@tailor-platform/sdk 2.0.0-next.0 → 2.0.0-next.1

package/dist/{runtime-C7qTBDD2.mjs → runtime-n9NCkjee.mjs}

@@ -1,14 +1,13 @@
-
-import { t as db } from "./schema-1msIhXwA.mjs";
-import { $ as CreateExecutorExecutorRequestSchema, A as TailorDBGQLPermission_Permit, At as AuthSCIMAttribute_Type, B as UpdateSecretManagerSecretRequestSchema, Bt as Subgraph_ServiceType, C as WorkflowExecution_Status, Ct as AuthConnection_Type, D as UpdateTailorDBTypeRequestSchema, Dt as AuthOAuth2Client_ClientType, E as CreateTailorDBTypeRequestSchema, Et as AuthInvokerSchema, F as CreateStaticWebsiteRequestSchema, Ft as UserProfileProviderConfig_UserProfileProviderType, G as PipelineResolver_OperationType, H as CreatePipelineServiceRequestSchema, Ht as Condition_Operator, I as UpdateStaticWebsiteRequestSchema, It as CreateApplicationRequestSchema, J as IdPLang, K as CreateIdPServiceRequestSchema, Lt as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, M as TailorDBType_Permission_Permit, Mt as AuthSCIMConfig_AuthorizationType, N as TailorDBType_PermitAction, O as TailorDBGQLPermission_Action, Ot as AuthOAuth2Client_GrantType, P as AddCustomDomainRequestSchema, Pt as TenantProviderConfig_TenantProviderType, R as CreateSecretManagerSecretRequestSchema, Rt as UpdateApplicationRequestSchema, S as UpdateWorkflowRequestSchema, St as UpdateUserProfileConfigRequestSchema, T as CreateTailorDBServiceRequestSchema, Tt as AuthIDPConfig_AuthType, U as UpdatePipelineResolverRequestSchema, Ut as FilterSchema, V as CreatePipelineResolverRequestSchema, Vt as ConditionSchema, W as UpdatePipelineServiceRequestSchema, Wt as PageDirection, X as IdPPermissionPermit, Y as IdPPermissionOperator, Z as FunctionExecution_Status, _ as userAgent, _t as UpdateAuthOAuth2ClientRequestSchema, a as fetchAll, at as CreateAuthHookRequestSchema, b as CreateWorkflowJobFunctionRequestSchema, bt as UpdateAuthServiceRequestSchema, ct as CreateAuthOAuth2ClientRequestSchema, dt as CreateAuthServiceRequestSchema, et as UpdateExecutorExecutorRequestSchema, f as initOperatorClient, ft as CreateTenantConfigRequestSchema, gt as UpdateAuthMachineUserRequestSchema, h as resolveStaticWebsiteUrls, ht as UpdateAuthIDPConfigRequestSchema, it as CreateAuthConnectionRequestSchema, j as TailorDBType_Permission_Operator, jt as AuthSCIMAttribute_Uniqueness, k as TailorDBGQLPermission_Operator, kt as AuthSCIMAttribute_Mutability, lt as CreateAuthSCIMConfigRequestSchema, m as platformBaseUrl, mt as UpdateAuthHookRequestSchema, nt as ExecutorTargetType, o as fetchMachineUserToken, ot as CreateAuthIDPConfigRequestSchema, pt as CreateUserProfileConfigRequestSchema, q as UpdateIdPServiceRequestSchema, rt as ExecutorTriggerType, s as fetchPaged, st as CreateAuthMachineUserRequestSchema, tt as ExecutorJobStatus, ut as CreateAuthSCIMResourceRequestSchema, v as OperatorService, vt as UpdateAuthSCIMConfigRequestSchema, w as WorkflowJobExecution_Status, wt as AuthHookPoint, x as CreateWorkflowRequestSchema, xt as UpdateTenantConfigRequestSchema, y as WorkspacePlatformUserRole, yt as UpdateAuthSCIMResourceRequestSchema, z as CreateSecretManagerVaultRequestSchema, zt as ApplicationSchemaUpdateAttemptStatus } from "./client-CobIRHl-.mjs";
-import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
-import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { A as readPlatformConfig, C as loadConfig, D as loadConfigPath, E as loadAccessToken, N as writePlatformConfig, O as loadMachineUserName, S as hashFile, b as getDistDir, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, k as loadWorkspaceId, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, y as createBundleCache } from "./application-76hhIhnJ.mjs";
-import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
-import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
-import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
-import { n as isCLIError, t as createCLIError } from "./errors-EsY4XO6O.mjs";
-import { r as withSpan } from "./telemetry-BQbbVo2t.mjs";
+import { t as db } from "./schema-BhkpP5Hw.mjs";
+import { $ as CreateExecutorExecutorRequestSchema, A as TailorDBGQLPermission_Permit, At as AuthSCIMAttribute_Type, B as UpdateSecretManagerSecretRequestSchema, Bt as Subgraph_ServiceType, C as WorkflowExecution_Status, Ct as AuthConnection_Type, D as UpdateTailorDBTypeRequestSchema, Dt as AuthOAuth2Client_ClientType, E as CreateTailorDBTypeRequestSchema, Et as AuthInvokerSchema, F as CreateStaticWebsiteRequestSchema, Ft as UserProfileProviderConfig_UserProfileProviderType, G as PipelineResolver_OperationType, H as CreatePipelineServiceRequestSchema, Ht as Condition_Operator, I as UpdateStaticWebsiteRequestSchema, It as CreateApplicationRequestSchema, J as IdPLang, K as CreateIdPServiceRequestSchema, Lt as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, M as TailorDBType_Permission_Permit, Mt as AuthSCIMConfig_AuthorizationType, N as TailorDBType_PermitAction, O as TailorDBGQLPermission_Action, Ot as AuthOAuth2Client_GrantType, P as AddCustomDomainRequestSchema, Pt as TenantProviderConfig_TenantProviderType, R as CreateSecretManagerSecretRequestSchema, Rt as UpdateApplicationRequestSchema, S as UpdateWorkflowRequestSchema, St as UpdateUserProfileConfigRequestSchema, T as CreateTailorDBServiceRequestSchema, Tt as AuthIDPConfig_AuthType, U as UpdatePipelineResolverRequestSchema, Ut as FilterSchema, V as CreatePipelineResolverRequestSchema, Vt as ConditionSchema, W as UpdatePipelineServiceRequestSchema, Wt as PageDirection, X as IdPPermissionPermit, Y as IdPPermissionOperator, Z as FunctionExecution_Status, _ as userAgent, _t as UpdateAuthOAuth2ClientRequestSchema, a as fetchAll, at as CreateAuthHookRequestSchema, b as CreateWorkflowJobFunctionRequestSchema, bt as UpdateAuthServiceRequestSchema, ct as CreateAuthOAuth2ClientRequestSchema, dt as CreateAuthServiceRequestSchema, et as UpdateExecutorExecutorRequestSchema, f as initOperatorClient, ft as CreateTenantConfigRequestSchema, gt as UpdateAuthMachineUserRequestSchema, h as resolveStaticWebsiteUrls, ht as UpdateAuthIDPConfigRequestSchema, it as CreateAuthConnectionRequestSchema, j as