@zapier/zapier-sdk 0.42.0 → 0.43.0

package/dist/index.cjs

@@ -1,6 +1,7 @@
 'use strict';
 
 var zod = require('zod');
+var policyContext = require('@zapier/policy-context');
 var apps = require('@zapier/zapier-sdk-core/v0/schemas/apps');
 var connections = require('@zapier/zapier-sdk-core/v0/schemas/connections');
 var clientCredentials = require('@zapier/zapier-sdk-core/v0/schemas/client-credentials');
@@ -58,6 +59,16 @@ function parseIntEnvVar(name) {
 }
 var ZAPIER_MAX_NETWORK_RETRIES = parseIntEnvVar("ZAPIER_MAX_NETWORK_RETRIES") ?? 3;
 var ZAPIER_MAX_NETWORK_RETRY_DELAY_MS = parseIntEnvVar("ZAPIER_MAX_NETWORK_RETRY_DELAY_MS") ?? 6e4;
+function getZapierIsInteractive() {
+  return globalThis.process?.env?.ZAPIER_IS_INTERACTIVE === "true";
+}
+function getZapierApprovalMode() {
+  const value = globalThis.process?.env?.ZAPIER_APPROVAL_MODE;
+  if (value === "poll" || value === "fail") return value;
+  return void 0;
+}
+var DEFAULT_APPROVAL_TIMEOUT_MS = 10 * 60 * 1e3;
+var DEFAULT_MAX_APPROVAL_RETRIES = 2;
 
 // src/types/properties.ts
 var AppKeyPropertySchema = withPositional(
@@ -226,6 +237,17 @@ var ZapierRateLimitError = class extends ZapierError {
     this.retries = options.retries ?? 0;
   }
 };
+var ZapierApprovalError = class extends ZapierError {
+  constructor(message, options = {}) {
+    super(message, options);
+    this.name = "ZapierApprovalError";
+    this.code = "ZAPIER_APPROVAL_ERROR";
+    this.approvalId = options.approvalId;
+    this.approvalStatus = options.status;
+    this.approvalUrl = options.approvalUrl;
+    this.pollUrl = options.pollUrl;
+  }
+};
 var ZapierRelayError = class extends ZapierError {
   constructor(message, options = {}) {
     super(message, options);
@@ -270,6 +292,10 @@ ${context.join(", ")}`;
   if (error instanceof ZapierBundleError && error.buildErrors && error.buildErrors.length > 0) {
     message += "\n\nBuild errors:\n" + error.buildErrors.map((err) => `  \u2022 ${err}`).join("\n");
   }
+  if (error instanceof ZapierApprovalError && error.approvalUrl) {
+    message += `
+Approval URL: ${error.approvalUrl}`;
+  }
   if (error instanceof ZapierRateLimitError) {
     const { limit, remaining, retryAfterMs } = error.rateLimit;
     const parts = [];
@@ -517,7 +543,7 @@ function createAppsProxy(options) {
   });
   return appsProxy;
 }
-var appsPlugin = ({ sdk }) => {
+var appsPlugin = (sdk) => {
   return {
     apps: createAppsProxy({ sdk }),
     context: {
@@ -927,11 +953,11 @@ function buildAbortHandle({
 }
 var FetchInitSdkValidationSchema = zod.z.looseObject(FetchInitZapierFieldsSchema.shape).optional();
 var validateFetchInit = createValidator(FetchInitSdkValidationSchema);
-var fetchPlugin = ({ context }) => {
+var fetchPlugin = (sdk) => {
   return {
     fetch: async function fetch2(url, init) {
       return runWithTelemetryContext(async () => {
-        const { api } = context;
+        const { api } = sdk.context;
         const startTime = Date.now();
         const isNested = isTelemetryNested();
         try {
@@ -950,7 +976,7 @@ var fetchPlugin = ({ context }) => {
             connectionId,
             connection,
             authenticationId,
-            resolveConnection: context.resolveConnection,
+            resolveConnection: sdk.context.resolveConnection,
             label: "fetch"
           });
           const relayPath = transformUrlToRelayPath(url);
@@ -977,18 +1003,27 @@ var fetchPlugin = ({ context }) => {
           if (maxTime !== void 0) {
             headers["X-Zapier-Sdk-Max-Time"] = String(maxTime);
           }
+          const upstreamUrl = new URL(url).toString();
+          const method = (fetchInit.method ?? "GET").toUpperCase();
           const abortHandle = buildAbortHandle({
             maxTimeSeconds: maxTime,
             callerSignal: fetchInit.signal
           });
           try {
             const result = await api.fetch(relayPath, {
-              method: fetchInit.method ?? "GET",
+              method,
               body: fetchInit.body,
               headers,
               redirect: fetchInit.redirect,
               signal: abortHandle?.signal,
-              authRequired: true
+              authRequired: true,
+              approvalContext: () => policyContext.buildHttpRequestContext({
+                method,
+                url: upstreamUrl,
+                headers,
+                body: typeof fetchInit.body === "string" ? fetchInit.body : void 0,
+                connection_id: resolvedConnectionId ? String(resolvedConnectionId) : void 0
+              })
             });
             const relayError = result.headers.get("x-relay-error");
             if (relayError) {
@@ -997,7 +1032,7 @@ var fetchPlugin = ({ context }) => {
               });
             }
             if (!isNested) {
-              context.eventEmission.emitMethodCalled({
+              sdk.context.eventEmission.emitMethodCalled({
                 method_name: "fetch",
                 execution_duration_ms: Date.now() - startTime,
                 success_flag: true,
@@ -1019,7 +1054,7 @@ var fetchPlugin = ({ context }) => {
           }
         } catch (error) {
           if (!isNested) {
-            context.eventEmission.emitMethodCalled({
+            sdk.context.eventEmission.emitMethodCalled({
               method_name: "fetch",
               execution_duration_ms: Date.now() - startTime,
               success_flag: false,
@@ -1583,9 +1618,9 @@ function createTelemetryCallback(emitMethodCalled, methodName) {
 }
 
 // src/plugins/listApps/index.ts
-var listAppsPlugin = ({ context }) => {
+var listAppsPlugin = (sdk) => {
   async function listAppsPage(options) {
-    const { api, resolveAppKeys: resolveAppKeys2 } = context;
+    const { api, resolveAppKeys: resolveAppKeys2 } = sdk.context;
     const appKeys = options.apps ?? options.appKeys ?? [];
     const appLocators = await resolveAppKeys2({
       appKeys: [...appKeys]
@@ -1629,7 +1664,10 @@ var listAppsPlugin = ({ context }) => {
   const listAppsDefinition = createPaginatedFunction(
     listAppsPage,
     ListAppsSchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -2070,7 +2108,7 @@ var actionKeyResolver = {
 
 // src/resolvers/connectionId.ts
 async function fetchConnections(sdk, resolvedParams) {
-  const context = sdk.getContext();
+  const context = sdk.context;
   const includeShared = await context.hasCapability?.(
     "canIncludeSharedConnections"
   );
@@ -2238,7 +2276,7 @@ var tableIdResolver = {
   type: "dynamic",
   requireCapabilities: ["canIncludeSharedTables"],
   fetch: async (sdk) => {
-    const context = sdk.getContext();
+    const context = sdk.context;
     const includeShared = await context.hasCapability?.(
       "canIncludeSharedTables"
     );
@@ -2878,7 +2916,7 @@ var tableSortResolver = {
 };
 
