@tailor-platform/sdk 1.66.1 → 2.0.0-next.1

package/CHANGELOG.md

@@ -1,11 +1,98 @@
 # @tailor-platform/sdk
 
-## 1.66.1
+## 2.0.0-next.1
+### Major Changes
+
+
+
+- [#1442](https://github.com/tailor-platform/sdk/pull/1442) [`07cc256`](https://github.com/tailor-platform/sdk/commit/07cc256b9f1d695694d67438e1b0cb6df096ece8) Thanks [@dqn](https://github.com/dqn)! - Remove the deprecated `auth.invoker("<machine-user>")` helper. Pass machine user names directly as `authInvoker` strings in resolver, executor, and workflow APIs.
+
+
+
+- [#1440](https://github.com/tailor-platform/sdk/pull/1440) [`f0895f4`](https://github.com/tailor-platform/sdk/commit/f0895f4231578e54229004d3aa5bac6bd24361e3) Thanks [@dqn](https://github.com/dqn)! - Remove `defineGenerators()` and legacy `generators` config support. Use `definePlugins()` with the built-in plugin packages for code generation.
+
+
+
+- [#1441](https://github.com/tailor-platform/sdk/pull/1441) [`7604ad5`](https://github.com/tailor-platform/sdk/commit/7604ad5fdf27b791e8f1db880faed156cd6554d5) Thanks [@dqn](https://github.com/dqn)! - Remove support for wrapping `tailor-sdk function test-run --arg` resolver input in an `input` object. Pass resolver input fields directly as the `--arg` JSON value.
+
+
+
+- [#1460](https://github.com/tailor-platform/sdk/pull/1460) [`f49c6d1`](https://github.com/tailor-platform/sdk/commit/f49c6d1b5a856969cb4e04ae7d3a87ed34aa020f) Thanks [@dqn](https://github.com/dqn)! - Remove the v1 runtime globals compatibility layer. Importing from `@tailor-platform/sdk` no longer activates the ambient `tailor.*` / `tailordb.*` declarations; opt into globals with `@tailor-platform/sdk/runtime/globals` or use the typed wrappers from `@tailor-platform/sdk/runtime`.
+  
+  The capital-cased `Tailordb.*` namespace is removed. If your project still references `Tailordb.QueryResult`, `Tailordb.CommandType`, `Tailordb.Client`, or `typeof Tailordb.Client`, migrate before upgrading: run `pnpm dlx @tailor-platform/sdk-codemod v2/tailordb-namespace` to rewrite them to lowercase `tailordb.*`, then add `import "@tailor-platform/sdk/runtime/globals"` so the rewritten references resolve.
+
+
+- [#1459](https://github.com/tailor-platform/sdk/pull/1459) [`2c3d7ad`](https://github.com/tailor-platform/sdk/commit/2c3d7add213b171df2959b8a14e8dc2e3c3a7ec7) Thanks [@dqn](https://github.com/dqn)! - Remove the deprecated `tailor-sdk-skills` binary shim. Use `tailor-sdk skills install` to install the bundled Tailor SDK agent skill.
+
+
+
+- [#1457](https://github.com/tailor-platform/sdk/pull/1457) [`84325f8`](https://github.com/tailor-platform/sdk/commit/84325f8602a5631b7c323c997b1425235509920e) Thanks [@dqn](https://github.com/dqn)! - Remove deprecated CLI aliases for the v2 command surface. Use `tailor-sdk deploy` instead of `tailor-sdk apply`, `tailor-sdk crashreport` instead of `tailor-sdk crash-report`, and the hyphenated `--machine-user` option instead of the hidden `--machineuser` alias.
+  
+  Fix the v2 CLI rename codemod to migrate the hidden `--machineuser` option to `--machine-user`.
+
+
+- [#1462](https://github.com/tailor-platform/sdk/pull/1462) [`77e7f45`](https://github.com/tailor-platform/sdk/commit/77e7f4512ddd141a8858ab37a3c48d8ad7e16543) Thanks [@dqn](https://github.com/dqn)! - Require `FunctionExecution.contentHash` for `function logs` stack trace source mapping. Executions without a content hash now show raw stack traces instead of mapping against the current function bundle.
+
+
+
+- [#1458](https://github.com/tailor-platform/sdk/pull/1458) [`ad04913`](https://github.com/tailor-platform/sdk/commit/ad049131d61dfc9f96bff8ffe7c5e5e261523b14) Thanks [@dqn](https://github.com/dqn)! - Store CLI human users by stable subject ID in the platform config instead of email, while preserving email for display and migrating legacy email-keyed entries on login or token refresh.
+
+
+
+- [#1438](https://github.com/tailor-platform/sdk/pull/1438) [`2c552cd`](https://github.com/tailor-platform/sdk/commit/2c552cd716f9abbe90ec4b22e51d0cde155c2bf9) Thanks [@dqn](https://github.com/dqn)! - Align workflow job `.trigger()` with the platform runtime. Job triggers now require a mocked workflow runtime in tests instead of running job bodies locally, and `trigger()` returns the job result directly instead of a Promise wrapper. Use `mockWorkflow()` to mock trigger results in tests, or `runWorkflowLocally()` for full-chain local workflow tests.
+
+
+### Patch Changes
+
+
+
+- [#1425](https://github.com/tailor-platform/sdk/pull/1425) [`644dca8`](https://github.com/tailor-platform/sdk/commit/644dca8ee631ff18550646d3d82bad76fba6bc33) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency graphql to v16.14.2
+
+
+
+- [#1429](https://github.com/tailor-platform/sdk/pull/1429) [`b933f29`](https://github.com/tailor-platform/sdk/commit/b933f291b99efb3668077cd7870abe979dc3b10b) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update rolldown to v1.1.1
+
+
+
+- [#1433](https://github.com/tailor-platform/sdk/pull/1433) [`4d07f2f`](https://github.com/tailor-platform/sdk/commit/4d07f2fd814bda5886c8f0c9546f21128dcce74b) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency es-toolkit to v1.47.1
+
+
+
+- [#1448](https://github.com/tailor-platform/sdk/pull/1448) [`4ce01dd`](https://github.com/tailor-platform/sdk/commit/4ce01dd851dae7754103a918ba89afe073f942c6) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update @connectrpc to v2.1.2
+
+
+
+- [#1390](https://github.com/tailor-platform/sdk/pull/1390) [`388f3d6`](https://github.com/tailor-platform/sdk/commit/388f3d69b722589cd5cca7bbbc3667a849ecaa3b) Thanks [@toiroakr](https://github.com/toiroakr)! - Guarantee that importing the SDK never loads zod in user projects — neither zod runtime code in bundled functions nor zod type computation in tsc. Internal type definitions are reorganized into per-layer pure type modules, and new CI checks verify every user-facing entry point stays zod-free at both the type and runtime level and that the internal module graph has no import cycles.
+
+## 2.0.0-next.0
+### Major Changes
+
+
+
+- [#1451](https://github.com/tailor-platform/sdk/pull/1451) [`3e6d582`](https://github.com/tailor-platform/sdk/commit/3e6d582a37d83a42302339cc4aea1d3dd11e8a81) Thanks [@tailor-platform-pr-trigger](https://github.com/apps/tailor-platform-pr-trigger)! - Start the v2 release line. v2 introduces breaking changes to the SDK API and CLI; run `tailor-sdk upgrade` to apply the bundled codemods when migrating. Prereleases are published to the `next` dist-tag — install with `@tailor-platform/sdk@next`.
+
+
 ### Patch Changes
 
