@tailor-platform/sdk 1.63.0 → 1.66.0

package/dist/{runtime-CW3jcQCc.mjs → runtime-2nzOZCUb.mjs}

@@ -1,9 +1,9 @@
 
 import { t as db } from "./schema-1msIhXwA.mjs";
-import { $ as CreateExecutorExecutorRequestSchema, A as TailorDBGQLPermission_Permit, At as AuthSCIMAttribute_Type, B as UpdateSecretManagerSecretRequestSchema, Bt as Subgraph_ServiceType, C as WorkflowExecution_Status, Ct as AuthConnection_Type, D as UpdateTailorDBTypeRequestSchema, Dt as AuthOAuth2Client_ClientType, E as CreateTailorDBTypeRequestSchema, Et as AuthInvokerSchema, F as CreateStaticWebsiteRequestSchema, Ft as UserProfileProviderConfig_UserProfileProviderType, G as PipelineResolver_OperationType, H as CreatePipelineServiceRequestSchema, Ht as Condition_Operator, I as UpdateStaticWebsiteRequestSchema, It as CreateApplicationRequestSchema, J as IdPLang, K as CreateIdPServiceRequestSchema, Lt as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, M as TailorDBType_Permission_Permit, Mt as AuthSCIMConfig_AuthorizationType, N as TailorDBType_PermitAction, O as TailorDBGQLPermission_Action, Ot as AuthOAuth2Client_GrantType, P as AddCustomDomainRequestSchema, Pt as TenantProviderConfig_TenantProviderType, R as CreateSecretManagerSecretRequestSchema, Rt as UpdateApplicationRequestSchema, S as UpdateWorkflowRequestSchema, St as UpdateUserProfileConfigRequestSchema, T as CreateTailorDBServiceRequestSchema, Tt as AuthIDPConfig_AuthType, U as UpdatePipelineResolverRequestSchema, Ut as FilterSchema, V as CreatePipelineResolverRequestSchema, Vt as ConditionSchema, W as UpdatePipelineServiceRequestSchema, Wt as PageDirection, X as IdPPermissionPermit, Y as IdPPermissionOperator, Z as FunctionExecution_Status, _ as userAgent, _t as UpdateAuthOAuth2ClientRequestSchema, a as fetchAll, at as CreateAuthHookRequestSchema, b as CreateWorkflowJobFunctionRequestSchema, bt as UpdateAuthServiceRequestSchema, ct as CreateAuthOAuth2ClientRequestSchema, dt as CreateAuthServiceRequestSchema, et as UpdateExecutorExecutorRequestSchema, f as initOperatorClient, ft as CreateTenantConfigRequestSchema, gt as UpdateAuthMachineUserRequestSchema, h as resolveStaticWebsiteUrls, ht as UpdateAuthIDPConfigRequestSchema, it as CreateAuthConnectionRequestSchema, j as TailorDBType_Permission_Operator, jt as AuthSCIMAttribute_Uniqueness, k as TailorDBGQLPermission_Operator, kt as AuthSCIMAttribute_Mutability, lt as CreateAuthSCIMConfigRequestSchema, m as platformBaseUrl, mt as UpdateAuthHookRequestSchema, nt as ExecutorTargetType, o as fetchMachineUserToken, ot as CreateAuthIDPConfigRequestSchema, pt as CreateUserProfileConfigRequestSchema, q as UpdateIdPServiceRequestSchema, rt as ExecutorTriggerType, s as fetchPaged, st as CreateAuthMachineUserRequestSchema, tt as ExecutorJobStatus, ut as CreateAuthSCIMResourceRequestSchema, v as OperatorService, vt as UpdateAuthSCIMConfigRequestSchema, w as WorkflowJobExecution_Status, wt as AuthHookPoint, x as CreateWorkflowRequestSchema, xt as UpdateTenantConfigRequestSchema, y as WorkspacePlatformUserRole, yt as UpdateAuthSCIMResourceRequestSchema, z as CreateSecretManagerVaultRequestSchema, zt as ApplicationSchemaUpdateAttemptStatus } from "./client-CobIRHl-.mjs";
+import { $ as CreateExecutorExecutorRequestSchema, A as TailorDBGQLPermission_Permit, At as AuthSCIMAttribute_Type, B as UpdateSecretManagerSecretRequestSchema, Bt as Subgraph_ServiceType, C as WorkflowExecution_Status, Ct as AuthConnection_Type, D as UpdateTailorDBTypeRequestSchema, Dt as AuthOAuth2Client_ClientType, E as CreateTailorDBTypeRequestSchema, Et as AuthInvokerSchema, F as CreateStaticWebsiteRequestSchema, Ft as UserProfileProviderConfig_UserProfileProviderType, G as PipelineResolver_OperationType, H as CreatePipelineServiceRequestSchema, Ht as Condition_Operator, I as UpdateStaticWebsiteRequestSchema, It as CreateApplicationRequestSchema, J as IdPLang, K as CreateIdPServiceRequestSchema, Lt as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, M as TailorDBType_Permission_Permit, Mt as AuthSCIMConfig_AuthorizationType, N as TailorDBType_PermitAction, O as TailorDBGQLPermission_Action, Ot as AuthOAuth2Client_GrantType, P as AddCustomDomainRequestSchema, Pt as TenantProviderConfig_TenantProviderType, R as CreateSecretManagerSecretRequestSchema, Rt as UpdateApplicationRequestSchema, S as UpdateWorkflowRequestSchema, St as UpdateUserProfileConfigRequestSchema, T as CreateTailorDBServiceRequestSchema, Tt as AuthIDPConfig_AuthType, U as UpdatePipelineResolverRequestSchema, Ut as FilterSchema, V as CreatePipelineResolverRequestSchema, Vt as ConditionSchema, W as UpdatePipelineServiceRequestSchema, Wt as PageDirection, X as IdPPermissionPermit, Y as IdPPermissionOperator, Z as FunctionExecution_Status, _ as userAgent, _t as UpdateAuthOAuth2ClientRequestSchema, a as fetchAll, at as CreateAuthHookRequestSchema, b as CreateWorkflowJobFunctionRequestSchema, bt as UpdateAuthServiceRequestSchema, ct as CreateAuthOAuth2ClientRequestSchema, dt as CreateAuthServiceRequestSchema, et as UpdateExecutorExecutorRequestSchema, f as initOperatorClient, ft as CreateTenantConfigRequestSchema, gt as UpdateAuthMachineUserRequestSchema, h as resolveStaticWebsiteUrls, ht as UpdateAuthIDPConfigRequestSchema, it as CreateAuthConnectionRequestSchema, j as TailorDBType_Permission_Operator, jt as AuthSCIMAttribute_Uniqueness, k as TailorDBGQLPermission_Operator, kt as AuthSCIMAttribute_Mutability, lt as CreateAuthSCIMConfigRequestSchema, m as platformBaseUrl, mt as UpdateAuthHookRequestSchema, nt as ExecutorTargetType, o as fetchMachineUserToken, ot as CreateAuthIDPConfigRequestSchema, pt as CreateUserProfileConfigRequestSchema, q as UpdateIdPServiceRequestSchema, rt as ExecutorTriggerType, s as fetchPaged, st as CreateAuthMachineUserRequestSchema, tt as ExecutorJobStatus, ut as CreateAuthSCIMResourceRequestSchema, v as OperatorService, vt as UpdateAuthSCIMConfigRequestSchema, w as WorkflowJobExecution_Status, wt as AuthHookPoint, x as CreateWorkflowRequestSchema, xt as UpdateTenantConfigRequestSchema, y as WorkspacePlatformUserRole, yt as UpdateAuthSCIMResourceRequestSchema, z as CreateSecretManagerVaultRequestSchema, zt as ApplicationSchemaUpdateAttemptStatus } from "./client-F0a4cWUM.mjs";
 import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
 import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { C as loadConfig, D as loadConfigPath, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, S as hashFile, b as getDistDir, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, k as readPlatformConfig, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, y as createBundleCache } from "./application-BezXGbrU.mjs";
+import { A as readPlatformConfig, C as loadConfig, D as loadConfigPath, E as loadAccessToken, N as writePlatformConfig, O as loadMachineUserName, S as hashFile, b as getDistDir, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, k as loadWorkspaceId, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, y as createBundleCache } from "./application-DGDmL8i_.mjs";
 import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
 import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
@@ -1806,6 +1806,219 @@ async function buildMetaRequest(params) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/deploy/owned-resource.ts
+/**
+* Fetch a workspace-scoped resource list and attach SDK ownership metadata.
+* @template T
+* @param params - Resource fetch parameters
+* @param params.client - Operator client instance
+* @param params.workspaceId - Workspace ID
+* @param params.fetchPage - Function that fetches one resource page
+* @param params.getName - Function that extracts the resource name
+* @param params.getTrn - Function that builds the resource TRN
+* @returns Existing resources keyed by resource name, with SDK labels attached
+*/
+async function fetchExistingResourcesWithLabels(params) {
+	const { client, workspaceId, fetchPage, getName, getTrn } = params;
+	const withoutLabel = await fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			return await fetchPage(pageToken, maxPageSize);
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+	const existingResources = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		const name = getName(resource);
+		if (!name) return;
+		const { metadata } = await client.getMetadata({ trn: getTrn(workspaceId, name) });
+		existingResources[name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
+		};
+	}));
+	return existingResources;
+}
+/**
+* Determine whether a same-named existing resource is managed by this app.
