windmill-cli 1.700.2 → 1.702.0

package/esm/main.js

@@ -16752,7 +16752,7 @@ var init_OpenAPI = __esm(() => {
     PASSWORD: undefined,
     TOKEN: getEnv3("WM_TOKEN"),
     USERNAME: undefined,
-    VERSION: "1.700.2",
+    VERSION: "1.702.0",
     WITH_CREDENTIALS: true,
     interceptors: {
       request: new Interceptors,
@@ -44417,7 +44417,7 @@ var require_zipEntries = __commonJS((exports, module) => {
       if (this.centralDirRecords !== this.files.length) {
         if (this.centralDirRecords !== 0 && this.files.length === 0) {
           throw new Error("Corrupted zip or bug: expected " + this.centralDirRecords + " records in central dir, got " + this.files.length);
-        } else {}
+        }
       }
     },
     readEndOfCentral: function() {
@@ -47151,7 +47151,7 @@ async function downloadZip(workspace, plainSecrets, skipVariables, skipResources
     }
   }
   const includeWorkspaceDependenciesValue = !(skipWorkspaceDependencies ?? false);
-  const baseParams = `&plain_secret=${plainSecrets ?? false}&skip_variables=${skipVariables ?? false}&skip_resources=${skipResources ?? false}&skip_secrets=${skipSecrets ?? false}&include_schedules=${includeSchedules ?? false}&include_triggers=${includeTriggers ?? false}&include_users=${includeUsers ?? false}&include_groups=${includeGroups ?? false}&include_settings=${includeSettings ?? false}&include_key=${includeKey ?? false}&include_workspace_dependencies=${includeWorkspaceDependenciesValue}&default_ts=${defaultTs ?? "bun"}&skip_resource_types=${skipResourceTypes ?? false}&settings_version=v2`;
+  const baseParams = `&plain_secret=${plainSecrets ?? false}&skip_variables=${skipVariables ?? false}&skip_resources=${skipResources ?? false}&skip_secrets=${skipSecrets ?? false}&include_schedules=${includeSchedules ?? false}&include_triggers=${includeTriggers ?? false}&include_users=${includeUsers ?? false}&include_groups=${includeGroups ?? false}&include_settings=${includeSettings ?? false}&include_key=${includeKey ?? false}&include_workspace_dependencies=${includeWorkspaceDependenciesValue}&default_ts=${defaultTs ?? "bun"}&skip_resource_types=${skipResourceTypes ?? false}&settings_version=v2&preserve_extra_perms=true`;
   const baseUrl2 = workspace.remote + "api/w/" + workspace.workspaceId + "/workspaces/tarball?";
   const zipUrl = baseUrl2 + "archive_type=zip" + baseParams;
   const zipResponse = await fetch(zipUrl, { headers: requestHeaders, method: "GET" });
@@ -55347,7 +55347,7 @@ var require_loader = __commonJS((exports, module) => {
     var error2 = generateError(state, message);
     if (state.onWarning) {
       state.onWarning.call(null, error2);
-    } else {}
+    }
   }
   var directiveHandlers = {
     YAML: function handleYamlDirective(state, name, args) {
@@ -55885,7 +55885,7 @@ var require_loader = __commonJS((exports, module) => {
       } else if (detectedIndent) {
         sc.value += common3.repeat(`
 `, emptyLines + 1);
-      } else {}
+      }
       detectedIndent = true;
       emptyLines = 0;
       captureStart = state.position;
@@ -61584,6 +61584,109 @@ var require_dist3 = __commonJS((exports) => {
   __exportStar2(require_validation3(), exports);
 });
 
+// src/core/extra_perms.ts
+function normalize5(value, source) {
+  const perms = {};
+  const invalidOwners = new Set;
+  if (value === null || value === undefined || typeof value !== "object" || Array.isArray(value)) {
+    if (value !== undefined && value !== null) {
+      error(colors.red(`extra_perms: ${source} is not a {owner: boolean} map — skipping ACL sync to avoid clobbering remote ACLs`));
