@tailor-platform/sdk 1.68.0 → 1.70.0

package/docs/cli-reference.md

@@ -10,8 +10,6 @@ tailor-sdk <command> [options]
 
 ## Global Options
 
-<!-- politty:global-options:start -->
-
 <a id="global-options"></a>
 | Option | Alias | Description | Required | Default |
 |--------|-------|-------------|----------|---------|
@@ -20,8 +18,6 @@ tailor-sdk <command> [options]
 | `--verbose` | - | Enable verbose logging | No | `false` |
 | `--json` | `-j` | Output as JSON | No | `false` |
 
-<!-- politty:global-options:end -->
-
 ### JSON Output
 
 For commands that return structured results, passing `--json` writes one parseable JSON document
@@ -78,6 +74,9 @@ You can use environment variables to configure workspace and authentication:
 | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID`     | Client ID for `login --machine-user`                                                                         |
 | `TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET` | Client secret for `login --machine-user`                                                                     |
 | `TAILOR_PLATFORM_MACHINE_USER_NAME`          | Default machine user name for `query`, `workflow start`, `function test-run`, `machineuser token`            |
+| `TAILOR_PLATFORM_URL`                        | Platform API base URL. Saved into profiles created with `profile create --platform-url`                      |
+| `TAILOR_PLATFORM_OAUTH2_CLIENT_ID`           | OAuth2 client ID for user login. Saved into profiles created with `profile create --oauth2-client-id`        |
+| `TAILOR_PLATFORM_CONSOLE_URL`                | Console base URL. Saved into profiles created with `profile create --console-url`                            |
 | `TAILOR_BUNDLE_CONCURRENCY`                  | Max concurrent bundle workers for `deploy` (resolvers/executors/workflows). Defaults to CPU count            |
 | `TAILOR_APPLY_CONCURRENCY`                   | Max concurrent unary platform RPCs during `apply`/`deploy` (streaming uploads are not gated). Defaults to 16 |
 | `VISUAL` / `EDITOR`                          | Preferred editor for commands that open files (e.g., `vim`, `code`, `nano`)                                  |
@@ -93,6 +92,8 @@ Token resolution follows this priority order:
 3. Profile specified via `--profile` option or `TAILOR_PLATFORM_PROFILE`
 4. Current user from platform config (`~/.config/tailor-platform/config.yaml`)
 
+Config-backed login tokens are scoped to the Platform API URL. Profiles with `--platform-url` use the token saved for that URL, so switching profiles can also switch between Platform API environments.
+
 ### Workspace ID Priority
 
 Workspace ID resolution follows this priority order:
@@ -103,8 +104,6 @@ Workspace ID resolution follows this priority order:
 
 ## Commands
 
-<!-- politty:index:docs/cli-reference.md:start -->
-
 ### [Application Commands](./cli/application.md)
 
 Commands for managing Tailor Platform applications (work with `tailor.config.ts`).
@@ -117,8 +116,9 @@ Commands for managing Tailor Platform applications (work with `tailor.config.ts`
 | [remove](./cli/application.md#remove)           | Remove all resources managed by the application from the workspace. |
 | [show](./cli/application.md#show)               | Show information about the deployed application.                    |
 | [open](./cli/application.md#open)               | Open Tailor Platform Console.                                       |
-| [api list](./cli/application.md#api-list)       | List all invocable OperatorService methods.                         |
+| [api](./cli/application.md#api)                 | Call Tailor Platform API endpoints directly.                        |
 | [api inspect](./cli/application.md#api-inspect) | Print the input message tree of an OperatorService endpoint.        |
+| [api list](./cli/application.md#api-list)       | List all invocable OperatorService methods.                         |
 
 ### [TailorDB Commands](./cli/tailordb.md)
 
@@ -126,13 +126,17 @@ Commands for managing TailorDB tables, data, and schema migrations.
 
