@tailor-platform/sdk 1.56.0 → 1.57.0

package/dist/{runtime-B8F1nklz.mjs → runtime-1YuaoNr8.mjs}

@@ -2,7 +2,7 @@
 import { t as db } from "./schema-DKsNhbav.mjs";
 import { $ as FilterSchema, A as FunctionExecution_Status, B as AuthOAuth2Client_GrantType, C as TailorDBType_Permission_Operator, D as IdPLang, E as PipelineResolver_OperationType, F as AuthConnection_Type, H as AuthSCIMAttribute_Type, I as AuthHookPoint, J as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, K as TenantProviderConfig_TenantProviderType, L as AuthIDPConfig_AuthType, M as ExecutorJobStatus, N as ExecutorTargetType, O as IdPPermissionOperator, P as ExecutorTriggerType, Q as Condition_Operator, R as AuthInvokerSchema, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Uniqueness, V as AuthSCIMAttribute_Mutability, W as AuthSCIMConfig_AuthorizationType, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, Z as ConditionSchema, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as PageDirection, g as OperatorService, h as userAgent, i as fetchAll, k as IdPPermissionPermit, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as UserProfileProviderConfig_UserProfileProviderType, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthOAuth2Client_ClientType } from "./client-DLPEPJ_s.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { D as loadWorkspaceId, E as loadConfigPath, O as readPlatformConfig, S as loadConfig, T as loadAccessToken, b as getDistDir, c as createExecutorService, d as buildExecutorArgsExpr, f as buildResolverOperationHookExpr, h as loadFilesWithIgnores, j as writePlatformConfig, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, x as hashFile, y as createBundleCache } from "./application-YHZIkjdy.mjs";
+import { C as loadConfig, D as loadConfigPath, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, S as hashFile, b as getDistDir, c as createExecutorService, d as buildExecutorArgsExpr, f as buildResolverOperationHookExpr, h as loadFilesWithIgnores, k as readPlatformConfig, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, y as createBundleCache } from "./application-CdkoGX27.mjs";
 import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
 import { n as isCLIError, t as createCLIError } from "./errors-EsY4XO6O.mjs";
@@ -2134,7 +2134,7 @@ function hashValue(value) {
 //#endregion
 //#region src/cli/commands/deploy/auth-connection.ts
 function connectionTrn(workspaceId, name) {
-	return `${trnPrefix(workspaceId)}:auth-connection:${name}`;
+	return `${trnPrefix(workspaceId)}:auth_connection:${name}`;
 }
 function buildConnectionRequest(workspaceId, name, config) {
 	return {
@@ -2156,11 +2156,6 @@ function buildConnectionRequest(workspaceId, name, config) {
 		}
 	};
 }
-/**
-* Compute a hash of the full connection config for change detection.
-* @param config - Auth connection config
-* @returns SHA-256 hex digest
-*/
 function hashConnectionConfig(config) {
 	return hashValue(JSON.stringify({
 		type: config.type,
@@ -2172,12 +2167,6 @@ function hashConnectionConfig(config) {
 		tokenUrl: config.tokenUrl ?? ""
 	}));
 }
-/**
-* Check whether the non-secret fields of an existing connection differ from the desired config.