 // src/plugins/listActions/index.ts
-var listActionsPlugin = ({ context }) => {
+var listActionsPlugin = (sdk) => {
   const methodMeta = {
     categories: ["action"],
     type: "list",
@@ -2891,7 +2929,7 @@ var listActionsPlugin = ({ context }) => {
     }
   };
   async function listActionsPage(options) {
-    const { api, getVersionedImplementationId } = context;
+    const { api, getVersionedImplementationId } = sdk.context;
     const appKey = "app" in options ? options.app : options.appKey;
     const selectedApi = await getVersionedImplementationId(appKey);
     if (!selectedApi) {
@@ -2956,7 +2994,10 @@ var listActionsPlugin = ({ context }) => {
   const listActionsDefinition = createPaginatedFunction(
     listActionsPage,
     ListActionsInputSchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -3279,9 +3320,9 @@ function transformNeedsToFields(needs) {
   }
   return rootFields;
 }
-var listInputFieldsPlugin = ({ sdk, context }) => {
+var listInputFieldsPlugin = (sdk) => {
   async function listInputFieldsPage(options) {
-    const { api, getVersionedImplementationId } = context;
+    const { api, getVersionedImplementationId } = sdk.context;
     const appKey = "app" in options ? options.app : options.appKey;
     const actionKey = "action" in options ? options.action : options.actionKey;
     const { actionType, connection, connectionId, authenticationId, inputs } = options;
@@ -3289,7 +3330,7 @@ var listInputFieldsPlugin = ({ sdk, context }) => {
       connection,
       connectionId,
       authenticationId,
-      resolveConnection: context.resolveConnection
+      resolveConnection: sdk.context.resolveConnection
     });
     const selectedApi = await getVersionedImplementationId(appKey);
     if (!selectedApi) {
@@ -3327,7 +3368,10 @@ var listInputFieldsPlugin = ({ sdk, context }) => {
   const listInputFieldsDefinition = createPaginatedFunction(
     listInputFieldsPage,
     ListInputFieldsInputSchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -3430,12 +3474,12 @@ var ConnectionItemSchema = withFormatter(connections.ConnectionItemSchema, {
 });
 
 // src/plugins/listConnections/index.ts
-var listConnectionsPlugin = ({ context }) => {
+var listConnectionsPlugin = (sdk) => {
   async function listConnectionsPage(options) {
     if (options.includeShared) {
-      await context.checkCapability("canIncludeSharedConnections");
+      await sdk.context.checkCapability("canIncludeSharedConnections");
     }
-    const { api, getVersionedImplementationId } = context;
+    const { api, getVersionedImplementationId } = sdk.context;
     const searchParams = {};
     if (options.pageSize !== void 0) {
       searchParams.page_size = options.pageSize.toString();
@@ -3458,7 +3502,7 @@ var listConnectionsPlugin = ({ context }) => {
         connectionRefs.map(
           (ref) => resolveConnectionId({
             connection: ref,
-            resolveConnection: context.resolveConnection
+            resolveConnection: sdk.context.resolveConnection
           })
         )
       );
@@ -3524,7 +3568,10 @@ var listConnectionsPlugin = ({ context }) => {
   const listConnectionsDefinition = createPaginatedFunction(
     listConnectionsPage,
     ListConnectionsQuerySchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -3600,9 +3647,9 @@ var ClientCredentialsCreatedItemSchema = withFormatter(
 );
 
 // src/plugins/listClientCredentials/index.ts
-var listClientCredentialsPlugin = ({ context }) => {
+var listClientCredentialsPlugin = (sdk) => {
   async function listClientCredentialsPage(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const searchParams = {};
     if (options.pageSize !== void 0) {
       searchParams.pageSize = options.pageSize.toString();
@@ -3639,7 +3686,10 @@ var listClientCredentialsPlugin = ({ context }) => {
   const listClientCredentialsDefinition = createPaginatedFunction(
     listClientCredentialsPage,
     ListClientCredentialsQuerySchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -3659,18 +3709,21 @@ var listClientCredentialsPlugin = ({ context }) => {
   };
 };
 var CreateClientCredentialsSchema = clientCredentials.CreateClientCredentialsRequestSchema.omit({ allowed_scopes: true }).extend({
-  allowedScopes: zod.z.array(zod.z.enum(["credentials", "external"])).default(["external"]).describe("Scopes to allow for these credentials")
+  allowedScopes: zod.z.array(zod.z.enum(["credentials", "external"])).default(["external"]).describe("Scopes to allow for these credentials"),
+  // Temporarily hidden while we finalise work to make approvals/policies customer-facing.
+  policy: zod.z.record(zod.z.string(), zod.z.unknown()).optional().describe("Policy document (JSON) to attach to the credentials").meta({ deprecated: true })
 }).describe("Create new client credentials for the authenticated user");
 
 // src/plugins/createClientCredentials/index.ts
-var createClientCredentialsPlugin = ({ context }) => {
+var createClientCredentialsPlugin = (sdk) => {
   async function createClientCredentials(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const response = await api.post(
       "/api/v0/client-credentials",
       {
         name: options.name,
-        allowed_scopes: options.allowedScopes
+        allowed_scopes: options.allowedScopes,
+        ...options.policy && { policy: options.policy }
       },
       {
         customErrorHandler: ({ status }) => {
@@ -3700,7 +3753,7 @@ var createClientCredentialsPlugin = ({ context }) => {
     createClientCredentials,
     CreateClientCredentialsSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       createClientCredentials.name
     )
   );
@@ -3728,9 +3781,9 @@ var DeleteClientCredentialsSchema = zod.z.object({
 }).describe("Delete client credentials by client ID");
 
 // src/plugins/deleteClientCredentials/index.ts
-var deleteClientCredentialsPlugin = ({ context }) => {
+var deleteClientCredentialsPlugin = (sdk) => {
   async function deleteClientCredentials(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     await api.delete(
       `/api/v0/client-credentials/${options.clientId}`,
       void 0,
@@ -3762,7 +3815,7 @@ var deleteClientCredentialsPlugin = ({ context }) => {
     deleteClientCredentials,
     DeleteClientCredentialsSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       deleteClientCredentials.name
     )
   );
@@ -3793,7 +3846,7 @@ var GetAppSchemaDeprecated = zod.z.object({
 var GetAppInputSchema = zod.z.union([GetAppSchema, GetAppSchemaDeprecated]).describe(GetAppDescription);
 
 // src/plugins/getApp/index.ts
-var getAppPlugin = ({ sdk, context }) => {
+var getAppPlugin = (sdk) => {
   async function getApp(options) {
     const appKey = "app" in options ? options.app : options.appKey;
     const appsIterable = sdk.listApps({
@@ -3812,7 +3865,7 @@ var getAppPlugin = ({ sdk, context }) => {
     getApp,
     GetAppInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       getApp.name
     )
   );
@@ -3848,7 +3901,7 @@ var GetActionSchemaDeprecated = zod.z.object({
 var GetActionInputSchema = zod.z.union([GetActionSchema, GetActionSchemaDeprecated]).describe(GetActionDescription);
 
 // src/plugins/getAction/index.ts
-var getActionPlugin = ({ sdk, context }) => {
+var getActionPlugin = (sdk) => {
   async function getAction(options) {
     const appKey = "app" in options ? options.app : options.appKey;
     const actionKey = "action" in options ? options.action : options.actionKey;
@@ -3871,7 +3924,7 @@ var getActionPlugin = ({ sdk, context }) => {
     getAction,
     GetActionInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       getAction.name
     )
   );
@@ -3908,9 +3961,9 @@ var GetConnectionParamSchema = zod.z.object({
 });
 
 // src/plugins/getConnection/index.ts
-var getConnectionPlugin = ({ context }) => {
+var getConnectionPlugin = (sdk) => {
   async function getConnection(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const resolvedConnectionId = options.connection ?? options.connectionId ?? options.authenticationId;
     if (!resolvedConnectionId) {
       throw new Error("connection is required");
@@ -3927,7 +3980,7 @@ var getConnectionPlugin = ({ context }) => {
     getConnection,
     GetConnectionParamSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       getConnection.name
     )
   );
@@ -3961,7 +4014,7 @@ var FindFirstConnectionSchema = ListConnectionsQuerySchema.omit({
 }).describe("Find the first connection matching the criteria");
 
