@tailor-platform/sdk 1.35.2 → 1.37.0

package/dist/{workflow.generated-DMt8PNVd.d.mts → workflow.generated-Bj_DVqGh.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { Pt as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-D8hKE6rZ.mjs";
+import { Nt as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-D6P4g_2L.mjs";
 
 //#region src/types/idp.generated.d.ts
 /**
@@ -59,6 +59,193 @@ type IdPInput = {
   emailConfig?: {
     fromName?: string | undefined;
     passwordResetSubject?: string | undefined;
+  } | undefined; /** Per-operation permission policies for IdP users */
+  permission?: {
+    create: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    read: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    update: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    delete: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
+    sendPasswordResetEmail: readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[] | readonly (boolean | readonly (string | boolean | readonly string[] | readonly boolean[] | {
+      user: string;
+    } | {
+      idpUser: "name" | "id" | "disabled";
+    } | {
+      oldIdpUser: "name" | "id" | "disabled";
+    } | {
+      newIdpUser: "name" | "id" | "disabled";
+    })[])[] | {
+      conditions: readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[] | readonly (readonly (string | boolean | readonly string[] | readonly boolean[] | {
+        user: string;
+      } | {
+        idpUser: "name" | "id" | "disabled";
+      } | {
+        oldIdpUser: "name" | "id" | "disabled";
+      } | {
+        newIdpUser: "name" | "id" | "disabled";
+      })[])[];
+      description?: string | undefined;
+      permit?: boolean | undefined;
+    })[];
   } | undefined;
 };
 //#endregion
@@ -77,6 +264,7 @@ type IdPExternalConfig = {
 };
 type IdPOwnConfig = Omit<DefinedIdp<string, IdPInput, string>, "provider">;
 type IdPConfig = IdPOwnConfig | IdPExternalConfig;
+type IdPUserField = "id" | "name" | "disabled";
 //#endregion
 //#region src/configure/services/secrets/index.d.ts
 declare const secretsDefinitionBrand: unique symbol;
@@ -84,8 +272,15 @@ type SecretsDefinitionBrand = {
   readonly [secretsDefinitionBrand]: true;
 };
 type SecretsVaultInput = Record<string, string>;
+type SecretsVaultInputNullish = Record<string, string | undefined | null>;
 type SecretsInput = Record<string, SecretsVaultInput>;
-type DefinedSecrets<T extends SecretsInput> = {
+type SecretsInputNullish = Record<string, SecretsVaultInputNullish>;
+type SecretsOptions = {
+  readonly ignoreNullishValues: boolean;
+};
+type DefinedSecrets<T extends SecretsInputNullish> = {
+  readonly vaults: T;
+  readonly options: SecretsOptions;
   get<V extends Extract<keyof T, string>, S extends Extract<keyof T[V], string>>(vault: V, secret: S): Promise<string | undefined>;
   getAll<V extends Extract<keyof T, string>, S extends Extract<keyof T[V], string>>(vault: V, secrets: readonly S[]): Promise<(string | undefined)[]>;
 } & SecretsDefinitionBrand;
@@ -98,6 +293,19 @@ type SecretsConfig = Omit<ReturnType<typeof defineSecretManager>, "get" | "getAl
  * @returns Defined secrets with typed runtime access methods
  */
 declare function defineSecretManager<const T extends SecretsInput>(config: T): DefinedSecrets<T>;
+/**
+ * Define secrets configuration for the Tailor SDK with ignoreNullishValues option.
+ * When `ignoreNullishValues` is true, secrets with nullish values are skipped during deploy
+ * instead of causing an error. This is useful for CI environments where not all
+ * secret values are available.
+ * @param config - Secrets configuration mapping vault names to their secrets
+ * @param options - Options for secret management behavior
+ * @param options.ignoreNullishValues - When true, secrets with nullish values are skipped during deploy
+ * @returns Defined secrets with typed runtime access methods
+ */
+declare function defineSecretManager<const T extends SecretsInputNullish>(config: T, options: {
+  ignoreNullishValues: true;
+}): DefinedSecrets<T>;
 //#endregion
 //#region src/types/staticwebsite.generated.d.ts
 type StaticWebsite = {
@@ -202,5 +410,5 @@ type RetryPolicy = {
   backoffMultiplier: number;
 };
 //#endregion
-export { IdPEmailConfig as _, ResolverExternalConfig as a, IdPInput as b, WorkflowServiceConfig as c, defineStaticWebSite as d, SecretsConfig as f, IdpDefinitionBrand as g, IdPExternalConfig as h, ExecutorServiceInput as i, WorkflowServiceInput as l, IdPConfig as m, AppConfig as n, ResolverServiceConfig as o, defineSecretManager as p, ExecutorServiceConfig as r, ResolverServiceInput as s, RetryPolicy as t, StaticWebsiteConfig as u, IdPGqlOperations as v, IdPGqlOperationsInput as y };
-//# sourceMappingURL=workflow.generated-DMt8PNVd.d.mts.map
+export { IdpDefinitionBrand as _, ResolverExternalConfig as a, IdPGqlOperationsInput as b, WorkflowServiceConfig as c, defineStaticWebSite as d, SecretsConfig as f, IdPUserField as g, IdPExternalConfig as h, ExecutorServiceInput as i, WorkflowServiceInput as l, IdPConfig as m, AppConfig as n, ResolverServiceConfig as o, defineSecretManager as p, ExecutorServiceConfig as r, ResolverServiceInput as s, RetryPolicy as t, StaticWebsiteConfig as u, IdPEmailConfig as v, IdPInput as x, IdPGqlOperations as y };
+//# sourceMappingURL=workflow.generated-Bj_DVqGh.d.mts.map

