@tailor-platform/sdk 1.27.0 → 1.29.0

package/dist/seed/index.mjs

@@ -1,4 +1,4 @@
-import "../chunk-Cz-A8uMR.mjs";
+import "../chunk-DEt8GZDa.mjs";
 import { stat } from "node:fs/promises";
 import { basename, dirname } from "node:path";
 import { ErrorFormatter, LinesDB, defineSchema } from "@toiroakr/lines-db";

package/dist/{telemetry-VvNfsyEE.mjs → telemetry-BSUlYTs-.mjs}

@@ -34,7 +34,7 @@ async function initTelemetry() {
 		import("@opentelemetry/exporter-trace-otlp-proto"),
 		import("@opentelemetry/resources"),
 		import("@opentelemetry/semantic-conventions"),
-		import("./package-json-DHfTiUCS.mjs")
+		import("./package-json-DiZWrkIA.mjs")
 	]);
 	const version = (await readPackageJson()).version ?? "unknown";
 	_provider = new NodeTracerProvider({
@@ -81,4 +81,4 @@ async function withSpan(name, fn) {
 
 //#endregion
 export { shutdownTelemetry as n, withSpan as r, initTelemetry as t };
-//# sourceMappingURL=telemetry-VvNfsyEE.mjs.map
+//# sourceMappingURL=telemetry-BSUlYTs-.mjs.map

