@tailor-platform/sdk 1.23.0 → 1.25.0

package/dist/{query-BLQBOaAM.mjs → query-c9RCJduH.mjs}

@@ -1,10 +1,11 @@
-import { t as db } from "./schema-Cjm-OvPF.mjs";
-import { $ as AuthSCIMAttribute_Mutability, A as platformBaseUrl, B as TailorDBType_Permission_Permit, C as readPlatformConfig, E as fetchMachineUserToken, F as WorkflowJobExecution_Status, H as PipelineResolver_OperationType, I as TailorDBGQLPermission_Action, J as ExecutorTriggerType, K as ExecutorJobStatus, L as TailorDBGQLPermission_Operator, M as userAgent, N as WorkspacePlatformUserRole, P as WorkflowExecution_Status, Q as AuthOAuth2Client_GrantType, R as TailorDBGQLPermission_Permit, S as loadWorkspaceId, T as fetchAll, U as IdPLang, V as TailorDBType_PermitAction, W as FunctionExecution_Status, X as AuthInvokerSchema, Y as AuthIDPConfig_AuthType, Z as AuthOAuth2Client_ClientType, _ as hashFile, a as loadConfig, at as UserProfileProviderConfig_UserProfileProviderType, b as loadFolderId, ct as Condition_Operator, d as TailorDBTypeSchema, dt as ApplicationSchemaUpdateAttemptStatus, et as AuthSCIMAttribute_Type, f as stringifyFunction, ft as Subgraph_ServiceType, g as getDistDir, h as createBundleCache, ht as symbols, it as TenantProviderConfig_TenantProviderType, j as resolveStaticWebsiteUrls, k as initOperatorClient, l as OAuth2ClientSchema, lt as FilterSchema, m as loadFilesWithIgnores, mt as styles, n as generatePluginFilesIfNeeded, nt as AuthSCIMConfig_AuthorizationType, ot as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, p as tailorUserMap, pt as logger, q as ExecutorTargetType, r as loadApplication, s as createExecutorService, st as ConditionSchema, t as defineApplication, tt as AuthSCIMAttribute_Uniqueness, ut as PageDirection, w as writePlatformConfig, x as loadOrganizationId, y as loadAccessToken, z as TailorDBType_Permission_Operator } from "./application-CTQe2HSB.mjs";
-import { t as readPackageJson } from "./package-json-iVBhE5Ef.mjs";
-import { r as withSpan } from "./telemetry-C46fds1l.mjs";
+import { t as db } from "./schema-DOx_W_s2.mjs";
+import { $ as AuthSCIMAttribute_Mutability, A as platformBaseUrl, B as TailorDBType_Permission_Permit, C as readPlatformConfig, E as fetchMachineUserToken, F as WorkflowJobExecution_Status, H as PipelineResolver_OperationType, I as TailorDBGQLPermission_Action, J as ExecutorTriggerType, K as ExecutorJobStatus, L as TailorDBGQLPermission_Operator, M as userAgent, N as WorkspacePlatformUserRole, P as WorkflowExecution_Status, Q as AuthOAuth2Client_GrantType, R as TailorDBGQLPermission_Permit, S as loadWorkspaceId, T as fetchAll, U as IdPLang, V as TailorDBType_PermitAction, W as FunctionExecution_Status, X as AuthInvokerSchema, Y as AuthIDPConfig_AuthType, Z as AuthOAuth2Client_ClientType, _ as hashFile, a as loadConfig, at as UserProfileProviderConfig_UserProfileProviderType, b as loadFolderId, ct as Condition_Operator, d as TailorDBTypeSchema, dt as ApplicationSchemaUpdateAttemptStatus, et as AuthSCIMAttribute_Type, f as stringifyFunction, ft as Subgraph_ServiceType, g as getDistDir, h as createBundleCache, ht as symbols, it as TenantProviderConfig_TenantProviderType, j as resolveStaticWebsiteUrls, k as initOperatorClient, l as OAuth2ClientSchema, lt as FilterSchema, m as loadFilesWithIgnores, mt as styles, n as generatePluginFilesIfNeeded, nt as AuthSCIMConfig_AuthorizationType, ot as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, p as tailorUserMap, pt as logger, q as ExecutorTargetType, r as loadApplication, s as createExecutorService, st as ConditionSchema, t as defineApplication, tt as AuthSCIMAttribute_Uniqueness, ut as PageDirection, w as writePlatformConfig, x as loadOrganizationId, y as loadAccessToken, z as TailorDBType_Permission_Operator } from "./application-CxDvCZts.mjs";
+import { t as readPackageJson } from "./package-json-DnbGCOkg.mjs";
+import { r as withSpan } from "./telemetry-d_lgTL33.mjs";
