@tailor-platform/sdk 1.67.1 → 1.69.0

package/docs/cli-reference.md

@@ -10,8 +10,6 @@ tailor-sdk <command> [options]
 
 ## Global Options
 
-<!-- politty:global-options:start -->
-
 <a id="global-options"></a>
 | Option | Alias | Description | Required | Default |
 |--------|-------|-------------|----------|---------|
@@ -20,8 +18,6 @@ tailor-sdk <command> [options]
 | `--verbose` | - | Enable verbose logging | No | `false` |
 | `--json` | `-j` | Output as JSON | No | `false` |
 
-<!-- politty:global-options:end -->
-
 ### JSON Output
 
 For commands that return structured results, passing `--json` writes one parseable JSON document
@@ -103,8 +99,6 @@ Workspace ID resolution follows this priority order:
 
 ## Commands
 
-<!-- politty:index:docs/cli-reference.md:start -->
-
 ### [Application Commands](./cli/application.md)
 
 Commands for managing Tailor Platform applications (work with `tailor.config.ts`).
@@ -117,8 +111,9 @@ Commands for managing Tailor Platform applications (work with `tailor.config.ts`
 | [remove](./cli/application.md#remove)           | Remove all resources managed by the application from the workspace. |
 | [show](./cli/application.md#show)               | Show information about the deployed application.                    |
 | [open](./cli/application.md#open)               | Open Tailor Platform Console.                                       |
-| [api list](./cli/application.md#api-list)       | List all invocable OperatorService methods.                         |
+| [api](./cli/application.md#api)                 | Call Tailor Platform API endpoints directly.                        |
 | [api inspect](./cli/application.md#api-inspect) | Print the input message tree of an OperatorService endpoint.        |
+| [api list](./cli/application.md#api-list)       | List all invocable OperatorService methods.                         |
 
 ### [TailorDB Commands](./cli/tailordb.md)
 
@@ -126,12 +121,15 @@ Commands for managing TailorDB tables, data, and schema migrations.
 
 | Command                                                                      | Description                                                                                                               |
 | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
+| [tailordb](./cli/tailordb.md#tailordb)                                       | Manage TailorDB tables and data.                                                                                          |
 | [tailordb truncate](./cli/tailordb.md#tailordb-truncate)                     | Truncate (delete all records from) TailorDB tables.                                                                       |
+| [tailordb migration](./cli/tailordb.md#tailordb-migration)                   | Manage TailorDB schema migrations.                                                                                        |
 | [tailordb migration generate](./cli/tailordb.md#tailordb-migration-generate) | Generate migration files by detecting schema differences between current local types and the previous migration snapshot. |
 | [tailordb migration script](./cli/tailordb.md#tailordb-migration-script)     | Add a migration script (migrate.ts) template to an existing migration directory.                                          |
 | [tailordb migration set](./cli/tailordb.md#tailordb-migration-set)           | Set migration checkpoint to a specific number.                                                                            |
 | [tailordb migration status](./cli/tailordb.md#tailordb-migration-status)     | Show the current migration status for TailorDB namespaces, including applied and pending migrations.                      |
 | [tailordb migration sync](./cli/tailordb.md#tailordb-migration-sync)         | Sync remote TailorDB schema to a specific migration snapshot (recovery from --no-schema-check drift).                     |
+| [tailordb erd](./cli/tailordb.md#tailordb-erd)                               | Generate TailorDB ERD viewer artifacts from local TailorDB schema. (beta)                                                 |
 | [tailordb erd export](./cli/tailordb.md#tailordb-erd-export)                 | Export TailorDB ERD static viewer from local TailorDB schema.                                                             |
 | [tailordb erd serve](./cli/tailordb.md#tailordb-erd-serve)                   | Generate and serve TailorDB ERD locally with watch reload. (beta)                                                         |
 | [tailordb erd deploy](./cli/tailordb.md#tailordb-erd-deploy)                 | Deploy ERD static website for TailorDB namespace(s).                                                                      |
@@ -152,13 +150,15 @@ Commands for authentication and user management.
 | ------------------------------------------------ | ----------------------------------------------------- |
 | [login](./cli/user.md#login)                     | Login to Tailor Platform.                             |
 | [logout](./cli/user.md#logout)                   | Logout from Tailor Platform.                          |
+| [user](./cli/user.md#user)                       | Manage Tailor Platform users.                         |
 | [user current](./cli/user.md#user-current)       | Show current user.                                    |
 | [user list](./cli/user.md#user-list)             | List all users.                                       |
-| [user switch](./cli/user.md#user-switch)         | Set current user.                                     |
-| [user pat list](./cli/user.md#user-pat-list)     | List all personal access tokens.                      |
+| [user pat](./cli/user.md#user-pat)               | Manage personal access tokens.                        |
 | [user pat create](./cli/user.md#user-pat-create) | Create a new personal access token.                   |
 | [user pat delete](./cli/user.md#user-pat-delete) | Delete a personal access token.                       |
+| [user pat list](./cli/user.md#user-pat-list)     | List all personal access tokens.                      |
 | [user pat update](./cli/user.md#user-pat-update) | Update a personal access token (delete and recreate). |
+| [user switch](./cli/user.md#user-switch)         | Set current user.                                     |
 
