npm - @tailor-platform/sdk - Versions diffs - 0.8.6 → 0.10.0 - Mend

@tailor-platform/sdk 0.8.6 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/CHANGELOG.md +64 -0
package/dist/cli/api.d.mts +12 -11
package/dist/cli/api.mjs +1 -1
package/dist/cli/index.mjs +4 -5
package/dist/configure/index.d.mts +2 -2
package/dist/{index-DHpKRtq3.d.mts → index-DxmBZtRb.d.mts} +15 -2
package/dist/{token-Cbs_El75.mjs → token-BD9c1mlS.mjs} +709 -274
package/dist/{types-CPcmGK_X.d.mts → types-DcpYyMM2.d.mts} +4 -3
package/dist/utils/test/index.d.mts +2 -2
package/docs/cli-reference.md +1 -0
package/docs/configuration.md +31 -0
package/package.json +1 -1

package/dist/{token-Cbs_El75.mjs → token-BD9c1mlS.mjs} RENAMED Viewed

@@ -21,6 +21,7 @@ import * as os from "node:os";
 import { parseTOML, parseYAML, stringifyYAML } from "confbox";
 import { xdgConfig } from "xdg-basedir";
 import { fromJson } from "@bufbuild/protobuf";
+import chalk from "chalk";
 import { spawn } from "node:child_process";
 import { glob } from "node:fs/promises";
 import chokidar from "chokidar";
@@ -155,7 +156,7 @@ const FunctionOperationSchema = z.object({
 });
 const GqlOperationSchema = z.object({
 	kind: z.literal("graphql"),
-	appName: z.string(),
+	appName: z.string().optional(),
 	query: z.string(),
 	variables: functionSchema.optional(),
 	invoker: InvokerSchema.optional()
@@ -190,6 +191,7 @@ var ExecutorService = class {
 		this.config = config;
 	}
 	async loadExecutors() {
+		if (Object.keys(this.executors).length > 0) return this.executors;
 		if (!this.config.files || this.config.files.length === 0) return;
 		const executorFiles = loadFilesWithIgnores(this.config);
 		console.log("");
@@ -275,6 +277,7 @@ var ResolverService = class {
 		this.config = config;
 	}
 	async loadResolvers() {
+		if (Object.keys(this.resolvers).length > 0) return;
 		if (!this.config.files || this.config.files.length === 0) return;
 		const resolverFiles = loadFilesWithIgnores(this.config);
 		console.log("");
@@ -464,9 +467,11 @@ var Application = class {
 	_subgraphs = [];
 	_executorService = void 0;
 	_staticWebsiteServices = [];
+	_env = {};
 	constructor(name, config) {
 		this.name = name;
 		this.config = config;
+		this._env = config.env || {};
 	}
 	addSubgraph(type, name) {
 		this._subgraphs.push({
@@ -495,6 +500,9 @@ var Application = class {
 	get staticWebsiteServices() {
 		return this._staticWebsiteServices;
 	}
+	get env() {
+		return this._env;
+	}
 	get applications() {
 		return [this];
 	}
@@ -1576,13 +1584,20 @@ async function loadConfig(configPath) {
 function extractAttributesFromConfig(config) {
 	return collectAttributesFromConfig(config);
 }
-function generateTypeDefinition(attributeMap, attributeList) {
+function generateTypeDefinition(attributeMap, attributeList, env) {
 	const mapFields = attributeMap ? Object.entries(attributeMap).map(([key, value]) => `      ${key}: ${value};`).join("\n") : "";
 	const mapBody = !attributeMap || Object.keys(attributeMap).length === 0 ? "{}" : `{
 ${mapFields}
     }`;
 	const listBody = `{
       __tuple?: ${attributeList ? `[${attributeList.map(() => "string").join(", ")}]` : "[]"};
+    }`;
+	const envFields = env ? Object.entries(env).map(([key, value]) => {
+		const valueType = typeof value === "string" ? `"${value}"` : String(value);
+		return `      ${key}: ${valueType};`;
+	}).join("\n") : "";
+	const envBody = !env || Object.keys(env).length === 0 ? "{}" : `{
+${envFields}
     }`;
 	return ml`
 // This file is auto-generated by @tailor-platform/sdk
@@ -1593,6 +1608,7 @@ declare global {
   namespace TailorSDK {
     interface AttributeMap ${mapBody}
     interface AttributeList ${listBody}
+    interface Env ${envBody}
   }
 }
@@ -1637,13 +1653,12 @@ function resolveTypeDefinitionPath(configPath) {
 async function generateUserTypes(config, configPath) {
 	try {
 		const { attributeMap, attributeList } = extractAttributesFromConfig(config);
-		if (!attributeMap && !attributeList) {
-			console.log(styleText("cyan", "No attributes found in configuration"));
-			return;
-		}
+		if (!attributeMap && !attributeList) console.log(styleText("cyan", "No attributes found in configuration"));
 		if (attributeMap) console.log("Extracted AttributeMap:", attributeMap);
 		if (attributeList) console.log("Extracted AttributeList:", attributeList);
-		const typeDefContent = generateTypeDefinition(attributeMap, attributeList);
+		const env = config.env;
+		if (env) console.log("Extracted Env:", env);
+		const typeDefContent = generateTypeDefinition(attributeMap, attributeList, env);
 		const outputPath = resolveTypeDefinitionPath(configPath);
 		fs.mkdirSync(path.dirname(outputPath), { recursive: true });
 		fs.writeFileSync(outputPath, typeDefContent);
@@ -2254,6 +2269,15 @@ const file_tailor_v1_service = /* @__PURE__ */ fileDesc("Chd0YWlsb3IvdjEvc2Vydml
 */
 const OperatorService = /* @__PURE__ */ serviceDesc(file_tailor_v1_service, 0);
+//#endregion
+//#region src/cli/package-json.ts
+let packageJson = null;
+async function readPackageJson() {
+	if (packageJson) return packageJson;
+	packageJson = await readPackageJSON(import.meta.url);
+	return packageJson;
+}
 //#endregion
 //#region src/cli/client.ts
 const baseUrl = process.env.PLATFORM_URL ?? "https://api.tailor.tech";
@@ -2278,7 +2302,7 @@ async function userAgentInterceptor() {
 	};
 }
 async function userAgent() {
-	return `tailor-sdk/${(await readPackageJSON(import.meta.url)).version ?? "unknown"}`;
+	return `tailor-sdk/${(await readPackageJson()).version ?? "unknown"}`;
 }
 async function bearerTokenInterceptor(accessToken) {
 	return (next) => async (req) => {
@@ -2540,6 +2564,24 @@ function loadConfigPath(configPath) {
 	return "tailor.config.ts";
 }
+//#endregion
+//#region src/cli/apply/services/label.ts
+function trnPrefix(workspaceId) {
+	return `trn:v1:workspace:${workspaceId}`;
+}
+const sdkNameLabelKey = "sdk-name";
+async function buildMetaRequest(trn$7, appName) {
+	const packageJson$1 = await readPackageJson();
+	const sdkVersion = packageJson$1.version ? `v${packageJson$1.version.replace(/\./g, "-")}` : "unknown";
+	return {
+		trn: trn$7,
+		labels: {
+			[sdkNameLabelKey]: appName,
+			"sdk-version": sdkVersion
+		}
+	};
+}
 //#endregion
 //#region src/cli/apply/services/index.ts
 var ChangeSet = class {
@@ -2569,14 +2611,21 @@ var ChangeSet = class {
 async function applyApplication(client, changeSet, phase = "create-update") {
 	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
 		create.request.cors = await resolveStaticWebsiteUrls(client, create.request.workspaceId, create.request.cors, "CORS");
-		return client.createApplication(create.request);
+		await client.createApplication(create.request);
+		await client.setMetadata(create.metaRequest);
 	}), ...changeSet.updates.map(async (update) => {
 		update.request.cors = await resolveStaticWebsiteUrls(client, update.request.workspaceId, update.request.cors, "CORS");
