@tailor-platform/sdk 1.40.1 → 1.44.0

package/dist/{runtime-B9R1TzLD.mjs → runtime-l7GFD3Xg.mjs}

@@ -1,34 +1,34 @@
 
-import { $ as ApplicationSchemaUpdateAttemptStatus, A as FunctionExecution_Status, B as AuthOAuth2Client_GrantType, C as TailorDBType_Permission_Operator, D as IdPLang, E as PipelineResolver_OperationType, F as AuthConnection_Type, H as AuthSCIMAttribute_Type, I as AuthHookPoint, J as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, K as TenantProviderConfig_TenantProviderType, L as AuthIDPConfig_AuthType, M as ExecutorJobStatus, N as ExecutorTargetType, O as IdPPermissionOperator, P as ExecutorTriggerType, Q as PageDirection, R as AuthInvokerSchema, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Uniqueness, V as AuthSCIMAttribute_Mutability, W as AuthSCIMConfig_AuthorizationType, X as Condition_Operator, Y as ConditionSchema, Z as FilterSchema, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as Subgraph_ServiceType, g as OperatorService, h as userAgent, i as fetchAll, k as IdPPermissionPermit, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as UserProfileProviderConfig_UserProfileProviderType, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthOAuth2Client_ClientType } from "./client-CcV6Jjds.mjs";
-import { t as db } from "./schema-CEcfEyPN.mjs";
+import { $ as FilterSchema, A as FunctionExecution_Status, B as AuthOAuth2Client_GrantType, C as TailorDBType_Permission_Operator, D as IdPLang, E as PipelineResolver_OperationType, F as AuthConnection_Type, H as AuthSCIMAttribute_Type, I as AuthHookPoint, J as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, K as TenantProviderConfig_TenantProviderType, L as AuthIDPConfig_AuthType, M as ExecutorJobStatus, N as ExecutorTargetType, O as IdPPermissionOperator, P as ExecutorTriggerType, Q as Condition_Operator, R as AuthInvokerSchema, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Uniqueness, V as AuthSCIMAttribute_Mutability, W as AuthSCIMConfig_AuthorizationType, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, Z as ConditionSchema, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as PageDirection, g as OperatorService, h as userAgent, i as fetchAll, k as IdPPermissionPermit, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as UserProfileProviderConfig_UserProfileProviderType, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthOAuth2Client_ClientType } from "./client-DQl5NPG9.mjs";
+import { t as db } from "./schema-DBq6hr6h.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DTNAMYGy.mjs";
-import { t as readPackageJson } from "./package-json-CWp8s9dE.mjs";
-import { S as readPlatformConfig, T as writePlatformConfig, _ as loadConfig, b as loadAccessToken, d as stringifyFunction, f as tailorUserMap, g as hashFile, h as getDistDir, l as OAuth2ClientSchema, m as createBundleCache, n as generatePluginFilesIfNeeded, p as loadFilesWithIgnores, r as loadApplication, s as createExecutorService, t as defineApplication, u as TailorDBTypeSchema, x as loadWorkspaceId } from "./application-EvhIIVg0.mjs";
-import { r as withSpan } from "./telemetry-BuDto_2q.mjs";
-import { n as isCLIError, t as createCLIError } from "./errors-ChWX5ZG8.mjs";
+import { C as loadWorkspaceId, D as writePlatformConfig, S as loadAccessToken, _ as getDistDir, d as buildResolverOperationHookExpr, f as OAuth2ClientSchema, g as createBundleCache, h as loadFilesWithIgnores, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as createExecutorService, t as defineApplication, u as buildExecutorArgsExpr, v as hashFile, w as readPlatformConfig, y as loadConfig } from "./application-DkVNbIuh.mjs";
+import { t as readPackageJson } from "./package-json-CRzw5eUf.mjs";
+import { n as isCLIError, t as createCLIError } from "./errors-_M2TVoWh.mjs";
+import { r as withSpan } from "./telemetry-B6Le9XT-.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
-import { ValueSchema, timestampDate } from "@bufbuild/protobuf/wkt";
 import * as fs$1 from "node:fs";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { parseEnv } from "node:util";
+import { ValueSchema, timestampDate } from "@bufbuild/protobuf/wkt";
 import * as path from "pathe";
 import { formatDistanceToNowStrict } from "date-fns";
 import { getBorderCharacters, table } from "table";
-import { Code, ConnectError } from "@connectrpc/connect";
-import * as crypto from "node:crypto";
-import { createHash } from "node:crypto";
 import { pathToFileURL } from "node:url";
-import { resolveTSConfig } from "pkg-types";
 import ml from "multiline-ts";
 import { tmpdir } from "node:os";
 import { findUpSync } from "find-up-simple";
 import { xdgConfig } from "xdg-basedir";
+import { Code, ConnectError } from "@connectrpc/connect";
+import * as crypto from "node:crypto";
+import { createHash } from "node:crypto";
+import { resolveTSConfig } from "pkg-types";
+import { ScalarType, create, fromJson, toJson } from "@bufbuild/protobuf";
 import * as rolldown from "rolldown";
 import * as fs from "node:fs/promises";
 import { glob } from "node:fs/promises";
 import * as inflection from "inflection";
-import { create, fromJson, toJson } from "@bufbuild/protobuf";
 import { ExitPromptError } from "@inquirer/core";
 import { confirm, input, password } from "@inquirer/prompts";
 import { isCI } from "std-env";
@@ -268,7 +268,7 @@ function isVerbose() {
 const defineAppCommand = createDefineCommand();
 
 //#endregion
-//#region src/cli/commands/api.ts
+//#region src/cli/commands/api/api-call.ts
 /**
 * Call Tailor Platform API endpoints directly.
 * If the endpoint doesn't contain "/", it defaults to `tailor.v1.OperatorService/{endpoint}`.
