@tailor-platform/sdk 1.63.0 → 1.65.0

package/CHANGELOG.md

@@ -1,5 +1,45 @@
 # @tailor-platform/sdk
 
+## 1.65.0
+### Minor Changes
+
+
+
+- [#1456](https://github.com/tailor-platform/sdk/pull/1456) [`5401fa8`](https://github.com/tailor-platform/sdk/commit/5401fa8a179af6adbf6edddba2307d55ae1cbc0b) Thanks [@k1LoW](https://github.com/k1LoW)! - Type the `federated_identity` claim in the `beforeLogin` hook. When a user signs in through a Built-in IdP OAuth provider (Google or Microsoft), `claims.federated_identity` now exposes the upstream provider's profile (`provider` plus profile claims such as `picture`, `name`, `given_name`, `family_name`, `locale`) with autocompletion, while arbitrary IdP claims remain reachable. Adds the `FederatedIdentity`, `FederatedIdentityClaims`, `FederatedIdentityProvider`, and `BeforeLoginClaims` types.
+
+
+### Patch Changes
+
+
+
+- [#1449](https://github.com/tailor-platform/sdk/pull/1449) [`016aff6`](https://github.com/tailor-platform/sdk/commit/016aff6aab31c334c57a5e5244453f2dd559c008) Thanks [@k1LoW](https://github.com/k1LoW)! - Document the `userAuthPolicy`, `gqlOperations`, and `lang` options of `defineIdp()` in the IdP service guide, including the password policy fields, allowed email domains, Google/Microsoft social login, the read-only `"query"` shortcut, and the cross-field validation constraints.
+
+
+
+- [#1450](https://github.com/tailor-platform/sdk/pull/1450) [`162ba62`](https://github.com/tailor-platform/sdk/commit/162ba629e0d511593718f289b93788d5d56778da) Thanks [@toiroakr](https://github.com/toiroakr)! - Update OpenTelemetry runtime dependencies to 2.8.0 to resolve a moderate security advisory (GHSA-8988-4f7v-96qf) in `@opentelemetry/core`
+
+
+
+- [#1432](https://github.com/tailor-platform/sdk/pull/1432) [`3a854a3`](https://github.com/tailor-platform/sdk/commit/3a854a3a10b938ce3cf6fe7527de4ab56ecf48d5) Thanks [@toiroakr](https://github.com/toiroakr)! - Roll back a migration's pre-migration schema changes when its data migration (`migrate.ts`) fails during `apply`. A failed migration now leaves the workspace at its prior checkpoint and prior schema instead of half-applied, so subsequent deploys are no longer blocked by opaque "Remote schema drift detected" errors.
+
+
+
+- [#1422](https://github.com/tailor-platform/sdk/pull/1422) [`f3f8427`](https://github.com/tailor-platform/sdk/commit/f3f84277fe1942601d0fcbb8a64c2c26823b5624) Thanks [@dqn](https://github.com/dqn)! - Internal cleanup of proto field optionality handling. No behavior change.
+
+
+
+- [#1421](https://github.com/tailor-platform/sdk/pull/1421) [`b933f47`](https://github.com/tailor-platform/sdk/commit/b933f474d65f8dfed56f3991aae3a52589368b10) Thanks [@dqn](https://github.com/dqn)! - Corrupted or hand-edited TailorDB migration snapshot/diff files now fail with a clear validation error when loaded, instead of causing undefined behavior later.
+
+## 1.64.0
+
+### Minor Changes
+
+- [#1419](https://github.com/tailor-platform/sdk/pull/1419) [`d9b5755`](https://github.com/tailor-platform/sdk/commit/d9b57557d812f107fc02721680aecf2ea5ba24ad) Thanks [@dqn](https://github.com/dqn)! - Add default machine user to CLI profiles. Use `tailor-sdk profile create <name> --machine-user <name>` or `tailor-sdk profile update <name> --machine-user <name>` to store a default machine user on a profile. Commands that require a machine user (`query`, `workflow start`, `function test-run`, `machineuser token`) now fall back to the active profile's default when no machine user is given via the command line (`--machine-user`, or the `NAME` argument for `machineuser token`) or the `TAILOR_PLATFORM_MACHINE_USER_NAME` environment variable. Pass an empty string to `profile update --machine-user ""` to clear the stored default. Profiles also support `--machine-user-override deny`, which locks the machine user to the stored default: any explicit machine user supplied on the command line or via `TAILOR_PLATFORM_MACHINE_USER_NAME` that differs from the profile's value causes commands to fail immediately with error code `PROFILE_MACHINE_USER_OVERRIDE_DENIED`. Use `--machine-user-override allow` (the default) to restore the previous behavior.
+
+### Patch Changes
+
+- [#1414](https://github.com/tailor-platform/sdk/pull/1414) [`1d04806`](https://github.com/tailor-platform/sdk/commit/1d04806e331377d847ac55ac3b9c1dcbb887a1f7) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update oxc
+
 ## 1.63.0
 