 | Command                                                                      | Description                                                                                                               |
 | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
+| [tailordb](./cli/tailordb.md#tailordb)                                       | Manage TailorDB tables and data.                                                                                          |
 | [tailordb truncate](./cli/tailordb.md#tailordb-truncate)                     | Truncate (delete all records from) TailorDB tables.                                                                       |
+| [tailordb migration](./cli/tailordb.md#tailordb-migration)                   | Manage TailorDB schema migrations.                                                                                        |
 | [tailordb migration generate](./cli/tailordb.md#tailordb-migration-generate) | Generate migration files by detecting schema differences between current local types and the previous migration snapshot. |
 | [tailordb migration script](./cli/tailordb.md#tailordb-migration-script)     | Add a migration script (migrate.ts) template to an existing migration directory.                                          |
 | [tailordb migration set](./cli/tailordb.md#tailordb-migration-set)           | Set migration checkpoint to a specific number.                                                                            |
 | [tailordb migration status](./cli/tailordb.md#tailordb-migration-status)     | Show the current migration status for TailorDB namespaces, including applied and pending migrations.                      |
 | [tailordb migration sync](./cli/tailordb.md#tailordb-migration-sync)         | Sync remote TailorDB schema to a specific migration snapshot (recovery from --no-schema-check drift).                     |
+| [tailordb erd](./cli/tailordb.md#tailordb-erd)                               | Generate TailorDB ERD viewer artifacts from local TailorDB schema. (beta)                                                 |
 | [tailordb erd export](./cli/tailordb.md#tailordb-erd-export)                 | Export TailorDB ERD static viewer from local TailorDB schema.                                                             |
+| [tailordb erd diff](./cli/tailordb.md#tailordb-erd-diff)                     | Render TailorDB ERD schema diff HTML from exported ERD viewers.                                                           |
 | [tailordb erd serve](./cli/tailordb.md#tailordb-erd-serve)                   | Generate and serve TailorDB ERD locally with watch reload. (beta)                                                         |
 | [tailordb erd deploy](./cli/tailordb.md#tailordb-erd-deploy)                 | Deploy ERD static website for TailorDB namespace(s).                                                                      |
 
@@ -152,13 +156,15 @@ Commands for authentication and user management.
 | ------------------------------------------------ | ----------------------------------------------------- |
 | [login](./cli/user.md#login)                     | Login to Tailor Platform.                             |
 | [logout](./cli/user.md#logout)                   | Logout from Tailor Platform.                          |
+| [user](./cli/user.md#user)                       | Manage Tailor Platform users.                         |
 | [user current](./cli/user.md#user-current)       | Show current user.                                    |
 | [user list](./cli/user.md#user-list)             | List all users.                                       |
-| [user switch](./cli/user.md#user-switch)         | Set current user.                                     |
-| [user pat list](./cli/user.md#user-pat-list)     | List all personal access tokens.                      |
+| [user pat](./cli/user.md#user-pat)               | Manage personal access tokens.                        |
 | [user pat create](./cli/user.md#user-pat-create) | Create a new personal access token.                   |
 | [user pat delete](./cli/user.md#user-pat-delete) | Delete a personal access token.                       |
+| [user pat list](./cli/user.md#user-pat-list)     | List all personal access tokens.                      |
 | [user pat update](./cli/user.md#user-pat-update) | Update a personal access token (delete and recreate). |
+| [user switch](./cli/user.md#user-switch)         | Set current user.                                     |
 
 ### [Organization Commands](./cli/organization.md)
 
@@ -166,6 +172,8 @@ Commands for managing organizations and folders.
 
 | Command                                                                        | Description                                      |
 | ------------------------------------------------------------------------------ | ------------------------------------------------ |
+| [organization](./cli/organization.md#organization)                             | Manage Tailor Platform organizations.            |
+| [organization folder](./cli/organization.md#organization-folder)               | Manage organization folders.                     |
 | [organization folder create](./cli/organization.md#organization-folder-create) | Create a new folder in an organization.          |
 | [organization folder delete](./cli/organization.md#organization-folder-delete) | Delete a folder from an organization.            |
 | [organization folder get](./cli/organization.md#organization-folder-get)       | Show detailed information about a folder.        |
@@ -180,23 +188,27 @@ Commands for managing organizations and folders.
 
 Commands for managing workspaces and profiles.
 