TailorDBType_Permission_Operator, jt as AuthSCIMAttribute_Uniqueness, k as TailorDBGQLPermission_Operator, kt as AuthSCIMAttribute_Mutability, lt as CreateAuthSCIMConfigRequestSchema, m as platformBaseUrl, mt as UpdateAuthHookRequestSchema, nt as ExecutorTargetType, o as fetchMachineUserToken, ot as CreateAuthIDPConfigRequestSchema, pt as CreateUserProfileConfigRequestSchema, q as UpdateIdPServiceRequestSchema, rt as ExecutorTriggerType, s as fetchPaged, st as CreateAuthMachineUserRequestSchema, tt as ExecutorJobStatus, ut as CreateAuthSCIMResourceRequestSchema, v as OperatorService, vt as UpdateAuthSCIMConfigRequestSchema, w as WorkflowJobExecution_Status, wt as AuthHookPoint, x as CreateWorkflowRequestSchema, xt as UpdateTenantConfigRequestSchema, y as WorkspacePlatformUserRole, yt as UpdateAuthSCIMResourceRequestSchema, z as CreateSecretManagerVaultRequestSchema, zt as ApplicationSchemaUpdateAttemptStatus } from "./client-z_oHGVNy.mjs";
+import { t as assertDefined } from "./assert-DBxo8jPo.mjs";
+import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-CxF-Ex5d.mjs";
+import { A as loadAccessToken, C as getDistDir, E as loadConfig, M as loadMachineUserName, N as loadWorkspaceId, P as readPlatformConfig, R as writePlatformConfig, S as createBundleCache, T as hashFile, a as getApplicationAuthNamespace, b as getPluginGenerationDependencies, c as HTTP_METHODS, d as buildResolverOperationHookExpr, f as assertUniqueLocalTailorDBTypeNames, g as platformBundleDefinePlugin, h as stringifyFunction, j as loadConfigPath, m as TailorDBTypeSchema, n as generatePluginFilesIfNeeded, p as assertUniqueTailorDBTypeNamesWithExternal, r as loadApplication, t as defineApplication, u as buildExecutorArgsExpr, x as hasGenerationHooks } from "./application-DqS1yBg3.mjs";
+import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-CCL8ruDf.mjs";
+import { t as multiline } from "./multiline-sfHpTZZK.mjs";
+import { t as readPackageJson } from "./package-json-8b0O9TlX.mjs";
+import { n as isCLIError, t as createCLIError } from "./errors-Dtf2WPaW.mjs";
+import { r as withSpan } from "./telemetry-CdqJEzkj.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
 import { ScalarType, create, fromJson, toJson } from "@bufbuild/protobuf";
@@ -1240,35 +1239,6 @@ async function generateUserTypes(options) {
 	}
 }
 
-//#endregion
-//#region src/types/plugin-generation.ts
-/**
-* Derives generation-time dependency set from hook presence on a plugin.
-* @param plugin - The plugin object to inspect.
-* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
-* @param plugin.onResolverReady - Hook for resolver readiness.
-* @param plugin.onExecutorReady - Hook for executor readiness.
-* @returns Set of dependency kinds required by the plugin.
-*/
-function getPluginGenerationDependencies(plugin) {
-	const deps = /* @__PURE__ */ new Set();
-	if (plugin.onTailorDBReady) deps.add("tailordb");
-	if (plugin.onResolverReady) deps.add("resolver");
-	if (plugin.onExecutorReady) deps.add("executor");
-	return deps;
-}
-/**
-* Checks if a plugin has any generation-time hooks.
-* @param plugin - The plugin object to inspect.
-* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
-* @param plugin.onResolverReady - Hook for resolver readiness.
-* @param plugin.onExecutorReady - Hook for executor readiness.
-* @returns True if the plugin has at least one generation hook.
-*/
-function hasGenerationHooks(plugin) {
-	return !!(plugin.onTailorDBReady || plugin.onResolverReady || plugin.onExecutorReady);
-}
-
 //#endregion
 //#region src/plugin/manager.ts
 /**
@@ -1806,6 +1776,219 @@ async function buildMetaRequest(params) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/deploy/owned-resource.ts
+/**
+* Fetch a workspace-scoped resource list and attach SDK ownership metadata.
+* @template T
+* @param params - Resource fetch parameters
+* @param params.client - Operator client instance
+* @param params.workspaceId - Workspace ID
+* @param params.fetchPage - Function that fetches one resource page
+* @param params.getName - Function that extracts the resource name
+* @param params.getTrn - Function that builds the resource TRN
+* @returns Existing resources keyed by resource name, with SDK labels attached
+*/
+async function fetchExistingResourcesWithLabels(params) {
+	const { client, workspaceId, fetchPage, getName, getTrn } = params;
+	const withoutLabel = await fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			return await fetchPage(pageToken, maxPageSize);
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+	const existingResources = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		const name = getName(resource);
+		if (!name) return;
+		const { metadata } = await client.getMetadata({ trn: getTrn(workspaceId, name) });
+		existingResources[name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
+		};
+	}));
+	return existingResources;
+}
+/**
+* Determine whether a same-named existing resource is managed by this app.
+* Records the user-facing confirmation data when ownership does not match.
+* @param params - Ownership classification inputs
+* @param params.labels - Existing resource labels
+* @param params.ownerLabel - Existing `sdk-name` label, when present
+* @param params.appName - Current application name
+* @param params.appId - Current application id, when present
+* @param params.resourceType - Resource kind for confirmation messages
+* @param params.resourceName - Resource name for confirmation messages
+* @param params.conflicts - Conflict accumulator
+* @param params.unmanaged - Unmanaged-resource accumulator
+* @returns True when the resource is owned by the current app
+*/
+function trackDesiredResourceOwnership(params) {
+	const { labels, ownerLabel, appName, appId, resourceType, resourceName, conflicts, unmanaged } = params;
+	const owned = isOwnedByApp(labels, appName, appId);
+	if (!owned) if (!ownerLabel) unmanaged.push({
+		resourceType,
+		resourceName
+	});
+	else conflicts.push({
+		resourceType,
+		resourceName,
+		currentOwner: ownerLabel
+	});
+	return owned;
+}
+/**
+* Determine whether a remote-only resource is still owned by this app.
