@tailor-platform/sdk 2.0.0-next.0 → 2.0.0-next.2

package/dist/{runtime-C7qTBDD2.mjs → runtime-CY4JvrDj.mjs}

@@ -1,14 +1,13 @@
-
-import { t as db } from "./schema-1msIhXwA.mjs";
-import { $ as CreateExecutorExecutorRequestSchema, A as TailorDBGQLPermission_Permit, At as AuthSCIMAttribute_Type, B as UpdateSecretManagerSecretRequestSchema, Bt as Subgraph_ServiceType, C as WorkflowExecution_Status, Ct as AuthConnection_Type, D as UpdateTailorDBTypeRequestSchema, Dt as AuthOAuth2Client_ClientType, E as CreateTailorDBTypeRequestSchema, Et as AuthInvokerSchema, F as CreateStaticWebsiteRequestSchema, Ft as UserProfileProviderConfig_UserProfileProviderType, G as PipelineResolver_OperationType, H as CreatePipelineServiceRequestSchema, Ht as Condition_Operator, I as UpdateStaticWebsiteRequestSchema, It as CreateApplicationRequestSchema, J as IdPLang, K as CreateIdPServiceRequestSchema, Lt as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, M as TailorDBType_Permission_Permit, Mt as AuthSCIMConfig_AuthorizationType, N as TailorDBType_PermitAction, O as TailorDBGQLPermission_Action, Ot as AuthOAuth2Client_GrantType, P as AddCustomDomainRequestSchema, Pt as TenantProviderConfig_TenantProviderType, R as CreateSecretManagerSecretRequestSchema, Rt as UpdateApplicationRequestSchema, S as UpdateWorkflowRequestSchema, St as UpdateUserProfileConfigRequestSchema, T as CreateTailorDBServiceRequestSchema, Tt as AuthIDPConfig_AuthType, U as UpdatePipelineResolverRequestSchema, Ut as FilterSchema, V as CreatePipelineResolverRequestSchema, Vt as ConditionSchema, W as UpdatePipelineServiceRequestSchema, Wt as PageDirection, X as IdPPermissionPermit, Y as IdPPermissionOperator, Z as FunctionExecution_Status, _ as userAgent, _t as UpdateAuthOAuth2ClientRequestSchema, a as fetchAll, at as CreateAuthHookRequestSchema, b as CreateWorkflowJobFunctionRequestSchema, bt as UpdateAuthServiceRequestSchema, ct as CreateAuthOAuth2ClientRequestSchema, dt as CreateAuthServiceRequestSchema, et as UpdateExecutorExecutorRequestSchema, f as initOperatorClient, ft as CreateTenantConfigRequestSchema, gt as UpdateAuthMachineUserRequestSchema, h as resolveStaticWebsiteUrls, ht as UpdateAuthIDPConfigRequestSchema, it as CreateAuthConnectionRequestSchema, j as TailorDBType_Permission_Operator, jt as AuthSCIMAttribute_Uniqueness, k as TailorDBGQLPermission_Operator, kt as AuthSCIMAttribute_Mutability, lt as CreateAuthSCIMConfigRequestSchema, m as platformBaseUrl, mt as UpdateAuthHookRequestSchema, nt as ExecutorTargetType, o as fetchMachineUserToken, ot as CreateAuthIDPConfigRequestSchema, pt as CreateUserProfileConfigRequestSchema, q as UpdateIdPServiceRequestSchema, rt as ExecutorTriggerType, s as fetchPaged, st as CreateAuthMachineUserRequestSchema, tt as ExecutorJobStatus, ut as CreateAuthSCIMResourceRequestSchema, v as OperatorService, vt as UpdateAuthSCIMConfigRequestSchema, w as WorkflowJobExecution_Status, wt as AuthHookPoint, x as CreateWorkflowRequestSchema, xt as UpdateTenantConfigRequestSchema, y as WorkspacePlatformUserRole, yt as UpdateAuthSCIMResourceRequestSchema, z as CreateSecretManagerVaultRequestSchema, zt as ApplicationSchemaUpdateAttemptStatus } from "./client-CobIRHl-.mjs";
-import { t as assertDefined } from "./assert-CKfwrmCV.mjs";
-import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-DpJyJvNz.mjs";
-import { A as readPlatformConfig, C as loadConfig, D as loadConfigPath, E as loadAccessToken, N as writePlatformConfig, O as loadMachineUserName, S as hashFile, b as getDistDir, d as assertUniqueLocalTailorDBTypeNames, f as assertUniqueTailorDBTypeNamesWithExternal, h as platformBundleDefinePlugin, k as loadWorkspaceId, l as buildExecutorArgsExpr, m as stringifyFunction, n as generatePluginFilesIfNeeded, p as TailorDBTypeSchema, r as loadApplication, s as HTTP_METHODS, t as defineApplication, u as buildResolverOperationHookExpr, y as createBundleCache } from "./application-76hhIhnJ.mjs";
-import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-wI3Hvrgx.mjs";
-import { t as multiline } from "./multiline-Cf9ODpr1.mjs";
-import { t as readPackageJson } from "./package-json-DcQApfPQ.mjs";
-import { n as isCLIError, t as createCLIError } from "./errors-EsY4XO6O.mjs";
-import { r as withSpan } from "./telemetry-BQbbVo2t.mjs";
+import { t as db } from "./schema-Dtw9Orye.mjs";
+import { $ as CreateWorkflowRequestSchema, $t as UpdateTenantConfigRequestSchema, A as loadAccessToken, B as fetchAll, Bt as CreateAuthOAuth2ClientRequestSchema, C as getDistDir, Ct as PipelineResolver_OperationType, Dt as IdPPermissionOperator, E as loadConfig, Et as IdPLang, Ft as ExecutorTriggerType, Gt as CreateUserProfileConfigRequestSchema, H as fetchPaged, Ht as CreateAuthSCIMResourceRequestSchema, It as CreateAuthConnectionRequestSchema, J as resolveStaticWebsiteUrls, Jt as UpdateAuthMachineUserRequestSchema, K as initOperatorClient, Kt as UpdateAuthHookRequestSchema, Lt as CreateAuthHookRequestSchema, M as loadMachineUserName, Mt as UpdateExecutorExecutorRequestSchema, N as loadWorkspaceId, Nt as ExecutorJobStatus, Ot as IdPPermissionPermit, P as readPlatformConfig, Pt as ExecutorTargetType, Q as CreateWorkflowJobFunctionRequestSchema, Qt as UpdateAuthServiceRequestSchema, R as writePlatformConfig, Rt as CreateAuthIDPConfigRequestSchema, S as createBundleCache, Sn as PageDirection, St as UpdatePipelineServiceRequestSchema, T as hashFile, Tt as UpdateIdPServiceRequestSchema, Ut as CreateAuthServiceRequestSchema, V as fetchMachineUserToken, Vt as CreateAuthSCIMConfigRequestSchema, Wt as CreateTenantConfigRequestSchema, X as OperatorService, Xt as UpdateAuthSCIMConfigRequestSchema, Y as byName, Yt as UpdateAuthOAuth2ClientRequestSchema, Z as WorkspacePlatformUserRole, Zt as UpdateAuthSCIMResourceRequestSchema, _n as ApplicationSchemaUpdateAttemptStatus, _t as CreateSecretManagerVaultRequestSchema, a as getApplicationAuthNamespace, an as AuthOAuth2Client_ClientType, at as UpdateTailorDBTypeRequestSchema, b as getPluginGenerationDependencies, bn as Condition_Operator, bt as CreatePipelineServiceRequestSchema, c as HTTP_METHODS, cn as AuthSCIMAttribute_Type, ct as TailorDBGQLPermission_Permit, d as buildResolverOperationHookExpr, dt as TailorDBType_PermitAction, en as UpdateUserProfileConfigRequestSchema, et as UpdateWorkflowRequestSchema, f as assertUniqueLocalTailorDBTypeNames, fn as TenantProviderConfig_TenantProviderType, ft as AddCustomDomainRequestSchema, g as platformBundleDefinePlugin, gn as UpdateApplicationRequestSchema, gt as CreateSecretManagerSecretRequestSchema, h as stringifyFunction, hn as GetApplicationSchemaHealthResponse_ApplicationSchemaHealthStatus, in