@tailor-platform/sdk 1.68.0 → 1.69.0

package/dist/runtime/idp.mjs

@@ -1,4 +1,4 @@
 
-import { t as Client } from "../idp-BZPqpcYY.mjs";
+import { t as Client } from "../idp-ynUfzwpz.mjs";
 
 export { Client };

package/dist/runtime/index.d.mts

@@ -2,8 +2,8 @@ import { n as authconnection_d_exports } from "../authconnection-BIYzEh2p.mjs";
 import { i as context_d_exports } from "../context-CUBwSBq4.mjs";
 import { b as file_d_exports } from "../file-BzK8z3X-.mjs";
 import { u as iconv_d_exports } from "../iconv-kwrmd1U_.mjs";
-import { p as idp_d_exports } from "../idp-BlBPtXJ-.mjs";
+import { m as idp_d_exports } from "../idp-BmYwCXnJ.mjs";
 import { i as secretmanager_d_exports } from "../secretmanager-CKLB3wAQ.mjs";
 import { c as workflow_d_exports } from "../workflow-CMamswkK.mjs";
-import { a as TailordbQueryResult, i as TailordbCommandType, n as TailordbClientConstructor, o as TailordbRuntime, r as TailordbClientInstance, t as TailorRuntime } from "../index-DRhMpdnA.mjs";
+import { a as TailordbQueryResult, i as TailordbCommandType, n as TailordbClientConstructor, o as TailordbRuntime, r as TailordbClientInstance, t as TailorRuntime } from "../index-dKNk8hjo.mjs";
 export { TailorRuntime, TailordbClientConstructor, TailordbClientInstance, TailordbCommandType, TailordbQueryResult, TailordbRuntime, authconnection_d_exports as authconnection, context_d_exports as context, file_d_exports as file, iconv_d_exports as iconv, idp_d_exports as idp, secretmanager_d_exports as secretmanager, workflow_d_exports as workflow };

package/dist/runtime/index.mjs

@@ -2,7 +2,7 @@
 import { s as iconv_exports } from "../iconv-D1zmPjvi.mjs";
 import { r as secretmanager_exports } from "../secretmanager-h3tBJV8f.mjs";
 import { t as authconnection_exports } from "../authconnection-Ds2Ahpum.mjs";
-import { n as idp_exports } from "../idp-BZPqpcYY.mjs";
+import { n as idp_exports } from "../idp-ynUfzwpz.mjs";
 import { a as workflow_exports } from "../workflow-C8I7shjM.mjs";
 import { t as context_exports } from "../context-CDQqIv4u.mjs";
 import { a as file_exports } from "../file-BkxupbYP.mjs";

package/dist/{runtime-DxaBq6U8.mjs → runtime-jowoN6qC.mjs}

@@ -1,9 +1,10 @@
 
 import { t as db } from "./schema-1msIhXwA.mjs";
-import { $ as WorkflowJobExecution_Status, $t as AuthHookPoint, A as loadMachineUserName, At as ExecutorJobStatus, Bt as CreateAuthServiceRequestSchema, Ct as IdPLang, Et as FunctionExecution_Status, F as writePlatformConfig, Ft as CreateAuthIDPConfigRequestSchema, G as resolveStaticWebsiteUrls, Gt as UpdateAuthMachineUserRequestSchema, Ht as CreateUserProfileConfigRequestSchema, It as CreateAuthMachineUserRequestSchema, J as WorkspacePlatformUserRole, Jt as UpdateAuthSCIMResourceRequestSchema, K as byName, Kt as UpdateAuthOAuth2ClientRequestSchema, L as fetchAll, Lt as CreateAuthOAuth2ClientRequestSchema, M as readPlatformConfig, Mt as ExecutorTriggerType, Nt as CreateAuthConnectionRequestSchema, O as loadAccessToken, Ot as CreateExecutorExecutorRequestSchema, Pt as CreateAuthHookRequestSchema, Q as WorkflowExecution_Status, Qt as AuthConnection_Type, R as fetchMachineUserToken, Rt as CreateAuthSCIMConfigRequestSchema, S as getDistDir, St as UpdateIdPServiceRequestSchema, T as loadConfig, Tt as IdPPermissionPermit, U as initOperatorClient, Ut as UpdateAuthHookRequestSchema, Vt as CreateTenantConfigRequestSchema, W as platformBaseUrl, Wt as UpdateAuthIDPConfigRequestSchema, X as CreateWorkflowRequestSchema, Xt as UpdateTenantConfigRequestSchema, Y as CreateWorkflowJobFunctionRequestSchema, Yt as UpdateAuthServiceRequestSchema, Z as UpdateWorkflowRequestSchema, Zt as UpdateUserProfileConfigRequestSchema, _n as Condition_Operator, _t as CreatePipelineServiceRequestSchema, an as AuthSCIMAttribute_Type, at as TailorDBGQLPermission_Permit, b as hasGenerationHooks, bt as PipelineResolver_OperationType, ct as