@tailor-platform/sdk 1.36.0 → 1.38.0

package/dist/{runtime-C7RRDaB3.mjs → runtime-ChpwtPut.mjs}

@@ -1,17 +1,17 @@
 
-import { A as ExecutorJobStatus, B as AuthSCIMAttribute_Type, C as TailorDBType_PermitAction, D as IdPPermissionPermit, E as IdPPermissionOperator, F as AuthIDPConfig_AuthType, G as UserProfileProviderConfig_UserProfileProviderType, H as AuthSCIMConfig_AuthorizationType, I as AuthInvokerSchema, J as Condition_Operator, K as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, L as AuthOAuth2Client_ClientType, M as ExecutorTriggerType, N as AuthConnection_Type, O as FunctionExecution_Status, P as AuthHookPoint, Q as Subgraph_ServiceType, R as AuthOAuth2Client_GrantType, S as TailorDBType_Permission_Permit, T as IdPLang, V as AuthSCIMAttribute_Uniqueness, W as TenantProviderConfig_TenantProviderType, X as PageDirection, Y as FilterSchema, Z as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as ConditionSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Mutability } from "./client-CN15WgW2.mjs";
-import { t as db } from "./schema-D27cW0Ca.mjs";
-import { i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-qz-Y4sBV.mjs";
-import { t as readPackageJson } from "./package-json-CfUqjJaQ.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-BwboBFcU.mjs";
-import { r as withSpan } from "./telemetry-CREcGK8y.mjs";
+import { A as ExecutorJobStatus, B as AuthSCIMAttribute_Type, C as TailorDBType_PermitAction, D as IdPPermissionPermit, E as IdPPermissionOperator, F as AuthIDPConfig_AuthType, G as UserProfileProviderConfig_UserProfileProviderType, H as AuthSCIMConfig_AuthorizationType, I as AuthInvokerSchema, J as Condition_Operator, K as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, L as AuthOAuth2Client_ClientType, M as ExecutorTriggerType, N as AuthConnection_Type, O as FunctionExecution_Status, P as AuthHookPoint, Q as Subgraph_ServiceType, R as AuthOAuth2Client_GrantType, S as TailorDBType_Permission_Permit, T as IdPLang, V as AuthSCIMAttribute_Uniqueness, W as TenantProviderConfig_TenantProviderType, X as PageDirection, Y as FilterSchema, Z as ApplicationSchemaUpdateAttemptStatus, _ as WorkflowJobExecution_Status, a as fetchMachineUserToken, b as TailorDBGQLPermission_Permit, f as platformBaseUrl, g as WorkflowExecution_Status, h as WorkspacePlatformUserRole, i as fetchAll, j as ExecutorTargetType, m as userAgent, p as resolveStaticWebsiteUrls, q as ConditionSchema, u as initOperatorClient, v as TailorDBGQLPermission_Action, w as PipelineResolver_OperationType, x as TailorDBType_Permission_Operator, y as TailorDBGQLPermission_Operator, z as AuthSCIMAttribute_Mutability } from "./client-xzPXtc_e.mjs";
+import { t as db } from "./schema-CnwUqPyM.mjs";
+import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-5_JMzHmw.mjs";
+import { t as readPackageJson } from "./package-json-BHViVisJ.mjs";
+import { S as readPlatformConfig, T as writePlatformConfig, _ as hashFile, a as loadConfig, b as loadAccessToken, c as createExecutorService, d as TailorDBTypeSchema, f as stringifyFunction, g as getDistDir, h as createBundleCache, m as loadFilesWithIgnores, n as generatePluginFilesIfNeeded, p as tailorUserMap, r as loadApplication, t as defineApplication, u as OAuth2ClientSchema, x as loadWorkspaceId } from "./application-DhQrXEld.mjs";
+import { r as withSpan } from "./telemetry-DwHuiNiR.mjs";
+import { n as isCLIError, t as createCLIError } from "./errors-D9f2UJpT.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { parseEnv } from "node:util";
 import * as path from "pathe";
-import chalk from "chalk";
 import { formatDistanceToNowStrict } from "date-fns";
 import { getBorderCharacters, table } from "table";
 import { ValueSchema, timestampDate } from "@bufbuild/protobuf/wkt";
@@ -463,9 +463,10 @@ function extractAttributesFromConfig(config) {
 * @param attributeMap - Attribute map configuration
 * @param attributeList - Attribute list configuration
 * @param env - Environment configuration
+* @param machineUserNames - Registered machine user names (used to narrow `authInvoker` strings)
 * @returns Generated type definition source
 */
-function generateTypeDefinition(attributeMap, attributeList, env) {
+function generateTypeDefinition(attributeMap, attributeList, env, machineUserNames) {
 	const mapFields = attributeMap ? Object.entries(attributeMap).map(([key, value]) => `    ${key}: ${value};`).join("\n") : "";
 	const mapBody = !attributeMap || Object.keys(attributeMap).length === 0 ? "{}" : `{
 ${mapFields}
@@ -476,6 +477,11 @@ ${mapFields}
 	const envFields = env ? Object.entries(env).map(([key, value]) => {
 		return `    ${key}: ${typeof value === "string" ? `"${value}"` : String(value)};`;
 	}).join("\n") : "";
+	const envBody = !env || Object.keys(env).length === 0 ? "{}" : `{
+${envFields}
+  }`;
+	const isValidIdentifier = (s) => /^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(s);
+	const machineUserFields = machineUserNames?.length ? machineUserNames.map((name) => `    ${isValidIdentifier(name) ? name : JSON.stringify(name)}: true;`).join("\n") : "";
 	return ml`
 // This file is auto-generated by @tailor-platform/sdk
 // Do not edit this file manually
@@ -484,8 +490,9 @@ ${mapFields}
 declare module "@tailor-platform/sdk" {
   interface AttributeMap ${mapBody}
   interface AttributeList ${listBody}
-  interface Env ${!env || Object.keys(env).length === 0 ? "{}" : `{
-${envFields}
+  interface Env ${envBody}
+  interface MachineUserNameRegistry ${!machineUserNames || machineUserNames.length === 0 ? "{}" : `{
+${machineUserFields}
   }`}
 }
 
@@ -496,6 +503,8 @@ export {};
 function collectAttributesFromConfig(config) {
 	const auth = config.auth;
 	if (!auth || typeof auth !== "object") return {};
+	const machineUsersObj = auth.machineUsers;
+	const machineUserNames = machineUsersObj && typeof machineUsersObj === "object" ? Object.keys(machineUsersObj) : void 0;
 	const inferAttributeType = (field) => {
 		const type = field?.type;
 		const metadata = field?.metadata;
@@ -516,18 +525,22 @@ function collectAttributesFromConfig(config) {
 				acc[key] = inferAttributeType(fields?.[key]);
 				return acc;
 			}, {}) : void 0,
-			attributeList
+			attributeList,
+			machineUserNames
 		};
 	}
 	if ("machineUserAttributes" in auth) {
 		const machineUserAttributes = auth.machineUserAttributes;
-		if (!machineUserAttributes) return {};
-		return { attributeMap: Object.entries(machineUserAttributes).reduce((acc, [key, field]) => {
-			acc[key] = inferAttributeType(field);
-			return acc;
-		}, {}) };
+		if (!machineUserAttributes) return { machineUserNames };
+		return {
+			attributeMap: Object.entries(machineUserAttributes).reduce((acc, [key, field]) => {
+				acc[key] = inferAttributeType(field);
+				return acc;
+			}, {}),
+			machineUserNames
+		};
 	}
-	return {};
+	return { machineUserNames };
 }
 /**
 * Resolve the output path for the generated type definition file.