as AuthInvokerSchema, it as CreateTailorDBTypeRequestSchema, j as loadConfigPath, jt as CreateExecutorExecutorRequestSchema, kt as FunctionExecution_Status, ln as AuthSCIMAttribute_Uniqueness, lt as TailorDBType_Permission_Operator, m as TailorDBTypeSchema, mn as CreateApplicationRequestSchema, mt as UpdateStaticWebsiteRequestSchema, n as generatePluginFilesIfNeeded, nn as AuthHookPoint, nt as WorkflowJobExecution_Status, on as AuthOAuth2Client_GrantType, ot as TailorDBGQLPermission_Action, p as assertUniqueTailorDBTypeNamesWithExternal, pn as UserProfileProviderConfig_UserProfileProviderType, pt as CreateStaticWebsiteRequestSchema, q as platformBaseUrl, qt as UpdateAuthIDPConfigRequestSchema, r as loadApplication, rn as AuthIDPConfig_AuthType, rt as CreateTailorDBServiceRequestSchema, sn as AuthSCIMAttribute_Mutability, st as TailorDBGQLPermission_Operator, t as defineApplication, tn as AuthConnection_Type, tt as WorkflowExecution_Status, u as buildExecutorArgsExpr, un as AuthSCIMConfig_AuthorizationType, ut as TailorDBType_Permission_Permit, vn as Subgraph_ServiceType, vt as UpdateSecretManagerSecretRequestSchema, wt as CreateIdPServiceRequestSchema, x as hasGenerationHooks, xn as FilterSchema, xt as UpdatePipelineResolverRequestSchema, yn as ConditionSchema, yt as CreatePipelineResolverRequestSchema, zt as CreateAuthMachineUserRequestSchema } from "./application-XuMWK4eq.mjs";
+import { t as assertDefined } from "./assert-DBxo8jPo.mjs";
+import { a as parseBoolean, i as symbols, n as logger, r as styles, t as CIPromptError } from "./logger-CxF-Ex5d.mjs";
+import { o as loadFilesWithIgnores, t as createExecutorService } from "./service-DjyqbCaJ.mjs";
+import { t as multiline } from "./multiline-sfHpTZZK.mjs";
+import { t as readPackageJson } from "./package-json-8b0O9TlX.mjs";
+import { i as userAgent } from "./secret-file-VSVGy1V0.mjs";
+import { n as isCLIError, t as createCLIError } from "./errors-Dtf2WPaW.mjs";
+import { r as withSpan } from "./telemetry-CdqJEzkj.mjs";
 import { arg, createDefineCommand, defineCommand, runCommand } from "politty";
 import { z } from "zod";
 import { ScalarType, create, fromJson, toJson } from "@bufbuild/protobuf";
@@ -24,6 +23,7 @@ import { tmpdir } from "node:os";
 import { findUpSync } from "find-up-simple";
 import { xdgConfig } from "xdg-basedir";
 import { Code, ConnectError } from "@connectrpc/connect";
+import pLimit from "p-limit";
 import { resolveTSConfig } from "pkg-types";
 import * as crypto$1 from "node:crypto";
 import { createHash } from "node:crypto";
@@ -35,10 +35,10 @@ import * as fs from "node:fs/promises";
 import { glob } from "node:fs/promises";
 import { parseSync } from "oxc-parser";
 import * as inflection from "inflection";
-import pLimit from "p-limit";
 import { pathToString } from "@bufbuild/protobuf/reflect";
 import { createValidator } from "@bufbuild/protovalidate";
 import { setTimeout as setTimeout$1 } from "timers/promises";
+import { setTimeout as setTimeout$2 } from "node:timers/promises";
 import { spawn } from "node:child_process";
 import { watch } from "chokidar";
 import * as madgeModule from "madge";
@@ -1103,7 +1103,7 @@ function extractAttributesFromConfig(config) {
 * @param attributeMap - Attribute map configuration
 * @param attributeList - Attribute list configuration
 * @param env - Environment configuration
-* @param machineUserNames - Registered machine user names (used to narrow `authInvoker` strings)
+* @param machineUserNames - Registered machine user names (used to narrow `invoker` strings)
 * @param idpNames - Registered IdP names (used to narrow `idpUser*Trigger({ idp })` strings)
 * @returns Generated type definition source
 */
@@ -1240,35 +1240,6 @@ async function generateUserTypes(options) {
 	}
 }
 
-//#endregion
-//#region src/types/plugin-generation.ts
-/**
-* Derives generation-time dependency set from hook presence on a plugin.
-* @param plugin - The plugin object to inspect.
-* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
-* @param plugin.onResolverReady - Hook for resolver readiness.
-* @param plugin.onExecutorReady - Hook for executor readiness.
-* @returns Set of dependency kinds required by the plugin.
-*/
-function getPluginGenerationDependencies(plugin) {
-	const deps = /* @__PURE__ */ new Set();
-	if (plugin.onTailorDBReady) deps.add("tailordb");
-	if (plugin.onResolverReady) deps.add("resolver");
-	if (plugin.onExecutorReady) deps.add("executor");
-	return deps;
-}
-/**
-* Checks if a plugin has any generation-time hooks.
-* @param plugin - The plugin object to inspect.
-* @param plugin.onTailorDBReady - Hook for TailorDB readiness.
-* @param plugin.onResolverReady - Hook for resolver readiness.
-* @param plugin.onExecutorReady - Hook for executor readiness.
-* @returns True if the plugin has at least one generation hook.
-*/
-function hasGenerationHooks(plugin) {
-	return !!(plugin.onTailorDBReady || plugin.onResolverReady || plugin.onExecutorReady);
-}
-
 //#endregion
 //#region src/plugin/manager.ts
 /**
@@ -1806,6 +1777,219 @@ async function buildMetaRequest(params) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/deploy/owned-resource.ts
+/**
+* Fetch a workspace-scoped resource list and attach SDK ownership metadata.
+* @template T
+* @param params - Resource fetch parameters
+* @param params.client - Operator client instance
+* @param params.workspaceId - Workspace ID
+* @param params.fetchPage - Function that fetches one resource page
+* @param params.getName - Function that extracts the resource name
+* @param params.getTrn - Function that builds the resource TRN
+* @returns Existing resources keyed by resource name, with SDK labels attached
+*/
+async function fetchExistingResourcesWithLabels(params) {
+	const { client, workspaceId, fetchPage, getName, getTrn } = params;
+	const withoutLabel = await fetchAll(async (pageToken, maxPageSize) => {
+		try {
+			return await fetchPage(pageToken, maxPageSize);
+		} catch (error) {
+			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
+			throw error;
+		}
+	});
+	const existingResources = {};
+	await Promise.all(withoutLabel.map(async (resource) => {
+		const name = getName(resource);
+		if (!name) return;
+		const { metadata } = await client.getMetadata({ trn: getTrn(workspaceId, name) });
+		existingResources[name] = {
+			resource,
+			label: metadata?.labels[sdkNameLabelKey],
+			allLabels: metadata?.labels
+		};
+	}));
+	return existingResources;
+}
+/**
+* Determine whether a same-named existing resource is managed by this app.
+* Records the user-facing confirmation data when ownership does not match.