+* Also records other SDK owners so renamed-empty applications can be handled.
+* @param params - Ownership classification inputs
+* @param params.labels - Existing resource labels
+* @param params.ownerLabel - Existing `sdk-name` label, when present
+* @param params.appName - Current application name
+* @param params.appId - Current application id, when present
+* @param params.resourceOwners - Other-owner accumulator
+* @returns True when the resource is owned by the current app
+*/
+function trackRemainingResourceOwner(params) {
+	const { labels, ownerLabel, appName, appId, resourceOwners } = params;
+	const owned = isOwnedByApp(labels, appName, appId);
+	if (ownerLabel && !owned) resourceOwners.add(ownerLabel);
+	return owned;
+}
+
+//#endregion
+//#region src/cli/commands/deploy/aigateway.ts
+/**
+* Apply AI Gateway changes for the given phase.
+* @param client - Operator client instance
+* @param result - Planned AI Gateway changes
+* @param phase - Apply phase
+* @returns Promise that resolves when AI Gateways are applied
+*/
+async function applyAIGateway(client, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
+		create.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(create.request.workspaceId, "request missing workspaceId"), create.request.cors, "AIGateway CORS");
+		await client.createAIGateway(create.request);
+		await client.setMetadata(create.metaRequest);
+	}), ...changeSet.updates.map(async (update) => {
+		update.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(update.request.workspaceId, "request missing workspaceId"), update.request.cors, "AIGateway CORS");
+		await client.updateAIGateway(update.request);
+		await client.setMetadata(update.metaRequest);
+	})]);
+	else await Promise.all(changeSet.deletes.map((del) => client.deleteAIGateway(del.request)));
+}
+function normalizeComparableAIGatewayShape(input) {
+	return {
+		authNamespace: input.authNamespace,
+		cors: input.cors.toSorted()
+	};
+}
+function normalizeComparableAIGateway(input) {
+	return normalizeComparableAIGatewayShape({
+		authNamespace: input.authNamespace || "",
+		cors: [...input.cors || []]
+	});
+}
+function areAIGatewaysEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableAIGateway(existing), normalizeComparableAIGateway(desired));
+}
+/**
+* Plan AI Gateway changes based on current and desired state.
+* @param context - Planning context
+* @returns Planned changes
+*/
+async function planAIGateway(context) {
+	const { client, workspaceId, application, forRemoval } = context;
+	const changeSet = createChangeSet("AIGateways");
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const existingGateways = await fetchExistingResourcesWithLabels({
+		client,
+		workspaceId,
+		fetchPage: async (pageToken, pageSize) => {
+			const { aigateways, nextPageToken } = await client.listAIGateways({
+				workspaceId,
+				pageToken,
+				pageSize
+			});
+			return [aigateways, nextPageToken];
+		},
+		getName: (resource) => resource.name,
+		getTrn: (workspaceId, name) => resourceTrn(workspaceId, "aigateway", name)
+	});
+	const aiGatewayServices = forRemoval ? [] : application.aiGatewayServices;
+	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
+	for (const gatewayService of aiGatewayServices) {
+		const config = gatewayService;
+		const name = gatewayService.name;
+		const existing = existingGateways[name];
+		const metaRequest = await buildMetaRequest({
+			trn: resourceTrn(workspaceId, "aigateway", name),
+			appName: application.name,
+			appId: application.id
+		});
+		const resolvedCors = await resolveStaticWebsiteUrls(client, workspaceId, config.cors ? [...config.cors] : [], "AIGateway CORS", { expectedLocalNames: expectedLocalWebsites });
+		const desired = normalizeComparableAIGateway({
+			...config,
+			cors: resolvedCors
+		});
+		const request = {
+			workspaceId,
+			aigatewayName: name,
+			authNamespace: config.authNamespace,
+			cors: config.cors ? [...config.cors] : []
+		};
+		if (existing) {
+			if (trackDesiredResourceOwnership({
+				labels: existing.allLabels,
+				ownerLabel: existing.label,
+				appName: application.name,
+				appId: application.id,
+				resourceType: "AIGateway",
+				resourceName: name,
+				conflicts,
+				unmanaged
+			}) && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areAIGatewaysEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
+			else changeSet.updates.push({
+				name,
+				request,
+				metaRequest
+			});
+			delete existingGateways[name];
+		} else changeSet.creates.push({
+			name,
+			request,
+			metaRequest
+		});
+	}
+	Object.entries(existingGateways).forEach(([name, entry]) => {
+		const label = entry?.label;
+		if (trackRemainingResourceOwner({
+			labels: entry?.allLabels,
+			ownerLabel: label,
+			appName: application.name,
+			appId: application.id,
+			resourceOwners
+		})) changeSet.deletes.push({
+			name,
+			request: {
+				workspaceId,
+				aigatewayName: name
+			}
+		});
+	});
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
+}
+
 //#endregion
 //#region src/cli/commands/deploy/application.ts
 /**
@@ -4707,7 +4890,7 @@ async function readConfigId(configPath) {
 async function assertConfigIdInCI(configPath) {
 	const result = await readConfigId(configPath);
 	if (result === null) return;
-	if (!result.id) throw new Error("tailor.config.ts is missing an 'id'. CI does not auto-generate one (each run would be treated as a separate app and break resource ownership). Run 'tailor-sdk setup github' or 'tailor-sdk apply' locally and commit the injected id.");
+	if (!result.id) throw new Error("tailor.config.ts is missing an 'id'. CI does not auto-generate one (each run would be treated as a separate app and break resource ownership). Run 'tailor-sdk setup github' or 'tailor-sdk deploy' locally and commit the injected id.");
 	if (!uuidRegex.test(result.id)) throw new Error(`'id' in ${configPath} must be a UUID. To use this config for a separate app, delete it.`);
 }
 /**
@@ -4882,8 +5065,8 @@ async function confirmImportantResourceDeletion(resources, yes) {
 * Accepts either:
 * - `undefined` — returns undefined
 * - a plain string (machine user name) — expands to `{ namespace, machineUserName }` using `authNamespace`
-* - an object `{ namespace, machineUserName }` — returned as-is
-* @param authInvoker - String machine user name or object form
+* - an internal object `{ namespace, machineUserName }` — returned as-is
+* @param authInvoker - String machine user name or internal object form
 * @param authNamespace - Auth service namespace (required when authInvoker is a string)
 * @param context - Contextual label used in error messages (e.g. `resolver "foo"`)
 * @returns Object form of auth invoker, or undefined
@@ -4891,7 +5074,7 @@ async function confirmImportantResourceDeletion(resources, yes) {
 function normalizeAuthInvoker(authInvoker, authNamespace, context) {
 	if (authInvoker === void 0) return void 0;
 	if (typeof authInvoker === "string") {
-		if (!authNamespace) throw new Error(`${context} uses a string authInvoker ("${authInvoker}"), but no Auth service is configured. Configure an Auth service or use the object form { namespace, machineUserName }.`);
+		if (!authNamespace) throw new Error(`${context} uses a string authInvoker ("${authInvoker}"), but no Auth service is configured. Configure an Auth service before using authInvoker.`);
 		return {
 			namespace: authNamespace,
 			machineUserName: authInvoker
@@ -4900,88 +5083,6 @@ function normalizeAuthInvoker(authInvoker, authNamespace, context) {
 	return authInvoker;
 }
 
-//#endregion
-//#region src/cli/commands/deploy/owned-resource.ts
-/**
-* Fetch a workspace-scoped resource list and attach SDK ownership metadata.