@@ -545,13 +558,14 @@ function resolveTypeDefinitionPath(configPath) {
 async function generateUserTypes(options) {
 	const { config, configPath } = options;
 	try {
-		const { attributeMap, attributeList } = extractAttributesFromConfig(config);
+		const { attributeMap, attributeList, machineUserNames } = extractAttributesFromConfig(config);
 		if (!attributeMap && !attributeList) logger.info("No attributes found in configuration", { mode: "plain" });
 		if (attributeMap) logger.debug(`Extracted AttributeMap: ${JSON.stringify(attributeMap)}`);
 		if (attributeList) logger.debug(`Extracted AttributeList: ${JSON.stringify(attributeList)}`);
+		if (machineUserNames?.length) logger.debug(`Extracted MachineUserNames: ${JSON.stringify(machineUserNames)}`);
 		const env = config.env;
 		if (env) logger.debug(`Extracted Env: ${JSON.stringify(env)}`);
-		const typeDefContent = generateTypeDefinition(attributeMap, attributeList, env);
+		const typeDefContent = generateTypeDefinition(attributeMap, attributeList, env, machineUserNames);
 		const outputPath = resolveTypeDefinitionPath(configPath);
 		fs$1.mkdirSync(path.dirname(outputPath), { recursive: true });
 		fs$1.writeFileSync(outputPath, typeDefContent);
@@ -945,7 +959,6 @@ function formatPlanSummary(summary) {
 		`${summary.delete} to delete`
 	];
 	if (summary.replace > 0) parts.push(`${summary.replace} to replace`);
-	parts.push(`${summary.unchanged} unchanged`);
 	return `Plan: ${parts.join(", ")}`;
 }
 
@@ -1133,13 +1146,9 @@ async function planApplication(context) {
 				applicationName: application.name
 			}
 		});
-		changeSet.print();
-		return changeSet;
-	}
-	if (application.subgraphs.length === 0) {
-		changeSet.print();
 		return changeSet;
 	}
+	if (application.subgraphs.length === 0) return changeSet;
 	let authNamespace;
 	let authIdpConfigName;
 	if (application.authService && application.authService.config) {
@@ -1191,7 +1200,6 @@ async function planApplication(context) {
 		request,
 		metaRequest
 	});
-	changeSet.print();
 	return changeSet;
 }
 function protoSubgraph(subgraph) {
@@ -1501,6 +1509,10 @@ function computeContentHash(content) {
 function functionRegistryTrn$1(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
 }
+const RESOLVER_PREFIX = "resolver--";
+const EXECUTOR_PREFIX = "executor--";
+const WORKFLOW_PREFIX = "workflow--";
+const AUTH_HOOK_PREFIX = "auth-hook--";
 /**
 * Build a function registry name for a resolver.
 * @param namespace - Resolver namespace
@@ -1508,7 +1520,7 @@ function functionRegistryTrn$1(workspaceId, name) {
 * @returns Function registry name
 */
 function resolverFunctionName(namespace, resolverName) {
-	return `resolver--${namespace}--${resolverName}`;
+	return `${RESOLVER_PREFIX}${namespace}--${resolverName}`;
 }
 /**
 * Build a function registry name for an executor.
@@ -1516,7 +1528,7 @@ function resolverFunctionName(namespace, resolverName) {
 * @returns Function registry name
 */
 function executorFunctionName(executorName) {
-	return `executor--${executorName}`;
+	return `${EXECUTOR_PREFIX}${executorName}`;
 }
 /**
 * Build a function registry name for a workflow job.
@@ -1524,7 +1536,50 @@ function executorFunctionName(executorName) {
 * @returns Function registry name
 */
 function workflowJobFunctionName(jobName) {
-	return `workflow--${jobName}`;
+	return `${WORKFLOW_PREFIX}${jobName}`;
+}
+/**
+* Split function registry changes into grouped buckets by resource-name prefix.
+* @param changeSet - Function registry change set
+* @returns Grouped function registry changes by resource kind
+*/
+function splitFunctionRegistryChanges(changeSet) {
+	function partition(items) {
+		const buckets = {
+			workflowJob: [],
+			resolver: [],
+			executor: [],
+			authHook: [],
+			other: []
+		};
+		for (const item of items) if (item.name.startsWith("workflow--")) buckets.workflowJob.push(item);
+		else if (item.name.startsWith("resolver--")) buckets.resolver.push(item);
+		else if (item.name.startsWith("executor--")) buckets.executor.push(item);
+		else if (item.name.startsWith("auth-hook--")) buckets.authHook.push(item);
+		else buckets.other.push(item);
+		return buckets;
+	}
+	const creates = partition(changeSet.creates);
+	const updates = partition(changeSet.updates);
+	const deletes = partition(changeSet.deletes);
+	const replaces = partition(changeSet.replaces);
+	const unchanged = partition(changeSet.unchanged);
+	function collect(key) {
+		return {
+			creates: creates[key],
+			updates: updates[key],
+			deletes: deletes[key],
+			replaces: replaces[key],
+			unchanged: unchanged[key]
+		};
+	}
+	return {
+		workflowJobChanges: collect("workflowJob"),
+		resolverFunctionChanges: collect("resolver"),
+		executorFunctionChanges: collect("executor"),
+		authHookFunctionChanges: collect("authHook"),
+		otherChanges: collect("other")
+	};
 }
 /**
 * Build a function registry name for an auth hook.
@@ -1687,9 +1742,13 @@ async function planFunctionRegistry(client, workspaceId, appName, entries) {
 			workspaceId
 		});
 	}
-	changeSet.print();
+	const { workflowJobChanges, resolverFunctionChanges, executorFunctionChanges, authHookFunctionChanges } = splitFunctionRegistryChanges(changeSet);
 	return {
 		changeSet,
+		workflowJobChanges,
+		resolverFunctionChanges,
+		executorFunctionChanges,
+		authHookFunctionChanges,
 		conflicts,
 		unmanaged,
 		resourceOwners
@@ -1763,6 +1822,228 @@ async function applyFunctionRegistry(client, workspaceId, result, phase = "creat
 	})));
 }
 
+//#endregion
+//#region src/cli/commands/apply/grouped-display.ts
+/**
+* Convert grouped function registry changes into mutable name sets.
+* @param changes - Grouped function registry changes
+* @returns Mutable name sets keyed by action
+*/
+function createRelatedFunctionRegistryNameSets(changes) {
+	return {
+		creates: new Set(changes?.creates.map((item) => item.name) ?? []),
+		updates: new Set(changes?.updates.map((item) => item.name) ?? []),
+		deletes: new Set(changes?.deletes.map((item) => item.name) ?? []),
+		replaces: new Set(changes?.replaces.map((item) => item.name) ?? [])
+	};
+}
+const ACTION_SYMBOLS = {
+	create: symbols.create,
+	update: symbols.update,
+	delete: symbols.delete,
+	replace: symbols.replace
+};
+/**
+* Convert a plain change set into grouped display entries.
