@tailor-platform/sdk 0.8.6 → 0.9.0

package/dist/{token-Cbs_El75.mjs → token-DwKmpi9i.mjs}

@@ -21,6 +21,7 @@ import * as os from "node:os";
 import { parseTOML, parseYAML, stringifyYAML } from "confbox";
 import { xdgConfig } from "xdg-basedir";
 import { fromJson } from "@bufbuild/protobuf";
+import chalk from "chalk";
 import { spawn } from "node:child_process";
 import { glob } from "node:fs/promises";
 import chokidar from "chokidar";
@@ -190,6 +191,7 @@ var ExecutorService = class {
 		this.config = config;
 	}
 	async loadExecutors() {
+		if (Object.keys(this.executors).length > 0) return this.executors;
 		if (!this.config.files || this.config.files.length === 0) return;
 		const executorFiles = loadFilesWithIgnores(this.config);
 		console.log("");
@@ -275,6 +277,7 @@ var ResolverService = class {
 		this.config = config;
 	}
 	async loadResolvers() {
+		if (Object.keys(this.resolvers).length > 0) return;
 		if (!this.config.files || this.config.files.length === 0) return;
 		const resolverFiles = loadFilesWithIgnores(this.config);
 		console.log("");
@@ -2254,6 +2257,15 @@ const file_tailor_v1_service = /* @__PURE__ */ fileDesc("Chd0YWlsb3IvdjEvc2Vydml
 */
 const OperatorService = /* @__PURE__ */ serviceDesc(file_tailor_v1_service, 0);
 
+//#endregion
+//#region src/cli/package-json.ts
+let packageJson = null;
+async function readPackageJson() {
+	if (packageJson) return packageJson;
+	packageJson = await readPackageJSON(import.meta.url);
+	return packageJson;
+}
+
 //#endregion
 //#region src/cli/client.ts
 const baseUrl = process.env.PLATFORM_URL ?? "https://api.tailor.tech";
@@ -2278,7 +2290,7 @@ async function userAgentInterceptor() {
 	};
 }
 async function userAgent() {
-	return `tailor-sdk/${(await readPackageJSON(import.meta.url)).version ?? "unknown"}`;
+	return `tailor-sdk/${(await readPackageJson()).version ?? "unknown"}`;
 }
 async function bearerTokenInterceptor(accessToken) {
 	return (next) => async (req) => {
@@ -2540,6 +2552,24 @@ function loadConfigPath(configPath) {
 	return "tailor.config.ts";
 }
 
+//#endregion
+//#region src/cli/apply/services/label.ts
+function trnPrefix(workspaceId) {
+	return `trn:v1:workspace:${workspaceId}`;
+}
+const sdkNameLabelKey = "sdk-name";
+async function buildMetaRequest(trn$7, appName) {
+	const packageJson$1 = await readPackageJson();
+	const sdkVersion = packageJson$1.version ? `v${packageJson$1.version.replace(/\./g, "-")}` : "unknown";
+	return {
+		trn: trn$7,
+		labels: {
+			[sdkNameLabelKey]: appName,
+			"sdk-version": sdkVersion
+		}
+	};
+}
+
 //#endregion
 //#region src/cli/apply/services/index.ts
 var ChangeSet = class {
@@ -2569,14 +2599,21 @@ var ChangeSet = class {
 async function applyApplication(client, changeSet, phase = "create-update") {
 	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
 		create.request.cors = await resolveStaticWebsiteUrls(client, create.request.workspaceId, create.request.cors, "CORS");
-		return client.createApplication(create.request);
+		await client.createApplication(create.request);
+		await client.setMetadata(create.metaRequest);
 	}), ...changeSet.updates.map(async (update) => {
 		update.request.cors = await resolveStaticWebsiteUrls(client, update.request.workspaceId, update.request.cors, "CORS");
-		return client.updateApplication(update.request);
+		await client.updateApplication(update.request);
+		await client.setMetadata(update.metaRequest);
 	})]);
-	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteApplication(del.request)));
+	else if (phase === "delete") await Promise.all(changeSet.deletes.map(async (del) => {
+		await client.deleteApplication(del.request);
+	}));
 }
-async function planApplication(client, workspaceId, application) {
+function trn$6(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:application:${name}`;
+}
+async function planApplication({ client, workspaceId, application }) {
 	const changeSet = new ChangeSet("Applications");
 	const existingApplications = await fetchAll(async (pageToken) => {
 		try {
@@ -2590,55 +2627,41 @@ async function planApplication(client, workspaceId, application) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingApplications.forEach((application$1) => {
-		existingNameSet.add(application$1.name);
+	let authNamespace;
+	let authIdpConfigName;
+	if (application.authService && application.authService.config) {
+		authNamespace = application.authService.config.name;
+		const idProvider = application.authService.config.idProvider;
+		if (idProvider) authIdpConfigName = idProvider.name;
+	}
+	const metaRequest = await buildMetaRequest(trn$6(workspaceId, application.name), application.name);
+	if (existingApplications.some((app) => app.name === application.name)) changeSet.updates.push({
+		name: application.name,
+		request: {
+			workspaceId,
+			applicationName: application.name,
+			authNamespace,
+			authIdpConfigName,
+			cors: application.config.cors,
+			subgraphs: application.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
+			allowedIpAddresses: application.config.allowedIPAddresses,
+			disableIntrospection: application.config.disableIntrospection
+		},
+		metaRequest
 	});
-	for (const app of application.applications) {
-		let authNamespace;
-		let authIdpConfigName;
-		if (app.authService && app.authService.config) {
-			authNamespace = app.authService.config.name;
-			const idProvider = app.authService.config.idProvider;
-			if (idProvider) authIdpConfigName = idProvider.name;
-		}
-		if (existingNameSet.has(app.name)) {
-			changeSet.updates.push({
-				name: app.name,
-				request: {
-					workspaceId,
-					applicationName: app.name,
-					authNamespace,
-					authIdpConfigName,
-					cors: app.config.cors,
-					subgraphs: app.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
-					allowedIpAddresses: app.config.allowedIPAddresses,
-					disableIntrospection: app.config.disableIntrospection
-				}
-			});
-			existingNameSet.delete(app.name);
-		} else changeSet.creates.push({
-			name: app.name,