 import { arg, defineCommand, runCommand } from "politty";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { parseEnv } from "node:util";
 import * as path from "pathe";
 import chalk from "chalk";
@@ -13,9 +14,11 @@ import { getBorderCharacters, table } from "table";
 import { ValueSchema, timestampDate } from "@bufbuild/protobuf/wkt";
 import { Code, ConnectError } from "@connectrpc/connect";
 import { resolveTSConfig } from "pkg-types";
+import { tmpdir } from "node:os";
 import { findUpSync } from "find-up-simple";
 import ml from "multiline-ts";
 import * as crypto from "node:crypto";
+import { createHash } from "node:crypto";
 import { pathToFileURL } from "node:url";
 import * as inflection from "inflection";
 import * as rolldown from "rolldown";
@@ -212,7 +215,7 @@ const withCommonArgs = (handler) => async (args) => {
 	try {
 		if ("json" in args && typeof args.json === "boolean") logger.jsonMode = args.json;
 		loadEnvFiles(args["env-file"], args["env-file-if-exists"]);
-		const { initTelemetry } = await import("./telemetry-BAxP8-PR.mjs");
+		const { initTelemetry } = await import("./telemetry-J6dpByo2.mjs");
 		await initTelemetry();
 		await handler(args);
 	} catch (error) {
@@ -225,7 +228,7 @@ const withCommonArgs = (handler) => async (args) => {
 		} else logger.error(`Unknown error: ${error}`);
 		process.exit(1);
 	} finally {
-		const { shutdownTelemetry } = await import("./telemetry-BAxP8-PR.mjs");
+		const { shutdownTelemetry } = await import("./telemetry-J6dpByo2.mjs");
 		await shutdownTelemetry();
 	}
 	process.exit(0);
@@ -592,14 +595,14 @@ async function generateUserTypes(options) {
 }
 
 //#endregion
-//#region src/parser/plugin-config/generation-types.ts
+//#region src/types/plugin-generation.ts
 /**
 * Derives generation-time dependency set from hook presence on a plugin.
-* @param plugin - Plugin to check for generation hooks
-* @param plugin.onTailorDBReady - TailorDB phase-complete hook
-* @param plugin.onResolverReady - Resolver phase-complete hook
-* @param plugin.onExecutorReady - Executor phase-complete hook
-* @returns Set of dependency kinds based on which hooks are implemented
+* @param plugin - The plugin object to inspect.
+* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
+* @param plugin.onResolverReady - Hook for resolver readiness.
+* @param plugin.onExecutorReady - Hook for executor readiness.
+* @returns Set of dependency kinds required by the plugin.
 */
 function getPluginGenerationDependencies(plugin) {
 	const deps = /* @__PURE__ */ new Set();
@@ -610,11 +613,11 @@ function getPluginGenerationDependencies(plugin) {
 }
 /**
 * Checks if a plugin has any generation-time hooks.
-* @param plugin - Plugin to check
-* @param plugin.onTailorDBReady - TailorDB phase-complete hook
-* @param plugin.onResolverReady - Resolver phase-complete hook
-* @param plugin.onExecutorReady - Executor phase-complete hook
-* @returns True if the plugin has at least one generation hook
+* @param plugin - The plugin object to inspect.
+* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
+* @param plugin.onResolverReady - Hook for resolver readiness.
+* @param plugin.onExecutorReady - Hook for executor readiness.
+* @returns True if the plugin has at least one generation hook.
 */
 function hasGenerationHooks(plugin) {
 	return !!(plugin.onTailorDBReady || plugin.onResolverReady || plugin.onExecutorReady);
@@ -3250,6 +3253,257 @@ function protoFields(fields, baseName, isInput) {
 	});
 }
 
+//#endregion
+//#region src/cli/commands/apply/secrets-state.ts
+const SecretsStateSchema = z.object({ vaults: z.record(z.string(), z.record(z.string(), z.string())) });
+/**
+* Get the file path for the secrets state JSON.
+* @returns Absolute path to secrets-state.json
+*/
+function getSecretsStatePath() {
+	return path.join(getDistDir(), "secrets-state.json");
+}
+/**
+* Load secrets hash state from disk.