package/dist/{telemetry-VvNfsyEE.mjs.map → telemetry-BSUlYTs-.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"telemetry-VvNfsyEE.mjs","names":[],"sources":["../src/cli/telemetry/config.ts","../src/cli/telemetry/index.ts"],"sourcesContent":["/**\n * Telemetry configuration parsed from standard OpenTelemetry environment variables.\n * Tracing is enabled when OTEL_EXPORTER_OTLP_ENDPOINT is set.\n */\nexport interface TelemetryConfig {\n  readonly enabled: boolean;\n  readonly endpoint: string;\n}\n\n/**\n * Parse telemetry configuration from standard OpenTelemetry environment variables.\n * Tracing is enabled when OTEL_EXPORTER_OTLP_ENDPOINT is set.\n * @returns Telemetry configuration\n */\nexport function parseTelemetryConfig(): TelemetryConfig {\n  const endpoint = process.env.OTEL_EXPORTER_OTLP_ENDPOINT ?? \"\";\n  const enabled = endpoint.length > 0;\n\n  return {\n    enabled,\n    endpoint,\n  };\n}\n","import { trace, SpanStatusCode, type Span } from \"@opentelemetry/api\";\nimport { parseTelemetryConfig, type TelemetryConfig } from \"./config\";\n\nlet _config: TelemetryConfig | undefined;\nlet _initialized = false;\nlet _provider: { register: () => void; shutdown: () => Promise<void> } | undefined;\n\n/**\n * Check whether telemetry is currently enabled.\n * @returns true if telemetry has been initialized and is enabled\n */\nexport function isTelemetryEnabled(): boolean {\n  return _config?.enabled ?? false;\n}\n\n/**\n * Initialize telemetry if OTEL_EXPORTER_OTLP_ENDPOINT is set.\n * When disabled, this is a no-op with zero overhead beyond reading env vars.\n * @returns Promise that resolves when initialization completes\n */\nexport async function initTelemetry(): Promise<void> {\n  if (_initialized) return;\n  _initialized = true;\n\n  _config = parseTelemetryConfig();\n  if (!_config.enabled) return;\n\n  // Dynamic imports - only loaded when tracing is enabled\n  const [\n    { NodeTracerProvider, BatchSpanProcessor },\n    { OTLPTraceExporter },\n    { resourceFromAttributes },\n    { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION },\n    { readPackageJson },\n  ] = await Promise.all([\n    import(\"@opentelemetry/sdk-trace-node\"),\n    import(\"@opentelemetry/exporter-trace-otlp-proto\"),\n    import(\"@opentelemetry/resources\"),\n    import(\"@opentelemetry/semantic-conventions\"),\n    import(\"@/cli/shared/package-json\"),\n  ]);\n\n  const packageJson = await readPackageJson();\n  const version = packageJson.version ?? \"unknown\";\n\n  const resource = resourceFromAttributes({\n    [ATTR_SERVICE_NAME]: \"tailor-sdk\",\n    [ATTR_SERVICE_VERSION]: version,\n  });\n\n  const exporter = new OTLPTraceExporter({\n    url: `${_config.endpoint}/v1/traces`,\n  });\n\n  _provider = new NodeTracerProvider({\n    resource,\n    spanProcessors: [new BatchSpanProcessor(exporter)],\n  });\n\n  _provider.register();\n}\n\n/**\n * Shutdown the telemetry provider, flushing all pending spans.\n * Must be called before process exit to ensure traces are exported.\n * @returns Promise that resolves when shutdown completes\n */\nexport async function shutdownTelemetry(): Promise<void> {\n  if (!_provider) return;\n  await _provider.shutdown();\n}\n\n/**\n * Execute a function within a new span. Records exceptions and sets span status.\n * When no TracerProvider is registered, the OTel API automatically provides\n * noop spans with zero overhead.