 ### Minor Changes

package/dist/{actor-J2gJ0eK5.d.mts → actor-D_2aJjYO.d.mts}

@@ -1,4 +1,4 @@
-import { A as InferredAttributeList, j as InferredAttributeMap } from "./tailordb-BlBGmQK-.mjs";
+import { A as InferredAttributeList, j as InferredAttributeMap } from "./tailordb-C-ar4XCX.mjs";
 
 //#region src/types/actor.d.ts
 /** User type enum values from the Tailor Platform server. */
@@ -21,4 +21,4 @@ type TailorActor = {
 };
 //#endregion
 export { TailorActor as t };
-//# sourceMappingURL=actor-J2gJ0eK5.d.mts.map
+//# sourceMappingURL=actor-D_2aJjYO.d.mts.map

package/dist/{application-BezXGbrU.mjs → application-76hhIhnJ.mjs}

@@ -10,6 +10,7 @@ import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-BH
 import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "./kysely-type-D1e0Vwkd.mjs";
 import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-BH2FbrPV.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
+import { t as createCLIError } from "./errors-EsY4XO6O.mjs";
 import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-CWzF8rry.mjs";
 import { builtinModules, createRequire } from "node:module";
 import { z } from "zod";
@@ -216,7 +217,9 @@ async function deleteKeyringTokens(account) {
 const pfProfileSchema = z.object({
 	user: z.string(),
 	workspace_id: z.string(),
-	readonly: z.boolean().optional()
+	readonly: z.boolean().optional(),
+	machine_user: z.string().optional(),
+	machine_user_override: z.enum(["allow", "deny"]).optional()
 });
 const pfUserSchemaV1 = z.object({
 	access_token: z.string(),
@@ -441,6 +444,40 @@ async function loadWorkspaceId(opts) {
   `);
 }
 /**
+* Load machine user name from command options, environment variables, or platform config.
+* In CLI context, env fallback is also handled by politty's arg env option.
+* Priority: opts/machineUser > env/TAILOR_PLATFORM_MACHINE_USER_NAME > opts/profile (profile default) > undefined.
+* An explicitly empty `opts.machineUser` is rejected with a CLIError (`MACHINE_USER_NAME_EMPTY`) rather than falling back to the env var or profile default.
+* When the active profile has `machine_user_override: "deny"`, an explicit value that differs from the profile's machine user throws a CLIError with code `PROFILE_MACHINE_USER_OVERRIDE_DENIED`.
+* @param opts - Machine user and profile options
+* @returns Resolved machine user name, or undefined if not set
+*/
+async function loadMachineUserName(opts) {
+	if (opts?.machineUser === "") throw createCLIError({
+		code: "MACHINE_USER_NAME_EMPTY",
+		message: "Machine user name cannot be empty.",
+		suggestion: "Pass a non-empty machine user name, or omit the option to use the environment variable or profile default."
+	});
+	const explicit = opts?.machineUser || process.env.TAILOR_PLATFORM_MACHINE_USER_NAME || void 0;
+	const profile = opts?.profile || process.env.TAILOR_PLATFORM_PROFILE;
+	if (!profile) return explicit;
+	const entry = (await readPlatformConfig()).profiles[profile];
+	if (!entry) {
+		if (explicit) return explicit;
+		throw new Error(`Profile "${profile}" not found`);
+	}
+	if (entry.machine_user && entry.machine_user_override === "deny") {
+		if (explicit && explicit !== entry.machine_user) throw createCLIError({
+			code: "PROFILE_MACHINE_USER_OVERRIDE_DENIED",
