@tailor-platform/sdk 1.33.1 → 1.34.0

package/dist/{index-0H-YH8Ya.d.mts → index-DTJkkO-t.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as Plugin } from "./plugin-DQqzlulP.mjs";
+import { n as Plugin } from "./plugin-D8hKE6rZ.mjs";
 
 //#region src/plugin/builtin/kysely-type/index.d.ts
 /** Unique identifier for the Kysely type generator plugin. */
@@ -16,4 +16,4 @@ type KyselyTypePluginOptions = {
 declare function kyselyTypePlugin(options: KyselyTypePluginOptions): Plugin<unknown, KyselyTypePluginOptions>;
 //#endregion
 export { kyselyTypePlugin as n, KyselyGeneratorID as t };
-//# sourceMappingURL=index-0H-YH8Ya.d.mts.map
+//# sourceMappingURL=index-DTJkkO-t.d.mts.map

package/dist/{index-BM2SqNfO.d.mts → index-niQ9Qblw.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as Plugin } from "./plugin-DQqzlulP.mjs";
+import { n as Plugin } from "./plugin-D8hKE6rZ.mjs";
 
 //#region src/plugin/builtin/enum-constants/index.d.ts
 /** Unique identifier for the enum constants generator plugin. */
@@ -16,4 +16,4 @@ type EnumConstantsPluginOptions = {
 declare function enumConstantsPlugin(options: EnumConstantsPluginOptions): Plugin<unknown, EnumConstantsPluginOptions>;
 //#endregion
 export { enumConstantsPlugin as n, EnumConstantsGeneratorID as t };
-//# sourceMappingURL=index-BM2SqNfO.d.mts.map
+//# sourceMappingURL=index-niQ9Qblw.d.mts.map

package/dist/{index-BU6fmwJC.d.mts → index-qVqjEYnr.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as Plugin } from "./plugin-DQqzlulP.mjs";
+import { n as Plugin } from "./plugin-D8hKE6rZ.mjs";
 
 //#region src/plugin/builtin/seed/index.d.ts
 /** Unique identifier for the seed generator plugin. */
@@ -18,4 +18,4 @@ type SeedPluginOptions = {
 declare function seedPlugin(options: SeedPluginOptions): Plugin<unknown, SeedPluginOptions>;
 //#endregion
 export { seedPlugin as n, SeedGeneratorID as t };
-//# sourceMappingURL=index-BU6fmwJC.d.mts.map
+//# sourceMappingURL=index-qVqjEYnr.d.mts.map

package/dist/plugin/builtin/enum-constants/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "../../../index-BM2SqNfO.mjs";
+import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "../../../index-niQ9Qblw.mjs";
 export { EnumConstantsGeneratorID, enumConstantsPlugin };

package/dist/plugin/builtin/file-utils/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "../../../index-mAV9kYJA.mjs";
+import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "../../../index-D4pBPp65.mjs";
 export { FileUtilsGeneratorID, fileUtilsPlugin };

package/dist/plugin/builtin/kysely-type/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "../../../index-0H-YH8Ya.mjs";
+import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "../../../index-DTJkkO-t.mjs";
 export { KyselyGeneratorID, kyselyTypePlugin };

package/dist/plugin/builtin/seed/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as seedPlugin, t as SeedGeneratorID } from "../../../index-BU6fmwJC.mjs";
+import { n as seedPlugin, t as SeedGeneratorID } from "../../../index-qVqjEYnr.mjs";
 export { SeedGeneratorID, seedPlugin };

package/dist/plugin/index.d.mts

@@ -1,6 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { z as TailorAnyDBType } from "../plugin-DQqzlulP.mjs";
-import { n as TailorEnv, r as TailorActor } from "../env-BvIWsJxg.mjs";
+import { B as TailorAnyDBType, ct as TailorEnv, lt as TailorActor } from "../plugin-D8hKE6rZ.mjs";
 
