@tailor-platform/sdk 1.29.0 → 1.31.0

package/dist/{application-Clwpv84E.mjs → application-CASjzt3W.mjs}

@@ -1,6 +1,7 @@
 import { n as isSdkBranded } from "./brand-GZnI4eYb.mjs";
 import { n as logger, r as styles } from "./logger-CqezTedh.mjs";
-import { c as initOAuth2Client } from "./client-CZmQBXAY.mjs";
+import { l as initOAuth2Client } from "./client-DfdgRZlQ.mjs";
+import { t as readPackageJson } from "./package-json-D3x2nBPB.mjs";
 import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-CWkIDWMb.mjs";
 import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "./enum-constants-D1nfn0qD.mjs";
 import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-Bctuzn3x.mjs";
@@ -18,6 +19,7 @@ import * as os from "node:os";
 import { parseTOML, parseYAML, stringifyYAML } from "confbox";
 import { findUpSync } from "find-up-simple";
 import ml from "multiline-ts";
+import { lt } from "semver";
 import { xdgConfig } from "xdg-basedir";
 import * as rolldown from "rolldown";
 import * as fs from "node:fs/promises";
@@ -25,18 +27,112 @@ import { parseSync } from "oxc-parser";
 import * as inflection from "inflection";
 import * as globals from "globals";
 
+//#region src/cli/shared/token-store.ts
+const SERVICE_NAME = "tailor-platform-cli";
+let entryClass;
+async function getEntryClass() {
+	if (entryClass !== void 0) return entryClass;
+	try {
+		const mod = await import("@napi-rs/keyring");
+		const probe = new mod.Entry(SERVICE_NAME, "__probe__");
+		probe.setPassword("probe");
+		probe.deletePassword();
+		entryClass = mod.Entry;
+	} catch {
+		logger.warn("System keyring is not available. Tokens will be stored in the config file. Set TAILOR_PLATFORM_TOKEN environment variable for CI environments.");
+		entryClass = false;
+	}
+	return entryClass;
+}
+/**
+* Check whether the OS keyring is available and functional.
+* @returns true if keyring is available
+*/
+async function isKeyringAvailable() {
+	return await getEntryClass() !== false;
+}
+/**
+* Load tokens from the OS keyring for a given account.
+* @param account - User identifier (e.g. email or client ID)
+* @returns Token data or undefined if not found or keyring unavailable
+*/
+async function loadKeyringTokens(account) {
+	const Entry = await getEntryClass();
+	if (!Entry) return void 0;
+	try {
+		const raw = new Entry(SERVICE_NAME, account).getPassword();
+		if (raw === null) return void 0;
+		return JSON.parse(raw);
+	} catch {
+		return;
+	}
+}
+/**
+* Save tokens to the OS keyring for a given account.
+* @param account - User identifier (e.g. email or client ID)
+* @param tokens - Token data to store
+*/
+async function saveKeyringTokens(account, tokens) {
+	const Entry = await getEntryClass();
+	if (!Entry) return;
+	new Entry(SERVICE_NAME, account).setPassword(JSON.stringify(tokens));
+}
+/**
+* Delete tokens from the OS keyring for a given account.
+* @param account - User identifier (e.g. email or client ID)
+*/
+async function deleteKeyringTokens(account) {
+	const Entry = await getEntryClass();
+	if (!Entry) return;
+	try {
+		new Entry(SERVICE_NAME, account).deletePassword();
+	} catch {}
+}
+
+//#endregion
 //#region src/cli/shared/context.ts
-const pfConfigSchema = z.object({
+const pfProfileSchema = z.object({
+	user: z.string(),
+	workspace_id: z.string()
+});
+const pfUserSchemaV1 = z.object({
+	access_token: z.string(),
+	refresh_token: z.string().optional(),
+	token_expires_at: z.string()
+});
+const pfUserKeyringSchema = z.object({
+	storage: z.literal("keyring"),
+	token_expires_at: z.string()
+});
+const pfUserFileSchema = z.object({
+	storage: z.literal("file"),
+	token_expires_at: z.string(),
+	access_token: z.string(),
+	refresh_token: z.string().optional()
+});
+const pfUserSchemaV2 = z.discriminatedUnion("storage", [pfUserKeyringSchema, pfUserFileSchema]);
+const pfConfigSchemaV1 = z.object({
 	version: z.literal(1),
-	users: z.partialRecord(z.string(), z.object({
-		access_token: z.string(),
-		refresh_token: z.string().optional(),
-		token_expires_at: z.string()
-	})),
-	profiles: z.partialRecord(z.string(), z.object({
-		user: z.string(),
-		workspace_id: z.string()
-	})),
+	users: z.partialRecord(z.string(), pfUserSchemaV1),
+	profiles: z.partialRecord(z.string(), pfProfileSchema),
+	current_user: z.string().nullable()
+});
+const LATEST_CONFIG_VERSION = 2;
+const V2_MIN_SDK_VERSION = "1.29.0";
+const semverSchema = z.templateLiteral([
+	z.number().int(),
+	".",
+	z.number().int(),
+	".",
+	z.number().int()
+]);
+const pfConfigSchemaV2 = z.object({
+	version: z.literal(LATEST_CONFIG_VERSION),
+	min_sdk_version: semverSchema,
+	latest_version: z.number().int().optional(),
+	latest_min_sdk_version: semverSchema.optional(),
+	users: z.partialRecord(z.string(), pfUserSchemaV2),
+	profiles: z.partialRecord(z.string(), pfProfileSchema),
 	current_user: z.string().nullable()
 });
 function platformConfigPath() {
@@ -44,34 +140,104 @@ function platformConfigPath() {
 	return path.join(xdgConfig, "tailor-platform", "config.yaml");
 }
 /**
-* Read Tailor Platform CLI configuration, migrating from tailorctl if necessary.
