@tailor-platform/sdk 1.40.0 → 1.43.0

package/CHANGELOG.md

@@ -1,5 +1,63 @@
 # @tailor-platform/sdk
 
+## 1.43.0
+
+### Minor Changes
+
+- [#1062](https://github.com/tailor-platform/sdk/pull/1062) [`7c39665`](https://github.com/tailor-platform/sdk/commit/7c39665bc3364d3bc644c5277f3f9f51926fc2b2) Thanks [@dqn](https://github.com/dqn)! - Auto-enable `publishUserEvents` on IdP services when the project defines executors with `idpUser` triggers (`idpUserCreatedTrigger`, `idpUserUpdatedTrigger`, `idpUserDeletedTrigger`, or `idpUserTrigger`). Previously, omitting `publishUserEvents` defaulted to `false`, silently preventing those executors from firing. The SDK now auto-configures `publishUserEvents: true` for every IdP in the project when any executor uses an `idpUser` trigger, and warns if an IdP explicitly sets `publishUserEvents: false` while such executors are present. Set `publishUserEvents: false` explicitly to opt out.
+
+### Patch Changes
+
+- [#1060](https://github.com/tailor-platform/sdk/pull/1060) [`4ffec9f`](https://github.com/tailor-platform/sdk/commit/4ffec9f86766dc1199ccef31223697c786c3f388) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update oxc
+
+## 1.42.0
+
+### Minor Changes
+
+- [#1046](https://github.com/tailor-platform/sdk/pull/1046) [`9f99c0d`](https://github.com/tailor-platform/sdk/commit/9f99c0d284a5f227acafbb41db6db0bf7293c496) Thanks [@remiposo](https://github.com/remiposo)! - Expose `invoker` on resolver/executor/workflow body contexts. The SDK now calls `tailor.context.getInvoker()` inside bundled wrappers and passes the result to user code as `context.invoker` / `args.invoker`. This reflects `authInvoker` delegation (machine user when specified) and is `null` for anonymous callers.
+
+## 1.41.0
+
+### Minor Changes
+
+- [#514](https://github.com/tailor-platform/sdk/pull/514) [`3047d45`](https://github.com/tailor-platform/sdk/commit/3047d45fd8daa38616ecaad20d5c04cf75d23931) Thanks [@r253hmdryou](https://github.com/r253hmdryou)! - Add `function get` and `function list` CLI commands for querying function registries in a workspace
+
+- [#987](https://github.com/tailor-platform/sdk/pull/987) [`35b2090`](https://github.com/tailor-platform/sdk/commit/35b2090b0009d26ebcbb69c76540791b2f39924e) Thanks [@toiroakr](https://github.com/toiroakr)! - Add wait/resolve support for human-in-the-loop workflows via `defineWaitPoint()` and `defineWaitPoints()` with typed `.wait()` and `.resolve()` methods.
+
+  Tighten `createWorkflowJob` I/O types: both `Input` and `Output` must now be JsonValue-compatible (plain objects/arrays; no class instances or functions). `Output` previously accepted `Jsonifiable` with a `Jsonify<Output>` return transform on `.trigger()`, but the platform runtime rejects non-plain objects, so the old types did not match actual runtime behavior.
+
+  Reject top-level `null` in `createWorkflowJob` `Input` and in wait-point `Payload`: the platform normalizes top-level `null`/`undefined` args to `{}`, so declaring a top-level nullable type would cause the body/callback to receive `{}` at runtime, mismatching the declared type. Nested `null` inside objects or arrays is preserved by JSON serialization and remains allowed.
+
+### Patch Changes
+
+- [#1050](https://github.com/tailor-platform/sdk/pull/1050) [`9232660`](https://github.com/tailor-platform/sdk/commit/92326608640e473138712ac00adc29369980c604) Thanks [@toiroakr](https://github.com/toiroakr)! - Address Dependabot noise for the valibot ReDoS advisory (GHSA-vqpr-j7v3-hqw9): bump `@toiroakr/lines-db` to 0.9.2 and document the remaining transitive `@liam-hq/cli → valibot@1.1.0` report in the SDK README, including an override snippet for consumers who want to silence it.
+
+- [#1030](https://github.com/tailor-platform/sdk/pull/1030) [`fc4cc7c`](https://github.com/tailor-platform/sdk/commit/fc4cc7cc4430c545c50eb8bb4b406023c91d8290) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency politty to v0.4.14
+
+- [#1041](https://github.com/tailor-platform/sdk/pull/1041) [`0858d64`](https://github.com/tailor-platform/sdk/commit/0858d64b3a03a3a9d994ebe5cd18a803b9780cac) Thanks [@renovate](https://github.com/apps/renovate)! - chore(deps): update pnpm/action-setup action to v6.0.3
+
+- [#1044](https://github.com/tailor-platform/sdk/pull/1044) [`04c1fea`](https://github.com/tailor-platform/sdk/commit/04c1fea62a0eb70c24609cdf9bccf0a012d71875) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency std-env to v4.1.0
+
+- [#1045](https://github.com/tailor-platform/sdk/pull/1045) [`09fce15`](https://github.com/tailor-platform/sdk/commit/09fce1500cc24bcf6089248030168817598f47bd) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency type-fest to v5.6.0
+
+- [#1051](https://github.com/tailor-platform/sdk/pull/1051) [`f7e1d34`](https://github.com/tailor-platform/sdk/commit/f7e1d340ecac5ea37c3c5ab33bd3d4a536274817) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update @inquirer
+
+- [#1052](https://github.com/tailor-platform/sdk/pull/1052) [`7e75310`](https://github.com/tailor-platform/sdk/commit/7e7531040b3ceac90e25f633d71f502ac1ac3239) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency @toiroakr/read-multiline to v0.3.2
+
+## 1.40.1
+
+### Patch Changes
+
+- [#1026](https://github.com/tailor-platform/sdk/pull/1026) [`7f89969`](https://github.com/tailor-platform/sdk/commit/7f899699ad0386dd0b89b5660d7f49efe07f8647) Thanks [@toiroakr](https://github.com/toiroakr)! - Fix `apply` plan for IdP services when `permission` is omitted. The platform returns an empty `IdPPermission` (all action arrays empty) for services without configured permission policies, while the SDK sent `undefined`. The diff logic now normalizes an all-empty permission message to `undefined` so repeated applies are idempotent instead of always reporting the service as updated.
+
+- [#1025](https://github.com/tailor-platform/sdk/pull/1025) [`af5262a`](https://github.com/tailor-platform/sdk/commit/af5262a14a31aa721c5b41b26425d938abb6485e) Thanks [@k1LoW](https://github.com/k1LoW)! - Update IdP documentation to promote `permission`-based access control as the primary pattern over legacy `authorization`
+
+- [#1029](https://github.com/tailor-platform/sdk/pull/1029) [`825bf86`](https://github.com/tailor-platform/sdk/commit/825bf86d5df0ab98665989bf7ff59d5db0597a94) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency @toiroakr/read-multiline to v0.3.1
+
+- [#1031](https://github.com/tailor-platform/sdk/pull/1031) [`2e5f589`](https://github.com/tailor-platform/sdk/commit/2e5f589e50937e091f244cd1632ee7252a560394) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update rolldown
+
+- [#1038](https://github.com/tailor-platform/sdk/pull/1038) [`d29b58a`](https://github.com/tailor-platform/sdk/commit/d29b58a27082fb52559548365c6ff75ee1e79122) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update @opentelemetry
+
 ## 1.40.0
 
