI to full objects before API call.
+   * CLI input: map format { slack: { permissions: [...] | "all" } }
+   * — expanded by CLI to full ExpandedServiceConfig[] before API call.
    */
-  experimental_services: z4.array(z4.string()).optional(),
+  experimental_services: z4.record(
+    z4.string(),
+    z4.object({
+      permissions: z4.union([z4.literal("all"), z4.array(z4.string()).min(1)])
+    })
+  ).optional(),
   /**
    * Agent metadata for display and personalization.
    * - displayName: Human-readable name shown in the UI (preserves original casing).
@@ -996,6 +1005,7 @@ var agentDefinitionSchema = z4.object({
    */
   metadata: z4.object({
     displayName: z4.string().optional(),
+    description: z4.string().optional(),
     sound: z4.string().optional()
   }).optional(),
   /**
@@ -1016,12 +1026,15 @@ var agentComposeContentSchema = z4.object({
 });
 var expandedServiceConfigSchema = z4.object({
   name: z4.string(),
+  ref: z4.string(),
+  description: z4.string().optional(),
   apis: z4.array(
     z4.object({
       base: z4.string(),
       auth: z4.object({
         headers: z4.record(z4.string(), z4.string())
-      })
+      }),
+      permissions: z4.array(servicePermissionSchema).optional()
     })
   ),
   placeholders: z4.record(z4.string(), z4.string()).optional()
@@ -1053,9 +1066,9 @@ var createComposeResponseSchema = z4.object({
 });
 var composesMainContract = c2.router({
   /**
-   * GET /api/agent/composes?name={name}&scope={scope}
+   * GET /api/agent/composes?name={name}&org={org}
    * Get agent compose by name with HEAD version content
-   * If scope is not provided, uses the authenticated user's default scope
+   * If org is not provided, uses the authenticated user's default org
    */
   getByName: {
     method: "GET",
@@ -1063,7 +1076,6 @@ var composesMainContract = c2.router({
     headers: authHeadersSchema,
     query: z4.object({
       name: z4.string().min(1, "Missing name query parameter"),
-      scope: z4.string().optional(),
       org: z4.string().optional()
     }),
     responses: {
@@ -1166,22 +1178,22 @@ var composeListItemSchema = z4.object({
   id: z4.string(),
   name: z4.string(),
   displayName: z4.string().nullable().optional(),
+  description: z4.string().nullable().optional(),
   headVersionId: z4.string().nullable(),
   updatedAt: z4.string(),
   isOwner: z4.boolean()
 });
 var composesListContract = c2.router({
   /**
-   * GET /api/agent/composes/list?scope={scope}
-   * List all agent composes for a scope
-   * If scope is not provided, uses the authenticated user's default scope
+   * GET /api/agent/composes/list?org={org}
+   * List all agent composes for an org
+   * If org is not provided, uses the authenticated user's default org
    */
   list: {
     method: "GET",
     path: "/api/agent/composes/list",
     headers: authHeadersSchema,
     query: z4.object({
-      scope: z4.string().optional(),
       org: z4.string().optional()
     }),
     responses: {
@@ -1191,7 +1203,7 @@ var composesListContract = c2.router({
       400: apiErrorSchema,
       401: apiErrorSchema
     },
-    summary: "List all agent composes for a scope"
+    summary: "List all agent composes for an org"
   }
 });
 
@@ -2269,51 +2281,51 @@ var cronCleanupSandboxesContract = c8.router({
   }
 });
 
-// ../../packages/core/src/contracts/scopes.ts
+// ../../packages/core/src/contracts/orgs.ts
 import { z as z11 } from "zod";
 var c9 = initContract();
 var orgTierSchema = z11.enum(["free", "pro", "max"]);
-var scopeSlugSchema = z11.string().min(3, "Scope slug must be at least 3 characters").max(64, "Scope slug must be at most 64 characters").regex(
+var orgSlugSchema = z11.string().min(3, "Org slug must be at least 3 characters").max(64, "Org slug must be at most 64 characters").regex(
   /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1,2}$/,
-  "Scope slug must contain only lowercase letters, numbers, and hyphens, and must start and end with an alphanumeric character"
+  "Org slug must contain only lowercase letters, numbers, and hyphens, and must start and end with an alphanumeric character"
 ).transform((s) => s.toLowerCase());
-var scopeResponseSchema = z11.object({
+var orgResponseSchema = z11.object({
   id: z11.string(),
   slug: z11.string(),
   tier: z11.string().optional()
 });
-var updateScopeRequestSchema = z11.object({
-  slug: scopeSlugSchema,
+var updateOrgRequestSchema = z11.object({
+  slug: orgSlugSchema,
   force: z11.boolean().optional().default(false)
 });
-var scopeContract = c9.router({
+var orgContract = c9.router({
   /**
-   * GET /api/scope
-   * Get current user's default scope
+   * GET /api/org
+   * Get current user's default org
    */
   get: {
     method: "GET",
-    path: "/api/scope",
+    path: "/api/org",
     headers: authHeadersSchema,
     responses: {
-      200: scopeResponseSchema,
+      200: orgResponseSchema,
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Get current user's default scope"
+    summary: "Get current user's default org"
   },
   /**
-   * PUT /api/scope
-   * Update scope slug
+   * PUT /api/org
+   * Update org slug
    */
   update: {
     method: "PUT",
-    path: "/api/scope",
+    path: "/api/org",
     headers: authHeadersSchema,
-    body: updateScopeRequestSchema,
+    body: updateOrgRequestSchema,
     responses: {
-      200: scopeResponseSchema,
+      200: orgResponseSchema,
       400: apiErrorSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
@@ -2321,22 +2333,21 @@ var scopeContract = c9.router({
       409: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Update scope slug"
+    summary: "Update org slug"
   }
 });
-var scopeDefaultAgentContract = c9.router({
+var orgDefaultAgentContract = c9.router({
   /**
-   * PUT /api/scopes/default-agent?scope={slug}
-   * Set or unset the default agent for a scope.