 //#region src/plugin/with-context.d.ts
 /**

package/dist/{plugin-DQqzlulP.d.mts → plugin-D8hKE6rZ.d.mts}

@@ -377,6 +377,25 @@ type Resolver = {
 };
 type ResolverInput = Resolver;
 //#endregion
+//#region src/types/auth-connection.generated.d.ts
+type AuthConnectionOAuth2Config = {
+  /** OAuth2 provider URL */providerUrl: string; /** OAuth2 issuer URL */
+  issuerUrl: string; /** OAuth2 client ID */
+  clientId: string; /** OAuth2 client secret */
+  clientSecret: string; /** OAuth2 authorization endpoint override */
+  authUrl?: string | undefined; /** OAuth2 token endpoint override */
+  tokenUrl?: string | undefined;
+};
+type AuthConnectionConfig = {
+  type: "oauth2";
+  providerUrl: string;
+  issuerUrl: string;
+  clientId: string;
+  clientSecret: string;
+  authUrl?: string | undefined;
+  tokenUrl?: string | undefined;
+};
+//#endregion
 //#region src/configure/types/field.d.ts
 type AllowedValue = EnumValue;
 type AllowedValues = readonly [string | EnumValue, ...(string | EnumValue)[]];
@@ -418,6 +437,31 @@ type TailorUser = {
 /** Represents an unauthenticated user in the Tailor platform. */
 declare const unauthenticatedTailorUser: TailorUser;
 //#endregion
+//#region src/configure/types/actor.d.ts
+/** User type enum values from the Tailor Platform server. */
+type TailorActorType = "USER_TYPE_USER" | "USER_TYPE_MACHINE_USER" | "USER_TYPE_UNSPECIFIED";
+/** Represents an actor in event triggers. */
+type TailorActor = {
+  /** The ID of the workspace the user belongs to. */workspaceId: string; /** The ID of the user. */
+  userId: string;
+  /**
+   * A map of the user's attributes.
+   * Maps from server's `attributeMap` field.
+   */
+  attributes: InferredAttributeMap | null;
+  /**
+   * A list of the user's attributes.
+   * Maps from server's `attributes` field.
+   */
+  attributeList: InferredAttributeList; /** The type of the user. */
+  userType: TailorActorType;
+};
+//#endregion
+//#region src/configure/types/env.d.ts
+interface Env {}
+/** Represents environment variables in the Tailor platform. */
+type TailorEnv = keyof Env extends never ? Record<string, string> : Env;
+//#endregion
 //#region src/configure/types/helpers.d.ts
 type Prettify<T> = { [K in keyof T as string extends K ? never : K]: T[K] } & {};
 type DeepWritable<T> = T extends Date | RegExp | Function ? T : T extends object ? { -readonly [P in keyof T]: DeepWritable<T[P]> } & {} : T;
@@ -1525,6 +1569,13 @@ type SCIMAttributeType = SCIMAttribute["type"];
 type AuthInvokerWithName<M extends string> = Omit<AuthInvoker, "machineUserName"> & {
   machineUserName: M;
 };
+/** Result of retrieving a connection token at runtime. */
+type AuthConnectionTokenResult = {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expiry?: string;
+};
 type ValueOperand = string | boolean | string[] | boolean[];
 type AuthAttributeValue = ValueOperand | null | undefined;
 type UserFieldKeys<User extends TailorDBInstance> = keyof output<User> & string;
@@ -1608,7 +1659,7 @@ type BeforeLoginHook<MachineUserNames extends string> = {
 type AuthHooks<MachineUserNames extends string> = {
   beforeLogin?: BeforeLoginHook<MachineUserNames>;
 };
-type AuthServiceInput<User extends TailorDBInstance, AttributeMap extends UserAttributeMap<User>, AttributeList extends UserAttributeListKey<User>[], MachineUserNames extends string, MachineUserAttributes extends MachineUserAttributeFields | undefined = MachineUserAttributeFields | undefined> = {
+type AuthServiceInput<User extends TailorDBInstance, AttributeMap extends UserAttributeMap<User>, AttributeList extends UserAttributeListKey<User>[], MachineUserNames extends string, MachineUserAttributes extends MachineUserAttributeFields | undefined = MachineUserAttributeFields | undefined, ConnectionNames extends string = string> = {
   hooks?: AuthHooks<MachineUserNames>;
   userProfile?: UserProfile<User, AttributeMap, AttributeList>;
   machineUserAttributes?: MachineUserAttributes;
@@ -1617,15 +1668,20 @@ type AuthServiceInput<User extends TailorDBInstance, AttributeMap extends UserAt
   idProvider?: IdProvider;
   scim?: SCIMConfig;
   tenantProvider?: TenantProvider;
+  connections?: Record<ConnectionNames, AuthConnectionConfig>;
   publishSessionEvents?: boolean;
 };
 declare const authDefinitionBrand: unique symbol;
 type AuthDefinitionBrand = {
   readonly [authDefinitionBrand]: true;
 };
+type ConnectionNames<Config> = Config extends {
+  connections?: Record<infer K, unknown>;
+} ? K & string : string;
 type DefinedAuth<Name extends string, Config, MachineUserNames extends string> = Config & {
   name: Name;
   invoker<M extends MachineUserNames>(machineUser: M): AuthInvokerWithName<M>;
+  getConnectionToken<C extends ConnectionNames<Config>>(connectionName: C): Promise<AuthConnectionTokenResult>;
 } & AuthDefinitionBrand;
 type AuthExternalConfig = {
   name: string;
