@tailor-platform/sdk 1.57.0 → 1.58.0

package/dist/{runtime-1YuaoNr8.mjs → runtime-BC-FbQkg.mjs}

@@ -1,8 +1,8 @@
 
 import { t as db } from "./schema-DKsNhbav.mjs";
-import { $ as FilterSchema, A as FunctionExecution_Status, B as AuthOAuth2Client_GrantType, C as TailorDBType_Permission_Operator, D as IdPLang, E as PipelineResolver_OperationType, F as AuthConnection_Type, H as AuthSCIMAttribute_Type, I as AuthHookPoint, J as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, K as TenantProviderConfig_TenantProviderType, L as AuthIDPConfig_AuthType, M as ExecutorJobStatus, N as ExecutorTargetType, O as IdPPermissionOperator, P as ExecutorTriggerType, Q as Condition_Operator, R as AuthInvokerSchema, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Uniqueness, V as AuthSCIMAttribute_Mutability, W as AuthSCIMConfig_AuthorizationType, X as Subgraph_ServiceType, Y as ApplicationSchemaUpdateAttemptStatus, Z as ConditionSchema, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as PageDirection, g as OperatorService, h as userAgent, i as fetchAll, k as IdPPermissionPermit, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as UserProfileProviderConfig_UserProfileProviderType, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthOAuth2Client_ClientType } from "./client-DLPEPJ_s.mjs";
+import { $ as Condition_Operator, A as IdPPermissionPermit, B as AuthOAuth2Client_ClientType, C as TailorDBType_Permission_Operator, D as PipelineResolver_OperationType, F as ExecutorTriggerType, G as AuthSCIMConfig_AuthorizationType, H as AuthSCIMAttribute_Mutability, I as AuthConnection_Type, J as UserProfileProviderConfig_UserProfileProviderType, L as AuthHookPoint, N as ExecutorJobStatus, O as IdPLang, P as ExecutorTargetType, Q as ConditionSchema, R as AuthIDPConfig_AuthType, S as TailorDBGQLPermission_Permit, T as TailorDBType_PermitAction, U as AuthSCIMAttribute_Type, V as AuthOAuth2Client_GrantType, W as AuthSCIMAttribute_Uniqueness, X as ApplicationSchemaUpdateAttemptStatus, Y as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, Z as Subgraph_ServiceType, _ as WorkspacePlatformUserRole, a as fetchMachineUserToken, b as TailorDBGQLPermission_Action, d as initOperatorClient, et as FilterSchema, g as OperatorService, h as userAgent, i as fetchAll, j as FunctionExecution_Status, k as IdPPermissionOperator, m as resolveStaticWebsiteUrls, o as fetchPaged, p as platformBaseUrl, q as TenantProviderConfig_TenantProviderType, tt as PageDirection, v as WorkflowExecution_Status, w as TailorDBType_Permission_Permit, x as TailorDBGQLPermission_Operator, y as WorkflowJobExecution_Status, z as AuthInvokerSchema } from "./client-62B-r3MN.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { C as loadConfig, D as loadConfigPath, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, S as hashFile, b as getDistDir, c as createExecutorService, d as buildExecutorArgsExpr, f as buildResolverOperationHookExpr, h as loadFilesWithIgnores, k as readPlatformConfig, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, y as createBundleCache } from "./application-CdkoGX27.mjs";
+import { C as loadConfig, D as loadConfigPath, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, S as hashFile, b as getDistDir, c as createExecutorService, d as buildExecutorArgsExpr, f as buildResolverOperationHookExpr, h as loadFilesWithIgnores, k as readPlatformConfig, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, y as createBundleCache } from "./application-B59TaTk_.mjs";
 import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
 import { n as isCLIError, t as createCLIError } from "./errors-EsY4XO6O.mjs";
@@ -636,7 +636,7 @@ const inspectCommand = defineAppCommand({
 const listCommand$10 = defineAppCommand({
 	name: "list",
 	description: "List all invocable OperatorService methods.",
-	notes: "Only unary RPCs are listed; streaming methods are excluded because `tailor-sdk api run` issues a single JSON POST and reads one JSON response.",
+	notes: "Only single-request (non-streaming) methods are listed, because the CLI issues a single JSON request and reads one JSON response.",
 	args: z.object({}).strict(),
 	run: () => {
 		const names = listMethodNames();
@@ -793,7 +793,7 @@ const apiCommand = defineAppCommand({
 	description: "Call Tailor Platform API endpoints directly.",
 	notes: `Use \`tailor-sdk api list\` to enumerate invocable methods and \`tailor-sdk api inspect <endpoint>\` to print an endpoint's input message tree (combine with \`--json\` for machine-readable output).
 
-The request body is inferred from the proto definition of the target endpoint, and commonly required fields are auto-injected so they can be omitted from \`--body\`:
+The request body is inferred from the target endpoint's request schema, and commonly required fields are auto-injected so they can be omitted from \`--body\`:
 
 - \`workspaceId\` — resolved from \`-w\` / \`TAILOR_PLATFORM_WORKSPACE_ID\` / the selected profile.
 - \`namespaceName\` — resolved from \`tailor.config.ts\` based on the endpoint's service:
@@ -802,7 +802,7 @@ The request body is inferred from the proto definition of the target endpoint, a
 
 Values already present in \`--body\` are never overridden. If a value cannot be resolved (e.g. no config found), injection is silently skipped and the server-side validation error takes precedence.
