@tailor-platform/sdk 1.67.1 → 1.69.0

package/dist/{runtime-BU6KtCvk.mjs → runtime-jowoN6qC.mjs}

@@ -1,9 +1,10 @@
 
 import { t as db } from "./schema-1msIhXwA.mjs";
-import { $ as WorkflowJobExecution_Status, $t as AuthHookPoint, A as loadMachineUserName, At as ExecutorJobStatus, Bt as CreateAuthServiceRequestSchema, Ct as IdPLang, Et as FunctionExecution_Status, F as writePlatformConfig, Ft as CreateAuthIDPConfigRequestSchema, G as resolveStaticWebsiteUrls, Gt as UpdateAuthMachineUserRequestSchema, Ht as CreateUserProfileConfigRequestSchema, It as CreateAuthMachineUserRequestSchema, J as WorkspacePlatformUserRole, Jt as UpdateAuthSCIMResourceRequestSchema, K as byName, Kt as UpdateAuthOAuth2ClientRequestSchema, L as fetchAll, Lt as CreateAuthOAuth2ClientRequestSchema, M as readPlatformConfig, Mt as ExecutorTriggerType, Nt as CreateAuthConnectionRequestSchema, O as loadAccessToken, Ot as CreateExecutorExecutorRequestSchema, Pt as CreateAuthHookRequestSchema, Q as WorkflowExecution_Status, Qt as AuthConnection_Type, R as fetchMachineUserToken, Rt as CreateAuthSCIMConfigRequestSchema, S as getDistDir, St as UpdateIdPServiceRequestSchema, T as loadConfig, Tt as IdPPermissionPermit, U as initOperatorClient, Ut as UpdateAuthHookRequestSchema, Vt as CreateTenantConfigRequestSchema, W as platformBaseUrl, Wt as UpdateAuthIDPConfigRequestSchema, X as CreateWorkflowRequestSchema, Xt as UpdateTenantConfigRequestSchema, Y as CreateWorkflowJobFunctionRequestSchema, Yt as UpdateAuthServiceRequestSchema, Z as UpdateWorkflowRequestSchema, Zt as UpdateUserProfileConfigRequestSchema, _n as Condition_Operator, _t as CreatePipelineServiceRequestSchema, an as AuthSCIMAttribute_Type, at as TailorDBGQLPermission_Permit, b as hasGenerationHooks, bt as PipelineResolver_OperationType, ct as TailorDBType_PermitAction, d as assertUniqueLocalTailorDBTypeNames, dn as CreateApplicationRequestSchema, dt as UpdateStaticWebsiteRequestSchema, en as AuthIDPConfig_AuthType, et as CreateTailorDBServiceRequestSchema, f as assertUniqueTailorDBTypeNamesWithExternal, fn as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, gn as ConditionSchema, gt as CreatePipelineResolverRequestSchema, h as platformBundleDefinePlugin, hn as Subgraph_ServiceType, ht as UpdateSecretManagerSecretRequestSchema, in as AuthSCIMAttribute_Mutability, it as TailorDBGQLPermission_Operator, j as loadWorkspaceId, jt as ExecutorTargetType, k as loadConfigPath, kt as UpdateExecutorExecutorRequestSchema, l as buildExecutorArgsExpr, ln as TenantProviderConfig_TenantProviderType, lt as AddCustomDomainRequestSchema, m as stringifyFunction, mn as ApplicationSchemaUpdateAttemptStatus, mt as CreateSecretManagerVaultRequestSchema, n as generatePluginFilesIfNeeded, nn as AuthOAuth2Client_ClientType, nt as UpdateTailorDBTypeRequestSchema, on as AuthSCIMAttribute_Uniqueness, ot as TailorDBType_Permission_Operator, p as TailorDBTypeSchema, pn as UpdateApplicationRequestSchema, pt as CreateSecretManagerSecretRequestSchema, q as OperatorService, qt as UpdateAuthSCIMConfigRequestSchema, r as loadApplication, rn as AuthOAuth2Client_GrantType, rt as TailorDBGQLPermission_Action, s as HTTP_METHODS, sn as AuthSCIMConfig_AuthorizationType, st as TailorDBType_Permission_Permit, t as defineApplication, tn as AuthInvokerSchema, tt as CreateTailorDBTypeRequestSchema, u as buildResolverOperationHookExpr, un as UserProfileProviderConfig_UserProfileProviderType, ut as CreateStaticWebsiteRequestSchema, vn as FilterSchema, vt as UpdatePipelineResolverRequestSchema, w as hashFile, wt as IdPPermissionOperator, x as createBundleCache, xt as CreateIdPServiceRequestSchema, y as getPluginGenerationDependencies, yn as PageDirection, yt as UpdatePipelineServiceRequestSchema, z as fetchPaged, zt as CreateAuthSCIMResourceRequestSchema } from "./application-WpWwTyk9.mjs";
+import { $ as CreateUserProfileConfigRequestSchema, A as UpdatePipelineServiceRequestSchema, At as PageDirection, B as UpdateExecutorExecutorRequestSchema, Ct as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, D as CreatePipelineResolverRequestSchema, Dt as ConditionSchema, E as UpdateSecretManagerSecretRequestSchema, Et as Subgraph_ServiceType, F as IdPPermissionOperator, G as CreateAuthHookRequestSchema, H as ExecutorTargetType, I as IdPPermissionPermit, J as CreateAuthOAuth2ClientRequestSchema, K as CreateAuthIDPConfigRequestSchema, L as FunctionExecution_Status, M as CreateIdPServiceRequestSchema, N as UpdateIdPServiceRequestSchema, O as CreatePipelineServiceRequestSchema, Ot as Condition_Operator, P as IdPLang, Q as CreateTenantConfigRequestSchema, S as UpdateStaticWebsiteRequestSchema, St as CreateApplicationRequestSchema, T as CreateSecretManagerVaultRequestSchema, Tt as ApplicationSchemaUpdateAttemptStatus, U as ExecutorTriggerType, V as ExecutorJobStatus, W as CreateAuthConnectionRequestSchema, X as CreateAuthSCIMResourceRequestSchema, Y as CreateAuthSCIMConfigRequestSchema, Z as CreateAuthServiceRequestSchema, _ as TailorDBType_Permission_Operator, _t as AuthSCIMAttribute_Uniqueness, a as WorkspacePlatformUserRole, at as UpdateAuthSCIMResourceRequestSchema, b as AddCustomDomainRequestSchema, bt as TenantProviderConfig_TenantProviderType, c as UpdateWorkflowRequestSchema, ct as UpdateUserProfileConfigRequestSchema, d as CreateTailorDBServiceRequestSchema, dt as AuthIDPConfig_AuthType, et as UpdateAuthHookRequestSchema, f as CreateTailorDBTypeRequestSchema, ft as AuthInvokerSchema, g as TailorDBGQLPermission_Permit, gt as AuthSCIMAttribute_Type, h as TailorDBGQLPermission_Operator, ht as AuthSCIMAttribute_Mutability, it as UpdateAuthSCIMConfigRequestSchema, j as PipelineResolver_OperationType, k as UpdatePipelineResolverRequestSchema, kt as FilterSchema, l as WorkflowExecution_Status, lt as AuthConnection_Type, m as TailorDBGQLPermission_Action, mt as AuthOAuth2Client_GrantType, nt as UpdateAuthMachineUserRequestSchema, o as CreateWorkflowJobFunctionRequestSchema, ot as UpdateAuthServiceRequestSchema, p as UpdateTailorDBTypeRequestSchema, pt as AuthOAuth2Client_ClientType, q as CreateAuthMachineUserRequestSchema, rt as UpdateAuthOAuth2ClientRequestSchema, s as CreateWorkflowRequestSchema, st as UpdateTenantConfigRequestSchema, t as OperatorService, tt as UpdateAuthIDPConfigRequestSchema, u as WorkflowJobExecution_Status, ut as AuthHookPoint, v as TailorDBType_Permission_Permit, vt as AuthSCIMConfig_AuthorizationType, w as CreateSecretManagerSecretRequestSchema, wt as UpdateApplicationRequestSchema, x as CreateStaticWebsiteRequestSchema, xt as UserProfileProviderConfig_UserProfileProviderType, y as TailorDBType_PermitAction, z as CreateExecutorExecutorRequestSchema } from "./service_pb-DSNjrcbW.mjs";
 import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
-import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
+import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DKF-JsAK.mjs";
+import { A as loadMachineUserName, F as writePlatformConfig, G as resolveStaticWebsiteUrls, K as byName, L as fetchAll, M as readPlatformConfig, O as loadAccessToken, R as fetchMachineUserToken, S as getDistDir, T as loadConfig, U as initOperatorClient, W as platformBaseUrl, b as hasGenerationHooks, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, j as loadWorkspaceId, k as loadConfigPath, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, w as hashFile, x as createBundleCache, y as getPluginGenerationDependencies, z as fetchPaged } from "./application-Cr-limKC.mjs";
+import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-B2Jd9CxS.mjs";
 import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
 import { i as userAgent } from "./secret-file-eB3R3Fil.mjs";
@@ -39,6 +40,7 @@ import * as inflection from "inflection";
 import { pathToString } from "@bufbuild/protobuf/reflect";
 import { createValidator } from "@bufbuild/protovalidate";
 import { setTimeout as setTimeout$1 } from "timers/promises";
+import { setTimeout as setTimeout$2 } from "node:timers/promises";
 import { spawn } from "node:child_process";
 import { watch } from "chokidar";
 import * as madgeModule from "madge";
@@ -384,7 +386,7 @@ function nestedMessage(field) {
 function isWellKnownType(message) {
 	return message.typeName.startsWith("google.protobuf.");
 }
-const UNREPRESENTABLE_WELL_KNOWN_TYPES = new Set([
+const UNREPRESENTABLE_WELL_KNOWN_TYPES = /* @__PURE__ */ new Set([
 	"google.protobuf.Struct",
 	"google.protobuf.Value",
 	"google.protobuf.ListValue",
@@ -567,7 +569,7 @@ function fieldToJson(field, visited) {
 	return json;
 }
 function renderInspectJson(method) {
-	const visited = new Set([method.input]);
+	const visited = /* @__PURE__ */ new Set([method.input]);
 	return {
 		method: method.name,
 		input: {
@@ -598,7 +600,7 @@ function renderInspectText(method) {
 	const lines = [];
 	lines.push(`${method.name}`);
 	lines.push(`  request: ${method.input.typeName}`);
-	const visited = new Set([method.input]);
+	const visited = /* @__PURE__ */ new Set([method.input]);
 	for (const f of method.input.fields) lines.push(...renderFieldText(f, "    ", visited));
 	lines.push(`  response: ${method.output.typeName}`);
 	return lines.join("\n");
@@ -749,7 +751,7 @@ function normalizeBodyFieldKeys(body, fields) {
 	}
 	return changed;
 }
-const FORBIDDEN_SEGMENTS = new Set([
+const FORBIDDEN_SEGMENTS = /* @__PURE__ */ new Set([
 	"__proto__",
 	"constructor",
 	"prototype"
@@ -3161,7 +3163,8 @@ function normalizeIdPPermission(permission) {
 		read: permission.read.map((p) => normalizeIdPActionPermission(p)),
 		update: permission.update.map((p) => normalizeIdPActionPermission(p)),
 		delete: permission.delete.map((p) => normalizeIdPActionPermission(p)),
-		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => normalizeIdPActionPermission(p))
+		sendPasswordResetEmail: (permission.sendPasswordResetEmail ?? []).map((p) => normalizeIdPActionPermission(p)),
+		unenrollMfa: (permission.unenrollMfa ?? []).map((p) => normalizeIdPActionPermission(p))
 	};
 }
 /**
@@ -3187,7 +3190,7 @@ function parseIdPPermission(rawPermission) {
 function findOmittedPermitRules(permission) {
 	if (!permission) return [];
 	const locations = [];
-	for (const action of Object.keys(permission)) permission[action].forEach((rule, index) => {
+	for (const action of Object.keys(permission)) permission[action]?.forEach((rule, index) => {
 		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`${String(action)}[${index}]`);
 	});
 	return locations;
@@ -3195,6 +3198,14 @@ function findOmittedPermitRules(permission) {
 
 //#endregion
 //#region src/cli/commands/deploy/idp.ts
+async function resolveServiceReturnOrigins(client, request) {
+	const policy = request.userAuthPolicy;
+	const originals = policy?.allowedReturnOrigins;
+	if (!policy || !originals?.length) return;
+	const resolved = await resolveStaticWebsiteUrls(client, assertDefined(request.workspaceId, "request missing workspaceId"), originals, `IdP service "${request.namespaceName ?? ""}" allowedReturnOrigins`);
+	if (resolved.length !== originals.length) throw new Error(`IdP service "${request.namespaceName ?? ""}" allowedReturnOrigins: ${originals.length - resolved.length} of ${originals.length} entries could not be resolved. Check that each "<name>:url" entry refers to a deployed static website.`);
+	policy.allowedReturnOrigins = resolved;
+}
 /**
 * Build the vault name for an IdP client.
