@tailor-platform/sdk 1.25.4 → 1.26.0

package/dist/{query-kb_4EQp4.mjs → query-B8ml6ClT.mjs}

@@ -1,5 +1,5 @@
 import { t as db } from "./schema-BePzTFBV.mjs";
-import { $ as AuthSCIMAttribute_Uniqueness, A as userAgent, B as PipelineResolver_OperationType, C as fetchAll, D as initOperatorClient, F as TailorDBGQLPermission_Operator, G as ExecutorTargetType, H as FunctionExecution_Status, I as TailorDBGQLPermission_Permit, J as AuthInvokerSchema, K as ExecutorTriggerType, L as TailorDBType_Permission_Operator, M as WorkflowExecution_Status, N as WorkflowJobExecution_Status, O as platformBaseUrl, P as TailorDBGQLPermission_Action, Q as AuthSCIMAttribute_Type, R as TailorDBType_Permission_Permit, S as writePlatformConfig, V as IdPLang, W as ExecutorJobStatus, X as AuthOAuth2Client_GrantType, Y as AuthOAuth2Client_ClientType, Z as AuthSCIMAttribute_Mutability, _ as hashFile, a as loadConfig, at as ConditionSchema, b as loadWorkspaceId, ct as PageDirection, d as TailorDBTypeSchema, dt as CIPromptError, et as AuthSCIMConfig_AuthorizationType, f as stringifyFunction, ft as logger, g as getDistDir, h as createBundleCache, it as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, j as WorkspacePlatformUserRole, k as resolveStaticWebsiteUrls, l as OAuth2ClientSchema, lt as ApplicationSchemaUpdateAttemptStatus, m as loadFilesWithIgnores, mt as symbols, n as generatePluginFilesIfNeeded, nt as TenantProviderConfig_TenantProviderType, ot as Condition_Operator, p as tailorUserMap, pt as styles, q as AuthIDPConfig_AuthType, r as loadApplication, rt as UserProfileProviderConfig_UserProfileProviderType, s as createExecutorService, st as FilterSchema, t as defineApplication, ut as Subgraph_ServiceType, w as fetchMachineUserToken, x as readPlatformConfig, y as loadAccessToken, z as TailorDBType_PermitAction } from "./application-91Th6tm6.mjs";
+import { $ as AuthSCIMAttribute_Type, A as userAgent, B as PipelineResolver_OperationType, C as fetchAll, D as initOperatorClient, F as TailorDBGQLPermission_Operator, G as ExecutorTargetType, H as FunctionExecution_Status, I as TailorDBGQLPermission_Permit, J as AuthIDPConfig_AuthType, K as ExecutorTriggerType, L as TailorDBType_Permission_Operator, M as WorkflowExecution_Status, N as WorkflowJobExecution_Status, O as platformBaseUrl, P as TailorDBGQLPermission_Action, Q as AuthSCIMAttribute_Mutability, R as TailorDBType_Permission_Permit, S as writePlatformConfig, V as IdPLang, W as ExecutorJobStatus, X as AuthOAuth2Client_ClientType, Y as AuthInvokerSchema, Z as AuthOAuth2Client_GrantType, _ as hashFile, a as loadConfig, at as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, b as loadWorkspaceId, ct as FilterSchema, d as TailorDBTypeSchema, dt as Subgraph_ServiceType, et as AuthSCIMAttribute_Uniqueness, f as stringifyFunction, ft as CIPromptError, g as getDistDir, h as createBundleCache, ht as symbols, it as UserProfileProviderConfig_UserProfileProviderType, j as WorkspacePlatformUserRole, k as resolveStaticWebsiteUrls, l as OAuth2ClientSchema, lt as PageDirection, m as loadFilesWithIgnores, mt as styles, n as generatePluginFilesIfNeeded, ot as ConditionSchema, p as tailorUserMap, pt as logger, q as AuthHookPoint, r as loadApplication, rt as TenantProviderConfig_TenantProviderType, s as createExecutorService, st as Condition_Operator, t as defineApplication, tt as AuthSCIMConfig_AuthorizationType, ut as ApplicationSchemaUpdateAttemptStatus, w as fetchMachineUserToken, x as readPlatformConfig, y as loadAccessToken, z as TailorDBType_PermitAction } from "./application-D9xahQRQ.mjs";
 import { t as readPackageJson } from "./package-json-CVUv8Y9T.mjs";
 import { r as withSpan } from "./telemetry-0w8OupuQ.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
@@ -19,11 +19,11 @@ import { findUpSync } from "find-up-simple";
 import ml from "multiline-ts";
 import * as crypto from "node:crypto";
 import { createHash } from "node:crypto";
-import { pathToFileURL } from "node:url";
-import * as inflection from "inflection";
 import * as rolldown from "rolldown";
 import * as fs from "node:fs/promises";
 import { glob } from "node:fs/promises";
+import { pathToFileURL } from "node:url";
+import * as inflection from "inflection";
 import { create, fromJson, toJson } from "@bufbuild/protobuf";
 import { ExitPromptError } from "@inquirer/core";
 import { confirm, input } from "@inquirer/prompts";
@@ -1073,6 +1073,273 @@ function protoSubgraph(subgraph) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/apply/function-registry.ts
+const CHUNK_SIZE = 64 * 1024;
+/**
+* Compute SHA-256 content hash for a script string.
+* @param content - Script content to hash
+* @returns Hex-encoded SHA-256 hash
+*/
+function computeContentHash(content) {
+	return crypto.createHash("sha256").update(content, "utf-8").digest("hex");
+}
+function functionRegistryTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
+}
+/**
+* Build a function registry name for a resolver.