-   * Only scope admins can perform this action.
-   * The agent must belong to the same scope.
+   * PUT /api/orgs/default-agent?org={slug}
+   * Set or unset the default agent for an org.
+   * Only org admins can perform this action.
+   * The agent must belong to the same org.
    */
   setDefaultAgent: {
     method: "PUT",
-    path: "/api/scopes/default-agent",
+    path: "/api/orgs/default-agent",
     headers: authHeadersSchema,
     query: z11.object({
-      scope: z11.string().optional(),
       org: z11.string().optional()
     }),
     body: z11.object({
@@ -2351,7 +2362,7 @@ var scopeDefaultAgentContract = c9.router({
       403: apiErrorSchema,
       404: apiErrorSchema
     },
-    summary: "Set or unset the default agent for a scope"
+    summary: "Set or unset the default agent for an org"
   }
 });
 
@@ -2382,7 +2393,7 @@ var setSecretRequestSchema = z12.object({
 var secretsMainContract = c10.router({
   /**
    * GET /api/secrets
-   * List all secrets for the current user's scope (metadata only)
+   * List all secrets for the current user's org (metadata only)
    */
   list: {
     method: "GET",
@@ -2481,7 +2492,7 @@ var setVariableRequestSchema = z13.object({
 var variablesMainContract = c11.router({
   /**
    * GET /api/variables
-   * List all variables for the current user's scope (includes values)
+   * List all variables for the current user's org (includes values)
    */
   list: {
     method: "GET",
@@ -3169,7 +3180,7 @@ var deployScheduleRequestSchema = z16.object({
   artifactName: z16.string().optional(),
   artifactVersion: z16.string().optional(),
   volumeVersions: z16.record(z16.string(), z16.string()).optional(),
-  // Resolved agent compose ID (CLI resolves scope/name:version → composeId)
+  // Resolved agent compose ID (CLI resolves org/name:version → composeId)
   composeId: z16.string().uuid("Invalid compose ID"),
   // Enable schedule immediately upon creation
   enabled: z16.boolean().optional()
@@ -3190,7 +3201,7 @@ var scheduleResponseSchema = z16.object({
   id: z16.string().uuid(),
   composeId: z16.string().uuid(),
   composeName: z16.string(),
-  scopeSlug: z16.string(),
+  orgSlug: z16.string(),
   userId: z16.string(),
   name: z16.string(),
   triggerType: z16.enum(["cron", "once", "loop"]),
@@ -3450,7 +3461,7 @@ var platformLogEntrySchema = z18.object({
   id: z18.string().uuid(),
   sessionId: z18.string().nullable(),
   agentName: z18.string(),
-  scopeSlug: z18.string().nullable(),
+  orgSlug: z18.string().nullable(),
   framework: z18.string().nullable(),
   status: platformLogStatusSchema,
   createdAt: z18.string(),
@@ -3486,7 +3497,7 @@ var platformLogsListContract = c16.router({
       search: z18.string().optional(),
       agent: z18.string().optional(),
       name: z18.string().optional(),
-      scope: z18.string().optional(),
+      org: z18.string().optional(),
       status: platformLogStatusSchema.optional()
     }),
     responses: {
@@ -3500,6 +3511,7 @@ var platformLogsByIdContract = c16.router({
   getById: {
     method: "GET",
     path: "/api/platform/logs/:id",
+    headers: authHeadersSchema,
     pathParams: z18.object({
       id: z18.string().uuid("Invalid log ID")
     }),
@@ -4650,7 +4662,6 @@ var CONNECTOR_TYPES_DEF = {
   },
   strava: {
     label: "Strava",
-    featureFlag: "stravaConnector" /* StravaConnector */,
     helpText: "Connect your Strava account to access activities and athlete data",
     authMethods: {
       oauth: {
@@ -6447,7 +6458,120 @@ var SERVICE_CONFIGS = {
     apis: [api("https://api.airtable.com", bearerAuth("AIRTABLE_TOKEN"))]
   },
   github: {
-    apis: [api("https://api.github.com", bearerAuth("GITHUB_TOKEN"))],
+    apis: [
+      {
+        base: "https://api.github.com",
+        auth: bearerAuth("GITHUB_TOKEN"),
+        permissions: [
+          {
+            name: "repo-read",
+            description: "Read repository metadata, branches, and commits",
+            rules: [
+              "GET /repos/{owner}/{repo}",
+              "GET /repos/{owner}/{repo}/branches",
+              "GET /repos/{owner}/{repo}/branches/{branch}",
+              "GET /repos/{owner}/{repo}/commits",
+              "GET /repos/{owner}/{repo}/commits/{ref}",
+              "GET /repos/{owner}/{repo}/contributors",
+              "GET /repos/{owner}/{repo}/tags",
+              "GET /repos/{owner}/{repo}/releases",
+              "GET /repos/{owner}/{repo}/releases/{release_id}"
+            ]
+          },
+          {
+            name: "contents-read",
+            description: "Read file contents and directory listings",
+            rules: [
+              "GET /repos/{owner}/{repo}/contents/{path+}",
+              "GET /repos/{owner}/{repo}/readme",
+              "GET /repos/{owner}/{repo}/git/trees/{sha}",
+              "GET /repos/{owner}/{repo}/git/blobs/{sha}",
+              "GET /repos/{owner}/{repo}/git/refs/{ref+}"
+            ]
+          },
+          {
+            name: "contents-write",
+            description: "Create, update, and delete file contents",
+            rules: [
+              "PUT /repos/{owner}/{repo}/contents/{path+}",
+              "DELETE /repos/{owner}/{repo}/contents/{path+}",
+              "POST /repos/{owner}/{repo}/git/blobs",
