@tailor-platform/sdk 1.47.1 → 1.49.0

package/dist/{runtime-XjP6JMmP.mjs → runtime-oZgK353r.mjs}

@@ -1,12 +1,12 @@
 
-import { r as db } from "./tailordb-DjlNUV6u.mjs";
-import { $ as FilterSchema, A as FunctionExecution_Status, B as AuthOAuth2Client_GrantType, C as TailorDBType_Permission_Operator, D as IdPLang, E as PipelineResolver_OperationType, F as AuthConnection_Type, H as AuthSCIMAttribute_Type, I as AuthHookPoint, J as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, K as TenantProviderConfig_TenantProviderType, L as AuthIDPConfig_AuthType, M as ExecutorJobStatus, N as ExecutorTargetType, O as IdPPermissionOperator, P as ExecutorTriggerType, Q as Condition_Operator, R as AuthInvokerSchema, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Uniqueness, V as AuthSCIMAttribute_Mutability, W as AuthSCIMConfig_AuthorizationType, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, Z as ConditionSchema, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as PageDirection, g as OperatorService, h as userAgent, i as fetchAll, k as IdPPermissionPermit, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as UserProfileProviderConfig_UserProfileProviderType, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthOAuth2Client_ClientType } from "./client-DbyKSN1F.mjs";
+import { t as db } from "./schema-C5QjYEc-.mjs";
+import { $ as FilterSchema, A as FunctionExecution_Status, B as AuthOAuth2Client_GrantType, C as TailorDBType_Permission_Operator, D as IdPLang, E as PipelineResolver_OperationType, F as AuthConnection_Type, H as AuthSCIMAttribute_Type, I as AuthHookPoint, J as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, K as TenantProviderConfig_TenantProviderType, L as AuthIDPConfig_AuthType, M as ExecutorJobStatus, N as ExecutorTargetType, O as IdPPermissionOperator, P as ExecutorTriggerType, Q as Condition_Operator, R as AuthInvokerSchema, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Uniqueness, V as AuthSCIMAttribute_Mutability, W as AuthSCIMConfig_AuthorizationType, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, Z as ConditionSchema, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as PageDirection, g as OperatorService, h as userAgent, i as fetchAll, k as IdPPermissionPermit, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as UserProfileProviderConfig_UserProfileProviderType, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthOAuth2Client_ClientType } from "./client-_kHh0Pip.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DTNAMYGy.mjs";
-import { C as loadWorkspaceId, D as writePlatformConfig, S as loadAccessToken, _ as getDistDir, d as buildResolverOperationHookExpr, f as OAuth2ClientSchema, g as createBundleCache, h as loadFilesWithIgnores, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as createExecutorService, t as defineApplication, u as buildExecutorArgsExpr, v as hashFile, w as readPlatformConfig, y as loadConfig } from "./application-C7H7y0hS.mjs";
+import { C as loadConfigPath, O as writePlatformConfig, S as loadAccessToken, T as readPlatformConfig, _ as getDistDir, d as buildResolverOperationHookExpr, f as OAuth2ClientSchema, g as createBundleCache, h as loadFilesWithIgnores, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as createExecutorService, t as defineApplication, u as buildExecutorArgsExpr, v as hashFile, w as loadWorkspaceId, y as loadConfig } from "./application-CZMzt9jL.mjs";
 import { t as multiline } from "./multiline-e3IpANmS.mjs";
 import { t as readPackageJson } from "./package-json-6Px8bDpG.mjs";
-import { n as isCLIError, t as createCLIError } from "./errors-wNQxQQBH.mjs";
-import { r as withSpan } from "./telemetry-DcL8Fsm_.mjs";
+import { n as isCLIError, t as createCLIError } from "./errors-pMPXghkO.mjs";
+import { r as withSpan } from "./telemetry-C1Y56L5E.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
@@ -23,7 +23,7 @@ import { xdgConfig } from "xdg-basedir";
 import { Code, ConnectError } from "@connectrpc/connect";
 import { resolveTSConfig } from "pkg-types";
 import { ScalarType, create, fromJson, toJson } from "@bufbuild/protobuf";
-import * as crypto from "node:crypto";
+import * as crypto$1 from "node:crypto";
 import { createHash } from "node:crypto";
 import { ExitPromptError } from "@inquirer/core";
 import { confirm, input, password } from "@inquirer/prompts";
@@ -31,6 +31,7 @@ import { isCI } from "std-env";
 import * as rolldown from "rolldown";
 import * as fs from "node:fs/promises";
 import { glob } from "node:fs/promises";
+import { parseSync } from "oxc-parser";
 import * as inflection from "inflection";
 import { setTimeout as setTimeout$1 } from "timers/promises";
 import { spawn } from "node:child_process";
@@ -266,6 +267,38 @@ function isVerbose() {
 */
 const defineAppCommand = createDefineCommand();
 
+//#endregion
+//#region src/cli/shared/readonly-guard.ts
+/**
+* Throw a CLIError if the active profile has `readonly: true`.
+*
+* Resolves the active profile in this order:
+* 1. `opts.profile` (CLI flag)
+* 2. `process.env.TAILOR_PLATFORM_PROFILE`
+*
+* If neither is set, no profile is in scope so the call is allowed. This is
+* intentional: `TAILOR_PLATFORM_TOKEN` direct access (CI / machine user) and
+* `--workspace-id` without a profile are out-of-band paths whose authorization
+* is governed by the bearer token itself, not by the local profile flag.
+*
+* If the resolved profile cannot be found in the config, this function returns
+* silently and lets downstream loaders surface the not-found error.
+* @param opts - Options
+* @param opts.profile - Optional explicit profile name from command args
+*/
+async function assertWritable(opts) {
+	const profileName = opts?.profile || process.env.TAILOR_PLATFORM_PROFILE;
+	if (!profileName) return;
+	const profile = (await readPlatformConfig()).profiles[profileName];
+	if (!profile || profile.readonly !== true) return;
+	throw createCLIError({
+		code: "PROFILE_READONLY",
+		message: `Profile "${profileName}" is read-only.`,
+		details: "This profile blocks platform-state mutations (apply, create/update/delete, deploy, etc.). Application-data operations remain available because their permissions are governed by the machine user.",
+		suggestion: `Use a different profile, unset TAILOR_PLATFORM_PROFILE, or run 'tailor-sdk profile update ${profileName} --permission write'.`
+	});
+}
+
 //#endregion
 //#region src/cli/commands/api/api-call.ts
 /**
@@ -567,6 +600,7 @@ Values already present in \`--body\` are never overridden. If a value cannot be
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const methodName = extractMethodName(args.endpoint);
 		const method = getMethodDescriptor(methodName);
 		const parsedBody = parseBodyAsObject(args.body);
@@ -1443,6 +1477,11 @@ function trnPrefix(workspaceId) {
 }
 const sdkNameLabelKey = "sdk-name";
 const sdkVersionLabelKey = "sdk-version";
+const sdkAppIdLabelKey = "sdk-app-id";
+const appIdLabelPrefix = "app-";
+function toAppIdLabelValue(appId) {
+	return `${appIdLabelPrefix}${appId}`;
+}
 /**
 * Check whether existing metadata was produced by the current SDK version.
 * @param existingLabels - Labels currently stored on the remote resource
@@ -1453,13 +1492,33 @@ function hasMatchingSdkVersion(existingLabels, desiredLabels) {
 	return existingLabels?.[sdkVersionLabelKey] === desiredLabels?.[sdkVersionLabelKey];
 }
 /**
+* Determine whether a remote resource is owned by the given application.
+* When the resource carries an `sdk-app-id`, ownership is decided strictly
+* by id match — a resource explicitly tagged with another app's id is
+* NOT ours even if the legacy sdk-name happens to match. Resources without
+* `sdk-app-id` (legacy) fall back to sdk-name comparison.
+* @param labels - Labels currently stored on the remote resource
+* @param appName - Application name from the local config
+* @param appId - Stable application id from the local config (when present)
+* @returns True when the resource is owned by the application
+*/
+function isOwnedByApp(labels, appName, appId) {
+	if (!labels) return false;
+	const labelAppId = labels[sdkAppIdLabelKey];
+	if (labelAppId) return appId !== void 0 && labelAppId === toAppIdLabelValue(appId);
+	return labels[sdkNameLabelKey] === appName;
+}
+/**
 * Build metadata request with SDK labels.
