@zapier/zapier-sdk-cli 0.49.1 → 0.51.0

package/dist/index.cjs

@@ -1180,10 +1180,18 @@ async function runOauthFlow({
 
 // src/utils/auth/client-credentials.ts
 var CREDENTIALS_SCOPES = ["external", "credentials"];
-async function createCredentialsOnServer(api2, name) {
+var EMPTY_POLICY = {
+  version: 2,
+  statements: []
+};
+async function createCredentialsOnServer(api2, name, policy) {
   const response = await api2.post(
     "/api/v0/client-credentials",
-    { name, allowed_scopes: CREDENTIALS_SCOPES },
+    {
+      name,
+      allowed_scopes: CREDENTIALS_SCOPES,
+      ...policy !== void 0 && { policy }
+    },
     { authRequired: true, requiredScopes: ["credentials"] }
   );
   return {
@@ -1200,9 +1208,14 @@ async function deleteCredentialsOnServer(api2, clientId) {
 async function setupClientCredentials({
   api: api2,
   name,
-  credentialsBaseUrl
+  credentialsBaseUrl,
+  policy
 }) {
-  const { clientId, clientSecret } = await createCredentialsOnServer(api2, name);
+  const { clientId, clientSecret } = await createCredentialsOnServer(
+    api2,
+    name,
+    policy
+  );
   try {
     await withRetry({
       action: () => storeClientCredentials({
@@ -1244,7 +1257,10 @@ async function resolveCredentialsBaseUrl(context) {
   return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
 }
 var LoginSchema = zod.z.object({
-  timeout: zod.z.string().optional().describe("Login timeout in seconds (default: 300)")
+  timeout: zod.z.string().optional().describe("Login timeout in seconds (default: 300)"),
+  useApprovals: zod.z.boolean().optional().describe(
+    "Require approvals for actions performed with these credentials"
+  )
 }).describe("Log in to Zapier to access your account");
 
 // src/plugins/login/index.ts
@@ -1338,7 +1354,9 @@ function emitLoginSuccess({
   sdk.context.eventEmission.emit(
     "platform.sdk.ApplicationLifecycleEvent",
     zapierSdk.buildApplicationLifecycleEvent(
-      { lifecycle_event_type: "login_success" },
+      {
+        lifecycle_event_type: "login_success"
+      },
       {
         customuser_id: profile.user_id,
         account_id: profile.roles[0]?.account_id ?? null
@@ -1410,15 +1428,20 @@ var loginPlugin = zapierSdk.definePlugin(
         profile.email,
         credentialsBaseUrl
       );
+      const useApprovals = options.useApprovals === true;
       await setupClientCredentials({
         api: scopedApi,
         name: credentialName,
-        credentialsBaseUrl
+        credentialsBaseUrl,
+        ...useApprovals && { policy: EMPTY_POLICY }
       });
       await bestEffortClearLegacyJwtState();
       console.log(
         `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
       );
+      if (useApprovals) {
+        console.log("\u{1F510} Approvals are enabled for these credentials.");
+      }
       emitLoginSuccess({ sdk: sdk2, profile });
     }
   })
@@ -3962,7 +3985,7 @@ zapierSdk.definePlugin(
 // package.json with { type: 'json' }
 var package_default = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.49.1"};
+  version: "0.51.0"};
 
 // src/sdk.ts
 zapierSdk.injectCliLogin(login_exports);
@@ -3990,7 +4013,7 @@ function createZapierCliSdk(options = {}) {
 
 // package.json
 var package_default2 = {
-  version: "0.49.1"};
+  version: "0.51.0"};
 
 // src/telemetry/builders.ts
 function createCliBaseEvent(context = {}) {

package/dist/index.mjs

@@ -1144,10 +1144,18 @@ async function runOauthFlow({
 
 // src/utils/auth/client-credentials.ts
 var CREDENTIALS_SCOPES = ["external", "credentials"];
-async function createCredentialsOnServer(api2, name) {
+var EMPTY_POLICY = {
+  version: 2,
+  statements: []
+};
+async function createCredentialsOnServer(api2, name, policy) {
   const response = await api2.post(
     "/api/v0/client-credentials",
-    { name, allowed_scopes: CREDENTIALS_SCOPES },
+    {
+      name,
+      allowed_scopes: CREDENTIALS_SCOPES,
+      ...policy !== void 0 && { policy }
+    },
     { authRequired: true, requiredScopes: ["credentials"] }
   );
   return {
@@ -1164,9 +1172,14 @@ async function deleteCredentialsOnServer(api2, clientId) {
 async function setupClientCredentials({
   api: api2,
   name,
-  credentialsBaseUrl
+  credentialsBaseUrl,
+  policy
 }) {
-  const { clientId, clientSecret } = await createCredentialsOnServer(api2, name);
+  const { clientId, clientSecret } = await createCredentialsOnServer(
+    api2,
+    name,
+    policy
+  );
   try {
     await withRetry({
       action: () => storeClientCredentials({
@@ -1208,7 +1221,10 @@ async function resolveCredentialsBaseUrl(context) {
   return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
 }
 var LoginSchema = z.object({
-  timeout: z.string().optional().describe("Login timeout in seconds (default: 300)")
+  timeout: z.string().optional().describe("Login timeout in seconds (default: 300)"),
+  useApprovals: z.boolean().optional().describe(
+    "Require approvals for actions performed with these credentials"
+  )
 }).describe("Log in to Zapier to access your account");
 