@@ -2037,5 +2093,5 @@ interface Plugin<TypeConfig = unknown, PluginConfig = unknown> {
   onExecutorReady?(context: ExecutorReadyContext<PluginConfig>): GeneratorResult | Promise<GeneratorResult>;
 }
 //#endregion
-export { FieldOutput$1 as $, DefinedAuth as A, BuiltinIdP as At, TailorDBField as B, SCIMResource as Bt, TailorDBType as C, IncomingWebhookTrigger as Ct, AuthOwnConfig as D, WebhookOperation as Dt, AuthExternalConfig as E, TailorDBTrigger as Et, UserAttributeMap as F, SAML as Ft, TailorTypeGqlPermission as G, TailorDBType$1 as H, UsernameFieldKey as I, SCIMAttribute as It, unsafeAllowAllTypePermission as J, TailorTypePermission as K, ValueOperand as L, SCIMAttributeMapping as Lt, SCIMAttributeType as M, IdProvider as Mt, UserAttributeKey as N, OAuth2ClientInput as Nt, AuthServiceInput as O, WorkflowOperation as Ot, UserAttributeListKey as P, OIDC as Pt, FieldOptions as Q, TailorAnyDBField as R, SCIMAuthorization as Rt, TailorDBServiceInput as S, IdpUserTrigger as St, AuthConfig as T, ScheduleTriggerInput as Tt, db as U, TailorDBInstance as V, TenantProvider as Vt, PermissionCondition as W, DefinedFieldMetadata as X, ArrayFieldOutput as Y, FieldMetadata as Z, GeneratorResult as _, AuthAccessTokenTrigger as _t, PluginExecutorContext as a, output as at, TailorDBNamespaceData as b, FunctionOperation as bt, PluginGeneratedExecutorWithFile as c, InferredAttributeList as ct, PluginNamespaceProcessContext as d, unauthenticatedTailorUser as dt, TailorFieldType as et, PluginOutput as f, AllowedValues as ft, ExecutorReadyContext as g, GeneratorConfig as gt, TypePluginOutput as h, ResolverInput as ht, PluginConfigs as i, JsonCompatible as it, OAuth2ClientGrantType as j, IDToken as jt, BeforeLoginHookArgs as k, AuthInvoker as kt, PluginGeneratedResolver as l, InferredAttributeMap as lt, TailorDBTypeForPlugin as m, Resolver as mt, Plugin as n, TailorField as nt, PluginExecutorContextBase as o, AttributeList as ot, PluginProcessContext as p, AllowedValuesOutput as pt, unsafeAllowAllGqlPermission as q, PluginAttachment as r, InferFieldsOutput as rt, PluginGeneratedExecutor as s, AttributeMap as st, NamespacePluginOutput as t, TailorAnyField as tt, PluginGeneratedType as u, TailorUser as ut, ResolverNamespaceData as v, Executor as vt, TypeSourceInfoEntry as w, ResolverExecutedTrigger as wt, TailorDBReadyContext as x, GqlOperation as xt, ResolverReadyContext as y, ExecutorInput as yt, TailorAnyDBType as z, SCIMConfig as zt };
-//# sourceMappingURL=plugin-DQqzlulP.d.mts.map
+export { FieldOptions as $, BeforeLoginHookArgs as A, TailorDBTrigger as At, TailorAnyDBType as B, SCIMAttribute as Bt, TailorDBType as C, ExecutorInput as Ct, AuthExternalConfig as D, IncomingWebhookTrigger as Dt, AuthConnectionTokenResult as E, IdpUserTrigger as Et, UserAttributeListKey as F, IDToken as Ft, PermissionCondition as G, TenantProvider as Gt, TailorDBInstance as H, SCIMAuthorization as Ht, UserAttributeMap as I, IdProvider as It, unsafeAllowAllGqlPermission as J, TailorTypeGqlPermission as K, UsernameFieldKey as L, OAuth2ClientInput as Lt, OAuth2ClientGrantType as M, WorkflowOperation as Mt, SCIMAttributeType as N, AuthInvoker as Nt, AuthOwnConfig as O, ResolverExecutedTrigger as Ot, UserAttributeKey as P, BuiltinIdP as Pt, FieldMetadata as Q, ValueOperand as R, OIDC as Rt, TailorDBServiceInput as S, Executor as St, AuthConfig as T, GqlOperation as Tt, TailorDBType$1 as U, SCIMConfig as Ut, TailorDBField as V, SCIMAttributeMapping as Vt, db as W, SCIMResource as Wt, ArrayFieldOutput as X, unsafeAllowAllTypePermission as Y, DefinedFieldMetadata as Z, GeneratorResult as _, AuthConnectionOAuth2Config as _t, PluginExecutorContext as a, JsonCompatible as at, TailorDBNamespaceData as b, GeneratorConfig as bt, PluginGeneratedExecutorWithFile as c, TailorEnv as ct, PluginNamespaceProcessContext as d, AttributeMap as dt, FieldOutput$1 as et, PluginOutput as f, TailorUser as ft, ExecutorReadyContext as g, AuthConnectionConfig as gt, TypePluginOutput as h, AllowedValuesOutput as ht, PluginConfigs as i, InferFieldsOutput as it, DefinedAuth as j, WebhookOperation as jt, AuthServiceInput as k, ScheduleTriggerInput as kt, PluginGeneratedResolver as l, TailorActor as lt, TailorDBTypeForPlugin as m, AllowedValues as mt, Plugin as n, TailorAnyField as nt, PluginExecutorContextBase as o, output as ot, PluginProcessContext as p, unauthenticatedTailorUser as pt, TailorTypePermission as q, PluginAttachment as r, TailorField as rt, PluginGeneratedExecutor as s, Env as st, NamespacePluginOutput as t, TailorFieldType as tt, PluginGeneratedType as u, AttributeList as ut, ResolverNamespaceData as v, Resolver as vt, TypeSourceInfoEntry as w, FunctionOperation as wt, TailorDBReadyContext as x, AuthAccessTokenTrigger as xt, ResolverReadyContext as y, ResolverInput as yt, TailorAnyDBField as z, SAML as zt };
+//# sourceMappingURL=plugin-D8hKE6rZ.d.mts.map