 * @param namespaceName - IdP namespace name
@@ -3224,9 +3235,11 @@ async function applyIdP(client, result, phase = "create-update") {
 	const { changeSet } = result;
 	if (phase === "create-update") {
 		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await resolveServiceReturnOrigins(client, create.request);
 			await client.createIdPService(create.request);
 			await client.setMetadata(create.metaRequest);
 		}), ...changeSet.service.updates.map(async (update) => {
+			await resolveServiceReturnOrigins(client, update.request);
 			await client.updateIdPService(update.request);
 			await client.setMetadata(update.metaRequest);
 		})]);
@@ -3285,7 +3298,8 @@ async function applyIdP(client, result, phase = "create-update") {
 async function planIdP(context) {
 	const { client, workspaceId, application, forRemoval, forceApplyAll = false, idpUserTriggerTargets } = context;
 	const idps = forRemoval ? [] : application.idpServices;
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, application.id, idps, idpUserTriggerTargets ?? /* @__PURE__ */ new Set());
+	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, application.id, idps, idpUserTriggerTargets ?? /* @__PURE__ */ new Set(), expectedLocalWebsites);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -3309,7 +3323,11 @@ function normalizeComparableUserAuthPolicy(policy) {
 		allowedEmailDomains: (policy?.allowedEmailDomains ?? []).toSorted(),
 		allowGoogleOauth: policy?.allowGoogleOauth ?? false,
 		disablePasswordAuth: policy?.disablePasswordAuth ?? false,
-		allowMicrosoftOauth: policy?.allowMicrosoftOauth ?? false
+		allowMicrosoftOauth: policy?.allowMicrosoftOauth ?? false,
+		enableMfa: policy?.enableMfa ?? false,
+		requireMfa: policy?.requireMfa ?? false,
+		allowedReturnOrigins: (policy?.allowedReturnOrigins ?? []).toSorted(),
+		mfaIssuer: policy?.mfaIssuer ?? ""
 	};
 }
 function normalizeComparableDisableGqlOperations(value) {
@@ -3318,7 +3336,9 @@ function normalizeComparableDisableGqlOperations(value) {
 		update: value?.update ?? false,
 		delete: value?.delete ?? false,
 		read: value?.read ?? false,
-		sendPasswordResetEmail: value?.sendPasswordResetEmail ?? false
+		sendPasswordResetEmail: value?.sendPasswordResetEmail ?? false,
+		requestMfaSettingsUrl: value?.requestMfaSettingsUrl ?? false,
+		unenrollMfa: value?.unenrollMfa ?? false
 	};
 }
 function normalizeComparableEmailConfig(value) {
@@ -3340,7 +3360,7 @@ function normalizeComparableIdPService(input) {
 }
 function normalizeComparablePermission(permission) {
 	if (!permission) return;
-	if (permission.create.length === 0 && permission.read.length === 0 && permission.update.length === 0 && permission.delete.length === 0 && permission.sendPasswordResetEmail.length === 0) return;
+	if (permission.create.length === 0 && permission.read.length === 0 && permission.update.length === 0 && permission.delete.length === 0 && permission.sendPasswordResetEmail.length === 0 && permission.unenrollMfa.length === 0) return;
 	const normalizePolicy = (policy) => ({
 		conditions: policy.conditions.map((c) => ({
 			left: c.left ? { kind: c.left.kind } : void 0,
@@ -3355,7 +3375,8 @@ function normalizeComparablePermission(permission) {
 		read: permission.read.map(normalizePolicy),
 		update: permission.update.map(normalizePolicy),
 		delete: permission.delete.map(normalizePolicy),
-		sendPasswordResetEmail: permission.sendPasswordResetEmail.map(normalizePolicy)
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map(normalizePolicy),
+		unenrollMfa: permission.unenrollMfa.map(normalizePolicy)
 	};
 }
 function areIdPServicesEqual(existing, desired) {
@@ -3369,7 +3390,7 @@ function areIdPServicesEqual(existing, desired) {
 		permission: normalizeComparablePermission(existing.permission)
 	}), desired);
 }
-async function planServices$3(client, workspaceId, appName, appId, idps, idpUserTriggerTargets) {
+async function planServices$3(client, workspaceId, appName, appId, idps, idpUserTriggerTargets, expectedLocalWebsites) {
 	const changeSet = createChangeSet("IdP services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -3431,10 +3452,15 @@ async function planServices$3(client, workspaceId, appName, appId, idps, idpUser
 		if (omittedPermitLocations.length > 0) logger.warn(`IdP service "${namespaceName}" has permission rule(s) ${omittedPermitLocations.join(", ")} in object form without an explicit "permit"; they default to "deny". Set permit: true (allow) or permit: false (deny) to silence this warning.`);
 		const parsedPermission = parseIdPPermission(idp.permission);
 		const protoPermission = parsedPermission ? protoIdPPermission(parsedPermission) : void 0;
+		const resolvedReturnOrigins = await resolveStaticWebsiteUrls(client, workspaceId, userAuthPolicy?.allowedReturnOrigins ? [...userAuthPolicy.allowedReturnOrigins] : [], `IdP service "${namespaceName}" allowedReturnOrigins`, { expectedLocalNames: expectedLocalWebsites });
+		const userAuthPolicyForCompare = userAuthPolicy ? {
+			...userAuthPolicy,
+			allowedReturnOrigins: resolvedReturnOrigins
+		} : userAuthPolicy;
 		const desired = normalizeComparableIdPService({
 			authorization,
 			lang,
-			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicy),
+			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicyForCompare),
 			publishUserEvents,
 			disableGqlOperations: normalizeComparableDisableGqlOperations(convertGqlOperationsToDisable(idp.gqlOperations)),
 			emailConfig: normalizeComparableEmailConfig(emailConfig),
@@ -3576,7 +3602,9 @@ function convertGqlOperationsToDisable(gqlOperations) {
 		update: gqlOperations.update === false,
 		delete: gqlOperations.delete === false,
 		read: gqlOperations.read === false,
-		sendPasswordResetEmail: gqlOperations.sendPasswordResetEmail === false
+		sendPasswordResetEmail: gqlOperations.sendPasswordResetEmail === false,
+		requestMfaSettingsUrl: gqlOperations.requestMfaSettingsUrl === false,
+		unenrollMfa: gqlOperations.unenrollMfa === false
 	};
 }
 function protoIdPPermission(permission) {
@@ -3585,7 +3613,8 @@ function protoIdPPermission(permission) {
 		read: permission.read.map((p) => protoIdPPolicy(p)),
 		update: permission.update.map((p) => protoIdPPolicy(p)),
 		delete: permission.delete.map((p) => protoIdPPolicy(p)),
-		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => protoIdPPolicy(p))
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => protoIdPPolicy(p)),
+		unenrollMfa: permission.unenrollMfa.map((p) => protoIdPPolicy(p))
 	};
 }
 function protoIdPPolicy(policy) {
@@ -3756,7 +3785,7 @@ async function planAuth(context) {
 		},
 		conflicts: [...conflicts, ...connectionResult.conflicts],
 		unmanaged: [...unmanaged, ...connectionResult.unmanaged],
-		resourceOwners: new Set([...resourceOwners, ...connectionResult.resourceOwners])
+		resourceOwners: /* @__PURE__ */ new Set([...resourceOwners, ...connectionResult.resourceOwners])
 	};
 }
 async function planServices$2(client, workspaceId, appName, appId, auths, forceApplyAll = false) {
@@ -4891,7 +4920,7 @@ async function readConfigId(configPath) {
 async function assertConfigIdInCI(configPath) {
 	const result = await readConfigId(configPath);
 	if (result === null) return;
-	if (!result.id) throw new Error("tailor.config.ts is missing an 'id'. CI does not auto-generate one (each run would be treated as a separate app and break resource ownership). Run 'tailor-sdk setup github' or 'tailor-sdk apply' locally and commit the injected id.");
+	if (!result.id) throw new Error("tailor.config.ts is missing an 'id'. CI does not auto-generate one (each run would be treated as a separate app and break resource ownership). Run 'tailor-sdk setup' or 'tailor-sdk apply' locally and commit the injected id.");
 	if (!uuidRegex.test(result.id)) throw new Error(`'id' in ${configPath} must be a UUID. To use this config for a separate app, delete it.`);
 }
 /**
@@ -6975,7 +7004,7 @@ function createSnapshotFieldConfig(field) {
 }
 /**
 * Create a snapshot field config from an OperatorFieldConfig (for nested fields)
-* @param {import("@/parser/service/tailordb/types").OperatorFieldConfig} fieldConfig - Field configuration
+* @param {import("#/parser/service/tailordb/types").OperatorFieldConfig} fieldConfig - Field configuration
 * @returns {SnapshotFieldConfig} Snapshot field configuration
 */
 function createSnapshotFieldConfigFromOperatorConfig(fieldConfig) {
@@ -7825,7 +7854,7 @@ function validateMigrationFiles(migrationsDir) {
 		message: `Schema file found at migration ${formatMigrationNumber(num)}, but schema should only exist at ${formatMigrationNumber(0)}`,
 		migrationNumber: num
 	});
-	const allNumbers = [...new Set([...schemaFiles, ...diffFiles])].toSorted((a, b) => a - b);
+	const allNumbers = [.../* @__PURE__ */ new Set([...schemaFiles, ...diffFiles])].toSorted((a, b) => a - b);
 	if (allNumbers.length === 0) return errors;
 	for (const num of schemaFiles) if (num !== 0 && diffFiles.includes(num)) errors.push({
 		type: "duplicate",
@@ -7957,7 +7986,7 @@ function compareFields(typeName, fieldName, remoteField, snapshotField) {
 /**
 * System fields that are auto-generated and should be excluded from comparison
 */
-const SYSTEM_FIELDS = new Set(["id"]);
+const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id"]);
 /**
 * Compare remote TailorDB types with a local snapshot
 * @param {ProtoTailorDBType[]} remoteTypes - Remote types from listParsedTailorDBTypes API
@@ -8485,7 +8514,7 @@ function protoGqlOperand(operand) {
 /**
 * Diff change kinds that require pre-migration schema adjustments.
