@tailor-platform/sdk 1.33.2 → 1.35.0

package/dist/{runtime-CxDrzUC0.mjs → runtime-D4O-RfcH.mjs}

@@ -1,9 +1,9 @@
 
-import { A as ExecutorTriggerType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_GrantType, G as Condition_Operator, H as UserProfileProviderConfig_UserProfileProviderType, I as AuthSCIMAttribute_Mutability, J as ApplicationSchemaUpdateAttemptStatus, K as FilterSchema, L as AuthSCIMAttribute_Type, M as AuthIDPConfig_AuthType, N as AuthInvokerSchema, O as ExecutorJobStatus, P as AuthOAuth2Client_ClientType, R as AuthSCIMAttribute_Uniqueness, S as TailorDBType_Permission_Permit, T as IdPLang, U as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, V as TenantProviderConfig_TenantProviderType, W as ConditionSchema, Y as Subgraph_ServiceType, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthHookPoint, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as PageDirection, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMConfig_AuthorizationType } from "./client-CYGsf3Zl.mjs";
+import { A as ExecutorTriggerType, B as AuthSCIMConfig_AuthorizationType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_ClientType, G as ConditionSchema, H as TenantProviderConfig_TenantProviderType, I as AuthOAuth2Client_GrantType, J as PageDirection, K as Condition_Operator, L as AuthSCIMAttribute_Mutability, M as AuthHookPoint, N as AuthIDPConfig_AuthType, O as ExecutorJobStatus, P as AuthInvokerSchema, R as AuthSCIMAttribute_Type, S as TailorDBType_Permission_Permit, T as IdPLang, U as UserProfileProviderConfig_UserProfileProviderType, W as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthConnection_Type, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as FilterSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Uniqueness } from "./client-CA2NM_4R.mjs";
 import { t as db } from "./schema-D27cW0Ca.mjs";
 import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-qz-Y4sBV.mjs";
 import { t as readPackageJson } from "./package-json-CfUqjJaQ.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-CYPU-WIc.mjs";
+import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-BnJRroGX.mjs";
 import { r as withSpan } from "./telemetry-CREcGK8y.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
@@ -1217,6 +1217,276 @@ function protoSubgraph(subgraph) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/apply/secrets-state.ts
+const SecretsStateSchema = z.object({
+	vaults: z.record(z.string(), z.record(z.string(), z.string())),
+	connections: z.record(z.string(), z.string()).optional()
+});
+/**
+* Get the file path for the secrets state JSON.
+* @returns Absolute path to secrets-state.json
+*/
+function getSecretsStatePath() {
+	return path.join(getDistDir(), "secrets-state.json");
+}
+/**
+* Load secrets hash state from disk.
+* @returns Persisted state, or empty state if file is missing or corrupted
+*/
+function loadSecretsState() {
+	const filePath = getSecretsStatePath();
+	if (!existsSync(filePath)) return { vaults: {} };
+	try {
+		const raw = readFileSync(filePath, "utf-8");
+		return SecretsStateSchema.parse(JSON.parse(raw));
+	} catch {
+		return { vaults: {} };
+	}
+}
+/**
+* Save secrets hash state to disk.
+* @param state - The secrets state to persist
+*/
+function saveSecretsState(state) {
+	const filePath = getSecretsStatePath();
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	writeFileSync(filePath, JSON.stringify(state, null, 2), "utf-8");
+}
+/**
+* Compute SHA-256 hex digest of a value.
+* @param value - The string to hash
+* @returns Hex-encoded SHA-256 hash
+*/
+function hashValue(value) {
+	return createHash("sha256").update(value).digest("hex");
+}
+
+//#endregion
+//#region src/cli/commands/apply/auth-connection.ts
+function connectionTrn(workspaceId, name) {
+	return `${trnPrefix(workspaceId)}:auth-connection:${name}`;
+}
+function buildConnectionRequest(workspaceId, name, config) {
+	return {
+		workspaceId,
+		connection: {
+			name,
+			type: AuthConnection_Type.OAUTH2,
+			config: {
+				case: "oauth2",
+				value: {
+					providerUrl: config.providerUrl,
+					issuerUrl: config.issuerUrl,
+					clientId: config.clientId,
+					clientSecret: config.clientSecret,
+					authUrl: config.authUrl ?? "",
+					tokenUrl: config.tokenUrl ?? ""
+				}
+			}
+		}
+	};
+}
+/**
+* Compute a hash of the full connection config for change detection.
