@tailor-platform/sdk 1.35.1 → 1.36.0

package/dist/utils/test/index.d.mts

@@ -1,6 +1,6 @@
 /// <reference types="@tailor-platform/function-types" />
-import { U as TailorDBType, rt as TailorField } from "../../plugin-CZaJ3_QR.mjs";
-import { et as WORKFLOW_TEST_ENV_KEY, n as output } from "../../index-wCoQup4y.mjs";
+import { U as TailorDBType, rt as TailorField } from "../../plugin-CiPUxkyN.mjs";
+import { n as output, rt as WORKFLOW_TEST_ENV_KEY } from "../../index-CYaunQeL.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/utils/test/mock.d.ts

package/dist/{workflow.generated-IZ3kLjC_.d.mts → workflow.generated-8BeGQsVU.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { Nt as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-CZaJ3_QR.mjs";
+import { Nt as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-CiPUxkyN.mjs";
 
 //#region src/types/idp.generated.d.ts
 /**
@@ -59,6 +59,193 @@ type IdPInput = {
   emailConfig?: {
     fromName?: string | undefined;
     passwordResetSubject?: string | undefined;
+  } | undefined; /** Per-operation permission policies for IdP users */
+  permission?: {
+    create: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    read: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    update: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    delete: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    sendPasswordResetEmail: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
   } | undefined;
 };
 //#endregion
@@ -77,6 +264,7 @@ type IdPExternalConfig = {
 };
 type IdPOwnConfig = Omit<DefinedIdp<string, IdPInput, string>, "provider">;
 type IdPConfig = IdPOwnConfig | IdPExternalConfig;
+type IdPUserField = "id" | "name" | "disabled";
 //#endregion
 //#region src/configure/services/secrets/index.d.ts
 declare const secretsDefinitionBrand: unique symbol;
@@ -84,8 +272,15 @@ type SecretsDefinitionBrand = {
   readonly [secretsDefinitionBrand]: true;
 };
 type SecretsVaultInput = Record<string, string>;
+type SecretsVaultInputNullish = Record<string, string | undefined | null>;
 type SecretsInput = Record<string, SecretsVaultInput>;
-type DefinedSecrets<T extends SecretsInput> = {
+type SecretsInputNullish = Record<string, SecretsVaultInputNullish>;
+type SecretsOptions = {
+  readonly ignoreNullishValues: boolean;
+};
+type DefinedSecrets<T extends SecretsInputNullish> = {
+  readonly vaults: T;
+  readonly options: SecretsOptions;
   get<V extends Extract<keyof T, string>, S extends Extract<keyof T[V], string>>(vault: V, secret: S): Promise<string | undefined>;
   getAll<V extends Extract<keyof T, string>, S extends Extract<keyof T[V], string>>(vault: V, secrets: readonly S[]): Promise<(string | undefined)[]>;
 } & SecretsDefinitionBrand;
@@ -98,6 +293,19 @@ type SecretsConfig = Omit<ReturnType<typeof defineSecretManager>, "get" | "getAl
  * @returns Defined secrets with typed runtime access methods
  */
 declare function defineSecretManager<const T extends SecretsInput>(config: T): DefinedSecrets<T>;
+/**
+ * Define secrets configuration for the Tailor SDK with ignoreNullishValues option.
+ * When `ignoreNullishValues` is true, secrets with nullish values are skipped during deploy
+ * instead of causing an error. This is useful for CI environments where not all
+ * secret values are available.
+ * @param config - Secrets configuration mapping vault names to their secrets
+ * @param options - Options for secret management behavior
+ * @param options.ignoreNullishValues - When true, secrets with nullish values are skipped during deploy
+ * @returns Defined secrets with typed runtime access methods
+ */
+declare function defineSecretManager<const T extends SecretsInputNullish>(config: T, options: {
+  ignoreNullishValues: true;
+}): DefinedSecrets<T>;
 //#endregion
 //#region src/types/staticwebsite.generated.d.ts
 type StaticWebsite = {
@@ -202,5 +410,5 @@ type RetryPolicy = {
   backoffMultiplier: number;
 };
 //#endregion
-export { IdPEmailConfig as _, ResolverExternalConfig as a, IdPInput as b, WorkflowServiceConfig as c, defineStaticWebSite as d, SecretsConfig as f, IdpDefinitionBrand as g, IdPExternalConfig as h, ExecutorServiceInput as i, WorkflowServiceInput as l, IdPConfig as m, AppConfig as n, ResolverServiceConfig as o, defineSecretManager as p, ExecutorServiceConfig as r, ResolverServiceInput as s, RetryPolicy as t, StaticWebsiteConfig as u, IdPGqlOperations as v, IdPGqlOperationsInput as y };
-//# sourceMappingURL=workflow.generated-IZ3kLjC_.d.mts.map
+export { IdpDefinitionBrand as _, ResolverExternalConfig as a, IdPGqlOperationsInput as b, WorkflowServiceConfig as c, defineStaticWebSite as d, SecretsConfig as f, IdPUserField as g, IdPExternalConfig as h, ExecutorServiceInput as i, WorkflowServiceInput as l, IdPConfig as m, AppConfig as n, ResolverServiceConfig as o, defineSecretManager as p, ExecutorServiceConfig as r, ResolverServiceInput as s, RetryPolicy as t, StaticWebsiteConfig as u, IdPEmailConfig as v, IdPInput as x, IdPGqlOperations as y };
+//# sourceMappingURL=workflow.generated-8BeGQsVU.d.mts.map