+      return { perms, invalidOwners, malformedTop: true };
+    }
+    return { perms, invalidOwners, malformedTop: false };
+  }
+  const invalidList = [];
+  for (const [k, v] of Object.entries(value)) {
+    if (typeof v === "boolean") {
+      perms[k] = v;
+    } else {
+      invalidOwners.add(k);
+      invalidList.push(k);
+    }
+  }
+  if (invalidList.length > 0) {
+    error(colors.red(`extra_perms: ${invalidList.length} invalid entry/entries in ${source} (non-boolean value, treating as "no opinion"): ${invalidList.join(", ")}`));
+  }
+  return { perms, invalidOwners, malformedTop: false };
+}
+function formatError(e) {
+  if (!e || typeof e !== "object")
+    return String(e);
+  const anyE = e;
+  if (anyE.body !== undefined) {
+    if (typeof anyE.body === "string")
+      return anyE.body;
+    try {
+      return JSON.stringify(anyE.body);
+    } catch {}
+  }
+  if (typeof anyE.message === "string")
+    return anyE.message;
+  try {
+    return JSON.stringify(e);
+  } catch {
+    return String(e);
+  }
+}
+async function applyExtraPermsDiff(workspace, kind, path7, local, remote) {
+  if (local === undefined || local === null) {
+    return 0;
+  }
+  const localN = normalize5(local, "local yaml");
+  if (localN.malformedTop) {
+    return 0;
+  }
+  const remoteN = normalize5(remote, "remote response");
+  const localPerms = localN.perms;
+  const remotePerms = remoteN.perms;
+  const toGrant = [];
+  for (const [owner, write] of Object.entries(localPerms)) {
+    if (!(owner in remotePerms) || remotePerms[owner] !== write) {
+      toGrant.push([owner, write]);
+    }
+  }
+  const toRevoke = Object.keys(remotePerms).filter((owner) => !(owner in localPerms) && !localN.invalidOwners.has(owner));
+  if (toGrant.length === 0 && toRevoke.length === 0) {
+    return 0;
+  }
+  let calls = 0;
+  for (const [owner, write] of toGrant) {
+    const access = write ? "write" : "read";
+    try {
+      await addGranularAcls({
+        workspace,
+        kind,
+        path: path7,
+        requestBody: { owner, write }
+      });
+      info(colors.green(`  extra_perms: granted ${access} to ${owner} on ${kind}/${path7}`));
+      calls += 1;
+    } catch (e) {
+      error(colors.red(`  extra_perms: failed to grant ${access} to ${owner} on ${kind}/${path7}: ${formatError(e)}`));
+    }
+  }
+  for (const owner of toRevoke) {
+    try {
+      await removeGranularAcls({
+        workspace,
+        kind,
+        path: path7,
+        requestBody: { owner }
+      });
+      info(colors.green(`  extra_perms: revoked ${owner} on ${kind}/${path7}`));
+      calls += 1;
+    } catch (e) {
+      error(colors.red(`  extra_perms: failed to revoke ${owner} on ${kind}/${path7}: ${formatError(e)}`));
+    }
+  }
+  return calls;
+}
+var init_extra_perms = __esm(() => {
+  init_services_gen();
+  init_log();
+  init_colors2();
+});
+
 // src/core/specific_items.ts
 async function resolveWsNameForGitBranch(branchName) {
   const config = await readConfigFile({ warnIfMissing: false });
@@ -62451,6 +62554,7 @@ async function handleFile(path8, workspace, alreadySynced, message, opts, rawWor
         if (typed == undefined || typed.description === remote.description && typed.summary === remote.summary && typed.kind == remote.kind && !remote.archived && (Array.isArray(remote?.lock) ? remote?.lock?.join(`