+* @param config - Auth connection config
+* @returns SHA-256 hex digest
+*/
+function hashConnectionConfig(config) {
+	return hashValue(JSON.stringify({
+		type: config.type,
+		providerUrl: config.providerUrl,
+		issuerUrl: config.issuerUrl,
+		clientId: config.clientId,
+		clientSecret: config.clientSecret,
+		authUrl: config.authUrl ?? "",
+		tokenUrl: config.tokenUrl ?? ""
+	}));
+}
+/**
+* Check whether the non-secret fields of an existing connection differ from the desired config.
+* @param existing - Existing connection from the server
+* @param desired - Desired connection config
+* @returns true if any non-secret field has changed
+*/
+function hasNonSecretFieldChanged(existing, desired) {
+	if (existing.config.case !== "oauth2") return true;
+	const oauth2 = existing.config.value;
+	return oauth2.providerUrl !== desired.providerUrl || oauth2.issuerUrl !== desired.issuerUrl || oauth2.clientId !== desired.clientId || oauth2.authUrl !== (desired.authUrl ?? "") || oauth2.tokenUrl !== (desired.tokenUrl ?? "");
+}
+/**
+* Plan auth connection changes based on current and desired state.
+* @param client - Operator client instance
+* @param workspaceId - Workspace ID
+* @param appName - Application name for ownership
+* @param auths - Auth services with connection configs
+* @returns Planned changes for auth connections
+*/
+async function planAuthConnections(client, workspaceId, appName, auths) {
+	const changeSet = createChangeSet("Auth connections");
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const desiredConnections = {};
+	for (const auth of auths) if (auth.connections) for (const [name, config] of Object.entries(auth.connections)) desiredConnections[name] = config;
+	const existingList = await fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			const { connections, nextPageToken } = await client.listAuthConnections({
+				workspaceId,
+				pageToken,
+				pageSize: maxPageSize
+			});
+			return [connections, nextPageToken];
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+	const existingConnections = {};
+	let metadataSupported = true;
+	await Promise.all(existingList.map(async (resource) => {
+		try {
+			const { metadata } = await client.getMetadata({ trn: connectionTrn(workspaceId, resource.name) });
+			existingConnections[resource.name] = {
+				resource,
+				label: metadata?.labels[sdkNameLabelKey]
+			};
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.InvalidArgument) {
+				metadataSupported = false;
+				existingConnections[resource.name] = {
+					resource,
+					label: void 0
+				};
+			} else throw error;
+		}
+	}));
+	const state = loadSecretsState();
+	for (const [name, config] of Object.entries(desiredConnections)) {
+		const existing = existingConnections[name];
+		const metaRequest = metadataSupported ? await buildMetaRequest(connectionTrn(workspaceId, name), appName) : void 0;
+		if (existing) {
+			if (metadataSupported && !existing.label) unmanaged.push({
+				resourceType: "Auth connection",
+				resourceName: name
+			});
+			else if (existing.label && existing.label !== appName) conflicts.push({
+				resourceType: "Auth connection",
+				resourceName: name,
+				currentOwner: existing.label
+			});
+			const currentHash = hashConnectionConfig(config);
+			const storedHash = state.connections?.[name];
+			if (hasNonSecretFieldChanged(existing.resource, config) || currentHash !== storedHash) changeSet.replaces.push({
+				name,
+				revokeRequest: {
+					workspaceId,
+					connectionName: name
+				},
+				createRequest: buildConnectionRequest(workspaceId, name, config),
+				metaRequest
+			});
+			else changeSet.unchanged.push({ name });
+			delete existingConnections[name];
+		} else changeSet.creates.push({
+			name,
+			request: buildConnectionRequest(workspaceId, name, config),
+			metaRequest
+		});
+	}
+	for (const [name, entry] of Object.entries(existingConnections)) {
+		if (!entry) continue;
+		if (entry.label && entry.label !== appName) {
+			resourceOwners.add(entry.label);
+			continue;
+		}
+		if (entry.label === appName || !metadataSupported) changeSet.deletes.push({
+			name,
+			request: {
+				workspaceId,
+				connectionName: name
+			}
+		});
+	}
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
+}
+/**
+* Attempt to set metadata, silently ignoring InvalidArgument errors
+* when the platform does not yet support auth-connection TRNs.
