@tailor-platform/sdk 1.69.0 → 1.70.0

package/dist/cli/index.mjs

@@ -3,8 +3,8 @@
 import { C as CustomDomainStatus, R as FunctionExecution_Type, ft as AuthInvokerSchema, yt as PATScope } from "../service_pb-DSNjrcbW.mjs";
 import { t as assertDefined } from "../assert-CKfwrmCV.mjs";
 import { n as logger, r as styles } from "../logger-DKF-JsAK.mjs";
-import { $ as updateCommand$2, $t as protoGqlPermission, A as listCommand$12, At as jobsCommand, Bn as toPageDirection, Bt as functionExecutionStatusToString, C as listCommand$13, Cn as ensureConfigId, Ct as webhookCommand, Dn as generateUserTypes, E as waitCommand, En as PluginManager, Et as listCommand$6, F as generateCommand$1, Fn as confirmationArgs, Ft as getCommand$6, G as updateCommand$3, Gt as executeScript, H as logBetaWarning, Ht as getCommand$1, I as generateMigrationScript, In as deploymentArgs, J as treeCommand, Jt as MIGRATION_LABEL_KEY, L as writeDbTypesFile, Ln as isVerbose, Lt as executionsCommand, Mn as defineAppCommand, N as truncateCommand, Nn as commonArgs, Nt as startCommand, O as resumeCommand, On as prompt, Pn as configArg, Qt as generateAllTypeManifestsFromSnapshot, R as getConfiguredEditorCommand, Rn as pagedLogArgs, Sn as getNamespacesWithMigrations, T as healthCommand, Tn as sdkNameLabelKey, V as showCommand, Vn as workspaceArgs, Vt as formatKeyValueTable, W as removeCommand$1, Wt as deploy, Xt as parseMigrationLabelNumber, Y as listCommand$11, Yt as handleOptionalToRequiredError, Z as getCommand$5, Zt as compareSnapshotWithRemote, _n as formatMigrationNumber, _t as generate, an as assertValidMigrationFiles, at as deleteCommand$3, b as createCommand$4, bn as formatMigrationDiff, bt as getCommand$2, c as listCommand$14, cn as createSnapshotFromLocalTypes, dn as getMigrationFilePath, dt as getCommand$3, f as restoreCommand, fn as getMigrationFiles, g as getCommand$7, gn as reconstructSnapshotFromMigrations, hn as loadDiff, ht as listCommand$8, i as updateCommand$4, jn as assertWritable, kn as apiCommand, ln as getLatestMigrationNumber, lt as listCommand$9, m as listCommand$15, mn as isValidMigrationNumber, mt as tokenCommand, nn as INITIAL_SCHEMA_NUMBER, o as removeCommand, on as compareLocalTypesWithSnapshot, r as queryCommand, rt as getCommand$4, st as createCommand$3, t as isNativeTypeScriptRuntime, tt as listCommand$10, u as inviteCommand, v as deleteCommand$4, vn as parseMigrationNumberArg, vt as listCommand$7, wn as resourceTrn, wt as triggerCommand, xn as hasChanges, z as openInConfiguredEditor, zn as paginationArgs } from "../runtime-jowoN6qC.mjs";
-import { A as loadMachineUserName, B as fetchPlatformMachineUserToken, C as hashContent$1, D as fetchLatestToken, E as deleteUserTokens, F as writePlatformConfig, H as initOAuth2Client, I as closeConnectionPool, L as fetchAll, M as readPlatformConfig, N as resolveTokens, O as loadAccessToken, P as saveUserTokens, S as getDistDir, T as loadConfig, U as initOperatorClient, V as fetchUserInfo, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as loadWorkspaceId, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, z as fetchPaged } from "../application-Cr-limKC.mjs";
+import { $t as generateAllTypeManifestsFromSnapshot, A as listCommand$12, An as apiCommand, Bn as paginationArgs, C as listCommand$13, Cn as getNamespacesWithMigrations, Dn as PluginManager, Dt as listCommand$6, E as waitCommand, En as sdkNameLabelKey, F as generateCommand$1, Fn as configArg, G as removeCommand$1, Gt as deploy, H as extractOwnedNamespaces, Hn as workspaceArgs, Ht as formatKeyValueTable, I as generateMigrationScript, In as confirmationArgs, It as getCommand$6, K as updateCommand$3, Kt as executeScript, L as writeDbTypesFile, Ln as deploymentArgs, Mn as assertWritable, N as truncateCommand, Nn as defineAppCommand, O as resumeCommand, On as generateUserTypes, Pn as commonArgs, Pt as startCommand, Q as getCommand$5, Qt as compareSnapshotWithRemote, R as getConfiguredEditorCommand, Rn as isVerbose, Rt as executionsCommand, Sn as hasChanges, T as healthCommand, Tn as resourceTrn, Tt as triggerCommand, U as logBetaWarning, Ut as getCommand$1, V as showCommand, Vn as toPageDirection, Vt as functionExecutionStatusToString, X as listCommand$11, Xt as handleOptionalToRequiredError, Y as treeCommand, Yt as MIGRATION_LABEL_KEY, Zt as parseMigrationLabelNumber, _n as reconstructSnapshotFromMigrations, b as createCommand$4, c as listCommand$14, ct as createCommand$3, en as protoGqlPermission, et as updateCommand$2, f as restoreCommand, fn as getMigrationFilePath, ft as getCommand$3, g as getCommand$7, gn as loadDiff, gt as listCommand$8, hn as isValidMigrationNumber, ht as tokenCommand, i as updateCommand$4, it as getCommand$4, jt as jobsCommand, kn as prompt, ln as createSnapshotFromLocalTypes, m as listCommand$15, nt as listCommand$10, o as removeCommand, on as assertValidMigrationFiles, ot as deleteCommand$3, pn as getMigrationFiles, r as queryCommand, rn as INITIAL_SCHEMA_NUMBER, sn as compareLocalTypesWithSnapshot, t as isNativeTypeScriptRuntime, u as inviteCommand, un as getLatestMigrationNumber, ut as listCommand$9, v as deleteCommand$4, vn as formatMigrationNumber, vt as generate, wn as ensureConfigId, wt as webhookCommand, xn as formatMigrationDiff, xt as getCommand$2, yn as parseMigrationNumberArg, yt as listCommand$7, z as openInConfiguredEditor, zn as pagedLogArgs } from "../runtime-CSY0eD4_.mjs";
+import { $ as initOperatorClient, A as loadAccessToken, B as saveUserTokens, C as hashContent$1, D as fetchLatestToken, E as deleteUserTokens, F as loadStoredUserTokens, H as closeConnectionPool, I as loadWorkspaceId, J as fetchUserInfo, K as fetchPaged, L as platformConfigFromProfile, M as loadConsoleBaseUrl, N as loadMachineUserName, O as hasAnyUserTokenEntry, Q as initOAuth2Client, R as readPlatformConfig, S as getDistDir, T as loadConfig, U as defaultPlatformBaseUrl, V as writePlatformConfig, W as fetchAll, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, c as INVOKER_EXPR, et as isDefaultPlatform, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, k as hasUserTokenEntry, o as ResolverSchema, q as fetchPlatformMachineUserToken, t as defineApplication, v as resolveBundleLogLevel, z as resolveUserTokenKey } from "../application-Df5_I83n.mjs";
 import { n as ExecutorSchema } from "../service-B2Jd9CxS.mjs";
 import { t as multiline } from "../multiline-Cf9ODpr1.mjs";
 import { r as isPluginGeneratedType } from "../seed-YAbtMy65.mjs";
@@ -255,7 +255,6 @@ const listAuthConnectionCommand = defineAppCommand({
 
 //#endregion
 //#region src/cli/commands/authconnection/open.ts
-const consoleBaseUrl$1 = "https://console.tailor.tech";
 const openAuthConnectionCommand = defineAppCommand({
 	name: "open",
 	description: "Open the auth connections page in the Tailor Platform Console.",
@@ -266,7 +265,11 @@ const openAuthConnectionCommand = defineAppCommand({
 			profile: args.profile
 		});
 		const consolePath = `/workspaces/${workspaceId}/settings/connections`;
-		const consoleUrl = new URL(consolePath, consoleBaseUrl$1).toString();
+		const consoleBaseUrl = await loadConsoleBaseUrl({
+			profile: args.profile,
+			...args["workspace-id"] !== void 0 ? { allowMissingProfile: true } : {}
+		});
+		const consoleUrl = new URL(consolePath, consoleBaseUrl).toString();
 		const jsonOutput = logger.jsonMode;
 		logger.info("Opening auth connections page in Tailor Platform Console...");
 		let opened = true;
@@ -1285,7 +1288,7 @@ async function detectFunctionType(options) {
 		const rawInput = module.default.input;
 		let inputSchema;
 		if (rawInput) {
-			const { t } = await import("../types-2Be3wSMc.mjs");
+			const { t } = await import("../types-32lUMToj.mjs");
 			inputSchema = t.object(rawInput);
 		}
 		return {
@@ -1734,8 +1737,15 @@ const redirectUri = `http://localhost:${redirectPort}/callback`;
 function randomState() {
 	return crypto.randomBytes(32).toString("base64url");
 }
-const startAuthServer = async () => {
-	const client = initOAuth2Client();
+function assertProfileLoginUser(args, authenticatedUser) {
+	if (args.profile && args.profileUser && authenticatedUser !== args.profileUser) throw new Error(`Profile "${args.profile}" is configured for "${args.profileUser}", but login authenticated "${authenticatedUser}".`);
+}
+function shouldUpdateCurrentUser(profile, platformConfig) {
+	if (!profile) return true;
+	return isDefaultPlatform(platformConfig);
+}
+const startAuthServer = async (args = {}) => {
+	const client = initOAuth2Client(args.platformConfig);
 	const state = randomState();
 	const codeVerifier = await generateCodeVerifier();
 	return new Promise((resolve, reject) => {
@@ -1747,13 +1757,14 @@ const startAuthServer = async () => {
 					state,
 					codeVerifier
 				});
-				const userInfo = await fetchUserInfo(tokens.accessToken);
+				const userInfo = await fetchUserInfo(tokens.accessToken, args.platformConfig);
+				assertProfileLoginUser(args, userInfo.email);
 				const pfConfig = await readPlatformConfig();
 				await saveUserTokens(pfConfig, userInfo.email, {
 					accessToken: tokens.accessToken,
 					refreshToken: tokens.refreshToken ?? void 0
-				}, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString());
-				pfConfig.current_user = userInfo.email;
+				}, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString(), args.platformConfig);
+				if (args.updateCurrentUser ?? true) pfConfig.current_user = userInfo.email;
 				writePlatformConfig(pfConfig);
 				res.writeHead(200, { "Content-Type": "application/json" });
 				res.end(JSON.stringify({
@@ -1795,17 +1806,22 @@ const startAuthServer = async () => {
 	});
 };
 async function loginAsMachineUser(args) {
+	assertProfileLoginUser(args, args.clientId);
 	const clientSecret = args.clientSecret ?? await prompt.password({ message: "Client secret" });
-	const tokens = await fetchPlatformMachineUserToken(args.clientId, clientSecret);
+	const tokens = await fetchPlatformMachineUserToken(args.clientId, clientSecret, args.platformConfig);
 	const pfConfig = await readPlatformConfig();
-	await saveUserTokens(pfConfig, args.clientId, { accessToken: tokens.accessToken }, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString());
-	pfConfig.current_user = args.clientId;
