@tailor-platform/sdk 0.17.0 → 0.18.0

package/dist/{types-Da_WnvA0.d.mts → types-DgaCdTug.d.mts}

@@ -1,11 +1,11 @@
 /// <reference path="./user-defined.d.ts" />
 
-import * as zod34 from "zod";
+import * as zod0 from "zod";
 import { z } from "zod";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 import * as type_fest0 from "type-fest";
 import { IsAny, NonEmptyObject } from "type-fest";
-import * as zod_v4_core50 from "zod/v4/core";
+import * as zod_v4_core0 from "zod/v4/core";
 
 //#region src/configure/types/helpers.d.ts
 type Prettify<T> = { [K in keyof T as string extends K ? never : K]: T[K] } & {};
@@ -439,6 +439,14 @@ declare const OAuth2ClientSchema: z.ZodObject<{
   grantTypes: z.ZodDefault<z.ZodArray<z.ZodUnion<readonly [z.ZodLiteral<"authorization_code">, z.ZodLiteral<"refresh_token">]>>>;
   redirectURIs: z.ZodArray<z.ZodUnion<readonly [z.ZodTemplateLiteral<`https://${string}`>, z.ZodTemplateLiteral<`http://${string}`>, z.ZodTemplateLiteral<`${string}:url`>, z.ZodTemplateLiteral<`${string}:url/${string}`>]>>;
   clientType: z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<"confidential">, z.ZodLiteral<"public">, z.ZodLiteral<"browser">]>>;
+  accessTokenLifetimeSeconds: z.ZodPipe<z.ZodOptional<z.ZodNumber>, z.ZodTransform<{
+    seconds: bigint;
+    nanos: number;
+  } | undefined, number | undefined>>;
+  refreshTokenLifetimeSeconds: z.ZodPipe<z.ZodOptional<z.ZodNumber>, z.ZodTransform<{
+    seconds: bigint;
+    nanos: number;
+  } | undefined, number | undefined>>;
 }, z.core.$strip>;
 declare const SCIMAuthorizationSchema: z.ZodObject<{
   type: z.ZodUnion<readonly [z.ZodLiteral<"oauth2">, z.ZodLiteral<"bearer">]>;
@@ -533,7 +541,7 @@ type IDToken = z.output<typeof IDTokenSchema>;
 type BuiltinIdP = z.output<typeof BuiltinIdPSchema>;
 type IdProviderConfig = z.output<typeof IdProviderSchema>;
 type OAuth2ClientGrantType = z.output<typeof OAuth2ClientGrantTypeSchema>;
-type OAuth2Client = z.output<typeof OAuth2ClientSchema>;
+type OAuth2ClientInput = z.input<typeof OAuth2ClientSchema>;
 type SCIMAuthorization = z.output<typeof SCIMAuthorizationSchema>;
 type SCIMAttributeType = z.output<typeof SCIMAttributeTypeSchema>;
 type SCIMAttribute = z.output<typeof SCIMAttributeSchema>;
@@ -588,7 +596,7 @@ type MachineUser<User extends TailorDBInstance, AttributeMap extends UserAttribu
 type AuthServiceInput<User extends TailorDBInstance, AttributeMap extends UserAttributeMap<User>, AttributeList extends UserAttributeListKey<User>[], MachineUserNames extends string> = {
   userProfile?: UserProfile<User, AttributeMap, AttributeList>;
   machineUsers?: Record<MachineUserNames, MachineUser<User, AttributeMap, AttributeList>>;
-  oauth2Clients?: Record<string, OAuth2Client>;
+  oauth2Clients?: Record<string, OAuth2ClientInput>;
   idProvider?: IdProviderConfig;
   scim?: SCIMConfig;
   tenantProvider?: TenantProviderConfig;
@@ -631,7 +639,7 @@ declare function defineAuth<const Name extends string, const User extends Tailor
   } : {
     attributeList: { [Index in keyof AttributeList]: AttributeList[Index] extends UserAttributeListKey<User> ? AttributeList[Index] extends infer T ? T extends AttributeList[Index] ? T extends keyof output<User> ? output<User>[T] : never : never : never : never };
   })> | undefined;
-  readonly oauth2Clients?: Record<string, OAuth2Client>;
+  readonly oauth2Clients?: Record<string, OAuth2ClientInput>;
   readonly idProvider?: IdProviderConfig;
   readonly scim?: SCIMConfig;
   readonly tenantProvider?: TenantProviderConfig;
@@ -1349,12 +1357,12 @@ declare function defineGenerators(...configs: GeneratorConfig[]): (["@tailor-pla
 }] | {
   id: string;
   description: string;
-  processType: zod_v4_core50.$InferInnerFunctionType<zod_v4_core50.$ZodFunctionArgs, zod_v4_core50.$ZodFunctionOut>;
-  processResolver: zod_v4_core50.$InferInnerFunctionType<zod_v4_core50.$ZodFunctionArgs, zod_v4_core50.$ZodFunctionOut>;
-  processExecutor: zod_v4_core50.$InferInnerFunctionType<zod_v4_core50.$ZodFunctionArgs, zod_v4_core50.$ZodFunctionOut>;
-  aggregate: zod_v4_core50.$InferInnerFunctionType<zod_v4_core50.$ZodFunctionArgs, zod34.ZodAny>;
-  processTailorDBNamespace?: zod_v4_core50.$InferInnerFunctionType<zod_v4_core50.$ZodFunctionArgs, zod_v4_core50.$ZodFunctionOut> | undefined;