-		return client.updateApplication(update.request);
+		await client.updateApplication(update.request);
+		await client.setMetadata(update.metaRequest);
 	})]);
-	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteApplication(del.request)));
+	else if (phase === "delete") await Promise.all(changeSet.deletes.map(async (del) => {
+		await client.deleteApplication(del.request);
+	}));
 }
-async function planApplication(client, workspaceId, application) {
+function trn$6(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:application:${name}`;
+}
+async function planApplication({ client, workspaceId, application }) {
 	const changeSet = new ChangeSet("Applications");
 	const existingApplications = await fetchAll(async (pageToken) => {
 		try {
@@ -2590,55 +2639,41 @@ async function planApplication(client, workspaceId, application) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingApplications.forEach((application$1) => {
-		existingNameSet.add(application$1.name);
+	let authNamespace;
+	let authIdpConfigName;
+	if (application.authService && application.authService.config) {
+		authNamespace = application.authService.config.name;
+		const idProvider = application.authService.config.idProvider;
+		if (idProvider) authIdpConfigName = idProvider.name;
+	}
+	const metaRequest = await buildMetaRequest(trn$6(workspaceId, application.name), application.name);
+	if (existingApplications.some((app) => app.name === application.name)) changeSet.updates.push({
+		name: application.name,
+		request: {
+			workspaceId,
+			applicationName: application.name,
+			authNamespace,
+			authIdpConfigName,
+			cors: application.config.cors,
+			subgraphs: application.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
+			allowedIpAddresses: application.config.allowedIPAddresses,
+			disableIntrospection: application.config.disableIntrospection
+		},
+		metaRequest
 	});
-	for (const app of application.applications) {
-		let authNamespace;
-		let authIdpConfigName;
-		if (app.authService && app.authService.config) {
-			authNamespace = app.authService.config.name;
-			const idProvider = app.authService.config.idProvider;
-			if (idProvider) authIdpConfigName = idProvider.name;
-		}
-		if (existingNameSet.has(app.name)) {
-			changeSet.updates.push({
-				name: app.name,
-				request: {
-					workspaceId,
-					applicationName: app.name,
-					authNamespace,
-					authIdpConfigName,
-					cors: app.config.cors,
-					subgraphs: app.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
-					allowedIpAddresses: app.config.allowedIPAddresses,
-					disableIntrospection: app.config.disableIntrospection
-				}
-			});
-			existingNameSet.delete(app.name);
-		} else changeSet.creates.push({
-			name: app.name,
-			request: {
-				workspaceId,
-				applicationName: app.name,
-				authNamespace,
-				authIdpConfigName,
-				cors: app.config.cors,
-				subgraphs: app.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
-				allowedIpAddresses: app.config.allowedIPAddresses,
-				disableIntrospection: app.config.disableIntrospection
-			}
-		});
-	}
-	existingNameSet.forEach((name) => {
-		changeSet.deletes.push({
-			name,
-			request: {
-				workspaceId,
-				applicationName: name
-			}
-		});
+	else changeSet.creates.push({
+		name: application.name,
+		request: {
+			workspaceId,
+			applicationName: application.name,
+			authNamespace,
+			authIdpConfigName,
+			cors: application.config.cors,
+			subgraphs: application.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
+			allowedIpAddresses: application.config.allowedIPAddresses,
+			disableIntrospection: application.config.disableIntrospection
+		},
+		metaRequest
 	});
 	changeSet.print();
 	return changeSet;
@@ -2674,9 +2709,16 @@ function idpClientVaultName(namespaceName, clientName) {
 function idpClientSecretName(namespaceName, clientName) {
 	return `client-secret-${namespaceName}-${clientName}`;
 }
-async function applyIdP(client, changeSet, phase = "create-update") {
+async function applyIdP(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all([...changeSet.service.creates.map((create) => client.createIdPService(create.request)), ...changeSet.service.updates.map((update) => client.updateIdPService(update.request))]);
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createIdPService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map(async (update) => {
+			await client.updateIdPService(update.request);
+			await client.setMetadata(update.metaRequest);
+		})]);
 		await Promise.all([...changeSet.client.creates.map(async (create) => {
 			const resp = await client.createIdPClient(create.request);
 			const vaultName = idpClientVaultName(create.request.namespaceName, create.request.client?.name || "");
@@ -2715,7 +2757,7 @@ async function applyIdP(client, changeSet, phase = "create-update") {
 			});
 		})]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.client.deletes.filter((del) => del.tag === "client-deleted").map(async (del) => {
+		await Promise.all(changeSet.client.deletes.map(async (del) => {
 			await client.deleteIdPClient(del.request);
 			const vaultName = `idp-${del.request.namespaceName}-${del.request.name}`;
 			await client.deleteSecretManagerVault({
@@ -2726,22 +2768,32 @@ async function applyIdP(client, changeSet, phase = "create-update") {
 		await Promise.all(changeSet.service.deletes.map((del) => client.deleteIdPService(del.request)));
 	}
 }
-async function planIdP(client, workspaceId, application) {
-	const idps = [];
-	for (const app of application.applications) idps.push(...app.idpServices);
-	const serviceChangeSet = await planServices$3(client, workspaceId, idps);
+async function planIdP({ client, workspaceId, application }) {
+	const idps = application.idpServices;
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const clientChangeSet = await planClients(client, workspaceId, idps, deletedServices);
 	serviceChangeSet.print();
 	clientChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		client: clientChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			client: clientChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices$3(client, workspaceId, idps) {
+function trn$5(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:idp:${name}`;
+}
+async function planServices$3(client, workspaceId, appName, idps) {
 	const changeSet = new ChangeSet("IdP services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { idpServices, nextPageToken } = await client.listIdPServices({
 				workspaceId,
@@ -2753,13 +2805,19 @@ async function planServices$3(client, workspaceId, idps) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn$5(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
 	for (const idp of idps) {
 		const namespaceName = idp.name;
+		const existing = existingServices[namespaceName];
+		const metaRequest = await buildMetaRequest(trn$5(workspaceId, namespaceName), appName);