 ### Minor Changes

package/README.md

@@ -96,3 +96,26 @@ See [Create Tailor Platform SDK](https://github.com/tailor-platform/sdk/tree/mai
 
 - Node.js 22 or later (or Bun)
 - A Tailor Platform account ([request access](https://www.tailor.tech/demo))
+
+## Dependabot Noise
+
+Installing `@tailor-platform/sdk` pulls in a few transitive advisories that are **not exploitable in practice**. They are listed here so you can triage reports from `npm audit` / `pnpm audit` / Dependabot without diffing our lockfile.
+
+### valibot ReDoS ([GHSA-vqpr-j7v3-hqw9](https://github.com/advisories/GHSA-vqpr-j7v3-hqw9))
+
+- **Why it shows up**: `@liam-hq/cli@0.7.24` pins `valibot@1.1.0`, which falls in the vulnerable range (`< 1.2.0`).
+- **Why it's safe here**: `@liam-hq/cli` is invoked only by `tailor-sdk tailordb erd export` as a child process, against developer-controlled schema files. The vulnerable code path (`v.emoji()` on attacker-controlled strings) is never reached.
+- **If you want to silence it**: add an override to your project so `valibot` resolves to `>=1.2.0`. `@toiroakr/lines-db` declares `valibot` as an optional peer with range `>=1.0.0`, so forcing `1.2.0+` is safe.
+
+  ```jsonc
+  // pnpm (package.json)
+  "pnpm": { "overrides": { "valibot": ">=1.2.0" } }
+
+  // npm (package.json)
+  "overrides": { "valibot": ">=1.2.0" }
+
+  // yarn (package.json)
+  "resolutions": { "valibot": ">=1.2.0" }
+  ```
+
+  This fix has to live in your project's `package.json` — overrides in a published package do not propagate to consumers.