+* @param changeSet - Change set to convert
+* @param labels - Labels to attach to each entry
+* @param getNamespace - Optional callback to extract namespace from an item
+* @returns Display entries in CLI print order
+*/
+function formatChangeSetEntries(changeSet, labels = [], getNamespace) {
+	function toEntry(action, item) {
+		return {
+			action,
+			symbol: ACTION_SYMBOLS[action],
+			name: item.name,
+			labels: [...labels],
+			namespace: getNamespace?.(item)
+		};
+	}
+	return [
+		...changeSet.creates.map((item) => toEntry("create", item)),
+		...changeSet.deletes.map((item) => toEntry("delete", item)),
+		...changeSet.updates.map((item) => toEntry("update", item)),
+		...changeSet.replaces.map((item) => toEntry("replace", item))
+	];
+}
+function formatGroupedDisplayLine(entry) {
+	return entry.labels.length > 0 ? `${entry.symbol} ${entry.name} (${entry.labels.join(", ")})` : `${entry.symbol} ${entry.name}`;
+}
+function parseFunctionRegistryName(name) {
+	if (name.startsWith("resolver--")) {
+		const [, namespace, resolverName] = name.split("--");
+		if (namespace && resolverName) return {
+			displayName: resolverName,
+			namespace
+		};
+	}
+	if (name.startsWith("workflow--")) return { displayName: name.slice(WORKFLOW_PREFIX.length) };
+	if (name.startsWith("executor--")) return { displayName: name.slice(EXECUTOR_PREFIX.length) };
+	if (name.startsWith("auth-hook--")) {
+		const [, namespace, hookPoint] = name.split("--");
+		if (namespace && hookPoint) return {
+			displayName: hookPoint,
+			namespace
+		};
+	}
+	return { displayName: name };
+}
+/**
+* Build function-registry-only entries that were not grouped with a parent resource.
+* @param names - Related function registry names keyed by action
+* @param consumed - Function registry names already grouped with parent resources
+* @returns Display entries for ungrouped function registry changes
+*/
+function buildRemainingFunctionRegistryEntries(names, consumed = createRelatedFunctionRegistryNameSets()) {
+	return [
+		[
+			"create",
+			names.creates,
+			consumed.creates
+		],
+		[
+			"delete",
+			names.deletes,
+			consumed.deletes
+		],
+		[
+			"update",
+			names.updates,
+			consumed.updates
+		],
+		[
+			"replace",
+			names.replaces,
+			consumed.replaces
+		]
+	].flatMap(([action, nameSet, consumedSet]) => [...nameSet].filter((name) => !consumedSet.has(name)).map((name) => {
+		const { displayName, namespace } = parseFunctionRegistryName(name);
+		return {
+			action,
+			symbol: ACTION_SYMBOLS[action],
+			name: displayName,
+			labels: ["function"],
+			namespace
+		};
+	}));
+}
+/**
+* Format change set entries with function registry grouping.
+*
+* For each item in creates/updates/deletes, calls `getFunctionRegistryNames` to
+* derive zero or more function registry names. When a matching function registry
+* change exists for the same action, the item is displayed with both the resource
+* label and "functionRegistry". Ungrouped function registry changes are appended.
+* @param resourceLabel - Label for the resource kind (e.g. "executor", "resolver")
+* @param changeSet - Resource change set with creates/updates/deletes/replaces
+* @param changeSet.creates - Created resources
+* @param changeSet.updates - Updated resources
+* @param changeSet.deletes - Deleted resources
+* @param changeSet.replaces - Replaced resources
+* @param functionRegistryChanges - Related function registry changes
+* @param getFunctionRegistryNames - Derives function registry names from a resource item
+* @param options - Optional display callbacks
+* @param options.getNamespace - Extract namespace from an item for nested display
+* @param options.getDisplayName - Override display name for an item
+* @returns Display entries for CLI output
+*/
+function formatChangeEntriesWithFunctionRegistry(resourceLabel, changeSet, functionRegistryChanges, getFunctionRegistryNames, options) {
+	const { getNamespace, getDisplayName } = options ?? {};
+	const functionNames = createRelatedFunctionRegistryNameSets(functionRegistryChanges);
+	const consumed = createRelatedFunctionRegistryNameSets();
+	function processItems(items, action, fnNameSet, consumedSet) {
+		return items.map((item) => {
+			const names = getFunctionRegistryNames(item, action);
+			const hasMatch = names.some((name) => fnNameSet.has(name));
+			if (hasMatch) {
+				for (const name of names) if (fnNameSet.has(name)) consumedSet.add(name);
+			}
+			return {
+				action,
+				symbol: ACTION_SYMBOLS[action],
+				name: getDisplayName?.(item) ?? item.name,
+				labels: hasMatch ? [resourceLabel, "function"] : [resourceLabel],
+				namespace: getNamespace?.(item)
+			};
+		});
+	}
+	return [
+		...processItems(changeSet.creates, "create", functionNames.creates, consumed.creates),
+		...processItems(changeSet.deletes, "delete", functionNames.deletes, consumed.deletes),
+		...processItems(changeSet.updates, "update", functionNames.updates, consumed.updates),
+		...changeSet.replaces.map((item) => ({
+			action: "replace",
+			symbol: ACTION_SYMBOLS["replace"],
+			name: getDisplayName?.(item) ?? item.name,
+			labels: [resourceLabel],
+			namespace: getNamespace?.(item)
+		})),
+		...buildRemainingFunctionRegistryEntries(functionNames, consumed)
+	];
+}
+/**
+* Extract service-level actions from a change set for namespace header display.
+* @param changeSet - Service change set
+* @returns Array of namespace actions
+*/
+function extractServiceActions(changeSet) {
+	return [
+		...changeSet.creates.map((item) => ({
+			name: item.name,
+			action: "create"
+		})),
+		...changeSet.deletes.map((item) => ({
+			name: item.name,
+			action: "delete"
+		})),
+		...changeSet.updates.map((item) => ({
+			name: item.name,
+			action: "update"
+		})),
+		...changeSet.replaces.map((item) => ({
+			name: item.name,
+			action: "replace"
+		}))
+	];
+}
+/**
+* Print a titled section of grouped display entries, nesting by namespace.
+* Service-level changes are shown as the namespace header symbol.
+* Services without child entries are shown as flat entries.