 		let authorization;
 		switch (idp.authorization) {
 			case "insecure":
@@ -2772,27 +2830,40 @@ async function planServices$3(client, workspaceId, idps) {
 				authorization = idp.authorization.cel;
 				break;
 		}
-		if (existingNameSet.has(namespaceName)) {
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "IdP service",
+				resourceName: idp.name
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "IdP service",
+				resourceName: idp.name,
+				currentOwner: existing.label
+			});
 			changeSet.updates.push({
 				name: namespaceName,
 				request: {
 					workspaceId,
 					namespaceName,
 					authorization
-				}
+				},
+				metaRequest
 			});
-			existingNameSet.delete(namespaceName);
+			delete existingServices[namespaceName];
 		} else changeSet.creates.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
 				namespaceName,
 				authorization
-			}
+			},
+			metaRequest
 		});
 	}
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -2800,7 +2871,12 @@ async function planServices$3(client, workspaceId, idps) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 async function planClients(client, workspaceId, idps, deletedServices) {
 	const changeSet = new ChangeSet("IdP clients");
@@ -2844,7 +2920,6 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 		});
 		existingNameMap.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "client-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -2856,8 +2931,12 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchClients(namespaceName)).forEach((client$1) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: client$1.name
+			name: client$1.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: client$1.name
+			}
 		});
 	});
 	return changeSet;
@@ -2865,9 +2944,13 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 //#endregion
 //#region src/cli/apply/services/auth.ts
-async function applyAuth(client, changeSet, phase = "create-update") {
+async function applyAuth(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all(changeSet.service.creates.map((create) => client.createAuthService(create.request)));
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createAuthService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map((update) => client.setMetadata(update.metaRequest))]);
 		await Promise.all([...changeSet.idpConfig.creates.map(async (create) => {
 			if (create.idpConfig.kind === "BuiltInIdP") create.request.idpConfig.config = await protoBuiltinIdPConfig(client, create.request.workspaceId, create.idpConfig);
 			return client.createAuthIDPConfig(create.request);
@@ -2888,23 +2971,23 @@ async function applyAuth(client, changeSet, phase = "create-update") {
 		await Promise.all([...changeSet.scim.creates.map((create) => client.createAuthSCIMConfig(create.request)), ...changeSet.scim.updates.map((update) => client.updateAuthSCIMConfig(update.request))]);
 		await Promise.all([...changeSet.scimResource.creates.map((create) => client.createAuthSCIMResource(create.request)), ...changeSet.scimResource.updates.map((update) => client.updateAuthSCIMResource(update.request))]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.scimResource.deletes.filter((del) => del.tag === "scim-resource-deleted").map((del) => client.deleteAuthSCIMResource(del.request)));
-		await Promise.all(changeSet.scim.deletes.filter((del) => del.tag === "scim-config-deleted").map((del) => client.deleteAuthSCIMConfig(del.request)));
-		await Promise.all(changeSet.oauth2Client.deletes.filter((del) => del.tag === "oauth2-client-deleted").map((del) => client.deleteAuthOAuth2Client(del.request)));
-		await Promise.all(changeSet.machineUser.deletes.filter((del) => del.tag === "machine-user-deleted").map((del) => client.deleteAuthMachineUser(del.request)));
-		await Promise.all(changeSet.tenantConfig.deletes.filter((del) => del.tag === "tenant-config-deleted").map((del) => client.deleteTenantConfig(del.request)));
-		await Promise.all(changeSet.userProfileConfig.deletes.filter((del) => del.tag === "user-profile-config-deleted").map((del) => client.deleteUserProfileConfig(del.request)));
-		await Promise.all(changeSet.idpConfig.deletes.filter((del) => del.tag === "idp-config-deleted").map((del) => client.deleteAuthIDPConfig(del.request)));
+		await Promise.all(changeSet.scimResource.deletes.map((del) => client.deleteAuthSCIMResource(del.request)));
+		await Promise.all(changeSet.scim.deletes.map((del) => client.deleteAuthSCIMConfig(del.request)));
+		await Promise.all(changeSet.oauth2Client.deletes.map((del) => client.deleteAuthOAuth2Client(del.request)));
+		await Promise.all(changeSet.machineUser.deletes.map((del) => client.deleteAuthMachineUser(del.request)));
+		await Promise.all(changeSet.tenantConfig.deletes.map((del) => client.deleteTenantConfig(del.request)));
+		await Promise.all(changeSet.userProfileConfig.deletes.map((del) => client.deleteUserProfileConfig(del.request)));
+		await Promise.all(changeSet.idpConfig.deletes.map((del) => client.deleteAuthIDPConfig(del.request)));
 		await Promise.all(changeSet.service.deletes.map((del) => client.deleteAuthService(del.request)));
 	}
 }
-async function planAuth(client, workspaceId, application) {
+async function planAuth({ client, workspaceId, application }) {
 	const auths = [];
-	for (const app of application.applications) if (app.authService) {
-		await app.authService.resolveNamespaces();
-		auths.push(app.authService);
+	if (application.authService) {
+		await application.authService.resolveNamespaces();
+		auths.push(application.authService);
 	}
-	const serviceChangeSet = await planServices$2(client, workspaceId, auths);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const idpConfigChangeSet = await planIdPConfigs(client, workspaceId, auths, deletedServices);
 	const userProfileConfigChangeSet = await planUserProfileConfigs(client, workspaceId, auths, deletedServices);
@@ -2922,19 +3005,30 @@ async function planAuth(client, workspaceId, application) {
 	scimChangeSet.print();
 	scimResourceChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		idpConfig: idpConfigChangeSet,
-		userProfileConfig: userProfileConfigChangeSet,
-		tenantConfig: tenantConfigChangeSet,
-		machineUser: machineUserChangeSet,
-		oauth2Client: oauth2ClientChangeSet,
-		scim: scimChangeSet,
-		scimResource: scimResourceChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			idpConfig: idpConfigChangeSet,
+			userProfileConfig: userProfileConfigChangeSet,
+			tenantConfig: tenantConfigChangeSet,
+			machineUser: machineUserChangeSet,
+			oauth2Client: oauth2ClientChangeSet,
+			scim: scimChangeSet,
+			scimResource: scimResourceChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices$2(client, workspaceId, auths) {
+function trn$4(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:auth:${name}`;
+}
+async function planServices$2(client, workspaceId, appName, auths) {