 ### [Organization Commands](./cli/organization.md)
 
@@ -166,6 +166,8 @@ Commands for managing organizations and folders.
 
 | Command                                                                        | Description                                      |
 | ------------------------------------------------------------------------------ | ------------------------------------------------ |
+| [organization](./cli/organization.md#organization)                             | Manage Tailor Platform organizations.            |
+| [organization folder](./cli/organization.md#organization-folder)               | Manage organization folders.                     |
 | [organization folder create](./cli/organization.md#organization-folder-create) | Create a new folder in an organization.          |
 | [organization folder delete](./cli/organization.md#organization-folder-delete) | Delete a folder from an organization.            |
 | [organization folder get](./cli/organization.md#organization-folder-get)       | Show detailed information about a folder.        |
@@ -180,23 +182,27 @@ Commands for managing organizations and folders.
 
 Commands for managing workspaces and profiles.
 
-| Command                                                           | Description                                 |
-| ----------------------------------------------------------------- | ------------------------------------------- |
-| [workspace app health](./cli/workspace.md#workspace-app-health)   | Check application schema health             |
-| [workspace app list](./cli/workspace.md#workspace-app-list)       | List applications in a workspace            |
-| [workspace create](./cli/workspace.md#workspace-create)           | Create a new Tailor Platform workspace.     |
-| [workspace delete](./cli/workspace.md#workspace-delete)           | Delete a Tailor Platform workspace.         |
-| [workspace get](./cli/workspace.md#workspace-get)                 | Show detailed information about a workspace |
-| [workspace list](./cli/workspace.md#workspace-list)               | List all Tailor Platform workspaces.        |
-| [workspace restore](./cli/workspace.md#workspace-restore)         | Restore a deleted workspace                 |
-| [workspace user invite](./cli/workspace.md#workspace-user-invite) | Invite a user to a workspace                |
-| [workspace user list](./cli/workspace.md#workspace-user-list)     | List users in a workspace                   |
-| [workspace user remove](./cli/workspace.md#workspace-user-remove) | Remove a user from a workspace              |
-| [workspace user update](./cli/workspace.md#workspace-user-update) | Update a user's role in a workspace         |
-| [profile create](./cli/workspace.md#profile-create)               | Create a new profile.                       |
-| [profile delete](./cli/workspace.md#profile-delete)               | Delete a profile.                           |
-| [profile list](./cli/workspace.md#profile-list)                   | List all profiles.                          |
-| [profile update](./cli/workspace.md#profile-update)               | Update profile properties.                  |
+| Command                                                           | Description                                                |
+| ----------------------------------------------------------------- | ---------------------------------------------------------- |
+| [workspace](./cli/workspace.md#workspace)                         | Manage Tailor Platform workspaces.                         |
+| [workspace app](./cli/workspace.md#workspace-app)                 | Manage workspace applications                              |
+| [workspace app health](./cli/workspace.md#workspace-app-health)   | Check application schema health                            |
+| [workspace app list](./cli/workspace.md#workspace-app-list)       | List applications in a workspace                           |
+| [workspace create](./cli/workspace.md#workspace-create)           | Create a new Tailor Platform workspace.                    |
+| [workspace delete](./cli/workspace.md#workspace-delete)           | Delete a Tailor Platform workspace.                        |
+| [workspace get](./cli/workspace.md#workspace-get)                 | Show detailed information about a workspace                |
+| [workspace list](./cli/workspace.md#workspace-list)               | List all Tailor Platform workspaces.                       |
+| [workspace restore](./cli/workspace.md#workspace-restore)         | Restore a deleted workspace                                |
+| [workspace user](./cli/workspace.md#workspace-user)               | Manage workspace users                                     |
+| [workspace user invite](./cli/workspace.md#workspace-user-invite) | Invite a user to a workspace                               |
+| [workspace user list](./cli/workspace.md#workspace-user-list)     | List users in a workspace                                  |
+| [workspace user remove](./cli/workspace.md#workspace-user-remove) | Remove a user from a workspace                             |
+| [workspace user update](./cli/workspace.md#workspace-user-update) | Update a user's role in a workspace                        |
+| [profile](./cli/workspace.md#profile)                             | Manage workspace profiles (user + workspace combinations). |
+| [profile create](./cli/workspace.md#profile-create)               | Create a new profile.                                      |
+| [profile delete](./cli/workspace.md#profile-delete)               | Delete a profile.                                          |
+| [profile list](./cli/workspace.md#profile-list)                   | List all profiles.                                         |
+| [profile update](./cli/workspace.md#profile-update)               | Update profile properties.                                 |
 