package/dist/{runtime-CDvdBV66.mjs → runtime-8G74KN_M.mjs}

@@ -1,9 +1,9 @@
 
-import { A as ExecutorTriggerType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_GrantType, G as Condition_Operator, H as UserProfileProviderConfig_UserProfileProviderType, I as AuthSCIMAttribute_Mutability, J as ApplicationSchemaUpdateAttemptStatus, K as FilterSchema, L as AuthSCIMAttribute_Type, M as AuthIDPConfig_AuthType, N as AuthInvokerSchema, O as ExecutorJobStatus, P as AuthOAuth2Client_ClientType, R as AuthSCIMAttribute_Uniqueness, S as TailorDBType_Permission_Permit, T as IdPLang, U as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, V as TenantProviderConfig_TenantProviderType, W as ConditionSchema, Y as Subgraph_ServiceType, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthHookPoint, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as PageDirection, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMConfig_AuthorizationType } from "./client-CYGsf3Zl.mjs";
+import { A as ExecutorTriggerType, B as AuthSCIMConfig_AuthorizationType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_ClientType, G as ConditionSchema, H as TenantProviderConfig_TenantProviderType, I as AuthOAuth2Client_GrantType, J as PageDirection, K as Condition_Operator, L as AuthSCIMAttribute_Mutability, M as AuthHookPoint, N as AuthIDPConfig_AuthType, O as ExecutorJobStatus, P as AuthInvokerSchema, R as AuthSCIMAttribute_Type, S as TailorDBType_Permission_Permit, T as IdPLang, U as UserProfileProviderConfig_UserProfileProviderType, W as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthConnection_Type, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as FilterSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Uniqueness } from "./client-CA2NM_4R.mjs";
 import { t as db } from "./schema-D27cW0Ca.mjs";
 import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-qz-Y4sBV.mjs";
 import { t as readPackageJson } from "./package-json-CfUqjJaQ.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-CYPU-WIc.mjs";
+import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-CluuzA0-.mjs";
 import { r as withSpan } from "./telemetry-CREcGK8y.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
@@ -37,7 +37,7 @@ import { spawn } from "node:child_process";
 import { watch } from "chokidar";
 import * as madgeModule from "madge";
 import { createInterface } from "node:readline/promises";
-import { astVisitor, parse, toSql } from "pgsql-ast-parser";
+import { astVisitor, parse } from "pgsql-ast-parser";
 import { parse as parse$1 } from "@0no-co/graphql.web";
 