+* @returns Persisted state, or empty state if file is missing or corrupted
+*/
+function loadSecretsState() {
+	const filePath = getSecretsStatePath();
+	if (!existsSync(filePath)) return { vaults: {} };
+	try {
+		const raw = readFileSync(filePath, "utf-8");
+		return SecretsStateSchema.parse(JSON.parse(raw));
+	} catch {
+		return { vaults: {} };
+	}
+}
+/**
+* Save secrets hash state to disk.
+* @param state - The secrets state to persist
+*/
+function saveSecretsState(state) {
+	const filePath = getSecretsStatePath();
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	writeFileSync(filePath, JSON.stringify(state, null, 2), "utf-8");
+}
+/**
+* Compute SHA-256 hex digest of a value.
+* @param value - The string to hash
+* @returns Hex-encoded SHA-256 hash
+*/
+function hashValue(value) {
+	return createHash("sha256").update(value).digest("hex");
+}
+
+//#endregion
+//#region src/cli/commands/apply/secret-manager.ts
+/**
+* Plan secret manager changes based on current and desired state.
+* @param context - Planning context
+* @returns Planned changes for vaults and secrets
+*/
+async function planSecretManager(context) {
+	const { client, workspaceId, application, forRemoval } = context;
+	const secretVaults = forRemoval ? [] : application.secrets;
+	const vaultChangeSet = createChangeSet("Secret Manager vaults");
+	const secretChangeSet = createChangeSet("Secret Manager secrets");
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const existingVaultList = await fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			const { vaults, nextPageToken } = await client.listSecretManagerVaults({
+				workspaceId,
+				pageToken,
+				pageSize: maxPageSize
+			});
+			return [vaults, nextPageToken];
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+	const existingVaults = {};
+	await Promise.all(existingVaultList.map(async (resource) => {
+		const { metadata } = await client.getMetadata({ trn: vaultTrn(workspaceId, resource.name) });
+		existingVaults[resource.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	const state = loadSecretsState();
+	await Promise.all(secretVaults.map(async (vault) => {
+		const vaultName = vault.vaultName;
+		const existing = existingVaults[vaultName];
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Secret Manager vault",
+				resourceName: vaultName
+			});
+			else if (existing.label !== application.name) conflicts.push({
+				resourceType: "Secret Manager vault",
+				resourceName: vaultName,
+				currentOwner: existing.label
+			});
+			vaultChangeSet.updates.push({
+				name: vaultName,
+				workspaceId
+			});
+			delete existingVaults[vaultName];
+		} else vaultChangeSet.creates.push({
+			name: vaultName,
+			workspaceId
+		});
+		let existingSecrets = [];
+		if (existing) existingSecrets = (await fetchAll(async (pageToken, maxPageSize) => {
+			try {
+				const { secrets, nextPageToken } = await client.listSecretManagerSecrets({
+					workspaceId,
+					secretmanagerVaultName: vaultName,
+					pageToken,
+					pageSize: maxPageSize
+				});
+				return [secrets, nextPageToken];
+			} catch (error) {
+				if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+				throw error;
+			}
+		})).map((s) => s.name);
+		const existingSet = new Set(existingSecrets);
+		for (const secret of vault.secrets) if (existingSet.has(secret.name)) {
+			if (hashValue(secret.value) !== state.vaults[vaultName]?.[secret.name]) secretChangeSet.updates.push({
+				name: `${vaultName}/${secret.name}`,
+				secretName: secret.name,
+				workspaceId,
+				vaultName,
+				value: secret.value
+			});
+			existingSet.delete(secret.name);
+		} else secretChangeSet.creates.push({
+			name: `${vaultName}/${secret.name}`,
+			secretName: secret.name,
+			workspaceId,
+			vaultName,
+			value: secret.value
+		});
+		for (const orphanName of existingSet) secretChangeSet.deletes.push({
+			name: `${vaultName}/${orphanName}`,
+			secretName: orphanName,
+			workspaceId,
+			vaultName
+		});
+	}));
+	for (const [name, entry] of Object.entries(existingVaults)) {
+		if (!entry) continue;
+		const label = entry.label;
+		if (label && label !== application.name) resourceOwners.add(label);
+		if (label === application.name) {
+			const secrets = await fetchAll(async (pageToken, maxPageSize) => {
+				try {
+					const { secrets: secrets$1, nextPageToken } = await client.listSecretManagerSecrets({
+						workspaceId,
+						secretmanagerVaultName: name,
+						pageToken,
+						pageSize: maxPageSize
+					});
+					return [secrets$1, nextPageToken];
+				} catch (error) {
+					if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+					throw error;
+				}
+			});
+			for (const secret of secrets) secretChangeSet.deletes.push({
+				name: `${name}/${secret.name}`,
+				secretName: secret.name,
+				workspaceId,
+				vaultName: name
+			});
+			vaultChangeSet.deletes.push({
+				name,
+				workspaceId
+			});
+		}
+	}
+	vaultChangeSet.print();
+	secretChangeSet.print();
+	return {
+		vaultChangeSet,
+		secretChangeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
+}
+function vaultTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:vault:${name}`;
+}
+/**
+* Apply secret manager changes for the given phase.