 ### [Auth Resource Commands](./cli/auth.md)
 
@@ -204,13 +210,16 @@ Commands for managing Auth service resources.
 
 | Command                                                            | Description                                                                           |
 | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------- |
+| [authconnection](./cli/auth.md#authconnection)                     | Manage auth connections.                                                              |
 | [authconnection authorize](./cli/auth.md#authconnection-authorize) | Authorize an auth connection via OAuth2 flow.                                         |
+| [authconnection delete](./cli/auth.md#authconnection-delete)       | Delete an auth connection entirely.                                                   |
 | [authconnection list](./cli/auth.md#authconnection-list)           | List all auth connections.                                                            |
 | [authconnection open](./cli/auth.md#authconnection-open)           | Open the auth connections page in the Tailor Platform Console.                        |
 | [authconnection revoke](./cli/auth.md#authconnection-revoke)       | Revoke an auth connection's tokens (keeps the connection; use 'delete' to remove it). |
-| [authconnection delete](./cli/auth.md#authconnection-delete)       | Delete an auth connection entirely.                                                   |
+| [machineuser](./cli/auth.md#machineuser)                           | Manage machine users in your Tailor Platform application.                             |
 | [machineuser list](./cli/auth.md#machineuser-list)                 | List all machine users in the application.                                            |
 | [machineuser token](./cli/auth.md#machineuser-token)               | Get an access token for a machine user.                                               |
+| [oauth2client](./cli/auth.md#oauth2client)                         | Manage OAuth2 clients in your Tailor Platform application.                            |
 | [oauth2client list](./cli/auth.md#oauth2client-list)               | List all OAuth2 clients in the application.                                           |
 | [oauth2client get](./cli/auth.md#oauth2client-get)                 | Get OAuth2 client credentials (including client secret).                              |
 
@@ -220,9 +229,11 @@ Commands for managing workflows and executions.
 
 | Command                                                      | Description                                    |
 | ------------------------------------------------------------ | ---------------------------------------------- |
+| [workflow](./cli/workflow.md#workflow)                       | Manage workflows and workflow executions.      |
 | [workflow list](./cli/workflow.md#workflow-list)             | List all workflows in the workspace.           |
 | [workflow get](./cli/workflow.md#workflow-get)               | Get workflow details.                          |
 | [workflow start](./cli/workflow.md#workflow-start)           | Start a workflow execution.                    |
+| [workflow wait](./cli/workflow.md#workflow-wait)             | Wait for a workflow execution.                 |
 | [workflow executions](./cli/workflow.md#workflow-executions) | List or get workflow executions.               |
 | [workflow resume](./cli/workflow.md#workflow-resume)         | Resume a failed or pending workflow execution. |
 
@@ -232,6 +243,7 @@ Commands for managing function registries and viewing function execution logs.
 
 | Command                                                  | Description                                                     |
 | -------------------------------------------------------- | --------------------------------------------------------------- |
+| [function](./cli/function.md#function)                   | Manage functions                                                |
 | [function get](./cli/function.md#function-get)           | Get a function registry by name                                 |
 | [function list](./cli/function.md#function-list)         | List function registries in a workspace                         |
 | [function logs](./cli/function.md#function-logs)         | List or get function execution logs.                            |
@@ -243,10 +255,12 @@ Commands for managing executors and executor jobs.
 