@@ -300,11 +300,195 @@ async function apiCall(options) {
 		data
 	};
 }
-function getEndpointFieldNames(methodName) {
-	const method = OperatorService.methods.find((m) => m.name === methodName);
-	if (!method) return [];
-	return method.input.fields.map((f) => f.jsonName);
+
+//#endregion
+//#region src/cli/commands/api/proto-reflect.ts
+function unaryMethods() {
+	return OperatorService.methods.filter((m) => m.methodKind === "unary");
+}
+function listMethodNames() {
+	return unaryMethods().map((m) => m.name).sort();
+}
+function getMethodDescriptor(methodName) {
+	return unaryMethods().find((m) => m.name === methodName);
 }
+function extractMethodName(endpoint) {
+	if (!endpoint.includes("/")) return endpoint;
+	return endpoint.split("/").pop() ?? endpoint;
+}
+
+//#endregion
+//#region src/cli/commands/api/render.ts
+const SCALAR_LABEL = {
+	[ScalarType.DOUBLE]: "double",
+	[ScalarType.FLOAT]: "float",
+	[ScalarType.INT64]: "int64",
+	[ScalarType.UINT64]: "uint64",
+	[ScalarType.INT32]: "int32",
+	[ScalarType.FIXED64]: "fixed64",
+	[ScalarType.FIXED32]: "fixed32",
+	[ScalarType.BOOL]: "bool",
+	[ScalarType.STRING]: "string",
+	[ScalarType.BYTES]: "bytes",
+	[ScalarType.UINT32]: "uint32",
+	[ScalarType.SFIXED32]: "sfixed32",
+	[ScalarType.SFIXED64]: "sfixed64",
+	[ScalarType.SINT32]: "sint32",
+	[ScalarType.SINT64]: "sint64"
+};
+function shortName(typeName) {
+	const dot = typeName.lastIndexOf(".");
+	return dot < 0 ? typeName : typeName.slice(dot + 1);
+}
+function scalarLabel(scalar) {
+	return SCALAR_LABEL[scalar] ?? `scalar(${scalar})`;
+}
+function enumLabel(enumDesc) {
+	return `enum ${shortName(enumDesc.typeName)}`;
+}
+function enumOf(field) {
+	if (field.fieldKind === "enum") return field.enum;
+	if (field.fieldKind === "list" && field.listKind === "enum") return field.enum;
+}
+function describeFieldType(field) {
+	switch (field.fieldKind) {
+		case "scalar": return scalarLabel(field.scalar);
+		case "enum": return enumLabel(field.enum);
+		case "message": return shortName(field.message.typeName);
+		case "list": {
+			let inner;
+			if (field.listKind === "scalar") inner = scalarLabel(field.scalar);
+			else if (field.listKind === "enum") inner = enumLabel(field.enum);
+			else inner = shortName(field.message.typeName);
+			return `repeated ${inner}`;
+		}
+		case "map": {
+			const keyType = scalarLabel(field.mapKey);
+			let valType;
+			if (field.mapKind === "scalar") valType = scalarLabel(field.scalar);
+			else if (field.mapKind === "enum") valType = enumLabel(field.enum);
+			else valType = shortName(field.message.typeName);
+			return `map<${keyType}, ${valType}>`;
+		}
+		default: return "<unknown>";
+	}
+}
+function nestedMessageForInspect(field) {
+	if (field.fieldKind === "message") return field.message;
+	if (field.fieldKind === "list" && field.listKind === "message") return field.message;
+	if (field.fieldKind === "map" && field.mapKind === "message") return field.message;
+}
+function fieldToJson(field, visited) {
+	const json = {
+		name: field.localName,
+		protoName: field.name,
+		type: describeFieldType(field),
+		fieldKind: field.fieldKind,
+		repeated: field.fieldKind === "list"
+	};
+	if (field.oneof) json.oneof = field.oneof.name;
+	const fieldEnum = enumOf(field);
+	if (fieldEnum) json.enumValues = fieldEnum.values.map((v) => v.name);
+	const nested = nestedMessageForInspect(field);
+	if (nested && !visited.has(nested)) {
+		visited.add(nested);
+		json.message = {
+			typeName: nested.typeName,
+			fields: nested.fields.map((f) => fieldToJson(f, visited))
+		};
+		visited.delete(nested);
+	} else if (nested) json.message = {
+		typeName: nested.typeName,
+		fields: [],
+		recursive: true
+	};
+	return json;
+}
+function renderInspectJson(method) {
+	const visited = new Set([method.input]);
+	return {
+		method: method.name,
+		input: {
+			typeName: method.input.typeName,
+			fields: method.input.fields.map((f) => fieldToJson(f, visited))
+		},
+		output: { typeName: method.output.typeName }
+	};
+}
+function renderFieldText(field, indent, visited) {
+	const lines = [];
+	const oneofTag = field.oneof ? ` (oneof ${field.oneof.name})` : "";
+	lines.push(`${indent}${field.localName}: ${describeFieldType(field)}${oneofTag}`);
+	const fieldEnum = enumOf(field);
+	if (fieldEnum) {
+		const values = fieldEnum.values.map((v) => v.name).join(", ");
+		lines.push(`${indent}  values: ${values}`);
+	}
+	const nested = nestedMessageForInspect(field);
+	if (nested && !visited.has(nested)) {
+		visited.add(nested);
+		for (const sub of nested.fields) lines.push(...renderFieldText(sub, `${indent}  `, visited));
+		visited.delete(nested);
+	} else if (nested) lines.push(`${indent}  …(recursive ${nested.typeName})`);
+	return lines;
+}
+function renderInspectText(method) {
+	const lines = [];
+	lines.push(`${method.name}`);
+	lines.push(`  request: ${method.input.typeName}`);
+	const visited = new Set([method.input]);
+	for (const f of method.input.fields) lines.push(...renderFieldText(f, "    ", visited));
+	lines.push(`  response: ${method.output.typeName}`);
+	return lines.join("\n");
+}
+
+//#endregion
+//#region src/cli/commands/api/inspect.ts
+const inspectCommand = defineAppCommand({
+	name: "inspect",
+	description: "Print the input message tree of an OperatorService endpoint.",
+	notes: "Combine with the global `--json` flag for a machine-readable descriptor. Recursive type references and `oneof` membership are annotated. Use `tailor-sdk api list` to discover endpoint names.",
+	examples: [{
+		cmd: "GetApplication",
+		desc: "Show fields of GetApplicationRequest."
+	}, {
+		cmd: "CreateExecutorExecutor",
+		desc: "Inspect a deeply nested input with `(oneof config)` annotations."