 	const changeSet = new ChangeSet("Auth services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { authServices, nextPageToken } = await client.listAuthServices({
 				workspaceId,
@@ -2946,23 +3040,46 @@ async function planServices$2(client, workspaceId, auths) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
-	for (const { config } of auths) if (existingNameSet.has(config.name)) {
-		changeSet.updates.push({ name: config.name });
-		existingNameSet.delete(config.name);
-	} else changeSet.creates.push({
-		name: config.name,
-		request: {
-			workspaceId,
-			namespaceName: config.name
-		}
-	});
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn$4(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	for (const { config } of auths) {
+		const existing = existingServices[config.name];
+		const metaRequest = await buildMetaRequest(trn$4(workspaceId, config.name), appName);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Auth service",
+				resourceName: config.name
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "Auth service",
+				resourceName: config.name,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: config.name,
+				metaRequest
+			});
+			delete existingServices[config.name];
+		} else changeSet.creates.push({
+			name: config.name,
+			request: {
+				workspaceId,
+				namespaceName: config.name
+			},
+			metaRequest
+		});
+	}
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -2970,7 +3087,12 @@ async function planServices$2(client, workspaceId, auths) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 	const changeSet = new ChangeSet("Auth idpConfigs");
@@ -3018,7 +3140,6 @@ async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 		});
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "idp-config-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3030,8 +3151,12 @@ async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchIdPConfigs(namespaceName)).forEach((idpConfig) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: idpConfig.name
+			name: idpConfig.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: idpConfig.name
+			}
 		});
 	});
 	return changeSet;
@@ -3157,7 +3282,6 @@ async function planUserProfileConfigs(client, workspaceId, auths, deletedService
 			}
 		});
 		else changeSet.deletes.push({
-			tag: "user-profile-config-deleted",
 			name,
 			request: {
 				workspaceId,
@@ -3176,8 +3300,11 @@ async function planUserProfileConfigs(client, workspaceId, auths, deletedService
 			throw error;
 		}
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: `${namespaceName}-user-profile-config`
+			name: `${namespaceName}-user-profile-config`,
+			request: {
+				workspaceId,
+				namespaceName
+			}
 		});
 	}
 	return changeSet;
@@ -3232,7 +3359,6 @@ async function planTenantConfigs(client, workspaceId, auths, deletedServices) {
 			}
 		});
 		else changeSet.deletes.push({
-			tag: "tenant-config-deleted",
 			name,
 			request: {
 				workspaceId,
@@ -3251,8 +3377,11 @@ async function planTenantConfigs(client, workspaceId, auths, deletedServices) {
 			throw error;
 		}
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: `${namespaceName}-tenant-config`
+			name: `${namespaceName}-tenant-config`,
+			request: {
+				workspaceId,
+				namespaceName
+			}
 		});
 	}
 	return changeSet;
@@ -3321,7 +3450,6 @@ async function planMachineUsers(client, workspaceId, auths, deletedServices) {
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "machine-user-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3333,8 +3461,12 @@ async function planMachineUsers(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchMachineUsers(namespaceName)).forEach((machineUser) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: machineUser.name
+			name: machineUser.name,
+			request: {
+				workspaceId,
+				authNamespace: namespaceName,
+				name: machineUser.name
+			}
 		});
 	});
 	return changeSet;
@@ -3391,7 +3523,6 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices) {
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "oauth2-client-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3403,8 +3534,12 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchOAuth2Clients(namespaceName)).forEach((oauth2Client) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: oauth2Client.name
+			name: oauth2Client.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: oauth2Client.name
+			}
 		});
 	});
 	return changeSet;
@@ -3460,7 +3595,6 @@ async function planSCIMConfigs(client, workspaceId, auths, deletedServices) {
 			}
 		});
 		else changeSet.deletes.push({
-			tag: "scim-config-deleted",
 			name,
 			request: {
 				workspaceId,
@@ -3479,8 +3613,11 @@ async function planSCIMConfigs(client, workspaceId, auths, deletedServices) {
 			throw error;
 		}
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: `${namespaceName}-scim-config`
+			name: `${namespaceName}-scim-config`,
+			request: {
+				workspaceId,
+				namespaceName
+			}
 		});
 	}
 	return changeSet;
@@ -3548,7 +3685,6 @@ async function planSCIMResources(client, workspaceId, auths, deletedServices) {
 		});
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "scim-resource-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3560,8 +3696,12 @@ async function planSCIMResources(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchSCIMResources(namespaceName)).forEach((scimResource) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: scimResource.name
+			name: scimResource.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: scimResource.name
+			}
 		});
 	});
 	return changeSet;
@@ -3640,15 +3780,91 @@ function protoSCIMAttribute(attr) {
 	};
 }
+//#endregion
+//#region src/cli/apply/services/confirm.ts
+async function confirmOwnerConflict(conflicts, appName, yes) {
+	if (conflicts.length === 0) return;
+	const currentOwners = [...new Set(conflicts.map((c) => c.currentOwner))];
+	consola.warn("Application name mismatch detected:");
+	console.log(`  ${chalk.yellow("Current application(s)")}: ${currentOwners.map((o) => chalk.bold(`"${o}"`)).join(", ")}`);
+	console.log(`  ${chalk.green("New application")}:        ${chalk.bold(`"${appName}"`)}`);
+	console.log("");
+	console.log(`  ${chalk.cyan("Resources")}:`);
+	for (const c of conflicts) console.log(`    • ${chalk.bold(c.resourceType)} ${chalk.cyan(`"${c.resourceName}"`)}`);
+	if (yes) {
+		consola.success("Updating resources (--yes flag specified)...");
+		return;
+	}
+	const promptMessage = currentOwners.length === 1 ? `Update these resources to be managed by "${appName}"?\n${chalk.gray("(Common when renaming your application)")}` : `Update these resources to be managed by "${appName}"?`;
+	if (!await consola.prompt(promptMessage, {
+		type: "confirm",
+		initial: false
+	})) throw new Error(ml`
+      Apply cancelled. Resources remain managed by their current applications.
