@tailor-platform/sdk 1.63.0 → 1.65.0

package/dist/{tailordb-BlBGmQK-.d.mts → tailordb-C-ar4XCX.d.mts}

@@ -11,8 +11,8 @@ type InferFieldsOutput<F extends Record<string, {
   _output: any;
   [key: string]: any;
 }>> = DeepWritable<Prettify<NullableToOptional<{ [K in keyof F]: output<F[K]> }>>>;
-type JsonValue = string | number | boolean | null | JsonValue[] | {
-  [key: string]: JsonValue;
+type JsonValue$1 = string | number | boolean | null | JsonValue$1[] | {
+  [key: string]: JsonValue$1;
 };
 /**
  * A looser version of JsonValue that accepts interfaces.
@@ -859,5 +859,5 @@ interface TailorDBType {
   files?: TailorDBTypeMetadata["files"];
 }
 //#endregion
-export { InferredAttributeList as A, FieldOutput as C, Validators as D, FieldValidateInput as E, InferFieldsOutput as F, JsonCompatible as I, JsonValue as L, TailorInvoker as M, TailorUser as N, AttributeList as O, unauthenticatedTailorUser as P, Prettify as R, FieldOptions as S, TailorToTs as T, PluginAttachment as _, TypeSourceInfoEntry as a, EnumValue as b, TailorAnyDBType as c, TailorDBType$1 as d, DBFieldMetadata as f, TailorField as g, SerialConfig as h, TailorDBType as i, InferredAttributeMap as j, AttributeMap as k, TailorDBField as l, GqlOperationsConfig as m, RelationType as n, ValueOperand as o, DefinedDBFieldMetadata as p, TailorDBServiceInput as r, TailorAnyDBField as s, IndexDef as t, TailorDBInstance as u, ArrayFieldOutput as v, TailorFieldType as w, FieldMetadata as x, DefinedFieldMetadata as y, output as z };
-//# sourceMappingURL=tailordb-BlBGmQK-.d.mts.map
+export { InferredAttributeList as A, FieldOutput as C, Validators as D, FieldValidateInput as E, InferFieldsOutput as F, JsonCompatible as I, JsonValue$1 as L, TailorInvoker as M, TailorUser as N, AttributeList as O, unauthenticatedTailorUser as P, Prettify as R, FieldOptions as S, TailorToTs as T, PluginAttachment as _, TypeSourceInfoEntry as a, EnumValue as b, TailorAnyDBType as c, TailorDBType$1 as d, DBFieldMetadata as f, TailorField as g, SerialConfig as h, TailorDBType as i, InferredAttributeMap as j, AttributeMap as k, TailorDBField as l, GqlOperationsConfig as m, RelationType as n, ValueOperand as o, DefinedDBFieldMetadata as p, TailorDBServiceInput as r, TailorAnyDBField as s, IndexDef as t, TailorDBInstance as u, ArrayFieldOutput as v, TailorFieldType as w, FieldMetadata as x, DefinedFieldMetadata as y, output as z };
+//# sourceMappingURL=tailordb-C-ar4XCX.d.mts.map

package/dist/utils/test/index.d.mts

@@ -1,6 +1,6 @@
-import { M as TailorInvoker } from "../../tailordb-BlBGmQK-.mjs";
-import { W as TailorDBType } from "../../workflow.generated-Bf1tWylx.mjs";
-import { At as TailorField, Ct as WORKFLOW_TEST_ENV_KEY, n as output } from "../../index-CLxubakC.mjs";
+import { M as TailorInvoker } from "../../tailordb-C-ar4XCX.mjs";
+import { J as TailorDBType } from "../../workflow.generated-CCDsY0ce.mjs";
+import { At as TailorField, Ct as WORKFLOW_TEST_ENV_KEY, n as output } from "../../index-DcXIjt9F.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/utils/test/mock.d.ts

package/dist/{workflow.generated-Bf1tWylx.d.mts → workflow.generated-CCDsY0ce.d.mts}

