npm - @tailor-platform/sdk - Versions diffs - 1.62.0 → 2.0.0-next.0 - Mend

@tailor-platform/sdk 1.62.0 → 2.0.0-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/CHANGELOG.md +69 -0
package/dist/{application-BezXGbrU.mjs → application-76hhIhnJ.mjs} +42 -5
package/dist/application-76hhIhnJ.mjs.map +1 -0
package/dist/application-av2raLs6.mjs +4 -0
package/dist/cli/index.mjs +505 -121
package/dist/cli/index.mjs.map +1 -1
package/dist/cli/lib.d.mts +17 -24
package/dist/cli/lib.mjs +2 -2
package/dist/{runtime-C6o4hiYq.mjs → runtime-C7qTBDD2.mjs} +565 -99
package/dist/runtime-C7qTBDD2.mjs.map +1 -0
package/docs/cli/auth.md +4 -4
package/docs/cli/function.md +8 -8
package/docs/cli/query.md +1 -1
package/docs/cli/setup.md +18 -12
package/docs/cli/workflow.md +10 -10
package/docs/cli/workspace.md +14 -10
package/docs/cli-reference.md +4 -4
package/docs/github-actions.md +337 -0
package/docs/services/idp.md +96 -0
package/docs/services/tailordb-migration.md +17 -6
package/package.json +12 -12
package/dist/application-BezXGbrU.mjs.map +0 -1
package/dist/application-DSXntqnV.mjs +0 -4
package/dist/runtime-C6o4hiYq.mjs.map +0 -1

package/docs/services/idp.md CHANGED Viewed

@@ -125,6 +125,89 @@ defineIdp("my-idp", {
 });
 ```
+### userAuthPolicy
+User authentication policy. Controls password requirements, the identifier used for login, allowed email domains, and social login providers. Every field is optional. The boolean options default to disabled, and the password length fields default to a minimum of 6 and a maximum of 4096.
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  userAuthPolicy: {
+    useNonEmailIdentifier: false,
+    allowSelfPasswordReset: true,
+    passwordRequireUppercase: true,
+    passwordRequireLowercase: true,
+    passwordRequireNonAlphanumeric: true,
+    passwordRequireNumeric: true,
+    passwordMinLength: 8,
+    passwordMaxLength: 128,
+  },
+});
+```
+**Login behavior:**
+- `useNonEmailIdentifier` - Allow a non-email identifier (username) instead of requiring an email address. Default `false`.
+- `allowSelfPasswordReset` - Show the "Forgot password?" flow so users can reset their own password. Default `false`.
+- `disablePasswordAuth` - Remove password authentication entirely. Default `false`. Requires at least one social login provider to be enabled.
+**Password requirements:**
+- `passwordRequireUppercase` - Require at least one uppercase letter. Default `false`.
+- `passwordRequireLowercase` - Require at least one lowercase letter. Default `false`.
+- `passwordRequireNumeric` - Require at least one numeric character. Default `false`.
+- `passwordRequireNonAlphanumeric` - Require at least one non-alphanumeric character. Default `false`.
+- `passwordMinLength` - Minimum password length. Must be between 6 and 30. Default `6`.
+- `passwordMaxLength` - Maximum password length. Must be between 6 and 4096. Default `4096`.
+**Email domains and social login:**
+- `allowedEmailDomains` - Restrict registration to these email domains. An empty list (the default) allows all domains, but a non-empty list is required when `allowGoogleOauth` or `allowMicrosoftOauth` is enabled.
+- `allowGoogleOauth` - Enable the "Sign in with Google" button. Default `false`.
+- `allowMicrosoftOauth` - Enable the "Sign in with Microsoft" button. Default `false`.
+**Constraints:** the following combinations are rejected at parse time.
+- `passwordMinLength` must be less than or equal to `passwordMaxLength`.
+- A non-empty `allowedEmailDomains` cannot be combined with `useNonEmailIdentifier: true` (an empty list is allowed). Enabling `allowGoogleOauth` or `allowMicrosoftOauth` is likewise rejected with `useNonEmailIdentifier: true` (leaving them `false` or unset is fine).
