@tailor-platform/sdk 1.66.1 → 2.0.0-next.1

package/dist/cli/index.mjs

@@ -1,16 +1,15 @@
 #!/usr/bin/env node
-
-import { Et as AuthInvokerSchema, L as CustomDomainStatus, Nt as PATScope, Q as FunctionExecution_Type, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-F0a4cWUM.mjs";
-import { t as assertDefined } from "../assert-CKfwrmCV.mjs";
-import { n as logger, r as styles } from "../logger-DpJyJvNz.mjs";
-import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as commonArgs, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as PluginManager, Dt as jobsCommand, E as resumeCommand, En as apiCommand, F as writeDbTypesFile, Fn as pagedLogArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as paginationArgs, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as toPageDirection, Lt as functionExecutionStatusToString, Mn as confirmationArgs, Mt as getCommand$6, N as generateCommand$1, Nn as deploymentArgs, O as listCommand$12, On as assertWritable, P as generateMigrationScript, Pn as isVerbose, Pt as executionsCommand, Rn as workspaceArgs, Rt as formatKeyValueTable, Sn as sdkNameLabelKey, St as triggerCommand, T as healthCommand, Tn as prompt, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as ensureConfigId, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as configArg, kn as defineAppCommand, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as generateUserTypes, wt as listCommand$6, xn as resourceTrn, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-2nzOZCUb.mjs";
-import { A as readPlatformConfig, C as loadConfig, E as loadAccessToken, M as saveUserTokens, N as writePlatformConfig, O as loadMachineUserName, T as fetchLatestToken, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, b as getDistDir, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as resolveTokens, k as loadWorkspaceId, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, w as deleteUserTokens, x as hashContent$1 } from "../application-DGDmL8i_.mjs";
-import { n as ExecutorSchema } from "../service-wI3Hvrgx.mjs";
-import { t as multiline } from "../multiline-Cf9ODpr1.mjs";
-import { r as isPluginGeneratedType } from "../seed-BH2FbrPV.mjs";
-import { t as readPackageJson } from "../package-json-DcQApfPQ.mjs";
-import { n as isCLIError } from "../errors-EsY4XO6O.mjs";
-import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-0EHy-ayY.mjs";
+import { Et as AuthInvokerSchema, L as CustomDomainStatus, Nt as PATScope, Q as FunctionExecution_Type, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-z_oHGVNy.mjs";
+import { t as assertDefined } from "../assert-DBxo8jPo.mjs";
+import { n as logger, r as styles } from "../logger-CxF-Ex5d.mjs";
+import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as commonArgs, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as PluginManager, Dt as jobsCommand, E as resumeCommand, En as apiCommand, F as writeDbTypesFile, Fn as pagedLogArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as paginationArgs, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as toPageDirection, Lt as functionExecutionStatusToString, Mn as confirmationArgs, Mt as getCommand$6, N as generateCommand$1, Nn as deploymentArgs, O as listCommand$12, On as assertWritable, P as generateMigrationScript, Pn as isVerbose, Pt as executionsCommand, Rn as workspaceArgs, Rt as formatKeyValueTable, Sn as sdkNameLabelKey, St as triggerCommand, T as healthCommand, Tn as prompt, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as ensureConfigId, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as configArg, kn as defineAppCommand, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as generateUserTypes, wt as listCommand$6, xn as resourceTrn, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-n9NCkjee.mjs";
+import { A as loadAccessToken, C as getDistDir, D as deleteUserTokens, E as loadConfig, F as removeLegacyUserAlias, I as resolveTokens, L as saveUserTokens, M as loadMachineUserName, N as loadWorkspaceId, O as fetchLatestToken, P as readPlatformConfig, R as writePlatformConfig, _ as composeFunctionTreeshakeOptions, g as platformBundleDefinePlugin, i as resolveInlineSourcemap, k as findConfigUserKey, l as INVOKER_EXPR, o as WorkflowJobSchema, s as ResolverSchema, t as defineApplication, v as createLogLevelTreeshakeOptions, w as hashContent$1, y as resolveBundleLogLevel } from "../application-DqS1yBg3.mjs";
+import { n as ExecutorSchema } from "../service-CCL8ruDf.mjs";
+import { t as multiline } from "../multiline-sfHpTZZK.mjs";
+import { t as readPackageJson } from "../package-json-8b0O9TlX.mjs";
+import { n as isCLIError } from "../errors-Dtf2WPaW.mjs";
+import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-BsjAkFWw.mjs";
+import { t as isPluginGeneratedType } from "../type-source-DH_LH20p.mjs";
 import { arg, defineCommand, runCommand, runMain } from "politty";
 import { withCompletionCommand } from "politty/completion";
 import { z } from "zod";
@@ -453,7 +452,6 @@ function parseCrashLogFile(content) {
 //#region src/cli/commands/crashreport/index.ts
 const crashReportCommand = defineCommand({
 	name: "crashreport",
-	aliases: ["crash-report"],
 	description: "Manage crash reports.",
 	subCommands: {
 		list: listCommand$5,
@@ -468,7 +466,6 @@ const crashReportCommand = defineCommand({
 //#region src/cli/commands/deploy/index.ts
 const deployCommand$1 = defineAppCommand({
 	name: "deploy",
-	aliases: ["apply"],
 	description: "Deploy your application by applying the Tailor configuration.",
 	args: z.object({
 		...deploymentArgs,
@@ -484,7 +481,7 @@ const deployCommand$1 = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const { initTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { initTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await initTelemetry();
 		await deploy({
 			workspaceId: args["workspace-id"],
@@ -572,32 +569,24 @@ function scriptNameToRegistryName(scriptName, executionType) {
 /**
 * Download a deployed function script.