-			request: {
-				workspaceId,
-				applicationName: app.name,
-				authNamespace,
-				authIdpConfigName,
-				cors: app.config.cors,
-				subgraphs: app.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
-				allowedIpAddresses: app.config.allowedIPAddresses,
-				disableIntrospection: app.config.disableIntrospection
-			}
-		});
-	}
-	existingNameSet.forEach((name) => {
-		changeSet.deletes.push({
-			name,
-			request: {
-				workspaceId,
-				applicationName: name
-			}
-		});
+	else changeSet.creates.push({
+		name: application.name,
+		request: {
+			workspaceId,
+			applicationName: application.name,
+			authNamespace,
+			authIdpConfigName,
+			cors: application.config.cors,
+			subgraphs: application.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
+			allowedIpAddresses: application.config.allowedIPAddresses,
+			disableIntrospection: application.config.disableIntrospection
+		},
+		metaRequest
 	});
 	changeSet.print();
 	return changeSet;
@@ -2674,9 +2697,16 @@ function idpClientVaultName(namespaceName, clientName) {
 function idpClientSecretName(namespaceName, clientName) {
 	return `client-secret-${namespaceName}-${clientName}`;
 }
-async function applyIdP(client, changeSet, phase = "create-update") {
+async function applyIdP(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all([...changeSet.service.creates.map((create) => client.createIdPService(create.request)), ...changeSet.service.updates.map((update) => client.updateIdPService(update.request))]);
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createIdPService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map(async (update) => {
+			await client.updateIdPService(update.request);
+			await client.setMetadata(update.metaRequest);
+		})]);
 		await Promise.all([...changeSet.client.creates.map(async (create) => {
 			const resp = await client.createIdPClient(create.request);
 			const vaultName = idpClientVaultName(create.request.namespaceName, create.request.client?.name || "");
@@ -2715,7 +2745,7 @@ async function applyIdP(client, changeSet, phase = "create-update") {
 			});
 		})]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.client.deletes.filter((del) => del.tag === "client-deleted").map(async (del) => {
+		await Promise.all(changeSet.client.deletes.map(async (del) => {
 			await client.deleteIdPClient(del.request);
 			const vaultName = `idp-${del.request.namespaceName}-${del.request.name}`;
 			await client.deleteSecretManagerVault({
@@ -2726,22 +2756,32 @@ async function applyIdP(client, changeSet, phase = "create-update") {
 		await Promise.all(changeSet.service.deletes.map((del) => client.deleteIdPService(del.request)));
 	}
 }
-async function planIdP(client, workspaceId, application) {
-	const idps = [];
-	for (const app of application.applications) idps.push(...app.idpServices);
-	const serviceChangeSet = await planServices$3(client, workspaceId, idps);
+async function planIdP({ client, workspaceId, application }) {
+	const idps = application.idpServices;
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const clientChangeSet = await planClients(client, workspaceId, idps, deletedServices);
 	serviceChangeSet.print();
 	clientChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		client: clientChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			client: clientChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices$3(client, workspaceId, idps) {
+function trn$5(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:idp:${name}`;
+}
+async function planServices$3(client, workspaceId, appName, idps) {
 	const changeSet = new ChangeSet("IdP services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { idpServices, nextPageToken } = await client.listIdPServices({
 				workspaceId,
@@ -2753,13 +2793,19 @@ async function planServices$3(client, workspaceId, idps) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn$5(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
 	for (const idp of idps) {
 		const namespaceName = idp.name;
+		const existing = existingServices[namespaceName];
+		const metaRequest = await buildMetaRequest(trn$5(workspaceId, namespaceName), appName);
 		let authorization;
 		switch (idp.authorization) {
 			case "insecure":
@@ -2772,27 +2818,40 @@ async function planServices$3(client, workspaceId, idps) {
 				authorization = idp.authorization.cel;
 				break;
 		}
-		if (existingNameSet.has(namespaceName)) {
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "IdP service",
+				resourceName: idp.name
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "IdP service",
+				resourceName: idp.name,
+				currentOwner: existing.label
+			});
 			changeSet.updates.push({
 				name: namespaceName,
 				request: {
 					workspaceId,
 					namespaceName,
 					authorization
-				}
+				},
+				metaRequest
 			});
-			existingNameSet.delete(namespaceName);
+			delete existingServices[namespaceName];
 		} else changeSet.creates.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
 				namespaceName,
 				authorization
-			}
+			},
+			metaRequest
 		});
 	}
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -2800,7 +2859,12 @@ async function planServices$3(client, workspaceId, idps) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 async function planClients(client, workspaceId, idps, deletedServices) {
 	const changeSet = new ChangeSet("IdP clients");
@@ -2844,7 +2908,6 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 		});
 		existingNameMap.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "client-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -2856,8 +2919,12 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchClients(namespaceName)).forEach((client$1) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: client$1.name
+			name: client$1.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: client$1.name
+			}
 		});
 	});
 	return changeSet;
@@ -2865,9 +2932,13 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 
 //#endregion
 //#region src/cli/apply/services/auth.ts
