@tailor-platform/sdk 1.62.0 → 1.65.0

package/dist/{runtime-C6o4hiYq.mjs → runtime-C7qTBDD2.mjs}

@@ -3,7 +3,7 @@ import { t as db } from "./schema-1msIhXwA.mjs";
 import { $ as CreateExecutorExecutorRequestSchema, A as TailorDBGQLPermission_Permit, At as AuthSCIMAttribute_Type, B as UpdateSecretManagerSecretRequestSchema, Bt as Subgraph_ServiceType, C as WorkflowExecution_Status, Ct as AuthConnection_Type, D as UpdateTailorDBTypeRequestSchema, Dt as AuthOAuth2Client_ClientType, E as CreateTailorDBTypeRequestSchema, Et as AuthInvokerSchema, F as CreateStaticWebsiteRequestSchema, Ft as UserProfileProviderConfig_UserProfileProviderType, G as PipelineResolver_OperationType, H as CreatePipelineServiceRequestSchema, Ht as Condition_Operator, I as UpdateStaticWebsiteRequestSchema, It as CreateApplicationRequestSchema, J as IdPLang, K as CreateIdPServiceRequestSchema, Lt as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, M as TailorDBType_Permission_Permit, Mt as AuthSCIMConfig_AuthorizationType, N as TailorDBType_PermitAction, O as TailorDBGQLPermission_Action, Ot as AuthOAuth2Client_GrantType, P as AddCustomDomainRequestSchema, Pt as TenantProviderConfig_TenantProviderType, R as CreateSecretManagerSecretRequestSchema, Rt as UpdateApplicationRequestSchema, S as UpdateWorkflowRequestSchema, St as UpdateUserProfileConfigRequestSchema, T as CreateTailorDBServiceRequestSchema, Tt as AuthIDPConfig_AuthType, U as UpdatePipelineResolverRequestSchema, Ut as FilterSchema, V as CreatePipelineResolverRequestSchema, Vt as ConditionSchema, W as UpdatePipelineServiceRequestSchema, Wt as PageDirection, X as IdPPermissionPermit, Y as IdPPermissionOperator, Z as FunctionExecution_Status, _ as userAgent, _t as UpdateAuthOAuth2ClientRequestSchema, a as fetchAll, at as CreateAuthHookRequestSchema, b as CreateWorkflowJobFunctionRequestSchema, bt as UpdateAuthServiceRequestSchema, ct as CreateAuthOAuth2ClientRequestSchema, dt as CreateAuthServiceRequestSchema, et as UpdateExecutorExecutorRequestSchema, f as initOperatorClient, ft as CreateTenantConfigRequestSchema, gt as UpdateAuthMachineUserRequestSchema, h as resolveStaticWebsiteUrls, ht as UpdateAuthIDPConfigRequestSchema, it as CreateAuthConnectionRequestSchema, j as TailorDBType_Permission_Operator, jt as AuthSCIMAttribute_Uniqueness, k as TailorDBGQLPermission_Operator, kt as AuthSCIMAttribute_Mutability, lt as CreateAuthSCIMConfigRequestSchema, m as platformBaseUrl, mt as UpdateAuthHookRequestSchema, nt as ExecutorTargetType, o as fetchMachineUserToken, ot as CreateAuthIDPConfigRequestSchema, pt as CreateUserProfileConfigRequestSchema, q as UpdateIdPServiceRequestSchema, rt as ExecutorTriggerType, s as fetchPaged, st as CreateAuthMachineUserRequestSchema, tt as ExecutorJobStatus, ut as CreateAuthSCIMResourceRequestSchema, v as OperatorService, vt as UpdateAuthSCIMConfigRequestSchema, w as WorkflowJobExecution_Status, wt as AuthHookPoint, x as CreateWorkflowRequestSchema, xt as UpdateTenantConfigRequestSchema, y as WorkspacePlatformUserRole, yt as UpdateAuthSCIMResourceRequestSchema, z as CreateSecretManagerVaultRequestSchema, zt as ApplicationSchemaUpdateAttemptStatus } from "./client-CobIRHl-.mjs";
 import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { C as loadConfig, D as loadConfigPath, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, S as hashFile, b as getDistDir, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, k as readPlatformConfig, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, y as createBundleCache } from "./application-BezXGbrU.mjs";
+import { A as readPlatformConfig, C as loadConfig, D as loadConfigPath, E as loadAccessToken, N as writePlatformConfig, O as loadMachineUserName, S as hashFile, b as getDistDir, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, k as loadWorkspaceId, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, y as createBundleCache } from "./application-76hhIhnJ.mjs";
 import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
 import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
@@ -3003,7 +3003,7 @@ function parseIdPPermission(rawPermission) {
 function findOmittedPermitRules(permission) {
 	if (!permission) return [];
 	const locations = [];
-	for (const action of Object.keys(permission)) permission[action]?.forEach((rule, index) => {
+	for (const action of Object.keys(permission)) permission[action].forEach((rule, index) => {
 		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`${String(action)}[${index}]`);
 	});
 	return locations;
@@ -4677,6 +4677,72 @@ async function ensureConfigId(configPath) {
 		injected: true
 	};
 }
+/**
+* Read the resolved `defineConfig({...})` `id` from a config file without
+* mutating it. Returns null when the file has no inline `defineConfig()` call
+* (wrapper/re-export config), and `{ id: null }` when the call exists but has
+* no usable `id` property.
+* @param configPath - Absolute path to the config file
+* @returns The existing id (or null when absent), or null for wrapper configs
+*/
+async function readConfigId(configPath) {
+	const { program } = parseSync(configPath, await fs$1.promises.readFile(configPath, "utf-8"));
+	const calls = [];
+	findDefineConfigCalls(program, calls);
+	if (calls.length === 0) return null;
+	if (calls.length > 1) throw new Error(`Multiple defineConfig() calls found in ${configPath}. Only one is supported.`);
+	const { configObj } = assertDefined(calls[0], "defineConfig call site missing");
+	if (!configObj) throw new Error(`defineConfig() argument must be an inline object literal in ${configPath} so the SDK can manage the 'id' field.`);
+	const idProp = findIdProperty(configObj);
+	if (!idProp || idProp.value.type !== "Literal") return { id: null };
+	const value = idProp.value.value;
+	return { id: typeof value === "string" && value !== "" ? value : null };
+}
+/**
+* Read-only CI check: the config must already carry a valid app id.
+* Wrapper/re-export configs (no inline defineConfig call) are exempt,
+* mirroring the local behavior where {@link ensureConfigId} no-ops.
+* @param configPath - Absolute path to the config file
+*/
+async function assertConfigIdInCI(configPath) {
+	const result = await readConfigId(configPath);
+	if (result === null) return;
+	if (!result.id) throw new Error("tailor.config.ts is missing an 'id'. CI does not auto-generate one (each run would be treated as a separate app and break resource ownership). Run 'tailor-sdk setup github' or 'tailor-sdk apply' locally and commit the injected id.");
+	if (!uuidRegex.test(result.id)) throw new Error(`'id' in ${configPath} must be a UUID. To use this config for a separate app, delete it.`);
+}
+/**
+* Ensure the config has an app id for a deploy run.
+*
+* Locally, the id is auto-injected when missing (via {@link ensureConfigId}).