 
 
-- [#1428](https://github.com/tailor-platform/sdk/pull/1428) [`753ac38`](https://github.com/tailor-platform/sdk/commit/753ac3876319d007322c23a7052a2399d194fb72) Thanks [@renovate](https://github.com/apps/renovate)! - fix(deps): update dependency semver to v7.8.4
+- [#1449](https://github.com/tailor-platform/sdk/pull/1449) [`016aff6`](https://github.com/tailor-platform/sdk/commit/016aff6aab31c334c57a5e5244453f2dd559c008) Thanks [@k1LoW](https://github.com/k1LoW)! - Document the `userAuthPolicy`, `gqlOperations`, and `lang` options of `defineIdp()` in the IdP service guide, including the password policy fields, allowed email domains, Google/Microsoft social login, the read-only `"query"` shortcut, and the cross-field validation constraints.
+
+
+
+- [#1450](https://github.com/tailor-platform/sdk/pull/1450) [`162ba62`](https://github.com/tailor-platform/sdk/commit/162ba629e0d511593718f289b93788d5d56778da) Thanks [@toiroakr](https://github.com/toiroakr)! - Update OpenTelemetry runtime dependencies to 2.8.0 to resolve a moderate security advisory (GHSA-8988-4f7v-96qf) in `@opentelemetry/core`
+
+
+
+- [#1432](https://github.com/tailor-platform/sdk/pull/1432) [`3a854a3`](https://github.com/tailor-platform/sdk/commit/3a854a3a10b938ce3cf6fe7527de4ab56ecf48d5) Thanks [@toiroakr](https://github.com/toiroakr)! - Roll back a migration's pre-migration schema changes when its data migration (`migrate.ts`) fails during `apply`. A failed migration now leaves the workspace at its prior checkpoint and prior schema instead of half-applied, so subsequent deploys are no longer blocked by opaque "Remote schema drift detected" errors.
+
+
+
+- [#1422](https://github.com/tailor-platform/sdk/pull/1422) [`f3f8427`](https://github.com/tailor-platform/sdk/commit/f3f84277fe1942601d0fcbb8a64c2c26823b5624) Thanks [@dqn](https://github.com/dqn)! - Internal cleanup of proto field optionality handling. No behavior change.
+
+
+
+- [#1421](https://github.com/tailor-platform/sdk/pull/1421) [`b933f47`](https://github.com/tailor-platform/sdk/commit/b933f474d65f8dfed56f3991aae3a52589368b10) Thanks [@dqn](https://github.com/dqn)! - Corrupted or hand-edited TailorDB migration snapshot/diff files now fail with a clear validation error when loaded, instead of causing undefined behavior later.
 