 `) : remote?.lock ?? "").trim() == (typed?.lock ?? "").trim() && deepEqual(typed.schema, remote.schema) && typed.tag == remote.tag && (typed.ws_error_handler_muted ?? false) == remote.ws_error_handler_muted && typed.dedicated_worker == remote.dedicated_worker && typed.cache_ttl == remote.cache_ttl && typed.concurrency_time_window_s == remote.concurrency_time_window_s && typed.concurrent_limit == remote.concurrent_limit && Boolean(typed.restart_unless_cancelled) == Boolean(remote.restart_unless_cancelled) && Boolean(typed.visible_to_runner_only) == Boolean(remote.visible_to_runner_only) && Boolean(typed.has_preprocessor) == Boolean(remote.has_preprocessor) && typed.priority == Boolean(remote.priority) && typed.timeout == remote.timeout && typed.concurrency_key == remote["concurrency_key"] && typed.debounce_key == remote["debounce_key"] && typed.debounce_delay_s == remote["debounce_delay_s"] && typed.codebase == remote.codebase && (hasOnBehalfOf ? true : typed.on_behalf_of_email == remote.on_behalf_of_email) && deepEqual(typed.envs, remote.envs) && deepEqual(modules ?? null, remote.modules ?? null)) {
           info(colors.green(`Script ${remotePath} is up to date`));
+          await applyExtraPermsDiff(workspaceId, "script", remotePath.replaceAll(SEP4, "/"), typed?.extra_perms, remote?.extra_perms);
           return true;
         }
       }
@@ -62471,6 +62575,7 @@ async function handleFile(path8, workspace, alreadySynced, message, opts, rawWor
       const execTime = await createScript2(bundleContent, workspaceId, body, workspace);
       info(colors.yellow.bold(`Created new script ${remotePath} (${execTime.toFixed(0)}ms)`));
     }
+    await applyExtraPermsDiff(workspaceId, "script", remotePath.replaceAll(SEP4, "/"), typed?.extra_perms, remote?.extra_perms);
     return true;
   }
   return false;
@@ -63213,6 +63318,7 @@ async function setPermissionedAs(opts, scriptPath, email) {
 }
 var import_yaml6, exts, languageAliases, command4, script_default;
 var init_script = __esm(async () => {
+  init_extra_perms();
   init_colors2();
   init_mod3();
   init_mod6();
@@ -64370,12 +64476,16 @@ var init_path_assigner = __esm(() => {
 });
 
 // windmill-utils-internal/src/inline-scripts/extractor.ts
-function extractRawscriptInline(id, summary, rawscript, mapping, separator, assigner) {
+function extractRawscriptInline(id, summary, rawscript, mapping, separator, assigner, failOnInlineDirective) {
   const [basePath, ext2] = assigner.assignPath(summary ?? id, rawscript.language);
   const mappedPath = mapping[id];
   const path10 = mappedPath ?? basePath + ext2;
   const language = rawscript.language;
   const content = rawscript.content;
+  if (failOnInlineDirective && typeof content === "string" && content.startsWith("!inline ")) {
+    throw new Error(`Refusing to extract corrupted inline script for module '${id}': ` + `rawscript.content is the literal string \`${content.split(`
+`)[0]}\` ` + `instead of script source. The backend's flow_version.value is corrupt — ` + `re-push from a known-good local copy to repair it.`);
+  }
   const r = [{ path: path10, content, language, is_lock: false }];
   rawscript.content = "!inline " + path10.replaceAll(separator, "/");
   const lock = rawscript.lock;
@@ -64390,19 +64500,20 @@ function extractRawscriptInline(id, summary, rawscript, mapping, separator, assi
 }
 function extractInlineScripts(modules, mapping = {}, separator = "/", defaultTs, pathAssigner, options) {
   const assigner = pathAssigner ?? newPathAssigner(defaultTs ?? "bun", { skipInlineScriptSuffix: options?.skipInlineScriptSuffix });
+  const failOnInlineDirective = options?.failOnInlineDirective ?? false;
   return modules.flatMap((m) => {
     if (m.value.type == "rawscript") {
-      return extractRawscriptInline(m.id, m.summary, m.value, mapping, separator, assigner);