+* In CI, the id is never auto-injected — a missing id is a hard error, because
+* generating one per run would create a fresh app each time and break resource
+* ownership. CI dry-runs (plan) perform the same check read-only, so a
+* forgotten id fails at PR time instead of at deploy. Ephemeral pipelines that
+* intentionally deploy a fresh app per run (such as e2e harnesses) can opt
+* back into injection with `TAILOR_PLATFORM_SDK_ALLOW_CI_ID_INJECTION=true`.
+* Local dry-run and build-only flows skip both injection and the check (no
+* on-disk side effects are expected, and build-only never talks to the
+* platform).
+* @param obj - Inputs
+* @param obj.configPath - Absolute path to the config file
+* @param obj.dryRun - Whether this is a dry-run
+* @param obj.buildOnly - Whether this is a build-only run
+*/
+async function ensureConfigIdForDeploy(obj) {
+	const { configPath, dryRun, buildOnly } = obj;
+	if (buildOnly) return;
+	const allowCIInjection = parseBoolean(process.env.TAILOR_PLATFORM_SDK_ALLOW_CI_ID_INJECTION) === true;
+	const strictCI = isCI && !allowCIInjection;
+	if (dryRun) {
+		if (strictCI) await assertConfigIdInCI(configPath);
+		return;
+	}
+	if (strictCI) {
+		await assertConfigIdInCI(configPath);
+		return;
+	}
+	await ensureConfigId(configPath);
+}
 const idComment = "// SDK-managed app id — do not edit, except when copying this config to a separate app.";
 function insertIdProperty(source, configObj, id) {
 	const idLiteral = `id: ${JSON.stringify(id)}`;
@@ -4684,6 +4750,7 @@ function insertIdProperty(source, configObj, id) {
 		const firstProp = assertDefined(configObj.properties[0], "first property missing");
 		const lineStart = source.lastIndexOf("\n", firstProp.start - 1) + 1;
 		const indent = source.slice(lineStart, firstProp.start);
+		if (!/^[\t ]*$/.test(indent)) return source.slice(0, firstProp.start) + `${idLiteral}, ` + source.slice(firstProp.start);
 		const insertion = `${idComment}\n${indent}${idLiteral},\n${indent}`;
 		return source.slice(0, firstProp.start) + insertion + source.slice(firstProp.start);
 	}
@@ -6344,6 +6411,317 @@ function parseMigrationNumberArg(numberStr) {
 	throw new Error(`Invalid migration number format: ${numberStr}. Expected 4-digit format (e.g., 0001) or integer 0-9999 (e.g., 1).`);
 }
 
+//#endregion
+//#region src/cli/commands/tailordb/migrate/snapshot-schema.ts
+/**
+* Zod schemas for TailorDB migration snapshot and diff files.
+*
+* Each schema mirrors the corresponding hand-written interface from
+* snapshot-types.ts / diff-calculator.ts. Schemas are cast to
+* `z.ZodType<T>` to keep them aligned with the interfaces at compile time.
+*
+* All object schemas use `z.looseObject` so that unknown keys written
+* by newer CLI versions survive a load → save round-trip.
+*/
+const snapshotHookSchema = z.looseObject({ expr: z.string() });
+const snapshotValidationSchema = z.looseObject({
+	script: z.looseObject({ expr: z.string() }).optional(),
+	errorMessage: z.string()
+});
+const snapshotSerialSchema = z.looseObject({
+	start: z.number(),
+	maxValue: z.number().optional(),
+	format: z.string().optional()
+});
+const snapshotEnumValueSchema = z.looseObject({
+	value: z.string(),
+	description: z.string().optional()
+});
+const snapshotFieldConfigSchema = z.looseObject({
+	type: z.string(),
+	required: z.boolean().default(true),
+	array: z.boolean().optional(),
+	index: z.boolean().optional(),
+	unique: z.boolean().optional(),
+	allowedValues: z.array(snapshotEnumValueSchema).optional(),
+	foreignKey: z.boolean().optional(),
+	foreignKeyType: z.string().optional(),
+	foreignKeyField: z.string().optional(),
+	description: z.string().optional(),
+	vector: z.boolean().optional(),
+	hooks: z.looseObject({
+		create: snapshotHookSchema.optional(),
+		update: snapshotHookSchema.optional()
+	}).optional(),
+	validate: z.array(snapshotValidationSchema).optional(),
+	serial: snapshotSerialSchema.optional(),
+	scale: z.number().optional(),
+	fields: z.lazy(() => z.record(z.string(), snapshotFieldConfigSchema)).optional()
+});
+const snapshotIndexConfigSchema = z.looseObject({
+	fields: z.array(z.string()),
+	unique: z.boolean().optional()
+});
+const snapshotRelationshipSchema = z.looseObject({
+	targetType: z.string(),
+	targetField: z.string(),
+	sourceField: z.string(),
+	isArray: z.boolean(),
+	description: z.string()
+});
+const FIELD_REF_KEYS = [
+	"user",
+	"record",
+	"newRecord",
+	"oldRecord"
+];
+const snapshotPermissionOperandSchema = z.unknown().refine((v) => {
+	if (typeof v !== "object" || v === null || Array.isArray(v)) return true;
+	const keys = Object.keys(v);
+	return FIELD_REF_KEYS.filter((k) => keys.includes(k)).length < 2;
+}, "Ambiguous field-ref operand: contains more than one of user/record/newRecord/oldRecord");
+const snapshotGqlPermissionOperandSchema = z.unknown().refine((v) => {
+	if (typeof v !== "object" || v === null || Array.isArray(v)) return true;
+	const keys = Object.keys(v);
+	return FIELD_REF_KEYS.filter((k) => keys.includes(k)).length < 2;
+}, "Ambiguous field-ref operand: contains more than one of user/record/newRecord/oldRecord").refine((v) => {
+	if (typeof v !== "object" || v === null || Array.isArray(v)) return true;
+	const keys = Object.keys(v);
+	return ![
+		"record",
+		"newRecord",
+		"oldRecord"
+	].some((k) => keys.includes(k));
+}, "GQL permissions only support { user } field references");
+const snapshotPermissionOperatorSchema = z.string();
+const snapshotPermissionConditionSchema = z.tuple([
+	snapshotPermissionOperandSchema,
+	snapshotPermissionOperatorSchema,
+	snapshotPermissionOperandSchema
+]).rest(z.unknown());
+const snapshotGqlPermissionConditionSchema = z.tuple([
+	snapshotGqlPermissionOperandSchema,
+	snapshotPermissionOperatorSchema,
+	snapshotGqlPermissionOperandSchema
+]).rest(z.unknown());
+const snapshotActionPermissionSchema = z.looseObject({
+	conditions: z.array(snapshotPermissionConditionSchema),
+	description: z.string().optional(),
+	permit: z.enum(["allow", "deny"])
+});
+const snapshotRecordPermissionSchema = z.looseObject({
+	create: z.array(snapshotActionPermissionSchema).default([]),
+	read: z.array(snapshotActionPermissionSchema).default([]),
+	update: z.array(snapshotActionPermissionSchema).default([]),
+	delete: z.array(snapshotActionPermissionSchema).default([])
+});
+const snapshotGqlActionSchema = z.string();
+const snapshotGqlPermissionPolicySchema = z.looseObject({
+	conditions: z.array(snapshotGqlPermissionConditionSchema),
+	actions: z.array(snapshotGqlActionSchema),
+	permit: z.enum(["allow", "deny"]),
+	description: z.string().optional()
+});
+const snapshotGqlPermissionSchema = z.array(snapshotGqlPermissionPolicySchema);
+const tailorDBSnapshotTypeSchema = z.looseObject({
+	name: z.string(),
+	pluralForm: z.string().optional(),
+	description: z.string().optional(),
+	fields: z.record(z.string(), snapshotFieldConfigSchema),
+	settings: z.looseObject({
+		aggregation: z.boolean().optional(),
