@tailor-platform/sdk 1.56.0 → 1.57.0

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @tailor-platform/sdk
 
+## 1.57.0
+
+### Minor Changes
+
+- [#1319](https://github.com/tailor-platform/sdk/pull/1319) [`77754c2`](https://github.com/tailor-platform/sdk/commit/77754c264f3a18ccea2fb2ee2a144da4768b09a9) Thanks [@dqn](https://github.com/dqn)! - Replace the Liam-based `tailordb erd` beta commands with a TailorDB-specific ERD viewer generated from local TailorDB schema. `tailordb erd export` writes a single self-contained `index.html` under `<output>/<namespace>/dist` (CSS, JS, and the schema are inlined as separately extractable blocks), `tailordb erd serve` runs a built-in local server with watch reload and `--port` / `--open`, and `tailordb erd deploy` uploads the generated viewer while keeping the existing `erdSite` requirement.
+
+### Patch Changes
+
+- [#1309](https://github.com/tailor-platform/sdk/pull/1309) [`9e4c726`](https://github.com/tailor-platform/sdk/commit/9e4c726c1a84ac70ba7bc74aaf4765173562ed0e) Thanks [@toiroakr](https://github.com/toiroakr)! - fix(cli): track auth connection ownership via platform labels
+
+  `deploy` now tags auth connections with SDK ownership labels and uses them to decide which connections to manage, matching every other auth resource. Connections that are not labeled by the SDK are treated as unowned: they are surfaced in the unmanaged-resource confirmation prompt rather than silently deleted, and once you confirm adoption the SDK label is written even when the connection is otherwise unchanged, so later deploys recognize it as owned. Auth connection deletions are also shown in the deletion confirmation prompt.
+
+## 1.56.1
+
+### Patch Changes
+
+- [#1347](https://github.com/tailor-platform/sdk/pull/1347) [`6888110`](https://github.com/tailor-platform/sdk/commit/6888110fa61f9f3fd991e0fb44e86fd37f9536f3) Thanks [@dqn](https://github.com/dqn)! - Fix resolver field builders (`t.*`) leaking metadata between fields. `description()`, `typeName()`, and `validate()` now return a new field instead of mutating the original, so a field instance reused across places (for example shared between a resolver's `input` and `output`, or a record passed to `t.object`) no longer leaks its metadata into the other usages. This matches the existing `db.*` behavior.
+
+- [#1346](https://github.com/tailor-platform/sdk/pull/1346) [`0254e3c`](https://github.com/tailor-platform/sdk/commit/0254e3caff0d1eeb7407d8932385bf5bdbaf4356) Thanks [@dqn](https://github.com/dqn)! - Warn when a permission rule is written in object form without an explicit `permit`. Object-format rules (e.g. `read: [{ conditions: [...] }]`) default to `deny`, unlike the array shorthand which defaults to `allow`, so omitting `permit` can silently lock out access you meant to grant. The CLI now flags these rules during generate/deploy so you can set `permit: true` (allow) or `permit: false` (deny) explicitly. Runtime behavior is unchanged. This covers TailorDB record permissions, TailorDB GraphQL permissions, and IdP permissions.
+
 ## 1.56.0
 
 ### Minor Changes

package/README.md

@@ -97,26 +97,3 @@ See [Create Tailor Platform SDK](https://github.com/tailor-platform/sdk/tree/mai
 
 - Node.js 22 or later (or Bun)
 - A Tailor Platform account ([request access](https://www.tailor.tech/demo))
-
-## Dependabot Noise
-
-Installing `@tailor-platform/sdk` pulls in a few transitive advisories that are **not exploitable in practice**. They are listed here so you can triage reports from `npm audit` / `pnpm audit` / Dependabot without diffing our lockfile.
-
-### valibot ReDoS ([GHSA-vqpr-j7v3-hqw9](https://github.com/advisories/GHSA-vqpr-j7v3-hqw9))
-
-- **Why it shows up**: `@liam-hq/cli@0.7.24` pins `valibot@1.1.0`, which falls in the vulnerable range (`< 1.2.0`).
-- **Why it's safe here**: `@liam-hq/cli` is invoked only by `tailor-sdk tailordb erd export` as a child process, against developer-controlled schema files. The vulnerable code path (`v.emoji()` on attacker-controlled strings) is never reached.
-- **If you want to silence it**: add an override to your project so `valibot` resolves to `>=1.2.0`. `@toiroakr/lines-db` declares `valibot` as an optional peer with range `>=1.0.0`, so forcing `1.2.0+` is safe.
-
-  ```jsonc
-  // pnpm (package.json)
-  "pnpm": { "overrides": { "valibot": ">=1.2.0" } }
-
-  // npm (package.json)
-  "overrides": { "valibot": ">=1.2.0" }
-
-  // yarn (package.json)
-  "resolutions": { "valibot": ">=1.2.0" }
-  ```
-
-  This fix has to live in your project's `package.json` — overrides in a published package do not propagate to consumers.