+* @param client - Operator client instance
+* @param metaRequest - Metadata request to send
+*/
+async function trySetMetadata(client, metaRequest) {
+	try {
+		await client.setMetadata(metaRequest);
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.InvalidArgument) return;
+		throw error;
+	}
+}
+function extractOAuth2Config(connection) {
+	if (!connection) return void 0;
+	const config = connection.config;
+	if (!config || config.case !== "oauth2" || !config.value) return void 0;
+	const v = config.value;
+	return {
+		type: "oauth2",
+		providerUrl: v.providerUrl ?? "",
+		issuerUrl: v.issuerUrl ?? "",
+		clientId: v.clientId ?? "",
+		clientSecret: v.clientSecret ?? "",
+		authUrl: v.authUrl || void 0,
+		tokenUrl: v.tokenUrl || void 0
+	};
+}
+/**
+* Apply auth connection changes for the given phase.
+* @param client - Operator client instance
+* @param result - Planned auth connection changes
+* @param phase - Apply phase
+*/
+async function applyAuthConnections(client, result, phase) {
+	const { changeSet } = result;
+	if (phase === "create-update") {
+		await Promise.all(changeSet.creates.map(async (create) => {
+			await client.createAuthConnection(create.request);
+			if (create.metaRequest) await trySetMetadata(client, create.metaRequest);
+		}));
+		for (const replace of changeSet.replaces) {
+			await client.revokeAuthConnection(replace.revokeRequest);
+			await client.createAuthConnection(replace.createRequest);
+			if (replace.metaRequest) await trySetMetadata(client, replace.metaRequest);
+		}
+		const state = loadSecretsState();
+		if (!state.connections) state.connections = {};
+		for (const create of changeSet.creates) {
+			const oauth2 = extractOAuth2Config(create.request.connection);
+			if (oauth2) state.connections[create.name] = hashConnectionConfig(oauth2);
+		}
+		for (const replace of changeSet.replaces) {
+			const oauth2 = extractOAuth2Config(replace.createRequest.connection);
+			if (oauth2) state.connections[replace.name] = hashConnectionConfig(oauth2);
+		}
+		saveSecretsState(state);
+	} else if (phase === "delete-resources" || phase === "delete") {
+		await Promise.all(changeSet.deletes.map(async (del) => {
+			await client.revokeAuthConnection(del.request);
+		}));
+		if (changeSet.deletes.length > 0) {
+			const state = loadSecretsState();
+			if (state.connections) {
+				for (const del of changeSet.deletes) delete state.connections[del.name];
+				saveSecretsState(state);
+			}
+		}
+	}
+}
+
 //#endregion
 //#region src/cli/commands/apply/function-registry.ts
 const CHUNK_SIZE = 64 * 1024;
@@ -1869,6 +2139,7 @@ async function applyAuth(client, result, phase = "create-update") {
 			await client.updateAuthService(update.request);
 			await client.setMetadata(update.metaRequest);
 		})]);
+		if (changeSet.connection) await applyAuthConnections(client, { changeSet: changeSet.connection }, "create-update");
 		await Promise.all([...changeSet.idpConfig.creates.map(async (create) => {
 			if (create.idpConfig.kind === "BuiltInIdP") create.request.idpConfig.config = await protoBuiltinIdPConfig(client, create.request.workspaceId, create.idpConfig);
 			return client.createAuthIDPConfig(create.request);
@@ -1903,6 +2174,7 @@ async function applyAuth(client, result, phase = "create-update") {
 		await Promise.all(changeSet.tenantConfig.deletes.map((del) => client.deleteTenantConfig(del.request)));
 		await Promise.all(changeSet.userProfileConfig.deletes.map((del) => client.deleteUserProfileConfig(del.request)));