TailorDBType_PermitAction, d as assertUniqueLocalTailorDBTypeNames, dn as CreateApplicationRequestSchema, dt as UpdateStaticWebsiteRequestSchema, en as AuthIDPConfig_AuthType, et as CreateTailorDBServiceRequestSchema, f as assertUniqueTailorDBTypeNamesWithExternal, fn as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, gn as ConditionSchema, gt as CreatePipelineResolverRequestSchema, h as platformBundleDefinePlugin, hn as Subgraph_ServiceType, ht as UpdateSecretManagerSecretRequestSchema, in as AuthSCIMAttribute_Mutability, it as TailorDBGQLPermission_Operator, j as loadWorkspaceId, jt as ExecutorTargetType, k as loadConfigPath, kt as UpdateExecutorExecutorRequestSchema, l as buildExecutorArgsExpr, ln as TenantProviderConfig_TenantProviderType, lt as AddCustomDomainRequestSchema, m as stringifyFunction, mn as ApplicationSchemaUpdateAttemptStatus, mt as CreateSecretManagerVaultRequestSchema, n as generatePluginFilesIfNeeded, nn as AuthOAuth2Client_ClientType, nt as UpdateTailorDBTypeRequestSchema, on as AuthSCIMAttribute_Uniqueness, ot as TailorDBType_Permission_Operator, p as TailorDBTypeSchema, pn as UpdateApplicationRequestSchema, pt as CreateSecretManagerSecretRequestSchema, q as OperatorService, qt as UpdateAuthSCIMConfigRequestSchema, r as loadApplication, rn as AuthOAuth2Client_GrantType, rt as TailorDBGQLPermission_Action, s as HTTP_METHODS, sn as AuthSCIMConfig_AuthorizationType, st as TailorDBType_Permission_Permit, t as defineApplication, tn as AuthInvokerSchema, tt as CreateTailorDBTypeRequestSchema, u as buildResolverOperationHookExpr, un as UserProfileProviderConfig_UserProfileProviderType, ut as CreateStaticWebsiteRequestSchema, vn as FilterSchema, vt as UpdatePipelineResolverRequestSchema, w as hashFile, wt as IdPPermissionOperator, x as createBundleCache, xt as CreateIdPServiceRequestSchema, y as getPluginGenerationDependencies, yn as PageDirection, yt as UpdatePipelineServiceRequestSchema, z as fetchPaged, zt as CreateAuthSCIMResourceRequestSchema } from "./application-WpWwTyk9.mjs";
+import { $ as CreateUserProfileConfigRequestSchema, A as UpdatePipelineServiceRequestSchema, At as PageDirection, B as UpdateExecutorExecutorRequestSchema, Ct as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, D as CreatePipelineResolverRequestSchema, Dt as ConditionSchema, E as UpdateSecretManagerSecretRequestSchema, Et as Subgraph_ServiceType, F as IdPPermissionOperator, G as CreateAuthHookRequestSchema, H as ExecutorTargetType, I as IdPPermissionPermit, J as CreateAuthOAuth2ClientRequestSchema, K as CreateAuthIDPConfigRequestSchema, L as FunctionExecution_Status, M as CreateIdPServiceRequestSchema, N as UpdateIdPServiceRequestSchema, O as CreatePipelineServiceRequestSchema, Ot as Condition_Operator, P as IdPLang, Q as CreateTenantConfigRequestSchema, S as UpdateStaticWebsiteRequestSchema, St as CreateApplicationRequestSchema, T as CreateSecretManagerVaultRequestSchema, Tt as ApplicationSchemaUpdateAttemptStatus, U as ExecutorTriggerType, V as ExecutorJobStatus, W as CreateAuthConnectionRequestSchema, X as CreateAuthSCIMResourceRequestSchema, Y as CreateAuthSCIMConfigRequestSchema, Z as CreateAuthServiceRequestSchema, _ as TailorDBType_Permission_Operator, _t as AuthSCIMAttribute_Uniqueness, a as WorkspacePlatformUserRole, at as UpdateAuthSCIMResourceRequestSchema, b as AddCustomDomainRequestSchema, bt as TenantProviderConfig_TenantProviderType, c as UpdateWorkflowRequestSchema, ct as UpdateUserProfileConfigRequestSchema, d as CreateTailorDBServiceRequestSchema, dt as AuthIDPConfig_AuthType, et as UpdateAuthHookRequestSchema, f as CreateTailorDBTypeRequestSchema, ft as AuthInvokerSchema, g as TailorDBGQLPermission_Permit, gt as AuthSCIMAttribute_Type, h as TailorDBGQLPermission_Operator, ht as AuthSCIMAttribute_Mutability, it as UpdateAuthSCIMConfigRequestSchema, j as PipelineResolver_OperationType, k as