@tailor-platform/sdk 1.32.1 → 1.33.1

package/dist/{runtime-7DOyTTxR.mjs → runtime-CDvdBV66.mjs}

@@ -1,10 +1,10 @@
 
-import { t as db } from "./schema-BITbkmq3.mjs";
+import { A as ExecutorTriggerType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_GrantType, G as Condition_Operator, H as UserProfileProviderConfig_UserProfileProviderType, I as AuthSCIMAttribute_Mutability, J as ApplicationSchemaUpdateAttemptStatus, K as FilterSchema, L as AuthSCIMAttribute_Type, M as AuthIDPConfig_AuthType, N as AuthInvokerSchema, O as ExecutorJobStatus, P as AuthOAuth2Client_ClientType, R as AuthSCIMAttribute_Uniqueness, S as TailorDBType_Permission_Permit, T as IdPLang, U as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, V as TenantProviderConfig_TenantProviderType, W as ConditionSchema, Y as Subgraph_ServiceType, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthHookPoint, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as PageDirection, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMConfig_AuthorizationType } from "./client-CYGsf3Zl.mjs";
+import { t as db } from "./schema-D27cW0Ca.mjs";
 import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-qz-Y4sBV.mjs";
-import { A as ExecutorTriggerType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_GrantType, G as Condition_Operator, H as UserProfileProviderConfig_UserProfileProviderType, I as AuthSCIMAttribute_Mutability, J as ApplicationSchemaUpdateAttemptStatus, K as FilterSchema, L as AuthSCIMAttribute_Type, M as AuthIDPConfig_AuthType, N as AuthInvokerSchema, O as ExecutorJobStatus, P as AuthOAuth2Client_ClientType, R as AuthSCIMAttribute_Uniqueness, S as TailorDBType_Permission_Permit, T as IdPLang, U as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, V as TenantProviderConfig_TenantProviderType, W as ConditionSchema, Y as Subgraph_ServiceType, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthHookPoint, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as PageDirection, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMConfig_AuthorizationType } from "./client-D5P1myz0.mjs";
-import { t as readPackageJson } from "./package-json-VqyFvGiP.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, l as OAuth2ClientSchema, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, s as createExecutorService, t as defineApplication, x as loadWorkspaceId } from "./application-p2GujXmg.mjs";
-import { r as withSpan } from "./telemetry-B4sp-dD2.mjs";
+import { t as readPackageJson } from "./package-json-CfUqjJaQ.mjs";
+import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-CYPU-WIc.mjs";
+import { r as withSpan } from "./telemetry-CREcGK8y.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
@@ -891,6 +891,7 @@ function createChangeSet(title) {
 	const updates = [];
 	const deletes = [];
 	const replaces = [];
+	const unchanged = [];
 	const isEmpty = () => creates.length === 0 && updates.length === 0 && deletes.length === 0 && replaces.length === 0;
 	return {
 		title,
@@ -898,6 +899,7 @@ function createChangeSet(title) {
 		updates,
 		deletes,
 		replaces,
+		unchanged,
 		isEmpty,
 		print: () => {
 			if (isEmpty()) return;
@@ -909,6 +911,83 @@ function createChangeSet(title) {
 		}
 	};
 }
+/**
+* Summarize resource counts across multiple change sets.
+* @param changeSets - Change sets to aggregate
+* @returns Aggregated plan counts by action
+*/
+function summarizeChangeSets(changeSets) {
+	const summary = {
+		create: 0,
+		update: 0,
+		delete: 0,
+		replace: 0,
+		unchanged: 0
+	};
+	for (const changeSet of changeSets) {
+		summary.create += changeSet.creates.length;
+		summary.update += changeSet.updates.length;
+		summary.delete += changeSet.deletes.length;
+		summary.replace += changeSet.replaces.length;
+		summary.unchanged += changeSet.unchanged.length;
+	}
+	return summary;
+}
+/**
+* Format an aggregated plan summary for CLI output.
+* @param summary - Aggregated plan counts
+* @returns Human-readable plan summary line
+*/
+function formatPlanSummary(summary) {
+	const parts = [
+		`${summary.create} to create`,
+		`${summary.update} to update`,
+		`${summary.delete} to delete`
+	];
+	if (summary.replace > 0) parts.push(`${summary.replace} to replace`);
+	parts.push(`${summary.unchanged} unchanged`);
+	return `Plan: ${parts.join(", ")}`;
+}
+
+//#endregion
+//#region src/cli/commands/apply/compare.ts
+/**
+* Stable JSON-like serialization that sorts object keys and ignores proto runtime metadata.
+* @param value - Value to serialize
+* @returns Stable serialized string
+*/
+function stableStringify(value) {
+	if (Array.isArray(value)) return `[${value.map((item) => item === void 0 ? "null" : stableStringify(item)).join(",")}]`;
+	if (value && typeof value === "object") return `{${Object.entries(value).filter(([key, entryValue]) => key !== "$typeName" && entryValue !== void 0).sort(([left], [right]) => left.localeCompare(right)).map(([key, entryValue]) => `${JSON.stringify(key)}:${stableStringify(entryValue)}`).join(",")}}`;
+	if (typeof value === "bigint") return JSON.stringify(value.toString());
+	return JSON.stringify(value);
+}
+/**
+* Normalize a proto-ish object into a plain JSON-compatible structure for comparison.
+* @param value - Value to normalize
+* @returns Normalized value
+*/
+function normalizeProtoConfig(value) {
+	if (value === void 0 || value === null) return value;
+	return JSON.parse(stableStringify(value));
+}
+/**
+* Sort a string array for order-insensitive comparison.
+* @param values - Values to sort
+* @returns Sorted values
+*/
+function normalizeStringArray(values) {
+	return [...values ?? []].sort();
+}
+/**
+* Compare two values after proto normalization.
+* @param left - Left value
+* @param right - Right value
+* @returns True when normalized values are equal
+*/
+function areNormalizedEqual(left, right) {
+	return stableStringify(normalizeProtoConfig(left)) === stableStringify(normalizeProtoConfig(right));
+}
 
 //#endregion
 //#region src/cli/commands/apply/label.ts
@@ -921,6 +1000,16 @@ function trnPrefix(workspaceId) {
 	return `trn:v1:workspace:${workspaceId}`;
 }
 const sdkNameLabelKey = "sdk-name";
+const sdkVersionLabelKey = "sdk-version";
+/**
+* Check whether existing metadata was produced by the current SDK version.
+* @param existingLabels - Labels currently stored on the remote resource
+* @param desiredLabels - Labels that will be written by the current apply run
+* @returns True when sdk-version matches
+*/
+function hasMatchingSdkVersion(existingLabels, desiredLabels) {
+	return existingLabels?.[sdkVersionLabelKey] === desiredLabels?.[sdkVersionLabelKey];
+}
 /**
 * Build metadata request with SDK labels.
 * @param trn - Target TRN
@@ -936,7 +1025,7 @@ async function buildMetaRequest(trn, appName, existingLabels) {
 		labels: {
 			...existingLabels ?? {},
 			[sdkNameLabelKey]: appName,
-			"sdk-version": sdkVersion
+			[sdkVersionLabelKey]: sdkVersion
 		}
 	};
 }
@@ -967,6 +1056,54 @@ async function applyApplication(client, changeSet, phase = "create-update") {
 function trn$6(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:application:${name}`;
 }
+function sortStrings(values) {
+	return [...values ?? []].sort();
+}
+function normalizeSubgraphs(subgraphs) {
+	return [...subgraphs ?? []].map((subgraph) => ({
+		serviceType: subgraph.serviceType,
+		serviceNamespace: subgraph.serviceNamespace ?? ""
+	})).sort((left, right) => {
+		if (left.serviceType !== right.serviceType) return left.serviceType - right.serviceType;
+		return left.serviceNamespace.localeCompare(right.serviceNamespace);
+	});
+}
+function toComparableApplication(input) {
+	return {
+		authNamespace: input.authNamespace,
+		authIdpConfigName: input.authIdpConfigName,
+		cors: sortStrings(input.cors),
+		subgraphs: [...input.subgraphs],
+		allowedIpAddresses: sortStrings(input.allowedIpAddresses),
+		disableIntrospection: input.disableIntrospection,
+		disabled: input.disabled
+	};
+}
+function normalizeComparableApplication(application, authNamespace, authIdpConfigName, cors) {
+	return toComparableApplication({
+		authNamespace: authNamespace ?? "",
+		authIdpConfigName: authIdpConfigName ?? "",
+		cors,
+		subgraphs: normalizeSubgraphs(application.subgraphs.map((subgraph) => protoSubgraph(subgraph))),
+		allowedIpAddresses: application.config.allowedIpAddresses ?? [],
+		disableIntrospection: application.config.disableIntrospection ?? false,
+		disabled: false
+	});
+}
+function normalizeComparableExistingApplication(app) {
+	return toComparableApplication({
+		authNamespace: app.authNamespace,
+		authIdpConfigName: app.authIdpConfigName,
+		cors: app.cors,
+		subgraphs: normalizeSubgraphs(app.subgraphs),
+		allowedIpAddresses: app.allowedIpAddresses,
+		disableIntrospection: app.disableIntrospection,
+		disabled: app.disabled
+	});
+}
+function areApplicationsEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableExistingApplication(existing), desired);
+}
 /**
 * Plan application changes based on current and desired state.
 * @param context - Planning context
@@ -1028,32 +1165,30 @@ async function planApplication(context) {
 		if (idpConfigs.length > 0) authIdpConfigName = idpConfigs[0].name;
 	}
 	const metaRequest = await buildMetaRequest(trn$6(workspaceId, application.name), application.name);
-	if (existingApplications.some((app) => app.name === application.name)) changeSet.updates.push({
-		name: application.name,
-		request: {
-			workspaceId,
-			applicationName: application.name,
-			authNamespace,
-			authIdpConfigName,
-			cors: application.config.cors,
-			subgraphs: application.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
-			allowedIpAddresses: application.config.allowedIpAddresses,
-			disableIntrospection: application.config.disableIntrospection
-		},
-		metaRequest
-	});
-	else changeSet.creates.push({
+	const resolvedCors = await resolveStaticWebsiteUrls(client, workspaceId, application.config.cors, "CORS");
+	const desired = normalizeComparableApplication(application, authNamespace, authIdpConfigName, resolvedCors);
+	const request = {
+		workspaceId,
+		applicationName: application.name,
+		authNamespace,
+		authIdpConfigName,
+		cors: application.config.cors,
+		subgraphs: application.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
+		allowedIpAddresses: application.config.allowedIpAddresses,
+		disableIntrospection: application.config.disableIntrospection
+	};
+	const existing = existingApplications.find((app) => app.name === application.name);
+	if (existing) {
+		const { metadata } = await client.getMetadata({ trn: trn$6(workspaceId, application.name) });
+		if (metadata?.labels?.["sdk-name"] === application.name && hasMatchingSdkVersion(metadata?.labels, metaRequest.labels) && areApplicationsEqual(existing, desired)) changeSet.unchanged.push({ name: application.name });
+		else changeSet.updates.push({
+			name: application.name,
+			request,
+			metaRequest
+		});
+	} else changeSet.creates.push({
 		name: application.name,
-		request: {
-			workspaceId,
-			applicationName: application.name,
-			authNamespace,
-			authIdpConfigName,
-			cors: application.config.cors,
-			subgraphs: application.subgraphs.map((subgraph) => protoSubgraph(subgraph)),
-			allowedIpAddresses: application.config.allowedIpAddresses,
-			disableIntrospection: application.config.disableIntrospection
-		},
+		request,
 		metaRequest
 	});
 	changeSet.print();
@@ -1093,7 +1228,7 @@ const CHUNK_SIZE = 64 * 1024;
 function computeContentHash(content) {
 	return crypto.createHash("sha256").update(content, "utf-8").digest("hex");
 }
-function functionRegistryTrn(workspaceId, name) {
+function functionRegistryTrn$1(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
 }
 /**
@@ -1199,6 +1334,16 @@ function collectFunctionEntries(application, workflowJobs, bundledScripts) {
 	return entries;
 }
 /**
+* Filter collected workflow jobs down to the ones actually bundled.