@@ -1,7 +1,7 @@
-import { C as FieldOutput$1, D as Validators, E as FieldValidateInput, F as InferFieldsOutput, N as TailorUser, R as Prettify, S as FieldOptions, T as TailorToTs, b as EnumValue, d as TailorDBType$1, f as DBFieldMetadata, g as TailorField, h as SerialConfig, j as InferredAttributeMap, l as TailorDBField$1, m as GqlOperationsConfig, n as RelationType, o as ValueOperand, p as DefinedDBFieldMetadata, r as TailorDBServiceInput, s as TailorAnyDBField$1, t as IndexDef, u as TailorDBInstance$1, v as ArrayFieldOutput, w as TailorFieldType, x as FieldMetadata, y as DefinedFieldMetadata, z as output } from "./tailordb-BlBGmQK-.mjs";
-import { B as IdProvider, G as SCIMAttribute, H as OAuth2ClientInput, J as SCIMConfig, L as AuthInvoker, R as BuiltinIdP, V as OAuth2Client, X as TenantProvider, r as PluginConfigs } from "./plugin-C_FyVSdl.mjs";
+import { C as FieldOutput$1, D as Validators, E as FieldValidateInput, F as InferFieldsOutput, N as TailorUser, R as Prettify, S as FieldOptions, T as TailorToTs, b as EnumValue, d as TailorDBType$1, f as DBFieldMetadata, g as TailorField, h as SerialConfig, j as InferredAttributeMap, l as TailorDBField$1, m as GqlOperationsConfig, n as RelationType, o as ValueOperand, p as DefinedDBFieldMetadata, r as TailorDBServiceInput, s as TailorAnyDBField$1, t as IndexDef, u as TailorDBInstance$1, v as ArrayFieldOutput, w as TailorFieldType, x as FieldMetadata, y as DefinedFieldMetadata, z as output } from "./tailordb-C-ar4XCX.mjs";
+import { B as IdProvider, G as SCIMAttribute, H as OAuth2ClientInput, J as SCIMConfig, L as AuthInvoker, R as BuiltinIdP, V as OAuth2Client, X as TenantProvider, r as PluginConfigs } from "./plugin-DylAsA4Z.mjs";
 import { n as TailorEnv } from "./env-B-g-qgE4.mjs";
-import { IsAny, JsonObject, NonEmptyObject } from "type-fest";
+import { IsAny, JsonObject, JsonValue, NonEmptyObject } from "type-fest";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/configure/types/field.d.ts
@@ -700,8 +700,44 @@ type MachineUser<User extends TailorDBInstance$1, AttributeMap extends UserAttri
 } : {
   attributeList: AttributeListToTuple<User, AttributeList>;
 });
+/** Upstream OAuth provider that federated a login through the Built-in IdP. */
+type FederatedIdentityProvider = "google" | "microsoft";
+/**
+ * Profile claims forwarded from the upstream OAuth provider's ID token.
+ *
+ * Commonly present claims are typed; any other claim the provider issues is
+ * forwarded as-is and reachable through the index signature. Availability
+ * varies by provider (e.g. Microsoft does not issue `picture`).
+ */
+type FederatedIdentityClaims = {
+  name?: string;
+  given_name?: string;
+  family_name?: string;
+  picture?: string;
+  locale?: string;
+  [claim: string]: JsonValue | undefined;
+};
+/**
+ * The upstream identity that federated this login, populated when a user signs
+ * in through a Built-in IdP OAuth provider (Google or Microsoft).
+ *
+ * Available on {@link BeforeLoginClaims.federated_identity}; `undefined` for
+ * password logins.
+ */
+type FederatedIdentity = {
+  provider: FederatedIdentityProvider;
+  claims: FederatedIdentityClaims;
+};
+/**
+ * Token claims passed to the {@link BeforeLoginHook} handler. Carries the IdP's
+ * own claims (e.g. `sub`, `email`) plus, for federated logins, the upstream
+ * provider's profile under {@link BeforeLoginClaims.federated_identity}.