-| Command                                                           | Description                                 |
-| ----------------------------------------------------------------- | ------------------------------------------- |
-| [workspace app health](./cli/workspace.md#workspace-app-health)   | Check application schema health             |
-| [workspace app list](./cli/workspace.md#workspace-app-list)       | List applications in a workspace            |
-| [workspace create](./cli/workspace.md#workspace-create)           | Create a new Tailor Platform workspace.     |
-| [workspace delete](./cli/workspace.md#workspace-delete)           | Delete a Tailor Platform workspace.         |
-| [workspace get](./cli/workspace.md#workspace-get)                 | Show detailed information about a workspace |
-| [workspace list](./cli/workspace.md#workspace-list)               | List all Tailor Platform workspaces.        |
-| [workspace restore](./cli/workspace.md#workspace-restore)         | Restore a deleted workspace                 |
-| [workspace user invite](./cli/workspace.md#workspace-user-invite) | Invite a user to a workspace                |
-| [workspace user list](./cli/workspace.md#workspace-user-list)     | List users in a workspace                   |
-| [workspace user remove](./cli/workspace.md#workspace-user-remove) | Remove a user from a workspace              |
-| [workspace user update](./cli/workspace.md#workspace-user-update) | Update a user's role in a workspace         |
-| [profile create](./cli/workspace.md#profile-create)               | Create a new profile.                       |
-| [profile delete](./cli/workspace.md#profile-delete)               | Delete a profile.                           |
-| [profile list](./cli/workspace.md#profile-list)                   | List all profiles.                          |
-| [profile update](./cli/workspace.md#profile-update)               | Update profile properties.                  |
+| Command                                                           | Description                                                |
+| ----------------------------------------------------------------- | ---------------------------------------------------------- |
+| [workspace](./cli/workspace.md#workspace)                         | Manage Tailor Platform workspaces.                         |
+| [workspace app](./cli/workspace.md#workspace-app)                 | Manage workspace applications                              |
+| [workspace app health](./cli/workspace.md#workspace-app-health)   | Check application schema health                            |
+| [workspace app list](./cli/workspace.md#workspace-app-list)       | List applications in a workspace                           |
+| [workspace create](./cli/workspace.md#workspace-create)           | Create a new Tailor Platform workspace.                    |
+| [workspace delete](./cli/workspace.md#workspace-delete)           | Delete a Tailor Platform workspace.                        |
+| [workspace get](./cli/workspace.md#workspace-get)                 | Show detailed information about a workspace                |
+| [workspace list](./cli/workspace.md#workspace-list)               | List all Tailor Platform workspaces.                       |
+| [workspace restore](./cli/workspace.md#workspace-restore)         | Restore a deleted workspace                                |
+| [workspace user](./cli/workspace.md#workspace-user)               | Manage workspace users                                     |
+| [workspace user invite](./cli/workspace.md#workspace-user-invite) | Invite a user to a workspace                               |
+| [workspace user list](./cli/workspace.md#workspace-user-list)     | List users in a workspace                                  |
+| [workspace user remove](./cli/workspace.md#workspace-user-remove) | Remove a user from a workspace                             |
+| [workspace user update](./cli/workspace.md#workspace-user-update) | Update a user's role in a workspace                        |
+| [profile](./cli/workspace.md#profile)                             | Manage workspace profiles (user + workspace combinations). |
+| [profile create](./cli/workspace.md#profile-create)               | Create a new profile.                                      |
+| [profile delete](./cli/workspace.md#profile-delete)               | Delete a profile.                                          |
+| [profile list](./cli/workspace.md#profile-list)                   | List all profiles.                                         |
+| [profile update](./cli/workspace.md#profile-update)               | Update profile properties.                                 |
 
 ### [Auth Resource Commands](./cli/auth.md)
 
@@ -204,13 +216,16 @@ Commands for managing Auth service resources.
 
 | Command                                                            | Description                                                                           |
 | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------- |
+| [authconnection](./cli/auth.md#authconnection)                     | Manage auth connections.                                                              |
 | [authconnection authorize](./cli/auth.md#authconnection-authorize) | Authorize an auth connection via OAuth2 flow.                                         |
+| [authconnection delete](./cli/auth.md#authconnection-delete)       | Delete an auth connection entirely.                                                   |
 | [authconnection list](./cli/auth.md#authconnection-list)           | List all auth connections.                                                            |
 | [authconnection open](./cli/auth.md#authconnection-open)           | Open the auth connections page in the Tailor Platform Console.                        |
 | [authconnection revoke](./cli/auth.md#authconnection-revoke)       | Revoke an auth connection's tokens (keeps the connection; use 'delete' to remove it). |
-| [authconnection delete](./cli/auth.md#authconnection-delete)       | Delete an auth connection entirely.                                                   |
+| [machineuser](./cli/auth.md#machineuser)                           | Manage machine users in your Tailor Platform application.                             |
 | [machineuser list](./cli/auth.md#machineuser-list)                 | List all machine users in the application.                                            |
 | [machineuser token](./cli/auth.md#machineuser-token)               | Get an access token for a machine user.                                               |
+| [oauth2client](./cli/auth.md#oauth2client)                         | Manage OAuth2 clients in your Tailor Platform application.                            |
 | [oauth2client list](./cli/auth.md#oauth2client-list)               | List all OAuth2 clients in the application.                                           |
 | [oauth2client get](./cli/auth.md#oauth2client-get)                 | Get OAuth2 client credentials (including client secret).                              |
 
@@ -220,6 +235,7 @@ Commands for managing workflows and executions.
 
 | Command                                                      | Description                                    |
 | ------------------------------------------------------------ | ---------------------------------------------- |
+| [workflow](./cli/workflow.md#workflow)                       | Manage workflows and workflow executions.      |
 | [workflow list](./cli/workflow.md#workflow-list)             | List all workflows in the workspace.           |
 | [workflow get](./cli/workflow.md#workflow-get)               | Get workflow details.                          |
 | [workflow start](./cli/workflow.md#workflow-start)           | Start a workflow execution.                    |
@@ -233,6 +249,7 @@ Commands for managing function registries and viewing function execution logs.
 
 | Command                                                  | Description                                                     |
 | -------------------------------------------------------- | --------------------------------------------------------------- |
+| [function](./cli/function.md#function)                   | Manage functions                                                |
 | [function get](./cli/function.md#function-get)           | Get a function registry by name                                 |
 | [function list](./cli/function.md#function-list)         | List function registries in a workspace                         |
 | [function logs](./cli/function.md#function-logs)         | List or get function execution logs.                            |
@@ -244,10 +261,12 @@ Commands for managing executors and executor jobs.
 