 		await Promise.all(changeSet.idpConfig.deletes.map((del) => client.deleteAuthIDPConfig(del.request)));
+		if (changeSet.connection) await applyAuthConnections(client, { changeSet: changeSet.connection }, "delete-resources");
 	} else if (phase === "delete-services") await Promise.all(changeSet.service.deletes.map((del) => client.deleteAuthService(del.request)));
 }
 /**
@@ -1919,7 +2191,7 @@ async function planAuth(context) {
 	}
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths, forceApplyAll);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
-	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet] = await Promise.all([
+	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet, connectionResult] = await Promise.all([
 		planIdPConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planUserProfileConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planTenantConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
@@ -1927,7 +2199,8 @@ async function planAuth(context) {
 		planAuthHooks(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planOAuth2Clients(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planSCIMConfigs(client, workspaceId, auths, deletedServices),
-		planSCIMResources(client, workspaceId, auths, deletedServices)
+		planSCIMResources(client, workspaceId, auths, deletedServices),
+		planAuthConnections(client, workspaceId, application.name, auths)
 	]);
 	serviceChangeSet.print();
 	idpConfigChangeSet.print();
@@ -1938,6 +2211,7 @@ async function planAuth(context) {
 	oauth2ClientChangeSet.print();
 	scimChangeSet.print();
 	scimResourceChangeSet.print();
+	connectionResult.changeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -1948,11 +2222,12 @@ async function planAuth(context) {
 			authHook: authHookChangeSet,
 			oauth2Client: oauth2ClientChangeSet,
 			scim: scimChangeSet,
-			scimResource: scimResourceChangeSet
+			scimResource: scimResourceChangeSet,
+			connection: connectionResult.changeSet
 		},
-		conflicts,
-		unmanaged,
-		resourceOwners
+		conflicts: [...conflicts, ...connectionResult.conflicts],
+		unmanaged: [...unmanaged, ...connectionResult.unmanaged],
+		resourceOwners: new Set([...resourceOwners, ...connectionResult.resourceOwners])
 	};
 }
 function trn$4(workspaceId, name) {
@@ -3832,48 +4107,6 @@ function protoFields(fields, baseName, isInput) {
 	});
 }
 
-//#endregion
-//#region src/cli/commands/apply/secrets-state.ts
-const SecretsStateSchema = z.object({ vaults: z.record(z.string(), z.record(z.string(), z.string())) });
-/**
-* Get the file path for the secrets state JSON.
-* @returns Absolute path to secrets-state.json
-*/
-function getSecretsStatePath() {
-	return path.join(getDistDir(), "secrets-state.json");
-}
-/**
-* Load secrets hash state from disk.
-* @returns Persisted state, or empty state if file is missing or corrupted
-*/
-function loadSecretsState() {
-	const filePath = getSecretsStatePath();
-	if (!existsSync(filePath)) return { vaults: {} };
-	try {
-		const raw = readFileSync(filePath, "utf-8");
-		return SecretsStateSchema.parse(JSON.parse(raw));
-	} catch {
-		return { vaults: {} };
-	}
-}
-/**
-* Save secrets hash state to disk.
-* @param state - The secrets state to persist
-*/
-function saveSecretsState(state) {
-	const filePath = getSecretsStatePath();
-	mkdirSync(path.dirname(filePath), { recursive: true });
-	writeFileSync(filePath, JSON.stringify(state, null, 2), "utf-8");
-}
-/**
-* Compute SHA-256 hex digest of a value.