 */
-const PRE_MIGRATION_FIELD_KINDS = new Set([
+const PRE_MIGRATION_FIELD_KINDS = /* @__PURE__ */ new Set([
 	"field_added",
 	"field_modified",
 	"field_removed"
@@ -8700,7 +8729,7 @@ const DEFAULT_POLL_INTERVAL = 1e3;
 * @returns {Promise<ExecutionWaitResult>} Execution result
 * @throws {Error} If execution is not found
 */
-async function waitForExecution$1(client, workspaceId, executionId, pollInterval = DEFAULT_POLL_INTERVAL) {
+async function waitForExecution(client, workspaceId, executionId, pollInterval = DEFAULT_POLL_INTERVAL) {
 	while (true) {
 		const { execution } = await client.getFunctionExecution({
 			workspaceId,
@@ -8735,7 +8764,7 @@ async function executeScript(options) {
 		invoker
 	});
 	const executionId = response.executionId;
-	const result = await waitForExecution$1(client, workspaceId, executionId, pollInterval);
+	const result = await waitForExecution(client, workspaceId, executionId, pollInterval);
 	if (result.status === FunctionExecution_Status.SUCCESS) return {
 		success: true,
 		logs: result.logs,
@@ -9628,7 +9657,7 @@ async function rollbackSingleMigrationPrePhase(client, changeSet, migration, wor
 		const name = update.request.tailordbType?.name;
 		if (update.request.namespaceName === migration.namespace && name) namespaceTypes.add(name);
 	}
-	const applied = new Set([...processedTypes.created, ...processedTypes.updated]);
+	const applied = /* @__PURE__ */ new Set([...processedTypes.created, ...processedTypes.updated]);
 	const rollbackTypes = new Set([...namespaceTypes].filter((name) => applied.has(name)));
 	if (rollbackTypes.size === 0) return;
 	const priorSnapshot = reconstructSnapshotFromMigrations(migration.migrationsDir, migration.number - 1);
@@ -9949,7 +9978,7 @@ const tailordbCompareKnownDefaults = {
 	* Proto bigint-backed values can round-trip as numbers locally and strings remotely.
 	* Canonicalize them to strings at compare time.
 	*/
-	numericStringPaths: new Set([
+	numericStringPaths: /* @__PURE__ */ new Set([
 		"schema.fields.*.serial.start",
 		"schema.fields.*.serial.maxValue",
 		"schema.settings.defaultQueryLimitSize",
@@ -10529,8 +10558,13 @@ function validateItems(params) {
 *
 * Collections not validated: idp client, tailorDB gqlPermission, functionRegistry — no
 * buf.validate annotations.
-* Application cors is excluded: static-website URL placeholders are resolved at apply time
-* and a bare cors array carries no constraint that would false-positive when omitted.
+* Application cors and IdP userAuthPolicy.allowedReturnOrigins receive special
+* handling: static-website URL placeholders are resolved at apply time, so the
+* relevant origin/URL constraints would false-positive on `<name>:url` entries
+* here. Application cors is dropped entirely (no other constraint to lose); IdP
+* `allowedReturnOrigins` substitutes placeholder entries with a dummy origin so
+* the per-item regex and the cross-field `enable_mfa requires ≥1 origin` rule
+* still get exercised on the rest of the payload.
 * Workflow jobFunctions map excluded: versions are registered at apply time (registerJobFunctions)
 * and the map field carries no min_items constraint. Job names are validated separately via
 * CreateWorkflowJobFunctionRequestSchema using usedJobNames from the workflow change set.
@@ -10582,8 +10616,25 @@ async function validatePlan(input) {
 	creates(CreateStaticWebsiteRequestSchema, "StaticWebsite", staticWebsite.changeSet.creates);
 	updates(UpdateStaticWebsiteRequestSchema, "StaticWebsite", staticWebsite.changeSet.updates);
 	creates(AddCustomDomainRequestSchema, "StaticWebsite custom domain", staticWebsite.customDomainChangeSet.creates);
-	creates(CreateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.creates);
-	updates(UpdateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.updates);
+	const placeholderOriginReplacement = "https://placeholder.invalid";
+	const substituteIdpReturnOrigins = (item) => {
+		const request = item.request;
+		const origins = request.userAuthPolicy?.allowedReturnOrigins;
+		if (!Array.isArray(origins) || origins.length === 0) return item;
+		const substituted = origins.map((origin) => typeof origin === "string" && /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]:url$/.test(origin) ? placeholderOriginReplacement : origin);
+		return {
+			...item,
+			request: {
+				...request,
+				userAuthPolicy: {
+					...request.userAuthPolicy,
+					allowedReturnOrigins: substituted
+				}
+			}
+		};
+	};
+	creates(CreateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.creates.map(substituteIdpReturnOrigins));
+	updates(UpdateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.updates.map(substituteIdpReturnOrigins));
 	const idpClientVaultItems = [...idp.changeSet.client.creates.map((c) => ({
 		clientName: c.request.client?.name ?? "",
 		namespaceName: c.request.namespaceName ?? "",
@@ -11064,7 +11115,7 @@ async function deploy(options) {
 			await confirmImportantResourceDeletion(importantDeletions, yes);
 			const emptyApps = computeRenamedAppDeletions({
 				conflicts: allConflicts,
-				resourceOwners: new Set([
+				resourceOwners: /* @__PURE__ */ new Set([
 					...functionRegistry.resourceOwners,
 					...tailorDB.resourceOwners,
 					...staticWebsite.resourceOwners,
@@ -11178,7 +11229,42 @@ function colorizeExecutorJobStatus(status) {
 * @returns True if status is terminal
 */
 function isExecutorJobTerminalStatus(status) {
-	return status === ExecutorJobStatus.SUCCESS || status === ExecutorJobStatus.FAILED || status === ExecutorJobStatus.CANCELED;
+	return isExecutorJobSuccessStatus(status) || isExecutorJobFailureStatus(status);
+}
+/**
+* Check if executor job status is successful.
+* @param status - Executor job status enum value
+* @returns True if status is success
+*/
+function isExecutorJobSuccessStatus(status) {
+	return status === ExecutorJobStatus.SUCCESS;
+}
+/**
+* Check if executor job status is a terminal failure.
+* @param status - Executor job status enum value
+* @returns True if status is failure
+*/
+function isExecutorJobFailureStatus(status) {
+	return status === ExecutorJobStatus.FAILED || status === ExecutorJobStatus.CANCELED;
+}
+/**
+* Check if executor job status can still progress.
+* @param status - Executor job status enum value
+* @returns True if status is transient
+*/
+function isExecutorJobTransientStatus(status) {
+	return status === ExecutorJobStatus.UNSPECIFIED || status === ExecutorJobStatus.PENDING || status === ExecutorJobStatus.RUNNING;
+}
+/**
+* Classify executor job status for waiter decisions.
+* @param status - Executor job status enum value
+* @returns Classified executor job status
+*/
+function classifyExecutorJobStatus(status) {
+	if (isExecutorJobSuccessStatus(status)) return "success";
+	if (isExecutorJobTerminalStatus(status)) return "failure";
+	if (isExecutorJobTransientStatus(status)) return "transient";
+	return "transient";
 }
 /**
 * Parse executor job status string to enum.
@@ -11570,36 +11656,158 @@ function functionExecutionStatusToString(status) {
 	}
 }
 
+//#endregion
+//#region src/cli/shared/wait-error.ts
+/**
+* Format a caught error into a string for diagnostics.
+* @param error - Error to format
+* @returns Error message string
+*/
+function formatWaitError(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+/**
+* Check whether a polling error is retryable (transient platform errors).
+* @param error - Error to check
+* @returns True if the error should be retried
+*/
+function isRetryableWaitError(error) {
+	if (!(error instanceof ConnectError)) return false;
+	return error.code === Code.Aborted || error.code === Code.ResourceExhausted || error.code === Code.Unavailable;
+}
+
 //#endregion
 //#region src/cli/commands/workflow/args.ts
+const workflowWaitUntilArg = z.enum([
+	"success",
+	"suspended",
+	"terminal"
+]);
 const nameArgs = { name: arg(z.string(), {
 	positional: true,
 	description: "Workflow name"
 }) };
-const waitArgs = {
-	wait: arg(z.boolean().default(false), {
-		alias: "W",
-		description: "Wait for execution to complete"
-	}),
+const workflowWaitControlArgs = {
 	interval: arg(durationArg.default("3s"), {
 		alias: "i",
-		description: "Polling interval when using --wait (e.g., '3s', '500ms', '1m')"
+		description: "Polling interval when waiting (e.g., '3s', '500ms', '1m')"
+	}),
+	timeout: arg(durationArg.default("10m"), {
+		alias: "t",
+		description: "Maximum time to wait (e.g., '30s', '10m')"
+	}),
+	until: arg(workflowWaitUntilArg.default("terminal"), {
+		alias: "u",
+		description: "Wait target (success, suspended, terminal)"
 	}),
 	logs: arg(z.boolean().default(false), {
 		alias: "l",
-		description: "Display job execution logs after completion (requires --wait)"
+		description: "Display job execution logs after completion"
 	})
 };
+const waitArgs = {
+	wait: arg(z.boolean().default(false), {
+		alias: "W",
+		description: "Wait for execution to complete"
+	}),
+	...workflowWaitControlArgs
+};
 
 //#endregion
 //#region src/cli/commands/workflow/status.ts
 /**
+* Check if workflow execution status is successful.