 
-Use \`--field key=value\` (repeatable) to set request body fields without writing JSON. Dotted keys (e.g. \`application.name=foo\`) build nested objects. \`--field\` overrides matching fields in \`--body\` and tab-completes from the endpoint's proto schema.`,
+Use \`--field key=value\` (repeatable) to set request body fields without writing JSON. Dotted keys (e.g. \`application.name=foo\`) build nested objects. \`--field\` overrides matching fields in \`--body\` and tab-completes from the endpoint's request schema.`,
 	examples: [
 		{
 			cmd: "GetApplication -b '{\"applicationName\":\"app-1\"}'",
@@ -1735,6 +1735,16 @@ function areNormalizedEqual(left, right) {
 function trnPrefix(workspaceId) {
 	return `trn:v1:workspace:${workspaceId}`;
 }
+/**
+* Build the TRN for a workspace resource.
+* @param workspaceId - Workspace ID
+* @param kind - Resource kind segment
+* @param name - Resource name
+* @returns Fully-qualified TRN string
+*/
+function resourceTrn(workspaceId, kind, name) {
+	return `${trnPrefix(workspaceId)}:${kind}:${name}`;
+}
 const sdkNameLabelKey = "sdk-name";
 const sdkVersionLabelKey = "sdk-version";
 const sdkAppIdLabelKey = "sdk-app-id";
@@ -1817,9 +1827,6 @@ async function applyApplication(client, changeSet, phase = "create-update") {
 		await client.deleteApplication(del.request);
 	}));
 }
-function trn$6(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:application:${name}`;
-}
 function sortStrings(values) {
 	return [...values ?? []].sort();
 }
@@ -1944,7 +1951,7 @@ async function planApplication(context, httpAdapterBuildResult) {
 		if (idpConfigs.length > 0) authIdpConfigName = idpConfigs[0].name;
 	}
 	const metaRequest = await buildMetaRequest({
-		trn: trn$6(workspaceId, application.name),
+		trn: resourceTrn(workspaceId, "application", application.name),
 		appName: application.name,
 		appId: application.id
 	});
@@ -2003,7 +2010,7 @@ async function planApplication(context, httpAdapterBuildResult) {
 }
 async function fetchAppLabels(client, workspaceId, appName) {
 	try {
-		const { metadata } = await client.getMetadata({ trn: trn$6(workspaceId, appName) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "application", appName) });
 		return metadata?.labels;
 	} catch (error) {
 		if (error instanceof ConnectError && error.code === Code.NotFound) return;
@@ -2133,9 +2140,6 @@ function hashValue(value) {
 
 //#endregion
 //#region src/cli/commands/deploy/auth-connection.ts
-function connectionTrn(workspaceId, name) {
-	return `${trnPrefix(workspaceId)}:auth_connection:${name}`;
-}
 function buildConnectionRequest(workspaceId, name, config) {
 	return {
 		workspaceId,
@@ -2203,7 +2207,7 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 	});
 	const existingConnections = {};
 	await Promise.all(existingList.map(async (resource) => {
-		const { metadata } = await client.getMetadata({ trn: connectionTrn(workspaceId, resource.name) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "auth_connection", resource.name) });
 		existingConnections[resource.name] = {
 			resource,
 			label: metadata?.labels[sdkNameLabelKey],
@@ -2214,7 +2218,7 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 	for (const [name, config] of Object.entries(desiredConnections)) {
 		const existing = existingConnections[name];
 		const metaRequest = await buildMetaRequest({
-			trn: connectionTrn(workspaceId, name),
+			trn: resourceTrn(workspaceId, "auth_connection", name),
 			appName,
 			appId
 		});
@@ -2232,7 +2236,7 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 			const storedHash = state.connections?.[name];
 			if (hasNonSecretFieldChanged(existing.resource, config) || currentHash !== storedHash) changeSet.replaces.push({
 				name,
-				revokeRequest: {
+				deleteRequest: {
 					workspaceId,
 					connectionName: name
 				},
@@ -2302,7 +2306,7 @@ async function applyAuthConnections(client, result, phase) {
 			await client.setMetadata(create.metaRequest);
 		}));
 		for (const replace of changeSet.replaces) {
-			await client.revokeAuthConnection(replace.revokeRequest);
+			await client.deleteAuthConnection(replace.deleteRequest);
 			await client.createAuthConnection(replace.createRequest);
 			await client.setMetadata(replace.metaRequest);
 		}
@@ -2322,7 +2326,7 @@ async function applyAuthConnections(client, result, phase) {
 		saveSecretsState(state);
