@tailor-platform/sdk 2.0.0-next.0 → 2.0.0-next.1

package/dist/{application-76hhIhnJ.mjs → application-DqS1yBg3.mjs}

@@ -1,17 +1,13 @@
-
-import { n as isSdkBranded } from "./brand-DlnJ375c.mjs";
-import { a as fetchAll, d as initOAuth2Client } from "./client-CobIRHl-.mjs";
-import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
-import { a as parseBoolean, n as logger, r as styles } from "./logger-DpJyJvNz.mjs";
-import { a as TailorFieldSchema, i as AuthInvokerSchema, n as ExecutorSchema, o as loadFilesWithIgnores, r as AuthConfigSchema, s as functionSchema, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
-import { n as enumConstantsPlugin, t as EnumConstantsGeneratorID } from "./enum-constants-C7DaWeQo.mjs";
-import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
-import { n as fileUtilsPlugin, t as FileUtilsGeneratorID } from "./file-utils-BHPxPXmn.mjs";
-import { n as kyselyTypePlugin, t as KyselyGeneratorID } from "./kysely-type-D1e0Vwkd.mjs";
-import { n as seedPlugin, r as isPluginGeneratedType, t as SeedGeneratorID } from "./seed-BH2FbrPV.mjs";
-import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
-import { t as createCLIError } from "./errors-EsY4XO6O.mjs";
-import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-CWzF8rry.mjs";
+import { n as isSdkBranded } from "./brand-Eo4pLXPJ.mjs";
+import { a as fetchAll, d as initOAuth2Client, l as fetchUserInfo } from "./client-z_oHGVNy.mjs";
+import { t as assertDefined } from "./assert-DBxo8jPo.mjs";
+import { a as parseBoolean, n as logger, r as styles } from "./logger-CxF-Ex5d.mjs";
+import { a as TailorFieldSchema, i as AuthInvokerSchema, n as ExecutorSchema, o as loadFilesWithIgnores, r as AuthConfigSchema, s as functionSchema, t as createExecutorService } from "./service-CCL8ruDf.mjs";
+import { t as multiline } from "./multiline-sfHpTZZK.mjs";
+import { t as readPackageJson } from "./package-json-8b0O9TlX.mjs";
+import { t as createCLIError } from "./errors-Dtf2WPaW.mjs";
+import { n as tightenSecretFilePermissions, r as writeSecretFile } from "./secret-file-DBqZhjFQ.mjs";
+import { t as isPluginGeneratedType } from "./type-source-DH_LH20p.mjs";
 import { builtinModules, createRequire } from "node:module";
 import { z } from "zod";
 import * as fs$1 from "node:fs";
@@ -83,46 +79,10 @@ const AppConfigSchema = z.object({
 	workflow: z.unknown().optional(),
 	httpAdapter: z.unknown().optional(),
 	staticWebsites: z.unknown().optional(),
+	aiGateways: z.unknown().optional(),
 	secrets: z.unknown().optional()
 });
 
-//#endregion
-//#region src/parser/generator-config/schema.ts
-const DependencyKindSchema = z.enum([
-	"tailordb",
-	"resolver",
-	"executor"
-]);
-const KyselyTypeConfigSchema = z.tuple([z.literal("@tailor-platform/kysely-type"), z.object({ distPath: z.string() })]);
-const SeedConfigSchema = z.tuple([z.literal("@tailor-platform/seed"), z.object({
-	distPath: z.string(),
-	machineUserName: z.string().optional(),
-	disableIdpUserSync: z.object({
-		userToIdp: z.boolean().optional(),
-		idpToUser: z.boolean().optional()
-	}).optional()
-})]);
-const EnumConstantsConfigSchema = z.tuple([z.literal("@tailor-platform/enum-constants"), z.object({ distPath: z.string() })]);
-const FileUtilsConfigSchema = z.tuple([z.literal("@tailor-platform/file-utils"), z.object({ distPath: z.string() })]);
-const CodeGeneratorSchema = z.object({
-	id: z.string(),
-	description: z.string(),
-	dependencies: z.array(DependencyKindSchema),
-	processType: z.function().optional(),