-  processResolverNamespace?: zod_v4_core50.$InferInnerFunctionType<zod_v4_core50.$ZodFunctionArgs, zod_v4_core50.$ZodFunctionOut> | undefined;
+  processType: zod_v4_core0.$InferInnerFunctionType<zod_v4_core0.$ZodFunctionArgs, zod_v4_core0.$ZodFunctionOut>;
+  processResolver: zod_v4_core0.$InferInnerFunctionType<zod_v4_core0.$ZodFunctionArgs, zod_v4_core0.$ZodFunctionOut>;
+  processExecutor: zod_v4_core0.$InferInnerFunctionType<zod_v4_core0.$ZodFunctionArgs, zod_v4_core0.$ZodFunctionOut>;
+  aggregate: zod_v4_core0.$InferInnerFunctionType<zod_v4_core0.$ZodFunctionArgs, zod0.ZodAny>;
+  processTailorDBNamespace?: zod_v4_core0.$InferInnerFunctionType<zod_v4_core0.$ZodFunctionArgs, zod_v4_core0.$ZodFunctionOut> | undefined;
+  processResolverNamespace?: zod_v4_core0.$InferInnerFunctionType<zod_v4_core0.$ZodFunctionArgs, zod_v4_core0.$ZodFunctionOut> | undefined;
 })[];
 //#endregion
 //#region src/parser/service/executor/schema.d.ts
@@ -1492,5 +1500,5 @@ type WorkflowOperation = z.infer<typeof WorkflowOperationSchema>;
 type Executor = z.infer<typeof ExecutorSchema>;
 type ExecutorInput = z.input<typeof ExecutorSchema>;
 //#endregion
-export { AllowedValues, AllowedValuesOutput, AppConfig, ArrayFieldOutput, AttributeList$1 as AttributeList, AttributeMap$1 as AttributeMap, AuthConfig, AuthExternalConfig, AuthInvoker$1 as AuthInvoker, AuthOwnConfig, type AuthServiceInput, type BuiltinIdP, CodeGeneratorBase, Executor, ExecutorInput, ExecutorServiceConfig, ExecutorServiceInput, FieldMetadata, FieldOptions, FieldOutput, FunctionOperation, Generator, GqlOperation, type IDToken, IdPConfig, IdPExternalConfig, type IdProviderConfig, IncomingWebhookTrigger, InferFieldsOutput, JsonCompatible, type OAuth2Client, type OAuth2ClientGrantType, type OIDC, PermissionCondition, QueryType, RecordTrigger, Resolver, ResolverExecutedTrigger, ResolverExternalConfig, ResolverInput, ResolverServiceConfig, ResolverServiceInput, type SAML, type SCIMAttribute, type SCIMAttributeMapping, type SCIMAttributeType, type SCIMAuthorization, type SCIMConfig, type SCIMResource, ScheduleTriggerInput, StaticWebsiteConfig, TailorDBField, TailorDBInstance, TailorDBType, TailorDBTypeConfig, TailorField, TailorTypeGqlPermission, TailorTypePermission, TailorUser, type TenantProviderConfig, type UserAttributeKey, type UserAttributeListKey, type UserAttributeMap, type UsernameFieldKey, type ValueOperand, WebhookOperation, WorkflowOperation, WorkflowServiceConfig, WorkflowServiceInput, db, defineAuth, defineConfig, defineGenerators, defineIdp, defineStaticWebSite, output, unauthenticatedTailorUser, unsafeAllowAllGqlPermission, unsafeAllowAllTypePermission };
-//# sourceMappingURL=types-Da_WnvA0.d.mts.map
+export { AllowedValues, AllowedValuesOutput, AppConfig, ArrayFieldOutput, AttributeList$1 as AttributeList, AttributeMap$1 as AttributeMap, AuthConfig, AuthExternalConfig, AuthInvoker$1 as AuthInvoker, AuthOwnConfig, type AuthServiceInput, type BuiltinIdP, CodeGeneratorBase, Executor, ExecutorInput, ExecutorServiceConfig, ExecutorServiceInput, FieldMetadata, FieldOptions, FieldOutput, FunctionOperation, Generator, GqlOperation, type IDToken, IdPConfig, IdPExternalConfig, type IdProviderConfig, IncomingWebhookTrigger, InferFieldsOutput, JsonCompatible, type OAuth2ClientGrantType, OAuth2ClientInput, type OIDC, PermissionCondition, QueryType, RecordTrigger, Resolver, ResolverExecutedTrigger, ResolverExternalConfig, ResolverInput, ResolverServiceConfig, ResolverServiceInput, type SAML, type SCIMAttribute, type SCIMAttributeMapping, type SCIMAttributeType, type SCIMAuthorization, type SCIMConfig, type SCIMResource, ScheduleTriggerInput, StaticWebsiteConfig, TailorDBField, TailorDBInstance, TailorDBType, TailorDBTypeConfig, TailorField, TailorTypeGqlPermission, TailorTypePermission, TailorUser, type TenantProviderConfig, type UserAttributeKey, type UserAttributeListKey, type UserAttributeMap, type UsernameFieldKey, type ValueOperand, WebhookOperation, WorkflowOperation, WorkflowServiceConfig, WorkflowServiceInput, db, defineAuth, defineConfig, defineGenerators, defineIdp, defineStaticWebSite, output, unauthenticatedTailorUser, unsafeAllowAllGqlPermission, unsafeAllowAllTypePermission };
+//# sourceMappingURL=types-DgaCdTug.d.mts.map