 | Command                                                          | Description                                   |
 | ---------------------------------------------------------------- | --------------------------------------------- |
-| [executor trigger](./cli/executor.md#executor-trigger)           | Trigger an executor manually.                 |
-| [executor jobs](./cli/executor.md#executor-jobs)                 | List or get executor jobs.                    |
+| [executor](./cli/executor.md#executor)                           | Manage executors                              |
 | [executor list](./cli/executor.md#executor-list)                 | List all executors                            |
 | [executor get](./cli/executor.md#executor-get)                   | Get executor details                          |
+| [executor jobs](./cli/executor.md#executor-jobs)                 | List or get executor jobs.                    |
+| [executor trigger](./cli/executor.md#executor-trigger)           | Trigger an executor manually.                 |
+| [executor webhook](./cli/executor.md#executor-webhook)           | Manage executor webhooks                      |
 | [executor webhook list](./cli/executor.md#executor-webhook-list) | List executors with incoming webhook triggers |
 
 ### [Secret Commands](./cli/secret.md)
@@ -256,13 +275,15 @@ Commands for managing secrets and vaults.
 
 | Command                                                    | Description                                      |
 | ---------------------------------------------------------- | ------------------------------------------------ |
+| [secret](./cli/secret.md#secret)                           | Manage Secret Manager vaults and secrets.        |
+| [secret create](./cli/secret.md#secret-create)             | Create a secret in a vault.                      |
+| [secret delete](./cli/secret.md#secret-delete)             | Delete a secret in a vault.                      |
+| [secret list](./cli/secret.md#secret-list)                 | List all secrets in a vault.                     |
+| [secret update](./cli/secret.md#secret-update)             | Update a secret in a vault.                      |
+| [secret vault](./cli/secret.md#secret-vault)               | Manage Secret Manager vaults.                    |
 | [secret vault create](./cli/secret.md#secret-vault-create) | Create a new Secret Manager vault.               |
 | [secret vault delete](./cli/secret.md#secret-vault-delete) | Delete a Secret Manager vault.                   |
 | [secret vault list](./cli/secret.md#secret-vault-list)     | List all Secret Manager vaults in the workspace. |
-| [secret create](./cli/secret.md#secret-create)             | Create a secret in a vault.                      |
-| [secret update](./cli/secret.md#secret-update)             | Update a secret in a vault.                      |
-| [secret list](./cli/secret.md#secret-list)                 | List all secrets in a vault.                     |
-| [secret delete](./cli/secret.md#secret-delete)             | Delete a secret in a vault.                      |
 
 ### [Static Website Commands](./cli/staticwebsite.md)
 
@@ -270,10 +291,12 @@ Commands for managing and deploying static websites.
 
 | Command                                                                       | Description                                           |
 | ----------------------------------------------------------------------------- | ----------------------------------------------------- |
+| [staticwebsite](./cli/staticwebsite.md#staticwebsite)                         | Manage static websites in your workspace.             |
 | [staticwebsite deploy](./cli/staticwebsite.md#staticwebsite-deploy)           | Deploy a static website from a local build directory. |
-| [staticwebsite domain list](./cli/staticwebsite.md#staticwebsite-domain-list) | List custom domains for a static website.             |
-| [staticwebsite domain get](./cli/staticwebsite.md#staticwebsite-domain-get)   | Get details of a custom domain.                       |
 | [staticwebsite list](./cli/staticwebsite.md#staticwebsite-list)               | List all static websites in a workspace.              |
+| [staticwebsite domain](./cli/staticwebsite.md#staticwebsite-domain)           | Manage custom domains for static websites.            |
+| [staticwebsite domain get](./cli/staticwebsite.md#staticwebsite-domain-get)   | Get details of a custom domain.                       |
+| [staticwebsite domain list](./cli/staticwebsite.md#staticwebsite-domain-list) | List custom domains for a static website.             |
 | [staticwebsite get](./cli/staticwebsite.md#staticwebsite-get)                 | Get details of a specific static website.             |
 
 ### [Crash Report Commands](./cli/crashreport.md)
@@ -282,6 +305,7 @@ Commands for managing crash reports.
 
 | Command                                                   | Description                                    |
 | --------------------------------------------------------- | ---------------------------------------------- |
+| [crashreport](./cli/crashreport.md#crashreport)           | Manage crash reports.                          |
 | [crashreport list](./cli/crashreport.md#crashreport-list) | List local crash report files.                 |
 | [crashreport send](./cli/crashreport.md#crashreport-send) | Submit a crash report to help improve the SDK. |
 
@@ -291,6 +315,7 @@ Commands for setting up project infrastructure.
 
