@tailor-platform/sdk 1.35.1 → 1.36.0

package/dist/{index-B1Fgxi8D.d.mts → index-C7vIBAg8.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as Plugin } from "./plugin-CZaJ3_QR.mjs";
+import { n as Plugin } from "./plugin-CiPUxkyN.mjs";
 
 //#region src/plugin/builtin/kysely-type/index.d.ts
 /** Unique identifier for the Kysely type generator plugin. */
@@ -16,4 +16,4 @@ type KyselyTypePluginOptions = {
 declare function kyselyTypePlugin(options: KyselyTypePluginOptions): Plugin<unknown, KyselyTypePluginOptions>;
 //#endregion
 export { kyselyTypePlugin as n, KyselyGeneratorID as t };
-//# sourceMappingURL=index-B1Fgxi8D.d.mts.map
+//# sourceMappingURL=index-C7vIBAg8.d.mts.map

package/dist/{index-wCoQup4y.d.mts → index-CYaunQeL.d.mts}

@@ -1,7 +1,7 @@
 /// <reference types="@tailor-platform/function-types" />
-import { $ as FieldOptions, At as WebhookOperation$1, Ct as FunctionOperation$1, Dt as ResolverExecutedTrigger$1, Et as IncomingWebhookTrigger$1, F as UserAttributeListKey, H as TailorDBInstance, I as UserAttributeMap, Mt as AuthInvoker$1, Ot as ScheduleTriggerInput, Q as FieldMetadata, St as ExecutorInput, Tt as IdpUserTrigger$1, U as TailorDBType, X as ArrayFieldOutput, Z as DefinedFieldMetadata, _t as Resolver, at as JsonCompatible, bt as AuthAccessTokenTrigger$1, dt as TailorUser, et as FieldOutput, it as InferFieldsOutput, j as DefinedAuth, jt as WorkflowOperation$1, k as AuthServiceInput, kt as TailorDBTrigger$1, mt as AllowedValuesOutput, n as Plugin, nt as TailorAnyField, ot as output$1, pt as AllowedValues, rt as TailorField, tt as TailorFieldType, vt as ResolverInput, wt as GqlOperation$1, yt as GeneratorConfig } from "./plugin-CZaJ3_QR.mjs";
-import { n as TailorEnv, r as TailorActor } from "./env-MSlwZt8l.mjs";
-import { b as IdPInput, g as IdpDefinitionBrand, n as AppConfig, t as RetryPolicy } from "./workflow.generated-IZ3kLjC_.mjs";
+import { $ as FieldOptions, At as WebhookOperation$1, Ct as FunctionOperation$1, Dt as ResolverExecutedTrigger$1, Et as IncomingWebhookTrigger$1, F as UserAttributeListKey, H as TailorDBInstance, I as UserAttributeMap, Mt as AuthInvoker$1, Ot as ScheduleTriggerInput, Q as FieldMetadata, St as ExecutorInput, Tt as IdpUserTrigger$1, U as TailorDBType, X as ArrayFieldOutput, Z as DefinedFieldMetadata, _t as Resolver, at as JsonCompatible, bt as AuthAccessTokenTrigger$1, dt as TailorUser, et as FieldOutput, it as InferFieldsOutput, j as DefinedAuth, jt as WorkflowOperation$1, k as AuthServiceInput, kt as TailorDBTrigger$1, mt as AllowedValuesOutput, n as Plugin, nt as TailorAnyField, ot as output$1, pt as AllowedValues, rt as TailorField, tt as TailorFieldType, ut as InferredAttributeMap, vt as ResolverInput, wt as GqlOperation$1, yt as GeneratorConfig } from "./plugin-CiPUxkyN.mjs";
+import { n as TailorEnv, r as TailorActor } from "./env-_ce3IYbl.mjs";
+import { _ as IdpDefinitionBrand, g as IdPUserField, n as AppConfig, t as RetryPolicy, x as IdPInput } from "./workflow.generated-8BeGQsVU.mjs";
 import * as _$zod from "zod";
 import { JsonPrimitive, Jsonifiable, Jsonify } from "type-fest";
 import { Client } from "@urql/core";
@@ -698,6 +698,74 @@ declare function createExecutor<Args, O extends Operation<Args> | {
   workflow: Workflow;
 }>(config: Executor<Trigger<Args>, O>): Executor<Trigger<Args>, O>;
 //#endregion
+//#region src/configure/services/idp/permission.d.ts
+type EqualityOperator = "=" | "!=";
+type ContainsOperator = "in" | "not in";
+type StringFieldKeys<User extends object> = { [K in keyof User]: User[K] extends string ? K : never }[keyof User];
+type StringArrayFieldKeys<User extends object> = { [K in keyof User]: User[K] extends string[] ? K : never }[keyof User];
+type BooleanFieldKeys<User extends object> = { [K in keyof User]: User[K] extends boolean ? K : never }[keyof User];
+type BooleanArrayFieldKeys<User extends object> = { [K in keyof User]: User[K] extends boolean[] ? K : never }[keyof User];
+type UserStringOperand<User extends object = InferredAttributeMap> = {
+  user: StringFieldKeys<User> | "id";
+};
+type UserStringArrayOperand<User extends object = InferredAttributeMap> = {
+  user: StringArrayFieldKeys<User>;
+};
+type UserBooleanOperand<User extends object = InferredAttributeMap> = {
+  user: BooleanFieldKeys<User> | "_loggedIn";