-	processResolver: z.function().optional(),
-	processExecutor: z.function().optional(),
-	processTailorDBNamespace: z.function().optional(),
-	processResolverNamespace: z.function().optional(),
-	aggregate: z.function({ output: z.any() })
-});
-const BaseGeneratorConfigSchema = z.union([
-	KyselyTypeConfigSchema,
-	SeedConfigSchema,
-	EnumConstantsConfigSchema,
-	FileUtilsConfigSchema,
-	CodeGeneratorSchema
-]);
-
 //#endregion
 //#region src/parser/plugin-config/schema.ts
 const PluginConfigSchema = z.object({
@@ -140,15 +100,6 @@ const PluginConfigSchema = z.object({
 	return !(p.onTypeLoaded || p.onNamespaceLoaded) || !!p.importPath;
 }, { message: "importPath is required when plugin has definition-time hooks (onTypeLoaded/onNamespaceLoaded)" }).transform((plugin) => plugin);
 
-//#endregion
-//#region src/plugin/builtin/registry.ts
-const builtinPlugins = new Map([
-	[KyselyGeneratorID, (options) => kyselyTypePlugin(options)],
-	[SeedGeneratorID, (options) => seedPlugin(options)],
-	[EnumConstantsGeneratorID, (options) => enumConstantsPlugin(options)],
-	[FileUtilsGeneratorID, (options) => fileUtilsPlugin(options)]
-]);
-
 //#endregion
 //#region src/cli/shared/token-store.ts
 const SERVICE_NAME = "tailor-platform-cli";
@@ -237,14 +188,19 @@ const pfUserFileSchema = z.object({
 	refresh_token: z.string().optional()
 });
 const pfUserSchemaV2 = z.discriminatedUnion("storage", [pfUserKeyringSchema, pfUserFileSchema]);
+const pfUserKeyringSchemaV3 = pfUserKeyringSchema.extend({ email: z.string().optional() });
+const pfUserFileSchemaV3 = pfUserFileSchema.extend({ email: z.string().optional() });
+const pfUserSchemaV3 = z.discriminatedUnion("storage", [pfUserKeyringSchemaV3, pfUserFileSchemaV3]);
 const pfConfigSchemaV1 = z.object({
 	version: z.literal(1),
 	users: z.partialRecord(z.string(), pfUserSchemaV1),
 	profiles: z.partialRecord(z.string(), pfProfileSchema),
 	current_user: z.string().nullable()
 });
-const LATEST_CONFIG_VERSION = 2;
+const V2_CONFIG_VERSION = 2;
+const LATEST_CONFIG_VERSION = 3;
 const V2_MIN_SDK_VERSION = "1.29.0";
+const V3_MIN_SDK_VERSION = "2.0.0";
 const semverSchema = z.templateLiteral([
 	z.number().int(),
 	".",
@@ -253,7 +209,7 @@ const semverSchema = z.templateLiteral([
 	z.number().int()
 ]);
 const pfConfigSchemaV2 = z.object({
-	version: z.literal(LATEST_CONFIG_VERSION),
+	version: z.literal(V2_CONFIG_VERSION),
 	min_sdk_version: semverSchema,
 	latest_version: z.number().int().optional(),
 	latest_min_sdk_version: semverSchema.optional(),
@@ -261,6 +217,15 @@ const pfConfigSchemaV2 = z.object({
 	profiles: z.partialRecord(z.string(), pfProfileSchema),
 	current_user: z.string().nullable()
 });
+const pfConfigSchemaV3 = z.object({
+	version: z.literal(LATEST_CONFIG_VERSION),
+	min_sdk_version: semverSchema,
+	latest_version: z.number().int().optional(),
+	latest_min_sdk_version: semverSchema.optional(),
+	users: z.partialRecord(z.string(), pfUserSchemaV3),
+	profiles: z.partialRecord(z.string(), pfProfileSchema),
+	current_user: z.string().nullable()
+});
 function platformConfigPath() {
 	if (!xdgConfig) throw new Error("User home directory not found");
 	return path.join(xdgConfig, "tailor-platform", "config.yaml");
@@ -284,13 +249,48 @@ function migrateV1ToV2(v1Config) {
 		};
 	}
 	return {
-		version: LATEST_CONFIG_VERSION,
+		version: V2_CONFIG_VERSION,
 		min_sdk_version: V2_MIN_SDK_VERSION,
 		users,
 		profiles: v1Config.profiles,
 		current_user: v1Config.current_user
 	};
 }
+function inferEmailFromUserId(user) {
