@zapier/zapier-sdk-cli 0.50.0 → 0.51.1

package/dist/index.mjs

@@ -1144,10 +1144,18 @@ async function runOauthFlow({
 
 // src/utils/auth/client-credentials.ts
 var CREDENTIALS_SCOPES = ["external", "credentials"];
-async function createCredentialsOnServer(api2, name) {
+var EMPTY_POLICY = {
+  version: 2,
+  statements: []
+};
+async function createCredentialsOnServer(api2, name, policy) {
   const response = await api2.post(
     "/api/v0/client-credentials",
-    { name, allowed_scopes: CREDENTIALS_SCOPES },
+    {
+      name,
+      allowed_scopes: CREDENTIALS_SCOPES,
+      ...policy !== void 0 && { policy }
+    },
     { authRequired: true, requiredScopes: ["credentials"] }
   );
   return {
@@ -1164,9 +1172,14 @@ async function deleteCredentialsOnServer(api2, clientId) {
 async function setupClientCredentials({
   api: api2,
   name,
-  credentialsBaseUrl
+  credentialsBaseUrl,
+  policy
 }) {
-  const { clientId, clientSecret } = await createCredentialsOnServer(api2, name);
+  const { clientId, clientSecret } = await createCredentialsOnServer(
+    api2,
+    name,
+    policy
+  );
   try {
     await withRetry({
       action: () => storeClientCredentials({
@@ -1208,7 +1221,10 @@ async function resolveCredentialsBaseUrl(context) {
   return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
 }
 var LoginSchema = z.object({
-  timeout: z.string().optional().describe("Login timeout in seconds (default: 300)")
+  timeout: z.string().optional().describe("Login timeout in seconds (default: 300)"),
+  useApprovals: z.boolean().optional().describe(
+    "Require approvals for actions performed with these credentials"
+  )
 }).describe("Log in to Zapier to access your account");
 
 // src/plugins/login/index.ts
@@ -1302,7 +1318,9 @@ function emitLoginSuccess({
   sdk.context.eventEmission.emit(
     "platform.sdk.ApplicationLifecycleEvent",
     buildApplicationLifecycleEvent(
-      { lifecycle_event_type: "login_success" },
+      {
+        lifecycle_event_type: "login_success"
+      },
       {
         customuser_id: profile.user_id,
         account_id: profile.roles[0]?.account_id ?? null
@@ -1374,15 +1392,20 @@ var loginPlugin = definePlugin(
         profile.email,
         credentialsBaseUrl
       );
+      const useApprovals = options.useApprovals === true;
       await setupClientCredentials({
         api: scopedApi,
         name: credentialName,
-        credentialsBaseUrl
+        credentialsBaseUrl,
+        ...useApprovals && { policy: EMPTY_POLICY }
       });
       await bestEffortClearLegacyJwtState();
       console.log(
         `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
       );
+      if (useApprovals) {
+        console.log("\u{1F510} Approvals are enabled for these credentials.");
+      }
       emitLoginSuccess({ sdk: sdk2, profile });
     }
   })
@@ -3926,7 +3949,7 @@ definePlugin(
 // package.json with { type: 'json' }
 var package_default = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.50.0"};
+  version: "0.51.1"};
 
 // src/sdk.ts
 injectCliLogin(login_exports);
@@ -3954,7 +3977,7 @@ function createZapierCliSdk(options = {}) {
 
 // package.json
 var package_default2 = {
-  version: "0.50.0"};
+  version: "0.51.1"};
 
 // src/telemetry/builders.ts
 function createCliBaseEvent(context = {}) {

package/dist/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@zapier/zapier-sdk-cli",
-    "version": "0.50.0",
+    "version": "0.51.1",
     "description": "Command line interface for Zapier SDK",
     "main": "dist/index.cjs",
     "module": "dist/index.mjs",
@@ -78,6 +78,7 @@
         "access": "public"
     },
     "dependencies": {
+        "@zapier/policy-schema": "0.11.0",
         "@inquirer/search": "^3.2.2",
         "@zapier/zapier-sdk": "workspace:*",
         "@zapier/zapier-sdk-mcp": "workspace:*",

package/dist/src/plugins/login/index.d.ts

@@ -22,6 +22,7 @@ export declare const loginPlugin: (sdk: {
 }) => {
     login: (options?: {
         timeout?: string | undefined;
+        useApprovals?: boolean | undefined;
     } | undefined) => Promise<void>;
 } & {
     context: {

