@tailor-platform/sdk 1.60.3 → 1.63.0

package/dist/cli/index.mjs

@@ -1,14 +1,16 @@
 #!/usr/bin/env node
 
-import { J as PATScope, O as CustomDomainStatus, P as FunctionExecution_Type, V as AuthInvokerSchema, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-W5P4NYYX.mjs";
+import { Et as AuthInvokerSchema, L as CustomDomainStatus, Nt as PATScope, Q as FunctionExecution_Type, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-CobIRHl-.mjs";
+import { t as assertDefined } from "../assert-CKfwrmCV.mjs";
 import { n as logger, r as styles } from "../logger-DpJyJvNz.mjs";
-import { $ as listCommand$10, An as toPageDirection, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as commonArgs, Dn as isVerbose, Dt as jobsCommand, E as resumeCommand, En as deploymentArgs, F as writeDbTypesFile, Gt as parseMigrationLabelNumber, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, K as treeCommand, L as openInConfiguredEditor, Lt as functionExecutionStatusToString, Mt as getCommand$6, N as generateCommand$1, O as listCommand$12, On as pagedLogArgs, P as generateMigrationScript, Pt as executionsCommand, Rt as formatKeyValueTable, Sn as defineAppCommand, St as triggerCommand, T as healthCommand, Tn as confirmationArgs, U as updateCommand$3, Vt as deploy, Y as getCommand$5, Yt as INITIAL_SCHEMA_NUMBER, Z as updateCommand$2, _n as generateUserTypes, at as createCommand$3, b as createCommand$4, c as listCommand$14, cn as reconstructSnapshotFromMigrations, f as restoreCommand, ft as tokenCommand, g as getCommand$7, gn as PluginManager, gt as listCommand$7, hn as sdkNameLabelKey, ht as generate, i as updateCommand$4, in as getMigrationFiles, j as truncateCommand, jn as workspaceArgs, kn as paginationArgs, ln as formatMigrationNumber, lt as getCommand$3, m as listCommand$15, mn as resourceTrn, o as removeCommand, on as isValidMigrationNumber, pn as getNamespacesWithMigrations, pt as listCommand$8, q as listCommand$11, r as queryCommand, rn as getMigrationFilePath, rt as deleteCommand$3, sn as loadDiff, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as prompt, vt as getCommand$2, wn as configArg, wt as listCommand$6, xn as assertWritable, xt as webhookCommand, yn as apiCommand, z as showCommand, zt as getCommand$1 } from "../runtime-C0_FZWdE.mjs";
-import { C as getDistDir, D as deleteUserTokens, E as loadConfig, F as writePlatformConfig, M as readPlatformConfig, N as resolveTokens, O as fetchLatestToken, P as saveUserTokens, a as WorkflowJobSchema, b as createLogLevelTreeshakeOptions, i as resolveInlineSourcemap, j as loadWorkspaceId, k as loadAccessToken, l as ExecutorSchema, o as ResolverSchema, t as defineApplication, u as INVOKER_EXPR, v as platformBundleDefinePlugin, w as hashContent, x as resolveBundleLogLevel, y as composeFunctionTreeshakeOptions } from "../application-pusdxz35.mjs";
+import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as commonArgs, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as PluginManager, Dt as jobsCommand, E as resumeCommand, En as apiCommand, F as writeDbTypesFile, Fn as pagedLogArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as paginationArgs, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as toPageDirection, Lt as functionExecutionStatusToString, Mn as confirmationArgs, Mt as getCommand$6, N as generateCommand$1, Nn as deploymentArgs, O as listCommand$12, On as assertWritable, P as generateMigrationScript, Pn as isVerbose, Pt as executionsCommand, Rn as workspaceArgs, Rt as formatKeyValueTable, Sn as sdkNameLabelKey, St as triggerCommand, T as healthCommand, Tn as prompt, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as ensureConfigId, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as configArg, kn as defineAppCommand, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as generateUserTypes, wt as listCommand$6, xn as resourceTrn, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-CW3jcQCc.mjs";
+import { A as resolveTokens, C as loadConfig, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, T as fetchLatestToken, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, b as getDistDir, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as saveUserTokens, k as readPlatformConfig, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, w as deleteUserTokens, x as hashContent$1 } from "../application-BezXGbrU.mjs";
+import { n as ExecutorSchema } from "../service-wI3Hvrgx.mjs";
 import { t as multiline } from "../multiline-Cf9ODpr1.mjs";
-import { r as isPluginGeneratedType } from "../seed-C0fE2sJB.mjs";
+import { r as isPluginGeneratedType } from "../seed-BH2FbrPV.mjs";
 import { t as readPackageJson } from "../package-json-DcQApfPQ.mjs";
 import { n as isCLIError } from "../errors-EsY4XO6O.mjs";
-import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-D3DvAzdg.mjs";
+import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-BhD0y14F.mjs";
 import { arg, defineCommand, runCommand, runMain } from "politty";
 import { withCompletionCommand } from "politty/completion";
 import { z } from "zod";
@@ -22,6 +24,7 @@ import { generateCodeVerifier } from "@badgateway/oauth2-client";
 import { Code, ConnectError } from "@connectrpc/connect";
 import { resolvePackageJSON, resolveTSConfig } from "pkg-types";
 import * as crypto from "node:crypto";
+import { createHash } from "node:crypto";
 import * as http from "node:http";
 import open from "open";
 import * as rolldown from "rolldown";
@@ -74,10 +77,7 @@ const authorizeAuthConnectionCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -178,10 +178,7 @@ const deleteAuthConnectionCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -228,10 +225,7 @@ const listAuthConnectionCommand = defineAppCommand({
 		...paginationArgs()
 	}).strict(),
 	run: async (args) => {
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -308,10 +302,7 @@ const revokeAuthConnectionCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -487,6 +478,7 @@ const deployCommand$1 = defineAppCommand({
 			description: "Run the command without making any changes"
 		}),
 		"no-schema-check": arg(z.boolean().optional(), { description: "Skip schema diff check against migration snapshots" }),
+		"no-validate": arg(z.boolean().optional(), { description: "Skip client-side validation against platform resource constraints" }),
 		"no-cache": arg(z.boolean().optional(), { description: "Disable bundle caching for this run" }),
 		"clean-cache": arg(z.boolean().optional(), { description: "Clean the bundle cache before building" })
 	}).strict(),
@@ -501,6 +493,7 @@ const deployCommand$1 = defineAppCommand({
 			dryRun: args["dry-run"],
 			yes: args.yes,
 			noSchemaCheck: args["no-schema-check"],
+			noValidate: args["no-validate"],
 			noCache: args["no-cache"],
 			cleanCache: args["clean-cache"]
 		});
@@ -644,9 +637,9 @@ function parseStackTrace(error) {
 		const match = STACK_FRAME_REGEX.exec(line);
 		if (match) frames.push({
 			functionName: match[1] || "<anonymous>",
-			file: match[2],
-			line: Number(match[3]),
-			column: Number(match[4])
+			file: assertDefined(match[2], "stack frame file missing"),
+			line: Number(assertDefined(match[3], "stack frame line missing")),
+			column: Number(assertDefined(match[4], "stack frame column missing"))
 		});
 	}
 	return {
@@ -664,7 +657,7 @@ function extractInlineSourcemap(bundledCode) {
 	const match = INLINE_SOURCEMAP_REGEX.exec(bundledCode);
 	if (!match) return null;
 	try {
-		const decoded = Buffer.from(match[1], "base64").toString("utf-8");
+		const decoded = Buffer.from(assertDefined(match[1], "sourcemap base64 data missing"), "base64").toString("utf-8");
 		return new TraceMap(JSON.parse(decoded));
 	} catch {
 		return null;
@@ -918,7 +911,7 @@ function composeExecutionErrorString(error) {
 */
 function formatExecutionErrorFallback(error) {
 	const [headerLine, ...frameLines] = composeExecutionErrorString(error).split("\n");
-	return [`  ${styles.error(headerLine ?? "")}`, ...frameLines.map((line) => `  ${styles.dim(line)}`)].join("\n");
+	return [`  ${styles.error(headerLine)}`, ...frameLines.map((line) => `  ${styles.dim(line)}`)].join("\n");
 }
 /**
 * Format an execution error for display, applying sourcemap mapping
@@ -1061,10 +1054,7 @@ Stack traces stay accurate even after later redeploys, because the trace is reso
 		})
 	}).strict(),
 	run: async (args) => {
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -1228,7 +1218,7 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
       `;
 		}
 		case "workflow-job": {
-			const exportName = detected.exportName;
+			const exportName = assertDefined(detected.exportName, "workflow job export name missing");
 			return multiline`
         import { ${exportName} } from "${absoluteSourcePath}";
 
@@ -1294,7 +1284,7 @@ async function detectFunctionType(options) {
 		const rawInput = module.default.input;
 		let inputSchema;
 		if (rawInput) {