+* Migrate a v1 config to v2.
+* Tokens are kept in the config file (storage: "file") during migration.
+* They will be moved to the OS keyring on next login or token refresh.
+* @param v1Config - v1 configuration to migrate
+* @returns Migrated v2 configuration
+*/
+function migrateV1ToV2(v1Config) {
+	const users = {};
+	for (const [name, v1User] of Object.entries(v1Config.users)) {
+		if (!v1User) continue;
+		users[name] = {
+			access_token: v1User.access_token,
+			refresh_token: v1User.refresh_token,
+			token_expires_at: v1User.token_expires_at,
+			storage: "file"
+		};
+	}
+	return {
+		version: LATEST_CONFIG_VERSION,
+		min_sdk_version: V2_MIN_SDK_VERSION,
+		users,
+		profiles: v1Config.profiles,
+		current_user: v1Config.current_user
+	};
+}
+/**
+* Read Tailor Platform CLI configuration, migrating from tailorctl or v1 if necessary.
 * @returns Parsed platform configuration
 */
-function readPlatformConfig() {
+async function readPlatformConfig() {
 	const configPath = platformConfigPath();
 	if (!fs$1.existsSync(configPath)) {
 		logger.warn(`Config not found at ${configPath}, migrating from tailorctl config...`);
 		const tcConfig = readTailorctlConfig();
-		const pfConfig = tcConfig ? fromTailorctlConfig(tcConfig) : {
+		const v1Config = tcConfig ? fromTailorctlConfig(tcConfig) : {
 			version: 1,
 			users: {},
 			profiles: {},
 			current_user: null
 		};
-		writePlatformConfig(pfConfig);
-		return pfConfig;
+		writePlatformConfig(v1Config);
+		return migrateV1ToV2(v1Config);
 	}
 	const rawConfig = parseYAML(fs$1.readFileSync(configPath, "utf-8"));
-	return pfConfigSchema.parse(rawConfig);
+	const version = rawConfig != null && typeof rawConfig === "object" && "version" in rawConfig ? rawConfig.version : void 0;
+	if (typeof version === "number" && version > LATEST_CONFIG_VERSION) {
+		const minSdk = "min_sdk_version" in rawConfig ? String(rawConfig.min_sdk_version) : void 0;
+		const updateHint = minSdk ? `Please update your SDK to >= ${minSdk}: pnpm update @tailor-platform/sdk` : "Please update your SDK: pnpm update @tailor-platform/sdk";
+		throw new Error(ml`
+      Config file uses version ${String(version)}, but this SDK only supports up to version ${String(LATEST_CONFIG_VERSION)}.
+      ${updateHint}
+    `);
+	}
+	const v2Result = pfConfigSchemaV2.safeParse(rawConfig);
+	if (v2Result.success) {
+		if (v2Result.data.latest_min_sdk_version) {
+			if (lt((await readPackageJson()).version ?? "0.0.0", v2Result.data.latest_min_sdk_version)) logger.warn(ml`
+          A newer config version (${String(v2Result.data.latest_version)}) is available.
+          Please update your SDK to >= ${v2Result.data.latest_min_sdk_version}: pnpm update @tailor-platform/sdk
+        `);
+		}
+		return v2Result.data;
+	}
+	const v1Result = pfConfigSchemaV1.safeParse(rawConfig);
+	if (v1Result.success) return migrateV1ToV2(v1Result.data);
+	throw new Error(ml`
+    Failed to parse config file at ${configPath}.
+    The file may be corrupted or created by an incompatible SDK version.