+* @param status - Workflow execution status enum value
+* @returns True if status is success
+*/
+function isWorkflowExecutionSuccessStatus(status) {
+	return status === WorkflowExecution_Status.SUCCESS;
+}
+/**
+* Check if workflow job execution status is suspended or waiting.
+* @param status - Workflow job execution status enum value
+* @returns True if status represents a wait point
+*/
+function isWorkflowJobExecutionSuspendedStatus(status) {
+	return status === WorkflowJobExecution_Status.SUSPEND || status === WorkflowJobExecution_Status.WAITING;
+}
+/**
+* Check if workflow execution status is suspended or waiting.
+* @param status - Workflow execution status enum value
+* @returns True if status represents a suspended execution
+*/
+function isWorkflowExecutionSuspendedStatus(status) {
+	return status === WorkflowExecution_Status.PENDING_RESUME || status === WorkflowExecution_Status.WAITING;
+}
+/**
+* Check if workflow execution status is a terminal failure.
+* @param status - Workflow execution status enum value
+* @returns True if status represents failure
+*/
+function isWorkflowExecutionFailureStatus(status) {
+	return status === WorkflowExecution_Status.FAILED;
+}
+/**
+* Check if workflow execution status can still progress without user action.
+* @param status - Workflow execution status enum value
+* @returns True if status is transient
+*/
+function isWorkflowExecutionTransientStatus(status) {
+	return status === WorkflowExecution_Status.UNSPECIFIED || status === WorkflowExecution_Status.PENDING || status === WorkflowExecution_Status.RUNNING || status === WorkflowExecution_Status.PENDING_RETRY;
+}
+/**
 * Check if workflow execution status is terminal.
 * @param status - Workflow execution status enum value
 * @returns True if status is terminal
 */
 function isWorkflowExecutionTerminalStatus(status) {
-	return status === WorkflowExecution_Status.SUCCESS || status === WorkflowExecution_Status.FAILED || status === WorkflowExecution_Status.PENDING_RESUME;
+	return isWorkflowExecutionSuccessStatus(status) || isWorkflowExecutionFailureStatus(status) || isWorkflowExecutionSuspendedStatus(status);
+}
+/**
+* Classify workflow execution status for waiter decisions.
+* @param execution - Workflow execution to classify
+* @returns Classified workflow execution status
+*/
+function classifyWorkflowExecutionStatus(execution) {
+	if (isWorkflowExecutionTerminalStatus(execution.status)) {
+		if (isWorkflowExecutionSuccessStatus(execution.status)) return {
+			statusClass: "success",
+			status: execution.status
+		};
+		if (isWorkflowExecutionFailureStatus(execution.status)) return {
+			statusClass: "failure",
+			status: execution.status
+		};
+		return {
+			statusClass: "suspended",
+			status: execution.status
+		};
+	}
+	if (execution.jobExecutions.some((job) => isWorkflowJobExecutionSuspendedStatus(job.status))) return {
+		statusClass: "suspended",
+		status: execution.status
+	};
+	if (isWorkflowExecutionTransientStatus(execution.status)) return {
+		statusClass: "transient",
+		status: execution.status
+	};
+	return {
+		statusClass: "transient",
+		status: execution.status
+	};
+}
+/**
+* Check if a classified workflow execution has reached the requested waiter target.
+* @param classification - Workflow execution status classification
+* @param until - Requested wait target
+* @returns True if the wait target is reached
+*/
+function hasReachedWorkflowWaitTarget(classification, until) {
+	switch (until) {
+		case "success": return classification.statusClass === "success";
+		case "suspended": return classification.statusClass === "suspended";
+		case "terminal": return classification.statusClass === "success" || classification.statusClass === "failure" || classification.statusClass === "suspended";
+	}
 }
 
 //#endregion
@@ -11616,6 +11824,8 @@ function workflowExecutionStatusToString(status) {
 		case WorkflowExecution_Status.RUNNING: return "RUNNING";
 		case WorkflowExecution_Status.SUCCESS: return "SUCCESS";
 		case WorkflowExecution_Status.FAILED: return "FAILED";
+		case WorkflowExecution_Status.PENDING_RETRY: return "PENDING_RETRY";
+		case WorkflowExecution_Status.WAITING: return "WAITING";
 		default: return "UNSPECIFIED";
 	}
 }
@@ -11630,6 +11840,7 @@ function workflowJobExecutionStatusToString(status) {
 		case WorkflowJobExecution_Status.SUSPEND: return "SUSPEND";
 		case WorkflowJobExecution_Status.SUCCESS: return "SUCCESS";
 		case WorkflowJobExecution_Status.FAILED: return "FAILED";
+		case WorkflowJobExecution_Status.WAITING: return "WAITING";
 		default: return "UNSPECIFIED";
 	}
 }
@@ -11695,24 +11906,200 @@ function toWorkflowExecutionInfo(execution) {
 }
 
 //#endregion
-//#region src/cli/commands/workflow/executions.ts
-function sleep$1(ms) {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}
-function formatTime$2(date) {
+//#region src/cli/commands/workflow/waiter.ts
+const DEFAULT_WORKFLOW_WAIT_INTERVAL_MS = 3e3;
+function formatTime$1(date) {
 	return date.toLocaleTimeString("en-US", { hour12: false });
 }
-function colorizeStatus$1(status) {
+function colorizeStatus(status) {
 	const statusText = WorkflowExecution_Status[status];
 	switch (status) {
-		case WorkflowExecution_Status.PENDING: return styles.dim(statusText);
-		case WorkflowExecution_Status.PENDING_RESUME: return styles.warning(statusText);
+		case WorkflowExecution_Status.PENDING:
+		case WorkflowExecution_Status.UNSPECIFIED: return styles.dim(statusText);
+		case WorkflowExecution_Status.PENDING_RESUME:
+		case WorkflowExecution_Status.PENDING_RETRY:
+		case WorkflowExecution_Status.WAITING: return styles.warning(statusText);
 		case WorkflowExecution_Status.RUNNING: return styles.info(statusText);
 		case WorkflowExecution_Status.SUCCESS: return styles.success(statusText);
 		case WorkflowExecution_Status.FAILED: return styles.error(statusText);
 		default: return statusText;
 	}
 }
+function getActiveJobs(execution) {
+	return execution.jobExecutions.filter((job) => job.status === WorkflowJobExecution_Status.RUNNING || job.status === WorkflowJobExecution_Status.SUSPEND || job.status === WorkflowJobExecution_Status.WAITING).map((job) => job.stackedJobName).join(", ");
+}
+function createWorkflowWaitResult(options) {
+	const elapsedMs = Date.now() - options.startedAt;
+	if (options.execution) {
+		const classification = classifyWorkflowExecutionStatus(options.execution);
+		return {
+			...toWorkflowExecutionInfo(options.execution),
+			statusClass: classification.statusClass,
+			elapsedMs,
+			attempts: options.attempts,
+			timedOut: options.timedOut,
+			lastError: options.lastError
+		};
+	}
+	return {
+		id: options.executionId,
+		workflowName: "",
+		status: "UNKNOWN",
+		statusClass: "unknown",
+		jobExecutions: 0,
+		startedAt: null,
+		finishedAt: null,
+		elapsedMs,
+		attempts: options.attempts,
+		timedOut: options.timedOut,
+		lastError: options.lastError
+	};
+}
+/**
+* Wait for a workflow execution to reach the requested state.
+* @param options - Workflow waiter options
+* @returns Final or timed-out workflow wait result
+*/
+async function waitForWorkflowExecution(options) {
+	const interval = options.interval ?? 3e3;
+	const until = options.until ?? "terminal";
+	const startedAt = Date.now();
+	const sp = options.showProgress ? spinner({ indent: 2 }).start("Waiting for workflow to complete...") : null;
+	let attempts = 0;
+	let lastExecution;
+	let lastError = null;
+	let lastStatus;
+	let lastActiveJobs;
+	try {
+		while (true) {
+			const elapsedMs = Date.now() - startedAt;
+			const remainingMs = options.timeout === void 0 ? void 0 : options.timeout - elapsedMs;
+			if (remainingMs !== void 0 && remainingMs <= 0) {
+				sp?.fail("Workflow wait timed out.");
+				return createWorkflowWaitResult({
+					executionId: options.executionId,
+					execution: lastExecution,
+					startedAt,
+					attempts,
+					timedOut: true,
+					lastError
+				});
+			}
+			try {
+				attempts += 1;
+				const { execution } = await options.client.getWorkflowExecution({
+					workspaceId: options.workspaceId,
+					executionId: options.executionId
+				});
+				if (!execution) {
+					sp?.fail(`Execution '${options.executionId}' not found.`);
+					throw new Error(`Execution '${options.executionId}' not found.`);
+				}
+				lastExecution = execution;
+				lastError = null;
+				const classification = classifyWorkflowExecutionStatus(execution);
+				const coloredStatus = colorizeStatus(execution.status);
+				if (execution.status !== lastStatus) {
+					if (options.showProgress) {
+						sp?.stop();
+						logger.info(`Status: ${coloredStatus}`, {
+							mode: "stream",
+							indent: 2
+						});
+						sp?.start("Waiting for workflow to complete...");
+					}
+					lastStatus = execution.status;
+				}
+				if (options.trackJobs) {
+					const activeJobs = getActiveJobs(execution);
+					if (activeJobs && activeJobs !== lastActiveJobs) {
+						if (options.showProgress) {
+							sp?.stop();
+							logger.info(`Job | ${activeJobs}: ${coloredStatus}`, {
+								mode: "stream",
+								indent: 2
+							});
+							sp?.start("Waiting for workflow to complete...");
+						}
+						lastActiveJobs = activeJobs;
+					}
+				}
+				if (sp) sp.text = `Waiting for workflow to complete... (${formatTime$1(/* @__PURE__ */ new Date())})`;
+				if (hasReachedWorkflowWaitTarget(classification, until) || classification.statusClass === "failure" || until === "suspended" && classification.statusClass === "success") {
+					if (execution.status === WorkflowExecution_Status.SUCCESS) sp?.succeed(`Completed: ${coloredStatus}`);
+					else if (isWorkflowExecutionFailureStatus(execution.status)) sp?.fail(`Completed: ${coloredStatus}`);
+					else if (isWorkflowExecutionSuspendedStatus(execution.status)) sp?.warn(`Completed: ${coloredStatus}`);
+					else sp?.succeed(`Completed: ${coloredStatus}`);
+					return createWorkflowWaitResult({
+						executionId: options.executionId,
+						execution,
+						startedAt,
+						attempts,
+						timedOut: false,
+						lastError
+					});
+				}
+			} catch (error) {
+				if (!isRetryableWaitError(error)) throw error;
+				lastError = formatWaitError(error);
+				if (options.showProgress) {
+					if (sp) sp.text = `Retrying workflow status poll... (${formatTime$1(/* @__PURE__ */ new Date())})`;
+				}
+			}
+			const nextElapsedMs = Date.now() - startedAt;
+			const nextRemainingMs = options.timeout === void 0 ? void 0 : options.timeout - nextElapsedMs;
+			if (nextRemainingMs !== void 0 && nextRemainingMs <= 0) {
+				sp?.fail("Workflow wait timed out.");
+				return createWorkflowWaitResult({
+					executionId: options.executionId,
+					execution: lastExecution,
+					startedAt,
+					attempts,
+					timedOut: true,
+					lastError
+				});
+			}
+			await setTimeout$2(nextRemainingMs === void 0 ? interval : Math.min(interval, nextRemainingMs));
+		}
+	} finally {
+		sp?.stop();
+	}
+}
+/**
+* Wait for an existing workflow execution by ID.