 *
-* Returns the bundled script content together with the registry
-* entry's `updatedAt` timestamp. Returns null when the download fails
-* (script removed, network error, etc.) or when no content chunks are
-* received; errors are swallowed so callers can fall back to a
-* non-sourcemap display.
+* Returns the bundled script content. Returns null when the download
+* fails (script removed, network error, etc.) or when no content
+* chunks are received; errors are swallowed so callers can fall back
+* to a non-sourcemap display.
 * @param options - Download options
-* @returns Script content plus metadata, or null on failure / empty response
+* @returns Script content, or null on failure / empty response
 */
 async function downloadFunctionScript(options) {
 	const { client, workspaceId, name, contentHash } = options;
 	try {
 		const chunks = [];
-		let registryUpdatedAt = null;
 		for await (const response of client.downloadFunctionRegistryScript({
 			workspaceId,
 			name,
 			contentHash
-		})) if (response.payload.case === "metadata") {
-			const updatedAt = response.payload.value.function?.updatedAt;
-			if (updatedAt) registryUpdatedAt = timestampDate(updatedAt);
-		} else if (response.payload.case === "chunk") chunks.push(response.payload.value);
+		})) if (response.payload.case === "chunk") chunks.push(response.payload.value);
 		if (chunks.length === 0) return null;
-		return {
-			code: Buffer.concat(chunks).toString("utf-8"),
-			registryUpdatedAt
-		};
+		return { code: Buffer.concat(chunks).toString("utf-8") };
 	} catch (error) {
 		logger.debug(`Failed to download function script "${options.name}": ${error}`);
 		return null;
@@ -966,13 +955,12 @@ function printFunctionExecutionDetail(options) {
 /**
 * Download a deployed function script for sourcemap mapping. Logs a
 * debug message on failure but never throws. Error display falls back
-* to a plain-text format when the script cannot be retrieved or when
-* the current registry entry is stale relative to the execution.
+* to a plain-text format when the script cannot be retrieved.
 *
 * When `executionContentHash` is non-empty, the download is pinned to
 * that exact bundle so mapping stays correct across redeploys. When
-* empty (older servers), falls back to comparing `registryUpdatedAt`
-* against `executionStartedAt`.
+* empty, mapping is skipped because the exact bundle cannot be
+* identified.
 *
 * `FunctionExecution.scriptName` does not match the function registry
 * name directly; `scriptNameToRegistryName` translates between the two
@@ -983,50 +971,37 @@ function printFunctionExecutionDetail(options) {
 * @param options.scriptName - Script name (matches FunctionExecution.scriptName)
 * @param options.executionType - Execution type used to discriminate registry name translation
 * @param options.executionContentHash - Content hash of the bundle that ran; pins the download when non-empty
-* @param options.executionStartedAt - Execution start timestamp used as fallback staleness signal
-* @returns Bundled script content, or null when unavailable / stale
+* @returns Bundled script content, or null when unavailable
 */
 async function downloadScriptForMapping(options) {
-	const { client, workspaceId, scriptName, executionType, executionContentHash, executionStartedAt } = options;
+	const { client, workspaceId, scriptName, executionType, executionContentHash } = options;
 	const registryName = scriptNameToRegistryName(scriptName, executionType);
 	if (registryName == null) {
 		logger.debug(`Script "${scriptName}" is not a deployed registry script (e.g. test-run or seed); skipping sourcemap mapping.`);
 		return null;
 	}
-	if (executionContentHash !== "") {
-		const pinned = await downloadFunctionScript({
-			client,
-			workspaceId,
-			name: registryName,
-			contentHash: executionContentHash
-		});
-		if (pinned == null) {