-async function applyAuth(client, changeSet, phase = "create-update") {
+async function applyAuth(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all(changeSet.service.creates.map((create) => client.createAuthService(create.request)));
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createAuthService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map((update) => client.setMetadata(update.metaRequest))]);
 		await Promise.all([...changeSet.idpConfig.creates.map(async (create) => {
 			if (create.idpConfig.kind === "BuiltInIdP") create.request.idpConfig.config = await protoBuiltinIdPConfig(client, create.request.workspaceId, create.idpConfig);
 			return client.createAuthIDPConfig(create.request);
@@ -2888,23 +2959,23 @@ async function applyAuth(client, changeSet, phase = "create-update") {
 		await Promise.all([...changeSet.scim.creates.map((create) => client.createAuthSCIMConfig(create.request)), ...changeSet.scim.updates.map((update) => client.updateAuthSCIMConfig(update.request))]);
 		await Promise.all([...changeSet.scimResource.creates.map((create) => client.createAuthSCIMResource(create.request)), ...changeSet.scimResource.updates.map((update) => client.updateAuthSCIMResource(update.request))]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.scimResource.deletes.filter((del) => del.tag === "scim-resource-deleted").map((del) => client.deleteAuthSCIMResource(del.request)));
-		await Promise.all(changeSet.scim.deletes.filter((del) => del.tag === "scim-config-deleted").map((del) => client.deleteAuthSCIMConfig(del.request)));
-		await Promise.all(changeSet.oauth2Client.deletes.filter((del) => del.tag === "oauth2-client-deleted").map((del) => client.deleteAuthOAuth2Client(del.request)));
-		await Promise.all(changeSet.machineUser.deletes.filter((del) => del.tag === "machine-user-deleted").map((del) => client.deleteAuthMachineUser(del.request)));
-		await Promise.all(changeSet.tenantConfig.deletes.filter((del) => del.tag === "tenant-config-deleted").map((del) => client.deleteTenantConfig(del.request)));
-		await Promise.all(changeSet.userProfileConfig.deletes.filter((del) => del.tag === "user-profile-config-deleted").map((del) => client.deleteUserProfileConfig(del.request)));
-		await Promise.all(changeSet.idpConfig.deletes.filter((del) => del.tag === "idp-config-deleted").map((del) => client.deleteAuthIDPConfig(del.request)));
+		await Promise.all(changeSet.scimResource.deletes.map((del) => client.deleteAuthSCIMResource(del.request)));
+		await Promise.all(changeSet.scim.deletes.map((del) => client.deleteAuthSCIMConfig(del.request)));
+		await Promise.all(changeSet.oauth2Client.deletes.map((del) => client.deleteAuthOAuth2Client(del.request)));
+		await Promise.all(changeSet.machineUser.deletes.map((del) => client.deleteAuthMachineUser(del.request)));
+		await Promise.all(changeSet.tenantConfig.deletes.map((del) => client.deleteTenantConfig(del.request)));
+		await Promise.all(changeSet.userProfileConfig.deletes.map((del) => client.deleteUserProfileConfig(del.request)));
+		await Promise.all(changeSet.idpConfig.deletes.map((del) => client.deleteAuthIDPConfig(del.request)));
 		await Promise.all(changeSet.service.deletes.map((del) => client.deleteAuthService(del.request)));
 	}
 }
-async function planAuth(client, workspaceId, application) {
+async function planAuth({ client, workspaceId, application }) {
 	const auths = [];
-	for (const app of application.applications) if (app.authService) {
-		await app.authService.resolveNamespaces();
-		auths.push(app.authService);
+	if (application.authService) {
+		await application.authService.resolveNamespaces();
+		auths.push(application.authService);
 	}
-	const serviceChangeSet = await planServices$2(client, workspaceId, auths);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const idpConfigChangeSet = await planIdPConfigs(client, workspaceId, auths, deletedServices);
 	const userProfileConfigChangeSet = await planUserProfileConfigs(client, workspaceId, auths, deletedServices);
@@ -2922,19 +2993,30 @@ async function planAuth(client, workspaceId, application) {
 	scimChangeSet.print();
 	scimResourceChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		idpConfig: idpConfigChangeSet,
-		userProfileConfig: userProfileConfigChangeSet,
-		tenantConfig: tenantConfigChangeSet,
-		machineUser: machineUserChangeSet,
-		oauth2Client: oauth2ClientChangeSet,
-		scim: scimChangeSet,
-		scimResource: scimResourceChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			idpConfig: idpConfigChangeSet,
+			userProfileConfig: userProfileConfigChangeSet,
+			tenantConfig: tenantConfigChangeSet,
+			machineUser: machineUserChangeSet,
+			oauth2Client: oauth2ClientChangeSet,
+			scim: scimChangeSet,
+			scimResource: scimResourceChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices$2(client, workspaceId, auths) {
+function trn$4(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:auth:${name}`;
+}
+async function planServices$2(client, workspaceId, appName, auths) {
 	const changeSet = new ChangeSet("Auth services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { authServices, nextPageToken } = await client.listAuthServices({
 				workspaceId,
@@ -2946,23 +3028,46 @@ async function planServices$2(client, workspaceId, auths) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
-	for (const { config } of auths) if (existingNameSet.has(config.name)) {
-		changeSet.updates.push({ name: config.name });
-		existingNameSet.delete(config.name);
-	} else changeSet.creates.push({
-		name: config.name,
-		request: {
-			workspaceId,
-			namespaceName: config.name
-		}
-	});
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn$4(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	for (const { config } of auths) {
+		const existing = existingServices[config.name];
+		const metaRequest = await buildMetaRequest(trn$4(workspaceId, config.name), appName);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Auth service",
+				resourceName: config.name