+* @param jobs - All collected workflow jobs
+* @param usedJobNames - Job names that were bundled
+* @returns Bundled workflow jobs only
+*/
+function filterBundledWorkflowJobs(jobs, usedJobNames) {
+	const used = new Set(usedJobNames);
+	return jobs.filter((job) => used.has(job.name));
+}
+/**
 * Plan function registry changes based on current and desired state.
 * @param client - Operator client instance
 * @param workspaceId - Workspace ID
@@ -1229,16 +1374,18 @@ async function planFunctionRegistry(client, workspaceId, appName, entries) {
 	});
 	const existingMap = {};
 	await Promise.all(existingFunctions.map(async (func) => {
-		const { metadata } = await client.getMetadata({ trn: functionRegistryTrn(workspaceId, func.name) });
+		const { metadata } = await client.getMetadata({ trn: functionRegistryTrn$1(workspaceId, func.name) });
 		existingMap[func.name] = {
 			resource: func,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	for (const entry of entries) {
 		const existing = existingMap[entry.name];
-		const metaRequest = await buildMetaRequest(functionRegistryTrn(workspaceId, entry.name), appName);
+		const metaRequest = await buildMetaRequest(functionRegistryTrn$1(workspaceId, entry.name), appName);
 		if (existing) {
+			const isManagedByApp = existing.label === appName;
 			if (!existing.label) unmanaged.push({
 				resourceType: "Function registry",
 				resourceName: entry.name
@@ -1248,7 +1395,8 @@ async function planFunctionRegistry(client, workspaceId, appName, entries) {
 				resourceName: entry.name,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (existing.resource.contentHash === entry.contentHash && isManagedByApp && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) changeSet.unchanged.push({ name: entry.name });
+			else changeSet.updates.push({
 				name: entry.name,
 				entry,
 				metaRequest
@@ -1435,10 +1583,10 @@ async function applyIdP(client, result, phase = "create-update") {
 * @returns Planned changes and metadata
 */
 async function planIdP(context) {
-	const { client, workspaceId, application, forRemoval } = context;
+	const { client, workspaceId, application, forRemoval, forceApplyAll = false } = context;
 	const idps = forRemoval ? [] : application.idpServices;
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps);
-	const clientChangeSet = await planClients(client, workspaceId, idps, serviceChangeSet.deletes.map((del) => del.name));
+	const clientChangeSet = await planClients(client, workspaceId, idps, serviceChangeSet.deletes.map((del) => del.name), forceApplyAll);
 	serviceChangeSet.print();
 	clientChangeSet.print();
 	return {
@@ -1454,6 +1602,57 @@ async function planIdP(context) {
 function trn$5(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:idp:${name}`;
 }
+function normalizeComparableUserAuthPolicy(policy) {
+	return {
+		useNonEmailIdentifier: policy?.useNonEmailIdentifier ?? false,
+		allowSelfPasswordReset: policy?.allowSelfPasswordReset ?? false,
+		passwordRequireUppercase: policy?.passwordRequireUppercase ?? false,
+		passwordRequireLowercase: policy?.passwordRequireLowercase ?? false,
+		passwordRequireNonAlphanumeric: policy?.passwordRequireNonAlphanumeric ?? false,
+		passwordRequireNumeric: policy?.passwordRequireNumeric ?? false,
+		passwordMinLength: policy?.passwordMinLength ?? 0,
+		passwordMaxLength: policy?.passwordMaxLength ?? 0,
+		allowedEmailDomains: [...policy?.allowedEmailDomains ?? []].sort(),
+		allowGoogleOauth: policy?.allowGoogleOauth ?? false,
+		disablePasswordAuth: policy?.disablePasswordAuth ?? false,
+		allowMicrosoftOauth: policy?.allowMicrosoftOauth ?? false
+	};
+}
+function normalizeComparableDisableGqlOperations(value) {
+	return {
+		create: value?.create ?? false,
+		update: value?.update ?? false,
+		delete: value?.delete ?? false,
+		read: value?.read ?? false,
+		sendPasswordResetEmail: value?.sendPasswordResetEmail ?? false
+	};
+}
+function normalizeComparableEmailConfig(value) {
+	return {
+		fromName: value?.fromName ?? "",
+		passwordResetSubject: value?.passwordResetSubject ?? ""
+	};
+}
+function normalizeComparableIdPService(input) {
+	return {
+		authorization: input.authorization,
+		lang: input.lang === IdPLang.UNSPECIFIED ? IdPLang.EN : input.lang,
+		userAuthPolicy: input.userAuthPolicy,
+		publishUserEvents: input.publishUserEvents,
+		disableGqlOperations: input.disableGqlOperations,
+		emailConfig: input.emailConfig
+	};
+}
+function areIdPServicesEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableIdPService({
+		authorization: existing.authorization,
+		lang: existing.lang,
+		userAuthPolicy: normalizeComparableUserAuthPolicy(existing.userAuthPolicy),
+		publishUserEvents: existing.publishUserEvents,
+		disableGqlOperations: normalizeComparableDisableGqlOperations(existing.disableGqlOperations),
+		emailConfig: normalizeComparableEmailConfig(existing.emailConfig)
+	}), desired);
+}
 async function planServices$3(client, workspaceId, appName, idps) {
 	const changeSet = createChangeSet("IdP services");
 	const conflicts = [];
@@ -1478,7 +1677,8 @@ async function planServices$3(client, workspaceId, appName, idps) {
 		const { metadata } = await client.getMetadata({ trn: trn$5(workspaceId, resource.namespace.name) });
 		existingServices[resource.namespace.name] = {
 			resource,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	for (const idp of idps) {
@@ -1499,7 +1699,28 @@ async function planServices$3(client, workspaceId, appName, idps) {
 		}
 		const lang = convertLang(idp.lang);
 		const userAuthPolicy = idp.userAuthPolicy;
+		const publishUserEvents = idp.publishUserEvents ?? false;
+		const emailConfig = idp.emailConfig;
+		const desired = normalizeComparableIdPService({
+			authorization,
+			lang,
+			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicy),
+			publishUserEvents,
+			disableGqlOperations: normalizeComparableDisableGqlOperations(convertGqlOperationsToDisable(idp.gqlOperations)),
+			emailConfig: normalizeComparableEmailConfig(emailConfig)
+		});
+		const request = {
+			workspaceId,
+			namespaceName,
+			authorization,
+			lang,
+			userAuthPolicy,
+			publishUserEvents,
+			disableGqlOperations: convertGqlOperationsToDisable(idp.gqlOperations),
+			emailConfig
+		};
 		if (existing) {
+			const isManagedByApp = existing.label === appName;
 			if (!existing.label) unmanaged.push({
 				resourceType: "IdP service",
 				resourceName: idp.name
@@ -1509,31 +1730,16 @@ async function planServices$3(client, workspaceId, appName, idps) {
 				resourceName: idp.name,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (isManagedByApp && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areIdPServicesEqual(existing.resource, desired)) changeSet.unchanged.push({ name: namespaceName });
+			else changeSet.updates.push({
 				name: namespaceName,
-				request: {
-					workspaceId,
-					namespaceName,
-					authorization,
-					lang,
-					userAuthPolicy,
-					publishUserEvents: idp.publishUserEvents,
-					disableGqlOperations: convertGqlOperationsToDisable(idp.gqlOperations)
-				},
+				request,
 				metaRequest
 			});
 			delete existingServices[namespaceName];
 		} else changeSet.creates.push({
 			name: namespaceName,
-			request: {
-				workspaceId,
-				namespaceName,
-				authorization,
-				lang,
-				userAuthPolicy,
-				publishUserEvents: idp.publishUserEvents,
-				disableGqlOperations: convertGqlOperationsToDisable(idp.gqlOperations)
-			},
+			request,
 			metaRequest
 		});
 	}
@@ -1555,7 +1761,7 @@ async function planServices$3(client, workspaceId, appName, idps) {
 		resourceOwners
 	};
 }
-async function planClients(client, workspaceId, idps, deletedServices) {
+async function planClients(client, workspaceId, idps, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("IdP clients");
 	const fetchClients = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -1583,12 +1789,13 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 			existingNameMap.set(client.name, client.clientSecret);
 		});
 		for (const name of idp.clients) if (existingNameMap.has(name)) {
-			changeSet.updates.push({
+			if (forceApplyAll) changeSet.updates.push({
 				name,
 				workspaceId,
 				namespaceName,
-				clientSecret: existingNameMap.get(name)
+				clientSecret: existingNameMap.get(name) ?? ""
 			});
+			else changeSet.unchanged.push({ name });
 			existingNameMap.delete(name);
 		} else changeSet.creates.push({
 			name,
@@ -1598,7 +1805,7 @@ async function planClients(client, workspaceId, idps, deletedServices) {
 				client: { name }
 			}
 		});
-		existingNameMap.forEach((name) => {
+		existingNameMap.forEach((_clientSecret, name) => {
 			changeSet.deletes.push({
 				name,
 				request: {
@@ -1704,21 +1911,21 @@ async function applyAuth(client, result, phase = "create-update") {
 * @returns Planned auth changes and metadata
 */
 async function planAuth(context) {
-	const { client, workspaceId, application, forRemoval } = context;
+	const { client, workspaceId, application, forRemoval, forceApplyAll = false } = context;
 	const auths = [];
 	if (!forRemoval && application.authService) {
 		await application.authService.resolveNamespaces();
 		auths.push(application.authService);
 	}
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths, forceApplyAll);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet] = await Promise.all([
-		planIdPConfigs(client, workspaceId, auths, deletedServices),
-		planUserProfileConfigs(client, workspaceId, auths, deletedServices),
-		planTenantConfigs(client, workspaceId, auths, deletedServices),
-		planMachineUsers(client, workspaceId, auths, deletedServices),
-		planAuthHooks(client, workspaceId, auths, deletedServices),
-		planOAuth2Clients(client, workspaceId, auths, deletedServices),
+		planIdPConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
+		planUserProfileConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
+		planTenantConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
+		planMachineUsers(client, workspaceId, auths, deletedServices, forceApplyAll),
+		planAuthHooks(client, workspaceId, auths, deletedServices, forceApplyAll),
+		planOAuth2Clients(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planSCIMConfigs(client, workspaceId, auths, deletedServices),
 		planSCIMResources(client, workspaceId, auths, deletedServices)
 	]);
@@ -1751,7 +1958,7 @@ async function planAuth(context) {
 function trn$4(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:auth:${name}`;
 }
-async function planServices$2(client, workspaceId, appName, auths) {
+async function planServices$2(client, workspaceId, appName, auths, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -1782,7 +1989,13 @@ async function planServices$2(client, workspaceId, appName, auths) {
 		const { parsedConfig: config } = auth;
 		const existing = existingServices[config.name];
 		const metaRequest = await buildMetaRequest(trn$4(workspaceId, config.name), appName);
+		const request = {
+			workspaceId,
+			namespaceName: config.name,
+			publishSessionEvents: config.publishSessionEvents
+		};
 		if (existing) {
+			const isManagedByApp = existing.label === appName;
 			if (!existing.label) unmanaged.push({
 				resourceType: "Auth service",
 				resourceName: config.name
@@ -1792,23 +2005,16 @@ async function planServices$2(client, workspaceId, appName, auths) {
 				resourceName: config.name,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (!forceApplyAll && existing.resource.publishSessionEvents === (config.publishSessionEvents ?? false) && isManagedByApp) changeSet.unchanged.push({ name: config.name });
+			else changeSet.updates.push({
 				name: config.name,
-				request: {
-					workspaceId,
-					namespaceName: config.name,
-					publishSessionEvents: config.publishSessionEvents
-				},
+				request,
 				metaRequest
 			});
 			delete existingServices[config.name];
 		} else changeSet.creates.push({
 			name: config.name,
-			request: {
-				workspaceId,
-				namespaceName: config.name,
-				publishSessionEvents: config.publishSessionEvents
-			},
+			request,
 			metaRequest
 		});
 	}
@@ -1830,7 +2036,7 @@ async function planServices$2(client, workspaceId, appName, auths) {
 		resourceOwners
 	};
 }
-async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
+async function planIdPConfigs(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth idpConfigs");
 	const fetchIdPConfigs = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -1851,32 +2057,51 @@ async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 	for (const authService of auths) {