package/dist/utils/test/index.d.mts

@@ -1,7 +1,7 @@
 /// <reference path="./../../user-defined.d.ts" />
 
-import { TailorDBType, TailorField } from "../../types-Da_WnvA0.mjs";
-import { output } from "../../index-Bin7-j3v.mjs";
+import { TailorDBType, TailorField } from "../../types-DgaCdTug.mjs";
+import { output } from "../../index-BWqIQ4iC.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/utils/test/index.d.ts

package/docs/configuration.md

@@ -62,6 +62,32 @@ export default defineConfig({
 
 **ignores**: Glob patterns to exclude files. Optional. By default, `**/*.test.ts` and `**/*.spec.ts` are automatically ignored. If you explicitly specify `ignores`, the default patterns will not be applied. Use `ignores: []` to include all files including test files.
 
+### External Resources
+
+You can reference resources managed by Terraform or other SDK projects to include them in your application's subgraph. External resources are not deployed by this project but can be used for shared access across multiple applications.
+
+```typescript
+export default defineConfig({
+  name: "my-app",
+  db: {
+    "shared-db": { external: true },
+  },
+  resolver: {
+    "my-resolver": { external: true },
+  },
+  auth: { name: "shared-auth", external: true },
+  idp: [{ name: "shared-idp", external: true }],
+});
+```
+
+**external**: Set to `true` to reference an external resource. The resource must already exist and be managed by another project (e.g., Terraform or another SDK application).
+
+When using external resources:
+
+- The resource itself is not deployed by this project
+- The resource must be deployed and available before referencing it
+- You can combine external resources with locally-defined resources
+
 ### Built-in IdP
 
 Configure the Built-in IdP service using `defineIdp()`. See [IdP](./services/idp.md) for full documentation.

package/docs/services/auth.md

@@ -53,16 +53,29 @@ Maps authenticated identities to a TailorDB type:
 ```typescript
 userProfile: {
   type: user,              // TailorDB type for user records
-  usernameField: "email",  // Field used as username
+  usernameField: "email",  // Field used as username (must be unique)
   attributes: {
     role: true,            // Enable 'role' as a user attribute
   },
 },
 ```
 
+Example TailorDB type for user profile:
+
+```typescript
+// tailordb/user.ts
+import { db } from "@tailor-platform/sdk";
+
+export const user = db.type("User", {
+  email: db.string().unique(), // usernameField must have unique constraint
+  role: db.enum(["admin", "user"]),
+  ...db.fields.timestamps(),
+});
+```
+
 **type**: The TailorDB type that stores user records.
 