 // src/plugins/findFirstConnection/index.ts
-var findFirstConnectionPlugin = ({ sdk, context }) => {
+var findFirstConnectionPlugin = (sdk) => {
   async function findFirstConnection(options = {}) {
     const connectionsResponse = await sdk.listConnections({
       ...options,
@@ -3981,7 +4034,7 @@ var findFirstConnectionPlugin = ({ sdk, context }) => {
     findFirstConnection,
     FindFirstConnectionSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       findFirstConnection.name
     )
   );
@@ -4012,7 +4065,7 @@ var FindUniqueConnectionSchema = ListConnectionsQuerySchema.omit({
 }).describe("Find a unique connection matching the criteria");
 
 // src/plugins/findUniqueConnection/index.ts
-var findUniqueConnectionPlugin = ({ sdk, context }) => {
+var findUniqueConnectionPlugin = (sdk) => {
   async function findUniqueConnection(options = {}) {
     const connectionsResponse = await sdk.listConnections({
       ...options,
@@ -4038,7 +4091,7 @@ var findUniqueConnectionPlugin = ({ sdk, context }) => {
     findUniqueConnection,
     FindUniqueConnectionSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       findUniqueConnection.name
     )
   );
@@ -4093,8 +4146,6 @@ var RunActionSchemaDeprecated = zod.z.object({
   actionKey: ActionKeyPropertySchema
 }).merge(RunActionBaseSchema);
 var RunActionInputSchema = zod.z.union([RunActionSchema, RunActionSchemaDeprecated]).describe(RunActionDescription);
-
-// src/plugins/runAction/index.ts
 async function executeAction(actionOptions) {
   const {
     api,
@@ -4125,7 +4176,18 @@ async function executeAction(actionOptions) {
   };
   const runData = await api.post(
     "/zapier/api/actions/v1/runs",
-    runRequest
+    runRequest,
+    {
+      approvalContext: () => policyContext.buildActionRunContext({
+        selected_api: selectedApi,
+        action_type: actionType,
+        action_key: actionKey,
+        connection_id: connectionId != null ? String(connectionId) : void 0,
+        // Cast: inputs is Record<string, unknown> at the SDK surface, but
+        // buildActionRunContext coerces to JsonValue at runtime via zod.
+        inputs: executionOptions.inputs ?? {}
+      })
+    }
   );
   const runId = runData.data.id;
   return await api.poll(`/zapier/api/actions/v1/runs/${runId}`, {
@@ -4141,7 +4203,7 @@ async function executeAction(actionOptions) {
 }
 var CONTEXT_CACHE_TTL_MS = 6e4;
 var CONTEXT_CACHE_MAX_SIZE = 500;
-var runActionPlugin = ({ sdk, context }) => {
+var runActionPlugin = (sdk) => {
   const runActionContextCache = /* @__PURE__ */ new Map();
   function evictIfNeeded() {
     if (runActionContextCache.size < CONTEXT_CACHE_MAX_SIZE) return;
@@ -4185,7 +4247,7 @@ var runActionPlugin = ({ sdk, context }) => {
   }
   async function resolveRunActionContext(options) {
     const { appKey, actionKey, actionType } = options;
-    const selectedApi = await context.getVersionedImplementationId(appKey);
+    const selectedApi = await sdk.context.getVersionedImplementationId(appKey);
     if (!selectedApi) {
       throw new ZapierConfigurationError(
         "No current_implementation_id found for app",
@@ -4205,7 +4267,7 @@ var runActionPlugin = ({ sdk, context }) => {
     return { selectedApi, actionId: actionData.data.id };
   }
   async function runActionPage(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const appKey = "app" in options ? options.app : options.appKey;
     const actionKey = "action" in options ? options.action : options.actionKey;
     const {
@@ -4221,7 +4283,7 @@ var runActionPlugin = ({ sdk, context }) => {
       connectionId,
       connection,
       authenticationId,
-      resolveConnection: context.resolveConnection
+      resolveConnection: sdk.context.resolveConnection
     });
     const { selectedApi, actionId } = await getRunActionContext({
       appKey,
@@ -4264,7 +4326,10 @@ var runActionPlugin = ({ sdk, context }) => {
   const runActionDefinition = createPaginatedFunction(
     runActionPage,
     RunActionInputSchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName
   );
   return {
@@ -4324,7 +4389,7 @@ function resetDeprecationWarnings() {
 }
 
 // src/plugins/request/index.ts
-var requestPlugin = ({ sdk, context }) => {
+var requestPlugin = (sdk) => {
   async function request(options) {
     logDeprecation("request() is deprecated. Use fetch() instead.");
     const {
@@ -4349,7 +4414,7 @@ var requestPlugin = ({ sdk, context }) => {
     request,
     RelayRequestSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       request.name
     )
   );
@@ -4658,9 +4723,8 @@ async function resolveAppKeys({
   });
   return slugResolvedLocators.filter(isResolvedAppLocator);
 }
-var manifestPlugin = (params) => {
-  const { context } = params;
-  const { api, options } = context;
+var manifestPlugin = (sdk) => {
+  const { api, options } = sdk.context;
   const { manifestPath = DEFAULT_CONFIG_PATH, manifest } = options || {};
   let resolvedManifest;
   async function resolveManifest() {
@@ -4871,9 +4935,9 @@ var UserProfileItemSchema = withFormatter(
 );
 
 // src/plugins/getProfile/index.ts
-var getProfilePlugin = ({ context }) => {
+var getProfilePlugin = (sdk) => {
   async function getProfile() {
-    const profile = await context.api.get(
+    const profile = await sdk.context.api.get(
       "/zapier/api/v4/profile/",
       {
         authRequired: true
@@ -4895,7 +4959,7 @@ var getProfilePlugin = ({ context }) => {
     getProfile,
     GetProfileSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       getProfile.name
     )
   );
@@ -5672,7 +5736,89 @@ async function invalidateCredentialsToken(options) {
   }
 }
 