-			const { t } = await import("../types-Ccwchyj5.mjs");
+			const { t } = await import("../types-2Be3wSMc.mjs");
 			inputSchema = t.object(rawInput);
 		}
 		return {
@@ -1362,11 +1352,15 @@ function detectWorkflowJob(module, jobName) {
 			exportName: match.exportName
 		};
 	}
-	if (jobs.length === 1) return {
-		type: "workflow-job",
-		name: jobs[0].name,
-		exportName: jobs[0].exportName
-	};
+	if (jobs.length === 1) {
+		const [jobEntry] = jobs;
+		const job = assertDefined(jobEntry, "workflow job missing");
+		return {
+			type: "workflow-job",
+			name: job.name,
+			exportName: job.exportName
+		};
+	}
 	const available = jobs.map((j) => `  - "${j.name}" (export: ${j.exportName})`).join("\n");
 	throw new Error(`Multiple workflow jobs found. Specify one with --name:\n${available}`);
 }
@@ -1441,10 +1435,7 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 		const { config } = await loadConfig(args.config);
 		const authNamespace = resolveAuthNamespace(config.auth);
 		const machineUserName = resolveMachineUserName(args["machine-user"], config.auth);
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -1518,7 +1509,7 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 		else {
 			if (result.success) logger.success("Execution succeeded");
 			else logger.error("Execution failed");
-			if (result.logs?.trim()) {
+			if (result.logs.trim()) {
 				logger.log(styles.bold("\nLogs:"));
 				for (const line of result.logs.split("\n")) logger.log(`  ${line}`);
 			}
@@ -1562,7 +1553,7 @@ function resolveMachineUserName(cliMachineUser, authConfig) {
 		const machineUsers = authConfig.machineUsers;
 		if (machineUsers) {
 			const keys = Object.keys(machineUsers);
-			if (keys.length > 0) return keys[0];
+			if (keys.length > 0) return assertDefined(keys[0], "machine user key missing");
 		}
 	}
 	throw new Error("Machine user is required. Provide --machine-user or ensure tailor.config.ts has machine users configured.");
@@ -1617,7 +1608,7 @@ function resolveResolverArg(argStr, inputSchema, machineUser, workspaceId) {
 		type: "machine_user",
 		workspaceId,
 		attributes: machineUser.attributes ?? null,
-		attributeList: machineUser.attributeList ?? []
+		attributeList: machineUser.attributeList
 	};
 	if (!inputSchema.parse({
 		value: parsed,
@@ -1751,7 +1742,7 @@ const startAuthServer = async () => {
 				await saveUserTokens(pfConfig, userInfo.email, {
 					accessToken: tokens.accessToken,
 					refreshToken: tokens.refreshToken ?? void 0
-				}, new Date(tokens.expiresAt).toISOString());
+				}, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString());
 				pfConfig.current_user = userInfo.email;
 				writePlatformConfig(pfConfig);
 				res.writeHead(200, { "Content-Type": "application/json" });
@@ -1797,7 +1788,7 @@ async function loginAsMachineUser(args) {
 	const clientSecret = args.clientSecret ?? await prompt.password({ message: "Client secret" });
 	const tokens = await fetchPlatformMachineUserToken(args.clientId, clientSecret);
 	const pfConfig = await readPlatformConfig();
-	await saveUserTokens(pfConfig, args.clientId, { accessToken: tokens.accessToken }, new Date(tokens.expiresAt).toISOString());
+	await saveUserTokens(pfConfig, args.clientId, { accessToken: tokens.accessToken }, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString());
 	pfConfig.current_user = args.clientId;
 	writePlatformConfig(pfConfig);
 }
@@ -1821,7 +1812,7 @@ const loginCommand = defineAppCommand({
 		})
 	}).strict().describe("Machine User Login")]),
 	run: async (args) => {
-		if ("machine-user" in args && args["machine-user"]) await loginAsMachineUser({
+		if ("machine-user" in args) await loginAsMachineUser({
 			clientId: args.clientId,
 			clientSecret: args.clientSecret
 		});
@@ -1839,13 +1830,14 @@ const logoutCommand = defineAppCommand({
 	args: z.object({}).strict(),
 	run: async () => {
 		const pfConfig = await readPlatformConfig();
-		const userEntry = pfConfig.current_user ? pfConfig.users[pfConfig.current_user] : void 0;
-		if (!userEntry) {
+		const currentUser = pfConfig.current_user;
+		const userEntry = currentUser ? pfConfig.users[currentUser] : void 0;
+		if (!userEntry || !currentUser) {
 			logger.info("You are not logged in.");
 			return;
 		}
 		try {
-			const { accessToken, refreshToken } = await resolveTokens(userEntry, pfConfig.current_user);
+			const { accessToken, refreshToken } = await resolveTokens(userEntry, currentUser);
 			const client = initOAuth2Client();
 			const tokenTypeHint = refreshToken ? "refresh_token" : "access_token";
 			await client.revoke({
@@ -1856,8 +1848,8 @@ const logoutCommand = defineAppCommand({
 		} catch (error) {
 			logger.warn(`Failed to revoke token: ${error instanceof Error ? error.message : error}`);
 		}
-		await deleteUserTokens(pfConfig, pfConfig.current_user);
-		delete pfConfig.users[pfConfig.current_user];
+		await deleteUserTokens(pfConfig, currentUser);
+		delete pfConfig.users[currentUser];
 		pfConfig.current_user = null;
 		writePlatformConfig(pfConfig);
 		logger.success("Successfully logged out from Tailor Platform.");
@@ -2048,12 +2040,15 @@ const listCommand$4 = defineAppCommand({
 			if (jsonOutput) logger.out([]);
 			return;
 		}
-		const profileInfos = profiles.map(([name, profile]) => ({
-			name,
-			user: profile.user,
-			workspaceId: profile.workspace_id,
-			permission: profile.readonly === true ? "read" : "write"
-		}));
+		const profileInfos = profiles.map(([name, profile]) => {
+			const p = assertDefined(profile, `profile entry "${name}" is undefined`);
+			return {
+				name,
+				user: p.user,
+				workspaceId: p.workspace_id,
+				permission: p.readonly === true ? "read" : "write"
+			};
+		});
 		logger.out(profileInfos);
 	}
 });
@@ -2080,9 +2075,9 @@ const updateCommand$1 = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		const config = await readPlatformConfig();
-		if (!config.profiles[args.name]) throw new Error(`Profile "${args.name}" not found.`);
-		if (!args.user && !args["workspace-id"] && args.permission === void 0) throw new Error("Please provide at least one property to update.");
 		const profile = config.profiles[args.name];
+		if (!profile) throw new Error(`Profile "${args.name}" not found.`);
+		if (!args.user && !args["workspace-id"] && args.permission === void 0) throw new Error("Please provide at least one property to update.");
 		const oldUser = profile.user;
 		const newUser = args.user || oldUser;
 		const oldWorkspaceId = profile.workspace_id;
@@ -2222,10 +2217,7 @@ const createSecretCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -2275,10 +2267,7 @@ const deleteSecretCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -2327,10 +2316,7 @@ function secretInfo(secret) {
 * @returns List of secrets
 */
 async function secretList(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -2384,10 +2370,7 @@ const updateSecretCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -2440,10 +2423,7 @@ const createCommand$1 = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -2473,10 +2453,7 @@ const deleteCommand$1 = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -2521,10 +2498,7 @@ function vaultInfo(vault) {
 * @returns List of vaults
 */
 async function vaultList(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -2591,33 +2565,159 @@ const secretCommand = defineCommand({
 });
 
 //#endregion
-//#region src/cli/commands/setup/github/deploy.workflow.yml
-var deploy_workflow_default = "name: Tailor Platform\n\non:\n  pull_request:\n    branches:\n      - main\n  push:\n    branches:\n      - main\n  workflow_dispatch:\n\nconcurrency:\n  group: tailor-__WORKSPACE_NAME__-${{ github.head_ref || github.ref }}\n  cancel-in-progress: ${{ github.event_name == 'pull_request' }}\n\njobs:\n  # __PLAN_JOB_START__\n  plan:\n    if: github.event_name == 'pull_request'\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      # __SETUP_STEPS__\n      - uses: tailor-platform/actions/plan@e63ed98630a23fa21ee0636abf0f7fb75fcdce40 # v1.1.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  deploy:\n    if: github.event_name != 'pull_request'\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    steps:\n      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - uses: tailor-platform/actions/deploy@e63ed98630a23fa21ee0636abf0f7fb75fcdce40 # v1.1.0\n        with:\n          workspace-name: __WORKSPACE_NAME__\n          workspace-region: __WORKSPACE_REGION__\n          organization-id: __ORGANIZATION_ID__\n          folder-id: __FOLDER_ID__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+//#region src/cli/commands/setup/github/git.ts
+const defaultGitRunner = (args, cwd) => {
+	const result = spawnSync("git", args, {
+		cwd,
+		encoding: "utf-8"
+	});
+	if (result.status !== 0 || typeof result.stdout !== "string") return null;
+	return result.stdout.trim();
+};
+/**
+* Detect the remote default branch by reading `refs/remotes/origin/HEAD`.