+* Records the user-facing confirmation data when ownership does not match.
+* @param params - Ownership classification inputs
+* @param params.labels - Existing resource labels
+* @param params.ownerLabel - Existing `sdk-name` label, when present
+* @param params.appName - Current application name
+* @param params.appId - Current application id, when present
+* @param params.resourceType - Resource kind for confirmation messages
+* @param params.resourceName - Resource name for confirmation messages
+* @param params.conflicts - Conflict accumulator
+* @param params.unmanaged - Unmanaged-resource accumulator
+* @returns True when the resource is owned by the current app
+*/
+function trackDesiredResourceOwnership(params) {
+	const { labels, ownerLabel, appName, appId, resourceType, resourceName, conflicts, unmanaged } = params;
+	const owned = isOwnedByApp(labels, appName, appId);
+	if (!owned) if (!ownerLabel) unmanaged.push({
+		resourceType,
+		resourceName
+	});
+	else conflicts.push({
+		resourceType,
+		resourceName,
+		currentOwner: ownerLabel
+	});
+	return owned;
+}
+/**
+* Determine whether a remote-only resource is still owned by this app.
+* Also records other SDK owners so renamed-empty applications can be handled.
+* @param params - Ownership classification inputs
+* @param params.labels - Existing resource labels
+* @param params.ownerLabel - Existing `sdk-name` label, when present
+* @param params.appName - Current application name
+* @param params.appId - Current application id, when present
+* @param params.resourceOwners - Other-owner accumulator
+* @returns True when the resource is owned by the current app
+*/
+function trackRemainingResourceOwner(params) {
+	const { labels, ownerLabel, appName, appId, resourceOwners } = params;
+	const owned = isOwnedByApp(labels, appName, appId);
+	if (ownerLabel && !owned) resourceOwners.add(ownerLabel);
+	return owned;
+}
+
+//#endregion
+//#region src/cli/commands/deploy/aigateway.ts
+/**
+* Apply AI Gateway changes for the given phase.
+* @param client - Operator client instance
+* @param result - Planned AI Gateway changes
+* @param phase - Apply phase
+* @returns Promise that resolves when AI Gateways are applied
+*/
+async function applyAIGateway(client, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
+		create.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(create.request.workspaceId, "request missing workspaceId"), create.request.cors, "AIGateway CORS");
+		await client.createAIGateway(create.request);
+		await client.setMetadata(create.metaRequest);
+	}), ...changeSet.updates.map(async (update) => {
+		update.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(update.request.workspaceId, "request missing workspaceId"), update.request.cors, "AIGateway CORS");
+		await client.updateAIGateway(update.request);
+		await client.setMetadata(update.metaRequest);
+	})]);
+	else await Promise.all(changeSet.deletes.map((del) => client.deleteAIGateway(del.request)));
+}
+function normalizeComparableAIGatewayShape(input) {
+	return {
+		authNamespace: input.authNamespace,
+		cors: input.cors.toSorted()
+	};
+}
+function normalizeComparableAIGateway(input) {
+	return normalizeComparableAIGatewayShape({
+		authNamespace: input.authNamespace || "",
+		cors: [...input.cors || []]
+	});
+}
+function areAIGatewaysEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableAIGateway(existing), normalizeComparableAIGateway(desired));
+}
+/**
+* Plan AI Gateway changes based on current and desired state.
+* @param context - Planning context
+* @returns Planned changes
+*/
+async function planAIGateway(context) {
+	const { client, workspaceId, application, forRemoval } = context;
+	const changeSet = createChangeSet("AIGateways");
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const existingGateways = await fetchExistingResourcesWithLabels({
+		client,
+		workspaceId,
+		fetchPage: async (pageToken, pageSize) => {
+			const { aigateways, nextPageToken } = await client.listAIGateways({
+				workspaceId,
+				pageToken,
+				pageSize
+			});
+			return [aigateways, nextPageToken];
+		},
+		getName: (resource) => resource.name,
+		getTrn: (workspaceId, name) => resourceTrn(workspaceId, "aigateway", name)
+	});
+	const aiGatewayServices = forRemoval ? [] : application.aiGatewayServices;
+	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
+	for (const gatewayService of aiGatewayServices) {
+		const config = gatewayService;
+		const name = gatewayService.name;
+		const existing = existingGateways[name];
+		const metaRequest = await buildMetaRequest({
+			trn: resourceTrn(workspaceId, "aigateway", name),
+			appName: application.name,
+			appId: application.id
+		});
+		const resolvedCors = await resolveStaticWebsiteUrls(client, workspaceId, config.cors ? [...config.cors] : [], "AIGateway CORS", { expectedLocalNames: expectedLocalWebsites });
+		const desired = normalizeComparableAIGateway({
+			...config,
+			cors: resolvedCors
+		});
+		const request = {
+			workspaceId,
+			aigatewayName: name,
+			authNamespace: config.authNamespace,
+			cors: config.cors ? [...config.cors] : []
+		};
+		if (existing) {
+			if (trackDesiredResourceOwnership({
+				labels: existing.allLabels,
+				ownerLabel: existing.label,
+				appName: application.name,
+				appId: application.id,
+				resourceType: "AIGateway",
+				resourceName: name,
+				conflicts,
+				unmanaged
+			}) && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areAIGatewaysEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
+			else changeSet.updates.push({
+				name,
+				request,
+				metaRequest
+			});
+			delete existingGateways[name];
+		} else changeSet.creates.push({
+			name,
+			request,
+			metaRequest
+		});
+	}
+	Object.entries(existingGateways).forEach(([name, entry]) => {
+		const label = entry?.label;
+		if (trackRemainingResourceOwner({
+			labels: entry?.allLabels,
+			ownerLabel: label,
+			appName: application.name,
+			appId: application.id,
+			resourceOwners
+		})) changeSet.deletes.push({
+			name,
+			request: {
+				workspaceId,
+				aigatewayName: name
+			}
+		});
+	});
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
+}
+
 //#endregion
 //#region src/cli/commands/deploy/application.ts
 /**
@@ -3003,7 +3216,7 @@ function parseIdPPermission(rawPermission) {
 function findOmittedPermitRules(permission) {
 	if (!permission) return [];
 	const locations = [];
-	for (const action of Object.keys(permission)) permission[action]?.forEach((rule, index) => {
+	for (const action of Object.keys(permission)) permission[action].forEach((rule, index) => {
 		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`${String(action)}[${index}]`);
 	});
 	return locations;
@@ -4900,88 +5113,6 @@ function normalizeAuthInvoker(authInvoker, authNamespace, context) {
 	return authInvoker;
 }
 
-//#endregion
-//#region src/cli/commands/deploy/owned-resource.ts
-/**
-* Fetch a workspace-scoped resource list and attach SDK ownership metadata.
-* @template T
-* @param params - Resource fetch parameters
-* @param params.client - Operator client instance
-* @param params.workspaceId - Workspace ID
-* @param params.fetchPage - Function that fetches one resource page
-* @param params.getName - Function that extracts the resource name
-* @param params.getTrn - Function that builds the resource TRN
-* @returns Existing resources keyed by resource name, with SDK labels attached
-*/
-async function fetchExistingResourcesWithLabels(params) {
-	const { client, workspaceId, fetchPage, getName, getTrn } = params;
-	const withoutLabel = await fetchAll(async (pageToken, maxPageSize) => {
-		try {
-			return await fetchPage(pageToken, maxPageSize);
-		} catch (error) {
-			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
-			throw error;
-		}
-	});
-	const existingResources = {};
-	await Promise.all(withoutLabel.map(async (resource) => {
-		const name = getName(resource);
-		if (!name) return;
-		const { metadata } = await client.getMetadata({ trn: getTrn(workspaceId, name) });
-		existingResources[name] = {
-			resource,
-			label: metadata?.labels[sdkNameLabelKey],
-			allLabels: metadata?.labels
-		};
-	}));
-	return existingResources;
-}
-/**
-* Determine whether a same-named existing resource is managed by this app.
-* Records the user-facing confirmation data when ownership does not match.
-* @param params - Ownership classification inputs
-* @param params.labels - Existing resource labels
-* @param params.ownerLabel - Existing `sdk-name` label, when present
-* @param params.appName - Current application name
-* @param params.appId - Current application id, when present
-* @param params.resourceType - Resource kind for confirmation messages
-* @param params.resourceName - Resource name for confirmation messages
-* @param params.conflicts - Conflict accumulator
-* @param params.unmanaged - Unmanaged-resource accumulator
-* @returns True when the resource is owned by the current app
-*/
-function trackDesiredResourceOwnership(params) {
-	const { labels, ownerLabel, appName, appId, resourceType, resourceName, conflicts, unmanaged } = params;
-	const owned = isOwnedByApp(labels, appName, appId);
-	if (!owned) if (!ownerLabel) unmanaged.push({
-		resourceType,
-		resourceName
-	});
-	else conflicts.push({
-		resourceType,
-		resourceName,
-		currentOwner: ownerLabel
-	});
-	return owned;
-}
-/**
-* Determine whether a remote-only resource is still owned by this app.