 ## 1.66.0
 ### Minor Changes

package/dist/application-DB2r36Et.mjs

@@ -0,0 +1,3 @@
+import { n as generatePluginFilesIfNeeded, r as loadApplication, t as defineApplication } from "./application-DqS1yBg3.mjs";
+
+export { defineApplication, generatePluginFilesIfNeeded };

package/dist/{application-DGDmL8i_.mjs → application-DqS1yBg3.mjs}

@@ -1,17 +1,13 @@
-
-import { n as isSdkBranded } from "./brand-DlnJ375c.mjs";
-import { a as fetchAll, d as initOAuth2Client } from "./client-F0a4cWUM.mjs";
-import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
-import { a as parseBoolean, n as logger, r as styles } from "./logger-DpJyJvNz.mjs";
-import { a as TailorFieldSchema, i as AuthInvokerSchema, n as ExecutorSchema, o as loadFilesWithIgnores, r as AuthConfigSchema, s as functionSchema, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
-import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "./enum-constants-C7DaWeQo.mjs";
-import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
-import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-BHPxPXmn.mjs";
-import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "./kysely-type-D1e0Vwkd.mjs";
-import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-BH2FbrPV.mjs";
-import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
-import { t as createCLIError } from "./errors-EsY4XO6O.mjs";
-import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-CWzF8rry.mjs";
+import { n as isSdkBranded } from "./brand-Eo4pLXPJ.mjs";
+import { a as fetchAll, d as initOAuth2Client, l as fetchUserInfo } from "./client-z_oHGVNy.mjs";
+import { t as assertDefined } from "./assert-DBxo8jPo.mjs";
+import { a as parseBoolean, n as logger, r as styles } from "./logger-CxF-Ex5d.mjs";
+import { a as TailorFieldSchema, i as AuthInvokerSchema, n as ExecutorSchema, o as loadFilesWithIgnores, r as AuthConfigSchema, s as functionSchema, t as createExecutorService } from "./service-CCL8ruDf.mjs";
+import { t as multiline } from "./multiline-sfHpTZZK.mjs";
+import { t as readPackageJson } from "./package-json-8b0O9TlX.mjs";
+import { t as createCLIError } from "./errors-Dtf2WPaW.mjs";
+import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-DBqZhjFQ.mjs";
+import { t as isPluginGeneratedType } from "./type-source-DH_LH20p.mjs";
 import { builtinModules, createRequire } from "node:module";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
@@ -87,43 +83,6 @@ const AppConfigSchema = z.object({
 	secrets: z.unknown().optional()
 });
 
-//#endregion
-//#region src/parser/generator-config/schema.ts
-const DependencyKindSchema = z.enum([
-	"tailordb",
-	"resolver",
-	"executor"
-]);
-const KyselyTypeConfigSchema = z.tuple([z.literal("@tailor-platform/kysely-type"), z.object({ distPath: z.string() })]);
-const SeedConfigSchema = z.tuple([z.literal("@tailor-platform/seed"), z.object({
-	distPath: z.string(),
-	machineUserName: z.string().optional(),
-	disableIdpUserSync: z.object({
-		userToIdp: z.boolean().optional(),
-		idpToUser: z.boolean().optional()
-	}).optional()
-})]);
-const EnumConstantsConfigSchema = z.tuple([z.literal("@tailor-platform/enum-constants"), z.object({ distPath: z.string() })]);
-const FileUtilsConfigSchema = z.tuple([z.literal("@tailor-platform/file-utils"), z.object({ distPath: z.string() })]);
-const CodeGeneratorSchema = z.object({
-	id: z.string(),
-	description: z.string(),
-	dependencies: z.array(DependencyKindSchema),
-	processType: z.function().optional(),
-	processResolver: z.function().optional(),
-	processExecutor: z.function().optional(),
-	processTailorDBNamespace: z.function().optional(),
-	processResolverNamespace: z.function().optional(),
-	aggregate: z.function({ output: z.any() })
-});
-const BaseGeneratorConfigSchema = z.union([
-	KyselyTypeConfigSchema,
-	SeedConfigSchema,
-	EnumConstantsConfigSchema,
-	FileUtilsConfigSchema,
-	CodeGeneratorSchema
-]);
-
 //#endregion
 //#region src/parser/plugin-config/schema.ts
 const PluginConfigSchema = z.object({
@@ -141,15 +100,6 @@ const PluginConfigSchema = z.object({
 	return !(p.onTypeLoaded || p.onNamespaceLoaded) || !!p.importPath;
 }, { message: "importPath is required when plugin has definition-time hooks (onTypeLoaded/onNamespaceLoaded)" }).transform((plugin) => plugin);
 
