@tailor-platform/sdk 1.63.0 → 1.66.0

package/dist/{tailordb-BlBGmQK-.d.mts → tailordb-C-ar4XCX.d.mts}

@@ -11,8 +11,8 @@ type InferFieldsOutput<F extends Record<string, {
   _output: any;
   [key: string]: any;
 }>> = DeepWritable<Prettify<NullableToOptional<{ [K in keyof F]: output<F[K]> }>>>;
-type JsonValue = string | number | boolean | null | JsonValue[] | {
-  [key: string]: JsonValue;
+type JsonValue$1 = string | number | boolean | null | JsonValue$1[] | {
+  [key: string]: JsonValue$1;
 };
 /**
  * A looser version of JsonValue that accepts interfaces.
@@ -859,5 +859,5 @@ interface TailorDBType {
   files?: TailorDBTypeMetadata["files"];
 }
 //#endregion
-export { InferredAttributeList as A, FieldOutput as C, Validators as D, FieldValidateInput as E, InferFieldsOutput as F, JsonCompatible as I, JsonValue as L, TailorInvoker as M, TailorUser as N, AttributeList as O, unauthenticatedTailorUser as P, Prettify as R, FieldOptions as S, TailorToTs as T, PluginAttachment as _, TypeSourceInfoEntry as a, EnumValue as b, TailorAnyDBType as c, TailorDBType$1 as d, DBFieldMetadata as f, TailorField as g, SerialConfig as h, TailorDBType as i, InferredAttributeMap as j, AttributeMap as k, TailorDBField as l, GqlOperationsConfig as m, RelationType as n, ValueOperand as o, DefinedDBFieldMetadata as p, TailorDBServiceInput as r, TailorAnyDBField as s, IndexDef as t, TailorDBInstance as u, ArrayFieldOutput as v, TailorFieldType as w, FieldMetadata as x, DefinedFieldMetadata as y, output as z };
-//# sourceMappingURL=tailordb-BlBGmQK-.d.mts.map
+export { InferredAttributeList as A, FieldOutput as C, Validators as D, FieldValidateInput as E, InferFieldsOutput as F, JsonCompatible as I, JsonValue$1 as L, TailorInvoker as M, TailorUser as N, AttributeList as O, unauthenticatedTailorUser as P, Prettify as R, FieldOptions as S, TailorToTs as T, PluginAttachment as _, TypeSourceInfoEntry as a, EnumValue as b, TailorAnyDBType as c, TailorDBType$1 as d, DBFieldMetadata as f, TailorField as g, SerialConfig as h, TailorDBType as i, InferredAttributeMap as j, AttributeMap as k, TailorDBField as l, GqlOperationsConfig as m, RelationType as n, ValueOperand as o, DefinedDBFieldMetadata as p, TailorDBServiceInput as r, TailorAnyDBField as s, IndexDef as t, TailorDBInstance as u, ArrayFieldOutput as v, TailorFieldType as w, FieldMetadata as x, DefinedFieldMetadata as y, output as z };
+//# sourceMappingURL=tailordb-C-ar4XCX.d.mts.map

package/dist/utils/test/index.d.mts

@@ -1,6 +1,6 @@
-import { M as TailorInvoker } from "../../tailordb-BlBGmQK-.mjs";
-import { W as TailorDBType } from "../../workflow.generated-Bf1tWylx.mjs";
-import { At as TailorField, Ct as WORKFLOW_TEST_ENV_KEY, n as output } from "../../index-CLxubakC.mjs";
+import { M as TailorInvoker } from "../../tailordb-C-ar4XCX.mjs";
+import { Z as TailorDBType } from "../../workflow.generated--1Qc15Et.mjs";
+import { jt as TailorField, n as output, wt as WORKFLOW_TEST_ENV_KEY } from "../../index-BdLqzJDu.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/utils/test/mock.d.ts

package/dist/{workflow.generated-Bf1tWylx.d.mts → workflow.generated--1Qc15Et.d.mts}

