@tailor-platform/sdk 1.35.2 → 1.36.0

package/dist/{runtime-D4O-RfcH.mjs → runtime-C7RRDaB3.mjs}

@@ -1,9 +1,9 @@
 
-import { A as ExecutorTriggerType, B as AuthSCIMConfig_AuthorizationType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_ClientType, G as ConditionSchema, H as TenantProviderConfig_TenantProviderType, I as AuthOAuth2Client_GrantType, J as PageDirection, K as Condition_Operator, L as AuthSCIMAttribute_Mutability, M as AuthHookPoint, N as AuthIDPConfig_AuthType, O as ExecutorJobStatus, P as AuthInvokerSchema, R as AuthSCIMAttribute_Type, S as TailorDBType_Permission_Permit, T as IdPLang, U as UserProfileProviderConfig_UserProfileProviderType, W as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthConnection_Type, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as FilterSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Uniqueness } from "./client-CA2NM_4R.mjs";
+import { A as ExecutorJobStatus, B as AuthSCIMAttribute_Type, C as TailorDBType_PermitAction, D as IdPPermissionPermit, E as IdPPermissionOperator, F as AuthIDPConfig_AuthType, G as UserProfileProviderConfig_UserProfileProviderType, H as AuthSCIMConfig_AuthorizationType, I as AuthInvokerSchema, J as Condition_Operator, K as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, L as AuthOAuth2Client_ClientType, M as ExecutorTriggerType, N as AuthConnection_Type, O as FunctionExecution_Status, P as AuthHookPoint, Q as Subgraph_ServiceType, R as AuthOAuth2Client_GrantType, S as TailorDBType_Permission_Permit, T as IdPLang, V as AuthSCIMAttribute_Uniqueness, W as TenantProviderConfig_TenantProviderType, X as PageDirection, Y as FilterSchema, Z as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as ConditionSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Mutability } from "./client-CN15WgW2.mjs";
 import { t as db } from "./schema-D27cW0Ca.mjs";
 import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-qz-Y4sBV.mjs";
 import { t as readPackageJson } from "./package-json-CfUqjJaQ.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-BnJRroGX.mjs";
+import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-BwboBFcU.mjs";
 import { r as withSpan } from "./telemetry-CREcGK8y.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
@@ -1763,6 +1763,99 @@ async function applyFunctionRegistry(client, workspaceId, result, phase = "creat
 	})));
 }
 
+//#endregion
+//#region src/parser/service/idp/permission.ts
+const operatorMap = {
+	"=": "eq",
+	"!=": "ne",
+	in: "in",
+	"not in": "nin"
+};
+function normalizeOperand(operand) {
+	if (typeof operand === "object" && !Array.isArray(operand) && "user" in operand) return { user: operand.user === "id" ? "_id" : operand.user };
+	return operand;
+}
+function normalizeConditions(conditions) {
+	return conditions.map((cond) => {
+		const [left, operator, right] = cond;
+		return [
+			normalizeOperand(left),
+			operatorMap[operator],
+			normalizeOperand(right)
+		];
+	});
+}
+function isObjectFormat(p) {
+	return typeof p === "object" && p !== null && "conditions" in p;
+}
+function isSingleArrayConditionFormat(cond) {
+	return cond.length >= 2 && typeof cond[1] === "string";
+}
+/**
+* Normalize a single IdP action permission into the standard format.
+* @param permission - Raw permission definition
+* @returns Normalized action permission
+*/
+function normalizeIdPActionPermission(permission) {
+	if (isObjectFormat(permission)) {
+		const conditions = permission.conditions;
+		return {
+			conditions: normalizeConditions(isSingleArrayConditionFormat(conditions) ? [conditions] : conditions),
+			permit: permission.permit ? "allow" : "deny",
+			description: permission.description
+		};
+	}
+	if (!Array.isArray(permission)) throw new Error("Invalid permission format");
+	if (isSingleArrayConditionFormat(permission)) {
+		const [op1, operator, op2, permit] = [...permission, true];
+		return {
+			conditions: normalizeConditions([[
+				op1,
+				operator,
+				op2
+			]]),
+			permit: permit ? "allow" : "deny"
+		};
+	}
+	const conditions = [];
+	const conditionArray = permission;
+	let conditionArrayPermit = true;
+	for (const item of conditionArray) {
+		if (typeof item === "boolean") {
+			conditionArrayPermit = item;
+			continue;
+		}
+		conditions.push(item);
+	}
+	return {
+		conditions: normalizeConditions(conditions),
+		permit: conditionArrayPermit ? "allow" : "deny"
+	};
+}
+/**
+* Normalize raw IdP permission into standard form.