+};
+type UserBooleanArrayOperand<User extends object = InferredAttributeMap> = {
+  user: BooleanArrayFieldKeys<User>;
+};
+type IdPUserOperand<Update extends boolean = false> = Update extends true ? {
+  oldIdpUser: IdPUserField;
+} | {
+  newIdpUser: IdPUserField;
+} : {
+  idpUser: IdPUserField;
+};
+type StringEqualityCondition<User extends object, Update extends boolean> = readonly [string, EqualityOperator, string] | readonly [UserStringOperand<User>, EqualityOperator, string] | readonly [string, EqualityOperator, UserStringOperand<User>] | readonly [IdPUserOperand<Update>, EqualityOperator, string | UserStringOperand<User> | IdPUserOperand<Update>] | readonly [string | UserStringOperand<User>, EqualityOperator, IdPUserOperand<Update>];
+type BooleanEqualityCondition<User extends object, Update extends boolean> = readonly [boolean, EqualityOperator, boolean] | readonly [UserBooleanOperand<User>, EqualityOperator, boolean] | readonly [boolean, EqualityOperator, UserBooleanOperand<User>] | readonly [IdPUserOperand<Update>, EqualityOperator, boolean | UserBooleanOperand<User> | IdPUserOperand<Update>] | readonly [boolean | UserBooleanOperand<User>, EqualityOperator, IdPUserOperand<Update>];
+type EqualityCondition<User extends object = InferredAttributeMap, Update extends boolean = boolean> = StringEqualityCondition<User, Update> | BooleanEqualityCondition<User, Update>;
+type StringContainsCondition<User extends object, Update extends boolean> = readonly [string, ContainsOperator, string[]] | readonly [UserStringOperand<User>, ContainsOperator, string[]] | readonly [string, ContainsOperator, UserStringArrayOperand<User>] | readonly [IdPUserOperand<Update>, ContainsOperator, string[] | UserStringArrayOperand<User>];
+type BooleanContainsCondition<User extends object, Update extends boolean> = readonly [boolean, ContainsOperator, boolean[]] | readonly [UserBooleanOperand<User>, ContainsOperator, boolean[]] | readonly [boolean, ContainsOperator, UserBooleanArrayOperand<User>] | readonly [IdPUserOperand<Update>, ContainsOperator, boolean[] | UserBooleanArrayOperand<User>];
+type ContainsCondition<User extends object = InferredAttributeMap, Update extends boolean = boolean> = StringContainsCondition<User, Update> | BooleanContainsCondition<User, Update>;
+type IdPPermissionCondition<User extends object = InferredAttributeMap, Update extends boolean = boolean> = EqualityCondition<User, Update> | ContainsCondition<User, Update>;
+type IdPActionPermission<User extends object = InferredAttributeMap, Update extends boolean = boolean> = {
+  conditions: IdPPermissionCondition<User, Update> | readonly IdPPermissionCondition<User, Update>[];
+  description?: string | undefined;
+  permit?: boolean;
+} | readonly [...IdPPermissionCondition<User, Update>, ...([] | [boolean])] | readonly [...IdPPermissionCondition<User, Update>[], ...([] | [boolean])];
+/**
+ * Per-operation permission policies for an IdP service.
+ * Defines create, read, update, delete, and sendPasswordResetEmail permissions.
+ *
+ * For update operations, use `newIdpUser`/`oldIdpUser` operands instead of `idpUser`.
+ * @example
+ * const permission: IdPPermission = {
+ *   create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+ *   read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+ *   update: [{ conditions: [[{ newIdpUser: "name" }, "=", { user: "id" }]], permit: true }],
+ *   delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+ *   sendPasswordResetEmail: [{ conditions: [], permit: true }],
+ * };
+ */
+type IdPPermission<User extends object = InferredAttributeMap> = {
+  create: readonly IdPActionPermission<User, false>[];
+  read: readonly IdPActionPermission<User, false>[];
+  update: readonly IdPActionPermission<User, true>[];
+  delete: readonly IdPActionPermission<User, false>[];
+  sendPasswordResetEmail: readonly IdPActionPermission<User, false>[];
+};
+/**
+ * Grants full IdP permission access without any conditions.
+ *
+ * Unsafe and intended only for local development, prototyping, or tests.
+ * Do not use this in production environments, as it effectively disables
+ * authorization checks.
+ */
+declare const unsafeAllowAllIdPPermission: IdPPermission;
+//#endregion
 //#region src/configure/services/idp/index.d.ts