-* Also records other SDK owners so renamed-empty applications can be handled.
-* @param params - Ownership classification inputs
-* @param params.labels - Existing resource labels
-* @param params.ownerLabel - Existing `sdk-name` label, when present
-* @param params.appName - Current application name
-* @param params.appId - Current application id, when present
-* @param params.resourceOwners - Other-owner accumulator
-* @returns True when the resource is owned by the current app
-*/
-function trackRemainingResourceOwner(params) {
-	const { labels, ownerLabel, appName, appId, resourceOwners } = params;
-	const owned = isOwnedByApp(labels, appName, appId);
-	if (ownerLabel && !owned) resourceOwners.add(ownerLabel);
-	return owned;
-}
-
 //#endregion
 //#region src/cli/commands/deploy/executor.ts
 /**
@@ -6411,6 +6542,317 @@ function parseMigrationNumberArg(numberStr) {
 	throw new Error(`Invalid migration number format: ${numberStr}. Expected 4-digit format (e.g., 0001) or integer 0-9999 (e.g., 1).`);
 }
 
+//#endregion
+//#region src/cli/commands/tailordb/migrate/snapshot-schema.ts
+/**
+* Zod schemas for TailorDB migration snapshot and diff files.
+*
+* Each schema mirrors the corresponding hand-written interface from
+* snapshot-types.ts / diff-calculator.ts. Schemas are cast to
+* `z.ZodType<T>` to keep them aligned with the interfaces at compile time.
+*
+* All object schemas use `z.looseObject` so that unknown keys written
+* by newer CLI versions survive a load → save round-trip.
+*/
+const snapshotHookSchema = z.looseObject({ expr: z.string() });
+const snapshotValidationSchema = z.looseObject({
+	script: z.looseObject({ expr: z.string() }).optional(),
+	errorMessage: z.string()
+});
+const snapshotSerialSchema = z.looseObject({
+	start: z.number(),
+	maxValue: z.number().optional(),
+	format: z.string().optional()
+});
+const snapshotEnumValueSchema = z.looseObject({
+	value: z.string(),
+	description: z.string().optional()
+});
+const snapshotFieldConfigSchema = z.looseObject({
+	type: z.string(),
+	required: z.boolean().default(true),
+	array: z.boolean().optional(),
+	index: z.boolean().optional(),
+	unique: z.boolean().optional(),
+	allowedValues: z.array(snapshotEnumValueSchema).optional(),
+	foreignKey: z.boolean().optional(),
+	foreignKeyType: z.string().optional(),
+	foreignKeyField: z.string().optional(),
+	description: z.string().optional(),
+	vector: z.boolean().optional(),
+	hooks: z.looseObject({
+		create: snapshotHookSchema.optional(),
+		update: snapshotHookSchema.optional()
+	}).optional(),
+	validate: z.array(snapshotValidationSchema).optional(),
+	serial: snapshotSerialSchema.optional(),
+	scale: z.number().optional(),
+	fields: z.lazy(() => z.record(z.string(), snapshotFieldConfigSchema)).optional()
+});
+const snapshotIndexConfigSchema = z.looseObject({
+	fields: z.array(z.string()),
+	unique: z.boolean().optional()
+});
+const snapshotRelationshipSchema = z.looseObject({
+	targetType: z.string(),
+	targetField: z.string(),
+	sourceField: z.string(),
+	isArray: z.boolean(),
+	description: z.string()
+});
+const FIELD_REF_KEYS = [
+	"user",
+	"record",
+	"newRecord",
+	"oldRecord"
+];
+const snapshotPermissionOperandSchema = z.unknown().refine((v) => {
+	if (typeof v !== "object" || v === null || Array.isArray(v)) return true;
+	const keys = Object.keys(v);
+	return FIELD_REF_KEYS.filter((k) => keys.includes(k)).length < 2;
+}, "Ambiguous field-ref operand: contains more than one of user/record/newRecord/oldRecord");
+const snapshotGqlPermissionOperandSchema = z.unknown().refine((v) => {
+	if (typeof v !== "object" || v === null || Array.isArray(v)) return true;
+	const keys = Object.keys(v);
+	return FIELD_REF_KEYS.filter((k) => keys.includes(k)).length < 2;
+}, "Ambiguous field-ref operand: contains more than one of user/record/newRecord/oldRecord").refine((v) => {
+	if (typeof v !== "object" || v === null || Array.isArray(v)) return true;
+	const keys = Object.keys(v);
+	return ![
+		"record",
+		"newRecord",
+		"oldRecord"
+	].some((k) => keys.includes(k));
+}, "GQL permissions only support { user } field references");
+const snapshotPermissionOperatorSchema = z.string();
+const snapshotPermissionConditionSchema = z.tuple([
+	snapshotPermissionOperandSchema,
+	snapshotPermissionOperatorSchema,
+	snapshotPermissionOperandSchema
+]).rest(z.unknown());
+const snapshotGqlPermissionConditionSchema = z.tuple([
+	snapshotGqlPermissionOperandSchema,
+	snapshotPermissionOperatorSchema,
+	snapshotGqlPermissionOperandSchema
+]).rest(z.unknown());
+const snapshotActionPermissionSchema = z.looseObject({
+	conditions: z.array(snapshotPermissionConditionSchema),
+	description: z.string().optional(),
+	permit: z.enum(["allow", "deny"])
+});
+const snapshotRecordPermissionSchema = z.looseObject({
+	create: z.array(snapshotActionPermissionSchema).default([]),
+	read: z.array(snapshotActionPermissionSchema).default([]),
+	update: z.array(snapshotActionPermissionSchema).default([]),
+	delete: z.array(snapshotActionPermissionSchema).default([])
+});
+const snapshotGqlActionSchema = z.string();
+const snapshotGqlPermissionPolicySchema = z.looseObject({
+	conditions: z.array(snapshotGqlPermissionConditionSchema),
+	actions: z.array(snapshotGqlActionSchema),
+	permit: z.enum(["allow", "deny"]),
+	description: z.string().optional()
+});
+const snapshotGqlPermissionSchema = z.array(snapshotGqlPermissionPolicySchema);
+const tailorDBSnapshotTypeSchema = z.looseObject({
+	name: z.string(),
+	pluralForm: z.string().optional(),
+	description: z.string().optional(),
+	fields: z.record(z.string(), snapshotFieldConfigSchema),
+	settings: z.looseObject({
+		aggregation: z.boolean().optional(),
+		bulkUpsert: z.boolean().optional(),
+		gqlOperations: z.looseObject({
+			create: z.boolean().optional(),
+			update: z.boolean().optional(),
+			delete: z.boolean().optional(),
+			read: z.boolean().optional()
+		}).optional(),
+		publishEvents: z.boolean().optional()
+	}).optional(),
+	indexes: z.record(z.string(), snapshotIndexConfigSchema).optional(),
+	files: z.record(z.string(), z.string()).optional(),
+	forwardRelationships: z.record(z.string(), snapshotRelationshipSchema).optional(),
+	backwardRelationships: z.record(z.string(), snapshotRelationshipSchema).optional(),
+	permissions: z.looseObject({
+		record: snapshotRecordPermissionSchema.optional(),
+		gql: snapshotGqlPermissionSchema.optional()
+	}).optional()
+});
+const schemaSnapshotSchema = z.looseObject({
+	version: z.number(),
+	namespace: z.string(),
+	createdAt: z.string(),
+	types: z.record(z.string(), tailorDBSnapshotTypeSchema)
+});
+const typeSettingsPatchSchema = z.looseObject({
+	indexes: z.record(z.string(), snapshotIndexConfigSchema).optional(),
+	files: z.record(z.string(), z.string()).optional()
+});
+const snapshotPermissionStateSchema = z.looseObject({
+	recordPermission: snapshotRecordPermissionSchema.optional(),
+	gqlPermission: snapshotGqlPermissionSchema.optional()
+});
+const typeAddedChangeSchema = z.looseObject({
+	kind: z.literal("type_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	after: tailorDBSnapshotTypeSchema
+});
+const typeRemovedChangeSchema = z.looseObject({
+	kind: z.literal("type_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	before: tailorDBSnapshotTypeSchema
+});
+const typeModifiedChangeSchema = z.looseObject({
+	kind: z.literal("type_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	before: typeSettingsPatchSchema.optional(),
+	after: typeSettingsPatchSchema.optional()
+});
+const fieldAddedChangeSchema = z.looseObject({
+	kind: z.literal("field_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	after: snapshotFieldConfigSchema
+});
+const fieldRemovedChangeSchema = z.looseObject({
+	kind: z.literal("field_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: snapshotFieldConfigSchema
+});
+const fieldModifiedChangeSchema = z.looseObject({
+	kind: z.literal("field_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: snapshotFieldConfigSchema,
+	after: snapshotFieldConfigSchema
+});