+	return z.email().safeParse(user).success ? user : void 0;
+}
+function findConfigUserKey(config, user) {
+	if (config.users[user]) return user;
+	return Object.entries(config.users).find(([, entry]) => entry?.email === user)?.[0];
+}
+function migrateV2ToV3(v2Config) {
+	const users = {};
+	for (const [user, entry] of Object.entries(v2Config.users)) {
+		if (!entry) continue;
+		const email = inferEmailFromUserId(user);
+		users[user] = {
+			...entry,
+			...email ? { email } : {}
+		};
+	}
+	return {
+		version: LATEST_CONFIG_VERSION,
+		min_sdk_version: V3_MIN_SDK_VERSION,
+		users,
+		profiles: v2Config.profiles,
+		current_user: v2Config.current_user
+	};
+}
+function migrateV1ToV3(v1Config) {
+	return migrateV2ToV3(migrateV1ToV2(v1Config));
+}
+async function warnIfNewerConfigAvailable(config) {
+	if (!config.latest_min_sdk_version) return;
+	if (lt((await readPackageJson()).version ?? "0.0.0", config.latest_min_sdk_version)) logger.warn(multiline`
+      A newer config version (${String(config.latest_version)}) is available.
+      Please update your SDK to >= ${config.latest_min_sdk_version}: pnpm update @tailor-platform/sdk
+    `);
+}
 /**
 * Read Tailor Platform CLI configuration, migrating from tailorctl or v1 if necessary.
 * @returns Parsed platform configuration
@@ -307,7 +307,7 @@ async function readPlatformConfig() {
 			current_user: null
 		};
 		writePlatformConfig(v1Config);
-		return migrateV1ToV2(v1Config);
+		return migrateV1ToV3(v1Config);
 	}
 	const rawConfig = parseYAML(fs$1.readFileSync(configPath, "utf-8"));
 	tightenSecretFilePermissions(configPath);
@@ -320,18 +320,18 @@ async function readPlatformConfig() {
       ${updateHint}
     `);
 	}
+	const v3Result = pfConfigSchemaV3.safeParse(rawConfig);
+	if (v3Result.success) {
+		await warnIfNewerConfigAvailable(v3Result.data);
+		return v3Result.data;
+	}
 	const v2Result = pfConfigSchemaV2.safeParse(rawConfig);
 	if (v2Result.success) {
-		if (v2Result.data.latest_min_sdk_version) {
-			if (lt((await readPackageJson()).version ?? "0.0.0", v2Result.data.latest_min_sdk_version)) logger.warn(multiline`
-          A newer config version (${String(v2Result.data.latest_version)}) is available.
-          Please update your SDK to >= ${v2Result.data.latest_min_sdk_version}: pnpm update @tailor-platform/sdk
-        `);
-		}
-		return v2Result.data;
+		await warnIfNewerConfigAvailable(v2Result.data);
+		return migrateV2ToV3(v2Result.data);
 	}
 	const v1Result = pfConfigSchemaV1.safeParse(rawConfig);
-	if (v1Result.success) return migrateV1ToV2(v1Result.data);
+	if (v1Result.success) return migrateV1ToV3(v1Result.data);
 	throw new Error(multiline`
     Failed to parse config file at ${configPath}.
     The file may be corrupted or created by an incompatible SDK version.
@@ -360,9 +360,9 @@ function toV1ForDisk(config) {
 * By default, V2 configs are converted to V1 for backward compatibility, so an
 * older SDK can still read the file. Configs containing a keyring user are kept
 * as V2 regardless, because the keyring storage variant is not representable in
-* V1 and downgrading it would silently drop the user's login. Such configs are
-* already V2 on disk (a keyring entry is only ever persisted with
-* TAILOR_USE_KEYRING set), so keeping V2 does not regress backward compatibility.
+* V1 and downgrading it would silently drop the user's login. V3 configs are
+* kept as V3 because user keys are canonical subject IDs and may include email
+* metadata that is not representable in older versions.