 		const { parsedConfig: config } = authService;
 		const existingIdPConfigs = await fetchIdPConfigs(config.name);
-		const existingNameSet = /* @__PURE__ */ new Set();
+		const existingMap = /* @__PURE__ */ new Map();
 		existingIdPConfigs.forEach((idpConfig) => {
-			existingNameSet.add(idpConfig.name);
+			existingMap.set(idpConfig.name, idpConfig);
 		});
 		const idpConfig = config.idProvider;
-		if (idpConfig) if (existingNameSet.has(idpConfig.name)) {
-			changeSet.updates.push({
+		if (idpConfig) {
+			const desired = protoIdPConfig(idpConfig);
+			const existing = existingMap.get(idpConfig.name);
+			if (existing) {
+				const desiredComparable = await protoIdPConfigForComparison(client, workspaceId, idpConfig, desired);
+				if (!desiredComparable) {
+					changeSet.updates.push({
+						name: idpConfig.name,
+						idpConfig,
+						request: {
+							workspaceId,
+							namespaceName: config.name,
+							idpConfig: desired
+						}
+					});
+					existingMap.delete(idpConfig.name);
+					continue;
+				}
+				if (!forceApplyAll && areAuthIdPConfigsEqual(existing, desiredComparable)) changeSet.unchanged.push({ name: idpConfig.name });
+				else changeSet.updates.push({
+					name: idpConfig.name,
+					idpConfig,
+					request: {
+						workspaceId,
+						namespaceName: config.name,
+						idpConfig: desired
+					}
+				});
+				existingMap.delete(idpConfig.name);
+			} else changeSet.creates.push({
 				name: idpConfig.name,
 				idpConfig,
 				request: {
 					workspaceId,
 					namespaceName: config.name,
-					idpConfig: protoIdPConfig(idpConfig)
+					idpConfig: desired
 				}
 			});
-			existingNameSet.delete(idpConfig.name);
-		} else changeSet.creates.push({
-			name: idpConfig.name,
-			idpConfig,
-			request: {
-				workspaceId,
-				namespaceName: config.name,
-				idpConfig: protoIdPConfig(idpConfig)
-			}
-		});
-		existingNameSet.forEach((name) => {
+		}
+		existingMap.forEach((_, name) => {
 			changeSet.deletes.push({
 				name,
 				request: {
@@ -1899,6 +2124,32 @@ async function planIdPConfigs(client, workspaceId, auths, deletedServices) {
 	});
 	return changeSet;
 }
+async function protoIdPConfigForComparison(client, workspaceId, idpConfig, desired) {
+	if (idpConfig.kind !== "BuiltInIdP") return desired;
+	const config = await tryProtoBuiltinIdPConfig(client, workspaceId, idpConfig);
+	return config ? {
+		...desired,
+		config
+	} : void 0;
+}
+function normalizeComparableAuthIdPConfig(idpConfig) {
+	const configCase = idpConfig.config?.config?.case;
+	const oidcValue = configCase === "oidc" && typeof idpConfig.config?.config?.value === "object" && idpConfig.config.config.value !== null ? idpConfig.config.config.value : void 0;
+	return normalizeProtoConfig({
+		name: idpConfig.name,
+		authType: idpConfig.authType,
+		config: configCase === "oidc" ? { config: {
+			case: "oidc",
+			value: {
+				...oidcValue ?? {},
+				issuerUrl: oidcValue && "issuerUrl" in oidcValue ? oidcValue.issuerUrl || void 0 : void 0
+			}
+		} } : idpConfig.config
+	});
+}
+function areAuthIdPConfigsEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableAuthIdPConfig(existing), normalizeComparableAuthIdPConfig(desired));
+}
 function protoIdPConfig(idpConfig) {
 	switch (idpConfig.kind) {
 		case "IDToken": return {
@@ -1951,6 +2202,11 @@ function protoIdPConfig(idpConfig) {
 	}
 }
 async function protoBuiltinIdPConfig(client, workspaceId, builtinIdPConfig) {
+	const config = await tryProtoBuiltinIdPConfig(client, workspaceId, builtinIdPConfig);
+	if (!config) throw new Error(`Built-in IdP "${builtinIdPConfig.namespace}" not found. Please ensure that idp is configured correctly.`);
+	return config;
+}
+async function tryProtoBuiltinIdPConfig(client, workspaceId, builtinIdPConfig) {
 	let idpService;
 	try {
 		idpService = await client.getIdPService({
@@ -1958,14 +2214,20 @@ async function protoBuiltinIdPConfig(client, workspaceId, builtinIdPConfig) {
 			namespaceName: builtinIdPConfig.namespace
 		});
 	} catch (error) {
-		if (error instanceof ConnectError && error.code === Code.NotFound) throw new Error(`Built-in IdP "${builtinIdPConfig.namespace}" not found. Please ensure that idp is configured correctly.`, { cause: error });
+		if (error instanceof ConnectError && error.code === Code.NotFound) return;
+		throw error;
+	}
+	let idpClient;
+	try {
+		idpClient = await client.getIdPClient({
+			workspaceId,
+			namespaceName: builtinIdPConfig.namespace,
+			name: builtinIdPConfig.clientName
+		});
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.NotFound) return;
 		throw error;
 	}
-	const idpClient = await client.getIdPClient({
-		workspaceId,
-		namespaceName: builtinIdPConfig.namespace,
-		name: builtinIdPConfig.clientName
-	});
 	const vaultName = idpClientVaultName(builtinIdPConfig.namespace, builtinIdPConfig.clientName);
 	const secretKey = idpClientSecretName(builtinIdPConfig.namespace, builtinIdPConfig.clientName);
 	return { config: {
@@ -1981,16 +2243,35 @@ async function protoBuiltinIdPConfig(client, workspaceId, builtinIdPConfig) {
 		}
 	} };
 }
-async function planUserProfileConfigs(client, workspaceId, auths, deletedServices) {
+async function planUserProfileConfigs(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth userProfileConfigs");
 	for (const auth of auths) {
 		const { parsedConfig: config } = auth;
 		const name = `${config.name}-user-profile-config`;
 		try {
-			await client.getUserProfileConfig({
+			const { userProfileProviderConfig } = await client.getUserProfileConfig({
 				workspaceId,
 				namespaceName: config.name
 			});
+			const userProfileForUpdate = auth.userProfile;
+			if (userProfileForUpdate) {
+				const desired = protoUserProfileConfig(userProfileForUpdate);
+				if (!forceApplyAll && areUserProfileConfigsEqual(userProfileProviderConfig ?? {}, desired)) changeSet.unchanged.push({ name });
+				else changeSet.updates.push({
+					name,
+					request: {
+						workspaceId,
+						namespaceName: config.name,
+						userProfileProviderConfig: desired
+					}
+				});
+			} else changeSet.deletes.push({
+				name,
+				request: {
+					workspaceId,
+					namespaceName: config.name
+				}
+			});
 		} catch (error) {
 			if (error instanceof ConnectError && error.code === Code.NotFound) {
 				const userProfileForCreate = auth.userProfile;
@@ -2006,22 +2287,6 @@ async function planUserProfileConfigs(client, workspaceId, auths, deletedService
 			}
 			throw error;
 		}
-		const userProfileForUpdate = auth.userProfile;
-		if (userProfileForUpdate) changeSet.updates.push({
-			name,
-			request: {
-				workspaceId,
-				namespaceName: config.name,
-				userProfileProviderConfig: protoUserProfileConfig(userProfileForUpdate)
-			}
-		});
-		else changeSet.deletes.push({
-			name,
-			request: {
-				workspaceId,
-				namespaceName: config.name
-			}
-		});
 	}
 	for (const namespaceName of deletedServices) {
 		try {
@@ -2061,16 +2326,34 @@ function protoUserProfileConfig(userProfile) {
 		} }
 	};
 }
-async function planTenantConfigs(client, workspaceId, auths, deletedServices) {
+async function planTenantConfigs(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth tenantConfigs");
 	for (const auth of auths) {
 		const { parsedConfig: config } = auth;
 		const name = `${config.name}-tenant-config`;
 		try {
-			await client.getTenantConfig({
+			const { tenantProviderConfig } = await client.getTenantConfig({
 				workspaceId,
 				namespaceName: config.name
 			});
+			if (config.tenantProvider) {
+				const desired = protoTenantConfig(config.tenantProvider);
+				if (!forceApplyAll && areTenantProviderConfigsEqual(tenantProviderConfig, desired)) changeSet.unchanged.push({ name });
+				else changeSet.updates.push({
+					name,
+					request: {
+						workspaceId,
+						namespaceName: config.name,
+						tenantProviderConfig: desired
+					}
+				});
+			} else changeSet.deletes.push({
+				name,
+				request: {
+					workspaceId,
+					namespaceName: config.name
+				}
+			});
 		} catch (error) {
 			if (error instanceof ConnectError && error.code === Code.NotFound) {
 				if (config.tenantProvider) changeSet.creates.push({
@@ -2085,21 +2368,6 @@ async function planTenantConfigs(client, workspaceId, auths, deletedServices) {
 			}
 			throw error;
 		}
-		if (config.tenantProvider) changeSet.updates.push({
-			name,
-			request: {
-				workspaceId,
-				namespaceName: config.name,
-				tenantProviderConfig: protoTenantConfig(config.tenantProvider)
-			}
-		});
-		else changeSet.deletes.push({
-			name,
-			request: {
-				workspaceId,
-				namespaceName: config.name
-			}
-		});
 	}
 	for (const namespaceName of deletedServices) {
 		try {
@@ -2134,7 +2402,7 @@ function protoTenantConfig(tenantConfig) {
 		} }
 	};
 }
-async function planMachineUsers(client, workspaceId, auths, deletedServices) {
+async function planMachineUsers(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth machineUsers");
 	const fetchMachineUsers = (authNamespace) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -2155,25 +2423,31 @@ async function planMachineUsers(client, workspaceId, auths, deletedServices) {
 	for (const auth of auths) {
 		const { parsedConfig: config } = auth;
 		const existingMachineUsers = await fetchMachineUsers(config.name);
-		const existingNameSet = /* @__PURE__ */ new Set();
+		const existingMap = /* @__PURE__ */ new Map();
 		existingMachineUsers.forEach((machineUser) => {
-			existingNameSet.add(machineUser.name);
+			existingMap.set(machineUser.name, machineUser);
 		});
 		for (const machineUsername of Object.keys(config.machineUsers ?? {})) {
 			const machineUser = config.machineUsers?.[machineUsername];
 			if (!machineUser) continue;
-			if (existingNameSet.has(machineUsername)) {
-				changeSet.updates.push({
+			const desiredMachineUser = {
+				attributes: machineUser.attributeList,
+				attributeMap: machineUser.attributes ? protoMachineUserAttributeMap(machineUser.attributes) : void 0
+			};
+			const existing = existingMap.get(machineUsername);
+			if (existing) {
+				if (!forceApplyAll && areMachineUsersEqual(existing, desiredMachineUser)) changeSet.unchanged.push({ name: machineUsername });
+				else changeSet.updates.push({
 					name: machineUsername,
 					request: {
 						workspaceId,
 						authNamespace: config.name,
 						name: machineUsername,
 						attributes: machineUser.attributeList,
-						attributeMap: machineUser.attributes ? protoMachineUserAttributeMap(machineUser.attributes) : void 0
+						attributeMap: desiredMachineUser.attributeMap
 					}
 				});
-				existingNameSet.delete(machineUsername);
+				existingMap.delete(machineUsername);
 			} else changeSet.creates.push({
 				name: machineUsername,
 				request: {
@@ -2181,11 +2455,11 @@ async function planMachineUsers(client, workspaceId, auths, deletedServices) {
 					authNamespace: config.name,
 					name: machineUsername,
 					attributes: machineUser.attributeList,
-					attributeMap: machineUser.attributes ? protoMachineUserAttributeMap(machineUser.attributes) : void 0
+					attributeMap: desiredMachineUser.attributeMap
 				}
 			});
 		}
-		existingNameSet.forEach((name) => {
+		existingMap.forEach((_, name) => {
 			changeSet.deletes.push({
 				name,
 				request: {
@@ -2213,7 +2487,60 @@ function protoMachineUserAttributeMap(attributeMap) {
 	for (const [key, value] of Object.entries(attributeMap)) ret[key] = fromJson(ValueSchema, value ?? null);
 	return ret;
 }
-async function planOAuth2Clients(client, workspaceId, auths, deletedServices) {
+function normalizeComparableUserProfileConfig(config) {
+	const comparableConfig = config.config?.config;
+	const tailorDBConfig = comparableConfig?.case === "tailordb" ? comparableConfig.value : void 0;
+	return normalizeProtoConfig({
+		providerType: config.providerType,
+		config: { config: {
+			case: comparableConfig?.case,
+			value: tailorDBConfig ? {
+				...tailorDBConfig,
+				tenantIdField: tailorDBConfig.tenantIdField || void 0,
+				attributesFields: normalizeStringArray(tailorDBConfig.attributesFields),
+				attributeMap: normalizeProtoConfig(tailorDBConfig.attributeMap)
+			} : comparableConfig?.value
+		} }
+	});
+}
+function areUserProfileConfigsEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableUserProfileConfig(existing), normalizeComparableUserProfileConfig(desired));
+}
+function normalizeComparableTenantProviderConfig(config) {
+	return normalizeProtoConfig(config);
