npm - @tailor-platform/sdk - Versions diffs - 1.62.0 → 1.63.0 - Mend

@tailor-platform/sdk 1.62.0 → 1.63.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +29 -0
package/dist/cli/index.mjs +445 -105
package/dist/cli/index.mjs.map +1 -1
package/dist/cli/lib.mjs +1 -1
package/dist/{runtime-C6o4hiYq.mjs → runtime-CW3jcQCc.mjs} +75 -4
package/dist/runtime-CW3jcQCc.mjs.map +1 -0
package/docs/cli/setup.md +18 -12
package/docs/cli-reference.md +3 -3
package/docs/github-actions.md +337 -0
package/package.json +3 -3
package/dist/runtime-C6o4hiYq.mjs.map +0 -1

package/dist/cli/index.mjs CHANGED Viewed

@@ -3,8 +3,8 @@
 import { Et as AuthInvokerSchema, L as CustomDomainStatus, Nt as PATScope, Q as FunctionExecution_Type, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-CobIRHl-.mjs";
 import { t as assertDefined } from "../assert-CKfwrmCV.mjs";
 import { n as logger, r as styles } from "../logger-DpJyJvNz.mjs";
-import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as configArg, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as generateUserTypes, Dn as assertWritable, Dt as jobsCommand, E as resumeCommand, F as writeDbTypesFile, Fn as paginationArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as toPageDirection, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as workspaceArgs, Lt as functionExecutionStatusToString, Mn as deploymentArgs, Mt as getCommand$6, N as generateCommand$1, Nn as isVerbose, O as listCommand$12, On as defineAppCommand, P as generateMigrationScript, Pn as pagedLogArgs, Pt as executionsCommand, Rt as formatKeyValueTable, Sn as PluginManager, St as triggerCommand, T as healthCommand, Tn as apiCommand, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as resourceTrn, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as confirmationArgs, kn as commonArgs, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as prompt, wt as listCommand$6, xn as sdkNameLabelKey, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-C6o4hiYq.mjs";
-import { A as resolveTokens, C as loadConfig, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, T as fetchLatestToken, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, b as getDistDir, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as saveUserTokens, k as readPlatformConfig, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, w as deleteUserTokens, x as hashContent } from "../application-BezXGbrU.mjs";
+import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as commonArgs, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as PluginManager, Dt as jobsCommand, E as resumeCommand, En as apiCommand, F as writeDbTypesFile, Fn as pagedLogArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as paginationArgs, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as toPageDirection, Lt as functionExecutionStatusToString, Mn as confirmationArgs, Mt as getCommand$6, N as generateCommand$1, Nn as deploymentArgs, O as listCommand$12, On as assertWritable, P as generateMigrationScript, Pn as isVerbose, Pt as executionsCommand, Rn as workspaceArgs, Rt as formatKeyValueTable, Sn as sdkNameLabelKey, St as triggerCommand, T as healthCommand, Tn as prompt, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as ensureConfigId, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as configArg, kn as defineAppCommand, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as generateUserTypes, wt as listCommand$6, xn as resourceTrn, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-CW3jcQCc.mjs";
+import { A as resolveTokens, C as loadConfig, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, T as fetchLatestToken, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, b as getDistDir, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as saveUserTokens, k as readPlatformConfig, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, w as deleteUserTokens, x as hashContent$1 } from "../application-BezXGbrU.mjs";
 import { n as ExecutorSchema } from "../service-wI3Hvrgx.mjs";
 import { t as multiline } from "../multiline-Cf9ODpr1.mjs";
 import { r as isPluginGeneratedType } from "../seed-BH2FbrPV.mjs";
@@ -24,6 +24,7 @@ import { generateCodeVerifier } from "@badgateway/oauth2-client";
 import { Code, ConnectError } from "@connectrpc/connect";
 import { resolvePackageJSON, resolveTSConfig } from "pkg-types";
 import * as crypto from "node:crypto";
+import { createHash } from "node:crypto";
 import * as http from "node:http";
 import open from "open";
 import * as rolldown from "rolldown";
@@ -2564,33 +2565,159 @@ const secretCommand = defineCommand({
 });
 //#endregion
-//#region src/cli/commands/setup/github/deploy.workflow.yml
-var deploy_workflow_default = "name: Tailor Platform\n\non:\n  pull_request:\n    branches:\n      - main\n  push:\n    branches:\n      - main\n  workflow_dispatch:\n\nconcurrency:\n  group: tailor-__WORKSPACE_NAME__-${{ github.head_ref || github.ref }}\n  cancel-in-progress: ${{ github.event_name == 'pull_request' }}\n\njobs:\n  # __PLAN_JOB_START__\n  plan:\n    if: github.event_name == 'pull_request'\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      # __SETUP_STEPS__\n      - uses: tailor-platform/actions/plan@e63ed98630a23fa21ee0636abf0f7fb75fcdce40 # v1.1.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  deploy:\n    if: github.event_name != 'pull_request'\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    steps:\n      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - uses: tailor-platform/actions/deploy@e63ed98630a23fa21ee0636abf0f7fb75fcdce40 # v1.1.0\n        with:\n          workspace-name: __WORKSPACE_NAME__\n          workspace-region: __WORKSPACE_REGION__\n          organization-id: __ORGANIZATION_ID__\n          folder-id: __FOLDER_ID__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+//#region src/cli/commands/setup/github/git.ts
+const defaultGitRunner = (args, cwd) => {
+	const result = spawnSync("git", args, {
+		cwd,
+		encoding: "utf-8"
+	});
+	if (result.status !== 0 || typeof result.stdout !== "string") return null;
+	return result.stdout.trim();
+};
+/**
+* Detect the remote default branch by reading `refs/remotes/origin/HEAD`.