+              "POST /repos/{owner}/{repo}/git/trees",
+              "POST /repos/{owner}/{repo}/git/commits",
+              "POST /repos/{owner}/{repo}/git/refs",
+              "PATCH /repos/{owner}/{repo}/git/refs/{ref+}"
+            ]
+          },
+          {
+            name: "issues-read",
+            description: "Read issues and comments",
+            rules: [
+              "GET /repos/{owner}/{repo}/issues",
+              "GET /repos/{owner}/{repo}/issues/{issue_number}",
+              "GET /repos/{owner}/{repo}/issues/{issue_number}/comments",
+              "GET /repos/{owner}/{repo}/issues/{issue_number}/labels",
+              "GET /repos/{owner}/{repo}/labels"
+            ]
+          },
+          {
+            name: "issues-write",
+            description: "Create and update issues, comments, and labels",
+            rules: [
+              "POST /repos/{owner}/{repo}/issues",
+              "PATCH /repos/{owner}/{repo}/issues/{issue_number}",
+              "POST /repos/{owner}/{repo}/issues/{issue_number}/comments",
+              "PATCH /repos/{owner}/{repo}/issues/comments/{comment_id}",
+              "POST /repos/{owner}/{repo}/issues/{issue_number}/labels",
+              "DELETE /repos/{owner}/{repo}/issues/{issue_number}/labels/{name}"
+            ]
+          },
+          {
+            name: "pull-requests-read",
+            description: "Read pull requests, reviews, and diffs",
+            rules: [
+              "GET /repos/{owner}/{repo}/pulls",
+              "GET /repos/{owner}/{repo}/pulls/{pull_number}",
+              "GET /repos/{owner}/{repo}/pulls/{pull_number}/files",
+              "GET /repos/{owner}/{repo}/pulls/{pull_number}/commits",
+              "GET /repos/{owner}/{repo}/pulls/{pull_number}/reviews",
+              "GET /repos/{owner}/{repo}/pulls/{pull_number}/comments"
+            ]
+          },
+          {
+            name: "pull-requests-write",
+            description: "Create, update, and merge pull requests",
+            rules: [
+              "POST /repos/{owner}/{repo}/pulls",
+              "PATCH /repos/{owner}/{repo}/pulls/{pull_number}",
+              "POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews",
+              "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments",
+              "PUT /repos/{owner}/{repo}/pulls/{pull_number}/merge"
+            ]
+          },
+          {
+            name: "actions-read",
+            description: "Read workflow runs and logs",
+            rules: [
+              "GET /repos/{owner}/{repo}/actions/runs",
+              "GET /repos/{owner}/{repo}/actions/runs/{run_id}",
+              "GET /repos/{owner}/{repo}/actions/runs/{run_id}/jobs",
+              "GET /repos/{owner}/{repo}/actions/workflows",
+              "GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs"
+            ]
+          },
+          {
+            name: "search",
+            description: "Search code, issues, and repositories",
+            rules: [
+              "GET /search/code",
+              "GET /search/issues",
+              "GET /search/repositories",
+              "GET /search/commits"
+            ]
+          }
+        ]
+      }
+    ],
     placeholders: {
       GITHUB_TOKEN: "gho_vm0placeholder0000000000000000000000"
     }
@@ -6880,7 +7004,9 @@ var SERVICE_CONFIGS = {
   }
 };
 function getServiceConfig(type2) {
-  return SERVICE_CONFIGS[type2];
+  const config = SERVICE_CONFIGS[type2];
+  if (!config) return void 0;
+  return { ...config, name: type2 };
 }
 
 // ../../packages/core/src/contracts/user-preferences.ts
@@ -6889,14 +7015,16 @@ var c19 = initContract();
 var userPreferencesResponseSchema = z21.object({
   timezone: z21.string().nullable(),
   notifyEmail: z21.boolean(),
-  notifySlack: z21.boolean()
+  notifySlack: z21.boolean(),
+  pinnedAgentIds: z21.array(z21.string())
 });
 var updateUserPreferencesRequestSchema = z21.object({
   timezone: z21.string().min(1).optional(),
   notifyEmail: z21.boolean().optional(),
-  notifySlack: z21.boolean().optional()
+  notifySlack: z21.boolean().optional(),
+  pinnedAgentIds: z21.array(z21.string()).max(4).optional()
 }).refine(
-  (data) => data.timezone !== void 0 || data.notifyEmail !== void 0 || data.notifySlack !== void 0,
+  (data) => data.timezone !== void 0 || data.notifyEmail !== void 0 || data.notifySlack !== void 0 || data.pinnedAgentIds !== void 0,
   {
     message: "At least one preference must be provided"
   }
@@ -6936,131 +7064,131 @@ var userPreferencesContract = c19.router({
   }
 });
 
-// ../../packages/core/src/contracts/scope-list.ts
+// ../../packages/core/src/contracts/org-list.ts
 import { z as z22 } from "zod";
 var c20 = initContract();
-var scopeListItemSchema = z22.object({
+var orgListItemSchema = z22.object({
   slug: z22.string(),
   role: z22.string()
 });
-var scopeListResponseSchema = z22.object({
-  scopes: z22.array(scopeListItemSchema),
+var orgListResponseSchema = z22.object({
+  orgs: z22.array(orgListItemSchema),
   active: z22.string().optional()
 });
-var scopeListContract = c20.router({
+var orgListContract = c20.router({
   /**
-   * GET /api/scope/list
-   * List all scopes accessible to the user
+   * GET /api/org/list