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "Auth service",
+				resourceName: config.name,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: config.name,
+				metaRequest
+			});
+			delete existingServices[config.name];
+		} else changeSet.creates.push({
+			name: config.name,
+			request: {
+				workspaceId,
+				namespaceName: config.name
+			},
+			metaRequest
+		});
+	}
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -2970,7 +3075,12 @@ async function planServices$2(client, workspaceId, auths) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 	const changeSet = new ChangeSet("Auth idpConfigs");
@@ -3018,7 +3128,6 @@ async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 		});
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "idp-config-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3030,8 +3139,12 @@ async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchIdPConfigs(namespaceName)).forEach((idpConfig) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: idpConfig.name
+			name: idpConfig.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: idpConfig.name
+			}
 		});
 	});
 	return changeSet;
@@ -3157,7 +3270,6 @@ async function planUserProfileConfigs(client, workspaceId, auths, deletedService
 			}
 		});
 		else changeSet.deletes.push({
-			tag: "user-profile-config-deleted",
 			name,
 			request: {
 				workspaceId,
@@ -3176,8 +3288,11 @@ async function planUserProfileConfigs(client, workspaceId, auths, deletedService
 			throw error;
 		}
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: `${namespaceName}-user-profile-config`
+			name: `${namespaceName}-user-profile-config`,
+			request: {
+				workspaceId,
+				namespaceName
+			}
 		});
 	}
 	return changeSet;
@@ -3232,7 +3347,6 @@ async function planTenantConfigs(client, workspaceId, auths, deletedServices) {
 			}
 		});
 		else changeSet.deletes.push({
-			tag: "tenant-config-deleted",
 			name,
 			request: {
 				workspaceId,
@@ -3251,8 +3365,11 @@ async function planTenantConfigs(client, workspaceId, auths, deletedServices) {
 			throw error;
 		}
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: `${namespaceName}-tenant-config`
+			name: `${namespaceName}-tenant-config`,
+			request: {
+				workspaceId,
+				namespaceName
+			}
 		});
 	}
 	return changeSet;
@@ -3321,7 +3438,6 @@ async function planMachineUsers(client, workspaceId, auths, deletedServices) {
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "machine-user-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3333,8 +3449,12 @@ async function planMachineUsers(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchMachineUsers(namespaceName)).forEach((machineUser) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: machineUser.name
+			name: machineUser.name,
+			request: {
+				workspaceId,
+				authNamespace: namespaceName,
+				name: machineUser.name
+			}
 		});
 	});
 	return changeSet;
@@ -3391,7 +3511,6 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices) {
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "oauth2-client-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3403,8 +3522,12 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchOAuth2Clients(namespaceName)).forEach((oauth2Client) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: oauth2Client.name
+			name: oauth2Client.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: oauth2Client.name
+			}
 		});
 	});
 	return changeSet;
@@ -3460,7 +3583,6 @@ async function planSCIMConfigs(client, workspaceId, auths, deletedServices) {
 			}
 		});
 		else changeSet.deletes.push({
-			tag: "scim-config-deleted",
 			name,
 			request: {
 				workspaceId,
@@ -3479,8 +3601,11 @@ async function planSCIMConfigs(client, workspaceId, auths, deletedServices) {
 			throw error;
 		}
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: `${namespaceName}-scim-config`
+			name: `${namespaceName}-scim-config`,
+			request: {
+				workspaceId,
+				namespaceName
+			}
 		});
 	}
 	return changeSet;
@@ -3548,7 +3673,6 @@ async function planSCIMResources(client, workspaceId, auths, deletedServices) {
 		});
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "scim-resource-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3560,8 +3684,12 @@ async function planSCIMResources(client, workspaceId, auths, deletedServices) {
 	}
 	for (const namespaceName of deletedServices) (await fetchSCIMResources(namespaceName)).forEach((scimResource) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: scimResource.name
+			name: scimResource.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: scimResource.name
+			}
 		});
 	});
 	return changeSet;
@@ -3640,15 +3768,72 @@ function protoSCIMAttribute(attr) {
 	};
 }
 
+//#endregion
+//#region src/cli/apply/services/confirm.ts
+async function confirmOwnerConflict(conflicts, appName, yes) {
+	if (conflicts.length === 0) return;
+	const currentOwners = [...new Set(conflicts.map((c) => c.currentOwner))];
+	consola.warn("Application name mismatch detected:");
+	console.log(`  ${chalk.yellow("Current application(s)")}: ${currentOwners.map((o) => chalk.bold(`"${o}"`)).join(", ")}`);
+	console.log(`  ${chalk.green("New application")}:        ${chalk.bold(`"${appName}"`)}`);
+	console.log("");
+	console.log(`  ${chalk.cyan("Resources")}:`);
+	for (const c of conflicts) console.log(`    • ${chalk.bold(c.resourceType)} ${chalk.cyan(`"${c.resourceName}"`)}`);
+	if (yes) {
+		consola.success("Updating resources (--yes flag specified)...");
+		return;
+	}
+	const promptMessage = currentOwners.length === 1 ? `Update these resources to be managed by "${appName}"?\n${chalk.gray("(Common when renaming your application)")}` : `Update these resources to be managed by "${appName}"?`;
+	if (!await consola.prompt(promptMessage, {
+		type: "confirm",
+		initial: false
+	})) throw new Error(ml`
+      Apply cancelled. Resources remain managed by their current applications.
+      To override, run again and confirm, or use --yes flag.