\n * @param name - Span name\n * @param fn - Function to execute within the span\n * @returns Result of fn\n */\nexport async function withSpan<T>(name: string, fn: (span: Span) => Promise<T>): Promise<T> {\n  const tracer = trace.getTracer(\"tailor-sdk\");\n\n  return tracer.startActiveSpan(name, async (span) => {\n    try {\n      const result = await fn(span);\n      span.setStatus({ code: SpanStatusCode.OK });\n      return result;\n    } catch (error) {\n      span.setStatus({ code: SpanStatusCode.ERROR });\n      if (error instanceof Error) {\n        span.recordException(error);\n      }\n      throw error;\n    } finally {\n      span.end();\n    }\n  });\n}\n"],"mappings":";;;;;;;;AAcA,SAAgB,uBAAwC;CACtD,MAAM,WAAW,QAAQ,IAAI,+BAA+B;AAG5D,QAAO;EACL,SAHc,SAAS,SAAS;EAIhC;EACD;;;;;AClBH,IAAI;AACJ,IAAI,eAAe;AACnB,IAAI;;;;;;AAeJ,eAAsB,gBAA+B;AACnD,KAAI,aAAc;AAClB,gBAAe;AAEf,WAAU,sBAAsB;AAChC,KAAI,CAAC,QAAQ,QAAS;CAGtB,MAAM,CACJ,EAAE,oBAAoB,sBACtB,EAAE,qBACF,EAAE,0BACF,EAAE,mBAAmB,wBACrB,EAAE,qBACA,MAAM,QAAQ,IAAI;EACpB,OAAO;EACP,OAAO;EACP,OAAO;EACP,OAAO;EACP,OAAO;EACR,CAAC;CAGF,MAAM,WADc,MAAM,iBAAiB,EACf,WAAW;AAWvC,aAAY,IAAI,mBAAmB;EACjC,UAVe,uBAAuB;IACrC,oBAAoB;IACpB,uBAAuB;GACzB,CAAC;EAQA,gBAAgB,CAAC,IAAI,mBANN,IAAI,kBAAkB,EACrC,KAAK,GAAG,QAAQ,SAAS,aAC1B,CAAC,CAIiD,CAAC;EACnD,CAAC;AAEF,WAAU,UAAU;;;;;;;AAQtB,eAAsB,oBAAmC;AACvD,KAAI,CAAC,UAAW;AAChB,OAAM,UAAU,UAAU;;;;;;;;;;AAW5B,eAAsB,SAAY,MAAc,IAA4C;AAG1F,QAFe,MAAM,UAAU,aAAa,CAE9B,gBAAgB,MAAM,OAAO,SAAS;AAClD,MAAI;GACF,MAAM,SAAS,MAAM,GAAG,KAAK;AAC7B,QAAK,UAAU,EAAE,MAAM,eAAe,IAAI,CAAC;AAC3C,UAAO;WACA,OAAO;AACd,QAAK,UAAU,EAAE,MAAM,eAAe,OAAO,CAAC;AAC9C,OAAI,iBAAiB,MACnB,MAAK,gBAAgB,MAAM;AAE7B,SAAM;YACE;AACR,QAAK,KAAK;;GAEZ"}
+{"version":3,"file":"telemetry-BSUlYTs-.mjs","names":[],"sources":["../src/cli/telemetry/config.ts","../src/cli/telemetry/index.ts"],"sourcesContent":["/**\n * Telemetry configuration parsed from standard OpenTelemetry environment variables.\n * Tracing is enabled when OTEL_EXPORTER_OTLP_ENDPOINT is set.\n */\nexport interface TelemetryConfig {\n  readonly enabled: boolean;\n  readonly endpoint: string;\n}\n\n/**\n * Parse telemetry configuration from standard OpenTelemetry environment variables.\n * Tracing is enabled when OTEL_EXPORTER_OTLP_ENDPOINT is set.\n * @returns Telemetry configuration\n */\nexport function parseTelemetryConfig(): TelemetryConfig {\n  const endpoint = process.env.OTEL_EXPORTER_OTLP_ENDPOINT ?? \"\";\n  const enabled = endpoint.length > 0;\n\n  return {\n    enabled,\n    endpoint,\n  };\n}\n","import { trace, SpanStatusCode, type Span } from \"@opentelemetry/api\";\nimport { parseTelemetryConfig, type TelemetryConfig } from \"./config\";\n\nlet _config: TelemetryConfig | undefined;\nlet _initialized = false;\nlet _provider: { register: () => void; shutdown: () => Promise<void> } | undefined;\n\n/**\n * Check whether telemetry is currently enabled.\n * @returns true if telemetry has been initialized and is enabled\n */\nexport function isTelemetryEnabled(): boolean {\n  return _config?.enabled ?? false;\n}\n\n/**\n * Initialize telemetry if OTEL_EXPORTER_OTLP_ENDPOINT is set.\n * When disabled, this is a no-op with zero overhead beyond reading env vars.\n * @returns Promise that resolves when initialization completes\n */\nexport async function initTelemetry(): Promise<void> {\n  if (_initialized) return;\n  _initialized = true;\n\n  _config = parseTelemetryConfig();\n  if (!