@tailor-platform/sdk 0.16.2 → 0.17.0

package/dist/{types-DUYX8rv-.d.mts → types-Da_WnvA0.d.mts}

@@ -1156,6 +1156,16 @@ declare const IdPSchema: z.core.$ZodBranded<z.ZodObject<{
     en: "en";
     ja: "ja";
   }>>;
+  userAuthPolicy: z.ZodOptional<z.ZodPipe<z.ZodObject<{
+    useNonEmailIdentifier: z.ZodDefault<z.ZodBoolean>;
+    allowSelfPasswordReset: z.ZodDefault<z.ZodBoolean>;
+  }, z.core.$strip>, z.ZodTransform<{
+    useNonEmailIdentifier: boolean;
+    allowSelfPasswordReset: boolean;
+  }, {
+    useNonEmailIdentifier: boolean;
+    allowSelfPasswordReset: boolean;
+  }>>>;
 }, z.core.$strip>, "IdPConfig">;
 //#endregion
 //#region src/parser/service/idp/types.d.ts
@@ -1180,6 +1190,10 @@ declare function defineIdp<const TClients extends string[]>(name: string, config
     cel: string;
   };
   readonly lang?: "en" | "ja" | undefined;
+  readonly userAuthPolicy?: {
+    useNonEmailIdentifier?: boolean | undefined;
+    allowSelfPasswordReset?: boolean | undefined;
+  } | undefined;
   readonly clients: TClients;
 } & IdpDefinitionBrand;
 type IdPExternalConfig = {
@@ -1479,4 +1493,4 @@ type Executor = z.infer<typeof ExecutorSchema>;
 type ExecutorInput = z.input<typeof ExecutorSchema>;
 //#endregion
 export { AllowedValues, AllowedValuesOutput, AppConfig, ArrayFieldOutput, AttributeList$1 as AttributeList, AttributeMap$1 as AttributeMap, AuthConfig, AuthExternalConfig, AuthInvoker$1 as AuthInvoker, AuthOwnConfig, type AuthServiceInput, type BuiltinIdP, CodeGeneratorBase, Executor, ExecutorInput, ExecutorServiceConfig, ExecutorServiceInput, FieldMetadata, FieldOptions, FieldOutput, FunctionOperation, Generator, GqlOperation, type IDToken, IdPConfig, IdPExternalConfig, type IdProviderConfig, IncomingWebhookTrigger, InferFieldsOutput, JsonCompatible, type OAuth2Client, type OAuth2ClientGrantType, type OIDC, PermissionCondition, QueryType, RecordTrigger, Resolver, ResolverExecutedTrigger, ResolverExternalConfig, ResolverInput, ResolverServiceConfig, ResolverServiceInput, type SAML, type SCIMAttribute, type SCIMAttributeMapping, type SCIMAttributeType, type SCIMAuthorization, type SCIMConfig, type SCIMResource, ScheduleTriggerInput, StaticWebsiteConfig, TailorDBField, TailorDBInstance, TailorDBType, TailorDBTypeConfig, TailorField, TailorTypeGqlPermission, TailorTypePermission, TailorUser, type TenantProviderConfig, type UserAttributeKey, type UserAttributeListKey, type UserAttributeMap, type UsernameFieldKey, type ValueOperand, WebhookOperation, WorkflowOperation, WorkflowServiceConfig, WorkflowServiceInput, db, defineAuth, defineConfig, defineGenerators, defineIdp, defineStaticWebSite, output, unauthenticatedTailorUser, unsafeAllowAllGqlPermission, unsafeAllowAllTypePermission };
-//# sourceMappingURL=types-DUYX8rv-.d.mts.map
+//# sourceMappingURL=types-Da_WnvA0.d.mts.map