 | Command                                   | Description                                                                      |
 | ----------------------------------------- | -------------------------------------------------------------------------------- |
+| [setup](./cli/setup.md#setup)             | Generate a CI deploy workflow for your project. (beta)                           |
 | [setup check](./cli/setup.md#setup-check) | Audit generated workflows for drift against the current config/repo (read-only). |
 
 ### [Upgrade Commands](./cli/upgrade.md)
@@ -307,6 +332,7 @@ Commands for installing Tailor SDK agent skills.
 
 | Command                                          | Description                                                        |
 | ------------------------------------------------ | ------------------------------------------------------------------ |
+| [skills](./cli/skills.md#skills)                 | Manage Tailor SDK agent skills.                                    |
 | [skills install](./cli/skills.md#skills-install) | Install the tailor-sdk agent skill from the installed SDK package. |
 
 ### [Completion](./cli/completion.md)
@@ -316,5 +342,3 @@ Generate shell completion scripts for bash, zsh, and fish.
 | Command                                      | Description                      |
 | -------------------------------------------- | -------------------------------- |
 | [completion](./cli/completion.md#completion) | Generate shell completion script |
-
-<!-- politty:index:docs/cli-reference.md:end -->

package/docs/configuration.md

@@ -118,8 +118,14 @@ Configure the Built-in IdP service using `defineIdp()`. See [IdP](./services/idp
 import { defineIdp } from "@tailor-platform/sdk";
 
 const idp = defineIdp("my-idp", {
-  authorization: "loggedIn",
   clients: ["my-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    update: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    delete: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+  },
 });
 
 export default defineConfig({

package/docs/github-actions.md

@@ -63,6 +63,33 @@ What it does:
 Fork pull requests cannot read repository secrets. For forks, the plan step is
 automatically skipped; `generate-check` and other non-secret checks still run.
 
+#### ERD preview artifacts
+
+Pass `--erd-preview` on a branch target to add TailorDB ERD preview artifacts
+to pull requests:
+
+```bash
+tailor-sdk setup -n my-app-stg --erd-preview
+```
+
+The generated workflow builds one self-contained ERD viewer HTML file for each
+owned TailorDB namespace in `tailor.config.ts`. The viewer compares the pull
+request merge result with the base branch, can switch between the current schema
+and highlighted diff, uploads the HTML files as unarchived Actions artifacts,
+and upserts a PR comment with artifact links.
+
+ERD preview does not use Tailor Platform credentials. Fork pull requests still
+build artifacts, but the comment step is skipped because fork tokens cannot
+write PR comments.
+
+`--erd-preview` is only available for branch targets with the plan job enabled;
+it cannot be combined with `--tag` or `--no-plan`. The namespace list is
+recorded in `.github/tailor-sdk.lock`; the pull request workflow compares the
+head and base lock files so newly added or removed namespaces can still produce
+all-added or all-removed viewer artifacts. Re-run `setup` after adding or
+removing TailorDB namespaces. `setup check` reports drift when the recorded ERD
+preview namespaces no longer match the current config.
+
 ### Tag target (recommended for production)
 
 The tag target fires when a tag matching `--tag-pattern` (default `v*`) is

package/docs/multi-environment.md

@@ -25,6 +25,28 @@ tailor-sdk deploy -p staging
 
 Profiles are created with `write` permission by default. The production profile above opts into `--permission read`, which blocks write commands such as `deploy` while the profile is active — a guard against deploying to production by accident. To deploy to production deliberately, pass the workspace explicitly with `-w` without selecting the profile — the guard applies only while a profile is selected via `-p` or `TAILOR_PLATFORM_PROFILE` — or use a separate profile created with `write` permission.
 
+If a profile targets a non-default Tailor Platform API, save that connection on the profile as well. User login tokens are stored per Platform URL, so you can log in once for each Platform and then switch with only the profile:
+
+```bash
+export TAILOR_PLATFORM_URL=<platform-api-url>
+export TAILOR_PLATFORM_OAUTH2_CLIENT_ID=<oauth2-client-id>
+export TAILOR_PLATFORM_CONSOLE_URL=<console-url>
+
+tailor-sdk login
+tailor-sdk profile create development \
+  -u you@example.com \
+  -w <development-workspace-id> \
+  --platform-url "$TAILOR_PLATFORM_URL" \
+  --oauth2-client-id "$TAILOR_PLATFORM_OAUTH2_CLIENT_ID" \
+  --console-url "$TAILOR_PLATFORM_CONSOLE_URL"
+
+unset TAILOR_PLATFORM_URL TAILOR_PLATFORM_OAUTH2_CLIENT_ID TAILOR_PLATFORM_CONSOLE_URL
+tailor-sdk deploy -p development
+tailor-sdk open -p development
+```
+
+After the profile exists, run `tailor-sdk login -p development` to refresh the login for that Platform without re-exporting the connection variables.
+
 ## Varying config values per environment
 