+		bulkUpsert: z.boolean().optional(),
+		gqlOperations: z.looseObject({
+			create: z.boolean().optional(),
+			update: z.boolean().optional(),
+			delete: z.boolean().optional(),
+			read: z.boolean().optional()
+		}).optional(),
+		publishEvents: z.boolean().optional()
+	}).optional(),
+	indexes: z.record(z.string(), snapshotIndexConfigSchema).optional(),
+	files: z.record(z.string(), z.string()).optional(),
+	forwardRelationships: z.record(z.string(), snapshotRelationshipSchema).optional(),
+	backwardRelationships: z.record(z.string(), snapshotRelationshipSchema).optional(),
+	permissions: z.looseObject({
+		record: snapshotRecordPermissionSchema.optional(),
+		gql: snapshotGqlPermissionSchema.optional()
+	}).optional()
+});
+const schemaSnapshotSchema = z.looseObject({
+	version: z.number(),
+	namespace: z.string(),
+	createdAt: z.string(),
+	types: z.record(z.string(), tailorDBSnapshotTypeSchema)
+});
+const typeSettingsPatchSchema = z.looseObject({
+	indexes: z.record(z.string(), snapshotIndexConfigSchema).optional(),
+	files: z.record(z.string(), z.string()).optional()
+});
+const snapshotPermissionStateSchema = z.looseObject({
+	recordPermission: snapshotRecordPermissionSchema.optional(),
+	gqlPermission: snapshotGqlPermissionSchema.optional()
+});
+const typeAddedChangeSchema = z.looseObject({
+	kind: z.literal("type_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	after: tailorDBSnapshotTypeSchema
+});
+const typeRemovedChangeSchema = z.looseObject({
+	kind: z.literal("type_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	before: tailorDBSnapshotTypeSchema
+});
+const typeModifiedChangeSchema = z.looseObject({
+	kind: z.literal("type_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	before: typeSettingsPatchSchema.optional(),
+	after: typeSettingsPatchSchema.optional()
+});
+const fieldAddedChangeSchema = z.looseObject({
+	kind: z.literal("field_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	after: snapshotFieldConfigSchema
+});
+const fieldRemovedChangeSchema = z.looseObject({
+	kind: z.literal("field_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: snapshotFieldConfigSchema
+});
+const fieldModifiedChangeSchema = z.looseObject({
+	kind: z.literal("field_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: snapshotFieldConfigSchema,
+	after: snapshotFieldConfigSchema
+});
+const indexAddedChangeSchema = z.looseObject({
+	kind: z.literal("index_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	indexName: z.string(),
+	after: snapshotIndexConfigSchema
+});
+const indexRemovedChangeSchema = z.looseObject({
+	kind: z.literal("index_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	indexName: z.string(),
+	before: snapshotIndexConfigSchema
+});
+const indexModifiedChangeSchema = z.looseObject({
+	kind: z.literal("index_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	indexName: z.string(),
+	before: snapshotIndexConfigSchema,
+	after: snapshotIndexConfigSchema
+});
+const fileAddedChangeSchema = z.looseObject({
+	kind: z.literal("file_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	after: z.string()
+});
+const fileRemovedChangeSchema = z.looseObject({
+	kind: z.literal("file_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: z.string()
+});
+const fileModifiedChangeSchema = z.looseObject({
+	kind: z.literal("file_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: z.string(),
+	after: z.string()
+});
+const relationshipAddedChangeSchema = z.looseObject({
+	kind: z.literal("relationship_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	relationshipName: z.string(),
+	relationshipType: z.enum(["forward", "backward"]).optional(),
+	after: snapshotRelationshipSchema
+});
+const relationshipRemovedChangeSchema = z.looseObject({
+	kind: z.literal("relationship_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	relationshipName: z.string(),
+	relationshipType: z.enum(["forward", "backward"]).optional(),
+	before: snapshotRelationshipSchema
+});
+const relationshipModifiedChangeSchema = z.looseObject({
+	kind: z.literal("relationship_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	relationshipName: z.string(),
+	relationshipType: z.enum(["forward", "backward"]).optional(),
+	before: snapshotRelationshipSchema,
+	after: snapshotRelationshipSchema
+});
+const permissionModifiedChangeSchema = z.looseObject({
+	kind: z.literal("permission_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	before: snapshotPermissionStateSchema.optional(),
+	after: snapshotPermissionStateSchema.optional()
+});
+const diffChangeSchema = z.discriminatedUnion("kind", [
+	typeAddedChangeSchema,
+	typeRemovedChangeSchema,
+	typeModifiedChangeSchema,
+	fieldAddedChangeSchema,
+	fieldRemovedChangeSchema,
+	fieldModifiedChangeSchema,
+	indexAddedChangeSchema,
+	indexRemovedChangeSchema,
+	indexModifiedChangeSchema,
+	fileAddedChangeSchema,
+	fileRemovedChangeSchema,
+	fileModifiedChangeSchema,
+	relationshipAddedChangeSchema,
+	relationshipRemovedChangeSchema,
+	relationshipModifiedChangeSchema,
+	permissionModifiedChangeSchema
+]);
+const breakingChangeInfoSchema = z.looseObject({
+	typeName: z.string(),
+	fieldName: z.string().optional(),
+	reason: z.string(),
+	unsupported: z.boolean().optional(),
+	showThreeStepHint: z.boolean().optional()
+});
+const warningChangeInfoSchema = z.looseObject({
+	typeName: z.string(),
+	fieldName: z.string().optional(),
+	reason: z.string()
+});
+const migrationDiffSchema = z.looseObject({
+	version: z.number(),
+	namespace: z.string(),
+	createdAt: z.string(),
+	description: z.string().optional(),
+	changes: z.array(diffChangeSchema),
+	hasBreakingChanges: z.boolean(),
+	breakingChanges: z.array(breakingChangeInfoSchema),
+	hasWarnings: z.boolean().optional(),
+	warnings: z.array(warningChangeInfoSchema).optional(),
+	requiresMigrationScript: z.boolean()
+});
+
 //#endregion
 //#region src/cli/commands/tailordb/migrate/snapshot-types.ts
 /**
@@ -6553,21 +6931,19 @@ function createSnapshotType(type) {
 		fields
 	};
 	if (type.description) snapshotType.description = type.description;
-	if (type.settings) {
-		snapshotType.settings = {};
-		if (type.settings.aggregation !== void 0) snapshotType.settings.aggregation = type.settings.aggregation;
-		if (type.settings.bulkUpsert !== void 0) snapshotType.settings.bulkUpsert = type.settings.bulkUpsert;
-		if (type.settings.gqlOperations) {
-			const ops = type.settings.gqlOperations;
-			snapshotType.settings.gqlOperations = {
-				...ops.create !== void 0 && { create: ops.create },
-				...ops.update !== void 0 && { update: ops.update },
-				...ops.delete !== void 0 && { delete: ops.delete },
-				...ops.read !== void 0 && { read: ops.read }
-			};
-		}
-		if (type.settings.publishEvents !== void 0) snapshotType.settings.publishEvents = type.settings.publishEvents;
+	snapshotType.settings = {};
+	if (type.settings.aggregation !== void 0) snapshotType.settings.aggregation = type.settings.aggregation;