+}
+function areTenantProviderConfigsEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableTenantProviderConfig(existing), normalizeComparableTenantProviderConfig(desired));
+}
+function normalizeComparableMachineUser(input) {
+	return normalizeProtoConfig({
+		attributes: normalizeStringArray(input.attributes),
+		attributeMap: normalizeProtoConfig(input.attributeMap ?? {})
+	});
+}
+function areMachineUsersEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableMachineUser(existing), normalizeComparableMachineUser(desired));
+}
+function normalizeComparableOAuth2Client(client) {
+	const accessTokenLifetime = oauth2LifetimeToSeconds(client.accessTokenLifetime);
+	const refreshTokenLifetime = oauth2LifetimeToSeconds(client.refreshTokenLifetime);
+	return normalizeProtoConfig({
+		...client,
+		redirectUris: normalizeStringArray(client.redirectUris),
+		grantTypes: [...client.grantTypes ?? []].sort((left, right) => left - right),
+		accessTokenLifetime: accessTokenLifetime ?? 86400,
+		refreshTokenLifetime: refreshTokenLifetime ?? 604800,
+		requireDpop: client.requireDpop ?? false
+	});
+}
+function oauth2LifetimeToSeconds(lifetime) {
+	if (typeof lifetime === "number") return lifetime;
+	if (lifetime?.seconds != null) return Number(lifetime.seconds);
+}
+function areOAuth2ClientsEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableOAuth2Client(existing), normalizeComparableOAuth2Client(desired));
+}
+async function planOAuth2Clients(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth oauth2Clients");
 	const fetchOAuth2Clients = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -2236,14 +2563,16 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices) {
 		const existingOAuth2Clients = await fetchOAuth2Clients(config.name);
 		const existingClientsMap = /* @__PURE__ */ new Map();
 		existingOAuth2Clients.forEach((oauth2Client) => {
-			existingClientsMap.set(oauth2Client.name, oauth2Client.clientType);
+			existingClientsMap.set(oauth2Client.name, oauth2Client);
 		});
 		for (const oauth2ClientName of Object.keys(config.oauth2Clients ?? {})) {
 			const oauth2Client = config.oauth2Clients?.[oauth2ClientName];
 			if (!oauth2Client) continue;
 			const newOAuth2Client = protoOAuth2Client(oauth2ClientName, oauth2Client);
+			const resolvedRedirectUris = await resolveStaticWebsiteUrls(client, workspaceId, newOAuth2Client.redirectUris ?? [], "OAuth2 redirect URIs");
 			if (existingClientsMap.has(oauth2ClientName)) {
-				if (existingClientsMap.get(oauth2ClientName) !== newOAuth2Client.clientType) changeSet.replaces.push({
+				const existingClient = existingClientsMap.get(oauth2ClientName);
+				if (existingClient.clientType !== newOAuth2Client.clientType) changeSet.replaces.push({
 					name: oauth2ClientName,
 					deleteRequest: {
 						workspaceId,
@@ -2256,14 +2585,33 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices) {
 						oauth2Client: newOAuth2Client
 					}
 				});
-				else changeSet.updates.push({
-					name: oauth2ClientName,
-					request: {
-						workspaceId,
-						namespaceName: config.name,
-						oauth2Client: newOAuth2Client
-					}
-				});
+				else {
+					const desiredComparable = {
+						...newOAuth2Client,
+						redirectUris: resolvedRedirectUris,
+						accessTokenLifetime: oauth2LifetimeToSeconds(newOAuth2Client.accessTokenLifetime),
+						refreshTokenLifetime: oauth2LifetimeToSeconds(newOAuth2Client.refreshTokenLifetime)
+					};
+					const existingComparable = {
+						name: existingClient.name,
+						description: existingClient.description,
+						grantTypes: existingClient.grantTypes,
+						redirectUris: existingClient.redirectUris,
+						clientType: existingClient.clientType,
+						accessTokenLifetime: oauth2LifetimeToSeconds(existingClient.accessTokenLifetime),
+						refreshTokenLifetime: oauth2LifetimeToSeconds(existingClient.refreshTokenLifetime),
+						requireDpop: existingClient.requireDpop
+					};
+					if (!forceApplyAll && areOAuth2ClientsEqual(existingComparable, desiredComparable)) changeSet.unchanged.push({ name: oauth2ClientName });
+					else changeSet.updates.push({
+						name: oauth2ClientName,
+						request: {
+							workspaceId,
+							namespaceName: config.name,
+							oauth2Client: newOAuth2Client
+						}
+					});
+				}
 				existingClientsMap.delete(oauth2ClientName);
 			} else changeSet.creates.push({
 				name: oauth2ClientName,
@@ -2538,21 +2886,36 @@ function protoSCIMAttribute(attr) {
 		subAttributes: attr.subAttributes?.map((attr) => protoSCIMAttribute(attr))
 	};
 }
-async function planAuthHooks(client, workspaceId, auths, deletedServices) {
+function areAuthHooksEqual(existing, desired) {
+	return areNormalizedEqual({
+		scriptRef: existing.scriptRef ?? "",
+		invoker: existing.invoker ? {
+			namespace: existing.invoker.namespace ?? "",
+			machineUserName: existing.invoker.machineUserName ?? ""
+		} : void 0
+	}, {
+		scriptRef: desired.scriptRef ?? "",
+		invoker: desired.invoker ? {
+			namespace: desired.invoker.namespace ?? "",
+			machineUserName: desired.invoker.machineUserName ?? ""
+		} : void 0
+	});
+}
+async function planAuthHooks(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth hooks");
 	for (const auth of auths) {
 		const { parsedConfig: config } = auth;
 		const beforeLogin = config.hooks?.beforeLogin;
 		let existingHook;
 		try {
-			await client.getAuthHook({
+			const { hook } = await client.getAuthHook({
 				workspaceId,
 				namespaceName: config.name,
 				hookPoint: AuthHookPoint.BEFORE_LOGIN
 			});
-			existingHook = true;
+			existingHook = hook;
 		} catch (error) {
-			if (error instanceof ConnectError && error.code === Code.NotFound) existingHook = false;
+			if (error instanceof ConnectError && error.code === Code.NotFound) existingHook = void 0;
 			else throw error;
 		}
 		if (beforeLogin) {
@@ -2568,7 +2931,8 @@ async function planAuthHooks(client, workspaceId, auths, deletedServices) {
 					}
 				}
 			};
-			if (existingHook) changeSet.updates.push({
+			if (existingHook) if (!forceApplyAll && areAuthHooksEqual(existingHook, hookRequest.hook)) changeSet.unchanged.push({ name: `${config.name}/before-login` });
+			else changeSet.updates.push({
 				name: `${config.name}/before-login`,
 				request: hookRequest
 			});
@@ -2751,19 +3115,10 @@ const ACTOR_TRANSFORM_EXPR = "actor: args.actor ? (({ attributeMap, attributes:
 function buildExecutorArgsExpr(triggerKind, env) {
 	const envExpr = `env: ${JSON.stringify(env)}`;
 	switch (triggerKind) {
-		case "schedule":
-		case "recordCreated":
-		case "recordUpdated":
-		case "recordDeleted":
-		case "idpUserCreated":
-		case "idpUserUpdated":
-		case "idpUserDeleted":
-		case "authAccessTokenIssued":
-		case "authAccessTokenRefreshed":
-		case "authAccessTokenRevoked": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
+		case "schedule": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
 		case "resolverExecuted": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, success: !!args.succeeded, result: args.succeeded?.result.resolver, error: args.failed?.error, ${envExpr} })`;
 		case "incomingWebhook": return `({ ...args, appNamespace: args.namespaceName, rawBody: args.raw_body, ${envExpr} })`;
-		default: throw new Error(`Unknown trigger kind for args expression: ${triggerKind}`);
+		default: return `({ ...args, event: args.eventType?.split(".").pop(), rawEvent: args.eventType, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
 	}
 }
 /**
@@ -2833,13 +3188,15 @@ async function planExecutor(context) {
 		const { metadata } = await client.getMetadata({ trn: trn$3(workspaceId, resource.name) });
 		existingExecutors[resource.name] = {
 			resource,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	const executors = forRemoval ? {} : await application.executorService?.loadExecutors() ?? {};
 	for (const executor of Object.values(executors)) {
 		const existing = existingExecutors[executor.name];
 		const metaRequest = await buildMetaRequest(trn$3(workspaceId, executor.name), application.name);
+		const desiredExecutor = protoExecutor(application, executor);
 		if (existing) {
 			if (!existing.label) unmanaged.push({
 				resourceType: "Executor",
@@ -2850,11 +3207,12 @@ async function planExecutor(context) {
 				resourceName: executor.name,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (existing.label === application.name && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areExecutorsEqual(existing.resource, desiredExecutor)) changeSet.unchanged.push({ name: executor.name });
+			else changeSet.updates.push({
 				name: executor.name,
 				request: {
 					workspaceId,
-					executor: protoExecutor(application, executor)
+					executor: desiredExecutor
 				},
 				metaRequest
 			});
@@ -2863,7 +3221,7 @@ async function planExecutor(context) {
 			name: executor.name,
 			request: {
 				workspaceId,
-				executor: protoExecutor(application, executor)
+				executor: desiredExecutor
 			},
 			metaRequest
 		});
@@ -2887,6 +3245,56 @@ async function planExecutor(context) {
 		resourceOwners
 	};
 }
+function normalizeComparableExecutor(executor) {
+	const normalized = normalizeProtoConfig(executor) ?? {};
+	const webhookHeaders = normalized.targetConfig?.config?.case === "webhook" ? [...normalized.targetConfig.config.value.headers ?? []].sort((left, right) => (left.key ?? "").localeCompare(right.key ?? "")) : void 0;
+	const triggerConfig = normalized.triggerConfig?.config?.case === "incomingWebhook" ? {
+		...normalized.triggerConfig,
+		config: {
+			...normalized.triggerConfig.config,
+			value: {}
+		}
+	} : normalized.triggerConfig?.config?.case === "event" ? {
+		...normalized.triggerConfig,
+		config: {
+			...normalized.triggerConfig.config,
+			value: {
+				...normalized.triggerConfig.config.value,
+				eventType: void 0
+			}
+		}
+	} : normalized.triggerConfig;
+	return {
+		name: normalized.name,
+		description: normalized.description ?? "",
+		disabled: normalized.disabled ?? false,
+		triggerType: normalized.triggerType,
+		triggerConfig,
+		targetType: normalized.targetType,
+		targetConfig: normalized.targetConfig?.config?.case === "webhook" ? {
+			...normalized.targetConfig,
+			config: {
+				...normalized.targetConfig.config,
+				value: {
+					...normalized.targetConfig.config.value,
+					headers: webhookHeaders
+				}
+			}
+		} : normalized.targetConfig?.config?.case === "function" ? {
+			...normalized.targetConfig,
+			config: {
+				...normalized.targetConfig.config,
+				value: {
+					...normalized.targetConfig.config.value,
+					script: void 0
+				}
+			}
+		} : normalized.targetConfig
+	};
+}
+function areExecutorsEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableExecutor(existing), normalizeComparableExecutor(desired));
+}
 function resolveTailorDBNamespace(application, typeName) {
 	for (const service of application.tailorDBServices) if (service.types[typeName]) return service.namespace;
 	throw new Error(`TailorDB type "${typeName}" not found in any namespace. Available namespaces: ${application.tailorDBServices.map((s) => s.namespace).join(", ")}`);
@@ -2911,18 +3319,6 @@ function protoExecutor(application, executor) {
 	let triggerType;
 	let triggerConfig;
 	const argsExpr = buildExecutorArgsExpr(trigger.kind, env);
-	const eventType = {
-		recordCreated: "tailordb.type_record.created",
-		recordUpdated: "tailordb.type_record.updated",
-		recordDeleted: "tailordb.type_record.deleted",
-		resolverExecuted: "pipeline.resolver.executed",
-		idpUserCreated: "idp.user.created",
-		idpUserUpdated: "idp.user.updated",
-		idpUserDeleted: "idp.user.deleted",
-		authAccessTokenIssued: "auth.access_token.issued",
-		authAccessTokenRefreshed: "auth.access_token.refreshed",
-		authAccessTokenRevoked: "auth.access_token.revoked"
-	};
 	function typedEventTrigger(typedConfig) {
 		return { config: {
 			case: "event",
@@ -2940,14 +3336,12 @@ function protoExecutor(application, executor) {
 				}
 			} };
 			break;
-		case "recordCreated":
-		case "recordUpdated":
-		case "recordDeleted":
+		case "tailordb":
 			triggerType = ExecutorTriggerType.EVENT;
 			triggerConfig = typedEventTrigger({
 				case: "tailordb",
 				value: {
-					eventTypes: [eventType[trigger.kind]],
+					eventTypes: trigger.events,
 					namespaceName: resolveTailorDBNamespace(application, trigger.typeName),
 					typeName: trigger.typeName,
 					...trigger.condition ? { condition: { expr: `(${stringifyFunction(trigger.condition)})(${argsExpr})` } } : {}