-* @param trn - Target TRN
-* @param appName - Application name label
-* @param existingLabels - Existing labels to preserve (optional)
+* @param params - Parameters for building the metadata request
+* @param params.trn - Target TRN
+* @param params.appName - Application name label
+* @param params.appId - Stable application id label (when managed by SDK)
+* @param params.existingLabels - Existing labels to preserve (optional)
 * @returns Metadata request
 */
-async function buildMetaRequest(trn, appName, existingLabels) {
+async function buildMetaRequest(params) {
+	const { trn, appName, appId, existingLabels } = params;
 	const packageJson = await readPackageJson();
 	const sdkVersion = packageJson.version ? `v${packageJson.version.replace(/\./g, "-")}` : "unknown";
 	return {
@@ -1467,7 +1526,8 @@ async function buildMetaRequest(trn, appName, existingLabels) {
 		labels: {
 			...existingLabels ?? {},
 			[sdkNameLabelKey]: appName,
-			[sdkVersionLabelKey]: sdkVersion
+			[sdkVersionLabelKey]: sdkVersion,
+			...appId ? { [sdkAppIdLabelKey]: toAppIdLabelValue(appId) } : {}
 		}
 	};
 }
@@ -1568,11 +1628,20 @@ async function planApplication(context) {
 		}
 	});
 	if (forRemoval) {
-		if (existingApplications.some((app) => app.name === application.name)) changeSet.deletes.push({
-			name: application.name,
+		const ownedAppNames = /* @__PURE__ */ new Set();
+		if (existingApplications.some((app) => app.name === application.name)) ownedAppNames.add(application.name);
+		if (application.id) {
+			const others = existingApplications.filter((app) => !ownedAppNames.has(app.name));
+			const owned = await Promise.all(others.map(async (app) => {
+				return isOwnedByApp(await fetchAppLabels(client, workspaceId, app.name), application.name, application.id) ? app.name : null;
+			}));
+			for (const name of owned) if (name) ownedAppNames.add(name);
+		}
+		for (const name of ownedAppNames) changeSet.deletes.push({
+			name,
 			request: {
 				workspaceId,
-				applicationName: application.name
+				applicationName: name
 			}
 		});
 		return changeSet;
@@ -1602,7 +1671,11 @@ async function planApplication(context) {
 		});
 		if (idpConfigs.length > 0) authIdpConfigName = idpConfigs[0].name;
 	}
-	const metaRequest = await buildMetaRequest(trn$6(workspaceId, application.name), application.name);
+	const metaRequest = await buildMetaRequest({
+		trn: trn$6(workspaceId, application.name),
+		appName: application.name,
+		appId: application.id
+	});
 	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
 	const resolvedCors = await resolveStaticWebsiteUrls(client, workspaceId, application.config.cors, "CORS", { expectedLocalNames: expectedLocalWebsites });
 	const desired = normalizeComparableApplication(application, authNamespace, authIdpConfigName, resolvedCors);
@@ -1617,9 +1690,22 @@ async function planApplication(context) {
 		disableIntrospection: application.config.disableIntrospection
 	};
 	const existing = existingApplications.find((app) => app.name === application.name);
+	if (application.id) {
+		const otherApps = existingApplications.filter((app) => app.name !== application.name);
+		const renamedAway = await Promise.all(otherApps.map(async (app) => {
+			return isOwnedByApp(await fetchAppLabels(client, workspaceId, app.name), application.name, application.id) ? app.name : null;
+		}));
+		for (const name of renamedAway) if (name) changeSet.deletes.push({
+			name,
+			request: {
+				workspaceId,
+				applicationName: name
+			}
+		});
+	}
 	if (existing) {
-		const { metadata } = await client.getMetadata({ trn: trn$6(workspaceId, application.name) });
-		if (metadata?.labels?.["sdk-name"] === application.name && hasMatchingSdkVersion(metadata?.labels, metaRequest.labels) && areApplicationsEqual(existing, desired)) changeSet.unchanged.push({ name: application.name });
+		const labels = await fetchAppLabels(client, workspaceId, application.name);
+		if (isOwnedByApp(labels, application.name, application.id) && hasMatchingSdkVersion(labels, metaRequest.labels) && areApplicationsEqual(existing, desired)) changeSet.unchanged.push({ name: application.name });
 		else changeSet.updates.push({
 			name: application.name,
 			request,
@@ -1632,6 +1718,15 @@ async function planApplication(context) {
 	});
 	return changeSet;
 }
+async function fetchAppLabels(client, workspaceId, appName) {
+	try {
+		const { metadata } = await client.getMetadata({ trn: trn$6(workspaceId, appName) });
+		return metadata?.labels;
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.NotFound) return;
+		throw error;
+	}
+}
 function protoSubgraph(subgraph) {
 	let serviceType;
 	switch (subgraph.Type) {
@@ -1757,10 +1852,11 @@ function hasNonSecretFieldChanged(existing, desired) {
 * @param client - Operator client instance
 * @param workspaceId - Workspace ID
 * @param appName - Application name for ownership
+* @param appId - Stable application id (when managed by SDK)
 * @param auths - Auth services with connection configs
 * @returns Planned changes for auth connections
 */
-async function planAuthConnections(client, workspaceId, appName, auths) {
+async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 	const changeSet = createChangeSet("Auth connections");
 	const conflicts = [];
 	const unmanaged = [];
@@ -1787,7 +1883,8 @@ async function planAuthConnections(client, workspaceId, appName, auths) {
 			const { metadata } = await client.getMetadata({ trn: connectionTrn(workspaceId, resource.name) });
 			existingConnections[resource.name] = {
 				resource,
-				label: metadata?.labels[sdkNameLabelKey]
+				label: metadata?.labels[sdkNameLabelKey],
+				allLabels: metadata?.labels
 			};
 		} catch (error) {
 			if (error instanceof ConnectError && error.code === Code.InvalidArgument) {
@@ -1802,17 +1899,23 @@ async function planAuthConnections(client, workspaceId, appName, auths) {
 	const state = loadSecretsState();
 	for (const [name, config] of Object.entries(desiredConnections)) {
 		const existing = existingConnections[name];
-		const metaRequest = metadataSupported ? await buildMetaRequest(connectionTrn(workspaceId, name), appName) : void 0;
+		const metaRequest = metadataSupported ? await buildMetaRequest({
+			trn: connectionTrn(workspaceId, name),
+			appName,
+			appId
+		}) : void 0;
 		if (existing) {
-			if (metadataSupported && !existing.label) unmanaged.push({
-				resourceType: "Auth connection",
-				resourceName: name
-			});
-			else if (existing.label && existing.label !== appName) conflicts.push({
-				resourceType: "Auth connection",
-				resourceName: name,
-				currentOwner: existing.label
-			});
+			if (!isOwnedByApp(existing.allLabels, appName, appId)) {
+				if (metadataSupported && !existing.label) unmanaged.push({
+					resourceType: "Auth connection",
+					resourceName: name
+				});
+				else if (existing.label) conflicts.push({
+					resourceType: "Auth connection",
+					resourceName: name,
+					currentOwner: existing.label
+				});
+			}
 			const currentHash = hashConnectionConfig(config);
 			const storedHash = state.connections?.[name];
 			if (hasNonSecretFieldChanged(existing.resource, config) || currentHash !== storedHash) changeSet.replaces.push({
@@ -1834,11 +1937,12 @@ async function planAuthConnections(client, workspaceId, appName, auths) {
 	}
 	for (const [name, entry] of Object.entries(existingConnections)) {
 		if (!entry) continue;
-		if (entry.label && entry.label !== appName) {
+		const owned = isOwnedByApp(entry.allLabels, appName, appId);
+		if (entry.label && !owned) {
 			resourceOwners.add(entry.label);
 			continue;
 		}
-		if (entry.label === appName || !metadataSupported) changeSet.deletes.push({
+		if (owned || !metadataSupported) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -1934,7 +2038,7 @@ const CHUNK_SIZE = 64 * 1024;
 * @returns Hex-encoded SHA-256 hash
 */
 function computeContentHash(content) {
-	return crypto.createHash("sha256").update(content, "utf-8").digest("hex");
+	return crypto$1.createHash("sha256").update(content, "utf-8").digest("hex");
 }
 function functionRegistryTrn$1(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
@@ -2103,10 +2207,11 @@ function filterBundledWorkflowJobs(jobs, usedJobNames) {
 * @param client - Operator client instance
 * @param workspaceId - Workspace ID
 * @param appName - Application name
+* @param appId - Stable application id (when managed by SDK)
 * @param entries - Desired function entries
 * @returns Planned changes
 */
-async function planFunctionRegistry(client, workspaceId, appName, entries) {
+async function planFunctionRegistry(client, workspaceId, appName, appId, entries) {
 	const changeSet = createChangeSet("Function registry");
 	const conflicts = [];
 	const unmanaged = [];
@@ -2138,19 +2243,23 @@ async function planFunctionRegistry(client, workspaceId, appName, entries) {
 	}));
 	for (const entry of entries) {
 		const existing = existingMap[entry.name];
-		const metaRequest = await buildMetaRequest(functionRegistryTrn$1(workspaceId, entry.name), appName);
+		const metaRequest = await buildMetaRequest({
+			trn: functionRegistryTrn$1(workspaceId, entry.name),
+			appName,
+			appId
+		});
 		if (existing) {
-			const isManagedByApp = existing.label === appName;
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, appName, appId);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "Function registry",