+	if (type.settings.bulkUpsert !== void 0) snapshotType.settings.bulkUpsert = type.settings.bulkUpsert;
+	if (type.settings.gqlOperations) {
+		const ops = type.settings.gqlOperations;
+		snapshotType.settings.gqlOperations = {
+			...ops.create !== void 0 && { create: ops.create },
+			...ops.update !== void 0 && { update: ops.update },
+			...ops.delete !== void 0 && { delete: ops.delete },
+			...ops.read !== void 0 && { read: ops.read }
+		};
 	}
+	if (type.settings.publishEvents !== void 0) snapshotType.settings.publishEvents = type.settings.publishEvents;
 	if (type.indexes && Object.keys(type.indexes).length > 0) {
 		snapshotType.indexes = {};
 		for (const [indexName, indexConfig] of Object.entries(type.indexes)) snapshotType.indexes[indexName] = {
@@ -6648,7 +7024,15 @@ function createSnapshotFromLocalTypes(types, namespace) {
 */
 function loadSnapshot(filePath) {
 	const content = fs$1.readFileSync(filePath, "utf-8");
-	const snapshot = JSON.parse(content);
+	let raw;
+	try {
+		raw = JSON.parse(content);
+	} catch (error) {
+		throw new Error(`Invalid schema snapshot at ${filePath}: ${String(error)}`, { cause: error });
+	}
+	const result = schemaSnapshotSchema.safeParse(raw);
+	if (!result.success) throw new Error(`Invalid schema snapshot at ${filePath}: ${z.prettifyError(result.error)}`, { cause: result.error });
+	const snapshot = result.data;
 	for (const type of Object.values(snapshot.types)) normalizeSnapshotType(type);
 	return snapshot;
 }
@@ -6659,7 +7043,15 @@ function loadSnapshot(filePath) {
 */
 function loadDiff(filePath) {
 	const content = fs$1.readFileSync(filePath, "utf-8");
-	const parsed = JSON.parse(content);
+	let raw;
+	try {
+		raw = JSON.parse(content);
+	} catch (error) {
+		throw new Error(`Invalid migration diff at ${filePath}: ${String(error)}`, { cause: error });
+	}
+	const result = migrationDiffSchema.safeParse(raw);
+	if (!result.success) throw new Error(`Invalid migration diff at ${filePath}: ${z.prettifyError(result.error)}`, { cause: result.error });
+	const parsed = result.data;
 	const warnings = parsed.warnings ?? [];
 	return {
 		...parsed,
@@ -6737,7 +7129,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "field_added":
 		case "field_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName) types[change.typeName] = {
+			if (existing) types[change.typeName] = {
 				...existing,
 				fields: {
 					...existing.fields,
@@ -6748,7 +7140,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "field_removed": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName) {
+			if (existing) {
 				const { [change.fieldName]: _, ...remainingFields } = existing.fields;
 				types[change.typeName] = {
 					...existing,
@@ -6760,7 +7152,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "index_added":
 		case "index_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.indexName) types[change.typeName] = {
+			if (existing) types[change.typeName] = {
 				...existing,
 				indexes: {
 					...existing.indexes,
@@ -6771,7 +7163,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "index_removed": {
 			const existing = types[change.typeName];
-			if (existing && change.indexName && existing.indexes) {
+			if (existing && existing.indexes) {
 				const { [change.indexName]: _, ...remainingIndexes } = existing.indexes;
 				types[change.typeName] = {
 					...existing,
@@ -6783,7 +7175,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "file_added":
 		case "file_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName) types[change.typeName] = {
+			if (existing) types[change.typeName] = {
 				...existing,
 				files: {
 					...existing.files,
@@ -6794,7 +7186,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "file_removed": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName && existing.files) {
+			if (existing && existing.files) {
 				const { [change.fieldName]: _, ...remainingFiles } = existing.files;
 				types[change.typeName] = {
 					...existing,
@@ -6806,7 +7198,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "relationship_added":
 		case "relationship_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.relationshipName) {
+			if (existing) {
 				const rel = change.after;
 				if ((change.relationshipType ?? (existing.forwardRelationships?.[change.relationshipName] ? "forward" : existing.backwardRelationships?.[change.relationshipName] ? "backward" : "forward")) === "forward") types[change.typeName] = {
 					...existing,
@@ -6827,7 +7219,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "relationship_removed": {
 			const type = types[change.typeName];
-			if (type && change.relationshipName) {
+			if (type) {
 				const targetType = change.relationshipType ?? (type.forwardRelationships?.[change.relationshipName] ? "forward" : type.backwardRelationships?.[change.relationshipName] ? "backward" : null);
 				if (targetType === "forward" && type.forwardRelationships?.[change.relationshipName]) {
 					const { [change.relationshipName]: _, ...remaining } = type.forwardRelationships;
@@ -6937,7 +7329,7 @@ function areFieldsDifferent(oldField, newField) {
 	for (let i = 0; i < oldValidate.length; i++) {
 		const oldV = assertDefined(oldValidate[i], `oldValidate missing index ${i}`);
 		const newV = assertDefined(newValidate[i], `newValidate missing index ${i}`);
-		if (oldV.script.expr !== newV.script.expr) return true;
+		if ((oldV.script?.expr ?? "") !== (newV.script?.expr ?? "")) return true;
 		if (oldV.errorMessage !== newV.errorMessage) return true;
 	}
 	const oldSerial = oldField.serial;
@@ -7385,7 +7777,7 @@ function convertRemoteFieldsToSnapshot(remoteType) {
 			if (remoteField.foreignKeyType) config.foreignKeyType = remoteField.foreignKeyType;
 			if (remoteField.foreignKeyField) config.foreignKeyField = remoteField.foreignKeyField;
 		}
-		if (remoteField.allowedValues && remoteField.allowedValues.length > 0) config.allowedValues = remoteField.allowedValues.map((v) => ({
+		if (remoteField.allowedValues.length > 0) config.allowedValues = remoteField.allowedValues.map((v) => ({
 			value: v.value,
 			...v.description && { description: v.description }
 		}));
@@ -7396,7 +7788,7 @@ function convertRemoteFieldsToSnapshot(remoteType) {
 			if (remoteField.hooks.create?.expr) config.hooks.create = { expr: remoteField.hooks.create.expr };
 			if (remoteField.hooks.update?.expr) config.hooks.update = { expr: remoteField.hooks.update.expr };
 		}
-		if (remoteField.validate && remoteField.validate.length > 0) config.validate = remoteField.validate.map((v) => ({
+		if (remoteField.validate.length > 0) config.validate = remoteField.validate.map((v) => ({
 			script: { expr: v.script?.expr ?? "" },
 			errorMessage: v.errorMessage ?? ""
 		}));
@@ -7620,7 +8012,7 @@ function convertFieldConfigToProto(config) {
 		foreignKey: config.foreignKey ?? false,
 		foreignKeyType: config.foreignKeyType,
 		foreignKeyField: config.foreignKeyField,