 `tailor.config.ts` is a TypeScript module evaluated locally each time an SDK command loads it, so any value can branch on `process.env`. If the config also defines an auth before-login hook, mind the `process.env` caveat in [Environment Variables](./configuration.md#environment-variables). Keep one env file per environment and load it with the global [`--env-file`](./cli-reference.md#environment-file-loading) option:

package/docs/services/aigateway.md

@@ -1,12 +1,12 @@
 # AI Gateway
 
-AI Gateway provides a unified endpoint for accessing multiple LLM providers (Azure OpenAI, Google Vertex AI Gemini, Anthropic via Vertex AI) through a single OpenAI-compatible API, with platform-managed credentials and workspace-scoped authentication.
+AI Gateway provides a unified endpoint for accessing a range of large language models through a single OpenAI-compatible API, with platform-managed credentials and workspace-scoped authentication.
 
 ## Overview
 
 AI Gateway provides:
 
-- A unified, OpenAI-compatible endpoint for multiple LLM providers
+- A unified, OpenAI-compatible endpoint for multiple LLM models
 - Mandatory authentication via your workspace's auth (request tokens are resolved against the configured auth namespace)
 - Per-workspace isolation: each gateway is provisioned with its own platform-assigned URL
 - Optional CORS allow-list for browser-based clients
@@ -31,6 +31,7 @@ const aiGateway = defineAIGateway("my-aigateway", {
 });
 