-			logger.debug(`Could not download pinned script "${scriptName}" (registry: "${registryName}", contentHash: "${executionContentHash}") for stack trace mapping; showing raw stack trace.`);
-			return null;
-		}
-		return pinned.code;
+	if (executionContentHash === "") {
+		logger.debug(`Function execution "${scriptName}" has no contentHash; skipping sourcemap mapping because the exact bundle cannot be identified.`);
+		return null;
 	}
-	const result = await downloadFunctionScript({
+	const pinned = await downloadFunctionScript({
 		client,
 		workspaceId,
-		name: registryName
+		name: registryName,
+		contentHash: executionContentHash
 	});
-	if (result == null) {
-		logger.debug(`Could not download script "${scriptName}" (registry: "${registryName}") for stack trace mapping; showing raw stack trace.`);
+	if (pinned == null) {
+		logger.debug(`Could not download pinned script "${scriptName}" (registry: "${registryName}", contentHash: "${executionContentHash}") for stack trace mapping; showing raw stack trace.`);
 		return null;
 	}
-	if (executionStartedAt != null && result.registryUpdatedAt != null && result.registryUpdatedAt.getTime() > executionStartedAt.getTime()) {
-		logger.debug(`Registry script "${registryName}" was updated at ${result.registryUpdatedAt.toISOString()} after execution started at ${executionStartedAt.toISOString()}; skipping sourcemap mapping to avoid stale source locations.`);
-		return null;
-	}
-	return result.code;
+	return pinned.code;
 }
 const logsCommand = defineAppCommand({
 	name: "logs",
 	description: "List or get function execution logs.",
 	notes: `When viewing a specific execution that failed, the command displays error details with the stack trace mapped back to your original source files (clickable file links and code snippets, matching \`function test-run\` output).
 
-Stack traces stay accurate even after later redeploys, because the trace is resolved against the exact build that produced the execution. If that build is no longer available, the command falls back to a plain-text error display.`,
+Stack traces are mapped only when the execution includes a content hash for the exact build that ran. If the content hash is missing or the build is no longer available, the command falls back to a plain-text error display.`,
 	examples: [
 		{
 			cmd: "",
@@ -1074,8 +1049,7 @@ Stack traces stay accurate even after later redeploys, because the trace is reso
 					workspaceId,
 					scriptName: detail.scriptName,
 					executionType: execution.type,
-					executionContentHash: execution.contentHash,
-					executionStartedAt: detail.startedAt
+					executionContentHash: execution.contentHash
 				}) : null
 			});
 		} else {
@@ -1284,7 +1258,7 @@ async function detectFunctionType(options) {
 		const rawInput = module.default.input;
 		let inputSchema;
 		if (rawInput) {
-			const { t } = await import("../types-2Be3wSMc.mjs");
+			const { t } = await import("../types-ClhIrW_C.mjs");
 			inputSchema = t.object(rawInput);
 		}
 		return {
@@ -1474,7 +1448,7 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 				if (!detected.hasInput) {
 					logger.warn("--arg is ignored because this resolver has no input schema. Define \"input\" in your resolver to use --arg.");
 					args.arg = void 0;
-				} else if (detected.inputSchema) args.arg = resolveResolverArg(args.arg, detected.inputSchema, machineUser, workspaceId);
+				} else if (detected.inputSchema) JSON.parse(args.arg);
 			}
 			logger.info("Bundling...");
 			({bundledCode, scriptName} = await bundleForTestRun({
@@ -1600,42 +1574,6 @@ async function resolveMachineUser(options) {
 		attributeList
 	};
 }
-/**
-* Resolve resolver arg format: detect and unwrap deprecated {"input":{...}} wrapper.
-* Tries new format (arg = input fields) first via schema parse.
-* If that fails and arg looks like old format, tries unwrapping.