 | Command                                                          | Description                                   |
 | ---------------------------------------------------------------- | --------------------------------------------- |
-| [executor trigger](./cli/executor.md#executor-trigger)           | Trigger an executor manually.                 |
-| [executor jobs](./cli/executor.md#executor-jobs)                 | List or get executor jobs.                    |
+| [executor](./cli/executor.md#executor)                           | Manage executors                              |
 | [executor list](./cli/executor.md#executor-list)                 | List all executors                            |
 | [executor get](./cli/executor.md#executor-get)                   | Get executor details                          |
+| [executor jobs](./cli/executor.md#executor-jobs)                 | List or get executor jobs.                    |
+| [executor trigger](./cli/executor.md#executor-trigger)           | Trigger an executor manually.                 |
+| [executor webhook](./cli/executor.md#executor-webhook)           | Manage executor webhooks                      |
 | [executor webhook list](./cli/executor.md#executor-webhook-list) | List executors with incoming webhook triggers |
 
 ### [Secret Commands](./cli/secret.md)
@@ -255,13 +269,15 @@ Commands for managing secrets and vaults.
 
 | Command                                                    | Description                                      |
 | ---------------------------------------------------------- | ------------------------------------------------ |
+| [secret](./cli/secret.md#secret)                           | Manage Secret Manager vaults and secrets.        |
+| [secret create](./cli/secret.md#secret-create)             | Create a secret in a vault.                      |
+| [secret delete](./cli/secret.md#secret-delete)             | Delete a secret in a vault.                      |
+| [secret list](./cli/secret.md#secret-list)                 | List all secrets in a vault.                     |
+| [secret update](./cli/secret.md#secret-update)             | Update a secret in a vault.                      |
+| [secret vault](./cli/secret.md#secret-vault)               | Manage Secret Manager vaults.                    |
 | [secret vault create](./cli/secret.md#secret-vault-create) | Create a new Secret Manager vault.               |
 | [secret vault delete](./cli/secret.md#secret-vault-delete) | Delete a Secret Manager vault.                   |
 | [secret vault list](./cli/secret.md#secret-vault-list)     | List all Secret Manager vaults in the workspace. |
-| [secret create](./cli/secret.md#secret-create)             | Create a secret in a vault.                      |
-| [secret update](./cli/secret.md#secret-update)             | Update a secret in a vault.                      |
-| [secret list](./cli/secret.md#secret-list)                 | List all secrets in a vault.                     |
-| [secret delete](./cli/secret.md#secret-delete)             | Delete a secret in a vault.                      |
 
 ### [Static Website Commands](./cli/staticwebsite.md)
 
@@ -269,10 +285,12 @@ Commands for managing and deploying static websites.
 
 | Command                                                                       | Description                                           |
 | ----------------------------------------------------------------------------- | ----------------------------------------------------- |
+| [staticwebsite](./cli/staticwebsite.md#staticwebsite)                         | Manage static websites in your workspace.             |
 | [staticwebsite deploy](./cli/staticwebsite.md#staticwebsite-deploy)           | Deploy a static website from a local build directory. |
-| [staticwebsite domain list](./cli/staticwebsite.md#staticwebsite-domain-list) | List custom domains for a static website.             |
-| [staticwebsite domain get](./cli/staticwebsite.md#staticwebsite-domain-get)   | Get details of a custom domain.                       |
 | [staticwebsite list](./cli/staticwebsite.md#staticwebsite-list)               | List all static websites in a workspace.              |
+| [staticwebsite domain](./cli/staticwebsite.md#staticwebsite-domain)           | Manage custom domains for static websites.            |
+| [staticwebsite domain get](./cli/staticwebsite.md#staticwebsite-domain-get)   | Get details of a custom domain.                       |
+| [staticwebsite domain list](./cli/staticwebsite.md#staticwebsite-domain-list) | List custom domains for a static website.             |
 | [staticwebsite get](./cli/staticwebsite.md#staticwebsite-get)                 | Get details of a specific static website.             |
 
 ### [Crash Report Commands](./cli/crashreport.md)
@@ -281,6 +299,7 @@ Commands for managing crash reports.
 
 | Command                                                   | Description                                    |
 | --------------------------------------------------------- | ---------------------------------------------- |
+| [crashreport](./cli/crashreport.md#crashreport)           | Manage crash reports.                          |
 | [crashreport list](./cli/crashreport.md#crashreport-list) | List local crash report files.                 |
 | [crashreport send](./cli/crashreport.md#crashreport-send) | Submit a crash report to help improve the SDK. |
 
@@ -288,9 +307,10 @@ Commands for managing crash reports.
 