+* @param namespace - Resolver namespace
+* @param resolverName - Resolver name
+* @returns Function registry name
+*/
+function resolverFunctionName(namespace, resolverName) {
+	return `resolver--${namespace}--${resolverName}`;
+}
+/**
+* Build a function registry name for an executor.
+* @param executorName - Executor name
+* @returns Function registry name
+*/
+function executorFunctionName(executorName) {
+	return `executor--${executorName}`;
+}
+/**
+* Build a function registry name for a workflow job.
+* @param jobName - Workflow job name
+* @returns Function registry name
+*/
+function workflowJobFunctionName(jobName) {
+	return `workflow--${jobName}`;
+}
+/**
+* Build a function registry name for an auth hook.
+* @param authName - Auth namespace name
+* @param hookPoint - Hook point identifier (e.g. "before-login")
+* @returns Function registry name
+*/
+function authHookFunctionName(authName, hookPoint) {
+	return `auth-hook--${authName}--${hookPoint}`;
+}
+/**
+* Collect all function entries from bundled scripts for all services.
+* @param application - Application definition
+* @param workflowJobs - Collected workflow jobs from config
+* @returns Array of function entries to register
+*/
+function collectFunctionEntries(application, workflowJobs) {
+	const entries = [];
+	const distDir = getDistDir();
+	for (const app of application.applications) for (const pipeline of app.resolverServices) for (const resolver of Object.values(pipeline.resolvers)) {
+		const scriptPath = path.join(distDir, "resolvers", `${resolver.name}.js`);
+		try {
+			const content = fs$1.readFileSync(scriptPath, "utf-8");
+			entries.push({
+				name: resolverFunctionName(pipeline.namespace, resolver.name),
+				scriptContent: content,
+				contentHash: computeContentHash(content),
+				description: `Resolver: ${pipeline.namespace}/${resolver.name}`
+			});
+		} catch {
+			logger.warn(`Function file not found: ${scriptPath}`);
+		}
+	}
+	if (application.executorService) {
+		const executors = application.executorService.executors;
+		for (const executor of Object.values(executors)) if (executor.operation.kind === "function" || executor.operation.kind === "jobFunction") {
+			const scriptPath = path.join(distDir, "executors", `${executor.name}.js`);
+			try {
+				const content = fs$1.readFileSync(scriptPath, "utf-8");
+				entries.push({
+					name: executorFunctionName(executor.name),
+					scriptContent: content,
+					contentHash: computeContentHash(content),
+					description: `Executor: ${executor.name}`
+				});
+			} catch {
+				logger.warn(`Function file not found: ${scriptPath}`);
+			}
+		}
+	}
+	for (const job of workflowJobs) {
+		const scriptPath = path.join(distDir, "workflow-jobs", `${job.name}.js`);
+		try {
+			const content = fs$1.readFileSync(scriptPath, "utf-8");
+			entries.push({
+				name: workflowJobFunctionName(job.name),
+				scriptContent: content,
+				contentHash: computeContentHash(content),
+				description: `Workflow job: ${job.name}`
+			});
+		} catch {
+			logger.warn(`Function file not found: ${scriptPath}`);
+		}
+	}
+	for (const app of application.applications) if (app.authService?.config.hooks?.beforeLogin) {
+		const authName = app.authService.config.name;
+		const funcName = authHookFunctionName(authName, "before-login");
+		const scriptPath = path.join(distDir, "auth-hooks", `${funcName}.js`);
+		try {
+			const content = fs$1.readFileSync(scriptPath, "utf-8");
+			entries.push({
+				name: funcName,
+				scriptContent: content,
+				contentHash: computeContentHash(content),
+				description: `Auth hook: ${authName}/before-login`
+			});
+		} catch {
+			logger.warn(`Function file not found: ${scriptPath}`);
+		}
+	}
+	return entries;
+}
+/**
+* Plan function registry changes based on current and desired state.
+* @param client - Operator client instance
+* @param workspaceId - Workspace ID
+* @param appName - Application name
+* @param entries - Desired function entries
+* @returns Planned changes
+*/
+async function planFunctionRegistry(client, workspaceId, appName, entries) {
+	const changeSet = createChangeSet("Function registry");
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const existingFunctions = await fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			const response = await client.listFunctionRegistries({
+				workspaceId,
+				pageToken,
+				pageSize: maxPageSize
+			});
+			return [response.functions.map((f) => ({
+				name: f.name,
+				contentHash: f.contentHash
+			})), response.nextPageToken];
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+	const existingMap = {};
+	await Promise.all(existingFunctions.map(async (func) => {
+		const { metadata } = await client.getMetadata({ trn: functionRegistryTrn(workspaceId, func.name) });
+		existingMap[func.name] = {
+			resource: func,
+			label: metadata?.labels[sdkNameLabelKey]
+		};
+	}));
+	for (const entry of entries) {
+		const existing = existingMap[entry.name];
+		const metaRequest = await buildMetaRequest(functionRegistryTrn(workspaceId, entry.name), appName);
+		if (existing) {
+			if (!existing.label) unmanaged.push({
+				resourceType: "Function registry",
+				resourceName: entry.name
+			});
+			else if (existing.label !== appName) conflicts.push({
+				resourceType: "Function registry",
+				resourceName: entry.name,
+				currentOwner: existing.label
+			});
+			changeSet.updates.push({
+				name: entry.name,
+				entry,
+				metaRequest
+			});
+			delete existingMap[entry.name];
+		} else changeSet.creates.push({
+			name: entry.name,
+			entry,
+			metaRequest
+		});
+	}
+	for (const [name, existing] of Object.entries(existingMap)) {
+		if (!existing) continue;
+		const label = existing.label;
+		if (label && label !== appName) resourceOwners.add(label);
+		if (label === appName) changeSet.deletes.push({
+			name,
+			workspaceId
+		});
+	}
+	changeSet.print();
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
+}
+/**
+* Upload a function script to the function registry using client streaming.