+ */
+type BeforeLoginClaims = JsonObject & {
+  /** Present only for federated (Google/Microsoft) logins; `undefined` for password logins. */federated_identity?: FederatedIdentity;
+};
 type BeforeLoginHookArgs = {
-  claims: JsonObject;
+  claims: BeforeLoginClaims;
   idpConfigName: string; /** Environment variables defined in `defineConfig({ env })`. */
   env: TailorEnv;
 };
@@ -1412,5 +1448,5 @@ type ConcurrencyPolicy = {
   /** Maximum number of concurrent executions (1-1000) */maxConcurrentExecutions: number;
 };
 //#endregion
-export { BeforeLoginHookArgs as A, TailorAnyDBField as B, IdPGqlOperationsInput as C, AuthExternalConfig as D, AuthConnectionTokenResult as E, UserAttributeListKey as F, db as G, TailorDBField as H, UserAttributeMap as I, TailorTypePermission as J, PermissionCondition as K, UsernameFieldKey as L, OAuth2ClientGrantType as M, SCIMAttributeType as N, AuthOwnConfig as O, UserAttributeKey as P, AllowedValuesOutput as Q, AuthConnectionConfig as R, IdPGqlOperations as S, AuthConfig as T, TailorDBInstance as U, TailorAnyDBType as V, TailorDBType as W, unsafeAllowAllTypePermission as X, unsafeAllowAllGqlPermission as Y, AllowedValues as Z, IdPConfig as _, ExecutorServiceConfig as a, IdpDefinitionBrand as b, ResolverServiceConfig as c, WorkflowServiceInput as d, StaticWebsiteConfig as f, SecretsDefinitionBrand as g, SecretsConfig as h, AppConfig as i, DefinedAuth as j, AuthServiceInput as k, ResolverServiceInput as l, StaticWebsiteInput as m, RetryPolicy as n, ExecutorServiceInput as o, StaticWebsiteDefinitionBrand as p, TailorTypeGqlPermission as q, HttpAdapterConfigInput as r, ResolverExternalConfig as s, ConcurrencyPolicy as t, WorkflowServiceConfig as u, IdPExternalConfig as v, IdPInput as w, IdPEmailConfig as x, IdPUserField as y, AuthConnectionOAuth2Config as z };
-//# sourceMappingURL=workflow.generated-Bf1tWylx.d.mts.map
+export { unsafeAllowAllGqlPermission as $, BeforeLoginClaims as A, UserAttributeMap as B, IdPGqlOperationsInput as C, AuthExternalConfig as D, AuthConnectionTokenResult as E, FederatedIdentityProvider as F, TailorAnyDBType as G, AuthConnectionConfig as H, OAuth2ClientGrantType as I, TailorDBType as J, TailorDBField as K, SCIMAttributeType as L, DefinedAuth as M, FederatedIdentity as N, AuthOwnConfig as O, FederatedIdentityClaims as P, TailorTypePermission as Q, UserAttributeKey as R, IdPGqlOperations as S, AuthConfig as T, AuthConnectionOAuth2Config as U, UsernameFieldKey as V, TailorAnyDBField as W, PermissionCondition as X, db as Y, TailorTypeGqlPermission as Z, IdPConfig as _, ExecutorServiceConfig as a, IdpDefinitionBrand as b, ResolverServiceConfig as c, WorkflowServiceInput as d, unsafeAllowAllTypePermission as et, StaticWebsiteConfig as f, SecretsDefinitionBrand as g, SecretsConfig as h, AppConfig as i, BeforeLoginHookArgs as j, AuthServiceInput as k, ResolverServiceInput as l, StaticWebsiteInput as m, RetryPolicy as n, AllowedValuesOutput as nt, ExecutorServiceInput as o, StaticWebsiteDefinitionBrand as p, TailorDBInstance as q, HttpAdapterConfigInput as r, ResolverExternalConfig as s, ConcurrencyPolicy as t, AllowedValues as tt, WorkflowServiceConfig as u, IdPExternalConfig as v, IdPInput as w, IdPEmailConfig as x, IdPUserField as y, UserAttributeListKey as z };
+//# sourceMappingURL=workflow.generated-CCDsY0ce.d.mts.map