@@ -2959,7 +3353,7 @@ function protoExecutor(application, executor) {
 			triggerConfig = typedEventTrigger({
 				case: "pipeline",
 				value: {
-					eventTypes: [eventType[trigger.kind]],
+					eventTypes: ["pipeline.resolver.executed"],
 					namespaceName: resolveResolverNamespace(application, trigger.resolverName),
 					resolverName: trigger.resolverName,
 					...trigger.condition ? { condition: { expr: `(${stringifyFunction(trigger.condition)})(${argsExpr})` } } : {}
@@ -2973,26 +3367,22 @@ function protoExecutor(application, executor) {
 				value: {}
 			} };
 			break;
-		case "idpUserCreated":
-		case "idpUserUpdated":
-		case "idpUserDeleted":
+		case "idpUser":
 			triggerType = ExecutorTriggerType.EVENT;
 			triggerConfig = typedEventTrigger({
 				case: "idp",
 				value: {
-					eventTypes: [eventType[trigger.kind]],
+					eventTypes: trigger.events,
 					namespaceName: resolveIdpNamespace(application)
 				}
 			});
 			break;
-		case "authAccessTokenIssued":
-		case "authAccessTokenRefreshed":
-		case "authAccessTokenRevoked":
+		case "authAccessToken":
 			triggerType = ExecutorTriggerType.EVENT;
 			triggerConfig = typedEventTrigger({
 				case: "auth",
 				value: {
-					eventTypes: [eventType[trigger.kind]],
+					eventTypes: trigger.events,
 					namespaceName: resolveAuthNamespace(application)
 				}
 			});
@@ -3148,7 +3538,7 @@ async function applyPipeline(client, result, phase = "create-update") {
 * @returns Planned changes
 */
 async function planPipeline(context) {
-	const { client, workspaceId, application, forRemoval } = context;
+	const { client, workspaceId, application, forRemoval, forceApplyAll = false } = context;
 	const pipelines = [];
 	if (!forRemoval) for (const pipeline of application.resolverServices) {
 		await pipeline.loadResolvers();
@@ -3156,7 +3546,7 @@ async function planPipeline(context) {
 	}
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, pipelines);
-	const resolverChangeSet = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env);
+	const resolverChangeSet = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, forceApplyAll);
 	serviceChangeSet.print();
 	resolverChangeSet.print();
 	return {
@@ -3196,7 +3586,8 @@ async function planServices$1(client, workspaceId, appName, pipelines) {
 		const { metadata } = await client.getMetadata({ trn: trn$2(workspaceId, resource.namespace.name) });
 		existingServices[resource.namespace.name] = {
 			resource,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	for (const pipeline of pipelines) {
@@ -3212,7 +3603,8 @@ async function planServices$1(client, workspaceId, appName, pipelines) {
 				resourceName: pipeline.namespace,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (existing.label === appName && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) changeSet.unchanged.push({ name: pipeline.namespace });
+			else changeSet.updates.push({
 				name: pipeline.namespace,
 				request: {
 					workspaceId,
@@ -3248,7 +3640,7 @@ async function planServices$1(client, workspaceId, appName, pipelines) {
 		resourceOwners
 	};
 }
-async function planResolvers(client, workspaceId, pipelines, executors, deletedServices, env) {
+async function planResolvers(client, workspaceId, pipelines, executors, deletedServices, env, forceApplyAll = false) {
 	const changeSet = createChangeSet("Pipeline resolvers");
 	const fetchResolvers = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -3271,29 +3663,35 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 	for (const pipeline of pipelines) for (const resolver of Object.values(pipeline.resolvers)) if (executorUsedResolvers.has(resolver.name) && resolver.publishEvents === false) throw new Error(`Resolver "${resolver.name}" has publishEvents set to false, but it is used by an executor with a resolverExecuted trigger. Either remove the publishEvents: false setting or remove the executor trigger for this resolver.`);
 	for (const pipeline of pipelines) {
 		const existingResolvers = await fetchResolvers(pipeline.namespace);
-		const existingNameSet = /* @__PURE__ */ new Set();
-		existingResolvers.forEach((resolver) => {
-			existingNameSet.add(resolver.name);
-		});
-		for (const resolver of Object.values(pipeline.resolvers)) if (existingNameSet.has(resolver.name)) {
-			changeSet.updates.push({
+		const existingResolversMap = new Map(existingResolvers.map((resolver) => [resolver.name, resolver]));
+		for (const resolver of Object.values(pipeline.resolvers)) {
+			const desiredResolver = processResolver(pipeline.namespace, resolver, executorUsedResolvers, env);
+			if (existingResolversMap.get(resolver.name)) {
+				const { pipelineResolver: existingResolverDetail } = await client.getPipelineResolver({
+					workspaceId,
+					namespaceName: pipeline.namespace,
+					resolverName: resolver.name
+				});
+				if (!forceApplyAll && existingResolverDetail && areResolversEqual(existingResolverDetail, desiredResolver)) changeSet.unchanged.push({ name: resolver.name });
+				else changeSet.updates.push({
+					name: resolver.name,
+					request: {
+						workspaceId,
+						namespaceName: pipeline.namespace,
+						pipelineResolver: desiredResolver
+					}
+				});
+				existingResolversMap.delete(resolver.name);
+			} else changeSet.creates.push({
 				name: resolver.name,
 				request: {
 					workspaceId,
 					namespaceName: pipeline.namespace,
-					pipelineResolver: processResolver(pipeline.namespace, resolver, executorUsedResolvers, env)
+					pipelineResolver: desiredResolver
 				}
 			});
-			existingNameSet.delete(resolver.name);
-		} else changeSet.creates.push({
-			name: resolver.name,
-			request: {
-				workspaceId,
-				namespaceName: pipeline.namespace,
-				pipelineResolver: processResolver(pipeline.namespace, resolver, executorUsedResolvers, env)
-			}
-		});
-		existingNameSet.forEach((name) => {
+		}
+		existingResolversMap.forEach((_resolver, name) => {
 			changeSet.deletes.push({
 				name,
 				request: {
@@ -3316,6 +3714,59 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 	});
 	return changeSet;
 }
+function normalizeComparableResolver(resolver) {
+	const normalized = normalizeProtoConfig(resolver) ?? {};
+	return {
+		name: normalized.name,
+		description: normalized.description ?? "",
+		authorization: normalized.authorization ?? "",
+		operationType: normalized.operationType,
+		publishExecutionEvents: normalized.publishExecutionEvents ?? false,
+		inputs: normalizeComparableFields(normalized.inputs),
+		response: normalizeComparableField(normalized.response),
+		pipelines: normalizeComparablePipelines(normalized.pipelines)
+	};
+}
+function areResolversEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableResolver(existing), normalizeComparableResolver(desired));
+}
+function normalizeComparablePipelines(pipelines) {
+	return (pipelines ?? []).map((pipeline) => ({
+		name: pipeline.name ?? "",
+		operationName: pipeline.operationName ?? "",
+		description: pipeline.description ?? "",
+		operationType: pipeline.operationType,
+		operationSourceRef: pipeline.operationSourceRef ?? "",
+		operationHook: pipeline.operationHook?.expr ?? "",
+		postScript: pipeline.postScript ?? "",
+		skipOperationOnError: pipeline.skipOperationOnError ?? false,
+		invoker: pipeline.invoker ?? void 0
+	}));
+}
+function normalizeComparableFields(fields) {
+	return (fields ?? []).map((field) => normalizeComparableField(field));
+}
+function normalizeComparableField(field) {
+	if (!field) return;
+	return {
+		name: field.name ?? "",
+		array: field.array ?? false,
+		required: field.required ?? true,
+		description: field.description ?? "",
+		type: normalizeComparableType(field.type)
+	};
+}
+function normalizeComparableType(type) {
+	if (!type) return;
+	return {
+		kind: type.kind ?? "",
+		name: type.name ?? "",
+		required: type.required ?? true,
+		description: type.description ?? "",
+		allowedValues: type.allowedValues ?? [],
+		fields: (type.fields ?? []).map((field) => normalizeComparableField(field))
+	};
+}
 function processResolver(namespace, resolver, executorUsedResolvers, env) {
 	const pipelines = [{
 		name: "body",
@@ -3431,7 +3882,7 @@ function hashValue(value) {
 * @returns Planned changes for vaults and secrets
 */
 async function planSecretManager(context) {
-	const { client, workspaceId, application, forRemoval } = context;
+	const { client, workspaceId, application, forRemoval, forceApplyAll = false } = context;
 	const secretVaults = forRemoval ? [] : application.secrets;
 	const vaultChangeSet = createChangeSet("Secret Manager vaults");
 	const secretChangeSet = createChangeSet("Secret Manager secrets");
@@ -3453,10 +3904,11 @@ async function planSecretManager(context) {
 	});
 	const existingVaults = {};
 	await Promise.all(existingVaultList.map(async (resource) => {
-		const { metadata } = await client.getMetadata({ trn: vaultTrn(workspaceId, resource.name) });
+		const { metadata } = await client.getMetadata({ trn: vaultTrn$1(workspaceId, resource.name) });
 		existingVaults[resource.name] = {
 			resource,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	const state = loadSecretsState();
@@ -3464,6 +3916,7 @@ async function planSecretManager(context) {
 		const vaultName = vault.vaultName;
 		const existing = existingVaults[vaultName];
 		if (existing) {
+			const metaRequest = await buildMetaRequest(vaultTrn$1(workspaceId, vaultName), application.name);
 			if (!existing.label) unmanaged.push({
 				resourceType: "Secret Manager vault",
 				resourceName: vaultName
@@ -3473,7 +3926,8 @@ async function planSecretManager(context) {
 				resourceName: vaultName,
 				currentOwner: existing.label
 			});
-			vaultChangeSet.updates.push({
+			if (existing.label === application.name && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) vaultChangeSet.unchanged.push({ name: vaultName });
+			else vaultChangeSet.updates.push({
 				name: vaultName,
 				workspaceId
 			});
@@ -3499,7 +3953,9 @@ async function planSecretManager(context) {
 		})).map((s) => s.name);
 		const existingSet = new Set(existingSecrets);
 		for (const secret of vault.secrets) if (existingSet.has(secret.name)) {
-			if (hashValue(secret.value) !== state.vaults[vaultName]?.[secret.name]) secretChangeSet.updates.push({
+			const currentHash = hashValue(secret.value);
+			const storedHash = state.vaults[vaultName]?.[secret.name];
+			if (forceApplyAll || currentHash !== storedHash) secretChangeSet.updates.push({
 				name: `${vaultName}/${secret.name}`,
 				secretName: secret.name,
 				workspaceId,
@@ -3562,7 +4018,7 @@ async function planSecretManager(context) {
 		resourceOwners
 	};
 }
-function vaultTrn(workspaceId, name) {
+function vaultTrn$1(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:vault:${name}`;
 }
 /**
@@ -3582,12 +4038,12 @@ async function applySecretManager(client, result, phase = "create-update", appli
 				secretmanagerVaultName: create.name
 			});
 			if (application) {
-				const metaRequest = await buildMetaRequest(vaultTrn(create.workspaceId, create.name), application.name);
+				const metaRequest = await buildMetaRequest(vaultTrn$1(create.workspaceId, create.name), application.name);
 				await client.setMetadata(metaRequest);
 			}
 		}));
 		if (application) await Promise.all(vaultChangeSet.updates.map(async (update) => {
-			const metaRequest = await buildMetaRequest(vaultTrn(update.workspaceId, update.name), application.name);
+			const metaRequest = await buildMetaRequest(vaultTrn$1(update.workspaceId, update.name), application.name);
 			await client.setMetadata(metaRequest);
 		}));
 		await Promise.all(secretChangeSet.creates.map((create) => client.createSecretManagerSecret({
@@ -3655,6 +4111,21 @@ async function applyStaticWebsite(client, result, phase = "create-update") {
 function trn$1(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:staticwebsite:${name}`;
 }
+function normalizeComparableStaticWebsiteShape(input) {
+	return {
+		description: input.description,
+		allowedIpAddresses: [...input.allowedIpAddresses].sort()
+	};
+}
+function normalizeComparableStaticWebsite(input) {
+	return normalizeComparableStaticWebsiteShape({
+		description: input.description || "",
+		allowedIpAddresses: [...input.allowedIpAddresses || []]
+	});
+}
+function areStaticWebsitesEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableStaticWebsite(existing), normalizeComparableStaticWebsite(desired));
+}
 /**
 * Plan static website changes based on current and desired state.