package/dist/utils/test/index.d.mts

@@ -1,12 +1,18 @@
 /// <reference path="./../../user-defined.d.ts" />
 
-import { TailorDBType, TailorField, TailorUser } from "../../types-DUYX8rv-.mjs";
-import { output } from "../../index-DOA9RfBq.mjs";
+import { TailorDBType, TailorField } from "../../types-Da_WnvA0.mjs";
+import { output } from "../../index-Bin7-j3v.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/utils/test/index.d.ts
 /** Represents an unauthenticated user in the Tailor platform. */
-declare const unauthenticatedTailorUser: TailorUser;
+declare const unauthenticatedTailorUser: {
+  readonly id: "00000000-0000-0000-0000-000000000000";
+  readonly type: "";
+  readonly workspaceId: "00000000-0000-0000-0000-000000000000";
+  readonly attributes: null;
+  readonly attributeList: [];
+};
 /**
  * Creates a hook function that processes TailorDB type fields
  * - Uses existing id from data if provided, otherwise generates UUID for id fields

package/dist/utils/test/index.mjs

@@ -23,12 +23,14 @@ function createTailorDBHook(type) {
 			const field = value;
 			if (key === "id") hooked[key] = (data && typeof data === "object" ? data[key] : void 0) ?? crypto.randomUUID();
 			else if (field.type === "nested") hooked[key] = createTailorDBHook({ fields: field.fields })(data[key]);
-			else if (field.metadata.hooks?.create) hooked[key] = field.metadata.hooks.create({
-				value: data[key],
-				data,
-				user: unauthenticatedTailorUser
-			});
-			else if (data && typeof data === "object") hooked[key] = data[key];
+			else if (field.metadata.hooks?.create) {
+				hooked[key] = field.metadata.hooks.create({
+					value: data[key],
+					data,
+					user: unauthenticatedTailorUser
+				});
+				if (hooked[key] instanceof Date) hooked[key] = hooked[key].toISOString();
+			} else if (data && typeof data === "object") hooked[key] = data[key];
 			return hooked;
 		}, {});
 	};