UpdatePipelineResolverRequestSchema, kt as FilterSchema, l as WorkflowExecution_Status, lt as AuthConnection_Type, m as TailorDBGQLPermission_Action, mt as AuthOAuth2Client_GrantType, nt as UpdateAuthMachineUserRequestSchema, o as CreateWorkflowJobFunctionRequestSchema, ot as UpdateAuthServiceRequestSchema, p as UpdateTailorDBTypeRequestSchema, pt as AuthOAuth2Client_ClientType, q as CreateAuthMachineUserRequestSchema, rt as UpdateAuthOAuth2ClientRequestSchema, s as CreateWorkflowRequestSchema, st as UpdateTenantConfigRequestSchema, t as OperatorService, tt as UpdateAuthIDPConfigRequestSchema, u as WorkflowJobExecution_Status, ut as AuthHookPoint, v as TailorDBType_Permission_Permit, vt as AuthSCIMConfig_AuthorizationType, w as CreateSecretManagerSecretRequestSchema, wt as UpdateApplicationRequestSchema, x as CreateStaticWebsiteRequestSchema, xt as UserProfileProviderConfig_UserProfileProviderType, y as TailorDBType_PermitAction, z as CreateExecutorExecutorRequestSchema } from "./service_pb-DSNjrcbW.mjs";
 import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
-import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
+import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DKF-JsAK.mjs";
+import { A as loadMachineUserName, F as writePlatformConfig, G as resolveStaticWebsiteUrls, K as byName, L as fetchAll, M as readPlatformConfig, O as loadAccessToken, R as fetchMachineUserToken, S as getDistDir, T as loadConfig, U as initOperatorClient, W as platformBaseUrl, b as hasGenerationHooks, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, j as loadWorkspaceId, k as loadConfigPath, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, w as hashFile, x as createBundleCache, y as getPluginGenerationDependencies, z as fetchPaged } from "./application-Cr-limKC.mjs";
+import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-B2Jd9CxS.mjs";
 import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
 import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
 import { i as userAgent } from "./secret-file-eB3R3Fil.mjs";
@@ -385,7 +386,7 @@ function nestedMessage(field) {
 function isWellKnownType(message) {
 	return message.typeName.startsWith("google.protobuf.");
 }
-const UNREPRESENTABLE_WELL_KNOWN_TYPES = new Set([
+const UNREPRESENTABLE_WELL_KNOWN_TYPES = /* @__PURE__ */ new Set([
 	"google.protobuf.Struct",
 	"google.protobuf.Value",
 	"google.protobuf.ListValue",
@@ -568,7 +569,7 @@ function fieldToJson(field, visited) {
 	return json;
 }
 function renderInspectJson(method) {
-	const visited = new Set([method.input]);
+	const visited = /* @__PURE__ */ new Set([method.input]);
 	return {
 		method: method.name,
 		input: {
@@ -599,7 +600,7 @@ function renderInspectText(method) {
 	const lines = [];
 	lines.push(`${method.name}`);
 	lines.push(`  request: ${method.input.typeName}`);
-	const visited = new Set([method.input]);
+	const visited = /* @__PURE__ */ new Set([method.input]);
 	for (const f of method.input.fields) lines.push(...renderFieldText(f, "    ", visited));
 	lines.push(`  response: ${method.output.typeName}`);
 	return lines.join("\n");
@@ -750,7 +751,7 @@ function normalizeBodyFieldKeys(body, fields) {
 	}
 	return changed;
 }
-const FORBIDDEN_SEGMENTS = new Set([
+const FORBIDDEN_SEGMENTS = /* @__PURE__ */ new Set([
 	"__proto__",
 	"constructor",
 	"prototype"
@@ -3162,7 +3163,8 @@ function normalizeIdPPermission(permission) {
 		read: permission.read.map((p) => normalizeIdPActionPermission(p)),
 		update: permission.update.map((p) => normalizeIdPActionPermission(p)),
 		delete: permission.delete.map((p) => normalizeIdPActionPermission(p)),
-		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => normalizeIdPActionPermission(p))
+		sendPasswordResetEmail: (permission.sendPasswordResetEmail ?? []).map((p) => normalizeIdPActionPermission(p)),
+		unenrollMfa: (permission.unenrollMfa ?? []).map((p) => normalizeIdPActionPermission(p))