+* @param client - Operator client instance
+* @param result - Planned secret changes
+* @param phase - Apply phase
+* @param application - Application to read secrets from for hash state persistence
+* @returns Promise that resolves when secret changes are applied
+*/
+async function applySecretManager(client, result, phase = "create-update", application) {
+	const { vaultChangeSet, secretChangeSet } = result;
+	if (phase === "create-update") {
+		await Promise.all(vaultChangeSet.creates.map(async (create$1) => {
+			await client.createSecretManagerVault({
+				workspaceId: create$1.workspaceId,
+				secretmanagerVaultName: create$1.name
+			});
+			if (application) {
+				const metaRequest = await buildMetaRequest(vaultTrn(create$1.workspaceId, create$1.name), application.name);
+				await client.setMetadata(metaRequest);
+			}
+		}));
+		if (application) await Promise.all(vaultChangeSet.updates.map(async (update) => {
+			const metaRequest = await buildMetaRequest(vaultTrn(update.workspaceId, update.name), application.name);
+			await client.setMetadata(metaRequest);
+		}));
+		await Promise.all(secretChangeSet.creates.map((create$1) => client.createSecretManagerSecret({
+			workspaceId: create$1.workspaceId,
+			secretmanagerVaultName: create$1.vaultName,
+			secretmanagerSecretName: create$1.secretName,
+			secretmanagerSecretValue: create$1.value
+		})));
+		await Promise.all(secretChangeSet.updates.map((update) => client.updateSecretManagerSecret({
+			workspaceId: update.workspaceId,
+			secretmanagerVaultName: update.vaultName,
+			secretmanagerSecretName: update.secretName,
+			secretmanagerSecretValue: update.value
+		})));
+		if (application) {
+			const state = loadSecretsState();
+			for (const vault of application.secrets) {
+				if (!state.vaults[vault.vaultName]) state.vaults[vault.vaultName] = {};
+				for (const secret of vault.secrets) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
+			}
+			saveSecretsState(state);
+		}
+	} else if (phase === "delete") {
+		await Promise.all(secretChangeSet.deletes.map((del) => client.deleteSecretManagerSecret({
+			workspaceId: del.workspaceId,
+			secretmanagerVaultName: del.vaultName,
+			secretmanagerSecretName: del.secretName
+		})));
+		await Promise.all(vaultChangeSet.deletes.map((del) => client.deleteSecretManagerVault({
+			workspaceId: del.workspaceId,
+			secretmanagerVaultName: del.name
+		})));
+		if (secretChangeSet.deletes.length > 0 || vaultChangeSet.deletes.length > 0) {
+			const state = loadSecretsState();
+			for (const del of secretChangeSet.deletes) if (state.vaults[del.vaultName]) {
+				delete state.vaults[del.vaultName][del.secretName];
+				if (Object.keys(state.vaults[del.vaultName]).length === 0) delete state.vaults[del.vaultName];
+			}
+			for (const del of vaultChangeSet.deletes) delete state.vaults[del.name];
+			saveSecretsState(state);
+		}
+	}
+}
+
 //#endregion
 //#region src/cli/commands/apply/staticwebsite.ts
 /**
@@ -3672,7 +3926,7 @@ function createSnapshotFieldConfig(field) {
 }
 /**
 * Create a snapshot field config from an OperatorFieldConfig (for nested fields)
-* @param {import("@/parser/service/tailordb/types").OperatorFieldConfig} fieldConfig - Field configuration
+* @param {import("@/types/tailordb").OperatorFieldConfig} fieldConfig - Field configuration
 * @returns {SnapshotFieldConfig} Snapshot field configuration
 */
 function createSnapshotFieldConfigFromOperatorConfig(fieldConfig) {
@@ -6381,7 +6635,7 @@ async function apply(options) {
 		const functionEntries = collectFunctionEntries(application, workflowService?.jobs ?? []);
 		const dryRun = options?.dryRun ?? false;
 		const yes = options?.yes ?? false;