-//#endregion
-//#region src/plugin/builtin/registry.ts
-const builtinPlugins = new Map([
-	[KyselyGeneratorID, (options) => kyselyTypePlugin(options)],
-	[SeedGeneratorID, (options) => seedPlugin(options)],
-	[EnumConstantsGeneratorID, (options) => enumConstantsPlugin(options)],
-	[FileUtilsGeneratorID, (options) => fileUtilsPlugin(options)]
-]);
-
 //#endregion
 //#region src/cli/shared/token-store.ts
 const SERVICE_NAME = "tailor-platform-cli";
@@ -238,14 +188,19 @@ const pfUserFileSchema = z.object({
 	refresh_token: z.string().optional()
 });
 const pfUserSchemaV2 = z.discriminatedUnion("storage", [pfUserKeyringSchema, pfUserFileSchema]);
+const pfUserKeyringSchemaV3 = pfUserKeyringSchema.extend({ email: z.string().optional() });
+const pfUserFileSchemaV3 = pfUserFileSchema.extend({ email: z.string().optional() });
+const pfUserSchemaV3 = z.discriminatedUnion("storage", [pfUserKeyringSchemaV3, pfUserFileSchemaV3]);
 const pfConfigSchemaV1 = z.object({
 	version: z.literal(1),
 	users: z.partialRecord(z.string(), pfUserSchemaV1),
 	profiles: z.partialRecord(z.string(), pfProfileSchema),
 	current_user: z.string().nullable()
 });
-const LATEST_CONFIG_VERSION = 2;
+const V2_CONFIG_VERSION = 2;
+const LATEST_CONFIG_VERSION = 3;
 const V2_MIN_SDK_VERSION = "1.29.0";
+const V3_MIN_SDK_VERSION = "2.0.0";
 const semverSchema = z.templateLiteral([
 	z.number().int(),
 	".",
@@ -254,7 +209,7 @@ const semverSchema = z.templateLiteral([
 	z.number().int()
 ]);
 const pfConfigSchemaV2 = z.object({
-	version: z.literal(LATEST_CONFIG_VERSION),
+	version: z.literal(V2_CONFIG_VERSION),
 	min_sdk_version: semverSchema,
 	latest_version: z.number().int().optional(),
 	latest_min_sdk_version: semverSchema.optional(),
@@ -262,6 +217,15 @@ const pfConfigSchemaV2 = z.object({
 	profiles: z.partialRecord(z.string(), pfProfileSchema),
 	current_user: z.string().nullable()
 });
+const pfConfigSchemaV3 = z.object({
+	version: z.literal(LATEST_CONFIG_VERSION),
+	min_sdk_version: semverSchema,
+	latest_version: z.number().int().optional(),
+	latest_min_sdk_version: semverSchema.optional(),
+	users: z.partialRecord(z.string(), pfUserSchemaV3),
+	profiles: z.partialRecord(z.string(), pfProfileSchema),
+	current_user: z.string().nullable()
+});
 function platformConfigPath() {
 	if (!xdgConfig) throw new Error("User home directory not found");
 	return path.join(xdgConfig, "tailor-platform", "config.yaml");
@@ -285,13 +249,48 @@ function migrateV1ToV2(v1Config) {
 		};
 	}
 	return {
-		version: LATEST_CONFIG_VERSION,
+		version: V2_CONFIG_VERSION,
 		min_sdk_version: V2_MIN_SDK_VERSION,
 		users,
 		profiles: v1Config.profiles,
 		current_user: v1Config.current_user
 	};
 }
+function inferEmailFromUserId(user) {
+	return z.email().safeParse(user).success ? user : void 0;
+}
+function findConfigUserKey(config, user) {
+	if (config.users[user]) return user;
+	return Object.entries(config.users).find(([, entry]) => entry?.email === user)?.[0];
+}
+function migrateV2ToV3(v2Config) {
+	const users = {};
+	for (const [user, entry] of Object.entries(v2Config.users)) {
+		if (!entry) continue;
+		const email = inferEmailFromUserId(user);
+		users[user] = {
+			...entry,
+			...email ? { email } : {}
+		};
+	}
+	return {
+		version: LATEST_CONFIG_VERSION,
+		min_sdk_version: V3_MIN_SDK_VERSION,
+		users,
+		profiles: v2Config.profiles,
+		current_user: v2Config.current_user
+	};
+}
+function migrateV1ToV3(v1Config) {
+	return migrateV2ToV3(migrateV1ToV2(v1Config));
+}
+async function warnIfNewerConfigAvailable(config) {
+	if (!config.latest_min_sdk_version) return;
+	if (lt((await readPackageJson()).version ?? "0.0.0", config.latest_min_sdk_version)) logger.warn(multiline`
+      A newer config version (${String(config.latest_version)}) is available.
+      Please update your SDK to >= ${config.latest_min_sdk_version}: pnpm update @tailor-platform/sdk
+    `);
+}
 /**
 * Read Tailor Platform CLI configuration, migrating from tailorctl or v1 if necessary.
 * @returns Parsed platform configuration
@@ -308,7 +307,7 @@ async function readPlatformConfig() {
 			current_user: null
 		};
 		writePlatformConfig(v1Config);
-		return migrateV1ToV2(v1Config);
+		return migrateV1ToV3(v1Config);
 	}
 	const rawConfig = parseYAML(fs$1.readFileSync(configPath, "utf-8"));
 	tightenSecretFilePermissions(configPath);
@@ -321,18 +320,18 @@ async function readPlatformConfig() {
       ${updateHint}
     `);
 	}
+	const v3Result = pfConfigSchemaV3.safeParse(rawConfig);
+	if (v3Result.success) {
+		await warnIfNewerConfigAvailable(v3Result.data);
+		return v3Result.data;
+	}
 	const v2Result = pfConfigSchemaV2.safeParse(rawConfig);
 	if (v2Result.success) {
-		if (v2Result.data.latest_min_sdk_version) {
-			if (lt((await readPackageJson()).version ?? "0.0.0", v2Result.data.latest_min_sdk_version)) logger.warn(multiline`
-          A newer config version (${String(v2Result.data.latest_version)}) is available.
-          Please update your SDK to >= ${v2Result.data.latest_min_sdk_version}: pnpm update @tailor-platform/sdk
-        `);
-		}
-		return v2Result.data;
+		await warnIfNewerConfigAvailable(v2Result.data);
+		return migrateV2ToV3(v2Result.data);
 	}
 	const v1Result = pfConfigSchemaV1.safeParse(rawConfig);
-	if (v1Result.success) return migrateV1ToV2(v1Result.data);
+	if (v1Result.success) return migrateV1ToV3(v1Result.data);
 	throw new Error(multiline`
     Failed to parse config file at ${configPath}.
     The file may be corrupted or created by an incompatible SDK version.
@@ -361,9 +360,9 @@ function toV1ForDisk(config) {
 * By default, V2 configs are converted to V1 for backward compatibility, so an
 * older SDK can still read the file. Configs containing a keyring user are kept
 * as V2 regardless, because the keyring storage variant is not representable in
-* V1 and downgrading it would silently drop the user's login. Such configs are
-* already V2 on disk (a keyring entry is only ever persisted with
-* TAILOR_USE_KEYRING set), so keeping V2 does not regress backward compatibility.
+* V1 and downgrading it would silently drop the user's login. V3 configs are
+* kept as V3 because user keys are canonical subject IDs and may include email
+* metadata that is not representable in older versions.
 * Set TAILOR_USE_KEYRING to write V2 format unconditionally.
 *
 * The config file may contain access/refresh tokens when the OS keyring is
@@ -506,7 +505,7 @@ async function loadAccessToken(opts) {
       `);
 		user = u;
 	}
-	return await fetchLatestToken(pfConfig, user);
+	return (await fetchLatestToken(pfConfig, user)).accessToken;
 }
 /**
 * Resolve the actual token values for a user, reading from keyring or config as appropriate.
@@ -533,22 +532,26 @@ async function resolveTokens(userEntry, user) {
 * @param config - Platform config
 * @param user - User identifier
 * @param tokens - Token data to save
-* @param tokens.accessToken
-* @param tokens.refreshToken
+* @param tokens.accessToken - Access token to save
+* @param tokens.refreshToken - Optional refresh token to save
 * @param expiresAt - Token expiration date
+* @param metadata - Optional user metadata to persist with the token entry
 */
-async function saveUserTokens(config, user, tokens, expiresAt) {
+async function saveUserTokens(config, user, tokens, expiresAt, metadata) {
+	const email = metadata?.email ?? config.users[user]?.email;
 	if (process.env.TAILOR_USE_KEYRING && await isKeyringAvailable()) {
 		await saveKeyringTokens(user, tokens);
 		config.users[user] = {
 			token_expires_at: expiresAt,
-			storage: "keyring"
+			storage: "keyring",
+			...email ? { email } : {}
 		};
 	} else config.users[user] = {
 		access_token: tokens.accessToken,
 		refresh_token: tokens.refreshToken,
 		token_expires_at: expiresAt,
-		storage: "file"
+		storage: "file",
+		...email ? { email } : {}
 	};
 }
 /**
@@ -559,20 +562,50 @@ async function saveUserTokens(config, user, tokens, expiresAt) {
 async function deleteUserTokens(config, user) {
 	if (config.users[user]?.storage === "keyring") await deleteKeyringTokens(user);
 }
+function updateUserReferences(config, fromUser, toUser) {
+	if (fromUser === toUser) return;
+	if (config.current_user === fromUser) config.current_user = toUser;
+	for (const profile of Object.values(config.profiles)) if (profile?.user === fromUser) profile.user = toUser;
+}
+/**
+* Remove a legacy alias after a canonical user ID has been written.
+* @param config - Platform config
+* @param legacyUser - Previous user key
+* @param canonicalUser - Canonical user key
+*/
+async function removeLegacyUserAlias(config, legacyUser, canonicalUser) {
+	if (legacyUser === canonicalUser) return;
+	updateUserReferences(config, legacyUser, canonicalUser);
+	await deleteUserTokens(config, legacyUser);
+	delete config.users[legacyUser];
+}
+function shouldResolveSubjectOnRefresh(user, userEntry) {
+	return Boolean(userEntry.email || inferEmailFromUserId(user));
+}
 /**
 * Fetch the latest access token, refreshing if necessary.
 * @param config - Platform config
-* @param user - User name
-* @returns Latest access token
+* @param user - User identifier
+* @returns Latest access token and the canonical user ID it is stored under
+*   (the resolved subject when a legacy email key was migrated during refresh,
+*   otherwise the matching config user)
 */
 async function fetchLatestToken(config, user) {
-	const userEntry = config.users[user];
+	const storedUser = findConfigUserKey(config, user);
+	if (!storedUser) throw new Error(multiline`
+      User "${user}" not found.
+      Please verify your user name and login using 'tailor-sdk login' command.
+    `);
+	const userEntry = config.users[storedUser];
 	if (!userEntry) throw new Error(multiline`
       User "${user}" not found.
       Please verify your user name and login using 'tailor-sdk login' command.
     `);
-	const tokens = await resolveTokens(userEntry, user);
-	if (new Date(userEntry.token_expires_at) > /* @__PURE__ */ new Date()) return tokens.accessToken;
+	const tokens = await resolveTokens(userEntry, storedUser);
+	if (new Date(userEntry.token_expires_at) > /* @__PURE__ */ new Date()) return {
+		accessToken: tokens.accessToken,
+		user: storedUser
+	};
 	if (!tokens.refreshToken) throw new Error(multiline`
       Token expired.
       Please run 'tailor-sdk login' and try again.
@@ -592,12 +625,27 @@ async function fetchLatestToken(config, user) {
     `);
 	}
 	const newExpiresAt = new Date(assertDefined(resp.expiresAt, "token refresh response missing expiresAt")).toISOString();
-	await saveUserTokens(config, user, {
+	let resolvedUser = storedUser;
+	const previousEmail = userEntry.email ?? inferEmailFromUserId(storedUser);
+	let email = previousEmail;
+	if (shouldResolveSubjectOnRefresh(storedUser, userEntry)) try {
+		const userInfo = await fetchUserInfo(resp.accessToken);
+		resolvedUser = userInfo.sub;
+		email = userInfo.email;
+	} catch (error) {
+		logger.debug(`Failed to resolve refreshed token user info: ${String(error)}`);
+	}
+	await saveUserTokens(config, resolvedUser, {
 		accessToken: resp.accessToken,
 		refreshToken: resp.refreshToken ?? void 0
-	}, newExpiresAt);
+	}, newExpiresAt, { email });
+	await removeLegacyUserAlias(config, storedUser, resolvedUser);
+	if (previousEmail && email && previousEmail !== email) logger.info(`Updated local user email from "${previousEmail}" to "${email}".`);
 	writePlatformConfig(config);
-	return resp.accessToken;
+	return {
+		accessToken: resp.accessToken,
+		user: resolvedUser
+	};
 }
 const DEFAULT_CONFIG_FILENAME = "tailor.config.ts";
 /**
@@ -639,12 +687,11 @@ function installCliTailordbStub() {
 