 * @param context - Planning context
@@ -3684,7 +4155,8 @@ async function planStaticWebsite(context) {
 		const { metadata } = await client.getMetadata({ trn: trn$1(workspaceId, resource.name) });
 		existingWebsites[resource.name] = {
 			resource,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	const staticWebsiteServices = forRemoval ? [] : application.staticWebsiteServices;
@@ -3693,7 +4165,17 @@ async function planStaticWebsite(context) {
 		const name = websiteService.name;
 		const existing = existingWebsites[name];
 		const metaRequest = await buildMetaRequest(trn$1(workspaceId, name), application.name);
+		const desired = normalizeComparableStaticWebsite(config);
+		const request = {
+			workspaceId,
+			staticwebsite: {
+				name,
+				description: config.description || "",
+				allowedIpAddresses: config.allowedIpAddresses || []
+			}
+		};
 		if (existing) {
+			const isManagedByApp = existing.label === application.name;
 			if (!existing.label) unmanaged.push({
 				resourceType: "StaticWebsite",
 				resourceName: name
@@ -3703,29 +4185,16 @@ async function planStaticWebsite(context) {
 				resourceName: name,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (isManagedByApp && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areStaticWebsitesEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
+			else changeSet.updates.push({
 				name,
-				request: {
-					workspaceId,
-					staticwebsite: {
-						name,
-						description: config.description || "",
-						allowedIpAddresses: config.allowedIpAddresses || []
-					}
-				},
+				request,
 				metaRequest
 			});
 			delete existingWebsites[name];
 		} else changeSet.creates.push({
 			name,
-			request: {
-				workspaceId,
-				staticwebsite: {
-					name,
-					description: config.description || "",
-					allowedIpAddresses: config.allowedIpAddresses || []
-				}
-			},
+			request,
 			metaRequest
 		});
 	}
@@ -3949,8 +4418,11 @@ const INITIAL_SCHEMA_NUMBER = 0;
 * Migration file names (used within migration directories)
 */
 const SCHEMA_FILE_NAME = "schema.json";
+/** File name for migration diff metadata. */
 const DIFF_FILE_NAME = "diff.json";
+/** File name for migration script. */
 const MIGRATE_FILE_NAME = "migrate.ts";
+/** File name for generated DB type definitions. */
 const DB_TYPES_FILE_NAME = "db.ts";
 /**
 * Pattern for validating migration number format (4-digit sequential number)
@@ -5848,7 +6320,7 @@ async function executeSingleMigrationPostPhase(client, changeSet, migration) {
 * @returns Planned changes
 */
 async function planTailorDB(context) {
-	const { client, workspaceId, application, forRemoval, config, noSchemaCheck } = context;
+	const { client, workspaceId, application, forRemoval, config, noSchemaCheck, forceApplyAll = false } = context;
 	const tailordbs = [];
 	if (!forRemoval) for (const tailordb of application.tailorDBServices) {
 		await tailordb.loadTypes();
@@ -5857,7 +6329,7 @@ async function planTailorDB(context) {
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, tailordbs);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
-	const [typeChangeSet, gqlPermissionChangeSet] = await Promise.all([planTypes(client, workspaceId, tailordbs, executors, deletedServices), planGqlPermissions(client, workspaceId, tailordbs, deletedServices)]);
+	const [typeChangeSet, gqlPermissionChangeSet] = await Promise.all([planTypes(client, workspaceId, tailordbs, executors, deletedServices, void 0, forceApplyAll), planGqlPermissions(client, workspaceId, tailordbs, deletedServices, forceApplyAll)]);
 	serviceChangeSet.print();
 	typeChangeSet.print();
 	gqlPermissionChangeSet.print();
@@ -5881,6 +6353,21 @@ async function planTailorDB(context) {
 function trn(workspaceId, name) {
 	return `${trnPrefix(workspaceId)}:tailordb:${name}`;
 }
+function normalizeComparableTailorDBService(service) {
+	return normalizeProtoConfig({
+		namespace: service.namespace,
+		defaultTimezone: service.defaultTimezone || "UTC"
+	});
+}
+function areTailorDBServicesEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableTailorDBService({
+		namespace: existing.namespace?.name,
+		defaultTimezone: existing.defaultTimezone
+	}), normalizeComparableTailorDBService({
+		namespace: desired.namespace,
+		defaultTimezone: "UTC"
+	}));
+}
 async function planServices(client, workspaceId, appName, tailordbs) {
 	const changeSet = createChangeSet("TailorDB services");
 	const conflicts = [];
@@ -5922,7 +6409,8 @@ async function planServices(client, workspaceId, appName, tailordbs) {
 				resourceName: tailordb.namespace,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (existing.label === appName && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areTailorDBServicesEqual(existing.resource, tailordb)) changeSet.unchanged.push({ name: tailordb.namespace });
+			else changeSet.updates.push({
 				name: tailordb.namespace,
 				metaRequest
 			});
@@ -5955,7 +6443,7 @@ async function planServices(client, workspaceId, appName, tailordbs) {
 		resourceOwners
 	};
 }
-async function planTypes(client, workspaceId, tailordbs, executors, deletedServices, filteredTypesByNamespace) {
+async function planTypes(client, workspaceId, tailordbs, executors, deletedServices, filteredTypesByNamespace, forceApplyAll = false) {
 	const changeSet = createChangeSet("TailorDB types");
 	const fetchTypes = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -5974,7 +6462,7 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 		});
 	};
 	const executorUsedTypes = /* @__PURE__ */ new Set();
-	for (const executor of executors) if (executor.trigger.kind === "recordCreated" || executor.trigger.kind === "recordUpdated" || executor.trigger.kind === "recordDeleted") executorUsedTypes.add(executor.trigger.typeName);
+	for (const executor of executors) if (executor.trigger.kind === "tailordb") executorUsedTypes.add(executor.trigger.typeName);
 	for (const tailordb of tailordbs) {
 		const types = filteredTypesByNamespace?.get(tailordb.namespace) ?? tailordb.types;
 		for (const typeName of Object.keys(types)) {
@@ -5984,13 +6472,14 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 	}
 	for (const tailordb of tailordbs) {
 		const existingTypes = await fetchTypes(tailordb.namespace);
-		const existingNameSet = /* @__PURE__ */ new Set();
-		existingTypes.forEach((type) => existingNameSet.add(type.name));
+		const existingTypesMap = new Map(existingTypes.map((type) => [type.name, type]));
 		const types = filteredTypesByNamespace?.get(tailordb.namespace) ?? tailordb.types;
 		for (const typeName of Object.keys(types)) {
 			const tailordbType = generateTailorDBTypeManifest(types[typeName], executorUsedTypes, tailordb.config.gqlOperations);
-			if (existingNameSet.has(typeName)) {
-				changeSet.updates.push({
+			const existingType = existingTypesMap.get(typeName);
+			if (existingType) {
+				if (!forceApplyAll && areNormalizedEqual(normalizeComparableTailorDBType(existingType), normalizeComparableTailorDBType(tailordbType))) changeSet.unchanged.push({ name: typeName });
+				else changeSet.updates.push({
 					name: typeName,
 					request: {
 						workspaceId,
@@ -5998,7 +6487,7 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 						tailordbType
 					}
 				});
-				existingNameSet.delete(typeName);
+				existingTypesMap.delete(typeName);
 			} else changeSet.creates.push({
 				name: typeName,
 				request: {
@@ -6008,7 +6497,7 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 				}
 			});
 		}
-		existingNameSet.forEach((name) => {
+		existingTypesMap.forEach((_type, name) => {
 			changeSet.deletes.push({
 				name,
 				request: {
@@ -6031,6 +6520,66 @@ async function planTypes(client, workspaceId, tailordbs, executors, deletedServi
 	});
 	return changeSet;
 }
+function isPlainObject(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+const tailordbCompareKnownDefaults = {
+	disableGqlOperations: {
+		create: false,
+		update: false,
+		delete: false,
+		read: false
+	},
+	emptyExpression: "",
+	numericStringPaths: new Set([
+		"schema.fields.*.serial.start",
+		"schema.fields.*.serial.maxValue",
+		"schema.settings.defaultQueryLimitSize",
+		"schema.settings.maxBulkUpsertSize"
+	])
+};
+function normalizeComparableTailorDBType(type) {
+	const normalized = normalizeProtoConfig(type);
+	return normalizeTailorDBCompareValue({
+		name: normalized?.name ?? "",
+		schema: {
+			description: normalized?.schema?.description ?? "",
+			fields: normalized?.schema?.fields ?? {},
+			relationships: normalized?.schema?.relationships ?? {},
+			settings: normalized?.schema?.settings ?? {},
+			indexes: normalized?.schema?.indexes ?? {},
+			files: normalized?.schema?.files ?? {},
+			permission: normalized?.schema?.permission ?? {}
+		}
+	}, []);
+}
+function normalizeTailorDBCompareValue(value, path) {
+	if (value === void 0 || value === null) return value;
+	if (typeof value === "number" || typeof value === "bigint" || typeof value === "string") {
+		if (matchesNumericStringPath(path) && isNumericLikeValue(value)) return String(value);
+		if (path.at(-1) === "expr" && value === tailordbCompareKnownDefaults.emptyExpression) return;
+		return value;
+	}
+	if (Array.isArray(value)) return value.map((item, index) => normalizeTailorDBCompareValue(item, [...path, index])).filter((item) => item !== void 0);
+	if (!isPlainObject(value)) return value;
+	const normalizedEntries = Object.entries(value).map(([key, entryValue]) => [key, normalizeTailorDBCompareValue(entryValue, [...path, key])]).filter(([, entryValue]) => entryValue !== void 0);
+	const normalizedObject = Object.fromEntries(normalizedEntries);
+	if (path.at(-1) === "fields" && Object.keys(normalizedObject).length === 0) return;
+	if (path.at(-1) === "disableGqlOperations" && areNormalizedEqual(normalizedObject, tailordbCompareKnownDefaults.disableGqlOperations)) return;
+	return normalizedObject;
+}
+function matchesNumericStringPath(path) {
+	const pathKey = path.map((segment) => String(segment)).join(".");
+	return [...tailordbCompareKnownDefaults.numericStringPaths].some((pattern) => {
+		const patternParts = pattern.split(".");
+		const pathParts = pathKey.split(".");
+		if (patternParts.length !== pathParts.length) return false;
+		return patternParts.every((part, index) => part === "*" || part === pathParts[index]);
+	});
+}
+function isNumericLikeValue(value) {
+	return typeof value === "number" || typeof value === "bigint" || /^-?\d+$/.test(value);
+}
 /**
 * Generate a TailorDB type manifest from parsed type
 * @param {TailorDBType} type - Parsed TailorDB type