 				resourceName: entry.name
 			});
-			else if (existing.label !== appName) conflicts.push({
+			else conflicts.push({
 				resourceType: "Function registry",
 				resourceName: entry.name,
 				currentOwner: existing.label
 			});
-			if (existing.resource.contentHash === entry.contentHash && isManagedByApp && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) changeSet.unchanged.push({ name: entry.name });
+			if (existing.resource.contentHash === entry.contentHash && owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) changeSet.unchanged.push({ name: entry.name });
 			else changeSet.updates.push({
 				name: entry.name,
 				entry,
@@ -2166,8 +2275,9 @@ async function planFunctionRegistry(client, workspaceId, appName, entries) {
 	for (const [name, existing] of Object.entries(existingMap)) {
 		if (!existing) continue;
 		const label = existing.label;
-		if (label && label !== appName) resourceOwners.add(label);
-		if (label === appName) changeSet.deletes.push({
+		const owned = isOwnedByApp(existing.allLabels, appName, appId);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name,
 			workspaceId
 		});
@@ -2659,7 +2769,7 @@ async function applyIdP(client, result, phase = "create-update") {
 async function planIdP(context) {
 	const { client, workspaceId, application, forRemoval, forceApplyAll = false, idpUserTriggerTargets } = context;
 	const idps = forRemoval ? [] : application.idpServices;
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, idps, idpUserTriggerTargets ?? /* @__PURE__ */ new Set());
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, application.id, idps, idpUserTriggerTargets ?? /* @__PURE__ */ new Set());
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -2746,7 +2856,7 @@ function areIdPServicesEqual(existing, desired) {
 		permission: normalizeComparablePermission(existing.permission)
 	}), desired);
 }
-async function planServices$3(client, workspaceId, appName, idps, idpUserTriggerTargets) {
+async function planServices$3(client, workspaceId, appName, appId, idps, idpUserTriggerTargets) {
 	const changeSet = createChangeSet("IdP services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -2777,7 +2887,11 @@ async function planServices$3(client, workspaceId, appName, idps, idpUserTrigger
 	for (const idp of idps) {
 		const namespaceName = idp.name;
 		const existing = existingServices[namespaceName];
-		const metaRequest = await buildMetaRequest(trn$5(workspaceId, namespaceName), appName);
+		const metaRequest = await buildMetaRequest({
+			trn: trn$5(workspaceId, namespaceName),
+			appName,
+			appId
+		});
 		let authorization;
 		switch (idp.authorization) {
 			case "insecure":
@@ -2823,17 +2937,17 @@ async function planServices$3(client, workspaceId, appName, idps, idpUserTrigger
 			permission: protoPermission
 		};
 		if (existing) {
-			const isManagedByApp = existing.label === appName;
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, appName, appId);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "IdP service",
 				resourceName: idp.name
 			});
-			else if (existing.label !== appName) conflicts.push({
+			else conflicts.push({
 				resourceType: "IdP service",
 				resourceName: idp.name,
 				currentOwner: existing.label
 			});
-			if (isManagedByApp && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areIdPServicesEqual(existing.resource, desired)) changeSet.unchanged.push({ name: namespaceName });
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areIdPServicesEqual(existing.resource, desired)) changeSet.unchanged.push({ name: namespaceName });
 			else changeSet.updates.push({
 				name: namespaceName,
 				request,
@@ -2847,9 +2961,11 @@ async function planServices$3(client, workspaceId, appName, idps, idpUserTrigger
 		});
 	}
 	Object.entries(existingServices).forEach(([namespaceName]) => {
-		const label = existingServices[namespaceName]?.label;
-		if (label && label !== appName) resourceOwners.add(label);
-		if (label === appName) changeSet.deletes.push({
+		const entry = existingServices[namespaceName];
+		const label = entry?.label;
+		const owned = isOwnedByApp(entry?.allLabels, appName, appId);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -3097,7 +3213,7 @@ async function planAuth(context) {
 		await application.authService.resolveNamespaces();
 		auths.push(application.authService);
 	}
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, auths, forceApplyAll);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$2(client, workspaceId, application.name, application.id, auths, forceApplyAll);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
 	const [idpConfigChangeSet, userProfileConfigChangeSet, tenantConfigChangeSet, machineUserChangeSet, authHookChangeSet, oauth2ClientChangeSet, scimChangeSet, scimResourceChangeSet, connectionResult] = await Promise.all([
@@ -3109,7 +3225,7 @@ async function planAuth(context) {
 		planOAuth2Clients(client, workspaceId, auths, deletedServices, expectedLocalWebsites, forceApplyAll),
 		planSCIMConfigs(client, workspaceId, auths, deletedServices),
 		planSCIMResources(client, workspaceId, auths, deletedServices),
-		planAuthConnections(client, workspaceId, application.name, auths)
+		planAuthConnections(client, workspaceId, application.name, application.id, auths)
 	]);
 	return {
 		changeSet: {
@@ -3132,7 +3248,7 @@ async function planAuth(context) {
 function trn$4(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:auth:${name}`;
 }
-async function planServices$2(client, workspaceId, appName, auths, forceApplyAll = false) {
+async function planServices$2(client, workspaceId, appName, appId, auths, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -3156,30 +3272,35 @@ async function planServices$2(client, workspaceId, appName, auths, forceApplyAll
 		const { metadata } = await client.getMetadata({ trn: trn$4(workspaceId, resource.namespace.name) });
 		existingServices[resource.namespace.name] = {
 			resource,
-			label: metadata?.labels[sdkNameLabelKey]
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
 		};
 	}));
 	for (const auth of auths) {
 		const { parsedConfig: config } = auth;
 		const existing = existingServices[config.name];
-		const metaRequest = await buildMetaRequest(trn$4(workspaceId, config.name), appName);
+		const metaRequest = await buildMetaRequest({
+			trn: trn$4(workspaceId, config.name),
+			appName,
+			appId
+		});
 		const request = {
 			workspaceId,
 			namespaceName: config.name,
 			publishSessionEvents: config.publishSessionEvents
 		};
 		if (existing) {
-			const isManagedByApp = existing.label === appName;
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, appName, appId);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "Auth service",
 				resourceName: config.name
 			});
-			else if (existing.label !== appName) conflicts.push({
+			else conflicts.push({
 				resourceType: "Auth service",
 				resourceName: config.name,
 				currentOwner: existing.label
 			});
-			if (!forceApplyAll && existing.resource.publishSessionEvents === (config.publishSessionEvents ?? false) && isManagedByApp) changeSet.unchanged.push({ name: config.name });
+			if (!forceApplyAll && existing.resource.publishSessionEvents === (config.publishSessionEvents ?? false) && owned) changeSet.unchanged.push({ name: config.name });
 			else changeSet.updates.push({
 				name: config.name,
 				request,
@@ -3193,9 +3314,11 @@ async function planServices$2(client, workspaceId, appName, auths, forceApplyAll
 		});
 	}
 	Object.entries(existingServices).forEach(([namespaceName]) => {
-		const label = existingServices[namespaceName]?.label;
-		if (label && label !== appName) resourceOwners.add(label);
-		if (label === appName) changeSet.deletes.push({
+		const entry = existingServices[namespaceName];
+		const label = entry?.label;
+		const owned = isOwnedByApp(entry?.allLabels, appName, appId);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -4159,10 +4282,99 @@ async function planAuthHooks(client, workspaceId, auths, deletedServices, forceA
 	return changeSet;
 }
 
+//#endregion
+//#region src/cli/commands/deploy/config-id-injector.ts
+const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function findDefineConfigCalls(node, results) {
+	if (!node || typeof node !== "object") return;
+	const n = node;
+	if (n.type === "CallExpression") {
+		const ce = n;
+		if (ce.callee.type === "Identifier" && ce.callee.name === "defineConfig") {
+			const arg = ce.arguments[0];
+			const configObj = arg && arg.type === "ObjectExpression" ? arg : null;
+			results.push({
+				callExpr: ce,
+				configObj
+			});
+		}
+	}
+	for (const key of Object.keys(n)) {
+		const child = n[key];
+		if (Array.isArray(child)) for (const c of child) findDefineConfigCalls(c, results);
+		else if (child && typeof child === "object") findDefineConfigCalls(child, results);
+	}
+}
+function findIdProperty(obj) {
+	for (const prop of obj.properties) {
+		if (prop.type !== "Property") continue;
+		if ((prop.key.type === "Identifier" ? prop.key.name : prop.key.type === "Literal" ? prop.key.value : null) === "id") return prop;
+	}
+	return null;
+}
+/**
+* Ensure `tailor.config.ts` has an `id` property on the `defineConfig({...})`
+* argument. Generates a UUID when missing and writes it back to the file.