+   * List all orgs accessible to the user
    */
   list: {
     method: "GET",
-    path: "/api/scope/list",
+    path: "/api/org/list",
     headers: authHeadersSchema,
     responses: {
-      200: scopeListResponseSchema,
+      200: orgListResponseSchema,
       401: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "List all accessible scopes"
+    summary: "List all accessible orgs"
   }
 });
 
-// ../../packages/core/src/contracts/scope-members.ts
+// ../../packages/core/src/contracts/org-members.ts
 import { z as z23 } from "zod";
 var c21 = initContract();
 var orgRoleSchema = z23.enum(["admin", "member"]);
-var scopeMemberSchema = z23.object({
+var orgMemberSchema = z23.object({
   userId: z23.string(),
   email: z23.string(),
   role: orgRoleSchema,
   joinedAt: z23.string()
 });
-var scopeMembersResponseSchema = z23.object({
+var orgMembersResponseSchema = z23.object({
   slug: z23.string(),
   role: orgRoleSchema,
-  members: z23.array(scopeMemberSchema),
+  members: z23.array(orgMemberSchema),
   createdAt: z23.string()
 });
-var inviteScopeMemberRequestSchema = z23.object({
+var inviteOrgMemberRequestSchema = z23.object({
   email: z23.string().email()
 });
-var removeScopeMemberRequestSchema = z23.object({
+var removeOrgMemberRequestSchema = z23.object({
   email: z23.string().email()
 });
-var scopeMessageResponseSchema = z23.object({
+var orgMessageResponseSchema = z23.object({
   message: z23.string()
 });
-var scopeMembersContract = c21.router({
+var orgMembersContract = c21.router({
   /**
-   * GET /api/scope/members
-   * Get scope members and status
+   * GET /api/org/members
+   * Get org members and status
    */
   members: {
     method: "GET",
-    path: "/api/scope/members",
+    path: "/api/org/members",
     headers: authHeadersSchema,
     responses: {
-      200: scopeMembersResponseSchema,
+      200: orgMembersResponseSchema,
       400: apiErrorSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Get scope members and status"
+    summary: "Get org members and status"
   },
   /**
-   * POST /api/scope/invite
-   * Invite a member to the scope
+   * POST /api/org/invite
+   * Invite a member to the org
    */
   invite: {
     method: "POST",
-    path: "/api/scope/invite",
+    path: "/api/org/invite",
     headers: authHeadersSchema,
-    body: inviteScopeMemberRequestSchema,
+    body: inviteOrgMemberRequestSchema,
     responses: {
-      200: scopeMessageResponseSchema,
+      200: orgMessageResponseSchema,
       400: apiErrorSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Invite a member to the scope"
+    summary: "Invite a member to the org"
   },
   /**
-   * POST /api/scope/leave
-   * Leave the current scope
+   * POST /api/org/leave
+   * Leave the current org
    */
   leave: {
     method: "POST",
-    path: "/api/scope/leave",
+    path: "/api/org/leave",
     headers: authHeadersSchema,
     body: z23.object({}),
     responses: {
-      200: scopeMessageResponseSchema,
+      200: orgMessageResponseSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Leave the current scope"
+    summary: "Leave the current org"
   },
   /**
-   * DELETE /api/scope/members
-   * Remove a member from the scope
+   * DELETE /api/org/members
+   * Remove a member from the org
    */
   removeMember: {
     method: "DELETE",
-    path: "/api/scope/members",
+    path: "/api/org/members",
     headers: authHeadersSchema,
-    body: removeScopeMemberRequestSchema,
+    body: removeOrgMemberRequestSchema,
     responses: {
-      200: scopeMessageResponseSchema,
+      200: orgMessageResponseSchema,
       400: apiErrorSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Remove a member from the scope"
+    summary: "Remove a member from the org"
   }
 });
 
@@ -7069,13 +7197,14 @@ import { z as z24 } from "zod";
 var c22 = initContract();
 var onboardingStatusResponseSchema = z24.object({
   needsOnboarding: z24.boolean(),
-  hasScope: z24.boolean(),
+  hasOrg: z24.boolean(),
   hasModelProvider: z24.boolean(),
   hasDefaultAgent: z24.boolean(),
   defaultAgentName: z24.string().nullable(),
   defaultAgentComposeId: z24.string().nullable(),
   defaultAgentMetadata: z24.object({
     displayName: z24.string().optional(),
+    description: z24.string().optional(),
     sound: z24.string().optional()
   }).nullable()
 });
@@ -7356,11 +7485,6 @@ var FEATURE_SWITCHES = {
     enabled: false,
     enabledUserHashes: STAFF_USER_HASHES
   },
-  ["stravaConnector" /* StravaConnector */]: {
-    maintainer: "ethan@vm0.ai",
-    enabled: false,
-    enabledUserHashes: STAFF_USER_HASHES
-  },
   ["neonConnector" /* NeonConnector */]: {
     maintainer: "ethan@vm0.ai",
     enabled: false,
@@ -7485,7 +7609,32 @@ function parseSkillFrontmatter(content) {
 // ../../packages/core/src/instructions-frontmatter.ts
 var PROFILE_START = "<!-- ZERO_PROFILE";
 var PROFILE_END = "ZERO_PROFILE -->";
-var PROFILE_REGEX = /<!-- ZERO_PROFILE\n(?:[^\n]*\n)*?ZERO_PROFILE -->\n?/g;
+function stripProfileBlocks(content) {
+  let result = "";
+  let searchFrom = 0;
+  while (searchFrom < content.length) {
+    const startIdx = content.indexOf(PROFILE_START + "\n", searchFrom);
+    if (startIdx === -1) {
+      result += content.slice(searchFrom);
+      break;
+    }
