@tailor-platform/sdk 1.60.2 → 1.62.0

package/dist/{runtime-CZpsV8vj.mjs → runtime-C6o4hiYq.mjs}

@@ -1,8 +1,10 @@
 
-import { t as db } from "./schema-DYKNTu-n.mjs";
-import { $ as Subgraph_ServiceType, A as IdPLang, B as AuthIDPConfig_AuthType, C as TailorDBGQLPermission_Operator, D as TailorDBType_PermitAction, E as TailorDBType_Permission_Permit, F as ExecutorJobStatus, G as AuthSCIMAttribute_Type, H as AuthOAuth2Client_ClientType, I as ExecutorTargetType, K as AuthSCIMAttribute_Uniqueness, L as ExecutorTriggerType, M as IdPPermissionPermit, N as FunctionExecution_Status, Q as ApplicationSchemaUpdateAttemptStatus, R as AuthConnection_Type, S as TailorDBGQLPermission_Action, T as TailorDBType_Permission_Operator, U as AuthOAuth2Client_GrantType, V as AuthInvokerSchema, W as AuthSCIMAttribute_Mutability, X as UserProfileProviderConfig_UserProfileProviderType, Y as TenantProviderConfig_TenantProviderType, Z as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, _ as userAgent, a as fetchAll, b as WorkflowExecution_Status, et as ConditionSchema, f as initOperatorClient, h as resolveStaticWebsiteUrls, j as IdPPermissionOperator, k as PipelineResolver_OperationType, m as platformBaseUrl, nt as FilterSchema, o as fetchMachineUserToken, q as AuthSCIMConfig_AuthorizationType, rt as PageDirection, s as fetchPaged, tt as Condition_Operator, v as OperatorService, w as TailorDBGQLPermission_Permit, x as WorkflowJobExecution_Status, y as WorkspacePlatformUserRole, z as AuthHookPoint } from "./client-W5P4NYYX.mjs";
+import { t as db } from "./schema-1msIhXwA.mjs";
+import { $ as CreateExecutorExecutorRequestSchema, A as TailorDBGQLPermission_Permit, At as AuthSCIMAttribute_Type, B as UpdateSecretManagerSecretRequestSchema, Bt as Subgraph_ServiceType, C as WorkflowExecution_Status, Ct as AuthConnection_Type, D as UpdateTailorDBTypeRequestSchema, Dt as AuthOAuth2Client_ClientType, E as CreateTailorDBTypeRequestSchema, Et as AuthInvokerSchema, F as CreateStaticWebsiteRequestSchema, Ft as UserProfileProviderConfig_UserProfileProviderType, G as PipelineResolver_OperationType, H as CreatePipelineServiceRequestSchema, Ht as Condition_Operator, I as UpdateStaticWebsiteRequestSchema, It as CreateApplicationRequestSchema, J as IdPLang, K as CreateIdPServiceRequestSchema, Lt as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, M as TailorDBType_Permission_Permit, Mt as AuthSCIMConfig_AuthorizationType, N as TailorDBType_PermitAction, O as TailorDBGQLPermission_Action, Ot as AuthOAuth2Client_GrantType, P as AddCustomDomainRequestSchema, Pt as TenantProviderConfig_TenantProviderType, R as CreateSecretManagerSecretRequestSchema, Rt as UpdateApplicationRequestSchema, S as UpdateWorkflowRequestSchema, St as UpdateUserProfileConfigRequestSchema, T as CreateTailorDBServiceRequestSchema, Tt as AuthIDPConfig_AuthType, U as UpdatePipelineResolverRequestSchema, Ut as FilterSchema, V as CreatePipelineResolverRequestSchema, Vt as ConditionSchema, W as UpdatePipelineServiceRequestSchema, Wt as PageDirection, X as IdPPermissionPermit, Y as IdPPermissionOperator, Z as FunctionExecution_Status, _ as userAgent, _t as UpdateAuthOAuth2ClientRequestSchema, a as fetchAll, at as CreateAuthHookRequestSchema, b as CreateWorkflowJobFunctionRequestSchema, bt as UpdateAuthServiceRequestSchema, ct as CreateAuthOAuth2ClientRequestSchema, dt as CreateAuthServiceRequestSchema, et as UpdateExecutorExecutorRequestSchema, f as initOperatorClient, ft as CreateTenantConfigRequestSchema, gt as UpdateAuthMachineUserRequestSchema, h as resolveStaticWebsiteUrls, ht as UpdateAuthIDPConfigRequestSchema, it as CreateAuthConnectionRequestSchema, j as TailorDBType_Permission_Operator, jt as AuthSCIMAttribute_Uniqueness, k as TailorDBGQLPermission_Operator, kt as AuthSCIMAttribute_Mutability, lt as CreateAuthSCIMConfigRequestSchema, m as platformBaseUrl, mt as UpdateAuthHookRequestSchema, nt as ExecutorTargetType, o as fetchMachineUserToken, ot as CreateAuthIDPConfigRequestSchema, pt as CreateUserProfileConfigRequestSchema, q as UpdateIdPServiceRequestSchema, rt as ExecutorTriggerType, s as fetchPaged, st as CreateAuthMachineUserRequestSchema, tt as ExecutorJobStatus, ut as CreateAuthSCIMResourceRequestSchema, v as OperatorService, vt as UpdateAuthSCIMConfigRequestSchema, w as WorkflowJobExecution_Status, wt as AuthHookPoint, x as CreateWorkflowRequestSchema, xt as UpdateTenantConfigRequestSchema, y as WorkspacePlatformUserRole, yt as UpdateAuthSCIMResourceRequestSchema, z as CreateSecretManagerVaultRequestSchema, zt as ApplicationSchemaUpdateAttemptStatus } from "./client-CobIRHl-.mjs";
+import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { A as loadConfigPath, C as getDistDir, E as loadConfig, F as writePlatformConfig, M as readPlatformConfig, S as createBundleCache, T as hashFile, _ as loadFilesWithIgnores, c as createExecutorService, d as buildExecutorArgsExpr, f as buildResolverOperationHookExpr, g as stringifyFunction, h as TailorDBTypeSchema, j as loadWorkspaceId, k as loadAccessToken, m as assertUniqueTailorDBTypeNamesWithExternal, n as generatePluginFilesIfNeeded, p as assertUniqueLocalTailorDBTypeNames, r as loadApplication, s as HTTP_METHODS, t as defineApplication, v as platformBundleDefinePlugin } from "./application-pusdxz35.mjs";
+import { C as loadConfig, D as loadConfigPath, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, S as hashFile, b as getDistDir, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, k as readPlatformConfig, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, y as createBundleCache } from "./application-BezXGbrU.mjs";
+import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
 import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
 import { n as isCLIError, t as createCLIError } from "./errors-EsY4XO6O.mjs";
@@ -33,6 +35,9 @@ import * as fs from "node:fs/promises";
 import { glob } from "node:fs/promises";
 import { parseSync } from "oxc-parser";
 import * as inflection from "inflection";
+import pLimit from "p-limit";
+import { pathToString } from "@bufbuild/protobuf/reflect";
+import { createValidator } from "@bufbuild/protovalidate";
 import { setTimeout as setTimeout$1 } from "timers/promises";
 import { spawn } from "node:child_process";
 import { watch } from "chokidar";
@@ -54,7 +59,9 @@ const durationPattern = /^(\d+)(ms|s|m)$/;
 */
 const durationArg = z.string().refine((val) => durationPattern.test(val), { message: "Invalid duration format. Expected format: '3s', '500ms', '1m'" }).refine((val) => {
 	const match = val.match(durationPattern);
-	return parseInt(match[1], 10) > 0;
+	if (!match) return false;
+	const digits = match[1];
+	return digits !== void 0 && parseInt(digits, 10) > 0;
 }, { message: "Duration must be greater than 0" });
 /**
 * Parse a validated duration string into milliseconds
@@ -62,8 +69,8 @@ const durationArg = z.string().refine((val) => durationPattern.test(val), { mess
 * @returns Duration in milliseconds
 */
 function parseDuration(duration) {
-	const match = duration.match(durationPattern);
-	return parseInt(match[1], 10) * unitToMs[match[2]];
+	const match = assertDefined(duration.match(durationPattern), `invalid duration format: ${duration}`);
+	return parseInt(assertDefined(match[1], "duration digits group missing"), 10) * unitToMs[assertDefined(match[2], "duration unit group missing")];
 }
 /**
 * Schema for positive integer validation (from string input)
@@ -308,10 +315,7 @@ async function assertWritable(opts) {
 * @returns Response status and data
 */
 async function apiCall(options) {
-	const accessToken = await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	});
+	const accessToken = await loadAccessToken({ profile: options.profile });
 	let endpointPath;
 	if (options.endpoint.includes("/")) endpointPath = options.endpoint;
 	else endpointPath = `tailor.v1.OperatorService/${options.endpoint}`;
@@ -650,7 +654,7 @@ const listCommand$10 = defineAppCommand({
 function resolveNamespaceName(methodName, config) {
 	if (/Auth|Tenant|UserProfile/.test(methodName)) return config.auth?.name;
 	if (/IdP/.test(methodName)) {
-		if (config.idp?.length === 1) return config.idp[0].name;
+		if (config.idp?.length === 1) return assertDefined(config.idp[0], "idp config missing").name;
 		return;
 	}
 	if (/TailorDB/.test(methodName)) {
@@ -691,12 +695,12 @@ function parseBodyAsObject(body) {
 function setNestedPath(obj, path, value) {
 	let cursor = obj;
 	for (let i = 0; i < path.length - 1; i++) {
-		const key = path[i];
+		const key = assertDefined(path[i], "path segment missing");
 		const next = cursor[key];
 		if (typeof next !== "object" || next === null || Array.isArray(next)) cursor[key] = {};
 		cursor = cursor[key];
 	}
-	cursor[path[path.length - 1]] = value;
+	cursor[assertDefined(path[path.length - 1], "path last segment missing")] = value;
 }
 /**
 * Coerces a raw `--field` string value to match the leaf proto type so the
@@ -1321,7 +1325,7 @@ var PluginManager = class {
 			};
 		}
 		if (output.types && Object.keys(output.types).length > 0) {
-			const importPath = plugin.importPath;
+			const importPath = assertDefined(plugin.importPath, `plugin "${plugin.id}" missing importPath`);
 			for (const [kind, type] of Object.entries(output.types)) this.generatedTypes.push({
 				pluginId: context.pluginId,
 				pluginImportPath: importPath,
@@ -1384,7 +1388,7 @@ var PluginManager = class {
 				});
 			}
 			if (output.types && Object.keys(output.types).length > 0) {
-				const importPath = plugin.importPath;
+				const importPath = assertDefined(plugin.importPath, `plugin "${plugin.id}" missing importPath`);
 				for (const [kind, type] of Object.entries(output.types)) {
 					const typeKey = `${pluginId}:${kind}:${type.name}`;
 					if (this.namespaceGeneratedTypeKeys.has(typeKey)) continue;
@@ -1593,13 +1597,13 @@ function copyMetadataToExtendedType(original, extended) {
 	let result = extended;
 	if (original._description) result = result.description(original._description);
 	const metadata = original.metadata;
-	if (metadata.files && Object.keys(metadata.files).length > 0) result = result.files(metadata.files);
+	if (Object.keys(metadata.files).length > 0) result = result.files(metadata.files);
 	if (metadata.settings) {
 		const { pluralForm: _pluralForm, ...features } = metadata.settings;
 		if (Object.keys(features).length > 0) result = result.features(features);
 	}
-	if (metadata.permissions?.record) result = result.permission(metadata.permissions.record);
-	if (metadata.permissions?.gql) result = result.gqlPermission(metadata.permissions.gql);
+	if (metadata.permissions.record) result = result.permission(metadata.permissions.record);
+	if (metadata.permissions.gql) result = result.gqlPermission(metadata.permissions.gql);
 	if (metadata.indexes && Object.keys(metadata.indexes).length > 0) {
 		const indexDefs = Object.entries(metadata.indexes).map(([name, def]) => ({
 			name,
@@ -1608,7 +1612,7 @@ function copyMetadataToExtendedType(original, extended) {
 		}));
 		result = result.indexes(...indexDefs);
 	}
-	if (original.plugins && original.plugins.length > 0) for (const plugin of original.plugins) result = result.plugin({ [plugin.pluginId]: plugin.config });
+	if (original.plugins.length > 0) for (const plugin of original.plugins) result = result.plugin({ [plugin.pluginId]: plugin.config });
 	return result;
 }
 