 export default defineConfig({
+  name: "my-app",
   aiGateways: [aiGateway],
 });
 ```
@@ -80,6 +81,7 @@ const website = defineStaticWebSite("my-frontend", {
 });
 
 const aiGateway = defineAIGateway("my-aigateway", {
+  // Name of an auth namespace in your workspace; request tokens are resolved against it.
   authNamespace: "default",
   cors: [website.url],
 });

package/docs/services/http-adapter.md

@@ -7,7 +7,7 @@ HTTP adapters expose REST-style HTTP endpoints on your application by translatin
 Each HTTP adapter is a single file that declares:
 
 - A `pathPattern` (which methods it handles is derived from the `input` keys)
-- An `input` object keyed by lowercase HTTP method (`get`, `post`, `put`, `patch`, `delete`) — each value is a function that converts an incoming HTTP request into a GraphQL request (`query`, `variables`, `operationName`)
+- An `input` object keyed by lowercase HTTP method (`get`, `post`, `put`, `patch`, `delete`) — each value is a function that converts an incoming HTTP request into a GraphQL request (`query`, `variables`, `operationName`). `query` can be a GraphQL string or a generated `TypedDocumentNode`.
 - An optional `output` function — **shared across all methods** — that converts the GraphQL response into an HTTP response (`statusCode`, `headers`, `body`)
 
 Adapters are deployed together with your application. When a request arrives under the `/api/` prefix and matches an adapter, the handler for the request method runs server-side.
@@ -74,6 +74,21 @@ A request to `GET /api/users/abc-123` invokes the `get` handler, runs the result
 
 If `output` is omitted, the raw GraphQL response is returned as JSON.
 
+### Typed GraphQL Documents
+
+`input` handlers can return generated `TypedDocumentNode` values instead of query strings. The SDK uses the document's variables type for `variables`, and passes the document's result type to `output` as `resp.data`.
+
+```typescript
+import { GetUserDocument } from "../generated/graphql";
+
+get: (req) => ({
+  query: GetUserDocument,
+  variables: { id: req.path.split("/")[2] ?? "" },
+});
+```
+
+When multiple methods return different typed documents, `resp.data` is the union of those result types because `output` is shared across the adapter. If a method returns a plain string query, its result type is `unknown`. When extracting an input handler and annotating it separately, pass the document type to `HttpAdapterInputFn` so required variables stay typed.
+
 ### Optional fields
 
 Beyond `name`, `pathPattern`, `input`, and `output`, two optional fields control deploy-time behavior:

package/docs/services/idp.md

@@ -86,7 +86,8 @@ defineIdp("my-idp", {
 - `read` - Controls who can read IdP users
 - `update` - Controls who can update IdP users
 - `delete` - Controls who can delete IdP users
-- `sendPasswordResetEmail` - Controls who can send password reset emails. The examples above disable this operation; to enable it, use a permission such as `[{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }]`.
+- `sendPasswordResetEmail` - Controls who can send password reset emails. Required unless `userAuthPolicy.disablePasswordAuth` is `true` or `gqlOperations.sendPasswordResetEmail` is `false` (the password-reset flow has no meaning when password authentication is off or the operation is disabled). Set `[{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }]` to allow, or `[]` to deny.
+- `unenrollMfa` - Controls who can remove an enrolled MFA factor from a user. Required when `userAuthPolicy.enableMfa` is `true` unless `gqlOperations.unenrollMfa` is `false`; omit otherwise. Typically restricted to administrators.
 
 **Policy fields:** each entry in an operation's policy array supports:
 
@@ -166,6 +167,37 @@ defineIdp("my-idp", {
 - `allowGoogleOauth` - Enable the "Sign in with Google" button. Default `false`.
 - `allowMicrosoftOauth` - Enable the "Sign in with Microsoft" button. Default `false`.
 
+**MFA (TOTP):**
+
+```typescript
+import { defineIdp, defineStaticWebSite } from "@tailor-platform/sdk";
+
+const website = defineStaticWebSite("my-frontend", { description: "App frontend" });
+
+defineIdp("my-idp", {
+  clients: ["my-client"],
+  userAuthPolicy: {
+    enableMfa: true,
+    requireMfa: false,
+    allowedReturnOrigins: [website.url, "https://admin.example.com"],
+    mfaIssuer: "My App",
+  },
+  permission: {
+    create: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    read: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    update: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    delete: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    unenrollMfa: [{ conditions: [[{ user: "role" }, "=", "ADMIN"]], permit: true }],
+  },
+});
+```
+
+- `enableMfa` - Make TOTP MFA available for users in this namespace. Default `false`. When enabled, users can register an authenticator app (Google Authenticator, 1Password, etc.) from the IdP self-service page.
+- `requireMfa` - Force password-authenticated users to enroll and pass an MFA challenge on each sign-in. Default `false`. Social sign-in (`allowGoogleOauth` / `allowMicrosoftOauth`) is not affected; the upstream provider's MFA covers those sessions.
+- `allowedReturnOrigins` - Origins the IdP self-service pages (such as `/mfa/settings`) are allowed to redirect back to. Each entry is either a literal origin (`https://app.example.com`, scheme + host + optional port, no path/query/fragment) or a static-website placeholder `<name>:url` (e.g. `website.url`) that the CLI resolves to the deployed website's URL at apply time. Required when `enableMfa` is `true`.
+- `mfaIssuer` - Label shown next to the user account in authenticator apps when TOTP is enrolled. Up to 64 characters. Falls back to `"Tailor Platform IdP"` when empty.
+
 **Constraints:** the following combinations are rejected at parse time.
 
 - `passwordMinLength` must be less than or equal to `passwordMaxLength`.
@@ -173,6 +205,23 @@ defineIdp("my-idp", {
 - `allowGoogleOauth` requires a non-empty `allowedEmailDomains`.
 - `allowMicrosoftOauth` requires both a non-empty `allowedEmailDomains` and `disablePasswordAuth: true`.
 - `disablePasswordAuth` requires `allowGoogleOauth` or `allowMicrosoftOauth`, and cannot be combined with `allowSelfPasswordReset`.
+- `requireMfa: true` requires `enableMfa: true`.
+- `enableMfa: true` requires at least one entry in `allowedReturnOrigins`.
+- `enableMfa: true` requires `permission` to be defined and to include an explicit `unenrollMfa` policy (an empty array `[]` to deny is fine), unless `gqlOperations.unenrollMfa` is `false` (or `gqlOperations: "query"`, which normalizes to the same), in which case the operation is turned off and the policy may be omitted.
+
+**Runtime API:** function code can inspect and revoke a user's enrolled factor through `idp.Client`. The `User` records returned by `user`, `userByName`, `users`, `createUser`, and `updateUser` expose `mfaEnrolled` (boolean) and `mfaFactorIds` (string array), and `client.unenrollMfa({ userId, mfaFactorId })` removes a single factor. The factor ID to pass back is one of the entries in `user.mfaFactorIds`. Calling `unenrollMfa` requires the `unenrollMfa` permission above.
+
+```typescript
+import { idp } from "@tailor-platform/sdk/runtime";
+
+const client = new idp.Client({ namespace: "my-idp" });
+const user = await client.user("user-id");
+if (user.mfaEnrolled) {
+  for (const factorId of user.mfaFactorIds) {
+    await client.unenrollMfa({ userId: user.id, mfaFactorId: factorId });
+  }
+}
+```
 
 ### gqlOperations
 
@@ -187,6 +236,8 @@ defineIdp("my-idp", {
     update: true,
     delete: false,
     sendPasswordResetEmail: false,
+    requestMfaSettingsUrl: false,
+    unenrollMfa: false,
   },
 });
 ```
@@ -198,8 +249,10 @@ defineIdp("my-idp", {
 - `update` - The `_updateUser` mutation.
 - `delete` - The `_deleteUser` mutation.
 - `sendPasswordResetEmail` - The `_sendPasswordResetEmail` mutation.
+- `requestMfaSettingsUrl` - The `_requestMfaSettingsUrl` query that issues a self-service URL for MFA settings.
+- `unenrollMfa` - The `_unenrollMfa` mutation that removes a user's enrolled MFA factor. When set to `false`, `permission.unenrollMfa` may be omitted even with `userAuthPolicy.enableMfa: true`.
 