 	};
 }
 /**
@@ -3188,7 +3190,7 @@ function parseIdPPermission(rawPermission) {
 function findOmittedPermitRules(permission) {
 	if (!permission) return [];
 	const locations = [];
-	for (const action of Object.keys(permission)) permission[action].forEach((rule, index) => {
+	for (const action of Object.keys(permission)) permission[action]?.forEach((rule, index) => {
 		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`${String(action)}[${index}]`);
 	});
 	return locations;
@@ -3196,6 +3198,14 @@ function findOmittedPermitRules(permission) {
 
 //#endregion
 //#region src/cli/commands/deploy/idp.ts
+async function resolveServiceReturnOrigins(client, request) {
+	const policy = request.userAuthPolicy;
+	const originals = policy?.allowedReturnOrigins;
+	if (!policy || !originals?.length) return;
+	const resolved = await resolveStaticWebsiteUrls(client, assertDefined(request.workspaceId, "request missing workspaceId"), originals, `IdP service "${request.namespaceName ?? ""}" allowedReturnOrigins`);
+	if (resolved.length !== originals.length) throw new Error(`IdP service "${request.namespaceName ?? ""}" allowedReturnOrigins: ${originals.length - resolved.length} of ${originals.length} entries could not be resolved. Check that each "<name>:url" entry refers to a deployed static website.`);
+	policy.allowedReturnOrigins = resolved;
+}
 /**
 * Build the vault name for an IdP client.
 * @param namespaceName - IdP namespace name
@@ -3225,9 +3235,11 @@ async function applyIdP(client, result, phase = "create-update") {
 	const { changeSet } = result;
 	if (phase === "create-update") {
 		await Promise.all([...changeSet.service.creates.map(async (create) => {
+			await resolveServiceReturnOrigins(client, create.request);
 			await client.createIdPService(create.request);
 			await client.setMetadata(create.metaRequest);
 		}), ...changeSet.service.updates.map(async (update) => {
+			await resolveServiceReturnOrigins(client, update.request);
 			await client.updateIdPService(update.request);
 			await client.setMetadata(update.metaRequest);
 		})]);
@@ -3286,7 +3298,8 @@ async function applyIdP(client, result, phase = "create-update") {
 async function planIdP(context) {
 	const { client, workspaceId, application, forRemoval, forceApplyAll = false, idpUserTriggerTargets } = context;
 	const idps = forRemoval ? [] : application.idpServices;
-	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, application.id, idps, idpUserTriggerTargets ?? /* @__PURE__ */ new Set());
+	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
+	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$3(client, workspaceId, application.name, application.id, idps, idpUserTriggerTargets ?? /* @__PURE__ */ new Set(), expectedLocalWebsites);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -3310,7 +3323,11 @@ function normalizeComparableUserAuthPolicy(policy) {
 		allowedEmailDomains: (policy?.allowedEmailDomains ?? []).toSorted(),
 		allowGoogleOauth: policy?.allowGoogleOauth ?? false,
 		disablePasswordAuth: policy?.disablePasswordAuth ?? false,
-		allowMicrosoftOauth: policy?.allowMicrosoftOauth ?? false
+		allowMicrosoftOauth: policy?.allowMicrosoftOauth ?? false,
+		enableMfa: policy?.enableMfa ?? false,
+		requireMfa: policy?.requireMfa ?? false,
+		allowedReturnOrigins: (policy?.allowedReturnOrigins ?? []).toSorted(),
+		mfaIssuer: policy?.mfaIssuer ?? ""
 	};
 }
 function normalizeComparableDisableGqlOperations(value) {
@@ -3319,7 +3336,9 @@ function normalizeComparableDisableGqlOperations(value) {
 		update: value?.update ?? false,
 		delete: value?.delete ?? false,
 		read: value?.read ?? false,
-		sendPasswordResetEmail: value?.sendPasswordResetEmail ?? false
+		sendPasswordResetEmail: value?.sendPasswordResetEmail ?? false,
+		requestMfaSettingsUrl: value?.requestMfaSettingsUrl ?? false,
+		unenrollMfa: value?.unenrollMfa ?? false