+* @param options - Workflow execution wait options
+* @returns Workflow wait result
+*/
+async function waitForWorkflowExecutionById(options) {
+	return await waitForWorkflowExecution({
+		client: await initOperatorClient(await loadAccessToken({ profile: options.profile })),
+		workspaceId: await loadWorkspaceId({
+			workspaceId: options.workspaceId,
+			profile: options.profile
+		}),
+		executionId: options.executionId,
+		interval: options.interval,
+		timeout: options.timeout,
+		until: options.until,
+		showProgress: options.showProgress,
+		trackJobs: options.trackJobs
+	});
+}
+/**
+* Build a user-facing failure message for a workflow wait result.
+* @param result - Workflow wait result
+* @param until - Requested wait target
+* @returns Failure message, or undefined when the wait succeeded
+*/
+function getWorkflowWaitFailureMessage(result, until) {
+	if (result.timedOut) return `Timed out waiting for workflow execution '${result.id}' to reach ${until}. Last status: ${result.status}.`;
+	if (result.status === "FAILED") return `Workflow execution '${result.id}' failed.`;
+	if (until === "success" && result.statusClass !== "success") return `Workflow execution '${result.id}' reached ${result.status} before success.`;
+	if (until === "suspended" && result.statusClass !== "suspended") return `Workflow execution '${result.id}' reached ${result.status} before suspension.`;
+}
+
+//#endregion
+//#region src/cli/commands/workflow/executions.ts
 function parseStatus(status) {
 	switch (status.toUpperCase()) {
 		case "PENDING": return WorkflowExecution_Status.PENDING;
@@ -11720,7 +12107,10 @@ function parseStatus(status) {
 		case "RUNNING": return WorkflowExecution_Status.RUNNING;
 		case "SUCCESS": return WorkflowExecution_Status.SUCCESS;
 		case "FAILED": return WorkflowExecution_Status.FAILED;
-		default: throw new Error(`Invalid status: ${status}. Valid values: PENDING, PENDING_RESUME, RUNNING, SUCCESS, FAILED`);
+		case "PENDING_RETRY": return WorkflowExecution_Status.PENDING_RETRY;
+		case "WAITING": return WorkflowExecution_Status.WAITING;
+		case "UNSPECIFIED": return WorkflowExecution_Status.UNSPECIFIED;
+		default: throw new Error(`Invalid status: ${status}. Valid values: UNSPECIFIED, PENDING, PENDING_RESUME, RUNNING, SUCCESS, FAILED, PENDING_RETRY, WAITING`);
 	}
 }
 async function listWorkflowExecutions(options) {
@@ -11809,37 +12199,28 @@ async function getWorkflowExecution(options) {
 	}
 	async function waitForCompletion() {
 		const interval = options.interval ?? 3e3;
-		while (true) {
-			const { execution } = await client.getWorkflowExecution({
-				workspaceId,
-				executionId: options.executionId
-			});
-			if (!execution) throw new Error(`Execution '${options.executionId}' not found.`);
-			if (isWorkflowExecutionTerminalStatus(execution.status)) return await fetchExecutionWithLogs(options.executionId, options.logs ?? false);
-			await sleep$1(interval);
-		}
+		const waitResult = await waitForWorkflowExecution({
+			client,
+			workspaceId,
+			executionId: options.executionId,
+			interval,
+			timeout: options.timeout,
+			until: options.until ?? "terminal"
+		});
+		return {
+			...await fetchExecutionWithLogs(options.executionId, options.logs ?? false),
+			statusClass: waitResult.statusClass,
+			elapsedMs: waitResult.elapsedMs,
+			attempts: waitResult.attempts,
+			timedOut: waitResult.timedOut,
+			lastError: waitResult.lastError
+		};
 	}
 	return {
 		execution: await fetchExecutionWithLogs(options.executionId, options.logs ?? false),
 		wait: waitForCompletion
 	};
 }
-async function waitWithSpinner(waitFn, interval, json) {
-	const sp = !json ? spinner().start("Waiting for workflow to complete...") : null;
-	const updateInterval = setInterval(() => {
-		if (sp) sp.text = `Waiting for workflow to complete... (${formatTime$2(/* @__PURE__ */ new Date())})`;
-	}, interval);
-	try {
-		const result = await waitFn();
-		const coloredStatus = colorizeStatus$1(WorkflowExecution_Status[result.status]);
-		if (result.status === "SUCCESS") sp?.succeed(`Completed: ${coloredStatus}`);
-		else sp?.fail(`Completed: ${coloredStatus}`);
-		return result;
-	} finally {
-		clearInterval(updateInterval);
-		sp?.stop();
-	}
-}
 /**
 * Print a workflow execution and its logs in a human-readable format.
 * @param execution - Workflow execution detail info
@@ -11901,19 +12282,55 @@ const executionsCommand = defineAppCommand({
 		logs: arg(z.boolean().default(false), { description: "Display job execution logs (detail mode only)" })
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		if (args.executionId) {
 			const interval = parseDuration(args.interval);
-			const { execution, wait } = await getWorkflowExecution({
+			if (!jsonOutput) logger.info(`Execution ID: ${args.executionId}`, { mode: "stream" });
+			if (args.wait) {
+				const result = await waitForWorkflowExecutionById({
+					executionId: args.executionId,
+					workspaceId: args["workspace-id"],
+					profile: args.profile,
+					interval,
+					timeout: parseDuration(args.timeout),
+					until: args.until,
+					showProgress: !jsonOutput,
+					trackJobs: true
+				});
+				if (args.logs && !jsonOutput) {
+					const { execution } = await getWorkflowExecution({
+						executionId: args.executionId,
+						workspaceId: args["workspace-id"],
+						profile: args.profile,
+						logs: true
+					});
+					printExecutionWithLogs(execution);
+				} else if (args.logs) {
+					const { execution } = await getWorkflowExecution({
+						executionId: args.executionId,
+						workspaceId: args["workspace-id"],
+						profile: args.profile,
+						logs: true
+					});
+					const output = {
+						...result,
+						jobDetails: execution.jobDetails
+					};
+					logger.out(output);
+				} else logger.out(result);
+				const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+				if (failureMessage) throw new Error(failureMessage);
+				return;
+			}
+			const { execution } = await getWorkflowExecution({
 				executionId: args.executionId,
 				workspaceId: args["workspace-id"],
 				profile: args.profile,
 				interval,
 				logs: args.logs
 			});
-			if (!args.json) logger.info(`Execution ID: ${execution.id}`, { mode: "stream" });
-			const result = args.wait ? await waitWithSpinner(wait, interval, args.json) : execution;
-			if (args.logs && !args.json) printExecutionWithLogs(result);
-			else logger.out(result);
+			if (args.logs && !jsonOutput) printExecutionWithLogs(execution);
+			else logger.out(execution);
 		} else {
 			const executions = await listWorkflowExecutions({
 				workspaceId: args["workspace-id"],
@@ -11978,90 +12395,6 @@ const getCommand$5 = defineAppCommand({
 
 //#endregion
 //#region src/cli/commands/workflow/start.ts
-function sleep(ms) {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}
-function formatTime$1(date) {
-	return date.toLocaleTimeString("en-US", { hour12: false });
-}
-function colorizeStatus(status) {
-	const statusText = WorkflowExecution_Status[status];
-	switch (status) {
-		case WorkflowExecution_Status.PENDING: return styles.dim(statusText);
-		case WorkflowExecution_Status.PENDING_RESUME: return styles.warning(statusText);
-		case WorkflowExecution_Status.RUNNING: return styles.info(statusText);
-		case WorkflowExecution_Status.SUCCESS: return styles.success(statusText);
-		case WorkflowExecution_Status.FAILED: return styles.error(statusText);
-		default: return statusText;
-	}
-}
-/**
-* Wait for a workflow execution to reach a terminal state, optionally showing progress.