-**Shortcut:** pass the string `"query"` to expose a read-only IdP. It enables `read` and disables every mutation.
+**Shortcut:** pass the string `"query"` to expose a read-only IdP. It enables the queries (`read`, `requestMfaSettingsUrl`) and disables every mutation.
 
 ```typescript
 defineIdp("my-idp", {

package/docs/services/staticwebsite.md

@@ -124,8 +124,14 @@ const website = defineStaticWebSite("my-frontend", {
 });
 
 const idp = defineIdp("my-idp", {
-  authorization: "loggedIn",
   clients: ["default-client"],
+  permission: {
+    create: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    read: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    update: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    delete: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+    sendPasswordResetEmail: [{ conditions: [[{ user: "_loggedIn" }, "=", true]], permit: true }],
+  },
 });
 
 const auth = defineAuth("my-auth", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.68.0",
+  "version": "1.70.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {
@@ -16,6 +16,7 @@
     "CHANGELOG.md",
     "dist",
     "docs",
+    "!docs/**/*.*.md",
     "postinstall.mjs",
     "README.md",
     "agent-skills"
@@ -27,6 +28,9 @@
   ],
   "main": "./dist/configure/index.mjs",
   "types": "./dist/configure/index.d.mts",
+  "imports": {
+    "#/*": "./src/*.ts"
+  },
   "exports": {
     ".": {
       "types": "./dist/configure/index.d.mts",
@@ -150,40 +154,40 @@
     "@opentelemetry/resources": "2.8.0",
     "@opentelemetry/sdk-trace-node": "2.8.0",
     "@opentelemetry/semantic-conventions": "1.41.1",
-    "@oxc-project/types": "0.135.0",
+    "@oxc-project/types": "0.137.0",
     "@standard-schema/spec": "1.1.0",
     "@tailor-platform/function-kysely-tailordb": "0.1.3",
     "@toiroakr/lines-db": "0.9.2",
     "@toiroakr/read-multiline": "0.4.1",
-    "@urql/core": "6.0.1",
+    "@urql/core": "6.0.2",
     "chalk": "5.6.2",
     "chokidar": "5.0.0",
     "confbox": "0.2.4",
     "date-fns": "4.4.0",
-    "es-toolkit": "1.47.1",
+    "es-toolkit": "1.48.1",
     "find-up-simple": "1.0.1",
     "globals": "17.6.0",
-    "graphql": "16.14.2",
+    "graphql": "17.0.1",
     "inflection": "3.0.2",
     "kysely": "0.29.2",
     "madge": "8.0.0",
     "mime-types": "3.0.2",
     "open": "11.0.0",
-    "oxc-parser": "0.135.0",
+    "oxc-parser": "0.137.0",
     "p-limit": "7.3.0",
     "pathe": "2.0.3",
     "pgsql-ast-parser": "12.0.2",
     "pkg-types": "2.3.1",
-    "politty": "0.6.0",
-    "rolldown": "1.1.1",
-    "semver": "7.8.4",
+    "politty": "0.9.2",
+    "rolldown": "1.1.2",
+    "semver": "7.8.5",
     "sql-highlight": "6.1.0",
     "std-env": "4.1.0",
     "table": "6.9.0",
     "ts-cron-validator": "1.1.5",
     "tsx": "4.22.4",
     "type-fest": "5.7.0",
-    "undici": "8.4.1",
+    "undici": "8.5.0",
     "xdg-basedir": "5.1.0",
     "zod": "4.4.3"
   },
@@ -193,16 +197,17 @@
     "@types/mime-types": "3.0.1",
     "@types/node": "24.13.2",
     "@types/semver": "7.7.1",
-    "@typescript/native-preview": "7.0.0-dev.20260614.1",
-    "@vitest/coverage-v8": "4.1.8",
-    "oxfmt": "0.54.0",
-    "oxlint": "1.69.0",
+    "@typescript/native-preview": "7.0.0-dev.20260621.1",
+    "@vitest/coverage-v8": "4.1.9",
+    "oxfmt": "0.55.0",
+    "oxlint": "1.70.0",
     "oxlint-tsgolint": "0.23.0",
-    "sonda": "0.13.0",
-    "tsdown": "0.22.2",
+    "sonda": "0.13.1",
+    "tsdown": "0.22.3",
     "typescript": "6.0.3",
-    "vitest": "4.1.8",
-    "zinfer": "0.1.8"
+    "vitest": "4.1.9",
+    "zinfer": "0.2.2",
+    "@tailor-platform/tailor-proto": "^0.0.0"
   },
   "peerDependencies": {
     "vite": "^6.0.0 || ^7.0.0 || ^8.0.0",

package/dist/application-Djeezk3m.mjs

@@ -1,4 +0,0 @@
-
-import { n as generatePluginFilesIfNeeded, r as loadApplication, t as defineApplication } from "./application-WpWwTyk9.mjs";
-
-export { defineApplication, generatePluginFilesIfNeeded };