package/docs/services/auth.md

@@ -256,9 +256,9 @@ Get a machine user token using the CLI:
 tailor-sdk machineuser token <name>
 ```
 
-### Using auth.invoker()
+### Specifying a machine user invoker
 
-The `auth.invoker()` method creates a type-safe reference to a machine user for use in workflow triggers. This specifies which machine user's permissions should be used when executing the workflow.
+Resolvers, executors, and `workflow.trigger()` accept an `authInvoker` option that chooses which machine user runs the operation. Pass the machine user name as a plain string — it is type-narrowed to the names you registered in `machineUsers`.
 
 ```typescript
 // tailor.config.ts
@@ -275,7 +275,6 @@ export const auth = defineAuth("my-auth", {
 ```typescript
 // resolvers/trigger-workflow.ts
 import { createResolver, t } from "@tailor-platform/sdk";
-import { auth } from "../tailor.config";
 import myWorkflow from "../workflows/my-workflow";
 
 export default createResolver({
@@ -288,7 +287,7 @@ export default createResolver({
     // Trigger workflow with machine user permissions
     const workflowRunId = await myWorkflow.trigger(
       { id: input.id },
-      { authInvoker: auth.invoker("admin-machine-user") },
+      { authInvoker: "admin-machine-user" },
     );
     return { workflowRunId };
   },
@@ -298,7 +297,9 @@ export default createResolver({
 });
 ```
 
-The `invoker()` method is type-safe and only accepts machine user names defined in the auth configuration.
+Type narrowing is provided by the generated `tailor.d.ts` (the `MachineUserNameRegistry` interface). Run `tailor-sdk generate` (or `apply`) after defining new machine users to refresh it.
+
+> **Deprecated:** The `auth.invoker("<name>")` helper is still available for backward compatibility. Prefer the string form — it does not require importing `auth` from `tailor.config.ts` into runtime files, avoiding bundling config-layer (Node-only) dependencies.
 
 ## OAuth 2.0 Clients
 

package/docs/services/executor.md

@@ -294,19 +294,10 @@ createExecutor({
 
 ### Authentication for Operations
 
-GraphQL and Workflow operations can specify an `authInvoker` to execute with machine user credentials:
+GraphQL and Workflow operations can specify an `authInvoker` to execute with machine user credentials. Pass the machine user name as a plain string — it is type-narrowed to the names defined in your auth config:
 
 ```typescript
-import { defineAuth, createExecutor, scheduleTrigger } from "@tailor-platform/sdk";
-
-const auth = defineAuth("my-auth", {
-  // ... auth configuration
-  machineUsers: {
-    "batch-processor": {
-      attributes: { role: "ADMIN" },
-    },
-  },
-});
+import { createExecutor, scheduleTrigger } from "@tailor-platform/sdk";
 
 export default createExecutor({
   name: "scheduled-cleanup",
@@ -314,11 +305,13 @@ export default createExecutor({
   operation: {
     kind: "graphql",
     query: `mutation { cleanupOldRecords { count } }`,
-    authInvoker: auth.invoker("batch-processor"),
+    authInvoker: "batch-processor",
   },
 });
 ```
 