+* @param client - Operator client instance
+* @param workspaceId - Workspace ID
+* @param entry - Function entry to upload
+* @param isCreate - Whether this is a create (true) or update (false)
+*/
+async function uploadFunctionScript(client, workspaceId, entry, isCreate) {
+	const buffer = Buffer.from(entry.scriptContent, "utf-8");
+	const info = {
+		workspaceId,
+		name: entry.name,
+		description: entry.description,
+		sizeBytes: BigInt(buffer.length),
+		contentHash: entry.contentHash
+	};
+	if (isCreate) {
+		/** @yields {MessageInitShape<typeof CreateFunctionRegistryRequestSchema>} Create request messages (info header followed by content chunks) */
+		async function* createStream() {
+			yield { payload: {
+				case: "info",
+				value: info
+			} };
+			for (let i = 0; i < buffer.length; i += CHUNK_SIZE) yield { payload: {
+				case: "chunk",
+				value: buffer.subarray(i, Math.min(i + CHUNK_SIZE, buffer.length))
+			} };
+		}
+		await client.createFunctionRegistry(createStream());
+	} else {
+		/** @yields {MessageInitShape<typeof UpdateFunctionRegistryRequestSchema>} Update request messages (info header followed by content chunks) */
+		async function* updateStream() {
+			yield { payload: {
+				case: "info",
+				value: info
+			} };
+			for (let i = 0; i < buffer.length; i += CHUNK_SIZE) yield { payload: {
+				case: "chunk",
+				value: buffer.subarray(i, Math.min(i + CHUNK_SIZE, buffer.length))
+			} };
+		}
+		await client.updateFunctionRegistry(updateStream());
+	}
+}
+/**
+* Apply function registry changes for the given phase.
+* @param client - Operator client instance
+* @param workspaceId - Workspace ID
+* @param result - Planned function registry changes
+* @param phase - Apply phase
+*/
+async function applyFunctionRegistry(client, workspaceId, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") {
+		for (const create of changeSet.creates) {
+			await uploadFunctionScript(client, workspaceId, create.entry, true);
+			await client.setMetadata(create.metaRequest);
+		}
+		for (const update of changeSet.updates) {
+			await uploadFunctionScript(client, workspaceId, update.entry, false);
+			await client.setMetadata(update.metaRequest);
+		}
+	} else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteFunctionRegistry({
+		workspaceId: del.workspaceId,
+		name: del.name
+	})));
+}
+
 //#endregion
 //#region src/cli/commands/apply/idp.ts
 /**
@@ -1400,6 +1667,7 @@ async function applyAuth(client, result, phase = "create-update") {
 		await Promise.all([...changeSet.userProfileConfig.creates.map((create) => client.createUserProfileConfig(create.request)), ...changeSet.userProfileConfig.updates.map((update) => client.updateUserProfileConfig(update.request))]);
 		await Promise.all([...changeSet.tenantConfig.creates.map((create) => client.createTenantConfig(create.request)), ...changeSet.tenantConfig.updates.map((update) => client.updateTenantConfig(update.request))]);
 		await Promise.all([...changeSet.machineUser.creates.map((create) => client.createAuthMachineUser(create.request)), ...changeSet.machineUser.updates.map((update) => client.updateAuthMachineUser(update.request))]);
+		await Promise.all([...changeSet.authHook.creates.map((create) => client.createAuthHook(create.request)), ...changeSet.authHook.updates.map((update) => client.updateAuthHook(update.request))]);
 		await Promise.all([...changeSet.oauth2Client.creates.map(async (create) => {
 			create.request.oauth2Client.redirectUris = await resolveStaticWebsiteUrls(client, create.request.workspaceId, create.request.oauth2Client.redirectUris, "OAuth2 redirect URIs");
 			return client.createAuthOAuth2Client(create.request);
@@ -1418,6 +1686,7 @@ async function applyAuth(client, result, phase = "create-update") {
 		await Promise.all(changeSet.scimResource.deletes.map((del) => client.deleteAuthSCIMResource(del.request)));
 		await Promise.all(changeSet.scim.deletes.map((del) => client.deleteAuthSCIMConfig(del.request)));
 		await Promise.all(changeSet.oauth2Client.deletes.map((del) => client.deleteAuthOAuth2Client(del.request)));
+		await Promise.all(changeSet.authHook.deletes.map((del) => client.deleteAuthHook(del.request)));
 		await Promise.all(changeSet.machineUser.deletes.map((del) => client.deleteAuthMachineUser(del.request)));
 		await Promise.all(changeSet.tenantConfig.deletes.map((del) => client.deleteTenantConfig(del.request)));
 		await Promise.all(changeSet.userProfileConfig.deletes.map((del) => client.deleteUserProfileConfig(del.request)));
@@ -1438,11 +1707,12 @@ async function planAuth(context) {
 	}
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
-	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet] = await Promise.all([
+	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet] = await Promise.all([
 		planIdPConfigs(client, workspaceId, auths, deletedServices),
 		planUserProfileConfigs(client, workspaceId, auths, deletedServices),
 		planTenantConfigs(client, workspaceId, auths, deletedServices),
 		planMachineUsers(client, workspaceId, auths, deletedServices),
+		planAuthHooks(client, workspaceId, auths, deletedServices),
 		planOAuth2Clients(client, workspaceId, auths, deletedServices),
 		planSCIMConfigs(client, workspaceId, auths, deletedServices),
 		planSCIMResources(client, workspaceId, auths, deletedServices)