-* @template T
-* @param params - Resource fetch parameters
-* @param params.client - Operator client instance
-* @param params.workspaceId - Workspace ID
-* @param params.fetchPage - Function that fetches one resource page
-* @param params.getName - Function that extracts the resource name
-* @param params.getTrn - Function that builds the resource TRN
-* @returns Existing resources keyed by resource name, with SDK labels attached
-*/
-async function fetchExistingResourcesWithLabels(params) {
-	const { client, workspaceId, fetchPage, getName, getTrn } = params;
-	const withoutLabel = await fetchAll(async (pageToken, maxPageSize) => {
-		try {
-			return await fetchPage(pageToken, maxPageSize);
-		} catch (error) {
-			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
-			throw error;
-		}
-	});
-	const existingResources = {};
-	await Promise.all(withoutLabel.map(async (resource) => {
-		const name = getName(resource);
-		if (!name) return;
-		const { metadata } = await client.getMetadata({ trn: getTrn(workspaceId, name) });
-		existingResources[name] = {
-			resource,
-			label: metadata?.labels[sdkNameLabelKey],
-			allLabels: metadata?.labels
-		};
-	}));
-	return existingResources;
-}
-/**
-* Determine whether a same-named existing resource is managed by this app.
-* Records the user-facing confirmation data when ownership does not match.
-* @param params - Ownership classification inputs
-* @param params.labels - Existing resource labels
-* @param params.ownerLabel - Existing `sdk-name` label, when present
-* @param params.appName - Current application name
-* @param params.appId - Current application id, when present
-* @param params.resourceType - Resource kind for confirmation messages
-* @param params.resourceName - Resource name for confirmation messages
-* @param params.conflicts - Conflict accumulator
-* @param params.unmanaged - Unmanaged-resource accumulator
-* @returns True when the resource is owned by the current app
-*/
-function trackDesiredResourceOwnership(params) {
-	const { labels, ownerLabel, appName, appId, resourceType, resourceName, conflicts, unmanaged } = params;
-	const owned = isOwnedByApp(labels, appName, appId);
-	if (!owned) if (!ownerLabel) unmanaged.push({
-		resourceType,
-		resourceName
-	});
-	else conflicts.push({
-		resourceType,
-		resourceName,
-		currentOwner: ownerLabel
-	});
-	return owned;
-}
-/**
-* Determine whether a remote-only resource is still owned by this app.
-* Also records other SDK owners so renamed-empty applications can be handled.
-* @param params - Ownership classification inputs
-* @param params.labels - Existing resource labels
-* @param params.ownerLabel - Existing `sdk-name` label, when present
-* @param params.appName - Current application name
-* @param params.appId - Current application id, when present
-* @param params.resourceOwners - Other-owner accumulator
-* @returns True when the resource is owned by the current app
-*/
-function trackRemainingResourceOwner(params) {
-	const { labels, ownerLabel, appName, appId, resourceOwners } = params;
-	const owned = isOwnedByApp(labels, appName, appId);
-	if (ownerLabel && !owned) resourceOwners.add(ownerLabel);
-	return owned;
-}
-
 //#endregion
 //#region src/cli/commands/deploy/executor.ts
 /**
@@ -5192,8 +5293,9 @@ function resolveIdpNamespace(application, executorName, idpName) {
 	return assertDefined(application.idpServices[0], "idp service missing").name;
 }
 function resolveAuthNamespace(application) {
-	if (!application.authService) throw new Error("No Auth service configured");
-	return application.authService.config.name;
+	const authNamespace = getApplicationAuthNamespace(application);
+	if (!authNamespace) throw new Error("No Auth service configured");
+	return authNamespace;
 }
 function protoExecutor(application, executor) {
 	const appName = application.name;
@@ -5278,7 +5380,7 @@ function protoExecutor(application, executor) {
 	const target = executor.operation;
 	let targetType;
 	let targetConfig;
-	const authNamespace = application.authService?.config.name;
+	const authNamespace = getApplicationAuthNamespace(application);
 	const invokerContext = `Executor "${executor.name}"`;
 	switch (target.kind) {
 		case "webhook":
@@ -5434,7 +5536,7 @@ async function planPipeline(context) {
 	}
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, application.id, pipelines);
-	const { changeSet: resolverChangeSet } = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, application.authService?.config.name, forceApplyAll);
+	const { changeSet: resolverChangeSet } = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, getApplicationAuthNamespace(application), forceApplyAll);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -6873,7 +6975,7 @@ function createSnapshotFieldConfig(field) {
 }
 /**
 * Create a snapshot field config from an OperatorFieldConfig (for nested fields)
-* @param {import("@/types/tailordb").OperatorFieldConfig} fieldConfig - Field configuration
+* @param {import("@/parser/service/tailordb/types").OperatorFieldConfig} fieldConfig - Field configuration
 * @returns {SnapshotFieldConfig} Snapshot field configuration
 */
 function createSnapshotFieldConfigFromOperatorConfig(fieldConfig) {
@@ -10620,6 +10722,9 @@ async function shouldForceApplyAll(client, workspaceId, application, functionEnt
 	application.staticWebsiteServices.forEach((website) => {
 		candidateTrns.add(resourceTrn(workspaceId, "staticwebsite", website.name));
 	});
+	application.aiGatewayServices.forEach((gateway) => {
+		candidateTrns.add(resourceTrn(workspaceId, "aigateway", gateway.name));
+	});
 	application.resolverServices.forEach((pipeline) => {
 		candidateTrns.add(resourceTrn(workspaceId, "pipeline", pipeline.namespace));
 	});
@@ -10698,6 +10803,7 @@ function printPlanResults(results) {
 	const authServiceActions = extractServiceActions(results.auth.changeSet.service);
 	results.staticWebsite.changeSet.print();
 	results.staticWebsite.customDomainChangeSet.print();
+	results.aiGateway.changeSet.print();
 	results.app.print();
 	printGroupedDisplaySection("TailorDB", tailorDBEntries, tailorDBServiceActions);
 	printGroupedDisplaySection("Resolver", pipelineEntries, pipelineServiceActions);
@@ -10748,6 +10854,7 @@ function summarizePlanResults(results, displayEntries, serviceActions) {
 		otherChanges,
 		results.staticWebsite.changeSet,
 		results.staticWebsite.customDomainChangeSet,
+		results.aiGateway.changeSet,
 		results.app,
 		results.secretManager.vaultChangeSet,
 		results.secretManager.secretChangeSet
@@ -10852,7 +10959,7 @@ async function deploy(options) {
 		const dryRun = options?.dryRun ?? false;
 		const yes = options?.yes ?? false;