@@ -1815,15 +1819,15 @@ async function applyApplication(client, changeSet, phase = "create-update") {
 	if (phase === "create-update") {
 		const updates = [...changeSet.updates, ...changeSet.unchanged];
 		await Promise.all([...changeSet.creates.map(async (create) => {
-			create.request.cors = await resolveStaticWebsiteUrls(client, create.request.workspaceId, create.request.cors, "CORS");
+			create.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(create.request.workspaceId, "request missing workspaceId"), create.request.cors, "CORS");
 			await client.createApplication(create.request);
 			await client.setMetadata(create.metaRequest);
 		}), ...updates.map(async (update) => {
-			update.request.cors = await resolveStaticWebsiteUrls(client, update.request.workspaceId, update.request.cors, "CORS");
+			update.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(update.request.workspaceId, "request missing workspaceId"), update.request.cors, "CORS");
 			await client.updateApplication(update.request);
 			await client.setMetadata(update.metaRequest);
 		})]);
-	} else if (phase === "delete") await Promise.all(changeSet.deletes.map(async (del) => {
+	} else await Promise.all(changeSet.deletes.map(async (del) => {
 		await client.deleteApplication(del.request);
 	}));
 }
@@ -1832,7 +1836,7 @@ function sortStrings(values) {
 }
 function normalizeSubgraphs(subgraphs) {
 	return [...subgraphs ?? []].map((subgraph) => ({
-		serviceType: subgraph.serviceType,
+		serviceType: assertDefined(subgraph.serviceType, "subgraph missing serviceType"),
 		serviceNamespace: subgraph.serviceNamespace ?? ""
 	})).toSorted((left, right) => {
 		if (left.serviceType !== right.serviceType) return left.serviceType - right.serviceType;
@@ -1928,7 +1932,7 @@ async function planApplication(context, httpAdapterBuildResult) {
 	if (application.subgraphs.length === 0) return changeSet;
 	let authNamespace;
 	let authIdpConfigName;
-	if (application.authService && application.authService.config) {
+	if (application.authService) {
 		authNamespace = application.authService.config.name;
 		const idProvider = application.authService.config.idProvider;
 		if (idProvider) authIdpConfigName = idProvider.name;
@@ -1938,7 +1942,7 @@ async function planApplication(context, httpAdapterBuildResult) {
 			try {
 				const { idpConfigs, nextPageToken } = await client.listAuthIDPConfigs({
 					workspaceId,
-					namespaceName: authNamespace,
+					namespaceName: assertDefined(authNamespace, "authNamespace must be set before listing IDP configs"),
 					pageToken,
 					pageSize: maxPageSize
 				});
@@ -1948,7 +1952,10 @@ async function planApplication(context, httpAdapterBuildResult) {
 				throw error;
 			}
 		});
-		if (idpConfigs.length > 0) authIdpConfigName = idpConfigs[0].name;
+		if (idpConfigs.length > 0) {
+			const [firstConfig] = idpConfigs;
+			if (firstConfig) authIdpConfigName = firstConfig.name;
+		}
 	}
 	const metaRequest = await buildMetaRequest({
 		trn: resourceTrn(workspaceId, "application", application.name),
@@ -2191,7 +2198,7 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 	const unmanaged = [];
 	const resourceOwners = /* @__PURE__ */ new Set();
 	const desiredConnections = {};
-	for (const auth of auths) if (auth.connections) for (const [name, config] of Object.entries(auth.connections)) desiredConnections[name] = config;
+	for (const auth of auths) for (const [name, config] of Object.entries(auth.connections)) desiredConnections[name] = config;
 	const existingList = await fetchAll(async (pageToken, maxPageSize) => {
 		try {
 			const { connections, nextPageToken } = await client.listAuthConnections({
@@ -2280,7 +2287,7 @@ async function planAuthConnections(client, workspaceId, appName, appId, auths) {
 function extractOAuth2Config(connection) {
 	if (!connection) return void 0;
 	const config = connection.config;
-	if (!config || config.case !== "oauth2" || !config.value) return void 0;
+	if (!config || config.case !== "oauth2") return void 0;
 	const v = config.value;
 	return {
 		type: "oauth2",
@@ -2324,7 +2331,7 @@ async function applyAuthConnections(client, result, phase) {
 			if (oauth2) state.connections[replace.name] = hashConnectionConfig(oauth2);
 		}
 		saveSecretsState(state);
-	} else if (phase === "delete-resources" || phase === "delete") {
+	} else {
 		await Promise.all(changeSet.deletes.map(async (del) => {
 			await client.deleteAuthConnection(del.request);
 		}));
@@ -2662,7 +2669,7 @@ async function applyFunctionRegistry(client, workspaceId, result, phase = "creat
 			await uploadFunctionScript(client, workspaceId, update.entry, false);
 			await client.setMetadata(update.metaRequest);
 		}
-	} else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteFunctionRegistry({
+	} else await Promise.all(changeSet.deletes.map((del) => client.deleteFunctionRegistry({
 		workspaceId: del.workspaceId,
 		name: del.name
 	})));
@@ -2874,11 +2881,11 @@ function printGroupedDisplaySection(title, entries, serviceActions) {
 			namespaceOrder.push(ns);
 			byNamespace.set(ns, []);
 		}
-		byNamespace.get(ns).push(entry);
+		assertDefined(byNamespace.get(ns), "namespace group missing").push(entry);
 	}
 	const printedServices = /* @__PURE__ */ new Set();
 	for (const ns of namespaceOrder) {
-		const group = byNamespace.get(ns);
+		const group = assertDefined(byNamespace.get(ns), "namespace group missing");
 		if (ns) {
 			const svcAction = serviceMap.get(ns);
 			const prefix = svcAction ? `${ACTION_SYMBOLS[svcAction]} ` : "";
@@ -3041,8 +3048,8 @@ async function applyIdP(client, result, phase = "create-update") {
 		})]);
 		await Promise.all([...changeSet.client.creates.map(async (create) => {
 			const resp = await client.createIdPClient(create.request);
-			const vaultName = idpClientVaultName(create.request.namespaceName, create.request.client?.name || "");
-			const secretName = idpClientSecretName(create.request.namespaceName, create.request.client?.name || "");
+			const vaultName = idpClientVaultName(assertDefined(create.request.namespaceName, "request missing namespaceName"), create.request.client?.name || "");
+			const secretName = idpClientSecretName(assertDefined(create.request.namespaceName, "request missing namespaceName"), create.request.client?.name || "");
 			await client.createSecretManagerVault({
 				workspaceId: create.request.workspaceId,
 				secretmanagerVaultName: vaultName
@@ -3084,7 +3091,7 @@ async function applyIdP(client, result, phase = "create-update") {
 			secretmanagerVaultName: vaultName
 		});
 	}));
-	else if (phase === "delete-services") await Promise.all(changeSet.service.deletes.map((del) => client.deleteIdPService(del.request)));
+	else await Promise.all(changeSet.service.deletes.map((del) => client.deleteIdPService(del.request)));
 }
 /**
 * Plan IdP-related changes based on current and desired state.
@@ -3323,10 +3330,9 @@ async function planClients(client, workspaceId, idps, deletedServices, forceAppl
 		});
 	};
 	const clientsByIdp = await Promise.all(idps.map((idp) => fetchClients(idp.name)));
-	for (let i = 0; i < idps.length; i++) {
-		const idp = idps[i];
+	for (const [i, idp] of idps.entries()) {
 		const namespaceName = idp.name;
-		const existingClients = clientsByIdp[i];
+		const existingClients = assertDefined(clientsByIdp[i], "clientsByIdp missing entry for idp index");
 		const existingNameMap = /* @__PURE__ */ new Map();
 		existingClients.forEach((client) => {
 			existingNameMap.set(client.name, client.clientSecret);
@@ -3360,19 +3366,16 @@ async function planClients(client, workspaceId, idps, deletedServices, forceAppl
 		});
 	}
 	const deletedClientsByService = await Promise.all(deletedServices.map((namespaceName) => fetchClients(namespaceName)));
-	for (let i = 0; i < deletedServices.length; i++) {
-		const namespaceName = deletedServices[i];
-		deletedClientsByService[i].forEach((client) => {
-			changeSet.deletes.push({
-				name: client.name,
-				request: {
-					workspaceId,
-					namespaceName,
-					name: client.name
-				}
-			});
+	for (const [i, namespaceName] of deletedServices.entries()) assertDefined(deletedClientsByService[i], "deletedClientsByService missing entry for service index").forEach((client) => {
+		changeSet.deletes.push({
+			name: client.name,
+			request: {
+				workspaceId,
+				namespaceName,
+				name: client.name
+			}
 		});
-	}
+	});
 	return changeSet;
 }
 function convertLang(lang) {
@@ -3487,12 +3490,12 @@ async function applyAuth(client, result, phase = "create-update") {
 			await client.updateAuthService(update.request);
 			await client.setMetadata(update.metaRequest);
 		})]);
-		if (changeSet.connection) await applyAuthConnections(client, { changeSet: changeSet.connection }, "create-update");
+		await applyAuthConnections(client, { changeSet: changeSet.connection }, "create-update");
 		await Promise.all([...changeSet.idpConfig.creates.map(async (create) => {
-			if (create.idpConfig.kind === "BuiltInIdP") create.request.idpConfig.config = await protoBuiltinIdPConfig(client, create.request.workspaceId, create.idpConfig);
+			if (create.idpConfig.kind === "BuiltInIdP") assertDefined(create.request.idpConfig, "request missing idpConfig").config = await protoBuiltinIdPConfig(client, assertDefined(create.request.workspaceId, "request missing workspaceId"), create.idpConfig);
 			return client.createAuthIDPConfig(create.request);
 		}), ...changeSet.idpConfig.updates.map(async (update) => {
-			if (update.idpConfig.kind === "BuiltInIdP") update.request.idpConfig.config = await protoBuiltinIdPConfig(client, update.request.workspaceId, update.idpConfig);
+			if (update.idpConfig.kind === "BuiltInIdP") assertDefined(update.request.idpConfig, "request missing idpConfig").config = await protoBuiltinIdPConfig(client, assertDefined(update.request.workspaceId, "request missing workspaceId"), update.idpConfig);
 			return client.updateAuthIDPConfig(update.request);
 		})]);
 		await Promise.all([...changeSet.userProfileConfig.creates.map((create) => client.createUserProfileConfig(create.request)), ...changeSet.userProfileConfig.updates.map((update) => client.updateUserProfileConfig(update.request))]);
@@ -3500,15 +3503,18 @@ async function applyAuth(client, result, phase = "create-update") {
 		await Promise.all([...changeSet.machineUser.creates.map((create) => client.createAuthMachineUser(create.request)), ...changeSet.machineUser.updates.map((update) => client.updateAuthMachineUser(update.request))]);
 		await Promise.all([...changeSet.authHook.creates.map((create) => client.createAuthHook(create.request)), ...changeSet.authHook.updates.map((update) => client.updateAuthHook(update.request))]);
 		await Promise.all([...changeSet.oauth2Client.creates.map(async (create) => {
-			create.request.oauth2Client.redirectUris = await resolveStaticWebsiteUrls(client, create.request.workspaceId, create.request.oauth2Client.redirectUris, "OAuth2 redirect URIs");
+			const oauth2Client = assertDefined(create.request.oauth2Client, "request missing oauth2Client");
+			oauth2Client.redirectUris = await resolveStaticWebsiteUrls(client, assertDefined(create.request.workspaceId, "request missing workspaceId"), oauth2Client.redirectUris, "OAuth2 redirect URIs");
 			return client.createAuthOAuth2Client(create.request);
 		}), ...changeSet.oauth2Client.updates.map(async (update) => {
-			update.request.oauth2Client.redirectUris = await resolveStaticWebsiteUrls(client, update.request.workspaceId, update.request.oauth2Client.redirectUris, "OAuth2 redirect URIs");
+			const oauth2Client = assertDefined(update.request.oauth2Client, "request missing oauth2Client");
+			oauth2Client.redirectUris = await resolveStaticWebsiteUrls(client, assertDefined(update.request.workspaceId, "request missing workspaceId"), oauth2Client.redirectUris, "OAuth2 redirect URIs");
 			return client.updateAuthOAuth2Client(update.request);
 		})]);
 		for (const replace of changeSet.oauth2Client.replaces) {
 			await client.deleteAuthOAuth2Client(replace.deleteRequest);
-			replace.createRequest.oauth2Client.redirectUris = await resolveStaticWebsiteUrls(client, replace.createRequest.workspaceId, replace.createRequest.oauth2Client.redirectUris, "OAuth2 redirect URIs");
+			const replaceOauth2Client = assertDefined(replace.createRequest.oauth2Client, "createRequest missing oauth2Client");
+			replaceOauth2Client.redirectUris = await resolveStaticWebsiteUrls(client, assertDefined(replace.createRequest.workspaceId, "createRequest missing workspaceId"), replaceOauth2Client.redirectUris, "OAuth2 redirect URIs");
 			await client.createAuthOAuth2Client(replace.createRequest);
 		}
 		await Promise.all([...changeSet.scim.creates.map((create) => client.createAuthSCIMConfig(create.request)), ...changeSet.scim.updates.map((update) => client.updateAuthSCIMConfig(update.request))]);
@@ -3522,8 +3528,8 @@ async function applyAuth(client, result, phase = "create-update") {
 		await Promise.all(changeSet.tenantConfig.deletes.map((del) => client.deleteTenantConfig(del.request)));
 		await Promise.all(changeSet.userProfileConfig.deletes.map((del) => client.deleteUserProfileConfig(del.request)));
 		await Promise.all(changeSet.idpConfig.deletes.map((del) => client.deleteAuthIDPConfig(del.request)));
-		if (changeSet.connection) await applyAuthConnections(client, { changeSet: changeSet.connection }, "delete-resources");
-	} else if (phase === "delete-services") await Promise.all(changeSet.service.deletes.map((del) => client.deleteAuthService(del.request)));
+		await applyAuthConnections(client, { changeSet: changeSet.connection }, "delete-resources");
+	} else await Promise.all(changeSet.service.deletes.map((del) => client.deleteAuthService(del.request)));
 }
 /**
 * Plan auth-related changes based on current and desired state.
@@ -3789,7 +3795,7 @@ function protoIdPConfig(idpConfig) {
 			config: { config: {
 				case: "saml",
 				value: {
-					...idpConfig.metadataURL !== void 0 ? { metadataUrl: idpConfig.metadataURL } : { rawMetadata: idpConfig.rawMetadata },
+					...idpConfig.metadataURL !== void 0 ? { metadataUrl: idpConfig.metadataURL } : { rawMetadata: assertDefined(idpConfig.rawMetadata, "SAML config missing rawMetadata") },
 					enableSignRequest: idpConfig.enableSignRequest,
 					defaultRedirectUrl: idpConfig.defaultRedirectURL
 				}
@@ -4191,7 +4197,7 @@ async function planOAuth2Clients(client, workspaceId, auths, deletedServices, ex
 			const newOAuth2Client = protoOAuth2Client(oauth2ClientName, oauth2Client);
 			const resolvedRedirectUris = await resolveStaticWebsiteUrls(client, workspaceId, newOAuth2Client.redirectUris ?? [], "OAuth2 redirect URIs", { expectedLocalNames: expectedLocalWebsites });
 			if (existingClientsMap.has(oauth2ClientName)) {
-				const existingClient = existingClientsMap.get(oauth2ClientName);
+				const existingClient = assertDefined(existingClientsMap.get(oauth2ClientName), "existingClientsMap missing entry for oauth2ClientName");
 				if (existingClient.clientType !== newOAuth2Client.clientType) changeSet.replaces.push({
 					name: oauth2ClientName,
 					deleteRequest: {
@@ -4648,7 +4654,7 @@ async function ensureConfigId(configPath) {
 	findDefineConfigCalls(program, calls);
 	if (calls.length === 0) return null;
 	if (calls.length > 1) throw new Error(`Multiple defineConfig() calls found in ${configPath}. Only one is supported.`);
-	const { configObj } = calls[0];
+	const { configObj } = assertDefined(calls[0], "defineConfig call site missing");
 	if (!configObj) throw new Error(`defineConfig() argument must be an inline object literal in ${configPath} so the SDK can manage the 'id' field.`);
 	const idProp = findIdProperty(configObj);
 	if (idProp) {
@@ -4675,7 +4681,7 @@ const idComment = "// SDK-managed app id — do not edit, except when copying th
 function insertIdProperty(source, configObj, id) {
 	const idLiteral = `id: ${JSON.stringify(id)}`;
 	if (configObj.properties.length > 0) {
-		const firstProp = configObj.properties[0];
+		const firstProp = assertDefined(configObj.properties[0], "first property missing");
 		const lineStart = source.lastIndexOf("\n", firstProp.start - 1) + 1;
 		const indent = source.slice(lineStart, firstProp.start);
 		const insertion = `${idComment}\n${indent}${idLiteral},\n${indent}`;
@@ -4927,7 +4933,7 @@ async function applyExecutor(client, result, phase = "create-update") {
 		await client.updateExecutorExecutor(update.request);
 		await client.setMetadata(update.metaRequest);
 	})]);
-	else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteExecutorExecutor(del.request)));
+	else await Promise.all(changeSet.deletes.map((del) => client.deleteExecutorExecutor(del.request)));
 }
 /**
 * Plan executor-related changes based on current and desired state.
@@ -5042,7 +5048,7 @@ function formatExecutorChangeEntries(changeSet, executors, functionRegistryExecu
 	});
 }
 function normalizeComparableExecutor(executor) {
-	const normalized = normalizeProtoConfig(executor) ?? {};
+	const normalized = normalizeProtoConfig(executor);
 	const webhookHeaders = normalized.targetConfig?.config?.case === "webhook" ? (normalized.targetConfig.config.value.headers ?? []).toSorted((left, right) => (left.key ?? "").localeCompare(right.key ?? "")) : void 0;
 	const triggerConfig = normalized.triggerConfig?.config?.case === "incomingWebhook" ? {
 		...normalized.triggerConfig,
@@ -5095,7 +5101,7 @@ function areExecutorsEqual(existing, desired) {
 	return areNormalizedEqual(normalizeComparableExecutor(existing), normalizeComparableExecutor(desired));
 }
 function resolveTailorDBNamespace(application, typeName) {
-	for (const service of application.tailorDBServices) if (service.types[typeName]) return service.namespace;
+	for (const service of application.tailorDBServices) if (Object.hasOwn(service.types, typeName)) return service.namespace;
 	throw new Error(`TailorDB type "${typeName}" not found in any namespace. Available namespaces: ${application.tailorDBServices.map((s) => s.namespace).join(", ")}`);
 }
 function resolveResolverNamespace(application, resolverName) {
@@ -5116,7 +5122,7 @@ function resolveIdpNamespace(application, executorName, idpName) {
 		const available = application.idpServices.map((idp) => idp.name).join(", ");
 		throw new Error(`Executor "${executorName}" uses an idpUser trigger but the project defines multiple IdPs (${available}). Specify which IdP to subscribe to via the trigger's "idp" option.`);
 	}
-	return application.idpServices[0].name;
+	return assertDefined(application.idpServices[0], "idp service missing").name;
 }
 function resolveAuthNamespace(application) {
 	if (!application.authService) throw new Error("No Auth service configured");
@@ -5345,7 +5351,7 @@ async function applyPipeline(client, result, phase = "create-update") {
 		})]);
 		await Promise.all([...changeSet.resolver.creates.map((create) => client.createPipelineResolver(create.request)), ...changeSet.resolver.updates.map((update) => client.updatePipelineResolver(update.request))]);
 	} else if (phase === "delete-resources") await Promise.all(changeSet.resolver.deletes.map((del) => client.deletePipelineResolver(del.request)));
-	else if (phase === "delete-services") await Promise.all(changeSet.service.deletes.map((del) => client.deletePipelineService(del.request)));
+	else await Promise.all(changeSet.service.deletes.map((del) => client.deletePipelineService(del.request)));
 }
 /**
 * Plan resolver pipeline changes based on current and desired state.
@@ -5544,7 +5550,7 @@ function formatResolverChangeEntries(changeSet, resolverFunctionChanges) {
 	}, { getNamespace: (item) => item.request.namespaceName });
 }
 function normalizeComparableResolver(resolver) {
-	const normalized = normalizeProtoConfig(resolver) ?? {};
+	const normalized = normalizeProtoConfig(resolver);
 	return {
 		name: normalized.name,
 		description: normalized.description ?? "",
@@ -5609,7 +5615,7 @@ function processResolver(namespace, resolver, executorUsedResolvers, env, authNa
 	}];
 	const typeBaseName = inflection.camelize(resolver.name);
 	const inputs = resolver.input ? protoFields(resolver.input, `${typeBaseName}Input`, true) : [];
-	const response = protoFields({ "": resolver.output }, `${typeBaseName}Output`, false)[0];
+	const response = assertDefined(protoFields({ "": resolver.output }, `${typeBaseName}Output`, false)[0], "resolver output field missing");
 	const resolverDescription = resolver.description || `${resolver.name} resolver`;
 	const outputDescription = resolver.output.metadata.description;
 	const combinedDescription = outputDescription ? `${resolverDescription}\n\nReturns:\n${outputDescription}` : resolverDescription;
@@ -5628,7 +5634,6 @@ function processResolver(namespace, resolver, executorUsedResolvers, env, authNa
 	};
 }
 function protoFields(fields, baseName, isInput) {
-	if (!fields) return [];
 	return Object.entries(fields).map(([fieldName, field]) => {
 		let type;
 		const required = isInput && field.metadata.hooks?.create !== void 0 ? false : field.metadata.required ?? true;
@@ -5664,6 +5669,43 @@ function protoFields(fields, baseName, isInput) {
 //#endregion
 //#region src/cli/commands/deploy/secret-manager.ts
 /**
+* Build the CreateSecretManagerVault request for a planned vault create.
+* @param create - Planned vault create
+* @returns Request init shape
+*/
+function vaultCreateRequest(create) {
+	return {
+		workspaceId: create.workspaceId,
+		secretmanagerVaultName: create.name
+	};
+}
+/**
+* Build the CreateSecretManagerSecret request for a planned secret create.
+* @param create - Planned secret create
+* @returns Request init shape
+*/
+function secretCreateRequest(create) {
+	return {
+		workspaceId: create.workspaceId,
+		secretmanagerVaultName: create.vaultName,
+		secretmanagerSecretName: create.secretName,
+		secretmanagerSecretValue: create.value
+	};
+}
+/**
+* Build the UpdateSecretManagerSecret request for a planned secret update.
+* @param update - Planned secret update
+* @returns Request init shape
+*/
+function secretUpdateRequest(update) {
+	return {
+		workspaceId: update.workspaceId,
+		secretmanagerVaultName: update.vaultName,
+		secretmanagerSecretName: update.secretName,
+		secretmanagerSecretValue: update.value
+	};
+}
+/**
 * Plan secret manager changes based on current and desired state.
 * @param context - Planning context
 * @returns Planned changes for vaults and secrets
@@ -5830,10 +5872,7 @@ async function applySecretManager(client, result, phase = "create-update", appli
 	const { vaultChangeSet, secretChangeSet } = result;
 	if (phase === "create-update") {
 		await Promise.all(vaultChangeSet.creates.map(async (create) => {
-			await client.createSecretManagerVault({
-				workspaceId: create.workspaceId,
-				secretmanagerVaultName: create.name
-			});
+			await client.createSecretManagerVault(vaultCreateRequest(create));
 			if (application) {
 				const metaRequest = await buildMetaRequest({
 					trn: resourceTrn(create.workspaceId, "vault", create.name),
@@ -5851,27 +5890,17 @@ async function applySecretManager(client, result, phase = "create-update", appli
 			});
 			await client.setMetadata(metaRequest);
 		}));
-		await Promise.all(secretChangeSet.creates.map((create) => client.createSecretManagerSecret({
-			workspaceId: create.workspaceId,
-			secretmanagerVaultName: create.vaultName,
-			secretmanagerSecretName: create.secretName,
-			secretmanagerSecretValue: create.value
-		})));
-		await Promise.all(secretChangeSet.updates.map((update) => client.updateSecretManagerSecret({
-			workspaceId: update.workspaceId,
-			secretmanagerVaultName: update.vaultName,
-			secretmanagerSecretName: update.secretName,
-			secretmanagerSecretValue: update.value
-		})));
+		await Promise.all(secretChangeSet.creates.map((create) => client.createSecretManagerSecret(secretCreateRequest(create))));
+		await Promise.all(secretChangeSet.updates.map((update) => client.updateSecretManagerSecret(secretUpdateRequest(update))));
 		if (application) {
 			const state = loadSecretsState();
 			for (const vault of application.secrets) {
-				if (!state.vaults[vault.vaultName]) state.vaults[vault.vaultName] = {};
-				for (const secret of vault.secrets) if (secret.value != null) state.vaults[vault.vaultName][secret.name] = hashValue(secret.value);
+				if (!Object.hasOwn(state.vaults, vault.vaultName)) state.vaults[vault.vaultName] = {};
+				for (const secret of vault.secrets) if (secret.value != null) assertDefined(state.vaults[vault.vaultName], "vault state entry missing")[secret.name] = hashValue(secret.value);
 			}
 			saveSecretsState(state);
 		}
-	} else if (phase === "delete") {
+	} else {
 		await Promise.all(secretChangeSet.deletes.map((del) => client.deleteSecretManagerSecret({
 			workspaceId: del.workspaceId,
 			secretmanagerVaultName: del.vaultName,
@@ -5883,9 +5912,9 @@ async function applySecretManager(client, result, phase = "create-update", appli
 		})));
 		if (secretChangeSet.deletes.length > 0 || vaultChangeSet.deletes.length > 0) {
 			const state = loadSecretsState();
-			for (const del of secretChangeSet.deletes) if (state.vaults[del.vaultName]) {
-				delete state.vaults[del.vaultName][del.secretName];
-				if (Object.keys(state.vaults[del.vaultName]).length === 0) delete state.vaults[del.vaultName];
+			for (const del of secretChangeSet.deletes) if (Object.hasOwn(state.vaults, del.vaultName)) {
+				delete assertDefined(state.vaults[del.vaultName], "vault state entry missing")[del.secretName];
+				if (Object.keys(assertDefined(state.vaults[del.vaultName], "vault state entry missing")).length === 0) delete state.vaults[del.vaultName];
 			}
 			for (const del of vaultChangeSet.deletes) delete state.vaults[del.name];
 			saveSecretsState(state);
@@ -5916,7 +5945,7 @@ async function applyStaticWebsite(client, result, phase = "create-update") {
 			await client.addCustomDomain(add.request);
 			await client.setMetadata(add.metaRequest);
 		}), ...customDomainChangeSet.deletes.map((del) => client.removeCustomDomain(del.request))]);
-	} else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteStaticWebsite(del.request)));
+	} else await Promise.all(changeSet.deletes.map((del) => client.deleteStaticWebsite(del.request)));
 }
 function customDomainTrn(workspaceId, websiteName, domain) {
 	return `trn:v1:workspace:${workspaceId}:staticwebsite:${websiteName}:custom_domain:${domain}`;
@@ -6296,6 +6325,24 @@ function formatDiffSummary(diff) {
 function formatMigrationNumber(num) {
 	return num.toString().padStart(4, "0");
 }
+/**
+* Parse a migration number CLI argument.
+*
+* Accepts the canonical 4-digit form ("0001") or a bare integer without
+* leading zeros ("0"–"9999"). Commands that disallow the baseline reject
+* 0 themselves with a context-specific message.
+* @param numberStr - Raw CLI argument
+* @returns Parsed migration number
+*/
+function parseMigrationNumberArg(numberStr) {
+	if (/^\d{4}$/.test(numberStr)) return parseInt(numberStr, 10);
+	if (/^(0|[1-9]\d*)$/.test(numberStr)) {
+		const parsed = parseInt(numberStr, 10);
+		if (parsed > 9999) throw new Error(`Migration number ${numberStr} is out of range. Expected 0-9999.`);
+		return parsed;
+	}
+	throw new Error(`Invalid migration number format: ${numberStr}. Expected 4-digit format (e.g., 0001) or integer 0-9999 (e.g., 1).`);
+}
 