+* Returns null when the file does not contain a `defineConfig()` call (e.g.
+* a wrapper that re-exports another config).
+* @param configPath - Absolute path to the config file
+* @returns Resolved id and whether it was newly injected, or null if skipped
+*/
+async function ensureConfigId(configPath) {
+	const source = await fs$1.promises.readFile(configPath, "utf-8");
+	const { program } = parseSync(configPath, source);
+	const calls = [];
+	findDefineConfigCalls(program, calls);
+	if (calls.length === 0) return null;
+	if (calls.length > 1) throw new Error(`Multiple defineConfig() calls found in ${configPath}. Only one is supported.`);
+	const { configObj } = calls[0];
+	if (!configObj) throw new Error(`defineConfig() argument must be an inline object literal in ${configPath} so the SDK can manage the 'id' field.`);
+	const idProp = findIdProperty(configObj);
+	if (idProp) {
+		const value = idProp.value;
+		if (value.type !== "Literal") throw new Error(`'id' field in ${configPath} must be a string literal. To use this config for a separate app, delete it.`);
+		const literalValue = value.value;
+		if (typeof literalValue !== "string" || literalValue === "") throw new Error(`'id' field in ${configPath} must be a non-empty string literal. To use this config for a separate app, delete it.`);
+		if (!uuidRegex.test(literalValue)) throw new Error(`'id' field in ${configPath} must be a UUID. To use this config for a separate app, delete it.`);
+		return {
+			id: literalValue,
+			injected: false
+		};
+	}
+	const id = crypto.randomUUID();
+	const newSource = insertIdProperty(source, configObj, id);
+	await fs$1.promises.writeFile(configPath, newSource, "utf-8");
+	logger.info(`Generated app id and wrote to ${configPath}: ${id}`);
+	return {
+		id,
+		injected: true
+	};
+}
+const idComment = "// SDK-managed app id — do not edit, except when copying this config to a separate app.";
+function insertIdProperty(source, configObj, id) {
+	const idLiteral = `id: ${JSON.stringify(id)}`;
+	if (configObj.properties.length > 0) {
+		const firstProp = configObj.properties[0];
+		const lineStart = source.lastIndexOf("\n", firstProp.start - 1) + 1;
+		const indent = source.slice(lineStart, firstProp.start);
+		const insertion = `${idComment}\n${indent}${idLiteral},\n${indent}`;
+		return source.slice(0, firstProp.start) + insertion + source.slice(firstProp.start);
+	}
+	const openBracePos = configObj.start + 1;
+	const braceLineStart = source.lastIndexOf("\n", configObj.start) + 1;
+	const baseIndent = source.slice(braceLineStart).match(/^[\t ]*/)?.[0] ?? "";
+	const innerIndent = `${baseIndent}  `;
+	const insertion = `\n${innerIndent}${idComment}\n${innerIndent}${idLiteral},\n${baseIndent}`;
+	return source.slice(0, openBracePos) + insertion + source.slice(openBracePos);
+}
+
 //#endregion
 //#region src/cli/commands/deploy/confirm.ts
 /**
 * Confirm reassignment of resources when owner conflicts are detected.
+* Splits into two scenarios: id regeneration (same sdk-name, different
+* sdk-app-id) and name mismatch (different sdk-name). Each gets its own
+* prompt because the user-facing meaning is different.
 * @param conflicts - Detected owner conflicts
 * @param appName - Target application name
 * @param yes - Whether to auto-confirm without prompting
@@ -4170,6 +4382,30 @@ async function planAuthHooks(client, workspaceId, auths, deletedServices, forceA
 */
 async function confirmOwnerConflict(conflicts, appName, yes) {
 	if (conflicts.length === 0) return;
+	const idRegenerated = conflicts.filter((c) => c.currentOwner === appName);
+	const nameMismatches = conflicts.filter((c) => c.currentOwner !== appName);
+	if (idRegenerated.length > 0) await confirmIdRegeneration(idRegenerated, appName, yes);
+	if (nameMismatches.length > 0) await confirmNameMismatch(nameMismatches, appName, yes);
+}
+async function confirmIdRegeneration(conflicts, appName, yes) {
+	logger.warn(`Application id was regenerated for "${appName}":`);
+	logger.log("  These resources still carry the previous id.");
+	logger.newline();
+	logger.log(`  ${styles.info("Resources")}:`);
+	for (const c of conflicts) logger.log(`    • ${styles.bold(c.resourceType)} ${styles.info(`"${c.resourceName}"`)}`);
+	if (yes) {
+		logger.success("Re-tagging resources with the new id (--yes flag specified)...", { mode: "plain" });
+		return;
+	}
+	if (!await prompt.confirm({
+		message: `Re-tag these resources with the new id for "${appName}"?\n${styles.dim("(The id in tailor.config.ts was removed since the previous deploy, so a new one was generated)")}`,
+		default: false
+	})) throw new Error(multiline`
+      Apply cancelled. Resources remain tagged with the previous id.
+      To override, run again and confirm, or use --yes flag.
+    `);
+}
+async function confirmNameMismatch(conflicts, appName, yes) {
 	const currentOwners = [...new Set(conflicts.map((c) => c.currentOwner))];
 	logger.warn("Application name mismatch detected:");
 	logger.log(`  ${styles.warning("Current application(s)")}: ${currentOwners.map((o) => styles.bold(`"${o}"`)).join(", ")}`);
@@ -4329,19 +4565,24 @@ async function planExecutor(context) {
 	const executors = forRemoval ? {} : await application.executorService?.loadExecutors() ?? {};
 	for (const executor of Object.values(executors)) {
 		const existing = existingExecutors[executor.name];
-		const metaRequest = await buildMetaRequest(trn$3(workspaceId, executor.name), application.name);
+		const metaRequest = await buildMetaRequest({
+			trn: trn$3(workspaceId, executor.name),
+			appName: application.name,
+			appId: application.id
+		});
 		const desiredExecutor = protoExecutor(application, executor);
 		if (existing) {
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, application.name, application.id);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "Executor",
 				resourceName: executor.name
 			});
-			else if (existing.label !== application.name) conflicts.push({
+			else conflicts.push({
 				resourceType: "Executor",
 				resourceName: executor.name,
 				currentOwner: existing.label
 			});
-			if (existing.label === application.name && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areExecutorsEqual(existing.resource, desiredExecutor)) changeSet.unchanged.push({ name: executor.name });
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areExecutorsEqual(existing.resource, desiredExecutor)) changeSet.unchanged.push({ name: executor.name });
 			else changeSet.updates.push({
 				name: executor.name,
 				request: {
@@ -4361,9 +4602,11 @@ async function planExecutor(context) {
 		});
 	}
 	Object.entries(existingExecutors).forEach(([name]) => {
-		const label = existingExecutors[name]?.label;
-		if (label && label !== application.name) resourceOwners.add(label);
-		if (label === application.name) changeSet.deletes.push({
+		const entry = existingExecutors[name];
+		const label = entry?.label;
+		const owned = isOwnedByApp(entry?.allLabels, application.name, application.id);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -4722,7 +4965,7 @@ async function planPipeline(context) {
 		pipelines.push(pipeline);
 	}
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, pipelines);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, application.id, pipelines);
 	const { changeSet: resolverChangeSet } = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, application.authService?.config.name, forceApplyAll);
 	return {
 		changeSet: {
@@ -4737,7 +4980,7 @@ async function planPipeline(context) {
 function trn$2(workspaceId, name) {
 	return `trn:v1:workspace:${workspaceId}:pipeline:${name}`;
 }
-async function planServices$1(client, workspaceId, appName, pipelines) {
+async function planServices$1(client, workspaceId, appName, appId, pipelines) {
 	const changeSet = createChangeSet("Pipeline services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -4767,18 +5010,23 @@ async function planServices$1(client, workspaceId, appName, pipelines) {
 	}));
 	for (const pipeline of pipelines) {
 		const existing = existingServices[pipeline.namespace];
-		const metaRequest = await buildMetaRequest(trn$2(workspaceId, pipeline.namespace), appName);
+		const metaRequest = await buildMetaRequest({
+			trn: trn$2(workspaceId, pipeline.namespace),
+			appName,
+			appId
+		});
 		if (existing) {
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, appName, appId);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "Pipeline service",
 				resourceName: pipeline.namespace