+  `);
+}
+function toV1ForDisk(config) {
+	const users = {};
+	for (const [name, entry] of Object.entries(config.users)) {
+		if (!entry || entry.storage === "keyring") continue;
+		users[name] = {
+			access_token: entry.access_token,
+			refresh_token: entry.refresh_token,
+			token_expires_at: entry.token_expires_at
+		};
+	}
+	return {
+		version: 1,
+		users,
+		profiles: config.profiles,
+		current_user: config.current_user
+	};
 }
 /**
 * Write Tailor Platform CLI configuration to disk.
+* By default, V2 configs are converted to V1 for backward compatibility.
+* Set TAILOR_USE_KEYRING to write V2 format (required for keyring storage).
 * @param config - Platform configuration to write
 */
 function writePlatformConfig(config) {
 	const configPath = platformConfigPath();
 	fs$1.mkdirSync(path.dirname(configPath), { recursive: true });
-	fs$1.writeFileSync(configPath, stringifyYAML(config));
+	const diskConfig = config.version === 2 && !process.env.TAILOR_USE_KEYRING ? toV1ForDisk(config) : config;
+	fs$1.writeFileSync(configPath, stringifyYAML(diskConfig));
 }
 const tcContextConfigSchema = z.object({
 	username: z.string().optional(),
@@ -127,12 +293,12 @@ function validateUUID(value, source) {
 * @param opts - Workspace and profile options
 * @returns Resolved workspace ID
 */
-function loadWorkspaceId(opts) {
+async function loadWorkspaceId(opts) {
 	if (opts?.workspaceId) return validateUUID(opts.workspaceId, "--workspace-id option");
 	if (process.env.TAILOR_PLATFORM_WORKSPACE_ID) return validateUUID(process.env.TAILOR_PLATFORM_WORKSPACE_ID, "TAILOR_PLATFORM_WORKSPACE_ID environment variable");
 	const profile = opts?.profile || process.env.TAILOR_PLATFORM_PROFILE;
 	if (profile) {
-		const wsId = readPlatformConfig().profiles[profile]?.workspace_id;
+		const wsId = (await readPlatformConfig()).profiles[profile]?.workspace_id;
 		if (!wsId) throw new Error(`Profile "${profile}" not found`);
 		return validateUUID(wsId, `profile "${profile}"`);
 	}
@@ -154,7 +320,7 @@ async function loadAccessToken(opts) {
 		logger.warn("TAILOR_TOKEN is deprecated. Please use TAILOR_PLATFORM_TOKEN instead.");
 		return process.env.TAILOR_TOKEN;
 	}
-	const pfConfig = readPlatformConfig();
+	const pfConfig = await readPlatformConfig();
 	let user;
 	const profile = opts?.useProfile ? opts.profile || process.env.TAILOR_PLATFORM_PROFILE : void 0;
 	if (profile) {
@@ -172,19 +338,71 @@ async function loadAccessToken(opts) {
 	return await fetchLatestToken(pfConfig, user);
 }
 /**
+* Resolve the actual token values for a user, reading from keyring or config as appropriate.
+* @param userEntry - User entry from the config
+* @param user - User identifier
+* @returns Access token and optional refresh token
+*/
+async function resolveTokens(userEntry, user) {
+	if (userEntry.storage === "keyring") {
+		const tokens = await loadKeyringTokens(user);
+		if (!tokens) throw new Error(ml`
+        Credentials not found in OS keyring for "${user}".
+        Please run 'tailor-sdk login' and try again.
+      `);
+		return tokens;
+	}
+	return {
+		accessToken: userEntry.access_token,
+		refreshToken: userEntry.refresh_token
+	};
+}
+/**
+* Save tokens for a user, writing to keyring or config as appropriate.
+* @param config - Platform config
+* @param user - User identifier
+* @param tokens - Token data to save
+* @param tokens.accessToken
+* @param tokens.refreshToken
+* @param expiresAt - Token expiration date
+*/
+async function saveUserTokens(config, user, tokens, expiresAt) {
+	if (process.env.TAILOR_USE_KEYRING && await isKeyringAvailable()) {
+		await saveKeyringTokens(user, tokens);
+		config.users[user] = {
+			token_expires_at: expiresAt,
+			storage: "keyring"
+		};
+	} else config.users[user] = {
+		access_token: tokens.accessToken,
+		refresh_token: tokens.refreshToken,
+		token_expires_at: expiresAt,
+		storage: "file"
+	};
+}
+/**
+* Delete tokens for a user from keyring if applicable.
+* @param config - Platform config
+* @param user - User identifier
+*/
+async function deleteUserTokens(config, user) {
+	if (config.users[user]?.storage === "keyring") await deleteKeyringTokens(user);
+}
+/**
 * Fetch the latest access token, refreshing if necessary.