 	};
 }
 function normalizeComparableEmailConfig(value) {
@@ -3341,7 +3360,7 @@ function normalizeComparableIdPService(input) {
 }
 function normalizeComparablePermission(permission) {
 	if (!permission) return;
-	if (permission.create.length === 0 && permission.read.length === 0 && permission.update.length === 0 && permission.delete.length === 0 && permission.sendPasswordResetEmail.length === 0) return;
+	if (permission.create.length === 0 && permission.read.length === 0 && permission.update.length === 0 && permission.delete.length === 0 && permission.sendPasswordResetEmail.length === 0 && permission.unenrollMfa.length === 0) return;
 	const normalizePolicy = (policy) => ({
 		conditions: policy.conditions.map((c) => ({
 			left: c.left ? { kind: c.left.kind } : void 0,
@@ -3356,7 +3375,8 @@ function normalizeComparablePermission(permission) {
 		read: permission.read.map(normalizePolicy),
 		update: permission.update.map(normalizePolicy),
 		delete: permission.delete.map(normalizePolicy),
-		sendPasswordResetEmail: permission.sendPasswordResetEmail.map(normalizePolicy)
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map(normalizePolicy),
+		unenrollMfa: permission.unenrollMfa.map(normalizePolicy)
 	};
 }
 function areIdPServicesEqual(existing, desired) {
@@ -3370,7 +3390,7 @@ function areIdPServicesEqual(existing, desired) {
 		permission: normalizeComparablePermission(existing.permission)
 	}), desired);
 }
-async function planServices$3(client, workspaceId, appName, appId, idps, idpUserTriggerTargets) {
+async function planServices$3(client, workspaceId, appName, appId, idps, idpUserTriggerTargets, expectedLocalWebsites) {
 	const changeSet = createChangeSet("IdP services");
 	const conflicts = [];
 	const unmanaged = [];
@@ -3432,10 +3452,15 @@ async function planServices$3(client, workspaceId, appName, appId, idps, idpUser
 		if (omittedPermitLocations.length > 0) logger.warn(`IdP service "${namespaceName}" has permission rule(s) ${omittedPermitLocations.join(", ")} in object form without an explicit "permit"; they default to "deny". Set permit: true (allow) or permit: false (deny) to silence this warning.`);
 		const parsedPermission = parseIdPPermission(idp.permission);
 		const protoPermission = parsedPermission ? protoIdPPermission(parsedPermission) : void 0;
+		const resolvedReturnOrigins = await resolveStaticWebsiteUrls(client, workspaceId, userAuthPolicy?.allowedReturnOrigins ? [...userAuthPolicy.allowedReturnOrigins] : [], `IdP service "${namespaceName}" allowedReturnOrigins`, { expectedLocalNames: expectedLocalWebsites });
+		const userAuthPolicyForCompare = userAuthPolicy ? {
+			...userAuthPolicy,
+			allowedReturnOrigins: resolvedReturnOrigins
+		} : userAuthPolicy;
 		const desired = normalizeComparableIdPService({
 			authorization,
 			lang,
-			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicy),
+			userAuthPolicy: normalizeComparableUserAuthPolicy(userAuthPolicyForCompare),
 			publishUserEvents,
 			disableGqlOperations: normalizeComparableDisableGqlOperations(convertGqlOperationsToDisable(idp.gqlOperations)),
 			emailConfig: normalizeComparableEmailConfig(emailConfig),
@@ -3577,7 +3602,9 @@ function convertGqlOperationsToDisable(gqlOperations) {
 		update: gqlOperations.update === false,
 		delete: gqlOperations.delete === false,
 		read: gqlOperations.read === false,
-		sendPasswordResetEmail: gqlOperations.sendPasswordResetEmail === false
+		sendPasswordResetEmail: gqlOperations.sendPasswordResetEmail === false,
+		requestMfaSettingsUrl: gqlOperations.requestMfaSettingsUrl === false,
+		unenrollMfa: gqlOperations.unenrollMfa === false
 	};
 }
 function protoIdPPermission(permission) {
@@ -3586,7 +3613,8 @@ function protoIdPPermission(permission) {
 		read: permission.read.map((p) => protoIdPPolicy(p)),
 		update: permission.update.map((p) => protoIdPPolicy(p)),