 			});
-			else if (existing.label !== appName) conflicts.push({
+			else conflicts.push({
 				resourceType: "Pipeline service",
 				resourceName: pipeline.namespace,
 				currentOwner: existing.label
 			});
-			if (existing.label === appName && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) changeSet.unchanged.push({ name: pipeline.namespace });
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) changeSet.unchanged.push({ name: pipeline.namespace });
 			else changeSet.updates.push({
 				name: pipeline.namespace,
 				request: {
@@ -4798,9 +5046,11 @@ async function planServices$1(client, workspaceId, appName, pipelines) {
 		});
 	}
 	Object.entries(existingServices).forEach(([namespaceName]) => {
-		const label = existingServices[namespaceName]?.label;
-		if (label && label !== appName) resourceOwners.add(label);
-		if (label === appName) changeSet.deletes.push({
+		const entry = existingServices[namespaceName];
+		const label = entry?.label;
+		const owned = isOwnedByApp(entry?.allLabels, appName, appId);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -5062,17 +5312,22 @@ async function planSecretManager(context) {
 		const vaultName = vault.vaultName;
 		const existing = existingVaults[vaultName];
 		if (existing) {
-			const metaRequest = await buildMetaRequest(vaultTrn$1(workspaceId, vaultName), application.name);
-			if (!existing.label) unmanaged.push({
+			const metaRequest = await buildMetaRequest({
+				trn: vaultTrn$1(workspaceId, vaultName),
+				appName: application.name,
+				appId: application.id
+			});
+			const owned = isOwnedByApp(existing.allLabels, application.name, application.id);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "Secret Manager vault",
 				resourceName: vaultName
 			});
-			else if (existing.label !== application.name) conflicts.push({
+			else conflicts.push({
 				resourceType: "Secret Manager vault",
 				resourceName: vaultName,
 				currentOwner: existing.label
 			});
-			if (existing.label === application.name && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) vaultChangeSet.unchanged.push({ name: vaultName });
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels)) vaultChangeSet.unchanged.push({ name: vaultName });
 			else vaultChangeSet.updates.push({
 				name: vaultName,
 				workspaceId
@@ -5133,8 +5388,9 @@ async function planSecretManager(context) {
 	for (const [name, entry] of Object.entries(existingVaults)) {
 		if (!entry) continue;
 		const label = entry.label;
-		if (label && label !== application.name) resourceOwners.add(label);
-		if (label === application.name) {
+		const owned = isOwnedByApp(entry.allLabels, application.name, application.id);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) {
 			const secrets = await fetchAll(async (pageToken, maxPageSize) => {
 				try {
 					const { secrets, nextPageToken } = await client.listSecretManagerSecrets({
@@ -5190,12 +5446,20 @@ async function applySecretManager(client, result, phase = "create-update", appli
 				secretmanagerVaultName: create.name
 			});
 			if (application) {
-				const metaRequest = await buildMetaRequest(vaultTrn$1(create.workspaceId, create.name), application.name);
+				const metaRequest = await buildMetaRequest({
+					trn: vaultTrn$1(create.workspaceId, create.name),
+					appName: application.name,
+					appId: application.id
+				});
 				await client.setMetadata(metaRequest);
 			}
 		}));
 		if (application) await Promise.all(vaultChangeSet.updates.map(async (update) => {
-			const metaRequest = await buildMetaRequest(vaultTrn$1(update.workspaceId, update.name), application.name);
+			const metaRequest = await buildMetaRequest({
+				trn: vaultTrn$1(update.workspaceId, update.name),
+				appName: application.name,
+				appId: application.id
+			});
 			await client.setMetadata(metaRequest);
 		}));
 		await Promise.all(secretChangeSet.creates.map((create) => client.createSecretManagerSecret({
@@ -5316,7 +5580,11 @@ async function planStaticWebsite(context) {
 		const config = websiteService;
 		const name = websiteService.name;
 		const existing = existingWebsites[name];
-		const metaRequest = await buildMetaRequest(trn$1(workspaceId, name), application.name);
+		const metaRequest = await buildMetaRequest({
+			trn: trn$1(workspaceId, name),
+			appName: application.name,
+			appId: application.id
+		});
 		const desired = normalizeComparableStaticWebsite(config);
 		const request = {
 			workspaceId,
@@ -5327,17 +5595,17 @@ async function planStaticWebsite(context) {
 			}
 		};
 		if (existing) {
-			const isManagedByApp = existing.label === application.name;
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, application.name, application.id);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "StaticWebsite",
 				resourceName: name
 			});
-			else if (existing.label !== application.name) conflicts.push({
+			else conflicts.push({
 				resourceType: "StaticWebsite",
 				resourceName: name,
 				currentOwner: existing.label
 			});
-			if (isManagedByApp && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areStaticWebsitesEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areStaticWebsitesEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
 			else changeSet.updates.push({
 				name,
 				request,
@@ -5351,9 +5619,11 @@ async function planStaticWebsite(context) {
 		});
 	}
 	Object.entries(existingWebsites).forEach(([name]) => {
-		const label = existingWebsites[name]?.label;
-		if (label && label !== application.name) resourceOwners.add(label);
-		if (label === application.name) changeSet.deletes.push({
+		const entry = existingWebsites[name];
+		const label = entry?.label;
+		const owned = isOwnedByApp(entry?.allLabels, application.name, application.id);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -7286,7 +7556,7 @@ function formatRemoteVerificationResults(results) {
 * @param {ReadonlyMap<string, Record<string, TailorDBType>>} typesByNamespace - Types by namespace
 * @param {LoadedConfig} config - Loaded application config (includes path)
 * @param {boolean} noSchemaCheck - Whether to skip schema diff check
-* @returns {Promise<PendingMigration[]>} List of pending migrations
+* @returns {Promise<ValidateAndDetectResult>} Pending migrations and namespaces that have migration directories configured
 */
 async function validateAndDetectMigrations(client, workspaceId, typesByNamespace, config, noSchemaCheck) {
 	const namespacesWithMigrations = getNamespacesWithMigrations(config, path.dirname(config.path));
@@ -7327,7 +7597,38 @@ async function validateAndDetectMigrations(client, workspaceId, typesByNamespace
 			if (withScripts.length > 0) logger.info(`  • ${withScripts.length} data migration(s) (requires migration script execution)`, { mode: "plain" });
 		}
 	}
-	return pendingMigrations;
+	return {
+		pendingMigrations,
+		namespacesWithMigrations
+	};
+}
+/**
+* Reconcile the on-remote migration label with the working tree's latest
+* migration number for each namespace.
+*
+* Used after a `--no-schema-check` apply: that flag skips the local/remote
+* snapshot drift checks, but if it also leaves the label untouched the remote
+* label can drift past the working tree's latest migration (e.g. when
+* checking out an older revision and re-deploying). A subsequent run would
+* then reconstruct the expected snapshot at a label that no longer exists in
+* the working tree, triggering a false drift error.
+*
+* Always force `label = working_tree_max` regardless of the previous label so
+* the invariant `label <= working_tree_max` is preserved.
+* @param client - Operator client instance
+* @param workspaceId - Workspace ID
+* @param namespacesWithMigrations - Namespaces that have migration directories configured
+*/
+async function reconcileMigrationLabels(client, workspaceId, namespacesWithMigrations) {
+	for (const { namespace, migrationsDir } of namespacesWithMigrations) {
+		const targetVersion = getLatestMigrationNumber(migrationsDir);
+		const currentVersion = await getRemoteMigrationNumber(client, workspaceId, namespace);
+		await updateMigrationLabel(client, workspaceId, namespace, targetVersion);
+		if (currentVersion !== targetVersion) {
+			const from = currentVersion === null ? "<unset>" : formatMigrationNumber(currentVersion);
+			logger.info(`Migration label for namespace ${namespace} reconciled: ${from} → ${formatMigrationNumber(targetVersion)}.`);
+		}
+	}
 }
 /**
 * Build migration execution context for script-based migrations.