-// src/api/client.ts
+// src/utils/open-url.ts
+var nodePrefix = "node:";
+async function loadChildProcess() {
+  return import(`${nodePrefix}child_process`);
+}
+async function loadProcess() {
+  return import(`${nodePrefix}process`);
+}
+var openUrl = async (url) => {
+  if (typeof url !== "string") {
+    throw new TypeError("Expected `url` to be a string");
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`Invalid URL: ${url}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`Refusing to open non-http(s) URL: ${parsed.protocol}`);
+  }
+  const target = parsed.toString();
+  if (typeof globalThis.window !== "undefined" && typeof globalThis.window.open === "function") {
+    globalThis.window.open(target, "_blank", "noopener");
+    return;
+  }
+  let spawn;
+  let platform;
+  try {
+    const [cp, proc] = await Promise.all([loadChildProcess(), loadProcess()]);
+    spawn = cp.spawn;
+    platform = proc.platform;
+  } catch {
+    throw new Error(
+      "openUrl: no supported runtime. window.open is unavailable and node:child_process could not be loaded."
+    );
+  }
+  if (typeof spawn !== "function") {
+    throw new Error(
+      "openUrl: child_process.spawn is not available in this runtime"
+    );
+  }
+  let command;
+  let args;
+  if (platform === "darwin") {
+    command = "open";
+    args = [target];
+  } else if (platform === "win32") {
+    command = "rundll32";
+    args = ["url.dll,FileProtocolHandler", target];
+  } else {
+    throw new Error(`Unsupported platform: ${platform}`);
+  }
+  const child = spawn(command, args, {
+    stdio: "ignore",
+    detached: true,
+    windowsHide: true
+  });
+  child.once("error", () => {
+  });
+  child.unref();
+};
+var open_url_default = openUrl;
+
+// src/utils/open-approval.ts
+async function openApproval(url) {
+  console.error(`Approval required. Opening browser: ${url}`);
+  try {
+    await open_url_default(url);
+  } catch {
+  }
+}
+var ApprovalStatusSchema = zod.z.enum(["pending_approval", "approved", "denied"]);
+var CreateApprovalResponseSchema = zod.z.object({
+  status: ApprovalStatusSchema,
+  approval_id: zod.z.string(),
+  approval_url: zod.z.string().url(),
+  poll_url: zod.z.string().url()
+});
+var PollApprovalResponseSchema = zod.z.object({
+  status: ApprovalStatusSchema,
+  approval_id: zod.z.string()
+});
 function parseRateLimitHeaders(response) {
   const info = {};
   const retryAfter = response.headers.get("retry-after");
@@ -5733,16 +5879,23 @@ var pathConfig = {
 var ZapierApiClient = class {
   constructor(options) {
     this.options = options;
-    this.fetch = async (path, init) => {
-      if (!path.startsWith("/")) {
-        throw new ZapierValidationError(
-          `fetch expects a path starting with '/', got: ${path}`
-        );
-      }
+    /**
+     * Perform a request against an already-resolved URL.
+     *
+     * Does auth, header merging, and 429 retry — all the cross-cutting
+     * concerns that every Zapier-bound HTTP call needs. Callers that have a
+     * path (e.g. `/relay/...`) should use `rawFetch` instead, which does
+     * path → URL resolution and delegates here.
+     *
+     * Exposed as a separate helper so call sites with a server-supplied
+     * absolute URL (e.g. an approval poll URL) can still share the same
+     * auth/retry pipeline instead of reaching for `this.options.fetch`
+     * directly and drifting.
+     */
+    this.rawFetchUrl = async (url, init, pathConfig2) => {
       if (init?.body && (isPlainObject(init.body) || Array.isArray(init.body))) {
         init.body = JSON.stringify(init.body);
       }
-      const { url, pathConfig: pathConfig2 } = this.buildUrl(path, init?.searchParams);
       const builtHeaders = await this.buildHeaders(
         init,
         pathConfig2
@@ -5761,30 +5914,114 @@ var ZapierApiClient = class {
           ...init,
           headers: mergedHeaders
         });
-        if (response.status === 429) {
-          const rateLimitInfo = parseRateLimitHeaders(response);
-          const delayMs = rateLimitInfo.retryAfterMs ?? calculateExponentialBackoffMs(retries + 1);
-          if (delayMs > this.maxNetworkRetryDelayMs || retries >= this.maxNetworkRetries) {
-            throw new ZapierRateLimitError("Rate limited", {
-              statusCode: 429,
-              rateLimit: rateLimitInfo,
-              retries
-            });
-          }
-          retries++;
-          this.emitEvent("api:rate_limit_retry", {
-            retry: retries,
-            maxNetworkRetries: this.maxNetworkRetries,
-            delayMs,
-            path,
-            method: init?.method ?? "GET",
-            rateLimit: rateLimitInfo
+        if (response.status !== 429) {
+          return response;
+        }
+        const rateLimitInfo = parseRateLimitHeaders(response);
+        const delayMs = rateLimitInfo.retryAfterMs ?? calculateExponentialBackoffMs(retries + 1);
+        if (delayMs > this.maxNetworkRetryDelayMs || retries >= this.maxNetworkRetries) {
+          throw new ZapierRateLimitError("Rate limited", {
+            statusCode: 429,
+            rateLimit: rateLimitInfo,
+            retries
+          });
+        }
+        retries++;
+        this.emitEvent("api:rate_limit_retry", {
+          retry: retries,
+          maxNetworkRetries: this.maxNetworkRetries,
+          delayMs,
+          path: url,
+          method: init?.method ?? "GET",
+          rateLimit: rateLimitInfo
+        });
+        await sleep(delayMs);
+      }
+    };
+    /**
+     * Perform a request with auth, header merging, and rate-limit (429) retries.
+     * Does NOT handle 403 approval_required — that's routed by `fetch`.
+     */
+    this.rawFetch = async (path, init) => {
+      if (!path.startsWith("/")) {
+        throw new ZapierValidationError(
+          `fetch expects a path starting with '/', got: ${path}`
+        );
+      }
+      const { url, pathConfig: pathConfig2 } = this.buildUrl(path, init?.searchParams);
+      return this.rawFetchUrl(url, init, pathConfig2);
+    };
+    /**
+     * Approval-aware HTTP fetch.
+     *
+     * Wraps `rawFetch` with the backend's just-in-time approval protocol. The
+     * backend signals approval state via a 403 response with an
+     * `x-zapier-error-type` header:
+     *
+     *   - `request_denied_by_policy`  → a policy rule permanently blocks the
+     *                                   request; no human can approve it. Throw.
+     *   - `approval_required`         → the request needs human approval; the
+     *                                   SDK creates an approval, opens the URL
+     *                                   (poll mode), waits for resolution, and
+     *                                   retries the original request.
+     *   - anything else               → not our concern, pass through.
+     *
+     * The retry loop exists because a single user action can legitimately
+     * require multiple sequential approvals (e.g. policies that approve one
+     * step at a time). Each iteration is either a first attempt or a post-
+     * approval retry; `maxApprovalRetries` bounds the loop as a runaway-loop
+     * safeguard.
+     *
+     * Loop accounting: `attempt` counts rawFetch calls, not approval rounds.
+     * With `maxRetries = N` we perform up to `N + 1` rawFetch calls and at
+     * most `N` approval rounds. The `attempt === maxRetries` guard ensures we
+     * don't run an (N+1)th approval round we'll never consume — if the final
+     * retry still returns `approval_required`, we break out and throw
+     * `max_retries_exceeded` instead.
+     */
+    this.fetch = async (path, init) => {
+      const maxRetries = this.options.maxApprovalRetries ?? DEFAULT_MAX_APPROVAL_RETRIES;
+      for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        const response = await this.rawFetch(path, init);
+        if (response.status !== 403) return response;
+        const errorType = response.headers.get("x-zapier-error-type");
+        if (errorType === "request_denied_by_policy") {
+          const { data } = await this.parseResult(response);
+          const { message, errors } = this.parseErrorResponse({
+            status: response.status,
+            statusText: response.statusText,
+            data
           });
-          await sleep(delayMs);
-          continue;
+          throw new ZapierApprovalError(
+            message || "Request explicitly denied by policy",
+            {
+              status: "policy_denied",
+              statusCode: response.status,
+              errors
+            }
+          );
+        }
+        if (errorType !== "approval_required") return response;
+        if (attempt === maxRetries) break;
+        const isInteractive = this.options.isInteractive ?? getZapierIsInteractive();
+        if (!isInteractive) {
+          throw new ZapierApprovalError(
+            "Approval required but session is not interactive",
+            { status: "approval_required" }
+          );
         }
-        return response;
+        if (!init?.approvalContext) {
+          throw new ZapierApiError(
+            `Received 403 approval_required for ${path}, but the caller did not provide an approvalContext builder. Every approval-capable request must pass approvalContext so the SDK can create the approval with the correct policy context.`,
+            { statusCode: 403 }
+          );
+        }
+        await this.runOneApprovalRound(init.approvalContext);
       }
+      throw new ZapierApprovalError(
+        `Exceeded maximum approval retries (${maxRetries}) for ${path}`,
+        { status: "max_retries_exceeded" }
+      );
     };
     this.get = async (path, options = {}) => {
       return this.fetchJson("GET", path, void 0, options);
@@ -6069,6 +6306,156 @@ var ZapierApiClient = class {
     }
     return result;
   }
+  /**
+   * Run a single approval round: create the approval, open the URL (poll mode)
+   * or throw (fail mode), poll until resolved, and emit events. Throws on
+   * denied/timeout/unexpected status. Returns on approved.
+   */
+  async runOneApprovalRound(buildContext) {
+    const context = buildContext();
+    let approvalResponse;
+    try {
+      approvalResponse = await this.rawFetch("/api/v0/approvals", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json"
+        },
+        body: JSON.stringify({ context })
+      });
+    } catch (err) {
+      throw new ZapierApiError("Failed to create approval request", {
+        statusCode: 0,
+        cause: err
+      });
+    }
+    if (!approvalResponse.ok) {
+      const body2 = await approvalResponse.text().catch(() => void 0);
+      throw new ZapierApiError(
+        `Failed to create approval request: ${approvalResponse.status}`,
+        { statusCode: approvalResponse.status, response: body2 }
+      );
+    }
+    let body;
+    try {
+      body = await approvalResponse.text();
+    } catch (err) {
+      throw new ZapierApiError("Failed to read approval response body", {
+        statusCode: approvalResponse.status,
+        cause: err
+      });
+    }
+    let approval;
+    try {
+      approval = CreateApprovalResponseSchema.parse(JSON.parse(body));
+    } catch (err) {
+      throw new ZapierApiError(`Failed to parse approval response: ${body}`, {
+        statusCode: approvalResponse.status,
+        cause: err,
+        response: body
+      });
+    }
+    const sdkapiOrigin = new URL(this.buildUrl("/api/v0/approvals").url).origin;
+    const browserOrigin = getZapierBaseUrl(this.options.baseUrl) ?? sdkapiOrigin;
+    const assertApprovalOrigin = (url, expectedOrigin, label) => {
+      let parsed;
+      try {
+        parsed = new URL(url);
+      } catch {
+        throw new ZapierApiError(`Invalid approval ${label}: ${url}`, {
+          statusCode: approvalResponse.status,
+          response: body
+        });
+      }
+      if (parsed.origin !== expectedOrigin) {
+        throw new ZapierApiError(
+          `Approval ${label} origin ${parsed.origin} does not match expected ${expectedOrigin}`,
+          { statusCode: approvalResponse.status, response: body }
+        );
+      }
+    };
+    assertApprovalOrigin(approval.poll_url, sdkapiOrigin, "poll_url");
+    assertApprovalOrigin(approval.approval_url, browserOrigin, "approval_url");
+    this.emitEvent("approval:required", {
+      approvalId: approval.approval_id,
+      approvalUrl: approval.approval_url
+    });
+    const approvalMode = this.options.approvalMode ?? getZapierApprovalMode();
+    if (approvalMode === "fail") {
+      throw new ZapierApprovalError("This request requires approval.", {
+        approvalId: approval.approval_id,
+        approvalUrl: approval.approval_url,
+        pollUrl: approval.poll_url,
+        status: "pending"
+      });
+    }
+    await openApproval(approval.approval_url);
+    const timeoutMs = this.options.approvalTimeoutMs ?? DEFAULT_APPROVAL_TIMEOUT_MS;
+    let rawPollResult;
+    try {
+      rawPollResult = await pollUntilComplete({
+        // poll_url is an absolute URL supplied by the server, so we use
+        // rawFetchUrl directly (skipping path resolution) but still share
+        // auth + interactive-header + 429-retry with the rest of the SDK.
+        fetchPoll: () => this.rawFetchUrl(approval.poll_url, {
+          method: "GET",
+          headers: { Accept: "application/json" }
+        }),
+        timeoutMs,
+        isPending: (body2) => {
+          const parsed = PollApprovalResponseSchema.safeParse(body2);
+          return parsed.success && parsed.data.status === "pending_approval";
+        }
+      });
+    } catch (err) {
+      if (!(err instanceof ZapierTimeoutError)) {
+        throw err;
+      }
+      this.emitEvent("approval:timeout", {
+        approvalId: approval.approval_id
+      });
+      throw new ZapierApprovalError(
+        `Approval timed out after ${timeoutMs / 1e3} seconds`,
+        {
+          approvalId: approval.approval_id,
+          approvalUrl: approval.approval_url,
+          pollUrl: approval.poll_url,
+          status: "timeout",
+          cause: err
+        }
+      );
+    }
+    const pollParse = PollApprovalResponseSchema.safeParse(rawPollResult);
+    if (!pollParse.success) {
+      const bodyPreview = typeof rawPollResult === "string" ? rawPollResult : JSON.stringify(rawPollResult);
+      throw new ZapierApiError(
+        `Failed to parse approval poll response: ${bodyPreview}`,
+        {
+          statusCode: 0,
+          cause: pollParse.error,
+          response: rawPollResult
+        }
+      );
+    }
+    const pollResult = pollParse.data;
+    if (pollResult.status === "denied") {
+      this.emitEvent("approval:denied", {
+        approvalId: approval.approval_id
+      });
+      throw new ZapierApprovalError("Request denied by user", {
+        approvalId: approval.approval_id,
+        status: "denied"
+      });
+    }
+    if (pollResult.status !== "approved") {
+      throw new ZapierApiError(
+        `Unexpected approval status received: ${pollResult.status}`
+      );
+    }
+    this.emitEvent("approval:approved", {
+      approvalId: approval.approval_id
+    });
+  }
 };
 var createZapierApi = (options) => {
   const { debug = false, fetch: originalFetch = globalThis.fetch } = options;
@@ -6082,7 +6469,7 @@ var createZapierApi = (options) => {
 };
 