@@ -1452,6 +1722,7 @@ async function planAuth(context) {
 	userProfileConfigChangeSet.print();
 	tenantConfigChangeSet.print();
 	machineUserChangeSet.print();
+	authHookChangeSet.print();
 	oauth2ClientChangeSet.print();
 	scimChangeSet.print();
 	scimResourceChangeSet.print();
@@ -1462,6 +1733,7 @@ async function planAuth(context) {
 			userProfileConfig: userProfileConfigChangeSet,
 			tenantConfig: tenantConfigChangeSet,
 			machineUser: machineUserChangeSet,
+			authHook: authHookChangeSet,
 			oauth2Client: oauth2ClientChangeSet,
 			scim: scimChangeSet,
 			scimResource: scimResourceChangeSet
@@ -2261,6 +2533,72 @@ function protoSCIMAttribute(attr) {
 		subAttributes: attr.subAttributes?.map((attr) => protoSCIMAttribute(attr))
 	};
 }
+async function planAuthHooks(client, workspaceId, auths, deletedServices) {
+	const changeSet = createChangeSet("Auth hooks");
+	for (const auth of auths) {
+		const { parsedConfig: config } = auth;
+		const beforeLogin = config.hooks?.beforeLogin;
+		let existingHook;
+		try {
+			await client.getAuthHook({
+				workspaceId,
+				namespaceName: config.name,
+				hookPoint: AuthHookPoint.BEFORE_LOGIN
+			});
+			existingHook = true;
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) existingHook = false;
+			else throw error;
+		}
+		if (beforeLogin) {
+			const hookRequest = {
+				workspaceId,
+				namespaceName: config.name,
+				hook: {
+					hookPoint: AuthHookPoint.BEFORE_LOGIN,
+					scriptRef: authHookFunctionName(config.name, "before-login"),
+					invoker: {
+						namespace: config.name,
+						machineUserName: beforeLogin.invoker
+					}
+				}
+			};
+			if (existingHook) changeSet.updates.push({
+				name: `${config.name}/before-login`,
+				request: hookRequest
+			});
+			else changeSet.creates.push({
+				name: `${config.name}/before-login`,
+				request: hookRequest
+			});
+		} else if (existingHook) changeSet.deletes.push({
+			name: `${config.name}/before-login`,
+			request: {
+				workspaceId,
+				namespaceName: config.name,
+				hookPoint: AuthHookPoint.BEFORE_LOGIN
+			}
+		});
+	}
+	for (const namespaceName of deletedServices) try {
+		await client.getAuthHook({
+			workspaceId,
+			namespaceName,
+			hookPoint: AuthHookPoint.BEFORE_LOGIN
+		});
+		changeSet.deletes.push({
+			name: `${namespaceName}/before-login`,
+			request: {
+				workspaceId,
+				namespaceName,
+				hookPoint: AuthHookPoint.BEFORE_LOGIN
+			}
+		});
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.NotFound) {} else throw error;
+	}
+	return changeSet;
+}
 
 //#endregion
 //#region src/cli/shared/prompt.ts
@@ -2325,358 +2663,116 @@ async function confirmOwnerConflict(conflicts, appName, yes) {
 */
 async function confirmUnmanagedResources(resources, appName, yes) {
 	if (resources.length === 0) return;
-	logger.warn("Existing resources not tracked by tailor-sdk were found:");
-	logger.log(`  ${styles.info("Resources")}:`);
-	for (const r of resources) logger.log(`    • ${styles.bold(r.resourceType)} ${styles.info(`"${r.resourceName}"`)}`);
-	logger.newline();
-	logger.log("  These resources may have been created by older SDK versions, Terraform, or CUE.");
-	logger.log("  To continue, confirm that tailor-sdk should manage them.");
-	logger.log("  If they are managed by another tool (e.g., Terraform), cancel and manage them there instead.");
-	if (yes) {
-		logger.success(`Adding to "${appName}" (--yes flag specified)...`, { mode: "plain" });
-		return;
-	}
-	if (!await prompt.confirm({
-		message: `Allow tailor-sdk to manage these resources for "${appName}"?`,
-		default: false
-	})) throw new Error(ml`
-      Apply cancelled. Resources remain unmanaged.
-      To override, run again and confirm, or use --yes flag.
-    `);
-}
-/**
-* Confirm deletion of important resources.
-* @param resources - Resources scheduled for deletion
-* @param yes - Whether to auto-confirm without prompting
-* @returns Promise that resolves when confirmation completes
-*/
-async function confirmImportantResourceDeletion(resources, yes) {
-	if (resources.length === 0) return;
-	logger.warn("The following resources will be deleted:");
-	logger.log(`  ${styles.info("Resources")}:`);
-	for (const r of resources) logger.log(`    • ${styles.bold(r.resourceType)} ${styles.error(`"${r.resourceName}"`)}`);
-	logger.newline();
-	logger.log(styles.warning("  Deleting these resources will permanently remove all associated data."));
-	if (yes) {
-		logger.success("Deleting resources (--yes flag specified)...", { mode: "plain" });
-		return;
-	}
-	if (!await prompt.confirm({
-		message: "Are you sure you want to delete these resources?",
-		default: false
-	})) throw new Error(ml`
-      Apply cancelled. Resources will not be deleted.
-      To override, run again and confirm, or use --yes flag.
-    `);
-}
-
-//#endregion
-//#region src/cli/shared/runtime-args.ts
-/**
-* Runtime args transformation for all services.
-*
-* Each service transforms server-side args/context into SDK-friendly format:
-* - Executor: server-side expression evaluated by platform before calling function
-* - Resolver: operationHook expression evaluated by platform before calling function
-*
-* The user field mapping (server → SDK) shared across services is defined in
-* `@/parser/service/tailordb` as `tailorUserMap`.
-*/
-/**
-* Actor field transformation expression.