+	await saveUserTokens(pfConfig, args.clientId, { accessToken: tokens.accessToken }, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString(), args.platformConfig);
+	if (args.updateCurrentUser ?? true) pfConfig.current_user = args.clientId;
 	writePlatformConfig(pfConfig);
 }
 const loginCommand = defineAppCommand({
 	name: "login",
 	description: "Login to Tailor Platform.",
-	args: z.xor([z.object({}).strict().describe("User Login"), z.object({
+	args: z.xor([z.object({ profile: arg(z.string().optional(), {
+		alias: "p",
+		description: "Workspace profile whose platform settings should be used for login.",
+		env: "TAILOR_PLATFORM_PROFILE"
+	}) }).strict().describe("User Login"), z.object({
 		"machine-user": arg(z.literal(true), {
 			hiddenAlias: "machineuser",
 			description: "Login as a platform machine user.",
@@ -1819,14 +1835,37 @@ const loginCommand = defineAppCommand({
 		"client-secret": arg(z.string().optional(), {
 			description: "Client secret",
 			env: "TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET"
+		}),
+		profile: arg(z.string().optional(), {
+			alias: "p",
+			description: "Workspace profile whose platform settings should be used for login.",
+			env: "TAILOR_PLATFORM_PROFILE"
 		})
 	}).strict().describe("Machine User Login")]),
 	run: async (args) => {
+		let platformConfig;
+		let profileUser;
+		if ("profile" in args && args.profile) {
+			const profileEntry = (await readPlatformConfig()).profiles[args.profile];
+			if (!profileEntry) throw new Error(`Profile "${args.profile}" not found`);
+			platformConfig = platformConfigFromProfile(profileEntry);
+			profileUser = profileEntry.user;
+		}
+		const updateCurrentUser = shouldUpdateCurrentUser(args.profile, platformConfig);
 		if ("machine-user" in args) await loginAsMachineUser({
 			clientId: args.clientId,
-			clientSecret: args.clientSecret
+			clientSecret: args.clientSecret,
+			profile: args.profile,
+			profileUser,
+			platformConfig,
+			updateCurrentUser
+		});
+		else await startAuthServer({
+			profile: args.profile,
+			profileUser,
+			platformConfig,
+			updateCurrentUser
 		});
-		else await startAuthServer();
 		logger.success("Successfully logged in to Tailor Platform.");
 		await closeConnectionPool();
 	}
@@ -1837,30 +1876,53 @@ const loginCommand = defineAppCommand({
 const logoutCommand = defineAppCommand({
 	name: "logout",
 	description: "Logout from Tailor Platform.",
-	args: z.object({}).strict(),
-	run: async () => {
+	args: z.object({ profile: arg(z.string().optional(), {
+		alias: "p",
+		description: "Workspace profile whose platform settings should be used for logout.",
+		env: "TAILOR_PLATFORM_PROFILE"
+	}) }).strict(),
+	run: async (args) => {
+		const profile = args.profile || process.env.TAILOR_PLATFORM_PROFILE;
 		const pfConfig = await readPlatformConfig();
-		const currentUser = pfConfig.current_user;
-		const userEntry = currentUser ? pfConfig.users[currentUser] : void 0;
-		if (!userEntry || !currentUser) {
+		const profileEntry = profile ? pfConfig.profiles[profile] : void 0;
+		if (profile && !profileEntry) throw new Error(`Profile "${profile}" not found`);
+		const platformConfig = profileEntry ? platformConfigFromProfile(profileEntry) : void 0;
+		const currentUser = profileEntry ? profileEntry.user : pfConfig.current_user;
+		const deletesDefaultToken = isDefaultPlatform(platformConfig);
+		const lookupOptions = profile ? { allowLegacyUserKey: true } : void 0;
+		if (!currentUser) {
 			logger.info("You are not logged in.");
 			return;
 		}
+		const hasDefaultUserToken = () => hasUserTokenEntry(pfConfig, currentUser, { platformUrl: defaultPlatformBaseUrl });
+		const shouldClearCurrentUser = () => pfConfig.current_user === currentUser && (deletesDefaultToken ? !hasDefaultUserToken() : !hasAnyUserTokenEntry(pfConfig, currentUser) && !hasDefaultUserToken());
+		let storedTokens;
+		let tokenLoadFailed = false;
 		try {
-			const { accessToken, refreshToken } = await resolveTokens(userEntry, currentUser);
-			const client = initOAuth2Client();
-			const tokenTypeHint = refreshToken ? "refresh_token" : "access_token";
+			storedTokens = await loadStoredUserTokens(pfConfig, currentUser, platformConfig, lookupOptions);
+		} catch (error) {
+			tokenLoadFailed = true;
+			logger.warn(`Failed to revoke token: ${error instanceof Error ? error.message : error}`);
+		}
+		if (!storedTokens && !tokenLoadFailed) {
+			logger.info("You are not logged in.");
+			if (shouldClearCurrentUser()) pfConfig.current_user = null;
+			writePlatformConfig(pfConfig);
+			return;
+		}
+		if (storedTokens) try {
+			const client = initOAuth2Client(platformConfig);
+			const tokenTypeHint = storedTokens.refreshToken ? "refresh_token" : "access_token";
 			await client.revoke({
-				accessToken,
-				refreshToken: refreshToken ?? null,
-				expiresAt: Date.parse(userEntry.token_expires_at)
+				accessToken: storedTokens.accessToken,
+				refreshToken: storedTokens.refreshToken ?? null,
+				expiresAt: Date.parse(storedTokens.userEntry.token_expires_at)
 			}, tokenTypeHint);
 		} catch (error) {
 			logger.warn(`Failed to revoke token: ${error instanceof Error ? error.message : error}`);
 		}
-		await deleteUserTokens(pfConfig, currentUser);
-		delete pfConfig.users[currentUser];
-		pfConfig.current_user = null;
+		await deleteUserTokens(pfConfig, currentUser, platformConfig, lookupOptions);
+		if (shouldClearCurrentUser()) pfConfig.current_user = null;
 		writePlatformConfig(pfConfig);
 		logger.success("Successfully logged out from Tailor Platform.");
 	}
@@ -1896,7 +1958,6 @@ const oauth2clientCommand = defineCommand({
 
 //#endregion
 //#region src/cli/commands/open.ts
-const consoleBaseUrl = "https://console.tailor.tech";
 const openCommand = defineAppCommand({
 	name: "open",
 	description: "Open Tailor Platform Console.",
@@ -1909,6 +1970,10 @@ const openCommand = defineAppCommand({
 		const { config } = await loadConfig(args.config);
 		const applicationName = config.name;
 		const consolePath = `/workspaces/${workspaceId}/applications/${encodeURIComponent(applicationName)}/overview`;
+		const consoleBaseUrl = await loadConsoleBaseUrl({
+			profile: args.profile,
+			...args["workspace-id"] !== void 0 ? { allowMissingProfile: true } : {}
+		});
 		const consoleUrl = new URL(consolePath, consoleBaseUrl).toString();
 		const jsonOutput = logger.jsonMode;
 		logger.info("Opening Tailor Platform Console...");
@@ -1989,13 +2054,31 @@ const createCommand$2 = defineAppCommand({
 			alias: "m",
 			description: "Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token)."
 		}),
-		"machine-user-override": arg(z.enum(["allow", "deny"]).optional(), { description: "Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user." })
+		"machine-user-override": arg(z.enum(["allow", "deny"]).optional(), { description: "Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user." }),
+		"platform-url": arg(z.url().optional(), {
+			description: "Platform API base URL for this profile.",
+			env: "TAILOR_PLATFORM_URL"
+		}),
+		"oauth2-client-id": arg(z.string().optional(), {
+			description: "OAuth2 client ID for logging in to this profile's platform.",
+			env: "TAILOR_PLATFORM_OAUTH2_CLIENT_ID"
+		}),
+		"console-url": arg(z.url().optional(), {
+			description: "Console base URL for this profile.",
+			env: "TAILOR_PLATFORM_CONSOLE_URL"
+		})
 	}).strict(),
 	run: async (args) => {
 		if (args["machine-user-override"] === "deny" && !args["machine-user"]) throw new Error("--machine-user-override deny requires --machine-user.");
 		const config = await readPlatformConfig();
 		if (config.profiles[args.name]) throw new Error(`Profile "${args.name}" already exists.`);
-		const client = await initOperatorClient(await fetchLatestToken(config, args.user));
+		const platformConfigInput = {
+			...args["platform-url"] ? { platformUrl: args["platform-url"] } : {},
+			...args["oauth2-client-id"] ? { oauth2ClientId: args["oauth2-client-id"] } : {},
+			...args["console-url"] ? { consoleUrl: args["console-url"] } : {}
+		};
+		const platformConfig = Object.keys(platformConfigInput).length > 0 ? platformConfigInput : void 0;
+		const client = await initOperatorClient(await fetchLatestToken(config, args.user, platformConfig), platformConfig);
 		if (!(await fetchAll(async (pageToken, maxPageSize) => {
 			const { workspaces, nextPageToken } = await client.listWorkspaces({
 				pageToken,
@@ -2008,7 +2091,10 @@ const createCommand$2 = defineAppCommand({
 			workspace_id: args["workspace-id"],
 			...args.permission === "read" ? { readonly: true } : {},
 			...args["machine-user"] ? { machine_user: args["machine-user"] } : {},
-			...args["machine-user-override"] === "deny" ? { machine_user_override: "deny" } : {}
+			...args["machine-user-override"] === "deny" ? { machine_user_override: "deny" } : {},
+			...args["platform-url"] ? { platform_url: args["platform-url"] } : {},
+			...args["oauth2-client-id"] ? { oauth2_client_id: args["oauth2-client-id"] } : {},
+			...args["console-url"] ? { console_url: args["console-url"] } : {}
 		};
 		writePlatformConfig(config);
 		if (!args.json) logger.success(`Profile "${args.name}" created successfully.`);
@@ -2020,7 +2106,10 @@ const createCommand$2 = defineAppCommand({
 			...args["machine-user"] ? {
 				machineUser: args["machine-user"],
 				machineUserOverride: args["machine-user-override"] ?? "allow"
-			} : {}
+			} : {},
+			...args["platform-url"] ? { platformUrl: args["platform-url"] } : {},
+			...args["oauth2-client-id"] ? { oauth2ClientId: args["oauth2-client-id"] } : {},
+			...args["console-url"] ? { consoleUrl: args["console-url"] } : {}
 		};
 		logger.out(profileInfo);
 	}
@@ -2072,7 +2161,10 @@ const listCommand$4 = defineAppCommand({
 				...p.machine_user ? {
 					machineUser: p.machine_user,
 					machineUserOverride: p.machine_user_override ?? "allow"
-				} : {}
+				} : {},
+				...p.platform_url ? { platformUrl: p.platform_url } : {},
+				...p.oauth2_client_id ? { oauth2ClientId: p.oauth2_client_id } : {},
+				...p.console_url ? { consoleUrl: p.console_url } : {}
 			};
 		});
 		logger.out(profileInfos);
@@ -2102,25 +2194,38 @@ const updateCommand$1 = defineAppCommand({
 			alias: "m",
 			description: "Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token). Pass an empty string to clear."
