@tailor-platform/sdk 1.48.0 → 1.49.0

package/dist/{runtime-CNg0w27y.mjs → runtime-oZgK353r.mjs}

@@ -2,7 +2,7 @@
 import { t as db } from "./schema-C5QjYEc-.mjs";
 import { $ as FilterSchema, A as FunctionExecution_Status, B as AuthOAuth2Client_GrantType, C as TailorDBType_Permission_Operator, D as IdPLang, E as PipelineResolver_OperationType, F as AuthConnection_Type, H as AuthSCIMAttribute_Type, I as AuthHookPoint, J as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, K as TenantProviderConfig_TenantProviderType, L as AuthIDPConfig_AuthType, M as ExecutorJobStatus, N as ExecutorTargetType, O as IdPPermissionOperator, P as ExecutorTriggerType, Q as Condition_Operator, R as AuthInvokerSchema, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Uniqueness, V as AuthSCIMAttribute_Mutability, W as AuthSCIMConfig_AuthorizationType, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, Z as ConditionSchema, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as PageDirection, g as OperatorService, h as userAgent, i as fetchAll, k as IdPPermissionPermit, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as UserProfileProviderConfig_UserProfileProviderType, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthOAuth2Client_ClientType } from "./client-_kHh0Pip.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DTNAMYGy.mjs";
-import { C as loadConfigPath, O as writePlatformConfig, S as loadAccessToken, T as readPlatformConfig, _ as getDistDir, d as buildResolverOperationHookExpr, f as OAuth2ClientSchema, g as createBundleCache, h as loadFilesWithIgnores, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as createExecutorService, t as defineApplication, u as buildExecutorArgsExpr, v as hashFile, w as loadWorkspaceId, y as loadConfig } from "./application-DUENhx4Y.mjs";
+import { C as loadConfigPath, O as writePlatformConfig, S as loadAccessToken, T as readPlatformConfig, _ as getDistDir, d as buildResolverOperationHookExpr, f as OAuth2ClientSchema, g as createBundleCache, h as loadFilesWithIgnores, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as createExecutorService, t as defineApplication, u as buildExecutorArgsExpr, v as hashFile, w as loadWorkspaceId, y as loadConfig } from "./application-CZMzt9jL.mjs";
 import { t as multiline } from "./multiline-e3IpANmS.mjs";
 import { t as readPackageJson } from "./package-json-6Px8bDpG.mjs";
 import { n as isCLIError, t as createCLIError } from "./errors-pMPXghkO.mjs";
@@ -267,6 +267,38 @@ function isVerbose() {
 */
 const defineAppCommand = createDefineCommand();
 
+//#endregion
+//#region src/cli/shared/readonly-guard.ts
+/**
+* Throw a CLIError if the active profile has `readonly: true`.
+*
+* Resolves the active profile in this order:
+* 1. `opts.profile` (CLI flag)
+* 2. `process.env.TAILOR_PLATFORM_PROFILE`
+*
+* If neither is set, no profile is in scope so the call is allowed. This is
+* intentional: `TAILOR_PLATFORM_TOKEN` direct access (CI / machine user) and
+* `--workspace-id` without a profile are out-of-band paths whose authorization
+* is governed by the bearer token itself, not by the local profile flag.
+*
+* If the resolved profile cannot be found in the config, this function returns
+* silently and lets downstream loaders surface the not-found error.