+*
+* Throws an AI-first error (with a remediation hint) when the symbolic ref is
+* not set, so the caller can surface a clear next step instead of a silent
+* fallback.
+* @param cwd - Repository directory to inspect
+* @param run - Git runner, injectable for testing
+* @returns The default branch name (e.g. `main`)
+*/
+function detectDefaultBranch(cwd, run = defaultGitRunner) {
+	const ref = run([
+		"symbolic-ref",
+		"--short",
+		"refs/remotes/origin/HEAD"
+	], cwd);
+	const branch = ref?.startsWith("origin/") ? ref.slice(7) : ref;
+	if (!branch) throw new Error("Could not detect the default branch from git. Pass --branch <name>, or run 'git remote set-head origin --auto' to record it.");
+	return branch;
+}
+//#endregion
+//#region src/cli/commands/setup/github/lock.ts
+/** Current lock schema version. Bumped only on breaking lock-format changes. */
+const LOCK_VERSION = 1;
+/** Lock file path, relative to the repository root. */
+const LOCK_FILENAME = ".github/tailor-sdk.lock";
+/**
+* Compute the lock content hash for a rendered workflow file.
+* @param content - File content to hash
+* @returns `sha256:<hex>` digest string
+*/
+function hashContent(content) {
+	return `sha256:${createHash("sha256").update(content, "utf-8").digest("hex")}`;
+}
+/**
+* Resolve the absolute lock file path for an output directory.
+* @param outputDir - Repository root where `.github` lives
+* @returns Absolute path to the lock file
+*/
+function lockPath(outputDir) {
+	return path.join(outputDir, LOCK_FILENAME);
+}
+/**
+* Read and validate the lock file from disk.
+*
+* Returns null when no lock exists. Throws when the lock was written by a
+* newer SDK (forward-compatibility guard).
+* @param outputDir - Repository root where `.github` lives
+* @returns Parsed lock file, or null when absent
+*/
+function readLock(outputDir) {
+	const file = lockPath(outputDir);
+	if (!fs$1.existsSync(file)) return null;
+	let parsed;
+	try {
+		parsed = JSON.parse(fs$1.readFileSync(file, "utf-8"));
+	} catch (cause) {
+		throw new Error(`${LOCK_FILENAME} is not valid JSON. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`, { cause });
+	}
+	if (typeof parsed.version !== "number") throw new Error(`${LOCK_FILENAME} has no valid 'version' field. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`);
+	if (parsed.version > 1) throw new Error(`${LOCK_FILENAME} was written by a newer SDK (lock version ${String(parsed.version)}). Update @tailor-platform/sdk to continue (e.g. pnpm update @tailor-platform/sdk).`);
+	if (!Array.isArray(parsed.targets)) throw new Error(`${LOCK_FILENAME} has no valid 'targets' array. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`);
+	return parsed;
+}
+/**
+* Write the lock file to disk (2-space JSON, trailing newline).
+* @param outputDir - Repository root where `.github` lives
+* @param lock - Lock file contents to serialize
+*/
+function writeLock(outputDir, lock) {
+	const file = lockPath(outputDir);
+	fs$1.mkdirSync(path.dirname(file), { recursive: true });
+	fs$1.writeFileSync(file, `${JSON.stringify(lock, null, 2)}\n`, "utf-8");
+}
+/**
+* Find a lock target by identity. Targets are identified by (kind,
+* workspaceName); the full trigger/path cross-check is deferred to P2.