package/dist/utils/test/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":["unauthenticatedTailorUser: TailorUser"],"sources":["../../../src/utils/test/index.ts"],"sourcesContent":["import type { output, TailorUser } from \"@/configure\";\nimport type { TailorDBType } from \"@/configure/services/tailordb/schema\";\nimport type { TailorField } from \"@/configure/types/type\";\nimport type { StandardSchemaV1 } from \"@standard-schema/spec\";\n\n/** Represents an unauthenticated user in the Tailor platform. */\nexport const unauthenticatedTailorUser: TailorUser = {\n  id: \"00000000-0000-0000-0000-000000000000\",\n  type: \"\",\n  workspaceId: \"00000000-0000-0000-0000-000000000000\",\n  attributes: null,\n  attributeList: [],\n} as const;\n\n/**\n * Creates a hook function that processes TailorDB type fields\n * - Uses existing id from data if provided, otherwise generates UUID for id fields\n * - Recursively processes nested types\n * - Executes hooks.create for fields with create hooks\n *\n * @template T - The output type of the hook function\n * @param type - TailorDB type definition\n * @returns A function that transforms input data according to field hooks\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport function createTailorDBHook<T extends TailorDBType<any, any>>(type: T) {\n  return (data: unknown) => {\n    return Object.entries(type.fields).reduce(\n      (hooked, [key, value]) => {\n        // eslint-disable-next-line @typescript-eslint/no-explicit-any\n        const field = value as TailorField<any, any, any>;\n        if (key === \"id\") {\n          // Use existing id from data if provided, otherwise generate new UUID\n          const existingId =\n            data && typeof data === \"object\"\n              ? (data as Record<string, unknown>)[key]\n              : undefined;\n          hooked[key] = existingId ?? crypto.randomUUID();\n        } else if (field.type === \"nested\") {\n          // eslint-disable-next-line @typescript-eslint/no-explicit-any\n          hooked[key] = createTailorDBHook({ fields: field.fields } as any)(\n            (data as Record<string, unknown>)[key],\n          );\n        } else if (field.metadata.hooks?.create) {\n          hooked[key] = field.metadata.hooks.create({\n            value: (data as Record<string, unknown>)[key],\n            data: data,\n            user: unauthenticatedTailorUser,\n          });\n        } else if (data && typeof data === \"object\") {\n          hooked[key] = (data as Record<string, unknown>)[key];\n        }\n        return hooked;\n      },\n      {} as Record<string, unknown>,\n    ) as Partial<output<T>>;\n  };\n}\n\n/**\n * Creates the standard schema definition for lines-db\n * This returns the first argument for defineSchema with the ~standard section\n *\n * @template T - The output type after validation\n * @param schemaType - TailorDB field schema for validation\n * @param hook - Hook function to transform data before validation\n * @returns Schema object with ~standard section for defineSchema\n */\nexport function createStandardSchema<T = Record<string, unknown>>(\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  schemaType: TailorField<any, T>,\n  hook: (data: unknown) => Partial<T>,\n) {\n  return {\n    \"~standard\": {\n      version: 1,\n      vendor: \"@tailor-platform/sdk\",\n      validate: (value: unknown) => {\n        const hooked = hook(value);\n        const result = schemaType.parse({\n          value: hooked,\n          data: hooked,\n          user: unauthenticatedTailorUser,\n        });\n        if (result.issues) {\n          return result;\n        }\n        return { value: hooked as T };\n      },\n    },\n  } as const satisfies StandardSchemaV1<T>;\n}\n"],"mappings":";;AAMA,MAAaA,4BAAwC;CACnD,IAAI;CACJ,MAAM;CACN,aAAa;CACb,YAAY;CACZ,eAAe,EAAE;CAClB;;;;;;;;;;;AAaD,SAAgB,mBAAqD,MAAS;AAC5E,SAAQ,SAAkB;AACxB,SAAO,OAAO,QAAQ,KAAK,OAAO,CAAC,QAChC,QAAQ,CAAC,KAAK,WAAW;GAExB,MAAM,QAAQ;AACd,OAAI,QAAQ,KAMV,QAAO,QAHL,QAAQ,OAAO,SAAS,WACnB,KAAiC,OAClC,WACsB,OAAO,YAAY;YACtC,MAAM,SAAS,SAExB,QAAO,OAAO,mBAAmB,EAAE,QAAQ,MAAM,QAAQ,CAAQ,CAC9D,KAAiC,KACnC;YACQ,MAAM,SAAS,OAAO,OAC/B,QAAO,OAAO,MAAM,SAAS,MAAM,OAAO;IACxC,OAAQ,KAAiC;IACnC;IACN,MAAM;IACP,CAAC;YACO,QAAQ,OAAO,SAAS,SACjC,QAAO,OAAQ,KAAiC;AAElD,UAAO;KAET,EAAE,CACH;;;;;;;;;;;;AAaL,SAAgB,qBAEd,YACA,MACA;AACA,QAAO,EACL,aAAa;EACX,SAAS;EACT,QAAQ;EACR,WAAW,UAAmB;GAC5B,MAAM,SAAS,KAAK,MAAM;GAC1B,MAAM,SAAS,WAAW,MAAM;IAC9B,OAAO;IACP,MAAM;IACN,MAAM;IACP,CAAC;AACF,OAAI,OAAO,OACT,QAAO;AAET,UAAO,EAAE,OAAO,QAAa;;EAEhC,EACF"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/utils/test/index.ts"],"sourcesContent":["import