+* @param title - Section title
+* @param entries - Entries to print (should NOT include service entries)
+* @param serviceActions - Optional service-level actions to merge into namespace headers
+*/
+function printGroupedDisplaySection(title, entries, serviceActions) {
+	const serviceMap = /* @__PURE__ */ new Map();
+	if (serviceActions) for (const sa of serviceActions) serviceMap.set(sa.name, sa.action);
+	if (entries.length === 0 && serviceMap.size === 0) return;
+	logger.log(styles.bold(`${title}:`));
+	const namespaceOrder = [];
+	const byNamespace = /* @__PURE__ */ new Map();
+	for (const entry of entries) {
+		const ns = entry.namespace;
+		if (!byNamespace.has(ns)) {
+			namespaceOrder.push(ns);
+			byNamespace.set(ns, []);
+		}
+		byNamespace.get(ns).push(entry);
+	}
+	const printedServices = /* @__PURE__ */ new Set();
+	for (const ns of namespaceOrder) {
+		const group = byNamespace.get(ns);
+		if (ns) {
+			const svcAction = serviceMap.get(ns);
+			const prefix = svcAction ? `${ACTION_SYMBOLS[svcAction]} ` : "";
+			logger.log(`  ${prefix}${styles.bold(`${ns}:`)}`);
+			printedServices.add(ns);
+			for (const entry of group) logger.log(`    ${formatGroupedDisplayLine(entry)}`);
+		} else for (const entry of group) logger.log(`  ${formatGroupedDisplayLine(entry)}`);
+	}
+	for (const [name, action] of serviceMap) if (!printedServices.has(name)) logger.log(`  ${ACTION_SYMBOLS[action]} ${name}`);
+}
+
 //#endregion
 //#region src/parser/service/idp/permission.ts
 const operatorMap = {
@@ -1949,13 +2230,10 @@ async function planIdP(context) {
 	const { client, workspaceId, application, forRemoval, forceApplyAll = false } = context;
 	const idps = forRemoval ? [] : application.idpServices;
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps);
-	const clientChangeSet = await planClients(client, workspaceId, idps, serviceChangeSet.deletes.map((del) => del.name), forceApplyAll);
-	serviceChangeSet.print();
-	clientChangeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
-			client: clientChangeSet
+			client: await planClients(client, workspaceId, idps, serviceChangeSet.deletes.map((del) => del.name), forceApplyAll)
 		},
 		conflicts,
 		unmanaged,
@@ -2396,16 +2674,6 @@ async function planAuth(context) {
 		planSCIMResources(client, workspaceId, auths, deletedServices),
 		planAuthConnections(client, workspaceId, application.name, auths)
 	]);
-	serviceChangeSet.print();
-	idpConfigChangeSet.print();
-	userProfileConfigChangeSet.print();
-	tenantConfigChangeSet.print();
-	machineUserChangeSet.print();
-	authHookChangeSet.print();
-	oauth2ClientChangeSet.print();
-	scimChangeSet.print();
-	scimResourceChangeSet.print();
-	connectionResult.changeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -3371,6 +3639,21 @@ function areAuthHooksEqual(existing, desired) {
 		} : void 0
 	});
 }
+/**
+* Format auth hook changes for grouped dry-run display.
+* @param changeSet - Auth hook changes
+* @param functionRegistryAuthHookChanges - Related function registry changes for auth hooks
+* @returns Display entries for auth hook output
+*/
+function formatAuthHookChangeEntries(changeSet, functionRegistryAuthHookChanges) {
+	return formatChangeEntriesWithFunctionRegistry("authHook", changeSet, functionRegistryAuthHookChanges, (item) => {
+		const [namespace, hookPoint] = item.name.split("/");
+		return namespace && hookPoint ? [authHookFunctionName(namespace, hookPoint)] : [];
+	}, {
+		getNamespace: (item) => item.name.split("/")[0],
+		getDisplayName: (item) => item.name.split("/")[1] ?? item.name
+	});
+}
 async function planAuthHooks(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth hooks");
 	for (const auth of auths) {
@@ -3606,6 +3889,32 @@ function buildResolverOperationHookExpr(env) {
 	return `({ ...context.pipeline, input: context.args, user: ${tailorUserMap}, env: ${JSON.stringify(env)} });`;
 }
 
+//#endregion
+//#region src/cli/commands/apply/auth-invoker.ts
+/**
+* Normalize an authInvoker value to the object form required by the proto payload.
+*
+* Accepts either:
+* - `undefined` — returns undefined
+* - a plain string (machine user name) — expands to `{ namespace, machineUserName }` using `authNamespace`
+* - an object `{ namespace, machineUserName }` — returned as-is
+* @param authInvoker - String machine user name or object form
+* @param authNamespace - Auth service namespace (required when authInvoker is a string)
+* @param context - Contextual label used in error messages (e.g. `resolver "foo"`)
+* @returns Object form of auth invoker, or undefined
+*/
+function normalizeAuthInvoker(authInvoker, authNamespace, context) {
+	if (authInvoker === void 0) return void 0;
+	if (typeof authInvoker === "string") {
+		if (!authNamespace) throw new Error(`${context} uses a string authInvoker ("${authInvoker}"), but no Auth service is configured. Configure an Auth service or use the object form { namespace, machineUserName }.`);
+		return {
+			namespace: authNamespace,
+			machineUserName: authInvoker
+		};
+	}
+	return authInvoker;
+}
+
 //#endregion
 //#region src/cli/commands/apply/executor.ts
 /**
@@ -3707,7 +4016,6 @@ async function planExecutor(context) {
 			}
 		});
 	});
-	changeSet.print();
 	return {
 		changeSet,
 		conflicts,
@@ -3715,6 +4023,31 @@ async function planExecutor(context) {
 		resourceOwners
 	};
 }
+function isFunctionBackedExecutor(executor) {
+	return executor?.targetType === ExecutorTargetType.FUNCTION || executor?.targetType === ExecutorTargetType.JOB_FUNCTION;
+}
+/**
+* Build desired executor configs keyed by executor name from create/update changes.
+* @param changeSet - Executor create/update changes
+* @returns Executor configs keyed by name
+*/
+function buildPlannedExecutorsByName(changeSet) {
+	return Object.fromEntries([...changeSet.creates, ...changeSet.updates].map((item) => [item.name, item.request.executor]));
+}
+/**
+* Format executor changes for grouped dry-run display.
+* @param changeSet - Executor changes
+* @param executors - Desired executor configs keyed by name
+* @param functionRegistryExecutorChanges - Related function registry changes for executors
+* @returns Display entries for executor output
+*/
+function formatExecutorChangeEntries(changeSet, executors, functionRegistryExecutorChanges) {
+	return formatChangeEntriesWithFunctionRegistry("executor", changeSet, functionRegistryExecutorChanges, (item, action) => {
+		if (action === "delete") return [executorFunctionName(item.name)];
+		const executor = executors[item.name];
+		return executor && isFunctionBackedExecutor(executor) ? [executorFunctionName(item.name)] : [];
+	});
+}
 function normalizeComparableExecutor(executor) {
 	const normalized = normalizeProtoConfig(executor) ?? {};
 	const webhookHeaders = normalized.targetConfig?.config?.case === "webhook" ? [...normalized.targetConfig.config.value.headers ?? []].sort((left, right) => (left.key ?? "").localeCompare(right.key ?? "")) : void 0;
@@ -3722,7 +4055,10 @@ function normalizeComparableExecutor(executor) {
 		...normalized.triggerConfig,
 		config: {
 			...normalized.triggerConfig.config,
-			value: {}
+			value: {
+				...normalized.triggerConfig.config.value,
+				secret: void 0
+			}
 		}
 	} : normalized.triggerConfig?.config?.case === "event" ? {
 		...normalized.triggerConfig,
@@ -3834,7 +4170,10 @@ function protoExecutor(application, executor) {
 			triggerType = ExecutorTriggerType.INCOMING_WEBHOOK;
