@tailor-platform/sdk 1.47.1 → 1.49.0

package/CHANGELOG.md

@@ -1,5 +1,100 @@
 # @tailor-platform/sdk
 
+## 1.49.0
+
+### Minor Changes
+
+- [#1147](https://github.com/tailor-platform/sdk/pull/1147) [`f0de80a`](https://github.com/tailor-platform/sdk/commit/f0de80ac83a3e76bcb65be7957cb3d7bd1f80ec1) Thanks [@dqn](https://github.com/dqn)! - Add `--permission <write|read>` flag to `profile create`, `profile update`, and `workspace create` (when `--profile-name` is given) so editor users can use a viewer-style profile by default. Profiles created with `--permission read` block platform-state mutations driven by the operator's bearer token (`apply`, `remove`, `workspace create/delete/restore`, `secret create/update/delete`, `tailordb migrate set`, `tailordb truncate`, `tailordb erd deploy`, `executor trigger`, `staticwebsite deploy`, `authconnection authorize/revoke`, organization / folder / PAT / workspace-user mutations, and direct `api <endpoint>` calls) with a `PROFILE_READONLY` error. Application-data operations executed under a machine user (`query`, `workflow start/resume`, `function test-run`) are not gated because the machine user's own permissions already govern those mutations. Switch profile or run `profile update <name> --permission write` to lift the restriction. Profile management itself stays available so the flag can always be cleared. `profile update` skips remote user / workspace validation when only `--permission` is changing, so the flag can be cleared offline or with an expired token.
+
+  The guard activates only when a profile is in scope: pass `--profile <name>` or set `TAILOR_PLATFORM_PROFILE`. `TAILOR_PLATFORM_TOKEN` and `--workspace-id` direct access bypass the guard by design; they are intended for machine-user / CI flows where the platform token already encodes the permitted scope.
+
+### Patch Changes
+
+- [#1204](https://github.com/tailor-platform/sdk/pull/1204) [`6b1bbcb`](https://github.com/tailor-platform/sdk/commit/6b1bbcbe843340a912a3c75c2ecdb03c5697f967) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency rolldown to v1.0.1
+
+- [#1196](https://github.com/tailor-platform/sdk/pull/1196) [`c9b7d1e`](https://github.com/tailor-platform/sdk/commit/c9b7d1eae8a3cccf70191bd8c228cd11db6ed060) Thanks [@dqn](https://github.com/dqn)! - Eliminate the Node.js `DEP0205` `DeprecationWarning` (`` `module.register()` is deprecated. Use `module.registerHooks()` instead. ``) printed by every `tailor-sdk` CLI invocation on Node v26. The CLI now registers `tsx` through its own programmatic API (`tsx/esm/api`) instead of calling `node:module`'s `register("tsx", …)` directly, which on tsx 4.21.1+ routes through `module.registerHooks()` on Node ≥ 24.11.1 / 25.1 / 26 and falls back to `module.register()` on older runtimes. Bumps the bundled `tsx` from 4.21.0 to 4.21.1.
+
+- [#1179](https://github.com/tailor-platform/sdk/pull/1179) [`f72ffe1`](https://github.com/tailor-platform/sdk/commit/f72ffe1aed824eb9af5e7520529c3ebde029b5a6) Thanks [@toiroakr](https://github.com/toiroakr)! - Fix `tailor-sdk deploy --no-schema-check` to reconcile the TailorDB migration label to the working tree's latest migration number when it completes. Previously, running `deploy --no-schema-check` from a revision whose working tree is older than the remote left the remote migration label stale; the next `deploy` then reconstructed a snapshot at a label that no longer existed in the working tree and aborted with a false "Remote schema drift detected" error.
+
+## 1.48.0
+
+### Minor Changes
+
+- [#1118](https://github.com/tailor-platform/sdk/pull/1118) [`5ef8e01`](https://github.com/tailor-platform/sdk/commit/5ef8e01fbcee428d77925662006fd2cc7f64a522) Thanks [@toiroakr](https://github.com/toiroakr)! - Detect app renames via a stable, auto-injected `id` field in `tailor.config.ts`.
+
+  The SDK now writes a generated `id: "<uuid>"` field into the
+  `defineConfig({...})` call on first `deploy`, and stamps every managed
+  resource with an `sdk-app-id` metadata label. Subsequent deploys identify
+  ownership by the stable id rather than by the app name, so renaming the
+  app (or any of its resources) cleanly removes the old resources before
+  creating the new ones. The id is a plain UUID; the SDK adds the
+  label-compatible `app-` prefix internally at the metadata boundary.
+
+  Deleting the `id` field regenerates a new UUID on the next `deploy` —