+	}],
+	args: z.object({ endpoint: arg(z.string(), {
+		positional: true,
+		description: "API endpoint to inspect (e.g., 'GetApplication' or 'tailor.v1.OperatorService/GetApplication').",
+		completion: { custom: { choices: listMethodNames() } }
+	}) }).strict(),
+	run: (args) => {
+		const methodName = extractMethodName(args.endpoint);
+		const method = getMethodDescriptor(methodName);
+		if (!method) throw createCLIError({
+			message: `unknown method: ${methodName}`,
+			suggestion: "Run `tailor-sdk api list` to see available methods.",
+			command: "api inspect"
+		});
+		if (logger.jsonMode) logger.out(renderInspectJson(method));
+		else logger.out(renderInspectText(method));
+	}
+});
+
+//#endregion
+//#region src/cli/commands/api/list.ts
+const listCommand$10 = defineAppCommand({
+	name: "list",
+	description: "List all invocable OperatorService methods.",
+	notes: "Only unary RPCs are listed; streaming methods are excluded because `tailor-sdk api run` issues a single JSON POST and reads one JSON response.",
+	args: z.object({}).strict(),
+	run: () => {
+		const names = listMethodNames();
+		if (logger.jsonMode) logger.out(names);
+		else for (const name of names) logger.out(name);
+	}
+});
+
+//#endregion
+//#region src/cli/commands/api/index.ts
 function resolveNamespaceName(methodName, config) {
 	if (/Auth|Tenant|UserProfile/.test(methodName)) return config.auth?.name;
 	if (/IdP/.test(methodName)) {
@@ -342,7 +526,9 @@ function parseBodyAsObject(body) {
 const apiCommand = defineAppCommand({
 	name: "api",
 	description: "Call Tailor Platform API endpoints directly.",
-	notes: `The request body is inferred from the proto definition of the target endpoint, and commonly required fields are auto-injected so they can be omitted from \`--body\`:
+	notes: `Use \`tailor-sdk api list\` to enumerate invocable methods and \`tailor-sdk api inspect <endpoint>\` to print an endpoint's input message tree (combine with \`--json\` for machine-readable output).
+
+The request body is inferred from the proto definition of the target endpoint, and commonly required fields are auto-injected so they can be omitted from \`--body\`:
 
 - \`workspaceId\` — resolved from \`-w\` / \`TAILOR_PLATFORM_WORKSPACE_ID\` / the selected profile.
 - \`namespaceName\` — resolved from \`tailor.config.ts\` based on the endpoint's service:
@@ -350,24 +536,44 @@ const apiCommand = defineAppCommand({
   - IdP / TailorDB / Pipeline endpoints use the sole configured namespace when exactly one is defined.
 
 Values already present in \`--body\` are never overridden. If a value cannot be resolved (e.g. no config found), injection is silently skipped and the server-side validation error takes precedence.`,
+	examples: [
+		{
+			cmd: "GetApplication -b '{\"applicationName\":\"app-1\"}'",
+			desc: "Call an endpoint; workspaceId is auto-injected."
+		},
+		{
+			cmd: "list",
+			desc: "List all invocable OperatorService methods."
+		},
+		{
+			cmd: "inspect GetApplication",
+			desc: "Show the input message tree for an endpoint."
+		}
+	],
+	subCommands: {
+		list: listCommand$10,
+		inspect: inspectCommand
+	},
 	args: z.object({
 		...workspaceArgs,
 		...configArg,
 		body: arg(z.string().default("{}"), {
 			alias: "b",
-			description: "Request body as JSON"
+			description: "Request body as JSON."
 		}),
 		endpoint: arg(z.string(), {
 			positional: true,
-			description: "API endpoint to call (e.g., 'GetApplication' or 'tailor.v1.OperatorService/GetApplication')"
+			description: "API endpoint to call (e.g., 'GetApplication' or 'tailor.v1.OperatorService/GetApplication').",
+			completion: { custom: { choices: listMethodNames() } }
 		})
 	}).strict(),
 	run: async (args) => {
-		const methodName = args.endpoint.includes("/") ? args.endpoint.split("/").pop() : args.endpoint;
+		const methodName = extractMethodName(args.endpoint);
+		const method = getMethodDescriptor(methodName);
 		const parsedBody = parseBodyAsObject(args.body);
 		let mutated = false;
-		if (parsedBody) {
-			const fieldNames = getEndpointFieldNames(methodName);
+		if (parsedBody && method) {
+			const fieldNames = method.input.fields.map((f) => f.localName);
 			if (fieldNames.includes("workspaceId") && !("workspaceId" in parsedBody)) try {
 				parsedBody.workspaceId = await loadWorkspaceId({
 					workspaceId: args["workspace-id"],
@@ -387,7 +593,7 @@ Values already present in \`--body\` are never overridden. If a value cannot be
 		const result = await apiCall({
 			profile: args.profile,
 			endpoint: args.endpoint,
-			body: mutated ? JSON.stringify(parsedBody) : args.body
+			body: mutated && parsedBody ? JSON.stringify(parsedBody) : args.body
 		});
 		logger.log(JSON.stringify(result.data, null, 2));
 	}
@@ -1298,7 +1504,8 @@ async function planApplication(context) {
 		if (idpConfigs.length > 0) authIdpConfigName = idpConfigs[0].name;
 	}
 	const metaRequest = await buildMetaRequest(trn$6(workspaceId, application.name), application.name);
-	const resolvedCors = await resolveStaticWebsiteUrls(client, workspaceId, application.config.cors, "CORS");
+	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
+	const resolvedCors = await resolveStaticWebsiteUrls(client, workspaceId, application.config.cors, "CORS", { expectedLocalNames: expectedLocalWebsites });
 	const desired = normalizeComparableApplication(application, authNamespace, authIdpConfigName, resolvedCors);
 	const request = {
 		workspaceId,
@@ -2351,9 +2558,9 @@ async function applyIdP(client, result, phase = "create-update") {
 * @returns Planned changes and metadata
 */
 async function planIdP(context) {
-	const { client, workspaceId, application, forRemoval, forceApplyAll = false } = context;
+	const { client, workspaceId, application, forRemoval, forceApplyAll = false, hasIdpUserTrigger = false } = context;
 	const idps = forRemoval ? [] : application.idpServices;
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps, hasIdpUserTrigger);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -2440,7 +2647,7 @@ function areIdPServicesEqual(existing, desired) {
 		permission: normalizeComparablePermission(existing.permission)
 	}), desired);
 }
-async function planServices$3(client, workspaceId, appName, idps) {
+async function planServices$3(client, workspaceId, appName, idps, hasIdpUserTrigger) {
 	const changeSet = createChangeSet("IdP services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -2489,7 +2696,9 @@ async function planServices$3(client, workspaceId, appName, idps) {
 		}
 		const lang = convertLang(idp.lang);
 		const userAuthPolicy = idp.userAuthPolicy;
-		const publishUserEvents = idp.publishUserEvents ?? false;
+		const publishUserEvents = idp.publishUserEvents ?? hasIdpUserTrigger;
+		if (hasIdpUserTrigger && idp.publishUserEvents === void 0) logger.info(`IdP service "${namespaceName}": automatically enabled "publishUserEvents" because executors with idpUser triggers are defined. Set "publishUserEvents" explicitly to silence this message.`);