+    result += content.slice(searchFrom, startIdx);
+    const endIdx = content.indexOf(
+      PROFILE_END,
+      startIdx + PROFILE_START.length + 1
+    );
+    if (endIdx === -1) {
+      result += content.slice(startIdx);
+      break;
+    }
+    let afterEnd = endIdx + PROFILE_END.length;
+    if (content[afterEnd] === "\n") {
+      afterEnd++;
+    }
+    searchFrom = afterEnd;
+  }
+  return result;
+}
 var LEGACY_METADATA_KEYS = /* @__PURE__ */ new Set(["name", "tone"]);
 function stripLegacyFrontmatter(content) {
   const match = content.match(/^---\r?\n([\s\S]*?)\r?\n---(\r?\n|$)/);
@@ -7516,6 +7665,9 @@ function buildProfileParagraph(metadata) {
   if (metadata.displayName) {
     parts.push(`Your name is ${metadata.displayName}.`);
   }
+  if (metadata.description) {
+    parts.push(metadata.description);
+  }
   if (metadata.sound) {
     const desc = TONE_DESCRIPTIONS[metadata.sound] ?? metadata.sound;
     parts.push(
@@ -7538,7 +7690,9 @@ function injectMetadataFrontmatter(content, metadata) {
   const block = `${PROFILE_START}
 ${paragraph}
 ${PROFILE_END}`;
-  const stripped = stripLegacyFrontmatter(content).replace(PROFILE_REGEX, "").trimEnd();
+  const stripped = stripProfileBlocks(
+    stripLegacyFrontmatter(content)
+  ).trimEnd();
   if (!stripped) {
     return `${block}
 `;
@@ -7550,21 +7704,21 @@ ${block}
 }
 
 // src/lib/api/core/http.ts
-async function appendScopeParam(path18) {
+async function appendOrgParam(path18) {
   const config = await loadConfig();
-  const activeScope = config.activeScope;
-  if (!activeScope) {
+  const activeOrg = config.activeOrg;
+  if (!activeOrg) {
     return path18;
   }
   const queryStart = path18.indexOf("?");
   if (queryStart !== -1) {
     const params = new URLSearchParams(path18.slice(queryStart));
-    if (params.has("scope")) {
+    if (params.has("org")) {
       return path18;
     }
-    return `${path18}&scope=${encodeURIComponent(activeScope)}`;
+    return `${path18}&org=${encodeURIComponent(activeOrg)}`;
   }
-  return `${path18}?scope=${encodeURIComponent(activeScope)}`;
+  return `${path18}?org=${encodeURIComponent(activeOrg)}`;
 }
 async function getRawHeaders() {
   const token = await getActiveToken();
@@ -7583,8 +7737,8 @@ async function getRawHeaders() {
 async function httpGet(path18) {
   const baseUrl = await getBaseUrl();
   const headers = await getRawHeaders();
-  const scopedPath = await appendScopeParam(path18);
-  return fetch(`${baseUrl}${scopedPath}`, {
+  const orgPath = await appendOrgParam(path18);
+  return fetch(`${baseUrl}${orgPath}`, {
     method: "GET",
     headers
   });
@@ -7592,8 +7746,8 @@ async function httpGet(path18) {
 async function httpPost(path18, body) {
   const baseUrl = await getBaseUrl();
   const headers = await getRawHeaders();
-  const scopedPath = await appendScopeParam(path18);
-  return fetch(`${baseUrl}${scopedPath}`, {
+  const orgPath = await appendOrgParam(path18);
+  return fetch(`${baseUrl}${orgPath}`, {
     method: "POST",
     headers: {
       ...headers,
@@ -7605,8 +7759,8 @@ async function httpPost(path18, body) {
 async function httpDelete(path18) {
   const baseUrl = await getBaseUrl();
   const headers = await getRawHeaders();
-  const scopedPath = await appendScopeParam(path18);
-  return fetch(`${baseUrl}${scopedPath}`, {
+  const orgPath = await appendOrgParam(path18);
+  return fetch(`${baseUrl}${orgPath}`, {
     method: "DELETE",
     headers
   });
@@ -7614,11 +7768,11 @@ async function httpDelete(path18) {
 
 // src/lib/api/domains/composes.ts
 import { initClient } from "@ts-rest/core";
-async function getComposeByName(name, scope) {
+async function getComposeByName(name, org) {
   const config = await getClientConfig();
   const client = initClient(composesMainContract, config);
   const result = await client.getByName({
-    query: { name, scope }
+    query: { name, org }
   });
   if (result.status === 200) {
     return result.body;
@@ -7774,7 +7928,7 @@ async function getUserTokenClientConfig() {
 }
 async function getOrg() {
   const config = await getClientConfig();
-  const client = initClient4(scopeContract, config);
+  const client = initClient4(orgContract, config);
   const result = await client.get({ headers: {} });
   if (result.status === 200) {
     return result.body;
@@ -7783,7 +7937,7 @@ async function getOrg() {
 }
 async function updateOrg(body) {
   const config = await getClientConfig();
-  const client = initClient4(scopeContract, config);
+  const client = initClient4(orgContract, config);
   const result = await client.update({ body });
   if (result.status === 200) {
     return result.body;
@@ -7792,7 +7946,7 @@ async function updateOrg(body) {
 }
 async function getOrgMembers() {
   const config = await getClientConfig();
-  const client = initClient4(scopeMembersContract, config);
+  const client = initClient4(orgMembersContract, config);
   const result = await client.members({ headers: {} });
   if (result.status === 200) {
     return result.body;
@@ -7801,7 +7955,7 @@ async function getOrgMembers() {
 }
 async function inviteOrgMember(email) {
   const config = await getClientConfig();
-  const client = initClient4(scopeMembersContract, config);
+  const client = initClient4(orgMembersContract, config);