 //#endregion
 //#region src/cli/commands/tailordb/migrate/snapshot-types.ts
@@ -6675,96 +6722,112 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "type_removed":
 			delete types[change.typeName];
 			break;
-		case "type_modified":
-			if (types[change.typeName] && change.after) {
+		case "type_modified": {
+			const existing = types[change.typeName];
+			if (existing && change.after) {
 				const after = change.after;
 				types[change.typeName] = {
-					...types[change.typeName],
+					...existing,
 					...after.indexes !== void 0 && { indexes: after.indexes },
 					...after.files !== void 0 && { files: after.files }
 				};
 			}
 			break;
+		}
 		case "field_added":
-		case "field_modified":
-			if (types[change.typeName] && change.fieldName) types[change.typeName] = {
-				...types[change.typeName],
+		case "field_modified": {
+			const existing = types[change.typeName];
+			if (existing && change.fieldName) types[change.typeName] = {
+				...existing,
 				fields: {
-					...types[change.typeName].fields,
+					...existing.fields,
 					[change.fieldName]: change.after
 				}
 			};
 			break;
-		case "field_removed":
-			if (types[change.typeName] && change.fieldName) {
-				const { [change.fieldName]: _, ...remainingFields } = types[change.typeName].fields;
+		}
+		case "field_removed": {
+			const existing = types[change.typeName];
+			if (existing && change.fieldName) {
+				const { [change.fieldName]: _, ...remainingFields } = existing.fields;
 				types[change.typeName] = {
-					...types[change.typeName],
+					...existing,
 					fields: remainingFields
 				};
 			}
 			break;
+		}
 		case "index_added":
-		case "index_modified":
-			if (types[change.typeName] && change.indexName) types[change.typeName] = {
-				...types[change.typeName],
+		case "index_modified": {
+			const existing = types[change.typeName];
+			if (existing && change.indexName) types[change.typeName] = {
+				...existing,
 				indexes: {
-					...types[change.typeName].indexes,
+					...existing.indexes,
 					[change.indexName]: change.after
 				}
 			};
 			break;
-		case "index_removed":
-			if (types[change.typeName] && change.indexName && types[change.typeName].indexes) {
-				const { [change.indexName]: _, ...remainingIndexes } = types[change.typeName].indexes;
+		}
+		case "index_removed": {
+			const existing = types[change.typeName];
+			if (existing && change.indexName && existing.indexes) {
+				const { [change.indexName]: _, ...remainingIndexes } = existing.indexes;
 				types[change.typeName] = {
-					...types[change.typeName],
+					...existing,
 					indexes: Object.keys(remainingIndexes).length > 0 ? remainingIndexes : void 0
 				};
 			}
 			break;
+		}
 		case "file_added":
-		case "file_modified":
-			if (types[change.typeName] && change.fieldName) types[change.typeName] = {
-				...types[change.typeName],
+		case "file_modified": {
+			const existing = types[change.typeName];
+			if (existing && change.fieldName) types[change.typeName] = {
+				...existing,
 				files: {
-					...types[change.typeName].files,
+					...existing.files,
 					[change.fieldName]: change.after
 				}
 			};
 			break;
-		case "file_removed":
-			if (types[change.typeName] && change.fieldName && types[change.typeName].files) {
-				const { [change.fieldName]: _, ...remainingFiles } = types[change.typeName].files;
+		}
+		case "file_removed": {
+			const existing = types[change.typeName];
+			if (existing && change.fieldName && existing.files) {
+				const { [change.fieldName]: _, ...remainingFiles } = existing.files;
 				types[change.typeName] = {
-					...types[change.typeName],
+					...existing,
 					files: Object.keys(remainingFiles).length > 0 ? remainingFiles : void 0
 				};
 			}
 			break;
+		}
 		case "relationship_added":
-		case "relationship_modified":
-			if (types[change.typeName] && change.relationshipName) {
+		case "relationship_modified": {
+			const existing = types[change.typeName];
+			if (existing && change.relationshipName) {
 				const rel = change.after;
-				if ((change.relationshipType ?? (types[change.typeName].forwardRelationships?.[change.relationshipName] ? "forward" : types[change.typeName].backwardRelationships?.[change.relationshipName] ? "backward" : "forward")) === "forward") types[change.typeName] = {
-					...types[change.typeName],
+				if ((change.relationshipType ?? (existing.forwardRelationships?.[change.relationshipName] ? "forward" : existing.backwardRelationships?.[change.relationshipName] ? "backward" : "forward")) === "forward") types[change.typeName] = {
+					...existing,
 					forwardRelationships: {
-						...types[change.typeName].forwardRelationships,
+						...existing.forwardRelationships,
 						[change.relationshipName]: rel
 					}
 				};
 				else types[change.typeName] = {
-					...types[change.typeName],
+					...existing,
 					backwardRelationships: {
-						...types[change.typeName].backwardRelationships,
+						...existing.backwardRelationships,
 						[change.relationshipName]: rel
 					}
 				};
 			}
 			break;
-		case "relationship_removed":
-			if (types[change.typeName] && change.relationshipName) {
-				const type = types[change.typeName];
+		}
+		case "relationship_removed": {
+			const type = types[change.typeName];
+			if (type && change.relationshipName) {
 				const targetType = change.relationshipType ?? (type.forwardRelationships?.[change.relationshipName] ? "forward" : type.backwardRelationships?.[change.relationshipName] ? "backward" : null);
 				if (targetType === "forward" && type.forwardRelationships?.[change.relationshipName]) {
 					const { [change.relationshipName]: _, ...remaining } = type.forwardRelationships;
@@ -6781,11 +6844,13 @@ function applyDiffToSnapshot(snapshot, diff) {
 				}
 			}
 			break;
-		case "permission_modified":
-			if (types[change.typeName] && change.after) {
+		}
+		case "permission_modified": {
+			const existing = types[change.typeName];
+			if (existing && change.after) {
 				const after = change.after;
 				types[change.typeName] = {
-					...types[change.typeName],
+					...existing,
 					permissions: {
 						record: after.recordPermission,
 						gql: after.gqlPermission
@@ -6793,6 +6858,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 				};
 			}
 			break;
+		}
 	}
 	return {
 		...snapshot,
@@ -6869,8 +6935,10 @@ function areFieldsDifferent(oldField, newField) {
 	const newValidate = newField.validate ?? [];
 	if (oldValidate.length !== newValidate.length) return true;
 	for (let i = 0; i < oldValidate.length; i++) {
-		if (oldValidate[i].script.expr !== newValidate[i].script.expr) return true;
-		if (oldValidate[i].errorMessage !== newValidate[i].errorMessage) return true;
+		const oldV = assertDefined(oldValidate[i], `oldValidate missing index ${i}`);
+		const newV = assertDefined(newValidate[i], `newValidate missing index ${i}`);
+		if (oldV.script.expr !== newV.script.expr) return true;
+		if (oldV.errorMessage !== newV.errorMessage) return true;
 	}
 	const oldSerial = oldField.serial;
 	const newSerial = newField.serial;
@@ -6887,8 +6955,10 @@ function areFieldsDifferent(oldField, newField) {
 	const newFieldNames = Object.keys(newFields);
 	if (oldFieldNames.length !== newFieldNames.length) return true;
 	for (const fieldName of oldFieldNames) {
-		if (!newFields[fieldName]) return true;
-		if (areFieldsDifferent(oldFields[fieldName], newFields[fieldName])) return true;
+		const oldF = oldFields[fieldName];
+		const newF = newFields[fieldName];
+		if (!newF) return true;
+		if (areFieldsDifferent(assertDefined(oldF, `field "${fieldName}" missing from oldFields`), newF)) return true;
 	}
 	return false;
 }
@@ -6973,22 +7043,28 @@ function addChange(ctx, change, oldField, newField) {
 function compareTypeFields(ctx, typeName, prevType, currType) {
 	const prevFieldNames = new Set(Object.keys(prevType.fields));
 	const currFieldNames = new Set(Object.keys(currType.fields));
-	for (const fieldName of currFieldNames) if (!prevFieldNames.has(fieldName)) addChange(ctx, {
-		kind: "field_added",
-		typeName,
-		fieldName,
-		after: currType.fields[fieldName]
-	}, void 0, currType.fields[fieldName]);
-	for (const fieldName of prevFieldNames) if (!currFieldNames.has(fieldName)) addChange(ctx, {
-		kind: "field_removed",
-		typeName,
-		fieldName,
-		before: prevType.fields[fieldName]
-	}, prevType.fields[fieldName], void 0);
+	for (const fieldName of currFieldNames) if (!prevFieldNames.has(fieldName)) {
+		const currField = assertDefined(currType.fields[fieldName], `field "${fieldName}" missing from currType`);
+		addChange(ctx, {
+			kind: "field_added",
+			typeName,
+			fieldName,
+			after: currField
+		}, void 0, currField);
+	}
+	for (const fieldName of prevFieldNames) if (!currFieldNames.has(fieldName)) {
+		const prevField = assertDefined(prevType.fields[fieldName], `field "${fieldName}" missing from prevType`);
+		addChange(ctx, {
+			kind: "field_removed",
+			typeName,
+			fieldName,
+			before: prevField
+		}, prevField, void 0);
+	}
 	for (const fieldName of currFieldNames) {
 		if (!prevFieldNames.has(fieldName)) continue;
-		const prevField = prevType.fields[fieldName];
-		const currField = currType.fields[fieldName];
+		const prevField = assertDefined(prevType.fields[fieldName], `field "${fieldName}" missing from prevType`);
+		const currField = assertDefined(currType.fields[fieldName], `field "${fieldName}" missing from currType`);
 		if (areFieldsDifferent(prevField, currField)) addChange(ctx, {
 			kind: "field_modified",
 			typeName,
@@ -7009,21 +7085,20 @@ function compareTypeFields(ctx, typeName, prevType, currType) {
 function compareIndexes(ctx, typeName, oldIndexes, newIndexes) {
 	const oldKeys = new Set(Object.keys(oldIndexes || {}));
 	const newKeys = new Set(Object.keys(newIndexes || {}));
-	for (const indexName of newKeys) if (!oldKeys.has(indexName)) ctx.changes.push({
+	for (const [indexName, indexConfig] of Object.entries(newIndexes ?? {})) if (!oldKeys.has(indexName)) ctx.changes.push({
 		kind: "index_added",
 		typeName,
 		indexName,
-		after: newIndexes[indexName]
+		after: indexConfig
 	});
-	for (const indexName of oldKeys) if (!newKeys.has(indexName)) ctx.changes.push({
+	for (const [indexName, indexConfig] of Object.entries(oldIndexes ?? {})) if (!newKeys.has(indexName)) ctx.changes.push({
 		kind: "index_removed",
 		typeName,
 		indexName,
-		before: oldIndexes[indexName]
+		before: indexConfig
 	});
-	for (const indexName of newKeys) if (oldKeys.has(indexName)) {
-		const oldIndex = oldIndexes[indexName];
-		const newIndex = newIndexes[indexName];
+	for (const [indexName, newIndex] of Object.entries(newIndexes ?? {})) if (oldKeys.has(indexName)) {
+		const oldIndex = assertDefined(assertDefined(oldIndexes, "oldIndexes is undefined when oldKeys has entry")[indexName], `index "${indexName}" missing from oldIndexes`);
 		const oldFieldsStr = JSON.stringify(oldIndex.fields.toSorted());
 		const newFieldsStr = JSON.stringify(newIndex.fields.toSorted());
 		if (oldFieldsStr !== newFieldsStr || oldIndex.unique !== newIndex.unique) {
@@ -7052,26 +7127,27 @@ function compareIndexes(ctx, typeName, oldIndexes, newIndexes) {
 function compareFiles(ctx, typeName, oldFiles, newFiles) {
 	const oldKeys = new Set(Object.keys(oldFiles || {}));
 	const newKeys = new Set(Object.keys(newFiles || {}));
-	for (const fileName of newKeys) if (!oldKeys.has(fileName)) ctx.changes.push({
+	for (const [fileName, fileDesc] of Object.entries(newFiles ?? {})) if (!oldKeys.has(fileName)) ctx.changes.push({
 		kind: "file_added",
 		typeName,
 		fieldName: fileName,
-		after: newFiles[fileName]
+		after: fileDesc
 	});
-	for (const fileName of oldKeys) if (!newKeys.has(fileName)) ctx.changes.push({
+	for (const [fileName, fileDesc] of Object.entries(oldFiles ?? {})) if (!newKeys.has(fileName)) ctx.changes.push({
 		kind: "file_removed",
 		typeName,
 		fieldName: fileName,
-		before: oldFiles[fileName]
+		before: fileDesc
 	});
-	for (const fileName of newKeys) if (oldKeys.has(fileName)) {
-		if (oldFiles[fileName] !== newFiles[fileName]) ctx.changes.push({
+	for (const [fileName, newDesc] of Object.entries(newFiles ?? {})) if (oldKeys.has(fileName)) {
+		const oldDesc = assertDefined(assertDefined(oldFiles, "oldFiles is undefined when oldKeys has entry")[fileName], `file "${fileName}" missing from oldFiles`);
+		if (oldDesc !== newDesc) ctx.changes.push({
 			kind: "file_modified",
 			typeName,
 			fieldName: fileName,
 			reason: "description changed",
-			before: oldFiles[fileName],
-			after: newFiles[fileName]
+			before: oldDesc,
+			after: newDesc
 		});
 	}
 }
@@ -7087,23 +7163,22 @@ function compareFiles(ctx, typeName, oldFiles, newFiles) {
 function compareRelationships(ctx, typeName, relationshipType, oldRelationships, newRelationships) {
 	const oldKeys = new Set(Object.keys(oldRelationships || {}));
 	const newKeys = new Set(Object.keys(newRelationships || {}));
-	for (const relName of newKeys) if (!oldKeys.has(relName)) ctx.changes.push({
+	for (const [relName, rel] of Object.entries(newRelationships ?? {})) if (!oldKeys.has(relName)) ctx.changes.push({
 		kind: "relationship_added",
 		typeName,
 		relationshipName: relName,
 		relationshipType,
-		after: newRelationships[relName]
+		after: rel
 	});
-	for (const relName of oldKeys) if (!newKeys.has(relName)) ctx.changes.push({
+	for (const [relName, rel] of Object.entries(oldRelationships ?? {})) if (!newKeys.has(relName)) ctx.changes.push({
 		kind: "relationship_removed",
 		typeName,
 		relationshipName: relName,
 		relationshipType,
-		before: oldRelationships[relName]
+		before: rel
 	});
-	for (const relName of newKeys) if (oldKeys.has(relName)) {
-		const oldRel = oldRelationships[relName];
-		const newRel = newRelationships[relName];
+	for (const [relName, newRel] of Object.entries(newRelationships ?? {})) if (oldKeys.has(relName)) {
+		const oldRel = assertDefined(assertDefined(oldRelationships, "oldRelationships is undefined when oldKeys has entry")[relName], `relationship "${relName}" missing from oldRelationships`);
 		const reasons = [];
 		if (oldRel.targetType !== newRel.targetType) reasons.push("targetType changed");
 		if (oldRel.targetField !== newRel.targetField) reasons.push("targetField changed");
@@ -7168,16 +7243,16 @@ function compareSnapshots(previous, current) {
 	};
 	const previousTypeNames = new Set(Object.keys(previous.types));
 	const currentTypeNames = new Set(Object.keys(current.types));
-	for (const typeName of currentTypeNames) if (!previousTypeNames.has(typeName)) ctx.changes.push({
+	for (const [typeName, type] of Object.entries(current.types)) if (!previousTypeNames.has(typeName)) ctx.changes.push({
 		kind: "type_added",
 		typeName,
-		after: current.types[typeName]
+		after: type
 	});
-	for (const typeName of previousTypeNames) if (!currentTypeNames.has(typeName)) {
+	for (const [typeName, type] of Object.entries(previous.types)) if (!currentTypeNames.has(typeName)) {
 		ctx.changes.push({
 			kind: "type_removed",
 			typeName,
-			before: previous.types[typeName]
+			before: type
 		});
 		ctx.warnings.push({
 			typeName,
@@ -7186,8 +7261,8 @@ function compareSnapshots(previous, current) {
 	}
 	for (const typeName of currentTypeNames) {
 		if (!previousTypeNames.has(typeName)) continue;
-		const prevType = previous.types[typeName];
-		const currType = current.types[typeName];
+		const prevType = assertDefined(previous.types[typeName], `type "${typeName}" missing from previous snapshot`);
+		const currType = assertDefined(current.types[typeName], `type "${typeName}" missing from current snapshot`);
 		compareTypeFields(ctx, typeName, prevType, currType);
 		compareIndexes(ctx, typeName, prevType.indexes, currType.indexes);
 		compareFiles(ctx, typeName, prevType.files, currType.files);
@@ -7245,7 +7320,7 @@ function validateMigrationFiles(migrationsDir) {
 	const schemaFiles = [];
 	const diffFiles = [];
 	for (const file of migrationFiles) if (file.type === "schema") schemaFiles.push(file.number);
-	else if (file.type === "diff") diffFiles.push(file.number);
+	else diffFiles.push(file.number);
 	if (!schemaFiles.includes(0)) errors.push({
 		type: "missing_schema",
 		message: `Initial schema snapshot (${formatMigrationNumber(0)}/schema.json) is missing`,
@@ -7414,8 +7489,8 @@ function compareRemoteWithSnapshot(remoteTypes, snapshot) {
 	});
 	for (const typeName of snapshotTypeNames) {
 		if (!remoteTypeNames.has(typeName)) continue;
-		const remoteType = remoteTypeMap.get(typeName);
-		const snapshotType = snapshot.types[typeName];
+		const remoteType = assertDefined(remoteTypeMap.get(typeName), `type "${typeName}" missing from remoteTypeMap`);
+		const snapshotType = assertDefined(snapshot.types[typeName], `type "${typeName}" missing from snapshot`);
 		const remoteFields = convertRemoteFieldsToSnapshot(remoteType);
 		const snapshotFields = snapshotType.fields;
 		const remoteFieldNames = new Set(Object.keys(remoteFields).filter((f) => !SYSTEM_FIELDS.has(f)));
@@ -7434,7 +7509,7 @@ function compareRemoteWithSnapshot(remoteTypes, snapshot) {
 		});
 		for (const fieldName of snapshotFieldNames) {
 			if (!remoteFieldNames.has(fieldName)) continue;
-			const drift = compareFields(typeName, fieldName, remoteFields[fieldName], snapshotFields[fieldName]);
+			const drift = compareFields(typeName, fieldName, assertDefined(remoteFields[fieldName], `field "${fieldName}" missing from remoteFields`), assertDefined(snapshotFields[fieldName], `field "${fieldName}" missing from snapshotFields`));
 			if (drift) drifts.push(drift);
 		}
 	}
@@ -7752,6 +7827,145 @@ function convertOperandToProto(operand) {
 		value: fromJson(ValueSchema, operand)
 	} };
 }
+/**
+* Generate all TailorDB type manifests from a schema snapshot
+* @param {SchemaSnapshot} snapshot - Schema snapshot
+* @param {GenerateAllManifestsOptions} options - Generation options
+* @returns {Map<string, MessageInitShape<typeof TailorDBTypeSchema>>} Map of type name to manifest
+*/
+function generateAllTypeManifestsFromSnapshot(snapshot, options = {}) {
+	const manifests = /* @__PURE__ */ new Map();
+	const { executorUsedTypes, ...baseOptions } = options;
+	for (const [typeName, snapshotType] of Object.entries(snapshot.types)) {
+		if (executorUsedTypes?.has(typeName) && snapshotType.settings?.publishEvents === false) throw new Error(`Type "${typeName}" has publishEvents set to false, but it is used by an executor with a record trigger. Either remove the publishEvents: false setting or remove the executor trigger for this type.`);
+		let publishRecordEvents;
+		if (snapshotType.settings?.publishEvents !== void 0) publishRecordEvents = snapshotType.settings.publishEvents;
+		else if (executorUsedTypes?.has(typeName)) publishRecordEvents = true;
+		else publishRecordEvents = baseOptions.publishRecordEvents ?? false;
+		const typeOptions = {
+			...baseOptions,
+			publishRecordEvents
+		};
+		manifests.set(typeName, generateTailorDBTypeManifestFromSnapshot(snapshotType, typeOptions));
+	}
+	return manifests;
+}
+/**
+* Compare snapshot types with existing remote type names
+* @param {SchemaSnapshot} snapshot - Schema snapshot
+* @param {ReadonlySet<string>} existingTypeNames - Set of existing type names in remote
+* @returns {SnapshotTypeComparison} Comparison result
+*/
+function compareSnapshotWithRemote(snapshot, existingTypeNames) {
+	const snapshotTypeNames = new Set(Object.keys(snapshot.types));
+	const creates = [];
+	const updates = [];
+	const deletes = [];
+	for (const typeName of snapshotTypeNames) if (existingTypeNames.has(typeName)) updates.push(typeName);
+	else creates.push(typeName);
+	for (const typeName of existingTypeNames) if (!snapshotTypeNames.has(typeName)) deletes.push(typeName);
+	return {
+		creates,
+		updates,
+		deletes
+	};
+}
+/**
+* Convert snapshot GQL permission policies to the proto request shape.
+* @param permission - Snapshot GQL permission policies
+* @returns Proto GQL permission
+*/
+function protoGqlPermission(permission) {
+	return { policies: permission.map((policy) => protoGqlPolicy(policy)) };
+}
+function protoGqlPolicy(policy) {
+	const actions = [];
+	for (const action of policy.actions) switch (action) {
+		case "all":
+			actions.push(TailorDBGQLPermission_Action.ALL);
+			break;
+		case "create":
+			actions.push(TailorDBGQLPermission_Action.CREATE);
+			break;
+		case "read":
+			actions.push(TailorDBGQLPermission_Action.READ);
+			break;
+		case "update":
+			actions.push(TailorDBGQLPermission_Action.UPDATE);
+			break;
+		case "delete":
+			actions.push(TailorDBGQLPermission_Action.DELETE);
+			break;
+		case "aggregate":
+			actions.push(TailorDBGQLPermission_Action.AGGREGATE);
+			break;
+		case "bulkUpsert":
+			actions.push(TailorDBGQLPermission_Action.BULK_UPSERT);
+			break;
+		default: throw new Error(`Unknown action: ${action}`);
+	}
+	let permit;
+	switch (policy.permit) {
+		case "allow":
+			permit = TailorDBGQLPermission_Permit.ALLOW;
+			break;
+		case "deny":
+			permit = TailorDBGQLPermission_Permit.DENY;
+			break;
+		default: throw new Error(`Unknown permission: ${policy.permit}`);
+	}
+	return {
+		conditions: policy.conditions.map((cond) => protoGqlCondition(cond)),
+		actions,
+		permit,
+		description: policy.description
+	};
+}
+function protoGqlCondition(condition) {
+	const [left, operator, right] = condition;
+	const l = protoGqlOperand(left);
+	const r = protoGqlOperand(right);
+	let op;
+	switch (operator) {
+		case "eq":
+			op = TailorDBGQLPermission_Operator.EQ;
+			break;
+		case "ne":
+			op = TailorDBGQLPermission_Operator.NE;
+			break;
+		case "in":
+			op = TailorDBGQLPermission_Operator.IN;
+			break;
+		case "nin":
+			op = TailorDBGQLPermission_Operator.NIN;
+			break;
+		case "hasAny":
+			op = TailorDBGQLPermission_Operator.HAS_ANY;
+			break;
+		case "nhasAny":
+			op = TailorDBGQLPermission_Operator.NHAS_ANY;
+			break;
+		default: throw new Error(`Unknown operator: ${operator}`);
+	}
+	return {
+		left: l,
+		operator: op,
+		right: r
+	};
+}
+function protoGqlOperand(operand) {
+	if (isSnapshotFieldRefOperand(operand)) {
+		if ("user" in operand) return { kind: {
+			case: "userField",
+			value: operand.user
+		} };
+		throw new Error(`Unsupported field-ref operand in GQL permission: ${JSON.stringify(operand)} — GQL permissions only support { user } field references`);
+	}
+	return { kind: {
+		case: "value",
+		value: fromJson(ValueSchema, operand)
+	} };
+}
 