+- `allowGoogleOauth` requires a non-empty `allowedEmailDomains`.
+- `allowMicrosoftOauth` requires both a non-empty `allowedEmailDomains` and `disablePasswordAuth: true`.
+- `disablePasswordAuth` requires `allowGoogleOauth` or `allowMicrosoftOauth`, and cannot be combined with `allowSelfPasswordReset`.
+### gqlOperations
+Controls which GraphQL user-management operations the IdP exposes. All operations are enabled by default. Use this to turn operations off entirely, independent of the `permission` policies that decide who may call them.
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  gqlOperations: {
+    create: true,
+    read: true,
+    update: true,
+    delete: false,
+    sendPasswordResetEmail: false,
+  },
+});
+```
+**Fields:** each field defaults to `true` (enabled). Set a field to `false` to disable that operation.
+- `create` - The `_createUser` mutation.
+- `read` - The `_users` and `_user` query operations.
+- `update` - The `_updateUser` mutation.
+- `delete` - The `_deleteUser` mutation.
+- `sendPasswordResetEmail` - The `_sendPasswordResetEmail` mutation.
+**Shortcut:** pass the string `"query"` to expose a read-only IdP. It enables `read` and disables every mutation.
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  gqlOperations: "query",
+});
+```
 ### authorization (optional, legacy)
 Legacy access control field. Use `permission` instead for fine-grained per-operation control. This field is kept for backward compatibility.
@@ -170,6 +253,19 @@ defineIdp("my-idp", {
 **Validation:** Each field must be 200 characters or less and must not contain newline characters.
+### lang
+UI language for the IdP-hosted pages such as the login and password reset screens.
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  lang: "ja",
+});
+```
+**Values:** `"en"` or `"ja"`.
 ### publishUserEvents
 Publish IdP user lifecycle events (`idp.user.created`, `idp.user.updated`, `idp.user.deleted`). These events are consumed by executors that use `idpUserCreatedTrigger`, `idpUserUpdatedTrigger`, `idpUserDeletedTrigger`, or `idpUserTrigger`.

package/docs/services/tailordb-migration.md CHANGED Viewed

@@ -355,20 +355,21 @@ Coordinate this with your team because everyone else's local migrations will be
 ## Failure Recovery
-If a `migrate.ts` throws:
+If the pre-migration phase or `migrate.ts` fails:
 - **The transaction rolls back** for that migration's script. Database changes the script made are undone.
-- **The pre-migration phase already ran** before the script. Type-level relaxations (e.g., a field changed to optional) **are not undone**. The post-migration phase, including the label bump, does not run.
-- The whole `apply` aborts. Subsequent migrations in the same run do not execute.
+- **The pre-migration schema changes are rolled back** to the prior checkpoint: types that already existed are restored to their previous shape, and types the migration newly introduced are dropped. The workspace is left at its prior checkpoint and prior schema — not half-applied.
+- The whole `apply` aborts and the checkpoint label is not bumped. Subsequent migrations in the same run do not execute.
+The rollback is best-effort per type; if reverting a type fails, a warning is logged and the original migration error is still reported.
 After a failure:
 1. Read the `Logs:` block in the apply output to find the cause.
 2. Fix `migrate.ts` (or the data it depends on).
-3. Re-run `tailor-sdk deploy`. The same migration runs again because its label was never bumped.
-4. If the pre-migration relaxation is causing problems for application code in the meantime, accept the temporary optionality or roll forward with a fix; do not try to manually re-tighten the schema, or you'll create remote drift.
+3. Re-run `tailor-sdk deploy`. The same migration runs again because its label was never bumped, and the prior-checkpoint schema is a clean baseline to retry against.
-If a migration **succeeds in script** but the post-migration phase fails (rare; usually due to constraint violation that the script should have prevented), the situation is the same as above plus the data changes from the script are persisted. Investigate, fix, and re-run.