   const result = await client.invite({
     body: { email }
   });
@@ -7812,7 +7966,7 @@ async function inviteOrgMember(email) {
 }
 async function removeOrgMember(email) {
   const config = await getClientConfig();
-  const client = initClient4(scopeMembersContract, config);
+  const client = initClient4(orgMembersContract, config);
   const result = await client.removeMember({
     body: { email }
   });
@@ -7823,7 +7977,7 @@ async function removeOrgMember(email) {
 }
 async function leaveOrg() {
   const config = await getClientConfig();
-  const client = initClient4(scopeMembersContract, config);
+  const client = initClient4(orgMembersContract, config);
   const result = await client.leave({
     body: {}
   });
@@ -7834,7 +7988,7 @@ async function leaveOrg() {
 }
 async function listOrgs() {
   const config = await getUserTokenClientConfig();
-  const client = initClient4(scopeListContract, config);
+  const client = initClient4(orgListContract, config);
   const result = await client.list({ headers: {} });
   if (result.status === 200) {
     return result.body;
@@ -9259,30 +9413,77 @@ function mergeSkillVariables(agent, variables) {
     agent.environment = environment;
   }
 }
+function resolveServiceConfig(ref) {
+  const parsed = connectorTypeSchema.safeParse(ref);
+  if (!parsed.success) {
+    throw new Error(
+      `Cannot resolve service ref "${ref}": no built-in service with this name`
+    );
+  }
+  const serviceConfig = getServiceConfig(parsed.data);
+  if (!serviceConfig) {
+    throw new Error(
+      `Service ref "${ref}" resolved to "${parsed.data}" but it does not support proxy-side token replacement`
+    );
+  }
+  return serviceConfig;
+}
+function collectAndValidatePermissions(ref, serviceConfig) {
+  const available = /* @__PURE__ */ new Set();
+  for (const api2 of serviceConfig.apis) {
+    for (const perm of api2.permissions ?? []) {
+      if (perm.name === "all") {
+        throw new Error(
+          `Service "${serviceConfig.name}" (ref "${ref}") has a permission named "all", which is a reserved keyword`
+        );
+      }
+      available.add(perm.name);
+    }
+  }
+  return available;
+}
 function expandServiceConfigs(config) {
   const compose = config;
   if (!compose?.agents) return;
   for (const agent of Object.values(compose.agents)) {
     const services = agent.experimental_services;
-    if (!services || services.length === 0) continue;
-    if (typeof services[0] !== "string") continue;
-    agent.experimental_services = services.map((name) => {
-      const parsed = connectorTypeSchema.safeParse(name);
-      if (!parsed.success) {
-        throw new Error(`Unknown service: "${name}"`);
-      }
-      const serviceConfig = getServiceConfig(parsed.data);
-      if (!serviceConfig) {
-        throw new Error(
-          `Service "${name}" does not support proxy-side token replacement`
-        );
+    if (!services) continue;
+    if (Array.isArray(services)) continue;
+    const expanded = [];
+    for (const [ref, selection] of Object.entries(services)) {
+      const serviceConfig = resolveServiceConfig(ref);
+      const availablePermissions = collectAndValidatePermissions(
+        ref,
+        serviceConfig
+      );
+      if (selection.permissions !== "all") {
+        for (const name of selection.permissions) {
+          if (!availablePermissions.has(name)) {
+            const available = [...availablePermissions].join(", ");
+            throw new Error(
+              `Permission "${name}" does not exist in service "${serviceConfig.name}" (ref "${ref}"). Available: ${available}`
+            );
+          }
+        }
       }
-      return {
-        name,
-        apis: serviceConfig.apis,
-        placeholders: serviceConfig.placeholders
+      const selectedSet = selection.permissions === "all" ? null : new Set(selection.permissions);
+      const filteredApis = serviceConfig.apis.map((api2) => ({
+        ...api2,
+        permissions: selectedSet ? (api2.permissions ?? []).filter((p) => selectedSet.has(p.name)) : api2.permissions
+      })).filter((api2) => (api2.permissions ?? []).length > 0);
+      if (filteredApis.length === 0) continue;
+      const entry = {
+        name: serviceConfig.name,
+        ref,
+        apis: filteredApis
       };
-    });
+      if (serviceConfig.description !== void 0)
+        entry.description = serviceConfig.description;
+      if (serviceConfig.placeholders !== void 0)
+        entry.placeholders = serviceConfig.placeholders;
+      expanded.push(entry);
+    }
+    agent.experimental_services = expanded;
   }
 }
 function getPlatformUrl(apiUrl) {
@@ -9352,9 +9553,9 @@ async function finalizeCompose(config, agent, variables, options) {
     console.log("Uploading compose...");
   }
   const response = await createOrUpdateCompose({ content: config });
-  const scopeResponse = await getOrg();
+  const orgResponse = await getOrg();
   const shortVersionId = response.versionId.slice(0, 8);
-  const displayName = `${scopeResponse.slug}/${response.name}`;
+  const displayName = `${orgResponse.slug}/${response.name}`;
   const result = {
     composeId: response.composeId,
     composeName: response.name,
@@ -9485,7 +9686,7 @@ var composeCommand = new Command7().name("compose").description("Create or updat