@@ -1,7 +1,7 @@
-import { C as FieldOutput$1, D as Validators, E as FieldValidateInput, F as InferFieldsOutput, N as TailorUser, R as Prettify, S as FieldOptions, T as TailorToTs, b as EnumValue, d as TailorDBType$1, f as DBFieldMetadata, g as TailorField, h as SerialConfig, j as InferredAttributeMap, l as TailorDBField$1, m as GqlOperationsConfig, n as RelationType, o as ValueOperand, p as DefinedDBFieldMetadata, r as TailorDBServiceInput, s as TailorAnyDBField$1, t as IndexDef, u as TailorDBInstance$1, v as ArrayFieldOutput, w as TailorFieldType, x as FieldMetadata, y as DefinedFieldMetadata, z as output } from "./tailordb-BlBGmQK-.mjs";
-import { B as IdProvider, G as SCIMAttribute, H as OAuth2ClientInput, J as SCIMConfig, L as AuthInvoker, R as BuiltinIdP, V as OAuth2Client, X as TenantProvider, r as PluginConfigs } from "./plugin-C_FyVSdl.mjs";
+import { C as FieldOutput$1, D as Validators, E as FieldValidateInput, F as InferFieldsOutput, N as TailorUser, R as Prettify, S as FieldOptions, T as TailorToTs, b as EnumValue, d as TailorDBType$1, f as DBFieldMetadata, g as TailorField, h as SerialConfig, j as InferredAttributeMap, l as TailorDBField$1, m as GqlOperationsConfig, n as RelationType, o as ValueOperand, p as DefinedDBFieldMetadata, r as TailorDBServiceInput, s as TailorAnyDBField$1, t as IndexDef, u as TailorDBInstance$1, v as ArrayFieldOutput, w as TailorFieldType, x as FieldMetadata, y as DefinedFieldMetadata, z as output } from "./tailordb-C-ar4XCX.mjs";
+import { B as IdProvider, G as SCIMAttribute, H as OAuth2ClientInput, J as SCIMConfig, L as AuthInvoker, R as BuiltinIdP, V as OAuth2Client, X as TenantProvider, r as PluginConfigs } from "./plugin-DylAsA4Z.mjs";
 import { n as TailorEnv } from "./env-B-g-qgE4.mjs";
-import { IsAny, JsonObject, NonEmptyObject } from "type-fest";
+import { IsAny, JsonObject, JsonValue, NonEmptyObject } from "type-fest";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/configure/types/field.d.ts
@@ -700,8 +700,44 @@ type MachineUser<User extends TailorDBInstance$1, AttributeMap extends UserAttri
 } : {
   attributeList: AttributeListToTuple<User, AttributeList>;
 });
+/** Upstream OAuth provider that federated a login through the Built-in IdP. */
+type FederatedIdentityProvider = "google" | "microsoft";
+/**
+ * Profile claims forwarded from the upstream OAuth provider's ID token.
+ *
+ * Commonly present claims are typed; any other claim the provider issues is
+ * forwarded as-is and reachable through the index signature. Availability
+ * varies by provider (e.g. Microsoft does not issue `picture`).
+ */
+type FederatedIdentityClaims = {
+  name?: string;
+  given_name?: string;
+  family_name?: string;
+  picture?: string;
+  locale?: string;
+  [claim: string]: JsonValue | undefined;
+};
+/**
+ * The upstream identity that federated this login, populated when a user signs
+ * in through a Built-in IdP OAuth provider (Google or Microsoft).
+ *
+ * Available on {@link BeforeLoginClaims.federated_identity}; `undefined` for
+ * password logins.
+ */
+type FederatedIdentity = {
+  provider: FederatedIdentityProvider;
+  claims: FederatedIdentityClaims;
+};
+/**
+ * Token claims passed to the {@link BeforeLoginHook} handler. Carries the IdP's
+ * own claims (e.g. `sub`, `email`) plus, for federated logins, the upstream
+ * provider's profile under {@link BeforeLoginClaims.federated_identity}.
+ */
+type BeforeLoginClaims = JsonObject & {
+  /** Present only for federated (Google/Microsoft) logins; `undefined` for password logins. */federated_identity?: FederatedIdentity;
+};
 type BeforeLoginHookArgs = {
-  claims: JsonObject;
+  claims: BeforeLoginClaims;
   idpConfigName: string; /** Environment variables defined in `defineConfig({ env })`. */
   env: TailorEnv;
 };
@@ -748,6 +784,22 @@ type AuthServiceInputLoose = AuthServiceInput<any, any, any, string, any>;
 type AuthOwnConfig = DefinedAuth<string, AuthServiceInputLoose, string>;
 type AuthConfig = AuthOwnConfig | AuthExternalConfig;
 //#endregion
+//#region src/types/aigateway.generated.d.ts
+type AIGateway = {
+  /** AI Gateway name */name: string; /** Auth namespace used to resolve request tokens against the workspace's auth */
+  authNamespace: string; /** Allowed CORS origins for browser-based clients. Each entry is `*`, `http(s)://*`, `http(s)://*.example.com`, or `http(s)://app.example.com`, optionally with `:port`. Empty list disables cross-origin access. */
+  cors?: string[] | undefined;
+};
+type AIGatewayInput = AIGateway;
+//#endregion
+//#region src/types/aigateway-config.d.ts
+declare const aiGatewayDefinitionBrand: unique symbol;
+type AIGatewayDefinitionBrand = {
+  readonly [aiGatewayDefinitionBrand]: true;
+};
+/** Type accepted by `AppConfig.aiGateways`. Only values returned by `defineAIGateway()` satisfy this. */