+      To override, run again and confirm, or use --yes flag.
+    `);
+}
+async function confirmUnmanagedResources(resources, appName, yes) {
+	if (resources.length === 0) return;
+	consola.warn("Unmanaged resources detected:");
+	console.log(`  ${chalk.cyan("Resources")}:`);
+	for (const r of resources) console.log(`    • ${chalk.bold(r.resourceType)} ${chalk.cyan(`"${r.resourceName}"`)}`);
+	console.log("");
+	console.log("  These resources are not managed by any application.");
+	if (yes) {
+		consola.success(`Adding to "${appName}" (--yes flag specified)...`);
+		return;
+	}
+	if (!await consola.prompt(`Add these resources to "${appName}"?`, {
+		type: "confirm",
+		initial: false
+	})) throw new Error(ml`
+      Apply cancelled. Resources remain unmanaged.
+      To override, run again and confirm, or use --yes flag.
+    `);
+}
+async function confirmImportantResourceDeletion(resources, yes) {
+	if (resources.length === 0) return;
+	consola.warn("The following resources will be deleted:");
+	console.log(`  ${chalk.cyan("Resources")}:`);
+	for (const r of resources) console.log(`    • ${chalk.bold(r.resourceType)} ${chalk.red(`"${r.resourceName}"`)}`);
+	console.log("");
+	console.log(chalk.yellow("  Deleting these resources will permanently remove all associated data."));
+	if (yes) {
+		consola.success("Deleting resources (--yes flag specified)...");
+		return;
+	}
+	if (!await consola.prompt("Are you sure you want to delete these resources?", {
+		type: "confirm",
+		initial: false
+	})) throw new Error(ml`
+      Apply cancelled. Resources will not be deleted.
+      To override, run again and confirm, or use --yes flag.
+    `);
+}
 //#endregion
 //#region src/cli/apply/services/executor.ts
-async function applyExecutor(client, changeSet, phase = "create-update") {
-	if (phase === "create-update") await Promise.all([...changeSet.creates.map((create) => client.createExecutorExecutor(create.request)), ...changeSet.updates.map((update) => client.updateExecutorExecutor(update.request))]);
+async function applyExecutor(client, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
+		await client.createExecutorExecutor(create.request);
+		await client.setMetadata(create.metaRequest);
+	}), ...changeSet.updates.map(async (update) => {
+		await client.updateExecutorExecutor(update.request);
+		await client.setMetadata(update.metaRequest);
+	})]);
 	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteExecutorExecutor(del.request)));
 }
-async function planExecutor(client, workspaceId, application) {
+function trn$3(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:executor:${name}`;
+}
+async function planExecutor({ client, workspaceId, application }) {
 	const changeSet = new ChangeSet("Executors");
-	const existingExecutors = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { executors: executors$1, nextPageToken } = await client.listExecutorExecutors({
 				workspaceId,
@@ -3660,29 +3876,50 @@ async function planExecutor(client, workspaceId, application) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingExecutors.forEach((executor) => {
-		existingNameSet.add(executor.name);
-	});
+	const existingExecutors = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		const { metadata } = await client.getMetadata({ trn: trn$3(workspaceId, resource.name) });
+		existingExecutors[resource.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
 	const executors = await application.executorService?.loadExecutors() ?? {};
-	for (const executor of Object.values(executors)) if (existingNameSet.has(executor.name)) {
-		changeSet.updates.push({
+	for (const executor of Object.values(executors)) {
+		const existing = existingExecutors[executor.name];
+		const metaRequest = await buildMetaRequest(trn$3(workspaceId, executor.name), application.name);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Executor",
+				resourceName: executor.name
+			});
+			else if (existing.label !== application.name) conflicts.push({
+				resourceType: "Executor",
+				resourceName: executor.name,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: executor.name,
+				request: {
+					workspaceId,
+					executor: protoExecutor(application.name, executor, application.env)
+				},
+				metaRequest
+			});
+			delete existingExecutors[executor.name];
+		} else changeSet.creates.push({
 			name: executor.name,
 			request: {
 				workspaceId,
-				executor: protoExecutor(executor)
-			}
+				executor: protoExecutor(application.name, executor, application.env)
+			},
+			metaRequest
 		});
-		existingNameSet.delete(executor.name);
-	} else changeSet.creates.push({
-		name: executor.name,
-		request: {
-			workspaceId,
-			executor: protoExecutor(executor)
-		}
-	});
-	existingNameSet.forEach((name) => {
-		changeSet.deletes.push({
+	}
+	Object.entries(existingExecutors).forEach(([name]) => {
+		const label = existingExecutors[name]?.label;
+		if (label && label !== application.name) resourceOwners.add(label);
+		if (label === application.name) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -3691,9 +3928,14 @@ async function planExecutor(client, workspaceId, application) {
 		});
 	});
 	changeSet.print();
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
-function protoExecutor(executor) {
+function protoExecutor(appName, executor, env) {
 	const trigger = executor.trigger;
 	let triggerType;
 	let triggerConfig;
@@ -3782,7 +4024,7 @@ function protoExecutor(executor) {
 			targetConfig = { config: {
 				case: "tailorGraphql",
 				value: {
-					appName: target.appName,
+					appName: target.appName ?? appName,
 					query: target.query,
 					variables: target.variables ? { expr: `(${target.variables.toString()})(args)` } : void 0,
 					invoker: target.invoker ? {
@@ -3803,7 +4045,7 @@ function protoExecutor(executor) {
 				value: {
 					name: `${executor.name}__target`,
 					script,
-					variables: { expr: "({ ...args, appNamespace: args.namespaceName })" },
+					variables: { expr: `({ ...args, appNamespace: args.namespaceName, env: ${JSON.stringify(env)} })` },
 					invoker: target.invoker ? {
 						namespace: target.invoker.authName,
 						machineUserName: target.invoker.machineUser
@@ -3861,35 +4103,53 @@ const SCALAR_TYPE_MAP = {
 		name: "Time"
 	}
 };
-async function applyPipeline(client, changeSet, phase = "create-update") {
+async function applyPipeline(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all([...changeSet.service.creates.map((create) => client.createPipelineService(create.request)), ...changeSet.service.updates.map((update) => client.updatePipelineService(update.request))]);
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createPipelineService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map(async (update) => {
+			await client.updatePipelineService(update.request);