 // src/plugins/login/index.ts
@@ -1302,7 +1318,9 @@ function emitLoginSuccess({
   sdk.context.eventEmission.emit(
     "platform.sdk.ApplicationLifecycleEvent",
     buildApplicationLifecycleEvent(
-      { lifecycle_event_type: "login_success" },
+      {
+        lifecycle_event_type: "login_success"
+      },
       {
         customuser_id: profile.user_id,
         account_id: profile.roles[0]?.account_id ?? null
@@ -1374,15 +1392,20 @@ var loginPlugin = definePlugin(
         profile.email,
         credentialsBaseUrl
       );
+      const useApprovals = options.useApprovals === true;
       await setupClientCredentials({
         api: scopedApi,
         name: credentialName,
-        credentialsBaseUrl
+        credentialsBaseUrl,
+        ...useApprovals && { policy: EMPTY_POLICY }
       });
       await bestEffortClearLegacyJwtState();
       console.log(
         `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
       );
+      if (useApprovals) {
+        console.log("\u{1F510} Approvals are enabled for these credentials.");
+      }
       emitLoginSuccess({ sdk: sdk2, profile });
     }
   })
@@ -3926,7 +3949,7 @@ definePlugin(
 // package.json with { type: 'json' }
 var package_default = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.49.1"};
+  version: "0.51.0"};
 
 // src/sdk.ts
 injectCliLogin(login_exports);
@@ -3954,7 +3977,7 @@ function createZapierCliSdk(options = {}) {
 
 // package.json
 var package_default2 = {
-  version: "0.49.1"};
+  version: "0.51.0"};
 
 // src/telemetry/builders.ts
 function createCliBaseEvent(context = {}) {

package/dist/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@zapier/zapier-sdk-cli",
-    "version": "0.49.1",
+    "version": "0.51.0",
     "description": "Command line interface for Zapier SDK",
     "main": "dist/index.cjs",
     "module": "dist/index.mjs",
@@ -78,6 +78,7 @@
         "access": "public"
     },
     "dependencies": {
+        "@zapier/policy-schema": "0.11.0",
         "@inquirer/search": "^3.2.2",
         "@zapier/zapier-sdk": "workspace:*",
         "@zapier/zapier-sdk-mcp": "workspace:*",

package/dist/src/plugins/login/index.d.ts

@@ -22,6 +22,7 @@ export declare const loginPlugin: (sdk: {
 }) => {
     login: (options?: {
         timeout?: string | undefined;
+        useApprovals?: boolean | undefined;
     } | undefined) => Promise<void>;
 } & {
     context: {

package/dist/src/plugins/login/index.js

@@ -5,7 +5,7 @@ import { clearLegacyJwtState, hasLegacyJwtConfig, } from "../../login/legacy-jwt
 import { getActiveCredentials, credentialsNameExists, deleteStoredClientCredentials, } from "../../login/credentials-store";
 import { revokeCredentials } from "../../login/credentials-revoke";
 import { runOauthFlow } from "../../utils/auth/oauth-flow";
-import { setupClientCredentials } from "../../utils/auth/client-credentials";
+import { EMPTY_POLICY, setupClientCredentials, } from "../../utils/auth/client-credentials";
 import { resolveCredentialsBaseUrl } from "../auth/credentials-base-url";
 import { LoginSchema } from "./schemas";
 function toPkceCredentials(credentials) {
@@ -98,7 +98,9 @@ async function promptCredentialsName(email, baseUrl) {
     return credentialName;
 }
 function emitLoginSuccess({ sdk, profile, }) {
-    sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({ lifecycle_event_type: "login_success" }, {
+    sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({
+        lifecycle_event_type: "login_success",
+    }, {
         customuser_id: profile.user_id,
         account_id: profile.roles[0]?.account_id ?? null,
     }));
@@ -168,13 +170,18 @@ export const loginPlugin = definePlugin((sdk) => createPluginMethod(sdk, {
         console.log(`👤 Logged in as ${profile.email}`);
         console.log("\nGenerating credentials so this machine can make authenticated requests on your behalf.");
         const credentialName = await promptCredentialsName(profile.email, credentialsBaseUrl);
+        const useApprovals = options.useApprovals === true;
         await setupClientCredentials({
             api: scopedApi,
             name: credentialName,
             credentialsBaseUrl,
+            ...(useApprovals && { policy: EMPTY_POLICY }),
         });
         await bestEffortClearLegacyJwtState();
         console.log(`✅ Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`);
+        if (useApprovals) {
+            console.log("🔐 Approvals are enabled for these credentials.");
+        }
         emitLoginSuccess({ sdk, profile });
     },
 }));