-* @param options - Wait options
-* @returns Final workflow execution info
-*/
-async function waitForExecution(options) {
-	const { client, workspaceId, executionId, interval, showProgress, trackJobs } = options;
-	let lastStatus;
-	let lastRunningJobs;
-	const sp = showProgress ? spinner({ indent: 2 }).start("Waiting for workflow to complete...") : null;
-	try {
-		while (true) {
-			const { execution } = await client.getWorkflowExecution({
-				workspaceId,
-				executionId
-			});
-			if (!execution) {
-				sp?.fail(`Execution '${executionId}' not found.`);
-				throw new Error(`Execution '${executionId}' not found.`);
-			}
-			const now = formatTime$1(/* @__PURE__ */ new Date());
-			const coloredStatus = colorizeStatus(execution.status);
-			if (execution.status !== lastStatus) {
-				if (showProgress) {
-					sp?.stop();
-					logger.info(`Status: ${coloredStatus}`, {
-						mode: "stream",
-						indent: 2
-					});
-					sp?.start(`Waiting for workflow to complete...`);
-				}
-				lastStatus = execution.status;
-			}
-			if (trackJobs && execution.status === WorkflowExecution_Status.RUNNING) {
-				const runningJobs = getRunningJobs(execution);
-				if (runningJobs && runningJobs !== lastRunningJobs) {
-					if (showProgress) {
-						sp?.stop();
-						logger.info(`Job | ${runningJobs}: ${coloredStatus}`, {
-							mode: "stream",
-							indent: 2
-						});
-						sp?.start(`Waiting for workflow to complete...`);
-					}
-					lastRunningJobs = runningJobs;
-				}
-			}
-			if (sp) sp.text = `Waiting for workflow to complete... (${now})`;
-			if (isTerminalStatus(execution.status)) {
-				if (execution.status === WorkflowExecution_Status.SUCCESS) sp?.succeed(`Completed: ${coloredStatus}`);
-				else if (execution.status === WorkflowExecution_Status.FAILED) sp?.fail(`Completed: ${coloredStatus}`);
-				else sp?.warn(`Completed: ${coloredStatus}`);
-				return toWorkflowExecutionInfo(execution);
-			}
-			await sleep(interval);
-		}
-	} catch (error) {
-		sp?.stop();
-		throw error;
-	}
-}
-function getRunningJobs(execution) {
-	return execution.jobExecutions.filter((job) => job.status === WorkflowJobExecution_Status.RUNNING).map((job) => job.stackedJobName).join(", ");
-}
-function isTerminalStatus(status) {
-	return status === WorkflowExecution_Status.SUCCESS || status === WorkflowExecution_Status.FAILED || status === WorkflowExecution_Status.PENDING_RESUME;
-}
 async function startWorkflowCore(options) {
 	const { client, workspaceId, workflowName } = options;
 	try {
@@ -12076,11 +12409,13 @@ async function startWorkflowCore(options) {
 		});
 		return {
 			executionId,
-			wait: (waitOptions) => waitForExecution({
+			wait: (waitOptions) => waitForWorkflowExecution({
 				client,
 				workspaceId,
 				executionId,
 				interval: options.interval ?? 3e3,
+				timeout: waitOptions?.timeout,
+				until: waitOptions?.until,
 				showProgress: waitOptions?.showProgress,
 				trackJobs: true
 			})
@@ -12164,7 +12499,11 @@ const startCommand = defineAppCommand({
 		const jsonOutput = logger.jsonMode;
 		logger.info(`Execution ID: ${executionId}`, { mode: "stream" });
 		if (args.wait) {
-			const result = await wait({ showProgress: !jsonOutput });
+			const result = await wait({
+				showProgress: !jsonOutput,
+				timeout: parseDuration(args.timeout),
+				until: args.until
+			});
 			if (args.logs && !jsonOutput) {
 				const { execution } = await getWorkflowExecution({
 					executionId,
@@ -12173,7 +12512,20 @@ const startCommand = defineAppCommand({
 					logs: true
 				});
 				printExecutionWithLogs(execution);
+			} else if (args.logs) {
+				const { execution } = await getWorkflowExecution({
+					executionId,
+					workspaceId: args["workspace-id"],
+					profile: args.profile,
+					logs: true
+				});
+				logger.out({
+					...result,
+					jobDetails: execution.jobDetails
+				});
 			} else logger.out(result);
+			const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+			if (failureMessage) throw new Error(failureMessage);
 		} else logger.out({ executionId });
 	}
 });
@@ -12183,6 +12535,16 @@ const startCommand = defineAppCommand({
 function formatTime(date) {
 	return date.toLocaleTimeString("en-US", { hour12: false });
 }
+function createUnknownExecutorJob(executorName, jobId) {
+	return {
+		id: jobId,
+		executorName,
+		status: "UNKNOWN",
+		scheduledAt: "N/A",
+		createdAt: "N/A",
+		updatedAt: "N/A"
+	};
+}
 async function listExecutorJobs(options) {
 	const executorName = "executorName" in options ? options.executorName : options.executor.name;
 	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
@@ -12266,7 +12628,27 @@ async function watchExecutorJob(options) {
 		profile: options.profile
 	});
 	const interval = options.interval ?? 3e3;
-	const sp = spinner().start("Waiting for executor job to complete...");
+	const timeout = options.timeout;
+	const showProgress = options.showProgress ?? !logger.jsonMode;
+	const startedAt = Date.now();
+	const sp = showProgress ? spinner().start("Waiting for executor job to complete...") : null;
+	let attempts = 0;
+	let lastError = null;
+	const remainingTimeout = () => {
+		if (timeout === void 0) return;
+		return timeout - (Date.now() - startedAt);
+	};
+	const withWaitMetadata = (result, timedOut) => ({
+		...result,
+		elapsedMs: Date.now() - startedAt,
+		attempts,
+		timedOut,
+		lastError
+	});
+	const timeoutResult = (targetType, job) => withWaitMetadata({
+		job: job ? toExecutorJobInfo(job) : createUnknownExecutorJob(executorName, options.jobId),
+		targetType
+	}, true);
 	try {
 		const { executor } = await client.getExecutorExecutor({
 			workspaceId,
@@ -12277,29 +12659,47 @@ async function watchExecutorJob(options) {
 		const targetTypeStr = executorTargetTypeToString(targetType);
 		let job;
 		while (true) {
-			job = (await client.getExecutorJob({
-				workspaceId,
-				executorName,
-				jobId: options.jobId
-			})).job;
-			if (!job) throw new Error(`Job '${options.jobId}' not found.`);
-			if (isExecutorJobTerminalStatus(job.status)) break;
-			sp.text = `Waiting for executor job... (${formatTime(/* @__PURE__ */ new Date())})`;
-			await setTimeout$1(interval);
+			const remainingMs = remainingTimeout();
+			if (remainingMs !== void 0 && remainingMs <= 0) {
+				sp?.fail("Executor job wait timed out.");
+				return timeoutResult(targetTypeStr, job);
+			}
+			try {
+				attempts += 1;
+				job = (await client.getExecutorJob({
+					workspaceId,
+					executorName,
+					jobId: options.jobId
+				})).job;
+				if (!job) throw new Error(`Job '${options.jobId}' not found.`);
+				lastError = null;
+				if (classifyExecutorJobStatus(job.status) !== "transient") break;
+			} catch (error) {
+				if (!isRetryableWaitError(error)) throw error;
+				lastError = formatWaitError(error);
+				if (sp) sp.text = `Retrying executor job poll... (${formatTime(/* @__PURE__ */ new Date())})`;
+			}
+			const nextRemainingMs = remainingTimeout();
+			if (nextRemainingMs !== void 0 && nextRemainingMs <= 0) {
+				sp?.fail("Executor job wait timed out.");
+				return timeoutResult(targetTypeStr, job);
+			}
+			if (sp) sp.text = `Waiting for executor job... (${formatTime(/* @__PURE__ */ new Date())})`;
+			await setTimeout$1(nextRemainingMs === void 0 ? interval : Math.min(interval, nextRemainingMs));
 		}
 		const jobInfo = toExecutorJobInfo(job);
 		const coloredStatus = colorizeExecutorJobStatus(jobInfo.status);
-		if (job.status === ExecutorJobStatus.SUCCESS) sp.succeed(`Executor job completed: ${coloredStatus}`);
-		else sp.fail(`Executor job completed: ${coloredStatus}`);
+		if (job.status === ExecutorJobStatus.SUCCESS) sp?.succeed(`Executor job completed: ${coloredStatus}`);
+		else sp?.fail(`Executor job completed: ${coloredStatus}`);
 		const attemptInfos = (await fetchAll(async (pageToken, maxPageSize) => {
-			const { attempts, nextPageToken } = await client.listExecutorJobAttempts({
+			const { attempts: jobAttempts, nextPageToken } = await client.listExecutorJobAttempts({
 				workspaceId,
 				jobId: options.jobId,
 				pageToken,
 				pageSize: maxPageSize,
 				pageDirection: PageDirection.DESC
 			});
-			return [attempts, nextPageToken];
+			return [jobAttempts, nextPageToken];
 		})).map(toExecutorJobAttemptInfo);
 		const jobDetail = {
 			...jobInfo,
@@ -12308,18 +12708,27 @@ async function watchExecutorJob(options) {
 		const operationReference = attemptInfos[0]?.operationReference;
 		if (operationReference) switch (targetType) {
 			case ExecutorTargetType.WORKFLOW:
-				sp.stop();
+				sp?.stop();
 				try {
-					const executionResult = await waitForExecution({
+					const workflowTimeout = remainingTimeout();
+					if (workflowTimeout !== void 0 && workflowTimeout <= 0) return withWaitMetadata({
+						job: jobDetail,
+						targetType: targetTypeStr,
+						workflowExecutionId: operationReference
+					}, true);
+					const executionResult = await waitForWorkflowExecution({
 						client,
 						workspaceId,
 						executionId: operationReference,
 						interval,
-						showProgress: true,
+						timeout: workflowTimeout,
+						showProgress,
 						trackJobs: true
 					});
+					attempts += executionResult.attempts;
+					lastError = executionResult.lastError;
 					let workflowJobLogs;
-					if (options.logs) {
+					if (options.logs) try {
 						const { execution: execWithLogs } = await getWorkflowExecution({
 							executionId: operationReference,
 							workspaceId: options.workspaceId,
@@ -12331,67 +12740,109 @@ async function watchExecutorJob(options) {
 							logs: job.logs,
 							result: job.result
 						}));
+					} catch (error) {
+						logger.warn(`Could not fetch workflow execution logs: ${error instanceof Error ? error.message : error}`);
 					}
-					return {
+					return withWaitMetadata({
 						job: jobDetail,
 						targetType: targetTypeStr,
 						workflowExecutionId: operationReference,
 						workflowStatus: executionResult.status,
 						workflowJobLogs
-					};
+					}, executionResult.timedOut);
 				} catch (error) {
 					logger.warn(`Could not track workflow execution: ${error instanceof Error ? error.message : error}`);
-					return {
+					return withWaitMetadata({
 						job: jobDetail,
 						targetType: targetTypeStr,
 						workflowExecutionId: operationReference
-					};
+					}, false);
 				}
 			case ExecutorTargetType.FUNCTION:
 			case ExecutorTargetType.JOB_FUNCTION:
-				sp.start(`Waiting for function execution ${operationReference}...`);
+				sp?.start(`Waiting for function execution ${operationReference}...`);
 				try {
+					let functionStatus;
 					while (true) {
-						const { execution } = await client.getFunctionExecution({
-							workspaceId,
-							executionId: operationReference
-						});
-						if (!execution) throw new Error(`Function execution '${operationReference}' not found.`);
-						if (isFunctionExecutionTerminalStatus(execution.status)) {
-							const statusStr = functionExecutionStatusToString(execution.status);
-							const coloredFnStatus = colorizeFunctionExecutionStatus(statusStr);
-							if (execution.status === FunctionExecution_Status.SUCCESS) sp.succeed(`Function execution completed: ${coloredFnStatus}`);
-							else sp.fail(`Function execution completed: ${coloredFnStatus}`);
-							return {
+						const functionTimeout = remainingTimeout();
+						if (functionTimeout !== void 0 && functionTimeout <= 0) {
+							sp?.fail("Function execution wait timed out.");
+							return withWaitMetadata({
 								job: jobDetail,
 								targetType: targetTypeStr,
 								functionExecutionId: operationReference,
-								functionStatus: statusStr,
-								functionLogs: options.logs ? execution.logs || void 0 : void 0
-							};
+								functionStatus
+							}, true);
 						}
-						sp.text = `Waiting for function execution... (${formatTime(/* @__PURE__ */ new Date())})`;
-						await setTimeout$1(interval);
+						try {
+							attempts += 1;
+							const { execution } = await client.getFunctionExecution({
+								workspaceId,
+								executionId: operationReference
+							});
+							if (!execution) throw new Error(`Function execution '${operationReference}' not found.`);
+							lastError = null;
+							functionStatus = functionExecutionStatusToString(execution.status);
+							if (isFunctionExecutionTerminalStatus(execution.status)) {
+								const coloredFnStatus = colorizeFunctionExecutionStatus(functionStatus);
+								if (execution.status === FunctionExecution_Status.SUCCESS) sp?.succeed(`Function execution completed: ${coloredFnStatus}`);
+								else sp?.fail(`Function execution completed: ${coloredFnStatus}`);
+								return withWaitMetadata({
+									job: jobDetail,
+									targetType: targetTypeStr,
+									functionExecutionId: operationReference,
+									functionStatus,
+									functionLogs: options.logs ? execution.logs || void 0 : void 0
+								}, false);
+							}
+						} catch (error) {
+							if (!isRetryableWaitError(error)) throw error;
+							lastError = formatWaitError(error);
+							if (sp) sp.text = `Retrying function execution poll... (${formatTime(/* @__PURE__ */ new Date())})`;
+						}
+						const nextFunctionTimeout = remainingTimeout();
+						if (nextFunctionTimeout !== void 0 && nextFunctionTimeout <= 0) {
+							sp?.fail("Function execution wait timed out.");
+							return withWaitMetadata({
+								job: jobDetail,
+								targetType: targetTypeStr,
+								functionExecutionId: operationReference,
+								functionStatus
+							}, true);
+						}
+						if (sp) sp.text = `Waiting for function execution... (${formatTime(/* @__PURE__ */ new Date())})`;
+						await setTimeout$1(nextFunctionTimeout === void 0 ? interval : Math.min(interval, nextFunctionTimeout));
 					}
 				} catch (error) {
-					sp.warn(`Could not track function execution: ${error instanceof Error ? error.message : error}`);
-					return {
+					sp?.warn(`Could not track function execution: ${error instanceof Error ? error.message : error}`);
+					return withWaitMetadata({
 						job: jobDetail,
 						targetType: targetTypeStr,
 						functionExecutionId: operationReference
-					};
+					}, false);
 				}
 				break;
 			default: break;
 		}
-		return {
+		return withWaitMetadata({
 			job: jobDetail,
 			targetType: targetTypeStr
-		};
+		}, false);
 	} finally {
-		sp.stop();
+		sp?.stop();
 	}
 }
+/**
+* Build a user-facing failure message for an executor job wait result.
