@tailor-platform/sdk 1.35.2 → 1.37.0

package/dist/{runtime-D4O-RfcH.mjs → runtime-D9ejnCm6.mjs}

@@ -1,10 +1,10 @@
 
-import { A as ExecutorTriggerType, B as AuthSCIMConfig_AuthorizationType, C as TailorDBType_PermitAction, E as FunctionExecution_Status, F as AuthOAuth2Client_ClientType, G as ConditionSchema, H as TenantProviderConfig_TenantProviderType, I as AuthOAuth2Client_GrantType, J as PageDirection, K as Condition_Operator, L as AuthSCIMAttribute_Mutability, M as AuthHookPoint, N as AuthIDPConfig_AuthType, O as ExecutorJobStatus, P as AuthInvokerSchema, R as AuthSCIMAttribute_Type, S as TailorDBType_Permission_Permit, T as IdPLang, U as UserProfileProviderConfig_UserProfileProviderType, W as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as AuthConnection_Type, k as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as FilterSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Uniqueness } from "./client-CA2NM_4R.mjs";
-import { t as db } from "./schema-D27cW0Ca.mjs";
-import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-qz-Y4sBV.mjs";
-import { t as readPackageJson } from "./package-json-CfUqjJaQ.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-BnJRroGX.mjs";
-import { r as withSpan } from "./telemetry-CREcGK8y.mjs";
+import { A as ExecutorJobStatus, B as AuthSCIMAttribute_Type, C as TailorDBType_PermitAction, D as IdPPermissionPermit, E as IdPPermissionOperator, F as AuthIDPConfig_AuthType, G as UserProfileProviderConfig_UserProfileProviderType, H as AuthSCIMConfig_AuthorizationType, I as AuthInvokerSchema, J as Condition_Operator, K as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, L as AuthOAuth2Client_ClientType, M as ExecutorTriggerType, N as AuthConnection_Type, O as FunctionExecution_Status, P as AuthHookPoint, Q as Subgraph_ServiceType, R as AuthOAuth2Client_GrantType, S as TailorDBType_Permission_Permit, T as IdPLang, V as AuthSCIMAttribute_Uniqueness, W as TenantProviderConfig_TenantProviderType, X as PageDirection, Y as FilterSchema, Z as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as ConditionSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Mutability } from "./client-DllDLYmZ.mjs";
+import { t as db } from "./schema-CnwUqPyM.mjs";
+import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-C8qBDCKO.mjs";
+import { t as readPackageJson } from "./package-json-BHViVisJ.mjs";
+import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-qRGMV8Tr.mjs";
+import { r as withSpan } from "./telemetry-DwHuiNiR.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
@@ -463,9 +463,10 @@ function extractAttributesFromConfig(config) {
 * @param attributeMap - Attribute map configuration
 * @param attributeList - Attribute list configuration
 * @param env - Environment configuration
+* @param machineUserNames - Registered machine user names (used to narrow `authInvoker` strings)
 * @returns Generated type definition source
 */
-function generateTypeDefinition(attributeMap, attributeList, env) {
+function generateTypeDefinition(attributeMap, attributeList, env, machineUserNames) {
 	const mapFields = attributeMap ? Object.entries(attributeMap).map(([key, value]) => `    ${key}: ${value};`).join("\n") : "";
 	const mapBody = !attributeMap || Object.keys(attributeMap).length === 0 ? "{}" : `{
 ${mapFields}
@@ -476,6 +477,11 @@ ${mapFields}
 	const envFields = env ? Object.entries(env).map(([key, value]) => {
 		return `    ${key}: ${typeof value === "string" ? `"${value}"` : String(value)};`;
 	}).join("\n") : "";
+	const envBody = !env || Object.keys(env).length === 0 ? "{}" : `{
+${envFields}
+  }`;
+	const isValidIdentifier = (s) => /^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(s);
+	const machineUserFields = machineUserNames?.length ? machineUserNames.map((name) => `    ${isValidIdentifier(name) ? name : JSON.stringify(name)}: true;`).join("\n") : "";
 	return ml`
 // This file is auto-generated by @tailor-platform/sdk
 // Do not edit this file manually
@@ -484,8 +490,9 @@ ${mapFields}
 declare module "@tailor-platform/sdk" {
   interface AttributeMap ${mapBody}
   interface AttributeList ${listBody}
-  interface Env ${!env || Object.keys(env).length === 0 ? "{}" : `{
-${envFields}
+  interface Env ${envBody}
+  interface MachineUserNameRegistry ${!machineUserNames || machineUserNames.length === 0 ? "{}" : `{
+${machineUserFields}
   }`}
 }
 
@@ -496,6 +503,8 @@ export {};
 function collectAttributesFromConfig(config) {
 	const auth = config.auth;
 	if (!auth || typeof auth !== "object") return {};
+	const machineUsersObj = auth.machineUsers;
+	const machineUserNames = machineUsersObj && typeof machineUsersObj === "object" ? Object.keys(machineUsersObj) : void 0;
 	const inferAttributeType = (field) => {
 		const type = field?.type;
 		const metadata = field?.metadata;
@@ -516,18 +525,22 @@ function collectAttributesFromConfig(config) {
 				acc[key] = inferAttributeType(fields?.[key]);
 				return acc;
 			}, {}) : void 0,
-			attributeList
+			attributeList,
+			machineUserNames
 		};
 	}
 	if ("machineUserAttributes" in auth) {
 		const machineUserAttributes = auth.machineUserAttributes;
-		if (!machineUserAttributes) return {};
-		return { attributeMap: Object.entries(machineUserAttributes).reduce((acc, [key, field]) => {
-			acc[key] = inferAttributeType(field);
-			return acc;
-		}, {}) };
+		if (!machineUserAttributes) return { machineUserNames };
+		return {
+			attributeMap: Object.entries(machineUserAttributes).reduce((acc, [key, field]) => {
+				acc[key] = inferAttributeType(field);
+				return acc;
+			}, {}),
+			machineUserNames
+		};
 	}
-	return {};
+	return { machineUserNames };
 }
 /**
 * Resolve the output path for the generated type definition file.
@@ -545,13 +558,14 @@ function resolveTypeDefinitionPath(configPath) {
 async function generateUserTypes(options) {
 	const { config, configPath } = options;
 	try {
-		const { attributeMap, attributeList } = extractAttributesFromConfig(config);
+		const { attributeMap, attributeList, machineUserNames } = extractAttributesFromConfig(config);
 		if (!attributeMap && !attributeList) logger.info("No attributes found in configuration", { mode: "plain" });
 		if (attributeMap) logger.debug(`Extracted AttributeMap: ${JSON.stringify(attributeMap)}`);
 		if (attributeList) logger.debug(`Extracted AttributeList: ${JSON.stringify(attributeList)}`);
+		if (machineUserNames?.length) logger.debug(`Extracted MachineUserNames: ${JSON.stringify(machineUserNames)}`);
 		const env = config.env;
 		if (env) logger.debug(`Extracted Env: ${JSON.stringify(env)}`);
-		const typeDefContent = generateTypeDefinition(attributeMap, attributeList, env);
+		const typeDefContent = generateTypeDefinition(attributeMap, attributeList, env, machineUserNames);
 		const outputPath = resolveTypeDefinitionPath(configPath);
 		fs$1.mkdirSync(path.dirname(outputPath), { recursive: true });
 		fs$1.writeFileSync(outputPath, typeDefContent);
@@ -945,7 +959,6 @@ function formatPlanSummary(summary) {
 		`${summary.delete} to delete`
 	];
 	if (summary.replace > 0) parts.push(`${summary.replace} to replace`);
-	parts.push(`${summary.unchanged} unchanged`);
 	return `Plan: ${parts.join(", ")}`;
 }
 
@@ -1133,13 +1146,9 @@ async function planApplication(context) {
 				applicationName: application.name
 			}
 		});
-		changeSet.print();
-		return changeSet;
-	}
-	if (application.subgraphs.length === 0) {
-		changeSet.print();
 		return changeSet;
 	}
+	if (application.subgraphs.length === 0) return changeSet;
 	let authNamespace;
 	let authIdpConfigName;
 	if (application.authService && application.authService.config) {
@@ -1191,7 +1200,6 @@ async function planApplication(context) {
 		request,
 		metaRequest
 	});
-	changeSet.print();
 	return changeSet;
 }
 function protoSubgraph(subgraph) {
@@ -1501,6 +1509,10 @@ function computeContentHash(content) {
 function functionRegistryTrn$1(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
 }
+const RESOLVER_PREFIX = "resolver--";
+const EXECUTOR_PREFIX = "executor--";
+const WORKFLOW_PREFIX = "workflow--";
+const AUTH_HOOK_PREFIX = "auth-hook--";
 /**
 * Build a function registry name for a resolver.