 //#endregion
 //#region src/cli/shared/config-loader.ts
-const GeneratorConfigSchema = CodeGeneratorSchema.brand("CodeGenerator");
 /**
-* Load Tailor configuration file and associated generators and plugins.
+* Load Tailor configuration file and associated plugins.
 * @param configPath - Optional explicit config path
 * @param options - Optional module import behavior.
-* @returns Loaded config, generators, plugins, and config path
+* @returns Loaded config, plugins, and config path
 */
 async function loadConfig(configPath, options = {}) {
 	installCliTailordbStub();
@@ -661,34 +708,8 @@ async function loadConfig(configPath, options = {}) {
 		const issues = validated.error.issues.map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`).join("\n");
 		throw new Error(`Invalid Tailor config in ${resolvedPath}:\n${issues}`);
 	}
-	const allGenerators = [];
 	const allPlugins = [];
 	for (const value of Object.values(configModule)) if (Array.isArray(value)) {
-		const generatorParsed = value.reduce((acc, item) => {
-			if (!acc.success) return acc;
-			const baseResult = BaseGeneratorConfigSchema.safeParse(item);
-			if (baseResult.success && Array.isArray(baseResult.data)) {
-				const [id, options] = baseResult.data;
-				const pluginFactory = builtinPlugins.get(id);
-				if (pluginFactory) {
-					acc.convertedPlugins.push(pluginFactory(options));
-					return acc;
-				}
-			}
-			const result = GeneratorConfigSchema.safeParse(item);
-			if (result.success) acc.items.push(result.data);
-			else acc.success = false;
-			return acc;
-		}, {
-			success: true,
-			items: [],
-			convertedPlugins: []
-		});
-		if (generatorParsed.success && (generatorParsed.items.length > 0 || generatorParsed.convertedPlugins.length > 0)) {
-			allGenerators.push(...generatorParsed.items);
-			allPlugins.push(...generatorParsed.convertedPlugins);
-			continue;
-		}
 		const pluginParsed = value.reduce((acc, item) => {
 			if (!acc.success) return acc;
 			const result = PluginConfigSchema.safeParse(item);
@@ -706,7 +727,6 @@ async function loadConfig(configPath, options = {}) {
 			...configModule.default,
 			path: resolvedPath
 		},
-		generators: allGenerators,
 		plugins: allPlugins
 	};
 }
@@ -907,7 +927,33 @@ function resolveRelativePluginImportPath(pluginImportPath, baseDirs) {
 }
 