+*
+* Throws an AI-first error (with a remediation hint) when the symbolic ref is
+* not set, so the caller can surface a clear next step instead of a silent
+* fallback.
+* @param cwd - Repository directory to inspect
+* @param run - Git runner, injectable for testing
+* @returns The default branch name (e.g. `main`)
+*/
+function detectDefaultBranch(cwd, run = defaultGitRunner) {
+	const ref = run([
+		"symbolic-ref",
+		"--short",
+		"refs/remotes/origin/HEAD"
+	], cwd);
+	const branch = ref?.startsWith("origin/") ? ref.slice(7) : ref;
+	if (!branch) throw new Error("Could not detect the default branch from git. Pass --branch <name>, or run 'git remote set-head origin --auto' to record it.");
+	return branch;
+}
+
+//#endregion
+//#region src/cli/commands/setup/github/lock.ts
+/** Current lock schema version. Bumped only on breaking lock-format changes. */
+const LOCK_VERSION = 1;
+/** Lock file path, relative to the repository root. */
+const LOCK_FILENAME = ".github/tailor-sdk.lock";
+/**
+* Compute the lock content hash for a rendered workflow file.
+* @param content - File content to hash
+* @returns `sha256:<hex>` digest string
+*/
+function hashContent(content) {
+	return `sha256:${createHash("sha256").update(content, "utf-8").digest("hex")}`;
+}
+/**
+* Resolve the absolute lock file path for an output directory.
+* @param outputDir - Repository root where `.github` lives
+* @returns Absolute path to the lock file
+*/
+function lockPath(outputDir) {
+	return path.join(outputDir, LOCK_FILENAME);
+}
+/**
+* Read and validate the lock file from disk.
+*
+* Returns null when no lock exists. Throws when the lock was written by a
+* newer SDK (forward-compatibility guard).
+* @param outputDir - Repository root where `.github` lives
+* @returns Parsed lock file, or null when absent
+*/
+function readLock(outputDir) {
+	const file = lockPath(outputDir);
+	if (!fs$1.existsSync(file)) return null;
+	let parsed;
+	try {
+		parsed = JSON.parse(fs$1.readFileSync(file, "utf-8"));
+	} catch (cause) {
+		throw new Error(`${LOCK_FILENAME} is not valid JSON. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`, { cause });
+	}
+	if (typeof parsed.version !== "number") throw new Error(`${LOCK_FILENAME} has no valid 'version' field. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`);
+	if (parsed.version > 1) throw new Error(`${LOCK_FILENAME} was written by a newer SDK (lock version ${String(parsed.version)}). Update @tailor-platform/sdk to continue (e.g. pnpm update @tailor-platform/sdk).`);
+	if (!Array.isArray(parsed.targets)) throw new Error(`${LOCK_FILENAME} has no valid 'targets' array. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`);
+	return parsed;
+}
+/**
+* Write the lock file to disk (2-space JSON, trailing newline).
+* @param outputDir - Repository root where `.github` lives
+* @param lock - Lock file contents to serialize
+*/
+function writeLock(outputDir, lock) {
+	const file = lockPath(outputDir);
+	fs$1.mkdirSync(path.dirname(file), { recursive: true });
+	fs$1.writeFileSync(file, `${JSON.stringify(lock, null, 2)}\n`, "utf-8");
+}
+/**
+* Find a lock target by identity. Targets are identified by (kind,
+* workspaceName); the full trigger/path cross-check is deferred to P2.
+* @param lock - Lock file to search, or null
+* @param kind - Target kind
+* @param workspaceName - Workspace name
+* @returns Matching target, or undefined
+*/
+function findTarget(lock, kind, workspaceName) {
+	return lock?.targets.find((t) => t.kind === kind && t.workspaceName === workspaceName);
+}
+
+//#endregion
+//#region src/cli/commands/setup/github/branch.workflow.yml
+var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-bun.yml
-var setup_bun_default = "- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- run: bun install --frozen-lockfile\n";
+var setup_bun_default = "- id: tailor-setup-bun\n  uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- id: tailor-install\n  run: bun install --frozen-lockfile\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-npm.yml
-var setup_npm_default = "- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- run: npm ci\n";
+var setup_npm_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- id: tailor-install\n  run: npm ci\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-pnpm.yml
-var setup_pnpm_default = "- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- run: pnpm install --frozen-lockfile\n";
+var setup_pnpm_default = "- id: tailor-setup-pnpm\n  uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- id: tailor-install\n  run: pnpm install --frozen-lockfile\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-yarn.yml
-var setup_yarn_default = "- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- run: yarn install --frozen-lockfile\n";
+var setup_yarn_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- id: tailor-install\n  run: yarn install --frozen-lockfile\n";
 
 //#endregion
-//#region src/cli/commands/setup/github/template-deploy.ts
+//#region src/cli/commands/setup/github/tag.workflow.yml
+var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        env:\n          TARGET_BRANCH: \"__BRANCH__\"\n        run: |\n          git fetch origin \"$TARGET_BRANCH\"\n          if git merge-base --is-ancestor \"$GITHUB_SHA\" \"origin/$TARGET_BRANCH\"; then\n            echo \"on-branch=true\" >> \"$GITHUB_OUTPUT\"\n          else\n            # A tag outside the target branch is not an error — just skip.\n            echo \"on-branch=false\" >> \"$GITHUB_OUTPUT\"\n            echo \"::notice::Tag $GITHUB_REF_NAME is not reachable from $TARGET_BRANCH; skipping deploy.\"\n          fi\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+
+//#endregion
+//#region src/cli/commands/setup/github/templates.ts
+const setupStepIds = {
+	pnpm: [
+		"tailor-setup-pnpm",
+		"tailor-setup-node",
+		"tailor-install"
+	],
+	yarn: ["tailor-setup-node", "tailor-install"],
+	npm: ["tailor-setup-node", "tailor-install"],
+	bun: ["tailor-setup-bun", "tailor-install"]
+};
 const setupSteps = {
 	pnpm: setup_pnpm_default,
 	yarn: setup_yarn_default,
 	npm: setup_npm_default,
 	bun: setup_bun_default
 };
+const execPrefix = {
+	npm: "npx",
+	pnpm: "pnpm exec",
+	yarn: "yarn",
+	bun: "bunx"
+};
+const HEADER = `# Generated by \`tailor-sdk setup github\` — managed by the Tailor SDK.
+#
+# - Jobs and steps whose id starts with \`tailor-\` are managed by the SDK.
+#   Do not edit or rename them.
+# - State is tracked in .github/tailor-sdk.lock (machine-owned: commit it, never edit it).
+# - Re-running \`tailor-sdk setup github\` regenerates this file. If you have
+#   edited it by hand, regeneration stops and asks for --force (which discards
+#   your edits), so prefer keeping customizations in your own jobs/steps and
+#   re-running setup after SDK updates.`;
 function indentSnippet(snippet, spaces) {
 	const indent = " ".repeat(spaces);
 	return snippet.trimEnd().split("\n").map((line) => line ? indent + line : line).join("\n");
@@ -2634,139 +2734,352 @@ function detectPackageManager(dir) {
 	if (fs$1.existsSync(path.join(dir, "package-lock.json"))) return "npm";
 	return "npm";
 }
+function block(content, name, keep) {
+	if (keep) return content.replace(new RegExp(`^ *# __${name}_(?:START|END)__\\n`, "gm"), "");
+	return content.replace(new RegExp(`^ *# __${name}_START__\\n[\\s\\S]*?^ *# __${name}_END__\\n`, "m"), "");
+}
+function line(content, name, replacement) {
+	const re = new RegExp(`^([ \\t]*)# __${name}__\\n`, "gm");
+	return content.replace(re, (_match, indent) => {
+		if (replacement === void 0) return "";
+		return replacement.split("\n").map((l) => l ? indent + l : l).join("\n") + "\n";
+	});
+}
+function applyCommon(content, params) {
+	const { workingDirectory, environment, packageManager } = params;
+	let out = line(content, "HEADER", HEADER);
+	out = line(out, "WORKING_DIRECTORY", workingDirectory ? `working-directory: ${workingDirectory}` : void 0);
+	out = out.replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
+	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PM_EXEC__", () => execPrefix[packageManager]);
+}
+function setupIds(job, packageManager) {
+	return setupStepIds[packageManager].map((id) => `${job}/${id}`);
+}
 /**
-* Render the deploy workflow YAML.
+* Render the branch-target deploy workflow.