 * @param namespace - Resolver namespace
@@ -1508,7 +1520,7 @@ function functionRegistryTrn$1(workspaceId, name) {
 * @returns Function registry name
 */
 function resolverFunctionName(namespace, resolverName) {
-	return `resolver--${namespace}--${resolverName}`;
+	return `${RESOLVER_PREFIX}${namespace}--${resolverName}`;
 }
 /**
 * Build a function registry name for an executor.
@@ -1516,7 +1528,7 @@ function resolverFunctionName(namespace, resolverName) {
 * @returns Function registry name
 */
 function executorFunctionName(executorName) {
-	return `executor--${executorName}`;
+	return `${EXECUTOR_PREFIX}${executorName}`;
 }
 /**
 * Build a function registry name for a workflow job.
@@ -1524,7 +1536,50 @@ function executorFunctionName(executorName) {
 * @returns Function registry name
 */
 function workflowJobFunctionName(jobName) {
-	return `workflow--${jobName}`;
+	return `${WORKFLOW_PREFIX}${jobName}`;
+}
+/**
+* Split function registry changes into grouped buckets by resource-name prefix.
+* @param changeSet - Function registry change set
+* @returns Grouped function registry changes by resource kind
+*/
+function splitFunctionRegistryChanges(changeSet) {
+	function partition(items) {
+		const buckets = {
+			workflowJob: [],
+			resolver: [],
+			executor: [],
+			authHook: [],
+			other: []
+		};
+		for (const item of items) if (item.name.startsWith("workflow--")) buckets.workflowJob.push(item);
+		else if (item.name.startsWith("resolver--")) buckets.resolver.push(item);
+		else if (item.name.startsWith("executor--")) buckets.executor.push(item);
+		else if (item.name.startsWith("auth-hook--")) buckets.authHook.push(item);
+		else buckets.other.push(item);
+		return buckets;
+	}
+	const creates = partition(changeSet.creates);
+	const updates = partition(changeSet.updates);
+	const deletes = partition(changeSet.deletes);
+	const replaces = partition(changeSet.replaces);
+	const unchanged = partition(changeSet.unchanged);
+	function collect(key) {
+		return {
+			creates: creates[key],
+			updates: updates[key],
+			deletes: deletes[key],
+			replaces: replaces[key],
+			unchanged: unchanged[key]
+		};
+	}
+	return {
+		workflowJobChanges: collect("workflowJob"),
+		resolverFunctionChanges: collect("resolver"),
+		executorFunctionChanges: collect("executor"),
+		authHookFunctionChanges: collect("authHook"),
+		otherChanges: collect("other")
+	};
 }
 /**
 * Build a function registry name for an auth hook.
@@ -1687,9 +1742,13 @@ async function planFunctionRegistry(client, workspaceId, appName, entries) {
 			workspaceId
 		});
 	}
-	changeSet.print();
+	const { workflowJobChanges, resolverFunctionChanges, executorFunctionChanges, authHookFunctionChanges } = splitFunctionRegistryChanges(changeSet);
 	return {
 		changeSet,
+		workflowJobChanges,
+		resolverFunctionChanges,
+		executorFunctionChanges,
+		authHookFunctionChanges,
 		conflicts,
 		unmanaged,
 		resourceOwners
@@ -1763,6 +1822,321 @@ async function applyFunctionRegistry(client, workspaceId, result, phase = "creat
 	})));
 }
 
+//#endregion
+//#region src/cli/commands/apply/grouped-display.ts
+/**
+* Convert grouped function registry changes into mutable name sets.
+* @param changes - Grouped function registry changes
+* @returns Mutable name sets keyed by action
+*/
+function createRelatedFunctionRegistryNameSets(changes) {
+	return {
+		creates: new Set(changes?.creates.map((item) => item.name) ?? []),
+		updates: new Set(changes?.updates.map((item) => item.name) ?? []),
+		deletes: new Set(changes?.deletes.map((item) => item.name) ?? []),
+		replaces: new Set(changes?.replaces.map((item) => item.name) ?? [])
+	};
+}
+const ACTION_SYMBOLS = {
+	create: symbols.create,
+	update: symbols.update,
+	delete: symbols.delete,
+	replace: symbols.replace
+};
+/**
+* Convert a plain change set into grouped display entries.
+* @param changeSet - Change set to convert
+* @param labels - Labels to attach to each entry
+* @param getNamespace - Optional callback to extract namespace from an item
+* @returns Display entries in CLI print order
+*/
+function formatChangeSetEntries(changeSet, labels = [], getNamespace) {
+	function toEntry(action, item) {
+		return {
+			action,
+			symbol: ACTION_SYMBOLS[action],
+			name: item.name,
+			labels: [...labels],
+			namespace: getNamespace?.(item)
+		};
+	}
+	return [
+		...changeSet.creates.map((item) => toEntry("create", item)),
+		...changeSet.deletes.map((item) => toEntry("delete", item)),
+		...changeSet.updates.map((item) => toEntry("update", item)),
+		...changeSet.replaces.map((item) => toEntry("replace", item))
+	];
+}
+function formatGroupedDisplayLine(entry) {
+	return entry.labels.length > 0 ? `${entry.symbol} ${entry.name} (${entry.labels.join(", ")})` : `${entry.symbol} ${entry.name}`;
+}
+function parseFunctionRegistryName(name) {
+	if (name.startsWith("resolver--")) {
+		const [, namespace, resolverName] = name.split("--");
+		if (namespace && resolverName) return {
+			displayName: resolverName,
+			namespace
+		};
+	}
+	if (name.startsWith("workflow--")) return { displayName: name.slice(WORKFLOW_PREFIX.length) };
+	if (name.startsWith("executor--")) return { displayName: name.slice(EXECUTOR_PREFIX.length) };
+	if (name.startsWith("auth-hook--")) {
+		const [, namespace, hookPoint] = name.split("--");
+		if (namespace && hookPoint) return {
+			displayName: hookPoint,
+			namespace
+		};
+	}
+	return { displayName: name };
+}
+/**
+* Build function-registry-only entries that were not grouped with a parent resource.