-		const { functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow } = await withSpan("plan", async () => {
+		const { functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
 			const ctx = {
 				client,
 				workspaceId,
@@ -6390,7 +6644,7 @@ async function apply(options) {
 				config,
 				noSchemaCheck: options?.noSchemaCheck
 			};
-			const [functionRegistry$1, tailorDB$1, staticWebsite$1, idp$1, auth$1, pipeline$1, app$1, executor$1, workflow$1] = await Promise.all([
+			const [functionRegistry$1, tailorDB$1, staticWebsite$1, idp$1, auth$1, pipeline$1, app$1, executor$1, workflow$1, secretManager$1] = await Promise.all([
 				withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, functionEntries)),
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
 				withSpan("plan.staticWebsite", () => planStaticWebsite(ctx)),
@@ -6399,7 +6653,8 @@ async function apply(options) {
 				withSpan("plan.pipeline", () => planPipeline(ctx)),
 				withSpan("plan.application", () => planApplication(ctx)),
 				withSpan("plan.executor", () => planExecutor(ctx)),
-				withSpan("plan.workflow", () => planWorkflow(client, workspaceId, application.name, workflowService?.workflows ?? {}, workflowBuildResult?.mainJobDeps ?? {}))
+				withSpan("plan.workflow", () => planWorkflow(client, workspaceId, application.name, workflowService?.workflows ?? {}, workflowBuildResult?.mainJobDeps ?? {})),
+				withSpan("plan.secretManager", () => planSecretManager(ctx))
 			]);
 			return {
 				functionRegistry: functionRegistry$1,
@@ -6410,7 +6665,8 @@ async function apply(options) {
 				pipeline: pipeline$1,
 				app: app$1,
 				executor: executor$1,
-				workflow: workflow$1
+				workflow: workflow$1,
+				secretManager: secretManager$1
 			};
 		});
 		await withSpan("confirm", async () => {
@@ -6422,7 +6678,8 @@ async function apply(options) {
 				...auth.conflicts,
 				...pipeline.conflicts,
 				...executor.conflicts,
-				...workflow.conflicts
+				...workflow.conflicts,
+				...secretManager.conflicts
 			];
 			await confirmOwnerConflict(allConflicts, application.name, yes);
 			await confirmUnmanagedResources([
@@ -6433,7 +6690,8 @@ async function apply(options) {
 				...auth.unmanaged,
 				...pipeline.unmanaged,
 				...executor.unmanaged,
-				...workflow.unmanaged
+				...workflow.unmanaged,
+				...secretManager.unmanaged
 			], application.name, yes);
 			const importantDeletions = [];
 			for (const del of tailorDB.changeSet.type.deletes) importantDeletions.push({
@@ -6452,6 +6710,14 @@ async function apply(options) {
 				resourceType: "OAuth2 client (client type change)",
 				resourceName: replace.name
 			});
+			for (const del of secretManager.vaultChangeSet.deletes) importantDeletions.push({
+				resourceType: "Secret Manager vault",
+				resourceName: del.name
+			});
+			for (const del of secretManager.secretChangeSet.deletes) importantDeletions.push({
+				resourceType: "Secret Manager secret",
+				resourceName: del.name
+			});
 			await confirmImportantResourceDeletion(importantDeletions, yes);
 			const resourceOwners = new Set([
 				...functionRegistry.resourceOwners,
@@ -6461,7 +6727,8 @@ async function apply(options) {
 				...auth.resourceOwners,
 				...pipeline.resourceOwners,
 				...executor.resourceOwners,
-				...workflow.resourceOwners
+				...workflow.resourceOwners,
+				...secretManager.resourceOwners
 			]);
 			const emptyApps = [...new Set(allConflicts.map((c) => c.currentOwner))].filter((owner) => !resourceOwners.has(owner));
 			for (const emptyApp of emptyApps) app.deletes.push({
@@ -6477,6 +6744,7 @@ async function apply(options) {
 			return;
 		}