+			message: `Profile "${profile}" denies overriding the machine user.`,
+			details: `This profile fixes the machine user to "${entry.machine_user}" for application-data commands.`,
+			suggestion: `Omit the machine user option, unset TAILOR_PLATFORM_MACHINE_USER_NAME, or run 'tailor-sdk profile update ${profile} --machine-user-override allow'.`
+		});
+		return entry.machine_user;
+	}
+	return explicit || entry.machine_user;
+}
+/**
 * Load access token from environment variables, command options, or platform config.
 * In CLI context, profile env fallback is also handled by politty's arg env option.
 * Priority: env/TAILOR_PLATFORM_TOKEN > env/TAILOR_TOKEN (deprecated) > opts/profile > env/profile > config/currentUser > error
@@ -2484,7 +2521,7 @@ function normalizeGqlPermission(permission) {
 }
 function normalizeGqlPolicy(policy) {
 	return {
-		conditions: policy.conditions ? normalizeConditions(policy.conditions) : [],
+		conditions: normalizeConditions(policy.conditions),
 		actions: policy.actions === "all" ? ["all"] : policy.actions,
 		permit: policy.permit ? "allow" : "deny",
 		description: policy.description
@@ -2557,7 +2594,7 @@ function normalizeActionPermission(permission) {
 function findOmittedPermitRules(rawPermissions) {
 	const locations = [];
 	const record = rawPermissions.record;
-	if (record) for (const action of Object.keys(record)) record[action]?.forEach((rule, index) => {
+	if (record) for (const action of Object.keys(record)) record[action].forEach((rule, index) => {
 		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`record.${String(action)}[${index}]`);
 	});
 	const gql = rawPermissions.gql;
@@ -5553,5 +5590,5 @@ async function loadApplication(params) {
 }
 
 //#endregion
-export { resolveTokens as A, loadConfig as C, loadConfigPath as D, loadAccessToken as E, writePlatformConfig as M, loadWorkspaceId as O, hashFile as S, fetchLatestToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, INVOKER_EXPR as c, assertUniqueLocalTailorDBTypeNames as d, assertUniqueTailorDBTypeNamesWithExternal as f, composeFunctionTreeshakeOptions as g, platformBundleDefinePlugin as h, resolveInlineSourcemap as i, saveUserTokens as j, readPlatformConfig as k, buildExecutorArgsExpr as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, buildResolverOperationHookExpr as u, resolveBundleLogLevel as v, deleteUserTokens as w, hashContent as x, createBundleCache as y };
-//# sourceMappingURL=application-BezXGbrU.mjs.map
+export { readPlatformConfig as A, loadConfig as C, loadConfigPath as D, loadAccessToken as E, saveUserTokens as M, writePlatformConfig as N, loadMachineUserName as O, hashFile as S, fetchLatestToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, INVOKER_EXPR as c, assertUniqueLocalTailorDBTypeNames as d, assertUniqueTailorDBTypeNamesWithExternal as f, composeFunctionTreeshakeOptions as g, platformBundleDefinePlugin as h, resolveInlineSourcemap as i, resolveTokens as j, loadWorkspaceId as k, buildExecutorArgsExpr as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, buildResolverOperationHookExpr as u, resolveBundleLogLevel as v, deleteUserTokens as w, hashContent as x, createBundleCache as y };
+//# sourceMappingURL=application-76hhIhnJ.mjs.map