-*
-* Transforms the server's actor object to match the SDK's TailorActor type:
-*   server `attributeMap`  → SDK `attributes`
-*   server `attributes`    → SDK `attributeList`
-*   other fields           → passed through
-*   null/undefined actor   → null
-*/
-const ACTOR_TRANSFORM_EXPR = "actor: args.actor ? (({ attributeMap, attributes: attrList, ...rest }) => ({ ...rest, attributes: attributeMap, attributeList: attrList }))(args.actor) : null";
-/**
-* Build the JavaScript expression that transforms server-format executor event
-* args into SDK-format args at runtime.
-*
-* The Tailor Platform server delivers event args with server-side field names.
-* The SDK exposes different field names to user code. This function produces a
-* JavaScript expression string that performs the mapping when evaluated
-* server-side.
-* @param triggerKind - The trigger kind discriminant from the parsed executor
-* @param env - Application env record to embed in the expression
-* @returns A JavaScript expression string, e.g. `({ ...args, ... })`
-*/
-function buildExecutorArgsExpr(triggerKind, env) {
-	const envExpr = `env: ${JSON.stringify(env)}`;
-	switch (triggerKind) {
-		case "schedule":
-		case "recordCreated":
-		case "recordUpdated":
-		case "recordDeleted":
-		case "idpUserCreated":
-		case "idpUserUpdated":
-		case "idpUserDeleted":
-		case "authAccessTokenIssued":
-		case "authAccessTokenRefreshed":
-		case "authAccessTokenRevoked": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
-		case "resolverExecuted": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, success: !!args.succeeded, result: args.succeeded?.result.resolver, error: args.failed?.error, ${envExpr} })`;
-		case "incomingWebhook": return `({ ...args, appNamespace: args.namespaceName, rawBody: args.raw_body, ${envExpr} })`;
-		default: throw new Error(`Unknown trigger kind for args expression: ${triggerKind}`);
-	}
-}
-/**
-* Build the operationHook expression for resolver pipelines.
-*
-* Transforms server context to SDK resolver context:
-*   context.args        → input
-*   context.pipeline     → spread into result
-*   user (global var)    → TailorUser (via tailorUserMap: workspace_id→workspaceId, attribute_map→attributes, attributes→attributeList)
-*   env                 → injected as JSON
-* @param env - Application env record to embed in the expression
-* @returns A JavaScript expression string for the operationHook
-*/
-function buildResolverOperationHookExpr(env) {
-	return `({ ...context.pipeline, input: context.args, user: ${tailorUserMap}, env: ${JSON.stringify(env)} });`;
-}
-
-//#endregion
-//#region src/cli/commands/apply/function-registry.ts
-const CHUNK_SIZE = 64 * 1024;
-/**
-* Compute SHA-256 content hash for a script string.
-* @param content - Script content to hash
-* @returns Hex-encoded SHA-256 hash
-*/
-function computeContentHash(content) {
-	return crypto.createHash("sha256").update(content, "utf-8").digest("hex");
-}
-function functionRegistryTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
-}
-/**
-* Build a function registry name for a resolver.
-* @param namespace - Resolver namespace
-* @param resolverName - Resolver name
-* @returns Function registry name
-*/
-function resolverFunctionName(namespace, resolverName) {
-	return `resolver--${namespace}--${resolverName}`;
-}
-/**
-* Build a function registry name for an executor.
-* @param executorName - Executor name
-* @returns Function registry name
-*/
-function executorFunctionName(executorName) {
-	return `executor--${executorName}`;
-}
-/**
-* Build a function registry name for a workflow job.
-* @param jobName - Workflow job name
-* @returns Function registry name
-*/
-function workflowJobFunctionName(jobName) {
-	return `workflow--${jobName}`;
-}
-/**
-* Collect all function entries from bundled scripts for all services.
-* @param application - Application definition
-* @param workflowJobs - Collected workflow jobs from config
-* @returns Array of function entries to register
-*/
-function collectFunctionEntries(application, workflowJobs) {
-	const entries = [];
-	const distDir = getDistDir();
-	for (const app of application.applications) for (const pipeline of app.resolverServices) for (const resolver of Object.values(pipeline.resolvers)) {
-		const scriptPath = path.join(distDir, "resolvers", `${resolver.name}.js`);
-		try {
-			const content = fs$1.readFileSync(scriptPath, "utf-8");
-			entries.push({
-				name: resolverFunctionName(pipeline.namespace, resolver.name),
-				scriptContent: content,
-				contentHash: computeContentHash(content),
-				description: `Resolver: ${pipeline.namespace}/${resolver.name}`
-			});
-		} catch {
-			logger.warn(`Function file not found: ${scriptPath}`);
-		}
-	}
-	if (application.executorService) {
-		const executors = application.executorService.executors;
-		for (const executor of Object.values(executors)) if (executor.operation.kind === "function" || executor.operation.kind === "jobFunction") {
-			const scriptPath = path.join(distDir, "executors", `${executor.name}.js`);
-			try {
-				const content = fs$1.readFileSync(scriptPath, "utf-8");
-				entries.push({
-					name: executorFunctionName(executor.name),
-					scriptContent: content,
-					contentHash: computeContentHash(content),
-					description: `Executor: ${executor.name}`
-				});
-			} catch {
-				logger.warn(`Function file not found: ${scriptPath}`);
-			}
-		}
-	}
-	for (const job of workflowJobs) {
-		const scriptPath = path.join(distDir, "workflow-jobs", `${job.name}.js`);
-		try {
-			const content = fs$1.readFileSync(scriptPath, "utf-8");
-			entries.push({
-				name: workflowJobFunctionName(job.name),
-				scriptContent: content,
-				contentHash: computeContentHash(content),
-				description: `Workflow job: ${job.name}`
-			});
-		} catch {
-			logger.warn(`Function file not found: ${scriptPath}`);
-		}
+	logger.warn("Existing resources not tracked by tailor-sdk were found:");
+	logger.log(`  ${styles.info("Resources")}:`);
+	for (const r of resources) logger.log(`    • ${styles.bold(r.resourceType)} ${styles.info(`"${r.resourceName}"`)}`);
+	logger.newline();
+	logger.log("  These resources may have been created by older SDK versions, Terraform, or CUE.");
+	logger.log("  To continue, confirm that tailor-sdk should manage them.");
+	logger.log("  If they are managed by another tool (e.g., Terraform), cancel and manage them there instead.");
+	if (yes) {
+		logger.success(`Adding to "${appName}" (--yes flag specified)...`, { mode: "plain" });
+		return;
 	}
-	return entries;
+	if (!await prompt.confirm({
+		message: `Allow tailor-sdk to manage these resources for "${appName}"?`,
+		default: false
+	})) throw new Error(ml`
+      Apply cancelled. Resources remain unmanaged.