+> **Deprecated:** `auth.invoker("batch-processor")` still works, but is deprecated. Prefer the string form to avoid importing config-layer modules into runtime files.
+
 ## Event Payloads
 
 Each trigger type provides specific context data in the callback functions.

package/docs/services/idp.md

@@ -99,6 +99,56 @@ defineIdp("my-idp", {
 
 **Validation:** Each field must be 200 characters or less and must not contain newline characters.
 
+### permission
+
+Per-operation permission policies for IdP user management. Controls who can create, read, update, delete users, and send password reset emails.
+
+```typescript
+defineIdp("my-idp", {
+  authorization: "loggedIn",
+  clients: ["my-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    update: [
+      { conditions: [[{ newIdpUser: "name" }, "!=", { oldIdpUser: "name" }]], permit: true },
+    ],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: true }],
+  },
+});
+```
+
+**Operations:**
+
+- `create` - Controls who can create IdP users
+- `read` - Controls who can read IdP users
+- `update` - Controls who can update IdP users
+- `delete` - Controls who can delete IdP users
+- `sendPasswordResetEmail` - Controls who can send password reset emails
+
+**Operands:**
+
+- `{ user: "field" }` - Authenticated user's attribute
+- `{ idpUser: "field" }` - IdP user field (for create/read/delete). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ oldIdpUser: "field" }` - Previous IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ newIdpUser: "field" }` - New IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- Literal values: `string`, `boolean`, `string[]`, `boolean[]`
+
+**Operators:** `"="`, `"!="`, `"in"`, `"not in"`
+
+**Helper:** `unsafeAllowAllIdPPermission` grants full access without conditions. Intended only for development and testing.
+
+```typescript
+import { unsafeAllowAllIdPPermission } from "@tailor-platform/sdk";
+
+defineIdp("my-idp", {
+  authorization: "loggedIn",
+  clients: ["my-client"],
+  permission: unsafeAllowAllIdPPermission,
+});
+```
+
 ## Using idp.provider()
 
 The `idp.provider()` method creates a type-safe reference to the IdP for use in Auth configuration. The client name is validated at compile time against the clients defined in the IdP.

package/docs/services/resolver.md

@@ -350,19 +350,10 @@ createResolver({
 
 ## Authentication
 
-Specify an `authInvoker` to execute the resolver with machine user credentials:
+Specify an `authInvoker` to execute the resolver with machine user credentials. Pass the machine user name as a plain string — it is type-narrowed to the names you defined in your auth config:
 
 ```typescript
-import { defineAuth, createResolver, t } from "@tailor-platform/sdk";
-
-const auth = defineAuth("my-auth", {
-  // ... auth configuration
-  machineUsers: {
-    "batch-processor": {
-      attributes: { role: "ADMIN" },
-    },
-  },
-});
+import { createResolver, t } from "@tailor-platform/sdk";
 
 export default createResolver({
   name: "adminQuery",
@@ -372,10 +363,12 @@ export default createResolver({
     // Executes as "batch-processor" machine user
     return { result: "ok" };
   },
-  authInvoker: auth.invoker("batch-processor"),
+  authInvoker: "batch-processor",
 });
 ```
 
-The `authInvoker` option accepts the return value of `auth.invoker()`, which specifies the auth namespace and machine user name.
+The machine user name is looked up in the auth service configured on your app (`machineUsers` in `defineAuth`). The namespace is resolved automatically — no need to import `auth` from `tailor.config.ts` in resolver files.
+
+> **Deprecated:** `auth.invoker("batch-processor")` still works, but is deprecated. Importing `auth` into runtime files pulls config-layer (Node-only) dependencies into the bundle.
 
 **Note:** `authInvoker` controls the permissions for database operations and other platform actions, but the `user` object passed to the `body` function still reflects the original caller who invoked the resolver.

package/docs/services/secret.md

@@ -64,6 +64,31 @@ export default defineConfig({
 
 The exported `secrets` object provides type-safe `get()` and `getAll()` methods for runtime access from resolvers, executors, and workflows.
 