+* @param params - Ownership classification inputs
+* @param params.labels - Existing resource labels
+* @param params.ownerLabel - Existing `sdk-name` label, when present
+* @param params.appName - Current application name
+* @param params.appId - Current application id, when present
+* @param params.resourceType - Resource kind for confirmation messages
+* @param params.resourceName - Resource name for confirmation messages
+* @param params.conflicts - Conflict accumulator
+* @param params.unmanaged - Unmanaged-resource accumulator
+* @returns True when the resource is owned by the current app
+*/
+function trackDesiredResourceOwnership(params) {
+	const { labels, ownerLabel, appName, appId, resourceType, resourceName, conflicts, unmanaged } = params;
+	const owned = isOwnedByApp(labels, appName, appId);
+	if (!owned) if (!ownerLabel) unmanaged.push({
+		resourceType,
+		resourceName
+	});
+	else conflicts.push({
+		resourceType,
+		resourceName,
+		currentOwner: ownerLabel
+	});
+	return owned;
+}
+/**
+* Determine whether a remote-only resource is still owned by this app.
+* Also records other SDK owners so renamed-empty applications can be handled.
+* @param params - Ownership classification inputs
+* @param params.labels - Existing resource labels
+* @param params.ownerLabel - Existing `sdk-name` label, when present
+* @param params.appName - Current application name
+* @param params.appId - Current application id, when present
+* @param params.resourceOwners - Other-owner accumulator
+* @returns True when the resource is owned by the current app
+*/
+function trackRemainingResourceOwner(params) {
+	const { labels, ownerLabel, appName, appId, resourceOwners } = params;
+	const owned = isOwnedByApp(labels, appName, appId);
+	if (ownerLabel && !owned) resourceOwners.add(ownerLabel);
+	return owned;
+}
+
+//#endregion
+//#region src/cli/commands/deploy/aigateway.ts
+/**
+* Apply AI Gateway changes for the given phase.
+* @param client - Operator client instance
+* @param result - Planned AI Gateway changes
+* @param phase - Apply phase
+* @returns Promise that resolves when AI Gateways are applied
+*/
+async function applyAIGateway(client, result, phase = "create-update") {
+	const { changeSet } = result;
+	if (phase === "create-update") await Promise.all([...changeSet.creates.map(async (create) => {
+		create.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(create.request.workspaceId, "request missing workspaceId"), create.request.cors, "AIGateway CORS");
+		await client.createAIGateway(create.request);
+		await client.setMetadata(create.metaRequest);
+	}), ...changeSet.updates.map(async (update) => {
+		update.request.cors = await resolveStaticWebsiteUrls(client, assertDefined(update.request.workspaceId, "request missing workspaceId"), update.request.cors, "AIGateway CORS");
+		await client.updateAIGateway(update.request);
+		await client.setMetadata(update.metaRequest);
+	})]);
+	else await Promise.all(changeSet.deletes.map((del) => client.deleteAIGateway(del.request)));
+}
+function normalizeComparableAIGatewayShape(input) {
+	return {
+		authNamespace: input.authNamespace,
+		cors: input.cors.toSorted()
+	};
+}
+function normalizeComparableAIGateway(input) {
+	return normalizeComparableAIGatewayShape({
+		authNamespace: input.authNamespace || "",
+		cors: [...input.cors || []]
+	});
+}
+function areAIGatewaysEqual(existing, desired) {
+	return areNormalizedEqual(normalizeComparableAIGateway(existing), normalizeComparableAIGateway(desired));
+}
+/**
+* Plan AI Gateway changes based on current and desired state.
+* @param context - Planning context
+* @returns Planned changes
+*/
+async function planAIGateway(context) {
+	const { client, workspaceId, application, forRemoval } = context;
+	const changeSet = createChangeSet("AIGateways");
+	const conflicts = [];
+	const unmanaged = [];
+	const resourceOwners = /* @__PURE__ */ new Set();
+	const existingGateways = await fetchExistingResourcesWithLabels({
+		client,
+		workspaceId,
+		fetchPage: async (pageToken, pageSize) => {
+			const { aigateways, nextPageToken } = await client.listAIGateways({
+				workspaceId,
+				pageToken,
+				pageSize
+			});
+			return [aigateways, nextPageToken];
+		},
+		getName: (resource) => resource.name,
+		getTrn: (workspaceId, name) => resourceTrn(workspaceId, "aigateway", name)
+	});
+	const aiGatewayServices = forRemoval ? [] : application.aiGatewayServices;
+	const expectedLocalWebsites = new Set(application.staticWebsiteServices.map((website) => website.name));
+	for (const gatewayService of aiGatewayServices) {
+		const config = gatewayService;
+		const name = gatewayService.name;
+		const existing = existingGateways[name];
+		const metaRequest = await buildMetaRequest({
+			trn: resourceTrn(workspaceId, "aigateway", name),
+			appName: application.name,
+			appId: application.id
+		});
+		const resolvedCors = await resolveStaticWebsiteUrls(client, workspaceId, config.cors ? [...config.cors] : [], "AIGateway CORS", { expectedLocalNames: expectedLocalWebsites });
+		const desired = normalizeComparableAIGateway({
+			...config,
+			cors: resolvedCors
+		});
+		const request = {
+			workspaceId,
+			aigatewayName: name,
+			authNamespace: config.authNamespace,
+			cors: config.cors ? [...config.cors] : []
+		};
+		if (existing) {
+			if (trackDesiredResourceOwnership({
+				labels: existing.allLabels,
+				ownerLabel: existing.label,
+				appName: application.name,
+				appId: application.id,
+				resourceType: "AIGateway",
+				resourceName: name,
+				conflicts,
+				unmanaged
+			}) && hasMatchingSdkVersion(existing.allLabels, metaRequest.labels) && areAIGatewaysEqual(existing.resource, desired)) changeSet.unchanged.push({ name });
+			else changeSet.updates.push({
+				name,
+				request,
+				metaRequest
+			});
+			delete existingGateways[name];
+		} else changeSet.creates.push({
+			name,
+			request,
+			metaRequest
+		});
+	}
+	Object.entries(existingGateways).forEach(([name, entry]) => {
+		const label = entry?.label;
+		if (trackRemainingResourceOwner({
+			labels: entry?.allLabels,
+			ownerLabel: label,
+			appName: application.name,
+			appId: application.id,
+			resourceOwners
+		})) changeSet.deletes.push({
+			name,
+			request: {
+				workspaceId,
+				aigatewayName: name
+			}
+		});
+	});
+	return {
+		changeSet,
+		conflicts,
+		unmanaged,
+		resourceOwners
+	};
+}
+
 //#endregion
 //#region src/cli/commands/deploy/application.ts
 /**
@@ -4707,7 +4891,7 @@ async function readConfigId(configPath) {
 async function assertConfigIdInCI(configPath) {
 	const result = await readConfigId(configPath);
 	if (result === null) return;
-	if (!result.id) throw new Error("tailor.config.ts is missing an 'id'. CI does not auto-generate one (each run would be treated as a separate app and break resource ownership). Run 'tailor-sdk setup github' or 'tailor-sdk apply' locally and commit the injected id.");
+	if (!result.id) throw new Error("tailor.config.ts is missing an 'id'. CI does not auto-generate one (each run would be treated as a separate app and break resource ownership). Run 'tailor-sdk setup' or 'tailor-sdk deploy' locally and commit the injected id.");
 	if (!uuidRegex.test(result.id)) throw new Error(`'id' in ${configPath} must be a UUID. To use this config for a separate app, delete it.`);
 }
 /**
@@ -4875,111 +5059,29 @@ async function confirmImportantResourceDeletion(resources, yes) {
 }
 
 //#endregion
-//#region src/cli/commands/deploy/auth-invoker.ts
+//#region src/cli/commands/deploy/invoker.ts
 /**
-* Normalize an authInvoker value to the object form required by the proto payload.
+* Normalize an invoker value to the object form required by the proto payload.