+type AIGatewayConfig = AIGatewayInput & AIGatewayDefinitionBrand;
+//#endregion
 //#region src/types/app-config.generated.d.ts
 type LogLevelEnum = "DEBUG" | "INFO" | "WARN" | "ERROR" | "SILENT";
 //#endregion
@@ -1332,9 +1384,10 @@ type WorkflowServiceInput = WorkflowServiceConfig;
  * - `auth`: Single auth config object (not an array)
  * - `idp`: Array of IdP configs, e.g. `[myIdp]`
  * - `staticWebsites`: Array of static website configs, e.g. `[website]`
+ * - `aiGateways`: Array of AI Gateway configs, e.g. `[gateway]`
  * - `db`, `resolver`, `executor`, `workflow`: Service configs with file globs
  */
-interface AppConfig<Auth extends AuthConfig = AuthConfig, Idp extends IdPConfig[] = IdPConfig[], StaticWebsites extends StaticWebsiteConfig[] = StaticWebsiteConfig[], Env extends Record<string, string | number | boolean> = Record<string, string | number | boolean>> {
+interface AppConfig<Auth extends AuthConfig = AuthConfig, Idp extends IdPConfig[] = IdPConfig[], StaticWebsites extends StaticWebsiteConfig[] = StaticWebsiteConfig[], AIGateways extends AIGatewayConfig[] = AIGatewayConfig[], Env extends Record<string, string | number | boolean> = Record<string, string | number | boolean>> {
   /** Application name (required). */
   name: string;
   /**
@@ -1371,6 +1424,8 @@ interface AppConfig<Auth extends AuthConfig = AuthConfig, Idp extends IdPConfig[
   httpAdapter?: HttpAdapterServiceInput;
   /** Static website configurations. Must be an array, e.g. `[website]`. */
   staticWebsites?: StaticWebsites;
+  /** AI Gateway configurations. Must be an array, e.g. `[gateway]`. */
+  aiGateways?: AIGateways;
   /** Secret Manager vault configurations. Keys are vault names, values are records of secret names to values. */
   secrets?: SecretsConfig;
   /**
@@ -1412,5 +1467,5 @@ type ConcurrencyPolicy = {
   /** Maximum number of concurrent executions (1-1000) */maxConcurrentExecutions: number;
 };
 //#endregion
-export { BeforeLoginHookArgs as A, TailorAnyDBField as B, IdPGqlOperationsInput as C, AuthExternalConfig as D, AuthConnectionTokenResult as E, UserAttributeListKey as F, db as G, TailorDBField as H, UserAttributeMap as I, TailorTypePermission as J, PermissionCondition as K, UsernameFieldKey as L, OAuth2ClientGrantType as M, SCIMAttributeType as N, AuthOwnConfig as O, UserAttributeKey as P, AllowedValuesOutput as Q, AuthConnectionConfig as R, IdPGqlOperations as S, AuthConfig as T, TailorDBInstance as U, TailorAnyDBType as V, TailorDBType as W, unsafeAllowAllTypePermission as X, unsafeAllowAllGqlPermission as Y, AllowedValues as Z, IdPConfig as _, ExecutorServiceConfig as a, IdpDefinitionBrand as b, ResolverServiceConfig as c, WorkflowServiceInput as d, StaticWebsiteConfig as f, SecretsDefinitionBrand as g, SecretsConfig as h, AppConfig as i, DefinedAuth as j, AuthServiceInput as k, ResolverServiceInput as l, StaticWebsiteInput as m, RetryPolicy as n, ExecutorServiceInput as o, StaticWebsiteDefinitionBrand as p, TailorTypeGqlPermission as q, HttpAdapterConfigInput as r, ResolverExternalConfig as s, ConcurrencyPolicy as t, WorkflowServiceConfig as u, IdPExternalConfig as v, IdPInput as w, IdPEmailConfig as x, IdPUserField as y, AuthConnectionOAuth2Config as z };
-//# sourceMappingURL=workflow.generated-Bf1tWylx.d.mts.map
+export { PermissionCondition as $, AuthExternalConfig as A, SCIMAttributeType as B, IdPGqlOperationsInput as C, AIGatewayInput as D, AIGatewayDefinitionBrand as E, DefinedAuth as F, AuthConnectionConfig as G, UserAttributeListKey as H, FederatedIdentity as I, TailorAnyDBType as J, AuthConnectionOAuth2Config as K, FederatedIdentityClaims as L, AuthServiceInput as M, BeforeLoginClaims as N, AuthConfig as O, BeforeLoginHookArgs as P, db as Q, FederatedIdentityProvider as R, IdPGqlOperations as S, AIGatewayConfig as T, UserAttributeMap as U, UserAttributeKey as V, UsernameFieldKey as W, TailorDBInstance as X, TailorDBField as Y, TailorDBType as Z, IdPConfig as _, ExecutorServiceConfig as a, AllowedValuesOutput as at, IdpDefinitionBrand as b, ResolverServiceConfig as c, WorkflowServiceInput as d, TailorTypeGqlPermission as et, StaticWebsiteConfig as f, SecretsDefinitionBrand as g, SecretsConfig as h, AppConfig as i, AllowedValues as it, AuthOwnConfig as j, AuthConnectionTokenResult as k, ResolverServiceInput as l, StaticWebsiteInput as m, RetryPolicy as n, unsafeAllowAllGqlPermission as nt, ExecutorServiceInput as o, StaticWebsiteDefinitionBrand as p, TailorAnyDBField as q, HttpAdapterConfigInput as r, unsafeAllowAllTypePermission as rt, ResolverExternalConfig as s, ConcurrencyPolicy as t, TailorTypePermission as tt, WorkflowServiceConfig as u, IdPExternalConfig as v, IdPInput as w, IdPEmailConfig as x, IdPUserField as y, OAuth2ClientGrantType as z };
+//# sourceMappingURL=workflow.generated--1Qc15Et.d.mts.map