 //#region src/cli/shared/args.ts
@@ -1217,6 +1217,276 @@ function protoSubgraph(subgraph) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/apply/secrets-state.ts
+const SecretsStateSchema = z.object({
+	vaults: z.record(z.string(), z.record(z.string(), z.string())),
+	connections: z.record(z.string(), z.string()).optional()
+});
+/**
+* Get the file path for the secrets state JSON.
+* @returns Absolute path to secrets-state.json
+*/
+function getSecretsStatePath() {
+	return path.join(getDistDir(), "secrets-state.json");
+}
+/**
+* Load secrets hash state from disk.
+* @returns Persisted state, or empty state if file is missing or corrupted
+*/
+function loadSecretsState() {
+	const filePath = getSecretsStatePath();
+	if (!existsSync(filePath)) return { vaults: {} };
+	try {
+		const raw = readFileSync(filePath, "utf-8");
+		return SecretsStateSchema.parse(JSON.parse(raw));
+	} catch {
+		return { vaults: {} };
+	}
+}
+/**
+* Save secrets hash state to disk.
+* @param state - The secrets state to persist
+*/
+function saveSecretsState(state) {
+	const filePath = getSecretsStatePath();
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	writeFileSync(filePath, JSON.stringify(state, null, 2), "utf-8");
+}
+/**
+* Compute SHA-256 hex digest of a value.
+* @param value - The string to hash
+* @returns Hex-encoded SHA-256 hash
+*/
+function hashValue(value) {
+	return createHash("sha256").update(value).digest("hex");
+}
+
+//#endregion
+//#region src/cli/commands/apply/auth-connection.ts
+function connectionTrn(workspaceId, name) {
+	return `${trnPrefix(workspaceId)}:auth-connection:${name}`;
+}
+function buildConnectionRequest(workspaceId, name, config) {
+	return {
+		workspaceId,
+		connection: {
+			name,
+			type: AuthConnection_Type.OAUTH2,
+			config: {
+				case: "oauth2",
+				value: {
+					providerUrl: config.providerUrl,
+					issuerUrl: config.issuerUrl,
+					clientId: config.clientId,
+					clientSecret: config.clientSecret,
+					authUrl: config.authUrl ?? "",
+					tokenUrl: config.tokenUrl ?? ""
+				}
+			}
+		}
+	};
+}
+/**
+* Compute a hash of the full connection config for change detection.
+* @param config - Auth connection config
+* @returns SHA-256 hex digest
+*/
+function hashConnectionConfig(config) {
+	return hashValue(JSON.stringify({
+		type: config.type,
+		providerUrl: config.providerUrl,
+		issuerUrl: config.issuerUrl,
+		clientId: config.clientId,
+		clientSecret: config.clientSecret,
+		authUrl: config.authUrl ?? "",
+		tokenUrl: config.tokenUrl ?? ""
+	}));
+}
+/**
+* Check whether the non-secret fields of an existing connection differ from the desired config.
+* @param existing - Existing connection from the server
+* @param desired - Desired connection config
+* @returns true if any non-secret field has changed
+*/
+function hasNonSecretFieldChanged(existing, desired) {
+	if (existing.config.case !== "oauth2") return true;
+	const oauth2 = existing.config.value;
+	return oauth2.providerUrl !== desired.providerUrl || oauth2.issuerUrl !== desired.issuerUrl || oauth2.clientId !== desired.clientId || oauth2.authUrl !== (desired.authUrl ?? "") || oauth2.tokenUrl !== (desired.tokenUrl ?? "");
+}
+/**
+* Plan auth connection changes based on current and desired state.
+* @param client - Operator client instance
+* @param workspaceId - Workspace ID
+* @param appName - Application name for ownership
+* @param auths - Auth services with connection configs
+* @returns Planned changes for auth connections
+*/
+async function planAuthConnections(client, workspaceId, appName, auths) {
+	const changeSet = createChangeSet("Auth connections");
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const desiredConnections = {};
+	for (const auth of auths) if (auth.connections) for (const [name, config] of Object.entries(auth.connections)) desiredConnections[name] = config;
+	const existingList = await fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			const { connections, nextPageToken } = await client.listAuthConnections({
+				workspaceId,
+				pageToken,
+				pageSize: maxPageSize
+			});
+			return [connections, nextPageToken];
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+	const existingConnections = {};
+	let metadataSupported = true;
+	await Promise.all(existingList.map(async (resource) => {
+		try {
+			const { metadata } = await client.getMetadata({ trn: connectionTrn(workspaceId, resource.name) });
+			existingConnections[resource.name] = {
+				resource,
+				label: metadata?.labels[sdkNameLabelKey]
+			};
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.InvalidArgument) {
+				metadataSupported = false;
+				existingConnections[resource.name] = {
+					resource,
+					label: void 0
+				};
+			} else throw error;
+		}
+	}));
+	const state = loadSecretsState();
+	for (const [name, config] of Object.entries(desiredConnections)) {
+		const existing = existingConnections[name];
+		const metaRequest = metadataSupported ? await buildMetaRequest(connectionTrn(workspaceId, name), appName) : void 0;
+		if (existing) {
+			if (metadataSupported && !existing.label) unmanaged.push({
+				resourceType: "Auth connection",
+				resourceName: name
+			});
+			else if (existing.label && existing.label !== appName) conflicts.push({
+				resourceType: "Auth connection",
+				resourceName: name,
+				currentOwner: existing.label
+			});
+			const currentHash = hashConnectionConfig(config);
+			const storedHash = state.connections?.[name];
+			if (hasNonSecretFieldChanged(existing.resource, config) || currentHash !== storedHash) changeSet.replaces.push({
+				name,
+				revokeRequest: {
+					workspaceId,
+					connectionName: name
+				},
+				createRequest: buildConnectionRequest(workspaceId, name, config),
+				metaRequest
+			});
+			else changeSet.unchanged.push({ name });
+			delete existingConnections[name];
+		} else changeSet.creates.push({
+			name,
+			request: buildConnectionRequest(workspaceId, name, config),
+			metaRequest
+		});
+	}
+	for (const [name, entry] of Object.entries(existingConnections)) {
+		if (!entry) continue;
+		if (entry.label && entry.label !== appName) {
+			resourceOwners.add(entry.label);
+			continue;
+		}