+* @param opts - Options
+* @param opts.profile - Optional explicit profile name from command args
+*/
+async function assertWritable(opts) {
+	const profileName = opts?.profile || process.env.TAILOR_PLATFORM_PROFILE;
+	if (!profileName) return;
+	const profile = (await readPlatformConfig()).profiles[profileName];
+	if (!profile || profile.readonly !== true) return;
+	throw createCLIError({
+		code: "PROFILE_READONLY",
+		message: `Profile "${profileName}" is read-only.`,
+		details: "This profile blocks platform-state mutations (apply, create/update/delete, deploy, etc.). Application-data operations remain available because their permissions are governed by the machine user.",
+		suggestion: `Use a different profile, unset TAILOR_PLATFORM_PROFILE, or run 'tailor-sdk profile update ${profileName} --permission write'.`
+	});
+}
+
 //#endregion
 //#region src/cli/commands/api/api-call.ts
 /**
@@ -568,6 +600,7 @@ Values already present in \`--body\` are never overridden. If a value cannot be
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const methodName = extractMethodName(args.endpoint);
 		const method = getMethodDescriptor(methodName);
 		const parsedBody = parseBodyAsObject(args.body);
@@ -7523,7 +7556,7 @@ function formatRemoteVerificationResults(results) {
 * @param {ReadonlyMap<string, Record<string, TailorDBType>>} typesByNamespace - Types by namespace
 * @param {LoadedConfig} config - Loaded application config (includes path)
 * @param {boolean} noSchemaCheck - Whether to skip schema diff check
-* @returns {Promise<PendingMigration[]>} List of pending migrations
+* @returns {Promise<ValidateAndDetectResult>} Pending migrations and namespaces that have migration directories configured
 */
 async function validateAndDetectMigrations(client, workspaceId, typesByNamespace, config, noSchemaCheck) {
 	const namespacesWithMigrations = getNamespacesWithMigrations(config, path.dirname(config.path));
@@ -7564,7 +7597,38 @@ async function validateAndDetectMigrations(client, workspaceId, typesByNamespace
 			if (withScripts.length > 0) logger.info(`  • ${withScripts.length} data migration(s) (requires migration script execution)`, { mode: "plain" });
 		}
 	}
-	return pendingMigrations;
+	return {
+		pendingMigrations,
+		namespacesWithMigrations
+	};
+}
+/**
+* Reconcile the on-remote migration label with the working tree's latest
+* migration number for each namespace.
+*
+* Used after a `--no-schema-check` apply: that flag skips the local/remote
+* snapshot drift checks, but if it also leaves the label untouched the remote
+* label can drift past the working tree's latest migration (e.g. when
+* checking out an older revision and re-deploying). A subsequent run would
+* then reconstruct the expected snapshot at a label that no longer exists in
+* the working tree, triggering a false drift error.
+*
+* Always force `label = working_tree_max` regardless of the previous label so
+* the invariant `label <= working_tree_max` is preserved.
+* @param client - Operator client instance
+* @param workspaceId - Workspace ID
+* @param namespacesWithMigrations - Namespaces that have migration directories configured
+*/
+async function reconcileMigrationLabels(client, workspaceId, namespacesWithMigrations) {
+	for (const { namespace, migrationsDir } of namespacesWithMigrations) {
+		const targetVersion = getLatestMigrationNumber(migrationsDir);
+		const currentVersion = await getRemoteMigrationNumber(client, workspaceId, namespace);
+		await updateMigrationLabel(client, workspaceId, namespace, targetVersion);
+		if (currentVersion !== targetVersion) {
+			const from = currentVersion === null ? "<unset>" : formatMigrationNumber(currentVersion);
+			logger.info(`Migration label for namespace ${namespace} reconciled: ${from} → ${formatMigrationNumber(targetVersion)}.`);
+		}
+	}
 }
 /**
 * Build migration execution context for script-based migrations.