 *
 * Accepts either:
 * - `undefined` — returns undefined
 * - a plain string (machine user name) — expands to `{ namespace, machineUserName }` using `authNamespace`
-* - an object `{ namespace, machineUserName }` — returned as-is
-* @param authInvoker - String machine user name or object form
-* @param authNamespace - Auth service namespace (required when authInvoker is a string)
+* - an internal object `{ namespace, machineUserName }` — returned as-is
+* @param invoker - String machine user name or internal object form
+* @param authNamespace - Auth service namespace (required when invoker is a string)
 * @param context - Contextual label used in error messages (e.g. `resolver "foo"`)
-* @returns Object form of auth invoker, or undefined
+* @returns Object form of the invoker, or undefined
 */
-function normalizeAuthInvoker(authInvoker, authNamespace, context) {
-	if (authInvoker === void 0) return void 0;
-	if (typeof authInvoker === "string") {
-		if (!authNamespace) throw new Error(`${context} uses a string authInvoker ("${authInvoker}"), but no Auth service is configured. Configure an Auth service or use the object form { namespace, machineUserName }.`);
+function normalizeInvoker(invoker, authNamespace, context) {
+	if (invoker === void 0) return void 0;
+	if (typeof invoker === "string") {
+		if (!authNamespace) throw new Error(`${context} uses a string invoker ("${invoker}"), but no Auth service is configured. Configure an Auth service before using invoker.`);
 		return {
 			namespace: authNamespace,
-			machineUserName: authInvoker
+			machineUserName: invoker
 		};
 	}
-	return authInvoker;
-}
-
-//#endregion
-//#region src/cli/commands/deploy/owned-resource.ts
-/**
-* Fetch a workspace-scoped resource list and attach SDK ownership metadata.
-* @template T
-* @param params - Resource fetch parameters
-* @param params.client - Operator client instance
-* @param params.workspaceId - Workspace ID
-* @param params.fetchPage - Function that fetches one resource page
-* @param params.getName - Function that extracts the resource name
-* @param params.getTrn - Function that builds the resource TRN
-* @returns Existing resources keyed by resource name, with SDK labels attached
-*/
-async function fetchExistingResourcesWithLabels(params) {
-	const { client, workspaceId, fetchPage, getName, getTrn } = params;
-	const withoutLabel = await fetchAll(async (pageToken, maxPageSize) => {
-		try {
-			return await fetchPage(pageToken, maxPageSize);
-		} catch (error) {
-			if (error instanceof ConnectError && error.code === Code.NotFound) return [[], ""];
-			throw error;
-		}
-	});
-	const existingResources = {};
-	await Promise.all(withoutLabel.map(async (resource) => {
-		const name = getName(resource);
-		if (!name) return;
-		const { metadata } = await client.getMetadata({ trn: getTrn(workspaceId, name) });
-		existingResources[name] = {
-			resource,
-			label: metadata?.labels[sdkNameLabelKey],
-			allLabels: metadata?.labels
-		};
-	}));
-	return existingResources;
-}
-/**
-* Determine whether a same-named existing resource is managed by this app.
-* Records the user-facing confirmation data when ownership does not match.
-* @param params - Ownership classification inputs
-* @param params.labels - Existing resource labels
-* @param params.ownerLabel - Existing `sdk-name` label, when present
-* @param params.appName - Current application name
-* @param params.appId - Current application id, when present
-* @param params.resourceType - Resource kind for confirmation messages
-* @param params.resourceName - Resource name for confirmation messages
-* @param params.conflicts - Conflict accumulator
-* @param params.unmanaged - Unmanaged-resource accumulator
-* @returns True when the resource is owned by the current app
-*/
-function trackDesiredResourceOwnership(params) {
-	const { labels, ownerLabel, appName, appId, resourceType, resourceName, conflicts, unmanaged } = params;
-	const owned = isOwnedByApp(labels, appName, appId);
-	if (!owned) if (!ownerLabel) unmanaged.push({
-		resourceType,
-		resourceName
-	});
-	else conflicts.push({
-		resourceType,
-		resourceName,
-		currentOwner: ownerLabel
-	});
-	return owned;
-}
-/**
-* Determine whether a remote-only resource is still owned by this app.
-* Also records other SDK owners so renamed-empty applications can be handled.
-* @param params - Ownership classification inputs
-* @param params.labels - Existing resource labels
-* @param params.ownerLabel - Existing `sdk-name` label, when present
-* @param params.appName - Current application name
-* @param params.appId - Current application id, when present
-* @param params.resourceOwners - Other-owner accumulator
-* @returns True when the resource is owned by the current app
-*/
-function trackRemainingResourceOwner(params) {
-	const { labels, ownerLabel, appName, appId, resourceOwners } = params;
-	const owned = isOwnedByApp(labels, appName, appId);
-	if (ownerLabel && !owned) resourceOwners.add(ownerLabel);
-	return owned;
+	return invoker;
 }
 
 //#endregion
@@ -5192,8 +5294,9 @@ function resolveIdpNamespace(application, executorName, idpName) {
 	return assertDefined(application.idpServices[0], "idp service missing").name;
 }
 function resolveAuthNamespace(application) {
-	if (!application.authService) throw new Error("No Auth service configured");
-	return application.authService.config.name;
+	const authNamespace = getApplicationAuthNamespace(application);
+	if (!authNamespace) throw new Error("No Auth service configured");
+	return authNamespace;
 }
 function protoExecutor(application, executor) {
 	const appName = application.name;
@@ -5278,7 +5381,7 @@ function protoExecutor(application, executor) {
 	const target = executor.operation;
 	let targetType;
 	let targetConfig;
-	const authNamespace = application.authService?.config.name;
+	const authNamespace = getApplicationAuthNamespace(application);
 	const invokerContext = `Executor "${executor.name}"`;
 	switch (target.kind) {
 		case "webhook":
@@ -5317,7 +5420,7 @@ function protoExecutor(application, executor) {
 					appName: target.appName ?? appName,
 					query: target.query,
 					variables: target.variables ? { expr: `(${stringifyFunction(target.variables)})(${argsExpr})` } : void 0,
-					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
+					invoker: normalizeInvoker(target.invoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -5331,7 +5434,7 @@ function protoExecutor(application, executor) {
 					name: "operation",
 					scriptRef: executorFunctionName(executor.name),
 					variables: { expr: argsExpr },
-					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
+					invoker: normalizeInvoker(target.invoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -5342,7 +5445,7 @@ function protoExecutor(application, executor) {
 				value: {
 					workflowName: target.workflowName,
 					variables: target.args ? typeof target.args === "function" ? { expr: `(${stringifyFunction(target.args)})(${argsExpr})` } : { expr: JSON.stringify(target.args) } : void 0,
-					invoker: normalizeAuthInvoker(target.authInvoker, authNamespace, invokerContext)
+					invoker: normalizeInvoker(target.invoker, authNamespace, invokerContext)
 				}
 			} };
 			break;
@@ -5434,7 +5537,7 @@ async function planPipeline(context) {
 	}
 	const executors = forRemoval ? [] : Object.values(await application.executorService?.loadExecutors() ?? {});
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices$1(client, workspaceId, application.name, application.id, pipelines);
-	const { changeSet: resolverChangeSet } = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, application.authService?.config.name, forceApplyAll);
+	const { changeSet: resolverChangeSet } = await planResolvers(client, workspaceId, pipelines, executors, serviceChangeSet.deletes.map((del) => del.name), application.env, getApplicationAuthNamespace(application), forceApplyAll);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -5678,7 +5781,7 @@ function processResolver(namespace, resolver, executorUsedResolvers, env, authNa