+      To override, run again and confirm, or use --yes flag.
+    `);
 }
 /**
-* Plan function registry changes based on current and desired state.
-* @param client - Operator client instance
-* @param workspaceId - Workspace ID
-* @param appName - Application name
-* @param entries - Desired function entries
-* @returns Planned changes
+* Confirm deletion of important resources.
+* @param resources - Resources scheduled for deletion
+* @param yes - Whether to auto-confirm without prompting
+* @returns Promise that resolves when confirmation completes
 */
-async function planFunctionRegistry(client, workspaceId, appName, entries) {
-	const changeSet = createChangeSet("Function registry");
-	const conflicts = [];
-	const unmanaged = [];
-	const resourceOwners = /* @__PURE__ */ new Set();
-	const existingFunctions = await fetchAll(async (pageToken, maxPageSize) => {
-		try {
-			const response = await client.listFunctionRegistries({
-				workspaceId,
-				pageToken,
-				pageSize: maxPageSize
-			});
-			return [response.functions.map((f) => ({
-				name: f.name,
-				contentHash: f.contentHash
-			})), response.nextPageToken];
-		} catch (error) {
-			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
-			throw error;
-		}
-	});
-	const existingMap = {};
-	await Promise.all(existingFunctions.map(async (func) => {
-		const { metadata } = await client.getMetadata({ trn: functionRegistryTrn(workspaceId, func.name) });
-		existingMap[func.name] = {
-			resource: func,
-			label: metadata?.labels[sdkNameLabelKey]
-		};
-	}));
-	for (const entry of entries) {
-		const existing = existingMap[entry.name];
-		const metaRequest = await buildMetaRequest(functionRegistryTrn(workspaceId, entry.name), appName);
-		if (existing) {
-			if (!existing.label) unmanaged.push({
-				resourceType: "Function registry",
-				resourceName: entry.name
-			});
-			else if (existing.label !== appName) conflicts.push({
-				resourceType: "Function registry",
-				resourceName: entry.name,
-				currentOwner: existing.label
-			});
-			changeSet.updates.push({
-				name: entry.name,
-				entry,
-				metaRequest
-			});
-			delete existingMap[entry.name];
-		} else changeSet.creates.push({
-			name: entry.name,
-			entry,
-			metaRequest
-		});
-	}
-	for (const [name, existing] of Object.entries(existingMap)) {
-		if (!existing) continue;
-		const label = existing.label;
-		if (label && label !== appName) resourceOwners.add(label);
-		if (label === appName) changeSet.deletes.push({
-			name,
-			workspaceId
-		});
+async function confirmImportantResourceDeletion(resources, yes) {
+	if (resources.length === 0) return;
+	logger.warn("The following resources will be deleted:");
+	logger.log(`  ${styles.info("Resources")}:`);
+	for (const r of resources) logger.log(`    • ${styles.bold(r.resourceType)} ${styles.error(`"${r.resourceName}"`)}`);
+	logger.newline();
+	logger.log(styles.warning("  Deleting these resources will permanently remove all associated data."));
+	if (yes) {
+		logger.success("Deleting resources (--yes flag specified)...", { mode: "plain" });
+		return;
 	}
-	changeSet.print();
-	return {
-		changeSet,
-		conflicts,
-		unmanaged,
-		resourceOwners
-	};
+	if (!await prompt.confirm({
+		message: "Are you sure you want to delete these resources?",
+		default: false
+	})) throw new Error(ml`
+      Apply cancelled. Resources will not be deleted.
+      To override, run again and confirm, or use --yes flag.
+    `);
 }
+
+//#endregion
+//#region src/cli/shared/runtime-args.ts
 /**
-* Upload a function script to the function registry using client streaming.
-* @param client - Operator client instance
-* @param workspaceId - Workspace ID
-* @param entry - Function entry to upload
-* @param isCreate - Whether this is a create (true) or update (false)
+* Runtime args transformation for all services.
+*
+* Each service transforms server-side args/context into SDK-friendly format:
+* - Executor: server-side expression evaluated by platform before calling function
+* - Resolver: operationHook expression evaluated by platform before calling function
+*
+* The user field mapping (server → SDK) shared across services is defined in
+* `@/parser/service/tailordb` as `tailorUserMap`.