+    `);
+}
+async function confirmUnmanagedResources(resources, appName, yes) {
+	if (resources.length === 0) return;
+	consola.warn("Unmanaged resources detected:");
+	console.log(`  ${chalk.cyan("Resources")}:`);
+	for (const r of resources) console.log(`    • ${chalk.bold(r.resourceType)} ${chalk.cyan(`"${r.resourceName}"`)}`);
+	console.log("");
+	console.log("  These resources are not managed by any application.");
+	if (yes) {
+		consola.success(`Adding to "${appName}" (--yes flag specified)...`);
+		return;
+	}
+	if (!await consola.prompt(`Add these resources to "${appName}"?`, {
+		type: "confirm",
+		initial: false
+	})) throw new Error(ml`
+      Apply cancelled. Resources remain unmanaged.
+      To override, run again and confirm, or use --yes flag.
+    `);
+}
+
 //#endregion
 //#region src/cli/apply/services/executor.ts
-async function applyExecutor(client, changeSet, phase = "create-update") {
-	if (phase === "create-update") await Promise.all([...changeSet.creates.map((create) => client.createExecutorExecutor(create.request)), ...changeSet.updates.map((update) => client.updateExecutorExecutor(update.request))]);
+async function applyExecutor(client, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
+		await client.createExecutorExecutor(create.request);
+		await client.setMetadata(create.metaRequest);
+	}), ...changeSet.updates.map(async (update) => {
+		await client.updateExecutorExecutor(update.request);
+		await client.setMetadata(update.metaRequest);
+	})]);
 	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteExecutorExecutor(del.request)));
 }
-async function planExecutor(client, workspaceId, application) {
+function trn$3(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:executor:${name}`;
+}
+async function planExecutor({ client, workspaceId, application }) {
 	const changeSet = new ChangeSet("Executors");
-	const existingExecutors = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { executors: executors$1, nextPageToken } = await client.listExecutorExecutors({
 				workspaceId,
@@ -3660,29 +3845,50 @@ async function planExecutor(client, workspaceId, application) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingExecutors.forEach((executor) => {
-		existingNameSet.add(executor.name);
-	});
+	const existingExecutors = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		const { metadata } = await client.getMetadata({ trn: trn$3(workspaceId, resource.name) });
+		existingExecutors[resource.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
 	const executors = await application.executorService?.loadExecutors() ?? {};
-	for (const executor of Object.values(executors)) if (existingNameSet.has(executor.name)) {
-		changeSet.updates.push({
+	for (const executor of Object.values(executors)) {
+		const existing = existingExecutors[executor.name];
+		const metaRequest = await buildMetaRequest(trn$3(workspaceId, executor.name), application.name);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Executor",
+				resourceName: executor.name
+			});
+			else if (existing.label !== application.name) conflicts.push({
+				resourceType: "Executor",
+				resourceName: executor.name,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: executor.name,
+				request: {
+					workspaceId,
+					executor: protoExecutor(executor)
+				},
+				metaRequest
+			});
+			delete existingExecutors[executor.name];
+		} else changeSet.creates.push({
 			name: executor.name,
 			request: {
 				workspaceId,
 				executor: protoExecutor(executor)
-			}
+			},
+			metaRequest
 		});
-		existingNameSet.delete(executor.name);
-	} else changeSet.creates.push({
-		name: executor.name,
-		request: {
-			workspaceId,
-			executor: protoExecutor(executor)
-		}
-	});
-	existingNameSet.forEach((name) => {
-		changeSet.deletes.push({
+	}
+	Object.entries(existingExecutors).forEach(([name]) => {
+		const label = existingExecutors[name]?.label;
+		if (label && label !== application.name) resourceOwners.add(label);
+		if (label === application.name) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -3691,7 +3897,12 @@ async function planExecutor(client, workspaceId, application) {
 		});
 	});
 	changeSet.print();
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 function protoExecutor(executor) {
 	const trigger = executor.trigger;
@@ -3861,35 +4072,53 @@ const SCALAR_TYPE_MAP = {
 		name: "Time"
 	}
 };
-async function applyPipeline(client, changeSet, phase = "create-update") {
+async function applyPipeline(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all([...changeSet.service.creates.map((create) => client.createPipelineService(create.request)), ...changeSet.service.updates.map((update) => client.updatePipelineService(update.request))]);
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createPipelineService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map(async (update) => {
+			await client.updatePipelineService(update.request);
+			await client.setMetadata(update.metaRequest);
+		})]);
 		await Promise.all([...changeSet.resolver.creates.map((create) => client.createPipelineResolver(create.request)), ...changeSet.resolver.updates.map((update) => client.updatePipelineResolver(update.request))]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.resolver.deletes.filter((del) => del.tag === "resolver-deleted").map((del) => client.deletePipelineResolver(del.request)));
+		await Promise.all(changeSet.resolver.deletes.map((del) => client.deletePipelineResolver(del.request)));
 		await Promise.all(changeSet.service.deletes.map((del) => client.deletePipelineService(del.request)));
 	}
 }
-async function planPipeline(client, workspaceId, application) {
+async function planPipeline({ client, workspaceId, application }) {
 	const pipelines = [];
-	for (const app of application.applications) for (const pipeline of app.resolverServices) {
+	for (const pipeline of application.resolverServices) {
 		await pipeline.loadResolvers();
 		pipelines.push(pipeline);
 	}
 	const executors = Object.values(await application.executorService?.loadExecutors() ?? {});