@@ -7600,7 +7664,7 @@ async function applyTailorDB(client, result, phase = "create-update") {
 			const types = tailordb.types;
 			if (types) typesByNamespace.set(tailordb.namespace, types);
 		}
-		const pendingMigrations = await validateAndDetectMigrations(client, migrationContext.workspaceId, typesByNamespace, migrationContext.config, migrationContext.noSchemaCheck);
+		const { pendingMigrations, namespacesWithMigrations } = await validateAndDetectMigrations(client, migrationContext.workspaceId, typesByNamespace, migrationContext.config, migrationContext.noSchemaCheck);
 		if (pendingMigrations.length > 0) {
 			processedTypes.reset();
 			deletedResources.reset();
@@ -7640,6 +7704,7 @@ async function applyTailorDB(client, result, phase = "create-update") {
 			await Promise.all(changeSet.gqlPermission.deletes.map((del) => client.deleteTailorDBGQLPermission(del.request)));
 			await Promise.all(changeSet.type.deletes.map((del) => client.deleteTailorDBType(del.request)));
 		}
+		if (migrationContext.noSchemaCheck && namespacesWithMigrations.length > 0) await reconcileMigrationLabels(client, migrationContext.workspaceId, namespacesWithMigrations);
 	} else if (phase === "delete-resources") {
 		await Promise.all(changeSet.gqlPermission.deletes.map((del) => client.deleteTailorDBGQLPermission(del.request)));
 		await Promise.all(changeSet.type.deletes.map((del) => client.deleteTailorDBType(del.request)));
@@ -10957,6 +11022,7 @@ The \`--logs\` option displays logs from the downstream execution when available
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const client = await initOperatorClient(await loadAccessToken({
 			useProfile: true,
 			profile: args.profile
@@ -12463,6 +12529,7 @@ const createCommand$1 = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const folder = await createFolder({
 			organizationId: args["organization-id"],
 			parentFolderId: args["parent-folder-id"],
@@ -12501,6 +12568,7 @@ const deleteCommand$1 = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const client = await initOperatorClient(await loadAccessToken());
 		let folderName;
 		try {
@@ -12651,6 +12719,7 @@ const updateCommand$2 = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const folder = await updateFolder({
 			organizationId: args["organization-id"],
 			folderId: args["folder-id"],
@@ -12876,6 +12945,7 @@ const updateCommand$1 = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const organization = await updateOrganization({
 			organizationId: args["organization-id"],
 			name: args.name
@@ -12980,6 +13050,7 @@ const removeCommand$1 = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const { client, workspaceId, application, config } = await loadOptions$10({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -13643,7 +13714,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-BNkNt47b.mjs");
+	const { defineApplication } = await import("./application-v_E2W-Fz.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -13973,6 +14044,7 @@ const truncateCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		const types = args.types && args.types.length > 0 ? args.types : void 0;
 		await $truncate({
 			workspaceId: args["workspace-id"],
@@ -14355,9 +14427,11 @@ const createCommand = defineAppCommand({
 			alias: "p",
 			description: "Profile name to create"
 		}),
-		"profile-user": arg(z.string().optional(), { description: "User email for the profile (defaults to current user)" })
+		"profile-user": arg(z.string().optional(), { description: "User email for the profile (defaults to current user)" }),
+		permission: arg(z.enum(["write", "read"]).default("write"), { description: "Profile permission (requires --profile-name). 'read' blocks all write commands while the profile is active." })
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const workspace = await createWorkspace({
 			name: args.name,
 			region: args.region,
@@ -14375,13 +14449,15 @@ const createCommand = defineAppCommand({