package/docs/cli/auth.md

@@ -350,7 +350,7 @@ Get an access token for a machine user.
 **Usage**
 
 ```
-tailor-sdk machineuser token [options] <name>
+tailor-sdk machineuser token [options] [name]
 ```
 
 <!-- politty:command:machineuser token:usage:end -->
@@ -359,9 +359,9 @@ tailor-sdk machineuser token [options] <name>
 
 **Arguments**
 
-| Argument | Description       | Required |
-| -------- | ----------------- | -------- |
-| `name`   | Machine user name | Yes      |
+| Argument | Description                                                                 | Required |
+| -------- | --------------------------------------------------------------------------- | -------- |
+| `name`   | Machine user name. Falls back to the active profile's default machine user. | No       |
 
 <!-- politty:command:machineuser token:arguments:end -->
 

package/docs/cli/completion.md

@@ -41,6 +41,9 @@ tailor-sdk completion [options] [shell]
 | `--instructions` | `-i`  | Show installation instructions                                                                                                       | No       | `false` |
 | `--loader`       | -     | Print just the rc loader snippet (bash/zsh). Add it to ~/.bashrc or ~/.zshrc; it auto-regenerates the cache when the binary changes. | No       | `false` |
 | `--install`      | -     | Write the completion script to its on-disk cache (bash/zsh) or autoload location (fish) instead of printing it.                      | No       | `false` |
+| `--static`       | -     | Generate the legacy static completion script with command metadata baked in.                                                         | No       | `false` |
+| `--dispatcher`   | -     | Generate the runtime dispatcher completion script. This is the default.                                                              | No       | `false` |
+| `--worker`       | -     | Generate an internal static worker artifact for dispatcher mode.                                                                     | No       | `false` |
 
 <!-- politty:command:completion:options:end -->
 

package/docs/cli/function.md

@@ -245,14 +245,14 @@ tailor-sdk function test-run [options] <file>
 
 **Options**
 
-| Option                          | Alias | Description                                                              | Required | Default              | Env                                 |
-| ------------------------------- | ----- | ------------------------------------------------------------------------ | -------- | -------------------- | ----------------------------------- |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                             | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
-| `--profile <PROFILE>`           | `-p`  | Workspace profile                                                        | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
-| `--name <NAME>`                 | `-n`  | Workflow job name to run (matches the `name` field of createWorkflowJob) | No       | -                    | -                                   |
-| `--arg <ARG>`                   | `-a`  | JSON argument to pass to the function                                    | No       | -                    | -                                   |
-| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for authentication                                     | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
-| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                                  | No       | `"tailor.config.ts"` | -                                   |
+| Option                          | Alias | Description                                                                                    | Required | Default              | Env                                 |
+| ------------------------------- | ----- | ---------------------------------------------------------------------------------------------- | -------- | -------------------- | ----------------------------------- |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                                                   | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile                                                                              | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
+| `--name <NAME>`                 | `-n`  | Workflow job name to run (matches the `name` field of createWorkflowJob)                       | No       | -                    | -                                   |
+| `--arg <ARG>`                   | `-a`  | JSON argument to pass to the function                                                          | No       | -                    | -                                   |
+| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for authentication. Falls back to the active profile's default machine user. | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
+| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                                                        | No       | `"tailor.config.ts"` | -                                   |
 
 <!-- politty:command:function test-run:options:end -->
 <!-- politty:command:function test-run:examples:start -->

package/docs/cli/query.md

@@ -33,7 +33,7 @@ tailor-sdk query [options]
 | `--query <QUERY>`               | `-q`  | Query string to execute directly; omit to start REPL mode                                            | No       | -                    | -                                   |
 | `--file <FILE>`                 | `-f`  | Read query string from file; omit to start REPL mode                                                 | No       | -                    | -                                   |
 | `--edit`                        | -     | Open a temporary file in your editor; omit to start REPL mode                                        | No       | `false`              | -                                   |
-| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for query execution                                                                | Yes      | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
+| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name for query execution. Falls back to the active profile's default machine user.      | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
 | `--newline-on-enter`            | -     | REPL: when true, Enter inserts a newline and Shift+Enter submits. Use --no-newline-on-enter to swap. | No       | -                    | -                                   |
 