 //#endregion
-//#region src/types/plugin.ts
+//#region src/plugin/guards.ts
+/**
+* Collects the generation-time dependency kinds a plugin requires.
+* @param plugin - The plugin object to inspect.
+* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
+* @param plugin.onResolverReady - Hook for resolver readiness.
+* @param plugin.onExecutorReady - Hook for executor readiness.
+* @returns Set of dependency kinds required by the plugin.
+*/
+function getPluginGenerationDependencies(plugin) {
+	const deps = /* @__PURE__ */ new Set();
+	if (plugin.onTailorDBReady) deps.add("tailordb");
+	if (plugin.onResolverReady) deps.add("resolver");
+	if (plugin.onExecutorReady) deps.add("executor");
+	return deps;
+}
+/**
+* Checks if a plugin has any generation-time hooks.
+* @param plugin - The plugin object to inspect.
+* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
+* @param plugin.onResolverReady - Hook for resolver readiness.
+* @param plugin.onExecutorReady - Hook for executor readiness.
+* @returns True if the plugin has at least one generation hook.
+*/
+function hasGenerationHooks(plugin) {
+	return !!(plugin.onTailorDBReady || plugin.onResolverReady || plugin.onExecutorReady);
+}
 /**
 * Checks if a plugin executor uses file-based resolution.
 * @param executor - The plugin executor to check.
@@ -1922,14 +1968,14 @@ const NORMALIZER_IDENTIFIER = "__tailor_normalizeAuthInvoker";
 /**
 * Build the source text of the injected normalizer helper.
 *
-* Accepts either a plain string (machine user name) or the object form
-* `{ namespace, machineUserName }`, and always returns the object form.
+* Accepts a plain string machine user name and returns the object form
+* expected by the platform RPC.
 * The auth namespace is baked in at bundle time.
 * @param authNamespace - Auth service namespace to embed
 * @returns Source line defining the helper
 */
 function buildNormalizerHelperSource(authNamespace) {
-	return `const ${NORMALIZER_IDENTIFIER} = (v) => typeof v === "string" ? { namespace: ${JSON.stringify(authNamespace)}, machineUserName: v } : v;\n`;
+	return `const ${NORMALIZER_IDENTIFIER} = (machineUserName) => ({ namespace: ${JSON.stringify(authNamespace)}, machineUserName });\n`;
 }
 /**
 * Extract authInvoker info from a config object expression
@@ -2189,7 +2235,7 @@ function transformFunctionTriggers(source, workflowNameMap, jobNameMap, workflow
 	} else if (call.kind === "job") {
 		const jobName = jobNameMap.get(call.identifierName);
 		if (jobName) {
-			const transformedCall = `(async () => tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"}))()`;
+			const transformedCall = `tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"})`;
 			replacements.push({
 				start: call.callRange.start,
 				end: call.callRange.end,
@@ -4668,7 +4714,7 @@ function transformWorkflowSource(source, targetJobName, targetJobExportName, oth
 		if (isInsideRemovedRange(call.callRange.start)) continue;
 		const jobName = jobNameMap.get(call.identifierName);
 		if (jobName) {
-			const transformedCall = `(async () => tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"}))()`;
+			const transformedCall = `tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"})`;
 			replacements.push({
 				start: call.callRange.start,
 				end: call.callRange.end,
@@ -5066,6 +5112,17 @@ async function loadFileContent(filePath) {
 	};
 }
 