+			await client.setMetadata(update.metaRequest);
+		})]);
 		await Promise.all([...changeSet.resolver.creates.map((create) => client.createPipelineResolver(create.request)), ...changeSet.resolver.updates.map((update) => client.updatePipelineResolver(update.request))]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.resolver.deletes.filter((del) => del.tag === "resolver-deleted").map((del) => client.deletePipelineResolver(del.request)));
+		await Promise.all(changeSet.resolver.deletes.map((del) => client.deletePipelineResolver(del.request)));
 		await Promise.all(changeSet.service.deletes.map((del) => client.deletePipelineService(del.request)));
 	}
 }
-async function planPipeline(client, workspaceId, application) {
+async function planPipeline({ client, workspaceId, application }) {
 	const pipelines = [];
-	for (const app of application.applications) for (const pipeline of app.resolverServices) {
+	for (const pipeline of application.resolverServices) {
 		await pipeline.loadResolvers();
 		pipelines.push(pipeline);
 	}
 	const executors = Object.values(await application.executorService?.loadExecutors() ?? {});
-	const serviceChangeSet = await planServices$1(client, workspaceId, pipelines);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, pipelines);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
-	const resolverChangeSet = await planResolvers(client, workspaceId, pipelines, executors, deletedServices);
+	const resolverChangeSet = await planResolvers(client, workspaceId, pipelines, executors, deletedServices, application.env);
 	serviceChangeSet.print();
 	resolverChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		resolver: resolverChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			resolver: resolverChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices$1(client, workspaceId, pipelines) {
+function trn$2(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:pipeline:${name}`;
+}
+async function planServices$1(client, workspaceId, appName, pipelines) {
 	const changeSet = new ChangeSet("Pipeline services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { pipelineServices, nextPageToken } = await client.listPipelineServices({
 				workspaceId,
@@ -3901,29 +4161,50 @@ async function planServices$1(client, workspaceId, pipelines) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
-	for (const pipeline of pipelines) if (existingNameSet.has(pipeline.namespace)) {
-		changeSet.updates.push({
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn$2(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	for (const pipeline of pipelines) {
+		const existing = existingServices[pipeline.namespace];
+		const metaRequest = await buildMetaRequest(trn$2(workspaceId, pipeline.namespace), appName);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Pipeline service",
+				resourceName: pipeline.namespace
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "Pipeline service",
+				resourceName: pipeline.namespace,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: pipeline.namespace,
+				request: {
+					workspaceId,
+					namespaceName: pipeline.namespace
+				},
+				metaRequest
+			});
+			delete existingServices[pipeline.namespace];
+		} else changeSet.creates.push({
 			name: pipeline.namespace,
 			request: {
 				workspaceId,
 				namespaceName: pipeline.namespace
-			}
+			},
+			metaRequest
 		});
-		existingNameSet.delete(pipeline.namespace);
-	} else changeSet.creates.push({
-		name: pipeline.namespace,
-		request: {
-			workspaceId,
-			namespaceName: pipeline.namespace
-		}
-	});
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	}
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -3931,9 +4212,14 @@ async function planServices$1(client, workspaceId, pipelines) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
-async function planResolvers(client, workspaceId, pipelines, executors, deletedServices) {
+async function planResolvers(client, workspaceId, pipelines, executors, deletedServices, env) {
 	const changeSet = new ChangeSet("Pipeline resolvers");
 	const fetchResolvers = (namespaceName) => {
 		return fetchAll(async (pageToken) => {
@@ -3964,7 +4250,7 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 				request: {
 					workspaceId,
 					namespaceName: pipeline.namespace,
-					pipelineResolver: processResolver(resolver, executorUsedResolvers)
+					pipelineResolver: processResolver(resolver, executorUsedResolvers, env)
 				}
 			});
 			existingNameSet.delete(resolver.name);
@@ -3973,12 +4259,11 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 			request: {
 				workspaceId,
 				namespaceName: pipeline.namespace,
-				pipelineResolver: processResolver(resolver, executorUsedResolvers)
+				pipelineResolver: processResolver(resolver, executorUsedResolvers, env)
 			}
 		});
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "resolver-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3990,13 +4275,17 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 	}
 	for (const namespaceName of deletedServices) (await fetchResolvers(namespaceName)).forEach((resolver) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: resolver.name
+			name: resolver.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				resolverName: resolver.name
+			}
 		});
 	});
 	return changeSet;
 }
-function processResolver(resolver, executorUsedResolvers) {
+function processResolver(resolver, executorUsedResolvers, env) {
 	const functionPath = path.join(getDistDir(), "functions", `${resolver.name}__body.js`);
 	let functionCode = "";
 	try {
@@ -4010,7 +4299,7 @@ function processResolver(resolver, executorUsedResolvers) {
 		description: `${resolver.name} function body`,
 		operationType: PipelineResolver_OperationType.FUNCTION,
 		operationSource: functionCode,
-		operationHook: { expr: `({ ...context.pipeline, input: context.args, user: ${tailorUserMap} });` },
+		operationHook: { expr: `({ ...context.pipeline, input: context.args, user: ${tailorUserMap}, env: ${JSON.stringify(env)} });` },
 		postScript: `args.body`
 	}];
 	const typeBaseName = inflection.camelize(resolver.name);
@@ -4065,13 +4354,26 @@ function protoFields(fields, baseName, isInput) {
 //#endregion
 //#region src/cli/apply/services/staticwebsite.ts
-async function applyStaticWebsite(client, changeSet, phase = "create-update") {
-	if (phase === "create-update") await Promise.all([...changeSet.creates.map((create) => client.createStaticWebsite(create.request)), ...changeSet.updates.map((update) => client.updateStaticWebsite(update.request))]);
+async function applyStaticWebsite(client, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
+		await client.createStaticWebsite(create.request);
+		await client.setMetadata(create.metaRequest);