 		}),
-		"machine-user-override": arg(z.enum(["allow", "deny"]).optional(), { description: "Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user; 'allow' lifts the restriction." })
+		"machine-user-override": arg(z.enum(["allow", "deny"]).optional(), { description: "Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user; 'allow' lifts the restriction." }),
+		"platform-url": arg(z.union([z.url(), z.literal("")]).optional(), { description: "Platform API base URL for this profile. Pass an empty string to clear." }),
+		"oauth2-client-id": arg(z.string().optional(), { description: "OAuth2 client ID for logging in to this profile's platform. Pass an empty string to clear." }),
+		"console-url": arg(z.union([z.url(), z.literal("")]).optional(), { description: "Console base URL for this profile. Pass an empty string to clear." })
 	}).strict(),
 	run: async (args) => {
 		const config = await readPlatformConfig();
 		const profile = config.profiles[args.name];
 		if (!profile) throw new Error(`Profile "${args.name}" not found.`);
-		if (!args.user && !args["workspace-id"] && args.permission === void 0 && args["machine-user"] === void 0 && args["machine-user-override"] === void 0) throw new Error("Please provide at least one property to update.");
+		if (!args.user && !args["workspace-id"] && args.permission === void 0 && args["machine-user"] === void 0 && args["machine-user-override"] === void 0 && args["platform-url"] === void 0 && args["oauth2-client-id"] === void 0 && args["console-url"] === void 0) throw new Error("Please provide at least one property to update.");
 		const oldUser = profile.user;
 		const newUser = args.user || oldUser;
 		const oldWorkspaceId = profile.workspace_id;
 		const newWorkspaceId = args["workspace-id"] || oldWorkspaceId;
 		const finalMachineUser = args["machine-user"] === "" ? void 0 : args["machine-user"] ?? profile.machine_user;
 		const finalOverride = args["machine-user-override"] === "allow" ? void 0 : args["machine-user-override"] ?? profile.machine_user_override;
+		const finalPlatformUrl = args["platform-url"] === "" ? void 0 : args["platform-url"] ?? profile.platform_url;
+		const finalOAuth2ClientId = args["oauth2-client-id"] === "" ? void 0 : args["oauth2-client-id"] ?? profile.oauth2_client_id;
+		const finalConsoleUrl = args["console-url"] === "" ? void 0 : args["console-url"] ?? profile.console_url;
+		const finalPlatformConfigInput = {
+			...finalPlatformUrl ? { platformUrl: finalPlatformUrl } : {},
+			...finalOAuth2ClientId ? { oauth2ClientId: finalOAuth2ClientId } : {},
+			...finalConsoleUrl ? { consoleUrl: finalConsoleUrl } : {}
+		};
+		const finalPlatformConfig = Object.keys(finalPlatformConfigInput).length > 0 ? finalPlatformConfigInput : void 0;
+		const tokenLookupPlatformConfig = args["platform-url"] === "" ? platformConfigFromProfile(profile) : finalPlatformConfig;
 		if ((args["machine-user"] !== void 0 || args["machine-user-override"] !== void 0) && finalOverride === "deny" && !finalMachineUser) {
 			if (args["machine-user-override"] === "deny") throw new Error("--machine-user-override deny requires --machine-user.");
 			throw new Error(`Cannot clear the machine user while machine-user-override is "deny". Also pass --machine-user-override allow.`);
 		}
-		if (args.user !== void 0 || args["workspace-id"] !== void 0) {
-			const client = await initOperatorClient(await fetchLatestToken(config, newUser));
+		if (args.user !== void 0 || args["workspace-id"] !== void 0 || args["platform-url"] !== void 0) {
+			const client = await initOperatorClient(await fetchLatestToken(config, newUser, tokenLookupPlatformConfig), finalPlatformConfig);
 			if (!(await fetchAll(async (pageToken, maxPageSize) => {
 				const { workspaces, nextPageToken } = await client.listWorkspaces({
 					pageToken,
@@ -2137,6 +2242,12 @@ const updateCommand$1 = defineAppCommand({
 		else profile.machine_user = args["machine-user"];
 		if (args["machine-user-override"] === "deny") profile.machine_user_override = "deny";
 		else if (args["machine-user-override"] === "allow") delete profile.machine_user_override;
+		if (args["platform-url"] !== void 0) if (args["platform-url"] === "") delete profile.platform_url;
+		else profile.platform_url = args["platform-url"];
+		if (args["oauth2-client-id"] !== void 0) if (args["oauth2-client-id"] === "") delete profile.oauth2_client_id;
+		else profile.oauth2_client_id = args["oauth2-client-id"];
+		if (args["console-url"] !== void 0) if (args["console-url"] === "") delete profile.console_url;
+		else profile.console_url = args["console-url"];
 		writePlatformConfig(config);
 		if (!args.json) logger.success(`Profile "${args.name}" updated successfully`);
 		const profileInfo = {
@@ -2147,7 +2258,10 @@ const updateCommand$1 = defineAppCommand({
 			...profile.machine_user ? {
 				machineUser: profile.machine_user,
 				machineUserOverride: profile.machine_user_override ?? "allow"
-			} : {}
+			} : {},
+			...profile.platform_url ? { platformUrl: profile.platform_url } : {},
+			...profile.oauth2_client_id ? { oauth2ClientId: profile.oauth2_client_id } : {},
+			...profile.console_url ? { consoleUrl: profile.console_url } : {}
 		};
 		logger.out(profileInfo);
 	}
@@ -2708,7 +2822,7 @@ function findTarget(lock, kind, workspaceName) {
 
 //#endregion
 //#region src/cli/commands/setup/branch.workflow.yml
-var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-generate-check\n        uses: tailor-platform/actions/generate-check@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-generate-check\n        uses: tailor-platform/actions/generate-check@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  # __ERD_PREVIEW_JOB_START__\n  tailor-erd-preview-matrix:\n    if: github.event_name == 'pull_request'\n    runs-on: ubuntu-latest\n    timeout-minutes: 5\n    permissions:\n      contents: read\n    outputs:\n      namespaces: ${{ steps.tailor-erd-preview-matrix.outputs.namespaces }}\n      base-app-dir: ${{ steps.tailor-erd-preview-matrix.outputs['base-app-dir'] }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n        with:\n          persist-credentials: false\n      - id: tailor-checkout-base\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n        with:\n          repository: ${{ github.event.pull_request.base.repo.full_name }}\n          ref: ${{ github.event.pull_request.base.sha }}\n          path: .tailor-erd-base\n          persist-credentials: false\n      - id: tailor-erd-preview-matrix\n        shell: bash\n        env:\n          APP_DIR: \"__APP_DIR__\"\n          WORKSPACE_NAME: \"__WORKSPACE_NAME__\"\n        run: |\n          set -euo pipefail\n          node <<'NODE'\n          const fs = require(\"node:fs\");\n\n          const appDir = process.env.APP_DIR || \".\";\n          const workspaceName = process.env.WORKSPACE_NAME;\n          const output = process.env.GITHUB_OUTPUT;\n          const dirPattern = /^[A-Za-z0-9._/-]+$/;\n          const namespacePattern = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;\n\n          function lockTarget(file) {\n            try {\n              const lock = JSON.parse(fs.readFileSync(file, \"utf8\"));\n              return lock.targets?.find(\n                (candidate) =>\n                  candidate.kind === \"branch\" &&\n                  candidate.workspaceName === workspaceName,\n              );\n            } catch (error) {\n              if (error && error.code === \"ENOENT\") return undefined;\n              throw error;\n            }\n          }\n\n          function namespacesFromTarget(target, label) {\n            const namespaces =\n              target?.inputs?.erdPreview === true && Array.isArray(target.inputs?.erdNamespaces)\n                ? target.inputs.erdNamespaces\n                : [];\n            for (const namespace of namespaces) {\n              if (typeof namespace !== \"string\" || !namespacePattern.test(namespace)) {\n                throw new Error(`Invalid ERD namespace in ${label}: ${String(namespace)}`);\n              }\n            }\n            return namespaces;\n          }\n\n          function normalizeDir(value, label) {\n            const raw = typeof value === \"string\" && value.length > 0 ? value : appDir;\n            const normalized =\n              raw.replaceAll(\"\\\\\", \"/\").replace(/\\/{2,}/g, \"/\").replace(/^\\.\\//, \"\").replace(/\\/$/, \"\") ||\n              \".\";\n            if (\n              !dirPattern.test(normalized) ||\n              normalized.startsWith(\"/\") ||\n              normalized.split(\"/\").includes(\"..\")\n            ) {\n              throw new Error(`Invalid ERD app dir in ${label}: ${raw}`);\n            }\n            return normalized;\n          }\n\n          const headTarget = lockTarget(\".github/tailor-sdk.lock\");\n          const baseTarget = lockTarget(\".tailor-erd-base/.github/tailor-sdk.lock\");\n          const baseAppDir = normalizeDir(baseTarget?.inputs?.dir, \"base setup lock\");\n          const namespaces = [\n            ...new Set([\n              ...namespacesFromTarget(headTarget, \"head setup lock\"),\n              ...namespacesFromTarget(baseTarget, \"base setup lock\"),\n            ]),\n          ].sort((a, b) => a.localeCompare(b));\n\n          if (namespaces.length === 0) {\n            console.error(\"No ERD preview namespaces found in the head or base setup lock.