-* @param existing - Existing connection from the server
-* @param desired - Desired connection config
-* @returns true if any non-secret field has changed
-*/
 function hasNonSecretFieldChanged(existing, desired) {
 	if (existing.config.case !== "oauth2") return true;
 	const oauth2 = existing.config.value;
@@ -2213,45 +2202,32 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 		}
 	});
 	const existingConnections = {};
-	let metadataSupported = true;
 	await Promise.all(existingList.map(async (resource) => {
-		try {
-			const { metadata } = await client.getMetadata({ trn: connectionTrn(workspaceId, resource.name) });
-			existingConnections[resource.name] = {
-				resource,
-				label: metadata?.labels[sdkNameLabelKey],
-				allLabels: metadata?.labels
-			};
-		} catch (error) {
-			if (error instanceof ConnectError && error.code === Code.InvalidArgument) {
-				metadataSupported = false;
-				existingConnections[resource.name] = {
-					resource,
-					label: void 0
-				};
-			} else throw error;
-		}
+		const { metadata } = await client.getMetadata({ trn: connectionTrn(workspaceId, resource.name) });
+		existingConnections[resource.name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
+		};
 	}));
 	const state = loadSecretsState();
 	for (const [name, config] of Object.entries(desiredConnections)) {
 		const existing = existingConnections[name];
-		const metaRequest = metadataSupported ? await buildMetaRequest({
+		const metaRequest = await buildMetaRequest({
 			trn: connectionTrn(workspaceId, name),
 			appName,
 			appId
-		}) : void 0;
+		});
 		if (existing) {
-			if (!isOwnedByApp(existing.allLabels, appName, appId)) {
-				if (metadataSupported && !existing.label) unmanaged.push({
-					resourceType: "Auth connection",
-					resourceName: name
-				});
-				else if (existing.label) conflicts.push({
-					resourceType: "Auth connection",
-					resourceName: name,
-					currentOwner: existing.label
-				});
-			}
+			if (!isOwnedByApp(existing.allLabels, appName, appId)) if (existing.label) conflicts.push({
+				resourceType: "Auth connection",
+				resourceName: name,
+				currentOwner: existing.label
+			});
+			else unmanaged.push({
+				resourceType: "Auth connection",
+				resourceName: name
+			});
 			const currentHash = hashConnectionConfig(config);
 			const storedHash = state.connections?.[name];
 			if (hasNonSecretFieldChanged(existing.resource, config) || currentHash !== storedHash) changeSet.replaces.push({
@@ -2263,6 +2239,10 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 				createRequest: buildConnectionRequest(workspaceId, name, config),
 				metaRequest
 			});
+			else if (!existing.label) changeSet.updates.push({
+				name,
+				metaRequest
+			});
 			else changeSet.unchanged.push({ name });
 			delete existingConnections[name];
 		} else changeSet.creates.push({
@@ -2278,7 +2258,7 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 			resourceOwners.add(entry.label);
 			continue;
 		}
-		if (owned || !metadataSupported) changeSet.deletes.push({
+		if (owned) changeSet.deletes.push({
 			name,
 			request: {
 				workspaceId,
@@ -2293,20 +2273,6 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 		resourceOwners
 	};
 }
-/**
-* Attempt to set metadata, silently ignoring InvalidArgument errors
-* when the platform does not yet support auth-connection TRNs.
-* @param client - Operator client instance
-* @param metaRequest - Metadata request to send
-*/
-async function trySetMetadata(client, metaRequest) {
-	try {
-		await client.setMetadata(metaRequest);
-	} catch (error) {
-		if (error instanceof ConnectError && error.code === Code.InvalidArgument) return;
-		throw error;
-	}
-}
 function extractOAuth2Config(connection) {
 	if (!connection) return void 0;
 	const config = connection.config;
@@ -2333,13 +2299,16 @@ async function applyAuthConnections(client, result, phase) {
 	if (phase === "create-update") {
 		await Promise.all(changeSet.creates.map(async (create) => {
 			await client.createAuthConnection(create.request);
-			if (create.metaRequest) await trySetMetadata(client, create.metaRequest);
+			await client.setMetadata(create.metaRequest);
 		}));
 		for (const replace of changeSet.replaces) {
 			await client.revokeAuthConnection(replace.revokeRequest);
 			await client.createAuthConnection(replace.createRequest);
-			if (replace.metaRequest) await trySetMetadata(client, replace.metaRequest);
+			await client.setMetadata(replace.metaRequest);
 		}
+		await Promise.all(changeSet.updates.map(async (update) => {
+			await client.setMetadata(update.metaRequest);
+		}));
 		const state = loadSecretsState();
 		if (!state.connections) state.connections = {};
 		for (const create of changeSet.creates) {
@@ -3012,6 +2981,25 @@ function parseIdPPermission(rawPermission) {
 	if (!rawPermission) return;
 	return normalizeIdPPermission(rawPermission);
 }
+/**
+* Find object-format IdP permission rules that omit `permit`.
+*
+* Object-format rules default to `deny` when `permit` is omitted, whereas the
+* array shorthand defaults to `allow`. Omitting `permit` on an object rule is
+* therefore an easy way to accidentally deny access you meant to grant, so the
+* CLI warns about these locations to nudge authors toward setting `permit`
+* explicitly.
