@vm0/cli 9.83.1 → 9.83.3

package/{chunk-5BLBSO2W.js → chunk-IFUYTPFH.js}

@@ -47,7 +47,7 @@ if (DSN) {
   Sentry.init({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.83.1",
+    release: "9.83.3",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -66,7 +66,7 @@ if (DSN) {
     }
   });
   Sentry.setContext("cli", {
-    version: "9.83.1",
+    version: "9.83.3",
     command: process.argv.slice(2).join(" ")
   });
   Sentry.setContext("runtime", {
@@ -170,9 +170,16 @@ import { existsSync } from "fs";
 function decodeCliTokenPayload(token) {
   const raw = token ?? void 0;
   if (!raw) return void 0;
-  const prefix = "vm0_sandbox_";
-  if (!raw.startsWith(prefix)) return void 0;
-  const jwt = raw.slice(prefix.length);
+  const patPrefix = "vm0_pat_";
+  const legacyPrefix = "vm0_sandbox_";
+  let jwt;
+  if (raw.startsWith(patPrefix)) {
+    jwt = raw.slice(patPrefix.length);
+  } else if (raw.startsWith(legacyPrefix)) {
+    jwt = raw.slice(legacyPrefix.length);
+  } else {
+    return void 0;
+  }
   const parts = jwt.split(".");
   if (parts.length !== 3) return void 0;
   try {
@@ -237,11 +244,7 @@ async function getActiveOrg() {
   const token = await getToken();
   const cliPayload = decodeCliTokenPayload(token);
   if (cliPayload) return cliPayload.orgId;
-  if (process.env.VM0_ACTIVE_ORG) {
-    return process.env.VM0_ACTIVE_ORG;
-  }
-  const config = await loadConfig();
-  return config.activeOrg;
+  return void 0;
 }
 async function clearConfig() {
   const configFile = getConfigFile();
@@ -11522,18 +11525,21 @@ var ANTHROPIC_API_BASE = "https://api.anthropic.com";
 function getFirewallBaseUrl(type) {
   return getEnvironmentMapping(type)?.ANTHROPIC_BASE_URL ?? ANTHROPIC_API_BASE;
 }
-function mpFirewall(type, authHeaders, placeholders) {
+function mpFirewall(type, authHeader, placeholderValue) {
+  const secretName = MODEL_PROVIDER_TYPES[type].secretName;
+  const secretRef = `\${{ secrets.${secretName} }}`;
+  const headerValue = authHeader.valuePrefix ? `${authHeader.valuePrefix} ${secretRef}` : secretRef;
   return {
     name: `model-provider:${type}`,
     ref: "__auto__",
     apis: [
       {
         base: getFirewallBaseUrl(type),
-        auth: { headers: authHeaders },
+        auth: { headers: { [authHeader.name]: headerValue } },
         permissions: [{ name: "unrestricted", rules: ["ANY /{path*}"] }]
       }
     ],
-    placeholders
+    placeholders: { [secretName]: placeholderValue }
   };
 }
 var MODEL_PROVIDER_FIREWALL_CONFIGS = {
@@ -11542,10 +11548,8 @@ var MODEL_PROVIDER_FIREWALL_CONFIGS = {
   //   https://semgrep.dev/blog/2025/secrets-story-and-prefixed-secrets/
   "anthropic-api-key": mpFirewall(
     "anthropic-api-key",
-    { "x-api-key": "${{ secrets.ANTHROPIC_API_KEY }}" },
-    {
-      ANTHROPIC_API_KEY: "sk-ant-api03-vm0placeholder0000000000000000000000000000000000000000000000000000000000000000000000000000000AA"
-    }
+    { name: "x-api-key" },
+    "sk-ant-api03-vm0placeholder0000000000000000000000000000000000000000000000000000000000000000000000000000000AA"
   ),
   // Placeholder: sk-ant-oat01-{93 word/hyphen chars}AA (108 chars total)
   // Source: same structure as API key; prefix from claude setup-token output
@@ -11553,10 +11557,8 @@ var MODEL_PROVIDER_FIREWALL_CONFIGS = {
   //   Example: sk-ant-oat01-xxxxx...xxxxx (1-year OAuth token)
   "claude-code-oauth-token": mpFirewall(
     "claude-code-oauth-token",
-    { Authorization: "Bearer ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}" },
-    {
-      CLAUDE_CODE_OAUTH_TOKEN: "sk-ant-oat01-vm0placeholder0000000000000000000000000000000000000000000000000000000000000000000000000000000AA"
-    }
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "sk-ant-oat01-vm0placeholder0000000000000000000000000000000000000000000000000000000000000000000000000000000AA"
   ),
   // Placeholder: sk-or-v1-{64 hex chars} (73 chars total)
   // Source: real key observed in GitHub issue
@@ -11564,47 +11566,45 @@ var MODEL_PROVIDER_FIREWALL_CONFIGS = {
   //   Example: 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
   "openrouter-api-key": mpFirewall(
     "openrouter-api-key",
-    { Authorization: "Bearer ${{ secrets.OPENROUTER_API_KEY }}" },
-    {
-      OPENROUTER_API_KEY: "sk-or-v1-vm0placeholder00000000000000000000000000000000000000000000000000"
-    }
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "sk-or-v1-vm0placeholder00000000000000000000000000000000000000000000000000"
   ),
   // Placeholder: sk-{32 chars} (35 chars total)
   // Source: no authoritative format documentation found; using generic sk- prefix
   "moonshot-api-key": mpFirewall(
     "moonshot-api-key",
-    { Authorization: "Bearer ${{ secrets.MOONSHOT_API_KEY }}" },
-    { MOONSHOT_API_KEY: "sk-vm0placeholder000000000000000000" }
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "sk-vm0placeholder000000000000000000"
   ),
   // Placeholder: eyJ... (JWT-style, variable length)
   // Source: no authoritative format documentation found; MiniMax docs do not disclose key format
   //   https://platform.minimax.io/docs/api-reference/api-overview
   "minimax-api-key": mpFirewall(
     "minimax-api-key",
-    { Authorization: "Bearer ${{ secrets.MINIMAX_API_KEY }}" },
-    { MINIMAX_API_KEY: "eyvm0placeholder000000000000000000000000000000000000" }
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "eyvm0placeholder000000000000000000000000000000000000"
   ),
   // Placeholder: sk-{32 hex chars} (35 chars total)
   // Source: Semgrep regex \bsk-[a-f0-9]{32}\b
   //   https://semgrep.dev/blog/2025/secrets-story-and-prefixed-secrets/
   "deepseek-api-key": mpFirewall(
     "deepseek-api-key",
-    { Authorization: "Bearer ${{ secrets.DEEPSEEK_API_KEY }}" },
-    { DEEPSEEK_API_KEY: "sk-vm0placeholder000000000000000000" }
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "sk-vm0placeholder000000000000000000"
   ),
   // Placeholder: sk-{32 chars} (35 chars total)
   // Source: no authoritative format documentation found; using generic sk- prefix
   "zai-api-key": mpFirewall(
     "zai-api-key",
-    { Authorization: "Bearer ${{ secrets.ZAI_API_KEY }}" },
-    { ZAI_API_KEY: "sk-vm0placeholder000000000000000000" }
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "sk-vm0placeholder000000000000000000"
   ),
   // Placeholder: sk-{32 chars} (35 chars total)
   // Source: no authoritative format documentation found; Vercel gateway proxies upstream providers
   "vercel-ai-gateway": mpFirewall(
     "vercel-ai-gateway",
-    { Authorization: "Bearer ${{ secrets.VERCEL_AI_GATEWAY_API_KEY }}" },
-    { VERCEL_AI_GATEWAY_API_KEY: "sk-vm0placeholder000000000000000000" }
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "sk-vm0placeholder000000000000000000"
   )
 };
 var modelProviderTypeSchema = z16.enum([
@@ -16753,7 +16753,8 @@ var memberUsageSchema = z37.object({
   outputTokens: z37.number(),
   cacheReadInputTokens: z37.number(),
   cacheCreationInputTokens: z37.number(),
-  creditsCharged: z37.number()
+  creditsCharged: z37.number(),
+  creditCap: z37.number().nullable()
 });
 var usageMembersResponseSchema = z37.object({
   period: z37.object({
@@ -17055,9 +17056,7 @@ var STAFF_ORG_ID_HASHES = [
 var FEATURE_SWITCHES = {
   ["pricing" /* Pricing */]: {
     maintainer: "ethan@vm0.ai",
-    enabled: false,
-    enabledUserHashes: STAFF_USER_HASHES,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+    enabled: true
   },
   ["dummy" /* Dummy */]: {
     maintainer: "ethan@vm0.ai",
@@ -17240,6 +17239,14 @@ var FEATURE_SWITCHES = {
     enabled: false,
     enabledUserHashes: STAFF_USER_HASHES,
     enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+  },
+  ["concurrentAddOn" /* ConcurrentAddOn */]: {
+    maintainer: "ethan@vm0.ai",
+    enabled: false
+  },
+  ["creditAddOn" /* CreditAddOn */]: {
+    maintainer: "ethan@vm0.ai",
+    enabled: false
   }
 };
 async function isFeatureEnabled(key, ctx) {
@@ -17290,7 +17297,6 @@ function parseSkillFrontmatter(content) {
 import chalk from "chalk";
 