 <!-- politty:command:query:options:end -->

package/docs/cli/workflow.md

@@ -167,16 +167,16 @@ tailor-sdk workflow start [options] <name>
 
 **Options**
 
-| Option                          | Alias | Description                                                    | Required | Default              | Env                                 |
-| ------------------------------- | ----- | -------------------------------------------------------------- | -------- | -------------------- | ----------------------------------- |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                   | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
-| `--profile <PROFILE>`           | `-p`  | Workspace profile                                              | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
-| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                        | No       | `"tailor.config.ts"` | `TAILOR_PLATFORM_SDK_CONFIG_PATH`   |
-| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name                                              | Yes      | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
-| `--arg <ARG>`                   | `-a`  | Workflow argument (JSON string)                                | No       | -                    | -                                   |
-| `--wait`                        | `-W`  | Wait for execution to complete                                 | No       | `false`              | -                                   |
-| `--interval <INTERVAL>`         | `-i`  | Polling interval when using --wait (e.g., '3s', '500ms', '1m') | No       | `"3s"`               | -                                   |
-| `--logs`                        | `-l`  | Display job execution logs after completion (requires --wait)  | No       | `false`              | -                                   |
+| Option                          | Alias | Description                                                                 | Required | Default              | Env                                 |
+| ------------------------------- | ----- | --------------------------------------------------------------------------- | -------- | -------------------- | ----------------------------------- |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                                | No       | -                    | `TAILOR_PLATFORM_WORKSPACE_ID`      |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile                                                           | No       | -                    | `TAILOR_PLATFORM_PROFILE`           |
+| `--config <CONFIG>`             | `-c`  | Path to SDK config file                                                     | No       | `"tailor.config.ts"` | `TAILOR_PLATFORM_SDK_CONFIG_PATH`   |
+| `--machine-user <MACHINE_USER>` | `-m`  | Machine user name. Falls back to the active profile's default machine user. | No       | -                    | `TAILOR_PLATFORM_MACHINE_USER_NAME` |
+| `--arg <ARG>`                   | `-a`  | Workflow argument (JSON string)                                             | No       | -                    | -                                   |
+| `--wait`                        | `-W`  | Wait for execution to complete                                              | No       | `false`              | -                                   |
+| `--interval <INTERVAL>`         | `-i`  | Polling interval when using --wait (e.g., '3s', '500ms', '1m')              | No       | `"3s"`               | -                                   |
+| `--logs`                        | `-l`  | Display job execution logs after completion (requires --wait)               | No       | `false`              | -                                   |
 
 <!-- politty:command:workflow start:options:end -->
 

package/docs/cli/workspace.md

@@ -241,11 +241,13 @@ tailor-sdk profile create [options] <name>
 
 **Options**
 
-| Option                          | Alias | Description                                                                       | Required | Default   |
-| ------------------------------- | ----- | --------------------------------------------------------------------------------- | -------- | --------- |
-| `--user <USER>`                 | `-u`  | User email                                                                        | Yes      | -         |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                                                                      | Yes      | -         |
-| `--permission <PERMISSION>`     | -     | Profile permission. 'read' blocks all write commands while the profile is active. | No       | `"write"` |
+| Option                                            | Alias | Description                                                                                                                            | Required | Default   |
+| ------------------------------------------------- | ----- | -------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
+| `--user <USER>`                                   | `-u`  | User email                                                                                                                             | Yes      | -         |
+| `--workspace-id <WORKSPACE_ID>`                   | `-w`  | Workspace ID                                                                                                                           | Yes      | -         |
+| `--permission <PERMISSION>`                       | -     | Profile permission. 'read' blocks all write commands while the profile is active.                                                      | No       | `"write"` |
+| `--machine-user <MACHINE_USER>`                   | `-m`  | Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token).                 | No       | -         |
+| `--machine-user-override <MACHINE_USER_OVERRIDE>` | -     | Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user. | No       | -         |
 