+//#endregion
+//#region src/cli/shared/auth-namespace.ts
+/**
+* Resolve the auth namespace configured for an application.
+* @param application - Loaded application with local or external Auth config
+* @returns Auth namespace, or undefined when no Auth config is present
+*/
+function getApplicationAuthNamespace(application) {
+	return application.authService?.config.name ?? application.config?.auth?.name;
+}
+
 //#endregion
 //#region src/cli/shared/inline-sourcemap.ts
 /**
@@ -5538,7 +5595,10 @@ async function loadApplication(params) {
 	if (workflowService) await workflowService.loadWorkflows();
 	const httpAdapterService = defineHttpAdapterService(config.httpAdapter);
 	if (httpAdapterService) await httpAdapterService.loadAdapters();
-	const triggerContext = await buildTriggerContext(config.workflow, authResult.authService?.config.name);
+	const triggerContext = await buildTriggerContext(config.workflow, getApplicationAuthNamespace({
+		authService: authResult.authService,
+		config
+	}));
 	const inlineSourcemap = resolveInlineSourcemap(config.inlineSourcemap);
 	const bundleLogLevel = resolveBundleLogLevel(config.logLevel);
 	const bundledScripts = {
@@ -5616,5 +5676,5 @@ async function loadApplication(params) {
 }
 