package/docs/cli/auth.md

@@ -350,7 +350,7 @@ Get an access token for a machine user.
 **Usage**
 
 ```
-tailor-sdk machineuser token [options] <name>
+tailor-sdk machineuser token [options] [name]
 ```
 
 <!-- politty:command:machineuser token:usage:end -->
@@ -359,9 +359,9 @@ tailor-sdk machineuser token [options] <name>
 
 **Arguments**
 
-| Argument | Description       | Required |
-| -------- | ----------------- | -------- |
-| `name`   | Machine user name | Yes      |
+| Argument | Description                                                                 | Required |
+| -------- | --------------------------------------------------------------------------- | -------- |
+| `name`   | Machine user name. Falls back to the active profile's default machine user. | No       |
 
 <!-- politty:command:machineuser token:arguments:end -->
 

package/docs/cli/function.md

@@ -245,14 +245,14 @@ tailor-sdk function test-run [options] <file>
 
 **Options**
 
-| Option                          | Alias | Description                                                              | Required | Default              | Env                                 |
-| ------------------------------- | ----- | ------------------------------------------------------------------------ | -------- | -------------------- | ----------------------------------- |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                             | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
-| `--profile <PROFILE>`           | `-p`  | Workspace profile                                                        | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
-| `--name <NAME>`                 | `-n`  | Workflow job name to run (matches the `name` field of createWorkflowJob) | No       | -                    | -                                   |
-| `--arg <ARG>`                   | `-a`  | JSON argument to pass to the function                                    | No       | -                    | -                                   |
-| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for authentication                                     | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
-| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                                  | No       | `"tailor.config.ts"` | -                                   |
+| Option                          | Alias | Description                                                                                    | Required | Default              | Env                                 |
+| ------------------------------- | ----- | ---------------------------------------------------------------------------------------------- | -------- | -------------------- | ----------------------------------- |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                                                   | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile                                                                              | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
+| `--name <NAME>`                 | `-n`  | Workflow job name to run (matches the `name` field of createWorkflowJob)                       | No       | -                    | -                                   |
+| `--arg <ARG>`                   | `-a`  | JSON argument to pass to the function                                                          | No       | -                    | -                                   |
+| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for authentication. Falls back to the active profile's default machine user. | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
+| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                                                        | No       | `"tailor.config.ts"` | -                                   |
 
 <!-- politty:command:function test-run:options:end -->
 <!-- politty:command:function test-run:examples:start -->

package/docs/cli/query.md

@@ -33,7 +33,7 @@ tailor-sdk query [options]
 | `--query <QUERY>`               | `-q`  | Query string to execute directly; omit to start REPL mode                                            | No       | -                    | -                                   |
 | `--file <FILE>`                 | `-f`  | Read query string from file; omit to start REPL mode                                                 | No       | -                    | -                                   |
 | `--edit`                        | -     | Open a temporary file in your editor; omit to start REPL mode                                        | No       | `false`              | -                                   |
-| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for query execution                                                                | Yes      | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
+| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for query execution. Falls back to the active profile's default machine user.      | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
 | `--newline-on-enter`            | -     | REPL: when true, Enter inserts a newline and Shift+Enter submits. Use --no-newline-on-enter to swap. | No       | -                    | -                                   |
 