+If a migration **succeeds in script** but the **post-migration phase** fails (rare; usually a constraint violation the script should have prevented), the pre-migration changes are **not** rolled back: the script's data changes are already committed and the post-migration phase may have dropped removed columns or types, which cannot be reverted without data loss. Investigate, fix, and re-run.
 ## Rollback Strategy
@@ -444,6 +445,16 @@ For genuinely different schemas across environments, prefer separate workspaces
 4. To force the remote schema back to a known snapshot, use `migration sync <N>` (see [`migration sync` Semantics](#migration-sync-semantics)).
 5. As a last resort in non-production environments, `--no-schema-check` skips both checks. Do not use this as a routine workaround.
+### "Invalid schema snapshot" or "Invalid migration diff" error
+**Cause:** A `schema.json` or `diff.json` file in the `migrations/` directory is corrupted or does not match the expected structure. Merge conflicts left in these files are a common cause.
+**Resolution:**
+1. Read the error message — it includes the file path and the offending field.
+2. Restore the file from version control (`git checkout -- <path>`), or regenerate migration files with `migration generate` / `migration script`.
+3. Do not hand-edit `schema.json` or `diff.json`; they are managed by the CLI.
 ### "No machine user available for migration execution"
 **Cause:** Neither `migration.machineUser` is set nor are there any machine users in `auth.machineUsers`.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.62.0",
+  "version": "2.0.0-next.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -146,11 +146,11 @@
     "@jridgewell/trace-mapping": "0.3.31",
     "@napi-rs/keyring": "1.3.0",
     "@opentelemetry/api": "1.9.1",
-    "@opentelemetry/exporter-trace-otlp-proto": "0.218.0",
-    "@opentelemetry/resources": "2.7.1",
-    "@opentelemetry/sdk-trace-node": "2.7.1",
+    "@opentelemetry/exporter-trace-otlp-proto": "0.219.0",
+    "@opentelemetry/resources": "2.8.0",
+    "@opentelemetry/sdk-trace-node": "2.8.0",
     "@opentelemetry/semantic-conventions": "1.41.1",
-    "@oxc-project/types": "0.134.0",
+    "@oxc-project/types": "0.135.0",
     "@standard-schema/spec": "1.1.0",
     "@tailor-platform/function-kysely-tailordb": "0.1.3",
     "@toiroakr/lines-db": "0.9.2",
@@ -169,34 +169,34 @@
     "madge": "8.0.0",
     "mime-types": "3.0.2",
     "open": "11.0.0",
-    "oxc-parser": "0.134.0",
+    "oxc-parser": "0.135.0",
     "p-limit": "7.3.0",
     "pathe": "2.0.3",
     "pgsql-ast-parser": "12.0.2",
     "pkg-types": "2.3.1",
     "politty": "0.5.1",
     "rolldown": "1.1.0",
-    "semver": "7.8.2",
+    "semver": "7.8.3",
     "sql-highlight": "6.1.0",
     "std-env": "4.1.0",
     "table": "6.9.0",
     "ts-cron-validator": "1.1.5",
     "tsx": "4.22.4",
     "type-fest": "5.7.0",
-    "undici": "8.4.0",
+    "undici": "8.4.1",
     "xdg-basedir": "5.1.0",
     "zod": "4.4.3"
   },
   "devDependencies": {
-    "@opentelemetry/sdk-trace-base": "2.7.1",
+    "@opentelemetry/sdk-trace-base": "2.8.0",
     "@types/madge": "5.0.3",
     "@types/mime-types": "3.0.1",
     "@types/node": "24.13.1",
     "@types/semver": "7.7.1",
-    "@typescript/native-preview": "7.0.0-dev.20260605.1",
+    "@typescript/native-preview": "7.0.0-dev.20260612.1",
     "@vitest/coverage-v8": "4.1.8",
-    "oxfmt": "0.53.0",
-    "oxlint": "1.68.0",
+    "oxfmt": "0.54.0",
+    "oxlint": "1.69.0",
     "oxlint-tsgolint": "0.23.0",
     "sonda": "0.11.1",
     "tsdown": "0.22.2",