 	} else if (phase === "delete-resources" || phase === "delete") {
 		await Promise.all(changeSet.deletes.map(async (del) => {
-			await client.revokeAuthConnection(del.request);
+			await client.deleteAuthConnection(del.request);
 		}));
 		if (changeSet.deletes.length > 0) {
 			const state = loadSecretsState();
@@ -2345,9 +2349,6 @@ const CHUNK_SIZE = 64 * 1024;
 function computeContentHash(content) {
 	return crypto$1.createHash("sha256").update(content, "utf-8").digest("hex");
 }
-function functionRegistryTrn$1(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
-}
 const RESOLVER_PREFIX = "resolver--";
 const EXECUTOR_PREFIX = "executor--";
 const WORKFLOW_PREFIX = "workflow--";
@@ -2539,7 +2540,7 @@ async function planFunctionRegistry(client, workspaceId, appName, appId, entries
 	});
 	const existingMap = {};
 	await Promise.all(existingFunctions.map(async (func) => {
-		const { metadata } = await client.getMetadata({ trn: functionRegistryTrn$1(workspaceId, func.name) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "function_registry", func.name) });
 		existingMap[func.name] = {
 			resource: func,
 			label: metadata?.labels[sdkNameLabelKey],
@@ -2549,7 +2550,7 @@ async function planFunctionRegistry(client, workspaceId, appName, appId, entries
 	for (const entry of entries) {
 		const existing = existingMap[entry.name];
 		const metaRequest = await buildMetaRequest({
-			trn: functionRegistryTrn$1(workspaceId, entry.name),
+			trn: resourceTrn(workspaceId, "function_registry", entry.name),
 			appName,
 			appId
 		});
@@ -3104,9 +3105,6 @@ async function planIdP(context) {
 		resourceOwners
 	};
 }
-function trn$5(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:idp:${name}`;
-}
 function normalizeComparableUserAuthPolicy(policy) {
 	return {
 		useNonEmailIdentifier: policy?.useNonEmailIdentifier ?? false,
@@ -3201,7 +3199,7 @@ async function planServices$3(client, workspaceId, appName, appId, idps, idpUser
 	const existingServices = {};
 	await Promise.all(withoutLabel.map(async (resource) => {
 		if (!resource.namespace?.name) return;
-		const { metadata } = await client.getMetadata({ trn: trn$5(workspaceId, resource.namespace.name) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "idp", resource.namespace.name) });
 		existingServices[resource.namespace.name] = {
 			resource,
 			label: metadata?.labels[sdkNameLabelKey],
@@ -3212,7 +3210,7 @@ async function planServices$3(client, workspaceId, appName, appId, idps, idpUser
 		const namespaceName = idp.name;
 		const existing = existingServices[namespaceName];
 		const metaRequest = await buildMetaRequest({
-			trn: trn$5(workspaceId, namespaceName),
+			trn: resourceTrn(workspaceId, "idp", namespaceName),
 			appName,
 			appId
 		});
@@ -3571,9 +3569,6 @@ async function planAuth(context) {
 		resourceOwners: new Set([...resourceOwners, ...connectionResult.resourceOwners])
 	};
 }
-function trn$4(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:auth:${name}`;
-}
 async function planServices$2(client, workspaceId, appName, appId, auths, forceApplyAll = false) {
 	const changeSet = createChangeSet("Auth services");
 	const conflicts = [];
@@ -3595,7 +3590,7 @@ async function planServices$2(client, workspaceId, appName, appId, auths, forceA
 	const existingServices = {};
 	await Promise.all(withoutLabel.map(async (resource) => {
 		if (!resource.namespace?.name) return;
-		const { metadata } = await client.getMetadata({ trn: trn$4(workspaceId, resource.namespace.name) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "auth", resource.namespace.name) });
 		existingServices[resource.namespace.name] = {
 			resource,
 			label: metadata?.labels[sdkNameLabelKey],
@@ -3606,7 +3601,7 @@ async function planServices$2(client, workspaceId, appName, appId, auths, forceA
 		const { config } = auth;
 		const existing = existingServices[config.name];
 		const metaRequest = await buildMetaRequest({
-			trn: trn$4(workspaceId, config.name),
+			trn: resourceTrn(workspaceId, "auth", config.name),
 			appName,
 			appId
 		});
@@ -4934,9 +4929,6 @@ async function applyExecutor(client, result, phase = "create-update") {
 	})]);
 	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteExecutorExecutor(del.request)));
 }
-function trn$3(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:executor:${name}`;
-}
 /**
 * Plan executor-related changes based on current and desired state.