type { output, TailorUser } from \"@/configure\";\nimport type { TailorDBType } from \"@/configure/services/tailordb/schema\";\nimport type { TailorField } from \"@/configure/types/type\";\nimport type { StandardSchemaV1 } from \"@standard-schema/spec\";\n\n/** Represents an unauthenticated user in the Tailor platform. */\nexport const unauthenticatedTailorUser = {\n  id: \"00000000-0000-0000-0000-000000000000\",\n  type: \"\",\n  workspaceId: \"00000000-0000-0000-0000-000000000000\",\n  attributes: null,\n  attributeList: [],\n} as const satisfies TailorUser;\n\n/**\n * Creates a hook function that processes TailorDB type fields\n * - Uses existing id from data if provided, otherwise generates UUID for id fields\n * - Recursively processes nested types\n * - Executes hooks.create for fields with create hooks\n *\n * @template T - The output type of the hook function\n * @param type - TailorDB type definition\n * @returns A function that transforms input data according to field hooks\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport function createTailorDBHook<T extends TailorDBType<any, any>>(type: T) {\n  return (data: unknown) => {\n    return Object.entries(type.fields).reduce(\n      (hooked, [key, value]) => {\n        // eslint-disable-next-line @typescript-eslint/no-explicit-any\n        const field = value as TailorField<any, any, any>;\n        if (key === \"id\") {\n          // Use existing id from data if provided, otherwise generate new UUID\n          const existingId =\n            data && typeof data === \"object\"\n              ? (data as Record<string, unknown>)[key]\n              : undefined;\n          hooked[key] = existingId ?? crypto.randomUUID();\n        } else if (field.type === \"nested\") {\n          // eslint-disable-next-line @typescript-eslint/no-explicit-any\n          hooked[key] = createTailorDBHook({ fields: field.fields } as any)(\n            (data as Record<string, unknown>)[key],\n          );\n        } else if (field.metadata.hooks?.create) {\n          hooked[key] = field.metadata.hooks.create({\n            value: (data as Record<string, unknown>)[key],\n            data: data,\n            user: unauthenticatedTailorUser,\n          });\n          if (hooked[key] instanceof Date) {\n            hooked[key] = hooked[key].toISOString();\n          }\n        } else if (data && typeof data === \"object\") {\n          hooked[key] = (data as Record<string, unknown>)[key];\n        }\n        return hooked;\n      },\n      {} as Record<string, unknown>,\n    ) as Partial<output<T>>;\n  };\n}\n\n/**\n * Creates the standard schema definition for lines-db\n * This returns the first argument for defineSchema with the ~standard section\n *\n * @template T - The output type after validation\n * @param schemaType - TailorDB field schema for validation\n * @param hook - Hook function to transform data before validation\n * @returns Schema object with ~standard section for defineSchema\n */\nexport function createStandardSchema<T = Record<string, unknown>>(\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  schemaType: TailorField<any, T>,\n  hook: (data: unknown) => Partial<T>,\n) {\n  return {\n    \"~standard\": {\n      version: 1,\n      vendor: \"@tailor-platform/sdk\",\n      validate: (value: unknown) => {\n        const hooked = hook(value);\n        const result = schemaType.parse({\n          value: hooked,\n          data: hooked,\n          user: unauthenticatedTailorUser,\n        });\n        if (result.issues) {\n          return result;\n        }\n        return { value: hooked as T };\n      },\n    },\n  } as const satisfies StandardSchemaV1<T>;\n}\n"],"mappings":";;AAMA,MAAa,4BAA4B;CACvC,IAAI;CACJ,MAAM;CACN,aAAa;CACb,YAAY;CACZ,eAAe,EAAE;CAClB;;;;;;;;;;;AAaD,SAAgB,mBAAqD,MAAS;AAC5E,SAAQ,SAAkB;AACxB,SAAO,OAAO,QAAQ,KAAK,OAAO,CAAC,QAChC,QAAQ,CAAC,KAAK,WAAW;GAExB,MAAM,QAAQ;AACd,OAAI,QAAQ,KAMV,QAAO,QAHL,QAAQ,OAAO,SAAS,WACnB,KAAiC,OAClC,WACsB,OAAO,YAAY;YACtC,MAAM,SAAS,SAExB,QAAO,OAAO,mBAAmB,EAAE,QAAQ,MAAM,QAAQ,CAAQ,CAC9D,KAAiC,KACnC;YACQ,MAAM,SAAS,OAAO,QAAQ;AACvC,WAAO,OAAO,MAAM,SAAS,MAAM,OAAO;KACxC,OAAQ,KAAiC;KACnC;KACN,MAAM;KACP,CAAC;AACF,QAAI,OAAO,gBAAgB,KACzB,QAAO,OAAO,OAAO,KAAK,aAAa;cAEhC,QAAQ,OAAO,SAAS,SACjC,QAAO,OAAQ,KAAiC;AAElD,UAAO;KAET,EAAE,CACH;;;;;;;;;;;;AAaL,SAAgB,qBAEd,YACA,MACA;AACA,QAAO,EACL,aAAa;EACX,SAAS;EACT,QAAQ;EACR,WAAW,UAAmB;GAC5B,MAAM,SAAS,KAAK,MAAM;GAC1B,MAAM,SAAS,WAAW,MAAM;IAC9B,OAAO;IACP,MAAM;IACN,MAAM;IACP,CAAC;AACF,OAAI,OAAO,OACT,QAAO;AAET,UAAO,EAAE,OAAO,QAAa;;EAEhC,EACF"}