-* @param argStr - JSON string of the arg
-* @param inputSchema - Pre-built schema object from detect (has .parse())
-* @param machineUser - Resolved machine user info
-* @param workspaceId - Workspace ID
-* @returns Resolved JSON string (unwrapped if old format)
-*/
-function resolveResolverArg(argStr, inputSchema, machineUser, workspaceId) {
-	const parsed = JSON.parse(argStr);
-	const user = {
-		id: machineUser.id,
-		type: "machine_user",
-		workspaceId,
-		attributes: machineUser.attributes ?? null,
-		attributeList: machineUser.attributeList
-	};
-	if (!inputSchema.parse({
-		value: parsed,
-		data: parsed,
-		user
-	}).issues) return argStr;
-	if (Object.keys(parsed).length === 1 && parsed.input != null && typeof parsed.input === "object" && !Array.isArray(parsed.input)) {
-		if (!inputSchema.parse({
-			value: parsed.input,
-			data: parsed.input,
-			user
-		}).issues) {
-			logger.warn("[DEPRECATED] Wrapping args with \"input\" key (e.g. {\"input\":{...}}) is deprecated. Pass input fields directly (e.g. {\"a\":1}). The \"input\" wrapper will be removed in v2.");
-			return JSON.stringify(parsed.input);
-		}
-	}
-	return argStr;
-}
 
 //#endregion
 //#region src/cli/commands/function/index.ts
@@ -1669,7 +1607,7 @@ const generateCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
-		const { initTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { initTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await initTelemetry();
 		await generate({
 			configPath: args.config,
@@ -1748,11 +1686,12 @@ const startAuthServer = async () => {
 				});
 				const userInfo = await fetchUserInfo(tokens.accessToken);
 				const pfConfig = await readPlatformConfig();
-				await saveUserTokens(pfConfig, userInfo.email, {
+				await saveUserTokens(pfConfig, userInfo.sub, {
 					accessToken: tokens.accessToken,
 					refreshToken: tokens.refreshToken ?? void 0
-				}, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString());
-				pfConfig.current_user = userInfo.email;
+				}, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString(), { email: userInfo.email });
+				await removeLegacyUserAlias(pfConfig, userInfo.email, userInfo.sub);
+				pfConfig.current_user = userInfo.sub;
 				writePlatformConfig(pfConfig);
 				res.writeHead(200, { "Content-Type": "application/json" });
 				res.end(JSON.stringify({
@@ -1806,7 +1745,6 @@ const loginCommand = defineAppCommand({
 	description: "Login to Tailor Platform.",
 	args: z.xor([z.object({}).strict().describe("User Login"), z.object({
 		"machine-user": arg(z.literal(true), {
-			hiddenAlias: "machineuser",
 			description: "Login as a platform machine user.",
 			required: true
 		}),
@@ -1977,7 +1915,7 @@ const createCommand$2 = defineAppCommand({
 		}),
 		user: arg(z.string(), {
 			alias: "u",
-			description: "User email"
+			description: "User email address or machine user client ID"
 		}),
 		"workspace-id": arg(z.string(), {
 			alias: "w",
@@ -1994,7 +1932,8 @@ const createCommand$2 = defineAppCommand({
 		if (args["machine-user-override"] === "deny" && !args["machine-user"]) throw new Error("--machine-user-override deny requires --machine-user.");
 		const config = await readPlatformConfig();
 		if (config.profiles[args.name]) throw new Error(`Profile "${args.name}" already exists.`);
-		const client = await initOperatorClient(await fetchLatestToken(config, args.user));
+		const { accessToken: token, user: resolvedUser } = await fetchLatestToken(config, args.user);
+		const client = await initOperatorClient(token);
 		if (!(await fetchAll(async (pageToken, maxPageSize) => {
 			const { workspaces, nextPageToken } = await client.listWorkspaces({
 				pageToken,
@@ -2003,7 +1942,7 @@ const createCommand$2 = defineAppCommand({
 			return [workspaces, nextPageToken];
 		})).find((ws) => ws.id === args["workspace-id"])) throw new Error(`Workspace "${args["workspace-id"]}" not found.`);
 		config.profiles[args.name] = {
-			user: args.user,
+			user: resolvedUser,
 			workspace_id: args["workspace-id"],
 			...args.permission === "read" ? { readonly: true } : {},
 			...args["machine-user"] ? { machine_user: args["machine-user"] } : {},
@@ -2013,7 +1952,7 @@ const createCommand$2 = defineAppCommand({
 		if (!args.json) logger.success(`Profile "${args.name}" created successfully.`);
 		const profileInfo = {
 			name: args.name,
-			user: args.user,
+			user: resolvedUser,
 			workspaceId: args["workspace-id"],
 			permission: args.permission,
 			...args["machine-user"] ? {
@@ -2090,7 +2029,7 @@ const updateCommand$1 = defineAppCommand({
 		}),
 		user: arg(z.string().optional(), {
 			alias: "u",
-			description: "New user email"
+			description: "New user email address or machine user client ID"
 		}),
 		"workspace-id": arg(z.string().optional(), {
 			alias: "w",
@@ -2112,6 +2051,7 @@ const updateCommand$1 = defineAppCommand({
 		const newUser = args.user || oldUser;
 		const oldWorkspaceId = profile.workspace_id;
 		const newWorkspaceId = args["workspace-id"] || oldWorkspaceId;
+		let resolvedUser = newUser;
 		const finalMachineUser = args["machine-user"] === "" ? void 0 : args["machine-user"] ?? profile.machine_user;