-	const serviceChangeSet = await planServices$1(client, workspaceId, pipelines);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, pipelines);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const resolverChangeSet = await planResolvers(client, workspaceId, pipelines, executors, deletedServices);
 	serviceChangeSet.print();
 	resolverChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		resolver: resolverChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			resolver: resolverChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices$1(client, workspaceId, pipelines) {
+function trn$2(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:pipeline:${name}`;
+}
+async function planServices$1(client, workspaceId, appName, pipelines) {
 	const changeSet = new ChangeSet("Pipeline services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { pipelineServices, nextPageToken } = await client.listPipelineServices({
 				workspaceId,
@@ -3901,29 +4130,50 @@ async function planServices$1(client, workspaceId, pipelines) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
-	for (const pipeline of pipelines) if (existingNameSet.has(pipeline.namespace)) {
-		changeSet.updates.push({
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn$2(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	for (const pipeline of pipelines) {
+		const existing = existingServices[pipeline.namespace];
+		const metaRequest = await buildMetaRequest(trn$2(workspaceId, pipeline.namespace), appName);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Pipeline service",
+				resourceName: pipeline.namespace
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "Pipeline service",
+				resourceName: pipeline.namespace,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: pipeline.namespace,
+				request: {
+					workspaceId,
+					namespaceName: pipeline.namespace
+				},
+				metaRequest
+			});
+			delete existingServices[pipeline.namespace];
+		} else changeSet.creates.push({
 			name: pipeline.namespace,
 			request: {
 				workspaceId,
 				namespaceName: pipeline.namespace
-			}
+			},
+			metaRequest
 		});
-		existingNameSet.delete(pipeline.namespace);
-	} else changeSet.creates.push({
-		name: pipeline.namespace,
-		request: {
-			workspaceId,
-			namespaceName: pipeline.namespace
-		}
-	});
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	}
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -3931,7 +4181,12 @@ async function planServices$1(client, workspaceId, pipelines) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 async function planResolvers(client, workspaceId, pipelines, executors, deletedServices) {
 	const changeSet = new ChangeSet("Pipeline resolvers");
@@ -3978,7 +4233,6 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 		});
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "resolver-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -3990,8 +4244,12 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 	}
 	for (const namespaceName of deletedServices) (await fetchResolvers(namespaceName)).forEach((resolver) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: resolver.name
+			name: resolver.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				resolverName: resolver.name
+			}
 		});
 	});
 	return changeSet;
@@ -4065,13 +4323,26 @@ function protoFields(fields, baseName, isInput) {
 
 //#endregion
 //#region src/cli/apply/services/staticwebsite.ts
-async function applyStaticWebsite(client, changeSet, phase = "create-update") {
-	if (phase === "create-update") await Promise.all([...changeSet.creates.map((create) => client.createStaticWebsite(create.request)), ...changeSet.updates.map((update) => client.updateStaticWebsite(update.request))]);
+async function applyStaticWebsite(client, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
+		await client.createStaticWebsite(create.request);
+		await client.setMetadata(create.metaRequest);
+	}), ...changeSet.updates.map(async (update) => {
+		await client.updateStaticWebsite(update.request);
+		await client.setMetadata(update.metaRequest);
+	})]);
 	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteStaticWebsite(del.request)));
 }
-async function planStaticWebsite(client, workspaceId, application) {
+function trn$1(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:staticwebsite:${name}`;
+}
+async function planStaticWebsite({ client, workspaceId, application }) {
 	const changeSet = new ChangeSet("StaticWebsites");
-	const existingWebsites = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { staticwebsites, nextPageToken } = await client.listStaticWebsites({
 				workspaceId,
@@ -4083,14 +4354,29 @@ async function planStaticWebsite(client, workspaceId, application) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingWebsites.forEach((website) => {
-		existingNameSet.add(website.name);
-	});
+	const existingWebsites = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		const { metadata } = await client.getMetadata({ trn: trn$1(workspaceId, resource.name) });
+		existingWebsites[resource.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
 	for (const websiteService of application.staticWebsiteServices) {
 		const config = websiteService;
 		const name = websiteService.name;
-		if (existingNameSet.has(name)) {
+		const existing = existingWebsites[name];
+		const metaRequest = await buildMetaRequest(trn$1(workspaceId, name), application.name);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "StaticWebsite",
+				resourceName: name
+			});
+			else if (existing.label !== application.name) conflicts.push({
+				resourceType: "StaticWebsite",
+				resourceName: name,
+				currentOwner: existing.label
+			});
 			changeSet.updates.push({
 				name,
 				request: {
@@ -4100,9 +4386,10 @@ async function planStaticWebsite(client, workspaceId, application) {
 						description: config.description || "",
 						allowedIpAddresses: config.allowedIpAddresses || []
 					}
-				}
+				},
+				metaRequest
 			});
-			existingNameSet.delete(name);
+			delete existingWebsites[name];