package/dist/src/plugins/login/schemas.d.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
 export declare const LoginSchema: z.ZodObject<{
     timeout: z.ZodOptional<z.ZodString>;
+    useApprovals: z.ZodOptional<z.ZodBoolean>;
 }, z.core.$strip>;
 export type LoginOptions = z.infer<typeof LoginSchema>;

package/dist/src/plugins/login/schemas.js

@@ -6,5 +6,9 @@ export const LoginSchema = z
         .string()
         .optional()
         .describe("Login timeout in seconds (default: 300)"),
+    useApprovals: z
+        .boolean()
+        .optional()
+        .describe("Require approvals for actions performed with these credentials"),
 })
     .describe("Log in to Zapier to access your account");

package/dist/src/utils/auth/client-credentials.d.ts

@@ -1,8 +1,18 @@
+import type { Policy } from "@zapier/policy-schema";
 import type { ApiClient } from "@zapier/zapier-sdk";
+/**
+ * The canonical empty approvals policy. Attaching this to a credential at
+ * creation time tells the server that requests made with these credentials
+ * are subject to approval. Server-side enforcement decides which specific
+ * requests trigger the approval flow; the SDK only attaches the policy.
+ */
+export declare const EMPTY_POLICY: Policy;
 export interface SetupClientCredentialsOptions {
     api: ApiClient;
     name: string;
     credentialsBaseUrl?: string;
+    /** Optional policy document to attach to the new credential. */
+    policy?: Policy;
 }
 export interface SetupClientCredentialsResult {
     clientId: string;
@@ -13,4 +23,4 @@ export interface SetupClientCredentialsResult {
  * to roll back the orphan; if that rollback also fails, surface a
  * manual-fix message and re-throw the original store error.
  */
-export declare function setupClientCredentials({ api, name, credentialsBaseUrl, }: SetupClientCredentialsOptions): Promise<SetupClientCredentialsResult>;
+export declare function setupClientCredentials({ api, name, credentialsBaseUrl, policy, }: SetupClientCredentialsOptions): Promise<SetupClientCredentialsResult>;

package/dist/src/utils/auth/client-credentials.js

@@ -3,10 +3,24 @@ import { withRetry } from "../retry";
 // "external" allows SDK operations (listing, running actions, etc.);
 // "credentials" allows managing client credentials (list, create, delete).
 const CREDENTIALS_SCOPES = ["external", "credentials"];
-async function createCredentialsOnServer(api, name) {
+/**
+ * The canonical empty approvals policy. Attaching this to a credential at
+ * creation time tells the server that requests made with these credentials
+ * are subject to approval. Server-side enforcement decides which specific
+ * requests trigger the approval flow; the SDK only attaches the policy.
+ */
+export const EMPTY_POLICY = {
+    version: 2,
+    statements: [],
+};
+async function createCredentialsOnServer(api, name, policy) {
     // The server wraps the credential in `{ data: { ... } }`; mirror the
     // shape the SDK's own createClientCredentials plugin reads.
-    const response = await api.post("/api/v0/client-credentials", { name, allowed_scopes: CREDENTIALS_SCOPES }, { authRequired: true, requiredScopes: ["credentials"] });
+    const response = await api.post("/api/v0/client-credentials", {
+        name,
+        allowed_scopes: CREDENTIALS_SCOPES,
+        ...(policy !== undefined && { policy }),
+    }, { authRequired: true, requiredScopes: ["credentials"] });
     return {
         clientId: response.data.client_id,
         clientSecret: response.data.client_secret,
@@ -24,8 +38,8 @@ async function deleteCredentialsOnServer(api, clientId) {
  * to roll back the orphan; if that rollback also fails, surface a
  * manual-fix message and re-throw the original store error.
  */
-export async function setupClientCredentials({ api, name, credentialsBaseUrl, }) {
-    const { clientId, clientSecret } = await createCredentialsOnServer(api, name);
+export async function setupClientCredentials({ api, name, credentialsBaseUrl, policy, }) {
+    const { clientId, clientSecret } = await createCredentialsOnServer(api, name, policy);
     try {
         await withRetry({
             action: () => storeClientCredentials({