+* @param names - Related function registry names keyed by action
+* @param consumed - Function registry names already grouped with parent resources
+* @returns Display entries for ungrouped function registry changes
+*/
+function buildRemainingFunctionRegistryEntries(names, consumed = createRelatedFunctionRegistryNameSets()) {
+	return [
+		[
+			"create",
+			names.creates,
+			consumed.creates
+		],
+		[
+			"delete",
+			names.deletes,
+			consumed.deletes
+		],
+		[
+			"update",
+			names.updates,
+			consumed.updates
+		],
+		[
+			"replace",
+			names.replaces,
+			consumed.replaces
+		]
+	].flatMap(([action, nameSet, consumedSet]) => [...nameSet].filter((name) => !consumedSet.has(name)).map((name) => {
+		const { displayName, namespace } = parseFunctionRegistryName(name);
+		return {
+			action,
+			symbol: ACTION_SYMBOLS[action],
+			name: displayName,
+			labels: ["function"],
+			namespace
+		};
+	}));
+}
+/**
+* Format change set entries with function registry grouping.
+*
+* For each item in creates/updates/deletes, calls `getFunctionRegistryNames` to
+* derive zero or more function registry names. When a matching function registry
+* change exists for the same action, the item is displayed with both the resource
+* label and "functionRegistry". Ungrouped function registry changes are appended.
+* @param resourceLabel - Label for the resource kind (e.g. "executor", "resolver")
+* @param changeSet - Resource change set with creates/updates/deletes/replaces
+* @param changeSet.creates - Created resources
+* @param changeSet.updates - Updated resources
+* @param changeSet.deletes - Deleted resources
+* @param changeSet.replaces - Replaced resources
+* @param functionRegistryChanges - Related function registry changes
+* @param getFunctionRegistryNames - Derives function registry names from a resource item
+* @param options - Optional display callbacks
+* @param options.getNamespace - Extract namespace from an item for nested display
+* @param options.getDisplayName - Override display name for an item
+* @returns Display entries for CLI output
+*/
+function formatChangeEntriesWithFunctionRegistry(resourceLabel, changeSet, functionRegistryChanges, getFunctionRegistryNames, options) {
+	const { getNamespace, getDisplayName } = options ?? {};
+	const functionNames = createRelatedFunctionRegistryNameSets(functionRegistryChanges);
+	const consumed = createRelatedFunctionRegistryNameSets();
+	function processItems(items, action, fnNameSet, consumedSet) {
+		return items.map((item) => {
+			const names = getFunctionRegistryNames(item, action);
+			const hasMatch = names.some((name) => fnNameSet.has(name));
+			if (hasMatch) {
+				for (const name of names) if (fnNameSet.has(name)) consumedSet.add(name);
+			}
+			return {
+				action,
+				symbol: ACTION_SYMBOLS[action],
+				name: getDisplayName?.(item) ?? item.name,
+				labels: hasMatch ? [resourceLabel, "function"] : [resourceLabel],
+				namespace: getNamespace?.(item)
+			};
+		});
+	}
+	return [
+		...processItems(changeSet.creates, "create", functionNames.creates, consumed.creates),
+		...processItems(changeSet.deletes, "delete", functionNames.deletes, consumed.deletes),
+		...processItems(changeSet.updates, "update", functionNames.updates, consumed.updates),
+		...changeSet.replaces.map((item) => ({
+			action: "replace",
+			symbol: ACTION_SYMBOLS["replace"],
+			name: getDisplayName?.(item) ?? item.name,
+			labels: [resourceLabel],
+			namespace: getNamespace?.(item)
+		})),
+		...buildRemainingFunctionRegistryEntries(functionNames, consumed)
+	];
+}
+/**
+* Extract service-level actions from a change set for namespace header display.
+* @param changeSet - Service change set
+* @returns Array of namespace actions
+*/
+function extractServiceActions(changeSet) {
+	return [
+		...changeSet.creates.map((item) => ({
+			name: item.name,
+			action: "create"
+		})),
+		...changeSet.deletes.map((item) => ({
+			name: item.name,
+			action: "delete"
+		})),
+		...changeSet.updates.map((item) => ({
+			name: item.name,
+			action: "update"
+		})),
+		...changeSet.replaces.map((item) => ({
+			name: item.name,
+			action: "replace"
+		}))
+	];
+}
+/**
+* Print a titled section of grouped display entries, nesting by namespace.
+* Service-level changes are shown as the namespace header symbol.
+* Services without child entries are shown as flat entries.
+* @param title - Section title
+* @param entries - Entries to print (should NOT include service entries)
+* @param serviceActions - Optional service-level actions to merge into namespace headers
+*/
+function printGroupedDisplaySection(title, entries, serviceActions) {
+	const serviceMap = /* @__PURE__ */ new Map();
+	if (serviceActions) for (const sa of serviceActions) serviceMap.set(sa.name, sa.action);
+	if (entries.length === 0 && serviceMap.size === 0) return;
+	logger.log(styles.bold(`${title}:`));
+	const namespaceOrder = [];
+	const byNamespace = /* @__PURE__ */ new Map();
+	for (const entry of entries) {
+		const ns = entry.namespace;
+		if (!byNamespace.has(ns)) {
+			namespaceOrder.push(ns);
+			byNamespace.set(ns, []);
+		}
+		byNamespace.get(ns).push(entry);
+	}
+	const printedServices = /* @__PURE__ */ new Set();
+	for (const ns of namespaceOrder) {
+		const group = byNamespace.get(ns);
+		if (ns) {
+			const svcAction = serviceMap.get(ns);
+			const prefix = svcAction ? `${ACTION_SYMBOLS[svcAction]} ` : "";
+			logger.log(`  ${prefix}${styles.bold(`${ns}:`)}`);
+			printedServices.add(ns);
+			for (const entry of group) logger.log(`    ${formatGroupedDisplayLine(entry)}`);
+		} else for (const entry of group) logger.log(`  ${formatGroupedDisplayLine(entry)}`);
+	}
+	for (const [name, action] of serviceMap) if (!printedServices.has(name)) logger.log(`  ${ACTION_SYMBOLS[action]} ${name}`);
+}
+
+//#endregion
+//#region src/parser/service/idp/permission.ts
+const operatorMap = {
+	"=": "eq",
+	"!=": "ne",
+	in: "in",
+	"not in": "nin"
+};
+function normalizeOperand(operand) {
+	if (typeof operand === "object" && !Array.isArray(operand) && "user" in operand) return { user: operand.user === "id" ? "_id" : operand.user };
+	return operand;
+}
+function normalizeConditions(conditions) {
+	return conditions.map((cond) => {
+		const [left, operator, right] = cond;
+		return [
+			normalizeOperand(left),
+			operatorMap[operator],
+			normalizeOperand(right)
+		];
+	});
+}
+function isObjectFormat(p) {
+	return typeof p === "object" && p !== null && "conditions" in p;
+}
+function isSingleArrayConditionFormat(cond) {
+	return cond.length >= 2 && typeof cond[1] === "string";
+}
+/**
+* Normalize a single IdP action permission into the standard format.
+* @param permission - Raw permission definition
+* @returns Normalized action permission
+*/
+function normalizeIdPActionPermission(permission) {
+	if (isObjectFormat(permission)) {
+		const conditions = permission.conditions;
+		return {
+			conditions: normalizeConditions(isSingleArrayConditionFormat(conditions) ? [conditions] : conditions),
+			permit: permission.permit ? "allow" : "deny",
+			description: permission.description
+		};
+	}
+	if (!Array.isArray(permission)) throw new Error("Invalid permission format");
+	if (isSingleArrayConditionFormat(permission)) {
+		const [op1, operator, op2, permit] = [...permission, true];
+		return {
+			conditions: normalizeConditions([[
+				op1,
+				operator,
+				op2
+			]]),
+			permit: permit ? "allow" : "deny"
+		};
+	}
+	const conditions = [];
+	const conditionArray = permission;
+	let conditionArrayPermit = true;
+	for (const item of conditionArray) {
+		if (typeof item === "boolean") {
+			conditionArrayPermit = item;
+			continue;
+		}
+		conditions.push(item);
+	}
+	return {
+		conditions: normalizeConditions(conditions),
+		permit: conditionArrayPermit ? "allow" : "deny"
+	};
+}
+/**
+* Normalize raw IdP permission into standard form.