+* @param result - Executor job wait result
+* @returns Failure message, or undefined when the wait succeeded
+*/
+function getExecutorWaitFailureMessage(result) {
+	if (result.timedOut) return `Timed out waiting for executor job '${result.job.id}'. Last status: ${result.job.status}.`;
+	if (result.job.status === "FAILED" || result.job.status === "CANCELED") return `Executor job '${result.job.id}' completed with status ${result.job.status}.`;
+	if (result.workflowStatus === "FAILED") return `Workflow execution '${result.workflowExecutionId}' failed.`;
+	if (result.functionStatus === "FAILED") return `Function execution '${result.functionExecutionId}' failed.`;
+}
 function printJobWithAttempts(job) {
 	const summaryData = [
 		["id", job.id],
@@ -12473,6 +12924,10 @@ const jobsCommand = defineAppCommand({
 			alias: "i",
 			description: "Polling interval when using --wait (e.g., '3s', '500ms', '1m')"
 		}),
+		timeout: arg(durationArg.default("5m"), {
+			alias: "t",
+			description: "Maximum time to wait when using --wait (e.g., '30s', '5m')"
+		}),
 		...pagedLogArgs,
 		limit: arg(nonNegativeIntArg.default(50), { description: "Maximum number of jobs to list (0: unlimited, default: 50) (list mode only)" }),
 		logs: arg(z.boolean().default(false), {
@@ -12481,6 +12936,7 @@ const jobsCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		if (args.jobId) {
 			if (args.wait) {
 				const result = await watchExecutorJob({
@@ -12489,9 +12945,11 @@ const jobsCommand = defineAppCommand({
 					workspaceId: args["workspace-id"],
 					profile: args.profile,
 					interval: parseDuration(args.interval),
-					logs: args.logs
+					timeout: parseDuration(args.timeout),
+					logs: args.logs,
+					showProgress: !jsonOutput
 				});
-				if (!args.json) {
+				if (!jsonOutput) {
 					logger.log(styles.bold(`Target Type: ${result.targetType}\n`));
 					printJobWithAttempts(result.job);
 					if (result.workflowExecutionId) {
@@ -12526,6 +12984,8 @@ const jobsCommand = defineAppCommand({
 						}
 					}
 				} else logger.out(result);
+				const failureMessage = getExecutorWaitFailureMessage(result);
+				if (failureMessage) throw new Error(failureMessage);
 				return;
 			}
 			const job = await getExecutorJob({
@@ -12535,7 +12995,7 @@ const jobsCommand = defineAppCommand({
 				workspaceId: args["workspace-id"],
 				profile: args.profile
 			});
-			if (args.attempts && !args.json) printJobWithAttempts(job);
+			if (args.attempts && !jsonOutput) printJobWithAttempts(job);
 			else logger.out(job);
 		} else {
 			if (args.wait) logger.warn("--wait flag is ignored in list mode. Specify a job ID to wait.");
@@ -12722,12 +13182,17 @@ The \`--logs\` option displays logs from the downstream execution when available
 			alias: "i",
 			description: "Polling interval when using --wait (e.g., '3s', '500ms', '1m')"
 		}),
+		timeout: arg(durationArg.default("5m"), {
+			alias: "t",
+			description: "Maximum time to wait when using --wait (e.g., '30s', '5m')"
+		}),
 		logs: arg(z.boolean().default(false), {
 			alias: "l",
 			description: "Display function execution logs after completion (requires --wait)"
 		})
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		await assertWritable({ profile: args.profile });
 		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
@@ -12768,9 +13233,11 @@ The \`--logs\` option displays logs from the downstream execution when available
 				workspaceId: args["workspace-id"],
 				profile: args.profile,
 				interval: parseDuration(args.interval),
-				logs: args.logs
+				timeout: parseDuration(args.timeout),
+				logs: args.logs,
+				showProgress: !jsonOutput
 			});
-			if (!args.json) {
+			if (!jsonOutput) {
 				logger.log(styles.bold(`\nTarget Type: ${watchResult.targetType}`));
 				logger.log(`Job Status: ${watchResult.job.status}`);
 				if (watchResult.workflowExecutionId) {
@@ -12805,6 +13272,8 @@ The \`--logs\` option displays logs from the downstream execution when available
 					}
 				}
 			} else logger.out(watchResult);
+			const failureMessage = getExecutorWaitFailureMessage(watchResult);
+			if (failureMessage) throw new Error(failureMessage);
 		}
 	}
 });
@@ -15182,7 +15651,7 @@ function formatEnumUnion(values) {
 	return values.map((v) => `"${v}"`).join(" | ");
 }
 function generateEnumChangeColumnType(enumValueChange, config) {
-	const selectType = formatEnumUnion([...new Set([...enumValueChange.beforeValues, ...enumValueChange.afterValues])]);
+	const selectType = formatEnumUnion([.../* @__PURE__ */ new Set([...enumValueChange.beforeValues, ...enumValueChange.afterValues])]);
 	const afterType = formatEnumUnion(enumValueChange.afterValues);
 	if (config.array && !config.required) return `ColumnType<(${selectType})[] | null, (${afterType})[] | null, (${afterType})[] | null>`;
 	if (config.array) return `ColumnType<(${selectType})[], (${afterType})[], (${afterType})[]>`;
@@ -15509,7 +15978,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-Djeezk3m.mjs");
+	const { defineApplication } = await import("./application-Br48NXBD.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -15942,11 +16411,13 @@ async function resumeWorkflow(options) {
 		});
 		return {
 			executionId,
-			wait: (waitOptions) => waitForExecution({
+			wait: (waitOptions) => waitForWorkflowExecution({
 				client,
 				workspaceId,
 				executionId,
 				interval: options.interval ?? 3e3,
+				timeout: waitOptions?.timeout,
+				until: waitOptions?.until,
 				showProgress: waitOptions?.showProgress
 			})
 		};
@@ -15970,16 +16441,21 @@ const resumeCommand = defineAppCommand({
 		...waitArgs
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		const { executionId, wait } = await resumeWorkflow({
 			executionId: args.executionId,
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
 			interval: parseDuration(args.interval)
 		});
-		if (!args.json) logger.info(`Execution ID: ${executionId}`, { mode: "stream" });
+		if (!jsonOutput) logger.info(`Execution ID: ${executionId}`, { mode: "stream" });
 		if (args.wait) {
-			const result = await wait({ showProgress: !args.json });
-			if (args.logs && !args.json) {
+			const result = await wait({
+				showProgress: !jsonOutput,
+				timeout: parseDuration(args.timeout),
+				until: args.until
+			});
+			if (args.logs && !jsonOutput) {
 				const { execution } = await getWorkflowExecution({
 					executionId,
 					workspaceId: args["workspace-id"],
@@ -15987,11 +16463,112 @@ const resumeCommand = defineAppCommand({
 					logs: true
 				});
 				printExecutionWithLogs(execution);
+			} else if (args.logs) {
+				const { execution } = await getWorkflowExecution({
+					executionId,
+					workspaceId: args["workspace-id"],
+					profile: args.profile,
+					logs: true
+				});
+				logger.out({
+					...result,
+					jobDetails: execution.jobDetails
+				});
 			} else logger.out(result);
+			const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+			if (failureMessage) throw new Error(failureMessage);
 		} else logger.out({ executionId });
 	}
 });
 
+//#endregion
+//#region src/cli/commands/workflow/wait.ts
+/**
+* Wait for an existing workflow execution by ID.
+* @param options - Workflow wait options
+* @returns Workflow wait result
+*/
+async function waitWorkflowExecution(options) {
+	return await waitForWorkflowExecutionById({
+		...options,
+		showProgress: options.showProgress ?? !logger.jsonMode,
+		trackJobs: options.trackJobs ?? true
+	});
+}
+/**
+* Attach workflow job logs to a wait result when requested.