 		operationSourceRef: resolverFunctionName(namespace, resolver.name),
 		operationHook: { expr: buildResolverOperationHookExpr(env) },
 		postScript: `args.body`,
-		invoker: normalizeAuthInvoker(resolver.authInvoker, authNamespace, `Resolver "${resolver.name}"`)
+		invoker: normalizeInvoker(resolver.invoker, authNamespace, `Resolver "${resolver.name}"`)
 	}];
 	const typeBaseName = inflection.camelize(resolver.name);
 	const inputs = resolver.input ? protoFields(resolver.input, `${typeBaseName}Input`, true) : [];
@@ -6873,7 +6976,7 @@ function createSnapshotFieldConfig(field) {
 }
 /**
 * Create a snapshot field config from an OperatorFieldConfig (for nested fields)
-* @param {import("@/types/tailordb").OperatorFieldConfig} fieldConfig - Field configuration
+* @param {import("@/parser/service/tailordb/types").OperatorFieldConfig} fieldConfig - Field configuration
 * @returns {SnapshotFieldConfig} Snapshot field configuration
 */
 function createSnapshotFieldConfigFromOperatorConfig(fieldConfig) {
@@ -8598,7 +8701,7 @@ const DEFAULT_POLL_INTERVAL = 1e3;
 * @returns {Promise<ExecutionWaitResult>} Execution result
 * @throws {Error} If execution is not found
 */
-async function waitForExecution$1(client, workspaceId, executionId, pollInterval = DEFAULT_POLL_INTERVAL) {
+async function waitForExecution(client, workspaceId, executionId, pollInterval = DEFAULT_POLL_INTERVAL) {
 	while (true) {
 		const { execution } = await client.getFunctionExecution({
 			workspaceId,
@@ -8629,11 +8732,11 @@ async function executeScript(options) {
 		workspaceId,
 		name,
 		code,
-		arg: arg ?? JSON.stringify({}),
+		arg: JSON.stringify(arg === void 0 ? {} : arg),
 		invoker
 	});
 	const executionId = response.executionId;
-	const result = await waitForExecution$1(client, workspaceId, executionId, pollInterval);
+	const result = await waitForExecution(client, workspaceId, executionId, pollInterval);
 	if (result.status === FunctionExecution_Status.SUCCESS) return {
 		success: true,
 		logs: result.logs,
@@ -8882,13 +8985,13 @@ async function detectPendingMigrations(client, workspaceId, namespacesWithMigrat
 * @returns {Promise<ExecutionResult>} Execution result
 */
 async function executeSingleMigration(options, migration) {
-	const { client, workspaceId, authInvoker, env } = options;
+	const { client, workspaceId, invoker, env } = options;
 	const result = await executeScript({
 		client,
 		workspaceId,
 		name: `migration-${migration.namespace}-${formatMigrationNumber(migration.number)}.js`,
 		code: (await bundleMigrationScript(migration.scriptPath, migration.namespace, migration.number, env)).bundledCode,
-		invoker: authInvoker
+		invoker
 	});
 	return {
 		namespace: migration.namespace,
@@ -8933,14 +9036,14 @@ async function executeMigrations(context, migrations) {
 		const migrationConfig = context.dbConfig[namespace]?.migration;
 		const machineUserName = getMigrationMachineUser(migrationConfig, context.machineUsers);
 		if (!machineUserName) throw new Error(`No machine user available for migration execution in namespace '${namespace}'. Either configure 'migration.machineUser' in db config or define machine users in auth config.`);
-		const authInvoker = create(AuthInvokerSchema, {
+		const invoker = create(AuthInvokerSchema, {
 			namespace: context.authNamespace,
 			machineUserName
 		});
 		const options = {
 			client: context.client,
 			workspaceId: context.workspaceId,
-			authInvoker,
+			invoker,
 			env: context.env
 		};
 		logger.info(`Using machine user: ${styles.bold(machineUserName)} for namespace '${namespace}'`);
@@ -9593,6 +9696,9 @@ async function planTailorDB(context) {
 	const { changeSet: serviceChangeSet, conflicts, unmanaged, resourceOwners } = await planServices(client, workspaceId, application.name, application.id, tailordbs);
 	const deletedServices = serviceChangeSet.deletes.map((del) => del.name);
 	const [typeChangeSet, gqlPermissionChangeSet] = await Promise.all([planTypes(client, workspaceId, tailordbs, executorUsedTypes, deletedServices, void 0, forceApplyAll), planGqlPermissions(client, workspaceId, tailordbs, deletedServices, forceApplyAll)]);
+	typeChangeSet.creates.sort(byName);
+	typeChangeSet.updates.sort(byName);
+	typeChangeSet.deletes.sort(byName);
 	return {
 		changeSet: {
 			service: serviceChangeSet,
@@ -10620,6 +10726,9 @@ async function shouldForceApplyAll(client, workspaceId, application, functionEnt
 	application.staticWebsiteServices.forEach((website) => {
 		candidateTrns.add(resourceTrn(workspaceId, "staticwebsite", website.name));
 	});
+	application.aiGatewayServices.forEach((gateway) => {
+		candidateTrns.add(resourceTrn(workspaceId, "aigateway", gateway.name));
+	});
 	application.resolverServices.forEach((pipeline) => {
 		candidateTrns.add(resourceTrn(workspaceId, "pipeline", pipeline.namespace));
 	});
@@ -10698,6 +10807,7 @@ function printPlanResults(results) {
 	const authServiceActions = extractServiceActions(results.auth.changeSet.service);
 	results.staticWebsite.changeSet.print();
 	results.staticWebsite.customDomainChangeSet.print();
+	results.aiGateway.changeSet.print();
 	results.app.print();
 	printGroupedDisplaySection("TailorDB", tailorDBEntries, tailorDBServiceActions);
 	printGroupedDisplaySection("Resolver", pipelineEntries, pipelineServiceActions);
@@ -10748,6 +10858,7 @@ function summarizePlanResults(results, displayEntries, serviceActions) {
 		otherChanges,
 		results.staticWebsite.changeSet,
 		results.staticWebsite.customDomainChangeSet,
+		results.aiGateway.changeSet,
 		results.app,
 		results.secretManager.vaultChangeSet,
 		results.secretManager.secretChangeSet
@@ -10852,7 +10963,7 @@ async function deploy(options) {
 		const dryRun = options?.dryRun ?? false;
 		const yes = options?.yes ?? false;
 		const forceApplyAll = await withSpan("plan.detectSdkVersionChange", () => shouldForceApplyAll(client, workspaceId, application, functionEntries));
-		const { functionRegistry, tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
+		const { functionRegistry, tailorDB, staticWebsite, aiGateway, idp, auth, pipeline, app, executor, workflow, secretManager } = await withSpan("plan", async () => {
 			const idpUserTriggerTargets = collectIdpUserTriggerTargets(application);
 			const ctx = {
 				client,
@@ -10866,9 +10977,10 @@ async function deploy(options) {
 			};
 			const functionRegistry = await withSpan("plan.functionRegistry", () => planFunctionRegistry(client, workspaceId, application.name, application.id, functionEntries));
 			const unchangedWorkflowJobs = new Set(functionRegistry.changeSet.unchanged.filter((entry) => entry.name.startsWith(WORKFLOW_PREFIX)).map((entry) => entry.name.slice(WORKFLOW_PREFIX.length)));
-			const [tailorDB, staticWebsite, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
+			const [tailorDB, staticWebsite, aiGateway, idp, auth, pipeline, app, executor, workflow, secretManager] = await Promise.all([
 				withSpan("plan.tailorDB", () => planTailorDB(ctx)),
 				withSpan("plan.staticWebsite", () => planStaticWebsite(ctx)),
+				withSpan("plan.aiGateway", () => planAIGateway(ctx)),
 				withSpan("plan.idp", () => planIdP(ctx)),
 				withSpan("plan.auth", () => planAuth(ctx)),
 				withSpan("plan.pipeline", () => planPipeline(ctx)),
@@ -10881,6 +10993,7 @@ async function deploy(options) {
 				functionRegistry,
 				tailorDB,
 				staticWebsite,
+				aiGateway,
 				idp,
 				auth,
 				pipeline,
@@ -10895,6 +11008,7 @@ async function deploy(options) {
 				...functionRegistry.conflicts,
 				...tailorDB.conflicts,
 				...staticWebsite.conflicts,
+				...aiGateway.conflicts,
 				...idp.conflicts,
 				...auth.conflicts,
 				...pipeline.conflicts,
@@ -10907,6 +11021,7 @@ async function deploy(options) {
 				...functionRegistry.unmanaged,
 				...tailorDB.unmanaged,
 				...staticWebsite.unmanaged,