 		const forceApplyAll = await withSpan("plan.detectSdkVersionChange", () => shouldForceApplyAll(client, workspaceId, application, functionEntries));
-		const { functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
+		const { functionRegistry, tailorDB, staticWebsite, aiGateway, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
 			const idpUserTriggerTargets = collectIdpUserTriggerTargets(application);
 			const ctx = {
 				client,
@@ -10866,9 +10973,10 @@ async function deploy(options) {
 			};
 			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, application.id, functionEntries));
 			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.filter((entry) => entry.name.startsWith(WORKFLOW_PREFIX)).map((entry) => entry.name.slice(WORKFLOW_PREFIX.length)));
-			const [tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
+			const [tailorDB, staticWebsite, aiGateway, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
 				withSpan("plan.staticWebsite", () => planStaticWebsite(ctx)),
+				withSpan("plan.aiGateway", () => planAIGateway(ctx)),
 				withSpan("plan.idp", () => planIdP(ctx)),
 				withSpan("plan.auth", () => planAuth(ctx)),
 				withSpan("plan.pipeline", () => planPipeline(ctx)),
@@ -10881,6 +10989,7 @@ async function deploy(options) {
 				functionRegistry,
 				tailorDB,
 				staticWebsite,
+				aiGateway,
 				idp,
 				auth,
 				pipeline,
@@ -10895,6 +11004,7 @@ async function deploy(options) {
 				...functionRegistry.conflicts,
 				...tailorDB.conflicts,
 				...staticWebsite.conflicts,
+				...aiGateway.conflicts,
 				...idp.conflicts,
 				...auth.conflicts,
 				...pipeline.conflicts,
@@ -10907,6 +11017,7 @@ async function deploy(options) {
 				...functionRegistry.unmanaged,
 				...tailorDB.unmanaged,
 				...staticWebsite.unmanaged,
+				...aiGateway.unmanaged,
 				...idp.unmanaged,
 				...auth.unmanaged,
 				...pipeline.unmanaged,
@@ -10923,6 +11034,10 @@ async function deploy(options) {
 				resourceType: "StaticWebsite",
 				resourceName: del.name
 			});
+			for (const del of aiGateway.changeSet.deletes) importantDeletions.push({
+				resourceType: "AIGateway",
+				resourceName: del.name
+			});
 			for (const del of auth.changeSet.oauth2Client.deletes) importantDeletions.push({
 				resourceType: "OAuth2 client",
 				resourceName: del.name
@@ -10950,6 +11065,7 @@ async function deploy(options) {
 					...functionRegistry.resourceOwners,
 					...tailorDB.resourceOwners,
 					...staticWebsite.resourceOwners,
+					...aiGateway.resourceOwners,
 					...idp.resourceOwners,
 					...auth.resourceOwners,
 					...pipeline.resourceOwners,
@@ -10971,6 +11087,7 @@ async function deploy(options) {
 			functionRegistry,
 			tailorDB,
 			staticWebsite,
+			aiGateway,
 			idp,
 			auth,
 			pipeline,
@@ -11000,6 +11117,7 @@ async function deploy(options) {
 			await applySecretManager(client, secretManager, "create-update", application);
 			await applyFunctionRegistry(client, workspaceId, functionRegistry, "create-update");
 			await applyStaticWebsite(client, staticWebsite, "create-update");
+			await applyAIGateway(client, aiGateway, "create-update");
 			await applyIdP(client, idp, "create-update");
 			await applyAuth(client, auth, "create-update");
 			await applyTailorDB(client, tailorDB, "create-update");
@@ -11019,6 +11137,7 @@ async function deploy(options) {
 			await applyWorkflow(client, workflow, "delete");
 			await applyExecutor(client, executor, "delete");
 			await applyStaticWebsite(client, staticWebsite, "delete");
+			await applyAIGateway(client, aiGateway, "delete");
 			await applySecretManager(client, secretManager, "delete");
 		});
 		await withSpan("apply.deleteApplication", () => applyApplication(client, app, "delete"));
@@ -11968,6 +12087,16 @@ async function startWorkflowCore(options) {
 		throw error;
 	}
 }
+async function resolveApplicationAuthNamespace(options) {
+	const { config } = await loadConfig(options.configPath);
+	const { application } = await options.client.getApplication({
+		workspaceId: options.workspaceId,
+		applicationName: config.name
+	});
+	const authNamespace = application?.authNamespace || config.auth?.name;
+	if (!authNamespace) throw new Error(`Application ${config.name} does not have an auth configuration.`);
+	return authNamespace;
+}
 async function startWorkflowByName(options) {
 	const machineUser = await loadMachineUserName({
 		machineUser: options.machineUser,
@@ -11979,18 +12108,17 @@ async function startWorkflowByName(options) {
 		workspaceId: options.workspaceId,
 		profile: options.profile
 	});
-	const { config } = await loadConfig(options.configPath);
-	const { application } = await client.getApplication({
+	const authNamespace = await resolveApplicationAuthNamespace({
+		client,
 		workspaceId,
-		applicationName: config.name
+		configPath: options.configPath
 	});
-	if (!application?.authNamespace) throw new Error(`Application ${config.name} does not have an auth configuration.`);
 	return await startWorkflowCore({
 		client,
 		workspaceId,
 		workflowName: options.name,
 		authInvoker: {
-			namespace: application.authNamespace,
+			namespace: authNamespace,
 			machineUserName: machineUser
 		},
 		arg: options.arg,
@@ -11999,14 +12127,24 @@ async function startWorkflowByName(options) {
 }
 async function startWorkflow(options) {
 	if ("name" in options) return await startWorkflowByName(options);
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
+	const workspaceId = await loadWorkspaceId({
+		workspaceId: options.workspaceId,
+		profile: options.profile
+	});
+	const authNamespace = await resolveApplicationAuthNamespace({
+		client,
+		workspaceId,
+		configPath: options.configPath
+	});
 	return await startWorkflowCore({
-		client: await initOperatorClient(await loadAccessToken({ profile: options.profile })),
-		workspaceId: await loadWorkspaceId({
-			workspaceId: options.workspaceId,
-			profile: options.profile
-		}),
+		client,
+		workspaceId,
 		workflowName: options.workflow.name,
-		authInvoker: options.authInvoker,
+		authInvoker: {
+			namespace: authNamespace,
+			machineUserName: options.authInvoker
+		},
 		arg: options.arg,
 		interval: options.interval
 	});
@@ -12019,7 +12157,6 @@ const startCommand = defineAppCommand({
 		...nameArgs,
 		"machine-user": arg(z.string().optional(), {
 			alias: "m",
-			hiddenAlias: "machineuser",
 			description: "Machine user name. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
@@ -12894,19 +13031,6 @@ const listCommand$8 = defineAppCommand({
 	}
 });
 
-//#endregion
-//#region src/cli/commands/generate/types.ts
-/**
-* Type guard to check if a generator has a specific dependency.