 * @param context - Planning context
@@ -4960,13 +4952,13 @@ async function planExecutor(context) {
 			return [executors, nextPageToken];
 		},
 		getName: (resource) => resource.name,
-		getTrn: trn$3
+		getTrn: (workspaceId, name) => resourceTrn(workspaceId, "executor", name)
 	});
 	const executors = forRemoval ? {} : await application.executorService?.loadExecutors() ?? {};
 	for (const executor of Object.values(executors)) {
 		const existing = existingExecutors[executor.name];
 		const metaRequest = await buildMetaRequest({
-			trn: trn$3(workspaceId, executor.name),
+			trn: resourceTrn(workspaceId, "executor", executor.name),
 			appName: application.name,
 			appId: application.id
 		});
@@ -5380,9 +5372,6 @@ async function planPipeline(context) {
 		resourceOwners
 	};
 }
-function trn$2(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:pipeline:${name}`;
-}
 async function planServices$1(client, workspaceId, appName, appId, pipelines) {
 	const changeSet = createChangeSet("Pipeline services");
 	const conflicts = [];
@@ -5404,7 +5393,7 @@ async function planServices$1(client, workspaceId, appName, appId, pipelines) {
 	const existingServices = {};
 	await Promise.all(withoutLabel.map(async (resource) => {
 		if (!resource.namespace?.name) return;
-		const { metadata } = await client.getMetadata({ trn: trn$2(workspaceId, resource.namespace.name) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "pipeline", resource.namespace.name) });
 		existingServices[resource.namespace.name] = {
 			resource,
 			label: metadata?.labels[sdkNameLabelKey],
@@ -5414,7 +5403,7 @@ async function planServices$1(client, workspaceId, appName, appId, pipelines) {
 	for (const pipeline of pipelines) {
 		const existing = existingServices[pipeline.namespace];
 		const metaRequest = await buildMetaRequest({
-			trn: trn$2(workspaceId, pipeline.namespace),
+			trn: resourceTrn(workspaceId, "pipeline", pipeline.namespace),
 			appName,
 			appId
 		});
@@ -5702,7 +5691,7 @@ async function planSecretManager(context) {
 	});
 	const existingVaults = {};
 	await Promise.all(existingVaultList.map(async (resource) => {
-		const { metadata } = await client.getMetadata({ trn: vaultTrn$1(workspaceId, resource.name) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "vault", resource.name) });
 		existingVaults[resource.name] = {
 			resource,
 			label: metadata?.labels[sdkNameLabelKey],
@@ -5716,7 +5705,7 @@ async function planSecretManager(context) {
 		const existing = existingVaults[vaultName];
 		if (existing) {
 			const metaRequest = await buildMetaRequest({
-				trn: vaultTrn$1(workspaceId, vaultName),
+				trn: resourceTrn(workspaceId, "vault", vaultName),
 				appName: application.name,
 				appId: application.id
 			});
@@ -5829,9 +5818,6 @@ async function planSecretManager(context) {
 		resourceOwners
 	};
 }
-function vaultTrn$1(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:vault:${name}`;
-}
 /**
 * Apply secret manager changes for the given phase.
 * @param client - Operator client instance
@@ -5850,7 +5836,7 @@ async function applySecretManager(client, result, phase = "create-update", appli
 			});
 			if (application) {
 				const metaRequest = await buildMetaRequest({
-					trn: vaultTrn$1(create.workspaceId, create.name),
+					trn: resourceTrn(create.workspaceId, "vault", create.name),
 					appName: application.name,
 					appId: application.id
 				});
@@ -5859,7 +5845,7 @@ async function applySecretManager(client, result, phase = "create-update", appli
 		}));
 		if (application) await Promise.all(vaultChangeSet.updates.map(async (update) => {
 			const metaRequest = await buildMetaRequest({
-				trn: vaultTrn$1(update.workspaceId, update.name),
+				trn: resourceTrn(update.workspaceId, "vault", update.name),
 				appName: application.name,
 				appId: application.id
 			});
@@ -5917,18 +5903,23 @@ async function applySecretManager(client, result, phase = "create-update", appli
 * @returns Promise that resolves when static websites are applied
 */
 async function applyStaticWebsite(client, result, phase = "create-update") {
-	const { changeSet } = result;
-	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
-		await client.createStaticWebsite(create.request);
-		await client.setMetadata(create.metaRequest);
-	}), ...changeSet.updates.map(async (update) => {
-		await client.updateStaticWebsite(update.request);
-		await client.setMetadata(update.metaRequest);
-	})]);
-	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteStaticWebsite(del.request)));
+	const { changeSet, customDomainChangeSet } = result;
+	if (phase === "create-update") {
+		await Promise.all([...changeSet.creates.map(async (create) => {
+			await client.createStaticWebsite(create.request);
+			await client.setMetadata(create.metaRequest);
+		}), ...changeSet.updates.map(async (update) => {
+			await client.updateStaticWebsite(update.request);
+			await client.setMetadata(update.metaRequest);
+		})]);
+		await Promise.all([...customDomainChangeSet.creates.map(async (add) => {
+			await client.addCustomDomain(add.request);
+			await client.setMetadata(add.metaRequest);
+		}), ...customDomainChangeSet.deletes.map((del) => client.removeCustomDomain(del.request))]);