+* @param result - Workflow wait result
+* @param options - Workflow wait options
+* @returns Workflow wait result with optional job details
+*/
+async function addWorkflowLogsToWaitResult(result, options) {
+	const { execution } = await getWorkflowExecution({
+		executionId: options.executionId,
+		workspaceId: options.workspaceId,
+		profile: options.profile,
+		logs: true
+	});
+	return {
+		...result,
+		jobDetails: execution.jobDetails
+	};
+}
+const waitCommand = defineAppCommand({
+	name: "wait",
+	description: "Wait for a workflow execution.",
+	examples: [
+		{
+			cmd: "execution-id --until success --timeout 10m --json",
+			desc: "Wait for workflow success"
+		},
+		{
+			cmd: "execution-id --until suspended --timeout 6m --logs --json",
+			desc: "Wait for a workflow wait point"
+		},
+		{
+			cmd: "execution-id --until terminal",
+			desc: "Wait for success, failure, or suspension"
+		}
+	],
+	args: z.object({
+		...workspaceArgs,
+		"execution-id": arg(z.string(), {
+			positional: true,
+			description: "Execution ID"
+		}),
+		...workflowWaitControlArgs
+	}).strict(),
+	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
+		const result = await waitWorkflowExecution({
+			executionId: args.executionId,
+			workspaceId: args["workspace-id"],
+			profile: args.profile,
+			interval: parseDuration(args.interval),
+			timeout: parseDuration(args.timeout),
+			until: args.until,
+			showProgress: !jsonOutput
+		});
+		const output = args.logs ? await addWorkflowLogsToWaitResult(result, {
+			executionId: args.executionId,
+			workspaceId: args["workspace-id"],
+			profile: args.profile
+		}) : result;
+		if (!jsonOutput && output.jobDetails) printExecutionWithLogs({
+			id: output.id,
+			workflowName: output.workflowName,
+			status: output.status,
+			jobExecutions: output.jobExecutions,
+			startedAt: output.startedAt,
+			finishedAt: output.finishedAt,
+			jobDetails: output.jobDetails
+		});
+		else logger.out(output);
+		const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+		if (failureMessage) throw new Error(failureMessage);
+	}
+});
+
 //#endregion
 //#region src/cli/commands/workspace/app/transform.ts
 const statusToString = (status) => {
@@ -17335,7 +17912,7 @@ async function runRepl(options) {
 	const execute = await prepareQueryExecutor(options);
 	const historyPath = getReplHistoryPath(options.engine, options.profile, options.workspaceId);
 	const validate = createReplValidator(options.engine);
-	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-CJG3sz7A.mjs");
+	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-DD5YP5mt.mjs");
 	const highlight = options.engine === "sql" ? highlightSqlLine : highlightGraphqlLine;
 	const prompt = createPrompt({
 		prefix: "",
@@ -17669,5 +18246,5 @@ function isDeno() {
 }
 
 //#endregion
-export { listCommand$5 as $, INITIAL_SCHEMA_NUMBER as $t, truncate as A, commonArgs as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, PluginManager as Cn, triggerExecutor as Ct, resumeWorkflow as D, apiCall as Dn, jobsCommand as Dt, resumeCommand as E, apiCommand as En, getExecutorJob as Et, writeDbTypesFile as F, pagedLogArgs as Fn, getWorkflowExecution as Ft, organizationTree as G, MIGRATION_LABEL_KEY as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, paginationArgs as In, listWorkflowExecutions as It, listOrganizations as J, compareSnapshotWithRemote as Jt, treeCommand as K, handleOptionalToRequiredError as Kt, openInConfiguredEditor as L, toPageDirection as Ln, functionExecutionStatusToString as Lt, generate as M, confirmationArgs as Mn, getCommand$5 as Mt, generateCommand as N, deploymentArgs as Nn, getWorkflow as Nt, listCommand$3 as O, assertWritable as On, listExecutorJobs as Ot, generateMigrationScript as P, isVerbose as Pn, executionsCommand as Pt, updateFolder as Q, DIFF_FILE_NAME as Qt, show as R, workspaceArgs as Rn, formatKeyValueTable as Rt, listApps as S, sdkNameLabelKey as Sn, triggerCommand as St, healthCommand as T, prompt as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, bundleMigrationScript as Wt, getOrganization as X, protoGqlPermission as Xt, getCommand$1 as Y, generateAllTypeManifestsFromSnapshot as Yt, updateCommand$2 as Z, DB_TYPES_FILE_NAME as Zt, getWorkspace as _, formatMigrationDiff as _n, listFunctionRegistries as _t, updateUser as a, createSnapshotFromLocalTypes as an, createCommand$1 as at, createCommand as b, ensureConfigId as bn, listWebhookExecutors as bt, listCommand as c, getMigrationFilePath as cn, listOAuth2Clients as ct, inviteUser as d, isValidMigrationNumber as dn, getMachineUserToken as dt, MIGRATE_FILE_NAME as en, listFolders as et, restoreCommand as f, loadDiff as fn, tokenCommand as ft, getCommand as g, formatDiffSummary as gn, listCommand$8 as gt, listWorkspaces as h, parseMigrationNumberArg as hn, generate$1 as ht, updateCommand as i, compareSnapshots as in, deleteFolder as it, truncateCommand as j, configArg as jn, startWorkflow as jt, listWorkflows as k, defineAppCommand as kn, watchExecutorJob as kt, listUsers as l, getMigrationFiles as ln, getCommand$3 as lt, listCommand$1 as m, formatMigrationNumber as mn, listMachineUsers as mt, query as n, assertValidMigrationFiles as nn, getFolder as nt, removeCommand as o, getLatestMigrationNumber as on, createFolder as ot, restoreWorkspace as p, reconstructSnapshotFromMigrations as pn, listCommand$7 as pt, listCommand$4 as q, parseMigrationLabelNumber as qt, queryCommand as r, compareLocalTypesWithSnapshot as rn, deleteCommand$1 as rt, removeUser as s, getMigrationDirPath as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, SCHEMA_FILE_NAME as tn, getCommand$2 as tt, inviteCommand as u, getNextMigrationNumber as un, getOAuth2Client as ut, deleteCommand as v, hasChanges as vn, getCommand$4 as vt, getAppHealth as w, generateUserTypes as wn, listCommand$9 as wt, createWorkspace as x, resourceTrn as xn, webhookCommand as xt, deleteWorkspace as y, getNamespacesWithMigrations as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-BU6KtCvk.mjs.map
+export { updateCommand$2 as $, protoGqlPermission as $t, listCommand$3 as A, apiCall as An, jobsCommand as At, show as B, toPageDirection as Bn, functionExecutionStatusToString as Bt, listCommand$2 as C, ensureConfigId as Cn, webhookCommand as Ct, waitWorkflowExecution as D, generateUserTypes as Dn, listExecutors as Dt, waitCommand as E, PluginManager as En, listCommand$9 as Et, generateCommand as F, confirmationArgs as Fn, getCommand$5 as Ft, updateCommand$1 as G, executeScript as Gt, logBetaWarning as H, getCommand$6 as Ht, generateMigrationScript as I, deploymentArgs as In, getWorkflow as It, treeCommand as J, MIGRATION_LABEL_KEY as Jt, updateOrganization as K, waitForExecution as Kt, writeDbTypesFile as L, isVerbose as Ln, executionsCommand as Lt, truncate as M, defineAppCommand as Mn, watchExecutorJob as Mt, truncateCommand as N, commonArgs as Nn, startCommand as Nt, resumeCommand as O, prompt as On, getExecutorJob as Ot, generate as P, configArg as Pn, startWorkflow as Pt, getOrganization as Q, generateAllTypeManifestsFromSnapshot as Qt, getConfiguredEditorCommand as R, pagedLogArgs as Rn, getWorkflowExecution as Rt, listApps as S, getNamespacesWithMigrations as Sn, listWebhookExecutors as St, healthCommand as T, sdkNameLabelKey as Tn, triggerExecutor as Tt, remove as U, getExecutor as Ut, showCommand as V, workspaceArgs as Vn, formatKeyValueTable as Vt, removeCommand$1 as W, deploy as Wt, listOrganizations as X, parseMigrationLabelNumber as Xt, listCommand$4 as Y, handleOptionalToRequiredError as Yt, getCommand$1 as Z, compareSnapshotWithRemote as Zt, getWorkspace as _, formatMigrationNumber as _n, generate$1 as _t, updateUser as a, assertValidMigrationFiles as an, deleteCommand$1 as at, createCommand as b, formatMigrationDiff as bn, getCommand$4 as bt, listCommand as c, createSnapshotFromLocalTypes as cn, createFolder as ct, inviteUser as d, getMigrationFilePath as dn, getCommand$3 as dt, DB_TYPES_FILE_NAME as en, updateFolder as et, restoreCommand as f, getMigrationFiles as fn, getOAuth2Client as ft, getCommand as g, reconstructSnapshotFromMigrations as gn, listMachineUsers as gt, listWorkspaces as h, loadDiff as hn, listCommand$7 as ht, updateCommand as i, SCHEMA_FILE_NAME as in, getFolder as it, listWorkflows as j, assertWritable as jn, listExecutorJobs as jt, resumeWorkflow as k, apiCommand as kn, getExecutorWaitFailureMessage as kt, listUsers as l, getLatestMigrationNumber as ln, listCommand$6 as lt, listCommand$1 as m, isValidMigrationNumber as mn, tokenCommand as mt, query as n, INITIAL_SCHEMA_NUMBER as nn, listFolders as nt, removeCommand as o, compareLocalTypesWithSnapshot as on, deleteFolder as ot, restoreWorkspace as p, getNextMigrationNumber as pn, getMachineUserToken as pt, organizationTree as q, bundleMigrationScript as qt, queryCommand as r, MIGRATE_FILE_NAME as rn, getCommand$2 as rt, removeUser as s, compareSnapshots as sn, createCommand$1 as st, isNativeTypeScriptRuntime as t, DIFF_FILE_NAME as tn, listCommand$5 as tt, inviteCommand as u, getMigrationDirPath as un, listOAuth2Clients as ut, deleteCommand as v, parseMigrationNumberArg as vn, listCommand$8 as vt, getAppHealth as w, resourceTrn as wn, triggerCommand as wt, createWorkspace as x, hasChanges as xn, getFunctionRegistry as xt, deleteWorkspace as y, formatDiffSummary as yn, listFunctionRegistries as yt, openInConfiguredEditor as z, paginationArgs as zn, listWorkflowExecutions as zt };
+//# sourceMappingURL=runtime-jowoN6qC.mjs.map