 * Set TAILOR_USE_KEYRING to write V2 format unconditionally.
 *
 * The config file may contain access/refresh tokens when the OS keyring is
@@ -505,7 +505,7 @@ async function loadAccessToken(opts) {
       `);
 		user = u;
 	}
-	return await fetchLatestToken(pfConfig, user);
+	return (await fetchLatestToken(pfConfig, user)).accessToken;
 }
 /**
 * Resolve the actual token values for a user, reading from keyring or config as appropriate.
@@ -532,22 +532,26 @@ async function resolveTokens(userEntry, user) {
 * @param config - Platform config
 * @param user - User identifier
 * @param tokens - Token data to save
-* @param tokens.accessToken
-* @param tokens.refreshToken
+* @param tokens.accessToken - Access token to save
+* @param tokens.refreshToken - Optional refresh token to save
 * @param expiresAt - Token expiration date
+* @param metadata - Optional user metadata to persist with the token entry
 */
-async function saveUserTokens(config, user, tokens, expiresAt) {
+async function saveUserTokens(config, user, tokens, expiresAt, metadata) {
+	const email = metadata?.email ?? config.users[user]?.email;
 	if (process.env.TAILOR_USE_KEYRING && await isKeyringAvailable()) {
 		await saveKeyringTokens(user, tokens);
 		config.users[user] = {
 			token_expires_at: expiresAt,
-			storage: "keyring"
+			storage: "keyring",
+			...email ? { email } : {}
 		};
 	} else config.users[user] = {
 		access_token: tokens.accessToken,
 		refresh_token: tokens.refreshToken,
 		token_expires_at: expiresAt,
-		storage: "file"
+		storage: "file",
+		...email ? { email } : {}
 	};
 }
 /**
@@ -558,20 +562,50 @@ async function saveUserTokens(config, user, tokens, expiresAt) {
 async function deleteUserTokens(config, user) {
 	if (config.users[user]?.storage === "keyring") await deleteKeyringTokens(user);
 }
+function updateUserReferences(config, fromUser, toUser) {
+	if (fromUser === toUser) return;
+	if (config.current_user === fromUser) config.current_user = toUser;
+	for (const profile of Object.values(config.profiles)) if (profile?.user === fromUser) profile.user = toUser;
+}
+/**
+* Remove a legacy alias after a canonical user ID has been written.
+* @param config - Platform config
+* @param legacyUser - Previous user key
+* @param canonicalUser - Canonical user key
+*/
+async function removeLegacyUserAlias(config, legacyUser, canonicalUser) {
+	if (legacyUser === canonicalUser) return;
+	updateUserReferences(config, legacyUser, canonicalUser);
+	await deleteUserTokens(config, legacyUser);
+	delete config.users[legacyUser];
+}
+function shouldResolveSubjectOnRefresh(user, userEntry) {
+	return Boolean(userEntry.email || inferEmailFromUserId(user));
+}
 /**
 * Fetch the latest access token, refreshing if necessary.
 * @param config - Platform config
-* @param user - User name
-* @returns Latest access token
+* @param user - User identifier
+* @returns Latest access token and the canonical user ID it is stored under
+*   (the resolved subject when a legacy email key was migrated during refresh,
+*   otherwise the matching config user)
 */
 async function fetchLatestToken(config, user) {
-	const userEntry = config.users[user];
+	const storedUser = findConfigUserKey(config, user);
+	if (!storedUser) throw new Error(multiline`
+      User "${user}" not found.
+      Please verify your user name and login using 'tailor-sdk login' command.
+    `);
+	const userEntry = config.users[storedUser];
 	if (!userEntry) throw new Error(multiline`
       User "${user}" not found.
       Please verify your user name and login using 'tailor-sdk login' command.
     `);
-	const tokens = await resolveTokens(userEntry, user);
-	if (new Date(userEntry.token_expires_at) > /* @__PURE__ */ new Date()) return tokens.accessToken;
+	const tokens = await resolveTokens(userEntry, storedUser);
+	if (new Date(userEntry.token_expires_at) > /* @__PURE__ */ new Date()) return {
+		accessToken: tokens.accessToken,
+		user: storedUser
+	};
 	if (!tokens.refreshToken) throw new Error(multiline`
       Token expired.