+const indexAddedChangeSchema = z.looseObject({
+	kind: z.literal("index_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	indexName: z.string(),
+	after: snapshotIndexConfigSchema
+});
+const indexRemovedChangeSchema = z.looseObject({
+	kind: z.literal("index_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	indexName: z.string(),
+	before: snapshotIndexConfigSchema
+});
+const indexModifiedChangeSchema = z.looseObject({
+	kind: z.literal("index_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	indexName: z.string(),
+	before: snapshotIndexConfigSchema,
+	after: snapshotIndexConfigSchema
+});
+const fileAddedChangeSchema = z.looseObject({
+	kind: z.literal("file_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	after: z.string()
+});
+const fileRemovedChangeSchema = z.looseObject({
+	kind: z.literal("file_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: z.string()
+});
+const fileModifiedChangeSchema = z.looseObject({
+	kind: z.literal("file_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	fieldName: z.string(),
+	before: z.string(),
+	after: z.string()
+});
+const relationshipAddedChangeSchema = z.looseObject({
+	kind: z.literal("relationship_added"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	relationshipName: z.string(),
+	relationshipType: z.enum(["forward", "backward"]).optional(),
+	after: snapshotRelationshipSchema
+});
+const relationshipRemovedChangeSchema = z.looseObject({
+	kind: z.literal("relationship_removed"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	relationshipName: z.string(),
+	relationshipType: z.enum(["forward", "backward"]).optional(),
+	before: snapshotRelationshipSchema
+});
+const relationshipModifiedChangeSchema = z.looseObject({
+	kind: z.literal("relationship_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	relationshipName: z.string(),
+	relationshipType: z.enum(["forward", "backward"]).optional(),
+	before: snapshotRelationshipSchema,
+	after: snapshotRelationshipSchema
+});
+const permissionModifiedChangeSchema = z.looseObject({
+	kind: z.literal("permission_modified"),
+	typeName: z.string(),
+	reason: z.string().optional(),
+	before: snapshotPermissionStateSchema.optional(),
+	after: snapshotPermissionStateSchema.optional()
+});
+const diffChangeSchema = z.discriminatedUnion("kind", [
+	typeAddedChangeSchema,
+	typeRemovedChangeSchema,
+	typeModifiedChangeSchema,
+	fieldAddedChangeSchema,
+	fieldRemovedChangeSchema,
+	fieldModifiedChangeSchema,
+	indexAddedChangeSchema,
+	indexRemovedChangeSchema,
+	indexModifiedChangeSchema,
+	fileAddedChangeSchema,
+	fileRemovedChangeSchema,
+	fileModifiedChangeSchema,
+	relationshipAddedChangeSchema,
+	relationshipRemovedChangeSchema,
+	relationshipModifiedChangeSchema,
+	permissionModifiedChangeSchema
+]);
+const breakingChangeInfoSchema = z.looseObject({
+	typeName: z.string(),
+	fieldName: z.string().optional(),
+	reason: z.string(),
+	unsupported: z.boolean().optional(),
+	showThreeStepHint: z.boolean().optional()
+});
+const warningChangeInfoSchema = z.looseObject({
+	typeName: z.string(),
+	fieldName: z.string().optional(),
+	reason: z.string()
+});
+const migrationDiffSchema = z.looseObject({
+	version: z.number(),
+	namespace: z.string(),
+	createdAt: z.string(),
+	description: z.string().optional(),
+	changes: z.array(diffChangeSchema),
+	hasBreakingChanges: z.boolean(),
+	breakingChanges: z.array(breakingChangeInfoSchema),
+	hasWarnings: z.boolean().optional(),
+	warnings: z.array(warningChangeInfoSchema).optional(),
+	requiresMigrationScript: z.boolean()
+});
+
 //#endregion
 //#region src/cli/commands/tailordb/migrate/snapshot-types.ts
 /**
@@ -6620,21 +7062,19 @@ function createSnapshotType(type) {
 		fields
 	};
 	if (type.description) snapshotType.description = type.description;
-	if (type.settings) {
-		snapshotType.settings = {};
-		if (type.settings.aggregation !== void 0) snapshotType.settings.aggregation = type.settings.aggregation;
-		if (type.settings.bulkUpsert !== void 0) snapshotType.settings.bulkUpsert = type.settings.bulkUpsert;
-		if (type.settings.gqlOperations) {
-			const ops = type.settings.gqlOperations;
-			snapshotType.settings.gqlOperations = {
-				...ops.create !== void 0 && { create: ops.create },
-				...ops.update !== void 0 && { update: ops.update },
-				...ops.delete !== void 0 && { delete: ops.delete },
-				...ops.read !== void 0 && { read: ops.read }
-			};
-		}
-		if (type.settings.publishEvents !== void 0) snapshotType.settings.publishEvents = type.settings.publishEvents;
+	snapshotType.settings = {};
+	if (type.settings.aggregation !== void 0) snapshotType.settings.aggregation = type.settings.aggregation;
+	if (type.settings.bulkUpsert !== void 0) snapshotType.settings.bulkUpsert = type.settings.bulkUpsert;
+	if (type.settings.gqlOperations) {
+		const ops = type.settings.gqlOperations;
+		snapshotType.settings.gqlOperations = {
+			...ops.create !== void 0 && { create: ops.create },
+			...ops.update !== void 0 && { update: ops.update },
+			...ops.delete !== void 0 && { delete: ops.delete },
+			...ops.read !== void 0 && { read: ops.read }
+		};
 	}
+	if (type.settings.publishEvents !== void 0) snapshotType.settings.publishEvents = type.settings.publishEvents;
 	if (type.indexes && Object.keys(type.indexes).length > 0) {
 		snapshotType.indexes = {};
 		for (const [indexName, indexConfig] of Object.entries(type.indexes)) snapshotType.indexes[indexName] = {
@@ -6715,7 +7155,15 @@ function createSnapshotFromLocalTypes(types, namespace) {
 */
 function loadSnapshot(filePath) {
 	const content = fs$1.readFileSync(filePath, "utf-8");
-	const snapshot = JSON.parse(content);
+	let raw;
+	try {
+		raw = JSON.parse(content);
+	} catch (error) {
+		throw new Error(`Invalid schema snapshot at ${filePath}: ${String(error)}`, { cause: error });
+	}
+	const result = schemaSnapshotSchema.safeParse(raw);
+	if (!result.success) throw new Error(`Invalid schema snapshot at ${filePath}: ${z.prettifyError(result.error)}`, { cause: result.error });
+	const snapshot = result.data;
 	for (const type of Object.values(snapshot.types)) normalizeSnapshotType(type);
 	return snapshot;
 }
@@ -6726,7 +7174,15 @@ function loadSnapshot(filePath) {
 */
 function loadDiff(filePath) {
 	const content = fs$1.readFileSync(filePath, "utf-8");
-	const parsed = JSON.parse(content);
+	let raw;
+	try {
+		raw = JSON.parse(content);
+	} catch (error) {
+		throw new Error(`Invalid migration diff at ${filePath}: ${String(error)}`, { cause: error });
+	}
+	const result = migrationDiffSchema.safeParse(raw);
+	if (!result.success) throw new Error(`Invalid migration diff at ${filePath}: ${z.prettifyError(result.error)}`, { cause: result.error });
+	const parsed = result.data;
 	const warnings = parsed.warnings ?? [];
 	return {
 		...parsed,
@@ -6804,7 +7260,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "field_added":
 		case "field_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName) types[change.typeName] = {
+			if (existing) types[change.typeName] = {
 				...existing,
 				fields: {
 					...existing.fields,
@@ -6815,7 +7271,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "field_removed": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName) {
+			if (existing) {
 				const { [change.fieldName]: _, ...remainingFields } = existing.fields;
 				types[change.typeName] = {
 					...existing,
@@ -6827,7 +7283,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "index_added":
 		case "index_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.indexName) types[change.typeName] = {
+			if (existing) types[change.typeName] = {
 				...existing,
 				indexes: {
 					...existing.indexes,
@@ -6838,7 +7294,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "index_removed": {
 			const existing = types[change.typeName];
-			if (existing && change.indexName && existing.indexes) {
+			if (existing && existing.indexes) {
 				const { [change.indexName]: _, ...remainingIndexes } = existing.indexes;
 				types[change.typeName] = {
 					...existing,