 //#endregion
 //#region src/cli/commands/tailordb/migrate/pre-migration-schema.ts
@@ -7850,6 +8064,45 @@ function applyPreMigrationFieldAdjustments(fields, typeChanges) {
 	}
 }
 
+//#endregion
+//#region src/cli/commands/tailordb/migrate/types.ts
+/**
+* Types for TailorDB migration execution
+*/
+/**
+* Prefix added to migration numbers in labels (required because migration names start with numbers)
+*/
+const MIGRATION_LABEL_PREFIX = "m";
+/**
+* Label key for storing migration state in TailorDB Service metadata
+*/
+const MIGRATION_LABEL_KEY = "sdk-migration";
+/**
+* Parse migration number from label value
+* @param {string} label - Label value (e.g., "m0001")
+* @returns {number | null} Parsed number or null if invalid
+*/
+function parseMigrationLabelNumber(label) {
+	if (!label.startsWith("m")) return null;
+	const numStr = label.slice(1);
+	if (!/^\d+$/.test(numStr)) return null;
+	const num = parseInt(numStr, 10);
+	return num > 9999 ? null : num;
+}
+/**
+* Handle optional-to-required field change error with helpful message
+* @param {unknown} error - Error to handle
+* @param {string[]} messages - Additional messages to display
+*/
+function handleOptionalToRequiredError(error, messages) {
+	if (error instanceof ConnectError && error.code === Code.FailedPrecondition && error.message.includes("cannot be updated from non-required to required when records exist")) {
+		logger.error("Schema change failed: Cannot change field from optional to required when records exist.");
+		logger.newline();
+		for (const message of messages) logger.info(message);
+	}
+	throw error;
+}
+
 //#endregion
 //#region src/cli/commands/tailordb/migrate/bundler.ts
 /**
@@ -7929,28 +8182,6 @@ async function bundleMigrationScript(sourceFile, namespace, migrationNumber, env
 	};
 }
 