 /**
  * Define an IdP service configuration for the Tailor SDK.
@@ -706,8 +774,9 @@ declare function createExecutor<Args, O extends Operation<Args> | {
  * @param config - IdP configuration
  * @returns Defined IdP service
  */
-declare function defineIdp<const TClients extends string[]>(name: string, config: Omit<IdPInput, "name" | "clients"> & {
+declare function defineIdp<const TClients extends string[]>(name: string, config: Omit<IdPInput, "name" | "clients" | "permission"> & {
   clients: TClients;
+  permission?: IdPPermission;
 }): {
   readonly name: string;
   readonly provider: (providerName: string, clientName: TClients[number]) => {
@@ -747,6 +816,7 @@ declare function defineIdp<const TClients extends string[]>(name: string, config
     passwordResetSubject?: string | undefined;
   } | undefined;
   readonly clients: TClients;
+  readonly permission?: IdPPermission;
 } & IdpDefinitionBrand;
 //#endregion
 //#region src/configure/config.d.ts
@@ -870,5 +940,5 @@ declare namespace t {
   type infer<T> = TailorOutput<T>;
 }
 //#endregion
-export { createWorkflow as $, ResolverExecutedArgs as A, idpUserUpdatedTrigger as B, IdpUserCreatedArgs as C, RecordCreatedArgs as D, IdpUserUpdatedArgs as E, authAccessTokenRevokedTrigger as F, resolverExecutedTrigger as G, recordDeletedTrigger as H, authAccessTokenTrigger as I, Operation as J, FunctionOperation as K, idpUserCreatedTrigger as L, TailorDBTrigger as M, authAccessTokenIssuedTrigger as N, RecordDeletedArgs as O, authAccessTokenRefreshedTrigger as P, WorkflowConfig as Q, idpUserDeletedTrigger as R, IdpUserArgs as S, IdpUserTrigger as T, recordTrigger as U, recordCreatedTrigger as V, recordUpdatedTrigger as W, WorkflowOperation as X, WebhookOperation as Y, Workflow as Z, AuthAccessTokenArgs as _, defineGenerators as a, createWorkflowJob as at, AuthAccessTokenRevokedArgs as b, createExecutor as c, AuthInvoker as ct, IncomingWebhookRequest as d, WORKFLOW_TEST_ENV_KEY as et, IncomingWebhookTrigger as f, scheduleTrigger as g, ScheduleTrigger as h, defineConfig as i, WorkflowJobOutput as it, ResolverExecutedTrigger as j, RecordUpdatedArgs as k, Trigger as l, defineAuth as lt, ScheduleArgs as m, output as n, WorkflowJobContext as nt, definePlugins as o, QueryType as ot, incomingWebhookTrigger as p, GqlOperation as q, t as r, WorkflowJobInput as rt, defineIdp as s, createResolver as st, infer as t, WorkflowJob as tt, IncomingWebhookArgs as u, AuthAccessTokenIssuedArgs as v, IdpUserDeletedArgs as w, AuthAccessTokenTrigger as x, AuthAccessTokenRefreshedArgs as y, idpUserTrigger as z };
-//# sourceMappingURL=index-wCoQup4y.d.mts.map
+export { WorkflowOperation as $, RecordCreatedArgs as A, idpUserCreatedTrigger as B, AuthAccessTokenRevokedArgs as C, IdpUserDeletedArgs as D, IdpUserCreatedArgs as E, TailorDBTrigger as F, recordDeletedTrigger as G, idpUserTrigger as H, authAccessTokenIssuedTrigger as I, resolverExecutedTrigger as J, recordTrigger as K, authAccessTokenRefreshedTrigger as L, RecordUpdatedArgs as M, ResolverExecutedArgs as N, IdpUserTrigger as O, ResolverExecutedTrigger as P, WebhookOperation as Q, authAccessTokenRevokedTrigger as R, AuthAccessTokenRefreshedArgs as S, IdpUserArgs as T, idpUserUpdatedTrigger as U, idpUserDeletedTrigger as V, recordCreatedTrigger as W, GqlOperation as X, FunctionOperation as Y, Operation as Z, ScheduleArgs as _, defineGenerators as a, WorkflowJobContext as at, AuthAccessTokenArgs as b, IdPPermission as c, createWorkflowJob as ct, createExecutor as d, AuthInvoker as dt, Workflow as et, Trigger as f, defineAuth as ft, incomingWebhookTrigger as g, IncomingWebhookTrigger as h, defineConfig as i, WorkflowJob as it, RecordDeletedArgs as j, IdpUserUpdatedArgs as k, IdPPermissionCondition as l, QueryType as lt, IncomingWebhookRequest as m, output as n, createWorkflow as nt, definePlugins as o, WorkflowJobInput as ot, IncomingWebhookArgs as p, recordUpdatedTrigger as q, t as r, WORKFLOW_TEST_ENV_KEY as rt, defineIdp as s, WorkflowJobOutput as st, infer as t, WorkflowConfig as tt, unsafeAllowAllIdPPermission as u, createResolver as ut, ScheduleTrigger as v, AuthAccessTokenTrigger as w, AuthAccessTokenIssuedArgs as x, scheduleTrigger as y, authAccessTokenTrigger as z };
+//# sourceMappingURL=index-CYaunQeL.d.mts.map

