@tailor-platform/sdk 1.25.4 → 1.27.0

package/dist/application-CBJFUKrU.mjs

@@ -0,0 +1,4701 @@
+import { n as isSdkBranded } from "./brand-GZnI4eYb.mjs";
+import { n as logger, r as styles } from "./logger-CqezTedh.mjs";
+import { o as initOAuth2Client } from "./client-bTbnbQbB.mjs";
+import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-CWkIDWMb.mjs";
+import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "./enum-constants-D1nfn0qD.mjs";
+import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-Bctuzn3x.mjs";
+import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "./kysely-type-B_IecdK9.mjs";
+import { createRequire } from "node:module";
+import { z } from "zod";
+import * as fs$1 from "node:fs";
+import { mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import * as path from "pathe";
+import { join, resolve } from "pathe";
+import { resolveTSConfig } from "pkg-types";
+import * as os from "node:os";
+import { parseTOML, parseYAML, stringifyYAML } from "confbox";
+import { findUpSync } from "find-up-simple";
+import ml from "multiline-ts";
+import { xdgConfig } from "xdg-basedir";
+import * as crypto from "node:crypto";
+import * as rolldown from "rolldown";
+import * as fs from "node:fs/promises";
+import { parseSync } from "oxc-parser";
+import { pathToFileURL } from "node:url";
+import * as inflection from "inflection";
+import * as globals from "globals";
+
+//#region src/cli/shared/context.ts
+const pfConfigSchema = z.object({
+	version: z.literal(1),
+	users: z.partialRecord(z.string(), z.object({
+		access_token: z.string(),
+		refresh_token: z.string(),
+		token_expires_at: z.string()
+	})),
+	profiles: z.partialRecord(z.string(), z.object({
+		user: z.string(),
+		workspace_id: z.string()
+	})),
+	current_user: z.string().nullable()
+});
+function platformConfigPath() {
+	if (!xdgConfig) throw new Error("User home directory not found");
+	return path.join(xdgConfig, "tailor-platform", "config.yaml");
+}
+/**
+* Read Tailor Platform CLI configuration, migrating from tailorctl if necessary.
+* @returns Parsed platform configuration
+*/
+function readPlatformConfig() {
+	const configPath = platformConfigPath();
+	if (!fs$1.existsSync(configPath)) {
+		logger.warn(`Config not found at ${configPath}, migrating from tailorctl config...`);
+		const tcConfig = readTailorctlConfig();
+		const pfConfig = tcConfig ? fromTailorctlConfig(tcConfig) : {
+			version: 1,
+			users: {},
+			profiles: {},
+			current_user: null
+		};
+		writePlatformConfig(pfConfig);
+		return pfConfig;
+	}
+	const rawConfig = parseYAML(fs$1.readFileSync(configPath, "utf-8"));
+	return pfConfigSchema.parse(rawConfig);
+}
+/**
+* Write Tailor Platform CLI configuration to disk.
+* @param config - Platform configuration to write
+*/
+function writePlatformConfig(config) {
+	const configPath = platformConfigPath();
+	fs$1.mkdirSync(path.dirname(configPath), { recursive: true });
+	fs$1.writeFileSync(configPath, stringifyYAML(config));
+}
+const tcContextConfigSchema = z.object({
+	username: z.string().optional(),
+	controlplaneaccesstoken: z.string().optional(),
+	controlplanerefreshtoken: z.string().optional(),
+	controlplanetokenexpiresat: z.string().optional(),
+	workspaceid: z.string().optional()
+});
+const tcConfigSchema = z.object({ global: z.object({ context: z.string().optional() }).optional() }).catchall(tcContextConfigSchema.optional());
+function readTailorctlConfig() {
+	const configPath = path.join(os.homedir(), ".tailorctl", "config");
+	if (!fs$1.existsSync(configPath)) return;
+	const rawConfig = parseTOML(fs$1.readFileSync(configPath, "utf-8"));
+	return tcConfigSchema.parse(rawConfig);
+}
+function fromTailorctlConfig(config) {
+	const users = {};
+	const profiles = {};
+	let currentUser = null;
+	const currentContext = config.global?.context || "default";
+	for (const [key, val] of Object.entries(config)) {
+		if (key === "global") continue;
+		const context = val;
+		if (!context.username || !context.controlplaneaccesstoken || !context.controlplanerefreshtoken || !context.controlplanetokenexpiresat || !context.workspaceid) continue;
+		if (key === currentContext) currentUser = context.username;
+		profiles[key] = {
+			user: context.username,
+			workspace_id: context.workspaceid
+		};
+		const user = users[context.username];
+		if (!user || new Date(user.token_expires_at) < new Date(context.controlplanetokenexpiresat)) users[context.username] = {
+			access_token: context.controlplaneaccesstoken,
+			refresh_token: context.controlplanerefreshtoken,
+			token_expires_at: context.controlplanetokenexpiresat
+		};
+	}
+	return {
+		version: 1,
+		users,
+		profiles,
+		current_user: currentUser
+	};
+}
+function validateUUID(value, source) {
+	const result = z.uuid().safeParse(value);
+	if (!result.success) throw new Error(`Invalid value from ${source}: must be a valid UUID`);
+	return result.data;
+}
+/**
+* Load workspace ID from command options, environment variables, or platform config.
+* In CLI context, env fallback is also handled by politty's arg env option.
+* Priority: opts/workspaceId > env/workspaceId > opts/profile > error
+* @param opts - Workspace and profile options
+* @returns Resolved workspace ID
+*/
+function loadWorkspaceId(opts) {
+	if (opts?.workspaceId) return validateUUID(opts.workspaceId, "--workspace-id option");
+	if (process.env.TAILOR_PLATFORM_WORKSPACE_ID) return validateUUID(process.env.TAILOR_PLATFORM_WORKSPACE_ID, "TAILOR_PLATFORM_WORKSPACE_ID environment variable");
+	const profile = opts?.profile || process.env.TAILOR_PLATFORM_PROFILE;
+	if (profile) {
+		const wsId = readPlatformConfig().profiles[profile]?.workspace_id;
+		if (!wsId) throw new Error(`Profile "${profile}" not found`);
+		return validateUUID(wsId, `profile "${profile}"`);
+	}
+	throw new Error(ml`
+    Workspace ID not found.
+    Please specify workspace ID via --workspace-id option or TAILOR_PLATFORM_WORKSPACE_ID environment variable.
+  `);
+}
+/**
+* Load access token from environment variables, command options, or platform config.
+* In CLI context, profile env fallback is also handled by politty's arg env option.
+* Priority: env/TAILOR_PLATFORM_TOKEN > env/TAILOR_TOKEN (deprecated) > opts/profile > env/profile > config/currentUser > error
+* @param opts - Profile options
+* @returns Resolved access token
+*/
+async function loadAccessToken(opts) {
+	if (process.env.TAILOR_PLATFORM_TOKEN) return process.env.TAILOR_PLATFORM_TOKEN;
+	if (process.env.TAILOR_TOKEN) {
+		logger.warn("TAILOR_TOKEN is deprecated. Please use TAILOR_PLATFORM_TOKEN instead.");
+		return process.env.TAILOR_TOKEN;
+	}
+	const pfConfig = readPlatformConfig();
+	let user;
+	const profile = opts?.useProfile ? opts.profile || process.env.TAILOR_PLATFORM_PROFILE : void 0;
+	if (profile) {
+		const u = pfConfig.profiles[profile]?.user;
+		if (!u) throw new Error(`Profile "${profile}" not found`);
+		user = u;
+	} else {
+		const u = pfConfig.current_user;
+		if (!u) throw new Error(ml`
+        Tailor Platform token not found.
+        Please specify token via TAILOR_PLATFORM_TOKEN environment variable or login using 'tailor-sdk login' command.
+      `);
+		user = u;
+	}
+	return await fetchLatestToken(pfConfig, user);
+}
+/**
+* Fetch the latest access token, refreshing if necessary.
+* @param config - Platform config
+* @param user - User name
+* @returns Latest access token
+*/
+async function fetchLatestToken(config, user) {
+	const tokens = config.users[user];
+	if (!tokens) throw new Error(ml`
+      User "${user}" not found.
+      Please verify your user name and login using 'tailor-sdk login' command.
+    `);
+	if (new Date(tokens.token_expires_at) > /* @__PURE__ */ new Date()) return tokens.access_token;
+	const client = initOAuth2Client();
+	let resp;
+	try {
+		resp = await client.refreshToken({
+			accessToken: tokens.access_token,
+			refreshToken: tokens.refresh_token,
+			expiresAt: Date.parse(tokens.token_expires_at)
+		});
+	} catch {
+		throw new Error(ml`
+      Failed to refresh token. Your session may have expired.
+      Please run 'tailor-sdk login' and try again.
+    `);
+	}
+	config.users[user] = {
+		access_token: resp.accessToken,
+		refresh_token: resp.refreshToken,
+		token_expires_at: new Date(resp.expiresAt).toISOString()
+	};
+	writePlatformConfig(config);
+	return resp.accessToken;
+}
+const DEFAULT_CONFIG_FILENAME = "tailor.config.ts";
+/**
+* Load config path from command options, environment variables, or search parent directories.
+* In CLI context, env fallback is also handled by politty's arg env option.
+* Priority: opts/config > env/config > search parent directories
+* @param configPath - Optional explicit config path
+* @returns Resolved config path or undefined
+*/
+function loadConfigPath(configPath) {
+	if (configPath) return configPath;
+	if (process.env.TAILOR_PLATFORM_SDK_CONFIG_PATH) return process.env.TAILOR_PLATFORM_SDK_CONFIG_PATH;
+	return findUpSync(DEFAULT_CONFIG_FILENAME);
+}
+
+//#endregion
+//#region src/cli/cache/hasher.ts
+/**
+* Compute the SHA-256 hex digest of an arbitrary string.
+* @param content - The string content to hash
+* @returns Hex-encoded SHA-256 hash
+*/
+function hashContent(content) {
+	return crypto.createHash("sha256").update(content, "utf-8").digest("hex");
+}
+/**
+* Read a file and return its SHA-256 hex digest.
+* @param filePath - Absolute path to the file
+* @returns Hex-encoded SHA-256 hash of the file content
+*/
+function hashFile(filePath) {
+	const content = fs$1.readFileSync(filePath);
+	return crypto.createHash("sha256").update(content).digest("hex");
+}
+/**
+* Compute a deterministic SHA-256 hash for multiple files.
+*
+* Paths are sorted alphabetically before hashing so that the result
+* is independent of the order the paths are supplied (e.g. glob ordering).
+* Each file's individual hash is concatenated and then hashed again.
+* @param filePaths - Array of absolute file paths
+* @returns Hex-encoded SHA-256 hash representing all files
+*/
+function hashFiles(filePaths) {
+	return hashContent([...filePaths].sort().map((fp) => hashFile(fp)).join(""));
+}
+
+//#endregion
+//#region src/cli/shared/dist-dir.ts
+let distPath = null;
+const getDistDir = () => {
+	const configured = process.env.TAILOR_SDK_OUTPUT_DIR;
+	if (configured && configured !== distPath) distPath = configured;
+	else if (distPath === null) distPath = configured || ".tailor-sdk";
+	return distPath;
+};
+
+//#endregion
+//#region src/cli/cache/dep-collector-plugin.ts
+/**
+* Create a rolldown plugin that collects all resolved module paths during a build.
+* The plugin is purely observational and does not modify any code or behavior.
+* Collected paths exclude node_modules and generated entry files.
+* node_modules changes (package upgrades) are not tracked per-bundle;
+* lockfile hash and SDK version changes invalidate the entire cache.
+* @returns An object containing the plugin and a getResult function that returns sorted, deduplicated paths
+*/
+function createDepCollectorPlugin() {
+	const collectedPaths = /* @__PURE__ */ new Set();
+	const plugin = {
+		name: "cache-dep-collector",
+		load: {
+			filter: { id: { include: [/\.[^/]+$/] } },
+			handler(id) {
+				if (!id.includes("node_modules") && !id.endsWith(".entry.js")) collectedPaths.add(id);
+				return null;
+			}
+		}
+	};
+	function getResult() {
+		return Array.from(collectedPaths).sort();
+	}
+	return {
+		plugin,
+		getResult
+	};
+}
+
+//#endregion
+//#region src/cli/cache/bundle-cache.ts
+function buildCacheKey(kind, name) {
+	return `${kind}:${name}`;
+}
+function combineHash(fileHash, contextHash) {
+	if (!contextHash) return fileHash;
+	return hashContent(fileHash + contextHash);
+}
+/**
+* Compute a context hash for cache invalidation across bundlers.
+*
+* Combines the source file path, serialized trigger context, tsconfig hash,
+* sourcemap mode, and an optional prefix (e.g., serialized env variables)
+* into a single SHA-256 hash.
+* @param params - Context hash computation parameters
+* @returns SHA-256 hex digest of the combined context
+*/
+function computeBundlerContextHash(params) {
+	const { sourceFile, serializedTriggerContext, tsconfig, inlineSourcemap, prefix } = params;
+	return hashContent((prefix ?? "") + path.resolve(sourceFile) + serializedTriggerContext + (tsconfig ? hashFile(tsconfig) : "") + String(inlineSourcemap ?? false));
+}
+/**
+* Run a build with optional cache restore/save around it.
+* When caching is active, attempts to restore from cache first,
+* and saves the build result (with collected dependencies) on a cache miss.
+* @param params - Cache and build parameters
+*/
+async function withCache(params) {
+	const { cache, kind, name, sourceFile, outputPath, contextHash, build } = params;
+	if (!cache) {
+		await build([]);
+		return;
+	}
+	if (cache.tryRestore({
+		kind,
+		name,
+		outputPath,
+		contextHash
+	})) {
+		logger.debug(`  ${styles.dim("cached")}: ${name}`);
+		return;
+	}
+	const { plugin, getResult } = createDepCollectorPlugin();
+	await build([plugin]);
+	cache.save({
+		kind,
+		name,
+		sourceFile,
+		outputPath,
+		dependencyPaths: getResult(),
+		contextHash
+	});
+}
+/**
+* Create a bundle cache backed by the given store.
+* @param store - The cache store for persistence
+* @returns A BundleCache instance
+*/
+function createBundleCache(store) {
+	function tryRestore(params) {
+		const cacheKey = buildCacheKey(params.kind, params.name);
+		const entry = store.getEntry(cacheKey);
+		if (!entry) return false;
+		let currentHash;
+		try {
+			currentHash = combineHash(hashFiles(entry.dependencyPaths), params.contextHash);
+		} catch {
+			return false;
+		}
+		if (currentHash !== entry.inputHash) return false;
+		return store.restoreBundleOutput(cacheKey, params.outputPath);
+	}
+	function save(params) {
+		const { kind, name, sourceFile, outputPath, dependencyPaths, contextHash } = params;
+		const cacheKey = buildCacheKey(kind, name);
+		const allDeps = dependencyPaths.includes(sourceFile) ? dependencyPaths : [sourceFile, ...dependencyPaths];
+		const inputHash = combineHash(hashFiles(allDeps), contextHash);
+		const contentHash = hashFile(outputPath);
+		store.storeBundleOutput(cacheKey, outputPath);
+		const outputFiles = [{
+			outputPath,
+			contentHash
+		}];
+		const mapPath = `${outputPath}.map`;
+		if (fs$1.existsSync(mapPath)) outputFiles.push({
+			outputPath: mapPath,
+			contentHash: hashFile(mapPath)
+		});
+		store.setEntry(cacheKey, {
+			kind: "bundle",
+			inputHash,
+			dependencyPaths: allDeps,
+			outputFiles,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		});
+	}
+	return {
+		tryRestore,
+		save
+	};
+}
+
+//#endregion
+//#region src/cli/shared/plugin-import.ts
+/**
+* Collect base directories for resolving plugin import paths.
+* @param configPath - Path to tailor.config.ts
+* @returns Ordered list of base directories
+*/
+function getPluginImportBaseDirs(configPath) {
+	if (configPath) return [path.dirname(configPath)];
+	return [process.cwd()];
+}
+/**
+* Resolve a relative plugin import path against candidate base directories.
+* @param pluginImportPath - Relative plugin import path
+* @param baseDirs - Candidate base directories
+* @returns Absolute path if found, otherwise null
+*/
+function resolveRelativePluginImportPath(pluginImportPath, baseDirs) {
+	if (!pluginImportPath.startsWith(".")) return null;
+	for (const baseDir of baseDirs) {
+		const absolutePath = path.resolve(baseDir, pluginImportPath);
+		if (fs$1.existsSync(absolutePath)) return absolutePath;
+	}
+	return null;
+}
+
+//#endregion
+//#region src/types/plugin.ts
+/**
+* Checks if a plugin executor uses file-based resolution.
+* @param executor - The plugin executor to check.
+* @returns True if the executor uses file-based resolution.
+*/
+function isPluginExecutorWithFile(executor) {
+	return "resolve" in executor && "context" in executor;
+}
+
+//#endregion
+//#region src/cli/commands/generate/plugin-executor-generator.ts
+/**
+* Plugin Executor Generator
+*
+* Generates TypeScript files for plugin-generated executors.
+* Supports both legacy format (inline trigger/operation) and new format (executorFile/context).
+*/
+/**
+* Generate TypeScript files for plugin-generated executors.
+* These files will be processed by the standard executor bundler.
+* @param executors - Array of plugin executor information
+* @param outputDir - Base output directory (e.g., .tailor-sdk)
+* @param typeGenerationResult - Result from plugin type generation (for import resolution)
+* @param sourceTypeInfoMap - Map of source type names to their source info
+* @param configPath - Path to tailor.config.ts (used for resolving plugin import paths)
+* @returns Array of generated file paths
+*/
+function generatePluginExecutorFiles(executors, outputDir, typeGenerationResult, sourceTypeInfoMap, configPath) {
+	if (executors.length === 0) return [];
+	const generatedFiles = [];
+	const baseDirs = getPluginImportBaseDirs(configPath);
+	for (const info of executors) {
+		const filePath = generateSingleExecutorFile(info, outputDir, typeGenerationResult, sourceTypeInfoMap, baseDirs);
+		generatedFiles.push(filePath);
+		const relativePath = path.relative(process.cwd(), filePath);
+		logger.log(`  Plugin Executor File: ${styles.success(relativePath)} from plugin ${styles.info(info.pluginId)}`);
+	}
+	return generatedFiles;
+}
+/**
+* Generate a single executor file.
+* @param info - Plugin executor metadata and definition
+* @param outputDir - Base output directory (e.g., .tailor-sdk)
+* @param typeGenerationResult - Result from plugin type generation
+* @param sourceTypeInfoMap - Map of source type names to their source info
+* @param baseDirs - Base directories for resolving plugin import paths
+* @returns Absolute path to the generated file
+*/
+function generateSingleExecutorFile(info, outputDir, typeGenerationResult, sourceTypeInfoMap, baseDirs = []) {
+	const pluginDir = sanitizePluginId$1(info.pluginId);
+	const executorOutputDir = path.join(outputDir, pluginDir, "executors");
+	fs$1.mkdirSync(executorOutputDir, { recursive: true });
+	const fileName = sanitizeExecutorFileName(info.executor.name);
+	const filePath = path.join(executorOutputDir, `${fileName}.ts`);
+	let content;
+	if (isPluginExecutorWithFile(info.executor)) content = generateExecutorFileContentNew(info, info.executor, outputDir, typeGenerationResult, sourceTypeInfoMap, baseDirs);
+	else content = generateExecutorFileContentLegacy(info.executor);
+	fs$1.writeFileSync(filePath, content);
+	return filePath;
+}
+/**
+* Generate TypeScript file content for new format executor (dynamic import).
+* Uses the executor's resolve function to dynamically import the module.
+* @param info - Plugin executor information
+* @param executor - Executor definition with resolve
+* @param outputDir - Base output directory
+* @param typeGenerationResult - Result from plugin type generation
+* @param sourceTypeInfoMap - Map of source type names to their source info
+* @param baseDirs - Base directories for resolving plugin import paths
+* @returns TypeScript source code for executor file
+*/
+function generateExecutorFileContentNew(info, executor, outputDir, typeGenerationResult, sourceTypeInfoMap, baseDirs = []) {
+	const { resolve, context } = executor;
+	const pluginDir = sanitizePluginId$1(info.pluginId);
+	const executorOutputDir = path.join(outputDir, pluginDir, "executors");
+	const executorImportPath = resolveExecutorImportPath(resolve, info.pluginImportPath, executorOutputDir, baseDirs);
+	const typeImports = collectTypeImports(context, outputDir, info.pluginId, typeGenerationResult, sourceTypeInfoMap);
+	const imports = [];
+	for (const [, importInfo] of typeImports) imports.push(`import { ${importInfo.variableName} } from "${importInfo.importPath}";`);
+	const contextCode = generateContextCode(context, typeImports);
+	return ml`
+    /**
+     * Auto-generated executor by plugin: ${info.pluginId}
+     * DO NOT EDIT - This file is generated by @tailor-platform/sdk
+     */
+    ${imports.join("\n")}
+
+    const { default: executorFactory } = await import(${JSON.stringify(executorImportPath)});
+    if (typeof executorFactory !== "function") {
+      throw new Error(
+        "Plugin executor module must export a default function created by withPluginContext().",
+      );
+    }
+    export default executorFactory(${contextCode});
+  `;
+}
+/**
+* Collect type imports needed for context.
+* @param context - Executor context values from plugin
+* @param outputDir - Base output directory for generated files
+* @param pluginId - Plugin identifier used for output paths
+* @param typeGenerationResult - Result from plugin type generation
+* @param sourceTypeInfoMap - Map of source type names to their source info
+* @returns Map of context keys to their import information
+*/
+function collectTypeImports(context, outputDir, pluginId, typeGenerationResult, sourceTypeInfoMap) {
+	const typeImports = /* @__PURE__ */ new Map();
+	const pluginDir = sanitizePluginId$1(pluginId);
+	const executorDir = path.join(outputDir, pluginDir, "executors");
+	for (const [key, value] of Object.entries(context)) if (isTypeObject(value)) {
+		const typeName = value.name;
+		const sourceInfo = sourceTypeInfoMap?.get(typeName);
+		const variableName = sourceInfo?.exportName ?? toCamelCase$1(typeName);
+		let importPath;
+		let isGeneratedType = false;
+		if (typeGenerationResult?.typeFilePaths.has(typeName)) {
+			const typeFilePath = typeGenerationResult.typeFilePaths.get(typeName);
+			const absoluteTypePath = path.join(outputDir, typeFilePath);
+			importPath = path.relative(executorDir, absoluteTypePath).replace(/\.ts$/, "");
+			if (!importPath.startsWith(".")) importPath = `./${importPath}`;
+			isGeneratedType = true;
+		} else if (sourceInfo) {
+			const sourceFilePath = sourceInfo.filePath;
+			importPath = path.relative(executorDir, sourceFilePath).replace(/\.ts$/, "");
+			if (!importPath.startsWith(".")) importPath = `./${importPath}`;
+		} else importPath = `../../../../tailordb/${toKebabCase$1(typeName)}`;
+		typeImports.set(key, {
+			variableName,
+			importPath,
+			isGeneratedType
+		});
+	}
+	return typeImports;
+}
+/**
+* Generate TypeScript code for context object.
+* @param context - Executor context values from plugin
+* @param typeImports - Resolved type import information for context keys
+* @returns TypeScript object literal code
+*/
+function generateContextCode(context, typeImports) {
+	const entries = [];
+	for (const [key, value] of Object.entries(context)) if (isTypeObject(value)) {
+		const importInfo = typeImports.get(key);
+		if (importInfo) entries.push(`  ${key}: ${importInfo.variableName}`);
+	} else if (value !== void 0) entries.push(`  ${key}: ${JSON.stringify(value)}`);
+	return `{\n${entries.join(",\n")},\n}`;
+}
+/**
+* Check if a value is a TailorDB type object.
+* @param value - Value to inspect
+* @returns True if value is a type object with name and fields
+*/
+function isTypeObject(value) {
+	return typeof value === "object" && value !== null && "name" in value && "fields" in value && typeof value.name === "string";
+}
+/**
+* Generate TypeScript file content for legacy format executor (trigger/operation).