 		const finalOverride = args["machine-user-override"] === "allow" ? void 0 : args["machine-user-override"] ?? profile.machine_user_override;
 		if ((args["machine-user"] !== void 0 || args["machine-user-override"] !== void 0) && finalOverride === "deny" && !finalMachineUser) {
@@ -2119,7 +2059,9 @@ const updateCommand$1 = defineAppCommand({
 			throw new Error(`Cannot clear the machine user while machine-user-override is "deny". Also pass --machine-user-override allow.`);
 		}
 		if (args.user !== void 0 || args["workspace-id"] !== void 0) {
-			const client = await initOperatorClient(await fetchLatestToken(config, newUser));
+			const refreshed = await fetchLatestToken(config, newUser);
+			resolvedUser = refreshed.user;
+			const client = await initOperatorClient(refreshed.accessToken);
 			if (!(await fetchAll(async (pageToken, maxPageSize) => {
 				const { workspaces, nextPageToken } = await client.listWorkspaces({
 					pageToken,
@@ -2128,7 +2070,7 @@ const updateCommand$1 = defineAppCommand({
 				return [workspaces, nextPageToken];
 			})).find((ws) => ws.id === newWorkspaceId)) throw new Error(`Workspace "${newWorkspaceId}" not found.`);
 		}
-		profile.user = newUser;
+		profile.user = resolvedUser;
 		profile.workspace_id = newWorkspaceId;
 		if (args.permission === "read") profile.readonly = true;
 		else if (args.permission === "write") delete profile.readonly;
@@ -2140,7 +2082,7 @@ const updateCommand$1 = defineAppCommand({
 		if (!args.json) logger.success(`Profile "${args.name}" updated successfully`);
 		const profileInfo = {
 			name: args.name,
-			user: newUser,
+			user: resolvedUser,
 			workspaceId: newWorkspaceId,
 			permission: profile.readonly === true ? "read" : "write",
 			...profile.machine_user ? {
@@ -2707,7 +2649,7 @@ function findTarget(lock, kind, workspaceName) {
 
 //#endregion
 //#region src/cli/commands/setup/github/branch.workflow.yml
-var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-merge-base\n        if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork\n        env:\n          BASE_REF: ${{ github.base_ref }}\n        run: |\n          git config user.name \"github-actions[bot]\"\n          git config user.email \"41898282+github-actions[bot]@users.noreply.github.com\"\n          git fetch origin \"$BASE_REF:refs/remotes/origin/$BASE_REF\"\n          git merge --no-edit \"origin/$BASE_REF\"\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-plan\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: |\n          if [ -z \"$TAILOR_PLATFORM_WORKSPACE_ID\" ]; then\n            echo \"exit-code=\" >> \"$GITHUB_OUTPUT\"\n            exit 0\n          fi\n\n          set +e\n          OUTPUT=$(__PM_EXEC__ tailor-sdk deploy --dry-run --yes 2>&1)\n          EXIT_CODE=$?\n          set -e\n\n          MAX_OUTPUT=60000\n          if [ \"${#OUTPUT}\" -gt \"$MAX_OUTPUT\" ]; then\n            LOG_STOP_TOKEN=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n            echo \"::group::Full Tailor Platform plan output\"\n            echo \"::stop-commands::$LOG_STOP_TOKEN\"\n            printf '%s\\n' \"$OUTPUT\"\n            echo \"::$LOG_STOP_TOKEN::\"\n            echo \"::endgroup::\"\n            OUTPUT_TAIL=\"${OUTPUT: -$MAX_OUTPUT}\"\n            OUTPUT=$(printf '%s\\n\\n%s' \"[output truncated to the last $MAX_OUTPUT characters - see the workflow logs for the full plan]\" \"$OUTPUT_TAIL\")\n          fi\n\n          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n          {\n            echo \"exit-code=$EXIT_CODE\"\n            echo \"output<<$EOF\"\n            echo \"$OUTPUT\"\n            echo \"$EOF\"\n          } >> \"$GITHUB_OUTPUT\"\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-plan-summary\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        run: |\n          if [ -n \"$LABEL\" ]; then\n            KEY=\"$LABEL\"\n          elif [ -n \"$WORKSPACE_ID\" ]; then\n            KEY=\"$WORKSPACE_ID\"\n          else\n            KEY=\"workspace\"\n          fi\n\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            {\n              echo \"## Tailor Platform Plan ($KEY)\"\n              echo \"\"\n              echo \"Workspace is not provisioned yet. Set TAILOR_PLATFORM_WORKSPACE_ID after provisioning the workspace.\"\n            } >> \"$GITHUB_STEP_SUMMARY\"\n            exit 0\n          fi\n\n          if [ \"$DRY_RUN_EXIT_CODE\" = \"0\" ]; then\n            STATUS=\"PASS\"\n          else\n            STATUS=\"FAIL\"\n          fi\n\n          {\n            echo \"## $STATUS Tailor Platform Plan ($KEY)\"\n            echo \"\"\n            echo \"<details>\"\n            echo \"<summary>Plan output (exit code: $DRY_RUN_EXIT_CODE)</summary>\"\n            echo \"\"\n            echo '```'\n            echo \"$DRY_RUN_OUTPUT\"\n            echo '```'\n            echo \"\"\n            echo \"</details>\"\n          } >> \"$GITHUB_STEP_SUMMARY\"\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          LABEL: __WORKSPACE_NAME__\n          DRY_RUN_OUTPUT: ${{ steps.tailor-plan.outputs.output }}\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n      - id: tailor-plan-comment\n        if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork\n        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          LABEL: __WORKSPACE_NAME__\n          DRY_RUN_OUTPUT: ${{ steps.tailor-plan.outputs.output }}\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n        with:\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n          script: |\n            const workspaceId = process.env.WORKSPACE_ID;\n            const label = process.env.LABEL;\n            const key = label || workspaceId || 'workspace';\n            const marker = `<!