package/dist/src/utils/parameter-resolver.d.ts

@@ -1,5 +1,26 @@
 import { z } from "zod";
 import { type ZapierSdk } from "@zapier/zapier-sdk";
+/**
+ * Append a choice's `hint` to its name as dimmed parens, returning a new
+ * choice object. An array hint is joined with ", ". Used by every prompt
+ * backend that renders resolver-supplied choices so the dim styling lives
+ * in one place.
+ *
+ * Default-when-unset: if `hint` is not provided and the choice's `value`
+ * is a primitive (string or number), the value is auto-rendered as the
+ * hint. So a resolver returning `{ name: "Slack", value: "SlackCLIAPI" }`
+ * with no `hint` renders as `Slack (SlackCLIAPI)`. To opt out of the
+ * auto-default, set `hint: ""` or `hint: []` explicitly.
+ *
+ * Skip-when-equal: a hint that matches the rendered name verbatim is
+ * suppressed so primitive-enum resolvers (where `name === String(value)`)
+ * don't render "read (read)". Case differences still render both.
+ */
+export declare function renderChoiceLabel<T extends {
+    name: string;
+    value: unknown;
+    hint?: string | string[];
+}>(choice: T): T;
 export declare class SchemaParameterResolver {
     private debug;
     private spinner;

package/dist/src/utils/parameter-resolver.js

@@ -87,6 +87,40 @@ function coerceToSchemaType(value, schema) {
 // ============================================================================
 // Schema Parameter Resolver
 // ============================================================================
+/**
+ * Append a choice's `hint` to its name as dimmed parens, returning a new
+ * choice object. An array hint is joined with ", ". Used by every prompt
+ * backend that renders resolver-supplied choices so the dim styling lives
+ * in one place.
+ *
+ * Default-when-unset: if `hint` is not provided and the choice's `value`
+ * is a primitive (string or number), the value is auto-rendered as the
+ * hint. So a resolver returning `{ name: "Slack", value: "SlackCLIAPI" }`
+ * with no `hint` renders as `Slack (SlackCLIAPI)`. To opt out of the
+ * auto-default, set `hint: ""` or `hint: []` explicitly.
+ *
+ * Skip-when-equal: a hint that matches the rendered name verbatim is
+ * suppressed so primitive-enum resolvers (where `name === String(value)`)
+ * don't render "read (read)". Case differences still render both.
+ */
+export function renderChoiceLabel(choice) {
+    let effectiveHint = choice.hint;
+    if (effectiveHint === undefined &&
+        (typeof choice.value === "string" || typeof choice.value === "number")) {
+        effectiveHint = String(choice.value);
+    }
+    if (!effectiveHint ||
+        (Array.isArray(effectiveHint) && effectiveHint.length === 0)) {
+        return choice;
+    }
+    const hintText = Array.isArray(effectiveHint)
+        ? effectiveHint.join(", ")
+        : effectiveHint;
+    if (hintText === choice.name) {
+        return choice;
+    }
+    return { ...choice, name: `${choice.name} ${chalk.dim(`(${hintText})`)}` };
+}
 export class SchemaParameterResolver {
     constructor() {
         this.debug = false;
@@ -513,7 +547,7 @@ export class SchemaParameterResolver {
             }
             const { items } = await this.unpackFetchResult(fetchResult, promptLabel);
             const choicesConfig = resolver.prompt(items, searchParams);
-            const dataChoices = choicesConfig.choices ?? [];
+            const dataChoices = (choicesConfig.choices ?? []).map(renderChoiceLabel);
             const capabilityHintMessages = await this.computeCapabilityHints(resolver, context);
             const selected = await search({
                 message: choicesConfig.message,
@@ -730,6 +764,12 @@ export class SchemaParameterResolver {
             while (true) {
                 const promptConfig = dynamicResolver.prompt(items, context.resolvedParams);
                 promptConfig.name = promptName;
+                // Fold any per-choice `hint` into the rendered name once, here, so
+                // both the search-backed list path and the checkbox path below
+                // pick up the dim styling without each having to know about hints.
+                if (promptConfig.choices) {
+                    promptConfig.choices = promptConfig.choices.map(renderChoiceLabel);
+                }
                 // Friendlier than inquirer's default "No selectable choices. All
                 // choices are disabled." when the resolver returns no items (or
                 // filters everything out in `prompt`). Use ZapierCliValidationError