package/docs/cli/function.md

@@ -152,7 +152,7 @@ tailor-sdk function test-run [options] <file>
 **Run a resolver with input arguments**
 
 ```bash
-$ tailor-sdk function test-run resolvers/add.ts --arg '{"input":{"a":1,"b":2}}'
+$ tailor-sdk function test-run resolvers/add.ts --arg '{"a":1,"b":2}'
 ```
 
 **Run a specific workflow job by name**
@@ -164,7 +164,7 @@ $ tailor-sdk function test-run workflows/sample.ts --name validate-order
 **Run a pre-bundled .js file directly**
 
 ```bash
-$ tailor-sdk function test-run build/resolvers/add.js --arg '{"input":{"a":1,"b":2}}'
+$ tailor-sdk function test-run build/resolvers/add.js --arg '{"a":1,"b":2}'
 ```
 
 <!-- politty:command:function test-run:examples:end -->

package/docs/services/idp.md

@@ -99,6 +99,56 @@ defineIdp("my-idp", {
 
 **Validation:** Each field must be 200 characters or less and must not contain newline characters.
 
+### permission
+
+Per-operation permission policies for IdP user management. Controls who can create, read, update, delete users, and send password reset emails.
+
+```typescript
+defineIdp("my-idp", {
+  authorization: "loggedIn",
+  clients: ["my-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    update: [
+      { conditions: [[{ newIdpUser: "name" }, "!=", { oldIdpUser: "name" }]], permit: true },
+    ],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: true }],
+  },
+});
+```
+
+**Operations:**
+
+- `create` - Controls who can create IdP users
+- `read` - Controls who can read IdP users
+- `update` - Controls who can update IdP users
+- `delete` - Controls who can delete IdP users
+- `sendPasswordResetEmail` - Controls who can send password reset emails
+
+**Operands:**
+
+- `{ user: "field" }` - Authenticated user's attribute
+- `{ idpUser: "field" }` - IdP user field (for create/read/delete). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ oldIdpUser: "field" }` - Previous IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ newIdpUser: "field" }` - New IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- Literal values: `string`, `boolean`, `string[]`, `boolean[]`
+
+**Operators:** `"="`, `"!="`, `"in"`, `"not in"`
+
+**Helper:** `unsafeAllowAllIdPPermission` grants full access without conditions. Intended only for development and testing.
+
+```typescript
+import { unsafeAllowAllIdPPermission } from "@tailor-platform/sdk";
+
+defineIdp("my-idp", {
+  authorization: "loggedIn",
+  clients: ["my-client"],
+  permission: unsafeAllowAllIdPPermission,
+});
+```
+
 ## Using idp.provider()
 
 The `idp.provider()` method creates a type-safe reference to the IdP for use in Auth configuration. The client name is validated at compile time against the clients defined in the IdP.

package/docs/services/resolver.md

@@ -13,7 +13,7 @@ Resolvers provide:
 
 ## Comparison with Tailor Platform Pipeline Resolver
 
-The SDK's Resolver is a simplified version of Tailor Platform's [Pipeline Resolver](https://docs.tailor.tech/guides/pipeline).
+The SDK's Resolver is a simplified version of Tailor Platform's [Pipeline Resolver](https://docs.tailor.tech/guides/resolver).
 
 | Pipeline Resolver                        | SDK Resolver                      |
 | ---------------------------------------- | --------------------------------- |

package/docs/services/secret.md

@@ -64,6 +64,31 @@ export default defineConfig({
 
 The exported `secrets` object provides type-safe `get()` and `getAll()` methods for runtime access from resolvers, executors, and workflows.
 