 * @param config - Platform config
 * @param user - User name
 * @returns Latest access token
 */
 async function fetchLatestToken(config, user) {
-	const tokens = config.users[user];
-	if (!tokens) throw new Error(ml`
+	const userEntry = config.users[user];
+	if (!userEntry) throw new Error(ml`
       User "${user}" not found.
       Please verify your user name and login using 'tailor-sdk login' command.
     `);
-	if (new Date(tokens.token_expires_at) > /* @__PURE__ */ new Date()) return tokens.access_token;
-	if (!tokens.refresh_token) throw new Error(ml`
+	const tokens = await resolveTokens(userEntry, user);
+	if (new Date(userEntry.token_expires_at) > /* @__PURE__ */ new Date()) return tokens.accessToken;
+	if (!tokens.refreshToken) throw new Error(ml`
       Token expired.
       Please run 'tailor-sdk login' and try again.
     `);
@@ -192,9 +410,9 @@ async function fetchLatestToken(config, user) {
 	let resp;
 	try {
 		resp = await client.refreshToken({
-			accessToken: tokens.access_token,
-			refreshToken: tokens.refresh_token,
-			expiresAt: Date.parse(tokens.token_expires_at)
+			accessToken: tokens.accessToken,
+			refreshToken: tokens.refreshToken,
+			expiresAt: Date.parse(userEntry.token_expires_at)
 		});
 	} catch {
 		throw new Error(ml`
@@ -202,11 +420,11 @@ async function fetchLatestToken(config, user) {
       Please run 'tailor-sdk login' and try again.
     `);
 	}
-	config.users[user] = {
-		access_token: resp.accessToken,
-		refresh_token: resp.refreshToken,
-		token_expires_at: new Date(resp.expiresAt).toISOString()
-	};
+	const newExpiresAt = new Date(resp.expiresAt).toISOString();
+	await saveUserTokens(config, user, {
+		accessToken: resp.accessToken,
+		refreshToken: resp.refreshToken ?? void 0
+	}, newExpiresAt);
 	writePlatformConfig(config);
 	return resp.accessToken;
 }
@@ -324,32 +542,31 @@ function computeBundlerContextHash(params) {
 * When caching is active, attempts to restore from cache first,
 * and saves the build result (with collected dependencies) on a cache miss.
 * @param params - Cache and build parameters
+* @returns The bundled code string
 */
 async function withCache(params) {
-	const { cache, kind, name, sourceFile, outputPath, contextHash, build } = params;
-	if (!cache) {
-		await build([]);
-		return;
-	}
-	if (cache.tryRestore({
+	const { cache, kind, name, sourceFile, contextHash, build } = params;
+	if (!cache) return await build([]);
+	const content = cache.tryRestore({
 		kind,
 		name,
-		outputPath,
 		contextHash
-	})) {
+	});
+	if (content !== void 0) {
 		logger.debug(`  ${styles.dim("cached")}: ${name}`);
-		return;
+		return content;
 	}
 	const { plugin, getResult } = createDepCollectorPlugin();
-	await build([plugin]);
+	const code = await build([plugin]);
 	cache.save({
 		kind,
 		name,
 		sourceFile,
-		outputPath,
+		content: code,
 		dependencyPaths: getResult(),
 		contextHash
 	});
+	return code;
 }
 /**
 * Create a bundle cache backed by the given store.
@@ -360,37 +577,31 @@ function createBundleCache(store) {
 	function tryRestore(params) {
 		const cacheKey = buildCacheKey(params.kind, params.name);
 		const entry = store.getEntry(cacheKey);
-		if (!entry) return false;
+		if (!entry) return;
 		let currentHash;
 		try {
 			currentHash = combineHash(hashFiles(entry.dependencyPaths), params.contextHash);
 		} catch {
-			return false;
+			return;
 		}
-		if (currentHash !== entry.inputHash) return false;
-		return store.restoreBundleOutput(cacheKey, params.outputPath);
+		if (currentHash !== entry.inputHash) return;
+		return store.restoreBundleContent(cacheKey);
 	}
 	function save(params) {
-		const { kind, name, sourceFile, outputPath, dependencyPaths, contextHash } = params;
+		const { kind, name, sourceFile, content, dependencyPaths, contextHash } = params;
 		const cacheKey = buildCacheKey(kind, name);
 		const allDeps = dependencyPaths.includes(sourceFile) ? dependencyPaths : [sourceFile, ...dependencyPaths];
 		const inputHash = combineHash(hashFiles(allDeps), contextHash);
-		const contentHash = hashFile(outputPath);
-		store.storeBundleOutput(cacheKey, outputPath);
-		const outputFiles = [{
-			outputPath,
-			contentHash
-		}];
-		const mapPath = `${outputPath}.map`;
-		if (fs$1.existsSync(mapPath)) outputFiles.push({
-			outputPath: mapPath,
-			contentHash: hashFile(mapPath)
-		});
+		const contentHash = hashContent(content);
+		store.storeBundleContent(cacheKey, content);
 		store.setEntry(cacheKey, {
 			kind: "bundle",
 			inputHash,
 			dependencyPaths: allDeps,
-			outputFiles,
+			outputFiles: [{
+				outputPath: cacheKey,
+				contentHash
+			}],
 			createdAt: (/* @__PURE__ */ new Date()).toISOString()
 		});
 	}
@@ -1622,12 +1833,13 @@ function createTriggerTransformPlugin(triggerContext) {
 //#endregion
 //#region src/cli/services/auth/bundler.ts
 /**
-* Bundle a single auth hook handler into dist/auth-hooks/.