package/dist/{actor-B2oEmlTc.d.mts → actor-DzCuoMlP.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { Bt as InferredAttributeMap, zt as InferredAttributeList } from "./tailor-db-field-CoFKRCYW.mjs";
+import { Bt as InferredAttributeMap, zt as InferredAttributeList } from "./tailor-db-field-D_z185oq.mjs";
 
 //#region src/types/env.d.ts
 interface Env {}
@@ -27,4 +27,4 @@ type TailorActor = {
 };
 //#endregion
 export { Env as n, TailorEnv as r, TailorActor as t };
-//# sourceMappingURL=actor-B2oEmlTc.d.mts.map
+//# sourceMappingURL=actor-DzCuoMlP.d.mts.map

package/dist/{application-C_LFXkKJ.mjs → application-DQpD_kHR.mjs}

@@ -1,5 +1,5 @@
 
-import { u as initOAuth2Client } from "./client-DjGFRjH4.mjs";
+import { u as initOAuth2Client } from "./client-CcV6Jjds.mjs";
 import { n as isSdkBranded } from "./brand-Ll48SMXe.mjs";
 import { a as parseBoolean, n as logger, r as styles } from "./logger-DTNAMYGy.mjs";
 import { t as readPackageJson } from "./package-json-CWp8s9dE.mjs";
@@ -1798,8 +1798,9 @@ function detectExtendedTriggerCalls(program, sourceText, workflowNames, jobNames
 			const callee = callExpr.callee;
 			if (callee.type === "MemberExpression") {
 				const memberExpr = callee;
-				if (!memberExpr.computed && memberExpr.object.type === "Identifier" && memberExpr.property.name === "trigger") {
-					const identifierName = memberExpr.object.name;
+				const identifierName = !memberExpr.computed && memberExpr.object.type === "Identifier" ? memberExpr.object.name : null;
+				const propertyName = !memberExpr.computed ? memberExpr.property.name : null;
+				if (identifierName && propertyName === "trigger") {
 					const isWorkflow = workflowNames.has(identifierName);
 					const isJob = jobNames.has(identifierName);
 					if (!isWorkflow && !isJob) return;
@@ -1853,7 +1854,7 @@ function detectExtendedTriggerCalls(program, sourceText, workflowNames, jobNames
 }
 /**
 * Transform trigger calls for resolver/executor/workflow functions
-* Handles both job.trigger() and workflow.trigger() calls
+* Handles job.trigger() and workflow.trigger() calls
 * @param source - The source code to transform
 * @param workflowNameMap - Map from variable name to workflow name
 * @param jobNameMap - Map from variable name to job name
@@ -3592,6 +3593,79 @@ function createAuthService(config, tailorDBServices, externalTailorDBNamespaces)
 	};
 }
 
+//#endregion
+//#region src/cli/shared/runtime-exprs.ts
+/**
+* JS expressions that shape the inputs passed to user-authored code.
+*
+* Two delivery paths:
+* - Apply config: shipped with apply and evaluated by the platform before
+*   invoking user code.
+* - Bundle inline: interpolated into the generated `.entry.js` wrapper and
+*   evaluated inside the bundled script at function entry.
+*
+* The user field mapping (server → SDK) shared across services is defined in
+* `@/parser/service/tailordb` as `tailorUserMap`.
+*/
+/**
+* `invoker` value expression, inlined into bundler entry wrappers.
+*
+* Calls `tailor.context.getInvoker()` at function entry and maps the server
+* shape to TailorInvoker. Anonymous callers (`null`) pass through as `null`.
+*/
+const INVOKER_EXPR = `(($raw) => $raw ? ({
+  id: $raw.id,
+  type: $raw.type,
+  workspaceId: $raw.workspaceId,
+  attributes: $raw.attributeMap,
+  attributeList: $raw.attributes,
+}) : null)(tailor.context.getInvoker())`;
+/**
+* Actor field transformation expression.
+*
+* Transforms the server's actor object to match the SDK's TailorActor type:
+*   server `attributeMap`  → SDK `attributes`
+*   server `attributes`    → SDK `attributeList`
+*   other fields           → passed through
+*   null/undefined actor   → null
+*/
+const ACTOR_TRANSFORM_EXPR = "actor: args.actor ? (({ attributeMap, attributes: attrList, ...rest }) => ({ ...rest, attributes: attributeMap, attributeList: attrList }))(args.actor) : null";
+/**
+* Build the JavaScript expression that transforms server-format executor event
+* args into SDK-format args at runtime.
+*
+* The Tailor Platform server delivers event args with server-side field names.
+* The SDK exposes different field names to user code. This function produces a
+* JavaScript expression string that performs the mapping when evaluated
+* server-side.
+* @param triggerKind - The trigger kind discriminant from the parsed executor
+* @param env - Application env record to embed in the expression
+* @returns A JavaScript expression string, e.g. `({ ...args, ... })`
+*/
+function buildExecutorArgsExpr(triggerKind, env) {
+	const envExpr = `env: ${JSON.stringify(env)}`;
+	switch (triggerKind) {
+		case "schedule": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
+		case "resolverExecuted": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, success: !!args.succeeded, result: args.succeeded?.result.resolver, error: args.failed?.error, ${envExpr} })`;
+		case "incomingWebhook": return `({ ...args, appNamespace: args.namespaceName, rawBody: args.raw_body, ${envExpr} })`;
+		default: return `({ ...args, event: args.eventType?.split(".").pop(), rawEvent: args.eventType, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
+	}
+}
+/**
+* Build the operationHook expression for resolver pipelines.
+*
+* Transforms server context to SDK resolver context:
+*   context.args        → input
+*   context.pipeline     → spread into result
+*   user (global var)    → TailorUser (via tailorUserMap: workspace_id→workspaceId, attribute_map→attributes, attributes→attributeList)
+*   env                 → injected as JSON
+* @param env - Application env record to embed in the expression
+* @returns A JavaScript expression string for the operationHook
+*/
+function buildResolverOperationHookExpr(env) {
+	return `({ ...context.pipeline, input: context.args, user: ${tailorUserMap}, env: ${JSON.stringify(env)} });`;
+}
+
 //#endregion
 //#region src/parser/service/executor/schema.ts
 const TailorDBTriggerSchema = z.object({
@@ -3782,7 +3856,10 @@ async function bundleSingleExecutor(executor, outputDir, tsconfig, triggerContex
 			const entryContent = ml`
         import _internalExecutor from "${path.resolve(executor.sourceFile)}";
 