 *
-* Generates a workflow that calls the composite deploy action
-* from tailor-platform/actions. The environment setup steps (Node.js,
-* package manager, dependency install) are generated based on the
-* detected package manager.
+* When `plan` is false the plan job, the pull_request trigger, and the
+* workflow_dispatch dry-run input are all removed (a plan-less workflow has no
+* meaningful dry-run), and the deploy job runs unconditionally.
+* @param params - Workspace and rendering configuration
+* @returns Rendered YAML and the list of managed job/step ids
+*/
+function renderBranchWorkflow(params) {
+	const { branch, plan, packageManager } = params;
+	let out = branch_workflow_default;
+	out = block(out, "PLAN_JOB", plan);
+	out = block(out, "PULL_REQUEST", plan);
+	out = block(out, "DISPATCH_INPUTS", plan);
+	out = line(out, "DEPLOY_IF", plan ? `if: >-\n  github.event_name == 'push' ||\n  (github.event_name == 'workflow_dispatch' && !inputs['dry-run'])` : void 0);
+	out = line(out, "PATHS", params.workingDirectory ? `paths: ["${params.workingDirectory}/**"]` : void 0);
+	out = applyCommon(out, params).replaceAll("__BRANCH__", () => branch);
+	const generatedIds = [];
+	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
+	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	return {
+		content: out,
+		generatedIds
+	};
+}
+/**
+* Render the tag-target deploy workflow.
 *
-* If withPlan is true, also includes a plan job that runs on pull requests.
-* Otherwise, the plan job section delimited by __PLAN_JOB_START__ /
-* __PLAN_JOB_END__ markers is stripped from the template.
-* @param params - Workspace and deployment configuration
-* @returns Workflow YAML content
+* When `branch` is set, a tag-reachability guard job is generated and the plan
+* job gates on it; otherwise no guard is emitted and tags deploy unconditionally.
+* @param params - Workspace and rendering configuration
+* @returns Rendered YAML and the list of managed job/step ids
 */
-function renderDeploy(params) {
-	const { workspaceName, workspaceRegion, organizationId, folderId, workingDirectory, packageManager, withPlan } = params;
-	const workingDirectoryLine = workingDirectory ? `          working-directory: ${workingDirectory}\n` : "";
-	const stripPlanSection = (content) => withPlan ? content.replace(/^ *# __PLAN_JOB_(?:START|END)__\n/gm, "") : content.replace(/^ *# __PLAN_JOB_START__\n[\s\S]*?^ *# __PLAN_JOB_END__\n/m, "");
-	return stripPlanSection(deploy_workflow_default).replaceAll("__WORKSPACE_NAME__", () => workspaceName).replaceAll("__WORKSPACE_REGION__", () => workspaceRegion).replaceAll("__ORGANIZATION_ID__", () => organizationId).replaceAll("__FOLDER_ID__", () => folderId).replace(/ *# __WORKING_DIRECTORY__\n/g, () => workingDirectoryLine).replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
+function renderTagWorkflow(params) {
+	const { tagPattern, branch, packageManager } = params;
+	const hasGuard = branch !== void 0;
+	let out = tag_workflow_default;
+	out = block(out, "TAG_GUARD_JOB", hasGuard);
+	out = line(out, "PLAN_NEEDS", hasGuard ? "needs: tailor-tag-guard" : void 0);
+	out = line(out, "PLAN_IF", hasGuard ? `if: >-\n  github.event_name == 'workflow_dispatch' ||\n  needs.tailor-tag-guard.outputs.on-branch == 'true'` : void 0);
+	out = applyCommon(out, params).replaceAll("__TAG_PATTERN__", () => tagPattern);
+	if (hasGuard) out = out.replaceAll("__BRANCH__", () => branch);
+	const generatedIds = [];
+	if (hasGuard) generatedIds.push("tailor-tag-guard", "tailor-tag-guard/tailor-checkout", "tailor-tag-guard/tailor-tag-guard");
+	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan", "tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	return {
+		content: out,
+		generatedIds
+	};
 }
 
 //#endregion
 //#region src/cli/commands/setup/github/github.ts
+async function defaultLoadConfigName(configPath) {
+	const { config } = await loadConfig(configPath);
+	return config.name;
+}
+const WORKSPACE_NAME_RE = /^[a-z0-9-]+$/;
+function validateWorkspaceName(name) {
+	if (name.length < 3 || name.length > 63 || !WORKSPACE_NAME_RE.test(name) || name.startsWith("-") || name.endsWith("-")) throw new Error(`Invalid workspace name "${name}". Names must be 3-63 characters of lowercase letters, numbers, and hyphens, and cannot start or end with a hyphen. Pass a valid name with --workspace-name.`);
+}
+const BRANCH_RE = /^[A-Za-z0-9._/-]+$/;
+const TAG_PATTERN_RE = /^[A-Za-z0-9._/*?![\]-]+$/;
+function validateBranch(branch) {
+	if (!BRANCH_RE.test(branch)) throw new Error(`Invalid branch name "${branch}". Only letters, numbers, ".", "_", "/", and "-" are supported here.`);
+}
+function validateTagPattern(pattern) {
+	if (!TAG_PATTERN_RE.test(pattern)) throw new Error(`Invalid tag pattern "${pattern}". Only letters, numbers, ".", "_", "/", "-", and the glob characters "*?![]" are supported.`);
+}
+const ENVIRONMENT_RE = /^[A-Za-z0-9._/-]+$/;
+function validateEnvironment(environment) {
+	if (!ENVIRONMENT_RE.test(environment)) throw new Error(`Invalid environment name "${environment}". Only letters, numbers, ".", "_", "/", and "-" are supported.`);
+}
+const DIR_RE = /^[A-Za-z0-9._/-]+$/;
+function validateDir(dir) {
+	if (!DIR_RE.test(dir)) throw new Error(`Invalid --dir "${dir}". Only letters, numbers, ".", "_", "/", and "-" are supported.`);
+}
+function escapesRoot(rel) {
+	return rel === ".." || rel.startsWith(`..${path.sep}`) || rel.startsWith("../") || path.isAbsolute(rel);
+}
 /**
-* Build the list of GitHub Actions files to generate.
-* @param options - Setup options including workspace config and output directory
-* @returns Array of files with paths and rendered content
+* Resolve the config file path for the given app directory.
+*
+* `--dir` must stay inside the repository: the value is embedded in workflow
+* `paths:` filters and the config under it gets mutated (id injection), so
+* absolute paths and `..` traversal are rejected.
+* @param outputDir - Repository root (cwd)
+* @param dir - App directory relative to the repo root
+* @returns Absolute path to tailor.config.ts
 */
-function buildFiles(options) {
-	const githubDir = path.join(options.outputDir, ".github");
+function resolveConfigPath(outputDir, dir) {
+	const appDir = path.resolve(outputDir, dir);
+	const rel = path.relative(outputDir, appDir);
+	if (path.isAbsolute(dir) || escapesRoot(rel)) throw new Error(`--dir must be a relative path inside the repository (got "${dir}").`);
+	if (fs$1.existsSync(appDir)) {
+		const realAppDir = path.normalize(fs$1.realpathSync(appDir));
+		const realOutputDir = path.normalize(fs$1.realpathSync(outputDir));
+		if (escapesRoot(path.relative(realOutputDir, realAppDir))) throw new Error(`--dir must resolve to a directory inside the repository (got "${dir}", which links outside it).`);
+	}
+	const configPath = path.join(appDir, "tailor.config.ts");
+	if (!fs$1.existsSync(configPath)) throw new Error(`tailor.config.ts not found at ${configPath}. Run this from your SDK project root, or pass the app directory with --dir.`);
+	return configPath;
+}
+/**
+* Resolve all derived values and render the workflow content.