+* @param permission - Raw IdP permission from user config
+* @returns Normalized IdP permission
+*/
+function normalizeIdPPermission(permission) {
+	return {
+		create: permission.create.map((p) => normalizeIdPActionPermission(p)),
+		read: permission.read.map((p) => normalizeIdPActionPermission(p)),
+		update: permission.update.map((p) => normalizeIdPActionPermission(p)),
+		delete: permission.delete.map((p) => normalizeIdPActionPermission(p)),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => normalizeIdPActionPermission(p))
+	};
+}
+/**
+* Parse raw IdP permission, returning undefined if not set.
+* @param rawPermission - Raw permission from parsed config
+* @returns Normalized permission or undefined
+*/
+function parseIdPPermission(rawPermission) {
+	if (!rawPermission) return;
+	return normalizeIdPPermission(rawPermission);
+}
+
 //#endregion
 //#region src/cli/commands/apply/idp.ts
 /**
@@ -1856,13 +2230,10 @@ async function planIdP(context) {
 	const { client, workspaceId, application, forRemoval, forceApplyAll = false } = context;
 	const idps = forRemoval ? [] : application.idpServices;
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps);
-	const clientChangeSet = await planClients(client, workspaceId, idps, serviceChangeSet.deletes.map((del) => del.name), forceApplyAll);
-	serviceChangeSet.print();
-	clientChangeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
-			client: clientChangeSet
+			client: await planClients(client, workspaceId, idps, serviceChangeSet.deletes.map((del) => del.name), forceApplyAll)
 		},
 		conflicts,
 		unmanaged,
@@ -1910,7 +2281,27 @@ function normalizeComparableIdPService(input) {
 		userAuthPolicy: input.userAuthPolicy,
 		publishUserEvents: input.publishUserEvents,
 		disableGqlOperations: input.disableGqlOperations,
-		emailConfig: input.emailConfig
+		emailConfig: input.emailConfig,
+		permission: input.permission
+	};
+}
+function normalizeComparablePermission(permission) {
+	if (!permission) return;
+	const normalizePolicy = (policy) => ({
+		conditions: policy.conditions.map((c) => ({
+			left: c.left ? { kind: c.left.kind } : void 0,
+			operator: c.operator,
+			right: c.right ? { kind: c.right.kind } : void 0
+		})),
+		permit: policy.permit,
+		description: policy.description
+	});
+	return {
+		create: permission.create.map(normalizePolicy),
+		read: permission.read.map(normalizePolicy),
+		update: permission.update.map(normalizePolicy),
+		delete: permission.delete.map(normalizePolicy),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map(normalizePolicy)
 	};
 }
 function areIdPServicesEqual(existing, desired) {
@@ -1920,7 +2311,8 @@ function areIdPServicesEqual(existing, desired) {
 		userAuthPolicy: normalizeComparableUserAuthPolicy(existing.userAuthPolicy),
 		publishUserEvents: existing.publishUserEvents,
 		disableGqlOperations: normalizeComparableDisableGqlOperations(existing.disableGqlOperations),
-		emailConfig: normalizeComparableEmailConfig(existing.emailConfig)
+		emailConfig: normalizeComparableEmailConfig(existing.emailConfig),
+		permission: normalizeComparablePermission(existing.permission)
 	}), desired);
 }
 async function planServices$3(client, workspaceId, appName, idps) {
@@ -1971,13 +2363,17 @@ async function planServices$3(client, workspaceId, appName, idps) {
 		const userAuthPolicy = idp.userAuthPolicy;
 		const publishUserEvents = idp.publishUserEvents ?? false;
 		const emailConfig = idp.emailConfig;
+		if (!idp.permission) logger.warn(`IdP service "${namespaceName}" has no permission configured.`);
+		const parsedPermission = parseIdPPermission(idp.permission);
+		const protoPermission = parsedPermission ? protoIdPPermission(parsedPermission) : void 0;
 		const desired = normalizeComparableIdPService({
 			authorization,
 			lang,
 			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicy),
 			publishUserEvents,
 			disableGqlOperations: normalizeComparableDisableGqlOperations(convertGqlOperationsToDisable(idp.gqlOperations)),
-			emailConfig: normalizeComparableEmailConfig(emailConfig)
+			emailConfig: normalizeComparableEmailConfig(emailConfig),
+			permission: protoPermission
 		});
 		const request = {
 			workspaceId,
@@ -1987,7 +2383,8 @@ async function planServices$3(client, workspaceId, appName, idps) {
 			userAuthPolicy,
 			publishUserEvents,
 			disableGqlOperations: convertGqlOperationsToDisable(idp.gqlOperations),
-			emailConfig
+			emailConfig,
+			permission: protoPermission
 		};
 		if (existing) {
 			const isManagedByApp = existing.label === appName;
@@ -2119,6 +2516,81 @@ function convertGqlOperationsToDisable(gqlOperations) {
 		sendPasswordResetEmail: gqlOperations.sendPasswordResetEmail === false
 	};
 }
+function protoIdPPermission(permission) {
+	return {
+		create: permission.create.map((p) => protoIdPPolicy(p)),
+		read: permission.read.map((p) => protoIdPPolicy(p)),
+		update: permission.update.map((p) => protoIdPPolicy(p)),
+		delete: permission.delete.map((p) => protoIdPPolicy(p)),
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => protoIdPPolicy(p))
+	};
+}
+function protoIdPPolicy(policy) {
+	let permit;
+	switch (policy.permit) {
+		case "allow":
+			permit = IdPPermissionPermit.ALLOW;
+			break;
+		case "deny":
+			permit = IdPPermissionPermit.DENY;
+			break;
+		default: throw new Error(`Unknown permission: ${policy.permit}`);
+	}
+	return {
+		conditions: policy.conditions.map((cond) => protoIdPCondition(cond)),
+		permit,
+		description: policy.description
+	};
+}
+function protoIdPCondition(condition) {
+	const [left, operator, right] = condition;
+	const l = protoIdPOperand(left);
+	const r = protoIdPOperand(right);
+	let op;
+	switch (operator) {
+		case "eq":
+			op = IdPPermissionOperator.EQ;
+			break;
+		case "ne":
+			op = IdPPermissionOperator.NE;
+			break;
+		case "in":
+			op = IdPPermissionOperator.IN;
+			break;
+		case "nin":
+			op = IdPPermissionOperator.NIN;
+			break;
+		default: throw new Error(`Unknown operator: ${operator}`);
+	}
+	return {
+		left: l,
+		operator: op,
+		right: r
+	};
+}
+function protoIdPOperand(operand) {
+	if (typeof operand === "object" && !Array.isArray(operand)) if ("user" in operand) return { kind: {
+		case: "userField",
+		value: operand.user
+	} };
+	else if ("idpUser" in operand) return { kind: {
+		case: "idpUserField",
+		value: operand.idpUser
+	} };
+	else if ("newIdpUser" in operand) return { kind: {
+		case: "newIdpUserField",
+		value: operand.newIdpUser
+	} };
+	else if ("oldIdpUser" in operand) return { kind: {
+		case: "oldIdpUserField",
+		value: operand.oldIdpUser
+	} };
+	else throw new Error(`Unknown operand: ${JSON.stringify(operand)}`);
+	return { kind: {
+		case: "value",
+		value: fromJson(ValueSchema, operand)
+	} };
+}
 
 //#endregion
 //#region src/cli/commands/apply/auth.ts
@@ -2202,16 +2674,6 @@ async function planAuth(context) {
 		planSCIMResources(client, workspaceId, auths, deletedServices),
 		planAuthConnections(client, workspaceId, application.name, auths)
 	]);
-	serviceChangeSet.print();
-	idpConfigChangeSet.print();
-	userProfileConfigChangeSet.print();
-	tenantConfigChangeSet.print();
-	machineUserChangeSet.print();
-	authHookChangeSet.print();
-	oauth2ClientChangeSet.print();
-	scimChangeSet.print();
-	scimResourceChangeSet.print();
-	connectionResult.changeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -2447,7 +2909,8 @@ function protoIdPConfig(idpConfig) {
 				case: "saml",
 				value: {
 					...idpConfig.metadataURL !== void 0 ? { metadataUrl: idpConfig.metadataURL } : { rawMetadata: idpConfig.rawMetadata },
-					enableSignRequest: idpConfig.enableSignRequest
+					enableSignRequest: idpConfig.enableSignRequest,
+					defaultRedirectUrl: idpConfig.defaultRedirectURL
 				}
 			} }
 		};
@@ -3176,6 +3639,21 @@ function areAuthHooksEqual(existing, desired) {
 		} : void 0
 	});
 }
+/**
+* Format auth hook changes for grouped dry-run display.