@@ -7363,7 +7664,7 @@ async function applyTailorDB(client, result, phase = "create-update") {
 			const types = tailordb.types;
 			if (types) typesByNamespace.set(tailordb.namespace, types);
 		}
-		const pendingMigrations = await validateAndDetectMigrations(client, migrationContext.workspaceId, typesByNamespace, migrationContext.config, migrationContext.noSchemaCheck);
+		const { pendingMigrations, namespacesWithMigrations } = await validateAndDetectMigrations(client, migrationContext.workspaceId, typesByNamespace, migrationContext.config, migrationContext.noSchemaCheck);
 		if (pendingMigrations.length > 0) {
 			processedTypes.reset();
 			deletedResources.reset();
@@ -7403,6 +7704,7 @@ async function applyTailorDB(client, result, phase = "create-update") {
 			await Promise.all(changeSet.gqlPermission.deletes.map((del) => client.deleteTailorDBGQLPermission(del.request)));
 			await Promise.all(changeSet.type.deletes.map((del) => client.deleteTailorDBType(del.request)));
 		}
+		if (migrationContext.noSchemaCheck && namespacesWithMigrations.length > 0) await reconcileMigrationLabels(client, migrationContext.workspaceId, namespacesWithMigrations);
 	} else if (phase === "delete-resources") {
 		await Promise.all(changeSet.gqlPermission.deletes.map((del) => client.deleteTailorDBGQLPermission(del.request)));
 		await Promise.all(changeSet.type.deletes.map((del) => client.deleteTailorDBType(del.request)));
@@ -7657,7 +7959,7 @@ async function planTailorDB(context) {
 		tailordbs.push(tailordb);
 	}
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, tailordbs);
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, application.id, tailordbs);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const [typeChangeSet, gqlPermissionChangeSet] = await Promise.all([planTypes(client, workspaceId, tailordbs, executors, deletedServices, void 0, forceApplyAll), planGqlPermissions(client, workspaceId, tailordbs, deletedServices, forceApplyAll)]);
 	return {
@@ -7731,7 +8033,7 @@ function areTailorDBServicesEqual(existing, desired) {
 		defaultTimezone: "UTC"
 	}));
 }
-async function planServices(client, workspaceId, appName, tailordbs) {
+async function planServices(client, workspaceId, appName, appId, tailordbs) {
 	const changeSet = createChangeSet("TailorDB services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -7761,18 +8063,24 @@ async function planServices(client, workspaceId, appName, tailordbs) {
 	}));
 	for (const tailordb of tailordbs) {
 		const existing = existingServices[tailordb.namespace];
-		const metaRequest = await buildMetaRequest(trn(workspaceId, tailordb.namespace), appName, existing?.allLabels);
+		const metaRequest = await buildMetaRequest({
+			trn: trn(workspaceId, tailordb.namespace),
+			appName,
+			appId,
+			existingLabels: existing?.allLabels
+		});
 		if (existing) {
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, appName, appId);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "TailorDB service",
 				resourceName: tailordb.namespace
 			});
-			else if (existing.label !== appName) conflicts.push({
+			else conflicts.push({
 				resourceType: "TailorDB service",
 				resourceName: tailordb.namespace,
 				currentOwner: existing.label
 			});
-			if (existing.label === appName && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areTailorDBServicesEqual(existing.resource, tailordb)) changeSet.unchanged.push({ name: tailordb.namespace });
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areTailorDBServicesEqual(existing.resource, tailordb)) changeSet.unchanged.push({ name: tailordb.namespace });
 			else changeSet.updates.push({
 				name: tailordb.namespace,
 				metaRequest
@@ -7789,9 +8097,11 @@ async function planServices(client, workspaceId, appName, tailordbs) {
 		});
 	}
 	Object.entries(existingServices).forEach(([namespaceName]) => {
-		const label = existingServices[namespaceName]?.label;
-		if (label && label !== appName) resourceOwners.add(label);
-		if (label === appName) changeSet.deletes.push({
+		const entry = existingServices[namespaceName];
+		const label = entry?.label;
+		const owned = isOwnedByApp(entry?.allLabels, appName, appId);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name: namespaceName,
 			request: {
 				workspaceId,
@@ -8434,9 +8744,9 @@ function formatMigrationCheckResults(results) {
 * @returns Promise that resolves when workflows are applied
 */
 async function applyWorkflow(client, result, phase = "create-update") {
-	const { changeSet, appName } = result;
+	const { changeSet, appName, appId } = result;
 	if (phase === "create-update") {
-		const jobFunctionVersions = await registerJobFunctions(client, changeSet, appName, result.unchangedWorkflowJobNames);
+		const jobFunctionVersions = await registerJobFunctions(client, changeSet, appName, appId, result.unchangedWorkflowJobNames);
 		await Promise.all([...changeSet.creates.map(async (create) => {
 			const filteredVersions = filterJobFunctionVersions(jobFunctionVersions, create.usedJobNames);
 			await client.createWorkflow({
@@ -8484,10 +8794,11 @@ function filterJobFunctionVersions(allVersions, usedJobNames) {
 * @param client - Operator client instance
 * @param changeSet - Workflow change set
 * @param appName - Application name
+* @param appId
 * @param unchangedWorkflowJobNames - Job function names used by unchanged workflows
 * @returns Map of job function names to versions
 */
-async function registerJobFunctions(client, changeSet, appName, unchangedWorkflowJobNames = /* @__PURE__ */ new Set()) {
+async function registerJobFunctions(client, changeSet, appName, appId, unchangedWorkflowJobNames = /* @__PURE__ */ new Set()) {
 	const jobFunctionVersions = {};
 	const firstWorkflow = changeSet.creates[0] || changeSet.updates[0] || changeSet.deletes[0];
 	if (!firstWorkflow) return jobFunctionVersions;
@@ -8515,7 +8826,11 @@ async function registerJobFunctions(client, changeSet, appName, unchangedWorkflo
 				jobFunctionName: jobName,
 				scriptRef: workflowJobFunctionName(jobName)
 			});
-			await client.setMetadata(await buildMetaRequest(jobFunctionTrn(workspaceId, jobName), appName));
+			await client.setMetadata(await buildMetaRequest({
+				trn: jobFunctionTrn(workspaceId, jobName),
+				appName,
+				appId
+			}));
 			return {
 				jobName,
 				version: response.jobFunction?.version
@@ -8526,7 +8841,7 @@ async function registerJobFunctions(client, changeSet, appName, unchangedWorkflo
 	const unusedJobFunctions = existingJobFunctions.filter((jobName) => !allUsedJobNames.has(jobName));
 	await Promise.all(unusedJobFunctions.map(async (jobName) => {
 		const { metadata } = await client.getMetadata({ trn: jobFunctionTrn(workspaceId, jobName) });
-		if (metadata?.labels?.["sdk-name"] === appName) await client.setMetadata({
+		if (isOwnedByApp(metadata?.labels, appName, appId)) await client.setMetadata({
 			trn: jobFunctionTrn(workspaceId, jobName),
 			labels: { [sdkNameLabelKey]: "" }
 		});
@@ -8564,12 +8879,13 @@ function jobFunctionTrn(workspaceId, name) {
 * @param client - Operator client instance
 * @param workspaceId - Workspace ID
 * @param appName - Application name
+* @param appId
 * @param workflows - Parsed workflows
 * @param mainJobDeps - Main job dependencies by workflow
 * @param unchangedJobFunctions - Job functions already proven unchanged by function registry plan
 * @returns Planned workflow changes
 */
-async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps, unchangedJobFunctions = /* @__PURE__ */ new Set()) {
+async function planWorkflow(client, workspaceId, appName, appId, workflows, mainJobDeps, unchangedJobFunctions = /* @__PURE__ */ new Set()) {
 	const changeSet = createChangeSet("Workflows");
 	const conflicts = [];
 	const unmanaged = [];
@@ -8594,20 +8910,25 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 	}));
 	for (const workflow of Object.values(workflows)) {
 		const existing = existingWorkflows[workflow.name];
-		const metaRequest = await buildMetaRequest(workflowTrn$1(workspaceId, workflow.name), appName);
+		const metaRequest = await buildMetaRequest({
+			trn: workflowTrn$1(workspaceId, workflow.name),
+			appName,
+			appId
+		});
 		const usedJobNames = mainJobDeps[workflow.mainJob.name];
 		if (!usedJobNames) throw new Error(`Job "${workflow.mainJob.name}" (mainJob of workflow "${workflow.name}") was not found.\n\nPossible causes:\n  - The job is not exported as a named export\n  - The file containing the job is not included in workflow.files glob pattern\n\nSolution:\n  export const ${workflow.mainJob.name} = createWorkflowJob({ name: "${workflow.mainJob.name}", ... })`);