_config.enabled) return;\n\n  // Dynamic imports - only loaded when tracing is enabled\n  const [\n    { NodeTracerProvider, BatchSpanProcessor },\n    { OTLPTraceExporter },\n    { resourceFromAttributes },\n    { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION },\n    { readPackageJson },\n  ] = await Promise.all([\n    import(\"@opentelemetry/sdk-trace-node\"),\n    import(\"@opentelemetry/exporter-trace-otlp-proto\"),\n    import(\"@opentelemetry/resources\"),\n    import(\"@opentelemetry/semantic-conventions\"),\n    import(\"@/cli/shared/package-json\"),\n  ]);\n\n  const packageJson = await readPackageJson();\n  const version = packageJson.version ?? \"unknown\";\n\n  const resource = resourceFromAttributes({\n    [ATTR_SERVICE_NAME]: \"tailor-sdk\",\n    [ATTR_SERVICE_VERSION]: version,\n  });\n\n  const exporter = new OTLPTraceExporter({\n    url: `${_config.endpoint}/v1/traces`,\n  });\n\n  _provider = new NodeTracerProvider({\n    resource,\n    spanProcessors: [new BatchSpanProcessor(exporter)],\n  });\n\n  _provider.register();\n}\n\n/**\n * Shutdown the telemetry provider, flushing all pending spans.\n * Must be called before process exit to ensure traces are exported.\n * @returns Promise that resolves when shutdown completes\n */\nexport async function shutdownTelemetry(): Promise<void> {\n  if (!_provider) return;\n  await _provider.shutdown();\n}\n\n/**\n * Execute a function within a new span. Records exceptions and sets span status.\n * When no TracerProvider is registered, the OTel API automatically provides\n * noop spans with zero overhead.\n * @param name - Span name\n * @param fn - Function to execute within the span\n * @returns Result of fn\n */\nexport async function withSpan<T>(name: string, fn: (span: Span) => Promise<T>): Promise<T> {\n  const tracer = trace.getTracer(\"tailor-sdk\");\n\n  return tracer.startActiveSpan(name, async (span) => {\n    try {\n      const result = await fn(span);\n      span.setStatus({ code: SpanStatusCode.OK });\n      return result;\n    } catch (error) {\n      span.setStatus({ code: SpanStatusCode.ERROR });\n      if (error instanceof Error) {\n        span.recordException(error);\n      }\n      throw error;\n    } finally {\n      span.end();\n    }\n  });\n}\n"],"mappings":";;;;;;;;AAcA,SAAgB,uBAAwC;CACtD,MAAM,WAAW,QAAQ,IAAI,+BAA+B;AAG5D,QAAO;EACL,SAHc,SAAS,SAAS;EAIhC;EACD;;;;;AClBH,IAAI;AACJ,IAAI,eAAe;AACnB,IAAI;;;;;;AAeJ,eAAsB,gBAA+B;AACnD,KAAI,aAAc;AAClB,gBAAe;AAEf,WAAU,sBAAsB;AAChC,KAAI,CAAC,QAAQ,QAAS;CAGtB,MAAM,CACJ,EAAE,oBAAoB,sBACtB,EAAE,qBACF,EAAE,0BACF,EAAE,mBAAmB,wBACrB,EAAE,qBACA,MAAM,QAAQ,IAAI;EACpB,OAAO;EACP,OAAO;EACP,OAAO;EACP,OAAO;EACP,OAAO;EACR,CAAC;CAGF,MAAM,WADc,MAAM,iBAAiB,EACf,WAAW;AAWvC,aAAY,IAAI,mBAAmB;EACjC,UAVe,uBAAuB;IACrC,oBAAoB;IACpB,uBAAuB;GACzB,CAAC;EAQA,gBAAgB,CAAC,IAAI,mBANN,IAAI,kBAAkB,EACrC,KAAK,GAAG,QAAQ,SAAS,aAC1B,CAAC,CAIiD,CAAC;EACnD,CAAC;AAEF,WAAU,UAAU;;;;;;;AAQtB,eAAsB,oBAAmC;AACvD,KAAI,CAAC,UAAW;AAChB,OAAM,UAAU,UAAU;;;;;;;;;;AAW5B,eAAsB,SAAY,MAAc,IAA4C;AAG1F,QAFe,MAAM,UAAU,aAAa,CAE9B,gBAAgB,MAAM,OAAO,SAAS;AAClD,MAAI;GACF,MAAM,SAAS,MAAM,GAAG,KAAK;AAC7B,QAAK,UAAU,EAAE,MAAM,eAAe,IAAI,CAAC;AAC3C,UAAO;WACA,OAAO;AACd,QAAK,UAAU,EAAE,MAAM,eAAe,OAAO,CAAC;AAC9C,OAAI,iBAAiB,MACnB,MAAK,gBAAgB,MAAM;AAE7B,SAAM;YACE;AACR,QAAK,KAAK;;GAEZ"}