package/dist/src/plugins/login/index.js

@@ -5,7 +5,7 @@ import { clearLegacyJwtState, hasLegacyJwtConfig, } from "../../login/legacy-jwt
 import { getActiveCredentials, credentialsNameExists, deleteStoredClientCredentials, } from "../../login/credentials-store";
 import { revokeCredentials } from "../../login/credentials-revoke";
 import { runOauthFlow } from "../../utils/auth/oauth-flow";
-import { setupClientCredentials } from "../../utils/auth/client-credentials";
+import { EMPTY_POLICY, setupClientCredentials, } from "../../utils/auth/client-credentials";
 import { resolveCredentialsBaseUrl } from "../auth/credentials-base-url";
 import { LoginSchema } from "./schemas";
 function toPkceCredentials(credentials) {
@@ -98,7 +98,9 @@ async function promptCredentialsName(email, baseUrl) {
     return credentialName;
 }
 function emitLoginSuccess({ sdk, profile, }) {
-    sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({ lifecycle_event_type: "login_success" }, {
+    sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({
+        lifecycle_event_type: "login_success",
+    }, {
         customuser_id: profile.user_id,
         account_id: profile.roles[0]?.account_id ?? null,
     }));
@@ -168,13 +170,18 @@ export const loginPlugin = definePlugin((sdk) => createPluginMethod(sdk, {
         console.log(`👤 Logged in as ${profile.email}`);
         console.log("\nGenerating credentials so this machine can make authenticated requests on your behalf.");
         const credentialName = await promptCredentialsName(profile.email, credentialsBaseUrl);
+        const useApprovals = options.useApprovals === true;
         await setupClientCredentials({
             api: scopedApi,
             name: credentialName,
             credentialsBaseUrl,
+            ...(useApprovals && { policy: EMPTY_POLICY }),
         });
         await bestEffortClearLegacyJwtState();
         console.log(`✅ Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`);
+        if (useApprovals) {
+            console.log("🔐 Approvals are enabled for these credentials.");
+        }
         emitLoginSuccess({ sdk, profile });
     },
 }));

package/dist/src/plugins/login/schemas.d.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
 export declare const LoginSchema: z.ZodObject<{
     timeout: z.ZodOptional<z.ZodString>;
+    useApprovals: z.ZodOptional<z.ZodBoolean>;
 }, z.core.$strip>;
 export type LoginOptions = z.infer<typeof LoginSchema>;

package/dist/src/plugins/login/schemas.js

@@ -6,5 +6,9 @@ export const LoginSchema = z
         .string()
         .optional()
         .describe("Login timeout in seconds (default: 300)"),
+    useApprovals: z
+        .boolean()
+        .optional()
+        .describe("Require approvals for actions performed with these credentials"),
 })
     .describe("Log in to Zapier to access your account");

package/dist/src/utils/auth/client-credentials.d.ts

@@ -1,8 +1,18 @@
+import type { Policy } from "@zapier/policy-schema";
 import type { ApiClient } from "@zapier/zapier-sdk";
+/**
+ * The canonical empty approvals policy. Attaching this to a credential at
+ * creation time tells the server that requests made with these credentials
+ * are subject to approval. Server-side enforcement decides which specific
+ * requests trigger the approval flow; the SDK only attaches the policy.
+ */
+export declare const EMPTY_POLICY: Policy;
 export interface SetupClientCredentialsOptions {
     api: ApiClient;
     name: string;
     credentialsBaseUrl?: string;
+    /** Optional policy document to attach to the new credential. */
+    policy?: Policy;
 }
 export interface SetupClientCredentialsResult {
     clientId: string;
@@ -13,4 +23,4 @@ export interface SetupClientCredentialsResult {
  * to roll back the orphan; if that rollback also fails, surface a
  * manual-fix message and re-throw the original store error.
  */
-export declare function setupClientCredentials({ api, name, credentialsBaseUrl, }: SetupClientCredentialsOptions): Promise<SetupClientCredentialsResult>;
+export declare function setupClientCredentials({ api, name, credentialsBaseUrl, policy, }: SetupClientCredentialsOptions): Promise<SetupClientCredentialsResult>;

package/dist/src/utils/auth/client-credentials.js

@@ -3,10 +3,24 @@ import { withRetry } from "../retry";
 // "external" allows SDK operations (listing, running actions, etc.);
 // "credentials" allows managing client credentials (list, create, delete).
 const CREDENTIALS_SCOPES = ["external", "credentials"];
-async function createCredentialsOnServer(api, name) {
+/**
+ * The canonical empty approvals policy. Attaching this to a credential at
+ * creation time tells the server that requests made with these credentials
+ * are subject to approval. Server-side enforcement decides which specific
+ * requests trigger the approval flow; the SDK only attaches the policy.
+ */
+export const EMPTY_POLICY = {
+    version: 2,
+    statements: [],
+};
+async function createCredentialsOnServer(api, name, policy) {
     // The server wraps the credential in `{ data: { ... } }`; mirror the
     // shape the SDK's own createClientCredentials plugin reads.
-    const response = await api.post("/api/v0/client-credentials", { name, allowed_scopes: CREDENTIALS_SCOPES }, { authRequired: true, requiredScopes: ["credentials"] });
+    const response = await api.post("/api/v0/client-credentials", {
+        name,
+        allowed_scopes: CREDENTIALS_SCOPES,
+        ...(policy !== undefined && { policy }),
+    }, { authRequired: true, requiredScopes: ["credentials"] });
     return {
         clientId: response.data.client_id,
         clientSecret: response.data.client_secret,
@@ -24,8 +38,8 @@ async function deleteCredentialsOnServer(api, clientId) {
  * to roll back the orphan; if that rollback also fails, surface a
  * manual-fix message and re-throw the original store error.
  */
-export async function setupClientCredentials({ api, name, credentialsBaseUrl, }) {
-    const { clientId, clientSecret } = await createCredentialsOnServer(api, name);
+export async function setupClientCredentials({ api, name, credentialsBaseUrl, policy, }) {
+    const { clientId, clientSecret } = await createCredentialsOnServer(api, name, policy);
     try {
         await withRetry({
             action: () => storeClientCredentials({