-//#endregion
-//#region src/cli/commands/tailordb/migrate/types.ts
-/**
-* Prefix added to migration numbers in labels (required because migration names start with numbers)
-*/
-const MIGRATION_LABEL_PREFIX = "m";
-/**
-* Label key for storing migration state in TailorDB Service metadata
-*/
-const MIGRATION_LABEL_KEY = "sdk-migration";
-/**
-* Parse migration number from label value
-* @param {string} label - Label value (e.g., "m0001")
-* @returns {number | null} Parsed number or null if invalid
-*/
-function parseMigrationLabelNumber(label) {
-	if (!label.startsWith("m")) return null;
-	const numStr = label.slice(1);
-	const num = parseInt(numStr, 10);
-	return isNaN(num) ? null : num;
-}
-
 //#endregion
 //#region src/cli/shared/script-executor.ts
 /**
@@ -8155,7 +8386,7 @@ var Spinner = class {
 	#renderFrame() {
 		this.#stream.write(SYNC_BEGIN);
 		this.#clearDrawn();
-		const frame = styles.info(FRAMES[this.#frame] ?? FRAMES[0]);
+		const frame = styles.info(FRAMES[this.#frame] ?? assertDefined(FRAMES[0], "spinner frames empty"));
 		this.#frame = (this.#frame + 1) % FRAMES.length;
 		const line = `${" ".repeat(this.#indent)}${frame} ${this.text}`;
 		this.#stream.write(line);
@@ -8401,10 +8632,10 @@ async function getRemoteMigrationNumber(client, workspaceId, namespace) {
 	try {
 		const trn = resourceTrn(workspaceId, "tailordb", namespace);
 		const { metadata } = await client.getMetadata({ trn });
-		const label = metadata?.labels?.["sdk-migration"];
+		const label = metadata?.labels["sdk-migration"];
 		if (!label) return null;
 		const match = label.match(/^m(\d+)$/);
-		return match ? parseInt(match[1], 10) : null;
+		return match ? parseInt(assertDefined(match[1], "migration label capture group missing"), 10) : null;
 	} catch {
 		return null;
 	}
@@ -8619,20 +8850,7 @@ async function applyTailorDB(client, result, phase = "create-update") {
 	} else if (phase === "delete-resources") {
 		await Promise.all(changeSet.gqlPermission.deletes.map((del) => client.deleteTailorDBGQLPermission(del.request)));
 		await Promise.all(changeSet.type.deletes.map((del) => client.deleteTailorDBType(del.request)));
-	} else if (phase === "delete-services") await Promise.all(changeSet.service.deletes.map((del) => client.deleteTailorDBService(del.request)));
-}
-/**
-* Handle optional-to-required field change error with helpful message
-* @param {unknown} error - Error to handle
-* @param {string[]} messages - Additional messages to display
-*/
-function handleOptionalToRequiredError(error, messages) {
-	if (error instanceof ConnectError && error.code === Code.FailedPrecondition && error.message.includes("cannot be updated from non-required to required when records exist")) {
-		logger.error("Schema change failed: Cannot change field from optional to required when records exist.");
-		logger.newline();
-		for (const message of messages) logger.info(message);
-	}
-	throw error;
+	} else await Promise.all(changeSet.service.deletes.map((del) => client.deleteTailorDBService(del.request)));
 }
 /**
 * Get the set of type names affected by a migration
@@ -8746,7 +8964,7 @@ async function executeSingleMigrationPrePhase(client, changeSet, migration, tail
 			const clonedRequest = structuredClone(create.request);
 			clonedRequest.tailordbType = snapshotType;
 			const typeChanges = typeName ? preMigrationChanges.get(typeName) : void 0;
-			if (typeChanges && typeChanges.size > 0 && clonedRequest.tailordbType?.schema?.fields) applyPreMigrationFieldAdjustments(clonedRequest.tailordbType.schema.fields, typeChanges);
+			if (typeChanges && typeChanges.size > 0 && clonedRequest.tailordbType.schema?.fields) applyPreMigrationFieldAdjustments(clonedRequest.tailordbType.schema.fields, typeChanges);
 			return client.createTailorDBType(clonedRequest);
 		}),
 		...changeSet.type.creates.filter((create) => {
@@ -8777,7 +8995,7 @@ async function executeSingleMigrationPrePhase(client, changeSet, migration, tail
 			const clonedRequest = structuredClone(update.request);
 			clonedRequest.tailordbType = snapshotType;
 			const typeChanges = typeName ? preMigrationChanges.get(typeName) : void 0;
-			if (typeChanges && typeChanges.size > 0 && clonedRequest.tailordbType?.schema?.fields) applyPreMigrationFieldAdjustments(clonedRequest.tailordbType.schema.fields, typeChanges);
+			if (typeChanges && typeChanges.size > 0 && clonedRequest.tailordbType.schema?.fields) applyPreMigrationFieldAdjustments(clonedRequest.tailordbType.schema.fields, typeChanges);
 			return client.updateTailorDBType(clonedRequest);
 		})
 	]);
@@ -9075,17 +9293,14 @@ async function planTypes(client, workspaceId, tailordbs, executorUsedTypes, dele
 	};
 	for (const tailordb of tailordbs) {
 		const types = filteredTypesByNamespace?.get(tailordb.namespace) ?? tailordb.types;
-		for (const typeName of Object.keys(types)) {
-			const type = types[typeName];
-			if (executorUsedTypes.has(typeName) && type.settings?.publishEvents === false) throw new Error(`Type "${typeName}" has publishEvents set to false, but it is used by an executor with a record trigger. Either remove the publishEvents: false setting or remove the executor trigger for this type.`);
-		}
+		for (const [typeName, type] of Object.entries(types)) if (executorUsedTypes.has(typeName) && type.settings?.publishEvents === false) throw new Error(`Type "${typeName}" has publishEvents set to false, but it is used by an executor with a record trigger. Either remove the publishEvents: false setting or remove the executor trigger for this type.`);
 	}
 	for (const tailordb of tailordbs) {
 		const existingTypes = await fetchTypes(tailordb.namespace);
 		const existingTypesMap = new Map(existingTypes.map((type) => [type.name, type]));
 		const types = filteredTypesByNamespace?.get(tailordb.namespace) ?? tailordb.types;
-		for (const typeName of Object.keys(types)) {
-			const tailordbType = generateTailorDBTypeManifestFromSnapshot(types[typeName], {
+		for (const [typeName, tailordbTypeSnapshot] of Object.entries(types)) {
+			const tailordbType = generateTailorDBTypeManifestFromSnapshot(tailordbTypeSnapshot, {
 				publishRecordEvents: executorUsedTypes.has(typeName),
 				namespaceGqlOperations: tailordb.config.gqlOperations
 			});
@@ -9230,8 +9445,8 @@ async function planGqlPermissions(client, workspaceId, tailordbs, deletedService
 			existingNameSet.add(gqlPermission.typeName);
 		});
 		const types = tailordb.types;
-		for (const typeName of Object.keys(types)) {
-			const gqlPermission = types[typeName].permissions?.gql;
+		for (const [typeName, typeEntry] of Object.entries(types)) {
+			const gqlPermission = typeEntry.permissions?.gql;
 			if (!gqlPermission) continue;
 			const desiredPermission = protoGqlPermission(gqlPermission);
 			const existingPermission = existingGqlPermissions.find((entry) => entry.typeName === typeName);
@@ -9286,97 +9501,6 @@ function normalizeComparableGqlPermission(permission) {
 		actions: (policy.actions ?? []).toSorted((left, right) => left - right)
 	})) };
 }
-function protoGqlPermission(permission) {
-	return { policies: permission.map((policy) => protoGqlPolicy(policy)) };
-}
-function protoGqlPolicy(policy) {
-	const actions = [];
-	for (const action of policy.actions) switch (action) {
-		case "all":
-			actions.push(TailorDBGQLPermission_Action.ALL);
-			break;
-		case "create":
-			actions.push(TailorDBGQLPermission_Action.CREATE);
-			break;
-		case "read":
-			actions.push(TailorDBGQLPermission_Action.READ);
-			break;
-		case "update":
-			actions.push(TailorDBGQLPermission_Action.UPDATE);
-			break;
-		case "delete":
-			actions.push(TailorDBGQLPermission_Action.DELETE);
-			break;
-		case "aggregate":
-			actions.push(TailorDBGQLPermission_Action.AGGREGATE);
-			break;
-		case "bulkUpsert":
-			actions.push(TailorDBGQLPermission_Action.BULK_UPSERT);
-			break;
-		default: throw new Error(`Unknown action: ${action}`);
-	}
-	let permit;
-	switch (policy.permit) {
-		case "allow":
-			permit = TailorDBGQLPermission_Permit.ALLOW;
-			break;
-		case "deny":
-			permit = TailorDBGQLPermission_Permit.DENY;
-			break;
-		default: throw new Error(`Unknown permission: ${policy.permit}`);
-	}
-	return {
-		conditions: policy.conditions.map((cond) => protoGqlCondition(cond)),
-		actions,
-		permit,
-		description: policy.description
-	};
-}
-function protoGqlCondition(condition) {
-	const [left, operator, right] = condition;
-	const l = protoGqlOperand(left);
-	const r = protoGqlOperand(right);
-	let op;
-	switch (operator) {
-		case "eq":
-			op = TailorDBGQLPermission_Operator.EQ;
-			break;
-		case "ne":
-			op = TailorDBGQLPermission_Operator.NE;
-			break;
-		case "in":
-			op = TailorDBGQLPermission_Operator.IN;
-			break;
-		case "nin":
-			op = TailorDBGQLPermission_Operator.NIN;
-			break;
-		case "hasAny":
-			op = TailorDBGQLPermission_Operator.HAS_ANY;
-			break;
-		case "nhasAny":
-			op = TailorDBGQLPermission_Operator.NHAS_ANY;
-			break;
-		default: throw new Error(`Unknown operator: ${operator}`);
-	}
-	return {
-		left: l,
-		operator: op,
-		right: r
-	};
-}
-function protoGqlOperand(operand) {
-	if (isSnapshotFieldRefOperand(operand)) {
-		if ("user" in operand) return { kind: {
-			case: "userField",
-			value: operand.user
-		} };
-		throw new Error(`Unsupported field-ref operand in GQL permission: ${JSON.stringify(operand)} — GQL permissions only support { user } field references`);
-	}
-	return { kind: {
-		case: "value",
-		value: fromJson(ValueSchema, operand)
-	} };
-}
 /**
 * Check if there are schema differences between migration snapshots and local definitions
 * @param {ReadonlyMap<string, Record<string, TailorDBSnapshotType>>} typesByNamespace - Snapshot-shaped local types by namespace
@@ -9454,31 +9578,78 @@ async function applyWorkflow(client, result, phase = "create-update") {
 		const jobFunctionVersions = await registerJobFunctions(client, changeSet, appName, appId, result.unchangedWorkflowJobNames);
 		await Promise.all([...changeSet.creates.map(async (create) => {
 			const filteredVersions = filterJobFunctionVersions(jobFunctionVersions, create.usedJobNames);
+			const shape = buildWorkflowValidationShape(create.workspaceId, create.workflow);
 			await client.createWorkflow({
-				workspaceId: create.workspaceId,
-				workflowName: create.workflow.name,
-				mainJobFunctionName: create.workflow.mainJob.name,
-				jobFunctions: filteredVersions,
-				...create.workflow.retryPolicy && { retryPolicy: toRetryPolicy(create.workflow.retryPolicy) },
-				...create.workflow.concurrencyPolicy && { concurrencyPolicy: toConcurrencyPolicy(create.workflow.concurrencyPolicy) }
+				workspaceId: shape.workspaceId,
+				workflowName: shape.workflowName,
+				mainJobFunctionName: shape.mainJobFunctionName,
+				retryPolicy: shape.retryPolicy,
+				concurrencyPolicy: shape.concurrencyPolicy,
+				jobFunctions: filteredVersions
 			});
 			await client.setMetadata(create.metaRequest);
 		}), ...changeSet.updates.map(async (update) => {
 			const filteredVersions = filterJobFunctionVersions(jobFunctionVersions, update.usedJobNames);
+			const shape = buildWorkflowValidationShape(update.workspaceId, update.workflow);
 			await client.updateWorkflow({
-				workspaceId: update.workspaceId,
-				workflowName: update.workflow.name,
-				mainJobFunctionName: update.workflow.mainJob.name,
-				jobFunctions: filteredVersions,
-				...update.workflow.retryPolicy && { retryPolicy: toRetryPolicy(update.workflow.retryPolicy) },
-				...update.workflow.concurrencyPolicy && { concurrencyPolicy: toConcurrencyPolicy(update.workflow.concurrencyPolicy) }
+				workspaceId: shape.workspaceId,
+				workflowName: shape.workflowName,
+				mainJobFunctionName: shape.mainJobFunctionName,
+				retryPolicy: shape.retryPolicy,
+				concurrencyPolicy: shape.concurrencyPolicy,
+				jobFunctions: filteredVersions
 			});
 			await client.setMetadata(update.metaRequest);
 		})]);
-	} else if (phase === "delete") await Promise.all(changeSet.deletes.map((del) => client.deleteWorkflow({
-		workspaceId: del.workspaceId,
-		workflowId: del.workflowId
-	})));
+	} else {
+		await deleteAllSettled(changeSet.deletes.map((del) => ({
+			resourceType: "workflow",
+			resourceName: del.name,
+			run: () => client.deleteWorkflow({
+				workspaceId: del.workspaceId,
+				workflowId: del.workflowId
+			})
+		})));
+		await deleteAllSettled((result.jobFunctionDeletes ?? collectDeletableJobFunctions(changeSet.deletes)).map((del) => ({
+			resourceType: "workflow job function",
+			resourceName: del.jobFunctionName,
+			run: () => client.deleteWorkflowJobFunction({
+				workspaceId: del.workspaceId,
+				jobFunctionName: del.jobFunctionName
+			})
+		})));
+	}
+}
+async function deleteAllSettled(operations) {
+	const results = await Promise.allSettled(operations.map((operation) => operation.run()));
+	const errors = [];
+	results.forEach((result, index) => {
+		if (result.status === "fulfilled") return;
+		const operation = assertDefined(operations[index], "operation missing at index");
+		const error = result.reason;
+		if (error instanceof ConnectError && error.code === Code.NotFound) return;
+		if (error instanceof ConnectError && error.code === Code.FailedPrecondition) {
+			logger.warn(`Skipped deleting ${operation.resourceType} "${operation.resourceName}" because it is still referenced.`);
+			return;
+		}
+		errors.push(error);
+	});
+	const firstError = errors[0];
+	if (firstError) throw firstError;
+}
+function collectDeletableJobFunctions(deletes) {
+	const seen = /* @__PURE__ */ new Set();
+	const jobFunctions = [];
+	for (const del of deletes) for (const jobFunctionName of del.deletableJobNames) {
+		const key = `${del.workspaceId}\0${jobFunctionName}`;
+		if (seen.has(key)) continue;
+		seen.add(key);
+		jobFunctions.push({
+			workspaceId: del.workspaceId,
+			jobFunctionName
+		});
+	}
+	return jobFunctions;
 }
 /**
 * Filter job function versions to only include those used by a workflow
@@ -9495,7 +9666,7 @@ function filterJobFunctionVersions(allVersions, usedJobNames) {
 * Register job functions used by any workflow.
 * Only registers jobs that are actually used (based on usedJobNames in changeSet).
 * Uses create for new jobs and update for existing jobs.
-* Sets metadata on used JobFunctions and removes metadata from unused ones.
+* Sets metadata on used JobFunctions.
 * @param client - Operator client instance
 * @param changeSet - Workflow change set
 * @param appName - Application name
@@ -9543,14 +9714,6 @@ async function registerJobFunctions(client, changeSet, appName, appId, unchanged
 		}));
 		for (const { jobName, version } of results) if (version) jobFunctionVersions[jobName] = version;
 	}
-	const unusedJobFunctions = existingJobFunctions.filter((jobName) => !allUsedJobNames.has(jobName));
-	await Promise.all(unusedJobFunctions.map(async (jobName) => {
-		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "workflow_job_function", jobName) });
-		if (isOwnedByApp(metadata?.labels, appName, appId)) await client.setMetadata({
-			trn: resourceTrn(workspaceId, "workflow_job_function", jobName),
-			labels: { [sdkNameLabelKey]: "" }
-		});
-	}));
 	return jobFunctionVersions;
 }
 function parseDurationToProto(duration) {
@@ -9574,6 +9737,21 @@ function toConcurrencyPolicy(policy) {
 	return { maxConcurrentExecutions: policy.maxConcurrentExecutions };
 }
 /**
+* Build the plan-time validation init shape for a workflow.
+* @param workspaceId - Workspace ID
+* @param workflow - Parsed workflow object
+* @returns Init shape suitable for validating against CreateWorkflowRequestSchema and UpdateWorkflowRequestSchema
+*/
+function buildWorkflowValidationShape(workspaceId, workflow) {
+	return {
+		workspaceId,
+		workflowName: workflow.name,
+		mainJobFunctionName: workflow.mainJob.name,
+		...workflow.retryPolicy && { retryPolicy: toRetryPolicy(workflow.retryPolicy) },
+		...workflow.concurrencyPolicy && { concurrencyPolicy: toConcurrencyPolicy(workflow.concurrencyPolicy) }
+	};
+}
+/**
 * Plan workflow changes and job functions based on current and desired state.
 * @param client - Operator client instance
 * @param workspaceId - Workspace ID
@@ -9590,6 +9768,7 @@ async function planWorkflow(client, workspaceId, appName, appId, workflows, main
 	const unmanaged = [];
 	const resourceOwners = /* @__PURE__ */ new Set();
 	const unchangedWorkflowJobNames = /* @__PURE__ */ new Set();
+	const retainedWorkflowJobNames = /* @__PURE__ */ new Set();
 	const existingWorkflows = await fetchExistingResourcesWithLabels({
 		client,
 		workspaceId,
@@ -9613,6 +9792,7 @@ async function planWorkflow(client, workspaceId, appName, appId, workflows, main
 		});
 		const usedJobNames = mainJobDeps[workflow.mainJob.name];
 		if (!usedJobNames) throw new Error(`Job "${workflow.mainJob.name}" (mainJob of workflow "${workflow.name}") was not found.\n\nPossible causes:\n  - The job is not exported as a named export\n  - The file containing the job is not included in workflow.files glob pattern\n\nSolution:\n  export const ${workflow.mainJob.name} = createWorkflowJob({ name: "${workflow.mainJob.name}", ... })`);
+		usedJobNames.forEach((jobName) => retainedWorkflowJobNames.add(jobName));
 		if (existing) {
 			if (trackDesiredResourceOwnership({
 				labels: existing.allLabels,
@@ -9642,20 +9822,37 @@ async function planWorkflow(client, workspaceId, appName, appId, workflows, main
 			metaRequest
 		});
 	}
+	const deleteWorkflows = [];
 	Object.values(existingWorkflows).forEach((existing) => {
 		if (!existing) return;
-		if (trackRemainingResourceOwner({
+		const owned = trackRemainingResourceOwner({
 			labels: existing.allLabels,
 			ownerLabel: existing.label,
 			appName,
 			appId,
 			resourceOwners
-		})) changeSet.deletes.push({
+		});
+		const usedJobNames = getExistingWorkflowJobNames(existing.resource);
+		if (owned) deleteWorkflows.push({
 			name: existing.resource.name,
 			workspaceId,
 			workflowId: existing.resource.id,
-			usedJobNames: getExistingWorkflowJobNames(existing.resource)
+			usedJobNames,
+			deletableJobNames: []
 		});
+		else usedJobNames.forEach((jobName) => retainedWorkflowJobNames.add(jobName));
+	});
+	const jobFunctionDeletes = await planWorkflowJobFunctionDeletes({
+		client,
+		workspaceId,
+		appName,
+		appId,
+		retainedWorkflowJobNames
+	});
+	const deletableJobNames = new Set(jobFunctionDeletes.map((del) => del.jobFunctionName));
+	for (const del of deleteWorkflows) changeSet.deletes.push({
+		...del,
+		deletableJobNames: del.usedJobNames.filter((jobName) => !retainedWorkflowJobNames.has(jobName) && deletableJobNames.has(jobName))
 	});
 	return {
 		changeSet,
@@ -9664,9 +9861,29 @@ async function planWorkflow(client, workspaceId, appName, appId, workflows, main
 		resourceOwners,
 		appName,
 		appId,
-		unchangedWorkflowJobNames
+		unchangedWorkflowJobNames,
+		jobFunctionDeletes
 	};
 }
+async function planWorkflowJobFunctionDeletes(params) {
+	const { client, workspaceId, appName, appId, retainedWorkflowJobNames } = params;
+	const existingJobFunctions = await fetchAll(async (pageToken, maxPageSize) => {
+		const response = await client.listWorkflowJobFunctions({
+			workspaceId,
+			pageToken,
+			pageSize: maxPageSize
+		});
+		return [response.jobFunctions.map((jobFunction) => jobFunction.name), response.nextPageToken];
+	});
+	const candidates = [...new Set(existingJobFunctions)].filter((jobName) => !retainedWorkflowJobNames.has(jobName));
+	return (await Promise.all(candidates.map(async (jobFunctionName) => {
+		const { metadata } = await client.getMetadata({ trn: resourceTrn(workspaceId, "workflow_job_function", jobFunctionName) });
+		return isOwnedByApp(metadata?.labels, appName, appId) ? {
+			workspaceId,
+			jobFunctionName
+		} : void 0;
+	}))).filter((item) => item !== void 0);
+}
 /**
 * Format workflow changes for grouped dry-run display.
 * @param changeSet - Workflow changes
@@ -9734,6 +9951,191 @@ function normalizeRetryPolicyForCompare(policy) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/deploy/validate-plan.ts
+function validateItems(params) {
+	const { validator, schema, kind, action, items, requestKey, violations } = params;
+	for (const item of items) {
+		const init = item[requestKey];
+		const msg = create(schema, init);
+		const result = validator.validate(schema, msg);
+		if (result.kind === "invalid") for (const v of result.violations) violations.push({
+			kind,
+			name: item.name,
+			action,
+			fieldPath: v.field.length > 0 ? pathToString(v.field) : "(message)",
+			message: v.message
+		});
+		else if (result.kind === "error") logger.warn(`Could not validate ${kind} "${item.name}" (${action}): ${result.error.message}`);
+	}
+}
+/**
+* Validate all plan-time create/update requests against buf.validate constraints embedded in the
+* generated proto descriptors.
+*
+* Collections not validated: idp client, tailorDB gqlPermission, functionRegistry — no
+* buf.validate annotations.
+* Application cors is excluded: static-website URL placeholders are resolved at apply time
+* and a bare cors array carries no constraint that would false-positive when omitted.
+* Workflow jobFunctions map excluded: versions are registered at apply time (registerJobFunctions)
+* and the map field carries no min_items constraint. Job names are validated separately via
+* CreateWorkflowJobFunctionRequestSchema using usedJobNames from the workflow change set.
+* auth idpConfig.config (provider oneof) is absent at plan time for BuiltInIdP but carries no
+* required constraint — the request is validated as-is from the changeset.
+*
+* @param input - Plan results from the plan phase
+*/
+async function validatePlan(input) {
+	const { tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager } = input;
+	const validator = createValidator();
+	const violations = [];
+	function creates(schema, kind, items) {
+		validateItems({
+			validator,
+			schema,
+			kind,
+			action: "create",
+			items,
+			requestKey: "request",
+			violations
+		});
+	}
+	function updates(schema, kind, items) {
+		validateItems({
+			validator,
+			schema,
+			kind,
+			action: "update",
+			items,
+			requestKey: "request",
+			violations
+		});
+	}
+	function replaces(schema, kind, items) {
+		validateItems({
+			validator,
+			schema,
+			kind,
+			action: "replace",
+			items,
+			requestKey: "createRequest",
+			violations
+		});
+	}
+	creates(CreateTailorDBServiceRequestSchema, "TailorDB service", tailorDB.changeSet.service.creates);
+	creates(CreateTailorDBTypeRequestSchema, "TailorDB type", tailorDB.changeSet.type.creates);
+	updates(UpdateTailorDBTypeRequestSchema, "TailorDB type", tailorDB.changeSet.type.updates);
+	creates(CreateStaticWebsiteRequestSchema, "StaticWebsite", staticWebsite.changeSet.creates);
+	updates(UpdateStaticWebsiteRequestSchema, "StaticWebsite", staticWebsite.changeSet.updates);
+	creates(AddCustomDomainRequestSchema, "StaticWebsite custom domain", staticWebsite.customDomainChangeSet.creates);
+	creates(CreateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.creates);
+	updates(UpdateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.updates);
+	const idpClientVaultItems = [...idp.changeSet.client.creates.map((c) => ({
+		clientName: c.request.client?.name ?? "",
+		namespaceName: c.request.namespaceName ?? "",
+		workspaceId: c.request.workspaceId ?? ""
+	})), ...idp.changeSet.client.updates.map((u) => ({
+		clientName: u.name,
+		namespaceName: u.namespaceName,
+		workspaceId: u.workspaceId
+	}))];
+	creates(CreateSecretManagerVaultRequestSchema, "IdP client secret", idpClientVaultItems.map((item) => ({
+		name: item.clientName,
+		request: {
+			workspaceId: item.workspaceId,
+			secretmanagerVaultName: idpClientVaultName(item.namespaceName, item.clientName)
+		}
+	})));
+	creates(CreateSecretManagerSecretRequestSchema, "IdP client secret", idpClientVaultItems.map((item) => ({
+		name: item.clientName,
+		request: {
+			workspaceId: item.workspaceId,
+			secretmanagerVaultName: idpClientVaultName(item.namespaceName, item.clientName),
+			secretmanagerSecretName: idpClientSecretName(item.namespaceName, item.clientName)
+		}
+	})));
+	creates(CreateAuthServiceRequestSchema, "Auth service", auth.changeSet.service.creates);
+	updates(UpdateAuthServiceRequestSchema, "Auth service", auth.changeSet.service.updates);
+	creates(CreateAuthIDPConfigRequestSchema, "Auth IDP config", auth.changeSet.idpConfig.creates);
+	updates(UpdateAuthIDPConfigRequestSchema, "Auth IDP config", auth.changeSet.idpConfig.updates);
+	creates(CreateUserProfileConfigRequestSchema, "Auth user profile config", auth.changeSet.userProfileConfig.creates);
+	updates(UpdateUserProfileConfigRequestSchema, "Auth user profile config", auth.changeSet.userProfileConfig.updates);
+	creates(CreateTenantConfigRequestSchema, "Auth tenant config", auth.changeSet.tenantConfig.creates);
+	updates(UpdateTenantConfigRequestSchema, "Auth tenant config", auth.changeSet.tenantConfig.updates);
+	creates(CreateAuthMachineUserRequestSchema, "Auth machine user", auth.changeSet.machineUser.creates);
+	updates(UpdateAuthMachineUserRequestSchema, "Auth machine user", auth.changeSet.machineUser.updates);
+	creates(CreateAuthHookRequestSchema, "Auth hook", auth.changeSet.authHook.creates);
+	updates(UpdateAuthHookRequestSchema, "Auth hook", auth.changeSet.authHook.updates);
+	creates(CreateAuthSCIMConfigRequestSchema, "Auth SCIM config", auth.changeSet.scim.creates);
+	updates(UpdateAuthSCIMConfigRequestSchema, "Auth SCIM config", auth.changeSet.scim.updates);
+	creates(CreateAuthSCIMResourceRequestSchema, "Auth SCIM resource", auth.changeSet.scimResource.creates);
+	updates(UpdateAuthSCIMResourceRequestSchema, "Auth SCIM resource", auth.changeSet.scimResource.updates);
+	creates(CreateAuthOAuth2ClientRequestSchema, "OAuth2 client", auth.changeSet.oauth2Client.creates);
+	updates(UpdateAuthOAuth2ClientRequestSchema, "OAuth2 client", auth.changeSet.oauth2Client.updates);
+	replaces(CreateAuthOAuth2ClientRequestSchema, "OAuth2 client", auth.changeSet.oauth2Client.replaces);
+	creates(CreatePipelineServiceRequestSchema, "Pipeline service", pipeline.changeSet.service.creates);
+	updates(UpdatePipelineServiceRequestSchema, "Pipeline service", pipeline.changeSet.service.updates);
+	creates(CreatePipelineResolverRequestSchema, "Resolver", pipeline.changeSet.resolver.creates);
+	updates(UpdatePipelineResolverRequestSchema, "Resolver", pipeline.changeSet.resolver.updates);
+	creates(CreateExecutorExecutorRequestSchema, "Executor", executor.changeSet.creates);
+	updates(UpdateExecutorExecutorRequestSchema, "Executor", executor.changeSet.updates);
+	creates(CreateWorkflowRequestSchema, "Workflow", workflow.changeSet.creates.map((item) => ({
+		name: item.name,
+		request: buildWorkflowValidationShape(item.workspaceId, item.workflow)
+	})));
+	updates(UpdateWorkflowRequestSchema, "Workflow", workflow.changeSet.updates.map((item) => ({
+		name: item.name,
+		request: buildWorkflowValidationShape(item.workspaceId, item.workflow)
+	})));
+	const workflowJobNameWorkspaceId = workflow.changeSet.creates[0]?.workspaceId ?? workflow.changeSet.updates[0]?.workspaceId ?? "";
+	if (workflowJobNameWorkspaceId) {
+		const allJobNames = /* @__PURE__ */ new Set();
+		for (const item of [...workflow.changeSet.creates, ...workflow.changeSet.updates]) for (const jobName of item.usedJobNames) allJobNames.add(jobName);
+		for (const jobName of workflow.unchangedWorkflowJobNames) allJobNames.add(jobName);
+		creates(CreateWorkflowJobFunctionRequestSchema, "Workflow job function", [...allJobNames].map((jobName) => ({
+			name: jobName,
+			request: {
+				workspaceId: workflowJobNameWorkspaceId,
+				jobFunctionName: jobName,
+				scriptRef: jobName
+			}
+		})));
+	}
+	creates(CreateSecretManagerVaultRequestSchema, "Secret Manager vault", secretManager.vaultChangeSet.creates.map((item) => ({
+		name: item.name,
+		request: vaultCreateRequest(item)
+	})));
+	creates(CreateSecretManagerSecretRequestSchema, "Secret Manager secret", secretManager.secretChangeSet.creates.map((item) => ({
+		name: item.name,
+		request: secretCreateRequest(item)
+	})));
+	updates(UpdateSecretManagerSecretRequestSchema, "Secret Manager secret", secretManager.secretChangeSet.updates.map((item) => ({
+		name: item.name,
+		request: secretUpdateRequest(item)
+	})));
+	creates(CreateApplicationRequestSchema, "Application", app.creates.map((item) => ({
+		name: item.name,
+		request: {
+			...item.request,
+			cors: void 0
+		}
+	})));
+	updates(UpdateApplicationRequestSchema, "Application", [...app.updates, ...app.unchanged].map((item) => ({
+		name: item.name,
+		request: {
+			...item.request,
+			cors: void 0
+		}
+	})));
+	creates(CreateAuthConnectionRequestSchema, "Auth connection", auth.changeSet.connection.creates);
+	replaces(CreateAuthConnectionRequestSchema, "Auth connection", auth.changeSet.connection.replaces);
+	if (violations.length === 0) return;
+	const resourceNames = new Set(violations.map((v) => `${v.kind}:${v.name}`));
+	logger.error(`Pre-flight validation found ${violations.length} violation(s) across ${resourceNames.size} resource(s):`);
+	for (const v of violations) logger.log(`  ${styles.resourceType(v.kind)} ${styles.resourceName(v.name)} (${v.action}) — ${styles.bold(v.fieldPath)}: ${v.message}`);
+	throw new Error(`${violations.length} validation error(s) found in ${resourceNames.size} resource(s)`);
+}
+
 //#endregion
 //#region src/cli/commands/deploy/deploy.ts
 /**
@@ -9751,7 +10153,10 @@ function collectIdpUserTriggerTargets(application) {
 	for (const executor of Object.values(application.executorService?.executors ?? {})) {
 		if (executor.trigger.kind !== "idpUser") continue;
 		if (executor.trigger.idp != null) targets.add(executor.trigger.idp);
-		else if (idps.length === 1) targets.add(idps[0].name);
+		else if (idps.length === 1) {
+			const [idp] = idps;
+			if (idp) targets.add(idp.name);
+		}
 	}
 	return targets;
 }
@@ -9834,7 +10239,7 @@ function printPlanResults(results) {
 		...formatChangeSetEntries(results.auth.changeSet.oauth2Client, ["oauth2Client"], namespaceOf),
 		...formatChangeSetEntries(results.auth.changeSet.scim, ["scimConfig"], namespaceOf),
 		...formatChangeSetEntries(results.auth.changeSet.scimResource, ["scimResource"], namespaceOf),
-		...results.auth.changeSet.connection ? formatChangeSetEntries(results.auth.changeSet.connection, ["connection"], namespaceOf) : []
+		...formatChangeSetEntries(results.auth.changeSet.connection, ["connection"], namespaceOf)
 	];
 	const { otherChanges: otherFunctionRegistryChanges } = splitFunctionRegistryChanges(results.functionRegistry.changeSet);
 	printGroupedDisplaySection(results.functionRegistry.changeSet.title, formatChangeSetEntries(otherFunctionRegistryChanges));
@@ -9976,10 +10381,7 @@ async function deploy(options) {
 			};
 		});
 		if (buildOnly) return { bundledScripts };
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: options?.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: options?.workspaceId,
 			profile: options?.profile
@@ -10124,6 +10526,19 @@ async function deploy(options) {
 			workflow,
 			secretManager
 		});
+		if (options?.noValidate) logger.warn("Client-side validation skipped (--no-validate).");
+		else await validatePlan({
+			functionRegistry,
+			tailorDB,
+			staticWebsite,
+			idp,
+			auth,
+			pipeline,
+			app,
+			executor,
+			workflow,
+			secretManager
+		});
 		if (dryRun) {
 			logger.info("Dry run enabled. No changes applied.");
 			return;
@@ -10486,10 +10901,7 @@ async function resolveExecutor(client, workspaceId, name) {
 }
 async function getExecutor(options) {
 	const name = "name" in options ? options.name : options.executor.name;
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -10738,10 +11150,7 @@ function parseStatus(status) {
 }
 async function listWorkflowExecutions(options) {
 	const workflowName = options && "workflowName" in options ? options.workflowName : options && "workflow" in options ? options.workflow?.name : void 0;
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -10778,10 +11187,7 @@ async function listWorkflowExecutions(options) {
 * @returns Workflow execution with optional logs
 */
 async function getWorkflowExecution(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -10966,10 +11372,7 @@ async function resolveWorkflow(client, workspaceId, name) {
 }
 async function getWorkflow(options) {
 	const name = "name" in options ? options.name : options.workflow.name;
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -11113,10 +11516,7 @@ async function startWorkflowCore(options) {
 	}
 }
 async function startWorkflowByName(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -11142,10 +11542,7 @@ async function startWorkflowByName(options) {
 async function startWorkflow(options) {
 	if ("name" in options) return await startWorkflowByName(options);
 	return await startWorkflowCore({
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: options.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: options.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: options.workspaceId,
 			profile: options.profile
@@ -11208,10 +11605,7 @@ function formatTime(date) {
 }
 async function listExecutorJobs(options) {
 	const executorName = "executorName" in options ? options.executorName : options.executor.name;
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -11249,10 +11643,7 @@ async function listExecutorJobs(options) {
 }
 async function getExecutorJob(options) {
 	const executorName = "executorName" in options ? options.executorName : options.executor.name;
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -11289,10 +11680,7 @@ async function getExecutorJob(options) {
 }
 async function watchExecutorJob(options) {
 	const executorName = "executorName" in options ? options.executorName : options.executor.name;
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -11592,10 +11980,7 @@ const jobsCommand = defineAppCommand({
 * @returns List of executors
 */
 async function listExecutors(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -11668,10 +12053,7 @@ const headerArg = z.string().superRefine((val, ctx) => {
 	};
 }).refine((h) => h.key.length > 0, { message: "Header name cannot be empty" });
 async function triggerExecutorByName(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -11767,10 +12149,7 @@ The \`--logs\` option displays logs from the downstream execution when available
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -11858,10 +12237,7 @@ The \`--logs\` option displays logs from the downstream execution when available
 * @returns List of webhook executors with URLs
 */
 async function listWebhookExecutors(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -11936,12 +12312,9 @@ const getFunctionRegistryOptionsSchema = z.object({
 });
 async function loadOptions$12(options) {
 	const result = getFunctionRegistryOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -12004,12 +12377,9 @@ const listFunctionRegistriesOptionsSchema = z.object({
 });
 async function loadOptions$11(options) {
 	const result = listFunctionRegistriesOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -12504,13 +12874,13 @@ function createGenerationManager(params) {
 		};
 	}
 	async function processTailorDBNamespace(gen, namespace, typeInfo) {
-		const results = generatorResults[gen.id];
+		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
 		results.tailordbResults[namespace] = {};
 		if (!gen.processType) return;
 		const processType = gen.processType;
 		await Promise.allSettled(Object.entries(typeInfo.types).map(async ([typeName, type]) => {
 			try {
-				results.tailordbResults[namespace][typeName] = await processType({
+				assertDefined(results.tailordbResults[namespace], `tailordb results not initialized for namespace ${namespace}`)[typeName] = await processType({
 					type,
 					namespace,
 					source: typeInfo.sourceInfo[typeName],
@@ -12533,13 +12903,13 @@ function createGenerationManager(params) {
 		else results.tailordbNamespaceResults[namespace] = results.tailordbResults[namespace];
 	}
 	async function processResolverNamespace(gen, namespace, resolvers) {
-		const results = generatorResults[gen.id];
+		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
 		results.resolverResults[namespace] = {};
 		if (!gen.processResolver) return;
 		const processResolver = gen.processResolver;
 		await Promise.allSettled(Object.entries(resolvers).map(async ([resolverName, resolver]) => {
 			try {
-				results.resolverResults[namespace][resolverName] = await processResolver({
+				assertDefined(results.resolverResults[namespace], `resolver results not initialized for namespace ${namespace}`)[resolverName] = await processResolver({
 					resolver,
 					namespace
 				});
@@ -12560,7 +12930,7 @@ function createGenerationManager(params) {
 		else results.resolverNamespaceResults[namespace] = results.resolverResults[namespace];
 	}
 	async function processExecutors(gen) {
-		const results = generatorResults[gen.id];
+		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
 		if (!gen.processExecutor) return;
 		const processExecutor = gen.processExecutor;
 		await Promise.allSettled(Object.entries(services.executor).map(async ([executorId, executor]) => {
@@ -12573,7 +12943,7 @@ function createGenerationManager(params) {
 		}));
 	}
 	async function aggregate(gen) {
-		const results = generatorResults[gen.id];
+		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
 		const tailordbResults = [];
 		const resolverResults = [];
 		for (const [namespace, types] of Object.entries(results.tailordbNamespaceResults)) tailordbResults.push({
@@ -12631,7 +13001,7 @@ function createGenerationManager(params) {
 		let result;
 		switch (hookName) {
 			case "onTailorDBReady":
-				result = await plugin.onTailorDBReady({
+				result = await assertDefined(plugin.onTailorDBReady, "plugin.onTailorDBReady hook missing")({
 					tailordb,
 					auth,
 					baseDir: pluginBaseDir,
@@ -12640,7 +13010,7 @@ function createGenerationManager(params) {
 				});
 				break;
 			case "onResolverReady":
-				result = await plugin.onResolverReady({
+				result = await assertDefined(plugin.onResolverReady, "plugin.onResolverReady hook missing")({
 					tailordb,
 					resolvers: buildResolverData(),
 					auth,
@@ -12650,7 +13020,7 @@ function createGenerationManager(params) {
 				});
 				break;
 			case "onExecutorReady":
-				result = await plugin.onExecutorReady({
+				result = await assertDefined(plugin.onExecutorReady, "plugin.onExecutorReady hook missing")({
 					tailordb,
 					resolvers: buildResolverData(),
 					executors: { ...services.executor },
@@ -12764,7 +13134,7 @@ function createGenerationManager(params) {
 			...process.env,
 			TAILOR_WATCH_GENERATION: (parseInt(process.env.TAILOR_WATCH_GENERATION || "0", 10) + 1).toString()
 		};
-		const child = spawn(process.argv[0], [process.argv[1], ...args], {
+		const child = spawn(assertDefined(process.argv[0], "argv[0] missing"), [assertDefined(process.argv[1], "argv[1] missing"), ...args], {
 			stdio: "inherit",
 			env,
 			detached: false
@@ -12828,7 +13198,10 @@ function createGenerationManager(params) {
 					executorService: app.executorService ?? (pluginExecutorFiles.length > 0 ? createExecutorService({ config: { files: [] } }) : void 0)
 				};
 			});
-			if (app.authService) await withSpan("generate.resolveAuthNamespaces", async () => app.authService.resolveNamespaces());
+			if (app.authService) {
+				const authService = app.authService;
+				await withSpan("generate.resolveAuthNamespaces", async () => authService.resolveNamespaces());
+			}
 			if (app.tailorDBServices.length > 0 || pluginExecutorFiles.length > 0) logger.newline();
 			const readyAfterTailorDB = getReadyGenerators("tailordb");
 			const hasOnTailorDBReady = generationPlugins.some((p) => p.onTailorDBReady != null);
@@ -12844,9 +13217,10 @@ function createGenerationManager(params) {
 					await withSpan(`generate.loadResolvers.${namespace}`, async () => {
 						try {
 							await resolverService.loadResolvers();
-							services.resolver[namespace] = {};
+							const namespaceResolvers = {};
+							services.resolver[namespace] = namespaceResolvers;
 							Object.entries(resolverService.resolvers).forEach(([_, resolver]) => {
-								services.resolver[namespace][resolver.name] = resolver;
+								namespaceResolvers[resolver.name] = resolver;
 							});
 						} catch (error) {
 							logger.error(`Error loading resolvers for Resolver service ${styles.bold(namespace)}`);
@@ -12892,11 +13266,11 @@ function createGenerationManager(params) {
 			const app = application;
 			for (const db of app.tailorDBServices) {
 				const dbNamespace = db.namespace;
-				await watcher?.addWatchGroup(`TailorDB/${dbNamespace}`, db.config.files);
+				await watcher.addWatchGroup(`TailorDB/${dbNamespace}`, db.config.files);
 			}
 			for (const resolverService of app.resolverServices) {
 				const resolverNamespace = resolverService.namespace;
-				await watcher?.addWatchGroup(`Resolver/${resolverNamespace}`, resolverService["config"].files);
+				await watcher.addWatchGroup(`Resolver/${resolverNamespace}`, resolverService["config"].files);
 			}
 			await new Promise(() => {});
 		}
@@ -12960,10 +13334,7 @@ function machineUserInfo(user) {
 * @returns List of machine users
 */
 async function listMachineUsers(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -13016,10 +13387,7 @@ const listCommand$7 = defineAppCommand({
 * @returns Machine user token info
 */
 async function getMachineUserToken(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -13120,10 +13488,7 @@ function toOAuth2ClientCredentials(client) {
 * @returns OAuth2 client credentials
 */
 async function getOAuth2Client(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -13140,7 +13505,7 @@ async function getOAuth2Client(options) {
 			namespaceName: application.authNamespace,
 			name: options.name
 		});
-		return toOAuth2ClientCredentials(oauth2Client);
+		return toOAuth2ClientCredentials(assertDefined(oauth2Client, "oauth2Client missing in response"));
 	} catch (error) {
 		if (error instanceof ConnectError && error.code === Code.NotFound) throw new Error(`OAuth2 client '${options.name}' not found.`, { cause: error });
 		throw error;
@@ -13175,10 +13540,7 @@ const getCommand$3 = defineAppCommand({
 * @returns List of OAuth2 clients
 */
 async function listOAuth2Clients(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -13262,7 +13624,7 @@ const createFolderOptionsSchema = z.object({
 */
 async function createFolder(options) {
 	const result = createFolderOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	const response = await (await initOperatorClient(await loadAccessToken())).createOrganizationFolder({
 		organizationId: result.data.organizationId,
 		parentFolderId: result.data.parentFolderId ?? "",
@@ -13307,7 +13669,7 @@ const deleteFolderOptionsSchema = z.object({
 */
 async function deleteFolder(options) {
 	const result = deleteFolderOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	await (await initOperatorClient(await loadAccessToken())).deleteOrganizationFolder({
 		organizationId: result.data.organizationId,
 		folderId: result.data.folderId
@@ -13360,7 +13722,7 @@ const getFolderOptionsSchema = z.object({
 */
 async function getFolder(options) {
 	const result = getFolderOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	const response = await (await initOperatorClient(await loadAccessToken())).getOrganizationFolder({
 		organizationId: result.data.organizationId,
 		folderId: result.data.folderId
@@ -13404,7 +13766,7 @@ const listFoldersOptionsSchema = z.object({
 */
 async function listFolders(options) {
 	const result = listFoldersOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	const { organizationId, parentFolderId, order, limit } = result.data;
 	const client = await initOperatorClient(await loadAccessToken());
 	const pageDirection = toPageDirection(order);
@@ -13452,7 +13814,7 @@ const updateFolderOptionsSchema = z.object({
 */
 async function updateFolder(options) {
 	const result = updateFolderOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	const response = await (await initOperatorClient(await loadAccessToken())).updateOrganizationFolder({
 		organizationId: result.data.organizationId,
 		folderId: result.data.folderId,
@@ -13494,7 +13856,7 @@ const getOrganizationOptionsSchema = z.object({ organizationId: z.uuid({ message
 */
 async function getOrganization(options) {
 	const result = getOrganizationOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	const response = await (await initOperatorClient(await loadAccessToken())).getOrganization({ organizationId: result.data.organizationId });
 	if (!response.organization) throw new Error(`Organization "${result.data.organizationId}" not found.`);
 	return organizationInfo(response.organization);
@@ -13588,12 +13950,12 @@ async function buildFolderTreeJson(client, organizationId, parentFolderId, curre
 }
 function renderTree(nodes, prefix) {
 	let output = "";
-	for (let i = 0; i < nodes.length; i++) {
+	for (const [i, node] of nodes.entries()) {
 		const isLast = i === nodes.length - 1;
 		const connector = isLast ? "└── " : "├── ";
 		const childPrefix = isLast ? "    " : "│   ";
-		output += `${prefix}${connector}${nodes[i].name}\n`;
-		if (nodes[i].children.length > 0) output += renderTree(nodes[i].children, prefix + childPrefix);
+		output += `${prefix}${connector}${node.name}\n`;
+		if (node.children.length > 0) output += renderTree(node.children, prefix + childPrefix);
 	}
 	return output;
 }
@@ -13680,7 +14042,7 @@ const updateOrganizationOptionsSchema = z.object({
 */
 async function updateOrganization(options) {
 	const result = updateOrganizationOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	const response = await (await initOperatorClient(await loadAccessToken())).updateOrganization({
 		organizationId: result.data.organizationId,
 		organizationName: result.data.name
@@ -13712,10 +14074,7 @@ const updateCommand$1 = defineAppCommand({
 //#endregion
 //#region src/cli/commands/remove.ts
 async function loadOptions$10(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -13767,7 +14126,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	auth.changeSet.authHook.print();
 	auth.changeSet.scim.print();
 	auth.changeSet.scimResource.print();
-	auth.changeSet.connection?.print();
+	auth.changeSet.connection.print();
 	secretManager.vaultChangeSet.print();
 	secretManager.secretChangeSet.print();
 	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
@@ -13838,6 +14197,82 @@ function logBetaWarning(featureName) {
 	logger.newline();
 }
 