+* @param changeSet - Auth hook changes
+* @param functionRegistryAuthHookChanges - Related function registry changes for auth hooks
+* @returns Display entries for auth hook output
+*/
+function formatAuthHookChangeEntries(changeSet, functionRegistryAuthHookChanges) {
+	return formatChangeEntriesWithFunctionRegistry("authHook", changeSet, functionRegistryAuthHookChanges, (item) => {
+		const [namespace, hookPoint] = item.name.split("/");
+		return namespace && hookPoint ? [authHookFunctionName(namespace, hookPoint)] : [];
+	}, {
+		getNamespace: (item) => item.name.split("/")[0],
+		getDisplayName: (item) => item.name.split("/")[1] ?? item.name
+	});
+}
 async function planAuthHooks(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth hooks");
 	for (const auth of auths) {
@@ -3411,6 +3889,32 @@ function buildResolverOperationHookExpr(env) {
 	return `({ ...context.pipeline, input: context.args, user: ${tailorUserMap}, env: ${JSON.stringify(env)} });`;
 }
 
+//#endregion
+//#region src/cli/commands/apply/auth-invoker.ts
+/**
+* Normalize an authInvoker value to the object form required by the proto payload.
+*
+* Accepts either:
+* - `undefined` — returns undefined
+* - a plain string (machine user name) — expands to `{ namespace, machineUserName }` using `authNamespace`
+* - an object `{ namespace, machineUserName }` — returned as-is
+* @param authInvoker - String machine user name or object form
+* @param authNamespace - Auth service namespace (required when authInvoker is a string)
+* @param context - Contextual label used in error messages (e.g. `resolver "foo"`)
+* @returns Object form of auth invoker, or undefined
+*/
+function normalizeAuthInvoker(authInvoker, authNamespace, context) {
+	if (authInvoker === void 0) return void 0;
+	if (typeof authInvoker === "string") {
+		if (!authNamespace) throw new Error(`${context} uses a string authInvoker ("${authInvoker}"), but no Auth service is configured. Configure an Auth service or use the object form { namespace, machineUserName }.`);
+		return {
+			namespace: authNamespace,
+			machineUserName: authInvoker
+		};
+	}
+	return authInvoker;
+}
+
 //#endregion
 //#region src/cli/commands/apply/executor.ts
 /**
@@ -3512,7 +4016,6 @@ async function planExecutor(context) {
 			}
 		});
 	});
-	changeSet.print();
 	return {
 		changeSet,
 		conflicts,
@@ -3520,6 +4023,31 @@ async function planExecutor(context) {
 		resourceOwners
 	};
 }
+function isFunctionBackedExecutor(executor) {
+	return executor?.targetType === ExecutorTargetType.FUNCTION || executor?.targetType === ExecutorTargetType.JOB_FUNCTION;
+}
+/**
+* Build desired executor configs keyed by executor name from create/update changes.
+* @param changeSet - Executor create/update changes
+* @returns Executor configs keyed by name
+*/
+function buildPlannedExecutorsByName(changeSet) {
+	return Object.fromEntries([...changeSet.creates, ...changeSet.updates].map((item) => [item.name, item.request.executor]));
+}
+/**
+* Format executor changes for grouped dry-run display.
+* @param changeSet - Executor changes
+* @param executors - Desired executor configs keyed by name
+* @param functionRegistryExecutorChanges - Related function registry changes for executors
+* @returns Display entries for executor output
+*/
+function formatExecutorChangeEntries(changeSet, executors, functionRegistryExecutorChanges) {
+	return formatChangeEntriesWithFunctionRegistry("executor", changeSet, functionRegistryExecutorChanges, (item, action) => {
+		if (action === "delete") return [executorFunctionName(item.name)];
+		const executor = executors[item.name];
+		return executor && isFunctionBackedExecutor(executor) ? [executorFunctionName(item.name)] : [];
+	});
+}
 function normalizeComparableExecutor(executor) {
 	const normalized = normalizeProtoConfig(executor) ?? {};
 	const webhookHeaders = normalized.targetConfig?.config?.case === "webhook" ? [...normalized.targetConfig.config.value.headers ?? []].sort((left, right) => (left.key ?? "").localeCompare(right.key ?? "")) : void 0;
@@ -3667,6 +4195,8 @@ function protoExecutor(application, executor) {
 	const target = executor.operation;
 	let targetType;
 	let targetConfig;
+	const authNamespace = application.authService?.parsedConfig.name;
+	const invokerContext = `Executor "${executor.name}"`;
 	switch (target.kind) {
 		case "webhook":
 			targetType = ExecutorTargetType.WEBHOOK;
@@ -3704,7 +4234,7 @@ function protoExecutor(application, executor) {
 					appName: target.appName ?? appName,
 					query: target.query,
 					variables: target.variables ? { expr: `(${stringifyFunction(target.variables)})(${argsExpr})` } : void 0,
-					invoker: target.authInvoker ?? void 0
+					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -3718,7 +4248,7 @@ function protoExecutor(application, executor) {
 					name: "operation",
 					scriptRef: executorFunctionName(executor.name),
 					variables: { expr: argsExpr },
-					invoker: target.authInvoker ?? void 0
+					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -3729,7 +4259,7 @@ function protoExecutor(application, executor) {
 				value: {
 					workflowName: target.workflowName,
 					variables: target.args ? typeof target.args === "function" ? { expr: `(${stringifyFunction(target.args)})(${argsExpr})` } : { expr: JSON.stringify(target.args) } : void 0,
-					invoker: target.authInvoker ?? void 0
+					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -3821,9 +4351,7 @@ async function planPipeline(context) {
 	}
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, pipelines);
-	const resolverChangeSet = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, forceApplyAll);
-	serviceChangeSet.print();
-	resolverChangeSet.print();
+	const { changeSet: resolverChangeSet } = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, application.authService?.config.name, forceApplyAll);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -3915,7 +4443,7 @@ async function planServices$1(client, workspaceId, appName, pipelines) {
 		resourceOwners
 	};
 }
-async function planResolvers(client, workspaceId, pipelines, executors, deletedServices, env, forceApplyAll = false) {
+async function planResolvers(client, workspaceId, pipelines, executors, deletedServices, env, authNamespace, forceApplyAll = false) {
 	const changeSet = createChangeSet("Pipeline resolvers");
 	const fetchResolvers = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -3940,7 +4468,7 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 		const existingResolvers = await fetchResolvers(pipeline.namespace);
 		const existingResolversMap = new Map(existingResolvers.map((resolver) => [resolver.name, resolver]));
 		for (const resolver of Object.values(pipeline.resolvers)) {
-			const desiredResolver = processResolver(pipeline.namespace, resolver, executorUsedResolvers, env);
+			const desiredResolver = processResolver(pipeline.namespace, resolver, executorUsedResolvers, env, authNamespace);
 			if (existingResolversMap.get(resolver.name)) {
 				const { pipelineResolver: existingResolverDetail } = await client.getPipelineResolver({
 					workspaceId,
@@ -3987,7 +4515,19 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 			}
 		});
 	});
-	return changeSet;
+	return { changeSet };
+}
+/**
+* Format resolver changes for grouped dry-run display.