 // src/plugins/api/index.ts
-var apiPlugin = (params) => {
+var apiPlugin = (sdk) => {
   const {
     fetch: customFetch = globalThis.fetch,
     baseUrl = ZAPIER_BASE_URL,
@@ -6091,8 +6478,12 @@ var apiPlugin = (params) => {
     onEvent,
     debug = false,
     maxNetworkRetries = ZAPIER_MAX_NETWORK_RETRIES,
-    maxNetworkRetryDelayMs = ZAPIER_MAX_NETWORK_RETRY_DELAY_MS
-  } = params.context.options;
+    maxNetworkRetryDelayMs = ZAPIER_MAX_NETWORK_RETRY_DELAY_MS,
+    isInteractive,
+    approvalTimeoutMs,
+    maxApprovalRetries,
+    approvalMode
+  } = sdk.context.options;
   const api = createZapierApi({
     baseUrl,
     credentials,
@@ -6101,7 +6492,11 @@ var apiPlugin = (params) => {
     fetch: customFetch,
     onEvent,
     maxNetworkRetries,
-    maxNetworkRetryDelayMs
+    maxNetworkRetryDelayMs,
+    isInteractive,
+    approvalTimeoutMs,
+    maxApprovalRetries,
+    approvalMode
   });
   return {
     context: {
@@ -6207,12 +6602,11 @@ async function batch(tasks, options = {}) {
 }
 
 // src/plugins/connections/index.ts
-var connectionsPlugin = (params) => {
-  const { context } = params;
+var connectionsPlugin = (sdk) => {
   let cachedMap;
   async function loadConnectionsMap() {
     if (cachedMap === void 0) {
-      cachedMap = await context.getManifestConnections() ?? null;
+      cachedMap = await sdk.context.getManifestConnections() ?? null;
     }
     return cachedMap;
   }
@@ -6259,12 +6653,12 @@ function isEnabledByEnv(key) {
   if (value === "false" || value === "0") return false;
   return void 0;
 }
-var capabilitiesPlugin = ({ context }) => {
-  const options = context.options ?? {};
+var capabilitiesPlugin = (sdk) => {
+  const options = sdk.context.options ?? {};
   let cached;
   async function resolveFlags() {
     if (cached) return cached;
-    const manifest = await context.getResolvedManifest();
+    const manifest = await sdk.context.getResolvedManifest();
     cached = {};
     for (const flag of GATED_FLAGS) {
       cached[flag] = Boolean(
@@ -6350,12 +6744,12 @@ function extractNextCursor(links) {
     return void 0;
   }
 }
-var listTablesPlugin = ({ context }) => {
+var listTablesPlugin = (sdk) => {
   async function listTablesPage(options) {
     if (options.includeShared) {
-      await context.checkCapability("canIncludeSharedTables");
+      await sdk.context.checkCapability("canIncludeSharedTables");
     }
-    const { api } = context;
+    const { api } = sdk.context;
     const searchParams = {};
     if (options.pageSize !== void 0) {
       searchParams.limit = options.pageSize.toString();
@@ -6420,7 +6814,10 @@ var listTablesPlugin = ({ context }) => {
   const listTablesDefinition = createPaginatedFunction(
     listTablesPage,
     ListTablesOptionsSchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -6452,9 +6849,9 @@ var GetTableOptionsSchemaDeprecated = zod.z.object({
 var GetTableOptionsInputSchema = zod.z.union([GetTableOptionsSchema, GetTableOptionsSchemaDeprecated]).describe(GetTableDescription);
 
