npm - @tailor-platform/sdk - Versions diffs - 1.40.0 → 1.40.1 - Mend

@tailor-platform/sdk 1.40.0 → 1.40.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/docs/services/idp.md CHANGED Viewed

@@ -26,14 +26,26 @@ Configure the Built-in IdP using `defineIdp()`:
 import { defineIdp, defineConfig } from "@tailor-platform/sdk";
 const idp = defineIdp("my-idp", {
-  authorization: "loggedIn",
   clients: ["my-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    update: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: false }],
+  },
 });
 // You can define multiple IdPs
 const anotherIdp = defineIdp("another-idp", {
-  authorization: "loggedIn",
   clients: ["another-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    update: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: false }],
+  },
 });
 export default defineConfig({
@@ -43,30 +55,60 @@ export default defineConfig({
 ## Options
-### authorization (optional)
+### permission
-User management permissions. Controls who can manage users in the IdP. This field can be omitted when using `permission` for access control.
+Per-operation permission policies for IdP user management. Controls who can create, read, update, delete users, and send password reset emails.
 ```typescript
 defineIdp("my-idp", {
-  authorization: "loggedIn", // Only logged-in users can manage
+  clients: ["my-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    update: [
+      {
+        conditions: [
+          [{ user: "role" }, "=", "ADMIN"],
+          [{ newIdpUser: "name" }, "!=", { oldIdpUser: "name" }],
+        ],
+        permit: true,
+      },
+    ],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: false }],
+  },
 });
+```
-defineIdp("my-idp", {
-  authorization: "insecure", // Anyone can manage (development only)
-});
+**Operations:**
+- `create` - Controls who can create IdP users
+- `read` - Controls who can read IdP users
+- `update` - Controls who can update IdP users
+- `delete` - Controls who can delete IdP users
+- `sendPasswordResetEmail` - Controls who can send password reset emails. The examples above disable this operation; to enable it, use a permission such as `[{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }]`.
+**Operands:**
+- `{ user: "field" }` - Authenticated user's attribute. Built-in fields: `"id"` (user ID), `"_loggedIn"` (boolean, whether the user is authenticated). User-defined attributes (e.g., `"role"`) are also available when configured via `userProfile.attributes` or `machineUserAttributes` in `defineAuth()`
+- `{ idpUser: "field" }` - IdP user field (for create/read/delete). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ oldIdpUser: "field" }` - Previous IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- `{ newIdpUser: "field" }` - New IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
+- Literal values: `string`, `boolean`, `string[]`, `boolean[]`
+**Operators:** `"="`, `"!="`, `"in"`, `"not in"`
+**Helper:** `unsafeAllowAllIdPPermission` grants full access without conditions. Intended only for development and testing.
+```typescript
+import { unsafeAllowAllIdPPermission } from "@tailor-platform/sdk";
 defineIdp("my-idp", {
-  authorization: { cel: "user.role == 'admin'" }, // CEL expression
+  clients: ["my-client"],
+  permission: unsafeAllowAllIdPPermission,
 });
 ```
-**Values:**
-- `"insecure"` - No authentication required (use only for development)
-- `"loggedIn"` - Requires authenticated user
-- `{ cel: "<expression>" }` - Custom authorization logic using CEL
 ### clients
 OAuth client names that can use this IdP:
@@ -77,77 +119,50 @@ defineIdp("my-idp", {
 });
 ```
-### emailConfig
+### authorization (optional, legacy)
-Namespace-level email configuration defaults. Per-request values take priority over these defaults.
+Legacy access control field. Use `permission` instead for fine-grained per-operation control. This field is kept for backward compatibility.
 ```typescript
 defineIdp("my-idp", {
-  authorization: "loggedIn",
-  clients: ["my-client"],
-  emailConfig: {
-    fromName: "My App",
-    passwordResetSubject: "Reset your password",
-  },
+  clients: ["default-client"],
+  authorization: "loggedIn", // Only logged-in users can manage
 });
 ```
-**Fields:**
-- `fromName` - Default sender display name for emails. Empty means use mailer default.
-- `passwordResetSubject` - Default subject for password reset emails. Empty means use localized default.
+**Values:**
-**Validation:** Each field must be 200 characters or less and must not contain newline characters.
+- `"insecure"` - No authentication required (use only for development)
+- `"loggedIn"` - Requires authenticated user
+- `{ cel: "<expression>" }` - Custom authorization logic using CEL
-### permission
+### emailConfig
-Per-operation permission policies for IdP user management. Controls who can create, read, update, delete users, and send password reset emails.
+Namespace-level email configuration defaults. Per-request values take priority over these defaults.