 			if (!config.users[profileUser]) throw new Error(`User "${profileUser}" not found.\nPlease verify your user name and login using 'tailor-sdk login' command.`);
 			config.profiles[profileName] = {
 				user: profileUser,
-				workspace_id: workspace.id
+				workspace_id: workspace.id,
+				...args.permission === "read" ? { readonly: true } : {}
 			};
 			writePlatformConfig(config);
 			profileInfo = {
 				name: profileName,
 				user: profileUser,
-				workspaceId: workspace.id
+				workspaceId: workspace.id,
+				permission: args.permission
 			};
 			if (!args.json) logger.success(`Profile "${profileName}" created successfully.`);
 		}
@@ -14432,6 +14508,7 @@ const deleteCommand = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const { client, workspaceId } = await loadOptions$7({ workspaceId: args["workspace-id"] });
 		let workspace;
 		try {
@@ -14569,6 +14646,7 @@ const restoreCommand = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable();
 		const { client, workspaceId } = await loadOptions$5({ workspaceId: args["workspace-id"] });
 		if (!args.yes) {
 			if (await prompt.text({ message: `Are you sure you want to restore workspace "${workspaceId}"? (yes/no):` }) !== "yes") {
@@ -14661,6 +14739,7 @@ const inviteCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		await inviteUser({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -14774,6 +14853,7 @@ const removeCommand = defineAppCommand({
 		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		if (!args.yes) {
 			if (await prompt.text({ message: `Are you sure you want to remove user "${args.email}" from the workspace? (yes/no):` }) !== "yes") {
 				logger.info("User removal cancelled.");
@@ -14838,6 +14918,7 @@ const updateCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		await assertWritable({ profile: args.profile });
 		await updateUser({
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
@@ -15791,5 +15872,5 @@ function isDeno() {
 }
 
 //#endregion
-export { deleteCommand$1 as $, getMigrationDirPath as $t, truncate as A, executionsCommand as At, updateOrganization as B, MIGRATION_LABEL_KEY as Bt, listCommand$2 as C, toPageDirection as Cn, jobsCommand as Ct, resumeWorkflow as D, startWorkflow as Dt, resumeCommand as E, startCommand as Et, showCommand as F, getCommand$6 as Ft, getCommand$1 as G, INITIAL_SCHEMA_NUMBER as Gt, treeCommand as H, bundleMigrationScript as Ht, logBetaWarning as I, getExecutor as It, updateFolder as J, compareLocalTypesWithSnapshot as Jt, getOrganization as K, MIGRATE_FILE_NAME as Kt, remove as L, deploy as Lt, generate as M, listWorkflowExecutions as Mt, generateCommand as N, functionExecutionStatusToString as Nt, listCommand$3 as O, getCommand$5 as Ot, show as P, formatKeyValueTable as Pt, getFolder as Q, getLatestMigrationNumber as Qt, removeCommand$1 as R, executeScript as Rt, listApps as S, paginationArgs as Sn, getExecutorJob as St, healthCommand as T, watchExecutorJob as Tt, listCommand$4 as U, DB_TYPES_FILE_NAME as Ut, organizationTree as V, parseMigrationLabelNumber as Vt, listOrganizations as W, DIFF_FILE_NAME as Wt, listFolders as X, createSnapshotFromLocalTypes as Xt, listCommand$5 as Y, compareSnapshots as Yt, getCommand$2 as Z, formatMigrationNumber as Zt, getWorkspace as _, commonArgs as _n, webhookCommand as _t, updateUser as a, reconstructSnapshotFromMigrations as an, getCommand$3 as at, createCommand as b, isVerbose as bn, listCommand$9 as bt, listCommand as c, hasChanges as cn, tokenCommand as ct, inviteUser as d, trnPrefix as dn, generate$1 as dt, getMigrationFilePath as en, deleteFolder as et, restoreCommand as f, generateUserTypes as fn, listCommand$8 as ft, getCommand as g, defineAppCommand as gn, listWebhookExecutors as gt, listWorkspaces as h, apiCall as hn, getFunctionRegistry as ht, updateCommand as i, loadDiff as in, listOAuth2Clients as it, truncateCommand as j, getWorkflowExecution as jt, listWorkflows as k, getWorkflow as kt, listUsers as l, getNamespacesWithMigrations