+		else if (hasIdpUserTrigger && idp.publishUserEvents === false) logger.warn(`IdP service "${namespaceName}" has "publishUserEvents: false", but executors with idpUser triggers are defined. Those executors will not fire for this IdP. Set "publishUserEvents: true" to enable them.`);
 		const emailConfig = idp.emailConfig;
 		if (!idp.permission) logger.warn(`IdP service "${namespaceName}" has no permission configured.`);
 		const parsedPermission = parseIdPPermission(idp.permission);
@@ -2791,13 +3000,14 @@ async function planAuth(context) {
 	}
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths, forceApplyAll);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
+	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
 	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet, connectionResult] = await Promise.all([
 		planIdPConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planUserProfileConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planTenantConfigs(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planMachineUsers(client, workspaceId, auths, deletedServices, forceApplyAll),
 		planAuthHooks(client, workspaceId, auths, deletedServices, forceApplyAll),
-		planOAuth2Clients(client, workspaceId, auths, deletedServices, forceApplyAll),
+		planOAuth2Clients(client, workspaceId, auths, deletedServices, expectedLocalWebsites, forceApplyAll),
 		planSCIMConfigs(client, workspaceId, auths, deletedServices),
 		planSCIMResources(client, workspaceId, auths, deletedServices),
 		planAuthConnections(client, workspaceId, application.name, auths)
@@ -3406,7 +3616,7 @@ function oauth2LifetimeToSeconds(lifetime) {
 function areOAuth2ClientsEqual(existing, desired) {
 	return areNormalizedEqual(normalizeComparableOAuth2Client(existing), normalizeComparableOAuth2Client(desired));
 }
-async function planOAuth2Clients(client, workspaceId, auths, deletedServices, forceApplyAll = false) {
+async function planOAuth2Clients(client, workspaceId, auths, deletedServices, expectedLocalWebsites, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth oauth2Clients");
 	const fetchOAuth2Clients = (namespaceName) => {
 		return fetchAll(async (pageToken, maxPageSize) => {
@@ -3435,7 +3645,7 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices, fo
 			const oauth2Client = config.oauth2Clients?.[oauth2ClientName];
 			if (!oauth2Client) continue;
 			const newOAuth2Client = protoOAuth2Client(oauth2ClientName, oauth2Client);
-			const resolvedRedirectUris = await resolveStaticWebsiteUrls(client, workspaceId, newOAuth2Client.redirectUris ?? [], "OAuth2 redirect URIs");
+			const resolvedRedirectUris = await resolveStaticWebsiteUrls(client, workspaceId, newOAuth2Client.redirectUris ?? [], "OAuth2 redirect URIs", { expectedLocalNames: expectedLocalWebsites });
 			if (existingClientsMap.has(oauth2ClientName)) {
 				const existingClient = existingClientsMap.get(oauth2ClientName);
 				if (existingClient.clientType !== newOAuth2Client.clientType) changeSet.replaces.push({
@@ -3959,64 +4169,6 @@ async function confirmImportantResourceDeletion(resources, yes) {
     `);
 }
 
-//#endregion
-//#region src/cli/shared/runtime-args.ts
-/**
-* Runtime args transformation for all services.
-*
-* Each service transforms server-side args/context into SDK-friendly format:
-* - Executor: server-side expression evaluated by platform before calling function
-* - Resolver: operationHook expression evaluated by platform before calling function
-*
-* The user field mapping (server → SDK) shared across services is defined in
-* `@/parser/service/tailordb` as `tailorUserMap`.
-*/
-/**
-* Actor field transformation expression.
-*
-* Transforms the server's actor object to match the SDK's TailorActor type:
-*   server `attributeMap`  → SDK `attributes`
-*   server `attributes`    → SDK `attributeList`
-*   other fields           → passed through
-*   null/undefined actor   → null
-*/
-const ACTOR_TRANSFORM_EXPR = "actor: args.actor ? (({ attributeMap, attributes: attrList, ...rest }) => ({ ...rest, attributes: attributeMap, attributeList: attrList }))(args.actor) : null";
-/**
-* Build the JavaScript expression that transforms server-format executor event
-* args into SDK-format args at runtime.
-*
-* The Tailor Platform server delivers event args with server-side field names.
-* The SDK exposes different field names to user code. This function produces a
-* JavaScript expression string that performs the mapping when evaluated
-* server-side.
-* @param triggerKind - The trigger kind discriminant from the parsed executor
-* @param env - Application env record to embed in the expression
-* @returns A JavaScript expression string, e.g. `({ ...args, ... })`
-*/
-function buildExecutorArgsExpr(triggerKind, env) {
-	const envExpr = `env: ${JSON.stringify(env)}`;
-	switch (triggerKind) {
-		case "schedule": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
-		case "resolverExecuted": return `({ ...args, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, success: !!args.succeeded, result: args.succeeded?.result.resolver, error: args.failed?.error, ${envExpr} })`;
-		case "incomingWebhook": return `({ ...args, appNamespace: args.namespaceName, rawBody: args.raw_body, ${envExpr} })`;
-		default: return `({ ...args, event: args.eventType?.split(".").pop(), rawEvent: args.eventType, appNamespace: args.namespaceName, ${ACTOR_TRANSFORM_EXPR}, ${envExpr} })`;
-	}
-}
-/**
-* Build the operationHook expression for resolver pipelines.
-*
-* Transforms server context to SDK resolver context:
-*   context.args        → input
-*   context.pipeline     → spread into result
-*   user (global var)    → TailorUser (via tailorUserMap: workspace_id→workspaceId, attribute_map→attributes, attributes→attributeList)
-*   env                 → injected as JSON
-* @param env - Application env record to embed in the expression
-* @returns A JavaScript expression string for the operationHook
-*/
-function buildResolverOperationHookExpr(env) {
-	return `({ ...context.pipeline, input: context.args, user: ${tailorUserMap}, env: ${JSON.stringify(env)} });`;
-}
-
 //#endregion
 //#region src/cli/commands/apply/auth-invoker.ts
 /**
@@ -7470,13 +7622,25 @@ function isPlainObject(value) {
 	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 const tailordbCompareKnownDefaults = {
+	/**
+	* Platform returns this object with explicit false flags even when the SDK omitted
+	* gqlOperations entirely. Treat the all-false object as "unset" for diff purposes.
+	*/
 	disableGqlOperations: {
 		create: false,
 		update: false,
 		delete: false,
 		read: false
 	},
+	/**
+	* Some remote validate expressions are emitted as an empty string when the SDK did
+	* not define a script. Local manifests omit the field entirely.
+	*/
 	emptyExpression: "",
+	/**
+	* Proto bigint-backed values can round-trip as numbers locally and strings remotely.
+	* Canonicalize them to strings at compare time.