\");\n            process.exit(1);\n          }\n\n          fs.appendFileSync(output, `namespaces=${JSON.stringify(namespaces)}\\n`);\n          fs.appendFileSync(output, `base-app-dir=${baseAppDir}\\n`);\n          NODE\n\n  tailor-erd-preview:\n    needs: tailor-erd-preview-matrix\n    if: github.event_name == 'pull_request'\n    runs-on: ubuntu-latest\n    timeout-minutes: 15\n    permissions:\n      contents: read\n    strategy:\n      fail-fast: false\n      matrix:\n        namespace: ${{ fromJSON(needs.tailor-erd-preview-matrix.outputs.namespaces) }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n        with:\n          persist-credentials: false\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-checkout-base\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n        with:\n          repository: ${{ github.event.pull_request.base.repo.full_name }}\n          ref: ${{ github.event.pull_request.base.sha }}\n          path: .tailor-erd-base\n          persist-credentials: false\n      - id: tailor-detect-base-package-manager\n        shell: bash\n        run: |\n          set -euo pipefail\n          cd .tailor-erd-base\n          base_package_manager=\"$(\n            if [ -f pnpm-lock.yaml ]; then\n              echo pnpm\n            elif [ -f yarn.lock ]; then\n              echo yarn\n            elif [ -f bun.lockb ] || [ -f bun.lock ]; then\n              echo bun\n            elif [ -f package-lock.json ]; then\n              echo npm\n            else\n              echo \"__PACKAGE_MANAGER__\"\n            fi\n          )\"\n          echo \"package-manager=$base_package_manager\" >> \"$GITHUB_OUTPUT\"\n          if [ \"$base_package_manager\" = \"pnpm\" ]; then\n            base_pnpm_version=\"$(node <<'NODE'\n          const fs = require(\"node:fs\");\n\n          const fallback = \"10\";\n\n          function readManifest(file) {\n            try {\n              return JSON.parse(fs.readFileSync(file, \"utf8\"));\n            } catch {\n              return {};\n            }\n          }\n\n          function pnpmVersion(manifest) {\n            const packageManager = manifest.packageManager;\n            if (typeof packageManager === \"string\" && packageManager.startsWith(\"pnpm@\")) {\n              return packageManager.slice(\"pnpm@\".length).split(\"+\")[0];\n            }\n\n            const devPackageManager = manifest.devEngines?.packageManager;\n            if (devPackageManager?.name === \"pnpm\" && devPackageManager.version) {\n              return devPackageManager.version;\n            }\n\n            return undefined;\n          }\n\n          process.stdout.write(\n            pnpmVersion(readManifest(\"package.json\")) ?? fallback,\n          );\n          NODE\n          )\"\n            echo \"pnpm-version=$base_pnpm_version\" >> \"$GITHUB_OUTPUT\"\n          fi\n      - id: tailor-setup-base-pnpm\n        if: steps.tailor-detect-base-package-manager.outputs['package-manager'] == 'pnpm'\n        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9\n        with:\n          version: ${{ steps.tailor-detect-base-package-manager.outputs['pnpm-version'] }}\n          package_json_file: .tailor-erd-base/package.json\n          run_install: false\n      - id: tailor-setup-base-node\n        if: steps.tailor-detect-base-package-manager.outputs['package-manager'] != 'bun'\n        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n        with:\n          node-version-file: .tailor-erd-base/package.json\n      - id: tailor-setup-base-yarn\n        if: steps.tailor-detect-base-package-manager.outputs['package-manager'] == 'yarn'\n        shell: bash\n        working-directory: .tailor-erd-base\n        run: |\n          set -euo pipefail\n          corepack enable\n      - id: tailor-setup-base-bun\n        if: steps.tailor-detect-base-package-manager.outputs['package-manager'] == 'bun'\n        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n      - id: tailor-install-base\n        shell: bash\n        working-directory: .tailor-erd-base\n        env:\n          BASE_PACKAGE_MANAGER: ${{ steps.tailor-detect-base-package-manager.outputs['package-manager'] }}\n        run: |\n          set -euo pipefail\n          case \"$BASE_PACKAGE_MANAGER\" in\n            pnpm) pnpm install --frozen-lockfile ;;\n            npm) npm ci ;;\n            yarn)\n              if grep -q '^__metadata:' yarn.lock; then\n                yarn install --immutable\n              else\n                yarn install --frozen-lockfile\n              fi\n              ;;\n            bun) bun install --frozen-lockfile ;;\n            *)\n              echo \"::error::Unsupported base package-manager '$BASE_PACKAGE_MANAGER' (expected pnpm, npm, yarn, or bun)\"\n              exit 1\n              ;;\n          esac\n      - id: tailor-restore-head-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-build-erd-preview\n        shell: bash\n        env:\n          APP_DIR: \"__APP_DIR__\"\n          BASE_APP_DIR: ${{ needs.tailor-erd-preview-matrix.outputs['base-app-dir'] }}\n          BASE_PACKAGE_MANAGER: ${{ steps.tailor-detect-base-package-manager.outputs['package-manager'] }}\n          NAMESPACE: ${{ matrix.namespace }}\n        run: |\n          set -euo pipefail\n\n          run_tailor_sdk() {\n            case \"__PACKAGE_MANAGER__\" in\n              pnpm) pnpm exec tailor-sdk \"$@\" ;;\n              npm) npx tailor-sdk \"$@\" ;;\n              yarn) yarn tailor-sdk \"$@\" ;;\n              bun) bunx tailor-sdk \"$@\" ;;\n              *)\n                echo \"::error::Unsupported package-manager '__PACKAGE_MANAGER__' (expected pnpm, npm, yarn, or bun)\"\n                exit 1\n                ;;\n            esac\n          }\n\n          run_head_node() {\n            case \"__PACKAGE_MANAGER__\" in\n              pnpm) pnpm exec node \"$@\" ;;\n              npm) node \"$@\" ;;\n              yarn) yarn node \"$@\" ;;\n              bun) node \"$@\" ;;\n              *)\n                echo \"::error::Unsupported package-manager '__PACKAGE_MANAGER__' (expected pnpm, npm, yarn, or bun)\"\n                exit 1\n                ;;\n            esac\n          }\n\n          tailor_sdk_bin=\"$(\n            run_head_node - <<'NODE'\n          const path = require(\"node:path\");\n          const { createRequire } = require(\"node:module\");\n          const appDir = process.env.APP_DIR || \".\";\n          const githubWorkspace = process.env.GITHUB_WORKSPACE;\n          if (!githubWorkspace) {\n            throw new Error(\"GITHUB_WORKSPACE is required.\");\n          }\n\n          let lastError;\n          for (const manifestPath of [\n            path.join(githubWorkspace, appDir, \"package.json\"),\n            path.join(githubWorkspace, \"package.json\"),\n          ]) {\n            try {\n              const requireFromManifest = createRequire(manifestPath);\n              process.stdout.write(\n                path.join(\n                  path.dirname(requireFromManifest.resolve(\"@tailor-platform/sdk/cli\")),\n                  \"index.mjs\",\n                ),\n              );\n              process.exit(0);\n            } catch (error) {\n              lastError = error;\n            }\n          }\n          throw lastError || new Error(\"Failed to resolve @tailor-platform/sdk/cli.\");\n          NODE\n          )\"\n\n          run_head_tailor_sdk_bin() {\n            local command_cwd=\"$1\"\n            shift\n\n            run_head_cli_env() {\n              env TAILOR_SDK_BIN=\"$tailor_sdk_bin\" TAILOR_SDK_CWD=\"$command_cwd\" \"$@\"\n            }\n\n            (\n              cd \"$GITHUB_WORKSPACE\" || exit 1\n              case \"__PACKAGE_MANAGER__\" in\n                pnpm) run_head_cli_env pnpm exec node \"$head_cli_runner\" \"$@\" ;;\n                npm) run_head_cli_env node \"$head_cli_runner\" \"$@\" ;;\n                yarn) run_head_cli_env yarn node \"$head_cli_runner\" \"$@\" ;;\n                bun) run_head_cli_env bun \"$head_cli_runner\" \"$@\" ;;\n                *)\n                  echo \"::error::Unsupported package-manager '__PACKAGE_MANAGER__' (expected pnpm, npm, yarn, or bun)\"\n                  exit 1\n                  ;;\n              esac\n            )\n          }\n\n          run_base_tailor_sdk_bin() {\n            local command_cwd=\"$1\"\n            shift\n\n            run_head_cli_env() {\n              env TAILOR_SDK_BIN=\"$tailor_sdk_bin\" TAILOR_SDK_CWD=\"$command_cwd\" \"$@\"\n            }\n\n            (\n              cd \"$command_cwd\" || exit 1\n              case \"$BASE_PACKAGE_MANAGER\" in\n                pnpm) run_head_cli_env pnpm exec node \"$head_cli_runner\" \"$@\" ;;\n                npm) run_head_cli_env node \"$head_cli_runner\" \"$@\" ;;\n                yarn) run_head_cli_env yarn node \"$head_cli_runner\" \"$@\" ;;\n                bun) run_head_cli_env bun \"$head_cli_runner\" \"$@\" ;;\n                *)\n                  echo \"::error::Unsupported base package-manager '$BASE_PACKAGE_MANAGER' (expected pnpm, npm, yarn, or bun)\"\n                  exit 1\n                  ;;\n              esac\n            )\n          }\n\n          head_output=\"$RUNNER_TEMP/tailor-erd/head\"\n          base_output=\"$RUNNER_TEMP/tailor-erd/base\"\n          preview_output=\"$RUNNER_TEMP/tailor-erd/preview\"\n          dts_output=\"$RUNNER_TEMP/tailor-erd/dts\"\n          head_cli_runner=\"$RUNNER_TEMP/tailor-erd/run-head-tailor-sdk.mjs\"\n          head_log=\"$RUNNER_TEMP/tailor-erd/head-$NAMESPACE.log\"\n          base_log=\"$RUNNER_TEMP/tailor-erd/base-$NAMESPACE.log\"\n          rm -rf \"$head_output\" \"$base_output\" \"$preview_output\" \"$dts_output\"\n          mkdir -p \"$head_output\" \"$base_output\" \"$preview_output\" \"$dts_output\"\n          cat > \"$head_cli_runner\" <<'NODE'\n          import { pathToFileURL } from \"node:url\";\n\n          const cliBin = process.env.TAILOR_SDK_BIN;\n          const commandCwd = process.env.TAILOR_SDK_CWD;\n          if (!cliBin || !commandCwd) {\n            throw new Error(\"TAILOR_SDK_BIN and TAILOR_SDK_CWD are required.\");\n          }\n\n          process.chdir(commandCwd);\n          process.argv = [process.argv[0], cliBin, ...process.argv.slice(2)];\n          await import(pathToFileURL(cliBin).href);\n          NODE\n\n          head_config=\"$GITHUB_WORKSPACE/$APP_DIR/tailor.config.ts\"\n          base_config=\"$GITHUB_WORKSPACE/.tailor-erd-base/$BASE_APP_DIR/tailor.config.ts\"\n          head_html=\"$head_output/$NAMESPACE/dist/index.html\"\n          base_html=\"$base_output/$NAMESPACE/dist/index.html\"\n          preview_html=\"$preview_output/$NAMESPACE-viewer.html\"\n\n          head_missing=\"false\"\n          if [ ! -f \"$head_config\" ]; then\n            echo \"Head ERD config not found; rendering base objects as removed.