+				...aiGateway.unmanaged,
 				...idp.unmanaged,
 				...auth.unmanaged,
 				...pipeline.unmanaged,
@@ -10923,6 +11038,10 @@ async function deploy(options) {
 				resourceType: "StaticWebsite",
 				resourceName: del.name
 			});
+			for (const del of aiGateway.changeSet.deletes) importantDeletions.push({
+				resourceType: "AIGateway",
+				resourceName: del.name
+			});
 			for (const del of auth.changeSet.oauth2Client.deletes) importantDeletions.push({
 				resourceType: "OAuth2 client",
 				resourceName: del.name
@@ -10950,6 +11069,7 @@ async function deploy(options) {
 					...functionRegistry.resourceOwners,
 					...tailorDB.resourceOwners,
 					...staticWebsite.resourceOwners,
+					...aiGateway.resourceOwners,
 					...idp.resourceOwners,
 					...auth.resourceOwners,
 					...pipeline.resourceOwners,
@@ -10971,6 +11091,7 @@ async function deploy(options) {
 			functionRegistry,
 			tailorDB,
 			staticWebsite,
+			aiGateway,
 			idp,
 			auth,
 			pipeline,
@@ -11000,6 +11121,7 @@ async function deploy(options) {
 			await applySecretManager(client, secretManager, "create-update", application);
 			await applyFunctionRegistry(client, workspaceId, functionRegistry, "create-update");
 			await applyStaticWebsite(client, staticWebsite, "create-update");
+			await applyAIGateway(client, aiGateway, "create-update");
 			await applyIdP(client, idp, "create-update");
 			await applyAuth(client, auth, "create-update");
 			await applyTailorDB(client, tailorDB, "create-update");
@@ -11019,6 +11141,7 @@ async function deploy(options) {
 			await applyWorkflow(client, workflow, "delete");
 			await applyExecutor(client, executor, "delete");
 			await applyStaticWebsite(client, staticWebsite, "delete");
+			await applyAIGateway(client, aiGateway, "delete");
 			await applySecretManager(client, secretManager, "delete");
 		});
 		await withSpan("apply.deleteApplication", () => applyApplication(client, app, "delete"));
@@ -11056,7 +11179,42 @@ function colorizeExecutorJobStatus(status) {
 * @returns True if status is terminal
 */
 function isExecutorJobTerminalStatus(status) {
-	return status === ExecutorJobStatus.SUCCESS || status === ExecutorJobStatus.FAILED || status === ExecutorJobStatus.CANCELED;
+	return isExecutorJobSuccessStatus(status) || isExecutorJobFailureStatus(status);
+}
+/**
+* Check if executor job status is successful.
+* @param status - Executor job status enum value
+* @returns True if status is success
+*/
+function isExecutorJobSuccessStatus(status) {
+	return status === ExecutorJobStatus.SUCCESS;
+}
+/**
+* Check if executor job status is a terminal failure.
+* @param status - Executor job status enum value
+* @returns True if status is failure
+*/
+function isExecutorJobFailureStatus(status) {
+	return status === ExecutorJobStatus.FAILED || status === ExecutorJobStatus.CANCELED;
+}
+/**
+* Check if executor job status can still progress.
+* @param status - Executor job status enum value
+* @returns True if status is transient
+*/
+function isExecutorJobTransientStatus(status) {
+	return status === ExecutorJobStatus.UNSPECIFIED || status === ExecutorJobStatus.PENDING || status === ExecutorJobStatus.RUNNING;
+}
+/**
+* Classify executor job status for waiter decisions.
+* @param status - Executor job status enum value
+* @returns Classified executor job status
+*/
+function classifyExecutorJobStatus(status) {
+	if (isExecutorJobSuccessStatus(status)) return "success";
+	if (isExecutorJobTerminalStatus(status)) return "failure";
+	if (isExecutorJobTransientStatus(status)) return "transient";
+	return "transient";
 }
 /**
 * Parse executor job status string to enum.
@@ -11448,36 +11606,158 @@ function functionExecutionStatusToString(status) {
 	}
 }
 
+//#endregion
+//#region src/cli/shared/wait-error.ts
+/**
+* Format a caught error into a string for diagnostics.
+* @param error - Error to format
+* @returns Error message string
+*/
+function formatWaitError(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+/**
+* Check whether a polling error is retryable (transient platform errors).
+* @param error - Error to check
+* @returns True if the error should be retried
+*/
+function isRetryableWaitError(error) {
+	if (!(error instanceof ConnectError)) return false;
+	return error.code === Code.Aborted || error.code === Code.ResourceExhausted || error.code === Code.Unavailable;
+}
+
 //#endregion
 //#region src/cli/commands/workflow/args.ts
+const workflowWaitUntilArg = z.enum([
+	"success",
+	"suspended",
+	"terminal"
+]);
 const nameArgs = { name: arg(z.string(), {
 	positional: true,
 	description: "Workflow name"
 }) };
-const waitArgs = {
-	wait: arg(z.boolean().default(false), {
-		alias: "W",
-		description: "Wait for execution to complete"
-	}),
+const workflowWaitControlArgs = {
 	interval: arg(durationArg.default("3s"), {
 		alias: "i",
-		description: "Polling interval when using --wait (e.g., '3s', '500ms', '1m')"
+		description: "Polling interval when waiting (e.g., '3s', '500ms', '1m')"
+	}),
+	timeout: arg(durationArg.default("10m"), {
+		alias: "t",
+		description: "Maximum time to wait (e.g., '30s', '10m')"
+	}),
+	until: arg(workflowWaitUntilArg.default("terminal"), {
+		alias: "u",
+		description: "Wait target (success, suspended, terminal)"
 	}),
 	logs: arg(z.boolean().default(false), {
 		alias: "l",
-		description: "Display job execution logs after completion (requires --wait)"
+		description: "Display job execution logs after completion"
 	})
 };
+const waitArgs = {
+	wait: arg(z.boolean().default(false), {
+		alias: "W",
+		description: "Wait for execution to complete"
+	}),
+	...workflowWaitControlArgs
+};
 
 //#endregion
 //#region src/cli/commands/workflow/status.ts
 /**
+* Check if workflow execution status is successful.
+* @param status - Workflow execution status enum value
+* @returns True if status is success
+*/
+function isWorkflowExecutionSuccessStatus(status) {
+	return status === WorkflowExecution_Status.SUCCESS;
+}
+/**
+* Check if workflow job execution status is suspended or waiting.
+* @param status - Workflow job execution status enum value
+* @returns True if status represents a wait point
+*/
+function isWorkflowJobExecutionSuspendedStatus(status) {
+	return status === WorkflowJobExecution_Status.SUSPEND || status === WorkflowJobExecution_Status.WAITING;
+}
+/**
+* Check if workflow execution status is suspended or waiting.
+* @param status - Workflow execution status enum value
+* @returns True if status represents a suspended execution
+*/
+function isWorkflowExecutionSuspendedStatus(status) {
+	return status === WorkflowExecution_Status.PENDING_RESUME || status === WorkflowExecution_Status.WAITING;
+}
+/**
+* Check if workflow execution status is a terminal failure.
+* @param status - Workflow execution status enum value
+* @returns True if status represents failure
+*/
+function isWorkflowExecutionFailureStatus(status) {
+	return status === WorkflowExecution_Status.FAILED;
+}
+/**
+* Check if workflow execution status can still progress without user action.
+* @param status - Workflow execution status enum value
+* @returns True if status is transient
+*/
+function isWorkflowExecutionTransientStatus(status) {
+	return status === WorkflowExecution_Status.UNSPECIFIED || status === WorkflowExecution_Status.PENDING || status === WorkflowExecution_Status.RUNNING || status === WorkflowExecution_Status.PENDING_RETRY;
+}
+/**
 * Check if workflow execution status is terminal.
 * @param status - Workflow execution status enum value
 * @returns True if status is terminal
 */
 function isWorkflowExecutionTerminalStatus(status) {
-	return status === WorkflowExecution_Status.SUCCESS || status === WorkflowExecution_Status.FAILED || status === WorkflowExecution_Status.PENDING_RESUME;
+	return isWorkflowExecutionSuccessStatus(status) || isWorkflowExecutionFailureStatus(status) || isWorkflowExecutionSuspendedStatus(status);
+}
+/**
+* Classify workflow execution status for waiter decisions.
