@tailor-platform/sdk 1.35.2 → 1.36.0

package/dist/utils/test/index.d.mts

@@ -1,6 +1,6 @@
 /// <reference types="@tailor-platform/function-types" />
-import { U as TailorDBType, rt as TailorField } from "../../plugin-D8hKE6rZ.mjs";
-import { et as WORKFLOW_TEST_ENV_KEY, n as output } from "../../index--9iVDOXn.mjs";
+import { U as TailorDBType, rt as TailorField } from "../../plugin-CiPUxkyN.mjs";
+import { n as output, rt as WORKFLOW_TEST_ENV_KEY } from "../../index-CYaunQeL.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/utils/test/mock.d.ts

package/dist/{workflow.generated-DMt8PNVd.d.mts → workflow.generated-8BeGQsVU.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { Pt as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-D8hKE6rZ.mjs";
+import { Nt as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-CiPUxkyN.mjs";
 
 //#region src/types/idp.generated.d.ts
 /**
@@ -59,6 +59,193 @@ type IdPInput = {
   emailConfig?: {
     fromName?: string | undefined;
     passwordResetSubject?: string | undefined;
+  } | undefined; /** Per-operation permission policies for IdP users */
+  permission?: {
+    create: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    read: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    update: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    delete: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    sendPasswordResetEmail: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
   } | undefined;
 };
 //#endregion
@@ -77,6 +264,7 @@ type IdPExternalConfig = {
 };
 type IdPOwnConfig = Omit<DefinedIdp<string, IdPInput, string>, "provider">;
 type IdPConfig = IdPOwnConfig | IdPExternalConfig;
+type IdPUserField = "id" | "name" | "disabled";
 //#endregion
 //#region src/configure/services/secrets/index.d.ts
 declare const secretsDefinitionBrand: unique symbol;
@@ -84,8 +272,15 @@ type SecretsDefinitionBrand = {
   readonly [secretsDefinitionBrand]: true;
 };
 type SecretsVaultInput = Record<string, string>;
+type SecretsVaultInputNullish = Record<string, string | undefined | null>;
 type SecretsInput = Record<string, SecretsVaultInput>;
-type DefinedSecrets<T extends SecretsInput> = {
+type SecretsInputNullish = Record<string, SecretsVaultInputNullish>;
+type SecretsOptions = {
+  readonly ignoreNullishValues: boolean;
+};
+type DefinedSecrets<T extends SecretsInputNullish> = {
+  readonly vaults: T;
+  readonly options: SecretsOptions;
   get<V extends Extract<keyof T, string>, S extends Extract<keyof T[V], string>>(vault: V, secret: S): Promise<string | undefined>;
   getAll<V extends Extract<keyof T, string>, S extends Extract<keyof T[V], string>>(vault: V, secrets: readonly S[]): Promise<(string | undefined)[]>;
 } & SecretsDefinitionBrand;
@@ -98,6 +293,19 @@ type SecretsConfig = Omit<ReturnType<typeof defineSecretManager>, "get" | "getAl
  * @returns Defined secrets with typed runtime access methods
  */
 declare function defineSecretManager<const T extends SecretsInput>(config: T): DefinedSecrets<T>;
+/**
+ * Define secrets configuration for the Tailor SDK with ignoreNullishValues option.
+ * When `ignoreNullishValues` is true, secrets with nullish values are skipped during deploy
+ * instead of causing an error. This is useful for CI environments where not all
+ * secret values are available.
+ * @param config - Secrets configuration mapping vault names to their secrets
+ * @param options - Options for secret management behavior
+ * @param options.ignoreNullishValues - When true, secrets with nullish values are skipped during deploy
+ * @returns Defined secrets with typed runtime access methods
+ */
+declare function defineSecretManager<const T extends SecretsInputNullish>(config: T, options: {
+  ignoreNullishValues: true;
+}): DefinedSecrets<T>;
 //#endregion
 //#region src/types/staticwebsite.generated.d.ts
 type StaticWebsite = {
@@ -202,5 +410,5 @@ type RetryPolicy = {
   backoffMultiplier: number;
 };
 //#endregion
-export { IdPEmailConfig as _, ResolverExternalConfig as a, IdPInput as b, WorkflowServiceConfig as c, defineStaticWebSite as d, SecretsConfig as f, IdpDefinitionBrand as g, IdPExternalConfig as h, ExecutorServiceInput as i, WorkflowServiceInput as l, IdPConfig as m, AppConfig as n, ResolverServiceConfig as o, defineSecretManager as p, ExecutorServiceConfig as r, ResolverServiceInput as s, RetryPolicy as t, StaticWebsiteConfig as u, IdPGqlOperations as v, IdPGqlOperationsInput as y };
-//# sourceMappingURL=workflow.generated-DMt8PNVd.d.mts.map
+export { IdpDefinitionBrand as _, ResolverExternalConfig as a, IdPGqlOperationsInput as b, WorkflowServiceConfig as c, defineStaticWebSite as d, SecretsConfig as f, IdPUserField as g, IdPExternalConfig as h, ExecutorServiceInput as i, WorkflowServiceInput as l, IdPConfig as m, AppConfig as n, ResolverServiceConfig as o, defineSecretManager as p, ExecutorServiceConfig as r, ResolverServiceInput as s, RetryPolicy as t, StaticWebsiteConfig as u, IdPEmailConfig as v, IdPInput as x, IdPGqlOperations as y };
+//# sourceMappingURL=workflow.generated-8BeGQsVU.d.mts.map