+* Bundle a single auth hook handler.
 *
 * Follows the same pattern as the executor bundler:
 * 1. Generate an entry file that re-exports the handler as `main`
 * 2. Bundle with rolldown + tree-shaking
 * @param options - Bundle options
+* @returns Map of function name to bundled code
 */
 async function bundleAuthHooks(options) {
 	const { configPath, authName, handlerAccessPath, triggerContext, cache, inlineSourcemap } = options;
@@ -1643,14 +1855,12 @@ async function bundleAuthHooks(options) {
 		tsconfig = void 0;
 	}
 	const functionName = `auth-hook--${authName}--before-login`;
-	const outputPath = path.join(outputDir, `${functionName}.js`);
 	const absoluteConfigPath = path.resolve(configPath);
-	await withCache({
+	const code = await withCache({
 		cache,
 		kind: "auth-hook",
 		name: functionName,
 		sourceFile: absoluteConfigPath,
-		outputPath,
 		contextHash: computeBundlerContextHash({
 			sourceFile: absoluteConfigPath,
 			serializedTriggerContext: serializeTriggerContext(triggerContext),
@@ -1668,10 +1878,10 @@ async function bundleAuthHooks(options) {
 			const triggerPlugin = createTriggerTransformPlugin(triggerContext);
 			const plugins = triggerPlugin ? [triggerPlugin] : [];
 			plugins.push(...cachePlugins);
-			await rolldown.build(rolldown.defineConfig({
+			return (await rolldown.build({
 				input: entryPath,
+				write: false,
 				output: {
-					file: outputPath,
 					format: "esm",
 					sourcemap: inlineSourcemap ? "inline" : true,
 					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
@@ -1685,10 +1895,13 @@ async function bundleAuthHooks(options) {
 					unknownGlobalSideEffects: false
 				},
 				logLevel: "silent"
-			}));
+			})).output[0].code;
 		}
 	});
 	logger.log(`${styles.success("Bundled")} auth hook for ${styles.info(`"${authName}"`)}`);
+	const bundledCode = /* @__PURE__ */ new Map();
+	bundledCode.set(functionName, code);
+	return bundledCode;
 }
 
 //#endregion
@@ -2692,12 +2905,11 @@ async function bundleScriptTarget(args) {
   ${kind}: ${fnSource}`);
 	const entryContent = buildMinimalEntryFromResolved(imports, declarations, fnSource, sourceFilePath);
 	const entryPath = join(tempDir, `tailordb-script-${targetIndex}.entry.ts`);
-	const outputPath = join(tempDir, `tailordb-script-${targetIndex}.bundle.cjs`);
 	writeFileSync(entryPath, entryContent);
-	await rolldown.build(rolldown.defineConfig({
+	const bundledCode = (await rolldown.build({
 		input: entryPath,
+		write: false,
 		output: {
-			file: outputPath,
 			format: "cjs",
 			sourcemap: false,
 			minify: true,
@@ -2710,8 +2922,8 @@ async function bundleScriptTarget(args) {
 			unknownGlobalSideEffects: false
 		},
 		logLevel: "silent"
-	}));
-	return buildPrecompiledExpr(readFileSync(outputPath, "utf-8"));
+	})).output[0].code;
+	return buildPrecompiledExpr(bundledCode);
 }
 /**
 * Precompile TailorDB hooks/validators into self-contained script expressions using rolldown.