 //#endregion
-export { readPlatformConfig as A, loadConfig as C, loadConfigPath as D, loadAccessToken as E, saveUserTokens as M, writePlatformConfig as N, loadMachineUserName as O, hashFile as S, fetchLatestToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, INVOKER_EXPR as c, assertUniqueLocalTailorDBTypeNames as d, assertUniqueTailorDBTypeNamesWithExternal as f, composeFunctionTreeshakeOptions as g, platformBundleDefinePlugin as h, resolveInlineSourcemap as i, resolveTokens as j, loadWorkspaceId as k, buildExecutorArgsExpr as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, buildResolverOperationHookExpr as u, resolveBundleLogLevel as v, deleteUserTokens as w, hashContent as x, createBundleCache as y };
-//# sourceMappingURL=application-DGDmL8i_.mjs.map
+export { loadAccessToken as A, getDistDir as C, deleteUserTokens as D, loadConfig as E, removeLegacyUserAlias as F, resolveTokens as I, saveUserTokens as L, loadMachineUserName as M, loadWorkspaceId as N, fetchLatestToken as O, readPlatformConfig as P, writePlatformConfig as R, createBundleCache as S, hashFile as T, composeFunctionTreeshakeOptions as _, getApplicationAuthNamespace as a, getPluginGenerationDependencies as b, HTTP_METHODS as c, buildResolverOperationHookExpr as d, assertUniqueLocalTailorDBTypeNames as f, platformBundleDefinePlugin as g, stringifyFunction as h, resolveInlineSourcemap as i, loadConfigPath as j, findConfigUserKey as k, INVOKER_EXPR as l, TailorDBTypeSchema as m, generatePluginFilesIfNeeded as n, WorkflowJobSchema as o, assertUniqueTailorDBTypeNamesWithExternal as p, loadApplication as r, ResolverSchema as s, defineApplication as t, buildExecutorArgsExpr as u, createLogLevelTreeshakeOptions as v, hashContent as w, hasGenerationHooks as x, resolveBundleLogLevel as y };
+//# sourceMappingURL=application-DqS1yBg3.mjs.map