package/docs/cli/application.md

@@ -0,0 +1,136 @@
+# Application Commands
+
+Commands for managing Tailor Platform applications. These commands work with `tailor.config.ts`.
+
+## init
+
+Initialize a new project using create-sdk.
+
+```bash
+tailor-sdk init [name] [options]
+```
+
+**Arguments:**
+
+- `name` - Project name
+
+**Options:**
+
+- `-t, --template` - Template name
+
+## generate
+
+Generate files using Tailor configuration.
+
+```bash
+tailor-sdk generate [options]
+```
+
+**Options:**
+
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `-w, --watch` - Watch for type/resolver changes and regenerate
+
+## apply
+
+Apply Tailor configuration to deploy your application.
+
+```bash
+tailor-sdk apply [options]
+```
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace to apply the configuration to
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `-d, --dryRun` - Run the command without making any changes
+- `-y, --yes` - Skip confirmation prompt
+
+## remove
+
+Remove all resources managed by the application from the workspace.
+
+```bash
+tailor-sdk remove [options]
+```
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace to remove resources from
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `-y, --yes` - Skip confirmation prompt
+
+## show
+
+Show information about the deployed application.
+
+```bash
+tailor-sdk show [options]
+```
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace to show the application from
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `--json` - Output as JSON
+
+## tailordb
+
+Manage TailorDB tables and data.
+
+```bash
+tailor-sdk tailordb <subcommand> [options]
+```
+
+### tailordb truncate
+
+Truncate (delete all records from) TailorDB tables.
+
+```bash
+tailor-sdk tailordb truncate [types...] [options]
+```
+
+**Arguments:**
+
+- `types...` - Space-separated list of type names to truncate (optional)
+
+**Options:**
+
+- `-a, --all` - Truncate all tables in all namespaces
+- `-n, --namespace` - Truncate all tables in the specified namespace
+- `-y, --yes` - Skip confirmation prompt
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+
+**Usage Examples:**
+
+```bash
+# Truncate all tables in all namespaces (requires confirmation)
+tailor-sdk tailordb truncate --all
+
+# Truncate all tables in all namespaces (skip confirmation)
+tailor-sdk tailordb truncate --all --yes
+
+# Truncate all tables in a specific namespace
+tailor-sdk tailordb truncate --namespace myNamespace
+
+# Truncate specific types (namespace is auto-detected)
+tailor-sdk tailordb truncate User Post Comment
+
+# Truncate specific types with confirmation skipped
+tailor-sdk tailordb truncate User Post --yes
+```
+
+**Notes:**
+
+- You must specify exactly one of: `--all`, `--namespace`, or type names
+- When truncating specific types, the namespace is automatically detected from your config
+- Confirmation prompts vary based on the operation:
+  - `--all`: requires typing `truncate all`
+  - `--namespace`: requires typing `truncate <namespace-name>`
+  - Specific types: requires typing `yes`
+- Use `--yes` flag to skip confirmation prompts (useful for scripts and CI/CD)