+* @param execution - Workflow execution to classify
+* @returns Classified workflow execution status
+*/
+function classifyWorkflowExecutionStatus(execution) {
+	if (isWorkflowExecutionTerminalStatus(execution.status)) {
+		if (isWorkflowExecutionSuccessStatus(execution.status)) return {
+			statusClass: "success",
+			status: execution.status
+		};
+		if (isWorkflowExecutionFailureStatus(execution.status)) return {
+			statusClass: "failure",
+			status: execution.status
+		};
+		return {
+			statusClass: "suspended",
+			status: execution.status
+		};
+	}
+	if (execution.jobExecutions.some((job) => isWorkflowJobExecutionSuspendedStatus(job.status))) return {
+		statusClass: "suspended",
+		status: execution.status
+	};
+	if (isWorkflowExecutionTransientStatus(execution.status)) return {
+		statusClass: "transient",
+		status: execution.status
+	};
+	return {
+		statusClass: "transient",
+		status: execution.status
+	};
+}
+/**
+* Check if a classified workflow execution has reached the requested waiter target.
+* @param classification - Workflow execution status classification
+* @param until - Requested wait target
+* @returns True if the wait target is reached
+*/
+function hasReachedWorkflowWaitTarget(classification, until) {
+	switch (until) {
+		case "success": return classification.statusClass === "success";
+		case "suspended": return classification.statusClass === "suspended";
+		case "terminal": return classification.statusClass === "success" || classification.statusClass === "failure" || classification.statusClass === "suspended";
+	}
 }
 
 //#endregion
@@ -11494,6 +11774,8 @@ function workflowExecutionStatusToString(status) {
 		case WorkflowExecution_Status.RUNNING: return "RUNNING";
 		case WorkflowExecution_Status.SUCCESS: return "SUCCESS";
 		case WorkflowExecution_Status.FAILED: return "FAILED";
+		case WorkflowExecution_Status.PENDING_RETRY: return "PENDING_RETRY";
+		case WorkflowExecution_Status.WAITING: return "WAITING";
 		default: return "UNSPECIFIED";
 	}
 }
@@ -11508,6 +11790,7 @@ function workflowJobExecutionStatusToString(status) {
 		case WorkflowJobExecution_Status.SUSPEND: return "SUSPEND";
 		case WorkflowJobExecution_Status.SUCCESS: return "SUCCESS";
 		case WorkflowJobExecution_Status.FAILED: return "FAILED";
+		case WorkflowJobExecution_Status.WAITING: return "WAITING";
 		default: return "UNSPECIFIED";
 	}
 }
@@ -11573,24 +11856,200 @@ function toWorkflowExecutionInfo(execution) {
 }
 
 //#endregion
-//#region src/cli/commands/workflow/executions.ts
-function sleep$1(ms) {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}
-function formatTime$2(date) {
+//#region src/cli/commands/workflow/waiter.ts
+const DEFAULT_WORKFLOW_WAIT_INTERVAL_MS = 3e3;
+function formatTime$1(date) {
 	return date.toLocaleTimeString("en-US", { hour12: false });
 }
-function colorizeStatus$1(status) {
+function colorizeStatus(status) {
 	const statusText = WorkflowExecution_Status[status];
 	switch (status) {
-		case WorkflowExecution_Status.PENDING: return styles.dim(statusText);
-		case WorkflowExecution_Status.PENDING_RESUME: return styles.warning(statusText);
+		case WorkflowExecution_Status.PENDING:
+		case WorkflowExecution_Status.UNSPECIFIED: return styles.dim(statusText);
+		case WorkflowExecution_Status.PENDING_RESUME:
+		case WorkflowExecution_Status.PENDING_RETRY:
+		case WorkflowExecution_Status.WAITING: return styles.warning(statusText);
 		case WorkflowExecution_Status.RUNNING: return styles.info(statusText);
 		case WorkflowExecution_Status.SUCCESS: return styles.success(statusText);
 		case WorkflowExecution_Status.FAILED: return styles.error(statusText);
 		default: return statusText;
 	}
 }
+function getActiveJobs(execution) {
+	return execution.jobExecutions.filter((job) => job.status === WorkflowJobExecution_Status.RUNNING || job.status === WorkflowJobExecution_Status.SUSPEND || job.status === WorkflowJobExecution_Status.WAITING).map((job) => job.stackedJobName).join(", ");
+}
+function createWorkflowWaitResult(options) {
+	const elapsedMs = Date.now() - options.startedAt;
+	if (options.execution) {
+		const classification = classifyWorkflowExecutionStatus(options.execution);
+		return {
+			...toWorkflowExecutionInfo(options.execution),
+			statusClass: classification.statusClass,
+			elapsedMs,
+			attempts: options.attempts,
+			timedOut: options.timedOut,
+			lastError: options.lastError
+		};
+	}
+	return {
+		id: options.executionId,
+		workflowName: "",
+		status: "UNKNOWN",
+		statusClass: "unknown",
+		jobExecutions: 0,
+		startedAt: null,
+		finishedAt: null,
+		elapsedMs,
+		attempts: options.attempts,
+		timedOut: options.timedOut,
+		lastError: options.lastError
+	};
+}
+/**
+* Wait for a workflow execution to reach the requested state.
+* @param options - Workflow waiter options
+* @returns Final or timed-out workflow wait result
+*/
+async function waitForWorkflowExecution(options) {
+	const interval = options.interval ?? 3e3;
+	const until = options.until ?? "terminal";
+	const startedAt = Date.now();
+	const sp = options.showProgress ? spinner({ indent: 2 }).start("Waiting for workflow to complete...") : null;
+	let attempts = 0;
+	let lastExecution;
+	let lastError = null;
+	let lastStatus;
+	let lastActiveJobs;
+	try {
+		while (true) {
+			const elapsedMs = Date.now() - startedAt;
+			const remainingMs = options.timeout === void 0 ? void 0 : options.timeout - elapsedMs;
+			if (remainingMs !== void 0 && remainingMs <= 0) {
+				sp?.fail("Workflow wait timed out.");
+				return createWorkflowWaitResult({
+					executionId: options.executionId,
+					execution: lastExecution,
+					startedAt,
+					attempts,
+					timedOut: true,
+					lastError
+				});
+			}
+			try {
+				attempts += 1;
+				const { execution } = await options.client.getWorkflowExecution({
+					workspaceId: options.workspaceId,
+					executionId: options.executionId
+				});
+				if (!execution) {
+					sp?.fail(`Execution '${options.executionId}' not found.`);
+					throw new Error(`Execution '${options.executionId}' not found.`);
+				}
+				lastExecution = execution;
+				lastError = null;
+				const classification = classifyWorkflowExecutionStatus(execution);
+				const coloredStatus = colorizeStatus(execution.status);
+				if (execution.status !== lastStatus) {
+					if (options.showProgress) {
+						sp?.stop();
+						logger.info(`Status: ${coloredStatus}`, {
+							mode: "stream",
+							indent: 2
+						});
+						sp?.start("Waiting for workflow to complete...");
+					}
+					lastStatus = execution.status;
+				}
+				if (options.trackJobs) {
+					const activeJobs = getActiveJobs(execution);
+					if (activeJobs && activeJobs !== lastActiveJobs) {
+						if (options.showProgress) {
+							sp?.stop();
+							logger.info(`Job | ${activeJobs}: ${coloredStatus}`, {
+								mode: "stream",
+								indent: 2
+							});
+							sp?.start("Waiting for workflow to complete...");
+						}
+						lastActiveJobs = activeJobs;
+					}
+				}
+				if (sp) sp.text = `Waiting for workflow to complete... (${formatTime$1(/* @__PURE__ */ new Date())})`;
+				if (hasReachedWorkflowWaitTarget(classification, until) || classification.statusClass === "failure" || until === "suspended" && classification.statusClass === "success") {
+					if (execution.status === WorkflowExecution_Status.SUCCESS) sp?.succeed(`Completed: ${coloredStatus}`);
+					else if (isWorkflowExecutionFailureStatus(execution.status)) sp?.fail(`Completed: ${coloredStatus}`);
+					else if (isWorkflowExecutionSuspendedStatus(execution.status)) sp?.warn(`Completed: ${coloredStatus}`);
+					else sp?.succeed(`Completed: ${coloredStatus}`);
+					return createWorkflowWaitResult({
+						executionId: options.executionId,
+						execution,
+						startedAt,
+						attempts,
+						timedOut: false,
+						lastError
+					});
+				}
+			} catch (error) {
+				if (!isRetryableWaitError(error)) throw error;
+				lastError = formatWaitError(error);
+				if (options.showProgress) {
+					if (sp) sp.text = `Retrying workflow status poll... (${formatTime$1(/* @__PURE__ */ new Date())})`;
+				}
+			}
+			const nextElapsedMs = Date.now() - startedAt;
+			const nextRemainingMs = options.timeout === void 0 ? void 0 : options.timeout - nextElapsedMs;
+			if (nextRemainingMs !== void 0 && nextRemainingMs <= 0) {
+				sp?.fail("Workflow wait timed out.");
+				return createWorkflowWaitResult({
+					executionId: options.executionId,
+					execution: lastExecution,
+					startedAt,
+					attempts,
+					timedOut: true,
+					lastError
+				});
+			}
+			await setTimeout$2(nextRemainingMs === void 0 ? interval : Math.min(interval, nextRemainingMs));
+		}
+	} finally {
+		sp?.stop();
+	}
+}
+/**
+* Wait for an existing workflow execution by ID.