+  typically done after copying `tailor.config.ts` from another project so
+  the new application does not share the original's id. Existing
+  resources keep their data and are re-tagged in place; `deploy` shows a
+  dedicated confirmation prompt for this case ("Application id was
+  regenerated for ..."), separate from the rename/transfer confirmation.
+
+  If your `tailor.config.ts` is a wrapper that re-exports `defineConfig` from
+  another file, the SDK skips id injection on the wrapper — add the `id`
+  field manually to the file that contains the actual `defineConfig({...})`
+  call. Existing deployments without the id continue to work and migrate
+  transparently on the next `deploy` run.
+
+- [#1156](https://github.com/tailor-platform/sdk/pull/1156) [`4311e05`](https://github.com/tailor-platform/sdk/commit/4311e05d59f2e4b92d312b2a0e991f69553c741c) Thanks [@toiroakr](https://github.com/toiroakr)! - Add `disableIdpUserSync` option to `seedPlugin` for opting out of the
+  `_User <-> userProfile` foreign keys emitted into the generated seed schema.
+
+  The seed plugin emits two foreign keys when `auth.userProfile` is configured
+  so that `validate` rejects rows on either side that lack a matching
+  counterpart:
+
+  - `_User.name → <userProfile>.<usernameField>` (`idpToUser`)
+  - `<userProfile>.<usernameField> → _User.name` (`userToIdp`)
+
+  Both are emitted by default, matching the previous behavior. Neither
+  direction is enforced by the runtime, so it can be useful to relax one when
+  seeding asymmetric production-like states such as
+  invited-but-not-registered users.
+
+  ```ts
+  // Allow seeding invited userProfile rows without a _User row
+  seedPlugin({
+    distPath: "./seed",
+    disableIdpUserSync: { userToIdp: true },
+  }),
+
+  // Allow seeding _User rows whose userProfile row does not exist yet
+  seedPlugin({
+    distPath: "./seed",
+    disableIdpUserSync: { idpToUser: true },
+  }),
+  ```
+
+### Patch Changes
+
+- [#1189](https://github.com/tailor-platform/sdk/pull/1189) [`7bcd9c1`](https://github.com/tailor-platform/sdk/commit/7bcd9c14eaed52df95b4a6523804a8a971797473) Thanks [@toiroakr](https://github.com/toiroakr)! - Improve tree-shaking of `@tailor-platform/sdk` so applications that only import a subset of the public API ship less unused code:
+
+  - Add a selective `sideEffects` allow-list to `package.json`: only `dist/cli/*.mjs` and `dist/vitest/setup.mjs` retain side effects, the rest of `dist/` is marked side-effect-free so bundlers can drop modules whose only imports are unused.
+  - Replace the top-level `export const t = { ..._t }` spread in `configure/index.ts` with a direct alias, eliminating a side-effecting object construction that prevented elimination of unused field builders.
+  - Annotate configure-layer factories (`defineConfig`, `defineAuth`, `defineIdp`, `defineStaticWebSite`, `definePlugins`, `createResolver`, `createExecutor`, `createWorkflow`, `createWorkflowJob`, etc.) with `@__NO_SIDE_EFFECTS__` so calls whose return values are unused can be eliminated.
+
+  No public API surface changes.
+
+- [#1180](https://github.com/tailor-platform/sdk/pull/1180) [`3411070`](https://github.com/tailor-platform/sdk/commit/34110703daa5cafa40958f5b9dc6f21df5e201fb) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update @inquirer
+
+- [#1191](https://github.com/tailor-platform/sdk/pull/1191) [`a20354d`](https://github.com/tailor-platform/sdk/commit/a20354d47211e1955acd9086c4d25228ee2873de) Thanks [@dqn](https://github.com/dqn)! - **Security**: Harden permissions of the CLI config file (`~/.config/tailor-platform/config.yaml`) and local crash reports to `0o600`, with their parent directory at `0o700`. Previously these files inherited the user's `umask` (typically `0o644`), so on multi-user hosts or shared CI volumes other accounts could read access/refresh tokens stored in the config when the OS keyring is unavailable, as well as crash payloads.
+
+  **Action recommended**: If you have used the CLI on a multi-user host or in a shared CI environment, upgrade and run any `tailor-sdk` command once to auto-tighten existing files, or manually:
+
+  ```sh
+  chmod 700 ~/.config/tailor-platform
+  chmod 600 ~/.config/tailor-platform/config.yaml
+  ```
+
+  POSIX-only; on Windows the mode bits are best-effort and ACLs continue to govern access.
+
 ## 1.47.1
 