+	} else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteStaticWebsite(del.request)));
 }
-function trn$1(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:staticwebsite:${name}`;
+function customDomainTrn(workspaceId, websiteName, domain) {
+	return `trn:v1:workspace:${workspaceId}:staticwebsite:${websiteName}:custom_domain:${domain}`;
 }
 function normalizeComparableStaticWebsiteShape(input) {
 	return {
@@ -5953,6 +5944,7 @@ function areStaticWebsitesEqual(existing, desired) {
 async function planStaticWebsite(context) {
 	const { client, workspaceId, application, forRemoval } = context;
 	const changeSet = createChangeSet("StaticWebsites");
+	const customDomainChangeSet = createChangeSet("CustomDomains");
 	const conflicts = [];
 	const unmanaged = [];
 	const resourceOwners = /* @__PURE__ */ new Set();
@@ -5968,15 +5960,16 @@ async function planStaticWebsite(context) {
 			return [staticwebsites, nextPageToken];
 		},
 		getName: (resource) => resource.name,
-		getTrn: trn$1
+		getTrn: (workspaceId, name) => resourceTrn(workspaceId, "staticwebsite", name)
 	});
+	const ownedWebsiteNames = /* @__PURE__ */ new Set();
 	const staticWebsiteServices = forRemoval ? [] : application.staticWebsiteServices;
 	for (const websiteService of staticWebsiteServices) {
 		const config = websiteService;
 		const name = websiteService.name;
 		const existing = existingWebsites[name];
 		const metaRequest = await buildMetaRequest({
-			trn: trn$1(workspaceId, name),
+			trn: resourceTrn(workspaceId, "staticwebsite", name),
 			appName: application.name,
 			appId: application.id
 		});
@@ -5990,7 +5983,7 @@ async function planStaticWebsite(context) {
 			}
 		};
 		if (existing) {
-			if (trackDesiredResourceOwnership({
+			const owned = trackDesiredResourceOwnership({
 				labels: existing.allLabels,
 				ownerLabel: existing.label,
 				appName: application.name,
@@ -5999,18 +5992,23 @@ async function planStaticWebsite(context) {
 				resourceName: name,
 				conflicts,
 				unmanaged
-			}) && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areStaticWebsitesEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
+			});
+			if (owned && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areStaticWebsitesEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
 			else changeSet.updates.push({
 				name,
 				request,
 				metaRequest
 			});
+			if (owned) ownedWebsiteNames.add(name);
 			delete existingWebsites[name];
-		} else changeSet.creates.push({
-			name,
-			request,
-			metaRequest
-		});
+		} else {
+			changeSet.creates.push({
+				name,
+				request,
+				metaRequest
+			});
+			ownedWebsiteNames.add(name);
+		}
 	}
 	Object.entries(existingWebsites).forEach(([name]) => {
 		const entry = existingWebsites[name];
@@ -6029,8 +6027,63 @@ async function planStaticWebsite(context) {
 			}
 		});
 	});
+	const desiredDomainsByWebsite = /* @__PURE__ */ new Map();
+	for (const service of staticWebsiteServices) if (service.customDomains !== void 0 && ownedWebsiteNames.has(service.name)) desiredDomainsByWebsite.set(service.name, service.customDomains);
+	const existingDomainsByWebsite = /* @__PURE__ */ new Map();
+	const websitesToFetchDomains = [...ownedWebsiteNames].filter((name) => !changeSet.creates.some((c) => c.name === name));
+	await Promise.all(websitesToFetchDomains.map(async (name) => {
+		try {
+			const { customDomains } = await client.listCustomDomains({
+				workspaceId,
+				staticWebsiteName: name
+			});
+			const domainsWithLabels = await Promise.all(customDomains.map(async (d) => {
+				const { metadata } = await client.getMetadata({ trn: customDomainTrn(workspaceId, name, d.domain) });
+				return {
+					domain: d.domain,
+					allLabels: metadata?.labels
+				};
+			}));
+			existingDomainsByWebsite.set(name, domainsWithLabels);
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return;
+			throw error;
+		}
+	}));
+	for (const name of ownedWebsiteNames) {
+		const desired = new Set(desiredDomainsByWebsite.get(name) ?? []);
+		const existingDomains = existingDomainsByWebsite.get(name) ?? [];
+		const existingSet = new Set(existingDomains.map((d) => d.domain));
+		const sdkOwnedDomains = new Set(existingDomains.filter((d) => isOwnedByApp(d.allLabels, application.name, application.id)).map((d) => d.domain));
+		for (const domain of desired) if (!existingSet.has(domain)) {
+			const metaRequest = await buildMetaRequest({
+				trn: customDomainTrn(workspaceId, name, domain),
+				appName: application.name,
+				appId: application.id
+			});
+			customDomainChangeSet.creates.push({
+				name: domain,
+				request: {
+					workspaceId,
+					staticWebsiteName: name,
+					domain
+				},
+				metaRequest
+			});
+		} else customDomainChangeSet.unchanged.push({ name: domain });
+		if (desiredDomainsByWebsite.has(name)) {
+			for (const domain of sdkOwnedDomains) if (!desired.has(domain)) customDomainChangeSet.deletes.push({
+				name: domain,
+				request: {
+					workspaceId,
+					domain
+				}
+			});
+		}
+	}
 	return {
 		changeSet,
+		customDomainChangeSet,
 		conflicts,
 		unmanaged,
 		resourceOwners
@@ -7952,7 +8005,7 @@ function spinner(options) {
 */
 async function getCurrentMigrationNumber(client, workspaceId, namespace) {
 	try {
-		const trn = `${trnPrefix(workspaceId)}:tailordb:${namespace}`;