package/dist/{index-D-tMAFVp.d.mts → index-CxSLivW7.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as Plugin } from "./plugin-CZaJ3_QR.mjs";
+import { n as Plugin } from "./plugin-CiPUxkyN.mjs";
 
 //#region src/plugin/builtin/seed/index.d.ts
 /** Unique identifier for the seed generator plugin. */
@@ -18,4 +18,4 @@ type SeedPluginOptions = {
 declare function seedPlugin(options: SeedPluginOptions): Plugin<unknown, SeedPluginOptions>;
 //#endregion
 export { seedPlugin as n, SeedGeneratorID as t };
-//# sourceMappingURL=index-D-tMAFVp.d.mts.map
+//# sourceMappingURL=index-CxSLivW7.d.mts.map

package/dist/{index-BG7YCyXF.d.mts → index-DDCyefuU.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as Plugin } from "./plugin-CZaJ3_QR.mjs";
+import { n as Plugin } from "./plugin-CiPUxkyN.mjs";
 
 //#region src/plugin/builtin/file-utils/index.d.ts
 /** Unique identifier for the file utilities generator plugin. */
@@ -16,4 +16,4 @@ type FileUtilsPluginOptions = {
 declare function fileUtilsPlugin(options: FileUtilsPluginOptions): Plugin<unknown, FileUtilsPluginOptions>;
 //#endregion
 export { fileUtilsPlugin as n, FileUtilsGeneratorID as t };
-//# sourceMappingURL=index-BG7YCyXF.d.mts.map
+//# sourceMappingURL=index-DDCyefuU.d.mts.map

package/dist/{index-BBlE_vQF.d.mts → index-DZN1QFLM.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as Plugin } from "./plugin-CZaJ3_QR.mjs";
+import { n as Plugin } from "./plugin-CiPUxkyN.mjs";
 
 //#region src/plugin/builtin/enum-constants/index.d.ts
 /** Unique identifier for the enum constants generator plugin. */
@@ -16,4 +16,4 @@ type EnumConstantsPluginOptions = {
 declare function enumConstantsPlugin(options: EnumConstantsPluginOptions): Plugin<unknown, EnumConstantsPluginOptions>;
 //#endregion
 export { enumConstantsPlugin as n, EnumConstantsGeneratorID as t };
-//# sourceMappingURL=index-BBlE_vQF.d.mts.map
+//# sourceMappingURL=index-DZN1QFLM.d.mts.map

package/dist/plugin/builtin/enum-constants/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "../../../index-BBlE_vQF.mjs";
+import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "../../../index-DZN1QFLM.mjs";
 export { EnumConstantsGeneratorID, enumConstantsPlugin };

package/dist/plugin/builtin/file-utils/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "../../../index-BG7YCyXF.mjs";
+import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "../../../index-DDCyefuU.mjs";
 export { FileUtilsGeneratorID, fileUtilsPlugin };

package/dist/plugin/builtin/kysely-type/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "../../../index-B1Fgxi8D.mjs";
+import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "../../../index-C7vIBAg8.mjs";
 export { KyselyGeneratorID, kyselyTypePlugin };

package/dist/plugin/builtin/seed/index.d.mts

@@ -1,3 +1,3 @@
 /// <reference types="@tailor-platform/function-types" />
-import { n as seedPlugin, t as SeedGeneratorID } from "../../../index-D-tMAFVp.mjs";
+import { n as seedPlugin, t as SeedGeneratorID } from "../../../index-CxSLivW7.mjs";
 export { SeedGeneratorID, seedPlugin };

package/dist/plugin/index.d.mts

@@ -1,6 +1,6 @@
 /// <reference types="@tailor-platform/function-types" />
-import { B as TailorAnyDBType } from "../plugin-CZaJ3_QR.mjs";
-import { n as TailorEnv, r as TailorActor } from "../env-MSlwZt8l.mjs";
+import { B as TailorAnyDBType } from "../plugin-CiPUxkyN.mjs";
+import { n as TailorEnv, r as TailorActor } from "../env-_ce3IYbl.mjs";
 