+### Skipping Secrets with Missing Values
+
+In CI environments, you may not have all secret values available (e.g., secrets are already set on the platform and you don't want to duplicate them in CI environment variables). Use the `ignoreNullishValues` option to skip secrets whose values are `undefined` or `null`:
+
+```typescript
+export const secrets = defineSecretManager(
+  {
+    "api-keys": {
+      "stripe-secret-key": process.env.STRIPE_SECRET_KEY,
+      "sendgrid-api-key": process.env.SENDGRID_API_KEY,
+    },
+  },
+  { ignoreNullishValues: true },
+);
+```
+
+When `ignoreNullishValues: true`:
+
+- Secrets with a string value are created or updated as normal
+- Secrets with `undefined` or `null` values are **skipped** — they are not created, updated, or deleted
+- Skipped secrets are shown in the deploy output for visibility
+- Secrets removed from the config entirely are still deleted (orphan cleanup)
+
+This allows you to set secret values once (e.g., via local `tailor-sdk apply` or the CLI) and then deploy from CI without needing the actual values in CI environment variables.
+
 ## Using Secrets
 
 ### Runtime Access with `get()` / `getAll()`

package/docs/services/workflow.md

@@ -115,6 +115,54 @@ export const mainJob = createWorkflowJob({
 
 **Important:** On the Tailor runtime, job triggers are executed synchronously. This means `Promise.all([jobA.trigger(), jobB.trigger()])` will not run jobs in parallel.
 
+### Deterministic Execution Requirement
+
+Workflow jobs use a **suspend/resume execution model**. When a job calls `.trigger()`, the runtime suspends the current job, executes the triggered job, and then **re-executes the calling job from the beginning** with cached results from previous triggers.
+
+This means that **job code must be deterministic** — every re-execution must produce the same sequence of `.trigger()` calls with the same arguments in the same order.
+
+Using `.trigger()` inside a loop works correctly, as long as the loop is deterministic:
+
+```typescript
+// ✅ OK: deterministic loop — same calls in the same order on every execution
+const regions = ["us", "eu", "ap"];
+for (const region of regions) {
+  const result = await fetchData.trigger({ region });
+  results.push(result);
+}
+```
+
+```typescript
+// ❌ Bad: non-deterministic — argument changes between executions
+await processJob.trigger({ timestamp: Date.now() });
+
+// ✅ OK: call Date.now() in separated job
+const timestamp = await timestampJob.trigger();
+await processJob.trigger({ timestamp });
+```
+
+```typescript
+// ❌ Bad: non-deterministic — external data may change between executions
+const items = await fetch("https://api.example.com/items").then((r) => r.json());
+for (const item of items) {
+  await processItem.trigger({ id: item.id });
+}
+
+// ✅ OK: call fetch("https://api.example.com/items").then((r) => r.json()); in separated job
+const items = await fetchItemsJob.trigger();
+for (const item of items) {
+  await processItem.trigger({ id: item.id });
+}
+```
+
+If the runtime detects that a `.trigger()` call at the same position has different arguments than the previous execution, it will throw an **argument hash mismatch error**.
+
+**Guidelines:**
+
+- Do not use non-deterministic values (random numbers, timestamps, external API responses) as `.trigger()` arguments.
+- Do not use conditions that may change between executions to decide whether to call `.trigger()`.
+- Any data that varies between executions should be fetched **inside the triggered job**, not passed as an argument from the calling job.
+
 ## Workflow Definition
 
 Define a workflow using `createWorkflow` and export it as default:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.35.1",
+  "version": "1.36.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -81,8 +81,9 @@
     "@bufbuild/protobuf": "2.11.0",
     "@connectrpc/connect": "2.1.1",
     "@connectrpc/connect-node": "2.1.1",
-    "@inquirer/core": "11.1.7",
-    "@inquirer/prompts": "8.3.2",
+    "@inquirer/core": "11.1.8",
+    "@inquirer/prompts": "8.4.0",
+    "@jridgewell/trace-mapping": "0.3.31",
     "@liam-hq/cli": "0.7.24",
     "@napi-rs/keyring": "1.2.0",
     "@opentelemetry/api": "1.9.1",
@@ -110,7 +111,7 @@
     "multiline-ts": "4.0.1",
     "open": "11.0.0",
     "ora": "9.3.0",
-    "oxc-parser": "0.121.0",
+    "oxc-parser": "0.124.0",
     "p-limit": "7.3.0",
     "pathe": "2.0.3",
     "pgsql-ast-parser": "12.0.2",
@@ -134,13 +135,13 @@
     "@types/mime-types": "3.0.1",
     "@types/node": "24.12.2",
     "@types/semver": "7.7.1",
-    "@typescript/native-preview": "7.0.0-dev.20260404.1",
+    "@typescript/native-preview": "7.0.0-dev.20260406.1",
     "@vitest/coverage-v8": "4.1.2",
     "eslint": "10.2.0",
     "eslint-plugin-jsdoc": "62.9.0",
-    "eslint-plugin-oxlint": "1.58.0",
-    "oxfmt": "0.42.0",
-    "oxlint": "1.58.0",
+    "eslint-plugin-oxlint": "1.59.0",
+    "oxfmt": "0.44.0",
+    "oxlint": "1.59.0",
     "oxlint-tsgolint": "0.20.0",
     "sonda": "0.11.1",
     "tsdown": "0.21.7",