+		const trn = resourceTrn(workspaceId, "tailordb", namespace);
 		const { metadata } = await client.getMetadata({ trn });
 		const label = metadata?.labels[MIGRATION_LABEL_KEY];
 		if (!label) return 0;
@@ -8033,7 +8086,7 @@ async function executeSingleMigration(options, migration) {
 * @returns {Promise<void>}
 */
 async function updateMigrationLabel(client, workspaceId, namespace, migrationNumber) {
-	const trn = `${trnPrefix(workspaceId)}:tailordb:${namespace}`;
+	const trn = resourceTrn(workspaceId, "tailordb", namespace);
 	const { metadata } = await client.getMetadata({ trn });
 	const existingLabels = metadata?.labels ?? {};
 	const newLabel = `m${formatMigrationNumber(migrationNumber)}`;
@@ -8148,7 +8201,7 @@ async function fetchRemoteTypes(client, workspaceId, namespace) {
 */
 async function getRemoteMigrationNumber(client, workspaceId, namespace) {
 	try {
-		const trn = `${trnPrefix(workspaceId)}:tailordb:${namespace}`;
+		const trn = resourceTrn(workspaceId, "tailordb", namespace);
 		const { metadata } = await client.getMetadata({ trn });
 		const label = metadata?.labels?.["sdk-migration"];
 		if (!label) return null;
@@ -8702,9 +8755,6 @@ function formatTailorDBResourceChangeEntries(typeChangeSet, gqlPermissionChangeS
 		...collectTailorDBDisplayEntries("replace", typeChangeSet.replaces, gqlPermissionChangeSet.replaces)
 	];
 }
-function trn(workspaceId, name) {
-	return `${trnPrefix(workspaceId)}:tailordb:${name}`;
-}
 function normalizeComparableTailorDBService(service) {
 	return normalizeProtoConfig({
 		namespace: service.namespace,
@@ -8741,7 +8791,7 @@ async function planServices(client, workspaceId, appName, appId, tailordbs) {
 	const existingServices = {};
 	await Promise.all(withoutLabel.map(async (resource) => {
 		if (!resource.namespace?.name) return;
-		const { metadata } = await client.getMetadata({ trn: trn(workspaceId, resource.namespace.name) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "tailordb", resource.namespace.name) });
 		existingServices[resource.namespace.name] = {
 			resource,
 			label: metadata?.labels[sdkNameLabelKey],
@@ -8751,7 +8801,7 @@ async function planServices(client, workspaceId, appName, appId, tailordbs) {
 	for (const tailordb of tailordbs) {
 		const existing = existingServices[tailordb.namespace];
 		const metaRequest = await buildMetaRequest({
-			trn: trn(workspaceId, tailordb.namespace),
+			trn: resourceTrn(workspaceId, "tailordb", tailordb.namespace),
 			appName,
 			appId,
 			existingLabels: existing?.allLabels
@@ -9518,7 +9568,7 @@ async function registerJobFunctions(client, changeSet, appName, appId, unchanged
 				scriptRef: workflowJobFunctionName(jobName)
 			});
 			await client.setMetadata(await buildMetaRequest({
-				trn: jobFunctionTrn(workspaceId, jobName),
+				trn: resourceTrn(workspaceId, "workflow_job_function", jobName),
 				appName,
 				appId
 			}));
@@ -9531,9 +9581,9 @@ async function registerJobFunctions(client, changeSet, appName, appId, unchanged
 	}
 	const unusedJobFunctions = existingJobFunctions.filter((jobName) => !allUsedJobNames.has(jobName));
 	await Promise.all(unusedJobFunctions.map(async (jobName) => {
-		const { metadata } = await client.getMetadata({ trn: jobFunctionTrn(workspaceId, jobName) });
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "workflow_job_function", jobName) });
 		if (isOwnedByApp(metadata?.labels, appName, appId)) await client.setMetadata({
-			trn: jobFunctionTrn(workspaceId, jobName),
+			trn: resourceTrn(workspaceId, "workflow_job_function", jobName),
 			labels: { [sdkNameLabelKey]: "" }
 		});
 	}));
@@ -9559,12 +9609,6 @@ function toRetryPolicy(policy) {
 function toConcurrencyPolicy(policy) {
 	return { maxConcurrentExecutions: policy.maxConcurrentExecutions };
 }
-function workflowTrn$1(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:workflow:${name}`;
-}
-function jobFunctionTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:workflow_job_function:${name}`;
-}
 /**
 * Plan workflow changes and job functions based on current and desired state.
 * @param client - Operator client instance
@@ -9594,12 +9638,12 @@ async function planWorkflow(client, workspaceId, appName, appId, workflows, main
 			return [response.workflows, response.nextPageToken];
 		},
 		getName: (resource) => resource.name,
-		getTrn: workflowTrn$1
+		getTrn: (workspaceId, name) => resourceTrn(workspaceId, "workflow", name)
 	});
 	for (const workflow of Object.values(workflows)) {
 		const existing = existingWorkflows[workflow.name];
 		const metaRequest = await buildMetaRequest({
-			trn: workflowTrn$1(workspaceId, workflow.name),
+			trn: resourceTrn(workspaceId, "workflow", workflow.name),
 			appName,
 			appId
 		});
@@ -9728,36 +9772,6 @@ function normalizeRetryPolicyForCompare(policy) {
 
 //#endregion
 //#region src/cli/commands/deploy/deploy.ts
-function applicationTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:application:${name}`;
-}
-function functionRegistryTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:function_registry:${name}`;
-}
-function pipelineTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:pipeline:${name}`;
-}
-function idpTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:idp:${name}`;