+//#endregion
+//#region src/cli/commands/workspace/transform.ts
+const workspaceInfo = (workspace, folderName) => {
+	const info = {
+		id: workspace.id,
+		name: workspace.name,
+		region: workspace.region,
+		createdAt: formatTimestamp(workspace.createTime),
+		updatedAt: formatTimestamp(workspace.updateTime)
+	};
+	return folderName ? {
+		...info,
+		folderName
+	} : info;
+};
+const workspaceDetails = (workspace, folderName) => {
+	return {
+		...workspaceInfo(workspace, folderName),
+		deleteProtection: workspace.deleteProtection,
+		organizationId: workspace.organizationId,
+		folderId: workspace.folderId
+	};
+};
+async function resolveWorkspaceFolderName(client, workspace) {
+	if (!workspace.organizationId || !workspace.folderId) return void 0;
+	try {
+		return (await client.getOrganizationFolder({
+			organizationId: workspace.organizationId,
+			folderId: workspace.folderId
+		})).folder?.name || void 0;
+	} catch (error) {
+		if (error instanceof ConnectError && (error.code === Code.NotFound || error.code === Code.PermissionDenied)) return;
+		logger.warn(`Failed to resolve workspace folder name: ${error}`);
+		return;
+	}
+}
+function createWorkspaceFolderNameResolver(client) {
+	const cache = /* @__PURE__ */ new Map();
+	return (workspace) => {
+		if (!workspace.organizationId || !workspace.folderId) return Promise.resolve(void 0);
+		const cacheKey = `${workspace.organizationId}/${workspace.folderId}`;
+		const cached = cache.get(cacheKey);
+		if (cached) return cached;
+		const promise = resolveWorkspaceFolderName(client, workspace);
+		cache.set(cacheKey, promise);
+		return promise;
+	};
+}
+async function workspaceInfoWithFolderName(client, workspace) {
+	return workspaceInfo(workspace, await resolveWorkspaceFolderName(client, workspace));
+}
+async function workspaceDetailsWithFolderName(client, workspace) {
+	return workspaceDetails(workspace, await resolveWorkspaceFolderName(client, workspace));
+}
+async function workspaceInfosWithFolderNames(client, workspaces) {
+	const resolveFolderName = createWorkspaceFolderNameResolver(client);
+	const limit = pLimit(5);
+	return Promise.all(workspaces.map((workspace) => limit(async () => workspaceInfo(workspace, await resolveFolderName(workspace)))));
+}
+function workspaceDisplayName(workspace) {
+	return workspace.folderName ? `${workspace.folderName}/${workspace.name}` : workspace.name;
+}
+function createWorkspaceNameTransformer(nameKey, folderNameKey) {
+	return (value, item) => {
+		const workspace = item;
+		const name = workspace[nameKey];
+		const folderName = workspace[folderNameKey];
+		if (typeof name === "string" && typeof folderName === "string") return workspaceDisplayName({
+			name,
+			folderName
+		});
+		return String(value ?? "");
+	};
+}
+const workspaceNameTransformer = createWorkspaceNameTransformer("name", "folderName");
+
 //#endregion
 //#region src/cli/commands/show.ts
 function applicationInfo(app) {
@@ -13859,10 +14294,7 @@ function applicationInfo(app) {
 * @returns Application information
 */
 async function show(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -13872,15 +14304,19 @@ async function show(options) {
 		workspaceId,
 		applicationName: config.name
 	})]);
-	const { name, ...appInfo } = applicationInfo(resp.application);
+	const { name, ...appInfo } = applicationInfo(assertDefined(resp.application, `application "${config.name}" not found in workspace`));
+	const workspace = workspaceResp.workspace;
+	const workspaceFolderName = workspace ? await resolveWorkspaceFolderName(client, workspace) : "";
 	return {
 		name,
 		workspaceId,
-		workspaceName: workspaceResp.workspace?.name ?? "",
-		workspaceRegion: workspaceResp.workspace?.region ?? "",
+		workspaceName: workspace?.name ?? "",
+		...workspaceFolderName ? { workspaceFolderName } : {},
+		workspaceRegion: workspace?.region ?? "",
 		...appInfo
 	};
 }
+const showWorkspaceNameTransformer = createWorkspaceNameTransformer("workspaceName", "workspaceFolderName");
 const showCommand = defineAppCommand({
 	name: "show",
 	description: "Show information about the deployed application.",
@@ -13891,7 +14327,10 @@ const showCommand = defineAppCommand({
 			profile: args.profile,
 			configPath: args.config
 		});
-		logger.out(appInfo);
+		logger.out(appInfo, { display: {
+			workspaceName: showWorkspaceNameTransformer,
+			workspaceFolderName: null
+		} });
 	}
 });
 