 			triggerConfig = { config: {
 				case: "incomingWebhook",
-				value: {}
+				value: { ...trigger.response ? { response: {
+					...trigger.response.body ? { body: { expr: `(${stringifyFunction(trigger.response.body)})(${argsExpr})` } } : {},
+					...trigger.response.statusCode != null ? { statusCode: trigger.response.statusCode } : {}
+				} } : {} }
 			} };
 			break;
 		case "idpUser":
@@ -3862,6 +4201,8 @@ function protoExecutor(application, executor) {
 	const target = executor.operation;
 	let targetType;
 	let targetConfig;
+	const authNamespace = application.authService?.parsedConfig.name;
+	const invokerContext = `Executor "${executor.name}"`;
 	switch (target.kind) {
 		case "webhook":
 			targetType = ExecutorTargetType.WEBHOOK;
@@ -3899,7 +4240,7 @@ function protoExecutor(application, executor) {
 					appName: target.appName ?? appName,
 					query: target.query,
 					variables: target.variables ? { expr: `(${stringifyFunction(target.variables)})(${argsExpr})` } : void 0,
-					invoker: target.authInvoker ?? void 0
+					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -3913,7 +4254,7 @@ function protoExecutor(application, executor) {
 					name: "operation",
 					scriptRef: executorFunctionName(executor.name),
 					variables: { expr: argsExpr },
-					invoker: target.authInvoker ?? void 0
+					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -3924,7 +4265,7 @@ function protoExecutor(application, executor) {
 				value: {
 					workflowName: target.workflowName,
 					variables: target.args ? typeof target.args === "function" ? { expr: `(${stringifyFunction(target.args)})(${argsExpr})` } : { expr: JSON.stringify(target.args) } : void 0,
-					invoker: target.authInvoker ?? void 0
+					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -4016,9 +4357,7 @@ async function planPipeline(context) {
 	}
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, pipelines);
-	const resolverChangeSet = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, forceApplyAll);
-	serviceChangeSet.print();
-	resolverChangeSet.print();
+	const { changeSet: resolverChangeSet } = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, application.authService?.config.name, forceApplyAll);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -4110,7 +4449,7 @@ async function planServices$1(client, workspaceId, appName, pipelines) {
 		resourceOwners
 	};
 }
-async function planResolvers(client, workspaceId, pipelines, executors, deletedServices, env, forceApplyAll = false) {
+async function planResolvers(client, workspaceId, pipelines, executors, deletedServices, env, authNamespace, forceApplyAll = false) {
 	const changeSet = createChangeSet("Pipeline resolvers");
 	const fetchResolvers = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -4135,7 +4474,7 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 		const existingResolvers = await fetchResolvers(pipeline.namespace);
 		const existingResolversMap = new Map(existingResolvers.map((resolver) => [resolver.name, resolver]));
 		for (const resolver of Object.values(pipeline.resolvers)) {
-			const desiredResolver = processResolver(pipeline.namespace, resolver, executorUsedResolvers, env);
+			const desiredResolver = processResolver(pipeline.namespace, resolver, executorUsedResolvers, env, authNamespace);
 			if (existingResolversMap.get(resolver.name)) {
 				const { pipelineResolver: existingResolverDetail } = await client.getPipelineResolver({
 					workspaceId,
@@ -4182,7 +4521,19 @@ async function planResolvers(client, workspaceId, pipelines, executors, deletedS
 			}
 		});
 	});
-	return changeSet;
+	return { changeSet };
+}
+/**
+* Format resolver changes for grouped dry-run display.
+* @param changeSet - Resolver changes
+* @param resolverFunctionChanges - Related function registry changes for resolvers
+* @returns Display entries for resolver output
+*/
+function formatResolverChangeEntries(changeSet, resolverFunctionChanges) {
+	return formatChangeEntriesWithFunctionRegistry("resolver", changeSet, resolverFunctionChanges, (item) => {
+		const namespace = item.request.namespaceName;
+		return namespace ? [resolverFunctionName(namespace, item.name)] : [];
+	}, { getNamespace: (item) => item.request.namespaceName });
 }
 function normalizeComparableResolver(resolver) {
 	const normalized = normalizeProtoConfig(resolver) ?? {};
@@ -4237,7 +4588,7 @@ function normalizeComparableType(type) {
 		fields: (type.fields ?? []).map((field) => normalizeComparableField(field))
 	};
 }
-function processResolver(namespace, resolver, executorUsedResolvers, env) {
+function processResolver(namespace, resolver, executorUsedResolvers, env, authNamespace) {
 	const pipelines = [{
 		name: "body",
 		operationName: "body",
@@ -4246,7 +4597,7 @@ function processResolver(namespace, resolver, executorUsedResolvers, env) {
 		operationSourceRef: resolverFunctionName(namespace, resolver.name),
 		operationHook: { expr: buildResolverOperationHookExpr(env) },
 		postScript: `args.body`,
-		invoker: resolver.authInvoker
+		invoker: normalizeAuthInvoker(resolver.authInvoker, authNamespace, `Resolver "${resolver.name}"`)
 	}];
 	const typeBaseName = inflection.camelize(resolver.name);
 	const inputs = resolver.input ? protoFields(resolver.input, `${typeBaseName}Input`, true) : [];
@@ -4444,12 +4795,6 @@ async function planSecretManager(context) {
 			});
 		}
 	}
-	vaultChangeSet.print();
-	secretChangeSet.print();
-	if (skippedSecrets.length > 0) {
-		logger.log(styles.bold("Secret Manager secrets (skipped - no value provided):"));
-		for (const name of skippedSecrets) logger.log(`  ${styles.dim("○")} ${name}`);
-	}
 	return {
 		vaultChangeSet,
 		secretChangeSet,
@@ -4650,7 +4995,6 @@ async function planStaticWebsite(context) {
 			}
 		});
 	});
-	changeSet.print();
 	return {
 		changeSet,
 		conflicts,
@@ -6771,9 +7115,6 @@ async function planTailorDB(context) {
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, tailordbs);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const [typeChangeSet, gqlPermissionChangeSet] = await Promise.all([planTypes(client, workspaceId, tailordbs, executors, deletedServices, void 0, forceApplyAll), planGqlPermissions(client, workspaceId, tailordbs, deletedServices, forceApplyAll)]);
-	serviceChangeSet.print();
-	typeChangeSet.print();
-	gqlPermissionChangeSet.print();
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -6791,6 +7132,42 @@ async function planTailorDB(context) {
 		}
 	};
 }
+function itemKey(item) {
+	return `${item.request?.namespaceName ?? ""}/${item.name}`;
+}
+function collectTailorDBDisplayEntries(action, typeItems, gqlPermissionItems) {
+	const typeKeys = new Set(typeItems.map(itemKey));
+	const gqlPermissionKeys = new Set(gqlPermissionItems.map(itemKey));
+	const typeEntries = typeItems.map((item) => ({
+		action,
+		symbol: ACTION_SYMBOLS[action],
+		name: item.name,
+		labels: gqlPermissionKeys.has(itemKey(item)) ? ["type", "gqlPermission"] : ["type"],
+		namespace: item.request?.namespaceName
+	}));
+	const gqlPermissionOnlyEntries = gqlPermissionItems.filter((item) => !typeKeys.has(itemKey(item))).map((item) => ({
+		action,
+		symbol: ACTION_SYMBOLS[action],
+		name: item.name,
+		labels: ["gqlPermission"],
+		namespace: item.request?.namespaceName
+	}));
+	return [...typeEntries, ...gqlPermissionOnlyEntries];
+}
+/**
+* Format TailorDB type and gqlPermission changes as grouped dry-run entries.