 <!-- politty:command:query:options:end -->

package/docs/cli/workflow.md

@@ -167,16 +167,16 @@ tailor-sdk workflow start [options] <name>
 
 **Options**
 
-| Option                          | Alias | Description                                                    | Required | Default              | Env                                 |
-| ------------------------------- | ----- | -------------------------------------------------------------- | -------- | -------------------- | ----------------------------------- |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                   | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
-| `--profile <PROFILE>`           | `-p`  | Workspace profile                                              | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
-| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                        | No       | `"tailor.config.ts"` | `TAILOR_PLATFORM_SDK_CONFIG_PATH`   |
-| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name                                              | Yes      | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
-| `--arg <ARG>`                   | `-a`  | Workflow argument (JSON string)                                | No       | -                    | -                                   |
-| `--wait`                        | `-W`  | Wait for execution to complete                                 | No       | `false`              | -                                   |
-| `--interval <INTERVAL>`         | `-i`  | Polling interval when using --wait (e.g., '3s', '500ms', '1m') | No       | `"3s"`               | -                                   |
-| `--logs`                        | `-l`  | Display job execution logs after completion (requires --wait)  | No       | `false`              | -                                   |
+| Option                          | Alias | Description                                                                 | Required | Default              | Env                                 |
+| ------------------------------- | ----- | --------------------------------------------------------------------------- | -------- | -------------------- | ----------------------------------- |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                                | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile                                                           | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
+| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                                     | No       | `"tailor.config.ts"` | `TAILOR_PLATFORM_SDK_CONFIG_PATH`   |
+| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name. Falls back to the active profile's default machine user. | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
+| `--arg <ARG>`                   | `-a`  | Workflow argument (JSON string)                                             | No       | -                    | -                                   |
+| `--wait`                        | `-W`  | Wait for execution to complete                                              | No       | `false`              | -                                   |
+| `--interval <INTERVAL>`         | `-i`  | Polling interval when using --wait (e.g., '3s', '500ms', '1m')              | No       | `"3s"`               | -                                   |
+| `--logs`                        | `-l`  | Display job execution logs after completion (requires --wait)               | No       | `false`              | -                                   |
 
 <!-- politty:command:workflow start:options:end -->
 

package/docs/cli/workspace.md

@@ -241,11 +241,13 @@ tailor-sdk profile create [options] <name>
 
 **Options**
 
-| Option                          | Alias | Description                                                                       | Required | Default   |
-| ------------------------------- | ----- | --------------------------------------------------------------------------------- | -------- | --------- |
-| `--user <USER>`                 | `-u`  | User email                                                                        | Yes      | -         |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                                      | Yes      | -         |
-| `--permission <PERMISSION>`     | -     | Profile permission. 'read' blocks all write commands while the profile is active. | No       | `"write"` |
+| Option                                            | Alias | Description                                                                                                                            | Required | Default   |
+| ------------------------------------------------- | ----- | -------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
+| `--user <USER>`                                   | `-u`  | User email                                                                                                                             | Yes      | -         |
+| `--workspace-id <WORKSPACE_ID>`                   | `-w`  | Workspace ID                                                                                                                           | Yes      | -         |
+| `--permission <PERMISSION>`                       | -     | Profile permission. 'read' blocks all write commands while the profile is active.                                                      | No       | `"write"` |
+| `--machine-user <MACHINE_USER>`                   | `-m`  | Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token).                 | No       | -         |
+| `--machine-user-override <MACHINE_USER_OVERRIDE>` | -     | Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user. | No       | -         |
 
 <!-- politty:command:profile create:options:end -->
 
@@ -320,11 +322,13 @@ tailor-sdk profile update [options] <name>
 
 **Options**
 
-| Option                          | Alias | Description                                                                          | Required | Default |
-| ------------------------------- | ----- | ------------------------------------------------------------------------------------ | -------- | ------- |
-| `--user <USER>`                 | `-u`  | New user email                                                                       | No       | -       |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | New workspace ID                                                                     | No       | -       |
-| `--permission <PERMISSION>`     | -     | Profile permission. 'read' blocks all write commands; 'write' lifts the restriction. | No       | -       |
+| Option                                            | Alias | Description                                                                                                                                                           | Required | Default |
+| ------------------------------------------------- | ----- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------- |
+| `--user <USER>`                                   | `-u`  | New user email                                                                                                                                                        | No       | -       |
+| `--workspace-id <WORKSPACE_ID>`                   | `-w`  | New workspace ID                                                                                                                                                      | No       | -       |
+| `--permission <PERMISSION>`                       | -     | Profile permission. 'read' blocks all write commands; 'write' lifts the restriction.                                                                                  | No       | -       |
+| `--machine-user <MACHINE_USER>`                   | `-m`  | Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token). Pass an empty string to clear.                 | No       | -       |
+| `--machine-user-override <MACHINE_USER_OVERRIDE>` | -     | Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user; 'allow' lifts the restriction. | No       | -       |
 