+* @param lock - Lock file to search, or null
+* @param kind - Target kind
+* @param workspaceName - Workspace name
+* @returns Matching target, or undefined
+*/
+function findTarget(lock, kind, workspaceName) {
+	return lock?.targets.find((t) => t.kind === kind && t.workspaceName === workspaceName);
+}
+//#endregion
+//#region src/cli/commands/setup/github/branch.workflow.yml
+var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 //#endregion
 //#region src/cli/commands/setup/github/setup-bun.yml
-var setup_bun_default = "- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- run: bun install --frozen-lockfile\n";
+var setup_bun_default = "- id: tailor-setup-bun\n  uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- id: tailor-install\n  run: bun install --frozen-lockfile\n";
 //#endregion
 //#region src/cli/commands/setup/github/setup-npm.yml
-var setup_npm_default = "- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- run: npm ci\n";
+var setup_npm_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- id: tailor-install\n  run: npm ci\n";
 //#endregion
 //#region src/cli/commands/setup/github/setup-pnpm.yml
-var setup_pnpm_default = "- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- run: pnpm install --frozen-lockfile\n";
+var setup_pnpm_default = "- id: tailor-setup-pnpm\n  uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- id: tailor-install\n  run: pnpm install --frozen-lockfile\n";
 //#endregion
 //#region src/cli/commands/setup/github/setup-yarn.yml
-var setup_yarn_default = "- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- run: yarn install --frozen-lockfile\n";
+var setup_yarn_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- id: tailor-install\n  run: yarn install --frozen-lockfile\n";
 //#endregion
-//#region src/cli/commands/setup/github/template-deploy.ts
+//#region src/cli/commands/setup/github/tag.workflow.yml
+var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        env:\n          TARGET_BRANCH: \"__BRANCH__\"\n        run: |\n          git fetch origin \"$TARGET_BRANCH\"\n          if git merge-base --is-ancestor \"$GITHUB_SHA\" \"origin/$TARGET_BRANCH\"; then\n            echo \"on-branch=true\" >> \"$GITHUB_OUTPUT\"\n          else\n            # A tag outside the target branch is not an error — just skip.\n            echo \"on-branch=false\" >> \"$GITHUB_OUTPUT\"\n            echo \"::notice::Tag $GITHUB_REF_NAME is not reachable from $TARGET_BRANCH; skipping deploy.\"\n          fi\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+//#endregion
+//#region src/cli/commands/setup/github/templates.ts
+const setupStepIds = {
+	pnpm: [
+		"tailor-setup-pnpm",
+		"tailor-setup-node",
+		"tailor-install"
+	],
+	yarn: ["tailor-setup-node", "tailor-install"],
+	npm: ["tailor-setup-node", "tailor-install"],
+	bun: ["tailor-setup-bun", "tailor-install"]
+};
 const setupSteps = {
 	pnpm: setup_pnpm_default,
 	yarn: setup_yarn_default,
 	npm: setup_npm_default,
 	bun: setup_bun_default
 };
+const execPrefix = {
+	npm: "npx",
+	pnpm: "pnpm exec",
+	yarn: "yarn",
+	bun: "bunx"
+};
+const HEADER = `# Generated by \`tailor-sdk setup github\` — managed by the Tailor SDK.
+#
+# - Jobs and steps whose id starts with \`tailor-\` are managed by the SDK.
+#   Do not edit or rename them.
+# - State is tracked in .github/tailor-sdk.lock (machine-owned: commit it, never edit it).