\"\n            head_missing=\"true\"\n          elif ! (\n            cd \"$GITHUB_WORKSPACE/$APP_DIR\" || exit 1\n            TAILOR_PLATFORM_SDK_DTS_PATH=\"$dts_output/head-$NAMESPACE.d.ts\" \\\n              run_tailor_sdk tailordb erd export --config \"$head_config\" --namespace \"$NAMESPACE\" --output \"$head_output\"\n          ) >\"$head_log\" 2>&1; then\n            if grep -q 'not found in local config.db' \"$head_log\"; then\n              cat \"$head_log\"\n              echo \"Head ERD namespace '$NAMESPACE' not found; rendering base objects as removed.\"\n              head_missing=\"true\"\n            else\n              cat \"$head_log\"\n              exit 1\n            fi\n          elif [ -s \"$head_log\" ]; then\n            cat \"$head_log\"\n          fi\n\n          base_missing=\"false\"\n          if [ ! -f \"$base_config\" ]; then\n            echo \"Base ERD config not found; rendering current objects as added.\"\n            base_missing=\"true\"\n          elif ! (\n            TAILOR_PLATFORM_SDK_DTS_PATH=\"$dts_output/base-$NAMESPACE.d.ts\" \\\n              run_base_tailor_sdk_bin \"$GITHUB_WORKSPACE/.tailor-erd-base/$BASE_APP_DIR\" tailordb erd export --config \"$base_config\" --namespace \"$NAMESPACE\" --output \"$base_output\"\n          ) >\"$base_log\" 2>&1; then\n            if grep -q 'not found in local config.db' \"$base_log\"; then\n              cat \"$base_log\"\n              echo \"Base ERD namespace '$NAMESPACE' not found; rendering current objects as added.\"\n              base_missing=\"true\"\n            else\n              cat \"$base_log\"\n              exit 1\n            fi\n          elif [ -s \"$base_log\" ]; then\n            cat \"$base_log\"\n          fi\n\n          if [ \"$head_missing\" = \"true\" ] && [ \"$base_missing\" = \"true\" ]; then\n            echo \"::error::ERD namespace '$NAMESPACE' was not found in head or base.\"\n            exit 1\n          fi\n          if [ \"$head_missing\" = \"false\" ] && [ ! -f \"$head_html\" ]; then\n            echo \"::error::Head ERD viewer was not generated at $head_html\"\n            exit 1\n          fi\n          if [ \"$base_missing\" = \"false\" ] && [ ! -f \"$base_html\" ]; then\n            echo \"::error::Base ERD viewer was not generated at $base_html\"\n            exit 1\n          fi\n\n          diff_args=(--namespace \"$NAMESPACE\" --output \"$preview_html\")\n          if [ \"$head_missing\" = \"false\" ]; then\n            diff_args+=(--head-html \"$head_html\")\n          fi\n          if [ \"$base_missing\" = \"false\" ]; then\n            diff_args+=(--base-html \"$base_html\")\n          fi\n          run_head_tailor_sdk_bin \"$GITHUB_WORKSPACE\" tailordb erd diff \"${diff_args[@]}\"\n      - id: tailor-upload-erd-viewer\n        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1\n        with:\n          name: ${{ matrix.namespace }}-viewer.html\n          path: ${{ runner.temp }}/tailor-erd/preview/${{ matrix.namespace }}-viewer.html\n          if-no-files-found: error\n          archive: false\n          retention-days: 7\n\n  # __ERD_PREVIEW_JOB_END__\n  # __ERD_PREVIEW_COMMENT_JOB_START__\n  tailor-erd-preview-comment:\n    needs: tailor-erd-preview\n    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository\n    runs-on: ubuntu-latest\n    timeout-minutes: 5\n    permissions:\n      actions: read\n      pull-requests: write\n    steps:\n      - id: tailor-comment-erd-preview\n        env:\n          GH_TOKEN: ${{ github.token }}\n          REPO: ${{ github.repository }}\n          RUN_ID: ${{ github.run_id }}\n          SERVER: ${{ github.server_url }}\n          PR_NUMBER: ${{ github.event.pull_request.number }}\n          BASE_REF: ${{ github.event.pull_request.base.ref }}\n          HEAD_SHA: ${{ github.event.pull_request.head.sha }}\n          MARKER: \"<!-- tailor-erd-preview: __WORKSPACE_NAME__ -->\"\n        run: |\n          set -euo pipefail\n\n          current_head=$(gh api \"repos/$REPO/pulls/$PR_NUMBER\" --jq '.head.sha')\n          if [ \"$current_head\" != \"$HEAD_SHA\" ]; then\n            echo \"Skipping stale ERD preview comment for $HEAD_SHA; current head is $current_head.\"\n            exit 0\n          fi\n\n          body=\"$MARKER\"$'\\n'\"### TailorDB ERD preview (__WORKSPACE_NAME__)\"$'\\n\\n'\n          body+=\"Self-contained ERD viewer HTML artifacts for this pull request. Each viewer can switch between the current schema and a diff against base branch \\`$BASE_REF\\`.\"$'\\n'\n\n          while IFS=$'\\t' read -r name id; do\n            [ -z \"$name\" ] && continue\n            if [[ \"$name\" != *-viewer.html ]]; then\n              continue\n            fi\n            ns=${name%-viewer.html}\n            label=\"$ns viewer\"\n            body+=$'\\n'\"- **$label**: [$name]($SERVER/$REPO/actions/runs/$RUN_ID/artifacts/$id)\"\n          done < <(gh api \"repos/$REPO/actions/runs/$RUN_ID/artifacts\" --paginate \\\n            --jq '.artifacts[] | select(.name | endswith(\"-viewer.html\")) | [.name, (.id|tostring)] | @tsv' | sort)\n\n          existing=$(gh api \"repos/$REPO/issues/$PR_NUMBER/comments\" --paginate \\\n            --jq 'map(select(.body | contains(env.MARKER))) | .[0].id // empty')\n          if [ -n \"$existing\" ]; then\n            gh api --method PATCH \"repos/$REPO/issues/comments/$existing\" -f body=\"$body\" >/dev/null\n          else\n            gh api --method POST \"repos/$REPO/issues/$PR_NUMBER/comments\" -f body=\"$body\" >/dev/null\n          fi\n\n  # __ERD_PREVIEW_COMMENT_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
 //#region src/cli/commands/setup/tag.workflow.yml
@@ -2752,7 +2866,7 @@ function applyCommon(content, params) {
 	const { workingDirectory, environment, packageManager } = params;
 	let out = line(content, "HEADER", HEADER);
 	out = line(out, "WORKING_DIRECTORY", workingDirectory ? `working-directory: ${workingDirectory}` : void 0);
-	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PACKAGE_MANAGER__", () => packageManager);
+	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PACKAGE_MANAGER__", () => packageManager).replaceAll("__APP_DIR__", () => workingDirectory ?? ".");
 }
 /**
 * Render the branch-target deploy workflow.
@@ -2765,8 +2879,11 @@ function applyCommon(content, params) {
 */
 function renderBranchWorkflow(params) {
 	const { branch, plan } = params;
+	const erdPreview = plan ? params.erdPreview : null;
 	let out = branch_workflow_default;
 	out = block(out, "PLAN_JOB", plan);
+	out = block(out, "ERD_PREVIEW_JOB", erdPreview !== null);
+	out = block(out, "ERD_PREVIEW_COMMENT_JOB", erdPreview !== null);
 	out = block(out, "PULL_REQUEST", plan);
 	out = block(out, "DISPATCH_INPUTS", plan);
 	out = line(out, "DEPLOY_IF", plan ? `if: >-\n  github.event_name == 'push' ||\n  (github.event_name == 'workflow_dispatch' && !inputs['dry-run'])` : void 0);
@@ -2774,6 +2891,7 @@ function renderBranchWorkflow(params) {
 	out = applyCommon(out, params).replaceAll("__BRANCH__", () => branch);
 	const generatedIds = [];
 	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", "tailor-plan/tailor-setup", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
+	if (erdPreview) generatedIds.push("tailor-erd-preview-matrix", "tailor-erd-preview-matrix/tailor-checkout", "tailor-erd-preview-matrix/tailor-checkout-base", "tailor-erd-preview-matrix/tailor-erd-preview-matrix", "tailor-erd-preview", "tailor-erd-preview/tailor-checkout", "tailor-erd-preview/tailor-setup", "tailor-erd-preview/tailor-checkout-base", "tailor-erd-preview/tailor-detect-base-package-manager", "tailor-erd-preview/tailor-setup-base-pnpm", "tailor-erd-preview/tailor-setup-base-node", "tailor-erd-preview/tailor-setup-base-yarn", "tailor-erd-preview/tailor-setup-base-bun", "tailor-erd-preview/tailor-install-base", "tailor-erd-preview/tailor-restore-head-setup", "tailor-erd-preview/tailor-build-erd-preview", "tailor-erd-preview/tailor-upload-erd-viewer", "tailor-erd-preview-comment", "tailor-erd-preview-comment/tailor-comment-erd-preview");
 	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", "tailor-deploy/tailor-setup", "tailor-deploy/tailor-apply");
 	return {
 		content: out,
@@ -2843,6 +2961,15 @@ function findTargetDrift(target, state) {
 		rule: "default-branch",
 		message: `The workflow triggers on "${target.inputs.branch}" but the repository default branch is now "${state.defaultBranch}". If this is intentional, ignore this; otherwise re-run setup so the trigger matches the default branch.`
 	});
+	if (target.kind === "branch" && target.inputs.erdPreview && state.configExists) {
+		const recorded = [...target.inputs.erdNamespaces ?? []].toSorted((a, b) => a.localeCompare(b));
+		const current = state.erdNamespaces?.toSorted((a, b) => a.localeCompare(b)) ?? null;
+		if (current === null || recorded.length !== current.length || recorded.some((namespace, index) => namespace !== current[index])) findings.push({
+			target: id,
+			rule: "erd-namespaces",
+			message: "TailorDB namespaces for ERD preview changed. Re-run setup so the ERD preview matrix is regenerated."
+		});
+	}
 	return findings;
 }
 function detectDefaultBranchSafe(cwd, run) {
@@ -2871,6 +2998,10 @@ function readHash(absFile) {
 		return null;
 	}
 }
+async function defaultLoadErdNamespaces$1(configPath) {
+	const { config } = await loadConfig(configPath);
+	return extractOwnedNamespaces(config);
+}
 /**
 * Audit the generated workflows for drift against the current config/repo
 * state. Read-only: never writes files, the lock, or the config.
@@ -2880,24 +3011,28 @@ function readHash(absFile) {
 * (per-rule ignore / continue-on-error); the CLI itself reports via exit code.