+* @param changeSet - Resolver changes
+* @param resolverFunctionChanges - Related function registry changes for resolvers
+* @returns Display entries for resolver output
+*/
+function formatResolverChangeEntries(changeSet, resolverFunctionChanges) {
+	return formatChangeEntriesWithFunctionRegistry("resolver", changeSet, resolverFunctionChanges, (item) => {
+		const namespace = item.request.namespaceName;
+		return namespace ? [resolverFunctionName(namespace, item.name)] : [];
+	}, { getNamespace: (item) => item.request.namespaceName });
 }
 function normalizeComparableResolver(resolver) {
 	const normalized = normalizeProtoConfig(resolver) ?? {};
@@ -4042,7 +4582,7 @@ function normalizeComparableType(type) {
 		fields: (type.fields ?? []).map((field) => normalizeComparableField(field))
 	};
 }
-function processResolver(namespace, resolver, executorUsedResolvers, env) {
+function processResolver(namespace, resolver, executorUsedResolvers, env, authNamespace) {
 	const pipelines = [{
 		name: "body",
 		operationName: "body",
@@ -4051,7 +4591,7 @@ function processResolver(namespace, resolver, executorUsedResolvers, env) {
 		operationSourceRef: resolverFunctionName(namespace, resolver.name),
 		operationHook: { expr: buildResolverOperationHookExpr(env) },
 		postScript: `args.body`,
-		invoker: resolver.authInvoker
+		invoker: normalizeAuthInvoker(resolver.authInvoker, authNamespace, `Resolver "${resolver.name}"`)
 	}];
 	const typeBaseName = inflection.camelize(resolver.name);
 	const inputs = resolver.input ? protoFields(resolver.input, `${typeBaseName}Input`, true) : [];
@@ -4145,6 +4685,7 @@ async function planSecretManager(context) {
 		};
 	}));
 	const state = loadSecretsState();
+	const skippedSecrets = [];
 	await Promise.all(secretVaults.map(async (vault) => {
 		const vaultName = vault.vaultName;
 		const existing = existingVaults[vaultName];
@@ -4185,24 +4726,31 @@ async function planSecretManager(context) {
 			}
 		})).map((s) => s.name);
 		const existingSet = new Set(existingSecrets);
-		for (const secret of vault.secrets) if (existingSet.has(secret.name)) {
-			const currentHash = hashValue(secret.value);
-			const storedHash = state.vaults[vaultName]?.[secret.name];
-			if (forceApplyAll || currentHash !== storedHash) secretChangeSet.updates.push({
+		for (const secret of vault.secrets) {
+			if (secret.value == null) {
+				existingSet.delete(secret.name);
+				skippedSecrets.push(`${vaultName}/${secret.name}`);
+				continue;
+			}
+			if (existingSet.has(secret.name)) {
+				const currentHash = hashValue(secret.value);
+				const storedHash = state.vaults[vaultName]?.[secret.name];
+				if (forceApplyAll || currentHash !== storedHash) secretChangeSet.updates.push({
+					name: `${vaultName}/${secret.name}`,
+					secretName: secret.name,
+					workspaceId,
+					vaultName,
+					value: secret.value
+				});
+				existingSet.delete(secret.name);
+			} else secretChangeSet.creates.push({
 				name: `${vaultName}/${secret.name}`,
 				secretName: secret.name,
 				workspaceId,
 				vaultName,
 				value: secret.value
 			});
-			existingSet.delete(secret.name);
-		} else secretChangeSet.creates.push({
-			name: `${vaultName}/${secret.name}`,
-			secretName: secret.name,
-			workspaceId,
-			vaultName,
-			value: secret.value
-		});
+		}
 		for (const orphanName of existingSet) secretChangeSet.deletes.push({
 			name: `${vaultName}/${orphanName}`,
 			secretName: orphanName,
@@ -4241,11 +4789,10 @@ async function planSecretManager(context) {
 			});
 		}
 	}
-	vaultChangeSet.print();
-	secretChangeSet.print();
 	return {
 		vaultChangeSet,
 		secretChangeSet,
+		skippedSecrets,
 		conflicts,
 		unmanaged,
 		resourceOwners
@@ -4295,7 +4842,7 @@ async function applySecretManager(client, result, phase = "create-update", appli
 			const state = loadSecretsState();
 			for (const vault of application.secrets) {
 				if (!state.vaults[vault.vaultName]) state.vaults[vault.vaultName] = {};
-				for (const secret of vault.secrets) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
+				for (const secret of vault.secrets) if (secret.value != null) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
 			}
 			saveSecretsState(state);
 		}
@@ -4442,7 +4989,6 @@ async function planStaticWebsite(context) {
 			}
 		});
 	});
-	changeSet.print();
 	return {
 		changeSet,
 		conflicts,
@@ -6563,9 +7109,6 @@ async function planTailorDB(context) {
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, tailordbs);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const [typeChangeSet, gqlPermissionChangeSet] = await Promise.all([planTypes(client, workspaceId, tailordbs, executors, deletedServices, void 0, forceApplyAll), planGqlPermissions(client, workspaceId, tailordbs, deletedServices, forceApplyAll)]);
-	serviceChangeSet.print();
-	typeChangeSet.print();
-	gqlPermissionChangeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -6583,6 +7126,42 @@ async function planTailorDB(context) {
 		}
 	};
 }
+function itemKey(item) {
+	return `${item.request?.namespaceName ?? ""}/${item.name}`;
+}
+function collectTailorDBDisplayEntries(action, typeItems, gqlPermissionItems) {
+	const typeKeys = new Set(typeItems.map(itemKey));
+	const gqlPermissionKeys = new Set(gqlPermissionItems.map(itemKey));
+	const typeEntries = typeItems.map((item) => ({
+		action,
+		symbol: ACTION_SYMBOLS[action],
+		name: item.name,
+		labels: gqlPermissionKeys.has(itemKey(item)) ? ["type", "gqlPermission"] : ["type"],
+		namespace: item.request?.namespaceName
+	}));
+	const gqlPermissionOnlyEntries = gqlPermissionItems.filter((item) => !typeKeys.has(itemKey(item))).map((item) => ({
+		action,
+		symbol: ACTION_SYMBOLS[action],
+		name: item.name,
+		labels: ["gqlPermission"],
+		namespace: item.request?.namespaceName
+	}));
+	return [...typeEntries, ...gqlPermissionOnlyEntries];
+}
+/**
+* Format TailorDB type and gqlPermission changes as grouped dry-run entries.