-* @template D
-* @param generator - Code generator instance
-* @param dependency - Dependency kind to check
-* @returns True if the generator has the dependency
-*/
-function hasDependency(generator, dependency) {
-	return generator.dependencies.includes(dependency);
-}
-
 //#endregion
 //#region src/cli/commands/generate/watch/index.ts
 /**
@@ -13295,12 +13419,11 @@ function createDependencyWatcher(options = {}) {
 * @param params - Parameters for creating the generation manager
 * @param params.application - Application instance to generate code for
 * @param params.config - Loaded configuration
-* @param params.generators - Code generators to run
 * @param params.pluginManager - Plugin manager for processing plugins
 * @returns GenerationManager instance
 */
 function createGenerationManager(params) {
-	const { application, config, generators = [], pluginManager } = params;
+	const { application, config, pluginManager } = params;
 	const baseDir = path.join(getDistDir(), "generated");
 	fs$1.mkdirSync(baseDir, { recursive: true });
 	const services = {
@@ -13309,11 +13432,7 @@ function createGenerationManager(params) {
 		executor: {}
 	};
 	let watcher = null;
-	const generatorResults = {};
 	const generationPlugins = pluginManager?.getPluginsWithGenerationHooks() ?? [];
-	function getReadyGenerators(dep) {
-		return generators.filter((g) => g.dependencies.includes(dep));
-	}
 	function getAuthInput() {
 		const authService = application.authService;
 		if (!authService) return void 0;
@@ -13331,98 +13450,6 @@ function createGenerationManager(params) {
 			idProvider: authConfig.idProvider
 		};
 	}
-	async function processTailorDBNamespace(gen, namespace, typeInfo) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		results.tailordbResults[namespace] = {};
-		if (!gen.processType) return;
-		const processType = gen.processType;
-		await Promise.allSettled(Object.entries(typeInfo.types).map(async ([typeName, type]) => {
-			try {
-				assertDefined(results.tailordbResults[namespace], `tailordb results not initialized for namespace ${namespace}`)[typeName] = await processType({
-					type,
-					namespace,
-					source: typeInfo.sourceInfo[typeName],
-					plugins: typeInfo.pluginAttachments.get(typeName) ?? []
-				});
-			} catch (error) {
-				logger.error(`Error processing type ${styles.bold(typeName)} in ${namespace} with generator ${gen.id}`);
-				logger.error(String(error));
-			}
-		}));
-		if ("processTailorDBNamespace" in gen && typeof gen.processTailorDBNamespace === "function") try {
-			results.tailordbNamespaceResults[namespace] = await gen.processTailorDBNamespace({
-				namespace,
-				types: results.tailordbResults[namespace]
-			});
-		} catch (error) {
-			logger.error(`Error processing TailorDB namespace ${styles.bold(namespace)} with generator ${gen.id}`);
-			logger.error(String(error));
-		}
-		else results.tailordbNamespaceResults[namespace] = results.tailordbResults[namespace];
-	}
-	async function processResolverNamespace(gen, namespace, resolvers) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		results.resolverResults[namespace] = {};
-		if (!gen.processResolver) return;
-		const processResolver = gen.processResolver;
-		await Promise.allSettled(Object.entries(resolvers).map(async ([resolverName, resolver]) => {
-			try {
-				assertDefined(results.resolverResults[namespace], `resolver results not initialized for namespace ${namespace}`)[resolverName] = await processResolver({
-					resolver,
-					namespace
-				});
-			} catch (error) {
-				logger.error(`Error processing resolver ${styles.bold(resolverName)} in ${namespace} with generator ${gen.id}`);
-				logger.error(String(error));
-			}
-		}));
-		if ("processResolverNamespace" in gen && typeof gen.processResolverNamespace === "function") try {
-			results.resolverNamespaceResults[namespace] = await gen.processResolverNamespace({
-				namespace,
-				resolvers: results.resolverResults[namespace]
-			});
-		} catch (error) {
-			logger.error(`Error processing Resolver namespace ${styles.bold(namespace)} with generator ${gen.id}`);
-			logger.error(String(error));
-		}
-		else results.resolverNamespaceResults[namespace] = results.resolverResults[namespace];
-	}
-	async function processExecutors(gen) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		if (!gen.processExecutor) return;
-		const processExecutor = gen.processExecutor;
-		await Promise.allSettled(Object.entries(services.executor).map(async ([executorId, executor]) => {
-			try {
-				results.executorResults[executorId] = await processExecutor(executor);
-			} catch (error) {
-				logger.error(`Error processing executor ${styles.bold(executor.name)} with generator ${gen.id}`);
-				logger.error(String(error));
-			}
-		}));
-	}
-	async function aggregate(gen) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		const tailordbResults = [];
-		const resolverResults = [];
-		for (const [namespace, types] of Object.entries(results.tailordbNamespaceResults)) tailordbResults.push({
-			namespace,
-			types
-		});
-		for (const [namespace, resolvers] of Object.entries(results.resolverNamespaceResults)) resolverResults.push({
-			namespace,
-			resolvers
-		});
-		const input = { auth: getAuthInput() };
-		if (hasDependency(gen, "tailordb")) input.tailordb = tailordbResults;
-		if (hasDependency(gen, "resolver")) input.resolver = resolverResults;
-		if (hasDependency(gen, "executor")) input.executor = Object.values(results.executorResults);
-		const result = await gen.aggregate({
-			input,
-			baseDir: path.join(baseDir, gen.id),
-			configPath: config.path
-		});
-		await writeGeneratedFiles(gen.id, result);
-	}
 	/**
 	* Build TailorDB namespace data array from loaded services.