package/dist/telemetry-BtN2l0f1.mjs

@@ -0,0 +1,4 @@
+import "./chunk-DEt8GZDa.mjs";
+import { n as shutdownTelemetry, r as withSpan, t as initTelemetry } from "./telemetry-BSUlYTs-.mjs";
+
+export { initTelemetry, shutdownTelemetry };

package/dist/utils/test/index.mjs

@@ -1,4 +1,4 @@
-import "../../chunk-Cz-A8uMR.mjs";
+import "../../chunk-DEt8GZDa.mjs";
 import "../../brand-GZnI4eYb.mjs";
 import { t as WORKFLOW_TEST_ENV_KEY } from "../../job-DdfW7vH3.mjs";
 import { pathToFileURL } from "node:url";

package/docs/cli/secret.md

@@ -243,13 +243,14 @@ tailor-sdk secret create [options]
 
 **Options**
 
-| Option                          | Alias | Description       | Required | Default | Env                            |
-| ------------------------------- | ----- | ----------------- | -------- | ------- | ------------------------------ |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID      | No       | -       | `TAILOR_PLATFORM_WORKSPACE_ID` |
-| `--profile <PROFILE>`           | `-p`  | Workspace profile | No       | -       | `TAILOR_PLATFORM_PROFILE`      |
-| `--vault-name <VAULT_NAME>`     | `-V`  | Vault name        | Yes      | -       | -                              |
-| `--name <NAME>`                 | `-n`  | Secret name       | Yes      | -       | -                              |
-| `--value <VALUE>`               | `-v`  | Secret value      | Yes      | -       | -                              |
+| Option                          | Alias | Description               | Required | Default | Env                            |
+| ------------------------------- | ----- | ------------------------- | -------- | ------- | ------------------------------ |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID              | No       | -       | `TAILOR_PLATFORM_WORKSPACE_ID` |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile         | No       | -       | `TAILOR_PLATFORM_PROFILE`      |
+| `--vault-name <VAULT_NAME>`     | `-V`  | Vault name                | Yes      | -       | -                              |
+| `--name <NAME>`                 | `-n`  | Secret name               | Yes      | -       | -                              |
+| `--value <VALUE>`               | `-v`  | Secret value              | Yes      | -       | -                              |
+| `--yes`                         | `-y`  | Skip confirmation prompts | No       | `false` | -                              |
 
 <!-- politty:command:secret create:options:end -->
 
@@ -284,13 +285,14 @@ tailor-sdk secret update [options]
 
 **Options**
 
-| Option                          | Alias | Description       | Required | Default | Env                            |
-| ------------------------------- | ----- | ----------------- | -------- | ------- | ------------------------------ |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID      | No       | -       | `TAILOR_PLATFORM_WORKSPACE_ID` |
-| `--profile <PROFILE>`           | `-p`  | Workspace profile | No       | -       | `TAILOR_PLATFORM_PROFILE`      |
-| `--vault-name <VAULT_NAME>`     | `-V`  | Vault name        | Yes      | -       | -                              |
-| `--name <NAME>`                 | `-n`  | Secret name       | Yes      | -       | -                              |
-| `--value <VALUE>`               | `-v`  | Secret value      | Yes      | -       | -                              |
+| Option                          | Alias | Description               | Required | Default | Env                            |
+| ------------------------------- | ----- | ------------------------- | -------- | ------- | ------------------------------ |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID              | No       | -       | `TAILOR_PLATFORM_WORKSPACE_ID` |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile         | No       | -       | `TAILOR_PLATFORM_PROFILE`      |
+| `--vault-name <VAULT_NAME>`     | `-V`  | Vault name                | Yes      | -       | -                              |
+| `--name <NAME>`                 | `-n`  | Secret name               | Yes      | -       | -                              |
+| `--value <VALUE>`               | `-v`  | Secret value              | Yes      | -       | -                              |
+| `--yes`                         | `-y`  | Skip confirmation prompts | No       | `false` | -                              |
 
 <!-- politty:command:secret update:options:end -->
 

package/docs/cli/user.md

@@ -19,11 +19,31 @@ Login to Tailor Platform.
 **Usage**
 
 ```
-tailor-sdk login
+tailor-sdk login [options]
 ```
 
 <!-- politty:command:login:usage:end -->
 
+<!-- politty:command:login:options:start -->
+
+**Options**
+
+> One of the following option groups is required:
+
+**User Login:**
+
+_no options_
+
+**Machine User Login:**
+
+| Option                            | Alias | Description                       | Required | Default | Env                                          |
+| --------------------------------- | ----- | --------------------------------- | -------- | ------- | -------------------------------------------- |
+| `--machineuser <MACHINEUSER>`     | -     | Login as a platform machine user. | Yes      | -       | -                                            |
+| `--client-id <CLIENT_ID>`         | -     | Client ID                         | Yes      | -       | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID`     |
+| `--client-secret <CLIENT_SECRET>` | -     | Client secret                     | No       | -       | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET` |
+
+<!-- politty:command:login:options:end -->
+
 <!-- politty:command:login:global-options-link:start -->
 
 See [Global Options](../cli-reference.md#global-options) for options available to all commands.
@@ -148,13 +168,6 @@ tailor-sdk user list
 <!-- politty:command:user list:usage:end -->
 