 <!-- politty:command:profile create:options:end -->
 
@@ -320,11 +322,13 @@ tailor-sdk profile update [options] <name>
 
 **Options**
 
-| Option                          | Alias | Description                                                                          | Required | Default |
-| ------------------------------- | ----- | ------------------------------------------------------------------------------------ | -------- | ------- |
-| `--user <USER>`                 | `-u`  | New user email                                                                       | No       | -       |
-| `--workspace-id <WORKSPACE_ID>` | `-w`  | New workspace ID                                                                     | No       | -       |
-| `--permission <PERMISSION>`     | -     | Profile permission. 'read' blocks all write commands; 'write' lifts the restriction. | No       | -       |
+| Option                                            | Alias | Description                                                                                                                                                           | Required | Default |
+| ------------------------------------------------- | ----- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------- |
+| `--user <USER>`                                   | `-u`  | New user email                                                                                                                                                        | No       | -       |
+| `--workspace-id <WORKSPACE_ID>`                   | `-w`  | New workspace ID                                                                                                                                                      | No       | -       |
+| `--permission <PERMISSION>`                       | -     | Profile permission. 'read' blocks all write commands; 'write' lifts the restriction.                                                                                  | No       | -       |
+| `--machine-user <MACHINE_USER>`                   | `-m`  | Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token). Pass an empty string to clear.                 | No       | -       |
+| `--machine-user-override <MACHINE_USER_OVERRIDE>` | -     | Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user; 'allow' lifts the restriction. | No       | -       |
 
 <!-- politty:command:profile update:options:end -->
 

package/docs/cli-reference.md

@@ -77,7 +77,7 @@ You can use environment variables to configure workspace and authentication:
 | `TAILOR_PLATFORM_SDK_DTS_PATH`               | Output path for generated `tailor.d.ts` type definition file                                      |
 | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID`     | Client ID for `login --machine-user`                                                              |
 | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET` | Client secret for `login --machine-user`                                                          |
-| `TAILOR_PLATFORM_MACHINE_USER_NAME`          | Default machine user name for `query`, `workflow start`, `function test-run`                      |
+| `TAILOR_PLATFORM_MACHINE_USER_NAME`          | Default machine user name for `query`, `workflow start`, `function test-run`, `machineuser token` |
 | `TAILOR_BUNDLE_CONCURRENCY`                  | Max concurrent bundle workers for `deploy` (resolvers/executors/workflows). Defaults to CPU count |
 | `VISUAL` / `EDITOR`                          | Preferred editor for commands that open files (e.g., `vim`, `code`, `nano`)                       |
 | `TAILOR_CRASH_REPORTS_LOCAL`                 | Local crash log writing: `on` (default) or `off`                                                  |

package/docs/services/aigateway.md

@@ -0,0 +1,97 @@
+# AI Gateway
+
+AI Gateway provides a unified endpoint for accessing multiple LLM providers (Azure OpenAI, Google Vertex AI Gemini, Anthropic via Vertex AI) through a single OpenAI-compatible API, with platform-managed credentials and workspace-scoped authentication.
+
+## Overview
+
+AI Gateway provides:
+
+- A unified, OpenAI-compatible endpoint for multiple LLM providers
+- Mandatory authentication via your workspace's auth (request tokens are resolved against the configured auth namespace)
+- Per-workspace isolation: each gateway is provisioned with its own platform-assigned URL
+- Optional CORS allow-list for browser-based clients
+- Built-in usage tracking and rate limiting (configured platform-side)
+
+## Configuration
+
+Configure an AI Gateway using `defineAIGateway()`:
+
+**Definition Rules:**
+
+- **Multiple gateways allowed**: You can define multiple AI Gateways in your config file
+- **Configuration location**: Define in `tailor.config.ts` and add to the `aiGateways` array
+- **Uniqueness**: Gateway names must be unique across all AI Gateways
+- **Name pattern**: `name` must match `^[a-z0-9][a-z0-9-]{1,28}[a-z0-9]$` (lowercase alphanumeric and hyphens, 3-30 characters)
+
+```typescript
+import { defineAIGateway, defineConfig } from "@tailor-platform/sdk";
+
+const aiGateway = defineAIGateway("my-aigateway", {
+  authNamespace: "default",
+});
+
+export default defineConfig({
+  aiGateways: [aiGateway],
+});
+```
+
+## Options
+
+### authNamespace
+
+The auth namespace used to resolve request tokens against your workspace's auth configuration. Must match an existing auth namespace.
+
+```typescript
+defineAIGateway("my-aigateway", {
+  authNamespace: "default",
+});
+```
+
+### cors
+
+Optional list of allowed origins for browser-based clients. Each entry is one of:
+
+- `*` — any origin (any scheme, any host)
+- `http(s)://*` — any host on the given scheme
+- `http(s)://*.example.com` — any subdomain of `example.com` on the given scheme
+- `http(s)://app.example.com` — an exact origin
+
+An optional `:port` may be appended in all URL forms. Omitting `cors` (or passing `[]`) disables cross-origin access — browsers will block any cross-origin reads.
+
+```typescript
+defineAIGateway("my-aigateway", {
+  authNamespace: "default",
+  cors: ["https://app.example.com", "https://*.example.com"],
+});
+```
+
+## Complete Example
+
+```typescript
+import {
+  defineAIGateway,
+  defineAuth,
+  defineConfig,
+  defineStaticWebSite,
+} from "@tailor-platform/sdk";
+
+const website = defineStaticWebSite("my-frontend", {
+  description: "Frontend application",
+});
+
+const aiGateway = defineAIGateway("my-aigateway", {
+  authNamespace: "default",
+  cors: [website.url],
+});
+
+const auth = defineAuth("my-auth", {
+  // ...auth configuration...
+});
+
+export default defineConfig({
+  name: "my-app",
+  auth,
+  staticWebsites: [website],
+  aiGateways: [aiGateway],
+});
+```

