@tailor-platform/sdk 1.63.0 → 1.66.0

package/CHANGELOG.md

@@ -1,5 +1,56 @@
 # @tailor-platform/sdk
 
+## 1.66.0
+### Minor Changes
+
+
+
+- [#1343](https://github.com/tailor-platform/sdk/pull/1343) [`f8ad2f7`](https://github.com/tailor-platform/sdk/commit/f8ad2f7f17b9453fc6ac20d25e780b6c420d4525) Thanks [@dqn](https://github.com/dqn)! - Adopt dispatcher-mode shell completion so generated completion scripts resolve the currently visible `tailor-sdk` binary at completion time, allowing project-local SDK installations to provide matching completions. Published SDK packages now include a bundled zsh completion worker so the dispatcher can skip first-use cache generation.
+
+
+
+- [#1402](https://github.com/tailor-platform/sdk/pull/1402) [`2720c06`](https://github.com/tailor-platform/sdk/commit/2720c06e1b7029df6518449abd7d5b7c480903e3) Thanks [@dragon3](https://github.com/dragon3)! - Add `defineAIGateway()` for declaring AI Gateways in `tailor.config.ts`. Configure with `authNamespace` (required) and an optional `cors` allow-list; reference the deployed gateway domain via the `domain` getter. Gateways are created, updated, and removed by `tailor deploy` / `tailor remove` against the platform's AI Gateway API.
+
+## 1.65.0
+### Minor Changes
+
+
+
+- [#1456](https://github.com/tailor-platform/sdk/pull/1456) [`5401fa8`](https://github.com/tailor-platform/sdk/commit/5401fa8a179af6adbf6edddba2307d55ae1cbc0b) Thanks [@k1LoW](https://github.com/k1LoW)! - Type the `federated_identity` claim in the `beforeLogin` hook. When a user signs in through a Built-in IdP OAuth provider (Google or Microsoft), `claims.federated_identity` now exposes the upstream provider's profile (`provider` plus profile claims such as `picture`, `name`, `given_name`, `family_name`, `locale`) with autocompletion, while arbitrary IdP claims remain reachable. Adds the `FederatedIdentity`, `FederatedIdentityClaims`, `FederatedIdentityProvider`, and `BeforeLoginClaims` types.
+
+
+### Patch Changes
+
+
+
+- [#1449](https://github.com/tailor-platform/sdk/pull/1449) [`016aff6`](https://github.com/tailor-platform/sdk/commit/016aff6aab31c334c57a5e5244453f2dd559c008) Thanks [@k1LoW](https://github.com/k1LoW)! - Document the `userAuthPolicy`, `gqlOperations`, and `lang` options of `defineIdp()` in the IdP service guide, including the password policy fields, allowed email domains, Google/Microsoft social login, the read-only `"query"` shortcut, and the cross-field validation constraints.
+
+
+
+- [#1450](https://github.com/tailor-platform/sdk/pull/1450) [`162ba62`](https://github.com/tailor-platform/sdk/commit/162ba629e0d511593718f289b93788d5d56778da) Thanks [@toiroakr](https://github.com/toiroakr)! - Update OpenTelemetry runtime dependencies to 2.8.0 to resolve a moderate security advisory (GHSA-8988-4f7v-96qf) in `@opentelemetry/core`
+
+
+
+- [#1432](https://github.com/tailor-platform/sdk/pull/1432) [`3a854a3`](https://github.com/tailor-platform/sdk/commit/3a854a3a10b938ce3cf6fe7527de4ab56ecf48d5) Thanks [@toiroakr](https://github.com/toiroakr)! - Roll back a migration's pre-migration schema changes when its data migration (`migrate.ts`) fails during `apply`. A failed migration now leaves the workspace at its prior checkpoint and prior schema instead of half-applied, so subsequent deploys are no longer blocked by opaque "Remote schema drift detected" errors.
+
+
+
+- [#1422](https://github.com/tailor-platform/sdk/pull/1422) [`f3f8427`](https://github.com/tailor-platform/sdk/commit/f3f84277fe1942601d0fcbb8a64c2c26823b5624) Thanks [@dqn](https://github.com/dqn)! - Internal cleanup of proto field optionality handling. No behavior change.
+
+
+
+- [#1421](https://github.com/tailor-platform/sdk/pull/1421) [`b933f47`](https://github.com/tailor-platform/sdk/commit/b933f474d65f8dfed56f3991aae3a52589368b10) Thanks [@dqn](https://github.com/dqn)! - Corrupted or hand-edited TailorDB migration snapshot/diff files now fail with a clear validation error when loaded, instead of causing undefined behavior later.
+
+## 1.64.0
+
+### Minor Changes
+
+- [#1419](https://github.com/tailor-platform/sdk/pull/1419) [`d9b5755`](https://github.com/tailor-platform/sdk/commit/d9b57557d812f107fc02721680aecf2ea5ba24ad) Thanks [@dqn](https://github.com/dqn)! - Add default machine user to CLI profiles. Use `tailor-sdk profile create <name> --machine-user <name>` or `tailor-sdk profile update <name> --machine-user <name>` to store a default machine user on a profile. Commands that require a machine user (`query`, `workflow start`, `function test-run`, `machineuser token`) now fall back to the active profile's default when no machine user is given via the command line (`--machine-user`, or the `NAME` argument for `machineuser token`) or the `TAILOR_PLATFORM_MACHINE_USER_NAME` environment variable. Pass an empty string to `profile update --machine-user ""` to clear the stored default. Profiles also support `--machine-user-override deny`, which locks the machine user to the stored default: any explicit machine user supplied on the command line or via `TAILOR_PLATFORM_MACHINE_USER_NAME` that differs from the profile's value causes commands to fail immediately with error code `PROFILE_MACHINE_USER_OVERRIDE_DENIED`. Use `--machine-user-override allow` (the default) to restore the previous behavior.
+
+### Patch Changes
+
+- [#1414](https://github.com/tailor-platform/sdk/pull/1414) [`1d04806`](https://github.com/tailor-platform/sdk/commit/1d04806e331377d847ac55ac3b9c1dcbb887a1f7) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update oxc
+
 ## 1.63.0
 