@@ -3322,14 +3534,15 @@ async function loadExecutor(executorFilePath) {
 * 1. Creates entry file that extracts operation.body
 * 2. Bundles in a single step with tree-shaking
 * @param options - Bundle executor options
-* @returns Promise that resolves when bundling completes
+* @returns Map of executor name to bundled code
 */
 async function bundleExecutors(options) {
+	const bundledCode = /* @__PURE__ */ new Map();
 	const { config, triggerContext, additionalFiles = [], cache, inlineSourcemap } = options;
 	const files = [...loadFilesWithIgnores(config), ...additionalFiles];
 	if (files.length === 0) {
 		logger.warn(`No executor files found for patterns: ${config.files?.join(", ") ?? "(none)"}`);
-		return;
+		return bundledCode;
 	}
 	logger.newline();
 	logger.log(`Bundling ${styles.highlight(files.length.toString())} files for ${styles.info("\"executor\"")}`);
@@ -3351,7 +3564,7 @@ async function bundleExecutors(options) {
 	}
 	if (executors.length === 0) {
 		logger.debug("  No function executors to bundle");
-		return;
+		return bundledCode;
 	}
 	const outputDir = path.resolve(getDistDir(), "executors");
 	fs$1.mkdirSync(outputDir, { recursive: true });
@@ -3362,11 +3575,12 @@ async function bundleExecutors(options) {
 	} catch {
 		tsconfig = void 0;
 	}
-	await Promise.all(executors.map((executor) => bundleSingleExecutor(executor, outputDir, tsconfig, triggerContext, cache, inlineSourcemap)));
+	const results = await Promise.all(executors.map((executor) => bundleSingleExecutor(executor, outputDir, tsconfig, triggerContext, cache, inlineSourcemap)));
+	for (const [name, code] of results) bundledCode.set(name, code);
 	logger.log(`${styles.success("Bundled")} ${styles.info("\"executor\"")}`);
+	return bundledCode;
 }
 async function bundleSingleExecutor(executor, outputDir, tsconfig, triggerContext, cache, inlineSourcemap) {
-	const outputPath = path.join(outputDir, `${executor.name}.js`);
 	const serializedTriggerContext = serializeTriggerContext(triggerContext);
 	const contextHash = computeBundlerContextHash({
 		sourceFile: executor.sourceFile,
@@ -3374,12 +3588,11 @@ async function bundleSingleExecutor(executor, outputDir, tsconfig, triggerContex
 		tsconfig,
 		inlineSourcemap
 	});
-	await withCache({
+	const code = await withCache({
 		cache,
 		kind: "executor",
 		name: executor.name,
 		sourceFile: executor.sourceFile,
-		outputPath,
 		contextHash,
 		async build(cachePlugins) {
 			const entryPath = path.join(outputDir, `${executor.name}.entry.js`);
@@ -3394,10 +3607,10 @@ async function bundleSingleExecutor(executor, outputDir, tsconfig, triggerContex
 			const triggerPlugin = createTriggerTransformPlugin(triggerContext);
 			const plugins = triggerPlugin ? [triggerPlugin] : [];
 			plugins.push(...cachePlugins);
-			await rolldown.build(rolldown.defineConfig({
+			return (await rolldown.build({
 				input: entryPath,
+				write: false,
 				output: {
-					file: outputPath,
 					format: "esm",
 					sourcemap: inlineSourcemap ? "inline" : true,
 					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
@@ -3411,9 +3624,10 @@ async function bundleSingleExecutor(executor, outputDir, tsconfig, triggerContex
 					unknownGlobalSideEffects: false
 				},
 				logLevel: "silent"
-			}));
+			})).output[0].code;
 		}
 	});
+	return [executor.name, code];
 }
 
 //#endregion
@@ -3509,13 +3723,14 @@ async function loadResolver(resolverFilePath) {
 * @param triggerContext - Trigger context for workflow/job transformations
 * @param cache - Optional bundle cache for skipping unchanged builds
 * @param inlineSourcemap - Whether to enable inline sourcemaps
-* @returns Promise that resolves when bundling completes
+* @returns Map of resolver name to bundled code
 */
 async function bundleResolvers(namespace, config, triggerContext, cache, inlineSourcemap) {
+	const bundledCode = /* @__PURE__ */ new Map();