+* @param executor - Legacy executor definition
+* @returns TypeScript source code for executor file
+*/
+function generateExecutorFileContentLegacy(executor) {
+	const triggerCode = generateTriggerCode(executor.trigger);
+	const operationCode = generateOperationCode(executor.operation);
+	const injectDeclarations = generateInjectDeclarations(executor.operation.kind === "function" ? executor.operation.inject : void 0);
+	const descriptionLine = executor.description ? `\n  description: ${JSON.stringify(executor.description)},` : "";
+	return ml`
+    /**
+     * Auto-generated executor by plugin
+     * DO NOT EDIT - This file is generated by @tailor-platform/sdk
+     */
+    import { createExecutor } from "@tailor-platform/sdk";
+    ${injectDeclarations}
+    export default createExecutor({
+      name: ${JSON.stringify(executor.name)},${descriptionLine}
+      trigger: ${triggerCode},
+      operation: ${operationCode},
+    });
+  `;
+}
+/**
+* Generate const declarations for injected variables.
+* @param inject - Map of injected values keyed by variable name
+* @returns TypeScript const declarations or empty string
+*/
+function generateInjectDeclarations(inject) {
+	if (!inject || Object.keys(inject).length === 0) return "";
+	return `\n// Injected variables from plugin\n${Object.entries(inject).map(([name, value]) => `const ${name} = ${JSON.stringify(value)};`).join("\n")}\n`;
+}
+/**
+* Generate TypeScript code for trigger configuration.
+* @param trigger - Trigger configuration for executor
+* @returns TypeScript code for trigger object
+*/
+function generateTriggerCode(trigger) {
+	switch (trigger.kind) {
+		case "recordCreated":
+		case "recordUpdated":
+		case "recordDeleted": return `{
+    kind: ${JSON.stringify(trigger.kind)},
+    typeName: ${JSON.stringify(trigger.typeName)},
+  }`;
+		case "schedule": return `{
+    kind: "schedule",
+    cron: ${JSON.stringify(trigger.cron)},
+    timezone: ${JSON.stringify(trigger.timezone ?? "UTC")},
+  }`;
+		case "incomingWebhook": return `{
+    kind: "incomingWebhook",
+  }`;
+		default: throw new Error(`Unknown trigger kind: ${trigger.kind}`);
+	}
+}
+/**
+* Generate TypeScript code for operation configuration.
+* @param operation - Operation configuration for executor
+* @returns TypeScript code for operation object
+*/
+function generateOperationCode(operation) {
+	switch (operation.kind) {
+		case "graphql": {
+			const appNameLine = operation.appName ? `\n    appName: ${JSON.stringify(operation.appName)},` : "";
+			const variablesLine = operation.variables ? `\n    variables: ${operation.variables},` : "";
+			return `{
+    kind: "graphql",
+    query: \`${escapeTemplateLiteral(operation.query)}\`,${appNameLine}${variablesLine}
+  }`;
+		}
+		case "function": return `{
+    kind: "function",
+    body: ${operation.body},
+  }`;
+		case "webhook": return `{
+    kind: "webhook",
+    url: () => ${JSON.stringify(operation.url)},
+  }`;
+		case "workflow": return `{
+    kind: "workflow",
+    workflowName: ${JSON.stringify(operation.workflowName)},
+  }`;
+		default: throw new Error(`Unknown operation kind: ${operation.kind}`);
+	}
+}
+/**
+* Escape special characters in template literal content.
+* @param str - Raw template literal content
+* @returns Escaped string safe for template literals
+*/
+function escapeTemplateLiteral(str) {
+	return str.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
+}
+const require = createRequire(import.meta.url);
+/**
+* Resolve the import path for a plugin executor module.
+* @param resolve - Executor resolve function
+* @param pluginImportPath - Plugin's import path
+* @param executorOutputDir - Directory where the generated executor will be written
+* @param baseDirs - Base directories for resolving plugin import paths
+* @returns Import path string for the executor module
+*/
+function resolveExecutorImportPath(resolve, pluginImportPath, executorOutputDir, baseDirs) {
+	const specifier = extractDynamicImportSpecifier(resolve);
+	if (!specifier.startsWith(".")) return specifier;
+	const pluginBaseDir = resolvePluginBaseDir(pluginImportPath, baseDirs);
+	if (!pluginBaseDir) throw new Error(`Unable to resolve plugin import base for "${pluginImportPath}". Tried base dirs: ${baseDirs.join(", ") || "(none)"}. Use an absolute import specifier in resolve(), or ensure the plugin path is resolvable.`);
+	const absolutePath = path.resolve(pluginBaseDir, specifier);
+	let relativePath = path.relative(executorOutputDir, absolutePath).replace(/\\/g, "/");
+	relativePath = stripSourceExtension(relativePath);
+	if (!relativePath.startsWith(".")) relativePath = `./${relativePath}`;
+	return relativePath;
+}
+/**
+* Extract the dynamic import specifier from a resolve function.
+* @param resolve - Executor resolve function
+* @returns The module specifier string
+*/
+function extractDynamicImportSpecifier(resolve) {
+	const match = resolve.toString().match(/import\s*\(\s*["']([^"']+)["']\s*\)/);
+	if (!match) throw new Error(`resolve() must return a dynamic import, e.g. \`async () => await import("./executors/on-create")\`.`);
+	return match[1];
+}
+/**
+* Resolve plugin base directory for relative imports.
+* @param pluginImportPath - Plugin import path
+* @param baseDirs - Base directories for resolving plugin import paths
+* @returns Directory path or null if not resolvable
+*/
+function resolvePluginBaseDir(pluginImportPath, baseDirs) {
+	if (pluginImportPath.startsWith(".")) {
+		const resolvedPath = resolveRelativePluginImportPath(pluginImportPath, baseDirs) ?? path.resolve(baseDirs[0] ?? process.cwd(), pluginImportPath);
+		if (fs$1.existsSync(resolvedPath)) return fs$1.statSync(resolvedPath).isDirectory() ? resolvedPath : path.dirname(resolvedPath);
+		return path.extname(resolvedPath) ? path.dirname(resolvedPath) : resolvedPath;
+	}
+	for (const baseDir of baseDirs) try {
+		const resolved = require.resolve(pluginImportPath, { paths: [baseDir] });
+		return path.dirname(resolved);
+	} catch {
+		continue;
+	}
+	return null;
+}
+/**
+* Strip TypeScript source extensions from import paths.
+* @param importPath - Path to normalize
+* @returns Path without .ts/.tsx extension
+*/
+function stripSourceExtension(importPath) {
+	return importPath.replace(/\.(ts|tsx)$/, "");
+}
+/**
+* Convert plugin ID to safe directory name.
+* @param pluginId - Plugin identifier (e.g., "@scope/name")
+* @returns Safe directory name
+*/
+function sanitizePluginId$1(pluginId) {
+	return pluginId.replace(/^@/, "").replace(/\//g, "-");
+}
+/**
+* Convert executor name to safe filename.
+* @param executorName - Executor name
+* @returns Safe filename without extension
+*/
+function sanitizeExecutorFileName(executorName) {
+	const sanitized = path.basename(executorName).replace(/\.[^/.]+$/, "").replace(/[^a-zA-Z0-9_-]/g, "-");
+	if (!sanitized) throw new Error(`Invalid executor name: "${executorName}"`);
+	return sanitized;
+}
+/**
+* Convert string to camelCase.
+* @param str - Input string to convert
+* @returns camelCase string
+*/
+function toCamelCase$1(str) {
+	const result = str.replace(/[-_\s]+(.)?/g, (_, c) => c ? c.toUpperCase() : "");
+	return result.charAt(0).toLowerCase() + result.slice(1);
+}
+/**
+* Convert string to kebab-case.
+* @param str - Input string to convert
+* @returns kebab-case string
+*/
+function toKebabCase$1(str) {
+	return str.replace(/([a-z])([A-Z])/g, "$1-$2").replace(/[\s_]+/g, "-").toLowerCase();
+}
+
+//#endregion
+//#region src/cli/commands/generate/plugin-type-generator.ts
+/**
+* Plugin Type Generator
+*
+* Generates TypeScript files for plugin-generated types (TailorDB types).
+* These files can be imported by plugin executors to reference generated types.
+*/
+function isFieldDefinition(value) {
+	return typeof value === "object" && value !== null;
+}
+/**
+* Generate TypeScript files for plugin-generated types.
+* These files export the type definition and can be imported by executor files.
+* @param types - Array of plugin type information
+* @param outputDir - Base output directory (e.g., .tailor-sdk)
+* @returns Generation result with file paths
+*/
+function generatePluginTypeFiles(types, outputDir) {
+	const typeFilePaths = /* @__PURE__ */ new Map();
+	const generatedFiles = [];
+	if (types.length === 0) return {
+		typeFilePaths,
+		generatedFiles
+	};
+	const seenTypeNames = /* @__PURE__ */ new Map();
+	for (const info of types) {
+		const existing = seenTypeNames.get(info.type.name);
+		if (existing) throw new Error(`Duplicate plugin-generated type name "${info.type.name}" detected. First: plugin "${existing.pluginId}" (kind: "${existing.kind}", source type: "${existing.sourceTypeName}"), Second: plugin "${info.pluginId}" (kind: "${info.kind}", source type: "${info.sourceTypeName}"). Plugin-generated type names must be unique.`);
+		seenTypeNames.set(info.type.name, info);
+		const pluginDir = sanitizePluginId(info.pluginId);
+		const typeOutputDir = path.join(outputDir, pluginDir, "types");
+		fs$1.mkdirSync(typeOutputDir, { recursive: true });
+		const fileName = `${toKebabCase(info.type.name)}.ts`;
+		const filePath = path.join(typeOutputDir, fileName);
+		const content = generateTypeFileContent(info);
+		fs$1.writeFileSync(filePath, content);
+		generatedFiles.push(filePath);
+		const relativePath = path.relative(outputDir, filePath);
+		typeFilePaths.set(info.type.name, relativePath);
+		const displayPath = path.relative(process.cwd(), filePath);
+		logger.log(`  Plugin Type File: ${styles.success(displayPath)} (${styles.dim(info.kind)}) from plugin ${styles.info(info.pluginId)}`);
+	}
+	return {
+		typeFilePaths,
+		generatedFiles
+	};
+}
+/**
+* Generate TypeScript file content for a single type.
+* @param info - Plugin type information
+* @returns TypeScript source code
+*/
+function generateTypeFileContent(info) {
+	const { type, pluginId, sourceTypeName, kind } = info;
+	const variableName = toCamelCase(type.name);
+	const fieldsCode = generateFieldsCode(type);
+	return ml`
+    /**
+     * Auto-generated type by plugin: ${pluginId}
+     * Source type: ${sourceTypeName}
+     * Kind: ${kind}
+     *
+     * DO NOT EDIT - This file is generated by @tailor-platform/sdk
+     */
+    import { db } from "@tailor-platform/sdk";
+
+    export const ${variableName} = db.type(${JSON.stringify(type.name)}, ${fieldsCode});
+
+    export type ${type.name} = typeof ${variableName};
+  `;
+}
+/**
+* Generate TypeScript code for field definitions.
+* This creates a simplified version of the type's fields.
+* @param type - TailorDB type
+* @returns TypeScript code for fields object
+*/
+function generateFieldsCode(type) {
+	const fieldEntries = [];
+	for (const [fieldName, field] of Object.entries(type.fields)) {
+		if (!isFieldDefinition(field)) continue;
+		const fieldCode = generateSingleFieldCode(field);
+		if (fieldCode) fieldEntries.push(`  ${fieldName}: ${fieldCode}`);
+	}
+	return `{\n${fieldEntries.join(",\n")},\n}`;
+}
+/**
+* Map from TailorDB type to SDK method name.
+*/
+const typeToMethodMap = {
+	string: "string",
+	integer: "int",
+	float: "float",
+	boolean: "bool",
+	uuid: "uuid",
+	datetime: "datetime",
+	date: "date",
+	time: "time",
+	enum: "enum",
+	nested: "nested"
+};
+/**
+* Generate TypeScript code for a single field definition.
+* @param field - Field definition object
+* @returns TypeScript code for the field
+*/
+function generateSingleFieldCode(field) {
+	const fieldType = field.type;
+	if (!fieldType) return null;
+	const method = typeToMethodMap[fieldType] ?? fieldType;
+	const metadata = field._metadata ?? field.metadata ?? {};
+	const optionParts = [];
+	if (metadata.required === false) optionParts.push("optional: true");
+	const optionsArg = optionParts.length > 0 ? `{ ${optionParts.join(", ")} }` : "";
+	if (fieldType === "enum") {
+		const allowedValues = metadata.allowedValues;
+		let enumValues = [];
+		if (Array.isArray(allowedValues)) enumValues = allowedValues.map((v) => v.value);
+		let code = `db.enum(${JSON.stringify(enumValues)}${optionsArg ? `, ${optionsArg}` : ""})`;
+		if (metadata.index) code += ".index()";
+		if (metadata.unique) code += ".unique()";
+		if (metadata.description) code += `.description(${JSON.stringify(metadata.description)})`;
+		return code;
+	}
+	let code = `db.${method}(${optionsArg})`;
+	if (metadata.index) code += ".index()";
+	if (metadata.unique) code += ".unique()";
+	if (metadata.description) code += `.description(${JSON.stringify(metadata.description)})`;
+	return code;
+}
+/**
+* Convert plugin ID to safe directory name.
+* @param pluginId - Plugin identifier (e.g., "@tailor-platform/change-history")
+* @returns Safe directory name (e.g., "tailor-platform-change-history")
+*/
+function sanitizePluginId(pluginId) {
+	return pluginId.replace(/^@/, "").replace(/\//g, "-");
+}
+/**
+* Convert string to kebab-case.
+* @param str - Input string
+* @returns kebab-case string
+*/
+function toKebabCase(str) {
+	return str.replace(/([a-z])([A-Z])/g, "$1-$2").replace(/[\s_]+/g, "-").toLowerCase();
+}
+/**
+* Convert string to camelCase.
+* @param str - Input string
+* @returns camelCase string
+*/
+function toCamelCase(str) {
+	const result = str.replace(/[-_\s]+(.)?/g, (_, c) => c ? c.toUpperCase() : "");
+	return result.charAt(0).toLowerCase() + result.slice(1);
+}
+
+//#endregion
+//#region src/cli/services/stale-cleanup.ts
+/**
+* Remove stale `.entry.js` files from the output directory.
+*
+* Must be called before parallel bundling; concurrent builds
+* sharing the same output directory would otherwise conflict.
+* @param outputDir - Directory to clean
+*/
+async function removeStaleEntryFiles(outputDir) {
+	const files = await fs.readdir(outputDir);
+	await Promise.all(files.filter((file) => file.endsWith(".entry.js")).map((file) => fs.rm(path.join(outputDir, file), { force: true })));
+}
+
+//#endregion
+//#region src/cli/services/file-loader.ts
+const DEFAULT_IGNORE_PATTERNS = ["**/*.test.ts", "**/*.spec.ts"];
+/**
+* Load files matching the given patterns, excluding files that match ignore patterns.
+* By default, test files (*.test.ts, *.spec.ts) are excluded unless ignores is explicitly specified.
+* @param config - Configuration with files patterns and optional ignores patterns
+* @returns Array of absolute file paths
+*/
+function loadFilesWithIgnores(config) {
+	const ignorePatterns = config.ignores ?? DEFAULT_IGNORE_PATTERNS;
+	const ignoreFiles = /* @__PURE__ */ new Set();
+	for (const ignorePattern of ignorePatterns) {
+		const absoluteIgnorePattern = path.resolve(process.cwd(), ignorePattern);
+		try {
+			fs$1.globSync(absoluteIgnorePattern).forEach((file) => ignoreFiles.add(file));
+		} catch (error) {
+			logger.warn(`Failed to glob ignore pattern "${ignorePattern}": ${String(error)}`);
+		}
+	}
+	const files = [];
+	for (const pattern of config.files) {
+		const absolutePattern = path.resolve(process.cwd(), pattern);
+		try {
+			const filteredFiles = fs$1.globSync(absolutePattern).filter((file) => !ignoreFiles.has(file));
+			files.push(...filteredFiles);
+		} catch (error) {
+			logger.warn(`Failed to glob pattern "${pattern}": ${String(error)}`);
+		}
+	}
+	return files;
+}
+
+//#endregion
+//#region src/cli/services/workflow/ast-utils.ts
+/**
+* Check if a module source is from the Tailor SDK package (including subpaths)
+* @param source - Module source string
+* @returns True if the source is from the Tailor SDK package
+*/
+function isTailorSdkSource(source) {
+	return /^@tailor-platform\/sdk(\/|$)/.test(source);
+}
+/**
+* Get the source string from a dynamic import or require call
+* @param node - AST node to inspect
+* @returns Resolved import/require source string or null
+*/
+function getImportSource(node) {
+	if (!node) return null;
+	if (node.type === "ImportExpression") {
+		const source = node.source;
+		if (source.type === "Literal" && typeof source.value === "string") return source.value;
+	}
+	if (node.type === "CallExpression") {
+		const callExpr = node;
+		if (callExpr.callee.type === "Identifier" && callExpr.callee.name === "require") {
+			const arg = callExpr.arguments[0];
+			if (arg && "type" in arg && arg.type === "Literal" && "value" in arg && typeof arg.value === "string") return arg.value;
+		}
+	}
+	return null;
+}
+/**
+* Unwrap AwaitExpression to get the inner expression
+* @param node - AST expression node
+* @returns Inner expression if node is an AwaitExpression
+*/
+function unwrapAwait(node) {
+	if (node?.type === "AwaitExpression") return node.argument;
+	return node;
+}
+/**
+* Check if a node is a string literal
+* @param node - AST expression node
+* @returns True if node is a string literal
+*/
+function isStringLiteral(node) {
+	return node?.type === "Literal" && typeof node.value === "string";
+}
+/**
+* Check if a node is a function expression (arrow or regular)
+* @param node - AST expression node
+* @returns True if node is a function expression
+*/
+function isFunctionExpression(node) {
+	return node?.type === "ArrowFunctionExpression" || node?.type === "FunctionExpression";
+}
+/**
+* Find a property in an object expression
+* @param properties - Object properties to search
+* @param name - Property name to find
+* @returns Found property info or null
+*/
+function findProperty(properties, name) {
+	for (const prop of properties) if (prop.type === "Property") {
+		const objProp = prop;
+		if ((objProp.key.type === "Identifier" ? objProp.key.name : objProp.key.type === "Literal" ? objProp.key.value : null) === name) return {
+			key: objProp.key,
+			value: objProp.value,
+			start: objProp.start,
+			end: objProp.end
+		};
+	}
+	return null;
+}
+/**
+* Apply string replacements to source code
+* Replacements are applied from end to start to maintain positions
+* @param source - Original source code
+* @param replacements - Replacements to apply
+* @returns Transformed source code
+*/
+function applyReplacements(source, replacements) {
+	const sorted = [...replacements].sort((a, b) => b.start - a.start);
+	let result = source;
+	for (const r of sorted) result = result.slice(0, r.start) + r.text + result.slice(r.end);
+	return result;
+}
+/**
+* Find the end of a statement including any trailing newline
+* @param source - Source code
+* @param position - Start position of the statement
+* @returns Index of the end of the statement including trailing newline
+*/
+function findStatementEnd(source, position) {
+	let i = position;
+	while (i < source.length && (source[i] === ";" || source[i] === " " || source[i] === "	")) i++;
+	if (i < source.length && source[i] === "\n") i++;
+	return i;
+}
+/**
+* Resolve a relative path from a base directory
+* Simple implementation that handles ./ and ../ prefixes
+* @param baseDir - Base directory
+* @param relativePath - Relative path to resolve
+* @returns Resolved absolute path
+*/
+function resolvePath(baseDir, relativePath) {
+	const parts = relativePath.replace(/\\/g, "/").split("/");
+	const baseParts = baseDir.replace(/\\/g, "/").split("/");
+	for (const part of parts) if (part === ".") {} else if (part === "..") baseParts.pop();
+	else baseParts.push(part);
+	return baseParts.join("/");
+}
+
+//#endregion
+//#region src/cli/services/workflow/sdk-binding-collector.ts
+/**
+* Collect all import bindings for a specific function from the Tailor SDK package
+* Returns a Set of local names that refer to the function
+* @param program - Parsed TypeScript program
+* @param functionName - Function name to collect bindings for
+* @returns Set of local names bound to the SDK function
+*/
+function collectSdkBindings(program, functionName) {
+	const bindings = /* @__PURE__ */ new Set();
+	function walk(node) {
+		if (!node || typeof node !== "object") return;
+		const nodeType = node.type;
+		if (nodeType === "ImportDeclaration") {
+			const importDecl = node;
+			const source = importDecl.source?.value;
+			if (typeof source === "string" && isTailorSdkSource(source)) {
+				for (const specifier of importDecl.specifiers || []) if (specifier.type === "ImportSpecifier") {
+					const importSpec = specifier;
+					const imported = importSpec.imported.type === "Identifier" ? importSpec.imported.name : importSpec.imported.value;
+					if (imported === functionName) bindings.add(importSpec.local?.name || imported);
+				} else if (specifier.type === "ImportDefaultSpecifier" || specifier.type === "ImportNamespaceSpecifier") {
+					const spec = specifier;
+					bindings.add(`__namespace__:${spec.local?.name}`);
+				}
+			}
+		}
+		if (nodeType === "VariableDeclaration") {
+			const varDecl = node;
+			for (const decl of varDecl.declarations || []) {
+				const source = getImportSource(unwrapAwait(decl.init));
+				if (source && isTailorSdkSource(source)) {
+					const id = decl.id;
+					if (id?.type === "Identifier") bindings.add(`__namespace__:${id.name}`);
+					else if (id?.type === "ObjectPattern") {
+						const objPattern = id;
+						for (const prop of objPattern.properties || []) if (prop.type === "Property") {
+							const bindingProp = prop;
+							const keyName = bindingProp.key.type === "Identifier" ? bindingProp.key.name : bindingProp.key.value;
+							if (keyName === functionName) {
+								const localName = bindingProp.value.type === "Identifier" ? bindingProp.value.name : keyName;
+								bindings.add(localName ?? "");
+							}
+						}
+					}
+				}
+			}
+		}
+		for (const key of Object.keys(node)) {
+			const child = node[key];
+			if (Array.isArray(child)) child.forEach((c) => walk(c));
+			else if (child && typeof child === "object") walk(child);
+		}
+	}
+	walk(program);
+	return bindings;
+}
+/**
+* Check if a CallExpression is a call to a specific SDK function
+* @param node - AST node to inspect
+* @param bindings - Collected SDK bindings
+* @param functionName - SDK function name
+* @returns True if node is a call to the SDK function
+*/
+function isSdkFunctionCall(node, bindings, functionName) {
+	if (node.type !== "CallExpression") return false;
+	const callee = node.callee;
+	if (callee.type === "Identifier") {
+		const identifier = callee;
+		return bindings.has(identifier.name);
+	}
+	if (callee.type === "MemberExpression") {
+		const memberExpr = callee;
+		if (!memberExpr.computed) {
+			const object = memberExpr.object;
+			const property = memberExpr.property;
+			if (object.type === "Identifier" && bindings.has(`__namespace__:${object.name}`) && property.name === functionName) return true;
+		}
+	}
+	return false;
+}
+
+//#endregion
+//#region src/cli/services/workflow/job-detector.ts
+/**
+* Find all workflow jobs by detecting createWorkflowJob calls from `@tailor-platform/sdk`
+* @param program - Parsed TypeScript program
+* @param _sourceText - Source code text (currently unused)
+* @returns Detected job locations
+*/
+function findAllJobs(program, _sourceText) {
+	const jobs = [];
+	const bindings = collectSdkBindings(program, "createWorkflowJob");
+	function walk(node, parents = []) {
+		if (!node || typeof node !== "object") return;
+		if (isSdkFunctionCall(node, bindings, "createWorkflowJob")) {
+			const args = node.arguments;
+			if (args?.length >= 1 && args[0]?.type === "ObjectExpression") {
+				const configObj = args[0];
+				const nameProp = findProperty(configObj.properties, "name");
+				const bodyProp = findProperty(configObj.properties, "body");
+				if (nameProp && isStringLiteral(nameProp.value) && bodyProp && isFunctionExpression(bodyProp.value)) {
+					let statementRange;
+					let exportName;
+					for (let i = parents.length - 1; i >= 0; i--) {