 <!-- politty:command:profile update:options:end -->
 

package/docs/cli-reference.md

@@ -77,7 +77,7 @@ You can use environment variables to configure workspace and authentication:
 | `TAILOR_PLATFORM_SDK_DTS_PATH`               | Output path for generated `tailor.d.ts` type definition file                                      |
 | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID`     | Client ID for `login --machine-user`                                                              |
 | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET` | Client secret for `login --machine-user`                                                          |
-| `TAILOR_PLATFORM_MACHINE_USER_NAME`          | Default machine user name for `query`, `workflow start`, `function test-run`                      |
+| `TAILOR_PLATFORM_MACHINE_USER_NAME`          | Default machine user name for `query`, `workflow start`, `function test-run`, `machineuser token` |
 | `TAILOR_BUNDLE_CONCURRENCY`                  | Max concurrent bundle workers for `deploy` (resolvers/executors/workflows). Defaults to CPU count |
 | `VISUAL` / `EDITOR`                          | Preferred editor for commands that open files (e.g., `vim`, `code`, `nano`)                       |
 | `TAILOR_CRASH_REPORTS_LOCAL`                 | Local crash log writing: `on` (default) or `off`                                                  |

package/docs/services/auth.md

@@ -515,6 +515,25 @@ export const auth = defineAuth("my-auth", {
 
 **invoker**: The machine user whose permissions are used to execute the hook. Must reference a machine user defined in the same auth configuration.
 
+### Federated identity claims
+
+When a user signs in through a Built-in IdP OAuth provider (Google or Microsoft), the upstream provider's profile is available on `claims.federated_identity`. It is `undefined` for password logins, so guard before reading it. Commonly present claims (`name`, `given_name`, `family_name`, `picture`, `locale`) are typed; any other claim the provider issues is forwarded as-is. Availability varies by provider (for example, Microsoft does not issue `picture`).
+
+```typescript
+hooks: {
+  beforeLogin: {
+    handler: async ({ claims }) => {
+      const federated = claims.federated_identity;
+      if (federated?.provider === "google") {
+        // Populate the user record from the upstream profile
+        const avatarUrl = federated.claims.picture;
+      }
+    },
+    invoker: "hook-invoker",
+  },
+}
+```
+
 ## CLI Commands
 
 Manage Auth resources using the CLI:

package/docs/services/idp.md

@@ -125,6 +125,89 @@ defineIdp("my-idp", {
 });
 ```
 
+### userAuthPolicy
+
+User authentication policy. Controls password requirements, the identifier used for login, allowed email domains, and social login providers. Every field is optional. The boolean options default to disabled, and the password length fields default to a minimum of 6 and a maximum of 4096.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  userAuthPolicy: {
+    useNonEmailIdentifier: false,
+    allowSelfPasswordReset: true,
+    passwordRequireUppercase: true,
+    passwordRequireLowercase: true,
+    passwordRequireNonAlphanumeric: true,
+    passwordRequireNumeric: true,
+    passwordMinLength: 8,
+    passwordMaxLength: 128,
+  },
+});
+```
+
+**Login behavior:**
+
+- `useNonEmailIdentifier` - Allow a non-email identifier (username) instead of requiring an email address. Default `false`.
+- `allowSelfPasswordReset` - Show the "Forgot password?" flow so users can reset their own password. Default `false`.
+- `disablePasswordAuth` - Remove password authentication entirely. Default `false`. Requires at least one social login provider to be enabled.
+
+**Password requirements:**
+
+- `passwordRequireUppercase` - Require at least one uppercase letter. Default `false`.
+- `passwordRequireLowercase` - Require at least one lowercase letter. Default `false`.
+- `passwordRequireNumeric` - Require at least one numeric character. Default `false`.
+- `passwordRequireNonAlphanumeric` - Require at least one non-alphanumeric character. Default `false`.
+- `passwordMinLength` - Minimum password length. Must be between 6 and 30. Default `6`.
+- `passwordMaxLength` - Maximum password length. Must be between 6 and 4096. Default `4096`.
+
+**Email domains and social login:**
+
+- `allowedEmailDomains` - Restrict registration to these email domains. An empty list (the default) allows all domains, but a non-empty list is required when `allowGoogleOauth` or `allowMicrosoftOauth` is enabled.
+- `allowGoogleOauth` - Enable the "Sign in with Google" button. Default `false`.
+- `allowMicrosoftOauth` - Enable the "Sign in with Microsoft" button. Default `false`.
+
+**Constraints:** the following combinations are rejected at parse time.
+
+- `passwordMinLength` must be less than or equal to `passwordMaxLength`.
+- A non-empty `allowedEmailDomains` cannot be combined with `useNonEmailIdentifier: true` (an empty list is allowed). Enabling `allowGoogleOauth` or `allowMicrosoftOauth` is likewise rejected with `useNonEmailIdentifier: true` (leaving them `false` or unset is fine).
+- `allowGoogleOauth` requires a non-empty `allowedEmailDomains`.
+- `allowMicrosoftOauth` requires both a non-empty `allowedEmailDomains` and `disablePasswordAuth: true`.
+- `disablePasswordAuth` requires `allowGoogleOauth` or `allowMicrosoftOauth`, and cannot be combined with `allowSelfPasswordReset`.
+
+### gqlOperations
+
+Controls which GraphQL user-management operations the IdP exposes. All operations are enabled by default. Use this to turn operations off entirely, independent of the `permission` policies that decide who may call them.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  gqlOperations: {
+    create: true,
+    read: true,
+    update: true,
+    delete: false,
+    sendPasswordResetEmail: false,
+  },
+});
+```
+
+**Fields:** each field defaults to `true` (enabled). Set a field to `false` to disable that operation.
+
+- `create` - The `_createUser` mutation.
+- `read` - The `_users` and `_user` query operations.
+- `update` - The `_updateUser` mutation.
+- `delete` - The `_deleteUser` mutation.
+- `sendPasswordResetEmail` - The `_sendPasswordResetEmail` mutation.
+
+**Shortcut:** pass the string `"query"` to expose a read-only IdP. It enables `read` and disables every mutation.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  gqlOperations: "query",
+});
+```
+
 ### authorization (optional, legacy)
 
 Legacy access control field. Use `permission` instead for fine-grained per-operation control. This field is kept for backward compatibility.
@@ -170,6 +253,19 @@ defineIdp("my-idp", {
 
 **Validation:** Each field must be 200 characters or less and must not contain newline characters.
 
+### lang
+
+UI language for the IdP-hosted pages such as the login and password reset screens.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  lang: "ja",
+});
+```
+
+**Values:** `"en"` or `"ja"`.
+
 ### publishUserEvents
 
 Publish IdP user lifecycle events (`idp.user.created`, `idp.user.updated`, `idp.user.deleted`). These events are consumed by executors that use `idpUserCreatedTrigger`, `idpUserUpdatedTrigger`, `idpUserDeletedTrigger`, or `idpUserTrigger`.

package/docs/services/tailordb-migration.md

@@ -355,20 +355,21 @@ Coordinate this with your team because everyone else's local migrations will be
 
 ## Failure Recovery
 
-If a `migrate.ts` throws:
+If the pre-migration phase or `migrate.ts` fails:
 
 - **The transaction rolls back** for that migration's script. Database changes the script made are undone.