+# - Re-running \`tailor-sdk setup github\` regenerates this file. If you have
+#   edited it by hand, regeneration stops and asks for --force (which discards
+#   your edits), so prefer keeping customizations in your own jobs/steps and
+#   re-running setup after SDK updates.`;
 function indentSnippet(snippet, spaces) {
 	const indent = " ".repeat(spaces);
 	return snippet.trimEnd().split("\n").map((line) => line ? indent + line : line).join("\n");
@@ -2607,139 +2734,352 @@ function detectPackageManager(dir) {
 	if (fs$1.existsSync(path.join(dir, "package-lock.json"))) return "npm";
 	return "npm";
 }
+function block(content, name, keep) {
+	if (keep) return content.replace(new RegExp(`^ *# __${name}_(?:START|END)__\\n`, "gm"), "");
+	return content.replace(new RegExp(`^ *# __${name}_START__\\n[\\s\\S]*?^ *# __${name}_END__\\n`, "m"), "");
+}
+function line(content, name, replacement) {
+	const re = new RegExp(`^([ \\t]*)# __${name}__\\n`, "gm");
+	return content.replace(re, (_match, indent) => {
+		if (replacement === void 0) return "";
+		return replacement.split("\n").map((l) => l ? indent + l : l).join("\n") + "\n";
+	});
+}
+function applyCommon(content, params) {
+	const { workingDirectory, environment, packageManager } = params;
+	let out = line(content, "HEADER", HEADER);
+	out = line(out, "WORKING_DIRECTORY", workingDirectory ? `working-directory: ${workingDirectory}` : void 0);
+	out = out.replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
+	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PM_EXEC__", () => execPrefix[packageManager]);
+}
+function setupIds(job, packageManager) {
+	return setupStepIds[packageManager].map((id) => `${job}/${id}`);
+}
 /**
-* Render the deploy workflow YAML.
+* Render the branch-target deploy workflow.
 *
-* Generates a workflow that calls the composite deploy action
-* from tailor-platform/actions. The environment setup steps (Node.js,
-* package manager, dependency install) are generated based on the
-* detected package manager.
+* When `plan` is false the plan job, the pull_request trigger, and the
+* workflow_dispatch dry-run input are all removed (a plan-less workflow has no
+* meaningful dry-run), and the deploy job runs unconditionally.
+* @param params - Workspace and rendering configuration
+* @returns Rendered YAML and the list of managed job/step ids
+*/
+function renderBranchWorkflow(params) {
+	const { branch, plan, packageManager } = params;
+	let out = branch_workflow_default;
+	out = block(out, "PLAN_JOB", plan);
+	out = block(out, "PULL_REQUEST", plan);
+	out = block(out, "DISPATCH_INPUTS", plan);
+	out = line(out, "DEPLOY_IF", plan ? `if: >-\n  github.event_name == 'push' ||\n  (github.event_name == 'workflow_dispatch' && !inputs['dry-run'])` : void 0);
+	out = line(out, "PATHS", params.workingDirectory ? `paths: ["${params.workingDirectory}/**"]` : void 0);
+	out = applyCommon(out, params).replaceAll("__BRANCH__", () => branch);
+	const generatedIds = [];
+	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
+	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	return {
+		content: out,
+		generatedIds
+	};
+}
+/**
+* Render the tag-target deploy workflow.
 *
-* If withPlan is true, also includes a plan job that runs on pull requests.
-* Otherwise, the plan job section delimited by __PLAN_JOB_START__ /
-* __PLAN_JOB_END__ markers is stripped from the template.
-* @param params - Workspace and deployment configuration
-* @returns Workflow YAML content
+* When `branch` is set, a tag-reachability guard job is generated and the plan
+* job gates on it; otherwise no guard is emitted and tags deploy unconditionally.
+* @param params - Workspace and rendering configuration
+* @returns Rendered YAML and the list of managed job/step ids
 */
-function renderDeploy(params) {
-	const { workspaceName, workspaceRegion, organizationId, folderId, workingDirectory, packageManager, withPlan } = params;
-	const workingDirectoryLine = workingDirectory ? `          working-directory: ${workingDirectory}\n` : "";
-	const stripPlanSection = (content) => withPlan ? content.replace(/^ *# __PLAN_JOB_(?:START|END)__\n/gm, "") : content.replace(/^ *# __PLAN_JOB_START__\n[\s\S]*?^ *# __PLAN_JOB_END__\n/m, "");