+* @param typeChangeSet - TailorDB type changes
+* @param gqlPermissionChangeSet - TailorDB gqlPermission changes
+* @returns Display entries for TailorDB resource output
+*/
+function formatTailorDBResourceChangeEntries(typeChangeSet, gqlPermissionChangeSet) {
+	return [
+		...collectTailorDBDisplayEntries("create", typeChangeSet.creates, gqlPermissionChangeSet.creates),
+		...collectTailorDBDisplayEntries("delete", typeChangeSet.deletes, gqlPermissionChangeSet.deletes),
+		...collectTailorDBDisplayEntries("update", typeChangeSet.updates, gqlPermissionChangeSet.updates),
+		...collectTailorDBDisplayEntries("replace", typeChangeSet.replaces, gqlPermissionChangeSet.replaces)
+	];
+}
 function trn(workspaceId, name) {
 	return `${trnPrefix(workspaceId)}:tailordb:${name}`;
 }
@@ -7688,15 +8065,16 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 		});
 	}
 	Object.values(existingWorkflows).forEach((existing) => {
-		const label = existing?.label;
+		if (!existing) return;
+		const label = existing.label;
 		if (label && label !== appName) resourceOwners.add(label);
 		if (label === appName) changeSet.deletes.push({
 			name: existing.resource.name,
 			workspaceId,
-			workflowId: existing.resource.id
+			workflowId: existing.resource.id,
+			usedJobNames: getExistingWorkflowJobNames(existing.resource)
 		});
 	});
-	changeSet.print();
 	return {
 		changeSet,
 		conflicts,
@@ -7706,6 +8084,15 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 		unchangedWorkflowJobNames
 	};
 }
+/**
+* Format workflow changes for grouped dry-run display.
+* @param changeSet - Workflow changes
+* @param workflowJobFunctionChanges - Related function registry changes for workflow jobs
+* @returns Display entries for workflow output
+*/
+function formatWorkflowChangeEntries(changeSet, workflowJobFunctionChanges) {
+	return formatChangeEntriesWithFunctionRegistry("workflow", changeSet, workflowJobFunctionChanges, (item) => "usedJobNames" in item ? item.usedJobNames.map((jobName) => workflowJobFunctionName(jobName)) : []);
+}
 function canTreatWorkflowAsUnchanged(existing, workflow, usedJobNames, unchangedJobFunctions) {
 	if (!usedJobNames.every((jobName) => unchangedJobFunctions.has(jobName))) return false;
 	return areWorkflowsEqual(existing, workflow, usedJobNames);
@@ -7740,6 +8127,11 @@ function normalizeComparableWorkflowRetryPolicy(policy) {
 function normalizeComparableWorkflowJobNames(jobFunctions) {
 	return Array.isArray(jobFunctions) ? [...jobFunctions].sort() : Object.keys(jobFunctions ?? {}).sort();
 }
+function getExistingWorkflowJobNames(existing) {
+	const jobNames = new Set(Object.keys(existing.jobFunctions ?? {}));
+	if (existing.mainJobFunctionName) jobNames.add(existing.mainJobFunctionName);
+	return [...jobNames].sort();
+}
 function normalizeRetryPolicyForCompare(policy) {
 	return {
 		maxRetries: policy.maxRetries,
@@ -7826,34 +8218,95 @@ async function shouldForceApplyAll(client, workspaceId, application, functionEnt
 	}
 	return false;
 }
-function printPlanSummary(results) {
-	const summary = summarizeChangeSets([
-		results.functionRegistry.changeSet,
-		results.tailorDB.changeSet.service,
-		results.tailorDB.changeSet.type,
-		results.tailorDB.changeSet.gqlPermission,
+function printPlanResults(results) {
+	const executorEntries = formatExecutorChangeEntries(results.executor.changeSet, buildPlannedExecutorsByName(results.executor.changeSet), results.functionRegistry.executorFunctionChanges);
+	const resolverEntries = formatResolverChangeEntries(results.pipeline.changeSet.resolver, results.functionRegistry.resolverFunctionChanges);
+	const workflowEntries = formatWorkflowChangeEntries(results.workflow.changeSet, results.functionRegistry.workflowJobChanges);
+	const authHookEntries = formatAuthHookChangeEntries(results.auth.changeSet.authHook, results.functionRegistry.authHookFunctionChanges);
+	const tailorDBEntries = [...formatTailorDBResourceChangeEntries(results.tailorDB.changeSet.type, results.tailorDB.changeSet.gqlPermission)];
+	const pipelineEntries = [...resolverEntries];
+	const namespaceOf = (item) => {
+		if ("request" in item && item.request && typeof item.request === "object" && "namespaceName" in item.request) return item.request.namespaceName;
+		if ("namespaceName" in item) return item.namespaceName;
+	};
+	const authNamespaceOf = (item) => "request" in item && item.request && typeof item.request === "object" && "authNamespace" in item.request ? item.request.authNamespace : void 0;
+	const idpEntries = [...formatChangeSetEntries(results.idp.changeSet.client, ["client"], namespaceOf)];
+	const authEntries = [
+		...formatChangeSetEntries(results.auth.changeSet.idpConfig, ["idpConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.userProfileConfig, ["userProfileConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.tenantConfig, ["tenantConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.machineUser, ["machineUser"], authNamespaceOf),
+		...authHookEntries,
+		...formatChangeSetEntries(results.auth.changeSet.oauth2Client, ["oauth2Client"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.scim, ["scimConfig"], namespaceOf),
+		...formatChangeSetEntries(results.auth.changeSet.scimResource, ["scimResource"], namespaceOf),
+		...results.auth.changeSet.connection ? formatChangeSetEntries(results.auth.changeSet.connection, ["connection"], namespaceOf) : []
+	];
+	const { otherChanges: otherFunctionRegistryChanges } = splitFunctionRegistryChanges(results.functionRegistry.changeSet);
+	printGroupedDisplaySection(results.functionRegistry.changeSet.title, formatChangeSetEntries(otherFunctionRegistryChanges));
+	const tailorDBServiceActions = extractServiceActions(results.tailorDB.changeSet.service);
+	const pipelineServiceActions = extractServiceActions(results.pipeline.changeSet.service);
+	const idpServiceActions = extractServiceActions(results.idp.changeSet.service);
+	const authServiceActions = extractServiceActions(results.auth.changeSet.service);
+	results.staticWebsite.changeSet.print();
+	results.app.print();
+	printGroupedDisplaySection("TailorDB", tailorDBEntries, tailorDBServiceActions);
+	printGroupedDisplaySection("Resolver", pipelineEntries, pipelineServiceActions);
+	printGroupedDisplaySection("Executor", executorEntries);
+	printGroupedDisplaySection("Workflow", workflowEntries);
+	printGroupedDisplaySection("IdP", idpEntries, idpServiceActions);
+	printGroupedDisplaySection("Auth", authEntries, authServiceActions);
+	results.secretManager.vaultChangeSet.print();
+	results.secretManager.secretChangeSet.print();
+	if (results.secretManager.skippedSecrets.length > 0) {
+		logger.log(styles.bold("Secret Manager secrets (skipped - no value provided):"));
+		for (const name of results.secretManager.skippedSecrets) logger.log(`  ${styles.dim("○")} ${name}`);
+	}
+	const summary = summarizePlanResults(results, [
+		...tailorDBEntries,
+		...pipelineEntries,
+		...executorEntries,
+		...workflowEntries,
+		...idpEntries,
+		...authEntries
+	], [
+		...tailorDBServiceActions,
+		...pipelineServiceActions,
+		...idpServiceActions,
+		...authServiceActions
+	]);
+	logger.log(formatPlanSummary(summary));
+}
+/**
+* Summarize plan counts from display entries, service actions, and non-grouped changesets.