 ### Patch Changes

package/dist/{actor-jk4-f0yp.d.mts → actor-BeIEiPYM.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { Bt as InferredAttributeMap, zt as InferredAttributeList } from "./tailor-db-field-Bn8ZC5lK.mjs";
+import { Bt as InferredAttributeMap, zt as InferredAttributeList } from "./tailor-db-field-4bMLe25-.mjs";
 
 //#region src/types/env.d.ts
 interface Env {}
@@ -27,4 +27,4 @@ type TailorActor = {
 };
 //#endregion
 export { Env as n, TailorEnv as r, TailorActor as t };
-//# sourceMappingURL=actor-jk4-f0yp.d.mts.map
+//# sourceMappingURL=actor-BeIEiPYM.d.mts.map

package/dist/{application-C7H7y0hS.mjs → application-CZMzt9jL.mjs}

@@ -1,13 +1,14 @@
 
 import { n as isSdkBranded } from "./brand-D-d15jx3.mjs";
-import { u as initOAuth2Client } from "./client-DbyKSN1F.mjs";
+import { u as initOAuth2Client } from "./client-_kHh0Pip.mjs";
 import { a as parseBoolean, n as logger, r as styles } from "./logger-DTNAMYGy.mjs";
 import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "./enum-constants-C3KSpsYj.mjs";
 import { t as multiline } from "./multiline-e3IpANmS.mjs";
 import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-DjNi_3U_.mjs";
 import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "./kysely-type-B8aRz_oC.mjs";
-import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-DrKY5yIF.mjs";
+import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-DjfAn0BC.mjs";
 import { t as readPackageJson } from "./package-json-6Px8bDpG.mjs";
+import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-BHpxGyNf.mjs";
 import { createRequire } from "node:module";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
@@ -28,6 +29,42 @@ import { parseSync } from "oxc-parser";
 import * as inflection from "inflection";
 import * as globals from "globals";
 