 Commands for setting up project infrastructure.
 
-| Command                                     | Description                                       |
-| ------------------------------------------- | ------------------------------------------------- |
-| [setup github](./cli/setup.md#setup-github) | Generate a GitHub Actions deploy workflow. (beta) |
+| Command                                   | Description                                                                      |
+| ----------------------------------------- | -------------------------------------------------------------------------------- |
+| [setup](./cli/setup.md#setup)             | Generate a CI deploy workflow for your project. (beta)                           |
+| [setup check](./cli/setup.md#setup-check) | Audit generated workflows for drift against the current config/repo (read-only). |
 
 ### [Upgrade Commands](./cli/upgrade.md)
 
@@ -306,6 +326,7 @@ Commands for installing Tailor SDK agent skills.
 
 | Command                                          | Description                                                        |
 | ------------------------------------------------ | ------------------------------------------------------------------ |
+| [skills](./cli/skills.md#skills)                 | Manage Tailor SDK agent skills.                                    |
 | [skills install](./cli/skills.md#skills-install) | Install the tailor-sdk agent skill from the installed SDK package. |
 
 ### [Completion](./cli/completion.md)
@@ -315,5 +336,3 @@ Generate shell completion scripts for bash, zsh, and fish.
 | Command                                      | Description                      |
 | -------------------------------------------- | -------------------------------- |
 | [completion](./cli/completion.md#completion) | Generate shell completion script |
-
-<!-- politty:index:docs/cli-reference.md:end -->

package/docs/configuration.md

@@ -118,8 +118,14 @@ Configure the Built-in IdP service using `defineIdp()`. See [IdP](./services/idp
 import { defineIdp } from "@tailor-platform/sdk";
 
 const idp = defineIdp("my-idp", {
-  authorization: "loggedIn",
   clients: ["my-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    update: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    delete: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+  },
 });
 
 export default defineConfig({

package/docs/github-actions.md

@@ -1,6 +1,6 @@
 # GitHub Actions Integration
 
-`tailor-sdk setup github` generates a GitHub Actions workflow that deploys your
+`tailor-sdk setup` generates a GitHub Actions workflow that deploys your
 Tailor Platform application automatically on push or tag.
 
 > **Beta:** This command is under active development. CLI flags, the generated
@@ -14,13 +14,16 @@ lives):
 
 ```bash
 # Branch target: deploy to stg on every push to main
-tailor-sdk setup github -n my-app-stg
+tailor-sdk setup -n my-app-stg
 
 # Tag target: deploy to production when a tag is pushed, with an approval gate
-tailor-sdk setup github -n my-app-prod \
+tailor-sdk setup -n my-app-prod \
   --tag --branch main --environment production
 ```
 
+`setup` defaults to the GitHub provider; `--provider github` (`-p github`) is
+accepted but optional, and other providers are not yet supported.
+
 After running the command, follow the **Next steps** printed to the terminal to
 set the required secrets, set the `TAILOR_PLATFORM_WORKSPACE_ID` variable, and
 commit the generated files.
@@ -33,7 +36,7 @@ before the first deploy (see [Targeting a workspace](#targeting-a-workspace)).
 ## Targets
 
 A _target_ is one workflow file that handles one deployment destination.
-Run `setup github` once per target.
+Run `setup` once per target.
 
 ### Branch target (recommended for staging)
 
@@ -41,9 +44,9 @@ The branch target fires on pull requests and pushes to the branch you specify
 (defaulting to the repository's default branch when `--branch` is omitted):
 
 ```bash
-tailor-sdk setup github -n my-app-stg
+tailor-sdk setup -n my-app-stg
 # Equivalent to:
-tailor-sdk setup github -n my-app-stg --branch main
+tailor-sdk setup -n my-app-stg --branch main
 ```
 
 What it does:
@@ -66,7 +69,7 @@ The tag target fires when a tag matching `--tag-pattern` (default `v*`) is
 pushed:
 
 ```bash
-tailor-sdk setup github -n my-app-prod \
+tailor-sdk setup -n my-app-prod \
   --tag --tag-pattern "v*" --branch main --environment production
 ```
 
@@ -136,7 +139,7 @@ environment is planned.)
 