+* @param options - Setup options
+* @returns Resolved target metadata and rendered content
+*/
+async function resolve$1(options) {
+	if (options.tag && !options.plan) throw new Error("--no-plan cannot be combined with --tag (tag targets always run plan before deploy). Drop --no-plan or use a branch target.");
+	const dir = options.dir.replaceAll("\\", "/").replace(/\/{2,}/g, "/").replace(/^\.\//, "").replace(/\/$/, "") || ".";
+	validateDir(dir);
+	const workingDirectory = dir !== "." ? dir : void 0;
+	const configPath = resolveConfigPath(options.outputDir, dir);
+	const loadName = options.loadConfigName ?? defaultLoadConfigName;
+	const workspaceName = options.workspaceName ?? await loadName(configPath);
+	if (!workspaceName) throw new Error("Could not determine the workspace name. Pass --workspace-name, or set 'name' in tailor.config.ts.");
+	validateWorkspaceName(workspaceName);
+	const kind = options.tag ? "tag" : "branch";
 	const packageManager = detectPackageManager(options.outputDir);
-	const workingDirectory = options.dir !== "." ? options.dir : void 0;
-	return [{
-		path: path.join(githubDir, `workflows/tailor-${options.workspaceName}.yml`),
-		content: renderDeploy({
-			workspaceName: options.workspaceName,
-			workspaceRegion: options.workspaceRegion,
-			organizationId: options.organizationId,
-			folderId: options.folderId,
+	const environment = options.environment ?? workspaceName;
+	validateEnvironment(environment);
+	if (kind === "tag") validateTagPattern(options.tagPattern);
+	let branch = null;
+	let render;
+	if (kind === "branch") {
+		branch = options.branch ?? detectDefaultBranch(options.outputDir, options.gitRunner);
+		validateBranch(branch);
+		render = renderBranchWorkflow({
+			workspaceName,
+			branch,
 			workingDirectory,
+			environment,
 			packageManager,
-			withPlan: options.withPlan
-		})
-	}];
+			plan: options.plan
+		});
+	} else {
+		branch = options.branch ?? null;
+		if (branch !== null) validateBranch(branch);
+		render = renderTagWorkflow({
+			workspaceName,
+			tagPattern: options.tagPattern,
+			branch: options.branch,
+			workingDirectory,
+			environment,
+			packageManager
+		});
+	}
+	const file = `.github/workflows/tailor-${workspaceName}.yml`;
+	const inputs = {
+		branch,
+		tagPattern: kind === "tag" ? options.tagPattern : null,
+		environment,
+		dir,
+		packageManager,
+		plan: kind === "branch" ? options.plan : true
+	};
+	return {
+		kind,
+		workspaceName,
+		branch,
+		environment,
+		packageManager,
+		render,
+		inputs,
+		file,
+		configPath
+	};
 }
 /**
-* Write files to disk, skipping any that already exist.
-* @param files - Files to write
-* @returns Result with lists of written and skipped file paths
+* Decide how to reconcile a target with the on-disk file and lock state.
+* @param obj - Decision inputs
+* @param obj.existing - The matching lock target, if any
+* @param obj.fileExists - Whether the workflow file is present on disk
+* @param obj.currentContent - On-disk content when present
+* @param obj.force - Whether --force was passed
+* @returns The reconciliation action
 */
-function writeFiles(files) {
-	const written = [];
-	const skipped = [];
-	for (const file of files) {
-		if (fs$1.existsSync(file.path)) {
-			skipped.push(file.path);
-			continue;
-		}
-		fs$1.mkdirSync(path.dirname(file.path), { recursive: true });
-		fs$1.writeFileSync(file.path, file.content);
-		written.push(file.path);
+function decideAction(obj) {
+	const { existing, fileExists, currentContent, force } = obj;
+	if (!existing) {
+		if (!fileExists) return { action: "create" };
+		if (force) return { action: "regenerate" };
+		return {
+			action: "conflict",
+			reason: "An unmanaged workflow file already exists at this path. Delete it, or pass --force to bring it under SDK management (this overwrites it)."
+		};
 	}
+	if (!fileExists) return { action: "restore" };
+	if (currentContent !== null && hashContent(currentContent) === existing.contentHash) return { action: "regenerate" };
+	if (force) return { action: "regenerate" };
 	return {
-		written,
-		skipped
+		action: "conflict",
+		reason: "This workflow file has been edited by hand since it was generated. Re-run with --force to discard those edits and regenerate, or revert your changes."
 	};
 }
 /**
-* Generate GitHub Actions workflow files and print next steps.
-* @param options - Setup options including workspace config and output directory
+* Guard against two targets of different kinds colliding on the same file path.
+* @param obj - Conflict inputs
+* @param obj.lock - Existing lock file, or null
+* @param obj.kind - Target kind being generated
+* @param obj.workspaceName - Workspace name being generated
+* @param obj.file - Target file path
 */
-function setupGitHub(options) {
-	logBetaWarning("setup github");
-	const result = writeFiles(buildFiles(options));
-	for (const filePath of result.written) {
-		const relativePath = path.relative(options.outputDir, filePath);
-		logger.success(`Generated ${styles.path(relativePath)}`);
-	}
-	for (const filePath of result.skipped) {
-		const relativePath = path.relative(options.outputDir, filePath);
-		logger.warn(`Skipped ${styles.path(relativePath)} (already exists)`);
-	}
+function assertNoKindCollision(obj) {
+	const { lock, kind, workspaceName, file } = obj;
+	const collision = lock?.targets.find((t) => t.file === file && !(t.kind === kind && t.workspaceName === workspaceName));
+	if (collision) throw new Error(`A ${collision.kind} target already owns ${file}, which conflicts with this ${kind} target. Pass a different name with --workspace-name to generate a separate workflow.`);
+}
+/**
+* Print next-step guidance after generating workflow files.
+* @param obj - Output context
+* @param obj.environment - Resolved GitHub Environment name for this target
+* @param obj.idInjected - Whether an app id was injected into the config
+*/
+function printNextSteps(obj) {
+	const { environment, idInjected } = obj;
 	logger.newline();
-	logger.info("Next steps - set GitHub secrets:");
-	logger.log(`  gh secret set PLATFORM_MACHINE_USER_CLIENT_ID`);
-	logger.log(`  gh secret set PLATFORM_MACHINE_USER_CLIENT_SECRET`);
-	if (options.withPlan) {
-		logger.newline();
-		logger.info("For plan job - set GitHub variable with your workspace ID:");
-		logger.log(`  gh variable set TAILOR_PLATFORM_WORKSPACE_ID`);
-	}
+	logger.info("Next steps:");
+	logger.newline();
+	logger.log(`1. Set the machine-user credentials as secrets on the "${environment}" environment:`);
+	logger.log(`   gh secret set TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID --env ${environment}`);
+	logger.log(`   gh secret set TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET --env ${environment}`);
+	logger.newline();
+	logger.log(`2. Provision the workspace and set its id as the TAILOR_PLATFORM_WORKSPACE_ID variable on the "${environment}" environment:`);
+	logger.log("   tailor-sdk workspace create   # if it does not exist yet; copy the id");
+	logger.log(`   gh variable set TAILOR_PLATFORM_WORKSPACE_ID --env ${environment}`);
+	logger.newline();
+	logger.log("3. Commit the generated files:");
+	logger.log("   - .github/workflows/tailor-*.yml");
+	logger.log("   - .github/tailor-sdk.lock");
+	if (idInjected) logger.log("   - tailor.config.ts (app id was added)");
+}
+/**
+* Generate the GitHub Actions workflow for a deploy target and reconcile it
+* with the lock file.