+* @param permission - Raw IdP permission from user config
+* @returns Normalized IdP permission
+*/
+function normalizeIdPPermission(permission) {
+	return {
+		create: permission.create.map((p) => normalizeIdPActionPermission(p)),
+		read: permission.read.map((p) => normalizeIdPActionPermission(p)),
+		update: permission.update.map((p) => normalizeIdPActionPermission(p)),
+		delete: permission.delete.map((p) => normalizeIdPActionPermission(p)),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => normalizeIdPActionPermission(p))
+	};
+}
+/**
+* Parse raw IdP permission, returning undefined if not set.
+* @param rawPermission - Raw permission from parsed config
+* @returns Normalized permission or undefined
+*/
+function parseIdPPermission(rawPermission) {
+	if (!rawPermission) return;
+	return normalizeIdPPermission(rawPermission);
+}
+
 //#endregion
 //#region src/cli/commands/apply/idp.ts
 /**
@@ -1910,7 +2003,27 @@ function normalizeComparableIdPService(input) {
 		userAuthPolicy: input.userAuthPolicy,
 		publishUserEvents: input.publishUserEvents,
 		disableGqlOperations: input.disableGqlOperations,
-		emailConfig: input.emailConfig
+		emailConfig: input.emailConfig,
+		permission: input.permission
+	};
+}
+function normalizeComparablePermission(permission) {
+	if (!permission) return;
+	const normalizePolicy = (policy) => ({
+		conditions: policy.conditions.map((c) => ({
+			left: c.left ? { kind: c.left.kind } : void 0,
+			operator: c.operator,
+			right: c.right ? { kind: c.right.kind } : void 0
+		})),
+		permit: policy.permit,
+		description: policy.description
+	});
+	return {
+		create: permission.create.map(normalizePolicy),
+		read: permission.read.map(normalizePolicy),
+		update: permission.update.map(normalizePolicy),
+		delete: permission.delete.map(normalizePolicy),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map(normalizePolicy)
 	};
 }
 function areIdPServicesEqual(existing, desired) {
@@ -1920,7 +2033,8 @@ function areIdPServicesEqual(existing, desired) {
 		userAuthPolicy: normalizeComparableUserAuthPolicy(existing.userAuthPolicy),
 		publishUserEvents: existing.publishUserEvents,
 		disableGqlOperations: normalizeComparableDisableGqlOperations(existing.disableGqlOperations),
-		emailConfig: normalizeComparableEmailConfig(existing.emailConfig)
+		emailConfig: normalizeComparableEmailConfig(existing.emailConfig),
+		permission: normalizeComparablePermission(existing.permission)
 	}), desired);
 }
 async function planServices$3(client, workspaceId, appName, idps) {
@@ -1971,13 +2085,17 @@ async function planServices$3(client, workspaceId, appName, idps) {
 		const userAuthPolicy = idp.userAuthPolicy;
 		const publishUserEvents = idp.publishUserEvents ?? false;
 		const emailConfig = idp.emailConfig;
+		if (!idp.permission) logger.warn(`IdP service "${namespaceName}" has no permission configured.`);
+		const parsedPermission = parseIdPPermission(idp.permission);
+		const protoPermission = parsedPermission ? protoIdPPermission(parsedPermission) : void 0;
 		const desired = normalizeComparableIdPService({
 			authorization,
 			lang,
 			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicy),
 			publishUserEvents,
 			disableGqlOperations: normalizeComparableDisableGqlOperations(convertGqlOperationsToDisable(idp.gqlOperations)),
-			emailConfig: normalizeComparableEmailConfig(emailConfig)
+			emailConfig: normalizeComparableEmailConfig(emailConfig),
+			permission: protoPermission
 		});
 		const request = {
 			workspaceId,
@@ -1987,7 +2105,8 @@ async function planServices$3(client, workspaceId, appName, idps) {
 			userAuthPolicy,
 			publishUserEvents,
 			disableGqlOperations: convertGqlOperationsToDisable(idp.gqlOperations),
-			emailConfig
+			emailConfig,
+			permission: protoPermission
 		};
 		if (existing) {
 			const isManagedByApp = existing.label === appName;
@@ -2119,6 +2238,81 @@ function convertGqlOperationsToDisable(gqlOperations) {
 		sendPasswordResetEmail: gqlOperations.sendPasswordResetEmail === false
 	};
 }
+function protoIdPPermission(permission) {
+	return {
+		create: permission.create.map((p) => protoIdPPolicy(p)),