 ### Minor Changes

package/dist/{actor-J2gJ0eK5.d.mts → actor-D_2aJjYO.d.mts}

@@ -1,4 +1,4 @@
-import { A as InferredAttributeList, j as InferredAttributeMap } from "./tailordb-BlBGmQK-.mjs";
+import { A as InferredAttributeList, j as InferredAttributeMap } from "./tailordb-C-ar4XCX.mjs";
 
 //#region src/types/actor.d.ts
 /** User type enum values from the Tailor Platform server. */
@@ -21,4 +21,4 @@ type TailorActor = {
 };
 //#endregion
 export { TailorActor as t };
-//# sourceMappingURL=actor-J2gJ0eK5.d.mts.map
+//# sourceMappingURL=actor-D_2aJjYO.d.mts.map

package/dist/{application-BezXGbrU.mjs → application-DGDmL8i_.mjs}

@@ -1,6 +1,6 @@
 
 import { n as isSdkBranded } from "./brand-DlnJ375c.mjs";
-import { a as fetchAll, d as initOAuth2Client } from "./client-CobIRHl-.mjs";
+import { a as fetchAll, d as initOAuth2Client } from "./client-F0a4cWUM.mjs";
 import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
 import { a as parseBoolean, n as logger, r as styles } from "./logger-DpJyJvNz.mjs";
 import { a as TailorFieldSchema, i as AuthInvokerSchema, n as ExecutorSchema, o as loadFilesWithIgnores, r as AuthConfigSchema, s as functionSchema, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
@@ -10,6 +10,7 @@ import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-BH
 import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "./kysely-type-D1e0Vwkd.mjs";
 import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-BH2FbrPV.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
+import { t as createCLIError } from "./errors-EsY4XO6O.mjs";
 import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-CWzF8rry.mjs";
 import { builtinModules, createRequire } from "node:module";
 import { z } from "zod";
@@ -82,6 +83,7 @@ const AppConfigSchema = z.object({
 	workflow: z.unknown().optional(),
 	httpAdapter: z.unknown().optional(),
 	staticWebsites: z.unknown().optional(),
+	aiGateways: z.unknown().optional(),
 	secrets: z.unknown().optional()
 });
 