package/docs/cli/auth.md

@@ -0,0 +1,110 @@
+# Auth Resource Commands
+
+Commands for managing Auth service resources (machine users and OAuth2 clients).
+
+## machineuser
+
+Manage machine users in your Tailor Platform application.
+
+```bash
+tailor-sdk machineuser <subcommand> [options]
+```
+
+### machineuser list
+
+List all machine users in the application.
+
+```bash
+tailor-sdk machineuser list [options]
+```
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `--json` - Output as JSON
+
+### machineuser token
+
+Get an access token for a machine user.
+
+```bash
+tailor-sdk machineuser token <name> [options]
+```
+
+**Arguments:**
+
+- `name` - Machine user name (required)
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `--json` - Output as JSON
+
+## oauth2client
+
+Manage OAuth2 clients in your Tailor Platform application.
+
+```bash
+tailor-sdk oauth2client <subcommand> [options]
+```
+
+### oauth2client list
+
+List all OAuth2 clients in the application.
+
+```bash
+tailor-sdk oauth2client list [options]
+```
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `--json` - Output as JSON
+
+**Output:**
+
+Returns a list of OAuth2 clients with the following fields:
+
+- `name` - Client name
+- `description` - Client description
+- `clientId` - OAuth2 client ID
+- `grantTypes` - Supported grant types (e.g., `authorization_code`, `refresh_token`)
+- `redirectUris` - Registered redirect URIs
+- `createdAt` - Creation timestamp
+
+### oauth2client get
+
+Get OAuth2 client credentials (including client secret).
+
+```bash
+tailor-sdk oauth2client get <name> [options]
+```
+
+**Arguments:**
+
+- `name` - OAuth2 client name (required)
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `-c, --config` - Path to the SDK config file (default: `tailor.config.ts`)
+- `--json` - Output as JSON
+
+**Output:**
+
+Returns the OAuth2 client credentials with the following fields:
+
+- `name` - Client name
+- `description` - Client description
+- `clientId` - OAuth2 client ID
+- `clientSecret` - OAuth2 client secret
+- `grantTypes` - Supported grant types
+- `redirectUris` - Registered redirect URIs
+- `createdAt` - Creation timestamp

package/docs/cli/secret.md

@@ -0,0 +1,125 @@
+# Secret Commands
+
+Commands for managing Secret Manager vaults and secrets.
+
+## secret
+
+Manage Secret Manager vaults and secrets.
+
+```bash
+tailor-sdk secret <subcommand> [options]
+```
+
+### secret vault
+
+Manage Secret Manager vaults.
+
+```bash
+tailor-sdk secret vault <subcommand> [options]
+```
+
+#### secret vault create
+
+Create a new Secret Manager vault.
+
+```bash
+tailor-sdk secret vault create [options]
+```
+
+**Options:**
+
+- `--name` - Vault name (required)
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+
+#### secret vault delete
+
+Delete a Secret Manager vault.
+
+```bash
+tailor-sdk secret vault delete [options]
+```
+
+**Options:**
+
+- `--name` - Vault name (required)
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `-y, --yes` - Skip confirmation prompt
+
+#### secret vault list
+
+List all Secret Manager vaults in the workspace.
+
+```bash
+tailor-sdk secret vault list [options]
+```
+
+**Options:**
+
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `--json` - Output as JSON
+
+### secret create
+
+Create a secret in a vault.
+
+```bash
+tailor-sdk secret create [options]
+```
+
+**Options:**
+
+- `--vault-name` - Vault name (required)
+- `--name` - Secret name (required)
+- `--value` - Secret value (required)
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+
+### secret update
+
+Update a secret in a vault.
+
+```bash
+tailor-sdk secret update [options]
+```
+
+**Options:**
+
+- `--vault-name` - Vault name (required)
+- `--name` - Secret name (required)
+- `--value` - New secret value (required)
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+
+### secret list
+
+List all secrets in a vault.
+
+```bash
+tailor-sdk secret list [options]
+```
+
+**Options:**
+
+- `--vault-name` - Vault name (required)
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `--json` - Output as JSON
+
+### secret delete
+
+Delete a secret in a vault.
+
+```bash
+tailor-sdk secret delete [options]
+```
+
+**Options:**
+
+- `--vault-name` - Vault name (required)
+- `--name` - Secret name (required)
+- `-w, --workspace-id` - ID of the workspace
+- `-p, --profile` - Workspace profile to use
+- `-y, --yes` - Skip confirmation prompt

