npm - @tailor-platform/sdk - Versions diffs - 1.47.1 → 1.48.0 - Mend

@tailor-platform/sdk 1.47.1 → 1.48.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (72) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,84 @@
 # @tailor-platform/sdk
+## 1.48.0
+### Minor Changes
+- [#1118](https://github.com/tailor-platform/sdk/pull/1118) [`5ef8e01`](https://github.com/tailor-platform/sdk/commit/5ef8e01fbcee428d77925662006fd2cc7f64a522) Thanks [@toiroakr](https://github.com/toiroakr)! - Detect app renames via a stable, auto-injected `id` field in `tailor.config.ts`.
+  The SDK now writes a generated `id: "<uuid>"` field into the
+  `defineConfig({...})` call on first `deploy`, and stamps every managed
+  resource with an `sdk-app-id` metadata label. Subsequent deploys identify
+  ownership by the stable id rather than by the app name, so renaming the
+  app (or any of its resources) cleanly removes the old resources before
+  creating the new ones. The id is a plain UUID; the SDK adds the
+  label-compatible `app-` prefix internally at the metadata boundary.
+  Deleting the `id` field regenerates a new UUID on the next `deploy` —
+  typically done after copying `tailor.config.ts` from another project so
+  the new application does not share the original's id. Existing
+  resources keep their data and are re-tagged in place; `deploy` shows a
+  dedicated confirmation prompt for this case ("Application id was
+  regenerated for ..."), separate from the rename/transfer confirmation.
+  If your `tailor.config.ts` is a wrapper that re-exports `defineConfig` from
+  another file, the SDK skips id injection on the wrapper — add the `id`
+  field manually to the file that contains the actual `defineConfig({...})`
+  call. Existing deployments without the id continue to work and migrate
+  transparently on the next `deploy` run.
+- [#1156](https://github.com/tailor-platform/sdk/pull/1156) [`4311e05`](https://github.com/tailor-platform/sdk/commit/4311e05d59f2e4b92d312b2a0e991f69553c741c) Thanks [@toiroakr](https://github.com/toiroakr)! - Add `disableIdpUserSync` option to `seedPlugin` for opting out of the
+  `_User <-> userProfile` foreign keys emitted into the generated seed schema.
+  The seed plugin emits two foreign keys when `auth.userProfile` is configured
+  so that `validate` rejects rows on either side that lack a matching
+  counterpart:
+  - `_User.name → <userProfile>.<usernameField>` (`idpToUser`)
+  - `<userProfile>.<usernameField> → _User.name` (`userToIdp`)
+  Both are emitted by default, matching the previous behavior. Neither
+  direction is enforced by the runtime, so it can be useful to relax one when
+  seeding asymmetric production-like states such as
+  invited-but-not-registered users.
+  ```ts
+  // Allow seeding invited userProfile rows without a _User row
+  seedPlugin({
+    distPath: "./seed",
+    disableIdpUserSync: { userToIdp: true },
+  }),
+  // Allow seeding _User rows whose userProfile row does not exist yet
+  seedPlugin({
+    distPath: "./seed",
+    disableIdpUserSync: { idpToUser: true },
+  }),
+  ```
+### Patch Changes
+- [#1189](https://github.com/tailor-platform/sdk/pull/1189) [`7bcd9c1`](https://github.com/tailor-platform/sdk/commit/7bcd9c14eaed52df95b4a6523804a8a971797473) Thanks [@toiroakr](https://github.com/toiroakr)! - Improve tree-shaking of `@tailor-platform/sdk` so applications that only import a subset of the public API ship less unused code:
+  - Add a selective `sideEffects` allow-list to `package.json`: only `dist/cli/*.mjs` and `dist/vitest/setup.mjs` retain side effects, the rest of `dist/` is marked side-effect-free so bundlers can drop modules whose only imports are unused.
+  - Replace the top-level `export const t = { ..._t }` spread in `configure/index.ts` with a direct alias, eliminating a side-effecting object construction that prevented elimination of unused field builders.
+  - Annotate configure-layer factories (`defineConfig`, `defineAuth`, `defineIdp`, `defineStaticWebSite`, `definePlugins`, `createResolver`, `createExecutor`, `createWorkflow`, `createWorkflowJob`, etc.) with `@__NO_SIDE_EFFECTS__` so calls whose return values are unused can be eliminated.
+  No public API surface changes.
+- [#1180](https://github.com/tailor-platform/sdk/pull/1180) [`3411070`](https://github.com/tailor-platform/sdk/commit/34110703daa5cafa40958f5b9dc6f21df5e201fb) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update @inquirer
+- [#1191](https://github.com/tailor-platform/sdk/pull/1191) [`a20354d`](https://github.com/tailor-platform/sdk/commit/a20354d47211e1955acd9086c4d25228ee2873de) Thanks [@dqn](https://github.com/dqn)! - **Security**: Harden permissions of the CLI config file (`~/.config/tailor-platform/config.yaml`) and local crash reports to `0o600`, with their parent directory at `0o700`. Previously these files inherited the user's `umask` (typically `0o644`), so on multi-user hosts or shared CI volumes other accounts could read access/refresh tokens stored in the config when the OS keyring is unavailable, as well as crash payloads.
+  **Action recommended**: If you have used the CLI on a multi-user host or in a shared CI environment, upgrade and run any `tailor-sdk` command once to auto-tighten existing files, or manually:
+  ```sh
+  chmod 700 ~/.config/tailor-platform
+  chmod 600 ~/.config/tailor-platform/config.yaml
+  ```
+  POSIX-only; on Windows the mode bits are best-effort and ACLs continue to govern access.
 ## 1.47.1
 ### Patch Changes