@@ -216,7 +218,9 @@ async function deleteKeyringTokens(account) {
 const pfProfileSchema = z.object({
 	user: z.string(),
 	workspace_id: z.string(),
-	readonly: z.boolean().optional()
+	readonly: z.boolean().optional(),
+	machine_user: z.string().optional(),
+	machine_user_override: z.enum(["allow", "deny"]).optional()
 });
 const pfUserSchemaV1 = z.object({
 	access_token: z.string(),
@@ -441,6 +445,40 @@ async function loadWorkspaceId(opts) {
   `);
 }
 /**
+* Load machine user name from command options, environment variables, or platform config.
+* In CLI context, env fallback is also handled by politty's arg env option.
+* Priority: opts/machineUser > env/TAILOR_PLATFORM_MACHINE_USER_NAME > opts/profile (profile default) > undefined.
+* An explicitly empty `opts.machineUser` is rejected with a CLIError (`MACHINE_USER_NAME_EMPTY`) rather than falling back to the env var or profile default.
+* When the active profile has `machine_user_override: "deny"`, an explicit value that differs from the profile's machine user throws a CLIError with code `PROFILE_MACHINE_USER_OVERRIDE_DENIED`.
+* @param opts - Machine user and profile options
+* @returns Resolved machine user name, or undefined if not set
+*/
+async function loadMachineUserName(opts) {
+	if (opts?.machineUser === "") throw createCLIError({
+		code: "MACHINE_USER_NAME_EMPTY",
+		message: "Machine user name cannot be empty.",
+		suggestion: "Pass a non-empty machine user name, or omit the option to use the environment variable or profile default."
+	});
+	const explicit = opts?.machineUser || process.env.TAILOR_PLATFORM_MACHINE_USER_NAME || void 0;
+	const profile = opts?.profile || process.env.TAILOR_PLATFORM_PROFILE;
+	if (!profile) return explicit;
+	const entry = (await readPlatformConfig()).profiles[profile];
+	if (!entry) {
+		if (explicit) return explicit;
+		throw new Error(`Profile "${profile}" not found`);
+	}
+	if (entry.machine_user && entry.machine_user_override === "deny") {
+		if (explicit && explicit !== entry.machine_user) throw createCLIError({
+			code: "PROFILE_MACHINE_USER_OVERRIDE_DENIED",
+			message: `Profile "${profile}" denies overriding the machine user.`,
+			details: `This profile fixes the machine user to "${entry.machine_user}" for application-data commands.`,
+			suggestion: `Omit the machine user option, unset TAILOR_PLATFORM_MACHINE_USER_NAME, or run 'tailor-sdk profile update ${profile} --machine-user-override allow'.`
+		});
+		return entry.machine_user;
+	}
+	return explicit || entry.machine_user;
+}
+/**
 * Load access token from environment variables, command options, or platform config.
 * In CLI context, profile env fallback is also handled by politty's arg env option.
 * Priority: env/TAILOR_PLATFORM_TOKEN > env/TAILOR_TOKEN (deprecated) > opts/profile > env/profile > config/currentUser > error
@@ -2484,7 +2522,7 @@ function normalizeGqlPermission(permission) {
 }
 function normalizeGqlPolicy(policy) {
 	return {
-		conditions: policy.conditions ? normalizeConditions(policy.conditions) : [],
+		conditions: normalizeConditions(policy.conditions),
 		actions: policy.actions === "all" ? ["all"] : policy.actions,
 		permit: policy.permit ? "allow" : "deny",
 		description: policy.description
@@ -2557,7 +2595,7 @@ function normalizeActionPermission(permission) {
 function findOmittedPermitRules(rawPermissions) {
 	const locations = [];
 	const record = rawPermissions.record;
-	if (record) for (const action of Object.keys(record)) record[action]?.forEach((rule, index) => {
+	if (record) for (const action of Object.keys(record)) record[action].forEach((rule, index) => {
 		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`record.${String(action)}[${index}]`);
 	});
 	const gql = rawPermissions.gql;
@@ -4018,7 +4056,7 @@ const HTTP_METHOD_KEYS = Object.keys(HTTP_METHODS);
 