+		read: permission.read.map((p) => protoIdPPolicy(p)),
+		update: permission.update.map((p) => protoIdPPolicy(p)),
+		delete: permission.delete.map((p) => protoIdPPolicy(p)),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => protoIdPPolicy(p))
+	};
+}
+function protoIdPPolicy(policy) {
+	let permit;
+	switch (policy.permit) {
+		case "allow":
+			permit = IdPPermissionPermit.ALLOW;
+			break;
+		case "deny":
+			permit = IdPPermissionPermit.DENY;
+			break;
+		default: throw new Error(`Unknown permission: ${policy.permit}`);
+	}
+	return {
+		conditions: policy.conditions.map((cond) => protoIdPCondition(cond)),
+		permit,
+		description: policy.description
+	};
+}
+function protoIdPCondition(condition) {
+	const [left, operator, right] = condition;
+	const l = protoIdPOperand(left);
+	const r = protoIdPOperand(right);
+	let op;
+	switch (operator) {
+		case "eq":
+			op = IdPPermissionOperator.EQ;
+			break;
+		case "ne":
+			op = IdPPermissionOperator.NE;
+			break;
+		case "in":
+			op = IdPPermissionOperator.IN;
+			break;
+		case "nin":
+			op = IdPPermissionOperator.NIN;
+			break;
+		default: throw new Error(`Unknown operator: ${operator}`);
+	}
+	return {
+		left: l,
+		operator: op,
+		right: r
+	};
+}
+function protoIdPOperand(operand) {
+	if (typeof operand === "object" && !Array.isArray(operand)) if ("user" in operand) return { kind: {
+		case: "userField",
+		value: operand.user
+	} };
+	else if ("idpUser" in operand) return { kind: {
+		case: "idpUserField",
+		value: operand.idpUser
+	} };
+	else if ("newIdpUser" in operand) return { kind: {
+		case: "newIdpUserField",
+		value: operand.newIdpUser
+	} };
+	else if ("oldIdpUser" in operand) return { kind: {
+		case: "oldIdpUserField",
+		value: operand.oldIdpUser
+	} };
+	else throw new Error(`Unknown operand: ${JSON.stringify(operand)}`);
+	return { kind: {
+		case: "value",
+		value: fromJson(ValueSchema, operand)
+	} };
+}
 
 //#endregion
 //#region src/cli/commands/apply/auth.ts
@@ -2447,7 +2641,8 @@ function protoIdPConfig(idpConfig) {
 				case: "saml",
 				value: {
 					...idpConfig.metadataURL !== void 0 ? { metadataUrl: idpConfig.metadataURL } : { rawMetadata: idpConfig.rawMetadata },
-					enableSignRequest: idpConfig.enableSignRequest
+					enableSignRequest: idpConfig.enableSignRequest,
+					defaultRedirectUrl: idpConfig.defaultRedirectURL
 				}
 			} }
 		};
@@ -4145,6 +4340,7 @@ async function planSecretManager(context) {
 		};
 	}));
 	const state = loadSecretsState();
+	const skippedSecrets = [];
 	await Promise.all(secretVaults.map(async (vault) => {
 		const vaultName = vault.vaultName;
 		const existing = existingVaults[vaultName];
@@ -4185,24 +4381,31 @@ async function planSecretManager(context) {
 			}
 		})).map((s) => s.name);
 		const existingSet = new Set(existingSecrets);
-		for (const secret of vault.secrets) if (existingSet.has(secret.name)) {
-			const currentHash = hashValue(secret.value);
-			const storedHash = state.vaults[vaultName]?.[secret.name];
-			if (forceApplyAll || currentHash !== storedHash) secretChangeSet.updates.push({
+		for (const secret of vault.secrets) {
+			if (secret.value == null) {
+				existingSet.delete(secret.name);
+				skippedSecrets.push(`${vaultName}/${secret.name}`);
+				continue;
+			}
+			if (existingSet.has(secret.name)) {
+				const currentHash = hashValue(secret.value);
+				const storedHash = state.vaults[vaultName]?.[secret.name];
+				if (forceApplyAll || currentHash !== storedHash) secretChangeSet.updates.push({
+					name: `${vaultName}/${secret.name}`,
+					secretName: secret.name,
+					workspaceId,
+					vaultName,
+					value: secret.value
+				});
+				existingSet.delete(secret.name);
+			} else secretChangeSet.creates.push({
 				name: `${vaultName}/${secret.name}`,
 				secretName: secret.name,
 				workspaceId,
 				vaultName,
 				value: secret.value
 			});
-			existingSet.delete(secret.name);
-		} else secretChangeSet.creates.push({
-			name: `${vaultName}/${secret.name}`,
-			secretName: secret.name,
-			workspaceId,
-			vaultName,
-			value: secret.value
-		});
+		}
 		for (const orphanName of existingSet) secretChangeSet.deletes.push({