+	}), ...changeSet.updates.map(async (update) => {
+		await client.updateStaticWebsite(update.request);
+		await client.setMetadata(update.metaRequest);
+	})]);
 	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteStaticWebsite(del.request)));
 }
-async function planStaticWebsite(client, workspaceId, application) {
+function trn$1(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:staticwebsite:${name}`;
+}
+async function planStaticWebsite({ client, workspaceId, application }) {
 	const changeSet = new ChangeSet("StaticWebsites");
-	const existingWebsites = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { staticwebsites, nextPageToken } = await client.listStaticWebsites({
 				workspaceId,
@@ -4083,14 +4385,29 @@ async function planStaticWebsite(client, workspaceId, application) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingWebsites.forEach((website) => {
-		existingNameSet.add(website.name);
-	});
+	const existingWebsites = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		const { metadata } = await client.getMetadata({ trn: trn$1(workspaceId, resource.name) });
+		existingWebsites[resource.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
 	for (const websiteService of application.staticWebsiteServices) {
 		const config = websiteService;
 		const name = websiteService.name;
-		if (existingNameSet.has(name)) {
+		const existing = existingWebsites[name];
+		const metaRequest = await buildMetaRequest(trn$1(workspaceId, name), application.name);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "StaticWebsite",
+				resourceName: name
+			});
+			else if (existing.label !== application.name) conflicts.push({
+				resourceType: "StaticWebsite",
+				resourceName: name,
+				currentOwner: existing.label
+			});
 			changeSet.updates.push({
 				name,
 				request: {
@@ -4100,9 +4417,10 @@ async function planStaticWebsite(client, workspaceId, application) {
 						description: config.description || "",
 						allowedIpAddresses: config.allowedIpAddresses || []
 					}
-				}
+				},
+				metaRequest
 			});
-			existingNameSet.delete(name);
+			delete existingWebsites[name];
 		} else changeSet.creates.push({
 			name,
 			request: {
@@ -4112,11 +4430,14 @@ async function planStaticWebsite(client, workspaceId, application) {
 					description: config.description || "",
 					allowedIpAddresses: config.allowedIpAddresses || []
 				}
-			}
+			},
+			metaRequest
 		});
 	}
-	existingNameSet.forEach((name) => {
-		changeSet.deletes.push({
+	Object.entries(existingWebsites).forEach(([name]) => {
+		const label = existingWebsites[name]?.label;
+		if (label && label !== application.name) resourceOwners.add(label);
+		if (label === application.name) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -4125,30 +4446,39 @@ async function planStaticWebsite(client, workspaceId, application) {
 		});
 	});
 	changeSet.print();
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 //#endregion
 //#region src/cli/apply/services/tailordb.ts
-async function applyTailorDB(client, changeSet, phase = "create-update") {
+async function applyTailorDB(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all(changeSet.service.creates.map((create) => client.createTailorDBService(create.request)));
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createTailorDBService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map((update) => client.setMetadata(update.metaRequest))]);
 		await Promise.all([...changeSet.type.creates.map((create) => client.createTailorDBType(create.request)), ...changeSet.type.updates.map((update) => client.updateTailorDBType(update.request))]);
 		await Promise.all([...changeSet.gqlPermission.creates.map((create) => client.createTailorDBGQLPermission(create.request)), ...changeSet.gqlPermission.updates.map((update) => client.updateTailorDBGQLPermission(update.request))]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.gqlPermission.deletes.filter((del) => del.tag === "gql-permission-deleted").map((del) => client.deleteTailorDBGQLPermission(del.request)));
-		await Promise.all(changeSet.type.deletes.filter((del) => del.tag === "type-deleted").map((del) => client.deleteTailorDBType(del.request)));
+		await Promise.all(changeSet.gqlPermission.deletes.map((del) => client.deleteTailorDBGQLPermission(del.request)));
+		await Promise.all(changeSet.type.deletes.map((del) => client.deleteTailorDBType(del.request)));
 		await Promise.all(changeSet.service.deletes.map((del) => client.deleteTailorDBService(del.request)));
 	}
 }
-async function planTailorDB(client, workspaceId, application) {
+async function planTailorDB({ client, workspaceId, application }) {
 	const tailordbs = [];
-	for (const app of application.applications) for (const tailordb of app.tailorDBServices) {
+	for (const tailordb of application.tailorDBServices) {
 		await tailordb.loadTypes();
 		tailordbs.push(tailordb);
 	}
 	const executors = Object.values(await application.executorService?.loadExecutors() ?? {});
-	const serviceChangeSet = await planServices(client, workspaceId, tailordbs);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, tailordbs);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const typeChangeSet = await planTypes(client, workspaceId, tailordbs, executors, deletedServices);
 	const gqlPermissionChangeSet = await planGqlPermissions(client, workspaceId, tailordbs, deletedServices);
@@ -4156,14 +4486,25 @@ async function planTailorDB(client, workspaceId, application) {
 	typeChangeSet.print();
 	gqlPermissionChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		type: typeChangeSet,
-		gqlPermission: gqlPermissionChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			type: typeChangeSet,
+			gqlPermission: gqlPermissionChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices(client, workspaceId, tailordbs) {
+function trn(workspaceId, name) {
+	return `${trnPrefix(workspaceId)}:tailordb:${name}`;
+}
+async function planServices(client, workspaceId, appName, tailordbs) {
 	const changeSet = new ChangeSet("TailorDB services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { tailordbServices, nextPageToken } = await client.listTailorDBServices({
 				workspaceId,
@@ -4175,24 +4516,47 @@ async function planServices(client, workspaceId, tailordbs) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
-	for (const tailordb of tailordbs) if (existingNameSet.has(tailordb.namespace)) {
-		changeSet.updates.push({ name: tailordb.namespace });
-		existingNameSet.delete(tailordb.namespace);
-	} else changeSet.creates.push({
-		name: tailordb.namespace,
-		request: {
-			workspaceId,
-			namespaceName: tailordb.namespace,
-			defaultTimezone: "UTC"
-		}
-	});
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	for (const tailordb of tailordbs) {
+		const existing = existingServices[tailordb.namespace];