       Please run 'tailor-sdk login' and try again.
@@ -591,12 +625,27 @@ async function fetchLatestToken(config, user) {
     `);
 	}
 	const newExpiresAt = new Date(assertDefined(resp.expiresAt, "token refresh response missing expiresAt")).toISOString();
-	await saveUserTokens(config, user, {
+	let resolvedUser = storedUser;
+	const previousEmail = userEntry.email ?? inferEmailFromUserId(storedUser);
+	let email = previousEmail;
+	if (shouldResolveSubjectOnRefresh(storedUser, userEntry)) try {
+		const userInfo = await fetchUserInfo(resp.accessToken);
+		resolvedUser = userInfo.sub;
+		email = userInfo.email;
+	} catch (error) {
+		logger.debug(`Failed to resolve refreshed token user info: ${String(error)}`);
+	}
+	await saveUserTokens(config, resolvedUser, {
 		accessToken: resp.accessToken,
 		refreshToken: resp.refreshToken ?? void 0
-	}, newExpiresAt);
+	}, newExpiresAt, { email });
+	await removeLegacyUserAlias(config, storedUser, resolvedUser);
+	if (previousEmail && email && previousEmail !== email) logger.info(`Updated local user email from "${previousEmail}" to "${email}".`);
 	writePlatformConfig(config);
-	return resp.accessToken;
+	return {
+		accessToken: resp.accessToken,
+		user: resolvedUser
+	};
 }
 const DEFAULT_CONFIG_FILENAME = "tailor.config.ts";
 /**
@@ -638,12 +687,11 @@ function installCliTailordbStub() {
 
 //#endregion
 //#region src/cli/shared/config-loader.ts
-const GeneratorConfigSchema = CodeGeneratorSchema.brand("CodeGenerator");
 /**
-* Load Tailor configuration file and associated generators and plugins.
+* Load Tailor configuration file and associated plugins.
 * @param configPath - Optional explicit config path
 * @param options - Optional module import behavior.
-* @returns Loaded config, generators, plugins, and config path
+* @returns Loaded config, plugins, and config path
 */
 async function loadConfig(configPath, options = {}) {
 	installCliTailordbStub();
@@ -660,34 +708,8 @@ async function loadConfig(configPath, options = {}) {
 		const issues = validated.error.issues.map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`).join("\n");
 		throw new Error(`Invalid Tailor config in ${resolvedPath}:\n${issues}`);
 	}
-	const allGenerators = [];
 	const allPlugins = [];
 	for (const value of Object.values(configModule)) if (Array.isArray(value)) {
-		const generatorParsed = value.reduce((acc, item) => {
-			if (!acc.success) return acc;
-			const baseResult = BaseGeneratorConfigSchema.safeParse(item);
-			if (baseResult.success && Array.isArray(baseResult.data)) {
-				const [id, options] = baseResult.data;
-				const pluginFactory = builtinPlugins.get(id);
-				if (pluginFactory) {
-					acc.convertedPlugins.push(pluginFactory(options));
-					return acc;
-				}
-			}
-			const result = GeneratorConfigSchema.safeParse(item);
-			if (result.success) acc.items.push(result.data);
-			else acc.success = false;
-			return acc;
-		}, {
-			success: true,
-			items: [],
-			convertedPlugins: []
-		});
-		if (generatorParsed.success && (generatorParsed.items.length > 0 || generatorParsed.convertedPlugins.length > 0)) {
-			allGenerators.push(...generatorParsed.items);
-			allPlugins.push(...generatorParsed.convertedPlugins);
-			continue;
-		}
 		const pluginParsed = value.reduce((acc, item) => {
 			if (!acc.success) return acc;
 			const result = PluginConfigSchema.safeParse(item);
@@ -705,7 +727,6 @@ async function loadConfig(configPath, options = {}) {
 			...configModule.default,
 			path: resolvedPath
 		},
-		generators: allGenerators,
 		plugins: allPlugins
 	};
 }
@@ -906,7 +927,33 @@ function resolveRelativePluginImportPath(pluginImportPath, baseDirs) {
 }
 
 //#endregion
-//#region src/types/plugin.ts
+//#region src/plugin/guards.ts
+/**
+* Collects the generation-time dependency kinds a plugin requires.