 			name: `${vaultName}/${orphanName}`,
 			secretName: orphanName,
@@ -4243,9 +4446,14 @@ async function planSecretManager(context) {
 	}
 	vaultChangeSet.print();
 	secretChangeSet.print();
+	if (skippedSecrets.length > 0) {
+		logger.log(styles.bold("Secret Manager secrets (skipped - no value provided):"));
+		for (const name of skippedSecrets) logger.log(`  ${styles.dim("○")} ${name}`);
+	}
 	return {
 		vaultChangeSet,
 		secretChangeSet,
+		skippedSecrets,
 		conflicts,
 		unmanaged,
 		resourceOwners
@@ -4295,7 +4503,7 @@ async function applySecretManager(client, result, phase = "create-update", appli
 			const state = loadSecretsState();
 			for (const vault of application.secrets) {
 				if (!state.vaults[vault.vaultName]) state.vaults[vault.vaultName] = {};
-				for (const secret of vault.secrets) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
+				for (const secret of vault.secrets) if (secret.value != null) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
 			}
 			saveSecretsState(state);
 		}
@@ -11925,7 +12133,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-mGasp_EX.mjs");
+	const { defineApplication } = await import("./application-BB5TqXWY.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -14128,4 +14336,4 @@ function isDeno() {
 
 //#endregion
 export { getFolder as $, getNextMigrationNumber as $t, listWorkflows as A, functionExecutionStatusToString as At, updateCommand$1 as B, DB_TYPES_FILE_NAME as Bt, listApps as C, startCommand as Ct, resumeCommand as D, executionsCommand as Dt, healthCommand as E, getWorkflow as Et, show as F, executeScript as Ft, listOrganizations as G, compareLocalTypesWithSnapshot as Gt, organizationTree as H, INITIAL_SCHEMA_NUMBER as Ht, showCommand as I, waitForExecution$1 as It, updateCommand$2 as J, formatMigrationNumber as Jt, getCommand$1 as K, compareSnapshots as Kt, logBetaWarning as L, MIGRATION_LABEL_KEY as Lt, truncateCommand as M, getCommand$5 as Mt, generate as N, getExecutor as Nt, resumeWorkflow as O, getWorkflowExecution as Ot, generateCommand as P, apply as Pt, getCommand$2 as Q, getMigrationFiles as Qt, remove as R, parseMigrationLabelNumber as Rt, createWorkspace as S, watchExecutorJob as St, getAppHealth as T, getCommand$4 as Tt, treeCommand as U, MIGRATE_FILE_NAME as Ut, updateOrganization as V, DIFF_FILE_NAME as Vt, listCommand$4 as W, SCHEMA_FILE_NAME as Wt, listCommand$5 as X, getMigrationDirPath as Xt, updateFolder as Y, getLatestMigrationNumber as Yt, listFolders as Z, getMigrationFilePath as Zt, getCommand as _, isVerbose as _n, listCommand$8 as _t, updateCommand as a, hasChanges as an, listOAuth2Clients as at, deleteWorkspace as b, jobsCommand as bt, removeUser as c, sdkNameLabelKey as cn, getMachineUserToken as ct, inviteCommand as d, apiCall as dn, listMachineUsers as dt, isValidMigrationNumber as en, deleteCommand$1 as et, inviteUser as f, apiCommand as fn, generate$1 as ft, listWorkspaces as g, deploymentArgs as gn, triggerExecutor as gt, listCommand$1 as h, confirmationArgs as hn, triggerCommand as ht, isCLIError as i, formatMigrationDiff as in, listCommand$6 as it, truncate as j, formatKeyValueTable as jt, listCommand$3 as k, listWorkflowExecutions as kt, listCommand as l, trnPrefix as ln, tokenCommand as lt, restoreWorkspace as m, commonArgs as mn, webhookCommand as mt, query as n, reconstructSnapshotFromMigrations as nn, createCommand$1 as nt, updateUser as o, getNamespacesWithMigrations as on, getCommand$3 as ot, restoreCommand as p, defineAppCommand as pn, listWebhookExecutors as pt, getOrganization as q, createSnapshotFromLocalTypes as qt, queryCommand as r, formatDiffSummary as rn, createFolder as rt, removeCommand as s, prompt as sn, getOAuth2Client as st, isNativeTypeScriptRuntime as t, loadDiff as tn, deleteFolder as tt, listUsers as u, generateUserTypes as un, listCommand$7 as ut, getWorkspace as v, workspaceArgs as vn, listExecutors as vt, listCommand$2 as w, startWorkflow as wt, createCommand as x, listExecutorJobs as xt, deleteCommand as y, getExecutorJob as yt, removeCommand$1 as z, bundleMigrationScript as zt };
-//# sourceMappingURL=runtime-D4O-RfcH.mjs.map
+//# sourceMappingURL=runtime-C7RRDaB3.mjs.map