as ln, listCommand$7 as lt, listCommand$1 as m, apiCommand as mn, getCommand$4 as mt, query as n, getNextMigrationNumber as nn, createFolder as nt, removeCommand as o, formatDiffSummary as on, getOAuth2Client as ot, restoreWorkspace as p, prompt as pn, listFunctionRegistries as pt, updateCommand$2 as q, SCHEMA_FILE_NAME as qt, queryCommand as r, isValidMigrationNumber as rn, listCommand$6 as rt, removeUser as s, formatMigrationDiff as sn, getMachineUserToken as st, isNativeTypeScriptRuntime as t, getMigrationFiles as tn, createCommand$1 as tt, inviteCommand as u, sdkNameLabelKey as un, listMachineUsers as ut, deleteCommand as v, confirmationArgs as vn, triggerCommand as vt, getAppHealth as w, workspaceArgs as wn, listExecutorJobs as wt, createWorkspace as x, pagedLogArgs as xn, listExecutors as xt, deleteWorkspace as y, deploymentArgs as yn, triggerExecutor as yt, updateCommand$1 as z, waitForExecution$1 as zt };
-//# sourceMappingURL=runtime-CNg0w27y.mjs.map
+export { deleteCommand$1 as $, getMigrationDirPath as $t, truncate as A, executionsCommand as At, updateOrganization as B, MIGRATION_LABEL_KEY as Bt, listCommand$2 as C, paginationArgs as Cn, jobsCommand as Ct, resumeWorkflow as D, startWorkflow as Dt, resumeCommand as E, startCommand as Et, showCommand as F, getCommand$6 as Ft, getCommand$1 as G, INITIAL_SCHEMA_NUMBER as Gt, treeCommand as H, bundleMigrationScript as Ht, logBetaWarning as I, getExecutor as It, updateFolder as J, compareLocalTypesWithSnapshot as Jt, getOrganization as K, MIGRATE_FILE_NAME as Kt, remove as L, deploy as Lt, generate as M, listWorkflowExecutions as Mt, generateCommand as N, functionExecutionStatusToString as Nt, listCommand$3 as O, getCommand$5 as Ot, show as P, formatKeyValueTable as Pt, getFolder as Q, getLatestMigrationNumber as Qt, removeCommand$1 as R, executeScript as Rt, listApps as S, pagedLogArgs as Sn, getExecutorJob as St, healthCommand as T, workspaceArgs as Tn, watchExecutorJob as Tt, listCommand$4 as U, DB_TYPES_FILE_NAME as Ut, organizationTree as V, parseMigrationLabelNumber as Vt, listOrganizations as W, DIFF_FILE_NAME as Wt, listFolders as X, createSnapshotFromLocalTypes as Xt, listCommand$5 as Y, compareSnapshots as Yt, getCommand$2 as Z, formatMigrationNumber as Zt, getWorkspace as _, defineAppCommand as _n, webhookCommand as _t, updateUser as a, reconstructSnapshotFromMigrations as an, getCommand$3 as at, createCommand as b, deploymentArgs as bn, listCommand$9 as bt, listCommand as c, hasChanges as cn, tokenCommand as ct, inviteUser as d, trnPrefix as dn, generate$1 as dt, getMigrationFilePath as en, deleteFolder as et, restoreCommand as f, generateUserTypes as fn, listCommand$8 as ft, getCommand as g, assertWritable as gn, listWebhookExecutors as gt, listWorkspaces as h, apiCall as hn, getFunctionRegistry as ht, updateCommand as i, loadDiff as in, listOAuth2Clients as it, truncateCommand as j, getWorkflowExecution as jt, listWorkflows as k, getWorkflow as kt, listUsers as l, getNamespacesWithMigrations as ln, listCommand$7 as lt, listCommand$1 as m, apiCommand as mn, getCommand$4 as mt, query as n, getNextMigrationNumber as nn, createFolder as nt, removeCommand as o, formatDiffSummary as on, getOAuth2Client as ot, restoreWorkspace as p, prompt as pn, listFunctionRegistries as pt, updateCommand$2 as q, SCHEMA_FILE_NAME as qt, queryCommand as r, isValidMigrationNumber as rn, listCommand$6 as rt, removeUser as s, formatMigrationDiff as sn, getMachineUserToken as st, isNativeTypeScriptRuntime as t, getMigrationFiles as tn, createCommand$1 as tt, inviteCommand as u, sdkNameLabelKey as un, listMachineUsers as ut, deleteCommand as v, commonArgs as vn, triggerCommand as vt, getAppHealth as w, toPageDirection as wn, listExecutorJobs as wt, createWorkspace as x, isVerbose as xn, listExecutors as xt, deleteWorkspace as y, confirmationArgs as yn, triggerExecutor as yt, updateCommand$1 as z, waitForExecution$1 as zt };
+//# sourceMappingURL=runtime-oZgK353r.mjs.map