+		if (entry.label === appName || !metadataSupported) changeSet.deletes.push({
+			name,
+			request: {
+				workspaceId,
+				connectionName: name
+			}
+		});
+	}
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
+}
+/**
+* Attempt to set metadata, silently ignoring InvalidArgument errors
+* when the platform does not yet support auth-connection TRNs.
+* @param client - Operator client instance
+* @param metaRequest - Metadata request to send
+*/
+async function trySetMetadata(client, metaRequest) {
+	try {
+		await client.setMetadata(metaRequest);
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.InvalidArgument) return;
+		throw error;
+	}
+}
+function extractOAuth2Config(connection) {
+	if (!connection) return void 0;
+	const config = connection.config;
+	if (!config || config.case !== "oauth2" || !config.value) return void 0;
+	const v = config.value;
+	return {
+		type: "oauth2",
+		providerUrl: v.providerUrl ?? "",
+		issuerUrl: v.issuerUrl ?? "",
+		clientId: v.clientId ?? "",
+		clientSecret: v.clientSecret ?? "",
+		authUrl: v.authUrl || void 0,
+		tokenUrl: v.tokenUrl || void 0
+	};
+}
+/**
+* Apply auth connection changes for the given phase.
+* @param client - Operator client instance
+* @param result - Planned auth connection changes
+* @param phase - Apply phase
+*/
+async function applyAuthConnections(client, result, phase) {
+	const { changeSet } = result;
+	if (phase === "create-update") {
+		await Promise.all(changeSet.creates.map(async (create) => {
+			await client.createAuthConnection(create.request);
+			if (create.metaRequest) await trySetMetadata(client, create.metaRequest);
+		}));
+		for (const replace of changeSet.replaces) {
+			await client.revokeAuthConnection(replace.revokeRequest);
+			await client.createAuthConnection(replace.createRequest);
+			if (replace.metaRequest) await trySetMetadata(client, replace.metaRequest);
+		}
+		const state = loadSecretsState();
+		if (!state.connections) state.connections = {};
+		for (const create of changeSet.creates) {
+			const oauth2 = extractOAuth2Config(create.request.connection);
+			if (oauth2) state.connections[create.name] = hashConnectionConfig(oauth2);
+		}
+		for (const replace of changeSet.replaces) {
+			const oauth2 = extractOAuth2Config(replace.createRequest.connection);
+			if (oauth2) state.connections[replace.name] = hashConnectionConfig(oauth2);
+		}
+		saveSecretsState(state);
+	} else if (phase === "delete-resources" || phase === "delete") {
+		await Promise.all(changeSet.deletes.map(async (del) => {
+			await client.revokeAuthConnection(del.request);
+		}));
+		if (changeSet.deletes.length > 0) {
+			const state = loadSecretsState();
+			if (state.connections) {
+				for (const del of changeSet.deletes) delete state.connections[del.name];
+				saveSecretsState(state);
+			}
+		}
+	}
+}
+
 //#endregion
 //#region src/cli/commands/apply/function-registry.ts
 const CHUNK_SIZE = 64 * 1024;
@@ -1869,6 +2139,7 @@ async function applyAuth(client, result, phase = "create-update") {
 			await client.updateAuthService(update.request);
 			await client.setMetadata(update.metaRequest);
 		})]);
+		if (changeSet.connection) await applyAuthConnections(client, { changeSet: changeSet.connection }, "create-update");
 		await Promise.all([...changeSet.idpConfig.creates.map(async (create) => {
 			if (create.idpConfig.kind === "BuiltInIdP") create.request.idpConfig.config = await protoBuiltinIdPConfig(client, create.request.workspaceId, create.idpConfig);
 			return client.createAuthIDPConfig(create.request);
@@ -1903,6 +2174,7 @@ async function applyAuth(client, result, phase = "create-update") {
 		await Promise.all(changeSet.tenantConfig.deletes.map((del) => client.deleteTenantConfig(del.request)));
 		await Promise.all(changeSet.userProfileConfig.deletes.map((del) => client.deleteUserProfileConfig(del.request)));
 		await Promise.all(changeSet.idpConfig.deletes.map((del) => client.deleteAuthIDPConfig(del.request)));
+		if (changeSet.connection) await applyAuthConnections(client, { changeSet: changeSet.connection }, "delete-resources");
 	} else if (phase === "delete-services") await Promise.all(changeSet.service.deletes.map((del) => client.deleteAuthService(del.request)));
 }
 /**
@@ -1919,7 +2191,7 @@ async function planAuth(context) {
 	}
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths, forceApplyAll);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
-	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet] = await Promise.all([
+	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet, connectionResult] = await Promise.all([
 		planIdPConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planUserProfileConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planTenantConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
@@ -1927,7 +2199,8 @@ async function planAuth(context) {
 		planAuthHooks(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planOAuth2Clients(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planSCIMConfigs(client, workspaceId, auths, deletedServices),
-		planSCIMResources(client, workspaceId, auths, deletedServices)
+		planSCIMResources(client, workspaceId, auths, deletedServices),
+		planAuthConnections(client, workspaceId, application.name, auths)
 	]);
 	serviceChangeSet.print();
 	idpConfigChangeSet.print();
@@ -1938,6 +2211,7 @@ async function planAuth(context) {
 	oauth2ClientChangeSet.print();
 	scimChangeSet.print();
 	scimResourceChangeSet.print();
+	connectionResult.changeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -1948,11 +2222,12 @@ async function planAuth(context) {
 			authHook: authHookChangeSet,
 			oauth2Client: oauth2ClientChangeSet,
 			scim: scimChangeSet,
-			scimResource: scimResourceChangeSet
+			scimResource: scimResourceChangeSet,
+			connection: connectionResult.changeSet
 		},
-		conflicts,
-		unmanaged,
-		resourceOwners
+		conflicts: [...conflicts, ...connectionResult.conflicts],
+		unmanaged: [...unmanaged, ...connectionResult.unmanaged],
+		resourceOwners: new Set([...resourceOwners, ...connectionResult.resourceOwners])
 	};
 }
 function trn$4(workspaceId, name) {
@@ -3832,48 +4107,6 @@ function protoFields(fields, baseName, isInput) {
 	});
 }
 