@@ -6267,7 +6816,7 @@ function protoOperand(operand) {
 		value: fromJson(ValueSchema, operand)
 	} };
 }
-async function planGqlPermissions(client, workspaceId, tailordbs, deletedServices) {
+async function planGqlPermissions(client, workspaceId, tailordbs, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("TailorDB gqlPermissions");
 	const fetchGqlPermissions = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -6295,14 +6844,17 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 		for (const typeName of Object.keys(types)) {
 			const gqlPermission = types[typeName].permissions.gql;
 			if (!gqlPermission) continue;
+			const desiredPermission = protoGqlPermission(gqlPermission);
+			const existingPermission = existingGqlPermissions.find((entry) => entry.typeName === typeName);
 			if (existingNameSet.has(typeName)) {
-				changeSet.updates.push({
+				if (!forceApplyAll && existingPermission && areNormalizedEqual(normalizeComparableGqlPermission(existingPermission.permission), normalizeComparableGqlPermission(desiredPermission))) changeSet.unchanged.push({ name: typeName });
+				else changeSet.updates.push({
 					name: typeName,
 					request: {
 						workspaceId,
 						namespaceName: tailordb.namespace,
 						typeName,
-						permission: protoGqlPermission(gqlPermission)
+						permission: desiredPermission
 					}
 				});
 				existingNameSet.delete(typeName);
@@ -6312,7 +6864,7 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 					workspaceId,
 					namespaceName: tailordb.namespace,
 					typeName,
-					permission: protoGqlPermission(gqlPermission)
+					permission: desiredPermission
 				}
 			});
 		}
@@ -6339,6 +6891,12 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 	});
 	return changeSet;
 }
+function normalizeComparableGqlPermission(permission) {
+	return { policies: (normalizeProtoConfig(permission)?.policies ?? []).map((policy) => ({
+		...policy,
+		actions: [...policy.actions ?? []].sort((left, right) => left - right)
+	})) };
+}
 function protoGqlPermission(permission) {
 	return { policies: permission.map((policy) => protoGqlPolicy(policy)) };
 }
@@ -6503,7 +7061,7 @@ function formatMigrationCheckResults(results) {
 async function applyWorkflow(client, result, phase = "create-update") {
 	const { changeSet, appName } = result;
 	if (phase === "create-update") {
-		const jobFunctionVersions = await registerJobFunctions(client, changeSet, appName);
+		const jobFunctionVersions = await registerJobFunctions(client, changeSet, appName, result.unchangedWorkflowJobNames);
 		await Promise.all([...changeSet.creates.map(async (create) => {
 			const filteredVersions = filterJobFunctionVersions(jobFunctionVersions, create.usedJobNames);
 			await client.createWorkflow({
@@ -6549,14 +7107,16 @@ function filterJobFunctionVersions(allVersions, usedJobNames) {
 * @param client - Operator client instance
 * @param changeSet - Workflow change set
 * @param appName - Application name
+* @param unchangedWorkflowJobNames - Job function names used by unchanged workflows
 * @returns Map of job function names to versions
 */
-async function registerJobFunctions(client, changeSet, appName) {
+async function registerJobFunctions(client, changeSet, appName, unchangedWorkflowJobNames = /* @__PURE__ */ new Set()) {
 	const jobFunctionVersions = {};
-	const firstWorkflow = changeSet.creates[0] || changeSet.updates[0];
+	const firstWorkflow = changeSet.creates[0] || changeSet.updates[0] || changeSet.deletes[0];
 	if (!firstWorkflow) return jobFunctionVersions;
 	const { workspaceId } = firstWorkflow;
 	const allUsedJobNames = /* @__PURE__ */ new Set();
+	unchangedWorkflowJobNames.forEach((jobName) => allUsedJobNames.add(jobName));
 	for (const item of [...changeSet.creates, ...changeSet.updates]) for (const jobName of item.usedJobNames) allUsedJobNames.add(jobName);
 	const existingJobFunctions = await fetchAll(async (pageToken, maxPageSize) => {
 		const response = await client.listWorkflowJobFunctions({
@@ -6567,23 +7127,25 @@ async function registerJobFunctions(client, changeSet, appName) {
 		return [response.jobFunctions.map((j) => j.name), response.nextPageToken];
 	});
 	const existingJobNamesSet = new Set(existingJobFunctions);
-	const results = await Promise.all(Array.from(allUsedJobNames).map(async (jobName) => {
-		const response = existingJobNamesSet.has(jobName) ? await client.updateWorkflowJobFunction({
-			workspaceId,
-			jobFunctionName: jobName,
-			scriptRef: workflowJobFunctionName(jobName)
-		}) : await client.createWorkflowJobFunction({
-			workspaceId,
-			jobFunctionName: jobName,
-			scriptRef: workflowJobFunctionName(jobName)
-		});
-		await client.setMetadata(await buildMetaRequest(jobFunctionTrn(workspaceId, jobName), appName));
-		return {
-			jobName,
-			version: response.jobFunction?.version
-		};
-	}));
-	for (const { jobName, version } of results) if (version) jobFunctionVersions[jobName] = version;
+	if (changeSet.creates.length > 0 || changeSet.updates.length > 0) {
+		const results = await Promise.all(Array.from(allUsedJobNames).map(async (jobName) => {
+			const response = existingJobNamesSet.has(jobName) ? await client.updateWorkflowJobFunction({
+				workspaceId,
+				jobFunctionName: jobName,
+				scriptRef: workflowJobFunctionName(jobName)
+			}) : await client.createWorkflowJobFunction({
+				workspaceId,
+				jobFunctionName: jobName,
+				scriptRef: workflowJobFunctionName(jobName)
+			});
+			await client.setMetadata(await buildMetaRequest(jobFunctionTrn(workspaceId, jobName), appName));
+			return {
+				jobName,
+				version: response.jobFunction?.version
+			};
+		}));
+		for (const { jobName, version } of results) if (version) jobFunctionVersions[jobName] = version;
+	}
 	const unusedJobFunctions = existingJobFunctions.filter((jobName) => !allUsedJobNames.has(jobName));
 	await Promise.all(unusedJobFunctions.map(async (jobName) => {
 		const { metadata } = await client.getMetadata({ trn: jobFunctionTrn(workspaceId, jobName) });
@@ -6611,7 +7173,7 @@ function toRetryPolicy(policy) {
 		backoffMultiplier: policy.backoffMultiplier
 	};
 }
-function workflowTrn(workspaceId, name) {
+function workflowTrn$1(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:workflow:${name}`;
 }
 function jobFunctionTrn(workspaceId, name) {
@@ -6624,35 +7186,35 @@ function jobFunctionTrn(workspaceId, name) {
 * @param appName - Application name
 * @param workflows - Parsed workflows
 * @param mainJobDeps - Main job dependencies by workflow
+* @param unchangedJobFunctions - Job functions already proven unchanged by function registry plan
 * @returns Planned workflow changes
 */
-async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps) {
+async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps, unchangedJobFunctions = /* @__PURE__ */ new Set()) {
 	const changeSet = createChangeSet("Workflows");
 	const conflicts = [];
 	const unmanaged = [];
 	const resourceOwners = /* @__PURE__ */ new Set();
+	const unchangedWorkflowJobNames = /* @__PURE__ */ new Set();
 	const withoutLabel = await fetchAll(async (pageToken, maxPageSize) => {
 		const response = await client.listWorkflows({
 			workspaceId,
 			pageToken,
 			pageSize: maxPageSize
 		});
-		return [response.workflows.map((w) => ({
-			id: w.id,
-			name: w.name
-		})), response.nextPageToken];
+		return [response.workflows, response.nextPageToken];
 	});
 	const existingWorkflows = {};
 	await Promise.all(withoutLabel.map(async (resource) => {
-		const { metadata } = await client.getMetadata({ trn: workflowTrn(workspaceId, resource.name) });
+		const { metadata } = await client.getMetadata({ trn: workflowTrn$1(workspaceId, resource.name) });
 		existingWorkflows[resource.name] = {
 			resource,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	for (const workflow of Object.values(workflows)) {
 		const existing = existingWorkflows[workflow.name];
-		const metaRequest = await buildMetaRequest(workflowTrn(workspaceId, workflow.name), appName);
+		const metaRequest = await buildMetaRequest(workflowTrn$1(workspaceId, workflow.name), appName);
 		const usedJobNames = mainJobDeps[workflow.mainJob.name];
 		if (!usedJobNames) throw new Error(`Job "${workflow.mainJob.name}" (mainJob of workflow "${workflow.name}") was not found.\n\nPossible causes:\n  - The job is not exported as a named export\n  - The file containing the job is not included in workflow.files glob pattern\n\nSolution:\n  export const ${workflow.mainJob.name} = createWorkflowJob({ name: "${workflow.mainJob.name}", ... })`);
 		if (existing) {
@@ -6665,7 +7227,10 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 				resourceName: workflow.name,
 				currentOwner: existing.label
 			});
-			changeSet.updates.push({
+			if (existing.label === appName && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && canTreatWorkflowAsUnchanged(existing.resource, workflow, usedJobNames, unchangedJobFunctions)) {
+				changeSet.unchanged.push({ name: workflow.name });
+				for (const jobName of usedJobNames) unchangedWorkflowJobNames.add(jobName);
+			} else changeSet.updates.push({
 				name: workflow.name,
 				workspaceId,
 				workflow,
@@ -6696,12 +7261,158 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 		conflicts,
 		unmanaged,
 		resourceOwners,
-		appName
+		appName,
+		unchangedWorkflowJobNames
+	};
+}
+function canTreatWorkflowAsUnchanged(existing, workflow, usedJobNames, unchangedJobFunctions) {
+	if (!usedJobNames.every((jobName) => unchangedJobFunctions.has(jobName))) return false;
+	return areWorkflowsEqual(existing, workflow, usedJobNames);
+}
+function areWorkflowsEqual(existing, workflow, usedJobNames) {
+	return existing.mainJobFunctionName === workflow.mainJob.name && areNormalizedEqual(normalizeComparableExistingWorkflowRetryPolicy(existing.retryPolicy), normalizeComparableWorkflowRetryPolicy(workflow.retryPolicy)) && areNormalizedEqual(normalizeComparableWorkflowJobNames(existing.jobFunctions), normalizeComparableWorkflowJobNames(usedJobNames));
+}
+function normalizeComparableExistingWorkflowRetryPolicy(policy) {
+	if (!policy) return;
+	return normalizeRetryPolicyForCompare({
+		maxRetries: policy.maxRetries ?? 0,
+		backoffMultiplier: policy.backoffMultiplier ?? 0,
+		initialBackoff: {
+			seconds: policy.initialBackoff?.seconds ?? 0n,
+			nanos: policy.initialBackoff?.nanos ?? 0
+		},
+		maxBackoff: {
+			seconds: policy.maxBackoff?.seconds ?? 0n,
+			nanos: policy.maxBackoff?.nanos ?? 0
+		}
+	});
+}
+function normalizeComparableWorkflowRetryPolicy(policy) {