 // src/plugins/tables/getTable/index.ts
-var getTablePlugin = ({ context }) => {
+var getTablePlugin = (sdk) => {
   async function getTable(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const rawResponse = await api.get(`/tables/api/v1/tables/${tableId}`, {
       customErrorHandler: ({ status }) => {
@@ -6486,7 +6883,7 @@ var getTablePlugin = ({ context }) => {
     getTable,
     GetTableOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       getTable.name
     )
   );
@@ -6517,9 +6914,9 @@ var CreateTableOptionsSchema = zod.z.object({
 }).describe("Create a new table");
 
 // src/plugins/tables/createTable/index.ts
-var createTablePlugin = ({ context }) => {
+var createTablePlugin = (sdk) => {
   async function createTable(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const rawResponse = await api.post(
       "/tables/api/v1/tables",
       {
@@ -6554,7 +6951,7 @@ var createTablePlugin = ({ context }) => {
     createTable,
     CreateTableOptionsSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       createTable.name
     )
   );
@@ -6586,10 +6983,10 @@ var DeleteTableOptionsSchemaDeprecated = zod.z.object({
 var DeleteTableOptionsInputSchema = zod.z.union([DeleteTableOptionsSchema, DeleteTableOptionsSchemaDeprecated]).describe(DeleteTableDescription);
 
 // src/plugins/tables/deleteTable/index.ts
-var deleteTablePlugin = ({ context }) => {
+var deleteTablePlugin = (sdk) => {
   async function deleteTable(options) {
-    await context.checkCapability("canDeleteTables");
-    const { api } = context;
+    await sdk.context.checkCapability("canDeleteTables");
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     await api.delete(`/tables/api/v1/tables/${tableId}`, void 0, {
       customErrorHandler: ({ status }) => {
@@ -6617,7 +7014,7 @@ var deleteTablePlugin = ({ context }) => {
     deleteTable,
     DeleteTableOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       deleteTable.name
     )
   );
@@ -6641,9 +7038,9 @@ var deleteTablePlugin = ({ context }) => {
 };
 
 // src/plugins/tables/listTableFields/index.ts
-var listTableFieldsPlugin = ({ context }) => {
+var listTableFieldsPlugin = (sdk) => {
   async function listTableFields(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const fieldKeys = "fields" in options ? options.fields : options.fieldKeys;
     const searchParams = {};
@@ -6689,7 +7086,7 @@ var listTableFieldsPlugin = ({ context }) => {
     listTableFields,
     ListTableFieldsOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       listTableFields.name
     )
   );
@@ -6744,9 +7141,9 @@ var CreateTableFieldsOptionsInputSchema = zod.z.union([
 ]).describe(CreateTableFieldsDescription);
 
 // src/plugins/tables/createTableFields/index.ts
-var createTableFieldsPlugin = ({ context }) => {
+var createTableFieldsPlugin = (sdk) => {
   async function createTableFields(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const rawResponse = await api.post(
       `/tables/api/v1/tables/${tableId}/fields`,
@@ -6781,7 +7178,7 @@ var createTableFieldsPlugin = ({ context }) => {
     createTableFields,
     CreateTableFieldsOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       createTableFields.name
     )
   );
@@ -6821,9 +7218,9 @@ var DeleteTableFieldsOptionsInputSchema = zod.z.union([
 ]).describe(DeleteTableFieldsDescription);
 
 // src/plugins/tables/deleteTableFields/index.ts
-var deleteTableFieldsPlugin = ({ context }) => {
+var deleteTableFieldsPlugin = (sdk) => {
   async function deleteTableFields(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const fieldKeys = "fields" in options ? options.fields : options.fieldKeys;
     const numericFieldIds = await resolveFieldKeys({
@@ -6861,7 +7258,7 @@ var deleteTableFieldsPlugin = ({ context }) => {
     deleteTableFields,
     DeleteTableFieldsOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       deleteTableFields.name
     )
   );
@@ -6948,9 +7345,9 @@ var tableRecordFormatter = {
 };
 
 // src/plugins/tables/getTableRecord/index.ts
-var getTableRecordPlugin = ({ context }) => {
+var getTableRecordPlugin = (sdk) => {
   async function getTableRecord(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const recordId = "record" in options ? options.record : options.recordId;
     const rawResponse = await api.get(
@@ -6994,7 +7391,7 @@ var getTableRecordPlugin = ({ context }) => {
     getTableRecord,
     GetTableRecordOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       getTableRecord.name
     )
   );
@@ -7082,9 +7479,9 @@ function extractNextCursor2(meta) {
   }
   return meta.pagination.end_cursor;
 }
-var listTableRecordsPlugin = ({ context }) => {
+var listTableRecordsPlugin = (sdk) => {
   async function listTableRecordsPage(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const translator = await createFieldKeyTranslator({
       api,
@@ -7156,7 +7553,10 @@ var listTableRecordsPlugin = ({ context }) => {
   const listTableRecordsDefinition = createPaginatedFunction(
     listTableRecordsPage,
     ListTableRecordsOptionsInputSchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -7211,9 +7611,9 @@ var CreateTableRecordsOptionsInputSchema = zod.z.union([
 ]).describe(CreateTableRecordsDescription);
 
 // src/plugins/tables/createTableRecords/index.ts
-var createTableRecordsPlugin = ({ context }) => {
+var createTableRecordsPlugin = (sdk) => {
   async function createTableRecords(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const translator = await createFieldKeyTranslator({
       api,
@@ -7265,7 +7665,7 @@ var createTableRecordsPlugin = ({ context }) => {
     createTableRecords,
     CreateTableRecordsOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       createTableRecords.name
     )
   );
@@ -7304,9 +7704,9 @@ var DeleteTableRecordsOptionsInputSchema = zod.z.union([
 ]).describe(DeleteTableRecordsDescription);
 
 // src/plugins/tables/deleteTableRecords/index.ts
-var deleteTableRecordsPlugin = ({ context }) => {
+var deleteTableRecordsPlugin = (sdk) => {
   async function deleteTableRecords(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const recordIds = "records" in options ? options.records : options.recordIds;
     await api.delete(
@@ -7339,7 +7739,7 @@ var deleteTableRecordsPlugin = ({ context }) => {
     deleteTableRecords,
     DeleteTableRecordsOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       deleteTableRecords.name
     )
   );
@@ -7393,9 +7793,9 @@ var UpdateTableRecordsOptionsInputSchema = zod.z.union([
 ]).describe(UpdateTableRecordsDescription);
 
 // src/plugins/tables/updateTableRecords/index.ts
-var updateTableRecordsPlugin = ({ context }) => {
+var updateTableRecordsPlugin = (sdk) => {
   async function updateTableRecords(options) {
-    const { api } = context;
+    const { api } = sdk.context;
     const tableId = "table" in options ? options.table : options.tableId;
     const translator = await createFieldKeyTranslator({
       api,
@@ -7448,7 +7848,7 @@ var updateTableRecordsPlugin = ({ context }) => {
     updateTableRecords,
     UpdateTableRecordsOptionsInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       updateTableRecords.name
     )
   );
@@ -7474,8 +7874,8 @@ var updateTableRecordsPlugin = ({ context }) => {
 };
 
 // src/plugins/registry/index.ts
-var registryPlugin = ({ sdk, context }) => {
-  const metaKeys = Object.keys(context.meta || {});
+var registryPlugin = (sdk) => {
+  const metaKeys = Object.keys(sdk.context.meta || {});
   const categoryDefinitions = {
     account: {
       title: "Account"
@@ -7520,7 +7920,7 @@ var registryPlugin = ({ sdk, context }) => {
     }
     return false;
   }).map((key) => {
-    const meta = context.meta[key];
+    const meta = sdk.context.meta[key];
     return {
       name: key,
       description: meta.description,
@@ -7588,7 +7988,7 @@ var registryPlugin = ({ sdk, context }) => {
 };
 