+* @param options - Setup options
+*/
+async function setupGitHub(options) {
+	logBetaWarning("setup github");
+	const resolved = await resolve$1(options);
+	const lock = readLock(options.outputDir);
+	const absFile = path.join(options.outputDir, resolved.file);
+	assertNoKindCollision({
+		lock,
+		kind: resolved.kind,
+		workspaceName: resolved.workspaceName,
+		file: resolved.file
+	});
+	const existing = findTarget(lock, resolved.kind, resolved.workspaceName);
+	const fileExists = fs$1.existsSync(absFile);
+	const decision = decideAction({
+		existing,
+		fileExists,
+		currentContent: fileExists ? fs$1.readFileSync(absFile, "utf-8") : null,
+		force: options.force
+	});
+	if (decision.action === "conflict") throw new Error(`${resolved.file}: ${decision.reason}`);
+	const idResult = await ensureConfigId(resolved.configPath);
+	if (idResult === null) logger.warn("Could not find a defineConfig() call to confirm an app id. The CI deploy will fail unless your config resolves to one with an 'id'.");
+	const idInjected = idResult?.injected ?? false;
+	fs$1.mkdirSync(path.dirname(absFile), { recursive: true });
+	fs$1.writeFileSync(absFile, resolved.render.content, "utf-8");
+	const newTarget = {
+		kind: resolved.kind,
+		workspaceName: resolved.workspaceName,
+		file: resolved.file,
+		templateVersion: 1,
+		inputs: resolved.inputs,
+		generatedIds: resolved.render.generatedIds,
+		ejectedIds: existing?.ejectedIds ?? [],
+		contentHash: hashContent(resolved.render.content)
+	};
+	const targets = [...lock?.targets ?? []];
+	const index = targets.findIndex((t) => t.kind === newTarget.kind && t.workspaceName === newTarget.workspaceName);
+	if (index === -1) targets.push(newTarget);
+	else targets[index] = newTarget;
+	writeLock(options.outputDir, {
+		version: 1,
+		targets
+	});
+	if (decision.action === "restore") logger.success(`Regenerated ${styles.path(resolved.file)} (was missing on disk)`);
+	else if (decision.action === "regenerate") logger.success(`Regenerated ${styles.path(resolved.file)}`);
+	else logger.success(`Generated ${styles.path(resolved.file)}`);
+	printNextSteps({
+		environment: resolved.environment,
+		idInjected
+	});
 }
 
 //#endregion
 //#region src/cli/commands/setup/github/index.ts
 const githubCommand = defineAppCommand({
 	name: "github",
-	description: "Generate GitHub Actions workflow for deployment. (beta)",
+	description: "Generate a GitHub Actions deploy workflow. (beta)",
 	args: z.object({
-		"workspace-name": arg(z.string(), {
+		"workspace-name": arg(z.string().min(1).optional(), {
 			alias: "n",
-			description: "Workspace name"
-		}),
-		"workspace-region": arg(z.string(), {
-			alias: "r",
-			description: "Workspace region"
+			description: "Workspace name (defaults to the config 'name')"
 		}),
-		"organization-id": arg(z.string(), {
-			alias: "o",
-			description: "Organization ID"
-		}),
-		"folder-id": arg(z.string(), {
-			alias: "f",
-			description: "Folder ID"
-		}),
-		dir: arg(z.string().default("."), {
+		branch: arg(z.string().min(1).optional(), { description: "Branch target: deploy trigger branch (defaults to the detected default branch). Tag target: tag-reachability guard branch (no guard when omitted)" }),
+		tag: arg(z.boolean().default(false), { description: "Generate a tag target (deploy on tag push)" }),
+		"tag-pattern": arg(z.string().min(1).optional(), { description: "Tag glob to match (requires --tag; defaults to v*)" }),
+		environment: arg(z.string().min(1).optional(), { description: "GitHub Environment for the plan/deploy jobs (defaults to the workspace name)" }),
+		"no-plan": arg(z.boolean().default(false), { description: "Disable the plan job for a branch target (cannot be combined with --tag)" }),
+		dir: arg(z.string().min(1).default("."), {
 			alias: "d",
 			description: "App directory (for monorepo setups)"
 		}),
-		"with-plan": arg(z.boolean().default(false), {
-			alias: "p",
-			description: "Include plan job for PR previews"
-		})
+		force: arg(z.boolean().default(false), { description: "Discard hand edits / take over unmanaged files and regenerate" })
 	}).strict(),
-	run: (args) => {
-		setupGitHub({
+	run: async (args) => {
+		if (args["tag-pattern"] !== void 0 && !args.tag) throw new Error("--tag-pattern requires --tag.");
+		if (args["no-plan"] && args.tag) throw new Error("--no-plan cannot be combined with --tag.");
+		await setupGitHub({
 			workspaceName: args["workspace-name"],
-			workspaceRegion: args["workspace-region"],
-			organizationId: args["organization-id"],
-			folderId: args["folder-id"],
+			branch: args.branch,
+			tag: args.tag,
+			tagPattern: args["tag-pattern"] ?? "v*",
+			environment: args.environment,
+			plan: !args["no-plan"],
 			dir: args.dir,
-			outputDir: process.cwd(),
-			withPlan: args["with-plan"]
+			force: args.force,
+			outputDir: process.cwd()
 		});
 	}
 });
@@ -3044,10 +3357,7 @@ const deployCommand = defineAppCommand({
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
 		logger.info(`Deploying static website "${args.name}" from directory: ${args.dir}`);
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const name = args.name;
 		const dir = path.resolve(process.cwd(), args.dir);
 		const workspaceId = await loadWorkspaceId({
@@ -3093,10 +3403,7 @@ const domainGetCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -3136,10 +3443,7 @@ const domainListCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -3191,10 +3495,7 @@ const getCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
-		const client = await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		}));
+		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
@@ -3229,10 +3530,7 @@ const getCommand = defineAppCommand({
 * @returns List of static websites
 */
 async function listStaticWebsites(options) {
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: true,
-		profile: options?.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options?.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options?.workspaceId,
 		profile: options?.profile
@@ -3250,7 +3548,7 @@ async function listStaticWebsites(options) {
 		workspaceId,
 		name: site.name,
 		description: site.description,
-		url: site.url ?? "",
+		url: site.url,
 		allowedIpAddresses: site.allowedIpAddresses
 	}));
 }
@@ -3365,7 +3663,7 @@ const CLEAN_ROOM_NOTES = [
 	"It does not copy Liam source code, generated JavaScript/CSS, parser internals, or layout internals."
 ];
 function buildRevision(schema) {
-	return hashContent(JSON.stringify(schema)).slice(0, 16);
+	return hashContent$1(JSON.stringify(schema)).slice(0, 16);
 }
 function toTypeSource(source) {
 	if (!source) return void 0;
@@ -3551,10 +3849,7 @@ function initErdCommand() {
 async function initErdDeployContext(args) {
 	initErdCommand();
 	return {
-		client: await initOperatorClient(await loadAccessToken({
-			useProfile: true,
-			profile: args.profile
-		})),
+		client: await initOperatorClient(await loadAccessToken({ profile: args.profile })),
 		workspaceId: await loadWorkspaceId({
 			workspaceId: args.workspaceId,
 			profile: args.profile
@@ -4153,18 +4448,13 @@ const erdCommand = defineCommand({
 */
 async function script(options) {
 	logBetaWarning("tailordb migration");
-	let migrationNumber;
-	if (isValidMigrationNumber(options.number)) migrationNumber = parseInt(options.number, 10);
-	else if (/^[1-9]\d*$/.test(options.number)) {
-		migrationNumber = parseInt(options.number, 10);
-		if (migrationNumber > 9999) throw new Error(`Migration number ${options.number} is out of range. Expected 1-9999.`);
-	} else throw new Error(`Invalid migration number format: ${options.number}. Expected 4-digit format (e.g., 0001) or integer 1-9999 (e.g., 1).`);
+	const migrationNumber = parseMigrationNumberArg(options.number);
 	if (migrationNumber === 0) throw new Error(`Migration ${options.number} is the initial schema snapshot and cannot have a migration script.`);
 	const { config } = await loadConfig(options.configPath);
 	const namespacesWithMigrations = getNamespacesWithMigrations(config, path.dirname(config.path));
 	if (namespacesWithMigrations.length === 0) throw new Error("No TailorDB services with migrations configuration found");
 	const targetNamespace = resolveTargetNamespace(namespacesWithMigrations, options.namespace);
-	const { migrationsDir } = namespacesWithMigrations.find((ns) => ns.namespace === targetNamespace);
+	const { migrationsDir } = assertDefined(namespacesWithMigrations.find((ns) => ns.namespace === targetNamespace), "namespace with migrations not found");
 	const diffPath = getMigrationFilePath(migrationsDir, migrationNumber, "diff");
 	if (!fs$1.existsSync(diffPath)) throw new Error(`Migration ${options.number} not found in ${migrationsDir}. Expected ${diffPath}.`);
 	const migratePath = getMigrationFilePath(migrationsDir, migrationNumber, "migrate");
@@ -4196,7 +4486,10 @@ function resolveTargetNamespace(namespacesWithMigrations, requested) {
 		if (!namespacesWithMigrations.some((ns) => ns.namespace === requested)) throw new Error(`Namespace "${requested}" not found or does not have migrations configured`);
 		return requested;
 	}
-	if (namespacesWithMigrations.length === 1) return namespacesWithMigrations[0].namespace;
+	if (namespacesWithMigrations.length === 1) {
+		const [ns] = namespacesWithMigrations;
+		return assertDefined(ns, "namespace with migrations missing").namespace;
+	}
 	throw new Error(`Multiple TailorDB services found. Please specify namespace with --namespace flag: ${namespacesWithMigrations.map((ns) => ns.namespace).join(", ")}`);
 }
 const scriptCommand = defineAppCommand({
@@ -4244,12 +4537,11 @@ async function set(options) {
 	if (options.namespace) {
 		if (!namespacesWithMigrations.some((ns) => ns.namespace === options.namespace)) throw new Error(`Namespace "${options.namespace}" not found or does not have migrations configured`);
 		targetNamespace = options.namespace;
-	} else if (namespacesWithMigrations.length === 1) targetNamespace = namespacesWithMigrations[0].namespace;
-	else throw new Error(`Multiple TailorDB services found. Please specify namespace with --namespace flag: ${namespacesWithMigrations.map((ns) => ns.namespace).join(", ")}`);
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: false,
-		profile: options.profile
-	}));
+	} else if (namespacesWithMigrations.length === 1) {
+		const [ns] = namespacesWithMigrations;
+		targetNamespace = assertDefined(ns, "namespace with migrations missing").namespace;
+	} else throw new Error(`Multiple TailorDB services found. Please specify namespace with --namespace flag: ${namespacesWithMigrations.map((ns) => ns.namespace).join(", ")}`);
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const trn = resourceTrn(await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -4257,7 +4549,7 @@ async function set(options) {
 	let currentMigration;
 	try {
 		const { metadata } = await client.getMetadata({ trn });
-		const label = metadata?.labels?.["sdk-migration"];
+		const label = metadata?.labels["sdk-migration"];
 		currentMigration = label ? parseMigrationLabelNumber(label) ?? 0 : 0;
 	} catch {
 		currentMigration = 0;
@@ -4332,10 +4624,7 @@ async function collectMigrationStatuses(options) {
 	if (namespacesWithMigrations.length === 0) throw new Error("No TailorDB services with migrations configuration found");
 	const targetNamespaces = options.namespace ? namespacesWithMigrations.filter((ns) => ns.namespace === options.namespace) : namespacesWithMigrations;
 	if (targetNamespaces.length === 0) throw new Error(`Namespace "${options.namespace}" not found or does not have migrations configured`);
-	const client = await initOperatorClient(await loadAccessToken({
-		useProfile: false,
-		profile: options.profile
-	}));
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
 		profile: options.profile
@@ -4346,7 +4635,7 @@ async function collectMigrationStatuses(options) {
 		let currentMigration;
 		try {
 			const { metadata } = await client.getMetadata({ trn });
-			const label = metadata?.labels?.["sdk-migration"];
+			const label = metadata?.labels["sdk-migration"];
 			currentMigration = label ? parseMigrationLabelNumber(label) ?? 0 : 0;
 		} catch {
 			currentMigration = 0;
@@ -4419,6 +4708,295 @@ const statusCommand = defineAppCommand({
 	}
 });
 
+//#endregion
+//#region src/cli/commands/tailordb/migrate/sync.ts
+async function fetchRemoteGqlPermissions(client, workspaceId, namespace) {
+	return fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			const { permissions, nextPageToken } = await client.listTailorDBGQLPermissions({
+				workspaceId,
+				namespaceName: namespace,
+				pageToken,
+				pageSize: maxPageSize
+			});
+			return [permissions, nextPageToken];
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+}
+async function fetchRemoteTypes(client, workspaceId, namespace) {
+	return fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			const { tailordbTypes, nextPageToken } = await client.listTailorDBTypes({
+				workspaceId,
+				namespaceName: namespace,
+				pageToken,
+				pageSize: maxPageSize
+			});
+			return [tailordbTypes, nextPageToken];
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) throw new Error(`Cannot sync: TailorDB namespace "${namespace}" has not been deployed yet.`, { cause: error });
+			throw error;
+		}
+	});
+}
+/**
+* Verify that replaying the full migration history reproduces the current
+* local type definitions, before anything is sent to the remote.