-		required: config.required ?? true,
+		required: config.required,
 		vector: config.vector ?? false,
 		...toProtoSnapshotFieldHooks(config),
 		...config.serial && { serial: {
@@ -7637,7 +8029,7 @@ function toProtoSnapshotFieldValidate(config) {
 	return (config.validate ?? []).map((val) => ({
 		action: TailorDBType_PermitAction.DENY,
 		errorMessage: val.errorMessage || "",
-		...val.script && { script: { expr: val.script.expr ? `!${val.script.expr}` : "" } }
+		script: { expr: val.script && val.script.expr ? `!${val.script.expr}` : "" }
 	}));
 }
 function toProtoSnapshotFieldHooks(config) {
@@ -7661,7 +8053,7 @@ function processNestedFieldsFromSnapshot(fields) {
 			allowedValues: fieldConfig.allowedValues?.map((v) => ({ ...v })) ?? [],
 			description: fieldConfig.description || "",
 			validate: toProtoSnapshotFieldValidate(fieldConfig),
-			required: fieldConfig.required ?? true,
+			required: fieldConfig.required,
 			array: fieldConfig.array ?? false,
 			index: false,
 			unique: false,
@@ -7676,7 +8068,7 @@ function processNestedFieldsFromSnapshot(fields) {
 		allowedValues: fieldConfig.type === "enum" ? fieldConfig.allowedValues?.map((v) => ({ ...v })) ?? [] : [],
 		description: fieldConfig.description || "",
 		validate: toProtoSnapshotFieldValidate(fieldConfig),
-		required: fieldConfig.required ?? true,
+		required: fieldConfig.required,
 		array: fieldConfig.array ?? false,
 		index: false,
 		unique: false,
@@ -8037,19 +8429,19 @@ function buildPreMigrationChangesMap(pendingMigrations) {
 function applyPreMigrationFieldAdjustments(fields, typeChanges) {
 	for (const [fieldName, change] of typeChanges) {
 		if (change.kind === "field_removed") {
-			if (change.before) fields[fieldName] = convertFieldConfigToProto(change.before);
+			fields[fieldName] = convertFieldConfigToProto(change.before);
 			continue;
 		}
 		const field = fields[fieldName];
 		if (!field) continue;
 		if (change.kind === "field_added") {
-			if (change.after?.required) field.required = false;
+			if (change.after.required) field.required = false;
 			continue;
 		}
 		const { before, after } = change;
-		if (!before?.required && after?.required) field.required = false;
-		if (!(before?.unique ?? false) && (after?.unique ?? false)) field.unique = false;
-		if (before?.allowedValues && after?.allowedValues) {
+		if (!before.required && after.required) field.required = false;
+		if (!(before.unique ?? false) && (after.unique ?? false)) field.unique = false;
+		if (before.allowedValues && after.allowedValues) {
 			const afterValues = new Set(after.allowedValues.map((v) => v.value));
 			if (before.allowedValues.filter((v) => !afterValues.has(v.value)).length > 0) {
 				const valueMap = /* @__PURE__ */ new Map();
@@ -8818,8 +9210,17 @@ async function applyTailorDB(client, result, phase = "create-update") {
 				logger.newline();
 			}
 			for (const migration of pendingMigrations) {
-				await executeSingleMigrationPrePhase(client, changeSet, migration, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
-				if (migration.hasScript && migrationCtx) await executeMigrations(migrationCtx, [migration]);
+				try {
+					await executeSingleMigrationPrePhase(client, changeSet, migration, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
+					if (migration.hasScript && migrationCtx) await executeMigrations(migrationCtx, [migration]);
+				} catch (error) {
+					try {
+						await rollbackSingleMigrationPrePhase(client, changeSet, migration, migrationContext.workspaceId, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
+					} catch (rollbackError) {
+						logger.warn(`Failed to roll back migration ${migration.namespace}/${formatMigrationNumber(migration.number)}: ${rollbackError instanceof Error ? rollbackError.message : String(rollbackError)}`);
+					}
+					throw error;
+				}
 				await executeSingleMigrationPostPhase(client, changeSet, migration, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
 				await updateMigrationLabel(client, migrationContext.workspaceId, migration.namespace, migration.number);
 			}
@@ -8940,6 +9341,17 @@ function buildSnapshotTypeManifest(migration, typeName, tailorDBInputs, executor
 	});
 }
 /**
+* Await every promise to settle, then throw the first rejection. Unlike
+* `Promise.all`, this never leaves sibling operations in flight after a failure,
+* so a following rollback cannot race with still-pending DDL.
+* @param promises - Promises (or already-resolved values) to await
+* @returns {Promise<void>} Resolves once all settle; rejects with the first failure
+*/
+async function awaitAllSettledOrThrow(promises) {
+	const rejected = (await Promise.allSettled(promises)).find((r) => r.status === "rejected");
+	if (rejected) throw rejected.reason;
+}
+/**
 * Execute pre-migration phase for a single migration
 * @param {OperatorClient} client - Operator client instance
 * @param {TailorDBChangeSet} changeSet - TailorDB change set
@@ -8952,7 +9364,7 @@ async function executeSingleMigrationPrePhase(client, changeSet, migration, tail
 	const preMigrationChanges = buildPreMigrationChangesMap([migration]);
 	const affectedTypes = getAffectedTypeNames(migration);
 	const createdBeforeMigration = new Set(processedTypes.created);
-	await Promise.all([
+	await awaitAllSettledOrThrow([
 		...changeSet.type.creates.filter((create) => {
 			const typeName = create.request.tailordbType?.name;
 			return typeName && affectedTypes.has(typeName) && !createdBeforeMigration.has(typeName);
@@ -9007,13 +9419,13 @@ async function executeSingleMigrationPrePhase(client, changeSet, migration, tail
 			const typeName = create.request.tailordbType?.name;
 			return create.request.namespaceName === migration.namespace && typeName && gqlPermissionTypeNames.has(typeName) && !processedTypes.created.has(typeName);
 		});
-		if (missingTypeCreates.length > 0) await Promise.all(missingTypeCreates.map((create) => {
+		if (missingTypeCreates.length > 0) await awaitAllSettledOrThrow(missingTypeCreates.map((create) => {
 			const typeName = create.request.tailordbType?.name;
 			if (typeName) processedTypes.created.add(typeName);
 			return client.createTailorDBType(create.request);
 		}));
 		processedTypes.gqlPermissionsProcessed.add(migration.namespace);
-		await Promise.all([...gqlPermissionCreatesForNamespace.map((create) => client.createTailorDBGQLPermission(create.request)), ...gqlPermissionUpdatesForNamespace.map((update) => client.updateTailorDBGQLPermission(update.request))]);
+		await awaitAllSettledOrThrow([...gqlPermissionCreatesForNamespace.map((create) => client.createTailorDBGQLPermission(create.request)), ...gqlPermissionUpdatesForNamespace.map((update) => client.updateTailorDBGQLPermission(update.request))]);
 	}
 }
 /**
@@ -9094,6 +9506,67 @@ async function executeSingleMigrationPostPhase(client, changeSet, migration, tai
 	}
 }
 /**
+* Revert a single migration's Pre-phase DDL to the prior checkpoint's schema.