package/docs/services/idp.md

@@ -99,6 +99,56 @@ defineIdp("my-idp", {
 
 **Validation:** Each field must be 200 characters or less and must not contain newline characters.
 
+### permission
+
+Per-operation permission policies for IdP user management. Controls who can create, read, update, delete users, and send password reset emails.
+
+```typescript
+defineIdp("my-idp", {
+  authorization: "loggedIn",
+  clients: ["my-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    update: [
+      { conditions: [[{ newIdpUser: "name" }, "!=", { oldIdpUser: "name" }]], permit: true },
+    ],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: true }],
+  },
+});
+```
+
+**Operations:**
+
+- `create` - Controls who can create IdP users
+- `read` - Controls who can read IdP users
+- `update` - Controls who can update IdP users
+- `delete` - Controls who can delete IdP users
+- `sendPasswordResetEmail` - Controls who can send password reset emails
+
+**Operands:**
+
+- `{ user: "field" }` - Authenticated user's attribute
+- `{ idpUser: "field" }` - IdP user field (for create/read/delete). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ oldIdpUser: "field" }` - Previous IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ newIdpUser: "field" }` - New IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- Literal values: `string`, `boolean`, `string[]`, `boolean[]`
+
+**Operators:** `"="`, `"!="`, `"in"`, `"not in"`
+
+**Helper:** `unsafeAllowAllIdPPermission` grants full access without conditions. Intended only for development and testing.
+
+```typescript
+import { unsafeAllowAllIdPPermission } from "@tailor-platform/sdk";
+
+defineIdp("my-idp", {
+  authorization: "loggedIn",
+  clients: ["my-client"],
+  permission: unsafeAllowAllIdPPermission,
+});
+```
+
 ## Using idp.provider()
 
 The `idp.provider()` method creates a type-safe reference to the IdP for use in Auth configuration. The client name is validated at compile time against the clients defined in the IdP.

package/docs/services/secret.md

@@ -64,6 +64,31 @@ export default defineConfig({
 
 The exported `secrets` object provides type-safe `get()` and `getAll()` methods for runtime access from resolvers, executors, and workflows.
 
+### Skipping Secrets with Missing Values
+
+In CI environments, you may not have all secret values available (e.g., secrets are already set on the platform and you don't want to duplicate them in CI environment variables). Use the `ignoreNullishValues` option to skip secrets whose values are `undefined` or `null`:
+
+```typescript
+export const secrets = defineSecretManager(
+  {
+    "api-keys": {
+      "stripe-secret-key": process.env.STRIPE_SECRET_KEY,
+      "sendgrid-api-key": process.env.SENDGRID_API_KEY,
+    },
+  },
+  { ignoreNullishValues: true },
+);
+```
+
+When `ignoreNullishValues: true`:
+
+- Secrets with a string value are created or updated as normal
+- Secrets with `undefined` or `null` values are **skipped** — they are not created, updated, or deleted
+- Skipped secrets are shown in the deploy output for visibility
+- Secrets removed from the config entirely are still deleted (orphan cleanup)
+
+This allows you to set secret values once (e.g., via local `tailor-sdk apply` or the CLI) and then deploy from CI without needing the actual values in CI environment variables.
+
 ## Using Secrets
 
 ### Runtime Access with `get()` / `getAll()`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.35.2",
+  "version": "1.36.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -83,6 +83,7 @@
     "@connectrpc/connect-node": "2.1.1",
     "@inquirer/core": "11.1.8",
     "@inquirer/prompts": "8.4.0",
+    "@jridgewell/trace-mapping": "0.3.31",
     "@liam-hq/cli": "0.7.24",
     "@napi-rs/keyring": "1.2.0",
     "@opentelemetry/api": "1.9.1",
@@ -138,9 +139,9 @@
     "@vitest/coverage-v8": "4.1.2",
     "eslint": "10.2.0",
     "eslint-plugin-jsdoc": "62.9.0",
-    "eslint-plugin-oxlint": "1.58.0",
+    "eslint-plugin-oxlint": "1.59.0",
     "oxfmt": "0.44.0",
-    "oxlint": "1.58.0",
+    "oxlint": "1.59.0",
     "oxlint-tsgolint": "0.20.0",
     "sonda": "0.11.1",
     "tsdown": "0.21.7",