 // src/plugins/deprecated/authentications.ts
-var listAuthenticationsPlugin = ({ sdk }) => ({
+var listAuthenticationsPlugin = (sdk) => ({
   listAuthentications: sdk.listConnections,
   context: {
     meta: {
@@ -7603,7 +8003,7 @@ var listAuthenticationsPlugin = ({ sdk }) => ({
     }
   }
 });
-var getAuthenticationPlugin = ({ sdk }) => ({
+var getAuthenticationPlugin = (sdk) => ({
   getAuthentication: sdk.getConnection,
   context: {
     meta: {
@@ -7618,7 +8018,7 @@ var getAuthenticationPlugin = ({ sdk }) => ({
     }
   }
 });
-var findFirstAuthenticationPlugin = ({ sdk }) => ({
+var findFirstAuthenticationPlugin = (sdk) => ({
   findFirstAuthentication: sdk.findFirstConnection,
   context: {
     meta: {
@@ -7633,7 +8033,7 @@ var findFirstAuthenticationPlugin = ({ sdk }) => ({
     }
   }
 });
-var findUniqueAuthenticationPlugin = ({ sdk }) => ({
+var findUniqueAuthenticationPlugin = (sdk) => ({
   findUniqueAuthentication: sdk.findUniqueConnection,
   context: {
     meta: {
@@ -7696,9 +8096,9 @@ var GetInputFieldsSchemaSchemaDeprecated = zod.z.object({
 var GetInputFieldsSchemaInputSchema = zod.z.union([GetInputFieldsSchemaSchema, GetInputFieldsSchemaSchemaDeprecated]).describe(GetInputFieldsSchemaDescription);
 
 // src/plugins/getInputFieldsSchema/index.ts
-var getInputFieldsSchemaPlugin = ({ sdk, context }) => {
+var getInputFieldsSchemaPlugin = (sdk) => {
   async function getInputFieldsSchema(options) {
-    const { api, getVersionedImplementationId } = context;
+    const { api, getVersionedImplementationId } = sdk.context;
     const appKey = "app" in options ? options.app : options.appKey;
     const actionKey = "action" in options ? options.action : options.actionKey;
     const { actionType, connection, connectionId, authenticationId, inputs } = options;
@@ -7706,7 +8106,7 @@ var getInputFieldsSchemaPlugin = ({ sdk, context }) => {
       connection,
       connectionId,
       authenticationId,
-      resolveConnection: context.resolveConnection
+      resolveConnection: sdk.context.resolveConnection
     });
     const selectedApi = await getVersionedImplementationId(appKey);
     if (!selectedApi) {
@@ -7741,7 +8141,7 @@ var getInputFieldsSchemaPlugin = ({ sdk, context }) => {
     getInputFieldsSchema,
     GetInputFieldsSchemaInputSchema,
     createTelemetryCallback(
-      context.eventEmission.emitMethodCalled,
+      sdk.context.eventEmission.emitMethodCalled,
       getInputFieldsSchema.name
     )
   );
@@ -7835,9 +8235,9 @@ function transformNeedChoicesToInputFieldChoiceItem(choice) {
     value: choice.value
   };
 }
-var listInputFieldChoicesPlugin = ({ context, sdk }) => {
+var listInputFieldChoicesPlugin = (sdk) => {
   async function listInputFieldChoicesPage(options) {
-    const { api, getVersionedImplementationId } = context;
+    const { api, getVersionedImplementationId } = sdk.context;
     const appKey = "app" in options ? options.app : options.appKey;
     const actionKey = "action" in options ? options.action : options.actionKey;
     const inputFieldKey = "inputField" in options ? options.inputField : options.inputFieldKey;
@@ -7854,7 +8254,7 @@ var listInputFieldChoicesPlugin = ({ context, sdk }) => {
       connection,
       connectionId,
       authenticationId,
-      resolveConnection: context.resolveConnection
+      resolveConnection: sdk.context.resolveConnection
     });
     const selectedApi = await getVersionedImplementationId(appKey);
     if (!selectedApi) {
@@ -7932,7 +8332,10 @@ var listInputFieldChoicesPlugin = ({ context, sdk }) => {
   const listInputFieldChoicesDefinition = createPaginatedFunction(
     listInputFieldChoicesPage,
     ListInputFieldChoicesInputSchema,
-    createTelemetryCallback(context.eventEmission.emitMethodCalled, methodName),
+    createTelemetryCallback(
+      sdk.context.eventEmission.emitMethodCalled,
+      methodName
+    ),
     methodName,
     DEFAULT_PAGE_SIZE
   );
@@ -8304,19 +8707,20 @@ function getTransportConfig(options) {
     endpoint
   };
 }
-var eventEmissionPlugin = ({ context }) => {
+var eventEmissionPlugin = (sdk) => {
+  const options = sdk.context.options ?? {};
   const defaultTransport = getTransportConfig({
-    trackingBaseUrl: context.options.trackingBaseUrl,
-    baseUrl: context.options.baseUrl
+    trackingBaseUrl: options.trackingBaseUrl,
+    baseUrl: options.baseUrl
   });
   const config = {
-    enabled: context.options.eventEmission?.enabled ?? true,
-    callContext: context.options.eventEmission?.callContext,
+    enabled: options.eventEmission?.enabled ?? true,
+    callContext: options.eventEmission?.callContext,
     transport: (
       // If env var is set, use it (defaultTransport will be from env)
       globalThis.process?.env?.ZAPIER_SDK_TELEMETRY_TRANSPORT ? defaultTransport : (
         // Otherwise, use option transport or default
-        context.options.eventEmission?.transport ?? defaultTransport
+        options.eventEmission?.transport ?? defaultTransport
       )
     )
   };
@@ -8324,7 +8728,7 @@ var eventEmissionPlugin = ({ context }) => {
     if (config.enabled) {
       try {
         const token = await resolveAuthToken({
-          ...context.options
+          ...options
         });
         if (token) {
           return extractUserIdsFromJwt(token);
@@ -8574,55 +8978,54 @@ var eventEmissionPlugin = ({ context }) => {
 };
 