-	return stripPlanSection(deploy_workflow_default).replaceAll("__WORKSPACE_NAME__", () => workspaceName).replaceAll("__WORKSPACE_REGION__", () => workspaceRegion).replaceAll("__ORGANIZATION_ID__", () => organizationId).replaceAll("__FOLDER_ID__", () => folderId).replace(/ *# __WORKING_DIRECTORY__\n/g, () => workingDirectoryLine).replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
+function renderTagWorkflow(params) {
+	const { tagPattern, branch, packageManager } = params;
+	const hasGuard = branch !== void 0;
+	let out = tag_workflow_default;
+	out = block(out, "TAG_GUARD_JOB", hasGuard);
+	out = line(out, "PLAN_NEEDS", hasGuard ? "needs: tailor-tag-guard" : void 0);
+	out = line(out, "PLAN_IF", hasGuard ? `if: >-\n  github.event_name == 'workflow_dispatch' ||\n  needs.tailor-tag-guard.outputs.on-branch == 'true'` : void 0);
+	out = applyCommon(out, params).replaceAll("__TAG_PATTERN__", () => tagPattern);
+	if (hasGuard) out = out.replaceAll("__BRANCH__", () => branch);
+	const generatedIds = [];
+	if (hasGuard) generatedIds.push("tailor-tag-guard", "tailor-tag-guard/tailor-checkout", "tailor-tag-guard/tailor-tag-guard");
+	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan", "tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	return {
+		content: out,
+		generatedIds
+	};
 }
 //#endregion
 //#region src/cli/commands/setup/github/github.ts
+async function defaultLoadConfigName(configPath) {
+	const { config } = await loadConfig(configPath);
+	return config.name;
+}
+const WORKSPACE_NAME_RE = /^[a-z0-9-]+$/;
+function validateWorkspaceName(name) {
+	if (name.length < 3 || name.length > 63 || !WORKSPACE_NAME_RE.test(name) || name.startsWith("-") || name.endsWith("-")) throw new Error(`Invalid workspace name "${name}". Names must be 3-63 characters of lowercase letters, numbers, and hyphens, and cannot start or end with a hyphen. Pass a valid name with --workspace-name.`);
+}
+const BRANCH_RE = /^[A-Za-z0-9._/-]+$/;
+const TAG_PATTERN_RE = /^[A-Za-z0-9._/*?![\]-]+$/;
+function validateBranch(branch) {
+	if (!BRANCH_RE.test(branch)) throw new Error(`Invalid branch name "${branch}". Only letters, numbers, ".", "_", "/", and "-" are supported here.`);
+}
+function validateTagPattern(pattern) {
+	if (!TAG_PATTERN_RE.test(pattern)) throw new Error(`Invalid tag pattern "${pattern}". Only letters, numbers, ".", "_", "/", "-", and the glob characters "*?![]" are supported.`);
+}
+const ENVIRONMENT_RE = /^[A-Za-z0-9._/-]+$/;
+function validateEnvironment(environment) {
+	if (!ENVIRONMENT_RE.test(environment)) throw new Error(`Invalid environment name "${environment}". Only letters, numbers, ".", "_", "/", and "-" are supported.`);
+}
+const DIR_RE = /^[A-Za-z0-9._/-]+$/;
+function validateDir(dir) {
+	if (!DIR_RE.test(dir)) throw new Error(`Invalid --dir "${dir}". Only letters, numbers, ".", "_", "/", and "-" are supported.`);
+}
+function escapesRoot(rel) {
+	return rel === ".." || rel.startsWith(`..${path.sep}`) || rel.startsWith("../") || path.isAbsolute(rel);
+}
+/**
+* Resolve the config file path for the given app directory.
+*
+* `--dir` must stay inside the repository: the value is embedded in workflow
+* `paths:` filters and the config under it gets mutated (id injection), so
+* absolute paths and `..` traversal are rejected.
+* @param outputDir - Repository root (cwd)
+* @param dir - App directory relative to the repo root
+* @returns Absolute path to tailor.config.ts
+*/
+function resolveConfigPath(outputDir, dir) {
+	const appDir = path.resolve(outputDir, dir);
+	const rel = path.relative(outputDir, appDir);
+	if (path.isAbsolute(dir) || escapesRoot(rel)) throw new Error(`--dir must be a relative path inside the repository (got "${dir}").`);
+	if (fs$1.existsSync(appDir)) {
+		const realAppDir = path.normalize(fs$1.realpathSync(appDir));
+		const realOutputDir = path.normalize(fs$1.realpathSync(outputDir));
+		if (escapesRoot(path.relative(realOutputDir, realAppDir))) throw new Error(`--dir must resolve to a directory inside the repository (got "${dir}", which links outside it).`);
+	}
+	const configPath = path.join(appDir, "tailor.config.ts");
+	if (!fs$1.existsSync(configPath)) throw new Error(`tailor.config.ts not found at ${configPath}. Run this from your SDK project root, or pass the app directory with --dir.`);
+	return configPath;
+}
 /**
-* Build the list of GitHub Actions files to generate.
-* @param options - Setup options including workspace config and output directory
-* @returns Array of files with paths and rendered content
+* Resolve all derived values and render the workflow content.