 		await withSpan("apply.createUpdateServices", async () => {
+			await applySecretManager(client, secretManager, "create-update", application);
 			await applyFunctionRegistry(client, workspaceId, functionRegistry, "create-update");
 			await applyStaticWebsite(client, staticWebsite, "create-update");
 			await applyIdP(client, idp, "create-update");
@@ -6498,6 +6766,7 @@ async function apply(options) {
 			await applyWorkflow(client, workflow, "delete");
 			await applyExecutor(client, executor, "delete");
 			await applyStaticWebsite(client, staticWebsite, "delete");
+			await applySecretManager(client, secretManager, "delete");
 		});
 		await withSpan("apply.deleteApplication", () => applyApplication(client, app, "delete"));
 		await withSpan("apply.deleteSubgraphServices", async () => {
@@ -9399,7 +9668,8 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	const executor = await planExecutor(ctx);
 	const workflow = await planWorkflow(client, workspaceId, application.name, {}, {});
 	const functionRegistry = await planFunctionRegistry(client, workspaceId, application.name, []);
-	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0) return;
+	const secretManager = await planSecretManager(ctx);
+	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
 	if (confirm) await confirm();
 	await applyWorkflow(client, workflow, "delete");
 	await applyExecutor(client, executor, "delete");
@@ -9414,6 +9684,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	await applyTailorDB(client, tailorDB, "delete-resources");
 	await applyTailorDB(client, tailorDB, "delete-services");
 	await applyFunctionRegistry(client, workspaceId, functionRegistry, "delete");
+	await applySecretManager(client, secretManager, "delete");
 }
 /**
 * Remove all resources managed by the current application.
@@ -9527,6 +9798,70 @@ function logBetaWarning(featureName) {
 	logger.newline();
 }
 
+//#endregion
+//#region src/cli/shared/editor.ts
+const DEFAULT_EDITOR = "editor";
+function normalizeEditorCommand(editor) {
+	const normalized = editor?.trim();
+	return normalized && normalized.length > 0 ? normalized : void 0;
+}
+/**
+* Resolve an editor command only from explicit environment variables.
+* @returns Configured editor command, if any
+*/
+function getConfiguredEditorCommand() {
+	return normalizeEditorCommand(process.env.VISUAL) ?? normalizeEditorCommand(process.env.EDITOR);
+}
+/**
+* Resolve the editor command used for interactive file editing.
+* @returns Configured editor command or the system default fallback
+*/
+function getEditorCommand() {
+	return getConfiguredEditorCommand() ?? DEFAULT_EDITOR;
+}
+function parseEditorCommand(editor) {
+	const [command, ...args] = editor.trim().split(/\s+/);
+	if (!command) throw new Error("Editor command is empty.");
+	return {
+		command,
+		args
+	};
+}
+/**
+* Open a file in the resolved editor and wait for the process to exit.
+* @param filePath - File path to open
+* @param editor - Editor command string
+* @returns Whether an editor process was launched
+*/
+async function openInEditor(filePath, editor = getEditorCommand()) {
+	const { command, args } = parseEditorCommand(editor);
+	await new Promise((resolve$1, reject) => {
+		const child = spawn(command, [...args, filePath], {
+			stdio: "inherit",
+			detached: false
+		});
+		child.once("error", (error) => reject(error));
+		child.once("close", (code) => {
+			if (code == null || code === 0) {
+				resolve$1();
+				return;
+			}
+			reject(/* @__PURE__ */ new Error(`Editor exited with code ${code}.`));
+		});
+	});
+	return true;
+}
+/**
+* Open a file only when an editor is explicitly configured in the environment.