@@ -6850,7 +7306,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "file_added":
 		case "file_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName) types[change.typeName] = {
+			if (existing) types[change.typeName] = {
 				...existing,
 				files: {
 					...existing.files,
@@ -6861,7 +7317,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "file_removed": {
 			const existing = types[change.typeName];
-			if (existing && change.fieldName && existing.files) {
+			if (existing && existing.files) {
 				const { [change.fieldName]: _, ...remainingFiles } = existing.files;
 				types[change.typeName] = {
 					...existing,
@@ -6873,7 +7329,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		case "relationship_added":
 		case "relationship_modified": {
 			const existing = types[change.typeName];
-			if (existing && change.relationshipName) {
+			if (existing) {
 				const rel = change.after;
 				if ((change.relationshipType ?? (existing.forwardRelationships?.[change.relationshipName] ? "forward" : existing.backwardRelationships?.[change.relationshipName] ? "backward" : "forward")) === "forward") types[change.typeName] = {
 					...existing,
@@ -6894,7 +7350,7 @@ function applyDiffToSnapshot(snapshot, diff) {
 		}
 		case "relationship_removed": {
 			const type = types[change.typeName];
-			if (type && change.relationshipName) {
+			if (type) {
 				const targetType = change.relationshipType ?? (type.forwardRelationships?.[change.relationshipName] ? "forward" : type.backwardRelationships?.[change.relationshipName] ? "backward" : null);
 				if (targetType === "forward" && type.forwardRelationships?.[change.relationshipName]) {
 					const { [change.relationshipName]: _, ...remaining } = type.forwardRelationships;
@@ -7004,7 +7460,7 @@ function areFieldsDifferent(oldField, newField) {
 	for (let i = 0; i < oldValidate.length; i++) {
 		const oldV = assertDefined(oldValidate[i], `oldValidate missing index ${i}`);
 		const newV = assertDefined(newValidate[i], `newValidate missing index ${i}`);
-		if (oldV.script.expr !== newV.script.expr) return true;
+		if ((oldV.script?.expr ?? "") !== (newV.script?.expr ?? "")) return true;
 		if (oldV.errorMessage !== newV.errorMessage) return true;
 	}
 	const oldSerial = oldField.serial;
@@ -7452,7 +7908,7 @@ function convertRemoteFieldsToSnapshot(remoteType) {
 			if (remoteField.foreignKeyType) config.foreignKeyType = remoteField.foreignKeyType;
 			if (remoteField.foreignKeyField) config.foreignKeyField = remoteField.foreignKeyField;
 		}
-		if (remoteField.allowedValues && remoteField.allowedValues.length > 0) config.allowedValues = remoteField.allowedValues.map((v) => ({
+		if (remoteField.allowedValues.length > 0) config.allowedValues = remoteField.allowedValues.map((v) => ({
 			value: v.value,
 			...v.description && { description: v.description }
 		}));
@@ -7463,7 +7919,7 @@ function convertRemoteFieldsToSnapshot(remoteType) {
 			if (remoteField.hooks.create?.expr) config.hooks.create = { expr: remoteField.hooks.create.expr };
 			if (remoteField.hooks.update?.expr) config.hooks.update = { expr: remoteField.hooks.update.expr };
 		}
-		if (remoteField.validate && remoteField.validate.length > 0) config.validate = remoteField.validate.map((v) => ({
+		if (remoteField.validate.length > 0) config.validate = remoteField.validate.map((v) => ({
 			script: { expr: v.script?.expr ?? "" },
 			errorMessage: v.errorMessage ?? ""
 		}));
@@ -7687,7 +8143,7 @@ function convertFieldConfigToProto(config) {
 		foreignKey: config.foreignKey ?? false,
 		foreignKeyType: config.foreignKeyType,
 		foreignKeyField: config.foreignKeyField,
-		required: config.required ?? true,
+		required: config.required,
 		vector: config.vector ?? false,
 		...toProtoSnapshotFieldHooks(config),
 		...config.serial && { serial: {
@@ -7704,7 +8160,7 @@ function toProtoSnapshotFieldValidate(config) {
 	return (config.validate ?? []).map((val) => ({
 		action: TailorDBType_PermitAction.DENY,
 		errorMessage: val.errorMessage || "",
-		...val.script && { script: { expr: val.script.expr ? `!${val.script.expr}` : "" } }
+		script: { expr: val.script && val.script.expr ? `!${val.script.expr}` : "" }
 	}));
 }
 function toProtoSnapshotFieldHooks(config) {
@@ -7728,7 +8184,7 @@ function processNestedFieldsFromSnapshot(fields) {
 			allowedValues: fieldConfig.allowedValues?.map((v) => ({ ...v })) ?? [],
 			description: fieldConfig.description || "",
 			validate: toProtoSnapshotFieldValidate(fieldConfig),
-			required: fieldConfig.required ?? true,
+			required: fieldConfig.required,
 			array: fieldConfig.array ?? false,
 			index: false,
 			unique: false,
@@ -7743,7 +8199,7 @@ function processNestedFieldsFromSnapshot(fields) {
 		allowedValues: fieldConfig.type === "enum" ? fieldConfig.allowedValues?.map((v) => ({ ...v })) ?? [] : [],
 		description: fieldConfig.description || "",
 		validate: toProtoSnapshotFieldValidate(fieldConfig),
-		required: fieldConfig.required ?? true,
+		required: fieldConfig.required,
 		array: fieldConfig.array ?? false,
 		index: false,
 		unique: false,
@@ -8104,19 +8560,19 @@ function buildPreMigrationChangesMap(pendingMigrations) {
 function applyPreMigrationFieldAdjustments(fields, typeChanges) {
 	for (const [fieldName, change] of typeChanges) {
 		if (change.kind === "field_removed") {
-			if (change.before) fields[fieldName] = convertFieldConfigToProto(change.before);
+			fields[fieldName] = convertFieldConfigToProto(change.before);
 			continue;
 		}
 		const field = fields[fieldName];
 		if (!field) continue;
 		if (change.kind === "field_added") {
-			if (change.after?.required) field.required = false;
+			if (change.after.required) field.required = false;
 			continue;
 		}
 		const { before, after } = change;
-		if (!before?.required && after?.required) field.required = false;
-		if (!(before?.unique ?? false) && (after?.unique ?? false)) field.unique = false;
-		if (before?.allowedValues && after?.allowedValues) {
+		if (!before.required && after.required) field.required = false;
+		if (!(before.unique ?? false) && (after.unique ?? false)) field.unique = false;
+		if (before.allowedValues && after.allowedValues) {
 			const afterValues = new Set(after.allowedValues.map((v) => v.value));
 			if (before.allowedValues.filter((v) => !afterValues.has(v.value)).length > 0) {
 				const valueMap = /* @__PURE__ */ new Map();
@@ -8885,8 +9341,17 @@ async function applyTailorDB(client, result, phase = "create-update") {
 				logger.newline();
 			}
 			for (const migration of pendingMigrations) {
-				await executeSingleMigrationPrePhase(client, changeSet, migration, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
-				if (migration.hasScript && migrationCtx) await executeMigrations(migrationCtx, [migration]);
+				try {
+					await executeSingleMigrationPrePhase(client, changeSet, migration, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
+					if (migration.hasScript && migrationCtx) await executeMigrations(migrationCtx, [migration]);
+				} catch (error) {
+					try {
+						await rollbackSingleMigrationPrePhase(client, changeSet, migration, migrationContext.workspaceId, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
+					} catch (rollbackError) {
+						logger.warn(`Failed to roll back migration ${migration.namespace}/${formatMigrationNumber(migration.number)}: ${rollbackError instanceof Error ? rollbackError.message : String(rollbackError)}`);
+					}
+					throw error;
+				}
 				await executeSingleMigrationPostPhase(client, changeSet, migration, migrationContext.tailorDBInputs, migrationContext.executorUsedTypes);
 				await updateMigrationLabel(client, migrationContext.workspaceId, migration.namespace, migration.number);
 			}
@@ -9007,6 +9472,17 @@ function buildSnapshotTypeManifest(migration, typeName, tailorDBInputs, executor
 	});
 }
 /**
+* Await every promise to settle, then throw the first rejection. Unlike
+* `Promise.all`, this never leaves sibling operations in flight after a failure,
+* so a following rollback cannot race with still-pending DDL.