+//#region src/parser/app-config/schema.ts
+const envValueSchema = z.union([
+	z.string(),
+	z.number(),
+	z.boolean()
+]);
+/**
+* Structural validation schema for `defineConfig({...})`. Validates only
+* top-level fields with platform-side constraints (notably `id`); fields
+* that carry SDK builder objects (`auth`, `idp`, `db`, ...) are accepted
+* as opaque values, since their internal shapes are validated by their
+* own factory functions and parser-level schemas.
+*
+* The `id` is auto-managed by `deploy` and stored as a plain UUID. A
+* label-compatible prefix is added at the metadata boundary, so user-facing
+* configs only need to carry a UUID.
+*/
+const AppConfigSchema = z.object({
+	id: z.uuid({ message: "'id' must be a UUID." }).optional(),
+	name: z.string().min(1, { message: "'name' must be a non-empty string." }),
+	env: z.record(z.string(), envValueSchema).optional(),
+	cors: z.array(z.string()).optional(),
+	allowedIpAddresses: z.array(z.string()).optional(),
+	disableIntrospection: z.boolean().optional(),
+	inlineSourcemap: z.boolean().optional(),
+	db: z.unknown().optional(),
+	resolver: z.unknown().optional(),
+	idp: z.unknown().optional(),
+	auth: z.unknown().optional(),
+	executor: z.unknown().optional(),
+	workflow: z.unknown().optional(),
+	staticWebsites: z.unknown().optional(),
+	secrets: z.unknown().optional()
+});
+
+//#endregion
 //#region src/parser/generator-config/schema.ts
 const DependencyKindSchema = z.enum([
 	"tailordb",
@@ -37,7 +74,11 @@ const DependencyKindSchema = z.enum([
 const KyselyTypeConfigSchema = z.tuple([z.literal("@tailor-platform/kysely-type"), z.object({ distPath: z.string() })]);
 const SeedConfigSchema = z.tuple([z.literal("@tailor-platform/seed"), z.object({
 	distPath: z.string(),
-	machineUserName: z.string().optional()
+	machineUserName: z.string().optional(),
+	disableIdpUserSync: z.object({
+		userToIdp: z.boolean().optional(),
+		idpToUser: z.boolean().optional()
+	}).optional()
 })]);
 const EnumConstantsConfigSchema = z.tuple([z.literal("@tailor-platform/enum-constants"), z.object({ distPath: z.string() })]);
 const FileUtilsConfigSchema = z.tuple([z.literal("@tailor-platform/file-utils"), z.object({ distPath: z.string() })]);
@@ -157,7 +198,8 @@ async function deleteKeyringTokens(account) {
 //#region src/cli/shared/context.ts
 const pfProfileSchema = z.object({
 	user: z.string(),
-	workspace_id: z.string()
+	workspace_id: z.string(),
+	readonly: z.boolean().optional()
 });
 const pfUserSchemaV1 = z.object({
 	access_token: z.string(),
@@ -248,6 +290,7 @@ async function readPlatformConfig() {
 		return migrateV1ToV2(v1Config);
 	}
 	const rawConfig = parseYAML(fs$1.readFileSync(configPath, "utf-8"));
+	tightenSecretFilePermissions(configPath);
 	const version = rawConfig != null && typeof rawConfig === "object" && "version" in rawConfig ? rawConfig.version : void 0;
 	if (typeof version === "number" && version > LATEST_CONFIG_VERSION) {
 		const minSdk = "min_sdk_version" in rawConfig ? String(rawConfig.min_sdk_version) : void 0;
@@ -295,13 +338,14 @@ function toV1ForDisk(config) {
 * Write Tailor Platform CLI configuration to disk.
 * By default, V2 configs are converted to V1 for backward compatibility.
 * Set TAILOR_USE_KEYRING to write V2 format (required for keyring storage).
+*
+* The config file may contain access/refresh tokens when the OS keyring is
+* unavailable, so it is written via {@link writeSecretFile} so other users
+* on the host cannot read it.
 * @param config - Platform configuration to write
 */
 function writePlatformConfig(config) {
-	const configPath = platformConfigPath();
-	fs$1.mkdirSync(path.dirname(configPath), { recursive: true });
-	const diskConfig = config.version === 2 && !process.env.TAILOR_USE_KEYRING ? toV1ForDisk(config) : config;
-	fs$1.writeFileSync(configPath, stringifyYAML(diskConfig));
+	writeSecretFile(platformConfigPath(), stringifyYAML(config.version === 2 && !process.env.TAILOR_USE_KEYRING ? toV1ForDisk(config) : config));
 }
 const tcContextConfigSchema = z.object({
 	username: z.string().optional(),
@@ -508,14 +552,27 @@ function loadConfigPath(configPath) {
 