+* @param permission - Raw IdP permission from user config
+* @returns Locations of offending rules, e.g. `read[0]`
+*/
+function findOmittedPermitRules(permission) {
+	if (!permission) return [];
+	const locations = [];
+	for (const action of Object.keys(permission)) permission[action]?.forEach((rule, index) => {
+		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`${String(action)}[${index}]`);
+	});
+	return locations;
+}
 
 //#endregion
 //#region src/cli/commands/deploy/idp.ts
@@ -3250,6 +3238,8 @@ async function planServices$3(client, workspaceId, appName, appId, idps, idpUser
 		const publishUserEvents = idp.publishUserEvents ?? isIdpUserTriggerTarget;
 		const emailConfig = idp.emailConfig;
 		if (!idp.permission) logger.warn(`IdP service "${namespaceName}" has no permission configured.`);
+		const omittedPermitLocations = findOmittedPermitRules(idp.permission);
+		if (omittedPermitLocations.length > 0) logger.warn(`IdP service "${namespaceName}" has permission rule(s) ${omittedPermitLocations.join(", ")} in object form without an explicit "permit"; they default to "deny". Set permit: true (allow) or permit: false (deny) to silence this warning.`);
 		const parsedPermission = parseIdPPermission(idp.permission);
 		const protoPermission = parsedPermission ? protoIdPPermission(parsedPermission) : void 0;
 		const desired = normalizeComparableIdPService({
@@ -10100,6 +10090,10 @@ async function deploy(options) {
 				resourceType: "OAuth2 client (client type change)",
 				resourceName: replace.name
 			});
+			for (const del of auth.changeSet.connection.deletes) importantDeletions.push({
+				resourceType: "Auth connection",
+				resourceName: del.name
+			});
 			for (const del of secretManager.vaultChangeSet.deletes) importantDeletions.push({
 				resourceType: "Secret Manager vault",
 				resourceName: del.name
@@ -14494,7 +14488,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-C9-t0qQb.mjs");
+	const { defineApplication } = await import("./application-x_mURdR0.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -16686,5 +16680,5 @@ function isDeno() {
 }
 
 //#endregion
-export { listCommand$5 as $, compareSnapshots as $t, truncate as A, workspaceArgs as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, configArg as Cn, triggerExecutor as Ct, resumeWorkflow as D, pagedLogArgs as Dn, jobsCommand as Dt, resumeCommand as E, isVerbose as En, getExecutorJob as Et, writeDbTypesFile as F, getWorkflowExecution as Ft, organizationTree as G, parseMigrationLabelNumber as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, listWorkflowExecutions as It, listOrganizations as J, DIFF_FILE_NAME as Jt, treeCommand as K, bundleMigrationScript as Kt, openInConfiguredEditor as L, functionExecutionStatusToString as Lt, generate as M, getCommand$5 as Mt, generateCommand as N, getWorkflow as Nt, listCommand$3 as O, paginationArgs as On, listExecutorJobs as Ot, generateMigrationScript as P, executionsCommand as Pt, updateFolder as Q, compareLocalTypesWithSnapshot as Qt, show as R, formatKeyValueTable as Rt, listApps as S, commonArgs as Sn, triggerCommand as St, healthCommand as T, deploymentArgs as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, MIGRATION_LABEL_KEY as Wt, getOrganization as X, MIGRATE_FILE_NAME as Xt, getCommand$1 as Y, INITIAL_SCHEMA_NUMBER as Yt, updateCommand$2 as Z, SCHEMA_FILE_NAME as Zt, getWorkspace as _, prompt as _n, listFunctionRegistries as _t, updateUser as a, getNextMigrationNumber as an, createCommand$1 as at, createCommand as b, assertWritable as bn, listWebhookExecutors as bt, listCommand as c, reconstructSnapshotFromMigrations as cn, listOAuth2Clients as ct, inviteUser as d, formatMigrationDiff as dn, getMachineUserToken as dt, createSnapshotFromLocalTypes as en, listFolders as et, restoreCommand as f, hasChanges as fn, tokenCommand as ft, getCommand as g, generateUserTypes as gn, listCommand$8 as gt, listWorkspaces as h, trnPrefix as hn, generate$1 as ht, updateCommand as i, getMigrationFiles as in, deleteFolder as it, truncateCommand as