+* @param promises - Promises (or already-resolved values) to await
+* @returns {Promise<void>} Resolves once all settle; rejects with the first failure
+*/
+async function awaitAllSettledOrThrow(promises) {
+	const rejected = (await Promise.allSettled(promises)).find((r) => r.status === "rejected");
+	if (rejected) throw rejected.reason;
+}
+/**
 * Execute pre-migration phase for a single migration
 * @param {OperatorClient} client - Operator client instance
 * @param {TailorDBChangeSet} changeSet - TailorDB change set
@@ -9019,7 +9495,7 @@ async function executeSingleMigrationPrePhase(client, changeSet, migration, tail
 	const preMigrationChanges = buildPreMigrationChangesMap([migration]);
 	const affectedTypes = getAffectedTypeNames(migration);
 	const createdBeforeMigration = new Set(processedTypes.created);
-	await Promise.all([
+	await awaitAllSettledOrThrow([
 		...changeSet.type.creates.filter((create) => {
 			const typeName = create.request.tailordbType?.name;
 			return typeName && affectedTypes.has(typeName) && !createdBeforeMigration.has(typeName);
@@ -9074,13 +9550,13 @@ async function executeSingleMigrationPrePhase(client, changeSet, migration, tail
 			const typeName = create.request.tailordbType?.name;
 			return create.request.namespaceName === migration.namespace && typeName && gqlPermissionTypeNames.has(typeName) && !processedTypes.created.has(typeName);
 		});
-		if (missingTypeCreates.length > 0) await Promise.all(missingTypeCreates.map((create) => {
+		if (missingTypeCreates.length > 0) await awaitAllSettledOrThrow(missingTypeCreates.map((create) => {
 			const typeName = create.request.tailordbType?.name;
 			if (typeName) processedTypes.created.add(typeName);
 			return client.createTailorDBType(create.request);
 		}));
 		processedTypes.gqlPermissionsProcessed.add(migration.namespace);
-		await Promise.all([...gqlPermissionCreatesForNamespace.map((create) => client.createTailorDBGQLPermission(create.request)), ...gqlPermissionUpdatesForNamespace.map((update) => client.updateTailorDBGQLPermission(update.request))]);
+		await awaitAllSettledOrThrow([...gqlPermissionCreatesForNamespace.map((create) => client.createTailorDBGQLPermission(create.request)), ...gqlPermissionUpdatesForNamespace.map((update) => client.updateTailorDBGQLPermission(update.request))]);
 	}
 }
 /**
@@ -9161,6 +9637,67 @@ async function executeSingleMigrationPostPhase(client, changeSet, migration, tai
 	}
 }
 /**
+* Revert a single migration's Pre-phase DDL to the prior checkpoint's schema.
+* @param client - Operator client instance
+* @param changeSet - TailorDB change set
+* @param migration - The migration whose Pre-phase DDL must be reverted
+* @param workspaceId - Workspace ID
+* @param tailorDBInputs - Deploy inputs, used to resolve namespace gqlOperations for the snapshot
+* @param executorUsedTypes - Types used by executors (drives publishRecordEvents default)
+* @returns {Promise<void>} Promise that resolves when rollback attempts complete
+*/
+async function rollbackSingleMigrationPrePhase(client, changeSet, migration, workspaceId, tailorDBInputs, executorUsedTypes) {
+	if (migration.number <= 0) return;
+	const namespaceTypes = getAffectedTypeNames(migration);
+	for (const create of changeSet.type.creates) {
+		const name = create.request.tailordbType?.name;
+		if (create.request.namespaceName === migration.namespace && name) namespaceTypes.add(name);
+	}
+	for (const update of changeSet.type.updates) {
+		const name = update.request.tailordbType?.name;
+		if (update.request.namespaceName === migration.namespace && name) namespaceTypes.add(name);
+	}
+	const applied = new Set([...processedTypes.created, ...processedTypes.updated]);
+	const rollbackTypes = new Set([...namespaceTypes].filter((name) => applied.has(name)));
+	if (rollbackTypes.size === 0) return;
+	const priorSnapshot = reconstructSnapshotFromMigrations(migration.migrationsDir, migration.number - 1);
+	if (!priorSnapshot) {
+		logger.warn(`Cannot roll back migration ${migration.namespace}/${formatMigrationNumber(migration.number)}: prior snapshot (migration ${formatMigrationNumber(migration.number - 1)}) could not be reconstructed. Leaving schema as-is; manual repair may be required.`);
+		return;
+	}
+	const input = tailorDBInputs.find((i) => i.namespace === migration.namespace);
+	logger.warn(`Migration ${migration.namespace}/${formatMigrationNumber(migration.number)} failed; rolling back its pre-migration schema changes.`);
+	for (const typeName of rollbackTypes) {
+		const priorType = priorSnapshot.types[typeName];
+		try {
+			if (priorType) {
+				const manifest = generateTailorDBTypeManifestFromSnapshot(priorType, {
+					publishRecordEvents: executorUsedTypes.has(priorType.name),
+					namespaceGqlOperations: input?.config.gqlOperations
+				});
+				await client.updateTailorDBType({
+					workspaceId,
+					namespaceName: migration.namespace,
+					tailordbType: manifest
+				});
+			} else {
+				await client.deleteTailorDBGQLPermission({
+					workspaceId,
+					namespaceName: migration.namespace,
+					typeName
+				}).catch(() => void 0);
+				await client.deleteTailorDBType({
+					workspaceId,
+					namespaceName: migration.namespace,
+					tailordbTypeName: typeName
+				});
+			}
+		} catch (rollbackError) {
+			logger.warn(`Failed to roll back type '${typeName}' in namespace '${migration.namespace}': ${rollbackError instanceof Error ? rollbackError.message : String(rollbackError)}`);
+		}
+	}
+}
+/**
 * Convert a runtime TailorDBService to the snapshot-shaped deploy input.
 * @param service - Loaded TailorDB service (after `loadTypes()`)
 * @returns The canonical snapshot-shaped deploy input for downstream plan/apply phases.
@@ -9579,17 +10116,7 @@ async function checkMigrationDiffs(typesByNamespace, namespacesWithMigrations) {
 	for (const { namespace, migrationsDir } of namespacesWithMigrations) {
 		const localTypes = typesByNamespace.get(namespace);
 		if (!localTypes) continue;
-		let previousSnapshot;
-		try {
-			previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
-		} catch {
-			results.push({
-				namespace,
-				migrationsDir,
-				hasDiff: false
-			});
-			continue;
-		}
+		const previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
 		if (!previousSnapshot) {
 			results.push({
 				namespace,
@@ -9677,7 +10204,7 @@ async function applyWorkflow(client, result, phase = "create-update") {
 				workflowId: del.workflowId
 			})
 		})));
-		await deleteAllSettled((result.jobFunctionDeletes ?? collectDeletableJobFunctions(changeSet.deletes)).map((del) => ({
+		await deleteAllSettled(result.jobFunctionDeletes.map((del) => ({
 			resourceType: "workflow job function",
 			resourceName: del.jobFunctionName,
 			run: () => client.deleteWorkflowJobFunction({
@@ -9704,20 +10231,6 @@ async function deleteAllSettled(operations) {
 	const firstError = errors[0];
 	if (firstError) throw firstError;
 }
-function collectDeletableJobFunctions(deletes) {
-	const seen = /* @__PURE__ */ new Set();
-	const jobFunctions = [];
-	for (const del of deletes) for (const jobFunctionName of del.deletableJobNames) {
-		const key = `${del.workspaceId}\0${jobFunctionName}`;
-		if (seen.has(key)) continue;
-		seen.add(key);
-		jobFunctions.push({
-			workspaceId: del.workspaceId,
-			jobFunctionName
-		});
-	}
-	return jobFunctions;
-}
 /**
 * Filter job function versions to only include those used by a workflow
 * @param allVersions - Map of job function names to versions
@@ -10238,6 +10751,9 @@ async function shouldForceApplyAll(client, workspaceId, application, functionEnt
 	application.staticWebsiteServices.forEach((website) => {
 		candidateTrns.add(resourceTrn(workspaceId, "staticwebsite", website.name));
 	});
+	application.aiGatewayServices.forEach((gateway) => {
+		candidateTrns.add(resourceTrn(workspaceId, "aigateway", gateway.name));
+	});
 	application.resolverServices.forEach((pipeline) => {
 		candidateTrns.add(resourceTrn(workspaceId, "pipeline", pipeline.namespace));
 	});
@@ -10262,7 +10778,7 @@ async function shouldForceApplyAll(client, workspaceId, application, functionEnt
 	});
 	for (const trn of candidateTrns) try {
 		const { metadata } = await client.getMetadata({ trn });
-		if (metadata?.labels?.["sdk-name"] !== application.name) continue;
+		if (metadata?.labels["sdk-name"] !== application.name) continue;
 		if (!hasMatchingSdkVersion(metadata.labels, desiredLabels)) return true;
 	} catch (error) {
 		if (error instanceof ConnectError && error.code === Code.NotFound) continue;
@@ -10316,6 +10832,7 @@ function printPlanResults(results) {
 	const authServiceActions = extractServiceActions(results.auth.changeSet.service);
 	results.staticWebsite.changeSet.print();
 	results.staticWebsite.customDomainChangeSet.print();
+	results.aiGateway.changeSet.print();
 	results.app.print();
 	printGroupedDisplaySection("TailorDB", tailorDBEntries, tailorDBServiceActions);
 	printGroupedDisplaySection("Resolver", pipelineEntries, pipelineServiceActions);