+*
+* Sync force-applies a snapshot reconstructed from the migration history, so
+* the history itself must be trustworthy. When the reconstruction at the
+* latest migration does not match the schema defined in the local type files,
+* either the migration files were edited incorrectly or a schema change has
+* not been recorded as a migration yet — and overwriting the remote with an
+* unverified snapshot could destroy data. Fails before any RPC is issued.
+*
+* Returns the manifest generation options deploy would use for this
+* namespace (executor-driven publishRecordEvents and namespace
+* gqlOperations), so the synced manifests match what deploy produces.
+* @param loaded - Result of `loadConfig` (config and plugins)
+* @param target - Namespace whose migration history is being synced
+* @returns Options for `generateAllTypeManifestsFromSnapshot`
+*/
+async function assertMigrationsReproduceLocalTypes(loaded, target) {
+	const { config, plugins } = loaded;
+	const pluginManager = plugins.length > 0 ? new PluginManager(plugins) : void 0;
+	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-DSXntqnV.mjs");
+	const application = defineApplication({
+		config,
+		pluginManager
+	});
+	const tailordbService = application.tailorDBServices.find((s) => s.namespace === target.namespace);
+	if (!tailordbService) throw new Error(`No TailorDB service found for namespace "${target.namespace}"`);
+	for (const service of application.tailorDBServices) {
+		await service.loadTypes();
+		await service.processNamespacePlugins();
+	}
+	const pluginExecutorFiles = generatePluginFilesIfNeeded(pluginManager, application.tailorDBServices, config.path);
+	const executorService = application.executorService ?? (pluginExecutorFiles.length > 0 ? (await import("../service-BHQIerYh.mjs")).createExecutorService({ config: { files: [] } }) : void 0);
+	await executorService?.loadExecutors();
+	if (pluginExecutorFiles.length > 0) await executorService?.loadPluginExecutorFiles([...pluginExecutorFiles]);
+	const executorUsedTypes = /* @__PURE__ */ new Set();
+	for (const executor of Object.values(executorService?.executors ?? {})) if (executor.trigger.kind === "tailordb") executorUsedTypes.add(executor.trigger.typeName);
+	const manifestOptions = {
+		executorUsedTypes,
+		namespaceGqlOperations: tailordbService.config.gqlOperations
+	};
+	const latestSnapshot = reconstructSnapshotFromMigrations(target.migrationsDir);
+	if (!latestSnapshot) return manifestOptions;
+	const diff = compareLocalTypesWithSnapshot(latestSnapshot, createSnapshotFromLocalTypes(tailordbService.types, target.namespace).types, target.namespace);
+	if (!hasChanges(diff)) return manifestOptions;
+	logger.error(`Migration history does not reproduce the current local schema for namespace ${styles.bold(target.namespace)}:`);
+	logger.log(formatMigrationDiff(diff));
+	logger.newline();
+	logger.info("This usually means one of the following:");
+	logger.info("  - Migration files were edited and replaying them no longer matches the type definitions — fix the migration files.", { mode: "plain" });
+	logger.info("  - Type definitions changed without a new migration — run 'tailor-sdk tailordb migration generate' first.", { mode: "plain" });
+	logger.newline();
+	throw new Error("Refusing to sync: the migration history must reproduce the current local schema before it can be applied to the remote.");
+}
+/**
+* Fetch the namespace's metadata labels and current migration number.
+*
+* Only GetMetadata NotFound is treated as "metadata does not exist yet".
+* Any other failure aborts the sync (which has not mutated anything at this
+* point): the fetched labels are written back verbatim at the end, so
+* proceeding with empty labels after a transient error would wipe the
+* namespace's existing metadata.
+* @param client - Operator client
+* @param trn - Namespace TRN
+* @returns Existing labels and the parsed current migration number
+*/
+async function fetchRemoteMigrationState(client, trn) {
+	try {
+		const { metadata } = await client.getMetadata({ trn });
+		const labels = metadata?.labels ?? {};
+		const label = labels[MIGRATION_LABEL_KEY];
+		return {
+			labels,
+			current: label ? parseMigrationLabelNumber(label) : null
+		};
+	} catch (error) {
+		if (error instanceof ConnectError && error.code === Code.NotFound) return {
+			labels: {},
+			current: null
+		};
+		throw error;
+	}
+}
+function selectTargetNamespace(namespacesWithMigrations, requested) {
+	if (namespacesWithMigrations.length === 0) throw new Error("No TailorDB services with migrations configuration found");
+	if (requested) {
+		const found = namespacesWithMigrations.find((ns) => ns.namespace === requested);
+		if (!found) throw new Error(`Namespace "${requested}" not found or does not have migrations configured`);
+		return found;
+	}
+	if (namespacesWithMigrations.length > 1) throw new Error(`Multiple TailorDB services found. Please specify namespace with --namespace flag: ${namespacesWithMigrations.map((ns) => ns.namespace).join(", ")}`);
+	return assertDefined(namespacesWithMigrations[0], "namespace with migrations missing");
+}
+/**
+* Sync remote TailorDB schema to a specific migration snapshot.
+*
+* Reconstructs the schema state at `<number>` from `0000/schema.json` + diffs,
+* then issues create/update/delete RPCs so the remote matches that snapshot.
+* Updates the migration label to `<number>` on success. Before any remote
+* mutation, verifies that the migration history reproduces the current local
+* type definitions (see {@link assertMigrationsReproduceLocalTypes}).
+*
+* Intended for recovering from drift introduced by `deploy --no-schema-check`
+* runs against an older revision: instead of having to `git checkout` that
+* revision and re-deploy, the operator can sync the remote back to a known
+* snapshot version directly.