 //#region src/plugin/with-context.d.ts
 /**

package/dist/{plugin-CZaJ3_QR.d.mts → plugin-CiPUxkyN.d.mts}

@@ -51,7 +51,8 @@ type SAML = {
   kind: "SAML"; /** Enable signing of SAML requests */
   enableSignRequest: boolean; /** URL to fetch SAML metadata (mutually exclusive with rawMetadata) */
   metadataURL?: string | undefined; /** Raw SAML metadata XML (mutually exclusive with metadataURL) */
-  rawMetadata?: string | undefined;
+  rawMetadata?: string | undefined; /** URL to redirect to when SAML ACS receives a response with an empty RelayState. */
+  defaultRedirectURL?: string | undefined;
 };
 type IDToken = {
   /** Identity provider name */name: string;
@@ -2069,4 +2070,4 @@ interface Plugin<TypeConfig = unknown, PluginConfig = unknown> {
 }
 //#endregion
 export { FieldOptions as $, BeforeLoginHookArgs as A, WebhookOperation as At, TailorAnyDBType as B, SCIMAttributeMapping as Bt, TailorDBType as C, FunctionOperation as Ct, AuthExternalConfig as D, ResolverExecutedTrigger as Dt, AuthConnectionTokenResult as E, IncomingWebhookTrigger as Et, UserAttributeListKey as F, IdProvider as Ft, PermissionCondition as G, TailorDBInstance as H, SCIMConfig as Ht, UserAttributeMap as I, OAuth2ClientInput as It, unsafeAllowAllGqlPermission as J, TailorTypeGqlPermission as K, UsernameFieldKey as L, OIDC as Lt, OAuth2ClientGrantType as M, AuthInvoker as Mt, SCIMAttributeType as N, BuiltinIdP as Nt, AuthOwnConfig as O, ScheduleTriggerInput as Ot, UserAttributeKey as P, IDToken as Pt, FieldMetadata as Q, ValueOperand as R, SAML as Rt, TailorDBServiceInput as S, ExecutorInput as St, AuthConfig as T, IdpUserTrigger as Tt, TailorDBType$1 as U, SCIMResource as Ut, TailorDBField as V, SCIMAuthorization as Vt, db as W, TenantProvider as Wt, ArrayFieldOutput as X, unsafeAllowAllTypePermission as Y, DefinedFieldMetadata as Z, GeneratorResult as _, Resolver as _t, PluginExecutorContext as a, JsonCompatible as at, TailorDBNamespaceData as b, AuthAccessTokenTrigger as bt, PluginGeneratedExecutorWithFile as c, AttributeMap as ct, PluginNamespaceProcessContext as d, TailorUser as dt, FieldOutput$1 as et, PluginOutput as f, unauthenticatedTailorUser as ft, ExecutorReadyContext as g, AuthConnectionOAuth2Config as gt, TypePluginOutput as h, AuthConnectionConfig as ht, PluginConfigs as i, InferFieldsOutput as it, DefinedAuth as j, WorkflowOperation as jt, AuthServiceInput as k, TailorDBTrigger as kt, PluginGeneratedResolver as l, InferredAttributeList as lt, TailorDBTypeForPlugin as m, AllowedValuesOutput as mt, Plugin as n, TailorAnyField as nt, PluginExecutorContextBase as o, output as ot, PluginProcessContext as p, AllowedValues as pt, TailorTypePermission as q, PluginAttachment as r, TailorField as rt, PluginGeneratedExecutor as s, AttributeList as st, NamespacePluginOutput as t, TailorFieldType as tt, PluginGeneratedType as u, InferredAttributeMap as ut, ResolverNamespaceData as v, ResolverInput as vt, TypeSourceInfoEntry as w, GqlOperation as wt, TailorDBReadyContext as x, Executor as xt, ResolverReadyContext as y, GeneratorConfig as yt, TailorAnyDBField as z, SCIMAttribute as zt };
-//# sourceMappingURL=plugin-CZaJ3_QR.d.mts.map
+//# sourceMappingURL=plugin-CiPUxkyN.d.mts.map

package/dist/{runtime-D4O-RfcH.mjs → runtime-C7RRDaB3.mjs}

@@ -1,9 +1,9 @@
 
-import { A as ExecutorTriggerType, B as AuthSCIMConfig_AuthorizationType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_ClientType, G as ConditionSchema, H as TenantProviderConfig_TenantProviderType, I as AuthOAuth2Client_GrantType, J as PageDirection, K as Condition_Operator, L as AuthSCIMAttribute_Mutability, M as AuthHookPoint, N as AuthIDPConfig_AuthType, O as ExecutorJobStatus, P as AuthInvokerSchema, R as AuthSCIMAttribute_Type, S as TailorDBType_Permission_Permit, T as IdPLang, U as UserProfileProviderConfig_UserProfileProviderType, W as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthConnection_Type, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as FilterSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Uniqueness } from "./client-CA2NM_4R.mjs";
+import { A as ExecutorJobStatus, B as AuthSCIMAttribute_Type, C as TailorDBType_PermitAction, D as IdPPermissionPermit, E as IdPPermissionOperator, F as AuthIDPConfig_AuthType, G as UserProfileProviderConfig_UserProfileProviderType, H as AuthSCIMConfig_AuthorizationType, I as AuthInvokerSchema, J as Condition_Operator, K as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, L as AuthOAuth2Client_ClientType, M as ExecutorTriggerType, N as AuthConnection_Type, O as FunctionExecution_Status, P as AuthHookPoint, Q as Subgraph_ServiceType, R as AuthOAuth2Client_GrantType, S as TailorDBType_Permission_Permit, T as IdPLang, V as AuthSCIMAttribute_Uniqueness, W as TenantProviderConfig_TenantProviderType, X as PageDirection, Y as FilterSchema, Z as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as ConditionSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Mutability } from "./client-CN15WgW2.mjs";
 import { t as db } from "./schema-D27cW0Ca.mjs";
 import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-qz-Y4sBV.mjs";
 import { t as readPackageJson } from "./package-json-CfUqjJaQ.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-BnJRroGX.mjs";
+import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-BwboBFcU.mjs";
 import { r as withSpan } from "./telemetry-CREcGK8y.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
@@ -1763,6 +1763,99 @@ async function applyFunctionRegistry(client, workspaceId, result, phase = "creat
 	})));
 }
 