-- tailor-plan: ${key} -->`;\n\n            let body;\n            if (!workspaceId) {\n              body = [\n                marker,\n                `## Tailor Platform Plan (${key})`,\n                '',\n                'Workspace is not provisioned yet. Set TAILOR_PLATFORM_WORKSPACE_ID after provisioning the workspace.',\n                '',\n              ].join('\\n');\n            } else {\n              const exitCode = process.env.DRY_RUN_EXIT_CODE;\n              let output = process.env.DRY_RUN_OUTPUT;\n              const MAX_OUTPUT = 60000;\n              if (output.length > MAX_OUTPUT) {\n                const note = `[output truncated to the last ${MAX_OUTPUT} characters - see the job's step summary for the full plan]\\n\\n`;\n                output = note + output.slice(output.length - MAX_OUTPUT);\n              }\n              const status = exitCode === '0' ? 'PASS' : 'FAIL';\n              body = [\n                marker,\n                `## ${status} Tailor Platform Plan (${key})`,\n                '',\n                '<details>',\n                `<summary>Plan output (exit code: ${exitCode})</summary>`,\n                '',\n                '```',\n                output,\n                '```',\n                '',\n                '</details>',\n                '',\n              ].join('\\n');\n            }\n\n            const comments = await github.paginate(github.rest.issues.listComments, {\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.issue.number,\n              per_page: 100,\n            });\n            const existingComment = comments.find(comment =>\n              comment.body?.includes(marker) &&\n              comment.user?.type === 'Bot' &&\n              comment.user?.login === 'github-actions[bot]'\n            );\n            if (existingComment) {\n              await github.rest.issues.updateComment({\n                owner: context.repo.owner,\n                repo: context.repo.repo,\n                comment_id: existingComment.id,\n                body,\n              });\n            } else {\n              await github.rest.issues.createComment({\n                owner: context.repo.owner,\n                repo: context.repo.repo,\n                issue_number: context.issue.number,\n                body,\n              });\n            }\n      - id: tailor-plan-fail\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          if [ \"$DRY_RUN_EXIT_CODE\" != \"0\" ]; then\n            echo \"::error::Plan dry-run failed with exit code $DRY_RUN_EXIT_CODE\"\n            exit \"$DRY_RUN_EXIT_CODE\"\n          fi\n        env:\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-validate-workspace\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n        run: |\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            echo \"::error::Workspace is not provisioned: TAILOR_PLATFORM_WORKSPACE_ID is empty. Provision the workspace and set the variable.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-deploy\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk deploy --yes\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-bun.yml
@@ -2727,7 +2669,7 @@ var setup_yarn_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48
 
 //#endregion
 //#region src/cli/commands/setup/github/tag.workflow.yml
-var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        env:\n          TARGET_BRANCH: \"__BRANCH__\"\n        run: |\n          git fetch origin \"$TARGET_BRANCH\"\n          if git merge-base --is-ancestor \"$GITHUB_SHA\" \"origin/$TARGET_BRANCH\"; then\n            echo \"on-branch=true\" >> \"$GITHUB_OUTPUT\"\n          else\n            # A tag outside the target branch is not an error — just skip.\n            echo \"on-branch=false\" >> \"$GITHUB_OUTPUT\"\n            echo \"::notice::Tag $GITHUB_REF_NAME is not reachable from $TARGET_BRANCH; skipping deploy.\"\n          fi\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        env:\n          TARGET_BRANCH: \"__BRANCH__\"\n        run: |\n          git fetch origin \"$TARGET_BRANCH\"\n          if git merge-base --is-ancestor \"$GITHUB_SHA\" \"origin/$TARGET_BRANCH\"; then\n            echo \"on-branch=true\" >> \"$GITHUB_OUTPUT\"\n          else\n            # A tag outside the target branch is not an error — just skip.\n            echo \"on-branch=false\" >> \"$GITHUB_OUTPUT\"\n            echo \"::notice::Tag $GITHUB_REF_NAME is not reachable from $TARGET_BRANCH; skipping deploy.