 // src/lib/api/core/client-factory.ts
-import { tsRestFetchApi } from "@ts-rest/core";
 var ApiRequestError = class extends Error {
   constructor(message, code, status) {
     super(message);
@@ -17323,30 +17329,7 @@ async function getClientConfig() {
     throw new ApiRequestError("Not authenticated", "UNAUTHORIZED", 401);
   }
   const baseHeaders = buildHeaders(token);
-  const jwtPayload = decodeCliTokenPayload(token) ?? decodeZeroTokenPayload(token);
-  if (jwtPayload) {
-    return { baseUrl, baseHeaders, jsonQuery: false };
-  }
-  const activeOrg = await getActiveOrg();
-  if (!activeOrg) {
-    throw new Error(
-      "No active organization configured. Run: zero org use <slug>"
-    );
-  }
-  return {
-    baseUrl,
-    baseHeaders,
-    jsonQuery: false,
-    api: async (args) => {
-      const [pathPart, queryPart] = args.path.split("?");
-      const params = new URLSearchParams(queryPart ?? "");
-      if (!params.has("org")) {
-        params.set("org", activeOrg);
-      }
-      args.path = params.toString() ? `${pathPart}?${params.toString()}` : pathPart;
-      return tsRestFetchApi(args);
-    }
-  };
+  return { baseUrl, baseHeaders, jsonQuery: false };
 }
 function handleError(result, defaultMessage) {
   const errorBody = result.body;
@@ -18319,7 +18302,6 @@ async function promptPassword(message) {
 
 export {
   configureGlobalProxyFromEnv,
-  decodeCliTokenPayload,
   decodeZeroTokenPayload,
   loadConfig,
   saveConfig,
@@ -18437,4 +18419,4 @@ export {
   promptSelect,
   promptPassword
 };
-//# sourceMappingURL=chunk-5BLBSO2W.js.map
+//# sourceMappingURL=chunk-IFUYTPFH.js.map