+* @param client - Operator client instance
+* @param changeSet - TailorDB change set
+* @param migration - The migration whose Pre-phase DDL must be reverted
+* @param workspaceId - Workspace ID
+* @param tailorDBInputs - Deploy inputs, used to resolve namespace gqlOperations for the snapshot
+* @param executorUsedTypes - Types used by executors (drives publishRecordEvents default)
+* @returns {Promise<void>} Promise that resolves when rollback attempts complete
+*/
+async function rollbackSingleMigrationPrePhase(client, changeSet, migration, workspaceId, tailorDBInputs, executorUsedTypes) {
+	if (migration.number <= 0) return;
+	const namespaceTypes = getAffectedTypeNames(migration);
+	for (const create of changeSet.type.creates) {
+		const name = create.request.tailordbType?.name;
+		if (create.request.namespaceName === migration.namespace && name) namespaceTypes.add(name);
+	}
+	for (const update of changeSet.type.updates) {
+		const name = update.request.tailordbType?.name;
+		if (update.request.namespaceName === migration.namespace && name) namespaceTypes.add(name);
+	}
+	const applied = new Set([...processedTypes.created, ...processedTypes.updated]);
+	const rollbackTypes = new Set([...namespaceTypes].filter((name) => applied.has(name)));
+	if (rollbackTypes.size === 0) return;
+	const priorSnapshot = reconstructSnapshotFromMigrations(migration.migrationsDir, migration.number - 1);
+	if (!priorSnapshot) {
+		logger.warn(`Cannot roll back migration ${migration.namespace}/${formatMigrationNumber(migration.number)}: prior snapshot (migration ${formatMigrationNumber(migration.number - 1)}) could not be reconstructed. Leaving schema as-is; manual repair may be required.`);
+		return;
+	}
+	const input = tailorDBInputs.find((i) => i.namespace === migration.namespace);
+	logger.warn(`Migration ${migration.namespace}/${formatMigrationNumber(migration.number)} failed; rolling back its pre-migration schema changes.`);
+	for (const typeName of rollbackTypes) {
+		const priorType = priorSnapshot.types[typeName];
+		try {
+			if (priorType) {
+				const manifest = generateTailorDBTypeManifestFromSnapshot(priorType, {
+					publishRecordEvents: executorUsedTypes.has(priorType.name),
+					namespaceGqlOperations: input?.config.gqlOperations
+				});
+				await client.updateTailorDBType({
+					workspaceId,
+					namespaceName: migration.namespace,
+					tailordbType: manifest
+				});
+			} else {
+				await client.deleteTailorDBGQLPermission({
+					workspaceId,
+					namespaceName: migration.namespace,
+					typeName
+				}).catch(() => void 0);
+				await client.deleteTailorDBType({
+					workspaceId,
+					namespaceName: migration.namespace,
+					tailordbTypeName: typeName
+				});
+			}
+		} catch (rollbackError) {
+			logger.warn(`Failed to roll back type '${typeName}' in namespace '${migration.namespace}': ${rollbackError instanceof Error ? rollbackError.message : String(rollbackError)}`);
+		}
+	}
+}
+/**
 * Convert a runtime TailorDBService to the snapshot-shaped deploy input.
 * @param service - Loaded TailorDB service (after `loadTypes()`)
 * @returns The canonical snapshot-shaped deploy input for downstream plan/apply phases.
@@ -9512,17 +9985,7 @@ async function checkMigrationDiffs(typesByNamespace, namespacesWithMigrations) {
 	for (const { namespace, migrationsDir } of namespacesWithMigrations) {
 		const localTypes = typesByNamespace.get(namespace);
 		if (!localTypes) continue;
-		let previousSnapshot;
-		try {
-			previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
-		} catch {
-			results.push({
-				namespace,
-				migrationsDir,
-				hasDiff: false
-			});
-			continue;
-		}
+		const previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
 		if (!previousSnapshot) {
 			results.push({
 				namespace,
@@ -9610,7 +10073,7 @@ async function applyWorkflow(client, result, phase = "create-update") {
 				workflowId: del.workflowId
 			})
 		})));
-		await deleteAllSettled((result.jobFunctionDeletes ?? collectDeletableJobFunctions(changeSet.deletes)).map((del) => ({
+		await deleteAllSettled(result.jobFunctionDeletes.map((del) => ({
 			resourceType: "workflow job function",
 			resourceName: del.jobFunctionName,
 			run: () => client.deleteWorkflowJobFunction({
@@ -9637,20 +10100,6 @@ async function deleteAllSettled(operations) {
 	const firstError = errors[0];
 	if (firstError) throw firstError;
 }
-function collectDeletableJobFunctions(deletes) {
-	const seen = /* @__PURE__ */ new Set();
-	const jobFunctions = [];
-	for (const del of deletes) for (const jobFunctionName of del.deletableJobNames) {
-		const key = `${del.workspaceId}\0${jobFunctionName}`;
-		if (seen.has(key)) continue;
-		seen.add(key);
-		jobFunctions.push({
-			workspaceId: del.workspaceId,
-			jobFunctionName
-		});
-	}
-	return jobFunctions;
-}
 /**
 * Filter job function versions to only include those used by a workflow
 * @param allVersions - Map of job function names to versions
@@ -10195,7 +10644,7 @@ async function shouldForceApplyAll(client, workspaceId, application, functionEnt
 	});
 	for (const trn of candidateTrns) try {
 		const { metadata } = await client.getMetadata({ trn });
-		if (metadata?.labels?.["sdk-name"] !== application.name) continue;
+		if (metadata?.labels["sdk-name"] !== application.name) continue;
 		if (!hasMatchingSdkVersion(metadata.labels, desiredLabels)) return true;
 	} catch (error) {
 		if (error instanceof ConnectError && error.code === Code.NotFound) continue;
@@ -10322,9 +10771,13 @@ async function deploy(options) {
 			const buildOnly = options?.buildOnly ?? parseBoolean(process.env.TAILOR_PLATFORM_SDK_BUILD_ONLY) === true;
 			const { config, plugins } = await withSpan("build.loadConfig", async () => {
 				const foundPath = loadConfigPath(options?.configPath);
-				if (foundPath && !dryRun && !buildOnly) {
+				if (foundPath) {
 					const resolvedPath = path.resolve(process.cwd(), foundPath);
-					if (fs$1.existsSync(resolvedPath)) await ensureConfigId(resolvedPath);
+					if (fs$1.existsSync(resolvedPath)) await ensureConfigIdForDeploy({
+						configPath: resolvedPath,
+						dryRun,
+						buildOnly
+					});
 				}
 				return loadConfig(options?.configPath);
 			});
@@ -10732,7 +11185,7 @@ function formatSubjectEvent(subject, eventTypes) {
 }
 function formatTypedEventTrigger(config) {
 	const typedConfig = config.typedConfig;
-	if (!typedConfig || typedConfig.case === void 0) return null;
+	if (typedConfig.case === void 0) return null;
 	switch (typedConfig.case) {
 		case "tailordb": return formatSubjectEvent(typedConfig.value.typeName, typedConfig.value.eventTypes);
 		case "pipeline": return formatSubjectEvent(typedConfig.value.resolverName, typedConfig.value.eventTypes);
@@ -10804,7 +11257,7 @@ function formatTriggerConfig(executor) {
 }
 function formatEventTriggerConfig(config) {
 	const typedConfig = config.typedConfig;
-	if (!typedConfig || typedConfig.case === void 0) return {
+	if (typedConfig.case === void 0) return {
 		eventType: config.eventType,
 		condition: config.condition?.expr || ""
 	};
@@ -11516,6 +11969,11 @@ async function startWorkflowCore(options) {
 	}
 }
 async function startWorkflowByName(options) {