+      return extractRawscriptInline(m.id, m.summary, m.value, mapping, separator, assigner, failOnInlineDirective);
     } else if (m.value.type == "forloopflow") {
-      return extractInlineScripts(m.value.modules, mapping, separator, defaultTs, assigner);
+      return extractInlineScripts(m.value.modules, mapping, separator, defaultTs, assigner, options);
     } else if (m.value.type == "branchall") {
-      return m.value.branches.flatMap((b) => extractInlineScripts(b.modules, mapping, separator, defaultTs, assigner));
+      return m.value.branches.flatMap((b) => extractInlineScripts(b.modules, mapping, separator, defaultTs, assigner, options));
     } else if (m.value.type == "whileloopflow") {
-      return extractInlineScripts(m.value.modules, mapping, separator, defaultTs, assigner);
+      return extractInlineScripts(m.value.modules, mapping, separator, defaultTs, assigner, options);
     } else if (m.value.type == "branchone") {
       return [
-        ...m.value.branches.flatMap((b) => extractInlineScripts(b.modules, mapping, separator, defaultTs, assigner)),
-        ...extractInlineScripts(m.value.default, mapping, separator, defaultTs, assigner)
+        ...m.value.branches.flatMap((b) => extractInlineScripts(b.modules, mapping, separator, defaultTs, assigner, options)),
+        ...extractInlineScripts(m.value.default, mapping, separator, defaultTs, assigner, options)
       ];
     } else if (m.value.type == "aiagent") {
       return (m.value.tools ?? []).flatMap((tool) => {
@@ -64410,7 +64521,7 @@ function extractInlineScripts(modules, mapping = {}, separator = "/", defaultTs,
         if (!toolValue || toolValue.tool_type !== "flowmodule" || toolValue.type !== "rawscript") {
           return [];
         }
-        return extractRawscriptInline(tool.id, tool.summary, toolValue, mapping, separator, assigner);
+        return extractRawscriptInline(tool.id, tool.summary, toolValue, mapping, separator, assigner, failOnInlineDirective);
       });
     } else {
       return [];
@@ -64786,12 +64897,16 @@ async function generateFlowLockInternal(folder, dryRun, workspace, opts, justUpd
       const treePath = fileToTreePath.get(k) ?? folderNormalized + "/" + path10.basename(k, path10.extname(k));
       return tree.isStale(treePath);
     }) : changedScripts;
-    await replaceInlineScripts(flowValue.value.modules, fileReader, exports_log, folder + SEP7, SEP7, locksToRemove);
+    const missingFiles = [];
+    await replaceInlineScripts(flowValue.value.modules, fileReader, exports_log, folder + SEP7, SEP7, locksToRemove, missingFiles);
     if (flowValue.value.failure_module) {
-      await replaceInlineScripts([flowValue.value.failure_module], fileReader, exports_log, folder + SEP7, SEP7, locksToRemove);
+      await replaceInlineScripts([flowValue.value.failure_module], fileReader, exports_log, folder + SEP7, SEP7, locksToRemove, missingFiles);
     }
     if (flowValue.value.preprocessor_module) {
-      await replaceInlineScripts([flowValue.value.preprocessor_module], fileReader, exports_log, folder + SEP7, SEP7, locksToRemove);
+      await replaceInlineScripts([flowValue.value.preprocessor_module], fileReader, exports_log, folder + SEP7, SEP7, locksToRemove, missingFiles);
+    }
+    if (missingFiles.length > 0) {
+      throw new Error(`Cannot regenerate lock for flow ${remote_path}: missing inline script file(s): ${missingFiles.join(", ")}. ` + `Either restore the file(s) or remove the !inline reference(s) from flow.yaml before retrying.`);
     }