 //#endregion
 //#region src/parser/service/http-adapter/schema.ts
-const NAME_PATTERN = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
+const NAME_PATTERN$1 = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
 const inputHandlersSchema = z.strictObject({
 	get: functionSchema.optional().describe("Handler for GET requests"),
 	post: functionSchema.optional().describe("Handler for POST requests"),
@@ -4027,7 +4065,7 @@ const inputHandlersSchema = z.strictObject({
 	delete: functionSchema.optional().describe("Handler for DELETE requests")
 }).refine((val) => Object.values(val).some((v) => v !== void 0), "input must declare at least one HTTP method handler").describe("Per-method functions that transform HTTP requests to GraphQL requests");
 const HttpAdapterConfigSchema = z.strictObject({
-	name: z.string().regex(NAME_PATTERN, "name must be 3-63 chars, lowercase alphanumeric with hyphens, not starting or ending with a hyphen").describe("Unique adapter name within the domain"),
+	name: z.string().regex(NAME_PATTERN$1, "name must be 3-63 chars, lowercase alphanumeric with hyphens, not starting or ending with a hyphen").describe("Unique adapter name within the domain"),
 	pathPattern: z.string().min(1).describe("Path pattern with segment wildcards (trailing or single-segment)"),
 	enabled: z.boolean().default(true).describe("Whether the adapter is active"),
 	priority: z.number().int().min(0).default(0).describe("Matching priority; the lowest value wins when multiple adapters match"),
@@ -5047,6 +5085,16 @@ function resolveInlineSourcemap(configValue) {
 	return true;
 }
 