-//#endregion
-//#region src/cli/commands/apply/secrets-state.ts
-const SecretsStateSchema = z.object({ vaults: z.record(z.string(), z.record(z.string(), z.string())) });
-/**
-* Get the file path for the secrets state JSON.
-* @returns Absolute path to secrets-state.json
-*/
-function getSecretsStatePath() {
-	return path.join(getDistDir(), "secrets-state.json");
-}
-/**
-* Load secrets hash state from disk.
-* @returns Persisted state, or empty state if file is missing or corrupted
-*/
-function loadSecretsState() {
-	const filePath = getSecretsStatePath();
-	if (!existsSync(filePath)) return { vaults: {} };
-	try {
-		const raw = readFileSync(filePath, "utf-8");
-		return SecretsStateSchema.parse(JSON.parse(raw));
-	} catch {
-		return { vaults: {} };
-	}
-}
-/**
-* Save secrets hash state to disk.
-* @param state - The secrets state to persist
-*/
-function saveSecretsState(state) {
-	const filePath = getSecretsStatePath();
-	mkdirSync(path.dirname(filePath), { recursive: true });
-	writeFileSync(filePath, JSON.stringify(state, null, 2), "utf-8");
-}
-/**
-* Compute SHA-256 hex digest of a value.
-* @param value - The string to hash
-* @returns Hex-encoded SHA-256 hash
-*/
-function hashValue(value) {
-	return createHash("sha256").update(value).digest("hex");
-}
-
 //#endregion
 //#region src/cli/commands/apply/secret-manager.ts
 /**
@@ -7403,6 +7636,7 @@ function printPlanSummary(results) {
 		results.auth.changeSet.authHook,
 		results.auth.changeSet.scim,
 		results.auth.changeSet.scimResource,
+		...results.auth.changeSet.connection ? [results.auth.changeSet.connection] : [],
 		results.pipeline.changeSet.service,
 		results.pipeline.changeSet.resolver,
 		results.app,
@@ -11691,7 +11925,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-dnB8CQiT.mjs");
+	const { defineApplication } = await import("./application-CLKuNo-l.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -13819,14 +14053,12 @@ function printSingleSqlResult(execResult, options = {}) {
 	logger.out(`rows: ${execResult.rowCount}`);
 }
 function splitSqlStatements(query) {
-	try {
-		const statements = parse(query);
-		if (statements.length === 0) return [];
-		return statements.map((s) => toSql.statement(s));
-	} catch {
-		const trimmed = query.trim();
-		return trimmed.length > 0 ? [trimmed] : [];
-	}
+	const statements = parse(query, { locationTracking: true });
+	return statements.map((s, i) => {
+		const start = s._location.start;
+		const end = i + 1 < statements.length ? statements[i + 1]._location.start : query.length;
+		return query.substring(start, end);
+	});
 }
 function isSQLExecutionResultArray(value) {
 	return Array.isArray(value) && value.length > 0 && value.every(isSQLExecutionResult);
@@ -13896,4 +14128,4 @@ function isDeno() {
 