 ## Generated files
 
-Running `setup github` creates or updates:
+Running `setup` creates or updates:
 
 ### `.github/workflows/tailor-<workspace-name>.yml`
 
@@ -151,7 +154,7 @@ project-specific setup (such as private registry authentication or a system
 dependency), add a step _before_ the managed `tailor-setup` step. For
 post-install extras (such as `playwright install`), add a step _after_ it.
 
-Note that re-running `setup github` currently regenerates the whole file: if
+Note that re-running `setup` currently regenerates the whole file: if
 the file differs from what the SDK last wrote — whether you edited a managed
 step or added your own — the command stops and reports the conflict. Pass
 `--force` to discard your edits and regenerate from the current template, then
@@ -167,7 +170,7 @@ detect hand edits.
 
 ### `tailor.config.ts` (id injection)
 
-If your config does not already have an `id` field, `setup github` injects one.
+If your config does not already have an `id` field, `setup` injects one.
 This `id` must be committed alongside the workflow file. In CI, `tailor-sdk
 deploy` refuses to inject a new id — if the id were assigned fresh on each CI
 run, every deploy would create a brand-new application and lose ownership of
@@ -238,7 +241,7 @@ you can deploy any commit regardless of branch membership.
 For a monorepo where your SDK app lives in a subdirectory, pass `--dir`:
 
 ```bash
-tailor-sdk setup github -n my-app --dir apps/backend
+tailor-sdk setup -n my-app --dir apps/backend
 ```
 
 The generated workflow adds a `paths` filter on `apps/backend/**` so the
@@ -303,10 +306,10 @@ A typical setup with staging and production:
 
 ```bash
 # Staging: main → stg (deploy on every push to main)
-tailor-sdk setup github -n my-app-stg
+tailor-sdk setup -n my-app-stg
 
 # Production: tagged commits → prod, with approval gate and branch guard
-tailor-sdk setup github -n my-app-prod \
+tailor-sdk setup -n my-app-prod \
   --tag --branch main --environment production
 ```
 
@@ -326,9 +329,19 @@ gh secret set TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET --env production
 
 Commit both workflow files and `.github/tailor-sdk.lock`.
 
+## Checking for drift
+
+`tailor-sdk setup check` audits the workflows recorded in
+`.github/tailor-sdk.lock` against your current config and repository, without
+writing anything. It reports when a workflow file is missing or hand-edited, a
+newer template is available, `tailor.config.ts` is no longer under the recorded
+`--dir`, or the repository default branch no longer matches a branch target's
+trigger. It exits non-zero when it finds drift, so you can run it in CI. Each
+finding names a stable rule key for future suppression.
+
 ## Updating the generated workflow
 
-When you upgrade the SDK, re-run `setup github` with the same flags to pick up
+When you upgrade the SDK, re-run `setup` with the same flags to pick up
 template improvements. If the SDK detects that you have hand-edited a managed
 section, it stops and asks you to use `--force` to overwrite your edits, or to
 move your customizations into your own steps before regenerating.

package/docs/services/idp.md

@@ -86,7 +86,8 @@ defineIdp("my-idp", {
 - `read` - Controls who can read IdP users
 - `update` - Controls who can update IdP users
 - `delete` - Controls who can delete IdP users
-- `sendPasswordResetEmail` - Controls who can send password reset emails. The examples above disable this operation; to enable it, use a permission such as `[{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }]`.
+- `sendPasswordResetEmail` - Controls who can send password reset emails. Required unless `userAuthPolicy.disablePasswordAuth` is `true` or `gqlOperations.sendPasswordResetEmail` is `false` (the password-reset flow has no meaning when password authentication is off or the operation is disabled). Set `[{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }]` to allow, or `[]` to deny.
+- `unenrollMfa` - Controls who can remove an enrolled MFA factor from a user. Required when `userAuthPolicy.enableMfa` is `true` unless `gqlOperations.unenrollMfa` is `false`; omit otherwise. Typically restricted to administrators.
 
 **Policy fields:** each entry in an operation's policy array supports:
 
@@ -166,6 +167,37 @@ defineIdp("my-idp", {
 - `allowGoogleOauth` - Enable the "Sign in with Google" button. Default `false`.
 - `allowMicrosoftOauth` - Enable the "Sign in with Microsoft" button. Default `false`.
 