+* @param plugin - The plugin object to inspect.
+* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
+* @param plugin.onResolverReady - Hook for resolver readiness.
+* @param plugin.onExecutorReady - Hook for executor readiness.
+* @returns Set of dependency kinds required by the plugin.
+*/
+function getPluginGenerationDependencies(plugin) {
+	const deps = /* @__PURE__ */ new Set();
+	if (plugin.onTailorDBReady) deps.add("tailordb");
+	if (plugin.onResolverReady) deps.add("resolver");
+	if (plugin.onExecutorReady) deps.add("executor");
+	return deps;
+}
+/**
+* Checks if a plugin has any generation-time hooks.
+* @param plugin - The plugin object to inspect.
+* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
+* @param plugin.onResolverReady - Hook for resolver readiness.
+* @param plugin.onExecutorReady - Hook for executor readiness.
+* @returns True if the plugin has at least one generation hook.
+*/
+function hasGenerationHooks(plugin) {
+	return !!(plugin.onTailorDBReady || plugin.onResolverReady || plugin.onExecutorReady);
+}
 /**
 * Checks if a plugin executor uses file-based resolution.
 * @param executor - The plugin executor to check.
@@ -1921,14 +1968,14 @@ const NORMALIZER_IDENTIFIER = "__tailor_normalizeAuthInvoker";
 /**
 * Build the source text of the injected normalizer helper.
 *
-* Accepts either a plain string (machine user name) or the object form
-* `{ namespace, machineUserName }`, and always returns the object form.
+* Accepts a plain string machine user name and returns the object form
+* expected by the platform RPC.
 * The auth namespace is baked in at bundle time.
 * @param authNamespace - Auth service namespace to embed
 * @returns Source line defining the helper
 */
 function buildNormalizerHelperSource(authNamespace) {
-	return `const ${NORMALIZER_IDENTIFIER} = (v) => typeof v === "string" ? { namespace: ${JSON.stringify(authNamespace)}, machineUserName: v } : v;\n`;
+	return `const ${NORMALIZER_IDENTIFIER} = (machineUserName) => ({ namespace: ${JSON.stringify(authNamespace)}, machineUserName });\n`;
 }
 /**
 * Extract authInvoker info from a config object expression
@@ -2188,7 +2235,7 @@ function transformFunctionTriggers(source, workflowNameMap, jobNameMap, workflow
 	} else if (call.kind === "job") {
 		const jobName = jobNameMap.get(call.identifierName);
 		if (jobName) {
-			const transformedCall = `(async () => tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"}))()`;
+			const transformedCall = `tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"})`;
 			replacements.push({
 				start: call.callRange.start,
 				end: call.callRange.end,
@@ -4055,7 +4102,7 @@ const HTTP_METHOD_KEYS = Object.keys(HTTP_METHODS);
 
 //#endregion
 //#region src/parser/service/http-adapter/schema.ts
-const NAME_PATTERN = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
+const NAME_PATTERN$1 = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
 const inputHandlersSchema = z.strictObject({
 	get: functionSchema.optional().describe("Handler for GET requests"),
 	post: functionSchema.optional().describe("Handler for POST requests"),
@@ -4064,7 +4111,7 @@ const inputHandlersSchema = z.strictObject({
 	delete: functionSchema.optional().describe("Handler for DELETE requests")
 }).refine((val) => Object.values(val).some((v) => v !== void 0), "input must declare at least one HTTP method handler").describe("Per-method functions that transform HTTP requests to GraphQL requests");
 const HttpAdapterConfigSchema = z.strictObject({
-	name: z.string().regex(NAME_PATTERN, "name must be 3-63 chars, lowercase alphanumeric with hyphens, not starting or ending with a hyphen").describe("Unique adapter name within the domain"),
+	name: z.string().regex(NAME_PATTERN$1, "name must be 3-63 chars, lowercase alphanumeric with hyphens, not starting or ending with a hyphen").describe("Unique adapter name within the domain"),
 	pathPattern: z.string().min(1).describe("Path pattern with segment wildcards (trailing or single-segment)"),
 	enabled: z.boolean().default(true).describe("Whether the adapter is active"),
 	priority: z.number().int().min(0).default(0).describe("Matching priority; the lowest value wins when multiple adapters match"),
@@ -4667,7 +4714,7 @@ function transformWorkflowSource(source, targetJobName, targetJobExportName, oth
 		if (isInsideRemovedRange(call.callRange.start)) continue;
 		const jobName = jobNameMap.get(call.identifierName);
 		if (jobName) {
-			const transformedCall = `(async () => tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"}))()`;
+			const transformedCall = `tailor.workflow.triggerJobFunction("${jobName}", ${call.argsText || "undefined"})`;
 			replacements.push({
 				start: call.callRange.start,
 				end: call.callRange.end,
@@ -5065,6 +5112,17 @@ async function loadFileContent(filePath) {
 	};
 }
 
+//#endregion
+//#region src/cli/shared/auth-namespace.ts
+/**
+* Resolve the auth namespace configured for an application.