package/dist/{application-YHZIkjdy.mjs → application-CdkoGX27.mjs}

@@ -606,15 +606,18 @@ const GeneratorConfigSchema = CodeGeneratorSchema.brand("CodeGenerator");
 /**
 * Load Tailor configuration file and associated generators and plugins.
 * @param configPath - Optional explicit config path
+* @param options - Optional module import behavior.
 * @returns Loaded config, generators, plugins, and config path
 */
-async function loadConfig(configPath) {
+async function loadConfig(configPath, options = {}) {
 	installCliTailordbStub();
 	const foundPath = loadConfigPath(configPath);
 	if (!foundPath) throw new Error("Configuration file not found: tailor.config.ts not found in current or parent directories");
 	const resolvedPath = path.resolve(process.cwd(), foundPath);
 	if (!fs$1.existsSync(resolvedPath)) throw new Error(`Configuration file not found: ${configPath}`);
-	const configModule = await import(pathToFileURL(resolvedPath).href);
+	const configUrl = pathToFileURL(resolvedPath);
+	if (options.importNonce) configUrl.searchParams.set("tailorImportNonce", options.importNonce);
+	const configModule = await import(configUrl.href);
 	if (!configModule || !configModule.default) throw new Error("Invalid Tailor config module: default export not found");
 	const validated = AppConfigSchema.safeParse(configModule.default);
 	if (!validated.success) {
@@ -2560,6 +2563,29 @@ function normalizeActionPermission(permission) {
 		permit: conditionArrayPermit ? "allow" : "deny"
 	};
 }
+/**
+* Find object-format permission rules that omit `permit`.
+*
+* Object-format rules default to `deny` when `permit` is omitted, whereas the
+* array shorthand defaults to `allow`. Omitting `permit` on an object rule is
+* therefore an easy way to accidentally deny access you meant to grant, so the
+* CLI warns about these locations to nudge authors toward setting `permit`
+* explicitly.
+* @param rawPermissions - Raw permissions definition
+* @returns Dotted locations of offending rules, e.g. `record.read[0]`, `gql[1]`
+*/
+function findOmittedPermitRules(rawPermissions) {
+	const locations = [];
+	const record = rawPermissions.record;
+	if (record) for (const action of Object.keys(record)) record[action]?.forEach((rule, index) => {
+		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`record.${String(action)}[${index}]`);
+	});
+	const gql = rawPermissions.gql;
+	if (gql) gql.forEach((policy, index) => {
+		if (policy.permit === void 0) locations.push(`gql[${index}]`);
+	});
+	return locations;
+}
 
 //#endregion
 //#region src/parser/service/tailordb/relation.ts
@@ -3431,6 +3457,12 @@ function createTailorDBService(params) {
 		for (const fileTypes of Object.values(rawTypes)) for (const [typeName, type] of Object.entries(fileTypes)) allTypes[typeName] = type;
 		types = parseTypes(allTypes, namespace, typeSourceInfo);
 	};
+	const warnOmittedPermit = () => {
+		for (const fileTypes of Object.values(rawTypes)) for (const [typeName, type] of Object.entries(fileTypes)) {
+			const locations = findOmittedPermitRules(type.metadata.permissions ?? {});
+			if (locations.length > 0) logger.warn(`TailorDB type "${typeName}" has permission rule(s) ${locations.join(", ")} in object form without an explicit "permit"; they default to "deny". Set permit: true (allow) or permit: false (deny) to silence this warning.`);
+		}
+	};
 	/**
 	* Process plugins for a type and add generated types to rawTypes
 	* @param rawType - The raw TailorDB type being processed
@@ -3523,6 +3555,7 @@ function createTailorDBService(params) {
 				if (pluginManager) for (const typeFile of typeFiles) await loadTypeFile(typeFile, tsconfig);
 				else await Promise.all(typeFiles.map((typeFile) => loadTypeFile(typeFile, tsconfig)));
 				doParseTypes();
+				warnOmittedPermit();
 				return types;
 			})();
 			return loadPromise;
@@ -5805,5 +5838,5 @@ async function loadApplication(params) {
 }
 
 //#endregion
-export { saveUserTokens as A, deleteUserTokens as C, loadWorkspaceId as D, loadConfigPath as E, readPlatformConfig as O, loadConfig as S, loadAccessToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, createExecutorService as c, buildExecutorArgsExpr as d, buildResolverOperationHookExpr as f, composeFunctionTreeshakeOptions as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, writePlatformConfig as j, resolveTokens as k, ExecutorSchema as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, INVOKER_EXPR as u, resolveBundleLogLevel as v, fetchLatestToken as w, hashFile as x, createBundleCache as y };
-//# sourceMappingURL=application-YHZIkjdy.mjs.map
+export { resolveTokens as A, loadConfig as C, loadConfigPath as D, loadAccessToken as E, writePlatformConfig as M, loadWorkspaceId as O, hashFile as S, fetchLatestToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, createExecutorService as c, buildExecutorArgsExpr as d, buildResolverOperationHookExpr as f, composeFunctionTreeshakeOptions as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, saveUserTokens as j, readPlatformConfig as k, ExecutorSchema as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, INVOKER_EXPR as u, resolveBundleLogLevel as v, deleteUserTokens as w, hashContent as x, createBundleCache as y };
+//# sourceMappingURL=application-CdkoGX27.mjs.map