 */
-async function uploadFunctionScript(client, workspaceId, entry, isCreate) {
-	const buffer = Buffer.from(entry.scriptContent, "utf-8");
-	const info = {
-		workspaceId,
-		name: entry.name,
-		description: entry.description,
-		sizeBytes: BigInt(buffer.length),
-		contentHash: entry.contentHash
-	};
-	if (isCreate) {
-		/** @yields {MessageInitShape<typeof CreateFunctionRegistryRequestSchema>} Create request messages (info header followed by content chunks) */
-		async function* createStream() {
-			yield { payload: {
-				case: "info",
-				value: info
-			} };
-			for (let i = 0; i < buffer.length; i += CHUNK_SIZE) yield { payload: {
-				case: "chunk",
-				value: buffer.subarray(i, Math.min(i + CHUNK_SIZE, buffer.length))
-			} };
-		}
-		await client.createFunctionRegistry(createStream());
-	} else {
-		/** @yields {MessageInitShape<typeof UpdateFunctionRegistryRequestSchema>} Update request messages (info header followed by content chunks) */
-		async function* updateStream() {
-			yield { payload: {
-				case: "info",
-				value: info
-			} };
-			for (let i = 0; i < buffer.length; i += CHUNK_SIZE) yield { payload: {
-				case: "chunk",
-				value: buffer.subarray(i, Math.min(i + CHUNK_SIZE, buffer.length))
-			} };
-		}
-		await client.updateFunctionRegistry(updateStream());
+/**
+* Actor field transformation expression.
+*
+* Transforms the server's actor object to match the SDK's TailorActor type:
+*   server `attributeMap`  → SDK `attributes`
+*   server `attributes`    → SDK `attributeList`
+*   other fields           → passed through
+*   null/undefined actor   → null
+*/
+const ACTOR_TRANSFORM_EXPR = "actor: args.actor ? (({ attributeMap, attributes: attrList, ...rest }) => ({ ...rest, attributes: attributeMap, attributeList: attrList }))(args.actor) : null";
+/**
+* Build the JavaScript expression that transforms server-format executor event
+* args into SDK-format args at runtime.
+*
+* The Tailor Platform server delivers event args with server-side field names.
+* The SDK exposes different field names to user code. This function produces a
+* JavaScript expression string that performs the mapping when evaluated
+* server-side.
+* @param triggerKind - The trigger kind discriminant from the parsed executor
+* @param env - Application env record to embed in the expression
+* @returns A JavaScript expression string, e.g. `({ ...args, ... })`
+*/
+function buildExecutorArgsExpr(triggerKind, env) {
+	const envExpr = `env: ${JSON.stringify(env)}`;
+	switch (triggerKind) {
+		case "schedule":
+		case "recordCreated":
+		case "recordUpdated":
+		case "recordDeleted":
+		case "idpUserCreated":
+		case "idpUserUpdated":
+		case "idpUserDeleted":
+		case "authAccessTokenIssued":
+		case "authAccessTokenRefreshed":
+		case "authAccessTokenRevoked": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
+		case "resolverExecuted": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, success: !!args.succeeded, result: args.succeeded?.result.resolver, error: args.failed?.error, ${envExpr} })`;
+		case "incomingWebhook": return `({ ...args, appNamespace: args.namespaceName, rawBody: args.raw_body, ${envExpr} })`;
+		default: throw new Error(`Unknown trigger kind for args expression: ${triggerKind}`);
 	}
 }
 /**
-* Apply function registry changes for the given phase.
-* @param client - Operator client instance
-* @param workspaceId - Workspace ID
-* @param result - Planned function registry changes
-* @param phase - Apply phase
+* Build the operationHook expression for resolver pipelines.
+*
+* Transforms server context to SDK resolver context:
+*   context.args        → input
+*   context.pipeline     → spread into result
+*   user (global var)    → TailorUser (via tailorUserMap: workspace_id→workspaceId, attribute_map→attributes, attributes→attributeList)
+*   env                 → injected as JSON
+* @param env - Application env record to embed in the expression
+* @returns A JavaScript expression string for the operationHook
 */
-async function applyFunctionRegistry(client, workspaceId, result, phase = "create-update") {
-	const { changeSet } = result;
-	if (phase === "create-update") {
-		for (const create of changeSet.creates) {
-			await uploadFunctionScript(client, workspaceId, create.entry, true);
-			await client.setMetadata(create.metaRequest);
-		}
-		for (const update of changeSet.updates) {
-			await uploadFunctionScript(client, workspaceId, update.entry, false);
-			await client.setMetadata(update.metaRequest);
-		}
-	} else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteFunctionRegistry({
-		workspaceId: del.workspaceId,
-		name: del.name
-	})));
+function buildResolverOperationHookExpr(env) {
+	return `({ ...context.pipeline, input: context.args, user: ${tailorUserMap}, env: ${JSON.stringify(env)} });`;
 }
 
 //#endregion
@@ -9685,6 +9781,17 @@ const removeCommand$1 = defineAppCommand({
 	}
 });
 
+//#endregion
+//#region src/cli/shared/beta.ts
+/**
+* Warn that a feature is in beta.
+* @param {string} featureName - Name of the beta feature (e.g., "tailordb erd", "tailordb migration")
+*/
+function logBetaWarning(featureName) {
+	logger.warn(`The '${featureName}' command is a beta feature and may introduce breaking changes in future releases.`);
+	logger.newline();
+}
+
 //#endregion
 //#region src/cli/commands/show.ts
 function applicationInfo(app) {
@@ -9742,17 +9849,6 @@ const showCommand = defineAppCommand({
 	}
 });
 
-//#endregion
-//#region src/cli/shared/beta.ts
-/**
-* Warn that a feature is in beta.