 	const files = loadFilesWithIgnores(config);
 	if (files.length === 0) {
 		logger.warn(`No resolver files found for patterns: ${config.files?.join(", ") ?? "(none)"}`);
-		return;
+		return bundledCode;
 	}
 	logger.newline();
 	logger.log(`Bundling ${styles.highlight(files.length.toString())} files for ${styles.info(`"${namespace}"`)}`);
@@ -3540,11 +3755,12 @@ async function bundleResolvers(namespace, config, triggerContext, cache, inlineS
 	} catch {
 		tsconfig = void 0;
 	}
-	await Promise.all(resolvers.map((resolver) => bundleSingleResolver(resolver, outputDir, tsconfig, triggerContext, cache, inlineSourcemap)));
+	const results = await Promise.all(resolvers.map((resolver) => bundleSingleResolver(resolver, outputDir, tsconfig, triggerContext, cache, inlineSourcemap)));
+	for (const [name, code] of results) bundledCode.set(name, code);
 	logger.log(`${styles.success("Bundled")} ${styles.info(`"${namespace}"`)}`);
+	return bundledCode;
 }
 async function bundleSingleResolver(resolver, outputDir, tsconfig, triggerContext, cache, inlineSourcemap) {
-	const outputPath = path.join(outputDir, `${resolver.name}.js`);
 	const serializedTriggerContext = serializeTriggerContext(triggerContext);
 	const contextHash = computeBundlerContextHash({
 		sourceFile: resolver.sourceFile,
@@ -3552,12 +3768,11 @@ async function bundleSingleResolver(resolver, outputDir, tsconfig, triggerContex
 		tsconfig,
 		inlineSourcemap
 	});
-	await withCache({
+	const code = await withCache({
 		cache,
 		kind: "resolver",
 		name: resolver.name,
 		sourceFile: resolver.sourceFile,
-		outputPath,
 		contextHash,
 		async build(cachePlugins) {
 			const entryPath = path.join(outputDir, `${resolver.name}.entry.js`);
@@ -3593,10 +3808,10 @@ async function bundleSingleResolver(resolver, outputDir, tsconfig, triggerContex
 			const triggerPlugin = createTriggerTransformPlugin(triggerContext);
 			const plugins = triggerPlugin ? [triggerPlugin] : [];
 			plugins.push(...cachePlugins);
-			await rolldown.build(rolldown.defineConfig({
+			return (await rolldown.build({
 				input: entryPath,
+				write: false,
 				output: {
-					file: outputPath,
 					format: "esm",
 					sourcemap: inlineSourcemap ? "inline" : true,
 					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
@@ -3610,9 +3825,10 @@ async function bundleSingleResolver(resolver, outputDir, tsconfig, triggerContex
 					unknownGlobalSideEffects: false
 				},
 				logLevel: "silent"
-			}));
+			})).output[0].code;
 		}
 	});
+	return [resolver.name, code];
 }
 
 //#endregion
@@ -3833,7 +4049,10 @@ function transformWorkflowSource(source, targetJobName, targetJobExportName, oth
 async function bundleWorkflowJobs(allJobs, mainJobNames, env = {}, triggerContext, cache, inlineSourcemap) {
 	if (allJobs.length === 0) {
 		logger.warn("No workflow jobs to bundle");
-		return { mainJobDeps: {} };
+		return {
+			mainJobDeps: {},
+			bundledCode: /* @__PURE__ */ new Map()
+		};
 	}
 	const { usedJobs, mainJobDeps } = await filterUsedJobs(allJobs, mainJobNames);
 	logger.newline();
@@ -3850,9 +4069,14 @@ async function bundleWorkflowJobs(allJobs, mainJobNames, env = {}, triggerContex
 	} catch {
 		tsconfig = void 0;
 	}
-	await Promise.all(usedJobs.map((job) => bundleSingleJob(job, usedJobs, outputDir, tsconfig, env, triggerContext, cache, inlineSourcemap)));
+	const results = await Promise.all(usedJobs.map((job) => bundleSingleJob(job, usedJobs, outputDir, tsconfig, env, triggerContext, cache, inlineSourcemap)));
+	const bundledCode = /* @__PURE__ */ new Map();
+	for (const [name, code] of results) bundledCode.set(name, code);
 	logger.log(`${styles.success("Bundled")} ${styles.info("\"workflow-job\"")}`);
-	return { mainJobDeps };
+	return {
+		mainJobDeps,
+		bundledCode
+	};
 }
 /**
 * Filter jobs to only include those that are actually used.