@@ -10366,6 +10883,7 @@ function summarizePlanResults(results, displayEntries, serviceActions) {
 		otherChanges,
 		results.staticWebsite.changeSet,
 		results.staticWebsite.customDomainChangeSet,
+		results.aiGateway.changeSet,
 		results.app,
 		results.secretManager.vaultChangeSet,
 		results.secretManager.secretChangeSet
@@ -10470,7 +10988,7 @@ async function deploy(options) {
 		const dryRun = options?.dryRun ?? false;
 		const yes = options?.yes ?? false;
 		const forceApplyAll = await withSpan("plan.detectSdkVersionChange", () => shouldForceApplyAll(client, workspaceId, application, functionEntries));
-		const { functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
+		const { functionRegistry, tailorDB, staticWebsite, aiGateway, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
 			const idpUserTriggerTargets = collectIdpUserTriggerTargets(application);
 			const ctx = {
 				client,
@@ -10484,9 +11002,10 @@ async function deploy(options) {
 			};
 			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, application.id, functionEntries));
 			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.filter((entry) => entry.name.startsWith(WORKFLOW_PREFIX)).map((entry) => entry.name.slice(WORKFLOW_PREFIX.length)));
-			const [tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
+			const [tailorDB, staticWebsite, aiGateway, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
 				withSpan("plan.staticWebsite", () => planStaticWebsite(ctx)),
+				withSpan("plan.aiGateway", () => planAIGateway(ctx)),
 				withSpan("plan.idp", () => planIdP(ctx)),
 				withSpan("plan.auth", () => planAuth(ctx)),
 				withSpan("plan.pipeline", () => planPipeline(ctx)),
@@ -10499,6 +11018,7 @@ async function deploy(options) {
 				functionRegistry,
 				tailorDB,
 				staticWebsite,
+				aiGateway,
 				idp,
 				auth,
 				pipeline,
@@ -10513,6 +11033,7 @@ async function deploy(options) {
 				...functionRegistry.conflicts,
 				...tailorDB.conflicts,
 				...staticWebsite.conflicts,
+				...aiGateway.conflicts,
 				...idp.conflicts,
 				...auth.conflicts,
 				...pipeline.conflicts,
@@ -10525,6 +11046,7 @@ async function deploy(options) {
 				...functionRegistry.unmanaged,
 				...tailorDB.unmanaged,
 				...staticWebsite.unmanaged,
+				...aiGateway.unmanaged,
 				...idp.unmanaged,
 				...auth.unmanaged,
 				...pipeline.unmanaged,
@@ -10541,6 +11063,10 @@ async function deploy(options) {
 				resourceType: "StaticWebsite",
 				resourceName: del.name
 			});
+			for (const del of aiGateway.changeSet.deletes) importantDeletions.push({
+				resourceType: "AIGateway",
+				resourceName: del.name
+			});
 			for (const del of auth.changeSet.oauth2Client.deletes) importantDeletions.push({
 				resourceType: "OAuth2 client",
 				resourceName: del.name
@@ -10568,6 +11094,7 @@ async function deploy(options) {
 					...functionRegistry.resourceOwners,
 					...tailorDB.resourceOwners,
 					...staticWebsite.resourceOwners,
+					...aiGateway.resourceOwners,
 					...idp.resourceOwners,
 					...auth.resourceOwners,
 					...pipeline.resourceOwners,
@@ -10589,6 +11116,7 @@ async function deploy(options) {
 			functionRegistry,
 			tailorDB,
 			staticWebsite,
+			aiGateway,
 			idp,
 			auth,
 			pipeline,
@@ -10618,6 +11146,7 @@ async function deploy(options) {
 			await applySecretManager(client, secretManager, "create-update", application);
 			await applyFunctionRegistry(client, workspaceId, functionRegistry, "create-update");
 			await applyStaticWebsite(client, staticWebsite, "create-update");
+			await applyAIGateway(client, aiGateway, "create-update");
 			await applyIdP(client, idp, "create-update");
 			await applyAuth(client, auth, "create-update");
 			await applyTailorDB(client, tailorDB, "create-update");
@@ -10637,6 +11166,7 @@ async function deploy(options) {
 			await applyWorkflow(client, workflow, "delete");
 			await applyExecutor(client, executor, "delete");
 			await applyStaticWebsite(client, staticWebsite, "delete");
+			await applyAIGateway(client, aiGateway, "delete");
 			await applySecretManager(client, secretManager, "delete");
 		});
 		await withSpan("apply.deleteApplication", () => applyApplication(client, app, "delete"));
@@ -10803,7 +11333,7 @@ function formatSubjectEvent(subject, eventTypes) {
 }
 function formatTypedEventTrigger(config) {
 	const typedConfig = config.typedConfig;
-	if (!typedConfig || typedConfig.case === void 0) return null;
+	if (typedConfig.case === void 0) return null;
 	switch (typedConfig.case) {
 		case "tailordb": return formatSubjectEvent(typedConfig.value.typeName, typedConfig.value.eventTypes);
 		case "pipeline": return formatSubjectEvent(typedConfig.value.resolverName, typedConfig.value.eventTypes);
@@ -10875,7 +11405,7 @@ function formatTriggerConfig(executor) {
 }
 function formatEventTriggerConfig(config) {
 	const typedConfig = config.typedConfig;
-	if (!typedConfig || typedConfig.case === void 0) return {
+	if (typedConfig.case === void 0) return {
 		eventType: config.eventType,
 		condition: config.condition?.expr || ""
 	};
@@ -11587,6 +12117,11 @@ async function startWorkflowCore(options) {
 	}
 }
 async function startWorkflowByName(options) {
+	const machineUser = await loadMachineUserName({
+		machineUser: options.machineUser,
+		profile: options.profile
+	});
+	if (!machineUser) throw new Error("Machine user is required. Specify --machine-user, set TAILOR_PLATFORM_MACHINE_USER_NAME, or set a profile default with 'tailor-sdk profile update <profile> --machine-user <name>'.");
 	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
@@ -11604,7 +12139,7 @@ async function startWorkflowByName(options) {
 		workflowName: options.name,
 		authInvoker: {
 			namespace: application.authNamespace,
-			machineUserName: options.machineUser
+			machineUserName: machineUser
 		},
 		arg: options.arg,
 		interval: options.interval
@@ -11630,10 +12165,10 @@ const startCommand = defineAppCommand({
 	args: z.object({
 		...deploymentArgs,
 		...nameArgs,
-		"machine-user": arg(z.string(), {
+		"machine-user": arg(z.string().optional(), {
 			alias: "m",
 			hiddenAlias: "machineuser",
-			description: "Machine user name",
+			description: "Machine user name. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
 		arg: arg(z.string().optional(), {
@@ -13458,6 +13993,11 @@ const listCommand$7 = defineAppCommand({
 * @returns Machine user token info
 */
 async function getMachineUserToken(options) {
+	const name = await loadMachineUserName({
+		machineUser: options.name,
+		profile: options.profile
+	});
+	if (!name) throw new Error("Machine user is required. Provide the NAME positional argument, set TAILOR_PLATFORM_MACHINE_USER_NAME, or set a profile default with 'tailor-sdk profile update <profile> --machine-user <name>'.");
 	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: options.workspaceId,
@@ -13472,9 +14012,9 @@ async function getMachineUserToken(options) {
 	const { machineUser } = await client.getAuthMachineUser({
 		workspaceId,
 		authNamespace: application.authNamespace,
-		name: options.name
+		name
 	});
-	if (!machineUser) throw new Error(`Machine user ${options.name} not found.`);
+	if (!machineUser) throw new Error(`Machine user ${name} not found.`);
 	const resp = await fetchMachineUserToken(application.url, machineUser.clientId, machineUser.clientSecret);
 	const expiresAt = /* @__PURE__ */ new Date();
 	expiresAt.setSeconds(expiresAt.getSeconds() + resp.expires_in);
@@ -13489,9 +14029,10 @@ const tokenCommand = defineAppCommand({
 	description: "Get an access token for a machine user.",
 	args: z.object({
 		...deploymentArgs,
-		name: arg(z.string(), {
+		name: arg(z.string().optional(), {
 			positional: true,
-			description: "Machine user name"
+			description: "Machine user name. Falls back to the active profile's default machine user.",
+			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		})
 	}).strict(),
 	run: async (args) => {
@@ -14168,6 +14709,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	};
 	const tailorDB = await planTailorDB(ctx);
 	const staticWebsite = await planStaticWebsite(ctx);
+	const aiGateway = await planAIGateway(ctx);
 	const idp = await planIdP(ctx);
 	const auth = await planAuth(ctx);
 	const pipeline = await planPipeline(ctx);
@@ -14178,6 +14720,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	const secretManager = await planSecretManager(ctx);
 	functionRegistry.changeSet.print();
 	staticWebsite.changeSet.print();
+	aiGateway.changeSet.print();
 	app.print();
 	tailorDB.changeSet.service.print();
 	tailorDB.changeSet.type.print();
@@ -14200,11 +14743,12 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	auth.changeSet.connection.print();
 	secretManager.vaultChangeSet.print();
 	secretManager.secretChangeSet.print();
-	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
+	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && aiGateway.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
 	if (confirm) await confirm();