package/docs/services/auth.md

@@ -515,6 +515,25 @@ export const auth = defineAuth("my-auth", {
 
 **invoker**: The machine user whose permissions are used to execute the hook. Must reference a machine user defined in the same auth configuration.
 
+### Federated identity claims
+
+When a user signs in through a Built-in IdP OAuth provider (Google or Microsoft), the upstream provider's profile is available on `claims.federated_identity`. It is `undefined` for password logins, so guard before reading it. Commonly present claims (`name`, `given_name`, `family_name`, `picture`, `locale`) are typed; any other claim the provider issues is forwarded as-is. Availability varies by provider (for example, Microsoft does not issue `picture`).
+
+```typescript
+hooks: {
+  beforeLogin: {
+    handler: async ({ claims }) => {
+      const federated = claims.federated_identity;
+      if (federated?.provider === "google") {
+        // Populate the user record from the upstream profile
+        const avatarUrl = federated.claims.picture;
+      }
+    },
+    invoker: "hook-invoker",
+  },
+}
+```
+
 ## CLI Commands
 
 Manage Auth resources using the CLI:

package/docs/services/idp.md

@@ -125,6 +125,89 @@ defineIdp("my-idp", {
 });
 ```
 
+### userAuthPolicy
+
+User authentication policy. Controls password requirements, the identifier used for login, allowed email domains, and social login providers. Every field is optional. The boolean options default to disabled, and the password length fields default to a minimum of 6 and a maximum of 4096.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  userAuthPolicy: {
+    useNonEmailIdentifier: false,
+    allowSelfPasswordReset: true,
+    passwordRequireUppercase: true,
+    passwordRequireLowercase: true,
+    passwordRequireNonAlphanumeric: true,
+    passwordRequireNumeric: true,
+    passwordMinLength: 8,
+    passwordMaxLength: 128,
+  },
+});
+```
+
+**Login behavior:**
+
+- `useNonEmailIdentifier` - Allow a non-email identifier (username) instead of requiring an email address. Default `false`.
+- `allowSelfPasswordReset` - Show the "Forgot password?" flow so users can reset their own password. Default `false`.
+- `disablePasswordAuth` - Remove password authentication entirely. Default `false`. Requires at least one social login provider to be enabled.
+
+**Password requirements:**
+
+- `passwordRequireUppercase` - Require at least one uppercase letter. Default `false`.
+- `passwordRequireLowercase` - Require at least one lowercase letter. Default `false`.
+- `passwordRequireNumeric` - Require at least one numeric character. Default `false`.
+- `passwordRequireNonAlphanumeric` - Require at least one non-alphanumeric character. Default `false`.
+- `passwordMinLength` - Minimum password length. Must be between 6 and 30. Default `6`.
+- `passwordMaxLength` - Maximum password length. Must be between 6 and 4096. Default `4096`.
+
+**Email domains and social login:**
+
+- `allowedEmailDomains` - Restrict registration to these email domains. An empty list (the default) allows all domains, but a non-empty list is required when `allowGoogleOauth` or `allowMicrosoftOauth` is enabled.
+- `allowGoogleOauth` - Enable the "Sign in with Google" button. Default `false`.
+- `allowMicrosoftOauth` - Enable the "Sign in with Microsoft" button. Default `false`.
+
+**Constraints:** the following combinations are rejected at parse time.
+
+- `passwordMinLength` must be less than or equal to `passwordMaxLength`.
+- A non-empty `allowedEmailDomains` cannot be combined with `useNonEmailIdentifier: true` (an empty list is allowed). Enabling `allowGoogleOauth` or `allowMicrosoftOauth` is likewise rejected with `useNonEmailIdentifier: true` (leaving them `false` or unset is fine).
+- `allowGoogleOauth` requires a non-empty `allowedEmailDomains`.
+- `allowMicrosoftOauth` requires both a non-empty `allowedEmailDomains` and `disablePasswordAuth: true`.
+- `disablePasswordAuth` requires `allowGoogleOauth` or `allowMicrosoftOauth`, and cannot be combined with `allowSelfPasswordReset`.
+
+### gqlOperations
+
+Controls which GraphQL user-management operations the IdP exposes. All operations are enabled by default. Use this to turn operations off entirely, independent of the `permission` policies that decide who may call them.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  gqlOperations: {
+    create: true,
+    read: true,
+    update: true,
+    delete: false,
+    sendPasswordResetEmail: false,
+  },
+});
+```
+
+**Fields:** each field defaults to `true` (enabled). Set a field to `false` to disable that operation.
+
+- `create` - The `_createUser` mutation.
+- `read` - The `_users` and `_user` query operations.
+- `update` - The `_updateUser` mutation.
+- `delete` - The `_deleteUser` mutation.