+//#endregion
+//#region src/parser/service/aigateway/schema.ts
+const NAME_PATTERN = /^[a-z0-9][a-z0-9-]{1,28}[a-z0-9]$/;
+const AUTH_NAMESPACE_PATTERN = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
+const AIGatewaySchema = z.object({
+	name: z.string().regex(NAME_PATTERN, "Must be 3-30 lowercase alphanumeric characters or hyphens").describe("AI Gateway name"),
+	authNamespace: z.string().regex(AUTH_NAMESPACE_PATTERN, "Must be 3-63 lowercase alphanumeric characters or hyphens").describe("Auth namespace used to resolve request tokens against the workspace's auth"),
+	cors: z.array(z.string()).optional().describe("Allowed CORS origins for browser-based clients. Each entry is `*`, `http(s)://*`, `http(s)://*.example.com`, or `http(s)://app.example.com`, optionally with `:port`. Empty list disables cross-origin access.")
+}).brand("AIGatewayConfig");
+
 //#endregion
 //#region src/parser/service/idp/schema.ts
 /**
@@ -5339,6 +5387,17 @@ function defineStaticWebsites(websites) {
 	});
 	return staticWebsiteServices;
 }
+function defineAIGateways(gateways) {
+	const aiGatewayServices = [];
+	const gatewayNames = /* @__PURE__ */ new Set();
+	(gateways ?? []).forEach((config) => {
+		const gateway = AIGatewaySchema.parse(config);
+		if (gatewayNames.has(gateway.name)) throw new Error(`AI Gateway with name "${gateway.name}" already defined.`);
+		gatewayNames.add(gateway.name);
+		aiGatewayServices.push(gateway);
+	});
+	return aiGatewayServices;
+}
 function parseSecretManager(config) {
 	if (!config) return {
 		secrets: [],
@@ -5367,6 +5426,7 @@ function defineServices(config, pluginManager) {
 	const idpResult = defineIdp(config.idp);
 	const authResult = defineAuth(config.auth, tailordbResult.tailorDBServices, tailordbResult.externalTailorDBNamespaces);
 	const staticWebsiteServices = defineStaticWebsites(config.staticWebsites);
+	const aiGatewayServices = defineAIGateways(config.aiGateways);
 	const { secrets, ignoreNullishValues } = parseSecretManager(config.secrets);
 	return {
 		tailordbResult,
@@ -5374,6 +5434,7 @@ function defineServices(config, pluginManager) {
 		idpResult,
 		authResult,
 		staticWebsiteServices,
+		aiGatewayServices,
 		secrets,
 		ignoreNullishValues
 	};
@@ -5398,6 +5459,7 @@ function buildApplication(params) {
 		workflowService: params.workflowService,
 		httpAdapterService: params.httpAdapterService,
 		staticWebsiteServices: params.staticWebsiteServices,
+		aiGatewayServices: params.aiGatewayServices,
 		secrets: params.secrets,
 		ignoreNullishValues: params.ignoreNullishValues,
 		env: params.env,
@@ -5464,7 +5526,7 @@ function generatePluginFilesIfNeeded(pluginManager, tailorDBServices, configPath
 */
 async function loadApplication(params) {
 	const { config, pluginManager, bundleCache } = params;
-	const { tailordbResult, resolverResult, idpResult, authResult, staticWebsiteServices, secrets, ignoreNullishValues } = defineServices(config, pluginManager);
+	const { tailordbResult, resolverResult, idpResult, authResult, staticWebsiteServices, aiGatewayServices, secrets, ignoreNullishValues } = defineServices(config, pluginManager);
 	for (const tailordb of tailordbResult.tailorDBServices) {
 		await tailordb.loadTypes();
 		await tailordb.processNamespacePlugins();
@@ -5542,6 +5604,7 @@ async function loadApplication(params) {
 			workflowService,
 			httpAdapterService,
 			staticWebsiteServices,
+			aiGatewayServices,
 			secrets,
 			ignoreNullishValues,
 			env: config.env ?? {}
@@ -5553,5 +5616,5 @@ async function loadApplication(params) {
 }
 
 //#endregion
-export { resolveTokens as A, loadConfig as C, loadConfigPath as D, loadAccessToken as E, writePlatformConfig as M, loadWorkspaceId as O, hashFile as S, fetchLatestToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, INVOKER_EXPR as c, assertUniqueLocalTailorDBTypeNames as d, assertUniqueTailorDBTypeNamesWithExternal as f, composeFunctionTreeshakeOptions as g, platformBundleDefinePlugin as h, resolveInlineSourcemap as i, saveUserTokens as j, readPlatformConfig as k, buildExecutorArgsExpr as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, buildResolverOperationHookExpr as u, resolveBundleLogLevel as v, deleteUserTokens as w, hashContent as x, createBundleCache as y };
-//# sourceMappingURL=application-BezXGbrU.mjs.map
+export { readPlatformConfig as A, loadConfig as C, loadConfigPath as D, loadAccessToken as E, saveUserTokens as M, writePlatformConfig as N, loadMachineUserName as O, hashFile as S, fetchLatestToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, INVOKER_EXPR as c, assertUniqueLocalTailorDBTypeNames as d, assertUniqueTailorDBTypeNamesWithExternal as f, composeFunctionTreeshakeOptions as g, platformBundleDefinePlugin as h, resolveInlineSourcemap as i, resolveTokens as j, loadWorkspaceId as k, buildExecutorArgsExpr as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, buildResolverOperationHookExpr as u, resolveBundleLogLevel as v, deleteUserTokens as w, hashContent as x, createBundleCache as y };
+//# sourceMappingURL=application-DGDmL8i_.mjs.map