+//#endregion
+//#region src/parser/service/idp/permission.ts
+const operatorMap = {
+	"=": "eq",
+	"!=": "ne",
+	in: "in",
+	"not in": "nin"
+};
+function normalizeOperand(operand) {
+	if (typeof operand === "object" && !Array.isArray(operand) && "user" in operand) return { user: operand.user === "id" ? "_id" : operand.user };
+	return operand;
+}
+function normalizeConditions(conditions) {
+	return conditions.map((cond) => {
+		const [left, operator, right] = cond;
+		return [
+			normalizeOperand(left),
+			operatorMap[operator],
+			normalizeOperand(right)
+		];
+	});
+}
+function isObjectFormat(p) {
+	return typeof p === "object" && p !== null && "conditions" in p;
+}
+function isSingleArrayConditionFormat(cond) {
+	return cond.length >= 2 && typeof cond[1] === "string";
+}
+/**
+* Normalize a single IdP action permission into the standard format.
+* @param permission - Raw permission definition
+* @returns Normalized action permission
+*/
+function normalizeIdPActionPermission(permission) {
+	if (isObjectFormat(permission)) {
+		const conditions = permission.conditions;
+		return {
+			conditions: normalizeConditions(isSingleArrayConditionFormat(conditions) ? [conditions] : conditions),
+			permit: permission.permit ? "allow" : "deny",
+			description: permission.description
+		};
+	}
+	if (!Array.isArray(permission)) throw new Error("Invalid permission format");
+	if (isSingleArrayConditionFormat(permission)) {
+		const [op1, operator, op2, permit] = [...permission, true];
+		return {
+			conditions: normalizeConditions([[
+				op1,
+				operator,
+				op2
+			]]),
+			permit: permit ? "allow" : "deny"
+		};
+	}
+	const conditions = [];
+	const conditionArray = permission;
+	let conditionArrayPermit = true;
+	for (const item of conditionArray) {
+		if (typeof item === "boolean") {
+			conditionArrayPermit = item;
+			continue;
+		}
+		conditions.push(item);
+	}
+	return {
+		conditions: normalizeConditions(conditions),
+		permit: conditionArrayPermit ? "allow" : "deny"
+	};
+}
+/**
+* Normalize raw IdP permission into standard form.
+* @param permission - Raw IdP permission from user config
+* @returns Normalized IdP permission
+*/
+function normalizeIdPPermission(permission) {
+	return {
+		create: permission.create.map((p) => normalizeIdPActionPermission(p)),
+		read: permission.read.map((p) => normalizeIdPActionPermission(p)),
+		update: permission.update.map((p) => normalizeIdPActionPermission(p)),
+		delete: permission.delete.map((p) => normalizeIdPActionPermission(p)),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => normalizeIdPActionPermission(p))
+	};
+}
+/**
+* Parse raw IdP permission, returning undefined if not set.
+* @param rawPermission - Raw permission from parsed config
+* @returns Normalized permission or undefined
+*/
+function parseIdPPermission(rawPermission) {
+	if (!rawPermission) return;
+	return normalizeIdPPermission(rawPermission);
+}
+
 //#endregion
 //#region src/cli/commands/apply/idp.ts
 /**
@@ -1910,7 +2003,27 @@ function normalizeComparableIdPService(input) {
 		userAuthPolicy: input.userAuthPolicy,
 		publishUserEvents: input.publishUserEvents,
 		disableGqlOperations: input.disableGqlOperations,
-		emailConfig: input.emailConfig
+		emailConfig: input.emailConfig,
+		permission: input.permission
+	};
+}
+function normalizeComparablePermission(permission) {
+	if (!permission) return;
+	const normalizePolicy = (policy) => ({
+		conditions: policy.conditions.map((c) => ({
+			left: c.left ? { kind: c.left.kind } : void 0,
+			operator: c.operator,
+			right: c.right ? { kind: c.right.kind } : void 0
+		})),
+		permit: policy.permit,
+		description: policy.description
+	});
+	return {
+		create: permission.create.map(normalizePolicy),
+		read: permission.read.map(normalizePolicy),
+		update: permission.update.map(normalizePolicy),
+		delete: permission.delete.map(normalizePolicy),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map(normalizePolicy)
 	};
 }
 function areIdPServicesEqual(existing, desired) {
@@ -1920,7 +2033,8 @@ function areIdPServicesEqual(existing, desired) {
 		userAuthPolicy: normalizeComparableUserAuthPolicy(existing.userAuthPolicy),
 		publishUserEvents: existing.publishUserEvents,
 		disableGqlOperations: normalizeComparableDisableGqlOperations(existing.disableGqlOperations),
-		emailConfig: normalizeComparableEmailConfig(existing.emailConfig)
+		emailConfig: normalizeComparableEmailConfig(existing.emailConfig),
+		permission: normalizeComparablePermission(existing.permission)
 	}), desired);
 }
 async function planServices$3(client, workspaceId, appName, idps) {
@@ -1971,13 +2085,17 @@ async function planServices$3(client, workspaceId, appName, idps) {
 		const userAuthPolicy = idp.userAuthPolicy;
 		const publishUserEvents = idp.publishUserEvents ?? false;
 		const emailConfig = idp.emailConfig;
+		if (!idp.permission) logger.warn(`IdP service "${namespaceName}" has no permission configured.`);
+		const parsedPermission = parseIdPPermission(idp.permission);
+		const protoPermission = parsedPermission ? protoIdPPermission(parsedPermission) : void 0;
 		const desired = normalizeComparableIdPService({
 			authorization,
 			lang,
 			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicy),
 			publishUserEvents,
 			disableGqlOperations: normalizeComparableDisableGqlOperations(convertGqlOperationsToDisable(idp.gqlOperations)),
-			emailConfig: normalizeComparableEmailConfig(emailConfig)
+			emailConfig: normalizeComparableEmailConfig(emailConfig),
+			permission: protoPermission
 		});
 		const request = {
 			workspaceId,
@@ -1987,7 +2105,8 @@ async function planServices$3(client, workspaceId, appName, idps) {
 			userAuthPolicy,
 			publishUserEvents,
 			disableGqlOperations: convertGqlOperationsToDisable(idp.gqlOperations),
-			emailConfig
+			emailConfig,
+			permission: protoPermission
 		};
 		if (existing) {
 			const isManagedByApp = existing.label === appName;
@@ -2119,6 +2238,81 @@ function convertGqlOperationsToDisable(gqlOperations) {
 		sendPasswordResetEmail: gqlOperations.sendPasswordResetEmail === false
 	};
 }
+function protoIdPPermission(permission) {
+	return {
+		create: permission.create.map((p) => protoIdPPolicy(p)),
+		read: permission.read.map((p) => protoIdPPolicy(p)),
+		update: permission.update.map((p) => protoIdPPolicy(p)),
+		delete: permission.delete.map((p) => protoIdPPolicy(p)),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => protoIdPPolicy(p))
+	};
+}
+function protoIdPPolicy(policy) {
+	let permit;
+	switch (policy.permit) {
+		case "allow":
+			permit = IdPPermissionPermit.ALLOW;
+			break;
+		case "deny":
+			permit = IdPPermissionPermit.DENY;
+			break;
+		default: throw new Error(`Unknown permission: ${policy.permit}`);
+	}
+	return {
+		conditions: policy.conditions.map((cond) => protoIdPCondition(cond)),
+		permit,
+		description: policy.description
+	};
+}
+function protoIdPCondition(condition) {
+	const [left, operator, right] = condition;
+	const l = protoIdPOperand(left);
+	const r = protoIdPOperand(right);
+	let op;
+	switch (operator) {
+		case "eq":
+			op = IdPPermissionOperator.EQ;
+			break;
+		case "ne":
+			op = IdPPermissionOperator.NE;
+			break;
+		case "in":
+			op = IdPPermissionOperator.IN;
+			break;
+		case "nin":
+			op = IdPPermissionOperator.NIN;
+			break;
+		default: throw new Error(`Unknown operator: ${operator}`);
+	}
+	return {
+		left: l,
+		operator: op,
+		right: r
+	};
+}
+function protoIdPOperand(operand) {
+	if (typeof operand === "object" && !Array.isArray(operand)) if ("user" in operand) return { kind: {
+		case: "userField",
+		value: operand.user
+	} };
+	else if ("idpUser" in operand) return { kind: {
+		case: "idpUserField",
+		value: operand.idpUser
+	} };
+	else if ("newIdpUser" in operand) return { kind: {
+		case: "newIdpUserField",
+		value: operand.newIdpUser
+	} };
+	else if ("oldIdpUser" in operand) return { kind: {
+		case: "oldIdpUserField",
+		value: operand.oldIdpUser
+	} };
+	else throw new Error(`Unknown operand: ${JSON.stringify(operand)}`);
+	return { kind: {
+		case: "value",
+		value: fromJson(ValueSchema, operand)
+	} };
+}
 