+						const parent = parents[i];
+						if (parent.type === "VariableDeclarator") {
+							const declarator = parent;
+							if (declarator.id?.type === "Identifier") exportName = declarator.id.name;
+						}
+						if (parent.type === "ExportNamedDeclaration" || parent.type === "VariableDeclaration") statementRange = {
+							start: parent.start,
+							end: parent.end
+						};
+					}
+					jobs.push({
+						name: nameProp.value.value,
+						exportName,
+						nameRange: {
+							start: nameProp.start,
+							end: nameProp.end
+						},
+						bodyValueRange: {
+							start: bodyProp.value.start,
+							end: bodyProp.value.end
+						},
+						statementRange
+					});
+				}
+			}
+		}
+		const newParents = [...parents, node];
+		for (const key of Object.keys(node)) {
+			const child = node[key];
+			if (Array.isArray(child)) child.forEach((c) => walk(c, newParents));
+			else if (child && typeof child === "object") walk(child, newParents);
+		}
+	}
+	walk(program);
+	return jobs;
+}
+/**
+* Build a map from export name to job name from detected jobs
+* @param jobs - Detected job locations
+* @returns Map from export name to job name
+*/
+function buildJobNameMap(jobs) {
+	const map = /* @__PURE__ */ new Map();
+	for (const job of jobs) if (job.exportName) map.set(job.exportName, job.name);
+	return map;
+}
+/**
+* Detect all .trigger() calls in the source code
+* Returns information about each trigger call for transformation
+* @param program - Parsed TypeScript program
+* @param sourceText - Source code text
+* @returns Detected trigger calls
+*/
+function detectTriggerCalls(program, sourceText) {
+	const calls = [];
+	function walk(node, parent = null) {
+		if (!node || typeof node !== "object") return;
+		if (node.type === "CallExpression") {
+			const callExpr = node;
+			const callee = callExpr.callee;
+			if (callee.type === "MemberExpression") {
+				const memberExpr = callee;
+				if (!memberExpr.computed && memberExpr.object.type === "Identifier" && memberExpr.property.name === "trigger") {
+					const identifierName = memberExpr.object.name;
+					let argsText = "";
+					if (callExpr.arguments.length > 0) {
+						const firstArg = callExpr.arguments[0];
+						const lastArg = callExpr.arguments[callExpr.arguments.length - 1];
+						if (firstArg && lastArg && "start" in firstArg && "end" in lastArg) argsText = sourceText.slice(firstArg.start, lastArg.end);
+					}
+					const hasAwait = parent?.type === "AwaitExpression";
+					const awaitExpr = hasAwait ? parent : null;
+					const callRange = {
+						start: callExpr.start,
+						end: callExpr.end
+					};
+					const fullRange = awaitExpr ? {
+						start: awaitExpr.start,
+						end: awaitExpr.end
+					} : callRange;
+					calls.push({
+						identifierName,
+						callRange,
+						argsText,
+						hasAwait,
+						fullRange
+					});
+				}
+			}
+		}
+		for (const key of Object.keys(node)) {
+			const child = node[key];
+			if (Array.isArray(child)) child.forEach((c) => walk(c, node));
+			else if (child && typeof child === "object") walk(child, node);
+		}
+	}
+	walk(program);
+	return calls;
+}
+
+//#endregion
+//#region src/cli/services/workflow/workflow-detector.ts
+/**
+* Find all workflows by detecting createWorkflow calls from `@tailor-platform/sdk`
+* @param program - Parsed TypeScript program
+* @param _sourceText - Source code text (currently unused)
+* @returns Detected workflows
+*/
+function findAllWorkflows(program, _sourceText) {
+	const workflows = [];
+	const bindings = collectSdkBindings(program, "createWorkflow");
+	function walk(node, parents = []) {
+		if (!node || typeof node !== "object") return;
+		if (isSdkFunctionCall(node, bindings, "createWorkflow")) {
+			const args = node.arguments;
+			if (args?.length >= 1 && args[0]?.type === "ObjectExpression") {
+				const configObj = args[0];
+				const nameProp = findProperty(configObj.properties, "name");
+				if (nameProp && isStringLiteral(nameProp.value)) {
+					let exportName;
+					let isDefaultExport = false;
+					for (let i = parents.length - 1; i >= 0; i--) {
+						const parent = parents[i];
+						if (parent.type === "VariableDeclarator") {
+							const declarator = parent;
+							if (declarator.id?.type === "Identifier") {
+								exportName = declarator.id.name;
+								break;
+							}
+						}
+						if (parent.type === "ExportDefaultDeclaration") isDefaultExport = true;
+					}
+					workflows.push({
+						name: nameProp.value.value,
+						exportName,
+						isDefaultExport
+					});
+				}
+			}
+		}
+		const newParents = [...parents, node];
+		for (const key of Object.keys(node)) {
+			const child = node[key];
+			if (Array.isArray(child)) child.forEach((c) => walk(c, newParents));
+			else if (child && typeof child === "object") walk(child, newParents);
+		}
+	}
+	walk(program);
+	return workflows;
+}
+/**
+* Build a map from export name to workflow name from detected workflows
+* @param workflows - Detected workflows
+* @returns Map from export name to workflow name
+*/
+function buildWorkflowNameMap(workflows) {
+	const map = /* @__PURE__ */ new Map();
+	for (const workflow of workflows) if (workflow.exportName) map.set(workflow.exportName, workflow.name);
+	return map;
+}
+/**
+* Detect default imports in a source file and return a map from local name to import source
+* @param program - Parsed TypeScript program
+* @returns Map from local name to import source
+*/
+function detectDefaultImports(program) {
+	const imports = /* @__PURE__ */ new Map();
+	function walk(node) {
+		if (!node || typeof node !== "object") return;
+		if (node.type === "ImportDeclaration") {
+			const importDecl = node;
+			const source = importDecl.source?.value;
+			if (typeof source === "string") {
+				for (const specifier of importDecl.specifiers || []) if (specifier.type === "ImportDefaultSpecifier") {
+					const spec = specifier;
+					if (spec.local?.name) imports.set(spec.local.name, source);
+				}
+			}
+		}
+		for (const key of Object.keys(node)) {
+			const child = node[key];
+			if (Array.isArray(child)) child.forEach((c) => walk(c));
+			else if (child && typeof child === "object") walk(child);
+		}
+	}
+	walk(program);
+	return imports;
+}
+
+//#endregion
+//#region src/cli/services/workflow/trigger-transformer.ts
+/**
+* Extract authInvoker info from a config object expression
+* Returns the authInvoker value text and whether it's a shorthand property
+* @param configArg - Config argument node
+* @param sourceText - Source code text
+* @returns Extracted authInvoker info, if any
+*/
+function extractAuthInvokerInfo(configArg, sourceText) {
+	if (!configArg || typeof configArg !== "object") return void 0;
+	if (configArg.type !== "ObjectExpression") return void 0;
+	const objExpr = configArg;
+	for (const prop of objExpr.properties) {
+		if (prop.type !== "Property") continue;
+		const objProp = prop;
+		if ((objProp.key.type === "Identifier" ? objProp.key.name : objProp.key.type === "Literal" ? objProp.key.value : null) === "authInvoker") {
+			if (objProp.shorthand) return {
+				isShorthand: true,
+				valueText: "authInvoker"
+			};
+			return {
+				isShorthand: false,
+				valueText: sourceText.slice(objProp.value.start, objProp.value.end)
+			};
+		}
+	}
+}
+/**
+* Detect .trigger() calls for known workflows and jobs
+* Only detects calls where the identifier is in workflowNames or jobNames
+* @param program - The parsed AST program
+* @param sourceText - The source code text
+* @param workflowNames - Set of known workflow identifier names
+* @param jobNames - Set of known job identifier names
+* @returns Detected trigger call metadata
+*/
+function detectExtendedTriggerCalls(program, sourceText, workflowNames, jobNames) {
+	const calls = [];
+	function walk(node, parent = null) {
+		if (!node || typeof node !== "object") return;
+		if (node.type === "CallExpression") {
+			const callExpr = node;
+			const callee = callExpr.callee;
+			if (callee.type === "MemberExpression") {
+				const memberExpr = callee;
+				if (!memberExpr.computed && memberExpr.object.type === "Identifier" && memberExpr.property.name === "trigger") {
+					const identifierName = memberExpr.object.name;
+					const isWorkflow = workflowNames.has(identifierName);
+					const isJob = jobNames.has(identifierName);
+					if (!isWorkflow && !isJob) return;
+					const argCount = callExpr.arguments.length;
+					let argsText = "";
+					if (argCount > 0) {
+						const firstArg = callExpr.arguments[0];
+						if (firstArg && "start" in firstArg && "end" in firstArg) argsText = sourceText.slice(firstArg.start, firstArg.end);
+					}
+					const hasAwait = parent?.type === "AwaitExpression";
+					const awaitExpr = hasAwait ? parent : null;
+					if (isWorkflow && argCount >= 2) {
+						const secondArg = callExpr.arguments[1];
+						const authInvoker = extractAuthInvokerInfo(secondArg, sourceText);
+						if (authInvoker) calls.push({
+							kind: "workflow",
+							identifierName,
+							callRange: {
+								start: callExpr.start,
+								end: callExpr.end
+							},
+							argsText,
+							authInvoker,
+							hasAwait: false
+						});
+					} else if (isJob) calls.push({
+						kind: "job",
+						identifierName,
+						callRange: {
+							start: callExpr.start,
+							end: callExpr.end
+						},
+						argsText,
+						hasAwait,
+						fullRange: awaitExpr ? {
+							start: awaitExpr.start,
+							end: awaitExpr.end
+						} : void 0
+					});
+				}
+			}
+		}
+		for (const key of Object.keys(node)) {
+			const child = node[key];
+			if (Array.isArray(child)) child.forEach((c) => walk(c, node));
+			else if (child && typeof child === "object") walk(child, node);
+		}
+	}
+	walk(program);
+	return calls;
+}
+/**
+* Transform trigger calls for resolver/executor/workflow functions
+* Handles both job.trigger() and workflow.trigger() calls
+* @param source - The source code to transform
+* @param workflowNameMap - Map from variable name to workflow name
+* @param jobNameMap - Map from variable name to job name
+* @param workflowFileMap - Map from file path (without extension) to workflow name for default exports
+* @param currentFilePath - Path of the current file being transformed (for resolving relative imports)
+* @returns Transformed source code with trigger calls rewritten
+*/
+function transformFunctionTriggers(source, workflowNameMap, jobNameMap, workflowFileMap, currentFilePath) {
+	const { program } = parseSync("input.ts", source);
+	const localWorkflowNameMap = new Map(workflowNameMap);
+	if (workflowFileMap && currentFilePath) {
+		const defaultImports = detectDefaultImports(program);
+		const currentDir = currentFilePath.replace(/[/\\][^/\\]+$/, "");
+		for (const [localName, importSource] of defaultImports) {
+			if (!importSource.startsWith(".")) continue;
+			const resolvedPath = resolvePath(currentDir, importSource);
+			const workflowName = workflowFileMap.get(resolvedPath);
+			if (workflowName) localWorkflowNameMap.set(localName, workflowName);
+		}
+	}
+	const triggerCalls = detectExtendedTriggerCalls(program, source, new Set(localWorkflowNameMap.keys()), new Set(jobNameMap.keys()));
+	const replacements = [];
+	for (const call of triggerCalls) if (call.kind === "workflow" && call.authInvoker) {
+		const workflowName = localWorkflowNameMap.get(call.identifierName);
+		if (workflowName) {
+			const authInvokerExpr = call.authInvoker.isShorthand ? "authInvoker" : call.authInvoker.valueText;
+			const transformedCall = `tailor.workflow.triggerWorkflow("${workflowName}", ${call.argsText || "undefined"}, { authInvoker: ${authInvokerExpr} })`;
+			replacements.push({
+				start: call.callRange.start,
+				end: call.callRange.end,
+				text: transformedCall
+			});
+		}
+	} else if (call.kind === "job") {
+		const jobName = jobNameMap.get(call.identifierName);
+		if (jobName) {
+			const transformedCall = `tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"})`;
+			const range = call.hasAwait && call.fullRange ? call.fullRange : call.callRange;
+			replacements.push({
+				start: range.start,
+				end: range.end,
+				text: transformedCall
+			});
+		}
+	}
+	return applyReplacements(source, replacements);
+}
+
+//#endregion
+//#region src/cli/shared/trigger-context.ts
+/**
+* Normalize a file path by removing extension and resolving to absolute path
+* @param filePath - File path to normalize
+* @returns Normalized absolute path without extension
+*/
+function normalizeFilePath(filePath) {
+	const absolutePath = path.resolve(filePath);
+	const ext = path.extname(absolutePath);
+	return absolutePath.slice(0, -ext.length);
+}
+/**
+* Build trigger context from workflow configuration
+* Scans workflow files to collect workflow and job mappings
+* @param workflowConfig - Workflow file loading configuration
+* @returns Trigger context built from workflow sources
+*/
+async function buildTriggerContext(workflowConfig) {
+	const workflowNameMap = /* @__PURE__ */ new Map();
+	const jobNameMap = /* @__PURE__ */ new Map();
+	const workflowFileMap = /* @__PURE__ */ new Map();
+	if (!workflowConfig) return {
+		workflowNameMap,
+		jobNameMap,
+		workflowFileMap
+	};
+	const workflowFiles = loadFilesWithIgnores(workflowConfig);
+	for (const file of workflowFiles) try {
+		const source = await fs$1.promises.readFile(file, "utf-8");
+		const { program } = parseSync("input.ts", source);
+		const workflows = findAllWorkflows(program, source);
+		const workflowMap = buildWorkflowNameMap(workflows);
+		for (const [exportName, workflowName] of workflowMap) workflowNameMap.set(exportName, workflowName);
+		for (const workflow of workflows) if (workflow.isDefaultExport) {
+			const normalizedPath = normalizeFilePath(file);
+			workflowFileMap.set(normalizedPath, workflow.name);
+		}
+		const jobMap = buildJobNameMap(findAllJobs(program, source));
+		for (const [exportName, jobName] of jobMap) jobNameMap.set(exportName, jobName);
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : String(error);
+		logger.warn(`Failed to process workflow file ${file}: ${errorMessage}`, { mode: "stream" });
+		continue;
+	}
+	return {
+		workflowNameMap,
+		jobNameMap,
+		workflowFileMap
+	};
+}
+function sortedMapToJson(m) {
+	return JSON.stringify([...m.entries()].sort(([a], [b]) => a.localeCompare(b)));
+}
+/**
+* Serialize trigger context to a deterministic string for cache hashing.
+* Returns an empty string if no context is provided.
+* @param ctx - Trigger context to serialize
+* @returns Deterministic string representation
+*/
+function serializeTriggerContext(ctx) {
+	if (!ctx) return "";
+	return sortedMapToJson(ctx.workflowNameMap) + sortedMapToJson(ctx.jobNameMap) + sortedMapToJson(ctx.workflowFileMap);
+}
+/**
+* Create a rolldown plugin for transforming trigger calls
+* Returns undefined if no trigger context is provided
+* @param triggerContext - Trigger context to use for transformations
+* @returns Rolldown plugin or undefined when no context
+*/
+function createTriggerTransformPlugin(triggerContext) {
+	if (!triggerContext) return;
+	return {
+		name: "trigger-transform",
+		transform: {
+			filter: { id: { include: [/\.ts$/, /\.js$/] } },
+			handler(code, id) {
+				if (!code.includes(".trigger(")) return null;
+				return { code: transformFunctionTriggers(code, triggerContext.workflowNameMap, triggerContext.jobNameMap, triggerContext.workflowFileMap, id) };
+			}
+		}
+	};
+}
+
+//#endregion
+//#region src/cli/services/auth/bundler.ts
+/**
+* Bundle a single auth hook handler into dist/auth-hooks/.
+*
+* Follows the same pattern as the executor bundler:
+* 1. Generate an entry file that re-exports the handler as `main`
+* 2. Bundle with rolldown + tree-shaking
+* @param options - Bundle options
+*/
+async function bundleAuthHooks(options) {
+	const { configPath, authName, handlerAccessPath, triggerContext, cache, inlineSourcemap } = options;
+	logger.newline();
+	logger.log(`Bundling auth hook for ${styles.info(`"${authName}"`)}`);
+	const outputDir = path.resolve(getDistDir(), "auth-hooks");
+	fs$1.mkdirSync(outputDir, { recursive: true });
+	await removeStaleEntryFiles(outputDir);
+	let tsconfig;
+	try {
+		tsconfig = await resolveTSConfig();
+	} catch {
+		tsconfig = void 0;
+	}
+	const functionName = `auth-hook--${authName}--before-login`;
+	const outputPath = path.join(outputDir, `${functionName}.js`);
+	const absoluteConfigPath = path.resolve(configPath);
+	await withCache({
+		cache,
+		kind: "auth-hook",
+		name: functionName,
+		sourceFile: absoluteConfigPath,
+		outputPath,
+		contextHash: computeBundlerContextHash({
+			sourceFile: absoluteConfigPath,
+			serializedTriggerContext: serializeTriggerContext(triggerContext),
+			tsconfig,
+			inlineSourcemap
+		}),
+		async build(cachePlugins) {
+			const entryPath = path.join(outputDir, `${functionName}.entry.js`);
+			const entryContent = ml`
+        import _config from "${absoluteConfigPath}";
+        const __auth_hook_function = _config.${handlerAccessPath};
+        export { __auth_hook_function as main };
+      `;
+			fs$1.writeFileSync(entryPath, entryContent);
+			const triggerPlugin = createTriggerTransformPlugin(triggerContext);
+			const plugins = triggerPlugin ? [triggerPlugin] : [];
+			plugins.push(...cachePlugins);
+			await rolldown.build(rolldown.defineConfig({
+				input: entryPath,
+				output: {
+					file: outputPath,
+					format: "esm",
+					sourcemap: inlineSourcemap ? "inline" : true,
+					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
+					codeSplitting: false
+				},
+				tsconfig,
+				plugins,
+				treeshake: {
+					moduleSideEffects: false,
+					annotations: true,
+					unknownGlobalSideEffects: false
+				},
+				logLevel: "silent"
+			}));
+		}
+	});
+	logger.log(`${styles.success("Bundled")} auth hook for ${styles.info(`"${authName}"`)}`);
+}
+
+//#endregion
+//#region src/parser/service/tailordb/hooks-validate-precompiled-expr.ts
+const PRECOMPILED_EXPR_KEY = "__precompiledScriptExpr";
+/**
+* Attach a precompiled script expression to a function object.
+* @param fn - Function metadata object.
+* @param expr - Precompiled script expression.
+*/
+function setPrecompiledScriptExpr(fn, expr) {
+	fn[PRECOMPILED_EXPR_KEY] = expr;
+}
+/**
+* Read a precompiled script expression from a function object.
+* @param fn - Function metadata object.
+* @returns Precompiled script expression if attached.
+*/
+function getPrecompiledScriptExpr(fn) {
+	const value = fn[PRECOMPILED_EXPR_KEY];
+	return typeof value === "string" ? value : void 0;
+}
+
+//#endregion
+//#region src/parser/service/tailordb/field.ts
+const tailorUserMap = `{ id: user.id, type: user.type, workspaceId: user.workspace_id, attributes: user.attribute_map, attributeList: user.attributes }`;
+/**
+* Convert a function to a string representation.
+* Handles method shorthand syntax (e.g., `create() { ... }`) by converting it to
+* a function expression (e.g., `function create() { ... }`).
+* @param fn - Function to stringify
+* @returns Stringified function source
+*/
+const stringifyFunction = (fn) => {
+	const src = fn.toString().trim();
+	if (/^[a-zA-Z_$][a-zA-Z0-9_$]*\s*\(/.test(src) && !src.startsWith("function") && !src.startsWith("(") && !src.includes("=>")) return `function ${src}`;
+	return src;
+};
+/**
+* Convert a hook function to a script expression.
+* @param fn - Hook function
+* @returns JavaScript expression calling the hook
+*/
+const convertHookToExpr = (fn) => {
+	const precompiledExpr = getPrecompiledScriptExpr(fn);
+	if (precompiledExpr) return precompiledExpr;
+	return `(${stringifyFunction(fn)})({ value: _value, data: _data, user: ${tailorUserMap} })`;
+};
+/**
+* Parse TailorDBField into OperatorFieldConfig.
+* This transforms user-defined functions into script expressions.
+* @param field - TailorDB field definition
+* @returns Parsed operator field configuration
+*/
+function parseFieldConfig(field) {
+	const metadata = field.metadata;
+	const fieldType = field.type;
+	const rawRelation = field.rawRelation;
+	const nestedFields = field.fields;
+	return {
+		type: fieldType,
+		...metadata,
+		rawRelation,
+		...fieldType === "nested" && nestedFields && Object.keys(nestedFields).length > 0 ? { fields: Object.entries(nestedFields).reduce((acc, [key, nestedField]) => {
+			acc[key] = parseFieldConfig(nestedField);
+			return acc;
+		}, {}) } : {},
+		validate: metadata.validate?.map((v) => {
+			const { fn, message } = typeof v === "function" ? {
+				fn: v,
+				message: `failed by \`${v.toString().trim()}\``
+			} : {
+				fn: v[0],
+				message: v[1]
+			};
+			return {
+				script: { expr: getPrecompiledScriptExpr(fn) ?? `(${fn.toString().trim()})({ value: _value, data: _data, user: ${tailorUserMap} })` },
+				errorMessage: message
+			};
+		}),
+		hooks: metadata.hooks ? {
+			create: metadata.hooks.create ? { expr: convertHookToExpr(metadata.hooks.create) } : void 0,
+			update: metadata.hooks.update ? { expr: convertHookToExpr(metadata.hooks.update) } : void 0
+		} : void 0,
+		serial: metadata.serial ? {
+			start: metadata.serial.start,
+			maxValue: metadata.serial.maxValue,
+			format: "format" in metadata.serial ? metadata.serial.format : void 0
+		} : void 0
+	};
+}
+
+//#endregion
+//#region src/parser/service/tailordb/permission.ts
+const operatorMap = {
+	"=": "eq",
+	"!=": "ne",
+	in: "in",
+	"not in": "nin",
+	hasAny: "hasAny",
+	"not hasAny": "nhasAny"
+};
+function normalizeOperand(operand) {
+	if (typeof operand === "object" && "user" in operand) return { user: operand.user === "id" ? "_id" : operand.user };
+	return operand;
+}
+function normalizeConditions(conditions) {
+	return conditions.map((cond) => {
+		const [left, operator, right] = cond;
+		return [
+			normalizeOperand(left),
+			operatorMap[operator],
+			normalizeOperand(right)
+		];
+	});
+}
+function isObjectFormat(p) {
+	return typeof p === "object" && p !== null && "conditions" in p;
+}
+function isSingleArrayConditionFormat(cond) {
+	return cond.length >= 2 && typeof cond[1] === "string";
+}
+/**
+* Normalize record-level permissions into a standard structure.
+* @param permission - Tailor type permission
+* @returns Normalized record permissions
+*/
+function normalizePermission(permission) {
+	return Object.keys(permission).reduce((acc, action) => {
+		acc[action] = permission[action].map((p) => normalizeActionPermission(p));
+		return acc;
+	}, {});
+}
+/**
+* Normalize GraphQL permissions into a standard structure.
+* @param permission - Tailor GQL permission
+* @returns Normalized GQL permissions
+*/
+function normalizeGqlPermission(permission) {
+	return permission.map((policy) => normalizeGqlPolicy(policy));
+}
+function normalizeGqlPolicy(policy) {
+	return {
+		conditions: policy.conditions ? normalizeConditions(policy.conditions) : [],
+		actions: policy.actions === "all" ? ["all"] : policy.actions,
+		permit: policy.permit ? "allow" : "deny",
+		description: policy.description
+	};
+}
+/**
+* Parse raw permissions into normalized permissions.
+* This is the main entry point for permission parsing in the parser layer.
+* @param rawPermissions - Raw permissions definition
+* @returns Normalized permissions
+*/
+function parsePermissions(rawPermissions) {
+	return {
+		...rawPermissions.record && { record: normalizePermission(rawPermissions.record) },
+		...rawPermissions.gql && { gql: normalizeGqlPermission(rawPermissions.gql) }
+	};
+}
+/**
+* Normalize a single action permission into the standard format.