 // src/sdk.ts
-function createSdk(options = {}, initialSdk = {}, initialContext = { meta: {} }) {
+function createOptionsPlugin(options) {
+  return () => ({ context: { options } });
+}
+function createSdk() {
+  return buildSdk({}, { meta: {} });
+}
+function buildSdk(properties, context) {
+  const frozenContext = Object.freeze(context);
   return {
-    ...initialSdk,
-    getContext: () => initialContext,
-    addPlugin(plugin, addPluginOptions = {}) {
-      const currentSdkWithContext = {
-        ...initialSdk,
-        getContext: () => initialContext
-      };
+    ...properties,
+    get context() {
+      return frozenContext;
+    },
+    getContext: () => frozenContext,
+    // runtime compat shim, not in types
+    addPlugin(plugin) {
       const pluginResult = plugin({
-        sdk: currentSdkWithContext,
-        context: {
-          ...initialContext,
-          // Add the options that createSdk was called with to context
-          options
-        },
-        ...addPluginOptions
+        ...properties,
+        context: frozenContext
       });
-      const { context: pluginContext, ...sdkProperties } = pluginResult;
-      const newSdk = { ...initialSdk, ...sdkProperties };
-      let newContext = {
-        ...initialContext,
-        ...addPluginOptions,
-        meta: initialContext.meta || {}
+      const { context: pluginContext, ...pluginProperties } = pluginResult;
+      const mergedProperties = { ...properties, ...pluginProperties };
+      let mergedContext = {
+        ...context,
+        meta: context.meta || {}
       };
       if (pluginContext) {
-        const { meta: pluginMeta, ...otherPluginContext } = pluginContext;
-        newContext = {
-          ...newContext,
-          ...otherPluginContext
+        const { meta: pluginMeta, ...pluginContextRest } = pluginContext;
+        mergedContext = {
+          ...mergedContext,
+          ...pluginContextRest
         };
         if (pluginMeta) {
-          newContext = {
-            ...newContext,
-            meta: {
-              ...newContext.meta,
-              // Existing meta (now guaranteed to exist)
-              ...pluginMeta
-              // New meta from plugin
-            }
+          mergedContext = {
+            ...mergedContext,
+            meta: { ...mergedContext.meta, ...pluginMeta }
           };
         }
       }
-      return createSdk(options, newSdk, newContext);
+      return buildSdk(
+        mergedProperties,
+        mergedContext
+      );
     }
   };
 }
 function createZapierSdkWithoutRegistry(options = {}) {
-  return createSdk(options).addPlugin(eventEmissionPlugin).addPlugin(apiPlugin).addPlugin(manifestPlugin).addPlugin(capabilitiesPlugin).addPlugin(connectionsPlugin).addPlugin(listAppsPlugin).addPlugin(getAppPlugin).addPlugin(listActionsPlugin).addPlugin(getActionPlugin).addPlugin(listInputFieldsPlugin).addPlugin(getInputFieldsSchemaPlugin).addPlugin(listInputFieldChoicesPlugin).addPlugin(runActionPlugin).addPlugin(listConnectionsPlugin).addPlugin(getConnectionPlugin).addPlugin(findFirstConnectionPlugin).addPlugin(findUniqueConnectionPlugin).addPlugin(listAuthenticationsPlugin).addPlugin(getAuthenticationPlugin).addPlugin(findFirstAuthenticationPlugin).addPlugin(findUniqueAuthenticationPlugin).addPlugin(listClientCredentialsPlugin).addPlugin(createClientCredentialsPlugin).addPlugin(deleteClientCredentialsPlugin).addPlugin(fetchPlugin).addPlugin(requestPlugin).addPlugin(listTablesPlugin).addPlugin(getTablePlugin).addPlugin(deleteTablePlugin).addPlugin(createTablePlugin).addPlugin(listTableFieldsPlugin).addPlugin(createTableFieldsPlugin).addPlugin(deleteTableFieldsPlugin).addPlugin(getTableRecordPlugin).addPlugin(listTableRecordsPlugin).addPlugin(createTableRecordsPlugin).addPlugin(deleteTableRecordsPlugin).addPlugin(updateTableRecordsPlugin).addPlugin(appsPlugin).addPlugin(getProfilePlugin);
+  return createSdk().addPlugin(createOptionsPlugin(options)).addPlugin(eventEmissionPlugin).addPlugin(apiPlugin).addPlugin(manifestPlugin).addPlugin(capabilitiesPlugin).addPlugin(connectionsPlugin).addPlugin(listAppsPlugin).addPlugin(getAppPlugin).addPlugin(listActionsPlugin).addPlugin(getActionPlugin).addPlugin(listInputFieldsPlugin).addPlugin(getInputFieldsSchemaPlugin).addPlugin(listInputFieldChoicesPlugin).addPlugin(runActionPlugin).addPlugin(listConnectionsPlugin).addPlugin(getConnectionPlugin).addPlugin(findFirstConnectionPlugin).addPlugin(findUniqueConnectionPlugin).addPlugin(listAuthenticationsPlugin).addPlugin(getAuthenticationPlugin).addPlugin(findFirstAuthenticationPlugin).addPlugin(findUniqueAuthenticationPlugin).addPlugin(listClientCredentialsPlugin).addPlugin(createClientCredentialsPlugin).addPlugin(deleteClientCredentialsPlugin).addPlugin(fetchPlugin).addPlugin(requestPlugin).addPlugin(listTablesPlugin).addPlugin(getTablePlugin).addPlugin(deleteTablePlugin).addPlugin(createTablePlugin).addPlugin(listTableFieldsPlugin).addPlugin(createTableFieldsPlugin).addPlugin(deleteTableFieldsPlugin).addPlugin(getTableRecordPlugin).addPlugin(listTableRecordsPlugin).addPlugin(createTableRecordsPlugin).addPlugin(deleteTableRecordsPlugin).addPlugin(updateTableRecordsPlugin).addPlugin(appsPlugin).addPlugin(getProfilePlugin);
 }
 function createZapierSdk(options = {}) {
   return createZapierSdkWithoutRegistry(options).addPlugin(registryPlugin);
@@ -8645,6 +9048,16 @@ var BaseSdkOptionsSchema = zod.z.object({
    * Default is 60000 (60 seconds).
    */
   maxNetworkRetryDelayMs: zod.z.number().optional().describe("Max delay in ms to wait for retry (default: 60000).").meta({ valueHint: "ms" }),
+  isInteractive: zod.z.boolean().optional().describe(
+    "Whether this session is interactive (user can visit approval URLs). Defaults to ZAPIER_IS_INTERACTIVE env var."
+  ).meta({ internal: true }),
+  approvalTimeoutMs: zod.z.number().optional().describe("Timeout in ms for approval polling. Default: 600000 (10 min).").meta({ valueHint: "ms", internal: true }),
+  maxApprovalRetries: zod.z.number().optional().describe(
+    "Maximum number of sequential approval rounds per request (one per gating policy) before giving up. Default: 2."
+  ).meta({ internal: true }),
+  approvalMode: zod.z.enum(["poll", "fail"]).optional().describe(
+    'Approval flow behavior. "poll" opens browser and polls (default). "fail" creates the approval and throws immediately with the approval URL.'
+  ).meta({ internal: true }),
   // Internal
   manifestPath: zod.z.string().optional().describe("Path to a .zapierrc manifest file for app version locking.").meta({ internal: true }),
   manifest: zod.z.custom().optional().describe("Manifest for app version locking.").meta({ internal: true }),
@@ -8680,7 +9093,9 @@ exports.CredentialsFunctionSchema = CredentialsFunctionSchema;
 exports.CredentialsObjectSchema = CredentialsObjectSchema;
 exports.CredentialsSchema = CredentialsSchema;
 exports.DEFAULT_ACTION_TIMEOUT_MS = DEFAULT_ACTION_TIMEOUT_MS;
+exports.DEFAULT_APPROVAL_TIMEOUT_MS = DEFAULT_APPROVAL_TIMEOUT_MS;
 exports.DEFAULT_CONFIG_PATH = DEFAULT_CONFIG_PATH;
+exports.DEFAULT_MAX_APPROVAL_RETRIES = DEFAULT_MAX_APPROVAL_RETRIES;
 exports.DEFAULT_PAGE_SIZE = DEFAULT_PAGE_SIZE;
 exports.DebugPropertySchema = DebugPropertySchema;
 exports.FieldsPropertySchema = FieldsPropertySchema;
@@ -8705,6 +9120,7 @@ exports.ZAPIER_MAX_NETWORK_RETRY_DELAY_MS = ZAPIER_MAX_NETWORK_RETRY_DELAY_MS;
 exports.ZapierActionError = ZapierActionError;
 exports.ZapierApiError = ZapierApiError;
 exports.ZapierAppNotFoundError = ZapierAppNotFoundError;
+exports.ZapierApprovalError = ZapierApprovalError;
 exports.ZapierAuthenticationError = ZapierAuthenticationError;
 exports.ZapierBundleError = ZapierBundleError;
 exports.ZapierConfigurationError = ZapierConfigurationError;
@@ -8738,6 +9154,7 @@ exports.connectionsPlugin = connectionsPlugin;
 exports.createBaseEvent = createBaseEvent;
 exports.createClientCredentialsPlugin = createClientCredentialsPlugin;
 exports.createFunction = createFunction;
+exports.createOptionsPlugin = createOptionsPlugin;
 exports.createSdk = createSdk;
 exports.createTableFieldsPlugin = createTableFieldsPlugin;
 exports.createTablePlugin = createTablePlugin;
@@ -8771,6 +9188,8 @@ exports.getReleaseId = getReleaseId;
 exports.getTablePlugin = getTablePlugin;
 exports.getTableRecordPlugin = getTableRecordPlugin;
 exports.getTokenFromCliLogin = getTokenFromCliLogin;
+exports.getZapierApprovalMode = getZapierApprovalMode;
+exports.getZapierIsInteractive = getZapierIsInteractive;
 exports.injectCliLogin = injectCliLogin;
 exports.inputFieldKeyResolver = inputFieldKeyResolver;
 exports.inputsAllOptionalResolver = inputsAllOptionalResolver;