+	const machineUser = await loadMachineUserName({
+		machineUser: options.machineUser,
+		profile: options.profile
+	});
+	if (!machineUser) throw new Error("Machine user is required. Specify --machine-user, set TAILOR_PLATFORM_MACHINE_USER_NAME, or set a profile default with 'tailor-sdk profile update <profile> --machine-user <name>'.");
 	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
@@ -11533,7 +11991,7 @@ async function startWorkflowByName(options) {
 		workflowName: options.name,
 		authInvoker: {
 			namespace: application.authNamespace,
-			machineUserName: options.machineUser
+			machineUserName: machineUser
 		},
 		arg: options.arg,
 		interval: options.interval
@@ -11559,10 +12017,10 @@ const startCommand = defineAppCommand({
 	args: z.object({
 		...deploymentArgs,
 		...nameArgs,
-		"machine-user": arg(z.string(), {
+		"machine-user": arg(z.string().optional(), {
 			alias: "m",
 			hiddenAlias: "machineuser",
-			description: "Machine user name",
+			description: "Machine user name. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
 		arg: arg(z.string().optional(), {
@@ -13387,6 +13845,11 @@ const listCommand$7 = defineAppCommand({
 * @returns Machine user token info
 */
 async function getMachineUserToken(options) {
+	const name = await loadMachineUserName({
+		machineUser: options.name,
+		profile: options.profile
+	});
+	if (!name) throw new Error("Machine user is required. Provide the NAME positional argument, set TAILOR_PLATFORM_MACHINE_USER_NAME, or set a profile default with 'tailor-sdk profile update <profile> --machine-user <name>'.");
 	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
@@ -13401,9 +13864,9 @@ async function getMachineUserToken(options) {
 	const { machineUser } = await client.getAuthMachineUser({
 		workspaceId,
 		authNamespace: application.authNamespace,
-		name: options.name
+		name
 	});
-	if (!machineUser) throw new Error(`Machine user ${options.name} not found.`);
+	if (!machineUser) throw new Error(`Machine user ${name} not found.`);
 	const resp = await fetchMachineUserToken(application.url, machineUser.clientId, machineUser.clientSecret);
 	const expiresAt = /* @__PURE__ */ new Date();
 	expiresAt.setSeconds(expiresAt.getSeconds() + resp.expires_in);
@@ -13418,9 +13881,10 @@ const tokenCommand = defineAppCommand({
 	description: "Get an access token for a machine user.",
 	args: z.object({
 		...deploymentArgs,
-		name: arg(z.string(), {
+		name: arg(z.string().optional(), {
 			positional: true,
-			description: "Machine user name"
+			description: "Machine user name. Falls back to the active profile's default machine user.",
+			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		})
 	}).strict(),
 	run: async (args) => {
@@ -14415,13 +14879,13 @@ function extractBreakingChangeFields(diff) {
 	const optionalToRequired = /* @__PURE__ */ new Map();
 	const addedRequiredFields = /* @__PURE__ */ new Map();
 	const enumValueChanges = /* @__PURE__ */ new Map();
-	for (const change of diff.changes) if (change.kind === "field_modified" && change.fieldName) {
+	for (const change of diff.changes) if (change.kind === "field_modified") {
 		const { before, after } = change;
-		if (before && after && !before.required && after.required) {
+		if (!before.required && after.required) {
 			if (!optionalToRequired.has(change.typeName)) optionalToRequired.set(change.typeName, /* @__PURE__ */ new Set());
 			assertDefined(optionalToRequired.get(change.typeName), "optionalToRequired entry missing").add(change.fieldName);
 		}
-		if (before && after && before.type === "enum" && after.type === "enum" && before.allowedValues && after.allowedValues) {
+		if (before.type === "enum" && after.type === "enum" && before.allowedValues && after.allowedValues) {
 			const beforeValues = before.allowedValues.map((v) => v.value);
 			const afterValues = after.allowedValues.map((v) => v.value);
 			const beforeSet = new Set(beforeValues);
@@ -14434,9 +14898,9 @@ function extractBreakingChangeFields(diff) {
 				});
 			}
 		}
-	} else if (change.kind === "field_added" && change.fieldName) {
+	} else if (change.kind === "field_added") {
 		const { after } = change;
-		if (after && after.required) {
+		if (after.required) {
 			if (!addedRequiredFields.has(change.typeName)) addedRequiredFields.set(change.typeName, /* @__PURE__ */ new Map());
 			assertDefined(addedRequiredFields.get(change.typeName), "addedRequiredFields entry missing").set(change.fieldName, after);
 		}
@@ -14920,7 +15384,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-DSXntqnV.mjs");
+	const { defineApplication } = await import("./application-av2raLs6.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -14937,10 +15401,7 @@ async function generate(options) {
 		await tailordbService.processNamespacePlugins();
 		const localTypesObj = tailordbService.types;
 		const currentSnapshot = createSnapshotFromLocalTypes(localTypesObj, namespace);
-		let previousSnapshot = null;
-		try {
-			previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
-		} catch {}
+		const previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
 		if (!previousSnapshot) await generateInitialSnapshot(currentSnapshot, migrationsDir);
 		else await generateDiffFromSnapshot(previousSnapshot, currentSnapshot, migrationsDir, options);
 	}
@@ -16506,7 +16967,7 @@ const queryBaseOptionsSchema = z.object({
 	profile: z.string().optional(),
 	configPath: z.string().optional(),
 	engine: queryEngineSchema,
-	machineUser: z.string()
+	machineUser: z.string().optional()
 });
 const queryOptionsSchema = queryBaseOptionsSchema.extend({ query: z.string() });
 async function getNamespaceFromSqlQuery(workspaceId, query, client, namespaces) {
@@ -16529,6 +16990,11 @@ async function getNamespaceFromSqlQuery(workspaceId, query, client, namespaces)
 async function loadOptions(options) {
 	const result = queryBaseOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "validation error missing issues").message);
+	const machineUser = await loadMachineUserName({
+		machineUser: result.data.machineUser,
+		profile: result.data.profile
+	});
+	if (!machineUser) throw new Error("Machine user is required. Specify --machine-user, set TAILOR_PLATFORM_MACHINE_USER_NAME, or set a profile default with 'tailor-sdk profile update <profile> --machine-user <name>'.");
 	const client = await initOperatorClient(await loadAccessToken({ profile: result.data.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: result.data.workspaceId,
@@ -16544,9 +17010,9 @@ async function loadOptions(options) {
 	const { machineUser: machineUserResource } = await client.getAuthMachineUser({
 		workspaceId,
 		authNamespace: application.authNamespace,
-		name: result.data.machineUser
+		name: machineUser
 	});
-	if (!machineUserResource) throw new Error(`Machine user ${result.data.machineUser} not found.`);
+	if (!machineUserResource) throw new Error(`Machine user ${machineUser} not found.`);
 	return {
 		engine: result.data.engine,
 		client,
@@ -16696,7 +17162,7 @@ async function prepareQueryExecutor(options) {
 				error,
 				engine,
 				namespace,
-				machineUser: options.machineUser
+				machineUser: machineUserResource.name
 			});
 		}
 	};