+### Skipping Secrets with Missing Values
+
+In CI environments, you may not have all secret values available (e.g., secrets are already set on the platform and you don't want to duplicate them in CI environment variables). Use the `ignoreNullishValues` option to skip secrets whose values are `undefined` or `null`:
+
+```typescript
+export const secrets = defineSecretManager(
+  {
+    "api-keys": {
+      "stripe-secret-key": process.env.STRIPE_SECRET_KEY,
+      "sendgrid-api-key": process.env.SENDGRID_API_KEY,
+    },
+  },
+  { ignoreNullishValues: true },
+);
+```
+
+When `ignoreNullishValues: true`:
+
+- Secrets with a string value are created or updated as normal
+- Secrets with `undefined` or `null` values are **skipped** — they are not created, updated, or deleted
+- Skipped secrets are shown in the deploy output for visibility
+- Secrets removed from the config entirely are still deleted (orphan cleanup)
+
+This allows you to set secret values once (e.g., via local `tailor-sdk apply` or the CLI) and then deploy from CI without needing the actual values in CI environment variables.
+
 ## Using Secrets
 
 ### Runtime Access with `get()` / `getAll()`

package/docs/services/workflow.md

@@ -227,11 +227,10 @@ export default createWorkflow({
 You can start a workflow execution from a resolver using `workflow.trigger()`.
 
 - `workflow.trigger(args, options?)` returns a workflow run ID (`Promise<string>`).
-- To run with machine-user permissions, pass `{ authInvoker: auth.invoker("<machine-user>") }`.
+- To run with machine-user permissions, pass `{ authInvoker: "<machine-user>" }`. The name is type-narrowed to the machine users defined in your auth config.
 
 ```typescript
 import { createResolver, t } from "@tailor-platform/sdk";
-import { auth } from "../tailor.config";
 import orderProcessingWorkflow from "../workflows/order-processing";
 
 export default createResolver({
@@ -244,7 +243,7 @@ export default createResolver({
   body: async ({ input }) => {
     const workflowRunId = await orderProcessingWorkflow.trigger(
       { orderId: input.orderId, customerId: input.customerId },
-      { authInvoker: auth.invoker("manager-machine-user") },
+      { authInvoker: "manager-machine-user" },
     );
 
     return { workflowRunId };
@@ -255,6 +254,8 @@ export default createResolver({
 });
 ```
 
+> **Deprecated:** `auth.invoker("manager-machine-user")` still works but is deprecated. Using the string form avoids importing `auth` into runtime code.
+
 See the full working example in the repository: [example/resolvers/triggerWorkflow.ts](../../../../example/resolvers/triggerWorkflow.ts).
 
 ## File Organization

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.35.2",
+  "version": "1.37.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -82,7 +82,8 @@
     "@connectrpc/connect": "2.1.1",
     "@connectrpc/connect-node": "2.1.1",
     "@inquirer/core": "11.1.8",
-    "@inquirer/prompts": "8.4.0",
+    "@inquirer/prompts": "8.4.1",
+    "@jridgewell/trace-mapping": "0.3.31",
     "@liam-hq/cli": "0.7.24",
     "@napi-rs/keyring": "1.2.0",
     "@opentelemetry/api": "1.9.1",
@@ -116,7 +117,7 @@
     "pgsql-ast-parser": "12.0.2",
     "pkg-types": "2.3.0",
     "politty": "0.4.13",
-    "rolldown": "1.0.0-rc.13",
+    "rolldown": "1.0.0-rc.15",
     "semver": "7.7.4",
     "serve": "14.2.6",
     "std-env": "4.0.0",
@@ -138,14 +139,14 @@
     "@vitest/coverage-v8": "4.1.2",
     "eslint": "10.2.0",
     "eslint-plugin-jsdoc": "62.9.0",
-    "eslint-plugin-oxlint": "1.58.0",
+    "eslint-plugin-oxlint": "1.59.0",
     "oxfmt": "0.44.0",
-    "oxlint": "1.58.0",
+    "oxlint": "1.59.0",
     "oxlint-tsgolint": "0.20.0",
     "sonda": "0.11.1",
     "tsdown": "0.21.7",
     "typescript": "5.9.3",
-    "typescript-eslint": "8.58.0",
+    "typescript-eslint": "8.58.1",
     "vitest": "4.1.2",
     "zinfer": "0.1.7"
   },