package/dist/{actor-jk4-f0yp.d.mts → actor-BeIEiPYM.d.mts} RENAMED Viewed

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { Bt as InferredAttributeMap, zt as InferredAttributeList } from "./tailor-db-field-Bn8ZC5lK.mjs";
+import { Bt as InferredAttributeMap, zt as InferredAttributeList } from "./tailor-db-field-4bMLe25-.mjs";
 //#region src/types/env.d.ts
 interface Env {}
@@ -27,4 +27,4 @@ type TailorActor = {
 };
 //#endregion
 export { Env as n, TailorEnv as r, TailorActor as t };
-//# sourceMappingURL=actor-jk4-f0yp.d.mts.map
+//# sourceMappingURL=actor-BeIEiPYM.d.mts.map

package/dist/application-BNkNt47b.mjs ADDED Viewed

@@ -0,0 +1,4 @@
+import { n as generatePluginFilesIfNeeded, r as loadApplication, t as defineApplication } from "./application-DUENhx4Y.mjs";
+export { defineApplication };

package/dist/{application-C7H7y0hS.mjs → application-DUENhx4Y.mjs} RENAMED Viewed

@@ -1,13 +1,14 @@
 import { n as isSdkBranded } from "./brand-D-d15jx3.mjs";
-import { u as initOAuth2Client } from "./client-DbyKSN1F.mjs";
+import { u as initOAuth2Client } from "./client-_kHh0Pip.mjs";
 import { a as parseBoolean, n as logger, r as styles } from "./logger-DTNAMYGy.mjs";
 import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "./enum-constants-C3KSpsYj.mjs";
 import { t as multiline } from "./multiline-e3IpANmS.mjs";
 import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-DjNi_3U_.mjs";
 import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "./kysely-type-B8aRz_oC.mjs";
-import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-DrKY5yIF.mjs";
+import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-DjfAn0BC.mjs";
 import { t as readPackageJson } from "./package-json-6Px8bDpG.mjs";
+import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-BHpxGyNf.mjs";
 import { createRequire } from "node:module";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
@@ -28,6 +29,42 @@ import { parseSync } from "oxc-parser";
 import * as inflection from "inflection";
 import * as globals from "globals";
+//#region src/parser/app-config/schema.ts
+const envValueSchema = z.union([
+	z.string(),
+	z.number(),
+	z.boolean()
+]);
+/**
+* Structural validation schema for `defineConfig({...})`. Validates only
+* top-level fields with platform-side constraints (notably `id`); fields
+* that carry SDK builder objects (`auth`, `idp`, `db`, ...) are accepted
+* as opaque values, since their internal shapes are validated by their
+* own factory functions and parser-level schemas.
+*
+* The `id` is auto-managed by `deploy` and stored as a plain UUID. A
+* label-compatible prefix is added at the metadata boundary, so user-facing
+* configs only need to carry a UUID.
+*/
+const AppConfigSchema = z.object({
+	id: z.uuid({ message: "'id' must be a UUID." }).optional(),
+	name: z.string().min(1, { message: "'name' must be a non-empty string." }),
+	env: z.record(z.string(), envValueSchema).optional(),
+	cors: z.array(z.string()).optional(),
+	allowedIpAddresses: z.array(z.string()).optional(),
+	disableIntrospection: z.boolean().optional(),
+	inlineSourcemap: z.boolean().optional(),
+	db: z.unknown().optional(),
+	resolver: z.unknown().optional(),
+	idp: z.unknown().optional(),