 <!-- politty:command:user list:options:start -->
-
-**Options**
-
-| Option   | Alias | Description    | Required | Default |
-| -------- | ----- | -------------- | -------- | ------- |
-| `--json` | `-j`  | Output as JSON | No       | `false` |
-
 <!-- politty:command:user list:options:end -->
 
 <!-- politty:command:user list:global-options-link:start -->
@@ -222,13 +235,6 @@ tailor-sdk user pat [command]
 <!-- politty:command:user pat:usage:end -->
 
 <!-- politty:command:user pat:options:start -->
-
-**Options**
-
-| Option   | Alias | Description    | Required | Default |
-| -------- | ----- | -------------- | -------- | ------- |
-| `--json` | `-j`  | Output as JSON | No       | `false` |
-
 <!-- politty:command:user pat:options:end -->
 
 <!-- politty:command:user pat:subcommands:start -->
@@ -272,13 +278,6 @@ tailor-sdk user pat list
 <!-- politty:command:user pat list:usage:end -->
 
 <!-- politty:command:user pat list:options:start -->
-
-**Options**
-
-| Option   | Alias | Description    | Required | Default |
-| -------- | ----- | -------------- | -------- | ------- |
-| `--json` | `-j`  | Output as JSON | No       | `false` |
-
 <!-- politty:command:user pat list:options:end -->
 
 <!-- politty:command:user pat list:global-options-link:start -->

package/docs/cli/workspace.md

@@ -274,13 +274,6 @@ tailor-sdk profile list
 <!-- politty:command:profile list:usage:end -->
 
 <!-- politty:command:profile list:options:start -->
-
-**Options**
-
-| Option   | Alias | Description    | Required | Default |
-| -------- | ----- | -------------- | -------- | ------- |
-| `--json` | `-j`  | Output as JSON | No       | `false` |
-
 <!-- politty:command:profile list:options:end -->
 
 <!-- politty:command:profile list:global-options-link:start -->

package/docs/cli-reference.md

@@ -53,16 +53,18 @@ tailor-sdk apply --env-file .env --env-file .env.production
 
 You can use environment variables to configure workspace and authentication:
 
-| Variable                          | Description                                                                 |
-| --------------------------------- | --------------------------------------------------------------------------- |
-| `TAILOR_PLATFORM_WORKSPACE_ID`    | Workspace ID for deployment commands                                        |
-| `TAILOR_PLATFORM_TOKEN`           | Authentication token (alternative to `login`)                               |
-| `TAILOR_TOKEN`                    | **Deprecated.** Use `TAILOR_PLATFORM_TOKEN` instead                         |
-| `TAILOR_PLATFORM_PROFILE`         | Workspace profile name                                                      |
-| `TAILOR_PLATFORM_SDK_CONFIG_PATH` | Path to SDK config file                                                     |
-| `VISUAL` / `EDITOR`               | Preferred editor for commands that open files (e.g., `vim`, `code`, `nano`) |
-| `TAILOR_CRASH_REPORTS_LOCAL`      | Local crash log writing: `on` (default) or `off`                            |
-| `TAILOR_CRASH_REPORTS_REMOTE`     | Automatic crash report submission: `off` (default) or `on`                  |
+| Variable                                     | Description                                                                 |
+| -------------------------------------------- | --------------------------------------------------------------------------- |
+| `TAILOR_PLATFORM_WORKSPACE_ID`               | Workspace ID for deployment commands                                        |
+| `TAILOR_PLATFORM_TOKEN`                      | Authentication token (alternative to `login`)                               |
+| `TAILOR_TOKEN`                               | **Deprecated.** Use `TAILOR_PLATFORM_TOKEN` instead                         |
+| `TAILOR_PLATFORM_PROFILE`                    | Workspace profile name                                                      |
+| `TAILOR_PLATFORM_SDK_CONFIG_PATH`            | Path to SDK config file                                                     |
+| `TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID`     | Client ID for `login --machineuser`                                         |
+| `TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET` | Client secret for `login --machineuser`                                     |
+| `VISUAL` / `EDITOR`                          | Preferred editor for commands that open files (e.g., `vim`, `code`, `nano`) |
+| `TAILOR_CRASH_REPORTS_LOCAL`                 | Local crash log writing: `on` (default) or `off`                            |
+| `TAILOR_CRASH_REPORTS_REMOTE`                | Automatic crash report submission: `off` (default) or `on`                  |
 