 		} else changeSet.creates.push({
 			name,
 			request: {
@@ -4112,11 +4399,14 @@ async function planStaticWebsite(client, workspaceId, application) {
 					description: config.description || "",
 					allowedIpAddresses: config.allowedIpAddresses || []
 				}
-			}
+			},
+			metaRequest
 		});
 	}
-	existingNameSet.forEach((name) => {
-		changeSet.deletes.push({
+	Object.entries(existingWebsites).forEach(([name]) => {
+		const label = existingWebsites[name]?.label;
+		if (label && label !== application.name) resourceOwners.add(label);
+		if (label === application.name) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -4125,30 +4415,39 @@ async function planStaticWebsite(client, workspaceId, application) {
 		});
 	});
 	changeSet.print();
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 
 //#endregion
 //#region src/cli/apply/services/tailordb.ts
-async function applyTailorDB(client, changeSet, phase = "create-update") {
+async function applyTailorDB(client, result, phase = "create-update") {
+	const { changeSet } = result;
 	if (phase === "create-update") {
-		await Promise.all(changeSet.service.creates.map((create) => client.createTailorDBService(create.request)));
+		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await client.createTailorDBService(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.service.updates.map((update) => client.setMetadata(update.metaRequest))]);
 		await Promise.all([...changeSet.type.creates.map((create) => client.createTailorDBType(create.request)), ...changeSet.type.updates.map((update) => client.updateTailorDBType(update.request))]);
 		await Promise.all([...changeSet.gqlPermission.creates.map((create) => client.createTailorDBGQLPermission(create.request)), ...changeSet.gqlPermission.updates.map((update) => client.updateTailorDBGQLPermission(update.request))]);
 	} else if (phase === "delete") {
-		await Promise.all(changeSet.gqlPermission.deletes.filter((del) => del.tag === "gql-permission-deleted").map((del) => client.deleteTailorDBGQLPermission(del.request)));
-		await Promise.all(changeSet.type.deletes.filter((del) => del.tag === "type-deleted").map((del) => client.deleteTailorDBType(del.request)));
+		await Promise.all(changeSet.gqlPermission.deletes.map((del) => client.deleteTailorDBGQLPermission(del.request)));
+		await Promise.all(changeSet.type.deletes.map((del) => client.deleteTailorDBType(del.request)));
 		await Promise.all(changeSet.service.deletes.map((del) => client.deleteTailorDBService(del.request)));
 	}
 }
-async function planTailorDB(client, workspaceId, application) {
+async function planTailorDB({ client, workspaceId, application }) {
 	const tailordbs = [];
-	for (const app of application.applications) for (const tailordb of app.tailorDBServices) {
+	for (const tailordb of application.tailorDBServices) {
 		await tailordb.loadTypes();
 		tailordbs.push(tailordb);
 	}
 	const executors = Object.values(await application.executorService?.loadExecutors() ?? {});
-	const serviceChangeSet = await planServices(client, workspaceId, tailordbs);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, tailordbs);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const typeChangeSet = await planTypes(client, workspaceId, tailordbs, executors, deletedServices);
 	const gqlPermissionChangeSet = await planGqlPermissions(client, workspaceId, tailordbs, deletedServices);
@@ -4156,14 +4455,25 @@ async function planTailorDB(client, workspaceId, application) {
 	typeChangeSet.print();
 	gqlPermissionChangeSet.print();
 	return {
-		service: serviceChangeSet,
-		type: typeChangeSet,
-		gqlPermission: gqlPermissionChangeSet
+		changeSet: {
+			service: serviceChangeSet,
+			type: typeChangeSet,
+			gqlPermission: gqlPermissionChangeSet
+		},
+		conflicts,
+		unmanaged,
+		resourceOwners
 	};
 }
-async function planServices(client, workspaceId, tailordbs) {
+function trn(workspaceId, name) {
+	return `${trnPrefix(workspaceId)}:tailordb:${name}`;
+}
+async function planServices(client, workspaceId, appName, tailordbs) {
 	const changeSet = new ChangeSet("TailorDB services");
-	const existingServices = await fetchAll(async (pageToken) => {
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const withoutLabel = await fetchAll(async (pageToken) => {
 		try {
 			const { tailordbServices, nextPageToken } = await client.listTailorDBServices({
 				workspaceId,
@@ -4175,24 +4485,47 @@ async function planServices(client, workspaceId, tailordbs) {
 			throw error;
 		}
 	});
-	const existingNameSet = /* @__PURE__ */ new Set();
-	existingServices.forEach((service) => {
-		const name = service.namespace?.name;
-		if (name) existingNameSet.add(name);
-	});
-	for (const tailordb of tailordbs) if (existingNameSet.has(tailordb.namespace)) {
-		changeSet.updates.push({ name: tailordb.namespace });
-		existingNameSet.delete(tailordb.namespace);
-	} else changeSet.creates.push({
-		name: tailordb.namespace,
-		request: {
-			workspaceId,
-			namespaceName: tailordb.namespace,
-			defaultTimezone: "UTC"
-		}
-	});
-	existingNameSet.forEach((namespaceName) => {
-		changeSet.deletes.push({
+	const existingServices = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		if (!resource.namespace?.name) return;
+		const { metadata } = await client.getMetadata({ trn: trn(workspaceId, resource.namespace.name) });
+		existingServices[resource.namespace.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	for (const tailordb of tailordbs) {
+		const existing = existingServices[tailordb.namespace];
+		const metaRequest = await buildMetaRequest(trn(workspaceId, tailordb.namespace), appName);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "TailorDB service",
+				resourceName: tailordb.namespace
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "TailorDB service",
+				resourceName: tailordb.namespace,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: tailordb.namespace,
+				metaRequest
+			});
+			delete existingServices[tailordb.namespace];
+		} else changeSet.creates.push({
+			name: tailordb.namespace,
+			request: {
+				workspaceId,