+**MFA (TOTP):**
+
+```typescript
+import { defineIdp, defineStaticWebSite } from "@tailor-platform/sdk";
+
+const website = defineStaticWebSite("my-frontend", { description: "App frontend" });
+
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  userAuthPolicy: {
+    enableMfa: true,
+    requireMfa: false,
+    allowedReturnOrigins: [website.url, "https://admin.example.com"],
+    mfaIssuer: "My App",
+  },
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    update: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    unenrollMfa: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+  },
+});
+```
+
+- `enableMfa` - Make TOTP MFA available for users in this namespace. Default `false`. When enabled, users can register an authenticator app (Google Authenticator, 1Password, etc.) from the IdP self-service page.
+- `requireMfa` - Force password-authenticated users to enroll and pass an MFA challenge on each sign-in. Default `false`. Social sign-in (`allowGoogleOauth` / `allowMicrosoftOauth`) is not affected; the upstream provider's MFA covers those sessions.
+- `allowedReturnOrigins` - Origins the IdP self-service pages (such as `/mfa/settings`) are allowed to redirect back to. Each entry is either a literal origin (`https://app.example.com`, scheme + host + optional port, no path/query/fragment) or a static-website placeholder `<name>:url` (e.g. `website.url`) that the CLI resolves to the deployed website's URL at apply time. Required when `enableMfa` is `true`.
+- `mfaIssuer` - Label shown next to the user account in authenticator apps when TOTP is enrolled. Up to 64 characters. Falls back to `"Tailor Platform IdP"` when empty.
+
 **Constraints:** the following combinations are rejected at parse time.
 
 - `passwordMinLength` must be less than or equal to `passwordMaxLength`.
@@ -173,6 +205,23 @@ defineIdp("my-idp", {
 - `allowGoogleOauth` requires a non-empty `allowedEmailDomains`.
 - `allowMicrosoftOauth` requires both a non-empty `allowedEmailDomains` and `disablePasswordAuth: true`.
 - `disablePasswordAuth` requires `allowGoogleOauth` or `allowMicrosoftOauth`, and cannot be combined with `allowSelfPasswordReset`.
+- `requireMfa: true` requires `enableMfa: true`.
+- `enableMfa: true` requires at least one entry in `allowedReturnOrigins`.
+- `enableMfa: true` requires `permission` to be defined and to include an explicit `unenrollMfa` policy (an empty array `[]` to deny is fine), unless `gqlOperations.unenrollMfa` is `false` (or `gqlOperations: "query"`, which normalizes to the same), in which case the operation is turned off and the policy may be omitted.
+
+**Runtime API:** function code can inspect and revoke a user's enrolled factor through `idp.Client`. The `User` records returned by `user`, `userByName`, `users`, `createUser`, and `updateUser` expose `mfaEnrolled` (boolean) and `mfaFactorIds` (string array), and `client.unenrollMfa({ userId, mfaFactorId })` removes a single factor. The factor ID to pass back is one of the entries in `user.mfaFactorIds`. Calling `unenrollMfa` requires the `unenrollMfa` permission above.
+
+```typescript
+import { idp } from "@tailor-platform/sdk/runtime";
+
+const client = new idp.Client({ namespace: "my-idp" });
+const user = await client.user("user-id");
+if (user.mfaEnrolled) {
+  for (const factorId of user.mfaFactorIds) {
+    await client.unenrollMfa({ userId: user.id, mfaFactorId: factorId });
+  }
+}
+```
 
 ### gqlOperations
 
@@ -187,6 +236,8 @@ defineIdp("my-idp", {
     update: true,
     delete: false,
     sendPasswordResetEmail: false,
+    requestMfaSettingsUrl: false,
+    unenrollMfa: false,
   },
 });
 ```
@@ -198,8 +249,10 @@ defineIdp("my-idp", {
 - `update` - The `_updateUser` mutation.
 - `delete` - The `_deleteUser` mutation.
 - `sendPasswordResetEmail` - The `_sendPasswordResetEmail` mutation.
+- `requestMfaSettingsUrl` - The `_requestMfaSettingsUrl` query that issues a self-service URL for MFA settings.
+- `unenrollMfa` - The `_unenrollMfa` mutation that removes a user's enrolled MFA factor. When set to `false`, `permission.unenrollMfa` may be omitted even with `userAuthPolicy.enableMfa: true`.
 
-**Shortcut:** pass the string `"query"` to expose a read-only IdP. It enables `read` and disables every mutation.
+**Shortcut:** pass the string `"query"` to expose a read-only IdP. It enables the queries (`read`, `requestMfaSettingsUrl`) and disables every mutation.
 