+* @param application - Loaded application with local or external Auth config
+* @returns Auth namespace, or undefined when no Auth config is present
+*/
+function getApplicationAuthNamespace(application) {
+	return application.authService?.config.name ?? application.config?.auth?.name;
+}
+
 //#endregion
 //#region src/cli/shared/inline-sourcemap.ts
 /**
@@ -5084,6 +5142,16 @@ function resolveInlineSourcemap(configValue) {
 	return true;
 }
 
+//#endregion
+//#region src/parser/service/aigateway/schema.ts
+const NAME_PATTERN = /^[a-z0-9][a-z0-9-]{1,28}[a-z0-9]$/;
+const AUTH_NAMESPACE_PATTERN = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
+const AIGatewaySchema = z.object({
+	name: z.string().regex(NAME_PATTERN, "Must be 3-30 lowercase alphanumeric characters or hyphens").describe("AI Gateway name"),
+	authNamespace: z.string().regex(AUTH_NAMESPACE_PATTERN, "Must be 3-63 lowercase alphanumeric characters or hyphens").describe("Auth namespace used to resolve request tokens against the workspace's auth"),
+	cors: z.array(z.string()).optional().describe("Allowed CORS origins for browser-based clients. Each entry is `*`, `http(s)://*`, `http(s)://*.example.com`, or `http(s)://app.example.com`, optionally with `:port`. Empty list disables cross-origin access.")
+}).brand("AIGatewayConfig");
+
 //#endregion
 //#region src/parser/service/idp/schema.ts
 /**
@@ -5376,6 +5444,17 @@ function defineStaticWebsites(websites) {
 	});
 	return staticWebsiteServices;
 }
+function defineAIGateways(gateways) {
+	const aiGatewayServices = [];
+	const gatewayNames = /* @__PURE__ */ new Set();
+	(gateways ?? []).forEach((config) => {
+		const gateway = AIGatewaySchema.parse(config);
+		if (gatewayNames.has(gateway.name)) throw new Error(`AI Gateway with name "${gateway.name}" already defined.`);
+		gatewayNames.add(gateway.name);
+		aiGatewayServices.push(gateway);
+	});
+	return aiGatewayServices;
+}
 function parseSecretManager(config) {
 	if (!config) return {
 		secrets: [],
@@ -5404,6 +5483,7 @@ function defineServices(config, pluginManager) {
 	const idpResult = defineIdp(config.idp);
 	const authResult = defineAuth(config.auth, tailordbResult.tailorDBServices, tailordbResult.externalTailorDBNamespaces);
 	const staticWebsiteServices = defineStaticWebsites(config.staticWebsites);
+	const aiGatewayServices = defineAIGateways(config.aiGateways);
 	const { secrets, ignoreNullishValues } = parseSecretManager(config.secrets);
 	return {
 		tailordbResult,
@@ -5411,6 +5491,7 @@ function defineServices(config, pluginManager) {
 		idpResult,
 		authResult,
 		staticWebsiteServices,
+		aiGatewayServices,
 		secrets,
 		ignoreNullishValues
 	};
@@ -5435,6 +5516,7 @@ function buildApplication(params) {
 		workflowService: params.workflowService,
 		httpAdapterService: params.httpAdapterService,
 		staticWebsiteServices: params.staticWebsiteServices,
+		aiGatewayServices: params.aiGatewayServices,
 		secrets: params.secrets,
 		ignoreNullishValues: params.ignoreNullishValues,
 		env: params.env,
@@ -5501,7 +5583,7 @@ function generatePluginFilesIfNeeded(pluginManager, tailorDBServices, configPath
 */
 async function loadApplication(params) {
 	const { config, pluginManager, bundleCache } = params;