@@ -13980,7 +14419,7 @@ function extractBreakingChangeFields(diff) {
 		const { before, after } = change;
 		if (before && after && !before.required && after.required) {
 			if (!optionalToRequired.has(change.typeName)) optionalToRequired.set(change.typeName, /* @__PURE__ */ new Set());
-			optionalToRequired.get(change.typeName).add(change.fieldName);
+			assertDefined(optionalToRequired.get(change.typeName), "optionalToRequired entry missing").add(change.fieldName);
 		}
 		if (before && after && before.type === "enum" && after.type === "enum" && before.allowedValues && after.allowedValues) {
 			const beforeValues = before.allowedValues.map((v) => v.value);
@@ -13989,7 +14428,7 @@ function extractBreakingChangeFields(diff) {
 			const afterSet = new Set(afterValues);
 			if (beforeValues.some((v) => !afterSet.has(v)) || afterValues.some((v) => !beforeSet.has(v))) {
 				if (!enumValueChanges.has(change.typeName)) enumValueChanges.set(change.typeName, /* @__PURE__ */ new Map());
-				enumValueChanges.get(change.typeName).set(change.fieldName, {
+				assertDefined(enumValueChanges.get(change.typeName), "enumValueChanges entry missing").set(change.fieldName, {
 					beforeValues,
 					afterValues
 				});
@@ -13999,7 +14438,7 @@ function extractBreakingChangeFields(diff) {
 		const { after } = change;
 		if (after && after.required) {
 			if (!addedRequiredFields.has(change.typeName)) addedRequiredFields.set(change.typeName, /* @__PURE__ */ new Map());
-			addedRequiredFields.get(change.typeName).set(change.fieldName, after);
+			assertDefined(addedRequiredFields.get(change.typeName), "addedRequiredFields entry missing").set(change.fieldName, after);
 		}
 	}
 	return {
@@ -14481,7 +14920,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-D4tRNn90.mjs");
+	const { defineApplication } = await import("./application-DSXntqnV.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -14652,7 +15091,7 @@ function extractAllNamespaces(config) {
 function extractOwnedNamespaces(config) {
 	const namespaces = /* @__PURE__ */ new Set();
 	if (config.db) for (const [namespaceName, nsConfig] of Object.entries(config.db)) {
-		if ("external" in nsConfig && nsConfig.external === true) continue;
+		if ("external" in nsConfig) continue;
 		namespaces.add(namespaceName);
 	}
 	return Array.from(namespaces);
@@ -14729,18 +15168,15 @@ async function truncate(options) {
 		yes: true
 	});
 }
-async function $truncate(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+async function $truncate(options = {}) {
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
-		workspaceId: options?.workspaceId,
-		profile: options?.profile
+		workspaceId: options.workspaceId,
+		profile: options.profile
 	});
-	const hasTypes = options?.types && options.types.length > 0;
-	const hasNamespace = !!options?.namespace;
-	const hasAll = !!options?.all;
+	const hasTypes = options.types && options.types.length > 0;
+	const hasNamespace = !!options.namespace;
+	const hasAll = !!options.all;
 	const optionCount = [
 		hasAll,
 		hasNamespace,
@@ -14748,14 +15184,14 @@ async function $truncate(options) {
 	].filter(Boolean).length;
 	if (optionCount === 0) throw new Error("Please specify one of: --all, --namespace <name>, or type names");
 	if (optionCount > 1) throw new Error("Options --all, --namespace, and type names are mutually exclusive. Please specify only one.");
-	const { config } = await loadConfig(options?.configPath);
+	const { config } = await loadConfig(options.configPath);
 	const namespaces = extractOwnedNamespaces(config);
 	if (hasAll) {
 		if (namespaces.length === 0) {
 			logger.warn("No namespaces found in config file.");
 			return;
 		}
-		if (!options?.yes) {
+		if (!options.yes) {
 			const namespaceList = namespaces.join(", ");
 			if (!await prompt.confirm({
 				message: `This will truncate ALL tables in the following owned namespaces (external namespaces are excluded): ${namespaceList}. Continue?`,
@@ -14769,11 +15205,11 @@ async function $truncate(options) {
 		logger.success("Truncated all tables in all owned namespaces");
 		return;
 	}
-	if (hasNamespace && options?.namespace) {
-		const namespace = options.namespace;
+	if (hasNamespace) {
+		const namespace = assertDefined(options.namespace, "namespace option missing");
 		if (!namespaces.includes(namespace)) {
 			const dbConfig = config.db?.[namespace];
-			if (dbConfig && "external" in dbConfig && dbConfig.external === true) throw new Error(`Namespace "${namespace}" is declared as external in this app's config and cannot be truncated from here. Run truncate from the app that owns it.`);
+			if (dbConfig && "external" in dbConfig) throw new Error(`Namespace "${namespace}" is declared as external in this app's config and cannot be truncated from here. Run truncate from the app that owns it.`);
 			throw new Error(`Namespace "${namespace}" not found in config. Available owned namespaces (external namespaces are excluded): ${namespaces.join(", ")}`);
 		}
 		if (!options.yes) {
@@ -14788,8 +15224,8 @@ async function $truncate(options) {
 		await truncateNamespace(workspaceId, namespace, client);
 		return;
 	}
-	if (hasTypes && options?.types) {
-		const typeNames = options.types;
+	if (hasTypes) {
+		const typeNames = assertDefined(options.types, "types option missing");
 		const typeNamespaceMap = await resolveTypeNamespaces({
 			workspaceId,
 			namespaces,
@@ -14861,10 +15297,7 @@ const truncateCommand = defineAppCommand({
 * @returns List of workflows
 */
 async function listWorkflows(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -14911,10 +15344,7 @@ const listCommand$3 = defineAppCommand({
 * @returns Resume result with wait helper
 */
 async function resumeWorkflow(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -15022,12 +15452,9 @@ const healthOptionsSchema = z.object({
 });
 async function loadOptions$9(options) {
 	const result = healthOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -15082,12 +15509,9 @@ const listAppsOptionsSchema = z.object({
 });
 async function loadOptions$8(options) {
 	const result = listAppsOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -15137,26 +15561,6 @@ const listCommand$2 = defineAppCommand({
 	}
 });
 