@@ -16910,10 +17376,10 @@ const queryCommand = defineAppCommand({
 			description: "Read query string from file; omit to start REPL mode"
 		}),
 		edit: arg(z.boolean().default(false), { description: "Open a temporary file in your editor; omit to start REPL mode" }),
-		"machine-user": arg(z.string(), {
+		"machine-user": arg(z.string().optional(), {
 			alias: "m",
 			hiddenAlias: "machineuser",
-			description: "Machine user name for query execution",
+			description: "Machine user name for query execution. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
 		"newline-on-enter": arg(z.boolean().optional(), { description: "REPL: when true, Enter inserts a newline and Shift+Enter submits. Use --no-newline-on-enter to swap." })
@@ -17078,5 +17544,5 @@ function isDeno() {
 }
 
 //#endregion
-export { listCommand$5 as $, INITIAL_SCHEMA_NUMBER as $t, truncate as A, configArg as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, generateUserTypes as Cn, triggerExecutor as Ct, resumeWorkflow as D, assertWritable as Dn, jobsCommand as Dt, resumeCommand as E, apiCall as En, getExecutorJob as Et, writeDbTypesFile as F, paginationArgs as Fn, getWorkflowExecution as Ft, organizationTree as G, MIGRATION_LABEL_KEY as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, toPageDirection as In, listWorkflowExecutions as It, listOrganizations as J, compareSnapshotWithRemote as Jt, treeCommand as K, handleOptionalToRequiredError as Kt, openInConfiguredEditor as L, workspaceArgs as Ln, functionExecutionStatusToString as Lt, generate as M, deploymentArgs as Mn, getCommand$5 as Mt, generateCommand as N, isVerbose as Nn, getWorkflow as Nt, listCommand$3 as O, defineAppCommand as On, listExecutorJobs as Ot, generateMigrationScript as P, pagedLogArgs as Pn, executionsCommand as Pt, updateFolder as Q, DIFF_FILE_NAME as Qt, show as R, formatKeyValueTable as Rt, listApps as S, PluginManager as Sn, triggerCommand as St, healthCommand as T, apiCommand as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, bundleMigrationScript as Wt, getOrganization as X, protoGqlPermission as Xt, getCommand$1 as Y, generateAllTypeManifestsFromSnapshot as Yt, updateCommand$2 as Z, DB_TYPES_FILE_NAME as Zt, getWorkspace as _, formatMigrationDiff as _n, listFunctionRegistries as _t, updateUser as a, createSnapshotFromLocalTypes as an, createCommand$1 as at, createCommand as b, resourceTrn as bn, listWebhookExecutors as bt, listCommand as c, getMigrationFilePath as cn, listOAuth2Clients as ct, inviteUser as d, isValidMigrationNumber as dn, getMachineUserToken as dt, MIGRATE_FILE_NAME as en, listFolders as et, restoreCommand as f, loadDiff as fn, tokenCommand as ft, getCommand as g, formatDiffSummary as gn, listCommand$8 as gt, listWorkspaces as h, parseMigrationNumberArg as hn, generate$1 as ht, updateCommand as i, compareSnapshots as in, deleteFolder as it, truncateCommand as j, confirmationArgs as jn, startWorkflow as jt, listWorkflows as k, commonArgs as kn, watchExecutorJob as kt, listUsers as l, getMigrationFiles as ln, getCommand$3 as lt, listCommand$1 as m, formatMigrationNumber as mn, listMachineUsers as mt, query as n, assertValidMigrationFiles as nn, getFolder as nt, removeCommand as o, getLatestMigrationNumber as on, createFolder as ot, restoreWorkspace as p, reconstructSnapshotFromMigrations as pn, listCommand$7 as pt, listCommand$4 as q, parseMigrationLabelNumber as qt, queryCommand as r, compareLocalTypesWithSnapshot as rn, deleteCommand$1 as rt, removeUser as s, getMigrationDirPath as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, SCHEMA_FILE_NAME as tn, getCommand$2 as tt, inviteCommand as u, getNextMigrationNumber as un, getOAuth2Client as ut, deleteCommand as v, hasChanges as vn, getCommand$4 as vt, getAppHealth as w, prompt as wn, listCommand$9 as wt, createWorkspace as x, sdkNameLabelKey as xn, webhookCommand as xt, deleteWorkspace as y, getNamespacesWithMigrations as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-C6o4hiYq.mjs.map
+export { listCommand$5 as $, INITIAL_SCHEMA_NUMBER as $t, truncate as A, commonArgs as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, PluginManager as Cn, triggerExecutor as Ct, resumeWorkflow as D, apiCall as Dn, jobsCommand as Dt, resumeCommand as E, apiCommand as En, getExecutorJob as Et, writeDbTypesFile as F, pagedLogArgs as Fn, getWorkflowExecution as Ft, organizationTree as G, MIGRATION_LABEL_KEY as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, paginationArgs as In, listWorkflowExecutions as It, listOrganizations as J, compareSnapshotWithRemote as Jt, treeCommand as K, handleOptionalToRequiredError as Kt, openInConfiguredEditor as L, toPageDirection as Ln, functionExecutionStatusToString as Lt, generate as M, confirmationArgs as Mn, getCommand$5 as Mt, generateCommand as N, deploymentArgs as Nn, getWorkflow as Nt, listCommand$3 as O, assertWritable as On, listExecutorJobs as Ot, generateMigrationScript as P, isVerbose as Pn, executionsCommand as Pt, updateFolder as Q, DIFF_FILE_NAME as Qt, show as R, workspaceArgs as Rn, formatKeyValueTable as Rt, listApps as S, sdkNameLabelKey as Sn, triggerCommand as St, healthCommand as T, prompt as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, bundleMigrationScript as Wt, getOrganization as X, protoGqlPermission as Xt, getCommand$1 as Y, generateAllTypeManifestsFromSnapshot as Yt, updateCommand$2 as Z, DB_TYPES_FILE_NAME as Zt, getWorkspace as _, formatMigrationDiff as _n, listFunctionRegistries as _t, updateUser as a, createSnapshotFromLocalTypes as an, createCommand$1 as at, createCommand as b, ensureConfigId as bn, listWebhookExecutors as bt, listCommand as c, getMigrationFilePath as cn, listOAuth2Clients as ct, inviteUser as d, isValidMigrationNumber as dn, getMachineUserToken as dt, MIGRATE_FILE_NAME as en, listFolders as et, restoreCommand as f, loadDiff as fn, tokenCommand as ft, getCommand as g, formatDiffSummary as gn, listCommand$8 as gt, listWorkspaces as h, parseMigrationNumberArg as hn, generate$1 as ht, updateCommand as i, compareSnapshots as in, deleteFolder as it, truncateCommand as j, configArg as jn, startWorkflow as jt, listWorkflows as k, defineAppCommand as kn, watchExecutorJob as kt, listUsers as l, getMigrationFiles as ln, getCommand$3 as lt, listCommand$1 as m, formatMigrationNumber as mn, listMachineUsers as mt, query as n, assertValidMigrationFiles as nn, getFolder as nt, removeCommand as o, getLatestMigrationNumber as on, createFolder as ot, restoreWorkspace as p, reconstructSnapshotFromMigrations as pn, listCommand$7 as pt, listCommand$4 as q, parseMigrationLabelNumber as qt, queryCommand as r, compareLocalTypesWithSnapshot as rn, deleteCommand$1 as rt, removeUser as s, getMigrationDirPath as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, SCHEMA_FILE_NAME as tn, getCommand$2 as tt, inviteCommand as u, getNextMigrationNumber as un, getOAuth2Client as ut, deleteCommand as v, hasChanges as vn, getCommand$4 as vt, getAppHealth as w, generateUserTypes as wn, listCommand$9 as wt, createWorkspace as x, resourceTrn as xn, webhookCommand as xt, deleteWorkspace as y, getNamespacesWithMigrations as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
+//# sourceMappingURL=runtime-C7qTBDD2.mjs.map