-**usernameField**: The field in the TailorDB type used as the username.
+**usernameField**: The field in the TailorDB type used as the username. This field must have a unique constraint (`.unique()`) since it is used to uniquely identify users.
 
 **attributes**: Specifies which fields from the TailorDB type are used as user attributes. Set to `true` to enable a field. Enabled attributes must be assigned values in all machine user definitions.
 
@@ -175,6 +188,8 @@ oauth2Clients: {
     ],
     description: "My OAuth2 client",
     grantTypes: ["authorization_code", "refresh_token"],
+    accessTokenLifetimeSeconds: 3600,    // 1 hour
+    refreshTokenLifetimeSeconds: 604800, // 7 days
   },
 },
 ```
@@ -188,6 +203,10 @@ oauth2Clients: {
 - `authorization_code` - Standard OAuth 2.0 authorization code flow
 - `refresh_token` - Allow refreshing access tokens
 
+**accessTokenLifetimeSeconds**: Optional access token lifetime in seconds. Minimum: 60 seconds, Maximum: 86400 seconds (1 day). If not specified, uses platform default.
+
+**refreshTokenLifetimeSeconds**: Optional refresh token lifetime in seconds. Minimum: 60 seconds, Maximum: 604800 seconds (7 days). If not specified, uses platform default.
+
 Get OAuth2 client credentials using the CLI:
 
 ```bash

package/docs/services/tailordb.md

@@ -282,6 +282,8 @@ db.type("User", {
 
 Configure Permission and GQLPermission. For details, see the [TailorDB Permission documentation](https://docs.tailor.tech/guides/tailordb/permission).
 
+**Important**: Following the secure-by-default principle, all operations are denied if permissions are not configured. You must explicitly grant permissions for each operation (create, read, update, delete).
+
 ```typescript
 db.type("User", {
   name: db.string(),
@@ -302,4 +304,22 @@ db.type("User", {
   ]);
 ```
 
-Following the secure-by-default principle, all operations are denied if permissions are not configured.
+#### Development/Test Helpers
+
+For local development, prototyping, or testing, the SDK provides helper constants that grant full access without conditions:
+
+```typescript
+import {
+  db,
+  unsafeAllowAllTypePermission,
+  unsafeAllowAllGqlPermission,
+} from "@tailor-platform/sdk";
+
+db.type("User", {
+  name: db.string(),
+})
+  .permission(unsafeAllowAllTypePermission)
+  .gqlPermission(unsafeAllowAllGqlPermission);
+```
+
+**Warning**: Do not use `unsafeAllowAllTypePermission` or `unsafeAllowAllGqlPermission` in production environments as they effectively disable authorization checks.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "0.17.0",
+  "version": "0.18.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "main": "./dist/configure/index.mjs",
@@ -40,7 +40,7 @@
   "types": "./dist/configure/index.d.mts",
   "dependencies": {
     "@badgateway/oauth2-client": "3.3.1",
-    "@bufbuild/protobuf": "2.10.1",
+    "@bufbuild/protobuf": "2.10.2",
     "@connectrpc/connect": "2.1.1",
     "@connectrpc/connect-node": "2.1.1",
     "@standard-schema/spec": "1.0.0",
@@ -51,7 +51,7 @@
     "confbox": "0.2.2",
     "consola": "3.4.2",
     "date-fns": "4.1.0",
-    "es-toolkit": "1.42.0",
+    "es-toolkit": "1.43.0",
     "inflection": "3.0.2",
     "madge": "8.0.0",
     "multiline-ts": "4.0.1",
@@ -69,12 +69,12 @@
     "zod": "4.1.13"
   },
   "devDependencies": {
-    "@eslint/js": "9.39.1",
+    "@eslint/js": "9.39.2",
     "@tailor-platform/function-types": "0.8.0",
     "@types/madge": "5.0.3",
-    "@types/node": "22.19.2",
+    "@types/node": "22.19.3",
     "cross-env": "10.1.0",
-    "eslint": "9.39.1",
+    "eslint": "9.39.2",
     "eslint-plugin-jsdoc": "61.5.0",
     "globals": "16.5.0",
     "sonda": "0.10.1",