-* @param value - The string to hash
-* @returns Hex-encoded SHA-256 hash
-*/
-function hashValue(value) {
-	return createHash("sha256").update(value).digest("hex");
-}
-
 //#endregion
 //#region src/cli/commands/apply/secret-manager.ts
 /**
@@ -7403,6 +7636,7 @@ function printPlanSummary(results) {
 		results.auth.changeSet.authHook,
 		results.auth.changeSet.scim,
 		results.auth.changeSet.scimResource,
+		...results.auth.changeSet.connection ? [results.auth.changeSet.connection] : [],
 		results.pipeline.changeSet.service,
 		results.pipeline.changeSet.resolver,
 		results.app,
@@ -11691,7 +11925,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-dnB8CQiT.mjs");
+	const { defineApplication } = await import("./application-mGasp_EX.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -13894,4 +14128,4 @@ function isDeno() {
 
 //#endregion
 export { getFolder as $, getNextMigrationNumber as $t, listWorkflows as A, functionExecutionStatusToString as At, updateCommand$1 as B, DB_TYPES_FILE_NAME as Bt, listApps as C, startCommand as Ct, resumeCommand as D, executionsCommand as Dt, healthCommand as E, getWorkflow as Et, show as F, executeScript as Ft, listOrganizations as G, compareLocalTypesWithSnapshot as Gt, organizationTree as H, INITIAL_SCHEMA_NUMBER as Ht, showCommand as I, waitForExecution$1 as It, updateCommand$2 as J, formatMigrationNumber as Jt, getCommand$1 as K, compareSnapshots as Kt, logBetaWarning as L, MIGRATION_LABEL_KEY as Lt, truncateCommand as M, getCommand$5 as Mt, generate as N, getExecutor as Nt, resumeWorkflow as O, getWorkflowExecution as Ot, generateCommand as P, apply as Pt, getCommand$2 as Q, getMigrationFiles as Qt, remove as R, parseMigrationLabelNumber as Rt, createWorkspace as S, watchExecutorJob as St, getAppHealth as T, getCommand$4 as Tt, treeCommand as U, MIGRATE_FILE_NAME as Ut, updateOrganization as V, DIFF_FILE_NAME as Vt, listCommand$4 as W, SCHEMA_FILE_NAME as Wt, listCommand$5 as X, getMigrationDirPath as Xt, updateFolder as Y, getLatestMigrationNumber as Yt, listFolders as Z, getMigrationFilePath as Zt, getCommand as _, isVerbose as _n, listCommand$8 as _t, updateCommand as a, hasChanges as an, listOAuth2Clients as at, deleteWorkspace as b, jobsCommand as bt, removeUser as c, sdkNameLabelKey as cn, getMachineUserToken as ct, inviteCommand as d, apiCall as dn, listMachineUsers as dt, isValidMigrationNumber as en, deleteCommand$1 as et, inviteUser as f, apiCommand as fn, generate$1 as ft, listWorkspaces as g, deploymentArgs as gn, triggerExecutor as gt, listCommand$1 as h, confirmationArgs as hn, triggerCommand as ht, isCLIError as i, formatMigrationDiff as in, listCommand$6 as it, truncate as j, formatKeyValueTable as jt, listCommand$3 as k, listWorkflowExecutions as kt, listCommand as l, trnPrefix as ln, tokenCommand as lt, restoreWorkspace as m, commonArgs as mn, webhookCommand as mt, query as n, reconstructSnapshotFromMigrations as nn, createCommand$1 as nt, updateUser as o, getNamespacesWithMigrations as on, getCommand$3 as ot, restoreCommand as p, defineAppCommand as pn, listWebhookExecutors as pt, getOrganization as q, createSnapshotFromLocalTypes as qt, queryCommand as r, formatDiffSummary as rn, createFolder as rt, removeCommand as s, prompt as sn, getOAuth2Client as st, isNativeTypeScriptRuntime as t, loadDiff as tn, deleteFolder as tt, listUsers as u, generateUserTypes as un, listCommand$7 as ut, getWorkspace as v, workspaceArgs as vn, listExecutors as vt, listCommand$2 as w, startWorkflow as wt, createCommand as x, listExecutorJobs as xt, deleteCommand as y, getExecutorJob as yt, removeCommand$1 as z, bundleMigrationScript as zt };
-//# sourceMappingURL=runtime-CxDrzUC0.mjs.map
+//# sourceMappingURL=runtime-D4O-RfcH.mjs.map