+* @param options - Setup options
+* @returns Resolved target metadata and rendered content
 */
-function buildFiles(options) {
-	const githubDir = path.join(options.outputDir, ".github");
+async function resolve$1(options) {
+	if (options.tag && !options.plan) throw new Error("--no-plan cannot be combined with --tag (tag targets always run plan before deploy). Drop --no-plan or use a branch target.");
+	const dir = options.dir.replaceAll("\\", "/").replace(/\/{2,}/g, "/").replace(/^\.\//, "").replace(/\/$/, "") || ".";
+	validateDir(dir);
+	const workingDirectory = dir !== "." ? dir : void 0;
+	const configPath = resolveConfigPath(options.outputDir, dir);
+	const loadName = options.loadConfigName ?? defaultLoadConfigName;
+	const workspaceName = options.workspaceName ?? await loadName(configPath);
+	if (!workspaceName) throw new Error("Could not determine the workspace name. Pass --workspace-name, or set 'name' in tailor.config.ts.");
+	validateWorkspaceName(workspaceName);
+	const kind = options.tag ? "tag" : "branch";
 	const packageManager = detectPackageManager(options.outputDir);
-	const workingDirectory = options.dir !== "." ? options.dir : void 0;
-	return [{
-		path: path.join(githubDir, `workflows/tailor-${options.workspaceName}.yml`),
-		content: renderDeploy({
-			workspaceName: options.workspaceName,
-			workspaceRegion: options.workspaceRegion,
-			organizationId: options.organizationId,
-			folderId: options.folderId,
+	const environment = options.environment ?? workspaceName;
+	validateEnvironment(environment);
+	if (kind === "tag") validateTagPattern(options.tagPattern);
+	let branch = null;
+	let render;
+	if (kind === "branch") {
+		branch = options.branch ?? detectDefaultBranch(options.outputDir, options.gitRunner);
+		validateBranch(branch);
+		render = renderBranchWorkflow({
+			workspaceName,
+			branch,
 			workingDirectory,
+			environment,
 			packageManager,
-			withPlan: options.withPlan
-		})
-	}];
+			plan: options.plan
+		});
+	} else {
+		branch = options.branch ?? null;
+		if (branch !== null) validateBranch(branch);
+		render = renderTagWorkflow({
+			workspaceName,
+			tagPattern: options.tagPattern,
+			branch: options.branch,
+			workingDirectory,
+			environment,
+			packageManager
+		});
+	}
+	const file = `.github/workflows/tailor-${workspaceName}.yml`;
+	const inputs = {
+		branch,
+		tagPattern: kind === "tag" ? options.tagPattern : null,
+		environment,
+		dir,
+		packageManager,
+		plan: kind === "branch" ? options.plan : true
+	};
+	return {
+		kind,
+		workspaceName,
+		branch,
+		environment,
+		packageManager,
+		render,
+		inputs,
+		file,
+		configPath
+	};
 }
 /**
-* Write files to disk, skipping any that already exist.
-* @param files - Files to write
-* @returns Result with lists of written and skipped file paths
+* Decide how to reconcile a target with the on-disk file and lock state.
+* @param obj - Decision inputs
+* @param obj.existing - The matching lock target, if any
+* @param obj.fileExists - Whether the workflow file is present on disk
+* @param obj.currentContent - On-disk content when present
+* @param obj.force - Whether --force was passed
+* @returns The reconciliation action
 */
-function writeFiles(files) {
-	const written = [];
-	const skipped = [];
-	for (const file of files) {
-		if (fs$1.existsSync(file.path)) {
-			skipped.push(file.path);
-			continue;
-		}
-		fs$1.mkdirSync(path.dirname(file.path), { recursive: true });
-		fs$1.writeFileSync(file.path, file.content);
-		written.push(file.path);
+function decideAction(obj) {
+	const { existing, fileExists, currentContent, force } = obj;
+	if (!existing) {
+		if (!fileExists) return { action: "create" };
+		if (force) return { action: "regenerate" };
+		return {
+			action: "conflict",
+			reason: "An unmanaged workflow file already exists at this path. Delete it, or pass --force to bring it under SDK management (this overwrites it)."
+		};
 	}
+	if (!fileExists) return { action: "restore" };
+	if (currentContent !== null && hashContent(currentContent) === existing.contentHash) return { action: "regenerate" };
+	if (force) return { action: "regenerate" };
 	return {
-		written,
-		skipped
+		action: "conflict",
+		reason: "This workflow file has been edited by hand since it was generated. Re-run with --force to discard those edits and regenerate, or revert your changes."
 	};
 }
 /**
-* Generate GitHub Actions workflow files and print next steps.