package/docs/cli/user.md

@@ -0,0 +1,183 @@
+# User & Auth Commands
+
+Commands for authentication and user management.
+
+## login
+
+Login to Tailor Platform.
+
+```bash
+tailor-sdk login
+```
+
+## logout
+
+Logout from Tailor Platform.
+
+```bash
+tailor-sdk logout
+```
+
+## user
+
+Manage Tailor Platform users.
+
+```bash
+tailor-sdk user <subcommand> [options]
+```
+
+### user current
+
+Show current user.
+
+```bash
+tailor-sdk user current [options]
+```
+
+### user list
+
+List all users.
+
+```bash
+tailor-sdk user list [options]
+```
+
+**Options:**
+
+- `--json` - Output as JSON
+
+### user use
+
+Set current user.
+
+```bash
+tailor-sdk user use <user>
+```
+
+**Arguments:**
+
+- `user` - User email (required)
+
+### user pat
+
+Manage personal access tokens.
+
+```bash
+tailor-sdk user pat <subcommand> [options]
+```
+
+When no subcommand is provided, defaults to `list`.
+
+#### user pat list
+
+List all personal access tokens.
+
+```bash
+tailor-sdk user pat list [options]
+```
+
+**Options:**
+
+- `--json` - Output as JSON
+
+**Output (default):**
+
+```
+ token-name-1: read/write
+ token-name-2: read
+```
+
+**Output (`--json`):**
+
+```json
+[
+  { "name": "token-name-1", "scopes": ["read", "write"] },
+  { "name": "token-name-2", "scopes": ["read"] }
+]
+```
+
+#### user pat create
+
+Create a new personal access token.
+
+```bash
+tailor-sdk user pat create <name> [options]
+```
+
+**Arguments:**
+
+- `name` - Token name (required)
+
+**Options:**
+
+- `-w, --write` - Grant write permission (default: read-only)
+- `--json` - Output as JSON
+
+**Output (default):**
+
+```
+Personal access token created successfully.
+
+  name: token-name
+scopes: read/write
+ token: tpp_xxxxxxxxxxxxx
+
+Please save this token in a secure location. You won't be able to see it again.
+```
+
+**Output (`--json`):**
+
+```json
+{ "name": "token-name", "scopes": ["read", "write"], "token": "eyJhbGc..." }
+```
+
+#### user pat delete
+
+Delete a personal access token.
+
+```bash
+tailor-sdk user pat delete <name>
+```
+
+**Arguments:**
+
+- `name` - Token name (required)
+
+#### user pat update
+
+Update a personal access token (delete and recreate).
+
+```bash
+tailor-sdk user pat update <name> [options]
+```
+
+**Arguments:**
+
+- `name` - Token name (required)
+
+**Options:**
+
+- `-w, --write` - Grant write permission (if not specified, keeps read-only)
+- `--json` - Output as JSON
+
+**Output (default):**
+
+```
+Personal access token updated successfully.
+
+  name: token-name
+scopes: read/write
+ token: tpp_xxxxxxxxxxxxx
+
+Please save this token in a secure location. You won't be able to see it again.
+```
+
+**Output (`--json`):**
+
+```json
+{
+  "name": "token-name",
+  "scopes": ["read", "write"],
+  "token": "tpp_xxxxxxxxxxxxx"
+}
+```