+* @param permission - Raw permission definition
+* @returns Normalized action permission
+*/
+function normalizeActionPermission(permission) {
+	if (isObjectFormat(permission)) {
+		const conditions = permission.conditions;
+		return {
+			conditions: normalizeConditions(isSingleArrayConditionFormat(conditions) ? [conditions] : conditions),
+			permit: permission.permit ? "allow" : "deny",
+			description: permission.description
+		};
+	}
+	if (!Array.isArray(permission)) throw new Error("Invalid permission format");
+	if (isSingleArrayConditionFormat(permission)) {
+		const [op1, operator, op2, permit] = [...permission, true];
+		return {
+			conditions: normalizeConditions([[
+				op1,
+				operator,
+				op2
+			]]),
+			permit: permit ? "allow" : "deny"
+		};
+	}
+	const conditions = [];
+	const conditionArray = permission;
+	let conditionArrayPermit = true;
+	for (const item of conditionArray) {
+		if (typeof item === "boolean") {
+			conditionArrayPermit = item;
+			continue;
+		}
+		conditions.push(item);
+	}
+	return {
+		conditions: normalizeConditions(conditions),
+		permit: conditionArrayPermit ? "allow" : "deny"
+	};
+}
+
+//#endregion
+//#region src/parser/service/tailordb/relation.ts
+const relationTypes = {
+	"1-1": "1-1",
+	oneToOne: "1-1",
+	"n-1": "n-1",
+	manyToOne: "n-1",
+	"N-1": "n-1",
+	keyOnly: "keyOnly"
+};
+const relationTypesKeys = Object.keys(relationTypes);
+function fieldRef(context) {
+	return `Field "${context.fieldName}" on type "${context.typeName}"`;
+}
+/**
+* Validate relation configuration.
+* @param rawRelation - Raw relation configuration from TailorDB type definition
+* @param context - Context information for the relation (type name, field name, all type names)
+*/
+function validateRelationConfig(rawRelation, context) {
+	if (!rawRelation.type) throw new Error(`${fieldRef(context)} has a relation but is missing the required 'type' property. Valid values: ${relationTypesKeys.join(", ")}.`);
+	if (!(rawRelation.type in relationTypes)) throw new Error(`${fieldRef(context)} has invalid relation type '${rawRelation.type}'. Valid values: ${relationTypesKeys.join(", ")}.`);
+	if (rawRelation.toward.type !== "self" && !context.allTypeNames.has(rawRelation.toward.type)) throw new Error(`${fieldRef(context)} references unknown type "${rawRelation.toward.type}".`);
+}
+/**
+* Process raw relation config and compute derived metadata values.
+* @param rawRelation - Raw relation configuration
+* @param context - Context information for the relation
+* @param isArrayField - Whether the target field is an array field
+* @returns Computed relation metadata to apply to field config
+*/
+function processRelationMetadata(rawRelation, context, isArrayField = false) {
+	const isUnique = relationTypes[rawRelation.type] === "1-1";
+	const key = rawRelation.toward.key ?? "id";
+	const targetTypeName = rawRelation.toward.type === "self" ? context.typeName : rawRelation.toward.type;
+	const shouldSetIndex = !isArrayField;
+	const shouldSetUnique = !isArrayField && isUnique;
+	return {
+		index: shouldSetIndex,
+		foreignKey: true,
+		relationType: rawRelation.type,
+		unique: shouldSetUnique,
+		foreignKeyType: targetTypeName,
+		foreignKeyField: key
+	};
+}
+/**
+* Build relation info for creating forward/backward relationships.
+* Returns undefined for keyOnly relations.
+* @param rawRelation - Raw relation configuration
+* @param context - Context information for the relation
+* @returns Relation information or undefined for keyOnly relations
+*/
+function buildRelationInfo(rawRelation, context) {
+	if (rawRelation.type === "keyOnly") return;
+	const isUnique = relationTypes[rawRelation.type] === "1-1";
+	const key = rawRelation.toward.key ?? "id";
+	const targetTypeName = rawRelation.toward.type === "self" ? context.typeName : rawRelation.toward.type;
+	let forwardName = rawRelation.toward.as;
+	if (!forwardName) if (rawRelation.toward.type === "self") forwardName = context.fieldName.replace(/(ID|Id|id)$/u, "");
+	else forwardName = inflection.camelize(targetTypeName, true);
+	return {
+		targetType: targetTypeName,
+		forwardName,
+		backwardName: rawRelation.backward ?? "",
+		key,
+		unique: isUnique
+	};
+}
+/**
+* Apply processed relation metadata to field config.
+* @param fieldConfig - Original operator field configuration
+* @param metadata - Processed relation metadata to apply
+* @returns Field config with relation metadata applied
+*/
+function applyRelationMetadataToFieldConfig(fieldConfig, metadata) {
+	return {
+		...fieldConfig,
+		index: metadata.index,
+		foreignKey: metadata.foreignKey,
+		unique: metadata.unique,
+		foreignKeyType: metadata.foreignKeyType,
+		foreignKeyField: metadata.foreignKeyField
+	};
+}
+
+//#endregion
+//#region src/parser/service/tailordb/type-parser.ts
+/**
+* Parse multiple TailorDB types, build relationships, and validate uniqueness.
+* This is the main entry point for parsing TailorDB types.
+* @param rawTypes - Raw TailorDB types keyed by name
+* @param namespace - TailorDB namespace name
+* @param typeSourceInfo - Optional type source information
+* @returns Parsed types
+*/
+function parseTypes(rawTypes, namespace, typeSourceInfo) {
+	const types = {};
+	const allTypeNames = new Set(Object.keys(rawTypes));
+	for (const [typeName, type] of Object.entries(rawTypes)) types[typeName] = parseTailorDBType(type, allTypeNames, rawTypes);
+	buildBackwardRelationships(types, namespace, typeSourceInfo);
+	validatePluralFormUniqueness(types, namespace, typeSourceInfo);
+	return types;
+}
+/**
+* Parse a TailorDBTypeSchemaOutput into a TailorDBType.
+* @param type - TailorDB type to parse
+* @param allTypeNames - Set of all TailorDB type names
+* @param rawTypes - All raw TailorDB types keyed by name
+* @returns Parsed TailorDB type
+*/
+function parseTailorDBType(type, allTypeNames, rawTypes) {
+	const metadata = type.metadata;
+	const pluralForm = metadata.settings?.pluralForm || inflection.pluralize(type.name);
+	const fields = {};
+	const forwardRelationships = {};
+	for (const [fieldName, fieldDef] of Object.entries(type.fields)) {
+		let fieldConfig = parseFieldConfig(fieldDef);
+		const rawRelation = fieldConfig.rawRelation;
+		const context = {
+			typeName: type.name,
+			fieldName,
+			allTypeNames
+		};
+		if (rawRelation) {
+			validateRelationConfig(rawRelation, context);
+			if ([
+				"n-1",
+				"manyToOne",
+				"N-1"
+			].includes(rawRelation.type) && fieldConfig.unique) throw new Error(`Field "${fieldName}" on type "${type.name}": cannot set unique on n-1 (manyToOne) relation. Use 1-1 (oneToOne) relation instead, or remove the unique constraint.`);
+			const relationMetadata = processRelationMetadata(rawRelation, context, fieldConfig.array);
+			fieldConfig = applyRelationMetadataToFieldConfig(fieldConfig, relationMetadata);
+		}
+		if (fieldConfig.array && fieldConfig.index) throw new Error(`Field "${fieldName}" on type "${type.name}": index cannot be set on array fields`);
+		if (fieldConfig.array && fieldConfig.unique) throw new Error(`Field "${fieldName}" on type "${type.name}": unique cannot be set on array fields`);
+		const parsedField = {
+			name: fieldName,
+			config: fieldConfig
+		};
+		const relationInfo = rawRelation ? buildRelationInfo(rawRelation, context) : void 0;
+		if (relationInfo) {
+			parsedField.relation = { ...relationInfo };
+			const targetType = rawTypes[relationInfo.targetType];
+			forwardRelationships[relationInfo.forwardName] = {
+				name: relationInfo.forwardName,
+				targetType: relationInfo.targetType,
+				targetField: fieldName,
+				sourceField: relationInfo.key,
+				isArray: false,
+				description: targetType?.metadata?.description || ""
+			};
+		}
+		fields[fieldName] = parsedField;
+	}
+	return {
+		name: type.name,
+		pluralForm,
+		description: metadata.description,
+		fields,
+		forwardRelationships,
+		backwardRelationships: {},
+		settings: metadata.settings || {},
+		permissions: parsePermissions(metadata.permissions || {}),
+		indexes: metadata.indexes,
+		files: metadata.files
+	};
+}
+/**
+* Build backward relationships between parsed types.
+* Also validates that backward relation names are unique within each type.
+* @param types - Parsed types
+* @param namespace - TailorDB namespace name
+* @param typeSourceInfo - Optional type source information
+*/
+function buildBackwardRelationships(types, namespace, typeSourceInfo) {
+	const backwardNameSources = {};
+	for (const typeName of Object.keys(types)) backwardNameSources[typeName] = {};
+	for (const [typeName, type] of Object.entries(types)) for (const [otherTypeName, otherType] of Object.entries(types)) for (const [fieldName, field] of Object.entries(otherType.fields)) if (field.relation && field.relation.targetType === typeName) {
+		let backwardName = field.relation.backwardName;
+		if (!backwardName) {
+			const lowerName = inflection.camelize(otherTypeName, true);
+			backwardName = field.relation.unique ? inflection.singularize(lowerName) : inflection.pluralize(lowerName);
+		}
+		if (!backwardNameSources[typeName][backwardName]) backwardNameSources[typeName][backwardName] = [];
+		backwardNameSources[typeName][backwardName].push({
+			sourceType: otherTypeName,
+			fieldName
+		});
+		type.backwardRelationships[backwardName] = {
+			name: backwardName,
+			targetType: otherTypeName,
+			targetField: fieldName,
+			sourceField: field.relation.key,
+			isArray: !field.relation.unique,
+			description: otherType.description || ""
+		};
+	}
+	const errors = [];
+	for (const [targetTypeName, backwardNames] of Object.entries(backwardNameSources)) {
+		const targetType = types[targetTypeName];
+		const targetTypeSourceInfo = typeSourceInfo?.[targetTypeName];
+		const targetLocation = targetTypeSourceInfo ? isPluginGeneratedType(targetTypeSourceInfo) ? ` (plugin: ${targetTypeSourceInfo.pluginId})` : ` (${targetTypeSourceInfo.filePath})` : "";
+		for (const [backwardName, sources] of Object.entries(backwardNames)) {
+			if (sources.length > 1) {
+				const sourceList = sources.map((s) => {
+					const sourceInfo = typeSourceInfo?.[s.sourceType];
+					const location = sourceInfo ? isPluginGeneratedType(sourceInfo) ? ` (plugin: ${sourceInfo.pluginId})` : ` (${sourceInfo.filePath})` : "";
+					return `${s.sourceType}.${s.fieldName}${location}`;
+				}).join(", ");
+				errors.push(`Backward relation name "${backwardName}" on type "${targetTypeName}" is duplicated from: ${sourceList}. Use the "backward" option in .relation() to specify unique names.`);
+			}
+			if (backwardName in targetType.fields) {
+				const source = sources[0];
+				const sourceInfo = typeSourceInfo?.[source.sourceType];
+				const sourceLocation = sourceInfo ? isPluginGeneratedType(sourceInfo) ? ` (plugin: ${sourceInfo.pluginId})` : ` (${sourceInfo.filePath})` : "";
+				errors.push(`Backward relation name "${backwardName}" from ${source.sourceType}.${source.fieldName}${sourceLocation} conflicts with existing field "${backwardName}" on type "${targetTypeName}"${targetLocation}. Use the "backward" option in .relation() to specify a different name.`);
+			}
+			if (targetType.files && backwardName in targetType.files) {
+				const source = sources[0];
+				const sourceInfo = typeSourceInfo?.[source.sourceType];
+				const sourceLocation = sourceInfo ? isPluginGeneratedType(sourceInfo) ? ` (plugin: ${sourceInfo.pluginId})` : ` (${sourceInfo.filePath})` : "";
+				errors.push(`Backward relation name "${backwardName}" from ${source.sourceType}.${source.fieldName}${sourceLocation} conflicts with files field "${backwardName}" on type "${targetTypeName}"${targetLocation}. Use the "backward" option in .relation() to specify a different name.`);
+			}
+		}
+	}
+	if (errors.length > 0) throw new Error(`Backward relation name conflicts detected in TailorDB service "${namespace}".\n${errors.map((e) => `  - ${e}`).join("\n")}`);
+}
+/**
+* Validate GraphQL query field name uniqueness.
+* Checks for:
+* 1. Each type's singular query name != plural query name
+* 2. No duplicate query names across all types
+* @param types - Parsed types
+* @param namespace - TailorDB namespace name
+* @param typeSourceInfo - Optional type source information
+*/
+function validatePluralFormUniqueness(types, namespace, typeSourceInfo) {
+	const errors = [];
+	for (const [, parsedType] of Object.entries(types)) {
+		const singularQuery = inflection.camelize(parsedType.name, true);
+		if (singularQuery === inflection.camelize(parsedType.pluralForm, true)) {
+			const sourceInfo = typeSourceInfo?.[parsedType.name];
+			const location = sourceInfo ? isPluginGeneratedType(sourceInfo) ? ` (plugin: ${sourceInfo.pluginId})` : ` (${sourceInfo.filePath})` : "";
+			errors.push(`Type "${parsedType.name}"${location} has identical singular and plural query names "${singularQuery}". Use db.type(["${parsedType.name}", "UniquePluralForm"], {...}) to set a unique pluralForm.`);
+		}
+	}
+	const queryNameToSource = {};
+	for (const parsedType of Object.values(types)) {
+		const singularQuery = inflection.camelize(parsedType.name, true);
+		const pluralQuery = inflection.camelize(parsedType.pluralForm, true);
+		if (!queryNameToSource[singularQuery]) queryNameToSource[singularQuery] = [];
+		queryNameToSource[singularQuery].push({
+			typeName: parsedType.name,
+			kind: "singular"
+		});
+		if (singularQuery !== pluralQuery) {
+			if (!queryNameToSource[pluralQuery]) queryNameToSource[pluralQuery] = [];
+			queryNameToSource[pluralQuery].push({
+				typeName: parsedType.name,
+				kind: "plural"
+			});
+		}
+	}
+	const duplicates = Object.entries(queryNameToSource).filter(([, sources]) => sources.length > 1);
+	for (const [queryName, sources] of duplicates) {
+		const sourceList = sources.map((s) => {
+			const sourceInfo = typeSourceInfo?.[s.typeName];
+			const location = sourceInfo ? isPluginGeneratedType(sourceInfo) ? ` (plugin: ${sourceInfo.pluginId})` : ` (${sourceInfo.filePath})` : "";
+			return `"${s.typeName}"${location} (${s.kind})`;
+		}).join(", ");
+		errors.push(`GraphQL query field "${queryName}" conflicts between: ${sourceList}`);
+	}
+	if (errors.length > 0) throw new Error(`GraphQL field name conflicts detected in TailorDB service "${namespace}".\n${errors.map((e) => `  - ${e}`).join("\n")}`);
+}
+
+//#endregion
+//#region src/parser/service/common.ts
+const functionSchema = z.custom((val) => typeof val === "function");
+
+//#endregion
+//#region src/parser/service/tailordb/schema.ts
+/**
+* Normalize GqlOperationsConfig (alias or object) to GqlOperations object.
+* "query" alias expands to read-only mode: { create: false, update: false, delete: false, read: true }
+* @param config - The config to normalize
+* @returns The normalized GqlOperations object
+*/
+function normalizeGqlOperations(config) {
+	if (config === "query") return {
+		create: false,
+		update: false,
+		delete: false,
+		read: true
+	};
+	return config;
+}
+/**
+* Zod schema for GqlOperations configuration with normalization transform.
+* Accepts "query" alias or detailed object, normalizes to GqlOperations object.
+*/
+const GqlOperationsSchema = z.union([z.literal("query"), z.object({
+	create: z.boolean().optional().describe("Enable create mutation (default: true)"),
+	update: z.boolean().optional().describe("Enable update mutation (default: true)"),
+	delete: z.boolean().optional().describe("Enable delete mutation (default: true)"),
+	read: z.boolean().optional().describe("Enable read queries - get, list, aggregation (default: true)")
+})]).describe("Configuration for GraphQL operations on a TailorDB type.\nAll operations are enabled by default (undefined or true = enabled, false = disabled).").transform((val) => normalizeGqlOperations(val));
+const TailorFieldTypeSchema$1 = z.enum([
+	"uuid",
+	"string",
+	"boolean",
+	"integer",
+	"float",
+	"decimal",
+	"enum",
+	"date",
+	"datetime",
+	"time",
+	"nested"
+]);
+const AllowedValueSchema$1 = z.object({
+	value: z.string(),
+	description: z.string().optional()
+});
+const DBFieldMetadataSchema = z.object({
+	required: z.boolean().optional().describe("Whether the field is required"),
+	array: z.boolean().optional().describe("Whether the field is an array"),
+	description: z.string().optional().describe("Field description"),
+	typeName: z.string().optional().describe("Type name for nested or enum fields"),
+	allowedValues: z.array(AllowedValueSchema$1).optional().describe("Allowed values for enum fields"),
+	index: z.boolean().optional().describe("Whether the field is indexed for faster queries"),
+	unique: z.boolean().optional().describe("Whether the field value must be unique"),
+	vector: z.boolean().optional().describe("Whether the field is a vector field for similarity search"),
+	foreignKey: z.boolean().optional().describe("Whether the field is a foreign key"),
+	foreignKeyType: z.string().optional().describe("Target type name for foreign key relations"),
+	foreignKeyField: z.string().optional().describe("Target field name for foreign key relations"),
+	hooks: z.object({
+		create: functionSchema.optional().describe("Hook function called on record creation"),
+		update: functionSchema.optional().describe("Hook function called on record update")
+	}).optional().describe("Lifecycle hooks for the field"),
+	validate: z.array(z.union([functionSchema, z.tuple([functionSchema, z.string()])])).optional().describe("Validation functions for the field"),
+	serial: z.object({
+		start: z.number().describe("Starting value for the serial sequence"),
+		maxValue: z.number().optional().describe("Maximum value for the serial sequence"),
+		format: z.string().optional().describe("Format string for serial value (string type only)")
+	}).optional().describe("Serial (auto-increment) configuration"),
+	scale: z.number().int().min(0).max(12).optional().describe("Decimal scale (number of digits after decimal point, 0-12)")
+});
+const RelationTypeSchema = z.enum(relationTypesKeys);
+const RawRelationConfigSchema = z.object({
+	type: RelationTypeSchema.describe("Relation cardinality type"),
+	toward: z.object({
+		type: z.string().describe("Target type name, or 'self' for self-relations"),
+		as: z.string().optional().describe("Custom forward relation name"),
+		key: z.string().optional().describe("Target field to join on (default: 'id')")
+	}),
+	backward: z.string().optional().describe("Backward relation name on the target type")
+});
+const TailorDBFieldSchema = z.lazy(() => z.object({
+	type: TailorFieldTypeSchema$1,
+	fields: z.record(z.string(), TailorDBFieldSchema).optional(),
+	metadata: DBFieldMetadataSchema,
+	rawRelation: RawRelationConfigSchema.optional()
+}));
+/**
+* Schema for TailorDB type settings.
+* Normalizes gqlOperations from alias ("query") to object format.
+*/
+const TailorDBTypeSettingsSchema = z.object({
+	pluralForm: z.string().optional().describe("Custom plural form of the type name for GraphQL"),
+	aggregation: z.boolean().optional().describe("Enable aggregation queries for this type"),
+	bulkUpsert: z.boolean().optional().describe("Enable bulk upsert mutation for this type"),
+	gqlOperations: GqlOperationsSchema.optional().describe("Configure GraphQL operations for this type. Use \"query\" for read-only mode, or an object for granular control."),
+	publishEvents: z.boolean().optional().describe("Enable publishing events for this type.\nWhen enabled, record creation/update/deletion events are published.\nIf not specified, this is automatically set to true when an executor uses this type\nwith recordCreated/recordUpdated/recordDeleted triggers. If explicitly set to false\nwhile an executor uses this type, an error will be thrown during apply.")
+});
+const GQL_PERMISSION_INVALID_OPERAND_MESSAGE = "operand is not supported in gqlPermission. Use permission() for record-level conditions.";
+const GqlPermissionOperandSchema = z.union([
+	z.object({ user: z.string() }).strict(),
+	z.string(),
+	z.boolean(),
+	z.array(z.string()),
+	z.array(z.boolean())
+], { error: (issue) => {
+	if (typeof issue.input === "object" && issue.input !== null) {
+		const keys = Object.keys(issue.input);
+		if (keys.length === 1) return `"${keys[0]}" ${GQL_PERMISSION_INVALID_OPERAND_MESSAGE}`;
+		return "Operand object must have exactly 1 key";
+	}
+	return "Invalid operand in gqlPermission";
+} });
+const RecordPermissionOperandSchema = z.union([
+	GqlPermissionOperandSchema,
+	z.object({ record: z.string() }),
+	z.object({ oldRecord: z.string() }),
+	z.object({ newRecord: z.string() })
+]);
+const PermissionOperatorSchema = z.enum([
+	"=",
+	"!=",
+	"in",
+	"not in",
+	"hasAny",
+	"not hasAny"
+]);
+const RecordPermissionConditionSchema = z.tuple([
+	RecordPermissionOperandSchema,
+	PermissionOperatorSchema,
+	RecordPermissionOperandSchema
+]).readonly();
+const GqlPermissionConditionSchema = z.tuple([
+	GqlPermissionOperandSchema,
+	PermissionOperatorSchema,
+	GqlPermissionOperandSchema
+]).readonly();
+const ActionPermissionSchema = z.union([
+	z.object({
+		conditions: z.union([RecordPermissionConditionSchema, z.array(RecordPermissionConditionSchema).readonly()]),
+		description: z.string().optional(),
+		permit: z.boolean().optional()
+	}),
+	z.tuple([
+		RecordPermissionOperandSchema,
+		PermissionOperatorSchema,
+		RecordPermissionOperandSchema
+	]).readonly(),
+	z.tuple([
+		RecordPermissionOperandSchema,
+		PermissionOperatorSchema,
+		RecordPermissionOperandSchema,
+		z.boolean()
+	]).readonly(),
+	z.array(z.union([RecordPermissionConditionSchema, z.boolean()])).refine((arr) => {
+		const boolIndex = arr.findIndex((item) => typeof item === "boolean");
+		return boolIndex === -1 || boolIndex === arr.length - 1;
+	}, { message: "Boolean permit flag must only appear at the end" }).readonly()
+]);
+const GqlPermissionActionSchema = z.enum([
+	"read",
+	"create",
+	"update",
+	"delete",
+	"aggregate",
+	"bulkUpsert"
+]);
+const GqlPermissionPolicySchema = z.object({
+	conditions: z.array(GqlPermissionConditionSchema).readonly(),
+	actions: z.union([z.literal("all"), z.array(GqlPermissionActionSchema).readonly()]),
+	permit: z.boolean().optional(),
+	description: z.string().optional()
+});
+const RawPermissionsSchema = z.object({
+	record: z.object({
+		create: z.array(ActionPermissionSchema).readonly(),
+		read: z.array(ActionPermissionSchema).readonly(),
+		update: z.array(ActionPermissionSchema).readonly(),
+		delete: z.array(ActionPermissionSchema).readonly()
+	}).optional(),
+	gql: z.array(GqlPermissionPolicySchema).readonly().optional()
+});
+const TailorDBTypeSchema = z.object({
+	name: z.string(),
+	fields: z.record(z.string(), TailorDBFieldSchema),
+	metadata: z.object({
+		name: z.string(),
+		description: z.string().optional(),
+		settings: TailorDBTypeSettingsSchema.optional(),
+		permissions: RawPermissionsSchema,
+		files: z.record(z.string(), z.string()),
+		indexes: z.record(z.string(), z.object({
+			fields: z.array(z.string()),
+			unique: z.boolean().optional()
+		})).optional()
+	})
+});
+const TailorDBMigrationConfigSchema = z.object({
+	directory: z.string().describe("Directory containing migration files"),
+	machineUser: z.string().optional().describe("Machine user name for migration execution")
+});
+/**
+* Schema for TailorDB service configuration.