+	if (!policy) return;
+	return normalizeRetryPolicyForCompare({
+		maxRetries: policy.maxRetries,
+		backoffMultiplier: policy.backoffMultiplier,
+		initialBackoff: parseDurationToProto(policy.initialBackoff),
+		maxBackoff: parseDurationToProto(policy.maxBackoff)
+	});
+}
+function normalizeComparableWorkflowJobNames(jobFunctions) {
+	return Array.isArray(jobFunctions) ? [...jobFunctions].sort() : Object.keys(jobFunctions ?? {}).sort();
+}
+function normalizeRetryPolicyForCompare(policy) {
+	return {
+		maxRetries: policy.maxRetries,
+		backoffMultiplier: policy.backoffMultiplier,
+		initialBackoff: {
+			seconds: String(policy.initialBackoff.seconds),
+			nanos: policy.initialBackoff.nanos
+		},
+		maxBackoff: {
+			seconds: String(policy.maxBackoff.seconds),
+			nanos: policy.maxBackoff.nanos
+		}
 	};
 }
 
 //#endregion
 //#region src/cli/commands/apply/apply.ts
+function applicationTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:application:${name}`;
+}
+function functionRegistryTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
+}
+function pipelineTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:pipeline:${name}`;
+}
+function idpTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:idp:${name}`;
+}
+function authTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:auth:${name}`;
+}
+function executorTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:executor:${name}`;
+}
+function workflowTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:workflow:${name}`;
+}
+function staticWebsiteTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:staticwebsite:${name}`;
+}
+function tailorDBTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:tailordb:${name}`;
+}
+function vaultTrn(workspaceId, name) {
+	return `trn:v1:workspace:${workspaceId}:vault:${name}`;
+}
+async function shouldForceApplyAll(client, workspaceId, application, functionEntries) {
+	const desiredLabels = (await buildMetaRequest(applicationTrn(workspaceId, application.name), application.name)).labels;
+	const candidateTrns = /* @__PURE__ */ new Set();
+	if (application.subgraphs.length > 0) candidateTrns.add(applicationTrn(workspaceId, application.name));
+	application.staticWebsiteServices.forEach((website) => {
+		candidateTrns.add(staticWebsiteTrn(workspaceId, website.name));
+	});
+	application.resolverServices.forEach((pipeline) => {
+		candidateTrns.add(pipelineTrn(workspaceId, pipeline.namespace));
+	});
+	application.idpServices.forEach((idp) => {
+		candidateTrns.add(idpTrn(workspaceId, idp.name));
+	});
+	if (application.authService) candidateTrns.add(authTrn(workspaceId, application.authService.config.name));
+	Object.values(application.executorService?.executors ?? {}).forEach((executor) => {
+		candidateTrns.add(executorTrn(workspaceId, executor.name));
+	});
+	Object.values(application.workflowService?.workflows ?? {}).forEach((workflow) => {
+		candidateTrns.add(workflowTrn(workspaceId, workflow.name));
+	});
+	application.tailorDBServices.forEach((service) => {
+		candidateTrns.add(tailorDBTrn(workspaceId, service.namespace));
+	});
+	application.secrets.forEach((vault) => {
+		candidateTrns.add(vaultTrn(workspaceId, vault.vaultName));
+	});
+	functionEntries.forEach((entry) => {
+		candidateTrns.add(functionRegistryTrn(workspaceId, entry.name));
+	});
+	for (const trn of candidateTrns) try {
+		const { metadata } = await client.getMetadata({ trn });
+		if (metadata?.labels?.["sdk-name"] !== application.name) continue;
+		if (!hasMatchingSdkVersion(metadata.labels, desiredLabels)) return true;
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.NotFound) continue;
+		throw error;
+	}
+	return false;
+}
+function printPlanSummary(results) {
+	const summary = summarizeChangeSets([
+		results.functionRegistry.changeSet,
+		results.tailorDB.changeSet.service,
+		results.tailorDB.changeSet.type,
+		results.tailorDB.changeSet.gqlPermission,
+		results.staticWebsite.changeSet,
+		results.idp.changeSet.service,
+		results.idp.changeSet.client,
+		results.auth.changeSet.service,
+		results.auth.changeSet.idpConfig,
+		results.auth.changeSet.userProfileConfig,
+		results.auth.changeSet.tenantConfig,
+		results.auth.changeSet.machineUser,
+		results.auth.changeSet.oauth2Client,
+		results.auth.changeSet.authHook,
+		results.auth.changeSet.scim,
+		results.auth.changeSet.scimResource,
+		results.pipeline.changeSet.service,
+		results.pipeline.changeSet.resolver,
+		results.app,
+		results.executor.changeSet,
+		results.workflow.changeSet,
+		results.secretManager.vaultChangeSet,
+		results.secretManager.secretChangeSet
+	]);
+	logger.log(formatPlanSummary(summary));
+}
 /**
 * Apply the configured application to the Tailor platform.
 * @param options - Options for apply execution
@@ -6775,9 +7486,10 @@ async function apply(options) {
 		rootSpan.setAttribute("app.name", application.name);
 		rootSpan.setAttribute("workspace.id", workspaceId);
 		const workflowService = application.workflowService;
-		const functionEntries = collectFunctionEntries(application, workflowService?.jobs ?? [], bundledScripts);
+		const functionEntries = collectFunctionEntries(application, filterBundledWorkflowJobs(workflowService?.jobs ?? [], workflowBuildResult?.usedJobNames ?? []), bundledScripts);
 		const dryRun = options?.dryRun ?? false;
 		const yes = options?.yes ?? false;
+		const forceApplyAll = await withSpan("plan.detectSdkVersionChange", () => shouldForceApplyAll(client, workspaceId, application, functionEntries));
 		const { functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
 			const ctx = {
 				client,
@@ -6785,10 +7497,12 @@ async function apply(options) {
 				application,
 				forRemoval: false,
 				config,
-				noSchemaCheck: options?.noSchemaCheck
+				noSchemaCheck: options?.noSchemaCheck,
+				forceApplyAll
 			};
-			const [functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
-				withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, functionEntries)),
+			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, functionEntries));
+			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.map((entry) => entry.name).filter((name) => name.startsWith("workflow--")).map((name) => name.slice(10)));
+			const [tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
 				withSpan("plan.staticWebsite", () => planStaticWebsite(ctx)),
 				withSpan("plan.idp", () => planIdP(ctx)),
@@ -6796,7 +7510,7 @@ async function apply(options) {
 				withSpan("plan.pipeline", () => planPipeline(ctx)),
 				withSpan("plan.application", () => planApplication(ctx)),
 				withSpan("plan.executor", () => planExecutor(ctx)),
-				withSpan("plan.workflow", () => planWorkflow(client, workspaceId, application.name, workflowService?.workflows ?? {}, workflowBuildResult?.mainJobDeps ?? {})),
+				withSpan("plan.workflow", () => planWorkflow(client, workspaceId, application.name, workflowService?.workflows ?? {}, workflowBuildResult?.mainJobDeps ?? {}, unchangedWorkflowJobs)),
 				withSpan("plan.secretManager", () => planSecretManager(ctx))
 			]);
 			return {
@@ -6882,6 +7596,18 @@ async function apply(options) {
 				}
 			});
 		});
+		printPlanSummary({
+			functionRegistry,
+			tailorDB,
+			staticWebsite,
+			idp,
+			auth,
+			pipeline,
+			app,
+			executor,
+			workflow,
+			secretManager
+		});
 		if (dryRun) {
 			logger.info("Dry run enabled. No changes applied.");
 			return;
@@ -10965,7 +11691,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-Cwt_ifTT.mjs");
+	const { defineApplication } = await import("./application-dnB8CQiT.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -13170,4 +13896,4 @@ function isDeno() {
 
 //#endregion
 export { getFolder as $, getNextMigrationNumber as $t, listWorkflows as A, functionExecutionStatusToString as At, updateCommand$1 as B, DB_TYPES_FILE_NAME as Bt, listApps as C, startCommand as Ct, resumeCommand as D, executionsCommand as Dt, healthCommand as E, getWorkflow as Et, show as F, executeScript as Ft, listOrganizations as G, compareLocalTypesWithSnapshot as Gt, organizationTree as H, INITIAL_SCHEMA_NUMBER as Ht, showCommand as I, waitForExecution$1 as It, updateCommand$2 as J, formatMigrationNumber as Jt, getCommand$1 as K, compareSnapshots as Kt, logBetaWarning as L, MIGRATION_LABEL_KEY as Lt, truncateCommand as M, getCommand$5 as Mt, generate as N, getExecutor as Nt, resumeWorkflow as O, getWorkflowExecution as Ot, generateCommand as P, apply as Pt, getCommand$2 as Q, getMigrationFiles as Qt, remove as R, parseMigrationLabelNumber as Rt, createWorkspace as S, watchExecutorJob as St, getAppHealth as T, getCommand$4 as Tt, treeCommand as U, MIGRATE_FILE_NAME as Ut, updateOrganization as V, DIFF_FILE_NAME as Vt, listCommand$4 as W, SCHEMA_FILE_NAME as Wt, listCommand$5 as X, getMigrationDirPath as Xt, updateFolder as Y, getLatestMigrationNumber as Yt, listFolders as Z, getMigrationFilePath as Zt, getCommand as _, isVerbose as _n, listCommand$8 as _t, updateCommand as a, hasChanges as an, listOAuth2Clients as at, deleteWorkspace as b, jobsCommand as bt, removeUser as c, sdkNameLabelKey as cn, getMachineUserToken as ct, inviteCommand as d, apiCall as dn, listMachineUsers as dt, isValidMigrationNumber as en, deleteCommand$1 as et, inviteUser as f, apiCommand as fn, generate$1 as ft, listWorkspaces as g, deploymentArgs as gn, triggerExecutor as gt, listCommand$1 as h, confirmationArgs as hn, triggerCommand as ht, isCLIError as i, formatMigrationDiff as in, listCommand$6 as it, truncate as j, formatKeyValueTable as jt, listCommand$3 as k, listWorkflowExecutions as kt, listCommand as l, trnPrefix as ln, tokenCommand as lt, restoreWorkspace as m, commonArgs as mn, webhookCommand as mt, query as n, reconstructSnapshotFromMigrations as nn, createCommand$1 as nt, updateUser as o, getNamespacesWithMigrations as on, getCommand$3 as ot, restoreCommand as p, defineAppCommand as pn, listWebhookExecutors as pt, getOrganization as q, createSnapshotFromLocalTypes as qt, queryCommand as r, formatDiffSummary as rn, createFolder as rt, removeCommand as s, prompt as sn, getOAuth2Client as st, isNativeTypeScriptRuntime as t, loadDiff as tn, deleteFolder as tt, listUsers as u, generateUserTypes as un, listCommand$7 as ut, getWorkspace as v, workspaceArgs as vn, listExecutors as vt, listCommand$2 as w, startWorkflow as wt, createCommand as x, listExecutorJobs as xt, deleteCommand as y, getExecutorJob as yt, removeCommand$1 as z, bundleMigrationScript as zt };
-//# sourceMappingURL=runtime-7DOyTTxR.mjs.map
+//# sourceMappingURL=runtime-CDvdBV66.mjs.map