 	* @returns Array of TailorDB namespace data
@@ -13517,8 +13544,8 @@ function createGenerationManager(params) {
 	}
 	/**
 	* Write generated files to disk.
-	* @param sourceId - Generator or plugin ID for logging
-	* @param result - Generator result containing files to write
+	* @param sourceId - Plugin ID for logging
+	* @param result - Generation result containing files to write
 	*/
 	async function writeGeneratedFiles(sourceId, result) {
 		await Promise.all(result.files.map(async (file) => {
@@ -13552,36 +13579,6 @@ function createGenerationManager(params) {
 			});
 		}));
 	}
-	async function processGenerator(gen) {
-		generatorResults[gen.id] = {
-			tailordbResults: {},
-			resolverResults: {},
-			tailordbNamespaceResults: {},
-			resolverNamespaceResults: {},
-			executorResults: {}
-		};
-		if (hasDependency(gen, "tailordb")) for (const [namespace, types] of Object.entries(services.tailordb)) await processTailorDBNamespace(gen, namespace, types);
-		if (hasDependency(gen, "resolver")) for (const [namespace, resolvers] of Object.entries(services.resolver)) await processResolverNamespace(gen, namespace, resolvers);
-		if (hasDependency(gen, "executor")) await processExecutors(gen);
-		await aggregate(gen);
-	}
-	async function runGenerators(gens, watch) {
-		const results = await Promise.allSettled(gens.map(async (gen) => {
-			await withSpan(`generate.generator.${gen.id}`, async () => {
-				try {
-					await processGenerator(gen);
-				} catch (error) {
-					logger.error(`Error processing generator ${styles.bold(gen.id)}`);
-					logger.error(String(error));
-					if (!watch) throw error;
-				}
-			});
-		}));
-		if (!watch) {
-			const failures = results.filter((r) => r.status === "rejected");
-			if (failures.length > 0) throw new AggregateError(failures.map((f) => f.reason));
-		}
-	}
 	async function restartWatchProcess() {
 		logger.newline();
 		logger.info("Restarting watch process to clear module cache...", { mode: "stream" });
@@ -13609,14 +13606,7 @@ function createGenerationManager(params) {
 	return {
 		application,
 		baseDir,
-		generators,
 		services,
-		generatorResults,
-		processGenerator,
-		processTailorDBNamespace,
-		processResolverNamespace,
-		processExecutors,
-		aggregate,
 		async generate(watch) {
 			logger.newline();
 			logger.log(`Generation for application: ${styles.highlight(application.config.name)}`);
@@ -13661,11 +13651,9 @@ function createGenerationManager(params) {
 				await withSpan("generate.resolveAuthNamespaces", async () => authService.resolveNamespaces());
 			}
 			if (app.tailorDBServices.length > 0 || pluginExecutorFiles.length > 0) logger.newline();
-			const readyAfterTailorDB = getReadyGenerators("tailordb");
-			const hasOnTailorDBReady = generationPlugins.some((p) => p.onTailorDBReady != null);
-			if (readyAfterTailorDB.length > 0 || hasOnTailorDBReady) {
+			if (generationPlugins.some((p) => p.onTailorDBReady != null)) {
 				await withSpan("generate.onTailorDBReady", async () => {
-					await Promise.all([runGenerators(readyAfterTailorDB, watch), runPluginHook("onTailorDBReady", watch)]);
+					await runPluginHook("onTailorDBReady", watch);
 				});
 				logger.newline();
 			}
@@ -13688,11 +13676,9 @@ function createGenerationManager(params) {
 					});
 				}
 			});
-			const readyAfterResolvers = getReadyGenerators("resolver");
-			const hasOnResolverReady = generationPlugins.some((p) => p.onResolverReady != null);
-			if (readyAfterResolvers.length > 0 || hasOnResolverReady) {
+			if (generationPlugins.some((p) => p.onResolverReady != null)) {
 				await withSpan("generate.onResolversReady", async () => {
-					await Promise.all([runGenerators(readyAfterResolvers, watch), runPluginHook("onResolverReady", watch)]);
+					await runPluginHook("onResolverReady", watch);
 				});
 				logger.newline();
 			}
@@ -13706,11 +13692,9 @@ function createGenerationManager(params) {
 					services.executor[key] = executor;
 				});
 			});
-			const readyAfterExecutors = getReadyGenerators("executor");
-			const hasOnExecutorReady = generationPlugins.some((p) => p.onExecutorReady != null);
-			if (readyAfterExecutors.length > 0 || hasOnExecutorReady) {
+			if (generationPlugins.some((p) => p.onExecutorReady != null)) {
 				await withSpan("generate.onExecutorsReady", async () => {
-					await Promise.all([runGenerators(readyAfterExecutors, watch), runPluginHook("onExecutorReady", watch)]);
+					await runPluginHook("onExecutorReady", watch);
 				});
 				logger.newline();
 			}
@@ -13735,18 +13719,17 @@ function createGenerationManager(params) {
 	};
 }
 /**
-* Run code generation using the Tailor configuration and generators.
+* Run code generation using the Tailor configuration.