+* Normalizes gqlOperations from alias ("query") to object format.
+*/
+const TailorDBServiceConfigSchema = z.object({
+	files: z.array(z.string()).describe("Glob patterns for TailorDB type definition files"),
+	ignores: z.array(z.string()).optional().describe("Glob patterns to exclude from type discovery"),
+	erdSite: z.string().optional().describe("URL for the ERD (Entity Relationship Diagram) site"),
+	migration: TailorDBMigrationConfigSchema.optional().describe("Migration configuration"),
+	gqlOperations: GqlOperationsSchema.optional().describe("Default GraphQL operations for all types in this service")
+});
+
+//#endregion
+//#region src/cli/services/tailordb/es-builtins.ts
+const globalsMap = globals.default ?? globals;
+/**
+* Runtime globals available in the PF execution environment.
+* Identifiers in this set are excluded from free variable detection
+* since they are always available in the runtime environment.
+*
+* Combines globals.builtin (ECMAScript language builtins) and
+* globals['shared-node-browser'] (shared runtime globals like
+* console, fetch, setTimeout, etc.) from the `globals` npm package.
+*/
+const ES_BUILTINS = new Set([...Object.keys(globalsMap.builtin ?? {}), ...Object.keys(globalsMap["shared-node-browser"] ?? {})]);
+
+//#endregion
+//#region src/cli/services/tailordb/hooks-validate-bundler.ts
+/**
+* Recursively extract binding names from a destructuring pattern node.
+* @param pattern - The binding pattern AST node.
+* @param bindings - Set to collect binding names into.
+*/
+function collectBindingsFromPattern(pattern, bindings) {
+	switch (pattern.type) {
+		case "Identifier":
+			bindings.add(pattern.name);
+			break;
+		case "ObjectPattern":
+			for (const prop of pattern.properties) if (prop.type === "RestElement") collectBindingsFromPattern(prop.argument, bindings);
+			else collectBindingsFromPattern(prop.value, bindings);
+			break;
+		case "ArrayPattern":
+			for (const elem of pattern.elements) if (elem) if (elem.type === "RestElement") collectBindingsFromPattern(elem.argument, bindings);
+			else collectBindingsFromPattern(elem, bindings);
+			break;
+		case "AssignmentPattern":
+			collectBindingsFromPattern(pattern.left, bindings);
+			break;
+	}
+}
+/** Fields that contain TypeScript type annotations (not runtime references). */
+const TS_TYPE_FIELDS = new Set([
+	"typeAnnotation",
+	"typeParameters",
+	"returnType",
+	"superTypeArguments",
+	"typeArguments"
+]);
+function isBindingPattern(param) {
+	return param.type !== "TSParameterProperty";
+}
+function toScriptFunction(value) {
+	if (typeof value !== "function") return void 0;
+	return value;
+}
+function collectScriptTargets(type) {
+	const targets = [];
+	const collectFieldTargets = (field) => {
+		const metadata = field.metadata;
+		const createHook = toScriptFunction(metadata.hooks?.create);
+		if (createHook) targets.push({
+			fn: createHook,
+			kind: "hooks"
+		});
+		const updateHook = toScriptFunction(metadata.hooks?.update);
+		if (updateHook) targets.push({
+			fn: updateHook,
+			kind: "hooks"
+		});
+		for (const validateInput of metadata.validate ?? []) if (typeof validateInput === "function") {
+			const validateFn = toScriptFunction(validateInput);
+			if (validateFn) targets.push({
+				fn: validateFn,
+				kind: "validate"
+			});
+		} else {
+			const validateFn = toScriptFunction(validateInput[0]);
+			if (validateFn) targets.push({
+				fn: validateFn,
+				kind: "validate"
+			});
+		}
+		if (field.type === "nested" && field.fields) for (const nestedField of Object.values(field.fields)) collectFieldTargets(nestedField);
+	};
+	for (const field of Object.values(type.fields)) collectFieldTargets(field);
+	return targets;
+}
+/**
+* Parse a code string with oxc-parser and return identifiers that are referenced
+* but never bound anywhere in the snippet (free variables), excluding ES builtins.
+* @param code - Valid JavaScript code to analyze.
+* @returns Set of undefined variable names.
+*/
+function findUndefinedReferences(code) {
+	const { program } = parseSync("_.js", code);
+	const references = /* @__PURE__ */ new Set();
+	const bindings = /* @__PURE__ */ new Set();
+	const walk = (node) => {
+		if (!node) return;
+		switch (node.type) {
+			case "VariableDeclarator":
+				collectBindingsFromPattern(node.id, bindings);
+				walk(node.init);
+				return;
+			case "FunctionDeclaration":
+			case "FunctionExpression":
+				if (node.id) bindings.add(node.id.name);
+				for (const param of node.params) if (isBindingPattern(param)) {
+					collectBindingsFromPattern(param, bindings);
+					walk(param);
+				}
+				walk(node.body);
+				return;
+			case "ArrowFunctionExpression":
+				for (const param of node.params) if (isBindingPattern(param)) {
+					collectBindingsFromPattern(param, bindings);
+					walk(param);
+				}
+				walk(node.body);
+				return;
+			case "ClassDeclaration":
+			case "ClassExpression":
+				if (node.id) bindings.add(node.id.name);
+				walk(node.superClass);
+				walk(node.body);
+				return;
+			case "CatchClause":
+				if (node.param) collectBindingsFromPattern(node.param, bindings);
+				walk(node.body);
+				return;
+			case "MemberExpression":
+				walk(node.object);
+				if (node.computed) walk(node.property);
+				return;
+			case "Property":
+				if (node.computed) walk(node.key);
+				walk(node.value);
+				return;
+			case "LabeledStatement":
+				walk(node.body);
+				return;
+			case "Identifier":
+				references.add(node.name);
+				return;
+		}
+		const rec = node;
+		for (const [key, value] of Object.entries(rec)) {
+			if (key === "type" || TS_TYPE_FIELDS.has(key)) continue;
+			if (Array.isArray(value)) for (const item of value) walk(item);
+			else if (value && typeof value === "object" && "type" in value) walk(value);
+		}
+	};
+	walk(program);
+	const freeVars = /* @__PURE__ */ new Set();
+	for (const ref of references) if (!bindings.has(ref) && !ES_BUILTINS.has(ref)) freeVars.add(ref);
+	return freeVars;
+}
+/**
+* Collect all Identifier names from a TypeScript/JavaScript code string using oxc-parser.
+* @param code - Code string to analyze.
+* @returns Set of identifier names found in the code.
+*/
+function collectIdentifierNames(code) {
+	const { program } = parseSync("_.ts", code);
+	const names = /* @__PURE__ */ new Set();
+	const walk = (node) => {
+		if (!node || typeof node !== "object") return;
+		const record = node;
+		if (record.type === "Identifier" && typeof record.name === "string") names.add(record.name);
+		for (const [key, value] of Object.entries(record)) {
+			if (key === "property" && record.type === "MemberExpression" && !record.computed) continue;
+			if (key === "key" && record.type === "Property" && !record.computed) continue;
+			if (TS_TYPE_FIELDS.has(key)) continue;
+			if (Array.isArray(value)) for (const item of value) walk(item);
+			else if (value && typeof value === "object" && "type" in value) walk(value);
+		}
+	};
+	walk(program);
+	return names;
+}
+/**
+* Collect top-level bindings (imports and declarations) from a TypeScript source file.
+* @param sourceFilePath - Absolute path to the source file.
+* @returns Map of binding name to SourceBinding.
+*/
+function collectSourceBindings(sourceFilePath) {
+	const source = readFileSync(sourceFilePath, "utf-8");
+	const { program } = parseSync(sourceFilePath, source);
+	const bindings = /* @__PURE__ */ new Map();
+	for (const stmt of program.body) if (stmt.type === "ImportDeclaration") {
+		const importDecl = stmt;
+		const text = source.slice(importDecl.start, importDecl.end);
+		if (importDecl.specifiers) for (const spec of importDecl.specifiers) bindings.set(spec.local.name, {
+			name: spec.local.name,
+			sourceText: text,
+			kind: "import"
+		});
+	} else if (stmt.type === "VariableDeclaration") {
+		const varDecl = stmt;
+		const text = source.slice(varDecl.start, varDecl.end);
+		for (const decl of varDecl.declarations) if (decl.id.type === "Identifier") bindings.set(decl.id.name, {
+			name: decl.id.name,
+			sourceText: text,
+			kind: "declaration"
+		});
+	} else if (stmt.type === "FunctionDeclaration") {
+		const funcDecl = stmt;
+		if (funcDecl.id) {
+			const text = source.slice(funcDecl.start, funcDecl.end);
+			bindings.set(funcDecl.id.name, {
+				name: funcDecl.id.name,
+				sourceText: text,
+				kind: "declaration"
+			});
+		}
+	} else if (stmt.type === "ExportNamedDeclaration") {
+		const innerDecl = stmt.declaration;
+		if (!innerDecl) continue;
+		if (innerDecl.type === "VariableDeclaration") {
+			const varDecl = innerDecl;
+			const text = source.slice(varDecl.start, varDecl.end);
+			for (const decl of varDecl.declarations) if (decl.id.type === "Identifier") bindings.set(decl.id.name, {
+				name: decl.id.name,
+				sourceText: text,
+				kind: "declaration"
+			});
+		} else if (innerDecl.type === "FunctionDeclaration") {
+			const funcDecl = innerDecl;
+			if (funcDecl.id) {
+				const text = source.slice(funcDecl.start, funcDecl.end);
+				bindings.set(funcDecl.id.name, {
+					name: funcDecl.id.name,
+					sourceText: text,
+					kind: "declaration"
+				});
+			}
+		}
+	}
+	return bindings;
+}
+/**
+* Resolve all bindings needed by a function, recursively including
+* dependencies of top-level declarations.
+* @param freeVars - Set of free variable names extracted from the function.
+* @param sourceBindings - Available bindings from the source file.
+* @returns Object with needed import statements and declaration texts.
+*/
+function resolveNeededBindings(freeVars, sourceBindings) {
+	const neededImports = /* @__PURE__ */ new Set();
+	const neededDeclarations = /* @__PURE__ */ new Set();
+	const unresolved = [];
+	const resolved = /* @__PURE__ */ new Set();
+	const resolveVars = (vars) => {
+		for (const varName of vars) {
+			if (resolved.has(varName)) continue;
+			resolved.add(varName);
+			const binding = sourceBindings.get(varName);
+			if (!binding) {
+				unresolved.push(varName);
+				continue;
+			}
+			if (binding.kind === "import") neededImports.add(binding.sourceText);
+			else {
+				const identifiers = collectIdentifierNames(binding.sourceText);
+				const referencedVars = /* @__PURE__ */ new Set();
+				for (const id of identifiers) if (id !== varName && sourceBindings.has(id)) referencedVars.add(id);
+				resolveVars(referencedVars);
+				neededDeclarations.add(binding.sourceText);
+			}
+		}
+	};
+	resolveVars(freeVars);
+	return {
+		imports: [...neededImports],
+		declarations: [...neededDeclarations],
+		unresolved
+	};
+}
+function buildPrecompiledExpr(bundleCode) {
+	return `(() => {
+  const module = { exports: {} };
+  const exports = module.exports;
+${bundleCode}\n  return module.exports.main({ value: _value, data: _data, user: ${tailorUserMap} });\n})()`;
+}
+/**
+* Build entry file content from already-resolved imports and declarations.
+* @param imports - Import statement texts.
+* @param declarations - Declaration statement texts.
+* @param fnSource - The function source code.
+* @param sourceFilePath - Path to the source file for resolving relative imports.
+* @returns Entry file content string.
+*/
+function buildMinimalEntryFromResolved(imports, declarations, fnSource, sourceFilePath) {
+	const sourceDir = resolve(sourceFilePath, "..").replace(/\\/g, "/");
+	return [
+		...imports.map((imp) => imp.replace(/from\s+["'](\.[^"']+)["']/g, (_match, relPath) => `from "${resolve(sourceDir, relPath).replace(/\\/g, "/")}"`)),
+		...declarations,
+		`export function main(input) { return (${fnSource})(input); }`
+	].join("\n");
+}
+async function bundleScriptTarget(args) {
+	const { fn, kind, sourceFilePath, sourceBindings, tempDir, targetIndex, tsconfig } = args;
+	const fnSource = stringifyFunction(fn);
+	const inlineExpr = `(${fnSource})({ value: _value, data: _data, user: ${tailorUserMap} })`;
+	const freeVars = findUndefinedReferences(`const __fn = ${fnSource};`);
+	if (freeVars.size === 0) return inlineExpr;
+	const { imports, declarations, unresolved } = resolveNeededBindings(freeVars, sourceBindings);
+	if (unresolved.length > 0) throw new Error(`${kind} in ${sourceFilePath} captures unresolvable variables (${unresolved.join(", ")}). Hooks and validators must not reference variables that cannot be resolved from the source file.
+  ${kind}: ${fnSource}`);
+	const entryContent = buildMinimalEntryFromResolved(imports, declarations, fnSource, sourceFilePath);
+	const entryPath = join(tempDir, `tailordb-script-${targetIndex}.entry.ts`);
+	const outputPath = join(tempDir, `tailordb-script-${targetIndex}.bundle.cjs`);
+	writeFileSync(entryPath, entryContent);
+	await rolldown.build(rolldown.defineConfig({
+		input: entryPath,
+		output: {
+			file: outputPath,
+			format: "cjs",
+			sourcemap: false,
+			minify: true,
+			codeSplitting: false
+		},
+		tsconfig,
+		treeshake: {
+			moduleSideEffects: false,
+			annotations: true,
+			unknownGlobalSideEffects: false
+		},
+		logLevel: "silent"
+	}));
+	return buildPrecompiledExpr(readFileSync(outputPath, "utf-8"));
+}
+/**
+* Precompile TailorDB hooks/validators into self-contained script expressions using rolldown.
+* Uses oxc-parser AST walking to extract free variables from functions, then builds
+* minimal entry points containing only the needed imports and declarations.
+* @param type - TailorDB type schema output.
+* @param sourceFilePath - Source file where the type is defined.
+* @param tsconfig - Resolved tsconfig path, or undefined if not found.
+*/
+async function precompileTailorDBTypeScripts(type, sourceFilePath, tsconfig) {
+	const targets = collectScriptTargets(type);
+	if (targets.length === 0) return;
+	const sourceBindings = collectSourceBindings(sourceFilePath);
+	const tempDir = resolve(getDistDir(), "hooks-validate-scripts", type.name);
+	mkdirSync(tempDir, { recursive: true });
+	try {
+		const results = await Promise.allSettled(targets.map((target, index) => bundleScriptTarget({
+			fn: target.fn,
+			kind: target.kind,
+			sourceFilePath,
+			sourceBindings,
+			tempDir,
+			targetIndex: index,
+			tsconfig
+		})));
+		const firstError = results.find((r) => r.status === "rejected");
+		if (firstError && firstError.status === "rejected") throw firstError.reason;
+		for (const [index, result] of results.entries()) if (result.status === "fulfilled") setPrecompiledScriptExpr(targets[index].fn, result.value);
+	} finally {
+		rmSync(tempDir, {
+			recursive: true,
+			force: true
+		});
+	}
+}
+
+//#endregion
+//#region src/cli/services/tailordb/service.ts
+/**
+* Creates a new TailorDBService instance.
+* @param params - Parameters for creating the service
+* @returns A new TailorDBService instance
+*/
+function createTailorDBService(params) {
+	const { namespace, config, pluginManager } = params;
+	const rawTypes = {};
+	let types = {};
+	const typeSourceInfo = {};
+	const pluginAttachments = /* @__PURE__ */ new Map();
+	let loadPromise;
+	const doParseTypes = () => {
+		const allTypes = {};
+		for (const fileTypes of Object.values(rawTypes)) for (const [typeName, type] of Object.entries(fileTypes)) allTypes[typeName] = type;
+		types = parseTypes(allTypes, namespace, typeSourceInfo);
+	};
+	/**
+	* Process plugins for a type and add generated types to rawTypes
+	* @param rawType - The raw TailorDB type being processed
+	* @param attachments - Plugin attachments for this type
+	* @param sourceFilePath - The file path where the type was loaded from
+	*/
+	const processPluginsForType = async (rawType, attachments, sourceFilePath) => {
+		if (!pluginManager) return;
+		let currentType = rawType;
+		for (const attachment of attachments) {
+			const result = await pluginManager.processAttachment({
+				type: currentType,
+				typeConfig: attachment.config,
+				namespace,
+				pluginId: attachment.pluginId
+			});
+			if (!result.success) {
+				logger.error(result.error);
+				throw new Error(result.error);
+			}
+			const output = result.output;
+			const extendFields = output.extends?.fields;
+			if (extendFields && Object.keys(extendFields).length > 0) {
+				const extendedType = pluginManager.extendType({
+					originalType: currentType,
+					extendFields,
+					pluginId: attachment.pluginId
+				});
+				rawTypes[sourceFilePath][currentType.name] = extendedType;
+				currentType = extendedType;
+				logger.log(`  Extended: ${styles.success(currentType.name)} with ${styles.highlight(Object.keys(extendFields).length.toString())} fields by plugin ${styles.info(attachment.pluginId)}`);
+			}
+			const plugin = pluginManager.getPlugin(attachment.pluginId);
+			for (const [kind, generatedType] of Object.entries(output.types ?? {})) {
+				rawTypes[sourceFilePath][generatedType.name] = generatedType;
+				typeSourceInfo[generatedType.name] = {
+					exportName: generatedType.name,
+					pluginId: attachment.pluginId,
+					pluginImportPath: pluginManager.getPluginImportPath(attachment.pluginId) ?? "",
+					originalFilePath: sourceFilePath,
+					originalExportName: typeSourceInfo[rawType.name]?.exportName || rawType.name,
+					generatedTypeKind: kind,
+					pluginConfig: plugin?.pluginConfig,
+					namespace
+				};
+				logger.log(`  Generated: ${styles.success(generatedType.name)} by plugin ${styles.info(attachment.pluginId)}`);
+			}
+		}
+	};
+	const loadTypeFile = async (typeFile, tsconfig) => {
+		rawTypes[typeFile] = {};
+		const loadedTypes = {};
+		try {
+			const module = await import(pathToFileURL(typeFile).href);
+			for (const exportName of Object.keys(module)) {
+				const exportedValue = module[exportName];
+				const result = TailorDBTypeSchema.safeParse(exportedValue);
+				if (!result.success) {
+					if (isSdkBranded(exportedValue, "tailordb-type")) throw result.error;
+					continue;
+				}
+				const relativePath = path.relative(process.cwd(), typeFile);
+				logger.log(`Type: ${styles.successBright(`"${result.data.name}"`)} loaded from ${styles.path(relativePath)}`);
+				await precompileTailorDBTypeScripts(result.data, typeFile, tsconfig);
+				rawTypes[typeFile][result.data.name] = result.data;
+				loadedTypes[result.data.name] = result.data;
+				typeSourceInfo[result.data.name] = {
+					filePath: typeFile,
+					exportName
+				};
+				if (exportedValue.plugins && Array.isArray(exportedValue.plugins) && exportedValue.plugins.length > 0) {
+					pluginAttachments.set(exportedValue.name, [...exportedValue.plugins]);
+					logger.log(`  Plugin attachments: ${styles.info(exportedValue.plugins.map((p) => p.pluginId).join(", "))}`);
+					await processPluginsForType(exportedValue, exportedValue.plugins, typeFile);
+				}
+			}
+		} catch (error) {
+			const relativePath = path.relative(process.cwd(), typeFile);
+			logger.error(`Failed to load type from ${styles.bold(relativePath)}`);
+			logger.error(String(error));
+			throw error;
+		}
+		return loadedTypes;
+	};
+	return {
+		namespace,
+		config,
+		get types() {
+			return types;
+		},
+		get typeSourceInfo() {
+			return typeSourceInfo;
+		},
+		get pluginAttachments() {
+			return pluginAttachments;
+		},
+		loadTypes: async () => {
+			if (!loadPromise) loadPromise = (async () => {
+				if (!config.files || config.files.length === 0) return;
+				const typeFiles = loadFilesWithIgnores(config);
+				let tsconfig;
+				try {
+					tsconfig = await resolveTSConfig();
+				} catch {
+					tsconfig = void 0;
+				}
+				logger.newline();
+				logger.log(`Found ${styles.highlight(typeFiles.length.toString())} type files for TailorDB service ${styles.highlight(`"${namespace}"`)}`);
+				if (pluginManager) for (const typeFile of typeFiles) await loadTypeFile(typeFile, tsconfig);
+				else await Promise.all(typeFiles.map((typeFile) => loadTypeFile(typeFile, tsconfig)));
+				doParseTypes();
+				return types;
+			})();
+			return loadPromise;
+		},
+		processNamespacePlugins: async () => {
+			if (!pluginManager) return;
+			const results = await pluginManager.processNamespacePlugins(namespace);
+			const pluginGeneratedKey = "__plugin_generated__";
+			if (!rawTypes[pluginGeneratedKey]) rawTypes[pluginGeneratedKey] = {};
+			let hasGeneratedTypes = false;
+			for (const { pluginId, config, result } of results) {
+				if (!result.success) {
+					logger.error(result.error);
+					throw new Error(result.error);
+				}
+				const output = result.output;
+				for (const [kind, generatedType] of Object.entries(output.types ?? {})) {
+					rawTypes[pluginGeneratedKey][generatedType.name] = generatedType;
+					hasGeneratedTypes = true;
+					typeSourceInfo[generatedType.name] = {
+						exportName: generatedType.name,
+						pluginId,
+						pluginImportPath: pluginManager.getPluginImportPath(pluginId) ?? "",
+						originalFilePath: "",
+						originalExportName: "",
+						generatedTypeKind: kind,
+						pluginConfig: config,
+						namespace
+					};
+					logger.log(`  Generated: ${styles.success(generatedType.name)} by namespace plugin ${styles.info(pluginId)}`);
+				}
+			}
+			if (hasGeneratedTypes) doParseTypes();
+		}
+	};
+}
+
+//#endregion
+//#region src/parser/service/resolver/schema.ts
+const TailorFieldTypeSchema = z.enum([
+	"uuid",
+	"string",
+	"boolean",
+	"integer",
+	"float",
+	"decimal",
+	"enum",
+	"date",
+	"datetime",
+	"time",
+	"nested"
+]);
+const QueryTypeSchema = z.union([z.literal("query"), z.literal("mutation")]).describe("GraphQL operation type");
+const AllowedValueSchema = z.object({
+	value: z.string().describe("The allowed value"),
+	description: z.string().optional().describe("Description of the allowed value")
+});
+const FieldMetadataSchema = z.object({
+	required: z.boolean().optional().describe("Whether the field is required"),
+	array: z.boolean().optional().describe("Whether the field is an array"),
+	description: z.string().optional().describe("Field description"),
+	allowedValues: z.array(AllowedValueSchema).optional().describe("Allowed values for enum fields"),
+	hooks: z.object({
+		create: functionSchema.optional().describe("Hook function called on creation"),