 //#endregion
 export { getFolder as $, getNextMigrationNumber as $t, listWorkflows as A, functionExecutionStatusToString as At, updateCommand$1 as B, DB_TYPES_FILE_NAME as Bt, listApps as C, startCommand as Ct, resumeCommand as D, executionsCommand as Dt, healthCommand as E, getWorkflow as Et, show as F, executeScript as Ft, listOrganizations as G, compareLocalTypesWithSnapshot as Gt, organizationTree as H, INITIAL_SCHEMA_NUMBER as Ht, showCommand as I, waitForExecution$1 as It, updateCommand$2 as J, formatMigrationNumber as Jt, getCommand$1 as K, compareSnapshots as Kt, logBetaWarning as L, MIGRATION_LABEL_KEY as Lt, truncateCommand as M, getCommand$5 as Mt, generate as N, getExecutor as Nt, resumeWorkflow as O, getWorkflowExecution as Ot, generateCommand as P, apply as Pt, getCommand$2 as Q, getMigrationFiles as Qt, remove as R, parseMigrationLabelNumber as Rt, createWorkspace as S, watchExecutorJob as St, getAppHealth as T, getCommand$4 as Tt, treeCommand as U, MIGRATE_FILE_NAME as Ut, updateOrganization as V, DIFF_FILE_NAME as Vt, listCommand$4 as W, SCHEMA_FILE_NAME as Wt, listCommand$5 as X, getMigrationDirPath as Xt, updateFolder as Y, getLatestMigrationNumber as Yt, listFolders as Z, getMigrationFilePath as Zt, getCommand as _, isVerbose as _n, listCommand$8 as _t, updateCommand as a, hasChanges as an, listOAuth2Clients as at, deleteWorkspace as b, jobsCommand as bt, removeUser as c, sdkNameLabelKey as cn, getMachineUserToken as ct, inviteCommand as d, apiCall as dn, listMachineUsers as dt, isValidMigrationNumber as en, deleteCommand$1 as et, inviteUser as f, apiCommand as fn, generate$1 as ft, listWorkspaces as g, deploymentArgs as gn, triggerExecutor as gt, listCommand$1 as h, confirmationArgs as hn, triggerCommand as ht, isCLIError as i, formatMigrationDiff as in, listCommand$6 as it, truncate as j, formatKeyValueTable as jt, listCommand$3 as k, listWorkflowExecutions as kt, listCommand as l, trnPrefix as ln, tokenCommand as lt, restoreWorkspace as m, commonArgs as mn, webhookCommand as mt, query as n, reconstructSnapshotFromMigrations as nn, createCommand$1 as nt, updateUser as o, getNamespacesWithMigrations as on, getCommand$3 as ot, restoreCommand as p, defineAppCommand as pn, listWebhookExecutors as pt, getOrganization as q, createSnapshotFromLocalTypes as qt, queryCommand as r, formatDiffSummary as rn, createFolder as rt, removeCommand as s, prompt as sn, getOAuth2Client as st, isNativeTypeScriptRuntime as t, loadDiff as tn, deleteFolder as tt, listUsers as u, generateUserTypes as un, listCommand$7 as ut, getWorkspace as v, workspaceArgs as vn, listExecutors as vt, listCommand$2 as w, startWorkflow as wt, createCommand as x, listExecutorJobs as xt, deleteCommand as y, getExecutorJob as yt, removeCommand$1 as z, bundleMigrationScript as zt };
-//# sourceMappingURL=runtime-CDvdBV66.mjs.map
+//# sourceMappingURL=runtime-8G74KN_M.mjs.map