-}
-function authTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:auth:${name}`;
-}
-function executorTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:executor:${name}`;
-}
-function workflowTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:workflow:${name}`;
-}
-function staticWebsiteTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:staticwebsite:${name}`;
-}
-function tailorDBTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:tailordb:${name}`;
-}
-function vaultTrn(workspaceId, name) {
-	return `trn:v1:workspace:${workspaceId}:vault:${name}`;
-}
 /**
 * Resolve the set of IdP names that have at least one executor subscribed to
 * their user events. When an executor's idpUser trigger omits the `idp` option
@@ -9779,36 +9793,36 @@ function collectIdpUserTriggerTargets(application) {
 }
 async function shouldForceApplyAll(client, workspaceId, application, functionEntries) {
 	const desiredLabels = (await buildMetaRequest({
-		trn: applicationTrn(workspaceId, application.name),
+		trn: resourceTrn(workspaceId, "application", application.name),
 		appName: application.name,
 		appId: application.id
 	})).labels;
 	const candidateTrns = /* @__PURE__ */ new Set();
-	if (application.subgraphs.length > 0) candidateTrns.add(applicationTrn(workspaceId, application.name));
+	if (application.subgraphs.length > 0) candidateTrns.add(resourceTrn(workspaceId, "application", application.name));
 	application.staticWebsiteServices.forEach((website) => {
-		candidateTrns.add(staticWebsiteTrn(workspaceId, website.name));
+		candidateTrns.add(resourceTrn(workspaceId, "staticwebsite", website.name));
 	});
 	application.resolverServices.forEach((pipeline) => {
-		candidateTrns.add(pipelineTrn(workspaceId, pipeline.namespace));
+		candidateTrns.add(resourceTrn(workspaceId, "pipeline", pipeline.namespace));
 	});
 	application.idpServices.forEach((idp) => {
-		candidateTrns.add(idpTrn(workspaceId, idp.name));
+		candidateTrns.add(resourceTrn(workspaceId, "idp", idp.name));
 	});
-	if (application.authService) candidateTrns.add(authTrn(workspaceId, application.authService.config.name));
+	if (application.authService) candidateTrns.add(resourceTrn(workspaceId, "auth", application.authService.config.name));
 	Object.values(application.executorService?.executors ?? {}).forEach((executor) => {
-		candidateTrns.add(executorTrn(workspaceId, executor.name));
+		candidateTrns.add(resourceTrn(workspaceId, "executor", executor.name));
 	});
 	Object.values(application.workflowService?.workflows ?? {}).forEach((workflow) => {
-		candidateTrns.add(workflowTrn(workspaceId, workflow.name));
+		candidateTrns.add(resourceTrn(workspaceId, "workflow", workflow.name));
 	});
 	application.tailorDBServices.forEach((service) => {
-		candidateTrns.add(tailorDBTrn(workspaceId, service.namespace));
+		candidateTrns.add(resourceTrn(workspaceId, "tailordb", service.namespace));
 	});
 	application.secrets.forEach((vault) => {
-		candidateTrns.add(vaultTrn(workspaceId, vault.vaultName));
+		candidateTrns.add(resourceTrn(workspaceId, "vault", vault.vaultName));
 	});
 	functionEntries.forEach((entry) => {
-		candidateTrns.add(functionRegistryTrn(workspaceId, entry.name));
+		candidateTrns.add(resourceTrn(workspaceId, "function_registry", entry.name));
 	});
 	for (const trn of candidateTrns) try {
 		const { metadata } = await client.getMetadata({ trn });
@@ -9865,6 +9879,7 @@ function printPlanResults(results) {
 	const idpServiceActions = extractServiceActions(results.idp.changeSet.service);
 	const authServiceActions = extractServiceActions(results.auth.changeSet.service);
 	results.staticWebsite.changeSet.print();
+	results.staticWebsite.customDomainChangeSet.print();
 	results.app.print();
 	printGroupedDisplaySection("TailorDB", tailorDBEntries, tailorDBServiceActions);
 	printGroupedDisplaySection("Resolver", pipelineEntries, pipelineServiceActions);
@@ -9914,6 +9929,7 @@ function summarizePlanResults(results, displayEntries, serviceActions) {
 	const nonGrouped = summarizeChangeSets([
 		otherChanges,
 		results.staticWebsite.changeSet,
+		results.staticWebsite.customDomainChangeSet,
 		results.app,
 		results.secretManager.vaultChangeSet,
 		results.secretManager.secretChangeSet
@@ -14488,7 +14504,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-x_mURdR0.mjs");
+	const { defineApplication } = await import("./application-gO_pa5BO.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -16680,5 +16696,5 @@ function isDeno() {
 }
 
 //#endregion