-        const __executor_function = _internalExecutor.operation.body;
+        const __executor_function = async (args) => {
+          const invoker = ${INVOKER_EXPR};
+          return _internalExecutor.operation.body({ ...args, invoker });
+        };
 
         export { __executor_function as main };
       `;
@@ -3978,6 +4055,7 @@ async function bundleSingleResolver(resolver, outputDir, tsconfig, triggerContex
         import { t } from "@tailor-platform/sdk";
 
         const $tailor_resolver_body = async (context) => {
+          const invoker = ${INVOKER_EXPR};
           if (_internalResolver.input) {
             const result = t.object(_internalResolver.input).parse({
               value: context.input,
@@ -3993,7 +4071,7 @@ async function bundleSingleResolver(resolver, outputDir, tsconfig, triggerContex
             }
           }
 
-          return _internalResolver.body(context);
+          return _internalResolver.body({ ...context, invoker });
         };
 
         export { $tailor_resolver_body as main };
@@ -4370,7 +4448,8 @@ async function bundleSingleJob(job, allJobs, outputDir, tsconfig, env, triggerCo
 
         export async function main(input) {
           const env = ${JSON.stringify(env)};
-          return await ${job.exportName}.body(input, { env });
+          const invoker = ${INVOKER_EXPR};
+          return await ${job.exportName}.body(input, { env, invoker });
         }
       `;
 			fs$1.writeFileSync(entryPath, entryContent);
@@ -5087,5 +5166,5 @@ async function loadApplication(params) {
 }
 
 //#endregion
-export { resolveTokens as C, readPlatformConfig as S, writePlatformConfig as T, loadConfig as _, WorkflowJobSchema as a, loadAccessToken as b, ExecutorSchema as c, stringifyFunction as d, tailorUserMap as f, hashFile as g, getDistDir as h, resolveInlineSourcemap as i, OAuth2ClientSchema as l, createBundleCache as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, loadFilesWithIgnores as p, loadApplication as r, createExecutorService as s, defineApplication as t, TailorDBTypeSchema as u, deleteUserTokens as v, saveUserTokens as w, loadWorkspaceId as x, fetchLatestToken as y };
-//# sourceMappingURL=application-C_LFXkKJ.mjs.map
+export { loadWorkspaceId as C, writePlatformConfig as D, saveUserTokens as E, loadAccessToken as S, resolveTokens as T, getDistDir as _, WorkflowJobSchema as a, deleteUserTokens as b, ExecutorSchema as c, buildResolverOperationHookExpr as d, OAuth2ClientSchema as f, createBundleCache as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, INVOKER_EXPR as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, createExecutorService as s, defineApplication as t, buildExecutorArgsExpr as u, hashFile as v, readPlatformConfig as w, fetchLatestToken as x, loadConfig as y };
+//# sourceMappingURL=application-DQpD_kHR.mjs.map