-//#endregion
-//#region src/cli/commands/workspace/transform.ts
-const workspaceInfo = (workspace) => {
-	return {
-		id: workspace.id,
-		name: workspace.name,
-		region: workspace.region,
-		createdAt: formatTimestamp(workspace.createTime),
-		updatedAt: formatTimestamp(workspace.updateTime)
-	};
-};
-const workspaceDetails = (workspace) => {
-	return {
-		...workspaceInfo(workspace),
-		deleteProtection: workspace.deleteProtection,
-		organizationId: workspace.organizationId,
-		folderId: workspace.folderId
-	};
-};
-
 //#endregion
 //#region src/cli/commands/workspace/create.ts
 /**
@@ -15182,17 +15586,17 @@ const validateRegion = async (region, client) => {
 */
 async function createWorkspace(options) {
 	const result = createWorkspaceOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	const validated = result.data;
 	const client = await initOperatorClient(await loadAccessToken());
 	await validateRegion(validated.region, client);
-	return workspaceInfo((await client.createWorkspace({
+	return workspaceInfoWithFolderName(client, assertDefined((await client.createWorkspace({
 		workspaceName: validated.name,
 		workspaceRegion: validated.region,
 		deleteProtection: validated.deleteProtection ?? false,
 		organizationId: validated.organizationId,
 		folderId: validated.folderId
-	})).workspace);
+	})).workspace, "createWorkspace response missing workspace"));
 }
 const createCommand = defineAppCommand({
 	name: "create",
@@ -15258,7 +15662,7 @@ const createCommand = defineAppCommand({
 			};
 			if (!args.json) logger.success(`Profile "${profileName}" created successfully.`);
 		}
-		if (!args.json) logger.success(`Workspace "${args.name}" created successfully.`);
+		if (!args.json) logger.success(`Workspace "${workspaceDisplayName(workspace)}" created successfully.`);
 		if (args.json && profileInfo) {
 			logger.out({
 				...workspace,
@@ -15266,7 +15670,10 @@ const createCommand = defineAppCommand({
 			});
 			return;
 		}
-		logger.out(workspace);
+		logger.out(workspace, { display: {
+			name: workspaceNameTransformer,
+			folderName: null
+		} });
 		if (profileInfo) {
 			logger.out("Profile:");
 			logger.out(profileInfo);
@@ -15279,7 +15686,7 @@ const createCommand = defineAppCommand({
 const deleteWorkspaceOptionsSchema = z.object({ workspaceId: z.uuid({ message: "workspace-id must be a valid UUID" }) });
 async function loadOptions$7(options) {
 	const result = deleteWorkspaceOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
 		client: await initOperatorClient(await loadAccessToken()),
 		workspaceId: result.data.workspaceId
@@ -15313,8 +15720,15 @@ const deleteCommand = defineAppCommand({
 		} catch {
 			throw new Error(`Workspace "${workspaceId}" not found.`);
 		}
+		const workspaceResource = workspace.workspace;
+		const workspaceName = workspaceResource?.name ?? workspaceId;
+		const displayName = workspaceDisplayName({
+			name: workspaceName,
+			folderName: workspaceResource ? await resolveWorkspaceFolderName(client, workspaceResource) : ""
+		});
 		if (!args.yes) {
-			if (await prompt.text({ message: `Enter the workspace name to confirm deletion (${workspace.workspace?.name}):` }) !== workspace.workspace?.name) {
+			const confirmation = await prompt.text({ message: `Enter the workspace name to confirm deletion (${displayName}):` });
+			if (confirmation !== workspaceName && confirmation !== displayName) {
 				logger.info("Workspace deletion cancelled.");
 				return;
 			}
@@ -15326,8 +15740,8 @@ const deleteCommand = defineAppCommand({
 			for (const [profileName] of profilesToDelete) delete pfConfig.profiles[profileName];
 			writePlatformConfig(pfConfig);
 		}
-		if (profilesToDelete.length > 0) logger.success(`Workspace "${args["workspace-id"]}" and ${profilesToDelete.length} associated profile(s) deleted successfully.`);
-		else logger.success(`Workspace "${args["workspace-id"]}" deleted successfully.`);
+		if (profilesToDelete.length > 0) logger.success(`Workspace "${displayName}" and ${profilesToDelete.length} associated profile(s) deleted successfully.`);
+		else logger.success(`Workspace "${displayName}" deleted successfully.`);
 	}
 });
 
@@ -15339,12 +15753,9 @@ const getWorkspaceOptionsSchema = z.object({
 });
 async function loadOptions$6(options) {
 	const result = getWorkspaceOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -15360,7 +15771,7 @@ async function getWorkspace(options) {
 	const { client, workspaceId } = await loadOptions$6(options);
 	const response = await client.getWorkspace({ workspaceId });
 	if (!response.workspace) throw new Error(`Workspace "${workspaceId}" not found.`);
-	return workspaceDetails(response.workspace);
+	return workspaceDetailsWithFolderName(client, response.workspace);
 }
 const getCommand = defineAppCommand({
 	name: "get",
@@ -15376,7 +15787,10 @@ const getCommand = defineAppCommand({
 			createdAt: humanizeRelativeTime(workspace.createdAt),
 			updatedAt: humanizeRelativeTime(workspace.updatedAt)
 		};
-		logger.out(formattedWorkspace);
+		logger.out(formattedWorkspace, { display: {
+			name: workspaceNameTransformer,
+			folderName: null
+		} });
 	}
 });
 
@@ -15390,14 +15804,14 @@ const getCommand = defineAppCommand({
 async function listWorkspaces(options) {
 	const client = await initOperatorClient(await loadAccessToken());
 	const pageDirection = toPageDirection(options?.order);
-	return (await fetchPaged(async (pageToken, pageSize) => {
+	return workspaceInfosWithFolderNames(client, await fetchPaged(async (pageToken, pageSize) => {
 		const { workspaces, nextPageToken } = await client.listWorkspaces({
 			pageToken,
 			pageSize,
 			pageDirection
 		});
 		return [workspaces, nextPageToken];
-	}, { limit: options?.limit })).map(workspaceInfo);
+	}, { limit: options?.limit }));
 }
 const listCommand$1 = defineAppCommand({
 	name: "list",
@@ -15408,7 +15822,11 @@ const listCommand$1 = defineAppCommand({
 			order: args.order,
 			limit: args.limit
 		});
-		logger.out(workspaces, { display: { updatedAt: null } });
+		logger.out(workspaces, { display: {
+			name: workspaceNameTransformer,
+			folderName: null,
+			updatedAt: null
+		} });
 	}
 });
 
@@ -15417,7 +15835,7 @@ const listCommand$1 = defineAppCommand({
 const restoreWorkspaceOptionsSchema = z.object({ workspaceId: z.uuid({ message: "workspace-id must be a valid UUID" }) });
 async function loadOptions$5(options) {
 	const result = restoreWorkspaceOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
 		client: await initOperatorClient(await loadAccessToken()),
 		workspaceId: result.data.workspaceId
@@ -15497,12 +15915,9 @@ const inviteUserOptionsSchema = z.object({
 });
 async function loadOptions$4(options) {
 	const result = inviteUserOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -15557,12 +15972,9 @@ const listUsersOptionsSchema = z.object({
 });
 async function loadOptions$3(options) {
 	const result = listUsersOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -15616,12 +16028,9 @@ const removeUserOptionsSchema = z.object({
 });
 async function loadOptions$2(options) {
 	const result = removeUserOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -15676,12 +16085,9 @@ const updateUserOptionsSchema = z.object({
 });
 async function loadOptions$1(options) {
 	const result = updateUserOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "Zod returned no issues").message);
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: result.data.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: result.data.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: result.data.workspaceId,
 			profile: result.data.profile
@@ -15902,7 +16308,7 @@ function isSqlInputComplete(input) {
 	let dollarQuoteTag = null;
 	let lastSignificantTokenWasSemicolon = false;
 	for (let i = 0; i < input.length; i += 1) {
-		const char = input[i];
+		const char = assertDefined(input[i], `character at index ${i} missing`);
 		const next = input[i + 1];
 		if (inLineComment) {
 			if (char === "\n") inLineComment = false;
@@ -16105,7 +16511,7 @@ const queryBaseOptionsSchema = z.object({
 const queryOptionsSchema = queryBaseOptionsSchema.extend({ query: z.string() });
 async function getNamespaceFromSqlQuery(workspaceId, query, client, namespaces) {
 	if (namespaces.length === 0) throw new Error("No namespaces found in configuration.");
-	if (namespaces.length === 1) return namespaces[0];
+	if (namespaces.length === 1) return assertDefined(namespaces[0], "namespace missing");
 	const typeNames = extractTypeNamesFromSql(query);
 	if (typeNames.length === 0) throw new Error(`Could not infer namespace from query. Detected namespaces: ${namespaces.join(", ")}.`);
 	const typeNamespaceMap = await resolveTypeNamespaces({
@@ -16117,16 +16523,13 @@ async function getNamespaceFromSqlQuery(workspaceId, query, client, namespaces)
 	const notFoundTypes = typeNames.filter((typeName) => !typeNamespaceMap.has(typeName));
 	if (notFoundTypes.length > 0) throw new Error(`Could not find namespace for types in query: ${notFoundTypes.join(", ")}.`);
 	const namespacesFromTypes = new Set(typeNamespaceMap.values());
-	if (namespacesFromTypes.size === 1) return [...namespacesFromTypes][0];
+	if (namespacesFromTypes.size === 1) return assertDefined([...namespacesFromTypes][0], "namespace from types missing");
 	throw new Error(`Query references types from multiple namespaces: ${[...namespacesFromTypes].join(", ")}.`);
 }
 async function loadOptions(options) {
 	const result = queryBaseOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: result.data.profile
-	}));
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "validation error missing issues").message);
+	const client = await initOperatorClient(await loadAccessToken({ profile: result.data.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: result.data.workspaceId,
 		profile: result.data.profile
@@ -16259,7 +16662,7 @@ async function resolveEditedQueryInput(engine) {
 */
 async function query(options) {
 	const result = queryOptionsSchema.safeParse(options);
-	if (!result.success) throw new Error(result.error.issues[0].message);
+	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "validation error missing issues").message);
 	return await (await prepareQueryExecutor(result.data))(result.data.query);
 }
 async function prepareQueryExecutor(options) {
@@ -16341,7 +16744,7 @@ async function runRepl(options) {
 	const execute = await prepareQueryExecutor(options);
 	const historyPath = getReplHistoryPath(options.engine, options.profile, options.workspaceId);
 	const validate = createReplValidator(options.engine);
-	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-Y9QJDL0K.mjs");
+	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-CJG3sz7A.mjs");
 	const highlight = options.engine === "sql" ? highlightSqlLine : highlightGraphqlLine;
 	const prompt = createPrompt({
 		prefix: "",
@@ -16602,8 +17005,9 @@ function printSingleSqlResult(execResult, options = {}) {
 function splitSqlStatements(query) {
 	const statements = parse(query, { locationTracking: true });
 	return statements.map((s, i) => {
-		const start = s._location.start;
-		const end = i + 1 < statements.length ? statements[i + 1]._location.start : query.length;
+		const start = assertDefined(s._location, "SQL statement location missing").start;
+		const nextStmt = statements[i + 1];
+		const end = nextStmt !== void 0 ? assertDefined(nextStmt._location, "SQL statement location missing").start : query.length;
 		return query.substring(start, end);
 	});
 }
@@ -16623,7 +17027,7 @@ function printSqlResult(result, options = {}) {
 		for (let i = 0; i < result.result.length; i++) {
 			if (i > 0) logger.log("");
 			logger.info(queries[i] ?? `Statement ${i + 1}`);
-			printSingleSqlResult(result.result[i], options);
+			printSingleSqlResult(assertDefined(result.result[i], `SQL result at index ${i} missing`), options);
 		}
 		return;
 	}
@@ -16674,5 +17078,5 @@ function isDeno() {
 }
 
 //#endregion
-export { listCommand$5 as $, compareSnapshots as $t, truncate as A, toPageDirection as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, commonArgs as Cn, triggerExecutor as Ct, resumeWorkflow as D, isVerbose as Dn, jobsCommand as Dt, resumeCommand as E, deploymentArgs as En, getExecutorJob as Et, writeDbTypesFile as F, getWorkflowExecution as Ft, organizationTree as G, parseMigrationLabelNumber as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, listWorkflowExecutions as It, listOrganizations as J, DIFF_FILE_NAME as Jt, treeCommand as K, bundleMigrationScript as Kt, openInConfiguredEditor as L, functionExecutionStatusToString as Lt, generate as M, getCommand$5 as Mt, generateCommand as N, getWorkflow as Nt, listCommand$3 as O, pagedLogArgs as On, listExecutorJobs as Ot, generateMigrationScript as P, executionsCommand as Pt, updateFolder as Q, compareLocalTypesWithSnapshot as Qt, show as R, formatKeyValueTable as Rt, listApps as S, defineAppCommand as Sn, triggerCommand as St, healthCommand as T, confirmationArgs as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, MIGRATION_LABEL_KEY as Wt, getOrganization as X, MIGRATE_FILE_NAME as Xt, getCommand$1 as Y, INITIAL_SCHEMA_NUMBER as Yt, updateCommand$2 as Z, SCHEMA_FILE_NAME as Zt, getWorkspace as _, generateUserTypes as _n, listFunctionRegistries as _t, updateUser as a, getNextMigrationNumber as an, createCommand$1 as at, createCommand as b, apiCall as bn, listWebhookExecutors as bt, listCommand as c, reconstructSnapshotFromMigrations as cn, listOAuth2Clients as ct, inviteUser as d, formatMigrationDiff as dn, getMachineUserToken as dt, createSnapshotFromLocalTypes as en, listFolders as et, restoreCommand as f, hasChanges as fn, tokenCommand as ft, getCommand as g, PluginManager as gn, listCommand$8 as gt, listWorkspaces as h, sdkNameLabelKey as hn, generate$1 as ht, updateCommand as i, getMigrationFiles as in, deleteFolder as it, truncateCommand as j, workspaceArgs as jn, startWorkflow as jt, listWorkflows as k, paginationArgs as kn, watchExecutorJob as kt, listUsers as l, formatMigrationNumber as ln, getCommand$3 as lt, listCommand$1 as m, resourceTrn as mn, listMachineUsers as mt, query as n, getMigrationDirPath as nn, getFolder as nt, removeCommand as o, isValidMigrationNumber as on, createFolder as ot, restoreWorkspace as p, getNamespacesWithMigrations as pn, listCommand$7 as pt, listCommand$4 as q, DB_TYPES_FILE_NAME as qt, queryCommand as r, getMigrationFilePath as rn, deleteCommand$1 as rt, removeUser as s, loadDiff as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, getLatestMigrationNumber as tn, getCommand$2 as tt, inviteCommand as u, formatDiffSummary as un, getOAuth2Client as ut, deleteCommand as v, prompt as vn, getCommand$4 as vt, getAppHealth as w, configArg as wn, listCommand$9 as wt, createWorkspace as x, assertWritable as xn, webhookCommand as xt, deleteWorkspace as y, apiCommand as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-CZpsV8vj.mjs.map
+export { listCommand$5 as $, INITIAL_SCHEMA_NUMBER as $t, truncate as A, configArg as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, generateUserTypes as Cn, triggerExecutor as Ct, resumeWorkflow as D, assertWritable as Dn, jobsCommand as Dt, resumeCommand as E, apiCall as En, getExecutorJob as Et, writeDbTypesFile as F, paginationArgs as Fn, getWorkflowExecution as Ft, organizationTree as G, MIGRATION_LABEL_KEY as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, toPageDirection as In, listWorkflowExecutions as It, listOrganizations as J, compareSnapshotWithRemote as Jt, treeCommand as K, handleOptionalToRequiredError as Kt, openInConfiguredEditor as L, workspaceArgs as Ln, functionExecutionStatusToString as Lt, generate as M, deploymentArgs as Mn, getCommand$5 as Mt, generateCommand as N, isVerbose as Nn, getWorkflow as Nt, listCommand$3 as O, defineAppCommand as On, listExecutorJobs as Ot, generateMigrationScript as P, pagedLogArgs as Pn, executionsCommand as Pt, updateFolder as Q, DIFF_FILE_NAME as Qt, show as R, formatKeyValueTable as Rt, listApps as S, PluginManager as Sn, triggerCommand as St, healthCommand as T, apiCommand as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, bundleMigrationScript as Wt, getOrganization as X, protoGqlPermission as Xt, getCommand$1 as Y, generateAllTypeManifestsFromSnapshot as Yt, updateCommand$2 as Z, DB_TYPES_FILE_NAME as Zt, getWorkspace as _, formatMigrationDiff as _n, listFunctionRegistries as _t, updateUser as a, createSnapshotFromLocalTypes as an, createCommand$1 as at, createCommand as b, resourceTrn as bn, listWebhookExecutors as bt, listCommand as c, getMigrationFilePath as cn, listOAuth2Clients as ct, inviteUser as d, isValidMigrationNumber as dn, getMachineUserToken as dt, MIGRATE_FILE_NAME as en, listFolders as et, restoreCommand as f, loadDiff as fn, tokenCommand as ft, getCommand as g, formatDiffSummary as gn, listCommand$8 as gt, listWorkspaces as h, parseMigrationNumberArg as hn, generate$1 as ht, updateCommand as i, compareSnapshots as in, deleteFolder as it, truncateCommand as j, confirmationArgs as jn, startWorkflow as jt, listWorkflows as k, commonArgs as kn, watchExecutorJob as kt, listUsers as l, getMigrationFiles as ln, getCommand$3 as lt, listCommand$1 as m, formatMigrationNumber as mn, listMachineUsers as mt, query as n, assertValidMigrationFiles as nn, getFolder as nt, removeCommand as o, getLatestMigrationNumber as on, createFolder as ot, restoreWorkspace as p, reconstructSnapshotFromMigrations as pn, listCommand$7 as pt, listCommand$4 as q, parseMigrationLabelNumber as qt, queryCommand as r, compareLocalTypesWithSnapshot as rn, deleteCommand$1 as rt, removeUser as s, getMigrationDirPath as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, SCHEMA_FILE_NAME as tn, getCommand$2 as tt, inviteCommand as u, getNextMigrationNumber as un, getOAuth2Client as ut, deleteCommand as v, hasChanges as vn, getCommand$4 as vt, getAppHealth as w, prompt as wn, listCommand$9 as wt, createWorkspace as x, sdkNameLabelKey as xn, webhookCommand as xt, deleteWorkspace as y, getNamespacesWithMigrations as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
+//# sourceMappingURL=runtime-C6o4hiYq.mjs.map