 ### Authentication Token Priority
 

package/docs/configuration.md

@@ -145,6 +145,25 @@ export default defineConfig({
 });
 ```
 
+### Secret Manager
+
+Configure secrets using `defineSecretManager()`. See [Secret Manager](./services/secret.md) for full documentation.
+
+```typescript
+import { defineSecretManager } from "@tailor-platform/sdk";
+
+export const secrets = defineSecretManager({
+  "api-keys": {
+    "stripe-secret-key": process.env.STRIPE_SECRET_KEY!,
+    "sendgrid-api-key": process.env.SENDGRID_API_KEY!,
+  },
+});
+
+export default defineConfig({
+  secrets,
+});
+```
+
 ### Environment Variables
 
 Define environment variables that can be accessed in resolvers, executors, and workflows:

package/docs/services/executor.md

@@ -99,6 +99,30 @@ resolverExecutedTrigger({
 });
 ```
 
+### IdP User Triggers
+
+Fire when IdP users are created, updated, or deleted:
+
+- `idpUserCreatedTrigger()`: Fires when a new IdP user is created
+- `idpUserUpdatedTrigger()`: Fires when an IdP user is updated
+- `idpUserDeletedTrigger()`: Fires when an IdP user is deleted
+
+```typescript
+idpUserCreatedTrigger();
+```
+
+### Auth Access Token Triggers
+
+Fire on auth access token lifecycle events:
+
+- `authAccessTokenIssuedTrigger()`: Fires when a new access token is issued
+- `authAccessTokenRefreshedTrigger()`: Fires when an access token is refreshed
+- `authAccessTokenRevokedTrigger()`: Fires when an access token is revoked
+
+```typescript
+authAccessTokenIssuedTrigger();
+```
+
 ## Operation Types
 