 		if (existing) {
-			if (!existing.label) unmanaged.push({
+			const owned = isOwnedByApp(existing.allLabels, appName, appId);
+			if (!owned) if (!existing.label) unmanaged.push({
 				resourceType: "Workflow",
 				resourceName: workflow.name
 			});
-			else if (existing.label !== appName) conflicts.push({
+			else conflicts.push({
 				resourceType: "Workflow",
 				resourceName: workflow.name,
 				currentOwner: existing.label
 			});
-			if (existing.label === appName && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && canTreatWorkflowAsUnchanged(existing.resource, workflow, usedJobNames, unchangedJobFunctions)) {
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && canTreatWorkflowAsUnchanged(existing.resource, workflow, usedJobNames, unchangedJobFunctions)) {
 				changeSet.unchanged.push({ name: workflow.name });
 				for (const jobName of usedJobNames) unchangedWorkflowJobNames.add(jobName);
 			} else changeSet.updates.push({
@@ -8629,8 +8950,9 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 	Object.values(existingWorkflows).forEach((existing) => {
 		if (!existing) return;
 		const label = existing.label;
-		if (label && label !== appName) resourceOwners.add(label);
-		if (label === appName) changeSet.deletes.push({
+		const owned = isOwnedByApp(existing.allLabels, appName, appId);
+		if (label && !owned) resourceOwners.add(label);
+		if (owned) changeSet.deletes.push({
 			name: existing.resource.name,
 			workspaceId,
 			workflowId: existing.resource.id,
@@ -8643,6 +8965,7 @@ async function planWorkflow(client, workspaceId, appName, workflows, mainJobDeps
 		unmanaged,
 		resourceOwners,
 		appName,
+		appId,
 		unchangedWorkflowJobNames
 	};
 }
@@ -8765,7 +9088,11 @@ function collectIdpUserTriggerTargets(application) {
 	return targets;
 }
 async function shouldForceApplyAll(client, workspaceId, application, functionEntries) {
-	const desiredLabels = (await buildMetaRequest(applicationTrn(workspaceId, application.name), application.name)).labels;
+	const desiredLabels = (await buildMetaRequest({
+		trn: applicationTrn(workspaceId, application.name),
+		appName: application.name,
+		appId: application.id
+	})).labels;
 	const candidateTrns = /* @__PURE__ */ new Set();
 	if (application.subgraphs.length > 0) candidateTrns.add(applicationTrn(workspaceId, application.name));
 	application.staticWebsiteServices.forEach((website) => {
@@ -8902,9 +9229,16 @@ async function deploy(options) {
 	return withSpan("deploy", async (rootSpan) => {
 		rootSpan.setAttribute("deploy.dry_run", options?.dryRun ?? false);
 		const { config, application, workflowBuildResult, bundledScripts, buildOnly } = await withSpan("build", async () => {
-			const { config, plugins } = await withSpan("build.loadConfig", () => loadConfig(options?.configPath));
 			const dryRun = options?.dryRun ?? false;
 			const buildOnly = options?.buildOnly ?? parseBoolean(process.env.TAILOR_PLATFORM_SDK_BUILD_ONLY) === true;
+			const { config, plugins } = await withSpan("build.loadConfig", async () => {
+				const foundPath = loadConfigPath(options?.configPath);
+				if (foundPath && !dryRun && !buildOnly) {
+					const resolvedPath = path.resolve(process.cwd(), foundPath);
+					if (fs$1.existsSync(resolvedPath)) await ensureConfigId(resolvedPath);
+				}
+				return loadConfig(options?.configPath);
+			});
 			const noCache = options?.noCache ?? false;
 			const packageJson = await readPackageJson();
 			const cacheDir = path.resolve(getDistDir(), "cache");
@@ -8982,7 +9316,7 @@ async function deploy(options) {
 				forceApplyAll,
 				idpUserTriggerTargets
 			};
-			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, functionEntries));
+			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, application.id, functionEntries));
 			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.filter((entry) => entry.name.startsWith(WORKFLOW_PREFIX)).map((entry) => entry.name.slice(WORKFLOW_PREFIX.length)));
 			const [tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
@@ -8992,7 +9326,7 @@ async function deploy(options) {
 				withSpan("plan.pipeline", () => planPipeline(ctx)),
 				withSpan("plan.application", () => planApplication(ctx)),
 				withSpan("plan.executor", () => planExecutor(ctx)),
-				withSpan("plan.workflow", () => planWorkflow(client, workspaceId, application.name, workflowService?.workflows ?? {}, workflowBuildResult?.mainJobDeps ?? {}, unchangedWorkflowJobs)),
+				withSpan("plan.workflow", () => planWorkflow(client, workspaceId, application.name, application.id, workflowService?.workflows ?? {}, workflowBuildResult?.mainJobDeps ?? {}, unchangedWorkflowJobs)),
 				withSpan("plan.secretManager", () => planSecretManager(ctx))
 			]);
 			return {
@@ -10688,6 +11022,7 @@ The \`--logs\` option displays logs from the downstream execution when available
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const client = await initOperatorClient(await loadAccessToken({
 			useProfile: true,
 			profile: args.profile
@@ -11820,7 +12155,9 @@ function createGenerationManager(params) {
 */
 async function generate$1(options) {
 	return withSpan("generate", async (rootSpan) => {
-		const { config, generators, plugins } = await withSpan("generate.loadConfig", async () => loadConfig(options?.configPath));
+		const { config, generators, plugins } = await withSpan("generate.loadConfig", async () => {
+			return loadConfig(options?.configPath);
+		});
 		const watch = options?.watch ?? false;
 		rootSpan.setAttribute("generate.watch", watch);
 		rootSpan.setAttribute("generate.generators.count", generators.length);
@@ -12192,6 +12529,7 @@ const createCommand$1 = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const folder = await createFolder({
 			organizationId: args["organization-id"],
 			parentFolderId: args["parent-folder-id"],
@@ -12230,6 +12568,7 @@ const deleteCommand$1 = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const client = await initOperatorClient(await loadAccessToken());
 		let folderName;
 		try {
@@ -12380,6 +12719,7 @@ const updateCommand$2 = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const folder = await updateFolder({
 			organizationId: args["organization-id"],
 			folderId: args["folder-id"],
@@ -12605,6 +12945,7 @@ const updateCommand$1 = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const organization = await updateOrganization({
 			organizationId: args["organization-id"],
 			name: args.name
@@ -12648,8 +12989,8 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	const pipeline = await planPipeline(ctx);
 	const app = await planApplication(ctx);
 	const executor = await planExecutor(ctx);
-	const workflow = await planWorkflow(client, workspaceId, application.name, {}, {});
-	const functionRegistry = await planFunctionRegistry(client, workspaceId, application.name, []);
+	const workflow = await planWorkflow(client, workspaceId, application.name, application.id, {}, {});
+	const functionRegistry = await planFunctionRegistry(client, workspaceId, application.name, application.id, []);
 	const secretManager = await planSecretManager(ctx);
 	functionRegistry.changeSet.print();
 	staticWebsite.changeSet.print();
@@ -12709,6 +13050,7 @@ const removeCommand$1 = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const { client, workspaceId, application, config } = await loadOptions$10({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -13372,7 +13714,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-Csq5jxYP.mjs");
+	const { defineApplication } = await import("./application-v_E2W-Fz.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -13702,6 +14044,7 @@ const truncateCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const types = args.types && args.types.length > 0 ? args.types : void 0;
 		await $truncate({
 			workspaceId: args["workspace-id"],
@@ -14084,9 +14427,11 @@ const createCommand = defineAppCommand({
 			alias: "p",
 			description: "Profile name to create"
 		}),
-		"profile-user": arg(z.string().optional(), { description: "User email for the profile (defaults to current user)" })
+		"profile-user": arg(z.string().optional(), { description: "User email for the profile (defaults to current user)" }),
+		permission: arg(z.enum(["write", "read"]).default("write"), { description: "Profile permission (requires --profile-name). 'read' blocks all write commands while the profile is active." })
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const workspace = await createWorkspace({