+* @param results - Planned apply results
+* @param displayEntries - All grouped display entries across sections
+* @param serviceActions - All service-level namespace actions
+* @returns Aggregated plan summary
+*/
+function summarizePlanResults(results, displayEntries, serviceActions) {
+	const summary = {
+		create: 0,
+		update: 0,
+		delete: 0,
+		replace: 0,
+		unchanged: 0
+	};
+	for (const entry of displayEntries) summary[entry.action] += 1;
+	for (const sa of serviceActions) summary[sa.action] += 1;
+	const { otherChanges } = splitFunctionRegistryChanges(results.functionRegistry.changeSet);
+	const nonGrouped = summarizeChangeSets([
+		otherChanges,
 		results.staticWebsite.changeSet,
-		results.idp.changeSet.service,
-		results.idp.changeSet.client,
-		results.auth.changeSet.service,
-		results.auth.changeSet.idpConfig,
-		results.auth.changeSet.userProfileConfig,
-		results.auth.changeSet.tenantConfig,
-		results.auth.changeSet.machineUser,
-		results.auth.changeSet.oauth2Client,
-		results.auth.changeSet.authHook,
-		results.auth.changeSet.scim,
-		results.auth.changeSet.scimResource,
-		...results.auth.changeSet.connection ? [results.auth.changeSet.connection] : [],
-		results.pipeline.changeSet.service,
-		results.pipeline.changeSet.resolver,
 		results.app,
-		results.executor.changeSet,
-		results.workflow.changeSet,
 		results.secretManager.vaultChangeSet,
 		results.secretManager.secretChangeSet
 	]);
-	logger.log(formatPlanSummary(summary));
+	summary.create += nonGrouped.create;
+	summary.update += nonGrouped.update;
+	summary.delete += nonGrouped.delete;
+	summary.replace += nonGrouped.replace;
+	return summary;
 }
 /**
 * Apply the configured application to the Tailor platform.
@@ -7866,7 +8319,7 @@ async function apply(options) {
 		const { config, application, workflowBuildResult, bundledScripts, buildOnly } = await withSpan("build", async () => {
 			const { config, plugins } = await withSpan("build.loadConfig", () => loadConfig(options?.configPath));
 			const dryRun = options?.dryRun ?? false;
-			const buildOnly = options?.buildOnly ?? process.env.TAILOR_PLATFORM_SDK_BUILD_ONLY === "true";
+			const buildOnly = options?.buildOnly ?? parseBoolean(process.env.TAILOR_PLATFORM_SDK_BUILD_ONLY) === true;
 			const noCache = options?.noCache ?? false;
 			const packageJson = await readPackageJson();
 			const cacheDir = path.resolve(getDistDir(), "cache");
@@ -7943,7 +8396,7 @@ async function apply(options) {
 				forceApplyAll
 			};
 			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, functionEntries));
-			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.map((entry) => entry.name).filter((name) => name.startsWith("workflow--")).map((name) => name.slice(10)));
+			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.filter((entry) => entry.name.startsWith(WORKFLOW_PREFIX)).map((entry) => entry.name.slice(WORKFLOW_PREFIX.length)));
 			const [tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
 				withSpan("plan.staticWebsite", () => planStaticWebsite(ctx)),
@@ -8038,7 +8491,7 @@ async function apply(options) {
 				}
 			});
 		});
-		printPlanSummary({
+		printPlanResults({
 			functionRegistry,
 			tailorDB,
 			staticWebsite,
@@ -9043,9 +9496,11 @@ const startCommand = defineAppCommand({
 	args: z.object({
 		...deploymentArgs,
 		...nameArgs,
-		machineuser: arg(z.string(), {
+		"machine-user": arg(z.string(), {
 			alias: "m",
-			description: "Machine user name"
+			hiddenAlias: "machineuser",
+			description: "Machine user name",
+			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
 		arg: arg(z.string().optional(), {
 			alias: "a",
@@ -9056,7 +9511,7 @@ const startCommand = defineAppCommand({
 	run: async (args) => {
 		const { executionId, wait } = await startWorkflowByName({
 			name: args.name,
-			machineUser: args.machineuser,
+			machineUser: args["machine-user"],
 			arg: args.arg,
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -11436,6 +11891,30 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	const workflow = await planWorkflow(client, workspaceId, application.name, {}, {});
 	const functionRegistry = await planFunctionRegistry(client, workspaceId, application.name, []);
 	const secretManager = await planSecretManager(ctx);
+	functionRegistry.changeSet.print();
+	staticWebsite.changeSet.print();
+	app.print();
+	tailorDB.changeSet.service.print();
+	tailorDB.changeSet.type.print();
+	tailorDB.changeSet.gqlPermission.print();
+	pipeline.changeSet.service.print();
+	pipeline.changeSet.resolver.print();
+	executor.changeSet.print();
+	workflow.changeSet.print();
+	idp.changeSet.service.print();
+	idp.changeSet.client.print();
+	auth.changeSet.service.print();
+	auth.changeSet.idpConfig.print();
+	auth.changeSet.userProfileConfig.print();
+	auth.changeSet.tenantConfig.print();
+	auth.changeSet.machineUser.print();
+	auth.changeSet.oauth2Client.print();
+	auth.changeSet.authHook.print();
+	auth.changeSet.scim.print();
+	auth.changeSet.scimResource.print();
+	auth.changeSet.connection?.print();
+	secretManager.vaultChangeSet.print();
+	secretManager.secretChangeSet.print();
 	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
 	if (confirm) await confirm();
 	await applyWorkflow(client, workflow, "delete");
@@ -12133,7 +12612,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-BB5TqXWY.mjs");
+	const { defineApplication } = await import("./application-C1ipG5Q6.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -13447,44 +13926,6 @@ async function bundleQueryScript(engine) {
 	})).output[0].code;
 }
 
-//#endregion
-//#region src/cli/shared/errors.ts
-/**
-* Format CLI error for output
-* @param error - CLIError instance to format
-* @returns Formatted error message
-*/
-function formatError(error) {
-	const parts = [chalk.red(`Error${error.code ? ` [${error.code}]` : ""}: ${error.message}`)];
-	if (error.details) parts.push(`\n  ${chalk.gray("Details:")} ${error.details}`);
-	if (error.suggestion) parts.push(`\n  ${chalk.cyan("Suggestion:")} ${error.suggestion}`);
-	if (error.command) parts.push(`\n  ${chalk.gray("Help:")} Run \`tailor-sdk ${error.command} --help\` for usage information.`);
-	return parts.join("");
-}
-/**
-* Create a CLI error with formatted output
-* @param options - Options to construct a CLIError
-* @returns Constructed CLIError instance
-*/
-function createCLIError(options) {
-	const error = new Error(options.message);
-	error.name = "CLIError";
-	error.code = options.code;
-	error.details = options.details;
-	error.suggestion = options.suggestion;
-	error.command = options.command;
-	error.format = () => formatError(error);
-	return error;
-}
-/**
-* Type guard to check if an error is a CLIError
-* @param error - Error to check
-* @returns True if the error is a CLIError
-*/
-function isCLIError(error) {