 * @param options - Check options
 */
-function checkGitHub(options) {
+async function checkGitHub(options) {
 	logBetaWarning("setup");
 	const { outputDir } = options;
 	const lock = readLock(outputDir);
 	if (!lock || lock.targets.length === 0) throw new Error("No managed workflows found (.github/tailor-sdk.lock is missing or empty). Run `tailor-sdk setup` first.");
 	const exists = options.configExistsAt ?? ((p) => fs$1.existsSync(p));
 	const defaultBranch = detectDefaultBranchSafe(outputDir, options.gitRunner);
+	const loadErdNamespaces = options.loadErdNamespaces ?? defaultLoadErdNamespaces$1;
 	const findings = [];
 	for (const target of lock.targets) {
 		const absFile = resolveWithinRoot(outputDir, target.file);
 		const currentHash = absFile === null ? null : readHash(absFile);
 		const configAbs = resolveWithinRoot(outputDir, path.join(target.inputs.dir, "tailor.config.ts"));
+		const configExists = configAbs !== null && exists(configAbs);
+		const erdNamespaces = target.kind === "branch" && target.inputs.erdPreview && configAbs !== null && configExists ? await loadErdNamespaces(configAbs) : null;
 		findings.push(...findTargetDrift(target, {
 			fileExists: currentHash !== null,
 			currentHash,
-			configExists: configAbs !== null && exists(configAbs),
+			configExists,
 			defaultBranch,
-			templateVersion: 2
+			templateVersion: 5,
+			erdNamespaces
 		}));
 	}
 	const count = lock.targets.length;
@@ -2915,6 +3050,10 @@ async function defaultLoadConfigName(configPath) {
 	const { config } = await loadConfig(configPath);
 	return config.name;
 }
+async function defaultLoadErdNamespaces(configPath) {
+	const { config } = await loadConfig(configPath);
+	return extractOwnedNamespaces(config);
+}
 const WORKSPACE_NAME_RE = /^[a-z0-9-]+$/;
 function validateWorkspaceName(name) {
 	if (name.length < 3 || name.length > 63 || !WORKSPACE_NAME_RE.test(name) || name.startsWith("-") || name.endsWith("-")) throw new Error(`Invalid workspace name "${name}". Names must be 3-63 characters of lowercase letters, numbers, and hyphens, and cannot start or end with a hyphen. Pass a valid name with --workspace-name.`);
@@ -2935,6 +3074,10 @@ const DIR_RE = /^[A-Za-z0-9._/-]+$/;
 function validateDir(dir) {
 	if (!DIR_RE.test(dir)) throw new Error(`Invalid --dir "${dir}". Only letters, numbers, ".", "_", "/", and "-" are supported.`);
 }
+const ERD_NAMESPACE_RE = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
+function validateErdNamespaces(namespaces) {
+	for (const namespace of namespaces) if (!ERD_NAMESPACE_RE.test(namespace)) throw new Error(`TailorDB namespace "${namespace}" cannot be used in --erd-preview. Only letters, numbers, '.', '_', and '-' are supported, and the name must start with a letter or number.`);
+}
 function escapesRoot(rel) {
 	return rel === ".." || rel.startsWith(`..${path.sep}`) || rel.startsWith("../") || path.isAbsolute(rel);
 }
@@ -2968,6 +3111,7 @@ function resolveConfigPath(outputDir, dir) {
 */
 async function resolve$1(options) {
 	if (options.tag && !options.plan) throw new Error("--no-plan cannot be combined with --tag (tag targets always run plan before deploy). Drop --no-plan or use a branch target.");
+	if (options.erdPreview && (options.tag || !options.plan)) throw new Error("--erd-preview requires a branch target with plan enabled.");
 	const dir = options.dir.replaceAll("\\", "/").replace(/\/{2,}/g, "/").replace(/^\.\//, "").replace(/\/$/, "") || ".";
 	validateDir(dir);
 	const workingDirectory = dir !== "." ? dir : void 0;
@@ -2984,6 +3128,12 @@ async function resolve$1(options) {
 	let branch = null;
 	let branchAutoDetected = false;
 	let render;
+	let erdNamespaces = [];
+	if (options.erdPreview) {
+		erdNamespaces = await (options.loadErdNamespaces ?? defaultLoadErdNamespaces)(configPath);
+		if (erdNamespaces.length === 0) throw new Error("No TailorDB namespaces found for --erd-preview. Define owned db namespaces in tailor.config.ts.");
+		validateErdNamespaces(erdNamespaces);
+	}
 	if (kind === "branch") {
 		branchAutoDetected = options.branch === void 0;
 		branch = options.branch ?? detectDefaultBranch(options.outputDir, options.gitRunner);
@@ -2994,7 +3144,8 @@ async function resolve$1(options) {
 			workingDirectory,
 			environment,
 			packageManager,
-			plan: options.plan
+			plan: options.plan,
+			erdPreview: options.erdPreview ? { namespaces: erdNamespaces } : null
 		});
 	} else {
 		branch = options.branch ?? null;
@@ -3016,7 +3167,9 @@ async function resolve$1(options) {
 		environment,
 		dir,
 		packageManager,
-		plan: kind === "branch" ? options.plan : true
+		plan: kind === "branch" ? options.plan : true,
+		erdPreview: kind === "branch" ? options.erdPreview : false,
+		erdNamespaces: kind === "branch" && options.erdPreview ? erdNamespaces : void 0
 	};
 	return {
 		kind,
@@ -3024,6 +3177,7 @@ async function resolve$1(options) {
 		branch,
 		environment,
 		packageManager,
+		erdNamespaces,
 		render,
 		inputs,
 		file,
@@ -3128,7 +3282,7 @@ async function setupGitHub(options) {
 		kind: resolved.kind,
 		workspaceName: resolved.workspaceName,
 		file: resolved.file,
-		templateVersion: 2,
+		templateVersion: 5,
 		inputs: resolved.inputs,
 		generatedIds: resolved.render.generatedIds,
 		ejectedIds: existing?.ejectedIds ?? [],
@@ -3157,8 +3311,8 @@ const checkCommand = defineAppCommand({
 	name: "check",
 	description: "Audit generated workflows for drift against the current config/repo (read-only).",
 	args: z.object({}).strict(),
-	run: () => {
-		checkGitHub({ outputDir: process.cwd() });
+	run: async () => {
+		await checkGitHub({ outputDir: process.cwd() });
 	}
 });
 const setupCommand = defineAppCommand({
@@ -3178,6 +3332,7 @@ const setupCommand = defineAppCommand({
 		"tag-pattern": arg(z.string().min(1).optional(), { description: "Tag glob to match (requires --tag; defaults to v*)" }),
 		environment: arg(z.string().min(1).optional(), { description: "GitHub Environment for the plan/deploy jobs (defaults to the workspace name)" }),
 		"no-plan": arg(z.boolean().default(false), { description: "Disable the plan job for a branch target (cannot be combined with --tag)" }),
+		"erd-preview": arg(z.boolean().default(false), { description: "Add PR ERD viewer artifacts with current/diff previews for TailorDB namespaces" }),
 		dir: arg(z.string().min(1).default("."), {
 			alias: "d",
 			description: "App directory (for monorepo setups)"
@@ -3195,6 +3350,7 @@ const setupCommand = defineAppCommand({
 			tagPattern: args["tag-pattern"] ?? "v*",
 			environment: args.environment,
 			plan: !args["no-plan"],
+			erdPreview: args["erd-preview"],
 			dir: args.dir,
 			force: args.force,
 			outputDir: process.cwd()
@@ -3972,6 +4128,9 @@ async function initErdDeployContext(args) {
 const VIEWER_ASSETS_DIR = "erd-viewer-assets";
 const STYLES_LINK = "<link rel=\"stylesheet\" href=\"./styles.css\" />";
 const APP_SCRIPT = "<script src=\"./app.js\" type=\"module\"><\/script>";
+function escapeHtml(value) {
+	return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;");
+}
 function assetDirCandidates() {
 	const currentDir = path.dirname(fileURLToPath(import.meta.url));
 	return [
@@ -3994,8 +4153,8 @@ function resolveViewerAssetsDir() {
 * are inlined as separately extractable blocks: a `<style>` element, a
 * `<script type="module">`, and a `<script type="application/json"
 * id="erd-schema">` data block. This renders without any sibling asset files
-* and lets external tooling (e.g. a future ERD diff) pull out the schema via
-* `JSON.parse`.
+* and lets external tooling (including the ERD diff command) pull out the
+* schema via `JSON.parse`.
 * @param options - Viewer build options.
 * @returns The self-contained HTML document.
 */
@@ -4006,8 +4165,10 @@ function buildViewerHtml(options) {
 	const appJs = fs$1.readFileSync(path.join(assetsDir, "app.js"), "utf8");
 	if (!html.includes(STYLES_LINK) || !html.includes(APP_SCRIPT)) throw new Error("ERD viewer index.html is missing expected asset references for inlining.");
 	const embedScript = `<script type="application/json" id="erd-schema">${JSON.stringify(options.schema).replaceAll("<", "\\u003c")}<\/script>`;
+	const currentSchemaScript = options.currentSchema === void 0 ? "" : `\n    <script type="application/json" id="erd-current-schema">${JSON.stringify(options.currentSchema).replaceAll("<", "\\u003c")}<\/script>`;
+	const diffScript = options.diff === void 0 ? "" : `\n    <script type="application/json" id="erd-diff">${JSON.stringify(options.diff).replaceAll("<", "\\u003c")}<\/script>`;
 	const inlineScript = `<script type="module">\n${appJs.replace(/<\/script/gi, "<\\/script")}\n<\/script>`;
-	return html.replace(STYLES_LINK, `<style>\n${css}\n</style>`).replace(APP_SCRIPT, `${embedScript}\n    ${inlineScript}`);
+	return html.replace("<title>TailorDB ERD</title>", `<title>${escapeHtml(options.title ?? "TailorDB ERD")}</title>`).replace(STYLES_LINK, `<style>\n${css}\n</style>`).replace(APP_SCRIPT, `${embedScript}${currentSchemaScript}${diffScript}\n    ${inlineScript}`);
 }
 /**
 * Write the self-contained TailorDB ERD viewer to `<distDir>/index.html`.