     const tempScriptRefs = tree?.getTempScriptRefs(folderNormalized);
     const savedNotes = flowValue.value.notes;
@@ -64804,12 +64919,13 @@ async function generateFlowLockInternal(folder, dryRun, workspace, opts, justUpd
     const lockAssigner = newPathAssigner(opts.defaultTs ?? "bun", {
       skipInlineScriptSuffix: getNonDottedPaths()
     });
-    const inlineScripts = extractInlineScripts(flowValue.value.modules, currentMapping, SEP7, opts.defaultTs, lockAssigner);
+    const extractOpts = { skipInlineScriptSuffix: getNonDottedPaths(), failOnInlineDirective: true };
+    const inlineScripts = extractInlineScripts(flowValue.value.modules, currentMapping, SEP7, opts.defaultTs, lockAssigner, extractOpts);
     if (flowValue.value.failure_module) {
-      inlineScripts.push(...extractInlineScripts([flowValue.value.failure_module], currentMapping, SEP7, opts.defaultTs, lockAssigner));
+      inlineScripts.push(...extractInlineScripts([flowValue.value.failure_module], currentMapping, SEP7, opts.defaultTs, lockAssigner, extractOpts));
     }
     if (flowValue.value.preprocessor_module) {
-      inlineScripts.push(...extractInlineScripts([flowValue.value.preprocessor_module], currentMapping, SEP7, opts.defaultTs, lockAssigner));
+      inlineScripts.push(...extractInlineScripts([flowValue.value.preprocessor_module], currentMapping, SEP7, opts.defaultTs, lockAssigner, extractOpts));
     }
     inlineScripts.forEach((s) => {
       writeIfChanged(process.cwd() + SEP7 + folder + SEP7 + s.path, s.content);
@@ -65931,12 +66047,12 @@ function ZipFSElement(zip, useYaml, defaultTs, resourceTypeToFormatExtension, re
             try {
               const assigner = newPathAssigner(defaultTs, { skipInlineScriptSuffix: getNonDottedPaths() });
               const inlineMapping = extractCurrentMapping(flow.value.modules, {}, flow.value.failure_module, flow.value.preprocessor_module);
-              inlineScripts = extractInlineScripts(flow.value.modules, inlineMapping, SEP9, defaultTs, assigner, { skipInlineScriptSuffix: getNonDottedPaths() });
+              inlineScripts = extractInlineScripts(flow.value.modules, inlineMapping, SEP9, defaultTs, assigner, { skipInlineScriptSuffix: getNonDottedPaths(), failOnInlineDirective: true });
               if (flow.value.failure_module) {
-                inlineScripts.push(...extractInlineScripts([flow.value.failure_module], inlineMapping, SEP9, defaultTs, assigner, { skipInlineScriptSuffix: getNonDottedPaths() }));
+                inlineScripts.push(...extractInlineScripts([flow.value.failure_module], inlineMapping, SEP9, defaultTs, assigner, { skipInlineScriptSuffix: getNonDottedPaths(), failOnInlineDirective: true }));
               }
               if (flow.value.preprocessor_module) {
-                inlineScripts.push(...extractInlineScripts([flow.value.preprocessor_module], inlineMapping, SEP9, defaultTs, assigner, { skipInlineScriptSuffix: getNonDottedPaths() }));
+                inlineScripts.push(...extractInlineScripts([flow.value.preprocessor_module], inlineMapping, SEP9, defaultTs, assigner, { skipInlineScriptSuffix: getNonDottedPaths(), failOnInlineDirective: true }));
               }
             } catch (error2) {
               error(`Failed to extract inline scripts for flow at path: ${p}`);
@@ -69433,31 +69549,32 @@ async function pushRawApp(workspace, remotePath, localPath, message) {
   if (localApp.data) {
     value.data = localApp.data;
   }
+  const { extra_perms: localPerms, ...localAppNoPerms } = localApp;
   if (app) {
-    const metadataUpToDate = isSuperset({ ...localApp, runnables }, app);