\"\n          fi\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-plan\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: |\n          if [ -z \"$TAILOR_PLATFORM_WORKSPACE_ID\" ]; then\n            echo \"exit-code=\" >> \"$GITHUB_OUTPUT\"\n            exit 0\n          fi\n\n          set +e\n          OUTPUT=$(__PM_EXEC__ tailor-sdk deploy --dry-run --yes 2>&1)\n          EXIT_CODE=$?\n          set -e\n\n          MAX_OUTPUT=60000\n          if [ \"${#OUTPUT}\" -gt \"$MAX_OUTPUT\" ]; then\n            LOG_STOP_TOKEN=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n            echo \"::group::Full Tailor Platform plan output\"\n            echo \"::stop-commands::$LOG_STOP_TOKEN\"\n            printf '%s\\n' \"$OUTPUT\"\n            echo \"::$LOG_STOP_TOKEN::\"\n            echo \"::endgroup::\"\n            OUTPUT_TAIL=\"${OUTPUT: -$MAX_OUTPUT}\"\n            OUTPUT=$(printf '%s\\n\\n%s' \"[output truncated to the last $MAX_OUTPUT characters - see the workflow logs for the full plan]\" \"$OUTPUT_TAIL\")\n          fi\n\n          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n          {\n            echo \"exit-code=$EXIT_CODE\"\n            echo \"output<<$EOF\"\n            echo \"$OUTPUT\"\n            echo \"$EOF\"\n          } >> \"$GITHUB_OUTPUT\"\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-plan-summary\n        run: |\n          if [ -n \"$LABEL\" ]; then\n            KEY=\"$LABEL\"\n          elif [ -n \"$WORKSPACE_ID\" ]; then\n            KEY=\"$WORKSPACE_ID\"\n          else\n            KEY=\"workspace\"\n          fi\n\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            {\n              echo \"## Tailor Platform Plan ($KEY)\"\n              echo \"\"\n              echo \"Workspace is not provisioned yet. Set TAILOR_PLATFORM_WORKSPACE_ID after provisioning the workspace.\"\n            } >> \"$GITHUB_STEP_SUMMARY\"\n            exit 0\n          fi\n\n          if [ \"$DRY_RUN_EXIT_CODE\" = \"0\" ]; then\n            STATUS=\"PASS\"\n          else\n            STATUS=\"FAIL\"\n          fi\n\n          {\n            echo \"## $STATUS Tailor Platform Plan ($KEY)\"\n            echo \"\"\n            echo \"<details>\"\n            echo \"<summary>Plan output (exit code: $DRY_RUN_EXIT_CODE)</summary>\"\n            echo \"\"\n            echo '```'\n            echo \"$DRY_RUN_OUTPUT\"\n            echo '```'\n            echo \"\"\n            echo \"</details>\"\n          } >> \"$GITHUB_STEP_SUMMARY\"\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          LABEL: __WORKSPACE_NAME__\n          DRY_RUN_OUTPUT: ${{ steps.tailor-plan.outputs.output }}\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n      - id: tailor-plan-fail\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          if [ \"$DRY_RUN_EXIT_CODE\" != \"0\" ]; then\n            echo \"::error::Plan dry-run failed with exit code $DRY_RUN_EXIT_CODE\"\n            exit \"$DRY_RUN_EXIT_CODE\"\n          fi\n        env:\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-validate-workspace\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n        run: |\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            echo \"::error::Workspace is not provisioned: TAILOR_PLATFORM_WORKSPACE_ID is empty. Provision the workspace and set the variable.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-deploy\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk deploy --yes\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/templates.ts
@@ -2818,8 +2760,8 @@ function renderBranchWorkflow(params) {
 	out = line(out, "PATHS", params.workingDirectory ? `paths: ["${params.workingDirectory}/**"]` : void 0);
 	out = applyCommon(out, params).replaceAll("__BRANCH__", () => branch);
 	const generatedIds = [];
-	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
-	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", "tailor-plan/tailor-merge-base", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-mask-credentials", "tailor-plan/tailor-login", "tailor-plan/tailor-plan", "tailor-plan/tailor-plan-summary", "tailor-plan/tailor-plan-comment", "tailor-plan/tailor-plan-fail");
+	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-validate-workspace", "tailor-deploy/tailor-mask-credentials", "tailor-deploy/tailor-login", "tailor-deploy/tailor-generate", "tailor-deploy/tailor-deploy");
 	return {
 		content: out,
 		generatedIds
@@ -2844,7 +2786,7 @@ function renderTagWorkflow(params) {
 	if (hasGuard) out = out.replaceAll("__BRANCH__", () => branch);
 	const generatedIds = [];
 	if (hasGuard) generatedIds.push("tailor-tag-guard", "tailor-tag-guard/tailor-checkout", "tailor-tag-guard/tailor-tag-guard");
-	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan", "tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-mask-credentials", "tailor-plan/tailor-login", "tailor-plan/tailor-plan", "tailor-plan/tailor-plan-summary", "tailor-plan/tailor-plan-fail", "tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-validate-workspace", "tailor-deploy/tailor-mask-credentials", "tailor-deploy/tailor-login", "tailor-deploy/tailor-generate", "tailor-deploy/tailor-deploy");