 //#endregion
 //#region src/cli/commands/apply/auth.ts
@@ -2447,7 +2641,8 @@ function protoIdPConfig(idpConfig) {
 				case: "saml",
 				value: {
 					...idpConfig.metadataURL !== void 0 ? { metadataUrl: idpConfig.metadataURL } : { rawMetadata: idpConfig.rawMetadata },
-					enableSignRequest: idpConfig.enableSignRequest
+					enableSignRequest: idpConfig.enableSignRequest,
+					defaultRedirectUrl: idpConfig.defaultRedirectURL
 				}
 			} }
 		};
@@ -4145,6 +4340,7 @@ async function planSecretManager(context) {
 		};
 	}));
 	const state = loadSecretsState();
+	const skippedSecrets = [];
 	await Promise.all(secretVaults.map(async (vault) => {
 		const vaultName = vault.vaultName;
 		const existing = existingVaults[vaultName];
@@ -4185,24 +4381,31 @@ async function planSecretManager(context) {
 			}
 		})).map((s) => s.name);
 		const existingSet = new Set(existingSecrets);
-		for (const secret of vault.secrets) if (existingSet.has(secret.name)) {
-			const currentHash = hashValue(secret.value);
-			const storedHash = state.vaults[vaultName]?.[secret.name];
-			if (forceApplyAll || currentHash !== storedHash) secretChangeSet.updates.push({
+		for (const secret of vault.secrets) {
+			if (secret.value == null) {
+				existingSet.delete(secret.name);
+				skippedSecrets.push(`${vaultName}/${secret.name}`);
+				continue;
+			}
+			if (existingSet.has(secret.name)) {
+				const currentHash = hashValue(secret.value);
+				const storedHash = state.vaults[vaultName]?.[secret.name];
+				if (forceApplyAll || currentHash !== storedHash) secretChangeSet.updates.push({
+					name: `${vaultName}/${secret.name}`,
+					secretName: secret.name,
+					workspaceId,
+					vaultName,
+					value: secret.value
+				});
+				existingSet.delete(secret.name);
+			} else secretChangeSet.creates.push({
 				name: `${vaultName}/${secret.name}`,
 				secretName: secret.name,
 				workspaceId,
 				vaultName,
 				value: secret.value
 			});
-			existingSet.delete(secret.name);
-		} else secretChangeSet.creates.push({
-			name: `${vaultName}/${secret.name}`,
-			secretName: secret.name,
-			workspaceId,
-			vaultName,
-			value: secret.value
-		});
+		}
 		for (const orphanName of existingSet) secretChangeSet.deletes.push({
 			name: `${vaultName}/${orphanName}`,
 			secretName: orphanName,
@@ -4243,9 +4446,14 @@ async function planSecretManager(context) {
 	}
 	vaultChangeSet.print();
 	secretChangeSet.print();
+	if (skippedSecrets.length > 0) {
+		logger.log(styles.bold("Secret Manager secrets (skipped - no value provided):"));
+		for (const name of skippedSecrets) logger.log(`  ${styles.dim("○")} ${name}`);
+	}
 	return {
 		vaultChangeSet,
 		secretChangeSet,
+		skippedSecrets,
 		conflicts,
 		unmanaged,
 		resourceOwners
@@ -4295,7 +4503,7 @@ async function applySecretManager(client, result, phase = "create-update", appli
 			const state = loadSecretsState();
 			for (const vault of application.secrets) {
 				if (!state.vaults[vault.vaultName]) state.vaults[vault.vaultName] = {};
-				for (const secret of vault.secrets) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
+				for (const secret of vault.secrets) if (secret.value != null) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
 			}
 			saveSecretsState(state);
 		}
@@ -11925,7 +12133,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-mGasp_EX.mjs");
+	const { defineApplication } = await import("./application-BB5TqXWY.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -14128,4 +14336,4 @@ function isDeno() {
 