j, startWorkflow as jt, listWorkflows as k, toPageDirection as kn, watchExecutorJob as kt, listUsers as l, formatMigrationNumber as ln, getCommand$3 as lt, listCommand$1 as m, sdkNameLabelKey as mn, listMachineUsers as mt, query as n, getMigrationDirPath as nn, getFolder as nt, removeCommand as o, isValidMigrationNumber as on, createFolder as ot, restoreWorkspace as p, getNamespacesWithMigrations as pn, listCommand$7 as pt, listCommand$4 as q, DB_TYPES_FILE_NAME as qt, queryCommand as r, getMigrationFilePath as rn, deleteCommand$1 as rt, removeUser as s, loadDiff as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, getLatestMigrationNumber as tn, getCommand$2 as tt, inviteCommand as u, formatDiffSummary as un, getOAuth2Client as ut, deleteCommand as v, apiCommand as vn, getCommand$4 as vt, getAppHealth as w, confirmationArgs as wn, listCommand$9 as wt, createWorkspace as x, defineAppCommand as xn, webhookCommand as xt, deleteWorkspace as y, apiCall as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-B8F1nklz.mjs.map
+export { listCommand$5 as $, compareSnapshots as $t, truncate as A, toPageDirection as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, commonArgs as Cn, triggerExecutor as Ct, resumeWorkflow as D, isVerbose as Dn, jobsCommand as Dt, resumeCommand as E, deploymentArgs as En, getExecutorJob as Et, writeDbTypesFile as F, getWorkflowExecution as Ft, organizationTree as G, parseMigrationLabelNumber as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, listWorkflowExecutions as It, listOrganizations as J, DIFF_FILE_NAME as Jt, treeCommand as K, bundleMigrationScript as Kt, openInConfiguredEditor as L, functionExecutionStatusToString as Lt, generate as M, getCommand$5 as Mt, generateCommand as N, getWorkflow as Nt, listCommand$3 as O, pagedLogArgs as On, listExecutorJobs as Ot, generateMigrationScript as P, executionsCommand as Pt, updateFolder as Q, compareLocalTypesWithSnapshot as Qt, show as R, formatKeyValueTable as Rt, listApps as S, defineAppCommand as Sn, triggerCommand as St, healthCommand as T, confirmationArgs as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, MIGRATION_LABEL_KEY as Wt, getOrganization as X, MIGRATE_FILE_NAME as Xt, getCommand$1 as Y, INITIAL_SCHEMA_NUMBER as Yt, updateCommand$2 as Z, SCHEMA_FILE_NAME as Zt, getWorkspace as _, generateUserTypes as _n, listFunctionRegistries as _t, updateUser as a, getNextMigrationNumber as an, createCommand$1 as at, createCommand as b, apiCall as bn, listWebhookExecutors as bt, listCommand as c, reconstructSnapshotFromMigrations as cn, listOAuth2Clients as ct, inviteUser as d, formatMigrationDiff as dn, getMachineUserToken as dt, createSnapshotFromLocalTypes as en, listFolders as et, restoreCommand as f, hasChanges as fn, tokenCommand as ft, getCommand as g, PluginManager as gn, listCommand$8 as gt, listWorkspaces as h, trnPrefix as hn, generate$1 as ht, updateCommand as i, getMigrationFiles as in, deleteFolder as it, truncateCommand as j, workspaceArgs as jn, startWorkflow as jt, listWorkflows as k, paginationArgs as kn, watchExecutorJob as kt, listUsers as l, formatMigrationNumber as ln, getCommand$3 as lt, listCommand$1 as m, sdkNameLabelKey as mn, listMachineUsers as mt, query as n, getMigrationDirPath as nn, getFolder as nt, removeCommand as o, isValidMigrationNumber as on, createFolder as ot, restoreWorkspace as p, getNamespacesWithMigrations as pn, listCommand$7 as pt, listCommand$4 as q, DB_TYPES_FILE_NAME as qt, queryCommand as r, getMigrationFilePath as rn, deleteCommand$1 as rt, removeUser as s, loadDiff as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, getLatestMigrationNumber as tn, getCommand$2 as tt, inviteCommand as u, formatDiffSummary as un, getOAuth2Client as ut, deleteCommand as v, prompt as vn, getCommand$4 as vt, getAppHealth as w, configArg as wn, listCommand$9 as wt, createWorkspace as x, assertWritable as xn, webhookCommand as xt, deleteWorkspace as y, apiCommand as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
+//# sourceMappingURL=runtime-1YuaoNr8.mjs.map