@vm0/cli 9.98.1 → 9.99.0

package/{chunk-F2IYWURQ.js → chunk-52LSZTSN.js}

@@ -49,7 +49,7 @@ if (DSN) {
   Sentry.init({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.98.1",
+    release: "9.99.0",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -68,7 +68,7 @@ if (DSN) {
     }
   });
   Sentry.setContext("cli", {
-    version: "9.98.1",
+    version: "9.99.0",
     command: process.argv.slice(2).join(" ")
   });
   Sentry.setContext("runtime", {
@@ -7725,6 +7725,19 @@ var slackFirewall = {
     }
   ]
 };
+var slackDefaultAllowed = [
+  "bookmarks:read",
+  "channels:history",
+  "channels:read",
+  "emoji:read",
+  "pins:read",
+  "reactions:read",
+  "search:read",
+  "team:read",
+  "usergroups:read",
+  "users.profile:read",
+  "users:read"
+];
 
 // ../../packages/core/src/firewalls/categories.ts
 var CATEGORY_REGISTRY = {};
@@ -22518,7 +22531,23 @@ var linearFirewall = {
           Authorization: "Bearer ${{ secrets.LINEAR_TOKEN }}"
         }
       },
-      permissions: []
+      permissions: [
+        {
+          name: "read",
+          description: "Read data (all GraphQL queries)",
+          rules: ["POST /graphql GraphQL type:query"]
+        },
+        {
+          name: "write",
+          description: "Modify data (all GraphQL mutations)",
+          rules: ["POST /graphql GraphQL type:mutation"]
+        },
+        {
+          name: "subscribe",
+          description: "Subscribe to real-time events",
+          rules: ["POST /graphql GraphQL type:subscription"]
+        }
+      ]
     }
   ]
 };
@@ -27113,6 +27142,35 @@ function isFirewallConnectorType(type) {
 function getConnectorFirewall(type) {
   return EXPANDED_CONNECTOR_FIREWALLS[type];
 }
+var DEFAULT_ALLOWED = {
+  slack: slackDefaultAllowed
+};
+function getDefaultFirewallPolicies(type) {
+  const allowed = DEFAULT_ALLOWED[type];
+  if (!allowed) return null;
+  const allowSet = new Set(allowed);
+  const config = getConnectorFirewall(type);
+  const result = {};
+  for (const api of config.apis) {
+    if (api.permissions) {
+      for (const p of api.permissions) {
+        result[p.name] = allowSet.has(p.name) ? "allow" : "deny";
+      }
+    }
+  }
+  return result;
+}
+function resolveFirewallPolicies(stored, connectors) {
+  let resolved = stored;
+  for (const connector of connectors) {
+    if (!isFirewallConnectorType(connector)) continue;
+    if (resolved?.[connector]) continue;
+    const defaults = getDefaultFirewallPolicies(connector);
+    if (!defaults) continue;
+    resolved = { ...resolved, [connector]: defaults };
+  }
+  return resolved;
+}
 
 // ../../packages/core/src/firewall-loader.ts
 var MAX_RESPONSE_SIZE = 128 * 1024;
@@ -27148,7 +27206,40 @@ function matchFirewallPath(path, pattern) {
   if (pi !== pathSegs.length) return null;
   return params;
 }
-function findMatchingPermissions(method, path, config) {
+function parseGraphQLRule(rest) {
+  const gqlIdx = rest.indexOf(" GraphQL");
+  if (gqlIdx === -1) return null;
+  const path = gqlIdx > 0 ? rest.slice(0, gqlIdx) : "/";
+  const suffixParts = rest.slice(gqlIdx + 1).split(/\s+/);
+  let typeFilter = null;
+  let opFilter = null;
+  for (let i = 1; i < suffixParts.length; i++) {
+    const part = suffixParts[i];
+    if (part.startsWith("type:")) {
+      typeFilter = part.slice(5);
+    } else if (part.startsWith("operationName:")) {
+      opFilter = part.slice(14);
+    }
+  }
+  return { path, typeFilter, opFilter };
+}
+function matchGraphQLBody(body, typeFilter, opFilter) {
+  if (!body) return false;
+  if (typeFilter !== null && body.type !== typeFilter) {
+    return false;
+  }
+  if (opFilter !== null) {
+    const opName = body.operationName;
+    if (!opName) return false;
+    if (opFilter.endsWith("*")) {
+      if (!opName.startsWith(opFilter.slice(0, -1))) return false;
+    } else if (opName !== opFilter) {
+      return false;
+    }
+  }
+  return true;
+}
+function findMatchingPermissions(method, path, config, graphqlBody) {
   const upperMethod = method.toUpperCase();
   const matched = /* @__PURE__ */ new Set();
   for (const api of config.apis) {
@@ -27159,9 +27250,14 @@ function findMatchingPermissions(method, path, config) {
         const spaceIdx = rule.indexOf(" ");
         if (spaceIdx === -1) continue;
         const ruleMethod = rule.slice(0, spaceIdx).toUpperCase();
-        const rulePath = rule.slice(spaceIdx + 1);
+        const rest = rule.slice(spaceIdx + 1);
         if (ruleMethod !== "ANY" && ruleMethod !== upperMethod) continue;
+        const gql = parseGraphQLRule(rest);
+        const rulePath = gql ? gql.path : rest;
         if (matchFirewallPath(path, rulePath) !== null) {
+          if (gql && (gql.typeFilter !== null || gql.opFilter !== null) && !matchGraphQLBody(graphqlBody, gql.typeFilter, gql.opFilter)) {
+            continue;
+          }
           matched.add(perm.name);
           break;
         }
@@ -31727,6 +31823,7 @@ export {
   resolveSkillRef,
   isFirewallConnectorType,
   getConnectorFirewall,
+  resolveFirewallPolicies,
   findMatchingPermissions,
   getInstructionsStorageName,
   getSkillStorageName,
@@ -31843,4 +31940,4 @@ export {
   parseTime,
   paginate
 };
-//# sourceMappingURL=chunk-F2IYWURQ.js.map
+//# sourceMappingURL=chunk-52LSZTSN.js.map