-* @param options - Setup options including workspace config and output directory
+* Guard against two targets of different kinds colliding on the same file path.
+* @param obj - Conflict inputs
+* @param obj.lock - Existing lock file, or null
+* @param obj.kind - Target kind being generated
+* @param obj.workspaceName - Workspace name being generated
+* @param obj.file - Target file path
 */
-function setupGitHub(options) {
-	logBetaWarning("setup github");
-	const result = writeFiles(buildFiles(options));
-	for (const filePath of result.written) {
-		const relativePath = path.relative(options.outputDir, filePath);
-		logger.success(`Generated ${styles.path(relativePath)}`);
-	}
-	for (const filePath of result.skipped) {
-		const relativePath = path.relative(options.outputDir, filePath);
-		logger.warn(`Skipped ${styles.path(relativePath)} (already exists)`);
-	}
+function assertNoKindCollision(obj) {
+	const { lock, kind, workspaceName, file } = obj;
+	const collision = lock?.targets.find((t) => t.file === file && !(t.kind === kind && t.workspaceName === workspaceName));
+	if (collision) throw new Error(`A ${collision.kind} target already owns ${file}, which conflicts with this ${kind} target. Pass a different name with --workspace-name to generate a separate workflow.`);
+}
+/**
+* Print next-step guidance after generating workflow files.
+* @param obj - Output context
+* @param obj.environment - Resolved GitHub Environment name for this target
+* @param obj.idInjected - Whether an app id was injected into the config
+*/
+function printNextSteps(obj) {
+	const { environment, idInjected } = obj;
 	logger.newline();
-	logger.info("Next steps - set GitHub secrets:");
-	logger.log(`  gh secret set PLATFORM_MACHINE_USER_CLIENT_ID`);
-	logger.log(`  gh secret set PLATFORM_MACHINE_USER_CLIENT_SECRET`);
-	if (options.withPlan) {
-		logger.newline();
-		logger.info("For plan job - set GitHub variable with your workspace ID:");
-		logger.log(`  gh variable set TAILOR_PLATFORM_WORKSPACE_ID`);
-	}
+	logger.info("Next steps:");
+	logger.newline();
+	logger.log(`1. Set the machine-user credentials as secrets on the "${environment}" environment:`);
+	logger.log(`   gh secret set TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID --env ${environment}`);
+	logger.log(`   gh secret set TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET --env ${environment}`);
+	logger.newline();
+	logger.log(`2. Provision the workspace and set its id as the TAILOR_PLATFORM_WORKSPACE_ID variable on the "${environment}" environment:`);
+	logger.log("   tailor-sdk workspace create   # if it does not exist yet; copy the id");
+	logger.log(`   gh variable set TAILOR_PLATFORM_WORKSPACE_ID --env ${environment}`);
+	logger.newline();
+	logger.log("3. Commit the generated files:");
+	logger.log("   - .github/workflows/tailor-*.yml");
+	logger.log("   - .github/tailor-sdk.lock");
+	if (idInjected) logger.log("   - tailor.config.ts (app id was added)");
+}
+/**
+* Generate the GitHub Actions workflow for a deploy target and reconcile it
+* with the lock file.