+	*/
 	numericStringPaths: new Set([
 		"schema.fields.*.serial.start",
 		"schema.fields.*.serial.maxValue",
@@ -8514,6 +8678,7 @@ async function apply(options) {
 		const yes = options?.yes ?? false;
 		const forceApplyAll = await withSpan("plan.detectSdkVersionChange", () => shouldForceApplyAll(client, workspaceId, application, functionEntries));
 		const { functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
+			const hasIdpUserTrigger = Object.values(application.executorService?.executors ?? {}).some((executor) => executor.trigger.kind === "idpUser");
 			const ctx = {
 				client,
 				workspaceId,
@@ -8521,7 +8686,8 @@ async function apply(options) {
 				forRemoval: false,
 				config,
 				noSchemaCheck: options?.noSchemaCheck,
-				forceApplyAll
+				forceApplyAll,
+				hasIdpUserTrigger
 			};
 			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, functionEntries));
 			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.filter((entry) => entry.name.startsWith(WORKFLOW_PREFIX)).map((entry) => entry.name.slice(WORKFLOW_PREFIX.length)));
@@ -8967,7 +9133,7 @@ async function getExecutor(options) {
 		throw error;
 	}
 }
-const getCommand$5 = defineAppCommand({
+const getCommand$6 = defineAppCommand({
 	name: "get",
 	description: "Get executor details",
 	args: z.object({
@@ -9447,7 +9613,7 @@ async function getWorkflow(options) {
 		throw error;
 	}
 }
-const getCommand$4 = defineAppCommand({
+const getCommand$5 = defineAppCommand({
 	name: "get",
 	description: "Get workflow details.",
 	args: z.object({
@@ -10076,7 +10242,7 @@ async function listExecutors(options) {
 		return [executors, nextPageToken];
 	}, { limit: options?.limit })).map((e) => toExecutorListInfo(e));
 }
-const listCommand$8 = defineAppCommand({
+const listCommand$9 = defineAppCommand({
 	name: "list",
 	description: "List all executors",
 	args: z.object({
@@ -10328,14 +10494,16 @@ async function listWebhookExecutors(options) {
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
 	});
-	return (await fetchAll(async (pageToken, maxPageSize) => {
+	const pageDirection = toPageDirection(options?.order);
+	return (await fetchPaged(async (pageToken, pageSize) => {
 		const { webhooks, nextPageToken } = await client.listExecutorIncomingWebhooks({
 			workspaceId,
 			pageToken,
-			pageSize: maxPageSize
+			pageSize,
+			pageDirection
 		});
 		return [webhooks, nextPageToken];
-	})).map((w) => ({
+	}, { limit: options?.limit })).map((w) => ({
 		name: w.executorName,
 		webhookUrl: w.url,
 		disabled: w.disabled
@@ -10344,11 +10512,16 @@ async function listWebhookExecutors(options) {
 const listWebhookCommand = defineAppCommand({
 	name: "list",
 	description: "List executors with incoming webhook triggers",
-	args: z.object({ ...workspaceArgs }).strict(),
+	args: z.object({
+		...workspaceArgs,
+		...paginationArgs()
+	}).strict(),
 	run: async (args) => {
 		const executors = await listWebhookExecutors({
 			workspaceId: args["workspace-id"],
-			profile: args.profile
+			profile: args.profile,
+			order: args.order,
+			limit: args.limit
 		});
 		if (executors.length === 0) {
 			logger.info("No webhook executors found.");
@@ -10367,6 +10540,157 @@ const webhookCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/cli/commands/function/transform.ts
+const functionRegistryInfo = (fn) => {
+	return {
+		name: fn.name,
+		description: fn.description,
+		sizeBytes: fn.sizeBytes.toString(),
+		contentHash: fn.contentHash,
+		createdAt: formatTimestamp(fn.createdAt),
+		updatedAt: formatTimestamp(fn.updatedAt)
+	};
+};
+
+//#endregion
+//#region src/cli/commands/function/get.ts
+const getFunctionRegistryOptionsSchema = z.object({
+	workspaceId: z.uuid({ message: "workspace-id must be a valid UUID" }).optional(),
+	profile: z.string().optional(),
+	name: z.string().min(1, { message: "name is required" })
+});
+async function loadOptions$12(options) {
+	const result = getFunctionRegistryOptionsSchema.safeParse(options);
+	if (!result.success) throw new Error(result.error.issues[0].message);
+	return {
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
+		workspaceId: await loadWorkspaceId({
+			workspaceId: result.data.workspaceId,
+			profile: result.data.profile
+		}),
+		name: result.data.name
+	};
+}
+/**
+* Get a function registry by name.
+* @param options - Function registry get options
+* @returns Function registry info
+*/
+async function getFunctionRegistry(options) {
+	const { client, workspaceId, name } = await loadOptions$12(options);
+	const notFoundErrorMessage = `Function registry "${name}" not found.`;
+	try {
+		const response = await client.getFunctionRegistry({
+			workspaceId,
+			name
+		});
+		if (!response.function) throw new Error(notFoundErrorMessage);
+		return functionRegistryInfo(response.function);
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.NotFound) throw new Error(notFoundErrorMessage, { cause: error });
+		throw error;
+	}
+}
+const getCommand$4 = defineAppCommand({
+	name: "get",
+	description: "Get a function registry by name",
+	args: z.object({
+		...workspaceArgs,
+		name: arg(z.string(), {
+			description: "Function name",
+			alias: "n"
+		})
+	}).strict(),
+	run: async (args) => {
+		const fn = await getFunctionRegistry({
+			workspaceId: args["workspace-id"],
+			profile: args.profile,
+			name: args.name
+		});
+		const formatted = args.json ? fn : {
+			...fn,
+			createdAt: humanizeRelativeTime(fn.createdAt),
+			updatedAt: humanizeRelativeTime(fn.updatedAt)
+		};
+		logger.out(formatted);
+	}
+});
+
+//#endregion
+//#region src/cli/commands/function/list.ts
+const listFunctionRegistriesOptionsSchema = z.object({
+	workspaceId: z.uuid({ message: "workspace-id must be a valid UUID" }).optional(),
+	profile: z.string().optional(),
+	order: z.enum(["asc", "desc"]).optional(),
+	limit: z.coerce.number().int().nonnegative().optional()
+});
+async function loadOptions$11(options) {
+	const result = listFunctionRegistriesOptionsSchema.safeParse(options);
+	if (!result.success) throw new Error(result.error.issues[0].message);
+	return {
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
+		workspaceId: await loadWorkspaceId({
+			workspaceId: result.data.workspaceId,
+			profile: result.data.profile
+		}),
+		order: result.data.order,
+		limit: result.data.limit
+	};
+}
+/**
+* List function registries in a workspace with optional pagination.