 //#endregion
 //#region src/cli/shared/mock.ts
-globalThis.tailordb = { Client: class {
-	constructor(_config) {}
-	async connect() {}
-	async end() {}
-	async queryObject() {
-		return {};
-	}
-} };
+/**
+* Install a stub `globalThis.tailordb` so that user code loaded by the CLI
+* (e.g. via `createGetDB` in `@tailor-platform/sdk/kysely`) can reference
+* `tailordb.Client` without hitting a `ReferenceError`. The CLI never
+* actually executes the user code paths that issue queries, so a no-op
+* client suffices.
+*
+* Exposed as a function (rather than a top-level statement) so that
+* `package.json#sideEffects` can keep the file marked side-effect-free
+* without bundlers eliminating the install step.
+*/
+function installCliTailordbStub() {
+	globalThis.tailordb = { Client: class {
+		constructor(_config) {}
+		async connect() {}
+		async end() {}
+		async queryObject() {
+			return {};
+		}
+	} };
+}
 
 //#endregion
 //#region src/cli/shared/config-loader.ts
@@ -526,12 +583,18 @@ const GeneratorConfigSchema = CodeGeneratorSchema.brand("CodeGenerator");
 * @returns Loaded config, generators, plugins, and config path
 */
 async function loadConfig(configPath) {
+	installCliTailordbStub();
 	const foundPath = loadConfigPath(configPath);
 	if (!foundPath) throw new Error("Configuration file not found: tailor.config.ts not found in current or parent directories");
 	const resolvedPath = path.resolve(process.cwd(), foundPath);
 	if (!fs$1.existsSync(resolvedPath)) throw new Error(`Configuration file not found: ${configPath}`);
 	const configModule = await import(pathToFileURL(resolvedPath).href);
 	if (!configModule || !configModule.default) throw new Error("Invalid Tailor config module: default export not found");
+	const validated = AppConfigSchema.safeParse(configModule.default);
+	if (!validated.success) {
+		const issues = validated.error.issues.map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`).join("\n");
+		throw new Error(`Invalid Tailor config in ${resolvedPath}:\n${issues}`);
+	}
 	const allGenerators = [];
 	const allPlugins = [];
 	for (const value of Object.values(configModule)) if (Array.isArray(value)) {
@@ -5129,6 +5192,7 @@ function defineServices(config, pluginManager) {
 function buildApplication(params) {
 	const application = {
 		name: params.config.name,
+		id: params.config.id,
 		config: params.config,
 		subgraphs: [
 			...params.tailordbResult.subgraphs,
@@ -5280,5 +5344,5 @@ async function loadApplication(params) {
 }
 
 //#endregion
-export { loadWorkspaceId as C, writePlatformConfig as D, saveUserTokens as E, loadAccessToken as S, resolveTokens as T, getDistDir as _, WorkflowJobSchema as a, deleteUserTokens as b, ExecutorSchema as c, buildResolverOperationHookExpr as d, OAuth2ClientSchema as f, createBundleCache as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, INVOKER_EXPR as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, createExecutorService as s, defineApplication as t, buildExecutorArgsExpr as u, hashFile as v, readPlatformConfig as w, fetchLatestToken as x, loadConfig as y };
-//# sourceMappingURL=application-C7H7y0hS.mjs.map
+export { loadConfigPath as C, saveUserTokens as D, resolveTokens as E, writePlatformConfig as O, loadAccessToken as S, readPlatformConfig as T, getDistDir as _, WorkflowJobSchema as a, deleteUserTokens as b, ExecutorSchema as c, buildResolverOperationHookExpr as d, OAuth2ClientSchema as f, createBundleCache as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, INVOKER_EXPR as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, createExecutorService as s, defineApplication as t, buildExecutorArgsExpr as u, hashFile as v, loadWorkspaceId as w, fetchLatestToken as x, loadConfig as y };
+//# sourceMappingURL=application-CZMzt9jL.mjs.map