@@ -3927,7 +4151,6 @@ async function filterUsedJobs(allJobs, mainJobNames) {
 	};
 }
 async function bundleSingleJob(job, allJobs, outputDir, tsconfig, env, triggerContext, cache, inlineSourcemap) {
-	const outputPath = path.join(outputDir, `${job.name}.js`);
 	const serializedTriggerContext = serializeTriggerContext(triggerContext);
 	const sortedEnvPrefix = JSON.stringify(Object.fromEntries(Object.entries(env).sort(([a], [b]) => a.localeCompare(b))));
 	const contextHash = computeBundlerContextHash({
@@ -3937,12 +4160,11 @@ async function bundleSingleJob(job, allJobs, outputDir, tsconfig, env, triggerCo
 		inlineSourcemap,
 		prefix: sortedEnvPrefix
 	});
-	await withCache({
+	const code = await withCache({
 		cache,
 		kind: "workflow-job",
 		name: job.name,
 		sourceFile: job.sourceFile,
-		outputPath,
 		contextHash,
 		async build(cachePlugins) {
 			const entryPath = path.join(outputDir, `${job.name}.entry.js`);
@@ -3971,10 +4193,10 @@ async function bundleSingleJob(job, allJobs, outputDir, tsconfig, env, triggerCo
 					}
 				}
 			}, ...cachePlugins];
-			await rolldown.build(rolldown.defineConfig({
+			return (await rolldown.build({
 				input: entryPath,
+				write: false,
 				output: {
-					file: outputPath,
 					format: "esm",
 					sourcemap: inlineSourcemap ? "inline" : true,
 					minify: inlineSourcemap ? { mangle: { keepNames: true } } : true,
@@ -3988,9 +4210,10 @@ async function bundleSingleJob(job, allJobs, outputDir, tsconfig, env, triggerCo
 					unknownGlobalSideEffects: false
 				},
 				logLevel: "silent"
-			}));
+			})).output[0].code;
 		}
 	});
+	return [job.name, code];
 }
 
 //#endregion
@@ -4652,8 +4875,17 @@ async function loadApplication(params) {
 	if (workflowService) await workflowService.loadWorkflows();
 	const triggerContext = await buildTriggerContext(config.workflow);
 	const inlineSourcemap = resolveInlineSourcemap(config.inlineSourcemap);
-	for (const pipeline of resolverResult.resolverServices) await bundleResolvers(pipeline.namespace, pipeline.config, triggerContext, bundleCache, inlineSourcemap);
-	if (executorService) await bundleExecutors({
+	const bundledScripts = {
+		resolvers: /* @__PURE__ */ new Map(),
+		executors: /* @__PURE__ */ new Map(),
+		workflowJobs: /* @__PURE__ */ new Map(),
+		authHooks: /* @__PURE__ */ new Map()
+	};
+	for (const pipeline of resolverResult.resolverServices) {
+		const resolverBundles = await bundleResolvers(pipeline.namespace, pipeline.config, triggerContext, bundleCache, inlineSourcemap);
+		for (const [name, code] of resolverBundles) bundledScripts.resolvers.set(name, code);
+	}
+	if (executorService) bundledScripts.executors = await bundleExecutors({
 		config: executorService.config,
 		triggerContext,
 		additionalFiles: [...pluginExecutorFiles],
@@ -4664,10 +4896,11 @@ async function loadApplication(params) {
 	if (workflowService && workflowService.jobs.length > 0) {
 		const mainJobNames = workflowService.workflowSources.map((ws) => ws.workflow.mainJob.name);
 		workflowBuildResult = await bundleWorkflowJobs(workflowService.jobs, mainJobNames, config.env ?? {}, triggerContext, bundleCache, inlineSourcemap);
+		bundledScripts.workflowJobs = workflowBuildResult.bundledCode;
 	}
 	if (authResult.authService?.config.hooks?.beforeLogin) {
 		const authName = authResult.authService.config.name;
-		await bundleAuthHooks({
+		bundledScripts.authHooks = await bundleAuthHooks({
 			configPath: config.path,
 			authName,
 			handlerAccessPath: `auth.hooks.beforeLogin.handler`,
@@ -4696,10 +4929,11 @@ async function loadApplication(params) {
 			secrets,
 			env: config.env ?? {}
 		}),
-		workflowBuildResult
+		workflowBuildResult,
+		bundledScripts
 	};
 }
 
 //#endregion
-export { writePlatformConfig as S, hashFile as _, loadConfig as a, loadWorkspaceId as b, ExecutorSchema as c, TailorDBTypeSchema as d, stringifyFunction as f, getDistDir as g, createBundleCache as h, resolveInlineSourcemap as i, OAuth2ClientSchema as l, loadFilesWithIgnores as m, generatePluginFilesIfNeeded as n, WorkflowJobSchema as o, tailorUserMap as p, loadApplication as r, createExecutorService as s, defineApplication as t, ResolverSchema as u, fetchLatestToken as v, readPlatformConfig as x, loadAccessToken as y };
-//# sourceMappingURL=application-Clwpv84E.mjs.map
+export { resolveTokens as C, readPlatformConfig as S, writePlatformConfig as T, hashFile as _, loadConfig as a, loadAccessToken as b, ExecutorSchema as c, TailorDBTypeSchema as d, stringifyFunction as f, getDistDir as g, createBundleCache as h, resolveInlineSourcemap as i, OAuth2ClientSchema as l, loadFilesWithIgnores as m, generatePluginFilesIfNeeded as n, WorkflowJobSchema as o, tailorUserMap as p, loadApplication as r, createExecutorService as s, defineApplication as t, ResolverSchema as u, deleteUserTokens as v, saveUserTokens as w, loadWorkspaceId as x, fetchLatestToken as y };
+//# sourceMappingURL=application-CASjzt3W.mjs.map