+		update: functionSchema.optional().describe("Hook function called on update")
+	}).optional().describe("Lifecycle hooks"),
+	typeName: z.string().optional().describe("Type name for nested or enum fields")
+});
+const TailorFieldSchema = z.object({
+	type: TailorFieldTypeSchema.describe("Field data type"),
+	metadata: FieldMetadataSchema.describe("Field metadata configuration"),
+	get fields() {
+		return z.record(z.string(), TailorFieldSchema);
+	}
+});
+const ResolverSchema = z.object({
+	operation: QueryTypeSchema.describe("GraphQL operation type (query or mutation)"),
+	name: z.string().describe("Resolver name"),
+	description: z.string().optional().describe("Resolver description"),
+	input: z.record(z.string(), TailorFieldSchema).optional().describe("Input field definitions"),
+	body: functionSchema.describe("Resolver implementation function"),
+	output: TailorFieldSchema.describe("Output field definition"),
+	publishEvents: z.boolean().optional().describe("Enable publishing events from this resolver"),
+	get authInvoker() {
+		return AuthInvokerSchema.optional().describe("Machine user to execute this resolver as");
+	}
+});
+
+//#endregion
+//#region src/parser/service/auth/schema.ts
+const AuthInvokerSchema = z.object({
+	namespace: z.string().describe("Auth namespace"),
+	machineUserName: z.string().describe("Machine user name for authentication")
+});
+const secretValueSchema = z.object({
+	vaultName: z.string().describe("Vault name containing the secret"),
+	secretKey: z.string().describe("Key of the secret in the vault")
+});
+const OIDCSchema = z.object({
+	name: z.string().describe("Identity provider name"),
+	kind: z.literal("OIDC"),
+	clientID: z.string().describe("OAuth2 client ID"),
+	clientSecret: secretValueSchema.describe("OAuth2 client secret"),
+	providerURL: z.string().describe("OIDC provider URL"),
+	issuerURL: z.string().optional().describe("OIDC issuer URL (defaults to providerURL)"),
+	usernameClaim: z.string().optional().describe("JWT claim to use as username")
+});
+const SAMLSchema = z.object({
+	name: z.string().describe("Identity provider name"),
+	kind: z.literal("SAML"),
+	enableSignRequest: z.boolean().default(false).describe("Enable signing of SAML requests"),
+	metadataURL: z.string().optional().describe("URL to fetch SAML metadata (mutually exclusive with rawMetadata)"),
+	rawMetadata: z.string().optional().describe("Raw SAML metadata XML (mutually exclusive with metadataURL)")
+}).refine((value) => {
+	return value.metadataURL !== void 0 !== (value.rawMetadata !== void 0);
+}, "Provide either metadataURL or rawMetadata");
+const IDTokenSchema = z.object({
+	name: z.string().describe("Identity provider name"),
+	kind: z.literal("IDToken"),
+	providerURL: z.string().describe("ID token provider URL"),
+	issuerURL: z.string().optional().describe("ID token issuer URL"),
+	clientID: z.string().describe("Client ID for ID token validation"),
+	usernameClaim: z.string().optional().describe("JWT claim to use as username")
+});
+const BuiltinIdPSchema = z.object({
+	name: z.string().describe("Identity provider name"),
+	kind: z.literal("BuiltInIdP"),
+	namespace: z.string().describe("IdP namespace"),
+	clientName: z.string().describe("OAuth2 client name in the IdP")
+});
+const IdProviderSchema = z.discriminatedUnion("kind", [
+	OIDCSchema,
+	SAMLSchema,
+	IDTokenSchema,
+	BuiltinIdPSchema
+]);
+const OAuth2ClientGrantTypeSchema = z.union([z.literal("authorization_code"), z.literal("refresh_token")]).describe("OAuth2 grant type");
+const OAuth2ClientSchema = z.object({
+	description: z.string().optional().describe("Client description"),
+	grantTypes: z.array(OAuth2ClientGrantTypeSchema).default(["authorization_code", "refresh_token"]).describe("Allowed OAuth2 grant types"),
+	redirectURIs: z.array(z.union([
+		z.templateLiteral(["https://", z.string()]),
+		z.templateLiteral(["http://", z.string()]),
+		z.templateLiteral([z.string(), ":url"]),
+		z.templateLiteral([
+			z.string(),
+			":url/",
+			z.string()
+		])
+	])).describe("Allowed redirect URIs"),
+	clientType: z.union([
+		z.literal("confidential"),
+		z.literal("public"),
+		z.literal("browser")
+	]).optional().describe("OAuth2 client type"),
+	accessTokenLifetimeSeconds: z.number().int().min(60, "Minimum access token lifetime is 60 seconds").max(86400, "Maximum access token lifetime is 1 day (86400 seconds)").optional().describe("Access token lifetime in seconds (60-86400)").transform((val) => val ? {
+		seconds: BigInt(val),
+		nanos: 0
+	} : void 0),
+	refreshTokenLifetimeSeconds: z.number().int().min(60, "Minimum refresh token lifetime is 60 seconds").max(604800, "Maximum refresh token lifetime is 7 days (604800 seconds)").optional().describe("Refresh token lifetime in seconds (60-604800)").transform((val) => val ? {
+		seconds: BigInt(val),
+		nanos: 0
+	} : void 0),
+	requireDpop: z.boolean().optional().describe("Require DPoP (Demonstrating Proof-of-Possession) for token requests")
+}).refine((data) => !(data.clientType === "browser" && data.requireDpop === true), {
+	message: "requireDpop cannot be set to true for browser clients as they don't support DPoP",
+	path: ["requireDpop"]
+});
+const SCIMAuthorizationSchema = z.object({
+	type: z.union([z.literal("oauth2"), z.literal("bearer")]).describe("SCIM authorization type"),
+	bearerSecret: secretValueSchema.optional().describe("Bearer token secret (required for bearer type)")
+});
+const SCIMAttributeTypeSchema = z.union([
+	z.literal("string"),
+	z.literal("number"),
+	z.literal("boolean"),
+	z.literal("datetime"),
+	z.literal("complex")
+]).describe("SCIM attribute data type");
+const SCIMAttributeSchema = z.object({
+	type: SCIMAttributeTypeSchema.describe("Attribute data type"),
+	name: z.string().describe("Attribute name"),
+	description: z.string().optional().describe("Attribute description"),
+	mutability: z.union([
+		z.literal("readOnly"),
+		z.literal("readWrite"),
+		z.literal("writeOnly")
+	]).optional().describe("Attribute mutability"),
+	required: z.boolean().optional().describe("Whether the attribute is required"),
+	multiValued: z.boolean().optional().describe("Whether the attribute can have multiple values"),
+	uniqueness: z.union([
+		z.literal("none"),
+		z.literal("server"),
+		z.literal("global")
+	]).optional().describe("Uniqueness constraint"),
+	canonicalValues: z.array(z.string()).nullable().optional().describe("List of canonical values"),
+	get subAttributes() {
+		return z.array(SCIMAttributeSchema).nullable().optional();
+	}
+});
+const SCIMSchemaSchema = z.object({
+	name: z.string().describe("SCIM schema name"),
+	attributes: z.array(SCIMAttributeSchema).describe("Schema attributes")
+});
+const SCIMAttributeMappingSchema = z.object({
+	tailorDBField: z.string().describe("TailorDB field name to map to"),
+	scimPath: z.string().describe("SCIM attribute path")
+});
+const SCIMResourceSchema = z.object({
+	name: z.string().describe("SCIM resource name"),
+	tailorDBNamespace: z.string().describe("TailorDB namespace for the resource"),
+	tailorDBType: z.string().describe("TailorDB type name for the resource"),
+	coreSchema: SCIMSchemaSchema.describe("Core SCIM schema definition"),
+	attributeMapping: z.array(SCIMAttributeMappingSchema).describe("Attribute mapping configuration")
+});
+const SCIMSchema = z.object({
+	machineUserName: z.string().describe("Machine user name for SCIM operations"),
+	authorization: SCIMAuthorizationSchema.describe("SCIM authorization configuration"),
+	resources: z.array(SCIMResourceSchema).describe("SCIM resource definitions")
+});
+const TenantProviderSchema = z.object({
+	namespace: z.string().describe("TailorDB namespace for the tenant type"),
+	type: z.string().describe("TailorDB type name for tenants"),
+	signatureField: z.string().describe("Field used as the tenant signature")
+});
+const UserProfileSchema = z.object({
+	type: z.object({
+		name: z.string(),
+		fields: z.any(),
+		metadata: z.any(),
+		hooks: z.any(),
+		validate: z.any(),
+		features: z.any(),
+		indexes: z.any(),
+		files: z.any(),
+		permission: z.any(),
+		gqlPermission: z.any(),
+		_output: z.any()
+	}),
+	usernameField: z.string(),
+	attributes: z.record(z.string(), z.literal(true)).optional(),
+	attributeList: z.array(z.string()).optional()
+});
+const ValueOperandSchema = z.union([
+	z.string(),
+	z.boolean(),
+	z.array(z.string()),
+	z.array(z.boolean())
+]);
+const MachineUserSchema = z.object({
+	attributes: z.record(z.string(), ValueOperandSchema).optional(),
+	attributeList: z.array(z.uuid()).optional()
+});
+const BeforeLoginHookSchema = z.object({
+	handler: z.function(),
+	invoker: z.string()
+});
+const AuthConfigBaseSchema = z.object({
+	name: z.string().describe("Auth service name"),
+	hooks: z.object({ beforeLogin: BeforeLoginHookSchema.optional().describe("Before login auth hook") }).optional().describe("Auth hooks"),
+	machineUsers: z.record(z.string(), MachineUserSchema).optional().describe("Machine user definitions"),
+	oauth2Clients: z.record(z.string(), OAuth2ClientSchema).optional().describe("OAuth2 client definitions"),
+	idProvider: IdProviderSchema.optional().describe("Identity provider configuration"),
+	scim: SCIMSchema.optional().describe("SCIM provisioning configuration"),
+	tenantProvider: TenantProviderSchema.optional().describe("Multi-tenant provider configuration"),
+	publishSessionEvents: z.boolean().optional().describe("Enable publishing session events")
+});
+const AuthConfigSchema = z.union([AuthConfigBaseSchema.extend({
+	userProfile: z.undefined().optional(),
+	machineUserAttributes: z.undefined().optional()
+}), z.xor([AuthConfigBaseSchema.extend({
+	userProfile: UserProfileSchema,
+	machineUserAttributes: z.undefined().optional()
+}), AuthConfigBaseSchema.extend({
+	userProfile: z.undefined().optional(),
+	machineUserAttributes: z.record(z.string(), TailorFieldSchema)
+})])]).brand("AuthConfig");
+
+//#endregion
+//#region src/cli/services/auth/service.ts
+/**
+* Creates a new AuthService instance.
+* @param config - The auth configuration
+* @param tailorDBServices - The TailorDB services
+* @param externalTailorDBNamespaces - External TailorDB namespaces
+* @returns A new AuthService instance
+*/
+function createAuthService(config, tailorDBServices, externalTailorDBNamespaces) {
+	const parsedConfig = {
+		...config,
+		idProvider: IdProviderSchema.optional().parse(config.idProvider)
+	};
+	let userProfile;
+	return {
+		config,
+		tailorDBServices,
+		externalTailorDBNamespaces,
+		parsedConfig,
+		get userProfile() {
+			return userProfile;
+		},
+		resolveNamespaces: async () => {
+			if (!config.userProfile) return;
+			if (config.userProfile.namespace) {
+				userProfile = {
+					...config.userProfile,
+					namespace: config.userProfile.namespace
+				};
+				return;
+			}
+			const totalNamespaceCount = tailorDBServices.length + externalTailorDBNamespaces.length;
+			let userProfileNamespace;
+			if (totalNamespaceCount === 1) userProfileNamespace = tailorDBServices[0]?.namespace ?? externalTailorDBNamespaces[0];
+			else {
+				await Promise.all(tailorDBServices.map((tailordb) => tailordb.loadTypes()));
+				const userProfileTypeName = typeof config.userProfile.type === "object" && "name" in config.userProfile.type ? config.userProfile.type.name : void 0;
+				if (userProfileTypeName) for (const service of tailorDBServices) {
+					const types = service.types;
+					if (Object.prototype.hasOwnProperty.call(types, userProfileTypeName)) {
+						userProfileNamespace = service.namespace;
+						break;
+					}
+				}
+				if (!userProfileNamespace) throw new Error(`userProfile type "${config.userProfile.type.name}" not found in any TailorDB namespace`);
+			}
+			userProfile = {
+				...config.userProfile,
+				namespace: userProfileNamespace
+			};
+		}
+	};
+}
+
+//#endregion
+//#region src/parser/service/executor/schema.ts
+const RecordTriggerSchema = z.object({
+	kind: z.enum([
+		"recordCreated",
+		"recordUpdated",
+		"recordDeleted"
+	]).describe("Record event type"),
+	typeName: z.string().describe("TailorDB type name to watch for events"),
+	condition: functionSchema.optional().describe("Condition function to filter events")
+});
+const ResolverExecutedTriggerSchema = z.object({
+	kind: z.literal("resolverExecuted"),
+	resolverName: z.string().describe("Name of the resolver to trigger on"),
+	condition: functionSchema.optional().describe("Condition function to filter events")
+});
+const ScheduleTriggerSchema = z.object({
+	kind: z.literal("schedule"),
+	cron: z.string().describe("CRON expression for the schedule"),
+	timezone: z.string().optional().default("UTC").describe("Timezone for the CRON schedule (default: UTC)")
+});
+const IncomingWebhookTriggerSchema = z.object({ kind: z.literal("incomingWebhook") });
+const IdpUserTriggerSchema = z.object({ kind: z.enum([
+	"idpUserCreated",
+	"idpUserUpdated",
+	"idpUserDeleted"
+]).describe("IdP user event type") });
+const AuthAccessTokenTriggerSchema = z.object({ kind: z.enum([
+	"authAccessTokenIssued",
+	"authAccessTokenRefreshed",
+	"authAccessTokenRevoked"
+]).describe("Auth access token event type") });
+const TriggerSchema = z.discriminatedUnion("kind", [
+	RecordTriggerSchema,
+	ResolverExecutedTriggerSchema,
+	ScheduleTriggerSchema,
+	IncomingWebhookTriggerSchema,
+	IdpUserTriggerSchema,
+	AuthAccessTokenTriggerSchema
+]);
+const FunctionOperationSchema = z.object({
+	kind: z.enum(["function", "jobFunction"]),
+	body: functionSchema.describe("Function implementation"),
+	authInvoker: AuthInvokerSchema.optional().describe("Auth invoker for the function execution")
+});
+const GqlOperationSchema = z.object({
+	kind: z.literal("graphql"),
+	appName: z.string().optional().describe("Target application name for the GraphQL query"),
+	query: z.preprocess((val) => String(val), z.string().describe("GraphQL query string")),
+	variables: functionSchema.optional().describe("Function to compute GraphQL variables"),
+	authInvoker: AuthInvokerSchema.optional().describe("Auth invoker for the GraphQL execution")
+});
+const WebhookOperationSchema = z.object({
+	kind: z.literal("webhook"),
+	url: functionSchema.describe("Function returning the webhook URL"),
+	requestBody: functionSchema.optional().describe("Function to compute the request body"),
+	headers: z.record(z.string(), z.union([z.string(), z.object({
+		vault: z.string(),
+		key: z.string()
+	})])).optional().describe("HTTP headers for the webhook request")
+});
+const WorkflowOperationSchema = z.preprocess((val) => {
+	if (val == null || typeof val !== "object" || !("workflow" in val) || typeof val.workflow !== "object" || val.workflow === null) return val;
+	const { workflow, ...rest } = val;
+	return {
+		...rest,
+		workflowName: workflow.name
+	};
+}, z.object({
+	kind: z.literal("workflow"),
+	workflowName: z.string().describe("Name of the workflow to execute"),
+	args: z.union([z.record(z.string(), z.unknown()), functionSchema]).optional().describe("Arguments to pass to the workflow"),
+	authInvoker: AuthInvokerSchema.optional().describe("Auth invoker for the workflow execution")
+}));
+const OperationSchema = z.union([
+	FunctionOperationSchema,
+	GqlOperationSchema,
+	WebhookOperationSchema,
+	WorkflowOperationSchema
+]);
+const ExecutorSchema = z.object({
+	name: z.string().describe("Executor name"),
+	description: z.string().optional().describe("Executor description"),
+	disabled: z.boolean().optional().default(false).describe("Whether the executor is disabled"),
+	trigger: TriggerSchema.describe("Event trigger configuration"),
+	operation: OperationSchema.describe("Operation to execute when triggered")
+});
+
+//#endregion
+//#region src/cli/services/executor/loader.ts
+/**
+* Load and validate an executor definition from a file.
+* @param executorFilePath - Path to the executor file
+* @returns Parsed executor or null if invalid
+*/
+async function loadExecutor(executorFilePath) {
+	const executor = (await import(pathToFileURL(executorFilePath).href)).default;
+	const parseResult = ExecutorSchema.safeParse(executor);
+	if (!parseResult.success) return null;
+	return parseResult.data;
+}
+
+//#endregion
+//#region src/cli/services/executor/bundler.ts
+/**
+* Bundle executors from the specified configuration
+*
+* This function:
+* 1. Creates entry file that extracts operation.body
+* 2. Bundles in a single step with tree-shaking
+* @param options - Bundle executor options
+* @returns Promise that resolves when bundling completes
+*/
+async function bundleExecutors(options) {
+	const { config, triggerContext, additionalFiles = [], cache, inlineSourcemap } = options;
+	const files = [...loadFilesWithIgnores(config), ...additionalFiles];
+	if (files.length === 0) {
+		logger.warn(`No executor files found for patterns: ${config.files?.join(", ") ?? "(none)"}`);
+		return;
+	}
+	logger.newline();
+	logger.log(`Bundling ${styles.highlight(files.length.toString())} files for ${styles.info("\"executor\"")}`);
+	const executors = [];
+	for (const file of files) {
+		const executor = await loadExecutor(file);
+		if (!executor) {
+			logger.debug(`  Skipping: ${file} (could not be loaded)`);
+			continue;
+		}
+		if (!["function", "jobFunction"].includes(executor.operation.kind)) {
+			logger.debug(`  Skipping: ${executor.name} (not a function executor)`);
+			continue;
+		}
+		executors.push({
+			name: executor.name,
+			sourceFile: file
+		});
+	}
+	if (executors.length === 0) {
+		logger.debug("  No function executors to bundle");
+		return;
+	}
+	const outputDir = path.resolve(getDistDir(), "executors");
+	fs$1.mkdirSync(outputDir, { recursive: true });
+	await removeStaleEntryFiles(outputDir);
+	let tsconfig;
+	try {
+		tsconfig = await resolveTSConfig();
+	} catch {
+		tsconfig = void 0;
+	}
+	await Promise.all(executors.map((executor) => bundleSingleExecutor(executor, outputDir, tsconfig, triggerContext, cache, inlineSourcemap)));
+	logger.log(`${styles.success("Bundled")} ${styles.info("\"executor\"")}`);
+}
+async function bundleSingleExecutor(executor, outputDir, tsconfig, triggerContext, cache, inlineSourcemap) {
+	const outputPath = path.join(outputDir, `${executor.name}.js`);
+	const serializedTriggerContext = serializeTriggerContext(triggerContext);
+	const contextHash = computeBundlerContextHash({
+		sourceFile: executor.sourceFile,
+		serializedTriggerContext,
+		tsconfig,
+		inlineSourcemap
+	});
+	await withCache({
+		cache,
+		kind: "executor",
+		name: executor.name,
+		sourceFile: executor.sourceFile,
+		outputPath,
+		contextHash,
+		async build(cachePlugins) {
+			const entryPath = path.join(outputDir, `${executor.name}.entry.js`);
+			const entryContent = ml`
+        import _internalExecutor from "${path.resolve(executor.sourceFile)}";
+
+        const __executor_function = _internalExecutor.operation.body;
+
+        export { __executor_function as main };
+      `;
+			fs$1.writeFileSync(entryPath, entryContent);
+			const triggerPlugin = createTriggerTransformPlugin(triggerContext);
+			const plugins = triggerPlugin ? [triggerPlugin] : [];
+			plugins.push(...cachePlugins);
+			await rolldown.build(rolldown.defineConfig({
+				input: entryPath,
+				output: {
+					file: outputPath,
+					format: "esm",
+					sourcemap: inlineSourcemap ? "inline" : true,
+					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
+					codeSplitting: false
+				},
+				tsconfig,
+				plugins,
+				treeshake: {
+					moduleSideEffects: false,
+					annotations: true,
+					unknownGlobalSideEffects: false
+				},
+				logLevel: "silent"
+			}));
+		}
+	});
+}
+
+//#endregion
+//#region src/cli/services/executor/service.ts
+/**
+* Creates a new ExecutorService instance.
+* @param params - Parameters for creating the service
+* @returns A new ExecutorService instance
+*/
+function createExecutorService(params) {
+	const { config } = params;
+	const executors = {};
+	const pluginExecutors = [];
+	let loadPromise;
+	const loadExecutorForFile = async (executorFile) => {
+		try {
+			const executorModule = await import(pathToFileURL(executorFile).href);
+			const result = ExecutorSchema.safeParse(executorModule.default);
+			if (result.success) {
+				const relativePath = path.relative(process.cwd(), executorFile);
+				logger.log(`Executor: ${styles.successBright(`"${result.data.name}"`)} loaded from ${styles.path(relativePath)}`);
+				executors[executorFile] = result.data;
+				return result.data;
+			}
+			if (isSdkBranded(executorModule.default, "executor")) throw result.error;
+		} catch (error) {
+			const relativePath = path.relative(process.cwd(), executorFile);
+			logger.error(`Failed to load executor from ${styles.bold(relativePath)}`);
+			logger.error(String(error));
+			throw error;
+		}
+	};
+	return {
+		config,
+		get executors() {
+			return executors;
+		},
+		get pluginExecutors() {
+			return pluginExecutors;
+		},
+		loadExecutors: async () => {
+			if (!loadPromise) loadPromise = (async () => {
+				if (!config.files || config.files.length === 0) return;
+				const executorFiles = loadFilesWithIgnores(config);
+				logger.newline();
+				logger.log(`Found ${styles.highlight(executorFiles.length.toString())} executor files`);
+				await Promise.all(executorFiles.map((executorFile) => loadExecutorForFile(executorFile)));
+				return executors;
+			})();
+			return loadPromise;
+		},
+		loadPluginExecutorFiles: async (filePaths) => {
+			if (filePaths.length === 0) return;
+			logger.newline();
+			logger.log(`Loading ${styles.highlight(filePaths.length.toString())} plugin-generated executor files`);
+			for (const filePath of filePaths) {
+				const executor = await loadExecutorForFile(filePath);
+				if (executor) pluginExecutors.push({
+					executor,
+					pluginId: "plugin-generated",
+					sourceTypeName: void 0
+				});
+			}
+		}
+	};
+}
+
+//#endregion
+//#region src/cli/services/resolver/loader.ts
+/**
+* Load and validate a resolver definition from a file.