+- `sendPasswordResetEmail` - The `_sendPasswordResetEmail` mutation.
+
+**Shortcut:** pass the string `"query"` to expose a read-only IdP. It enables `read` and disables every mutation.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  gqlOperations: "query",
+});
+```
+
 ### authorization (optional, legacy)
 
 Legacy access control field. Use `permission` instead for fine-grained per-operation control. This field is kept for backward compatibility.
@@ -170,6 +253,19 @@ defineIdp("my-idp", {
 
 **Validation:** Each field must be 200 characters or less and must not contain newline characters.
 
+### lang
+
+UI language for the IdP-hosted pages such as the login and password reset screens.
+
+```typescript
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  lang: "ja",
+});
+```
+
+**Values:** `"en"` or `"ja"`.
+
 ### publishUserEvents
 
 Publish IdP user lifecycle events (`idp.user.created`, `idp.user.updated`, `idp.user.deleted`). These events are consumed by executors that use `idpUserCreatedTrigger`, `idpUserUpdatedTrigger`, `idpUserDeletedTrigger`, or `idpUserTrigger`.

package/docs/services/tailordb-migration.md

@@ -355,20 +355,21 @@ Coordinate this with your team because everyone else's local migrations will be
 
 ## Failure Recovery
 
-If a `migrate.ts` throws:
+If the pre-migration phase or `migrate.ts` fails:
 
 - **The transaction rolls back** for that migration's script. Database changes the script made are undone.
-- **The pre-migration phase already ran** before the script. Type-level relaxations (e.g., a field changed to optional) **are not undone**. The post-migration phase, including the label bump, does not run.
-- The whole `apply` aborts. Subsequent migrations in the same run do not execute.
+- **The pre-migration schema changes are rolled back** to the prior checkpoint: types that already existed are restored to their previous shape, and types the migration newly introduced are dropped. The workspace is left at its prior checkpoint and prior schema — not half-applied.
+- The whole `apply` aborts and the checkpoint label is not bumped. Subsequent migrations in the same run do not execute.
+
+The rollback is best-effort per type; if reverting a type fails, a warning is logged and the original migration error is still reported.
 
 After a failure:
 
 1. Read the `Logs:` block in the apply output to find the cause.
 2. Fix `migrate.ts` (or the data it depends on).
-3. Re-run `tailor-sdk deploy`. The same migration runs again because its label was never bumped.
-4. If the pre-migration relaxation is causing problems for application code in the meantime, accept the temporary optionality or roll forward with a fix; do not try to manually re-tighten the schema, or you'll create remote drift.
+3. Re-run `tailor-sdk deploy`. The same migration runs again because its label was never bumped, and the prior-checkpoint schema is a clean baseline to retry against.
 
-If a migration **succeeds in script** but the post-migration phase fails (rare; usually due to constraint violation that the script should have prevented), the situation is the same as above plus the data changes from the script are persisted. Investigate, fix, and re-run.
+If a migration **succeeds in script** but the **post-migration phase** fails (rare; usually a constraint violation the script should have prevented), the pre-migration changes are **not** rolled back: the script's data changes are already committed and the post-migration phase may have dropped removed columns or types, which cannot be reverted without data loss. Investigate, fix, and re-run.
 
 ## Rollback Strategy
 
@@ -444,6 +445,16 @@ For genuinely different schemas across environments, prefer separate workspaces
 4. To force the remote schema back to a known snapshot, use `migration sync <N>` (see [`migration sync` Semantics](#migration-sync-semantics)).
 5. As a last resort in non-production environments, `--no-schema-check` skips both checks. Do not use this as a routine workaround.
 
+### "Invalid schema snapshot" or "Invalid migration diff" error
+
+**Cause:** A `schema.json` or `diff.json` file in the `migrations/` directory is corrupted or does not match the expected structure. Merge conflicts left in these files are a common cause.
+
+**Resolution:**
+
+1. Read the error message — it includes the file path and the offending field.
+2. Restore the file from version control (`git checkout -- <path>`), or regenerate migration files with `migration generate` / `migration script`.
+3. Do not hand-edit `schema.json` or `diff.json`; they are managed by the CLI.
+
 ### "No machine user available for migration execution"
 
 **Cause:** Neither `migration.machineUser` is set nor are there any machine users in `auth.machineUsers`.