 			name: args.name,
 			region: args.region,
@@ -14104,13 +14449,15 @@ const createCommand = defineAppCommand({
 			if (!config.users[profileUser]) throw new Error(`User "${profileUser}" not found.\nPlease verify your user name and login using 'tailor-sdk login' command.`);
 			config.profiles[profileName] = {
 				user: profileUser,
-				workspace_id: workspace.id
+				workspace_id: workspace.id,
+				...args.permission === "read" ? { readonly: true } : {}
 			};
 			writePlatformConfig(config);
 			profileInfo = {
 				name: profileName,
 				user: profileUser,
-				workspaceId: workspace.id
+				workspaceId: workspace.id,
+				permission: args.permission
 			};
 			if (!args.json) logger.success(`Profile "${profileName}" created successfully.`);
 		}
@@ -14161,6 +14508,7 @@ const deleteCommand = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const { client, workspaceId } = await loadOptions$7({ workspaceId: args["workspace-id"] });
 		let workspace;
 		try {
@@ -14298,6 +14646,7 @@ const restoreCommand = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const { client, workspaceId } = await loadOptions$5({ workspaceId: args["workspace-id"] });
 		if (!args.yes) {
 			if (await prompt.text({ message: `Are you sure you want to restore workspace "${workspaceId}"? (yes/no):` }) !== "yes") {
@@ -14390,6 +14739,7 @@ const inviteCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		await inviteUser({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -14503,6 +14853,7 @@ const removeCommand = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		if (!args.yes) {
 			if (await prompt.text({ message: `Are you sure you want to remove user "${args.email}" from the workspace? (yes/no):` }) !== "yes") {
 				logger.info("User removal cancelled.");
@@ -14567,6 +14918,7 @@ const updateCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		await updateUser({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -15187,7 +15539,7 @@ async function runRepl(options) {
 	const execute = await prepareQueryExecutor(options);
 	const historyPath = getReplHistoryPath(options.engine, options.profile, options.workspaceId);
 	const validate = createReplValidator(options.engine);
-	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-CZpLlOBj.mjs");
+	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-jZ493eQI.mjs");
 	const highlight = options.engine === "sql" ? highlightSqlLine : highlightGraphqlLine;
 	const prompt = createPrompt({
 		prefix: "",
@@ -15520,5 +15872,5 @@ function isDeno() {
 }
 
 //#endregion
-export { deleteCommand$1 as $, getMigrationDirPath as $t, truncate as A, executionsCommand as At, updateOrganization as B, MIGRATION_LABEL_KEY as Bt, listCommand$2 as C, toPageDirection as Cn, jobsCommand as Ct, resumeWorkflow as D, startWorkflow as Dt, resumeCommand as E, startCommand as Et, showCommand as F, getCommand$6 as Ft, getCommand$1 as G, INITIAL_SCHEMA_NUMBER as Gt, treeCommand as H, bundleMigrationScript as Ht, logBetaWarning as I, getExecutor as It, updateFolder as J, compareLocalTypesWithSnapshot as Jt, getOrganization as K, MIGRATE_FILE_NAME as Kt, remove as L, deploy as Lt, generate as M, listWorkflowExecutions as Mt, generateCommand as N, functionExecutionStatusToString as Nt, listCommand$3 as O, getCommand$5 as Ot, show as P, formatKeyValueTable as Pt, getFolder as Q, getLatestMigrationNumber as Qt, removeCommand$1 as R, executeScript as Rt, listApps as S, paginationArgs as Sn, getExecutorJob as St, healthCommand as T, watchExecutorJob as Tt, listCommand$4 as U, DB_TYPES_FILE_NAME as Ut, organizationTree as V, parseMigrationLabelNumber as Vt, listOrganizations as W, DIFF_FILE_NAME as Wt, listFolders as X, createSnapshotFromLocalTypes as Xt, listCommand$5 as Y, compareSnapshots as Yt, getCommand$2 as Z, formatMigrationNumber as Zt, getWorkspace as _, commonArgs as _n, webhookCommand as _t, updateUser as a, reconstructSnapshotFromMigrations as an, getCommand$3 as at, createCommand as b, isVerbose as bn, listCommand$9 as bt, listCommand as c, hasChanges as cn, tokenCommand as ct, inviteUser as d, trnPrefix as dn, generate$1 as dt, getMigrationFilePath as en, deleteFolder as et, restoreCommand as f, generateUserTypes as fn, listCommand$8 as ft, getCommand as g, defineAppCommand as gn, listWebhookExecutors as gt, listWorkspaces as h, apiCall as hn, getFunctionRegistry as ht, updateCommand as i, loadDiff as in, listOAuth2Clients as it, truncateCommand as j, getWorkflowExecution as jt, listWorkflows as k, getWorkflow as kt, listUsers as l, getNamespacesWithMigrations as ln, listCommand$7 as lt, listCommand$1 as m, apiCommand as mn, getCommand$4 as mt, query as n, getNextMigrationNumber as nn, createFolder as nt, removeCommand as o, formatDiffSummary as on, getOAuth2Client as ot, restoreWorkspace as p, prompt as pn, listFunctionRegistries as pt, updateCommand$2 as q, SCHEMA_FILE_NAME as qt, queryCommand as r, isValidMigrationNumber as rn, listCommand$6 as rt, removeUser as s, formatMigrationDiff as sn, getMachineUserToken as st, isNativeTypeScriptRuntime as t, getMigrationFiles as tn, createCommand$1 as tt, inviteCommand as u, sdkNameLabelKey as un, listMachineUsers as ut, deleteCommand as v, confirmationArgs as vn, triggerCommand as vt, getAppHealth as w, workspaceArgs as wn, listExecutorJobs as wt, createWorkspace as x, pagedLogArgs as xn, listExecutors as xt, deleteWorkspace as y, deploymentArgs as yn, triggerExecutor as yt, updateCommand$1 as z, waitForExecution$1 as zt };
-//# sourceMappingURL=runtime-XjP6JMmP.mjs.map
+export { deleteCommand$1 as $, getMigrationDirPath as $t, truncate as A, executionsCommand as At, updateOrganization as B, MIGRATION_LABEL_KEY as Bt, listCommand$2 as C, paginationArgs as Cn, jobsCommand as Ct, resumeWorkflow as D, startWorkflow as Dt, resumeCommand as E, startCommand as Et, showCommand as F, getCommand$6 as Ft, getCommand$1 as G, INITIAL_SCHEMA_NUMBER as Gt, treeCommand as H, bundleMigrationScript as Ht, logBetaWarning as I, getExecutor as It, updateFolder as J, compareLocalTypesWithSnapshot as Jt, getOrganization as K, MIGRATE_FILE_NAME as Kt, remove as L, deploy as Lt, generate as M, listWorkflowExecutions as Mt, generateCommand as N, functionExecutionStatusToString as Nt, listCommand$3 as O, getCommand$5 as Ot, show as P, formatKeyValueTable as Pt, getFolder as Q, getLatestMigrationNumber as Qt, removeCommand$1 as R, executeScript as Rt, listApps as S, pagedLogArgs as Sn, getExecutorJob as St, healthCommand as T, workspaceArgs as Tn, watchExecutorJob as Tt, listCommand$4 as U, DB_TYPES_FILE_NAME as Ut, organizationTree as V, parseMigrationLabelNumber as Vt, listOrganizations as W, DIFF_FILE_NAME as Wt, listFolders as X, createSnapshotFromLocalTypes as Xt, listCommand$5 as Y, compareSnapshots as Yt, getCommand$2 as Z, formatMigrationNumber as Zt, getWorkspace as _, defineAppCommand as _n, webhookCommand as _t, updateUser as a, reconstructSnapshotFromMigrations as an, getCommand$3 as at, createCommand as b, deploymentArgs as bn, listCommand$9 as bt, listCommand as c, hasChanges as cn, tokenCommand as ct, inviteUser as d, trnPrefix as dn, generate$1 as dt, getMigrationFilePath as en, deleteFolder as et, restoreCommand as f, generateUserTypes as fn, listCommand$8 as ft, getCommand as g, assertWritable as gn, listWebhookExecutors as gt, listWorkspaces as h, apiCall as hn, getFunctionRegistry as ht, updateCommand as i, loadDiff as in, listOAuth2Clients as it, truncateCommand as j, getWorkflowExecution as jt, listWorkflows as k, getWorkflow as kt, listUsers as l, getNamespacesWithMigrations as ln, listCommand$7 as lt, listCommand$1 as m, apiCommand as mn, getCommand$4 as mt, query as n, getNextMigrationNumber as nn, createFolder as nt, removeCommand as o, formatDiffSummary as on, getOAuth2Client as ot, restoreWorkspace as p, prompt as pn, listFunctionRegistries as pt, updateCommand$2 as q, SCHEMA_FILE_NAME as qt, queryCommand as r, isValidMigrationNumber as rn, listCommand$6 as rt, removeUser as s, formatMigrationDiff as sn, getMachineUserToken as st, isNativeTypeScriptRuntime as t, getMigrationFiles as tn, createCommand$1 as tt, inviteCommand as u, sdkNameLabelKey as un, listMachineUsers as ut, deleteCommand as v, commonArgs as vn, triggerCommand as vt, getAppHealth as w, toPageDirection as wn, listExecutorJobs as wt, createWorkspace as x, isVerbose as xn, listExecutors as xt, deleteWorkspace as y, confirmationArgs as yn, triggerExecutor as yt, updateCommand$1 as z, waitForExecution$1 as zt };
+//# sourceMappingURL=runtime-oZgK353r.mjs.map