+* @param resolverFilePath - Path to the resolver file
+* @returns Parsed resolver or null if invalid
+*/
+async function loadResolver(resolverFilePath) {
+	const resolver = (await import(pathToFileURL(resolverFilePath).href)).default;
+	const parseResult = ResolverSchema.safeParse(resolver);
+	if (!parseResult.success) return null;
+	return parseResult.data;
+}
+
+//#endregion
+//#region src/cli/services/resolver/bundler.ts
+/**
+* Bundle resolvers for the specified namespace
+*
+* This function:
+* 1. Uses a transform plugin to add validation wrapper during bundling
+* 2. Creates entry file
+* 3. Bundles in a single step with tree-shaking
+* @param namespace - Resolver namespace name
+* @param config - Resolver file loading configuration
+* @param triggerContext - Trigger context for workflow/job transformations
+* @param cache - Optional bundle cache for skipping unchanged builds
+* @param inlineSourcemap - Whether to enable inline sourcemaps
+* @returns Promise that resolves when bundling completes
+*/
+async function bundleResolvers(namespace, config, triggerContext, cache, inlineSourcemap) {
+	const files = loadFilesWithIgnores(config);
+	if (files.length === 0) {
+		logger.warn(`No resolver files found for patterns: ${config.files?.join(", ") ?? "(none)"}`);
+		return;
+	}
+	logger.newline();
+	logger.log(`Bundling ${styles.highlight(files.length.toString())} files for ${styles.info(`"${namespace}"`)}`);
+	const resolvers = [];
+	for (const file of files) {
+		const resolver = await loadResolver(file);
+		if (!resolver) {
+			logger.debug(`  Skipping: ${file} (could not be loaded)`);
+			continue;
+		}
+		resolvers.push({
+			name: resolver.name,
+			sourceFile: file
+		});
+	}
+	const outputDir = path.resolve(getDistDir(), "resolvers");
+	fs$1.mkdirSync(outputDir, { recursive: true });
+	await removeStaleEntryFiles(outputDir);
+	let tsconfig;
+	try {
+		tsconfig = await resolveTSConfig();
+	} catch {
+		tsconfig = void 0;
+	}
+	await Promise.all(resolvers.map((resolver) => bundleSingleResolver(resolver, outputDir, tsconfig, triggerContext, cache, inlineSourcemap)));
+	logger.log(`${styles.success("Bundled")} ${styles.info(`"${namespace}"`)}`);
+}
+async function bundleSingleResolver(resolver, outputDir, tsconfig, triggerContext, cache, inlineSourcemap) {
+	const outputPath = path.join(outputDir, `${resolver.name}.js`);
+	const serializedTriggerContext = serializeTriggerContext(triggerContext);
+	const contextHash = computeBundlerContextHash({
+		sourceFile: resolver.sourceFile,
+		serializedTriggerContext,
+		tsconfig,
+		inlineSourcemap
+	});
+	await withCache({
+		cache,
+		kind: "resolver",
+		name: resolver.name,
+		sourceFile: resolver.sourceFile,
+		outputPath,
+		contextHash,
+		async build(cachePlugins) {
+			const entryPath = path.join(outputDir, `${resolver.name}.entry.js`);
+			const entryContent = ml`
+        import _internalResolver from "${path.resolve(resolver.sourceFile)}";
+        import { t } from "@tailor-platform/sdk";
+
+        const $tailor_resolver_body = async (context) => {
+          if (_internalResolver.input) {
+            const result = t.object(_internalResolver.input).parse({
+              value: context.input,
+              data: context.input,
+              user: context.user,
+            });
+
+            if (result.issues) {
+              const errorMessages = result.issues
+                .map(issue => {
+                  const path = issue.path ? issue.path.join('.') : '';
+                  return path ? \`  \${path}: \${issue.message}\` : issue.message;
+                })
+                .join('\\n');
+              throw new Error(\`Failed to input validation:\\n\${errorMessages}\`);
+            }
+          }
+
+          return _internalResolver.body(context);
+        };
+
+        export { $tailor_resolver_body as main };
+      `;
+			fs$1.writeFileSync(entryPath, entryContent);
+			const triggerPlugin = createTriggerTransformPlugin(triggerContext);
+			const plugins = triggerPlugin ? [triggerPlugin] : [];
+			plugins.push(...cachePlugins);
+			await rolldown.build(rolldown.defineConfig({
+				input: entryPath,
+				output: {
+					file: outputPath,
+					format: "esm",
+					sourcemap: inlineSourcemap ? "inline" : true,
+					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
+					codeSplitting: false
+				},
+				tsconfig,
+				plugins,
+				treeshake: {
+					moduleSideEffects: false,
+					annotations: true,
+					unknownGlobalSideEffects: false
+				},
+				logLevel: "silent"
+			}));
+		}
+	});
+}
+
+//#endregion
+//#region src/cli/services/resolver/service.ts
+/**
+* Creates a new ResolverService instance.
+* @param namespace - The namespace for this resolver service
+* @param config - The resolver service configuration
+* @returns A new ResolverService instance
+*/
+function createResolverService(namespace, config) {
+	const resolvers = {};
+	const loadResolverForFile = async (resolverFile) => {
+		try {
+			const resolverModule = await import(pathToFileURL(resolverFile).href);
+			const result = ResolverSchema.safeParse(resolverModule.default);
+			if (result.success) {
+				const relativePath = path.relative(process.cwd(), resolverFile);
+				logger.log(`Resolver: ${styles.successBright(`"${result.data.name}"`)} loaded from ${styles.path(relativePath)}`);
+				resolvers[resolverFile] = result.data;
+				return result.data;
+			}
+			if (isSdkBranded(resolverModule.default, "resolver")) throw result.error;
+		} catch (error) {
+			const relativePath = path.relative(process.cwd(), resolverFile);
+			logger.error(`Failed to load resolver from ${styles.bold(relativePath)}`);
+			logger.error(String(error));
+			throw error;
+		}
+	};
+	return {
+		namespace,
+		config,
+		get resolvers() {
+			return resolvers;
+		},
+		loadResolvers: async () => {
+			if (Object.keys(resolvers).length > 0) return;
+			if (!config.files || config.files.length === 0) return;
+			const resolverFiles = loadFilesWithIgnores(config);
+			logger.log(`Found ${styles.highlight(resolverFiles.length.toString())} resolver files for service ${styles.highlight(`"${namespace}"`)}`);
+			await Promise.all(resolverFiles.map((resolverFile) => loadResolverForFile(resolverFile)));
+		}
+	};
+}
+
+//#endregion
+//#region src/cli/services/workflow/source-transformer.ts
+/**
+* Find variable declarations by export names
+* Returns a map of export name to statement range
+* @param program - Parsed TypeScript program
+* @returns Map of export name to statement range
+*/
+function findVariableDeclarationsByName(program) {
+	const declarations = /* @__PURE__ */ new Map();
+	function walk(node) {
+		if (!node || typeof node !== "object") return;
+		const nodeType = node.type;
+		if (nodeType === "VariableDeclaration") {
+			const varDecl = node;
+			for (const decl of varDecl.declarations || []) if (decl.id?.type === "Identifier" && decl.id.name) {
+				if (!declarations.has(decl.id.name)) declarations.set(decl.id.name, {
+					start: varDecl.start,
+					end: varDecl.end
+				});
+			}
+		}
+		if (nodeType === "ExportNamedDeclaration") {
+			const exportDecl = node;
+			const declaration = exportDecl.declaration;
+			if (declaration?.type === "VariableDeclaration") {
+				const varDecl = declaration;
+				for (const decl of varDecl.declarations || []) if (decl.id?.type === "Identifier" && decl.id.name) declarations.set(decl.id.name, {
+					start: exportDecl.start,
+					end: exportDecl.end
+				});
+			}
+		}
+		for (const key of Object.keys(node)) {
+			const child = node[key];
+			if (Array.isArray(child)) child.forEach((c) => walk(c));
+			else if (child && typeof child === "object") walk(child);
+		}
+	}
+	walk(program);
+	return declarations;
+}
+/**
+* Find createWorkflow default export declarations
+* Returns the range of the export statement to remove
+* @param program - Parsed TypeScript program
+* @returns Range of the default export statement or null
+*/
+function findWorkflowDefaultExport(program) {
+	const bindings = collectSdkBindings(program, "createWorkflow");
+	for (const statement of program.body) if (statement.type === "ExportDefaultDeclaration") {
+		const exportDecl = statement;
+		const declaration = exportDecl.declaration;
+		if (isSdkFunctionCall(declaration, bindings, "createWorkflow")) return {
+			start: exportDecl.start,
+			end: exportDecl.end
+		};
+		if (declaration.type === "Identifier") return {
+			start: exportDecl.start,
+			end: exportDecl.end
+		};
+	}
+	return null;
+}
+/**
+* Transform workflow source code
+* - Transform .trigger() calls to tailor.workflow.triggerJobFunction()
+* - Other jobs: remove entire variable declaration
+* @param source - The source code to transform
+* @param targetJobName - The name of the target job (from job config)
+* @param targetJobExportName - The export name of the target job (optional, for enhanced detection)
+* @param otherJobExportNames - Export names of other jobs to remove (optional, for enhanced detection)
+* @param allJobsMap - Map from export name to job name for trigger transformation (optional)
+* @returns Transformed workflow source code
+*/
+function transformWorkflowSource(source, targetJobName, targetJobExportName, otherJobExportNames, allJobsMap) {
+	const { program } = parseSync("input.ts", source);
+	const detectedJobs = findAllJobs(program, source);
+	const jobNameMap = allJobsMap ?? buildJobNameMap(detectedJobs);
+	const allDeclarations = findVariableDeclarationsByName(program);
+	const triggerCalls = detectTriggerCalls(program, source);
+	const replacements = [];
+	const removedRanges = [];
+	const isInsideRemovedRange = (pos) => {
+		return removedRanges.some((r) => pos >= r.start && pos < r.end);
+	};
+	const isAlreadyMarkedForRemoval = (start) => {
+		return removedRanges.some((r) => r.start === start);
+	};
+	for (const job of detectedJobs) {
+		if (job.name === targetJobName) continue;
+		if (job.statementRange && !isAlreadyMarkedForRemoval(job.statementRange.start)) {
+			const endPos = findStatementEnd(source, job.statementRange.end);
+			removedRanges.push({
+				start: job.statementRange.start,
+				end: endPos
+			});
+			replacements.push({
+				start: job.statementRange.start,
+				end: endPos,
+				text: ""
+			});
+		} else if (!job.statementRange) replacements.push({
+			start: job.bodyValueRange.start,
+			end: job.bodyValueRange.end,
+			text: "() => {}"
+		});
+	}
+	if (otherJobExportNames) for (const exportName of otherJobExportNames) {
+		if (exportName === targetJobExportName) continue;
+		const declRange = allDeclarations.get(exportName);
+		if (declRange && !isAlreadyMarkedForRemoval(declRange.start)) {
+			const endPos = findStatementEnd(source, declRange.end);
+			removedRanges.push({
+				start: declRange.start,
+				end: endPos
+			});
+			replacements.push({
+				start: declRange.start,
+				end: endPos,
+				text: ""
+			});
+		}
+	}
+	const workflowExport = findWorkflowDefaultExport(program);
+	if (workflowExport && !isAlreadyMarkedForRemoval(workflowExport.start)) {
+		const endPos = findStatementEnd(source, workflowExport.end);
+		removedRanges.push({
+			start: workflowExport.start,
+			end: endPos
+		});
+		replacements.push({
+			start: workflowExport.start,
+			end: endPos,
+			text: ""
+		});
+	}
+	for (const call of triggerCalls) {
+		if (isInsideRemovedRange(call.callRange.start)) continue;
+		const jobName = jobNameMap.get(call.identifierName);
+		if (jobName) {
+			const transformedCall = `tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"})`;
+			replacements.push({
+				start: call.fullRange.start,
+				end: call.fullRange.end,
+				text: transformedCall
+			});
+		}
+	}
+	return applyReplacements(source, replacements);
+}
+
+//#endregion
+//#region src/cli/services/workflow/bundler.ts
+/**
+* Bundle workflow jobs
+*
+* This function:
+* 1. Detects which jobs are actually used (mainJobs + their dependencies)
+* 2. Uses a transform plugin to transform trigger calls during bundling
+* 3. Creates entry file and bundles with tree-shaking
+*
+* Returns metadata about which jobs each workflow uses.
+* @param allJobs - All available job infos
+* @param mainJobNames - Names of main jobs
+* @param env - Environment variables to inject
+* @param triggerContext - Trigger context for transformations
+* @param cache - Optional bundle cache for skipping unchanged builds
+* @param inlineSourcemap - Whether to enable inline sourcemaps
+* @returns Workflow job bundling result
+*/
+async function bundleWorkflowJobs(allJobs, mainJobNames, env = {}, triggerContext, cache, inlineSourcemap) {
+	if (allJobs.length === 0) {
+		logger.warn("No workflow jobs to bundle");
+		return { mainJobDeps: {} };
+	}
+	const { usedJobs, mainJobDeps } = await filterUsedJobs(allJobs, mainJobNames);
+	logger.newline();
+	logger.log(`Bundling ${styles.highlight(usedJobs.length.toString())} files for ${styles.info("\"workflow-job\"")}`);
+	const outputDir = path.resolve(getDistDir(), "workflow-jobs");
+	fs$1.mkdirSync(outputDir, { recursive: true });
+	const currentJobNames = new Set(usedJobs.map((j) => j.name));
+	const existingFiles = fs$1.readdirSync(outputDir);
+	for (const file of existingFiles) if (file.endsWith(".js") && !currentJobNames.has(path.basename(file, ".js"))) fs$1.rmSync(path.join(outputDir, file), { force: true });
+	else if (file.endsWith(".js.map") && !currentJobNames.has(path.basename(file, ".js.map"))) fs$1.rmSync(path.join(outputDir, file), { force: true });
+	let tsconfig;
+	try {
+		tsconfig = await resolveTSConfig();
+	} catch {
+		tsconfig = void 0;
+	}
+	await Promise.all(usedJobs.map((job) => bundleSingleJob(job, usedJobs, outputDir, tsconfig, env, triggerContext, cache, inlineSourcemap)));
+	logger.log(`${styles.success("Bundled")} ${styles.info("\"workflow-job\"")}`);
+	return { mainJobDeps };
+}
+/**
+* Filter jobs to only include those that are actually used.
+* A job is "used" if:
+* - It's a mainJob of a workflow
+* - It's called via .trigger() from another used job (transitively)
+*
+* Also returns a map of mainJob -> all jobs it depends on (for metadata).
+* @param allJobs - All available job infos
+* @param mainJobNames - Names of main jobs
+* @returns Used jobs and main job dependency map
+*/
+async function filterUsedJobs(allJobs, mainJobNames) {
+	if (allJobs.length === 0 || mainJobNames.length === 0) return {
+		usedJobs: [],
+		mainJobDeps: {}
+	};
+	const jobsBySourceFile = /* @__PURE__ */ new Map();
+	for (const job of allJobs) {
+		const existing = jobsBySourceFile.get(job.sourceFile) || [];
+		existing.push(job);
+		jobsBySourceFile.set(job.sourceFile, existing);
+	}
+	const exportNameToJobName = /* @__PURE__ */ new Map();
+	for (const job of allJobs) exportNameToJobName.set(job.exportName, job.name);
+	const dependencies = /* @__PURE__ */ new Map();
+	const fileResults = await Promise.all(Array.from(jobsBySourceFile.entries()).map(async ([sourceFile, jobs]) => {
+		try {
+			const source = await fs$1.promises.readFile(sourceFile, "utf-8");
+			const { program } = parseSync("input.ts", source);
+			const detectedJobs = findAllJobs(program, source);
+			const localExportNameToJobName = /* @__PURE__ */ new Map();
+			for (const detected of detectedJobs) if (detected.exportName) localExportNameToJobName.set(detected.exportName, detected.name);
+			const triggerCalls = detectTriggerCalls(program, source);
+			const jobDependencies = [];
+			for (const job of jobs) {
+				const detectedJob = detectedJobs.find((d) => d.name === job.name);
+				if (!detectedJob) continue;
+				const jobDeps = /* @__PURE__ */ new Set();
+				for (const call of triggerCalls) if (detectedJob.bodyValueRange && call.callRange.start >= detectedJob.bodyValueRange.start && call.callRange.end <= detectedJob.bodyValueRange.end) {
+					const triggeredJobName = localExportNameToJobName.get(call.identifierName) || exportNameToJobName.get(call.identifierName);
+					if (triggeredJobName) jobDeps.add(triggeredJobName);
+				}
+				if (jobDeps.size > 0) jobDependencies.push({
+					jobName: job.name,
+					deps: jobDeps
+				});
+			}
+			return jobDependencies;
+		} catch {
+			return [];
+		}
+	}));
+	for (const jobDependencies of fileResults) for (const { jobName, deps } of jobDependencies) dependencies.set(jobName, deps);
+	const usedJobNames = /* @__PURE__ */ new Set();
+	const mainJobDeps = {};
+	function collectDeps(jobName, collected) {
+		if (collected.has(jobName)) return;
+		collected.add(jobName);
+		const deps = dependencies.get(jobName);
+		if (deps) for (const dep of deps) collectDeps(dep, collected);
+	}
+	for (const mainJobName of mainJobNames) {
+		const depsForMainJob = /* @__PURE__ */ new Set();
+		collectDeps(mainJobName, depsForMainJob);
+		mainJobDeps[mainJobName] = Array.from(depsForMainJob);
+		for (const dep of depsForMainJob) usedJobNames.add(dep);
+	}
+	return {
+		usedJobs: allJobs.filter((job) => usedJobNames.has(job.name)),
+		mainJobDeps
+	};
+}
+async function bundleSingleJob(job, allJobs, outputDir, tsconfig, env, triggerContext, cache, inlineSourcemap) {
+	const outputPath = path.join(outputDir, `${job.name}.js`);
+	const serializedTriggerContext = serializeTriggerContext(triggerContext);
+	const sortedEnvPrefix = JSON.stringify(Object.fromEntries(Object.entries(env).sort(([a], [b]) => a.localeCompare(b))));
+	const contextHash = computeBundlerContextHash({
+		sourceFile: job.sourceFile,
+		serializedTriggerContext,
+		tsconfig,
+		inlineSourcemap,
+		prefix: sortedEnvPrefix
+	});
+	await withCache({
+		cache,
+		kind: "workflow-job",
+		name: job.name,
+		sourceFile: job.sourceFile,
+		outputPath,
+		contextHash,
+		async build(cachePlugins) {
+			const entryPath = path.join(outputDir, `${job.name}.entry.js`);
+			const absoluteSourcePath = path.resolve(job.sourceFile);
+			const entryContent = ml`
+        import { ${job.exportName} } from "${absoluteSourcePath}";
+
+        export async function main(input) {
+          const env = ${JSON.stringify(env)};
+          return await ${job.exportName}.body(input, { env });
+        }
+      `;
+			fs$1.writeFileSync(entryPath, entryContent);
+			const otherJobExportNames = allJobs.filter((j) => j.name !== job.name).map((j) => j.exportName);
+			const allJobsMap = /* @__PURE__ */ new Map();
+			for (const j of allJobs) allJobsMap.set(j.exportName, j.name);
+			const plugins = [{
+				name: "workflow-transform",
+				transform: {
+					filter: { id: { include: [/\.ts$/, /\.js$/] } },
+					handler(code, id) {
+						if (!code.includes("createWorkflowJob") && !code.includes("createWorkflow") && !code.includes(".trigger(")) return null;
+						let transformed = transformWorkflowSource(code, job.name, job.exportName, otherJobExportNames, allJobsMap);
+						if (triggerContext && transformed.includes(".trigger(")) transformed = transformFunctionTriggers(transformed, triggerContext.workflowNameMap, triggerContext.jobNameMap, triggerContext.workflowFileMap, id);
+						return { code: transformed };
+					}
+				}
+			}, ...cachePlugins];
+			await rolldown.build(rolldown.defineConfig({
+				input: entryPath,
+				output: {
+					file: outputPath,
+					format: "esm",
+					sourcemap: inlineSourcemap ? "inline" : true,
+					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
+					codeSplitting: false
+				},
+				tsconfig,
+				plugins,
+				treeshake: {
+					moduleSideEffects: false,
+					annotations: true,
+					unknownGlobalSideEffects: false
+				},
+				logLevel: "silent"
+			}));
+		}
+	});
+}
+
+//#endregion
+//#region src/parser/service/workflow/schema.ts
+const WorkflowJobSchema = z.object({
+	name: z.string().describe("Job name (must be unique across the project)"),
+	trigger: functionSchema.describe("Trigger function that initiates the job"),
+	body: functionSchema.describe("Job implementation function")
+});
+const durationUnits = [
+	"ms",
+	"s",
+	"m"
+];
+const unitToSeconds = {
+	ms: 1 / 1e3,
+	s: 1,
+	m: 60
+};
+function durationToSeconds(duration) {
+	const match = duration.match(/^(\d+)(ms|s|m)$/);
+	if (!match) return 0;
+	return parseInt(match[1], 10) * unitToSeconds[match[2]];
+}
+const baseDurationSchema = z.templateLiteral([z.number().int().positive(), z.enum(durationUnits)]);
+const durationSchema = (maxSeconds) => baseDurationSchema.refine((val) => durationToSeconds(val) <= maxSeconds, { message: `Duration must be at most ${maxSeconds} seconds` });
+const RetryPolicySchema = z.object({
+	maxRetries: z.number().int().min(1).max(10).describe("Maximum number of retries (1-10)"),
+	initialBackoff: durationSchema(3600).describe("Initial backoff duration (e.g., '1s', '500ms', '1m', max 1h)"),
+	maxBackoff: durationSchema(86400).describe("Maximum backoff duration (e.g., '30s', '5m', max 24h)"),
+	backoffMultiplier: z.number().min(1).describe("Backoff multiplier (>= 1)")
+}).refine((data) => durationToSeconds(data.initialBackoff) <= durationToSeconds(data.maxBackoff), {
+	message: "initialBackoff must be less than or equal to maxBackoff",
+	path: ["initialBackoff"]
+}).refine((data) => durationToSeconds(data.initialBackoff) > 0, {
+	message: "initialBackoff must be greater than 0",
+	path: ["initialBackoff"]
+});
+const WorkflowSchema = z.object({
+	name: z.string().describe("Workflow name"),
+	mainJob: WorkflowJobSchema.describe("Main job that starts the workflow"),
+	retryPolicy: RetryPolicySchema.optional().describe("Retry policy for the workflow")
+});
+
+//#endregion
+//#region src/cli/services/workflow/service.ts
+/**
+* Creates a new WorkflowService instance.
+* @param params - Parameters for creating the service
+* @returns A new WorkflowService instance
+*/
+function createWorkflowService(params) {
+	const { config } = params;
+	let workflows = {};
+	let workflowSources = [];
+	let jobs = [];
+	let fileCount = 0;
+	let loaded = false;
+	return {
+		config,
+		get workflows() {
+			return workflows;
+		},
+		get workflowSources() {
+			return workflowSources;
+		},
+		get jobs() {
+			return jobs;
+		},
+		get fileCount() {
+			return fileCount;
+		},
+		loadWorkflows: async () => {
+			if (loaded) return;
+			const result = await loadAndCollectJobs(config);
+			workflows = result.workflows;
+			workflowSources = result.workflowSources;
+			jobs = result.jobs;
+			fileCount = result.fileCount;
+			loaded = true;
+		},
+		printLoadedWorkflows: () => {
+			if (fileCount === 0) return;
+			logger.newline();
+			logger.log(`Found ${styles.highlight(fileCount.toString())} workflow files`);
+			for (const { workflow, sourceFile } of workflowSources) {
+				const relativePath = path.relative(process.cwd(), sourceFile);
+				logger.log(`Workflow: ${styles.successBright(`"${workflow.name}"`)} loaded from ${styles.path(relativePath)}`);
+			}
+		}
+	};
+}
+/**
+* Load workflow files and collect all jobs in a single pass.
+* Dependencies are detected at bundle time via AST analysis.