+* @param filePath - File path to open
+* @returns Whether an editor process was launched
+*/
+async function openInConfiguredEditor(filePath) {
+	const editor = getConfiguredEditorCommand();
+	if (!editor) return false;
+	return await openInEditor(filePath, editor);
+}
+
 //#endregion
 //#region src/cli/commands/tailordb/migrate/db-types-generator.ts
 /**
@@ -10036,7 +10371,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication: defineApplication$1 } = await import("./application-DdSu3baZ.mjs");
+	const { defineApplication: defineApplication$1 } = await import("./application-EQCsho6Z.mjs");
 	const application = defineApplication$1({
 		config,
 		pluginManager
@@ -10135,35 +10470,23 @@ async function generateDiffFromSnapshot(previousSnapshot, currentSnapshot, migra
 		logger.newline();
 		logger.log("A migration script was generated for breaking changes.");
 		logger.log("Please review and edit the script before running 'tailor-sdk apply'.");
-		await openInEditor(result.migrateFilePath);
+		const editor = getConfiguredEditorCommand();
+		if (!editor) return;
+		try {
+			await fs.access(result.migrateFilePath);
+		} catch {
+			return;
+		}
+		logger.newline();
+		logger.info(`Opening ${path.basename(result.migrateFilePath)} in ${editor}...`);
+		try {
+			await openInConfiguredEditor(result.migrateFilePath);
+		} catch {
+			return;
+		}
 	}
 }
 /**
-* Open a file in the user's preferred editor
-* @param {string} filePath - Path to file to open
-* @returns {Promise<void>} Promise that resolves when editor closes
-*/
-async function openInEditor(filePath) {
-	const editor = process.env.EDITOR;
-	if (!editor) return;
-	try {
-		await fs.access(filePath);
-	} catch {
-		return;
-	}
-	const [command, ...args] = editor.trim().split(/\s+/);
-	logger.newline();
-	logger.info(`Opening ${path.basename(filePath)} in ${editor}...`);
-	const child = spawn(command, [...args, filePath], {
-		stdio: "inherit",
-		detached: false
-	});
-	await new Promise((resolve$1) => {
-		child.on("close", () => resolve$1());
-		child.on("error", () => resolve$1());
-	});
-}
-/**
 * CLI command definition for generate
 */
 const generateCommand = defineCommand({
@@ -11763,11 +12086,49 @@ function parseExecutionResult(result) {
 * Resolve query input mode from CLI args.
 * @param args - Query input flags
 * @param args.query - Direct query string
+* @param args.file - File path containing query text
+* @param args.edit - Open a query editor instead of REPL
+* @param args.engine - Query engine used to choose temp file extension
 * @returns Normalized input mode
 */
-function resolveQueryCommandInput(args) {
-	if (args.query != null) return { query: args.query };
-	return { query: void 0 };
+async function resolveQueryCommandInput(args) {
+	if (args.query != null) return {
+		mode: "query",
+		query: args.query
+	};
+	if (args.file != null) return {
+		mode: "query",
+		query: await fs.readFile(args.file, "utf-8")
+	};
+	if (args.edit) return await resolveEditedQueryInput(args.engine);
+	return { mode: "repl" };
+}
+async function resolveEditedQueryInput(engine) {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) throw new Error("Non-interactive terminals are not supported. Pass -q/--query or -f/--file to run a query.");
+	const editor = getEditorCommand();
+	const tempDir = await fs.mkdtemp(path.join(tmpdir(), "tailor-query-"));
+	const fileExtension = engine === "sql" ? "sql" : "graphql";
+	const filePath = path.join(tempDir, `query.${fileExtension}`);
+	const initialQuery = "";
+	try {
+		await fs.writeFile(filePath, initialQuery, "utf-8");
+		try {
+			await openInEditor(filePath, editor);
+		} catch (error) {
+			throw new Error(`Failed to open query editor "${editor}": ${error instanceof Error ? error.message : String(error)}`);
+		}
+		const editedQuery = await fs.readFile(filePath, "utf-8");
+		if (editedQuery.trim().length === 0 || editedQuery === initialQuery) return { mode: "abort" };
+		return {
+			mode: "query",
+			query: editedQuery
+		};
+	} finally {
+		await fs.rm(tempDir, {
+			recursive: true,
+			force: true
+		});
+	}
 }
 /**
 * Dispatch query execution.
@@ -11849,7 +12210,7 @@ function clearReplScreen() {
 	process.stdout.write("\x1Bc");
 }
 async function runRepl(options) {
-	if (!process.stdin.isTTY || !process.stdout.isTTY) throw new Error("Non-interactive terminals are not supported. Pass -q/--query to run a query.");
+	if (!process.stdin.isTTY || !process.stdout.isTTY) throw new Error("Non-interactive terminals are not supported. Pass -q/--query or -f/--file to run a query.");
 	const execute = await prepareQueryExecutor(options);
 	const rl = createInterface({
 		input: process.stdin,
@@ -12042,13 +12403,39 @@ const queryCommand = defineCommand({
 			alias: "q",
 			description: "Query string to execute directly; omit to start REPL mode"
 		}),
+		file: arg(z.string().optional(), {
+			alias: "f",
+			description: "Read query string from file; omit to start REPL mode"
+		}),
+		edit: arg(z.boolean().default(false), { description: "Open a temporary file in your editor; omit to start REPL mode" }),
 		machineuser: arg(z.string(), {
 			alias: "m",
 			description: "Machine user name for query execution"
 		})
+	}).superRefine((args, ctx) => {
+		if (args.query != null && args.file != null) ctx.addIssue({
+			code: "custom",
+			path: ["file"],
+			message: "Pass either -q/--query or -f/--file, not both."