 		delete: permission.delete.map((p) => protoIdPPolicy(p)),
-		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => protoIdPPolicy(p))
+		sendPasswordResetEmail: permission.sendPasswordResetEmail.map((p) => protoIdPPolicy(p)),
+		unenrollMfa: permission.unenrollMfa.map((p) => protoIdPPolicy(p))
 	};
 }
 function protoIdPPolicy(policy) {
@@ -3757,7 +3785,7 @@ async function planAuth(context) {
 		},
 		conflicts: [...conflicts, ...connectionResult.conflicts],
 		unmanaged: [...unmanaged, ...connectionResult.unmanaged],
-		resourceOwners: new Set([...resourceOwners, ...connectionResult.resourceOwners])
+		resourceOwners: /* @__PURE__ */ new Set([...resourceOwners, ...connectionResult.resourceOwners])
 	};
 }
 async function planServices$2(client, workspaceId, appName, appId, auths, forceApplyAll = false) {
@@ -6976,7 +7004,7 @@ function createSnapshotFieldConfig(field) {
 }
 /**
 * Create a snapshot field config from an OperatorFieldConfig (for nested fields)
-* @param {import("@/parser/service/tailordb/types").OperatorFieldConfig} fieldConfig - Field configuration
+* @param {import("#/parser/service/tailordb/types").OperatorFieldConfig} fieldConfig - Field configuration
 * @returns {SnapshotFieldConfig} Snapshot field configuration
 */
 function createSnapshotFieldConfigFromOperatorConfig(fieldConfig) {
@@ -7826,7 +7854,7 @@ function validateMigrationFiles(migrationsDir) {
 		message: `Schema file found at migration ${formatMigrationNumber(num)}, but schema should only exist at ${formatMigrationNumber(0)}`,
 		migrationNumber: num
 	});
-	const allNumbers = [...new Set([...schemaFiles, ...diffFiles])].toSorted((a, b) => a - b);
+	const allNumbers = [.../* @__PURE__ */ new Set([...schemaFiles, ...diffFiles])].toSorted((a, b) => a - b);
 	if (allNumbers.length === 0) return errors;
 	for (const num of schemaFiles) if (num !== 0 && diffFiles.includes(num)) errors.push({
 		type: "duplicate",
@@ -7958,7 +7986,7 @@ function compareFields(typeName, fieldName, remoteField, snapshotField) {
 /**
 * System fields that are auto-generated and should be excluded from comparison
 */
-const SYSTEM_FIELDS = new Set(["id"]);
+const SYSTEM_FIELDS = /* @__PURE__ */ new Set(["id"]);
 /**
 * Compare remote TailorDB types with a local snapshot
 * @param {ProtoTailorDBType[]} remoteTypes - Remote types from listParsedTailorDBTypes API
@@ -8486,7 +8514,7 @@ function protoGqlOperand(operand) {
 /**
 * Diff change kinds that require pre-migration schema adjustments.
 */
-const PRE_MIGRATION_FIELD_KINDS = new Set([
+const PRE_MIGRATION_FIELD_KINDS = /* @__PURE__ */ new Set([
 	"field_added",
 	"field_modified",
 	"field_removed"
@@ -9629,7 +9657,7 @@ async function rollbackSingleMigrationPrePhase(client, changeSet, migration, wor
 		const name = update.request.tailordbType?.name;
 		if (update.request.namespaceName === migration.namespace && name) namespaceTypes.add(name);
 	}
-	const applied = new Set([...processedTypes.created, ...processedTypes.updated]);
+	const applied = /* @__PURE__ */ new Set([...processedTypes.created, ...processedTypes.updated]);
 	const rollbackTypes = new Set([...namespaceTypes].filter((name) => applied.has(name)));
 	if (rollbackTypes.size === 0) return;
 	const priorSnapshot = reconstructSnapshotFromMigrations(migration.migrationsDir, migration.number - 1);
@@ -9950,7 +9978,7 @@ const tailordbCompareKnownDefaults = {
 	* Proto bigint-backed values can round-trip as numbers locally and strings remotely.
 	* Canonicalize them to strings at compare time.
 	*/
-	numericStringPaths: new Set([
+	numericStringPaths: /* @__PURE__ */ new Set([
 		"schema.fields.*.serial.start",
 		"schema.fields.*.serial.maxValue",
 		"schema.settings.defaultQueryLimitSize",
@@ -10530,8 +10558,13 @@ function validateItems(params) {
 *
 * Collections not validated: idp client, tailorDB gqlPermission, functionRegistry — no
 * buf.validate annotations.