+* @param options - Command options
+*/
+async function sync(options) {
+	logBetaWarning("tailordb migration");
+	const targetVersion = parseMigrationNumberArg(options.number);
+	const loaded = await loadConfig(options.configPath);
+	const { config } = loaded;
+	const target = selectTargetNamespace(getNamespacesWithMigrations(config, path.dirname(config.path)), options.namespace);
+	assertValidMigrationFiles(target.migrationsDir, target.namespace);
+	const latest = getLatestMigrationNumber(target.migrationsDir);
+	if (targetVersion > latest) throw new Error(`Migration ${formatMigrationNumber(targetVersion)} does not exist in working tree (latest is ${formatMigrationNumber(latest)}).`);
+	const snapshot = reconstructSnapshotFromMigrations(target.migrationsDir, targetVersion);
+	if (!snapshot) throw new Error(`No initial schema snapshot found in ${target.migrationsDir}. Expected 0000/schema.json.`);
+	const manifestOptions = await assertMigrationsReproduceLocalTypes(loaded, target);
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
+	const workspaceId = await loadWorkspaceId({
+		workspaceId: options.workspaceId,
+		profile: options.profile
+	});
+	const trn = resourceTrn(workspaceId, "tailordb", target.namespace);
+	const remoteState = await fetchRemoteMigrationState(client, trn);
+	const remoteTypes = await fetchRemoteTypes(client, workspaceId, target.namespace);
+	const { creates, updates, deletes } = compareSnapshotWithRemote(snapshot, new Set(remoteTypes.map((t) => t.name)));
+	const remoteGqlPermissions = await fetchRemoteGqlPermissions(client, workspaceId, target.namespace);
+	const remoteGqlPermissionTypes = new Set(remoteGqlPermissions.map((p) => p.typeName));
+	const desiredGqlPermissions = Object.entries(snapshot.types).flatMap(([typeName, snapshotType]) => snapshotType.permissions?.gql ? [{
+		typeName,
+		permission: protoGqlPermission(snapshotType.permissions.gql)
+	}] : []);
+	const desiredGqlPermissionTypes = new Set(desiredGqlPermissions.map((p) => p.typeName));
+	const gqlPermissionDeletes = remoteGqlPermissions.filter((p) => !desiredGqlPermissionTypes.has(p.typeName));
+	const current = remoteState.current;
+	logger.newline();
+	logger.info(`Namespace: ${styles.bold(target.namespace)}`);
+	logger.log(`  Current migration: ${current === null ? "<unset>" : styles.bold(formatMigrationNumber(current))}`);
+	logger.log(`  Target migration: ${styles.bold(formatMigrationNumber(targetVersion))}`);
+	logger.log(`  Types to create: ${styles.bold(String(creates.length))}`);
+	logger.log(`  Types to update: ${styles.bold(String(updates.length))}`);
+	logger.log(`  Types to delete: ${styles.bold(String(deletes.length))}`);
+	logger.log(`  GQL permissions to set: ${styles.bold(String(desiredGqlPermissions.length))}`);
+	logger.log(`  GQL permissions to delete: ${styles.bold(String(gqlPermissionDeletes.length))}`);
+	logger.newline();
+	if (creates.length + updates.length + deletes.length + desiredGqlPermissions.length + gqlPermissionDeletes.length === 0) logger.info("No types to apply; only the migration label will be updated.");
+	else {
+		logger.warn("This operation will overwrite remote TailorDB types to match the selected snapshot.");
+		if (deletes.length > 0) logger.warn("Existing data in deleted types will be lost.");
+		logger.newline();
+	}
+	logger.warn("Sync never runs migrate.ts scripts; it only applies the schema snapshot and moves the migration label.");
+	logger.newline();
+	if (current !== null && targetVersion < current) {
+		logger.warn(`Migrations ${formatMigrationNumber(targetVersion + 1)}–${formatMigrationNumber(current)} will become pending again and re-execute on the next deploy, including their migrate.ts scripts. Make sure those scripts are idempotent (safe to re-run).`);
+		logger.newline();
+	} else if (current !== null && targetVersion > current) {
+		logger.warn(`Moving the migration label forwards (${formatMigrationNumber(current)} → ${formatMigrationNumber(targetVersion)}): migrate.ts scripts for migrations ${formatMigrationNumber(current + 1)}–${formatMigrationNumber(targetVersion)} will not run on the next deploy.`);
+		logger.newline();
+	}
+	if (!options.yes) {
+		if (!await prompt.confirm({
+			message: `Continue and set migration label to ${formatMigrationNumber(targetVersion)}?`,
+			default: false
+		})) {
+			logger.info("Operation cancelled.");
+			return;
+		}
+		logger.newline();
+	}
+	const manifests = generateAllTypeManifestsFromSnapshot(snapshot, manifestOptions);
+	const manifestFor = (typeName) => {
+		const manifest = manifests.get(typeName);
+		if (!manifest) throw new Error(`Internal error: no manifest generated for type "${typeName}". No changes were applied.`);
+		return manifest;
+	};
+	const createManifests = creates.map((typeName) => manifestFor(typeName));
+	const updateManifests = updates.map((typeName) => manifestFor(typeName));
+	try {
+		await Promise.all([...createManifests.map((tailordbType) => client.createTailorDBType({
+			workspaceId,
+			namespaceName: target.namespace,
+			tailordbType
+		})), ...updateManifests.map((tailordbType) => client.updateTailorDBType({
+			workspaceId,
+			namespaceName: target.namespace,
+			tailordbType
+		}))]);
+	} catch (error) {
+		handleOptionalToRequiredError(error, ["The target snapshot marks a field as required, but existing remote records have no value for it.", "Populate those records first (e.g. with a migration script applied via 'tailor-sdk deploy'), then re-run the sync."]);
+	}
+	await Promise.all(desiredGqlPermissions.map(({ typeName, permission }) => {
+		const request = {
+			workspaceId,
+			namespaceName: target.namespace,
+			typeName,
+			permission
+		};
+		return remoteGqlPermissionTypes.has(typeName) ? client.updateTailorDBGQLPermission(request) : client.createTailorDBGQLPermission(request);
+	}));
+	await Promise.all(gqlPermissionDeletes.map((p) => client.deleteTailorDBGQLPermission({
+		workspaceId,
+		namespaceName: target.namespace,
+		typeName: p.typeName
+	})));
+	await Promise.all(deletes.map((typeName) => client.deleteTailorDBType({
+		workspaceId,
+		namespaceName: target.namespace,
+		tailordbTypeName: typeName
+	})));
+	await client.setMetadata({
+		trn,
+		labels: {
+			...remoteState.labels,
+			[MIGRATION_LABEL_KEY]: `${"m"}${formatMigrationNumber(targetVersion)}`
+		}
+	});
+	logger.success(`Synced namespace ${styles.bold(target.namespace)} to migration ${styles.bold(formatMigrationNumber(targetVersion))}.`);
+	if (targetVersion < latest) {
+		logger.newline();
+		logger.info(`Run 'tailor-sdk deploy' to apply migrations ${formatMigrationNumber(targetVersion + 1)}–${formatMigrationNumber(latest)} from the working tree.`);
+	}
+}
+const syncCommand = defineAppCommand({
+	name: "sync",
+	description: "Sync remote TailorDB schema to a specific migration snapshot (recovery from --no-schema-check drift).",
+	args: z.object({
+		...deploymentArgs,
+		...confirmationArgs,
+		number: arg(z.string(), {
+			positional: true,
+			description: "Migration number to sync to (e.g., 0001 or 1; 0 targets the baseline snapshot)"
+		}),
+		namespace: arg(z.string().optional(), {
+			alias: "n",
+			description: "Target TailorDB namespace (required if multiple namespaces exist)"
+		})
+	}).strict(),
+	run: async (args) => {
+		await assertWritable({ profile: args.profile });
+		await sync({
+			configPath: args.config,
+			number: args.number,
+			namespace: args.namespace,
+			yes: args.yes,
+			workspaceId: args["workspace-id"],
+			profile: args.profile
+		});
+	}
+});
+
 //#endregion
 //#region src/cli/commands/tailordb/migrate/index.ts
 /**
@@ -4429,6 +5007,7 @@ const statusCommand = defineAppCommand({
 * - script:   Add a migrate.ts template to an existing migration
 * - set:      Set migration checkpoint to a specific number
 * - status:   Show migration status for TailorDB namespaces
+* - sync:     Sync remote TailorDB schema to a specific migration snapshot
 */
 const migrationCommand = defineCommand({
 	name: "migration",
@@ -4437,7 +5016,8 @@ const migrationCommand = defineCommand({
 		generate: generateCommand$1,
 		script: scriptCommand,
 		set: setCommand,
-		status: statusCommand
+		status: statusCommand,
+		sync: syncCommand
 	}
 });
 
@@ -4472,7 +5052,7 @@ const upgradeCommand = defineAppCommand({
 	run: async (args) => {
 		const { initTelemetry } = await import("../telemetry-w92bvGdC.mjs");
 		await initTelemetry();
-		const { upgrade } = await import("../service-aPT0fx3y.mjs");
+		const { upgrade } = await import("../service-DMohAx8a2.mjs");
 		await upgrade({
 			from: args.from,
 			dryRun: args["dry-run"],
@@ -4898,7 +5478,7 @@ runMain(mainCommand, {
 				if (isVerbose() && error.stack) logger.debug(`\nStack trace:\n${error.stack}`);
 			} else logger.error(`Unknown error: ${error}`);
 			if (!isCLIError(error) && (!(error instanceof Error) || error instanceof TypeError || error instanceof RangeError)) {
-				const { reportCrash } = await import("../crashreport-lnVTnbB5.mjs");
+				const { reportCrash } = await import("../crashreport-D1wKBJ8N.mjs");
 				await reportCrash(error, "handledError");
 			}
 		}