 //#endregion
 export { getFolder as $, getNextMigrationNumber as $t, listWorkflows as A, functionExecutionStatusToString as At, updateCommand$1 as B, DB_TYPES_FILE_NAME as Bt, listApps as C, startCommand as Ct, resumeCommand as D, executionsCommand as Dt, healthCommand as E, getWorkflow as Et, show as F, executeScript as Ft, listOrganizations as G, compareLocalTypesWithSnapshot as Gt, organizationTree as H, INITIAL_SCHEMA_NUMBER as Ht, showCommand as I, waitForExecution$1 as It, updateCommand$2 as J, formatMigrationNumber as Jt, getCommand$1 as K, compareSnapshots as Kt, logBetaWarning as L, MIGRATION_LABEL_KEY as Lt, truncateCommand as M, getCommand$5 as Mt, generate as N, getExecutor as Nt, resumeWorkflow as O, getWorkflowExecution as Ot, generateCommand as P, apply as Pt, getCommand$2 as Q, getMigrationFiles as Qt, remove as R, parseMigrationLabelNumber as Rt, createWorkspace as S, watchExecutorJob as St, getAppHealth as T, getCommand$4 as Tt, treeCommand as U, MIGRATE_FILE_NAME as Ut, updateOrganization as V, DIFF_FILE_NAME as Vt, listCommand$4 as W, SCHEMA_FILE_NAME as Wt, listCommand$5 as X, getMigrationDirPath as Xt, updateFolder as Y, getLatestMigrationNumber as Yt, listFolders as Z, getMigrationFilePath as Zt, getCommand as _, isVerbose as _n, listCommand$8 as _t, updateCommand as a, hasChanges as an, listOAuth2Clients as at, deleteWorkspace as b, jobsCommand as bt, removeUser as c, sdkNameLabelKey as cn, getMachineUserToken as ct, inviteCommand as d, apiCall as dn, listMachineUsers as dt, isValidMigrationNumber as en, deleteCommand$1 as et, inviteUser as f, apiCommand as fn, generate$1 as ft, listWorkspaces as g, deploymentArgs as gn, triggerExecutor as gt, listCommand$1 as h, confirmationArgs as hn, triggerCommand as ht, isCLIError as i, formatMigrationDiff as in, listCommand$6 as it, truncate as j, formatKeyValueTable as jt, listCommand$3 as k, listWorkflowExecutions as kt, listCommand as l, trnPrefix as ln, tokenCommand as lt, restoreWorkspace as m, commonArgs as mn, webhookCommand as mt, query as n, reconstructSnapshotFromMigrations as nn, createCommand$1 as nt, updateUser as o, getNamespacesWithMigrations as on, getCommand$3 as ot, restoreCommand as p, defineAppCommand as pn, listWebhookExecutors as pt, getOrganization as q, createSnapshotFromLocalTypes as qt, queryCommand as r, formatDiffSummary as rn, createFolder as rt, removeCommand as s, prompt as sn, getOAuth2Client as st, isNativeTypeScriptRuntime as t, loadDiff as tn, deleteFolder as tt, listUsers as u, generateUserTypes as un, listCommand$7 as ut, getWorkspace as v, workspaceArgs as vn, listExecutors as vt, listCommand$2 as w, startWorkflow as wt, createCommand as x, listExecutorJobs as xt, deleteCommand as y, getExecutorJob as yt, removeCommand$1 as z, bundleMigrationScript as zt };
-//# sourceMappingURL=runtime-D4O-RfcH.mjs.map
+//# sourceMappingURL=runtime-C7RRDaB3.mjs.map