-	return error instanceof Error && error.name === "CLIError";
-}
-
 //#endregion
 //#region src/cli/query/errors.ts
 function toErrorMessage(error) {
@@ -14173,9 +14614,11 @@ const queryCommand = defineAppCommand({
 			description: "Read query string from file; omit to start REPL mode"
 		}),
 		edit: arg(z.boolean().default(false), { description: "Open a temporary file in your editor; omit to start REPL mode" }),
-		machineuser: arg(z.string(), {
+		"machine-user": arg(z.string(), {
 			alias: "m",
-			description: "Machine user name for query execution"
+			hiddenAlias: "machineuser",
+			description: "Machine user name for query execution",
+			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		})
 	}).superRefine((args, ctx) => {
 		if (args.query != null && args.file != null) ctx.addIssue({
@@ -14206,7 +14649,7 @@ const queryCommand = defineAppCommand({
 			profile: args.profile,
 			configPath: args.config,
 			engine: args.engine,
-			machineUser: args.machineuser
+			machineUser: args["machine-user"]
 		};
 		if (mode.mode === "abort") {
 			logger.info("Editor closed without a query. Nothing was executed.");
@@ -14335,5 +14778,5 @@ function isDeno() {
 }
 
 //#endregion
-export { getFolder as $, getNextMigrationNumber as $t, listWorkflows as A, functionExecutionStatusToString as At, updateCommand$1 as B, DB_TYPES_FILE_NAME as Bt, listApps as C, startCommand as Ct, resumeCommand as D, executionsCommand as Dt, healthCommand as E, getWorkflow as Et, show as F, executeScript as Ft, listOrganizations as G, compareLocalTypesWithSnapshot as Gt, organizationTree as H, INITIAL_SCHEMA_NUMBER as Ht, showCommand as I, waitForExecution$1 as It, updateCommand$2 as J, formatMigrationNumber as Jt, getCommand$1 as K, compareSnapshots as Kt, logBetaWarning as L, MIGRATION_LABEL_KEY as Lt, truncateCommand as M, getCommand$5 as Mt, generate as N, getExecutor as Nt, resumeWorkflow as O, getWorkflowExecution as Ot, generateCommand as P, apply as Pt, getCommand$2 as Q, getMigrationFiles as Qt, remove as R, parseMigrationLabelNumber as Rt, createWorkspace as S, watchExecutorJob as St, getAppHealth as T, getCommand$4 as Tt, treeCommand as U, MIGRATE_FILE_NAME as Ut, updateOrganization as V, DIFF_FILE_NAME as Vt, listCommand$4 as W, SCHEMA_FILE_NAME as Wt, listCommand$5 as X, getMigrationDirPath as Xt, updateFolder as Y, getLatestMigrationNumber as Yt, listFolders as Z, getMigrationFilePath as Zt, getCommand as _, isVerbose as _n, listCommand$8 as _t, updateCommand as a, hasChanges as an, listOAuth2Clients as at, deleteWorkspace as b, jobsCommand as bt, removeUser as c, sdkNameLabelKey as cn, getMachineUserToken as ct, inviteCommand as d, apiCall as dn, listMachineUsers as dt, isValidMigrationNumber as en, deleteCommand$1 as et, inviteUser as f, apiCommand as fn, generate$1 as ft, listWorkspaces as g, deploymentArgs as gn, triggerExecutor as gt, listCommand$1 as h, confirmationArgs as hn, triggerCommand as ht, isCLIError as i, formatMigrationDiff as in, listCommand$6 as it, truncate as j, formatKeyValueTable as jt, listCommand$3 as k, listWorkflowExecutions as kt, listCommand as l, trnPrefix as ln, tokenCommand as lt, restoreWorkspace as m, commonArgs as mn, webhookCommand as mt, query as n, reconstructSnapshotFromMigrations as nn, createCommand$1 as nt, updateUser as o, getNamespacesWithMigrations as on, getCommand$3 as ot, restoreCommand as p, defineAppCommand as pn, listWebhookExecutors as pt, getOrganization as q, createSnapshotFromLocalTypes as qt, queryCommand as r, formatDiffSummary as rn, createFolder as rt, removeCommand as s, prompt as sn, getOAuth2Client as st, isNativeTypeScriptRuntime as t, loadDiff as tn, deleteFolder as tt, listUsers as u, generateUserTypes as un, listCommand$7 as ut, getWorkspace as v, workspaceArgs as vn, listExecutors as vt, listCommand$2 as w, startWorkflow as wt, createCommand as x, listExecutorJobs as xt, deleteCommand as y, getExecutorJob as yt, removeCommand$1 as z, bundleMigrationScript as zt };
-//# sourceMappingURL=runtime-C7RRDaB3.mjs.map
+export { deleteCommand$1 as $, isValidMigrationNumber as $t, truncate as A, formatKeyValueTable as At, updateOrganization as B, DIFF_FILE_NAME as Bt, listCommand$2 as C, startWorkflow as Ct, resumeWorkflow as D, getWorkflowExecution as Dt, resumeCommand as E, executionsCommand as Et, showCommand as F, waitForExecution$1 as Ft, getCommand$1 as G, compareSnapshots as Gt, treeCommand as H, MIGRATE_FILE_NAME as Ht, logBetaWarning as I, MIGRATION_LABEL_KEY as It, updateFolder as J, getLatestMigrationNumber as Jt, getOrganization as K, createSnapshotFromLocalTypes as Kt, remove as L, parseMigrationLabelNumber as Lt, generate as M, getExecutor as Mt, generateCommand as N, apply as Nt, listCommand$3 as O, listWorkflowExecutions as Ot, show as P, executeScript as Pt, getFolder as Q, getNextMigrationNumber as Qt, removeCommand$1 as R, bundleMigrationScript as Rt, listApps as S, startCommand as St, healthCommand as T, getWorkflow as Tt, listCommand$4 as U, SCHEMA_FILE_NAME as Ut, organizationTree as V, INITIAL_SCHEMA_NUMBER as Vt, listOrganizations as W, compareLocalTypesWithSnapshot as Wt, listFolders as X, getMigrationFilePath as Xt, listCommand$5 as Y, getMigrationDirPath as Yt, getCommand$2 as Z, getMigrationFiles as Zt, getWorkspace as _, workspaceArgs as _n, listExecutors as _t, updateUser as a, getNamespacesWithMigrations as an, getCommand$3 as at, createCommand as b, listExecutorJobs as bt, listCommand as c, trnPrefix as cn, tokenCommand as ct, inviteUser as d, apiCommand as dn, generate$1 as dt, loadDiff as en, deleteFolder as et, restoreCommand as f, defineAppCommand as fn, listWebhookExecutors as ft, getCommand as g, isVerbose as gn, listCommand$8 as gt, listWorkspaces as h, deploymentArgs as hn, triggerExecutor as ht, updateCommand as i, hasChanges as in, listOAuth2Clients as it, truncateCommand as j, getCommand$5 as jt, listWorkflows as k, functionExecutionStatusToString as kt, listUsers as l, generateUserTypes as ln, listCommand$7 as lt, listCommand$1 as m, confirmationArgs as mn, triggerCommand as mt, query as n, formatDiffSummary as nn, createFolder as nt, removeCommand as o, prompt as on, getOAuth2Client as ot, restoreWorkspace as p, commonArgs as pn, webhookCommand as pt, updateCommand$2 as q, formatMigrationNumber as qt, queryCommand as r, formatMigrationDiff as rn, listCommand$6 as rt, removeUser as s, sdkNameLabelKey as sn, getMachineUserToken as st, isNativeTypeScriptRuntime as t, reconstructSnapshotFromMigrations as tn, createCommand$1 as tt, inviteCommand as u, apiCall as un, listMachineUsers as ut, deleteCommand as v, getExecutorJob as vt, getAppHealth as w, getCommand$4 as wt, createWorkspace as x, watchExecutorJob as xt, deleteWorkspace as y, jobsCommand as yt, updateCommand$1 as z, DB_TYPES_FILE_NAME as zt };
+//# sourceMappingURL=runtime-ChpwtPut.mjs.map