-* Application cors is excluded: static-website URL placeholders are resolved at apply time
-* and a bare cors array carries no constraint that would false-positive when omitted.
+* Application cors and IdP userAuthPolicy.allowedReturnOrigins receive special
+* handling: static-website URL placeholders are resolved at apply time, so the
+* relevant origin/URL constraints would false-positive on `<name>:url` entries
+* here. Application cors is dropped entirely (no other constraint to lose); IdP
+* `allowedReturnOrigins` substitutes placeholder entries with a dummy origin so
+* the per-item regex and the cross-field `enable_mfa requires ≥1 origin` rule
+* still get exercised on the rest of the payload.
 * Workflow jobFunctions map excluded: versions are registered at apply time (registerJobFunctions)
 * and the map field carries no min_items constraint. Job names are validated separately via
 * CreateWorkflowJobFunctionRequestSchema using usedJobNames from the workflow change set.
@@ -10583,8 +10616,25 @@ async function validatePlan(input) {
 	creates(CreateStaticWebsiteRequestSchema, "StaticWebsite", staticWebsite.changeSet.creates);
 	updates(UpdateStaticWebsiteRequestSchema, "StaticWebsite", staticWebsite.changeSet.updates);
 	creates(AddCustomDomainRequestSchema, "StaticWebsite custom domain", staticWebsite.customDomainChangeSet.creates);
-	creates(CreateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.creates);
-	updates(UpdateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.updates);
+	const placeholderOriginReplacement = "https://placeholder.invalid";
+	const substituteIdpReturnOrigins = (item) => {
+		const request = item.request;
+		const origins = request.userAuthPolicy?.allowedReturnOrigins;
+		if (!Array.isArray(origins) || origins.length === 0) return item;
+		const substituted = origins.map((origin) => typeof origin === "string" && /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]:url$/.test(origin) ? placeholderOriginReplacement : origin);
+		return {
+			...item,
+			request: {
+				...request,
+				userAuthPolicy: {
+					...request.userAuthPolicy,
+					allowedReturnOrigins: substituted
+				}
+			}
+		};
+	};
+	creates(CreateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.creates.map(substituteIdpReturnOrigins));
+	updates(UpdateIdPServiceRequestSchema, "IdP service", idp.changeSet.service.updates.map(substituteIdpReturnOrigins));
 	const idpClientVaultItems = [...idp.changeSet.client.creates.map((c) => ({
 		clientName: c.request.client?.name ?? "",
 		namespaceName: c.request.namespaceName ?? "",
@@ -11065,7 +11115,7 @@ async function deploy(options) {
 			await confirmImportantResourceDeletion(importantDeletions, yes);
 			const emptyApps = computeRenamedAppDeletions({
 				conflicts: allConflicts,
-				resourceOwners: new Set([
+				resourceOwners: /* @__PURE__ */ new Set([
 					...functionRegistry.resourceOwners,
 					...tailorDB.resourceOwners,
 					...staticWebsite.resourceOwners,
@@ -15601,7 +15651,7 @@ function formatEnumUnion(values) {
 	return values.map((v) => `"${v}"`).join(" | ");
 }
 function generateEnumChangeColumnType(enumValueChange, config) {
-	const selectType = formatEnumUnion([...new Set([...enumValueChange.beforeValues, ...enumValueChange.afterValues])]);
+	const selectType = formatEnumUnion([.../* @__PURE__ */ new Set([...enumValueChange.beforeValues, ...enumValueChange.afterValues])]);
 	const afterType = formatEnumUnion(enumValueChange.afterValues);
 	if (config.array && !config.required) return `ColumnType<(${selectType})[] | null, (${afterType})[] | null, (${afterType})[] | null>`;
 	if (config.array) return `ColumnType<(${selectType})[], (${afterType})[], (${afterType})[]>`;
@@ -15928,7 +15978,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-Djeezk3m.mjs");
+	const { defineApplication } = await import("./application-Br48NXBD.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -17862,7 +17912,7 @@ async function runRepl(options) {
 	const execute = await prepareQueryExecutor(options);