 ### Function Operation
@@ -401,3 +425,25 @@ export default createExecutor({
   },
 });
 ```
+
+### IdP User Event Payload
+
+IdP user triggers receive user context:
+
+```typescript
+interface IdpUserContext {
+  namespaceName: string; // IdP namespace name
+  userId: string; // The affected user ID
+}
+```
+
+### Auth Access Token Event Payload
+
+Auth access token triggers receive token context:
+
+```typescript
+interface AuthAccessTokenContext {
+  namespaceName: string; // Auth namespace name
+  userId: string; // The user associated with the token
+}
+```

package/docs/services/secret.md

@@ -32,8 +32,85 @@ workspace/
 
 Secrets are key-value pairs stored within a vault. Secret values are encrypted at rest and only accessible at runtime by authorized services.
 
+## Managing Secrets
+
+There are two ways to manage secrets: declaratively via `defineSecretManager()` in `tailor.config.ts`, or imperatively via the [CLI](#cli-management). Management is scoped per vault — **do not mix both approaches for the same vault**. When a vault is defined in config, the config becomes the source of truth: any secrets in that vault not present in the config will be deleted on `tailor-sdk apply`.
+
+### Declarative Configuration
+
+Define your secrets in `tailor.config.ts` using `defineSecretManager()`. Each key is a vault name, and its value is a record of secret names to their values. These values are deployed to each vault on `tailor-sdk apply`.
+
+Since secret values should not be committed to source control, use environment variables:
+
+```typescript
+import { defineConfig, defineSecretManager } from "@tailor-platform/sdk";
+
+export const secrets = defineSecretManager({
+  "api-keys": {
+    "stripe-secret-key": process.env.STRIPE_SECRET_KEY!,
+    "sendgrid-api-key": process.env.SENDGRID_API_KEY!,
+  },
+  database: {
+    "analytics-connection-string": process.env.ANALYTICS_DB_URL!,
+  },
+});
+
+export default defineConfig({
+  name: "my-app",
+  secrets,
+  // ...other config
+});
+```
+
+The exported `secrets` object provides type-safe `get()` and `getAll()` methods for runtime access from resolvers, executors, and workflows.
+
 ## Using Secrets
 
+### Runtime Access with `get()` / `getAll()`
+
+Use the `secrets` object exported from `tailor.config.ts` to retrieve secret values at runtime. The vault and secret names are fully type-checked based on the `defineSecretManager()` configuration.
+
+#### `get(vault, secret)`
+
+Retrieves a single secret value.
+
+```typescript
+import { createResolver } from "@tailor-platform/sdk";
+import { secrets } from "../tailor.config";
+
+export default createResolver({
+  name: "call-stripe",
+  // ...
+  operation: async ({ input }) => {
+    const apiKey = await secrets.get("api-keys", "stripe-secret-key");
+    // Use apiKey to call the Stripe API
+  },
+});
+```
+
+#### `getAll(vault, secrets)`
+
+Retrieves multiple secret values at once from the same vault.
+
+```typescript
+import { createResolver } from "@tailor-platform/sdk";
+import { secrets } from "../tailor.config";
+
+export default createResolver({
+  name: "send-notification",
+  // ...
+  operation: async ({ input }) => {
+    const [apiKey, webhookSecret] = await secrets.getAll("api-keys", [
+      "sendgrid-api-key",
+      "stripe-secret-key",
+    ]);
+    // Use the retrieved secrets
+  },
+});
+```
+
+Both methods return `Promise<string | undefined>` (or an array of them for `getAll`).
+
 ### In Webhook Operations
 
 Reference secrets in webhook headers using the vault/key syntax:
@@ -71,6 +148,10 @@ At runtime, these references are replaced with the actual secret values.
 
 ## CLI Management
 
+Use the CLI to manage vaults that are **not** defined in `defineSecretManager()`. If you attempt to modify a vault that is managed by the config, the CLI will show a warning and ask for confirmation. Once confirmed, the CLI releases the vault's ownership label so it is no longer managed by config.
+
+After ownership is released, the next `tailor-sdk apply` will treat the vault as an unmanaged resource and prompt for confirmation before taking any action on it.
+
 ### Create a Vault
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.27.0",
+  "version": "1.29.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -89,7 +89,7 @@
     "@opentelemetry/resources": "2.6.0",
     "@opentelemetry/sdk-trace-node": "2.6.0",
     "@opentelemetry/semantic-conventions": "1.40.0",
-    "@oxc-project/types": "0.108.0",
+    "@oxc-project/types": "0.120.0",
     "@standard-schema/spec": "1.1.0",
     "@tailor-platform/function-kysely-tailordb": "0.1.3",
     "@toiroakr/lines-db": "0.9.0",
@@ -102,18 +102,18 @@
     "find-up-simple": "1.0.1",
     "globals": "17.0.0",
     "inflection": "3.0.2",
-    "kysely": "0.28.11",
+    "kysely": "0.28.14",
     "madge": "8.0.0",
     "mime-types": "3.0.2",
     "multiline-ts": "4.0.1",
     "open": "11.0.0",
     "ora": "9.0.0",
-    "oxc-parser": "0.108.0",
-    "p-limit": "7.2.0",
+    "oxc-parser": "0.119.0",
+    "p-limit": "7.3.0",
     "pathe": "2.0.3",
     "pgsql-ast-parser": "12.0.2",
     "pkg-types": "2.3.0",
-    "politty": "0.4.9",
+    "politty": "0.4.11",
     "rolldown": "1.0.0-rc.9",
     "serve": "14.2.6",
     "std-env": "3.10.0",
@@ -135,8 +135,8 @@
     "@vitest/coverage-v8": "4.1.0",
     "eslint": "9.39.4",
     "eslint-plugin-jsdoc": "62.8.0",
-    "eslint-plugin-oxlint": "1.39.0",
-    "oxlint": "1.39.0",
+    "eslint-plugin-oxlint": "1.55.0",
+    "oxlint": "1.55.0",
     "oxlint-tsgolint": "0.16.0",
     "sonda": "0.11.1",
     "tsdown": "0.21.2",