+    const metadataUpToDate = isSuperset({ ...localAppNoPerms, runnables }, app);
     const filesUpToDate = deepEqual(files, app.value?.files);
     if (metadataUpToDate && filesUpToDate) {
       info(colors.green(`App ${remotePath} is up to date`));
-      return;
+    } else {
+      const { js, css } = await createBundleRaw();
+      info(colors.bold.yellow(`Updating app ${remotePath}...`));
+      await updateAppRaw({
+        workspace,
+        path: remotePath,
+        formData: {
+          app: {
+            value,
+            path: remotePath,
+            summary: localApp.summary,
+            policy: appForPolicy.policy,
+            deployment_message: message,
+            ...localApp.custom_path ? { custom_path: localApp.custom_path } : {}
+          },
+          js,
+          css
+        }
+      });
     }
-    const { js, css } = await createBundleRaw();
-    info(colors.bold.yellow(`Updating app ${remotePath}...`));
-    await updateAppRaw({
-      workspace,
-      path: remotePath,
-      formData: {
-        app: {
-          value,
-          path: remotePath,
-          summary: localApp.summary,
-          policy: appForPolicy.policy,
-          deployment_message: message,
-          ...localApp.custom_path ? { custom_path: localApp.custom_path } : {}
-        },
-        js,
-        css
-      }
-    });
   } else {
     const { js, css } = await createBundleRaw();
     await createAppRaw({
@@ -69476,6 +69593,7 @@ async function pushRawApp(workspace, remotePath, localPath, message) {
       }
     });
   }
+  await applyExtraPermsDiff(workspace, "raw_app", remotePath, localPerms, app?.extra_perms);
 }
 async function generatingPolicy(app, path14, publicApp) {
   info(colors.gray(`Generating fresh policy for app ${path14}...`));
@@ -69493,6 +69611,7 @@ var init_raw_apps = __esm(async () => {
   init_log();
   init_lib_es();
   init_services_gen();
+  init_extra_perms();
   init_path_assigner();
   await __promiseAll([
     init_auth(),
@@ -72330,21 +72449,22 @@ async function pushApp(workspace, remotePath, localPath, message, permissionedAs
       }
     }
   }
+  const { extra_perms: localPerms, ...localAppBody } = localApp;
   if (app) {
-    if (isSuperset(localApp, app)) {
+    if (isSuperset(localAppBody, app)) {
       info(colors.green(`App ${remotePath} is up to date`));
-      return;
+    } else {
+      info(colors.bold.yellow(`Updating app ${remotePath}...`));
+      await updateApp({
+        workspace,
+        path: remotePath,
+        requestBody: {
+          deployment_message: message,
+          ...localAppBody,
+          ...preserveFields
+        }
+      });
     }
-    info(colors.bold.yellow(`Updating app ${remotePath}...`));
-    await updateApp({
-      workspace,
-      path: remotePath,
-      requestBody: {
-        deployment_message: message,
-        ...localApp,
-        ...preserveFields
-      }
-    });
   } else {
     info(colors.yellow.bold("Creating new app..."));
     await createApp({
@@ -72352,11 +72472,12 @@ async function pushApp(workspace, remotePath, localPath, message, permissionedAs
       requestBody: {
         path: remotePath,
         deployment_message: message,
-        ...localApp,
+        ...localAppBody,
         ...preserveFields
       }
     });
   }
+  await applyExtraPermsDiff(workspace, "app", remotePath, localPerms, app?.extra_perms);
 }
 async function generatingPolicy2(app, path19, publicApp) {
   info(colors.gray(`Generating fresh policy for app ${path19}...`));
@@ -72486,6 +72607,7 @@ var init_app = __esm(async () => {