+* @param options - Function registry listing options
+* @returns List of function registries
+*/
+async function listFunctionRegistries(options) {
+	const { client, workspaceId, order, limit } = await loadOptions$11(options);
+	const pageDirection = toPageDirection(order);
+	return (await fetchPaged(async (pageToken, pageSize) => {
+		try {
+			const { functions, nextPageToken } = await client.listFunctionRegistries({
+				workspaceId,
+				pageToken,
+				pageSize,
+				sortBy: "updated_at",
+				pageDirection
+			});
+			return [functions, nextPageToken];
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	}, { limit })).map(functionRegistryInfo);
+}
+const listCommand$8 = defineAppCommand({
+	name: "list",
+	description: "List function registries in a workspace",
+	args: z.object({
+		...workspaceArgs,
+		...paginationArgs()
+	}).strict(),
+	run: async (args) => {
+		const registries = await listFunctionRegistries({
+			workspaceId: args["workspace-id"],
+			profile: args.profile,
+			order: args.order,
+			limit: args.limit
+		});
+		const formatted = args.json ? registries : registries.map(({ createdAt, updatedAt, ...rest }) => ({
+			...rest,
+			createdAt: humanizeRelativeTime(createdAt),
+			updatedAt: humanizeRelativeTime(updatedAt)
+		}));
+		logger.out(formatted);
+	}
+});
+
 //#endregion
 //#region src/cli/commands/generate/types.ts
 /**
@@ -11681,7 +12005,8 @@ const getCommand$2 = defineAppCommand({
 const listFoldersOptionsSchema = z.object({
 	organizationId: z.uuid({ message: "organization-id must be a valid UUID" }),
 	parentFolderId: z.string().optional(),
-	limit: z.number().int().positive().optional()
+	order: orderArg.optional(),
+	limit: z.number().int().nonnegative().optional()
 });
 /**
 * List folders in an organization.
@@ -11691,28 +12016,19 @@ const listFoldersOptionsSchema = z.object({
 async function listFolders(options) {
 	const result = listFoldersOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
-	const { organizationId, parentFolderId, limit } = result.data;
-	const hasLimit = limit !== void 0;
+	const { organizationId, parentFolderId, order, limit } = result.data;
 	const client = await initOperatorClient(await loadAccessToken());
-	const results = [];
-	let pageToken = "";
-	while (true) {
-		if (hasLimit && results.length >= limit) break;
-		const remaining = hasLimit ? limit - results.length : void 0;
-		const pageSize = remaining !== void 0 && remaining > 0 ? remaining : void 0;
+	const pageDirection = toPageDirection(order);
+	return (await fetchPaged(async (pageToken, pageSize) => {
 		const response = await client.listOrganizationFolders({
 			organizationId,
 			...parentFolderId ? { parentFolderId } : {},
 			pageToken,
-			...pageSize !== void 0 ? { pageSize } : {}
+			pageSize,
+			pageDirection
 		});
-		const mapped = response.folders.map(folderListInfo);
-		if (remaining !== void 0 && mapped.length > remaining) results.push(...mapped.slice(0, remaining));
-		else results.push(...mapped);
-		if (!response.nextPageToken) break;
-		pageToken = response.nextPageToken;
-	}
-	return results;
+		return [response.folders, response.nextPageToken];
+	}, { limit })).map(folderListInfo);
 }
 const listCommand$5 = defineAppCommand({
 	name: "list",
@@ -11720,15 +12036,13 @@ const listCommand$5 = defineAppCommand({
 	args: z.object({
 		...organizationArgs,
 		"parent-folder-id": arg(z.string().optional(), { description: "Parent folder ID to list children of" }),
-		limit: arg(positiveIntArg.optional(), {
-			alias: "l",
-			description: "Maximum number of folders to list"
-		})
+		...paginationArgs()
 	}).strict(),
 	run: async (args) => {
 		const folders = await listFolders({
 			organizationId: args["organization-id"],
 			parentFolderId: args["parent-folder-id"],
+			order: args.order,
 			limit: args.limit
 		});
 		logger.out(folders, { display: { updatedAt: null } });
@@ -12762,7 +13076,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-CE2s_a6w.mjs");
+	const { defineApplication } = await import("./application-BZRbA1pL.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -13275,7 +13589,10 @@ async function loadOptions$9(options) {
 	const result = healthOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
 	return {
-		client: await initOperatorClient(await loadAccessToken()),
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -13325,61 +13642,55 @@ const healthCommand = defineAppCommand({
 const listAppsOptionsSchema = z.object({
 	workspaceId: z.uuid({ message: "workspace-id must be a valid UUID" }).optional(),
 	profile: z.string().optional(),
-	limit: z.coerce.number().int().positive().optional()
+	order: orderArg.optional(),
+	limit: z.coerce.number().int().nonnegative().optional()
 });
 async function loadOptions$8(options) {
 	const result = listAppsOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
 	return {
-		client: await initOperatorClient(await loadAccessToken()),
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
 		}),
+		order: result.data.order,
 		limit: result.data.limit
 	};
 }
 /**
-* List applications in a workspace with an optional limit.
+* List applications in a workspace with an optional order and limit.
 * @param options - Application listing options
 * @returns List of applications
 */
 async function listApps(options) {
-	const { client, workspaceId, limit } = await loadOptions$8(options);
-	const hasLimit = limit !== void 0;
-	const results = [];
-	let pageToken = "";
-	while (true) {
-		if (hasLimit && results.length >= limit) break;
-		const remaining = hasLimit ? limit - results.length : void 0;
-		const pageSize = remaining !== void 0 && remaining > 0 ? remaining : void 0;
+	const { client, workspaceId, order, limit } = await loadOptions$8(options);
+	const pageDirection = toPageDirection(order);
+	return (await fetchPaged(async (pageToken, pageSize) => {
 		const { applications, nextPageToken } = await client.listApplications({
 			workspaceId,
 			pageToken,
-			...pageSize !== void 0 ? { pageSize } : {}
+			pageSize,
+			pageDirection
 		});
-		const mapped = applications.map(appInfo);
-		if (remaining !== void 0 && mapped.length > remaining) results.push(...mapped.slice(0, remaining));
-		else results.push(...mapped);
-		if (!nextPageToken) break;
-		pageToken = nextPageToken;
-	}
-	return results;
+		return [applications, nextPageToken];
+	}, { limit })).map(appInfo);
 }
 const listCommand$2 = defineAppCommand({
 	name: "list",
 	description: "List applications in a workspace",
 	args: z.object({
 		...workspaceArgs,
-		limit: arg(positiveIntArg.optional(), {
-			alias: "l",
-			description: "Maximum number of applications to list"
-		})
+		...paginationArgs()
 	}).strict(),
 	run: async (args) => {
 		const apps = await listApps({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
+			order: args.order,
 			limit: args.limit
 		});
 		const formattedApps = args.json ? apps : apps.map(({ updatedAt: _, createdAt, ...rest }) => ({
@@ -13589,7 +13900,10 @@ async function loadOptions$6(options) {
 	const result = getWorkspaceOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
 	return {
-		client: await initOperatorClient(await loadAccessToken()),
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -13628,41 +13942,31 @@ const getCommand = defineAppCommand({
 //#endregion
 //#region src/cli/commands/workspace/list.ts
 /**
-* List workspaces with an optional limit.