 * @param options - Generation options
 * @returns Promise that resolves when generation (and watch, if enabled) completes
 */
 async function generate$1(options) {
 	return withSpan("generate", async (rootSpan) => {
-		const { config, generators, plugins } = await withSpan("generate.loadConfig", async () => {
+		const { config, plugins } = await withSpan("generate.loadConfig", async () => {
 			return loadConfig(options?.configPath);
 		});
 		const watch = options?.watch ?? false;
 		rootSpan.setAttribute("generate.watch", watch);
-		rootSpan.setAttribute("generate.generators.count", generators.length);
 		await withSpan("generate.generateUserTypes", async () => generateUserTypes({
 			config,
 			configPath: config.path
@@ -13761,7 +13744,6 @@ async function generate$1(options) {
 		const manager = createGenerationManager({
 			application,
 			config,
-			generators,
 			pluginManager
 		});
 		await manager.generate(watch);
@@ -14561,6 +14543,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	};
 	const tailorDB = await planTailorDB(ctx);
 	const staticWebsite = await planStaticWebsite(ctx);
+	const aiGateway = await planAIGateway(ctx);
 	const idp = await planIdP(ctx);
 	const auth = await planAuth(ctx);
 	const pipeline = await planPipeline(ctx);
@@ -14571,6 +14554,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	const secretManager = await planSecretManager(ctx);
 	functionRegistry.changeSet.print();
 	staticWebsite.changeSet.print();
+	aiGateway.changeSet.print();
 	app.print();
 	tailorDB.changeSet.service.print();
 	tailorDB.changeSet.type.print();
@@ -14593,11 +14577,12 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	auth.changeSet.connection.print();
 	secretManager.vaultChangeSet.print();
 	secretManager.secretChangeSet.print();
-	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
+	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && aiGateway.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
 	if (confirm) await confirm();
 	await applyWorkflow(client, workflow, "delete");
 	await applyExecutor(client, executor, "delete");
 	await applyStaticWebsite(client, staticWebsite, "delete");
+	await applyAIGateway(client, aiGateway, "delete");
 	await applyApplication(client, app, "delete");
 	await applyPipeline(client, pipeline, "delete-resources");
 	await applyPipeline(client, pipeline, "delete-services");
@@ -15384,7 +15369,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-av2raLs6.mjs");
+	const { defineApplication } = await import("./application-DB2r36Et.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -16089,7 +16074,7 @@ const createCommand = defineAppCommand({
 			alias: "p",
 			description: "Profile name to create"
 		}),
-		"profile-user": arg(z.string().optional(), { description: "User email for the profile (defaults to current user)" }),
+		"profile-user": arg(z.string().optional(), { description: "User email address or machine user client ID for the profile (defaults to current user)" }),
 		permission: arg(z.enum(["write", "read"]).default("write"), { description: "Profile permission (requires --profile-name). 'read' blocks all write commands while the profile is active." })
 	}).strict(),
 	run: async (args) => {
@@ -17210,7 +17195,7 @@ async function runRepl(options) {
 	const execute = await prepareQueryExecutor(options);
 	const historyPath = getReplHistoryPath(options.engine, options.profile, options.workspaceId);
 	const validate = createReplValidator(options.engine);
-	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-CJG3sz7A.mjs");
+	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-DmGr9zMw.mjs");
 	const highlight = options.engine === "sql" ? highlightSqlLine : highlightGraphqlLine;
 	const prompt = createPrompt({
 		prefix: "",
@@ -17378,7 +17363,6 @@ const queryCommand = defineAppCommand({
 		edit: arg(z.boolean().default(false), { description: "Open a temporary file in your editor; omit to start REPL mode" }),
 		"machine-user": arg(z.string().optional(), {
 			alias: "m",
-			hiddenAlias: "machineuser",
 			description: "Machine user name for query execution. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
@@ -17545,4 +17529,4 @@ function isDeno() {
 
 //#endregion
 export { listCommand$5 as $, INITIAL_SCHEMA_NUMBER as $t, truncate as A, commonArgs as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, PluginManager as Cn, triggerExecutor as Ct, resumeWorkflow as D, apiCall as Dn, jobsCommand as Dt, resumeCommand as E, apiCommand as En, getExecutorJob as Et, writeDbTypesFile as F, pagedLogArgs as Fn, getWorkflowExecution as Ft, organizationTree as G, MIGRATION_LABEL_KEY as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, paginationArgs as In, listWorkflowExecutions as It, listOrganizations as J, compareSnapshotWithRemote as Jt, treeCommand as K, handleOptionalToRequiredError as Kt, openInConfiguredEditor as L, toPageDirection as Ln, functionExecutionStatusToString as Lt, generate as M, confirmationArgs as Mn, getCommand$5 as Mt, generateCommand as N, deploymentArgs as Nn, getWorkflow as Nt, listCommand$3 as O, assertWritable as On, listExecutorJobs as Ot, generateMigrationScript as P, isVerbose as Pn, executionsCommand as Pt, updateFolder as Q, DIFF_FILE_NAME as Qt, show as R, workspaceArgs as Rn, formatKeyValueTable as Rt, listApps as S, sdkNameLabelKey as Sn, triggerCommand as St, healthCommand as T, prompt as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, bundleMigrationScript as Wt, getOrganization as X, protoGqlPermission as Xt, getCommand$1 as Y, generateAllTypeManifestsFromSnapshot as Yt, updateCommand$2 as Z, DB_TYPES_FILE_NAME as Zt, getWorkspace as _, formatMigrationDiff as _n, listFunctionRegistries as _t, updateUser as a, createSnapshotFromLocalTypes as an, createCommand$1 as at, createCommand as b, ensureConfigId as bn, listWebhookExecutors as bt, listCommand as c, getMigrationFilePath as cn, listOAuth2Clients as ct, inviteUser as d, isValidMigrationNumber as dn, getMachineUserToken as dt, MIGRATE_FILE_NAME as en, listFolders as et, restoreCommand as f, loadDiff as fn, tokenCommand as ft, getCommand as g, formatDiffSummary as gn, listCommand$8 as gt, listWorkspaces as h, parseMigrationNumberArg as hn, generate$1 as ht, updateCommand as i, compareSnapshots as in, deleteFolder as it, truncateCommand as j, configArg as jn, startWorkflow as jt, listWorkflows as k, defineAppCommand as kn, watchExecutorJob as kt, listUsers as l, getMigrationFiles as ln, getCommand$3 as lt, listCommand$1 as m, formatMigrationNumber as mn, listMachineUsers as mt, query as n, assertValidMigrationFiles as nn, getFolder as nt, removeCommand as o, getLatestMigrationNumber as on, createFolder as ot, restoreWorkspace as p, reconstructSnapshotFromMigrations as pn, listCommand$7 as pt, listCommand$4 as q, parseMigrationLabelNumber as qt, queryCommand as r, compareLocalTypesWithSnapshot as rn, deleteCommand$1 as rt, removeUser as s, getMigrationDirPath as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, SCHEMA_FILE_NAME as tn, getCommand$2 as tt, inviteCommand as u, getNextMigrationNumber as un, getOAuth2Client as ut, deleteCommand as v, hasChanges as vn, getCommand$4 as vt, getAppHealth as w, generateUserTypes as wn, listCommand$9 as wt, createWorkspace as x, resourceTrn as xn, webhookCommand as xt, deleteWorkspace as y, getNamespacesWithMigrations as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-C7qTBDD2.mjs.map
+//# sourceMappingURL=runtime-n9NCkjee.mjs.map