-	const { tailordbResult, resolverResult, idpResult, authResult, staticWebsiteServices, secrets, ignoreNullishValues } = defineServices(config, pluginManager);
+	const { tailordbResult, resolverResult, idpResult, authResult, staticWebsiteServices, aiGatewayServices, secrets, ignoreNullishValues } = defineServices(config, pluginManager);
 	for (const tailordb of tailordbResult.tailorDBServices) {
 		await tailordb.loadTypes();
 		await tailordb.processNamespacePlugins();
@@ -5513,7 +5595,10 @@ async function loadApplication(params) {
 	if (workflowService) await workflowService.loadWorkflows();
 	const httpAdapterService = defineHttpAdapterService(config.httpAdapter);
 	if (httpAdapterService) await httpAdapterService.loadAdapters();
-	const triggerContext = await buildTriggerContext(config.workflow, authResult.authService?.config.name);
+	const triggerContext = await buildTriggerContext(config.workflow, getApplicationAuthNamespace({
+		authService: authResult.authService,
+		config
+	}));
 	const inlineSourcemap = resolveInlineSourcemap(config.inlineSourcemap);
 	const bundleLogLevel = resolveBundleLogLevel(config.logLevel);
 	const bundledScripts = {
@@ -5579,6 +5664,7 @@ async function loadApplication(params) {
 			workflowService,
 			httpAdapterService,
 			staticWebsiteServices,
+			aiGatewayServices,
 			secrets,
 			ignoreNullishValues,
 			env: config.env ?? {}
@@ -5590,5 +5676,5 @@ async function loadApplication(params) {
 }
 
 //#endregion
-export { readPlatformConfig as A, loadConfig as C, loadConfigPath as D, loadAccessToken as E, saveUserTokens as M, writePlatformConfig as N, loadMachineUserName as O, hashFile as S, fetchLatestToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, INVOKER_EXPR as c, assertUniqueLocalTailorDBTypeNames as d, assertUniqueTailorDBTypeNamesWithExternal as f, composeFunctionTreeshakeOptions as g, platformBundleDefinePlugin as h, resolveInlineSourcemap as i, resolveTokens as j, loadWorkspaceId as k, buildExecutorArgsExpr as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, buildResolverOperationHookExpr as u, resolveBundleLogLevel as v, deleteUserTokens as w, hashContent as x, createBundleCache as y };
-//# sourceMappingURL=application-76hhIhnJ.mjs.map
+export { loadAccessToken as A, getDistDir as C, deleteUserTokens as D, loadConfig as E, removeLegacyUserAlias as F, resolveTokens as I, saveUserTokens as L, loadMachineUserName as M, loadWorkspaceId as N, fetchLatestToken as O, readPlatformConfig as P, writePlatformConfig as R, createBundleCache as S, hashFile as T, composeFunctionTreeshakeOptions as _, getApplicationAuthNamespace as a, getPluginGenerationDependencies as b, HTTP_METHODS as c, buildResolverOperationHookExpr as d, assertUniqueLocalTailorDBTypeNames as f, platformBundleDefinePlugin as g, stringifyFunction as h, resolveInlineSourcemap as i, loadConfigPath as j, findConfigUserKey as k, INVOKER_EXPR as l, TailorDBTypeSchema as m, generatePluginFilesIfNeeded as n, WorkflowJobSchema as o, assertUniqueTailorDBTypeNamesWithExternal as p, loadApplication as r, ResolverSchema as s, defineApplication as t, buildExecutorArgsExpr as u, createLogLevelTreeshakeOptions as v, hashContent as w, hasGenerationHooks as x, resolveBundleLogLevel as y };
+//# sourceMappingURL=application-DqS1yBg3.mjs.map