+* @param typeChangeSet - TailorDB type changes
+* @param gqlPermissionChangeSet - TailorDB gqlPermission changes
+* @returns Display entries for TailorDB resource output
+*/
+function formatTailorDBResourceChangeEntries(typeChangeSet, gqlPermissionChangeSet) {
+	return [
+		...collectTailorDBDisplayEntries("create", typeChangeSet.creates, gqlPermissionChangeSet.creates),
+		...collectTailorDBDisplayEntries("delete", typeChangeSet.deletes, gqlPermissionChangeSet.deletes),
+		...collectTailorDBDisplayEntries("update", typeChangeSet.updates, gqlPermissionChangeSet.updates),
+		...collectTailorDBDisplayEntries("replace", typeChangeSet.replaces, gqlPermissionChangeSet.replaces)
+	];
+}
 function trn(workspaceId, name) {
 	return `${trnPrefix(workspaceId)}:tailordb:${name}`;
 }
@@ -7480,15 +8059,16 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 		});
 	}
 	Object.values(existingWorkflows).forEach((existing) => {
-		const label = existing?.label;
+		if (!existing) return;
+		const label = existing.label;
 		if (label && label !== appName) resourceOwners.add(label);
 		if (label === appName) changeSet.deletes.push({
 			name: existing.resource.name,
 			workspaceId,
-			workflowId: existing.resource.id
+			workflowId: existing.resource.id,
+			usedJobNames: getExistingWorkflowJobNames(existing.resource)
 		});
 	});
-	changeSet.print();
 	return {
 		changeSet,
 		conflicts,
@@ -7498,6 +8078,15 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 		unchangedWorkflowJobNames
 	};
 }
+/**
+* Format workflow changes for grouped dry-run display.
+* @param changeSet - Workflow changes
+* @param workflowJobFunctionChanges - Related function registry changes for workflow jobs
+* @returns Display entries for workflow output
+*/
+function formatWorkflowChangeEntries(changeSet, workflowJobFunctionChanges) {
+	return formatChangeEntriesWithFunctionRegistry("workflow", changeSet, workflowJobFunctionChanges, (item) => "usedJobNames" in item ? item.usedJobNames.map((jobName) => workflowJobFunctionName(jobName)) : []);
+}
 function canTreatWorkflowAsUnchanged(existing, workflow, usedJobNames, unchangedJobFunctions) {
 	if (!usedJobNames.every((jobName) => unchangedJobFunctions.has(jobName))) return false;
 	return areWorkflowsEqual(existing, workflow, usedJobNames);
@@ -7532,6 +8121,11 @@ function normalizeComparableWorkflowRetryPolicy(policy) {
 function normalizeComparableWorkflowJobNames(jobFunctions) {
 	return Array.isArray(jobFunctions) ? [...jobFunctions].sort() : Object.keys(jobFunctions ?? {}).sort();
 }
+function getExistingWorkflowJobNames(existing) {
+	const jobNames = new Set(Object.keys(existing.jobFunctions ?? {}));
+	if (existing.mainJobFunctionName) jobNames.add(existing.mainJobFunctionName);
+	return [...jobNames].sort();
+}
 function normalizeRetryPolicyForCompare(policy) {
 	return {
 		maxRetries: policy.maxRetries,
@@ -7618,34 +8212,95 @@ async function shouldForceApplyAll(client, workspaceId, application, functionEnt
 	}
 	return false;
 }
-function printPlanSummary(results) {
-	const summary = summarizeChangeSets([
-		results.functionRegistry.changeSet,
-		results.tailorDB.changeSet.service,
-		results.tailorDB.changeSet.type,
-		results.tailorDB.changeSet.gqlPermission,
+function printPlanResults(results) {
+	const executorEntries = formatExecutorChangeEntries(results.executor.changeSet, buildPlannedExecutorsByName(results.executor.changeSet), results.functionRegistry.executorFunctionChanges);
+	const resolverEntries = formatResolverChangeEntries(results.pipeline.changeSet.resolver, results.functionRegistry.resolverFunctionChanges);
+	const workflowEntries = formatWorkflowChangeEntries(results.workflow.changeSet, results.functionRegistry.workflowJobChanges);
+	const authHookEntries = formatAuthHookChangeEntries(results.auth.changeSet.authHook, results.functionRegistry.authHookFunctionChanges);
+	const tailorDBEntries = [...formatTailorDBResourceChangeEntries(results.tailorDB.changeSet.type, results.tailorDB.changeSet.gqlPermission)];
+	const pipelineEntries = [...resolverEntries];
+	const namespaceOf = (item) => {
+		if ("request" in item && item.request && typeof item.request === "object" && "namespaceName" in item.request) return item.request.namespaceName;
+		if ("namespaceName" in item) return item.namespaceName;
+	};
+	const authNamespaceOf = (item) => "request" in item && item.request && typeof item.request === "object" && "authNamespace" in item.request ? item.request.authNamespace : void 0;
+	const idpEntries = [...formatChangeSetEntries(results.idp.changeSet.client, ["client"], namespaceOf)];
+	const authEntries = [
+		...formatChangeSetEntries(results.auth.changeSet.idpConfig, ["idpConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.userProfileConfig, ["userProfileConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.tenantConfig, ["tenantConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.machineUser, ["machineUser"], authNamespaceOf),
+		...authHookEntries,
+		...formatChangeSetEntries(results.auth.changeSet.oauth2Client, ["oauth2Client"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.scim, ["scimConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.scimResource, ["scimResource"], namespaceOf),
+		...results.auth.changeSet.connection ? formatChangeSetEntries(results.auth.changeSet.connection, ["connection"], namespaceOf) : []
+	];
+	const { otherChanges: otherFunctionRegistryChanges } = splitFunctionRegistryChanges(results.functionRegistry.changeSet);
+	printGroupedDisplaySection(results.functionRegistry.changeSet.title, formatChangeSetEntries(otherFunctionRegistryChanges));
+	const tailorDBServiceActions = extractServiceActions(results.tailorDB.changeSet.service);
+	const pipelineServiceActions = extractServiceActions(results.pipeline.changeSet.service);
+	const idpServiceActions = extractServiceActions(results.idp.changeSet.service);
+	const authServiceActions = extractServiceActions(results.auth.changeSet.service);
+	results.staticWebsite.changeSet.print();
+	results.app.print();
+	printGroupedDisplaySection("TailorDB", tailorDBEntries, tailorDBServiceActions);
+	printGroupedDisplaySection("Resolver", pipelineEntries, pipelineServiceActions);
+	printGroupedDisplaySection("Executor", executorEntries);
+	printGroupedDisplaySection("Workflow", workflowEntries);
+	printGroupedDisplaySection("IdP", idpEntries, idpServiceActions);
+	printGroupedDisplaySection("Auth", authEntries, authServiceActions);
+	results.secretManager.vaultChangeSet.print();
+	results.secretManager.secretChangeSet.print();
+	if (results.secretManager.skippedSecrets.length > 0) {
+		logger.log(styles.bold("Secret Manager secrets (skipped - no value provided):"));
+		for (const name of results.secretManager.skippedSecrets) logger.log(`  ${styles.dim("○")} ${name}`);
+	}
+	const summary = summarizePlanResults(results, [
+		...tailorDBEntries,
+		...pipelineEntries,
+		...executorEntries,
+		...workflowEntries,
+		...idpEntries,
+		...authEntries
+	], [
+		...tailorDBServiceActions,
+		...pipelineServiceActions,
+		...idpServiceActions,
+		...authServiceActions
+	]);
+	logger.log(formatPlanSummary(summary));
+}
+/**
+* Summarize plan counts from display entries, service actions, and non-grouped changesets.