         options.autoUpdate = false;
       }
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.56.10");
+        await startSilentUpgrade("9.57.1");
       }
       try {
         let result;
@@ -10517,22 +10718,22 @@ function parseIdentifier(identifier) {
   if (isUUID(identifier)) {
     return { name: identifier };
   }
-  let scope;
+  let org;
   let rest = identifier;
   const slashIndex = identifier.indexOf("/");
   if (slashIndex > 0) {
-    scope = identifier.slice(0, slashIndex);
+    org = identifier.slice(0, slashIndex);
     rest = identifier.slice(slashIndex + 1);
   }
   const colonIndex = rest.indexOf(":");
   if (colonIndex > 0 && colonIndex < rest.length - 1) {
     return {
-      scope,
+      org,
       name: rest.slice(0, colonIndex),
       version: rest.slice(colonIndex + 1)
     };
   }
-  return { scope, name: rest };
+  return { org, name: rest };
 }
 function renderRunCreated(response) {
   if (response.status === "queued") {
@@ -10623,7 +10824,7 @@ function showNextSteps(result) {
 // src/commands/run/run.ts
 var mainRunCommand = new Command8().name("run").description("Run an agent").argument(
   "<agent-name>",
-  "Agent reference: [scope/]name[:version] (e.g., 'my-agent', 'lancy/my-agent:abc123', 'my-agent:latest')"
+  "Agent reference: [org/]name[:version] (e.g., 'my-agent', 'lancy/my-agent:abc123', 'my-agent:latest')"
 ).argument("<prompt>", "Prompt for the agent").option(
   "--env-file <path>",
   "Load environment variables from file (priority: CLI flags > file > env vars)"
@@ -10653,18 +10854,18 @@ var mainRunCommand = new Command8().name("run").description("Run an agent").argu
   "Override model provider (e.g., anthropic-api-key)"
 ).option("--verbose", "Show full tool inputs and outputs").option(
   "--experimental-shared-agent",
-  "Allow running agents shared by other users (required when running scope/agent format)"
+  "Allow running agents shared by other users (required when running org/agent format)"
 ).option("--check-env", "Validate secrets and vars before running").addOption(new Option2("--debug-no-mock-claude").hideHelp()).addOption(new Option2("--no-auto-update").hideHelp()).action(
   withErrorHandler(
     async (identifier, prompt, options) => {
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.56.10");
+        await startSilentUpgrade("9.57.1");
       }
-      const { scope, name, version } = parseIdentifier(identifier);
-      if (scope && !options.experimentalSharedAgent) {
-        const defaultScope = await getOrg();
-        const isOwnScope = defaultScope.slug === scope;
-        if (!isOwnScope) {
+      const { org, name, version } = parseIdentifier(identifier);
+      if (org && !options.experimentalSharedAgent) {
+        const defaultOrg = await getOrg();
+        const isOwnOrg = defaultOrg.slug === org;
+        if (!isOwnOrg) {
           throw new Error(
             "Running shared agents requires --experimental-shared-agent flag",
             {
@@ -10682,7 +10883,7 @@ var mainRunCommand = new Command8().name("run").description("Run an agent").argu
         composeId = compose.id;
         composeContent = compose.content;
       } else {
-        const compose = await getComposeByName(name, scope);
+        const compose = await getComposeByName(name, org);
         if (!compose) {
           throw new Error(`Agent not found: ${identifier}`, {
             cause: new Error(
@@ -12345,7 +12546,7 @@ var cookAction = new Command34().name("cook").description("Quick start: prepare,
   withErrorHandler(
     async (prompt, options) => {
       if (options.autoUpdate !== false) {
-        const shouldExit = await checkAndUpgrade("9.56.10", prompt);
+        const shouldExit = await checkAndUpgrade("9.57.1", prompt);
         if (shouldExit) {
           process.exit(0);
         }
@@ -12554,7 +12755,7 @@ var ApiClient = class {
     }
     return apiUrl;
   }
-  async getComposeByName(name, scope) {
+  async getComposeByName(name, org) {
     const baseUrl = await this.getBaseUrl();
     const headers = await this.getHeaders();
     const client = initClient12(composesMainContract, {
@@ -12565,7 +12766,7 @@ var ApiClient = class {
     const result = await client.getByName({
       query: {
         name,
-        scope
+        org
       }
     });
     if (result.status === 200) {
@@ -12774,10 +12975,10 @@ var ApiClient = class {
   /**
    * Get current user's default org
    */
-  async getScope() {
+  async getOrg() {
     const baseUrl = await this.getBaseUrl();
     const headers = await this.getHeaders();
-    const client = initClient12(scopeContract, {
+    const client = initClient12(orgContract, {
       baseUrl,
       baseHeaders: headers,
       jsonQuery: false
@@ -12793,10 +12994,10 @@ var ApiClient = class {
   /**
    * Update user's default org slug
    */
-  async updateScope(body) {
+  async updateOrg(body) {
     const baseUrl = await this.getBaseUrl();
     const headers = await this.getHeaders();
-    const client = initClient12(scopeContract, {
+    const client = initClient12(orgContract, {
       baseUrl,
       baseHeaders: headers,
       jsonQuery: false
@@ -13620,9 +13821,6 @@ async function showNetworkLogs(runId, options) {
   }