+		const metaRequest = await buildMetaRequest(trn(workspaceId, tailordb.namespace), appName);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "TailorDB service",
+				resourceName: tailordb.namespace
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "TailorDB service",
+				resourceName: tailordb.namespace,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: tailordb.namespace,
+				metaRequest
+			});
+			delete existingServices[tailordb.namespace];
+		} else changeSet.creates.push({
+			name: tailordb.namespace,
+			request: {
+				workspaceId,
+				namespaceName: tailordb.namespace,
+				defaultTimezone: "UTC"
+			},
+			metaRequest
+		});
+	}
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -4200,7 +4564,12 @@ async function planServices(client, workspaceId, tailordbs) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 async function planTypes(client, workspaceId, tailordbs, executors, deletedServices) {
 	const changeSet = new ChangeSet("TailorDB types");
@@ -4249,7 +4618,6 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "type-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -4261,8 +4629,12 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 	}
 	for (const namespaceName of deletedServices) (await fetchTypes(namespaceName)).forEach((typ) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: typ.name
+			name: typ.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				tailordbTypeName: typ.name
+			}
 		});
 	});
 	return changeSet;
@@ -4520,7 +4892,6 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "gql-permission-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -4532,8 +4903,12 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 	}
 	for (const namespaceName of deletedServices) (await fetchGqlPermissions(namespaceName)).forEach((gqlPermission) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: gqlPermission.typeName
+			name: gqlPermission.typeName,
+			request: {
+				workspaceId,
+				namespaceName,
+				typeName: gqlPermission.typeName
+			}
 		});
 	});
 	return changeSet;
@@ -4628,6 +5003,7 @@ async function apply(options) {
 	const configPath = loadConfigPath(options?.configPath);
 	const { config } = await loadConfig(configPath);
 	const dryRun = options?.dryRun ?? false;
+	const yes = options?.yes ?? false;
 	const buildOnly = options?.buildOnly ?? false;
 	await generateUserTypes(config, configPath);
 	const application = defineApplication(config);
@@ -4643,13 +5019,66 @@ async function apply(options) {
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
 	});
-	const tailorDB = await planTailorDB(client, workspaceId, application);
-	const staticWebsite = await planStaticWebsite(client, workspaceId, application);
-	const idp = await planIdP(client, workspaceId, application);
-	const auth = await planAuth(client, workspaceId, application);
-	const pipeline = await planPipeline(client, workspaceId, application);
-	const app = await planApplication(client, workspaceId, application);
-	const executor = await planExecutor(client, workspaceId, application);
+	for (const tailordb of application.tailorDBServices) await tailordb.loadTypes();
+	for (const pipeline$1 of application.resolverServices) await pipeline$1.loadResolvers();
+	if (application.executorService) await application.executorService.loadExecutors();
+	console.log("");
+	const ctx = {
+		client,
+		workspaceId,
+		application
+	};
+	const tailorDB = await planTailorDB(ctx);
+	const staticWebsite = await planStaticWebsite(ctx);
+	const idp = await planIdP(ctx);
+	const auth = await planAuth(ctx);
+	const pipeline = await planPipeline(ctx);
+	const app = await planApplication(ctx);
+	const executor = await planExecutor(ctx);
+	const allConflicts = [
+		...tailorDB.conflicts,
+		...staticWebsite.conflicts,
+		...idp.conflicts,
+		...auth.conflicts,
+		...pipeline.conflicts,
+		...executor.conflicts
+	];
+	await confirmOwnerConflict(allConflicts, application.name, yes);
+	const allUnmanaged = [
+		...tailorDB.unmanaged,
+		...staticWebsite.unmanaged,
+		...idp.unmanaged,
+		...auth.unmanaged,
+		...pipeline.unmanaged,
+		...executor.unmanaged
+	];
+	await confirmUnmanagedResources(allUnmanaged, application.name, yes);
+	const importantDeletions = [];
+	for (const del of tailorDB.changeSet.type.deletes) importantDeletions.push({
+		resourceType: "TailorDB type",
+		resourceName: del.name
+	});
+	for (const del of staticWebsite.changeSet.deletes) importantDeletions.push({
+		resourceType: "StaticWebsite",
+		resourceName: del.name
+	});
+	await confirmImportantResourceDeletion(importantDeletions, yes);
+	const resourceOwners = new Set([
+		...tailorDB.resourceOwners,
+		...staticWebsite.resourceOwners,
+		...idp.resourceOwners,
+		...auth.resourceOwners,
+		...pipeline.resourceOwners,
+		...executor.resourceOwners
+	]);
+	const emptyApps = [...new Set(allConflicts.map((c) => c.currentOwner))].filter((owner) => !resourceOwners.has(owner));
+	for (const emptyApp of emptyApps) app.deletes.push({
+		name: emptyApp,
+		request: {
+			workspaceId,
+			applicationName: emptyApp
+		}
+	});
 	if (dryRun) {
 		console.log("Dry run enabled. No changes applied.");
 		return;
@@ -4724,6 +5153,11 @@ const applyCommand = defineCommand({
 			type: "boolean",
 			description: "Run the command without making any changes",
 			alias: "d"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip all confirmation prompts",
+			alias: "y"
 		}
 	},
 	run: withCommonArgs(async (args) => {
@@ -4731,7 +5165,8 @@ const applyCommand = defineCommand({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
 			configPath: args.config,
-			dryRun: args.dryRun
+			dryRun: args.dryRun,
+			yes: args.yes
 		});
 	})
 });
@@ -5855,4 +6290,4 @@ const tokenCommand = defineCommand({
 });
 //#endregion
-export { PATScope, apply, applyCommand, commonArgs, createCommand, deleteCommand, fetchAll, fetchLatestToken, formatArgs, generate, generateCommand, generateUserTypes, initOperatorClient, listCommand, listCommand$1, loadAccessToken, loadConfig, loadConfigPath, loadWorkspaceId, machineUserList, machineUserToken, parseFormat, printWithFormat, readPlatformConfig, show, showCommand, tokenCommand, userAgent, withCommonArgs, workspaceCreate, workspaceDelete, workspaceList, writePlatformConfig };
+export { PATScope, apply, applyCommand, commonArgs, createCommand, deleteCommand, fetchAll, fetchLatestToken, formatArgs, generate, generateCommand, generateUserTypes, initOperatorClient, listCommand, listCommand$1, loadAccessToken, loadConfig, loadConfigPath, loadWorkspaceId, machineUserList, machineUserToken, parseFormat, printWithFormat, readPackageJson, readPlatformConfig, show, showCommand, tokenCommand, userAgent, withCommonArgs, workspaceCreate, workspaceDelete, workspaceList, writePlatformConfig };