+* @param results - Planned apply results
+* @param displayEntries - All grouped display entries across sections
+* @param serviceActions - All service-level namespace actions
+* @returns Aggregated plan summary
+*/
+function summarizePlanResults(results, displayEntries, serviceActions) {
+	const summary = {
+		create: 0,
+		update: 0,
+		delete: 0,
+		replace: 0,
+		unchanged: 0
+	};
+	for (const entry of displayEntries) summary[entry.action] += 1;
+	for (const sa of serviceActions) summary[sa.action] += 1;
+	const { otherChanges } = splitFunctionRegistryChanges(results.functionRegistry.changeSet);
+	const nonGrouped = summarizeChangeSets([
+		otherChanges,
 		results.staticWebsite.changeSet,
-		results.idp.changeSet.service,
-		results.idp.changeSet.client,
-		results.auth.changeSet.service,
-		results.auth.changeSet.idpConfig,
-		results.auth.changeSet.userProfileConfig,
-		results.auth.changeSet.tenantConfig,
-		results.auth.changeSet.machineUser,
-		results.auth.changeSet.oauth2Client,
-		results.auth.changeSet.authHook,
-		results.auth.changeSet.scim,
-		results.auth.changeSet.scimResource,
-		...results.auth.changeSet.connection ? [results.auth.changeSet.connection] : [],
-		results.pipeline.changeSet.service,
-		results.pipeline.changeSet.resolver,
 		results.app,
-		results.executor.changeSet,
-		results.workflow.changeSet,
 		results.secretManager.vaultChangeSet,
 		results.secretManager.secretChangeSet
 	]);
-	logger.log(formatPlanSummary(summary));
+	summary.create += nonGrouped.create;
+	summary.update += nonGrouped.update;
+	summary.delete += nonGrouped.delete;
+	summary.replace += nonGrouped.replace;
+	return summary;
 }
 /**
 * Apply the configured application to the Tailor platform.
@@ -7735,7 +8390,7 @@ async function apply(options) {
 				forceApplyAll
 			};
 			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, functionEntries));
-			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.map((entry) => entry.name).filter((name) => name.startsWith("workflow--")).map((name) => name.slice(10)));
+			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.filter((entry) => entry.name.startsWith(WORKFLOW_PREFIX)).map((entry) => entry.name.slice(WORKFLOW_PREFIX.length)));
 			const [tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
 				withSpan("plan.staticWebsite", () => planStaticWebsite(ctx)),
@@ -7830,7 +8485,7 @@ async function apply(options) {
 				}
 			});
 		});
-		printPlanSummary({
+		printPlanResults({
 			functionRegistry,
 			tailorDB,
 			staticWebsite,
@@ -11228,6 +11883,30 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	const workflow = await planWorkflow(client, workspaceId, application.name, {}, {});
 	const functionRegistry = await planFunctionRegistry(client, workspaceId, application.name, []);
 	const secretManager = await planSecretManager(ctx);
+	functionRegistry.changeSet.print();
+	staticWebsite.changeSet.print();
+	app.print();
+	tailorDB.changeSet.service.print();
+	tailorDB.changeSet.type.print();
+	tailorDB.changeSet.gqlPermission.print();
+	pipeline.changeSet.service.print();
+	pipeline.changeSet.resolver.print();
+	executor.changeSet.print();
+	workflow.changeSet.print();
+	idp.changeSet.service.print();
+	idp.changeSet.client.print();
+	auth.changeSet.service.print();
+	auth.changeSet.idpConfig.print();
+	auth.changeSet.userProfileConfig.print();
+	auth.changeSet.tenantConfig.print();
+	auth.changeSet.machineUser.print();
+	auth.changeSet.oauth2Client.print();
+	auth.changeSet.authHook.print();
+	auth.changeSet.scim.print();
+	auth.changeSet.scimResource.print();
+	auth.changeSet.connection?.print();
+	secretManager.vaultChangeSet.print();
+	secretManager.secretChangeSet.print();
 	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
 	if (confirm) await confirm();
 	await applyWorkflow(client, workflow, "delete");
@@ -11925,7 +12604,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-mGasp_EX.mjs");
+	const { defineApplication } = await import("./application-ILhZq_oW.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -14128,4 +14807,4 @@ function isDeno() {
 
 //#endregion
 export { getFolder as $, getNextMigrationNumber as $t, listWorkflows as A, functionExecutionStatusToString as At, updateCommand$1 as B, DB_TYPES_FILE_NAME as Bt, listApps as C, startCommand as Ct, resumeCommand as D, executionsCommand as Dt, healthCommand as E, getWorkflow as Et, show as F, executeScript as Ft, listOrganizations as G, compareLocalTypesWithSnapshot as Gt, organizationTree as H, INITIAL_SCHEMA_NUMBER as Ht, showCommand as I, waitForExecution$1 as It, updateCommand$2 as J, formatMigrationNumber as Jt, getCommand$1 as K, compareSnapshots as Kt, logBetaWarning as L, MIGRATION_LABEL_KEY as Lt, truncateCommand as M, getCommand$5 as Mt, generate as N, getExecutor as Nt, resumeWorkflow as O, getWorkflowExecution as Ot, generateCommand as P, apply as Pt, getCommand$2 as Q, getMigrationFiles as Qt, remove as R, parseMigrationLabelNumber as Rt, createWorkspace as S, watchExecutorJob as St, getAppHealth as T, getCommand$4 as Tt, treeCommand as U, MIGRATE_FILE_NAME as Ut, updateOrganization as V, DIFF_FILE_NAME as Vt, listCommand$4 as W, SCHEMA_FILE_NAME as Wt, listCommand$5 as X, getMigrationDirPath as Xt, updateFolder as Y, getLatestMigrationNumber as Yt, listFolders as Z, getMigrationFilePath as Zt, getCommand as _, isVerbose as _n, listCommand$8 as _t, updateCommand as a, hasChanges as an, listOAuth2Clients as at, deleteWorkspace as b, jobsCommand as bt, removeUser as c, sdkNameLabelKey as cn, getMachineUserToken as ct, inviteCommand as d, apiCall as dn, listMachineUsers as dt, isValidMigrationNumber as en, deleteCommand$1 as et, inviteUser as f, apiCommand as fn, generate$1 as ft, listWorkspaces as g, deploymentArgs as gn, triggerExecutor as gt, listCommand$1 as h, confirmationArgs as hn, triggerCommand as ht, isCLIError as i, formatMigrationDiff as in, listCommand$6 as it, truncate as j, formatKeyValueTable as jt, listCommand$3 as k, listWorkflowExecutions as kt, listCommand as l, trnPrefix as ln, tokenCommand as lt, restoreWorkspace as m, commonArgs as mn, webhookCommand as mt, query as n, reconstructSnapshotFromMigrations as nn, createCommand$1 as nt, updateUser as o, getNamespacesWithMigrations as on, getCommand$3 as ot, restoreCommand as p, defineAppCommand as pn, listWebhookExecutors as pt, getOrganization as q, createSnapshotFromLocalTypes as qt, queryCommand as r, formatDiffSummary as rn, createFolder as rt, removeCommand as s, prompt as sn, getOAuth2Client as st, isNativeTypeScriptRuntime as t, loadDiff as tn, deleteFolder as tt, listUsers as u, generateUserTypes as un, listCommand$7 as ut, getWorkspace as v, workspaceArgs as vn, listExecutors as vt, listCommand$2 as w, startWorkflow as wt, createCommand as x, listExecutorJobs as xt, deleteCommand as y, getExecutorJob as yt, removeCommand$1 as z, bundleMigrationScript as zt };
-//# sourceMappingURL=runtime-D4O-RfcH.mjs.map
+//# sourceMappingURL=runtime-D9ejnCm6.mjs.map