-export { listCommand$5 as $, compareSnapshots as $t, truncate as A, toPageDirection as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, commonArgs as Cn, triggerExecutor as Ct, resumeWorkflow as D, isVerbose as Dn, jobsCommand as Dt, resumeCommand as E, deploymentArgs as En, getExecutorJob as Et, writeDbTypesFile as F, getWorkflowExecution as Ft, organizationTree as G, parseMigrationLabelNumber as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, listWorkflowExecutions as It, listOrganizations as J, DIFF_FILE_NAME as Jt, treeCommand as K, bundleMigrationScript as Kt, openInConfiguredEditor as L, functionExecutionStatusToString as Lt, generate as M, getCommand$5 as Mt, generateCommand as N, getWorkflow as Nt, listCommand$3 as O, pagedLogArgs as On, listExecutorJobs as Ot, generateMigrationScript as P, executionsCommand as Pt, updateFolder as Q, compareLocalTypesWithSnapshot as Qt, show as R, formatKeyValueTable as Rt, listApps as S, defineAppCommand as Sn, triggerCommand as St, healthCommand as T, confirmationArgs as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, MIGRATION_LABEL_KEY as Wt, getOrganization as X, MIGRATE_FILE_NAME as Xt, getCommand$1 as Y, INITIAL_SCHEMA_NUMBER as Yt, updateCommand$2 as Z, SCHEMA_FILE_NAME as Zt, getWorkspace as _, generateUserTypes as _n, listFunctionRegistries as _t, updateUser as a, getNextMigrationNumber as an, createCommand$1 as at, createCommand as b, apiCall as bn, listWebhookExecutors as bt, listCommand as c, reconstructSnapshotFromMigrations as cn, listOAuth2Clients as ct, inviteUser as d, formatMigrationDiff as dn, getMachineUserToken as dt, createSnapshotFromLocalTypes as en, listFolders as et, restoreCommand as f, hasChanges as fn, tokenCommand as ft, getCommand as g, PluginManager as gn, listCommand$8 as gt, listWorkspaces as h, trnPrefix as hn, generate$1 as ht, updateCommand as i, getMigrationFiles as in, deleteFolder as it, truncateCommand as j, workspaceArgs as jn, startWorkflow as jt, listWorkflows as k, paginationArgs as kn, watchExecutorJob as kt, listUsers as l, formatMigrationNumber as ln, getCommand$3 as lt, listCommand$1 as m, sdkNameLabelKey as mn, listMachineUsers as mt, query as n, getMigrationDirPath as nn, getFolder as nt, removeCommand as o, isValidMigrationNumber as on, createFolder as ot, restoreWorkspace as p, getNamespacesWithMigrations as pn, listCommand$7 as pt, listCommand$4 as q, DB_TYPES_FILE_NAME as qt, queryCommand as r, getMigrationFilePath as rn, deleteCommand$1 as rt, removeUser as s, loadDiff as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, getLatestMigrationNumber as tn, getCommand$2 as tt, inviteCommand as u, formatDiffSummary as un, getOAuth2Client as ut, deleteCommand as v, prompt as vn, getCommand$4 as vt, getAppHealth as w, configArg as wn, listCommand$9 as wt, createWorkspace as x, assertWritable as xn, webhookCommand as xt, deleteWorkspace as y, apiCommand as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-1YuaoNr8.mjs.map
+export { listCommand$5 as $, compareSnapshots as $t, truncate as A, toPageDirection as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, commonArgs as Cn, triggerExecutor as Ct, resumeWorkflow as D, isVerbose as Dn, jobsCommand as Dt, resumeCommand as E, deploymentArgs as En, getExecutorJob as Et, writeDbTypesFile as F, getWorkflowExecution as Ft, organizationTree as G, parseMigrationLabelNumber as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, listWorkflowExecutions as It, listOrganizations as J, DIFF_FILE_NAME as Jt, treeCommand as K, bundleMigrationScript as Kt, openInConfiguredEditor as L, functionExecutionStatusToString as Lt, generate as M, getCommand$5 as Mt, generateCommand as N, getWorkflow as Nt, listCommand$3 as O, pagedLogArgs as On, listExecutorJobs as Ot, generateMigrationScript as P, executionsCommand as Pt, updateFolder as Q, compareLocalTypesWithSnapshot as Qt, show as R, formatKeyValueTable as Rt, listApps as S, defineAppCommand as Sn, triggerCommand as St, healthCommand as T, confirmationArgs as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, MIGRATION_LABEL_KEY as Wt, getOrganization as X, MIGRATE_FILE_NAME as Xt, getCommand$1 as Y, INITIAL_SCHEMA_NUMBER as Yt, updateCommand$2 as Z, SCHEMA_FILE_NAME as Zt, getWorkspace as _, generateUserTypes as _n, listFunctionRegistries as _t, updateUser as a, getNextMigrationNumber as an, createCommand$1 as at, createCommand as b, apiCall as bn, listWebhookExecutors as bt, listCommand as c, reconstructSnapshotFromMigrations as cn, listOAuth2Clients as ct, inviteUser as d, formatMigrationDiff as dn, getMachineUserToken as dt, createSnapshotFromLocalTypes as en, listFolders as et, restoreCommand as f, hasChanges as fn, tokenCommand as ft, getCommand as g, PluginManager as gn, listCommand$8 as gt, listWorkspaces as h, sdkNameLabelKey as hn, generate$1 as ht, updateCommand as i, getMigrationFiles as in, deleteFolder as it, truncateCommand as j, workspaceArgs as jn, startWorkflow as jt, listWorkflows as k, paginationArgs as kn, watchExecutorJob as kt, listUsers as l, formatMigrationNumber as ln, getCommand$3 as lt, listCommand$1 as m, resourceTrn as mn, listMachineUsers as mt, query as n, getMigrationDirPath as nn, getFolder as nt, removeCommand as o, isValidMigrationNumber as on, createFolder as ot, restoreWorkspace as p, getNamespacesWithMigrations as pn, listCommand$7 as pt, listCommand$4 as q, DB_TYPES_FILE_NAME as qt, queryCommand as r, getMigrationFilePath as rn, deleteCommand$1 as rt, removeUser as s, loadDiff as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, getLatestMigrationNumber as tn, getCommand$2 as tt, inviteCommand as u, formatDiffSummary as un, getOAuth2Client as ut, deleteCommand as v, prompt as vn, getCommand$4 as vt, getAppHealth as w, configArg as wn, listCommand$9 as wt, createWorkspace as x, assertWritable as xn, webhookCommand as xt, deleteWorkspace as y, apiCommand as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
+//# sourceMappingURL=runtime-BC-FbQkg.mjs.map