@@ -4177,6 +4338,362 @@ const erdDeployCommand = defineAppCommand({
 	}
 });
 
+//#endregion
+//#region src/cli/commands/tailordb/erd/diff.ts
+const SCHEMA_BLOCK_PATTERN = /<script type="application\/json" id="erd-schema">([\s\S]*?)<\/script>/;
+function stableValue(value) {
+	if (Array.isArray(value)) return value.map((item) => stableValue(item));
+	if (value && typeof value === "object") return Object.fromEntries(Object.entries(value).toSorted(([a], [b]) => a.localeCompare(b)).map(([key, item]) => [key, stableValue(item)]));
+	return value;
+}
+function stableJson(value) {
+	return JSON.stringify(stableValue(value));
+}
+function changedFields(base, head) {
+	return [.../* @__PURE__ */ new Set([...Object.keys(base), ...Object.keys(head)])].toSorted((a, b) => a.localeCompare(b)).filter((key) => stableJson(base[key]) !== stableJson(head[key]));
+}
+function detailForChangedFields(fields) {
+	return `Changed fields: ${fields.join(", ")}`;
+}
+function mapByName(items) {
+	return new Map(items.map((item) => [item.name, item]));
+}
+function compareCommonNamed(baseItems, headItems, addChange) {
+	const baseByName = mapByName(baseItems);
+	const headByName = mapByName(headItems);
+	const commonNames = [...baseByName.keys()].filter((name) => headByName.has(name)).toSorted((a, b) => a.localeCompare(b));
+	for (const name of commonNames) {
+		const base = baseByName.get(name);
+		const head = headByName.get(name);
+		if (!base || !head) continue;
+		const fields = changedFields(base, head);
+		if (fields.length > 0) addChange(name, fields);
+	}
+}
+function removedNames(baseItems, headItems) {
+	const headByName = mapByName(headItems);
+	return baseItems.map((item) => item.name).filter((name) => !headByName.has(name)).toSorted((a, b) => a.localeCompare(b));
+}
+function addedNames(baseItems, headItems) {
+	const baseByName = mapByName(baseItems);
+	return headItems.map((item) => item.name).filter((name) => !baseByName.has(name)).toSorted((a, b) => a.localeCompare(b));
+}
+function tableMetadata(table) {
+	return {
+		backwardRelationships: table.backwardRelationships,
+		description: table.description,
+		forwardRelationships: table.forwardRelationships,
+		pluralForm: table.pluralForm,
+		source: table.source
+	};
+}
+function pushChange(changes, change) {
+	changes.push(change);
+}
+function diffColumns(changes, tableName, baseColumns, headColumns) {
+	compareCommonNamed(baseColumns, headColumns, (name, fields) => {
+		pushChange(changes, {
+			action: "changed",
+			entity: "column",
+			path: `${tableName}.${name}`,
+			detail: detailForChangedFields(fields)
+		});
+	});
+	for (const name of removedNames(baseColumns, headColumns)) pushChange(changes, {
+		action: "removed",
+		entity: "column",
+		path: `${tableName}.${name}`,
+		detail: "Column removed"
+	});
+	for (const name of addedNames(baseColumns, headColumns)) pushChange(changes, {
+		action: "added",
+		entity: "column",
+		path: `${tableName}.${name}`,
+		detail: "Column added"
+	});
+}
+function diffIndexes(changes, tableName, baseIndexes, headIndexes) {
+	compareCommonNamed(baseIndexes, headIndexes, (name, fields) => {
+		pushChange(changes, {
+			action: "changed",
+			entity: "index",
+			path: `${tableName}.${name}`,
+			detail: detailForChangedFields(fields)
+		});
+	});
+	for (const name of removedNames(baseIndexes, headIndexes)) pushChange(changes, {
+		action: "removed",
+		entity: "index",
+		path: `${tableName}.${name}`,
+		detail: "Index removed"
+	});
+	for (const name of addedNames(baseIndexes, headIndexes)) pushChange(changes, {
+		action: "added",
+		entity: "index",
+		path: `${tableName}.${name}`,
+		detail: "Index added"
+	});
+}
+function diffTables(changes, baseTables, headTables) {
+	const baseByName = mapByName(baseTables);
+	const headByName = mapByName(headTables);
+	for (const name of removedNames(baseTables, headTables)) pushChange(changes, {
+		action: "removed",
+		entity: "table",
+		path: name,
+		detail: "Table removed"
+	});
+	for (const name of addedNames(baseTables, headTables)) pushChange(changes, {
+		action: "added",
+		entity: "table",
+		path: name,
+		detail: "Table added"
+	});
+	const commonNames = [...baseByName.keys()].filter((name) => headByName.has(name)).toSorted((a, b) => a.localeCompare(b));
+	for (const name of commonNames) {
+		const base = baseByName.get(name);
+		const head = headByName.get(name);
+		if (!base || !head) continue;
+		const tableFields = changedFields(tableMetadata(base), tableMetadata(head));
+		if (tableFields.length > 0) pushChange(changes, {
+			action: "changed",
+			entity: "table",
+			path: name,
+			detail: detailForChangedFields(tableFields)
+		});
+		diffColumns(changes, name, base.columns, head.columns);
+		diffIndexes(changes, name, base.indexes, head.indexes);
+	}
+}
+function diffRelations(changes, baseRelations, headRelations) {
+	compareCommonNamed(baseRelations, headRelations, (name, fields) => {
+		pushChange(changes, {
+			action: "changed",
+			entity: "relation",
+			path: name,
+			detail: detailForChangedFields(fields)
+		});
+	});
+	for (const name of removedNames(baseRelations, headRelations)) pushChange(changes, {
+		action: "removed",
+		entity: "relation",
+		path: name,
+		detail: "Relation removed"
+	});
+	for (const name of addedNames(baseRelations, headRelations)) pushChange(changes, {
+		action: "added",
+		entity: "relation",
+		path: name,
+		detail: "Relation added"
+	});
+}
+function summarize(changes) {
+	return {
+		added: changes.filter((change) => change.action === "added").length,
+		changed: changes.filter((change) => change.action === "changed").length,
+		removed: changes.filter((change) => change.action === "removed").length
+	};
+}
+function extractEmbeddedErdSchema(html) {
+	const match = SCHEMA_BLOCK_PATTERN.exec(html);
+	if (!match?.[1]) throw new Error("ERD schema block not found.");
+	try {
+		return JSON.parse(match[1]);
+	} catch (error) {
+		throw new Error(`Failed to parse ERD schema block: ${String(error)}`, { cause: error });
+	}
+}
+function createEmptyErdSchema(options) {
+	return {
+		version: 1,
+		namespace: options.namespace,
+		generatedAt: (/* @__PURE__ */ new Date(0)).toISOString(),
+		revision: options.revision,
+		source: "local",
+		cleanRoom: {
+			implementation: "tailor-sdk",
+			notes: ["Synthetic empty schema used for ERD diff generation."]
+		},
+		tables: [],
+		relations: []
+	};
+}
+function buildErdSchemaDiff(options) {
+	const { base, head } = options;
+	if (base.namespace !== head.namespace) throw new Error(`Cannot diff ERD schemas from different namespaces: ${base.namespace}, ${head.namespace}`);
+	const changes = [];
+	diffTables(changes, base.tables, head.tables);
+	diffRelations(changes, base.relations, head.relations);
+	const summary = summarize(changes);
+	return {
+		namespace: head.namespace,
+		baseRevision: base.revision,
+		headRevision: head.revision,
+		changed: changes.length > 0,
+		summary,
+		changes
+	};
+}
+function mergeNamedByHead(baseItems, headItems) {
+	const headByName = mapByName(headItems);
+	const removedItems = baseItems.filter((item) => !headByName.has(item.name)).toSorted((a, b) => a.name.localeCompare(b.name));
+	return [...headItems, ...removedItems];
+}
+function mergeDiffViewerTable(baseTable, headTable) {
+	return {
+		...headTable,
+		columns: mergeNamedByHead(baseTable.columns, headTable.columns),
+		indexes: mergeNamedByHead(baseTable.indexes, headTable.indexes)
+	};
+}
+function mergeDiffViewerTables(baseTables, headTables) {
+	const baseByName = mapByName(baseTables);
+	const headByName = mapByName(headTables);
+	const merged = headTables.map((headTable) => {
+		const baseTable = baseByName.get(headTable.name);
+		return baseTable ? mergeDiffViewerTable(baseTable, headTable) : headTable;
+	});
+	const removedTables = baseTables.filter((table) => !headByName.has(table.name)).toSorted((a, b) => a.name.localeCompare(b.name));
+	return [...merged, ...removedTables];
+}
+/**
+* Build the schema rendered by the diff viewer. The ordinary ERD viewer only
+* knows how to draw objects present in its schema, so the diff schema keeps
+* base-only tables, columns, indexes, and relations visible for removal
+* highlighting while preferring head-side metadata for unchanged objects.
+* @param options - Base and head schemas to merge for diff rendering.
+* @returns A TailorDB ERD schema suitable for the visual diff viewer.