+	auth: z.unknown().optional(),
+	executor: z.unknown().optional(),
+	workflow: z.unknown().optional(),
+	staticWebsites: z.unknown().optional(),
+	secrets: z.unknown().optional()
+});
+//#endregion
 //#region src/parser/generator-config/schema.ts
 const DependencyKindSchema = z.enum([
 	"tailordb",
@@ -37,7 +74,11 @@ const DependencyKindSchema = z.enum([
 const KyselyTypeConfigSchema = z.tuple([z.literal("@tailor-platform/kysely-type"), z.object({ distPath: z.string() })]);
 const SeedConfigSchema = z.tuple([z.literal("@tailor-platform/seed"), z.object({
 	distPath: z.string(),
-	machineUserName: z.string().optional()
+	machineUserName: z.string().optional(),
+	disableIdpUserSync: z.object({
+		userToIdp: z.boolean().optional(),
+		idpToUser: z.boolean().optional()
+	}).optional()
 })]);
 const EnumConstantsConfigSchema = z.tuple([z.literal("@tailor-platform/enum-constants"), z.object({ distPath: z.string() })]);
 const FileUtilsConfigSchema = z.tuple([z.literal("@tailor-platform/file-utils"), z.object({ distPath: z.string() })]);
@@ -248,6 +289,7 @@ async function readPlatformConfig() {
 		return migrateV1ToV2(v1Config);
 	}
 	const rawConfig = parseYAML(fs$1.readFileSync(configPath, "utf-8"));
+	tightenSecretFilePermissions(configPath);
 	const version = rawConfig != null && typeof rawConfig === "object" && "version" in rawConfig ? rawConfig.version : void 0;
 	if (typeof version === "number" && version > LATEST_CONFIG_VERSION) {
 		const minSdk = "min_sdk_version" in rawConfig ? String(rawConfig.min_sdk_version) : void 0;
@@ -295,13 +337,14 @@ function toV1ForDisk(config) {
 * Write Tailor Platform CLI configuration to disk.
 * By default, V2 configs are converted to V1 for backward compatibility.
 * Set TAILOR_USE_KEYRING to write V2 format (required for keyring storage).
+*
+* The config file may contain access/refresh tokens when the OS keyring is
+* unavailable, so it is written via {@link writeSecretFile} so other users
+* on the host cannot read it.
 * @param config - Platform configuration to write
 */
 function writePlatformConfig(config) {
-	const configPath = platformConfigPath();
-	fs$1.mkdirSync(path.dirname(configPath), { recursive: true });
-	const diskConfig = config.version === 2 && !process.env.TAILOR_USE_KEYRING ? toV1ForDisk(config) : config;
-	fs$1.writeFileSync(configPath, stringifyYAML(diskConfig));
+	writeSecretFile(platformConfigPath(), stringifyYAML(config.version === 2 && !process.env.TAILOR_USE_KEYRING ? toV1ForDisk(config) : config));
 }
 const tcContextConfigSchema = z.object({
 	username: z.string().optional(),
@@ -508,14 +551,27 @@ function loadConfigPath(configPath) {
 //#endregion
 //#region src/cli/shared/mock.ts
-globalThis.tailordb = { Client: class {
-	constructor(_config) {}
-	async connect() {}
-	async end() {}
-	async queryObject() {
-		return {};
-	}
-} };
+/**
+* Install a stub `globalThis.tailordb` so that user code loaded by the CLI
+* (e.g. via `createGetDB` in `@tailor-platform/sdk/kysely`) can reference
+* `tailordb.Client` without hitting a `ReferenceError`. The CLI never
+* actually executes the user code paths that issue queries, so a no-op
+* client suffices.
+*
+* Exposed as a function (rather than a top-level statement) so that