+* List workspaces with an optional order and limit.
 * @param options - Workspace listing options
 * @returns List of workspaces
 */
 async function listWorkspaces(options) {
-	const limit = options?.limit;
-	const hasLimit = limit !== void 0;
 	const client = await initOperatorClient(await loadAccessToken());
-	const results = [];
-	let pageToken = "";
-	while (true) {
-		if (hasLimit && results.length >= limit) break;
-		const remaining = hasLimit ? limit - results.length : void 0;
-		const pageSize = remaining !== void 0 && remaining > 0 ? remaining : void 0;
+	const pageDirection = toPageDirection(options?.order);
+	return (await fetchPaged(async (pageToken, pageSize) => {
 		const { workspaces, nextPageToken } = await client.listWorkspaces({
 			pageToken,
-			...pageSize !== void 0 ? { pageSize } : {}
+			pageSize,
+			pageDirection
 		});
-		const mapped = workspaces.map(workspaceInfo);
-		if (remaining !== void 0 && mapped.length > remaining) results.push(...mapped.slice(0, remaining));
-		else results.push(...mapped);
-		if (!nextPageToken) break;
-		pageToken = nextPageToken;
-	}
-	return results;
+		return [workspaces, nextPageToken];
+	}, { limit: options?.limit })).map(workspaceInfo);
 }
 const listCommand$1 = defineAppCommand({
 	name: "list",
 	description: "List all Tailor Platform workspaces.",
-	args: z.object({ limit: arg(positiveIntArg.optional(), {
-		alias: "l",
-		description: "Maximum number of workspaces to list"
-	}) }).strict(),
+	args: z.object({ ...paginationArgs() }).strict(),
 	run: async (args) => {
-		const workspaces = await listWorkspaces({ limit: args.limit });
+		const workspaces = await listWorkspaces({
+			order: args.order,
+			limit: args.limit
+		});
 		logger.out(workspaces, { display: { updatedAt: null } });
 	}
 });
@@ -13753,7 +14057,10 @@ async function loadOptions$4(options) {
 	const result = inviteUserOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
 	return {
-		client: await initOperatorClient(await loadAccessToken()),
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -13802,61 +14109,55 @@ const inviteCommand = defineAppCommand({
 const listUsersOptionsSchema = z.object({
 	workspaceId: z.uuid({ message: "workspace-id must be a valid UUID" }).optional(),
 	profile: z.string().optional(),
-	limit: z.coerce.number().int().positive().optional()
+	order: orderArg.optional(),
+	limit: z.coerce.number().int().nonnegative().optional()
 });
 async function loadOptions$3(options) {
 	const result = listUsersOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
 	return {
-		client: await initOperatorClient(await loadAccessToken()),
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
 		}),
+		order: result.data.order,
 		limit: result.data.limit
 	};
 }
 /**
-* List users in a workspace with an optional limit.
+* List users in a workspace with an optional order and limit.
 * @param options - User listing options
 * @returns List of workspace users
 */
 async function listUsers(options) {
-	const { client, workspaceId, limit } = await loadOptions$3(options);
-	const hasLimit = limit !== void 0;
-	const results = [];
-	let pageToken = "";
-	while (true) {
-		if (hasLimit && results.length >= limit) break;
-		const remaining = hasLimit ? limit - results.length : void 0;
-		const pageSize = remaining !== void 0 && remaining > 0 ? remaining : void 0;
+	const { client, workspaceId, order, limit } = await loadOptions$3(options);
+	const pageDirection = toPageDirection(order);
+	return (await fetchPaged(async (pageToken, pageSize) => {
 		const { workspacePlatformUsers, nextPageToken } = await client.listWorkspacePlatformUsers({
 			workspaceId,
 			pageToken,
-			...pageSize !== void 0 ? { pageSize } : {}
+			pageSize,
+			pageDirection
 		});
-		const mapped = workspacePlatformUsers.map(userInfo);
-		if (remaining !== void 0 && mapped.length > remaining) results.push(...mapped.slice(0, remaining));
-		else results.push(...mapped);
-		if (!nextPageToken) break;
-		pageToken = nextPageToken;
-	}
-	return results;
+		return [workspacePlatformUsers, nextPageToken];
+	}, { limit })).map(userInfo);
 }
 const listCommand = defineAppCommand({
 	name: "list",
 	description: "List users in a workspace",
 	args: z.object({
 		...workspaceArgs,
-		limit: arg(positiveIntArg.optional(), {
-			alias: "l",
-			description: "Maximum number of users to list"
-		})
+		...paginationArgs()
 	}).strict(),
 	run: async (args) => {
 		const users = await listUsers({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
+			order: args.order,
 			limit: args.limit
 		});
 		logger.out(users);
@@ -13874,7 +14175,10 @@ async function loadOptions$2(options) {
 	const result = removeUserOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
 	return {
-		client: await initOperatorClient(await loadAccessToken()),
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -13930,7 +14234,10 @@ async function loadOptions$1(options) {
 	const result = updateUserOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(result.error.issues[0].message);
 	return {
-		client: await initOperatorClient(await loadAccessToken()),
+		client: await initOperatorClient(await loadAccessToken({
+			useProfile: true,
+			profile: result.data.profile
+		})),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -14917,5 +15224,5 @@ function isDeno() {
 }
 
 //#endregion