+* @param options - Setup options
+*/
+async function setupGitHub(options) {
+	logBetaWarning("setup github");
+	const resolved = await resolve$1(options);
+	const lock = readLock(options.outputDir);
+	const absFile = path.join(options.outputDir, resolved.file);
+	assertNoKindCollision({
+		lock,
+		kind: resolved.kind,
+		workspaceName: resolved.workspaceName,
+		file: resolved.file
+	});
+	const existing = findTarget(lock, resolved.kind, resolved.workspaceName);
+	const fileExists = fs$1.existsSync(absFile);
+	const decision = decideAction({
+		existing,
+		fileExists,
+		currentContent: fileExists ? fs$1.readFileSync(absFile, "utf-8") : null,
+		force: options.force
+	});
+	if (decision.action === "conflict") throw new Error(`${resolved.file}: ${decision.reason}`);
+	const idResult = await ensureConfigId(resolved.configPath);
+	if (idResult === null) logger.warn("Could not find a defineConfig() call to confirm an app id. The CI deploy will fail unless your config resolves to one with an 'id'.");
+	const idInjected = idResult?.injected ?? false;
+	fs$1.mkdirSync(path.dirname(absFile), { recursive: true });
+	fs$1.writeFileSync(absFile, resolved.render.content, "utf-8");
+	const newTarget = {
+		kind: resolved.kind,
+		workspaceName: resolved.workspaceName,
+		file: resolved.file,
+		templateVersion: 1,
+		inputs: resolved.inputs,
+		generatedIds: resolved.render.generatedIds,
+		ejectedIds: existing?.ejectedIds ?? [],
+		contentHash: hashContent(resolved.render.content)
+	};
+	const targets = [...lock?.targets ?? []];
+	const index = targets.findIndex((t) => t.kind === newTarget.kind && t.workspaceName === newTarget.workspaceName);
+	if (index === -1) targets.push(newTarget);
+	else targets[index] = newTarget;
+	writeLock(options.outputDir, {
+		version: 1,
+		targets
+	});
+	if (decision.action === "restore") logger.success(`Regenerated ${styles.path(resolved.file)} (was missing on disk)`);
+	else if (decision.action === "regenerate") logger.success(`Regenerated ${styles.path(resolved.file)}`);
+	else logger.success(`Generated ${styles.path(resolved.file)}`);
+	printNextSteps({
+		environment: resolved.environment,
+		idInjected
+	});
 }
 //#endregion
 //#region src/cli/commands/setup/github/index.ts
 const githubCommand = defineAppCommand({
 	name: "github",
-	description: "Generate GitHub Actions workflow for deployment. (beta)",
+	description: "Generate a GitHub Actions deploy workflow. (beta)",
 	args: z.object({
-		"workspace-name": arg(z.string(), {
+		"workspace-name": arg(z.string().min(1).optional(), {
 			alias: "n",
-			description: "Workspace name"
+			description: "Workspace name (defaults to the config 'name')"
 		}),
-		"workspace-region": arg(z.string(), {
-			alias: "r",
-			description: "Workspace region"
-		}),
-		"organization-id": arg(z.string(), {
-			alias: "o",
-			description: "Organization ID"
-		}),
-		"folder-id": arg(z.string(), {
-			alias: "f",
-			description: "Folder ID"
-		}),
-		dir: arg(z.string().default("."), {
+		branch: arg(z.string().min(1).optional(), { description: "Branch target: deploy trigger branch (defaults to the detected default branch). Tag target: tag-reachability guard branch (no guard when omitted)" }),
+		tag: arg(z.boolean().default(false), { description: "Generate a tag target (deploy on tag push)" }),
+		"tag-pattern": arg(z.string().min(1).optional(), { description: "Tag glob to match (requires --tag; defaults to v*)" }),
+		environment: arg(z.string().min(1).optional(), { description: "GitHub Environment for the plan/deploy jobs (defaults to the workspace name)" }),
+		"no-plan": arg(z.boolean().default(false), { description: "Disable the plan job for a branch target (cannot be combined with --tag)" }),
+		dir: arg(z.string().min(1).default("."), {
 			alias: "d",
 			description: "App directory (for monorepo setups)"
 		}),
-		"with-plan": arg(z.boolean().default(false), {
-			alias: "p",
-			description: "Include plan job for PR previews"
-		})
+		force: arg(z.boolean().default(false), { description: "Discard hand edits / take over unmanaged files and regenerate" })
 	}).strict(),
-	run: (args) => {
-		setupGitHub({
+	run: async (args) => {
+		if (args["tag-pattern"] !== void 0 && !args.tag) throw new Error("--tag-pattern requires --tag.");
+		if (args["no-plan"] && args.tag) throw new Error("--no-plan cannot be combined with --tag.");
+		await setupGitHub({
 			workspaceName: args["workspace-name"],
-			workspaceRegion: args["workspace-region"],
-			organizationId: args["organization-id"],
-			folderId: args["folder-id"],
+			branch: args.branch,
+			tag: args.tag,
+			tagPattern: args["tag-pattern"] ?? "v*",
+			environment: args.environment,
+			plan: !args["no-plan"],
 			dir: args.dir,
-			outputDir: process.cwd(),
-			withPlan: args["with-plan"]
+			force: args.force,
+			outputDir: process.cwd()
 		});
 	}
 });
@@ -3323,7 +3663,7 @@ const CLEAN_ROOM_NOTES = [
 	"It does not copy Liam source code, generated JavaScript/CSS, parser internals, or layout internals."
 ];
 function buildRevision(schema) {
-	return hashContent(JSON.stringify(schema)).slice(0, 16);
+	return hashContent$1(JSON.stringify(schema)).slice(0, 16);
 }
 function toTypeSource(source) {
 	if (!source) return void 0;