 	const historyPath = getReplHistoryPath(options.engine, options.profile, options.workspaceId);
 	const validate = createReplValidator(options.engine);
-	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-CJG3sz7A.mjs");
+	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-DD5YP5mt.mjs");
 	const highlight = options.engine === "sql" ? highlightSqlLine : highlightGraphqlLine;
 	const prompt = createPrompt({
 		prefix: "",
@@ -18197,4 +18247,4 @@ function isDeno() {
 
 //#endregion
 export { updateCommand$2 as $, protoGqlPermission as $t, listCommand$3 as A, apiCall as An, jobsCommand as At, show as B, toPageDirection as Bn, functionExecutionStatusToString as Bt, listCommand$2 as C, ensureConfigId as Cn, webhookCommand as Ct, waitWorkflowExecution as D, generateUserTypes as Dn, listExecutors as Dt, waitCommand as E, PluginManager as En, listCommand$9 as Et, generateCommand as F, confirmationArgs as Fn, getCommand$5 as Ft, updateCommand$1 as G, executeScript as Gt, logBetaWarning as H, getCommand$6 as Ht, generateMigrationScript as I, deploymentArgs as In, getWorkflow as It, treeCommand as J, MIGRATION_LABEL_KEY as Jt, updateOrganization as K, waitForExecution as Kt, writeDbTypesFile as L, isVerbose as Ln, executionsCommand as Lt, truncate as M, defineAppCommand as Mn, watchExecutorJob as Mt, truncateCommand as N, commonArgs as Nn, startCommand as Nt, resumeCommand as O, prompt as On, getExecutorJob as Ot, generate as P, configArg as Pn, startWorkflow as Pt, getOrganization as Q, generateAllTypeManifestsFromSnapshot as Qt, getConfiguredEditorCommand as R, pagedLogArgs as Rn, getWorkflowExecution as Rt, listApps as S, getNamespacesWithMigrations as Sn, listWebhookExecutors as St, healthCommand as T, sdkNameLabelKey as Tn, triggerExecutor as Tt, remove as U, getExecutor as Ut, showCommand as V, workspaceArgs as Vn, formatKeyValueTable as Vt, removeCommand$1 as W, deploy as Wt, listOrganizations as X, parseMigrationLabelNumber as Xt, listCommand$4 as Y, handleOptionalToRequiredError as Yt, getCommand$1 as Z, compareSnapshotWithRemote as Zt, getWorkspace as _, formatMigrationNumber as _n, generate$1 as _t, updateUser as a, assertValidMigrationFiles as an, deleteCommand$1 as at, createCommand as b, formatMigrationDiff as bn, getCommand$4 as bt, listCommand as c, createSnapshotFromLocalTypes as cn, createFolder as ct, inviteUser as d, getMigrationFilePath as dn, getCommand$3 as dt, DB_TYPES_FILE_NAME as en, updateFolder as et, restoreCommand as f, getMigrationFiles as fn, getOAuth2Client as ft, getCommand as g, reconstructSnapshotFromMigrations as gn, listMachineUsers as gt, listWorkspaces as h, loadDiff as hn, listCommand$7 as ht, updateCommand as i, SCHEMA_FILE_NAME as in, getFolder as it, listWorkflows as j, assertWritable as jn, listExecutorJobs as jt, resumeWorkflow as k, apiCommand as kn, getExecutorWaitFailureMessage as kt, listUsers as l, getLatestMigrationNumber as ln, listCommand$6 as lt, listCommand$1 as m, isValidMigrationNumber as mn, tokenCommand as mt, query as n, INITIAL_SCHEMA_NUMBER as nn, listFolders as nt, removeCommand as o, compareLocalTypesWithSnapshot as on, deleteFolder as ot, restoreWorkspace as p, getNextMigrationNumber as pn, getMachineUserToken as pt, organizationTree as q, bundleMigrationScript as qt, queryCommand as r, MIGRATE_FILE_NAME as rn, getCommand$2 as rt, removeUser as s, compareSnapshots as sn, createCommand$1 as st, isNativeTypeScriptRuntime as t, DIFF_FILE_NAME as tn, listCommand$5 as tt, inviteCommand as u, getMigrationDirPath as un, listOAuth2Clients as ut, deleteCommand as v, parseMigrationNumberArg as vn, listCommand$8 as vt, getAppHealth as w, resourceTrn as wn, triggerCommand as wt, createWorkspace as x, hasChanges as xn, getFunctionRegistry as xt, deleteWorkspace as y, formatDiffSummary as yn, listFunctionRegistries as yt, openInConfiguredEditor as z, paginationArgs as zn, listWorkflowExecutions as zt };
-//# sourceMappingURL=runtime-DxaBq6U8.mjs.map
+//# sourceMappingURL=runtime-jowoN6qC.mjs.map