 }
 
-// src/index.ts
-import chalk84 from "chalk";
-
 // src/commands/org/index.ts
 import { Command as Command48 } from "commander";
 
@@ -13687,10 +13885,10 @@ var listCommand5 = new Command42().name("list").description("List all accessible
   withErrorHandler(async () => {
     const result = await listOrgs();
     const config = await loadConfig();
-    const activeScope = config.activeScope;
+    const activeOrg = config.activeOrg;
     console.log(chalk38.bold("Available organizations:"));
-    for (const org of result.scopes) {
-      const isCurrent = org.slug === activeScope;
+    for (const org of result.orgs) {
+      const isCurrent = org.slug === activeOrg;
       const marker = isCurrent ? chalk38.green("* ") : "  ";
       const roleLabel = org.role ? ` (${org.role})` : "";
       const currentLabel = isCurrent ? chalk38.dim(" \u2190 current") : "";
@@ -13706,7 +13904,7 @@ var useCommand = new Command43().name("use").description("Switch to a different
   withErrorHandler(
     async (slug, options) => {
       if (options.personal) {
-        await saveConfig({ activeScope: void 0 });
+        await saveConfig({ activeOrg: void 0 });
         console.log(chalk39.green("\u2713 Switched to personal org."));
         return;
       }
@@ -13716,13 +13914,13 @@ var useCommand = new Command43().name("use").description("Switch to a different
         );
       }
       const orgList = await listOrgs();
-      const target = orgList.scopes.find((s) => s.slug === slug);
+      const target = orgList.orgs.find((s) => s.slug === slug);
       if (!target) {
         throw new Error(
           `Organization '${slug}' not found or not accessible.`
         );
       }
-      await saveConfig({ activeScope: slug });
+      await saveConfig({ activeOrg: slug });
       console.log(chalk39.green(`\u2713 Switched to organization: ${slug}`));
     }
   )
@@ -13783,7 +13981,7 @@ import chalk43 from "chalk";
 var leaveCommand = new Command47().name("leave").description("Leave the current organization").action(
   withErrorHandler(async () => {
     await leaveOrg();
-    await saveConfig({ activeScope: void 0 });
+    await saveConfig({ activeOrg: void 0 });
     console.log(
       chalk43.green("\u2713 Left organization. Switched to personal org.")
     );
@@ -15284,7 +15482,7 @@ function printRunConfiguration(schedule) {
   const statusText = schedule.enabled ? chalk56.green("enabled") : chalk56.yellow("disabled");
   console.log(`${"Status:".padEnd(16)}${statusText}`);
   console.log(
-    `${"Agent:".padEnd(16)}${schedule.composeName} ${chalk56.dim(`(${schedule.scopeSlug})`)}`
+    `${"Agent:".padEnd(16)}${schedule.composeName} ${chalk56.dim(`(${schedule.orgSlug})`)}`
   );
   const promptPreview = schedule.prompt.length > 60 ? schedule.prompt.slice(0, 57) + "..." : schedule.prompt;
   console.log(`${"Prompt:".padEnd(16)}${chalk56.dim(promptPreview)}`);
@@ -17699,13 +17897,13 @@ var upgradeCommand = new Command90().name("upgrade").description("Upgrade vm0 CL
     if (latestVersion === null) {
       throw new Error("Could not check for updates. Please try again later.");
     }
-    if (latestVersion === "9.56.10") {
-      console.log(chalk83.green(`\u2713 Already up to date (${"9.56.10"})`));
+    if (latestVersion === "9.57.1") {
+      console.log(chalk83.green(`\u2713 Already up to date (${"9.57.1"})`));
       return;
     }
     console.log(
       chalk83.yellow(
-        `Current version: ${"9.56.10"} -> Latest version: ${latestVersion}`
+        `Current version: ${"9.57.1"} -> Latest version: ${latestVersion}`
       )
     );
     console.log();
@@ -17732,7 +17930,7 @@ var upgradeCommand = new Command90().name("upgrade").description("Upgrade vm0 CL
     const success = await performUpgrade(packageManager);
     if (success) {
       console.log(
-        chalk83.green(`\u2713 Upgraded from ${"9.56.10"} to ${latestVersion}`)
+        chalk83.green(`\u2713 Upgraded from ${"9.57.1"} to ${latestVersion}`)
       );
       return;
     }
@@ -17746,7 +17944,7 @@ var upgradeCommand = new Command90().name("upgrade").description("Upgrade vm0 CL
 
 // src/index.ts
 var program = new Command91();
-program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.56.10");
+program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.57.1");
 program.addCommand(authCommand);
 program.addCommand(infoCommand);
 program.addCommand(composeCommand);
@@ -17757,16 +17955,6 @@ program.addCommand(memoryCommand);
 program.addCommand(cookCommand);
 program.addCommand(logsCommand2);
 program.addCommand(orgCommand);
-var deprecatedScopeCommand = new Command91("scope").allowUnknownOption().allowExcessArguments().action((_options, command) => {
-  const args = command.args.join(" ");
-  console.error(
-    chalk84.yellow(
-      `\u26A0 'vm0 scope' is deprecated. Use 'vm0 org${args ? " " + args : ""}' instead.`
-    )
-  );
-  process.exit(1);
-});
-program.addCommand(deprecatedScopeCommand, { hidden: true });
 program.addCommand(agentCommand);
 program.addCommand(initCommand4);
 program.addCommand(scheduleCommand);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/cli",
-  "version": "9.56.10",
+  "version": "9.57.1",
   "description": "CLI application",
   "repository": {
     "type": "git",