 	await applyWorkflow(client, workflow, "delete");
 	await applyExecutor(client, executor, "delete");
 	await applyStaticWebsite(client, staticWebsite, "delete");
+	await applyAIGateway(client, aiGateway, "delete");
 	await applyApplication(client, app, "delete");
 	await applyPipeline(client, pipeline, "delete-resources");
 	await applyPipeline(client, pipeline, "delete-services");
@@ -14486,13 +15030,13 @@ function extractBreakingChangeFields(diff) {
 	const optionalToRequired = /* @__PURE__ */ new Map();
 	const addedRequiredFields = /* @__PURE__ */ new Map();
 	const enumValueChanges = /* @__PURE__ */ new Map();
-	for (const change of diff.changes) if (change.kind === "field_modified" && change.fieldName) {
+	for (const change of diff.changes) if (change.kind === "field_modified") {
 		const { before, after } = change;
-		if (before && after && !before.required && after.required) {
+		if (!before.required && after.required) {
 			if (!optionalToRequired.has(change.typeName)) optionalToRequired.set(change.typeName, /* @__PURE__ */ new Set());
 			assertDefined(optionalToRequired.get(change.typeName), "optionalToRequired entry missing").add(change.fieldName);
 		}
-		if (before && after && before.type === "enum" && after.type === "enum" && before.allowedValues && after.allowedValues) {
+		if (before.type === "enum" && after.type === "enum" && before.allowedValues && after.allowedValues) {
 			const beforeValues = before.allowedValues.map((v) => v.value);
 			const afterValues = after.allowedValues.map((v) => v.value);
 			const beforeSet = new Set(beforeValues);
@@ -14505,9 +15049,9 @@ function extractBreakingChangeFields(diff) {
 				});
 			}
 		}
-	} else if (change.kind === "field_added" && change.fieldName) {
+	} else if (change.kind === "field_added") {
 		const { after } = change;
-		if (after && after.required) {
+		if (after.required) {
 			if (!addedRequiredFields.has(change.typeName)) addedRequiredFields.set(change.typeName, /* @__PURE__ */ new Map());
 			assertDefined(addedRequiredFields.get(change.typeName), "addedRequiredFields entry missing").set(change.fieldName, after);
 		}
@@ -14991,7 +15535,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-DSXntqnV.mjs");
+	const { defineApplication } = await import("./application-nTydHJm8.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -15008,10 +15552,7 @@ async function generate(options) {
 		await tailordbService.processNamespacePlugins();
 		const localTypesObj = tailordbService.types;
 		const currentSnapshot = createSnapshotFromLocalTypes(localTypesObj, namespace);
-		let previousSnapshot = null;
-		try {
-			previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
-		} catch {}
+		const previousSnapshot = reconstructSnapshotFromMigrations(migrationsDir);
 		if (!previousSnapshot) await generateInitialSnapshot(currentSnapshot, migrationsDir);
 		else await generateDiffFromSnapshot(previousSnapshot, currentSnapshot, migrationsDir, options);
 	}
@@ -16577,7 +17118,7 @@ const queryBaseOptionsSchema = z.object({
 	profile: z.string().optional(),
 	configPath: z.string().optional(),
 	engine: queryEngineSchema,
-	machineUser: z.string()
+	machineUser: z.string().optional()
 });
 const queryOptionsSchema = queryBaseOptionsSchema.extend({ query: z.string() });
 async function getNamespaceFromSqlQuery(workspaceId, query, client, namespaces) {
@@ -16600,6 +17141,11 @@ async function getNamespaceFromSqlQuery(workspaceId, query, client, namespaces)
 async function loadOptions(options) {
 	const result = queryBaseOptionsSchema.safeParse(options);
 	if (!result.success) throw new Error(assertDefined(result.error.issues[0], "validation error missing issues").message);
+	const machineUser = await loadMachineUserName({
+		machineUser: result.data.machineUser,
+		profile: result.data.profile
+	});
+	if (!machineUser) throw new Error("Machine user is required. Specify --machine-user, set TAILOR_PLATFORM_MACHINE_USER_NAME, or set a profile default with 'tailor-sdk profile update <profile> --machine-user <name>'.");
 	const client = await initOperatorClient(await loadAccessToken({ profile: result.data.profile }));
 	const workspaceId = await loadWorkspaceId({
 		workspaceId: result.data.workspaceId,
@@ -16615,9 +17161,9 @@ async function loadOptions(options) {
 	const { machineUser: machineUserResource } = await client.getAuthMachineUser({
 		workspaceId,
 		authNamespace: application.authNamespace,
-		name: result.data.machineUser
+		name: machineUser
 	});
-	if (!machineUserResource) throw new Error(`Machine user ${result.data.machineUser} not found.`);
+	if (!machineUserResource) throw new Error(`Machine user ${machineUser} not found.`);
 	return {
 		engine: result.data.engine,
 		client,
@@ -16767,7 +17313,7 @@ async function prepareQueryExecutor(options) {
 				error,
 				engine,
 				namespace,
-				machineUser: options.machineUser
+				machineUser: machineUserResource.name
 			});
 		}
 	};
@@ -16981,10 +17527,10 @@ const queryCommand = defineAppCommand({
 			description: "Read query string from file; omit to start REPL mode"
 		}),
 		edit: arg(z.boolean().default(false), { description: "Open a temporary file in your editor; omit to start REPL mode" }),
-		"machine-user": arg(z.string(), {
+		"machine-user": arg(z.string().optional(), {
 			alias: "m",
 			hiddenAlias: "machineuser",
-			description: "Machine user name for query execution",
+			description: "Machine user name for query execution. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
 		"newline-on-enter": arg(z.boolean().optional(), { description: "REPL: when true, Enter inserts a newline and Shift+Enter submits. Use --no-newline-on-enter to swap." })
@@ -17150,4 +17696,4 @@ function isDeno() {
 
 //#endregion
 export { listCommand$5 as $, INITIAL_SCHEMA_NUMBER as $t, truncate as A, commonArgs as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, PluginManager as Cn, triggerExecutor as Ct, resumeWorkflow as D, apiCall as Dn, jobsCommand as Dt, resumeCommand as E, apiCommand as En, getExecutorJob as Et, writeDbTypesFile as F, pagedLogArgs as Fn, getWorkflowExecution as Ft, organizationTree as G, MIGRATION_LABEL_KEY as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, paginationArgs as In, listWorkflowExecutions as It, listOrganizations as J, compareSnapshotWithRemote as Jt, treeCommand as K, handleOptionalToRequiredError as Kt, openInConfiguredEditor as L, toPageDirection as Ln, functionExecutionStatusToString as Lt, generate as M, confirmationArgs as Mn, getCommand$5 as Mt, generateCommand as N, deploymentArgs as Nn, getWorkflow as Nt, listCommand$3 as O, assertWritable as On, listExecutorJobs as Ot, generateMigrationScript as P, isVerbose as Pn, executionsCommand as Pt, updateFolder as Q, DIFF_FILE_NAME as Qt, show as R, workspaceArgs as Rn, formatKeyValueTable as Rt, listApps as S, sdkNameLabelKey as Sn, triggerCommand as St, healthCommand as T, prompt as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, bundleMigrationScript as Wt, getOrganization as X, protoGqlPermission as Xt, getCommand$1 as Y, generateAllTypeManifestsFromSnapshot as Yt, updateCommand$2 as Z, DB_TYPES_FILE_NAME as Zt, getWorkspace as _, formatMigrationDiff as _n, listFunctionRegistries as _t, updateUser as a, createSnapshotFromLocalTypes as an, createCommand$1 as at, createCommand as b, ensureConfigId as bn, listWebhookExecutors as bt, listCommand as c, getMigrationFilePath as cn, listOAuth2Clients as ct, inviteUser as d, isValidMigrationNumber as dn, getMachineUserToken as dt, MIGRATE_FILE_NAME as en, listFolders as et, restoreCommand as f, loadDiff as fn, tokenCommand as ft, getCommand as g, formatDiffSummary as gn, listCommand$8 as gt, listWorkspaces as h, parseMigrationNumberArg as hn, generate$1 as ht, updateCommand as i, compareSnapshots as in, deleteFolder as it, truncateCommand as j, configArg as jn, startWorkflow as jt, listWorkflows as k, defineAppCommand as kn, watchExecutorJob as kt, listUsers as l, getMigrationFiles as ln, getCommand$3 as lt, listCommand$1 as m, formatMigrationNumber as mn, listMachineUsers as mt, query as n, assertValidMigrationFiles as nn, getFolder as nt, removeCommand as o, getLatestMigrationNumber as on, createFolder as ot, restoreWorkspace as p, reconstructSnapshotFromMigrations as pn, listCommand$7 as pt, listCommand$4 as q, parseMigrationLabelNumber as qt, queryCommand as r, compareLocalTypesWithSnapshot as rn, deleteCommand$1 as rt, removeUser as s, getMigrationDirPath as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, SCHEMA_FILE_NAME as tn, getCommand$2 as tt, inviteCommand as u, getNextMigrationNumber as un, getOAuth2Client as ut, deleteCommand as v, hasChanges as vn, getCommand$4 as vt, getAppHealth as w, generateUserTypes as wn, listCommand$9 as wt, createWorkspace as x, resourceTrn as xn, webhookCommand as xt, deleteWorkspace as y, getNamespacesWithMigrations as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-CW3jcQCc.mjs.map
+//# sourceMappingURL=runtime-2nzOZCUb.mjs.map