 	return {
 		content: out,
 		generatedIds
@@ -3067,7 +3009,7 @@ async function setupGitHub(options) {
 		kind: resolved.kind,
 		workspaceName: resolved.workspaceName,
 		file: resolved.file,
-		templateVersion: 1,
+		templateVersion: 2,
 		inputs: resolved.inputs,
 		generatedIds: resolved.render.generatedIds,
 		ejectedIds: existing?.ejectedIds ?? [],
@@ -4807,7 +4749,7 @@ async function fetchRemoteTypes(client, workspaceId, namespace) {
 async function assertMigrationsReproduceLocalTypes(loaded, target) {
 	const { config, plugins } = loaded;
 	const pluginManager = plugins.length > 0 ? new PluginManager(plugins) : void 0;
-	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-nTydHJm8.mjs");
+	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-DB2r36Et.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -4819,7 +4761,7 @@ async function assertMigrationsReproduceLocalTypes(loaded, target) {
 		await service.processNamespacePlugins();
 	}
 	const pluginExecutorFiles = generatePluginFilesIfNeeded(pluginManager, application.tailorDBServices, config.path);
-	const executorService = application.executorService ?? (pluginExecutorFiles.length > 0 ? (await import("../service-BHQIerYh.mjs")).createExecutorService({ config: { files: [] } }) : void 0);
+	const executorService = application.executorService ?? (pluginExecutorFiles.length > 0 ? (await import("../service-D6yonf2I.mjs")).createExecutorService({ config: { files: [] } }) : void 0);
 	await executorService?.loadExecutors();
 	if (pluginExecutorFiles.length > 0) await executorService?.loadPluginExecutorFiles([...pluginExecutorFiles]);
 	const executorUsedTypes = /* @__PURE__ */ new Set();
@@ -5094,9 +5036,9 @@ const upgradeCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
-		const { initTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { initTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await initTelemetry();
-		const { upgrade } = await import("../service-DMohAx8a2.mjs");
+		const { upgrade } = await import("../service-DU1mVzri.mjs");
 		await upgrade({
 			from: args.from,
 			dryRun: args["dry-run"],
@@ -5237,7 +5179,8 @@ const createCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		const client = await initOperatorClient(token);
 		const scopes = getScopesFromWriteFlag(args.write);
 		const result = await client.createPersonalAccessToken({
 			name: args.name,
@@ -5264,7 +5207,8 @@ const deleteCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		await (await initOperatorClient(await fetchLatestToken(config, config.current_user))).deletePersonalAccessToken({ name: args.name });
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		await (await initOperatorClient(token)).deletePersonalAccessToken({ name: args.name });
 		logger.success(`Personal access token "${args.name}" deleted successfully.`);
 	}
 });
@@ -5282,7 +5226,8 @@ const listCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		const client = await initOperatorClient(token);
 		const pageDirection = toPageDirection(args.order);
 		const pats = await fetchPaged(async (pageToken, pageSize) => {
 			const { personalAccessTokens, nextPageToken } = await client.listPersonalAccessTokens({
@@ -5335,7 +5280,8 @@ const updateCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		const client = await initOperatorClient(token);
 		await client.deletePersonalAccessToken({ name: args.name });
 		const scopes = getScopesFromWriteFlag(args.write);
 		const result = await client.createPersonalAccessToken({
@@ -5370,15 +5316,16 @@ const switchCommand = defineAppCommand({
 	description: "Set current user.",
 	args: z.object({ user: arg(z.string(), {
 		positional: true,
-		description: "User email"
+		description: "User email address or machine user client ID"
 	}) }).strict(),
 	run: async (args) => {
 		const config = await readPlatformConfig();
-		if (!config.users[args.user]) throw new Error(multiline`
+		const user = findConfigUserKey(config, args.user);
+		if (!user) throw new Error(multiline`
         User "${args.user}" not found.
         Please login first using 'tailor-sdk login' command to register this user.
       `);
-		config.current_user = args.user;
+		config.current_user = user;
 		writePlatformConfig(config);
 		logger.success(`Current user set to "${args.user}" successfully.`);
 	}
@@ -5522,11 +5469,11 @@ runMain(mainCommand, {
 				if (isVerbose() && error.stack) logger.debug(`\nStack trace:\n${error.stack}`);
 			} else logger.error(`Unknown error: ${error}`);
 			if (!isCLIError(error) && (!(error instanceof Error) || error instanceof TypeError || error instanceof RangeError)) {
-				const { reportCrash } = await import("../crashreport-Bf6uT6mf.mjs");
+				const { reportCrash } = await import("../crashreport-pr6Rhvza.mjs");
 				await reportCrash(error, "handledError");
 			}
 		}
-		const { shutdownTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { shutdownTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await shutdownTelemetry();
 	}
 });