-export { deleteCommand$1 as $, isValidMigrationNumber as $t, truncate as A, formatKeyValueTable as At, updateOrganization as B, DIFF_FILE_NAME as Bt, listCommand$2 as C, startWorkflow as Ct, resumeWorkflow as D, getWorkflowExecution as Dt, resumeCommand as E, executionsCommand as Et, showCommand as F, waitForExecution$1 as Ft, getCommand$1 as G, compareSnapshots as Gt, treeCommand as H, MIGRATE_FILE_NAME as Ht, logBetaWarning as I, MIGRATION_LABEL_KEY as It, updateFolder as J, getLatestMigrationNumber as Jt, getOrganization as K, createSnapshotFromLocalTypes as Kt, remove as L, parseMigrationLabelNumber as Lt, generate as M, getExecutor as Mt, generateCommand as N, apply as Nt, listCommand$3 as O, listWorkflowExecutions as Ot, show as P, executeScript as Pt, getFolder as Q, getNextMigrationNumber as Qt, removeCommand$1 as R, bundleMigrationScript as Rt, listApps as S, startCommand as St, healthCommand as T, getWorkflow as Tt, listCommand$4 as U, SCHEMA_FILE_NAME as Ut, organizationTree as V, INITIAL_SCHEMA_NUMBER as Vt, listOrganizations as W, compareLocalTypesWithSnapshot as Wt, listFolders as X, getMigrationFilePath as Xt, listCommand$5 as Y, getMigrationDirPath as Yt, getCommand$2 as Z, getMigrationFiles as Zt, getWorkspace as _, pagedLogArgs as _n, listExecutors as _t, updateUser as a, getNamespacesWithMigrations as an, getCommand$3 as at, createCommand as b, workspaceArgs as bn, listExecutorJobs as bt, listCommand as c, trnPrefix as cn, tokenCommand as ct, inviteUser as d, apiCommand as dn, generate$1 as dt, loadDiff as en, deleteFolder as et, restoreCommand as f, defineAppCommand as fn, listWebhookExecutors as ft, getCommand as g, isVerbose as gn, listCommand$8 as gt, listWorkspaces as h, deploymentArgs as hn, triggerExecutor as ht, updateCommand as i, hasChanges as in, listOAuth2Clients as it, truncateCommand as j, getCommand$5 as jt, listWorkflows as k, functionExecutionStatusToString as kt, listUsers as l, generateUserTypes as ln, listCommand$7 as lt, listCommand$1 as m, confirmationArgs as mn, triggerCommand as mt, query as n, formatDiffSummary as nn, createFolder as nt, removeCommand as o, prompt as on, getOAuth2Client as ot, restoreWorkspace as p, commonArgs as pn, webhookCommand as pt, updateCommand$2 as q, formatMigrationNumber as qt, queryCommand as r, formatMigrationDiff as rn, listCommand$6 as rt, removeUser as s, sdkNameLabelKey as sn, getMachineUserToken as st, isNativeTypeScriptRuntime as t, reconstructSnapshotFromMigrations as tn, createCommand$1 as tt, inviteCommand as u, apiCall as un, listMachineUsers as ut, deleteCommand as v, paginationArgs as vn, getExecutorJob as vt, getAppHealth as w, getCommand$4 as wt, createWorkspace as x, watchExecutorJob as xt, deleteWorkspace as y, toPageDirection as yn, jobsCommand as yt, updateCommand$1 as z, DB_TYPES_FILE_NAME as zt };
-//# sourceMappingURL=runtime-B9R1TzLD.mjs.map
+export { deleteCommand$1 as $, getMigrationDirPath as $t, truncate as A, executionsCommand as At, updateOrganization as B, MIGRATION_LABEL_KEY as Bt, listCommand$2 as C, toPageDirection as Cn, jobsCommand as Ct, resumeWorkflow as D, startWorkflow as Dt, resumeCommand as E, startCommand as Et, showCommand as F, getCommand$6 as Ft, getCommand$1 as G, INITIAL_SCHEMA_NUMBER as Gt, treeCommand as H, bundleMigrationScript as Ht, logBetaWarning as I, getExecutor as It, updateFolder as J, compareLocalTypesWithSnapshot as Jt, getOrganization as K, MIGRATE_FILE_NAME as Kt, remove as L, apply as Lt, generate as M, listWorkflowExecutions as Mt, generateCommand as N, functionExecutionStatusToString as Nt, listCommand$3 as O, getCommand$5 as Ot, show as P, formatKeyValueTable as Pt, getFolder as Q, getLatestMigrationNumber as Qt, removeCommand$1 as R, executeScript as Rt, listApps as S, paginationArgs as Sn, getExecutorJob as St, healthCommand as T, watchExecutorJob as Tt, listCommand$4 as U, DB_TYPES_FILE_NAME as Ut, organizationTree as V, parseMigrationLabelNumber as Vt, listOrganizations as W, DIFF_FILE_NAME as Wt, listFolders as X, createSnapshotFromLocalTypes as Xt, listCommand$5 as Y, compareSnapshots as Yt, getCommand$2 as Z, formatMigrationNumber as Zt, getWorkspace as _, commonArgs as _n, webhookCommand as _t, updateUser as a, reconstructSnapshotFromMigrations as an, getCommand$3 as at, createCommand as b, isVerbose as bn, listCommand$9 as bt, listCommand as c, hasChanges as cn, tokenCommand as ct, inviteUser as d, sdkNameLabelKey as dn, generate$1 as dt, getMigrationFilePath as en, deleteFolder as et, restoreCommand as f, trnPrefix as fn, listCommand$8 as ft, getCommand as g, defineAppCommand as gn, listWebhookExecutors as gt, listWorkspaces as h, apiCall as hn, getFunctionRegistry as ht, updateCommand as i, loadDiff as in, listOAuth2Clients as it, truncateCommand as j, getWorkflowExecution as jt, listWorkflows as k, getWorkflow as kt, listUsers as l, getNamespacesWithMigrations as ln, listCommand$7 as lt, listCommand$1 as m, apiCommand as mn, getCommand$4 as mt, query as n, getNextMigrationNumber as nn, createFolder as nt, removeCommand as o, formatDiffSummary as on, getOAuth2Client as ot, restoreWorkspace as p, generateUserTypes as pn, listFunctionRegistries as pt, updateCommand$2 as q, SCHEMA_FILE_NAME as qt, queryCommand as r, isValidMigrationNumber as rn, listCommand$6 as rt, removeUser as s, formatMigrationDiff as sn, getMachineUserToken as st, isNativeTypeScriptRuntime as t, getMigrationFiles as tn, createCommand$1 as tt, inviteCommand as u, prompt as un, listMachineUsers as ut, deleteCommand as v, confirmationArgs as vn, triggerCommand as vt, getAppHealth as w, workspaceArgs as wn, listExecutorJobs as wt, createWorkspace as x, pagedLogArgs as xn, listExecutors as xt, deleteWorkspace as y, deploymentArgs as yn, triggerExecutor as yt, updateCommand$1 as z, waitForExecution$1 as zt };
+//# sourceMappingURL=runtime-l7GFD3Xg.mjs.map