+*/
+function buildErdDiffViewerSchema(options) {
+	const { base, head } = options;
+	if (base.namespace !== head.namespace) throw new Error(`Cannot diff ERD schemas from different namespaces: ${base.namespace}, ${head.namespace}`);
+	return {
+		...head,
+		tables: mergeDiffViewerTables(base.tables, head.tables),
+		relations: mergeNamedByHead(base.relations, head.relations)
+	};
+}
+function renderErdDiffHtml(options) {
+	return buildViewerHtml({
+		schema: options.schema,
+		currentSchema: options.currentSchema,
+		diff: options.diff,
+		title: `TailorDB ERD diff - ${options.diff.namespace}`
+	});
+}
+
+//#endregion
+//#region src/cli/commands/tailordb/erd/diff-command.ts
+function readSchema(filePath) {
+	if (!filePath) return void 0;
+	return extractEmbeddedErdSchema(fs$1.readFileSync(filePath, "utf8"));
+}
+function resolveNamespace(options) {
+	const namespace = options.namespace ?? options.head?.namespace ?? options.base?.namespace;
+	if (!namespace) throw new Error("Missing --namespace when one side of the ERD diff is omitted.");
+	if (options.base && options.base.namespace !== namespace) throw new Error(`Base ERD namespace "${options.base.namespace}" does not match "${namespace}".`);
+	if (options.head && options.head.namespace !== namespace) throw new Error(`Head ERD namespace "${options.head.namespace}" does not match "${namespace}".`);
+	return namespace;
+}
+function writeFile(filePath, content) {
+	fs$1.mkdirSync(path.dirname(filePath), { recursive: true });
+	fs$1.writeFileSync(filePath, content, "utf8");
+}
+function writeErdDiff(options) {
+	const base = readSchema(options.baseHtml);
+	const head = readSchema(options.headHtml);
+	if (!base && !head) throw new Error("At least one of --base-html or --head-html is required.");
+	const namespace = resolveNamespace({
+		namespace: options.namespace,
+		base,
+		head
+	});
+	const baseSchema = base ?? createEmptyErdSchema({
+		namespace,
+		revision: "missing-base"
+	});
+	const headSchema = head ?? createEmptyErdSchema({
+		namespace,
+		revision: "missing-head"
+	});
+	const diff = buildErdSchemaDiff({
+		base: baseSchema,
+		head: headSchema
+	});
+	const viewerSchema = buildErdDiffViewerSchema({
+		base: baseSchema,
+		head: headSchema
+	});
+	writeFile(options.outputHtml, renderErdDiffHtml({
+		schema: viewerSchema,
+		currentSchema: headSchema,
+		diff
+	}));
+	if (options.outputJson) writeFile(options.outputJson, `${JSON.stringify(diff, null, 2)}\n`);
+	return {
+		namespace,
+		outputHtml: options.outputHtml,
+		outputJson: options.outputJson,
+		diff
+	};
+}
+const erdDiffCommand = defineAppCommand({
+	name: "diff",
+	description: "Render TailorDB ERD schema diff HTML from exported ERD viewers.",
+	args: z.object({
+		"base-html": arg(z.string().optional(), {
+			description: "Base ERD viewer HTML file",
+			completion: {
+				type: "file",
+				matcher: [".html"]
+			}
+		}),
+		"head-html": arg(z.string().optional(), {
+			description: "Head ERD viewer HTML file",
+			completion: {
+				type: "file",
+				matcher: [".html"]
+			}
+		}),
+		namespace: arg(z.string().optional(), {
+			alias: "n",
+			description: "TailorDB namespace name (defaults to the provided ERD schema namespace)"
+		}),
+		output: arg(z.string().min(1), {
+			alias: "o",
+			description: "Output ERD diff HTML file",
+			completion: {
+				type: "file",
+				matcher: [".html"]
+			}
+		}),
+		"output-json": arg(z.string().optional(), {
+			description: "Optional output JSON file for the computed diff",
+			completion: {
+				type: "file",
+				matcher: [".json"]
+			}
+		})
+	}).strict(),
+	run: (args) => {
+		initErdCommand();
+		const result = writeErdDiff({
+			baseHtml: args["base-html"],
+			headHtml: args["head-html"],
+			namespace: args.namespace,
+			outputHtml: args.output,
+			outputJson: args["output-json"]
+		});
+		if (args.json) logger.out({
+			namespace: result.namespace,
+			outputHtml: result.outputHtml,
+			outputJson: result.outputJson,
+			summary: result.diff.summary
+		});
+		else logger.success(`Wrote ERD diff to ${path.relative(process.cwd(), result.outputHtml)}`);
+	}
+});
+
 //#endregion
 //#region src/cli/commands/tailordb/erd/serve.ts
 const DEFAULT_ERD_BASE_DIR = ".tailor-sdk/erd";
@@ -4537,6 +5054,7 @@ const erdCommand = defineCommand({
 	description: "Generate TailorDB ERD viewer artifacts from local TailorDB schema. (beta)",
 	subCommands: {
 		export: erdExportCommand,
+		diff: erdDiffCommand,
 		serve: erdServeCommand,
 		deploy: erdDeployCommand
 	}
@@ -4873,7 +5391,7 @@ async function fetchRemoteTypes(client, workspaceId, namespace) {
 async function assertMigrationsReproduceLocalTypes(loaded, target) {
 	const { config, plugins } = loaded;
 	const pluginManager = plugins.length > 0 ? new PluginManager(plugins) : void 0;
-	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-Br48NXBD.mjs");
+	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-BakHtldG.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -5179,25 +5697,52 @@ const currentCommand = defineAppCommand({
 	args: z.object({}).strict(),
 	run: async () => {
 		const config = await readPlatformConfig();
+		const profile = process.env.TAILOR_PLATFORM_PROFILE;
+		const profileEntry = profile ? config.profiles[profile] : void 0;
+		if (profile && !profileEntry) throw new Error(`Profile "${profile}" not found`);
+		const platformConfig = profileEntry ? platformConfigFromProfile(profileEntry) : void 0;
+		const currentUser = profile ? profileEntry?.user ?? null : config.current_user;
 		const jsonOutput = logger.jsonMode;
-		if (!config.current_user) throw new Error(multiline`
+		if (!currentUser) throw new Error(multiline`
         Current user not set.
         Please login first using 'tailor-sdk login' command to register a user.
       `);
-		if (!config.users[config.current_user]) throw new Error(multiline`
-        Current user '${config.current_user}' not found in registered users.
+		if (!hasUserTokenEntry(config, currentUser, platformConfig)) throw new Error(multiline`
+        Current user '${currentUser}' not found in registered users.
         Please login again using 'tailor-sdk login' command to register the user.
       `);
 		if (jsonOutput) {
-			logger.out({ user: config.current_user });
+			logger.out({ user: currentUser });
 			return;
 		}
-		logger.out(config.current_user);
+		logger.out(currentUser);
 	}
 });
 
 //#endregion
 //#region src/cli/commands/user/list.ts
+function activeCurrentUserKey(config) {
+	const activeProfile = process.env.TAILOR_PLATFORM_PROFILE;
+	if (!activeProfile) {
+		if (!config.current_user) return null;
+		return resolveUserTokenKey(config, config.current_user);
+	}
+	const profile = config.profiles[activeProfile];
+	if (!profile) return null;
+	return resolveUserTokenKey(config, profile.user, platformConfigFromProfile(profile));
+}
+function toUserListInfo(userKey, currentUserKey) {
+	const separatorIndex = userKey.indexOf("|");
+	const platformUrl = separatorIndex === -1 ? null : userKey.slice(0, separatorIndex);
+	return {
+		user: separatorIndex === -1 ? userKey : userKey.slice(separatorIndex + 1),
+		platformUrl,
+		current: currentUserKey === userKey
+	};
+}
+function formatUserListInfo(info) {
+	return `${info.user}${info.platformUrl ? ` [${info.platformUrl}]` : ""}${info.current ? " (current)" : ""}`;
+}
 const listCommand$1 = defineAppCommand({
 	name: "list",
 	description: "List all users.",
@@ -5214,13 +5759,15 @@ const listCommand$1 = defineAppCommand({
 			if (jsonOutput) logger.out([]);
 			return;
 		}
+		const currentUserKey = activeCurrentUserKey(config);
+		const userInfos = users.map((user) => toUserListInfo(user, currentUserKey));
 		if (jsonOutput) {
-			logger.out(users);
+			logger.out([...new Set(userInfos.map((userInfo) => userInfo.user))]);
 			return;
 		}
-		users.forEach((user) => {
-			if (user === config.current_user) logger.success(`${user} (current)`, { mode: "plain" });
-			else logger.log(user);
+		userInfos.forEach((userInfo) => {
+			if (userInfo.current) logger.success(formatUserListInfo(userInfo), { mode: "plain" });
+			else logger.log(formatUserListInfo(userInfo));
 		});
 	}
 });
@@ -5281,6 +5828,24 @@ function printCreatedToken(name, token, write, action) {
     `);
 }
 
+//#endregion
+//#region src/cli/commands/user/pat/user.ts
+function resolvePatUser(config) {
+	const activeProfile = process.env.TAILOR_PLATFORM_PROFILE;
+	if (activeProfile) return config.profiles[activeProfile]?.user ?? null;
+	return config.current_user;
+}
+async function createPatOperatorClient() {
+	const config = await readPlatformConfig();
+	const activeProfile = process.env.TAILOR_PLATFORM_PROFILE;
+	const profileEntry = activeProfile ? config.profiles[activeProfile] : void 0;
+	if (activeProfile && !profileEntry) throw new Error(`Profile "${activeProfile}" not found`);
+	const platformConfig = profileEntry ? platformConfigFromProfile(profileEntry) : void 0;
+	const user = resolvePatUser(config);
+	if (!user) throw new Error("No user logged in.\nPlease login first using 'tailor-sdk login' command.");
+	return await initOperatorClient(await fetchLatestToken(config, user, platformConfig), platformConfig);
+}
+
 //#endregion
 //#region src/cli/commands/user/pat/create.ts
 const createCommand = defineAppCommand({
@@ -5298,12 +5863,7 @@ const createCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable();
-		const config = await readPlatformConfig();
-		if (!config.current_user) throw new Error(multiline`
-        No user logged in.
-        Please login first using 'tailor-sdk login' command.
-      `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const client = await createPatOperatorClient();
 		const scopes = getScopesFromWriteFlag(args.write);
 		const result = await client.createPersonalAccessToken({
 			name: args.name,
@@ -5325,12 +5885,7 @@ const deleteCommand = defineAppCommand({
 	}) }).strict(),
 	run: async (args) => {
 		await assertWritable();
-		const config = await readPlatformConfig();
-		if (!config.current_user) throw new Error(multiline`
-        No user logged in.
-        Please login first using 'tailor-sdk login' command.
-      `);
-		await (await initOperatorClient(await fetchLatestToken(config, config.current_user))).deletePersonalAccessToken({ name: args.name });
+		await (await createPatOperatorClient()).deletePersonalAccessToken({ name: args.name });
 		logger.success(`Personal access token "${args.name}" deleted successfully.`);
 	}
 });
@@ -5343,12 +5898,7 @@ const listCommand = defineAppCommand({
 	args: z.object({ ...paginationArgs() }).strict(),
 	run: async (args) => {
 		const jsonOutput = logger.jsonMode;
-		const config = await readPlatformConfig();
-		if (!config.current_user) throw new Error(multiline`
-        No user logged in.
-        Please login first using 'tailor-sdk login' command.
-      `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const client = await createPatOperatorClient();
 		const pageDirection = toPageDirection(args.order);
 		const pats = await fetchPaged(async (pageToken, pageSize) => {
 			const { personalAccessTokens, nextPageToken } = await client.listPersonalAccessTokens({
@@ -5396,12 +5946,7 @@ const updateCommand = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable();
-		const config = await readPlatformConfig();
-		if (!config.current_user) throw new Error(multiline`
-        No user logged in.
-        Please login first using 'tailor-sdk login' command.
-      `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const client = await createPatOperatorClient();
 		await client.deletePersonalAccessToken({ name: args.name });
 		const scopes = getScopesFromWriteFlag(args.write);
 		const result = await client.createPersonalAccessToken({
@@ -5440,11 +5985,17 @@ const switchCommand = defineAppCommand({
 	}) }).strict(),
 	run: async (args) => {
 		const config = await readPlatformConfig();
-		if (!config.users[args.user]) throw new Error(multiline`
+		const activeProfileName = process.env.TAILOR_PLATFORM_PROFILE;
+		const activeProfileEntry = activeProfileName ? config.profiles[activeProfileName] : void 0;
+		if (activeProfileName && !activeProfileEntry) throw new Error(`Profile "${activeProfileName}" not found`);
+		const platformConfig = activeProfileEntry ? platformConfigFromProfile(activeProfileEntry) : void 0;
+		if (args.user.includes("|")) throw new Error(`User "${args.user}" looks like a platform-scoped token key. Pass the user name without the platform URL and select the platform with TAILOR_PLATFORM_URL or a profile.`);
+		if (!hasUserTokenEntry(config, args.user, platformConfig)) throw new Error(multiline`
         User "${args.user}" not found.
         Please login first using 'tailor-sdk login' command to register this user.
       `);
-		config.current_user = args.user;
+		if (activeProfileEntry) activeProfileEntry.user = args.user;
+		else config.current_user = args.user;
 		writePlatformConfig(config);
 		logger.success(`Current user set to "${args.user}" successfully.`);
 	}