+		});
+		if (args.edit && args.query != null) ctx.addIssue({
+			code: "custom",
+			path: ["edit"],
+			message: "Pass only one of --edit, -q/--query, or -f/--file."
+		});
+		if (args.edit && args.file != null) ctx.addIssue({
+			code: "custom",
+			path: ["edit"],
+			message: "Pass only one of --edit, -q/--query, or -f/--file."
+		});
 	}).strict(),
 	run: withCommonArgs(async (args) => {
-		const mode = resolveQueryCommandInput({ query: args.query });
+		const mode = await resolveQueryCommandInput({
+			query: args.query,
+			file: args.file,
+			edit: args.edit,
+			engine: args.engine
+		});
 		const sharedOptions = {
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -12056,7 +12443,11 @@ const queryCommand = defineCommand({
 			engine: args.engine,
 			machineUser: args.machineuser
 		};
-		if (mode.query == null) {
+		if (mode.mode === "abort") {
+			logger.info("Editor closed without a query. Nothing was executed.");
+			return;
+		}
+		if (mode.mode === "repl") {
 			await runRepl({
 				...sharedOptions,
 				json: args.json
@@ -12154,4 +12545,4 @@ function printGqlResult(result, options = {}) {
 
 //#endregion
 export { getExecutorJob as $, truncateCommand as A, getMigrationDirPath as At, getCommand$1 as B, getNamespacesWithMigrations as Bt, getAppHealth as C, MIGRATE_FILE_NAME as Ct, listCommand$3 as D, createSnapshotFromLocalTypes as Dt, resumeWorkflow as E, compareSnapshots as Et, showCommand as F, loadDiff as Ft, listMachineUsers as G, commonArgs as Gt, getMachineUserToken as H, generateUserTypes as Ht, remove as I, reconstructSnapshotFromMigrations as It, webhookCommand as J, jsonArgs as Jt, generate$1 as K, confirmationArgs as Kt, removeCommand$1 as L, formatDiffSummary as Lt, generateCommand as M, getMigrationFiles as Mt, logBetaWarning as N, getNextMigrationNumber as Nt, listWorkflows as O, formatMigrationNumber as Ot, show as P, isValidMigrationNumber as Pt, listExecutors as Q, listCommand$4 as R, formatMigrationDiff as Rt, listCommand$2 as S, INITIAL_SCHEMA_NUMBER as St, resumeCommand as T, compareLocalTypesWithSnapshot as Tt, tokenCommand as U, apiCall as Ut, getOAuth2Client as V, trnPrefix as Vt, listCommand$5 as W, apiCommand as Wt, triggerExecutor as X, workspaceArgs as Xt, triggerCommand as Y, withCommonArgs as Yt, listCommand$6 as Z, deleteCommand as _, MIGRATION_LABEL_KEY as _t, removeCommand as a, getCommand$2 as at, createWorkspace as b, DB_TYPES_FILE_NAME as bt, listUsers as c, getWorkflowExecution as ct, restoreCommand as d, formatKeyValueTable as dt, jobsCommand as et, restoreWorkspace as f, getCommand$3 as ft, getWorkspace as g, waitForExecution$1 as gt, getCommand as h, executeScript as ht, updateUser as i, startWorkflow as it, generate as j, getMigrationFilePath as jt, truncate as k, getLatestMigrationNumber as kt, inviteCommand as l, listWorkflowExecutions as lt, listWorkspaces as m, apply as mt, queryCommand as n, watchExecutorJob as nt, removeUser as o, getWorkflow as ot, listCommand$1 as p, getExecutor as pt, listWebhookExecutors as q, deploymentArgs as qt, updateCommand as r, startCommand as rt, listCommand as s, executionsCommand as st, query as t, listExecutorJobs as tt, inviteUser as u, functionExecutionStatusToString as ut, deleteWorkspace as v, parseMigrationLabelNumber as vt, healthCommand as w, SCHEMA_FILE_NAME as wt, listApps as x, DIFF_FILE_NAME as xt, createCommand as y, bundleMigrationScript as yt, listOAuth2Clients as z, hasChanges as zt };
-//# sourceMappingURL=query-BLQBOaAM.mjs.map
+//# sourceMappingURL=query-c9RCJduH.mjs.map