 ```typescript
 defineIdp("my-idp", {
-  authorization: "loggedIn",
   clients: ["my-client"],
   permission: {
     create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
-    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
-    update: [
-      { conditions: [[{ newIdpUser: "name" }, "!=", { oldIdpUser: "name" }]], permit: true },
-    ],
+    read: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    update: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
     delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
-    sendPasswordResetEmail: [{ conditions: [], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: false }],
+  },
+  emailConfig: {
+    fromName: "My App",
+    passwordResetSubject: "Reset your password",
   },
 });
 ```
-**Operations:**
-- `create` - Controls who can create IdP users
-- `read` - Controls who can read IdP users
-- `update` - Controls who can update IdP users
-- `delete` - Controls who can delete IdP users
-- `sendPasswordResetEmail` - Controls who can send password reset emails
-**Operands:**
-- `{ user: "field" }` - Authenticated user's attribute
-- `{ idpUser: "field" }` - IdP user field (for create/read/delete). Allowed values: `"id"`, `"name"`, `"disabled"`
-- `{ oldIdpUser: "field" }` - Previous IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
-- `{ newIdpUser: "field" }` - New IdP user field value (for update only). Allowed values: `"id"`, `"name"`, `"disabled"`
-- Literal values: `string`, `boolean`, `string[]`, `boolean[]`
-**Operators:** `"="`, `"!="`, `"in"`, `"not in"`
-**Helper:** `unsafeAllowAllIdPPermission` grants full access without conditions. Intended only for development and testing.
+**Fields:**
-```typescript
-import { unsafeAllowAllIdPPermission } from "@tailor-platform/sdk";
+- `fromName` - Default sender display name for emails. Empty means use mailer default.
+- `passwordResetSubject` - Default subject for password reset emails. Empty means use localized default.
-defineIdp("my-idp", {
-  authorization: "loggedIn",
-  clients: ["my-client"],
-  permission: unsafeAllowAllIdPPermission,
-});
-```
+**Validation:** Each field must be 200 characters or less and must not contain newline characters.
 ## Using idp.provider()
@@ -158,8 +173,14 @@ import { defineIdp, defineAuth, defineConfig } from "@tailor-platform/sdk";
 import { user } from "./tailordb/user";
 const idp = defineIdp("my-idp", {
-  authorization: "loggedIn",
   clients: ["default-client", "mobile-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    update: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [], permit: false }],
+  },
 });
 const auth = defineAuth("my-auth", {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.40.0",
+  "version": "1.40.1",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -87,16 +87,16 @@
     "@liam-hq/cli": "0.7.24",
     "@napi-rs/keyring": "1.2.0",
     "@opentelemetry/api": "1.9.1",
-    "@opentelemetry/exporter-trace-otlp-proto": "0.214.0",
-    "@opentelemetry/resources": "2.6.1",
-    "@opentelemetry/sdk-trace-node": "2.6.1",
+    "@opentelemetry/exporter-trace-otlp-proto": "0.215.0",
+    "@opentelemetry/resources": "2.7.0",
+    "@opentelemetry/sdk-trace-node": "2.7.0",
     "@opentelemetry/semantic-conventions": "1.40.0",
     "@oxc-project/types": "0.126.0",
     "@standard-schema/spec": "1.1.0",
     "@tailor-platform/function-kysely-tailordb": "0.1.3",
     "@tailor-platform/function-types": "0.8.4",
     "@toiroakr/lines-db": "0.9.1",
-    "@toiroakr/read-multiline": "0.3.0",
+    "@toiroakr/read-multiline": "0.3.1",
     "@urql/core": "6.0.1",
     "chalk": "5.6.2",
     "chokidar": "5.0.0",
@@ -119,7 +119,7 @@
     "pgsql-ast-parser": "12.0.2",
     "pkg-types": "2.3.0",
     "politty": "0.4.14",
-    "rolldown": "1.0.0-rc.15",
+    "rolldown": "1.0.0-rc.16",
     "semver": "7.7.4",
     "serve": "14.2.6",
     "sql-highlight": "6.1.0",
@@ -133,7 +133,7 @@
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "@opentelemetry/sdk-trace-base": "2.6.1",
+    "@opentelemetry/sdk-trace-base": "2.7.0",
     "@types/madge": "5.0.3",
     "@types/mime-types": "3.0.1",
     "@types/node": "24.12.2",
@@ -147,7 +147,7 @@
     "oxlint": "1.60.0",
     "oxlint-tsgolint": "0.20.0",
     "sonda": "0.11.1",
-    "tsdown": "0.21.8",
+    "tsdown": "0.21.9",
     "typescript": "5.9.3",
     "typescript-eslint": "8.58.2",
     "vitest": "4.1.4",

package/dist/application-CEeKm4R-.mjs DELETED Viewed

@@ -1,4 +0,0 @@
-import { n as generatePluginFilesIfNeeded, r as loadApplication, t as defineApplication } from "./application-C_LFXkKJ.mjs";
-export { defineApplication };