   init_lib_es();
   init_services_gen();
   init_global();
+  init_extra_perms();
   await __promiseAll([
     init_auth(),
     init_context(),
@@ -75684,7 +75806,7 @@ async function pushFlow(workspace, remotePath, localPath, message, permissionedA
     await replaceInlineScripts([localFlow.value.preprocessor_module], fileReader, exports_log, localPath, SEP20, undefined, missingFiles);
   }
   if (missingFiles.length > 0) {
-    warn(colors.yellow(`Warning: missing inline script file(s): ${missingFiles.join(", ")}. ` + `The flow will be pushed with unresolved !inline references.`));
+    throw new Error(`Cannot push flow ${remotePath}: missing inline script file(s): ${missingFiles.join(", ")}. ` + `Either restore the file(s) or remove the !inline reference(s) from flow.yaml before pushing.`);
   }
   const hasOnBehalfOf = localFlow.has_on_behalf_of ?? !!localFlow.on_behalf_of_email;
   delete localFlow.has_on_behalf_of;
@@ -75696,22 +75818,23 @@ async function pushFlow(workspace, remotePath, localPath, message, permissionedA
       info(`Preserving ${flow.on_behalf_of_email} as on_behalf_of for flow ${remotePath}`);
     }
   }
+  const { extra_perms: localPerms, ...localFlowBody } = localFlow;
   if (flow) {
-    if (isSuperset(localFlow, flow)) {
+    if (isSuperset(localFlowBody, flow)) {
       info(colors.green(`Flow ${remotePath} is up to date`));
-      return;
-    }
-    info(colors.bold.yellow(`Updating flow ${remotePath}...`));
-    await updateFlow({
-      workspace,
-      path: remotePath.replaceAll(SEP20, "/"),
-      requestBody: {
+    } else {
+      info(colors.bold.yellow(`Updating flow ${remotePath}...`));
+      await updateFlow({
+        workspace,
         path: remotePath.replaceAll(SEP20, "/"),
-        deployment_message: message,
-        ...localFlow,
-        ...preserveFields
-      }
-    });
+        requestBody: {
+          path: remotePath.replaceAll(SEP20, "/"),
+          deployment_message: message,
+          ...localFlowBody,
+          ...preserveFields
+        }
+      });
+    }
   } else {
     info(colors.bold.yellow("Creating new flow..."));
     try {
@@ -75720,7 +75843,7 @@ async function pushFlow(workspace, remotePath, localPath, message, permissionedA
         requestBody: {
           path: remotePath.replaceAll(SEP20, "/"),
           deployment_message: message,
-          ...localFlow,
+          ...localFlowBody,
           ...preserveFields
         }
       });
@@ -75728,6 +75851,7 @@ async function pushFlow(workspace, remotePath, localPath, message, permissionedA
       throw new Error(`Failed to create flow ${remotePath}: ${e.body ?? e.message}`);
     }
   }
+  await applyExtraPermsDiff(workspace, "flow", remotePath.replaceAll(SEP20, "/"), localPerms, flow?.extra_perms);
 }
 async function push11(opts, filePath, remotePath) {
   if (!validatePath(remotePath)) {
@@ -76154,6 +76278,7 @@ var init_flow = __esm(async () => {
   init_mod6();
   init_log();
   init_services_gen();
+  init_extra_perms();
   await __promiseAll([
     init_types(),
     init_confirm(),
@@ -89676,7 +89801,7 @@ var config_default = command35;
 
 // src/main.ts
 await init_context();
-var VERSION = "1.700.2";
+var VERSION = "1.702.0";
 async function checkVersionSafe(cmd) {
   const mainCommand = cmd.getMainCommand();
   const upgradeCommand = mainCommand.getCommand("upgrade");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "windmill-cli",
-  "version": "1.700.2",
+  "version": "1.702.0",
   "description": "CLI for Windmill",
   "license": "Apache 2.0",
   "type": "module",