-- **The pre-migration phase already ran** before the script. Type-level relaxations (e.g., a field changed to optional) **are not undone**. The post-migration phase, including the label bump, does not run.
-- The whole `apply` aborts. Subsequent migrations in the same run do not execute.
+- **The pre-migration schema changes are rolled back** to the prior checkpoint: types that already existed are restored to their previous shape, and types the migration newly introduced are dropped. The workspace is left at its prior checkpoint and prior schema — not half-applied.
+- The whole `apply` aborts and the checkpoint label is not bumped. Subsequent migrations in the same run do not execute.
+
+The rollback is best-effort per type; if reverting a type fails, a warning is logged and the original migration error is still reported.
 
 After a failure:
 
 1. Read the `Logs:` block in the apply output to find the cause.
 2. Fix `migrate.ts` (or the data it depends on).
-3. Re-run `tailor-sdk deploy`. The same migration runs again because its label was never bumped.
-4. If the pre-migration relaxation is causing problems for application code in the meantime, accept the temporary optionality or roll forward with a fix; do not try to manually re-tighten the schema, or you'll create remote drift.
+3. Re-run `tailor-sdk deploy`. The same migration runs again because its label was never bumped, and the prior-checkpoint schema is a clean baseline to retry against.
 
-If a migration **succeeds in script** but the post-migration phase fails (rare; usually due to constraint violation that the script should have prevented), the situation is the same as above plus the data changes from the script are persisted. Investigate, fix, and re-run.
+If a migration **succeeds in script** but the **post-migration phase** fails (rare; usually a constraint violation the script should have prevented), the pre-migration changes are **not** rolled back: the script's data changes are already committed and the post-migration phase may have dropped removed columns or types, which cannot be reverted without data loss. Investigate, fix, and re-run.
 
 ## Rollback Strategy
 
@@ -444,6 +445,16 @@ For genuinely different schemas across environments, prefer separate workspaces
 4. To force the remote schema back to a known snapshot, use `migration sync <N>` (see [`migration sync` Semantics](#migration-sync-semantics)).
 5. As a last resort in non-production environments, `--no-schema-check` skips both checks. Do not use this as a routine workaround.
 
+### "Invalid schema snapshot" or "Invalid migration diff" error
+
+**Cause:** A `schema.json` or `diff.json` file in the `migrations/` directory is corrupted or does not match the expected structure. Merge conflicts left in these files are a common cause.
+
+**Resolution:**
+
+1. Read the error message — it includes the file path and the offending field.
+2. Restore the file from version control (`git checkout -- <path>`), or regenerate migration files with `migration generate` / `migration script`.
+3. Do not hand-edit `schema.json` or `diff.json`; they are managed by the CLI.
+
 ### "No machine user available for migration execution"
 
 **Cause:** Neither `migration.machineUser` is set nor are there any machine users in `auth.machineUsers`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.63.0",
+  "version": "1.65.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -146,11 +146,11 @@
     "@jridgewell/trace-mapping": "0.3.31",
     "@napi-rs/keyring": "1.3.0",
     "@opentelemetry/api": "1.9.1",
-    "@opentelemetry/exporter-trace-otlp-proto": "0.218.0",
-    "@opentelemetry/resources": "2.7.1",
-    "@opentelemetry/sdk-trace-node": "2.7.1",
+    "@opentelemetry/exporter-trace-otlp-proto": "0.219.0",
+    "@opentelemetry/resources": "2.8.0",
+    "@opentelemetry/sdk-trace-node": "2.8.0",
     "@opentelemetry/semantic-conventions": "1.41.1",
-    "@oxc-project/types": "0.134.0",
+    "@oxc-project/types": "0.135.0",
     "@standard-schema/spec": "1.1.0",
     "@tailor-platform/function-kysely-tailordb": "0.1.3",
     "@toiroakr/lines-db": "0.9.2",
@@ -169,7 +169,7 @@
     "madge": "8.0.0",
     "mime-types": "3.0.2",
     "open": "11.0.0",
-    "oxc-parser": "0.134.0",
+    "oxc-parser": "0.135.0",
     "p-limit": "7.3.0",
     "pathe": "2.0.3",
     "pgsql-ast-parser": "12.0.2",
@@ -188,15 +188,15 @@
     "zod": "4.4.3"
   },
   "devDependencies": {
-    "@opentelemetry/sdk-trace-base": "2.7.1",
+    "@opentelemetry/sdk-trace-base": "2.8.0",
     "@types/madge": "5.0.3",
     "@types/mime-types": "3.0.1",
     "@types/node": "24.13.1",
     "@types/semver": "7.7.1",
-    "@typescript/native-preview": "7.0.0-dev.20260605.1",
+    "@typescript/native-preview": "7.0.0-dev.20260612.1",
     "@vitest/coverage-v8": "4.1.8",
-    "oxfmt": "0.53.0",
-    "oxlint": "1.68.0",
+    "oxfmt": "0.54.0",
+    "oxlint": "1.69.0",
     "oxlint-tsgolint": "0.23.0",
     "sonda": "0.11.1",
     "tsdown": "0.22.2",