 ```typescript
 defineIdp("my-idp", {

package/docs/services/staticwebsite.md

@@ -124,8 +124,14 @@ const website = defineStaticWebSite("my-frontend", {
 });
 
 const idp = defineIdp("my-idp", {
-  authorization: "loggedIn",
   clients: ["default-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    update: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    delete: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+  },
 });
 
 const auth = defineAuth("my-auth", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.67.1",
+  "version": "1.69.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -16,6 +16,7 @@
     "CHANGELOG.md",
     "dist",
     "docs",
+    "!docs/**/*.*.md",
     "postinstall.mjs",
     "README.md",
     "agent-skills"
@@ -27,6 +28,9 @@
   ],
   "main": "./dist/configure/index.mjs",
   "types": "./dist/configure/index.d.mts",
+  "imports": {
+    "#/*": "./src/*.ts"
+  },
   "exports": {
     ".": {
       "types": "./dist/configure/index.d.mts",
@@ -150,40 +154,40 @@
     "@opentelemetry/resources": "2.8.0",
     "@opentelemetry/sdk-trace-node": "2.8.0",
     "@opentelemetry/semantic-conventions": "1.41.1",
-    "@oxc-project/types": "0.135.0",
+    "@oxc-project/types": "0.137.0",
     "@standard-schema/spec": "1.1.0",
     "@tailor-platform/function-kysely-tailordb": "0.1.3",
     "@toiroakr/lines-db": "0.9.2",
     "@toiroakr/read-multiline": "0.4.1",
-    "@urql/core": "6.0.1",
+    "@urql/core": "6.0.2",
     "chalk": "5.6.2",
     "chokidar": "5.0.0",
     "confbox": "0.2.4",
     "date-fns": "4.4.0",
-    "es-toolkit": "1.47.1",
+    "es-toolkit": "1.48.1",
     "find-up-simple": "1.0.1",
     "globals": "17.6.0",
-    "graphql": "16.14.2",
+    "graphql": "17.0.1",
     "inflection": "3.0.2",
     "kysely": "0.29.2",
     "madge": "8.0.0",
     "mime-types": "3.0.2",
     "open": "11.0.0",
-    "oxc-parser": "0.135.0",
+    "oxc-parser": "0.137.0",
     "p-limit": "7.3.0",
     "pathe": "2.0.3",
     "pgsql-ast-parser": "12.0.2",
     "pkg-types": "2.3.1",
-    "politty": "0.6.0",
-    "rolldown": "1.1.1",
-    "semver": "7.8.4",
+    "politty": "0.9.2",
+    "rolldown": "1.1.2",
+    "semver": "7.8.5",
     "sql-highlight": "6.1.0",
     "std-env": "4.1.0",
     "table": "6.9.0",
     "ts-cron-validator": "1.1.5",
     "tsx": "4.22.4",
     "type-fest": "5.7.0",
-    "undici": "8.4.1",
+    "undici": "8.5.0",
     "xdg-basedir": "5.1.0",
     "zod": "4.4.3"
   },
@@ -193,16 +197,17 @@
     "@types/mime-types": "3.0.1",
     "@types/node": "24.13.2",
     "@types/semver": "7.7.1",
-    "@typescript/native-preview": "7.0.0-dev.20260614.1",
-    "@vitest/coverage-v8": "4.1.8",
-    "oxfmt": "0.54.0",
-    "oxlint": "1.69.0",
+    "@typescript/native-preview": "7.0.0-dev.20260621.1",
+    "@vitest/coverage-v8": "4.1.9",
+    "oxfmt": "0.55.0",
+    "oxlint": "1.70.0",
     "oxlint-tsgolint": "0.23.0",
-    "sonda": "0.13.0",
-    "tsdown": "0.22.2",
+    "sonda": "0.13.1",
+    "tsdown": "0.22.3",
     "typescript": "6.0.3",
-    "vitest": "4.1.8",
-    "zinfer": "0.1.8"
+    "vitest": "4.1.9",
+    "zinfer": "0.2.2",
+    "@tailor-platform/tailor-proto": "^0.0.0"
   },
   "peerDependencies": {
     "vite": "^6.0.0 || ^7.0.0 || ^8.0.0",

package/dist/application-Djeezk3m.mjs

@@ -1,4 +0,0 @@
-
-import { n as generatePluginFilesIfNeeded, r as loadApplication, t as defineApplication } from "./application-WpWwTyk9.mjs";
-
-export { defineApplication, generatePluginFilesIfNeeded };