+* @param config - Workflow service configuration
+* @returns Loaded workflows and collected jobs
+*/
+async function loadAndCollectJobs(config) {
+	const workflows = {};
+	const workflowSources = [];
+	const collectedJobs = [];
+	if (!config.files || config.files.length === 0) return {
+		workflows,
+		workflowSources,
+		jobs: collectedJobs,
+		fileCount: 0
+	};
+	const workflowFiles = loadFilesWithIgnores(config);
+	const fileCount = workflowFiles.length;
+	const allJobsMap = /* @__PURE__ */ new Map();
+	const loadResults = await Promise.all(workflowFiles.map(async (workflowFile) => {
+		const { jobs, workflow } = await loadFileContent(workflowFile);
+		return {
+			workflowFile,
+			jobs,
+			workflow
+		};
+	}));
+	for (const { workflowFile, jobs, workflow } of loadResults) {
+		if (workflow) {
+			workflowSources.push({
+				workflow,
+				sourceFile: workflowFile
+			});
+			workflows[workflowFile] = workflow;
+		}
+		for (const job of jobs) {
+			const existing = allJobsMap.get(job.name);
+			if (existing) throw new Error(`Duplicate job name "${job.name}" found:\n  - ${existing.sourceFile} (export: ${existing.exportName})\n  - ${job.sourceFile} (export: ${job.exportName})\nEach job must have a unique name.`);
+			allJobsMap.set(job.name, job);
+			collectedJobs.push(job);
+		}
+	}
+	return {
+		workflows,
+		workflowSources,
+		jobs: collectedJobs,
+		fileCount
+	};
+}
+/**
+* Load a single file and extract jobs and workflow
+* @param filePath - Path to the workflow file
+* @returns Extracted jobs and workflow
+*/
+async function loadFileContent(filePath) {
+	const jobs = [];
+	let workflow = null;
+	try {
+		const module = await import(pathToFileURL(filePath).href);
+		for (const [exportName, exportValue] of Object.entries(module)) {
+			if (exportName === "default") {
+				const workflowResult = WorkflowSchema.safeParse(exportValue);
+				if (workflowResult.success) workflow = workflowResult.data;
+				else if (isSdkBranded(exportValue, ["workflow", "workflow-job"])) throw workflowResult.error;
+				continue;
+			}
+			const jobResult = WorkflowJobSchema.safeParse(exportValue);
+			if (jobResult.success) jobs.push({
+				name: jobResult.data.name,
+				exportName,
+				sourceFile: filePath
+			});
+			else if (isSdkBranded(exportValue, ["workflow", "workflow-job"])) throw jobResult.error;
+		}
+	} catch (error) {
+		const relativePath = path.relative(process.cwd(), filePath);
+		logger.error(`${styles.error("Failed to load workflow from")} ${styles.errorBright(relativePath)}`);
+		logger.error(String(error));
+		throw error;
+	}
+	return {
+		jobs,
+		workflow
+	};
+}
+
+//#endregion
+//#region src/parser/generator-config/index.ts
+const DependencyKindSchema = z.enum([
+	"tailordb",
+	"resolver",
+	"executor"
+]);
+const KyselyTypeConfigSchema = z.tuple([z.literal("@tailor-platform/kysely-type"), z.object({ distPath: z.string() })]);
+const SeedConfigSchema = z.tuple([z.literal("@tailor-platform/seed"), z.object({
+	distPath: z.string(),
+	machineUserName: z.string().optional()
+})]);
+const EnumConstantsConfigSchema = z.tuple([z.literal("@tailor-platform/enum-constants"), z.object({ distPath: z.string() })]);
+const FileUtilsConfigSchema = z.tuple([z.literal("@tailor-platform/file-utils"), z.object({ distPath: z.string() })]);
+const CodeGeneratorSchema = z.object({
+	id: z.string(),
+	description: z.string(),
+	dependencies: z.array(DependencyKindSchema),
+	processType: z.function().optional(),
+	processResolver: z.function().optional(),
+	processExecutor: z.function().optional(),
+	processTailorDBNamespace: z.function().optional(),
+	processResolverNamespace: z.function().optional(),
+	aggregate: z.function({ output: z.any() })
+});
+const BaseGeneratorConfigSchema = z.union([
+	KyselyTypeConfigSchema,
+	SeedConfigSchema,
+	EnumConstantsConfigSchema,
+	FileUtilsConfigSchema,
+	CodeGeneratorSchema
+]);
+
+//#endregion
+//#region src/parser/plugin-config/schema.ts
+const PluginConfigSchema = z.object({
+	id: z.string(),
+	description: z.string(),
+	importPath: z.string().optional(),
+	pluginConfig: z.unknown().optional(),
+	typeConfigRequired: z.union([z.boolean(), functionSchema]).optional(),
+	onTypeLoaded: functionSchema.optional(),
+	onNamespaceLoaded: functionSchema.optional(),
+	onTailorDBReady: functionSchema.optional(),
+	onResolverReady: functionSchema.optional(),
+	onExecutorReady: functionSchema.optional()
+}).passthrough().refine((p) => {
+	return !(p.onTypeLoaded || p.onNamespaceLoaded) || !!p.importPath;
+}, { message: "importPath is required when plugin has definition-time hooks (onTypeLoaded/onNamespaceLoaded)" }).transform((plugin) => plugin);
+
+//#endregion
+//#region src/plugin/builtin/registry.ts
+const builtinPlugins = new Map([
+	[KyselyGeneratorID, (options) => kyselyTypePlugin(options)],
+	[SeedGeneratorID, (options) => seedPlugin(options)],
+	[EnumConstantsGeneratorID, (options) => enumConstantsPlugin(options)],
+	[FileUtilsGeneratorID, (options) => fileUtilsPlugin(options)]
+]);
+
+//#endregion
+//#region src/cli/shared/mock.ts
+globalThis.tailordb = { Client: class {
+	constructor(_config) {}
+	async connect() {}
+	async end() {}
+	async queryObject() {
+		return {};
+	}
+} };
+
+//#endregion
+//#region src/cli/shared/config-loader.ts
+const GeneratorConfigSchema = CodeGeneratorSchema.brand("CodeGenerator");
+/**
+* Load Tailor configuration file and associated generators and plugins.
+* @param configPath - Optional explicit config path
+* @returns Loaded config, generators, plugins, and config path
+*/
+async function loadConfig(configPath) {
+	const foundPath = loadConfigPath(configPath);
+	if (!foundPath) throw new Error("Configuration file not found: tailor.config.ts not found in current or parent directories");
+	const resolvedPath = path.resolve(process.cwd(), foundPath);
+	if (!fs$1.existsSync(resolvedPath)) throw new Error(`Configuration file not found: ${configPath}`);
+	const configModule = await import(pathToFileURL(resolvedPath).href);
+	if (!configModule || !configModule.default) throw new Error("Invalid Tailor config module: default export not found");
+	const allGenerators = [];
+	const allPlugins = [];
+	for (const value of Object.values(configModule)) if (Array.isArray(value)) {
+		const generatorParsed = value.reduce((acc, item) => {
+			if (!acc.success) return acc;
+			const baseResult = BaseGeneratorConfigSchema.safeParse(item);
+			if (baseResult.success && Array.isArray(baseResult.data)) {
+				const [id, options] = baseResult.data;
+				const pluginFactory = builtinPlugins.get(id);
+				if (pluginFactory) {
+					acc.convertedPlugins.push(pluginFactory(options));
+					return acc;
+				}
+			}
+			const result = GeneratorConfigSchema.safeParse(item);
+			if (result.success) acc.items.push(result.data);
+			else acc.success = false;
+			return acc;
+		}, {
+			success: true,
+			items: [],
+			convertedPlugins: []
+		});
+		if (generatorParsed.success && (generatorParsed.items.length > 0 || generatorParsed.convertedPlugins.length > 0)) {
+			allGenerators.push(...generatorParsed.items);
+			allPlugins.push(...generatorParsed.convertedPlugins);
+			continue;
+		}
+		const pluginParsed = value.reduce((acc, item) => {
+			if (!acc.success) return acc;
+			const result = PluginConfigSchema.safeParse(item);
+			if (result.success) acc.items.push(result.data);
+			else acc.success = false;
+			return acc;
+		}, {
+			success: true,
+			items: []
+		});
+		if (pluginParsed.success && pluginParsed.items.length > 0) allPlugins.push(...pluginParsed.items);
+	}
+	return {
+		config: {
+			...configModule.default,
+			path: resolvedPath
+		},
+		generators: allGenerators,
+		plugins: allPlugins
+	};
+}
+
+//#endregion
+//#region src/cli/shared/inline-sourcemap.ts
+/**
+* Resolve whether inline sourcemaps should be enabled.
+*
+* Resolution order:
+* 1. Config value (`inlineSourcemap` in defineConfig) — if explicitly set
+* 2. Environment variable `TAILOR_ENABLE_INLINE_SOURCEMAP` — if explicitly set
+* 3. Default: `true`
+* @param configValue - The `inlineSourcemap` value from AppConfig
+* @returns Whether inline sourcemaps should be enabled
+*/
+function resolveInlineSourcemap(configValue) {
+	if (configValue !== void 0) return configValue;
+	if (process.env.TAILOR_ENABLE_INLINE_SOURCEMAP !== void 0) return process.env.TAILOR_ENABLE_INLINE_SOURCEMAP === "true";
+	return true;
+}
+
+//#endregion
+//#region src/parser/service/idp/schema.ts
+/**
+* Normalize IdPGqlOperationsConfig (alias or object) to IdPGqlOperations object.
+* "query" alias expands to read-only mode: { create: false, update: false, delete: false, read: true, sendPasswordResetEmail: false }
+* @param config - The config to normalize
+* @returns The normalized IdPGqlOperations object
+*/
+function normalizeIdPGqlOperations(config) {
+	if (config === "query") return {
+		create: false,
+		update: false,
+		delete: false,
+		read: true,
+		sendPasswordResetEmail: false
+	};
+	return config;
+}
+/**
+* Zod schema for IdPGqlOperations configuration with normalization transform.
+* Accepts "query" alias or detailed object, normalizes to IdPGqlOperations object.
+*/
+const IdPGqlOperationsSchema = z.union([z.literal("query"), z.object({
+	create: z.boolean().optional().describe("Enable _createUser mutation (default: true)"),
+	update: z.boolean().optional().describe("Enable _updateUser mutation (default: true)"),
+	delete: z.boolean().optional().describe("Enable _deleteUser mutation (default: true)"),
+	read: z.boolean().optional().describe("Enable _users and _user queries (default: true)"),
+	sendPasswordResetEmail: z.boolean().optional().describe("Enable _sendPasswordResetEmail mutation (default: true)")
+})]).describe("Configuration for GraphQL operations on IdP users.\nAll operations are enabled by default (undefined or true = enabled, false = disabled).").transform((val) => normalizeIdPGqlOperations(val));
+const IdPLangSchema = z.enum(["en", "ja"]).describe("IdP UI language");
+const IdPUserAuthPolicySchema = z.object({
+	useNonEmailIdentifier: z.boolean().optional().describe("Use non-email identifier for usernames"),
+	allowSelfPasswordReset: z.boolean().optional().describe("Allow users to reset their own passwords"),
+	passwordRequireUppercase: z.boolean().optional().describe("Require uppercase letters in passwords"),
+	passwordRequireLowercase: z.boolean().optional().describe("Require lowercase letters in passwords"),
+	passwordRequireNonAlphanumeric: z.boolean().optional().describe("Require non-alphanumeric characters in passwords"),
+	passwordRequireNumeric: z.boolean().optional().describe("Require numeric characters in passwords"),
+	passwordMinLength: z.number().int().refine((val) => val >= 6 && val <= 30, { message: "passwordMinLength must be between 6 and 30" }).optional().describe("Minimum password length (6-30)"),
+	passwordMaxLength: z.number().int().refine((val) => val >= 6 && val <= 4096, { message: "passwordMaxLength must be between 6 and 4096" }).optional().describe("Maximum password length (6-4096)"),
+	allowedEmailDomains: z.array(z.string()).optional().describe("Restrict registration to these email domains"),
+	allowGoogleOauth: z.boolean().optional().describe("Enable Google OAuth login"),
+	allowMicrosoftOauth: z.boolean().optional().describe("Enable Microsoft OAuth login"),
+	disablePasswordAuth: z.boolean().optional().describe("Disable password-based authentication")
+}).refine((data) => data.passwordMinLength === void 0 || data.passwordMaxLength === void 0 || data.passwordMinLength <= data.passwordMaxLength, {
+	message: "passwordMinLength must be less than or equal to passwordMaxLength",
+	path: ["passwordMinLength"]
+}).refine((data) => !data.allowedEmailDomains || data.allowedEmailDomains.length === 0 || !data.useNonEmailIdentifier, {
+	message: "allowedEmailDomains cannot be set when useNonEmailIdentifier is true",
+	path: ["allowedEmailDomains"]
+}).refine((data) => data.allowGoogleOauth === void 0 || data.allowGoogleOauth === false || !data.useNonEmailIdentifier, {
+	message: "allowGoogleOauth cannot be set when useNonEmailIdentifier is true",
+	path: ["allowGoogleOauth"]
+}).refine((data) => !data.allowGoogleOauth || data.allowedEmailDomains && data.allowedEmailDomains.length > 0, {
+	message: "allowGoogleOauth requires allowedEmailDomains to be set",
+	path: ["allowGoogleOauth"]
+}).refine((data) => !data.allowMicrosoftOauth || !data.useNonEmailIdentifier, {
+	message: "allowMicrosoftOauth cannot be set when useNonEmailIdentifier is true",
+	path: ["allowMicrosoftOauth"]
+}).refine((data) => !data.allowMicrosoftOauth || data.allowedEmailDomains && data.allowedEmailDomains.length > 0, {
+	message: "allowMicrosoftOauth requires allowedEmailDomains to be set",
+	path: ["allowMicrosoftOauth"]
+}).refine((data) => !data.allowMicrosoftOauth || data.disablePasswordAuth === true, {
+	message: "allowMicrosoftOauth requires disablePasswordAuth to be enabled",
+	path: ["allowMicrosoftOauth"]
+}).refine((data) => !data.disablePasswordAuth || data.allowGoogleOauth === true || data.allowMicrosoftOauth === true, {
+	message: "disablePasswordAuth requires allowGoogleOauth or allowMicrosoftOauth to be enabled",
+	path: ["disablePasswordAuth"]
+}).refine((data) => !data.disablePasswordAuth || !data.allowSelfPasswordReset, {
+	message: "disablePasswordAuth cannot be used with allowSelfPasswordReset",
+	path: ["disablePasswordAuth"]
+});
+const IdPSchema = z.object({
+	name: z.string().describe("IdP service name"),
+	authorization: z.union([
+		z.literal("insecure"),
+		z.literal("loggedIn"),
+		z.object({ cel: z.string() })
+	]).describe("Authorization mode for IdP API access"),
+	clients: z.array(z.string()).describe("OAuth2 client names that can use this IdP"),
+	lang: IdPLangSchema.optional().describe("UI language for IdP pages"),
+	userAuthPolicy: IdPUserAuthPolicySchema.transform((input) => IdPUserAuthPolicySchema.parse(input ?? {})).optional().describe("User authentication policy configuration"),
+	publishUserEvents: z.boolean().optional().describe("Enable publishing user lifecycle events"),
+	gqlOperations: IdPGqlOperationsSchema.optional().describe("Configure which GraphQL operations are enabled")
+}).brand("IdPConfig");
+
+//#endregion
+//#region src/parser/service/secrets/schema.ts
+const nameSchema = z.string().regex(/^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/);
+const secretsVaultSchema = z.record(nameSchema, z.string());
+const SecretsSchema = z.record(nameSchema, secretsVaultSchema);
+
+//#endregion
+//#region src/parser/service/staticwebsite/schema.ts
+const StaticWebsiteSchema = z.object({
+	name: z.string().describe("Static website name"),
+	description: z.string().optional().describe("Static website description"),
+	allowedIpAddresses: z.array(z.string()).optional().describe("IP addresses allowed to access the website")
+}).brand("StaticWebsiteConfig");
+
+//#endregion
+//#region src/cli/services/application.ts
+function defineTailorDB(config, pluginManager) {
+	const tailorDBServices = [];
+	const externalTailorDBNamespaces = [];
+	const subgraphs = [];
+	if (!config) return {
+		tailorDBServices,
+		externalTailorDBNamespaces,
+		subgraphs
+	};
+	for (const [namespace, serviceConfig] of Object.entries(config)) {
+		if ("external" in serviceConfig) externalTailorDBNamespaces.push(namespace);
+		else {
+			const tailorDB = createTailorDBService({
+				namespace,
+				config: TailorDBServiceConfigSchema.parse(serviceConfig),
+				pluginManager
+			});
+			tailorDBServices.push(tailorDB);
+		}
+		subgraphs.push({
+			Type: "tailordb",
+			Name: namespace
+		});
+	}
+	return {
+		tailorDBServices,
+		externalTailorDBNamespaces,
+		subgraphs
+	};
+}
+function defineResolver(config) {
+	const resolverServices = [];
+	const subgraphs = [];
+	if (!config) return {
+		resolverServices,
+		subgraphs
+	};
+	for (const [namespace, serviceConfig] of Object.entries(config)) {
+		if (!("external" in serviceConfig)) {
+			const resolverService = createResolverService(namespace, serviceConfig);
+			resolverServices.push(resolverService);
+		}
+		subgraphs.push({
+			Type: "pipeline",
+			Name: namespace
+		});
+	}
+	return {
+		resolverServices,
+		subgraphs
+	};
+}
+function defineIdp(config) {
+	const idpServices = [];
+	const subgraphs = [];
+	if (!config) return {
+		idpServices,
+		subgraphs
+	};
+	const idpNames = /* @__PURE__ */ new Set();
+	config.forEach((idpConfig) => {
+		const name = idpConfig.name;
+		if (idpNames.has(name)) throw new Error(`IdP with name "${name}" already defined.`);
+		idpNames.add(name);
+		if (!("external" in idpConfig)) {
+			const idp = IdPSchema.parse(idpConfig);
+			idpServices.push(idp);
+		}
+		subgraphs.push({
+			Type: "idp",
+			Name: name
+		});
+	});
+	return {
+		idpServices,
+		subgraphs
+	};
+}
+function defineAuth(config, tailorDBServices, externalTailorDBNamespaces) {
+	const subgraphs = [];
+	if (!config) return {
+		authService: void 0,
+		subgraphs
+	};
+	let authService;
+	if (!("external" in config)) authService = createAuthService(config, tailorDBServices, externalTailorDBNamespaces);
+	subgraphs.push({
+		Type: "auth",
+		Name: config.name
+	});
+	return {
+		authService,
+		subgraphs
+	};
+}
+function defineExecutor(config, hasPluginExecutors) {
+	if (!config && !hasPluginExecutors) return;
+	return createExecutorService({ config: config ?? { files: [] } });
+}
+function defineWorkflow(config) {
+	if (!config) return;
+	return createWorkflowService({ config });
+}
+function defineStaticWebsites(websites) {
+	const staticWebsiteServices = [];
+	const websiteNames = /* @__PURE__ */ new Set();
+	(websites ?? []).forEach((config) => {
+		const website = StaticWebsiteSchema.parse(config);
+		if (websiteNames.has(website.name)) throw new Error(`Static website with name "${website.name}" already defined.`);
+		websiteNames.add(website.name);
+		staticWebsiteServices.push(website);
+	});
+	return staticWebsiteServices;
+}
+function defineSecretManager(config) {
+	if (!config) return [];
+	const data = Object.fromEntries(Object.entries(config));
+	const parsed = SecretsSchema.parse(data);
+	return Object.entries(parsed).map(([vaultName, vaultSecrets]) => ({
+		vaultName,
+		secrets: Object.entries(vaultSecrets).map(([name, value]) => ({
+			name,
+			value
+		}))
+	}));
+}
+function defineServices(config, pluginManager) {
+	const tailordbResult = defineTailorDB(config.db, pluginManager);
+	return {
+		tailordbResult,
+		resolverResult: defineResolver(config.resolver),
+		idpResult: defineIdp(config.idp),
+		authResult: defineAuth(config.auth, tailordbResult.tailorDBServices, tailordbResult.externalTailorDBNamespaces),
+		staticWebsiteServices: defineStaticWebsites(config.staticWebsites),
+		secrets: defineSecretManager(config.secrets)
+	};
+}
+function buildApplication(params) {
+	const application = {
+		name: params.config.name,
+		config: params.config,
+		subgraphs: [
+			...params.tailordbResult.subgraphs,
+			...params.resolverResult.subgraphs,
+			...params.idpResult.subgraphs,
+			...params.authResult.subgraphs
+		],
+		tailorDBServices: params.tailordbResult.tailorDBServices,
+		externalTailorDBNamespaces: params.tailordbResult.externalTailorDBNamespaces,
+		resolverServices: params.resolverResult.resolverServices,
+		idpServices: params.idpResult.idpServices,
+		authService: params.authResult.authService,
+		executorService: params.executorService,
+		workflowService: params.workflowService,
+		staticWebsiteServices: params.staticWebsiteServices,
+		secrets: params.secrets,
+		env: params.env,
+		get applications() {
+			return [application];
+		}
+	};
+	return application;
+}
+/**
+* Define a Tailor application from the given configuration.
+* This is a lightweight, synchronous function that creates the application
+* structure without loading types or bundling files.
+* @param params - Parameters for defining the application
+* @returns Configured application instance
+*/
+function defineApplication(params) {
+	const { config, pluginManager } = params;
+	const services = defineServices(config, pluginManager);
+	const executorService = defineExecutor(config.executor, false);
+	const workflowService = defineWorkflow(config.workflow);
+	return buildApplication({
+		config,
+		...services,
+		executorService,
+		workflowService,
+		env: config.env ?? {}
+	});
+}
+/**
+* Generate plugin type and executor files if a plugin manager is provided.
+* Collects source type info from TailorDB services and delegates to PluginManager.
+* @param pluginManager - Plugin manager instance (skips if undefined)
+* @param tailorDBServices - TailorDB services to collect type source info from
+* @param configPath - Path to tailor.config.ts for resolving plugin imports
+* @returns Generated executor file paths
+*/
+function generatePluginFilesIfNeeded(pluginManager, tailorDBServices, configPath) {
+	if (!pluginManager) return [];
+	const sourceTypeInfoMap = /* @__PURE__ */ new Map();
+	for (const db of tailorDBServices) {
+		const typeSourceInfo = db.typeSourceInfo;
+		for (const [typeName, sourceInfo] of Object.entries(typeSourceInfo)) if (sourceInfo.filePath) sourceTypeInfoMap.set(typeName, {
+			filePath: sourceInfo.filePath,
+			exportName: sourceInfo.exportName
+		});
+	}
+	return pluginManager.generatePluginFiles({
+		outputDir: path.join(getDistDir(), "plugin"),
+		sourceTypeInfoMap,
+		configPath,
+		typeGenerator: generatePluginTypeFiles,
+		executorGenerator: generatePluginExecutorFiles
+	});
+}
+/**
+* Load and fully initialize a Tailor application.
+* This performs all I/O-heavy operations: loading types, processing plugins,
+* generating plugin files, bundling, and loading definitions for validation.
+* @param params - Parameters for defining and loading the application
+* @returns Fully initialized application with workflow results
+*/
+async function loadApplication(params) {
+	const { config, pluginManager, bundleCache } = params;
+	const { tailordbResult, resolverResult, idpResult, authResult, staticWebsiteServices, secrets } = defineServices(config, pluginManager);
+	for (const tailordb of tailordbResult.tailorDBServices) {
+		await tailordb.loadTypes();
+		await tailordb.processNamespacePlugins();
+	}
+	const pluginExecutorFiles = generatePluginFilesIfNeeded(pluginManager, tailordbResult.tailorDBServices, config.path);
+	const executorService = defineExecutor(config.executor, pluginExecutorFiles.length > 0);
+	const workflowService = defineWorkflow(config.workflow);
+	if (workflowService) await workflowService.loadWorkflows();
+	const triggerContext = await buildTriggerContext(config.workflow);
+	const inlineSourcemap = resolveInlineSourcemap(config.inlineSourcemap);
+	for (const pipeline of resolverResult.resolverServices) await bundleResolvers(pipeline.namespace, pipeline.config, triggerContext, bundleCache, inlineSourcemap);
+	if (executorService) await bundleExecutors({
+		config: executorService.config,
+		triggerContext,
+		additionalFiles: [...pluginExecutorFiles],
+		cache: bundleCache,
+		inlineSourcemap
+	});
+	let workflowBuildResult;
+	if (workflowService && workflowService.jobs.length > 0) {
+		const mainJobNames = workflowService.workflowSources.map((ws) => ws.workflow.mainJob.name);
+		workflowBuildResult = await bundleWorkflowJobs(workflowService.jobs, mainJobNames, config.env ?? {}, triggerContext, bundleCache, inlineSourcemap);
+	}
+	if (authResult.authService?.config.hooks?.beforeLogin) {
+		const authName = authResult.authService.config.name;
+		await bundleAuthHooks({
+			configPath: config.path,
+			authName,
+			handlerAccessPath: `auth.hooks.beforeLogin.handler`,
+			triggerContext,
+			cache: bundleCache,
+			inlineSourcemap
+		});
+	}
+	for (const pipeline of resolverResult.resolverServices) await pipeline.loadResolvers();
+	if (executorService) {
+		await executorService.loadExecutors();
+		if (pluginExecutorFiles.length > 0) await executorService.loadPluginExecutorFiles([...pluginExecutorFiles]);
+	}
+	if (workflowService) workflowService.printLoadedWorkflows();
+	logger.newline();
+	return {
+		application: buildApplication({
+			config,
+			tailordbResult,
+			resolverResult,
+			idpResult,
+			authResult,
+			executorService,
+			workflowService,
+			staticWebsiteServices,
+			secrets,
+			env: config.env ?? {}
+		}),
+		workflowBuildResult
+	};
+}
+
+//#endregion
+export { writePlatformConfig as S, hashFile as _, loadConfig as a, loadWorkspaceId as b, ExecutorSchema as c, TailorDBTypeSchema as d, stringifyFunction as f, getDistDir as g, createBundleCache as h, resolveInlineSourcemap as i, OAuth2ClientSchema as l, loadFilesWithIgnores as m, generatePluginFilesIfNeeded as n, WorkflowJobSchema as o, tailorUserMap as p, loadApplication as r, createExecutorService as s, defineApplication as t, ResolverSchema as u, fetchLatestToken as v, readPlatformConfig as x, loadAccessToken as y };
+//# sourceMappingURL=application-CBJFUKrU.mjs.map