+* `package.json#sideEffects` can keep the file marked side-effect-free
+* without bundlers eliminating the install step.
+*/
+function installCliTailordbStub() {
+	globalThis.tailordb = { Client: class {
+		constructor(_config) {}
+		async connect() {}
+		async end() {}
+		async queryObject() {
+			return {};
+		}
+	} };
+}
 //#endregion
 //#region src/cli/shared/config-loader.ts
@@ -526,12 +582,18 @@ const GeneratorConfigSchema = CodeGeneratorSchema.brand("CodeGenerator");
 * @returns Loaded config, generators, plugins, and config path
 */
 async function loadConfig(configPath) {
+	installCliTailordbStub();
 	const foundPath = loadConfigPath(configPath);
 	if (!foundPath) throw new Error("Configuration file not found: tailor.config.ts not found in current or parent directories");
 	const resolvedPath = path.resolve(process.cwd(), foundPath);
 	if (!fs$1.existsSync(resolvedPath)) throw new Error(`Configuration file not found: ${configPath}`);
 	const configModule = await import(pathToFileURL(resolvedPath).href);
 	if (!configModule || !configModule.default) throw new Error("Invalid Tailor config module: default export not found");
+	const validated = AppConfigSchema.safeParse(configModule.default);
+	if (!validated.success) {
+		const issues = validated.error.issues.map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`).join("\n");
+		throw new Error(`Invalid Tailor config in ${resolvedPath}:\n${issues}`);
+	}
 	const allGenerators = [];
 	const allPlugins = [];
 	for (const value of Object.values(configModule)) if (Array.isArray(value)) {
@@ -5129,6 +5191,7 @@ function defineServices(config, pluginManager) {
 function buildApplication(params) {
 	const application = {
 		name: params.config.name,
+		id: params.config.id,
 		config: params.config,
 		subgraphs: [
 			...params.tailordbResult.subgraphs,
@@ -5280,5 +5343,5 @@ async function loadApplication(params) {
 }
 //#endregion
-export { loadWorkspaceId as C, writePlatformConfig as D, saveUserTokens as E, loadAccessToken as S, resolveTokens as T, getDistDir as _, WorkflowJobSchema as a, deleteUserTokens as b, ExecutorSchema as c, buildResolverOperationHookExpr as d, OAuth2ClientSchema as f, createBundleCache as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, INVOKER_EXPR as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, createExecutorService as s, defineApplication as t, buildExecutorArgsExpr as u, hashFile as v, readPlatformConfig as w, fetchLatestToken as x, loadConfig as y };
-//# sourceMappingURL=application-C7H7y0hS.mjs.map
+export { loadConfigPath as C, saveUserTokens as D, resolveTokens as E, writePlatformConfig as O, loadAccessToken as S, readPlatformConfig as T, getDistDir as _, WorkflowJobSchema as a, deleteUserTokens as b, ExecutorSchema as c, buildResolverOperationHookExpr as d, OAuth2ClientSchema as f, createBundleCache as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, INVOKER_EXPR as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, createExecutorService as s, defineApplication as t, buildExecutorArgsExpr as u, hashFile as v, loadWorkspaceId as w, fetchLatestToken as x, loadConfig as y };
+//# sourceMappingURL=application-DUENhx4Y.mjs.map