+				namespaceName: tailordb.namespace,
+				defaultTimezone: "UTC"
+			},
+			metaRequest
+		});
+	}
+	Object.entries(existingServices).forEach(([namespaceName]) => {
+		const label = existingServices[namespaceName]?.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -4200,7 +4533,12 @@ async function planServices(client, workspaceId, tailordbs) {
 			}
 		});
 	});
-	return changeSet;
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
 }
 async function planTypes(client, workspaceId, tailordbs, executors, deletedServices) {
 	const changeSet = new ChangeSet("TailorDB types");
@@ -4249,7 +4587,6 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "type-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -4261,8 +4598,12 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 	}
 	for (const namespaceName of deletedServices) (await fetchTypes(namespaceName)).forEach((typ) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: typ.name
+			name: typ.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				tailordbTypeName: typ.name
+			}
 		});
 	});
 	return changeSet;
@@ -4520,7 +4861,6 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 		}
 		existingNameSet.forEach((name) => {
 			changeSet.deletes.push({
-				tag: "gql-permission-deleted",
 				name,
 				request: {
 					workspaceId,
@@ -4532,8 +4872,12 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 	}
 	for (const namespaceName of deletedServices) (await fetchGqlPermissions(namespaceName)).forEach((gqlPermission) => {
 		changeSet.deletes.push({
-			tag: "service-deleted",
-			name: gqlPermission.typeName
+			name: gqlPermission.typeName,
+			request: {
+				workspaceId,
+				namespaceName,
+				typeName: gqlPermission.typeName
+			}
 		});
 	});
 	return changeSet;
@@ -4628,6 +4972,7 @@ async function apply(options) {
 	const configPath = loadConfigPath(options?.configPath);
 	const { config } = await loadConfig(configPath);
 	const dryRun = options?.dryRun ?? false;
+	const yes = options?.yes ?? false;
 	const buildOnly = options?.buildOnly ?? false;
 	await generateUserTypes(config, configPath);
 	const application = defineApplication(config);
@@ -4643,13 +4988,56 @@ async function apply(options) {
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
 	});
-	const tailorDB = await planTailorDB(client, workspaceId, application);
-	const staticWebsite = await planStaticWebsite(client, workspaceId, application);
-	const idp = await planIdP(client, workspaceId, application);
-	const auth = await planAuth(client, workspaceId, application);
-	const pipeline = await planPipeline(client, workspaceId, application);
-	const app = await planApplication(client, workspaceId, application);
-	const executor = await planExecutor(client, workspaceId, application);
+	for (const tailordb of application.tailorDBServices) await tailordb.loadTypes();
+	for (const pipeline$1 of application.resolverServices) await pipeline$1.loadResolvers();
+	if (application.executorService) await application.executorService.loadExecutors();
+	console.log("");
+	const ctx = {
+		client,
+		workspaceId,
+		application
+	};
+	const tailorDB = await planTailorDB(ctx);
+	const staticWebsite = await planStaticWebsite(ctx);
+	const idp = await planIdP(ctx);
+	const auth = await planAuth(ctx);
+	const pipeline = await planPipeline(ctx);
+	const app = await planApplication(ctx);
+	const executor = await planExecutor(ctx);
+	const allConflicts = [
+		...tailorDB.conflicts,
+		...staticWebsite.conflicts,
+		...idp.conflicts,
+		...auth.conflicts,
+		...pipeline.conflicts,
+		...executor.conflicts
+	];
+	const allUnmanaged = [
+		...tailorDB.unmanaged,
+		...staticWebsite.unmanaged,
+		...idp.unmanaged,
+		...auth.unmanaged,
+		...pipeline.unmanaged,
+		...executor.unmanaged
+	];
+	await confirmOwnerConflict(allConflicts, application.name, yes);
+	await confirmUnmanagedResources(allUnmanaged, application.name, yes);
+	const resourceOwners = new Set([
+		...tailorDB.resourceOwners,
+		...staticWebsite.resourceOwners,
+		...idp.resourceOwners,
+		...auth.resourceOwners,
+		...pipeline.resourceOwners,
+		...executor.resourceOwners
+	]);
+	const emptyApps = [...new Set(allConflicts.map((c) => c.currentOwner))].filter((owner) => !resourceOwners.has(owner));
+	for (const emptyApp of emptyApps) app.deletes.push({
+		name: emptyApp,
+		request: {
+			workspaceId,
+			applicationName: emptyApp
+		}
+	});
 	if (dryRun) {
 		console.log("Dry run enabled. No changes applied.");
 		return;
@@ -4724,6 +5112,11 @@ const applyCommand = defineCommand({
 			type: "boolean",
 			description: "Run the command without making any changes",
 			alias: "d"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip all confirmation prompts",
+			alias: "y"
 		}
 	},
 	run: withCommonArgs(async (args) => {
@@ -4731,7 +5124,8 @@ const applyCommand = defineCommand({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
 			configPath: args.config,
-			dryRun: args.dryRun
+			dryRun: args.dryRun,
+			yes: args.yes
 		});
 	})
 });
@@ -5855,4 +6249,4 @@ const tokenCommand = defineCommand({
 });
 
 //#endregion
-export { PATScope, apply, applyCommand, commonArgs, createCommand, deleteCommand, fetchAll, fetchLatestToken, formatArgs, generate, generateCommand, generateUserTypes, initOperatorClient, listCommand, listCommand$1, loadAccessToken, loadConfig, loadConfigPath, loadWorkspaceId, machineUserList, machineUserToken, parseFormat, printWithFormat, readPlatformConfig, show, showCommand, tokenCommand, userAgent, withCommonArgs, workspaceCreate, workspaceDelete, workspaceList, writePlatformConfig };
+export { PATScope, apply, applyCommand, commonArgs, createCommand, deleteCommand, fetchAll, fetchLatestToken, formatArgs, generate, generateCommand, generateUserTypes, initOperatorClient, listCommand, listCommand$1, loadAccessToken, loadConfig, loadConfigPath, loadWorkspaceId, machineUserList, machineUserToken, parseFormat, printWithFormat, readPackageJson, readPlatformConfig, show, showCommand, tokenCommand, userAgent, withCommonArgs, workspaceCreate, workspaceDelete, workspaceList, writePlatformConfig };