-* @param {string} featureName - Name of the beta feature (e.g., "tailordb erd", "tailordb migration")
-*/
-function logBetaWarning(featureName) {
-	logger.warn(`The '${featureName}' command is a beta feature and may introduce breaking changes in future releases.`);
-	logger.newline();
-}
-
 //#endregion
 //#region src/cli/shared/editor.ts
 const DEFAULT_EDITOR = "editor";
@@ -10326,7 +10422,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-DegTCDd8.mjs");
+	const { defineApplication } = await import("./application-CxH6Yp54.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -12504,5 +12600,5 @@ function printGqlResult(result, options = {}) {
 }
 
 //#endregion
-export { listExecutors as $, truncate as A, getLatestMigrationNumber as At, listOAuth2Clients as B, hasChanges as Bt, listCommand$2 as C, INITIAL_SCHEMA_NUMBER as Ct, resumeWorkflow as D, compareSnapshots as Dt, resumeCommand as E, compareLocalTypesWithSnapshot as Et, show as F, isValidMigrationNumber as Ft, listCommand$5 as G, apiCall as Gt, getOAuth2Client as H, prompt as Ht, showCommand as I, loadDiff as It, listWebhookExecutors as J, commonArgs as Jt, listMachineUsers as K, apiCommand as Kt, remove as L, reconstructSnapshotFromMigrations as Lt, generate as M, getMigrationFilePath as Mt, generateCommand as N, getMigrationFiles as Nt, listCommand$3 as O, createSnapshotFromLocalTypes as Ot, logBetaWarning as P, getNextMigrationNumber as Pt, listCommand$6 as Q, workspaceArgs as Qt, removeCommand$1 as R, formatDiffSummary as Rt, listApps as S, DIFF_FILE_NAME as St, healthCommand as T, SCHEMA_FILE_NAME as Tt, getMachineUserToken as U, trnPrefix as Ut, getCommand$1 as V, getNamespacesWithMigrations as Vt, tokenCommand as W, generateUserTypes as Wt, triggerCommand as X, deploymentArgs as Xt, webhookCommand as Y, confirmationArgs as Yt, triggerExecutor as Z, isVerbose as Zt, getWorkspace as _, waitForExecution$1 as _t, updateUser as a, startWorkflow as at, createCommand as b, bundleMigrationScript as bt, listCommand as c, executionsCommand as ct, inviteUser as d, functionExecutionStatusToString as dt, getExecutorJob as et, restoreCommand as f, formatKeyValueTable as ft, getCommand as g, executeScript as gt, listWorkspaces as h, apply as ht, updateCommand as i, startCommand as it, truncateCommand as j, getMigrationDirPath as jt, listWorkflows as k, formatMigrationNumber as kt, listUsers as l, getWorkflowExecution as lt, listCommand$1 as m, getExecutor as mt, queryCommand as n, listExecutorJobs as nt, removeCommand as o, getCommand$2 as ot, restoreWorkspace as p, getCommand$3 as pt, generate$1 as q, defineAppCommand as qt, isCLIError as r, watchExecutorJob as rt, removeUser as s, getWorkflow as st, query as t, jobsCommand as tt, inviteCommand as u, listWorkflowExecutions as ut, deleteCommand as v, MIGRATION_LABEL_KEY as vt, getAppHealth as w, MIGRATE_FILE_NAME as wt, createWorkspace as x, DB_TYPES_FILE_NAME as xt, deleteWorkspace as y, parseMigrationLabelNumber as yt, listCommand$4 as z, formatMigrationDiff as zt };
-//# sourceMappingURL=query-kb_4EQp4.mjs.map
+export { listExecutors as $, truncate as A, getLatestMigrationNumber as At, listOAuth2Clients as B, hasChanges as Bt, listCommand$2 as C, INITIAL_SCHEMA_NUMBER as Ct, resumeWorkflow as D, compareSnapshots as Dt, resumeCommand as E, compareLocalTypesWithSnapshot as Et, showCommand as F, isValidMigrationNumber as Ft, listCommand$5 as G, apiCall as Gt, getOAuth2Client as H, prompt as Ht, logBetaWarning as I, loadDiff as It, listWebhookExecutors as J, commonArgs as Jt, listMachineUsers as K, apiCommand as Kt, remove as L, reconstructSnapshotFromMigrations as Lt, generate as M, getMigrationFilePath as Mt, generateCommand as N, getMigrationFiles as Nt, listCommand$3 as O, createSnapshotFromLocalTypes as Ot, show as P, getNextMigrationNumber as Pt, listCommand$6 as Q, workspaceArgs as Qt, removeCommand$1 as R, formatDiffSummary as Rt, listApps as S, DIFF_FILE_NAME as St, healthCommand as T, SCHEMA_FILE_NAME as Tt, getMachineUserToken as U, trnPrefix as Ut, getCommand$1 as V, getNamespacesWithMigrations as Vt, tokenCommand as W, generateUserTypes as Wt, triggerCommand as X, deploymentArgs as Xt, webhookCommand as Y, confirmationArgs as Yt, triggerExecutor as Z, isVerbose as Zt, getWorkspace as _, waitForExecution$1 as _t, updateUser as a, startWorkflow as at, createCommand as b, bundleMigrationScript as bt, listCommand as c, executionsCommand as ct, inviteUser as d, functionExecutionStatusToString as dt, getExecutorJob as et, restoreCommand as f, formatKeyValueTable as ft, getCommand as g, executeScript as gt, listWorkspaces as h, apply as ht, updateCommand as i, startCommand as it, truncateCommand as j, getMigrationDirPath as jt, listWorkflows as k, formatMigrationNumber as kt, listUsers as l, getWorkflowExecution as lt, listCommand$1 as m, getExecutor as mt, queryCommand as n, listExecutorJobs as nt, removeCommand as o, getCommand$2 as ot, restoreWorkspace as p, getCommand$3 as pt, generate$1 as q, defineAppCommand as qt, isCLIError as r, watchExecutorJob as rt, removeUser as s, getWorkflow as st, query as t, jobsCommand as tt, inviteCommand as u, listWorkflowExecutions as ut, deleteCommand as v, MIGRATION_LABEL_KEY as vt, getAppHealth as w, MIGRATE_FILE_NAME as wt, createWorkspace as x, DB_TYPES_FILE_NAME as xt, deleteWorkspace as y, parseMigrationLabelNumber as yt, listCommand$4 as z, formatMigrationDiff as zt };
+//# sourceMappingURL=query-B8ml6ClT.mjs.map