+* @param options - Workflow execution wait options
+* @returns Workflow wait result
+*/
+async function waitForWorkflowExecutionById(options) {
+	return await waitForWorkflowExecution({
+		client: await initOperatorClient(await loadAccessToken({ profile: options.profile })),
+		workspaceId: await loadWorkspaceId({
+			workspaceId: options.workspaceId,
+			profile: options.profile
+		}),
+		executionId: options.executionId,
+		interval: options.interval,
+		timeout: options.timeout,
+		until: options.until,
+		showProgress: options.showProgress,
+		trackJobs: options.trackJobs
+	});
+}
+/**
+* Build a user-facing failure message for a workflow wait result.
+* @param result - Workflow wait result
+* @param until - Requested wait target
+* @returns Failure message, or undefined when the wait succeeded
+*/
+function getWorkflowWaitFailureMessage(result, until) {
+	if (result.timedOut) return `Timed out waiting for workflow execution '${result.id}' to reach ${until}. Last status: ${result.status}.`;
+	if (result.status === "FAILED") return `Workflow execution '${result.id}' failed.`;
+	if (until === "success" && result.statusClass !== "success") return `Workflow execution '${result.id}' reached ${result.status} before success.`;
+	if (until === "suspended" && result.statusClass !== "suspended") return `Workflow execution '${result.id}' reached ${result.status} before suspension.`;
+}
+
+//#endregion
+//#region src/cli/commands/workflow/executions.ts
 function parseStatus(status) {
 	switch (status.toUpperCase()) {
 		case "PENDING": return WorkflowExecution_Status.PENDING;
@@ -11598,7 +12057,10 @@ function parseStatus(status) {
 		case "RUNNING": return WorkflowExecution_Status.RUNNING;
 		case "SUCCESS": return WorkflowExecution_Status.SUCCESS;
 		case "FAILED": return WorkflowExecution_Status.FAILED;
-		default: throw new Error(`Invalid status: ${status}. Valid values: PENDING, PENDING_RESUME, RUNNING, SUCCESS, FAILED`);
+		case "PENDING_RETRY": return WorkflowExecution_Status.PENDING_RETRY;
+		case "WAITING": return WorkflowExecution_Status.WAITING;
+		case "UNSPECIFIED": return WorkflowExecution_Status.UNSPECIFIED;
+		default: throw new Error(`Invalid status: ${status}. Valid values: UNSPECIFIED, PENDING, PENDING_RESUME, RUNNING, SUCCESS, FAILED, PENDING_RETRY, WAITING`);
 	}
 }
 async function listWorkflowExecutions(options) {
@@ -11685,39 +12147,30 @@ async function getWorkflowExecution(options) {
 		}));
 		return result;
 	}
-	async function waitForCompletion() {
-		const interval = options.interval ?? 3e3;
-		while (true) {
-			const { execution } = await client.getWorkflowExecution({
-				workspaceId,
-				executionId: options.executionId
-			});
-			if (!execution) throw new Error(`Execution '${options.executionId}' not found.`);
-			if (isWorkflowExecutionTerminalStatus(execution.status)) return await fetchExecutionWithLogs(options.executionId, options.logs ?? false);
-			await sleep$1(interval);
-		}
+	async function waitForCompletion() {
+		const interval = options.interval ?? 3e3;
+		const waitResult = await waitForWorkflowExecution({
+			client,
+			workspaceId,
+			executionId: options.executionId,
+			interval,
+			timeout: options.timeout,
+			until: options.until ?? "terminal"
+		});
+		return {
+			...await fetchExecutionWithLogs(options.executionId, options.logs ?? false),
+			statusClass: waitResult.statusClass,
+			elapsedMs: waitResult.elapsedMs,
+			attempts: waitResult.attempts,
+			timedOut: waitResult.timedOut,
+			lastError: waitResult.lastError
+		};
 	}
 	return {
 		execution: await fetchExecutionWithLogs(options.executionId, options.logs ?? false),
 		wait: waitForCompletion
 	};
 }
-async function waitWithSpinner(waitFn, interval, json) {
-	const sp = !json ? spinner().start("Waiting for workflow to complete...") : null;
-	const updateInterval = setInterval(() => {
-		if (sp) sp.text = `Waiting for workflow to complete... (${formatTime$2(/* @__PURE__ */ new Date())})`;
-	}, interval);
-	try {
-		const result = await waitFn();
-		const coloredStatus = colorizeStatus$1(WorkflowExecution_Status[result.status]);
-		if (result.status === "SUCCESS") sp?.succeed(`Completed: ${coloredStatus}`);
-		else sp?.fail(`Completed: ${coloredStatus}`);
-		return result;
-	} finally {
-		clearInterval(updateInterval);
-		sp?.stop();
-	}
-}
 /**
 * Print a workflow execution and its logs in a human-readable format.
 * @param execution - Workflow execution detail info
@@ -11779,19 +12232,55 @@ const executionsCommand = defineAppCommand({
 		logs: arg(z.boolean().default(false), { description: "Display job execution logs (detail mode only)" })
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		if (args.executionId) {
 			const interval = parseDuration(args.interval);
-			const { execution, wait } = await getWorkflowExecution({
+			if (!jsonOutput) logger.info(`Execution ID: ${args.executionId}`, { mode: "stream" });
+			if (args.wait) {
+				const result = await waitForWorkflowExecutionById({
+					executionId: args.executionId,
+					workspaceId: args["workspace-id"],
+					profile: args.profile,
+					interval,
+					timeout: parseDuration(args.timeout),
+					until: args.until,
+					showProgress: !jsonOutput,
+					trackJobs: true
+				});
+				if (args.logs && !jsonOutput) {
+					const { execution } = await getWorkflowExecution({
+						executionId: args.executionId,
+						workspaceId: args["workspace-id"],
+						profile: args.profile,
+						logs: true
+					});
+					printExecutionWithLogs(execution);
+				} else if (args.logs) {
+					const { execution } = await getWorkflowExecution({
+						executionId: args.executionId,
+						workspaceId: args["workspace-id"],
+						profile: args.profile,
+						logs: true
+					});
+					const output = {
+						...result,
+						jobDetails: execution.jobDetails
+					};
+					logger.out(output);
+				} else logger.out(result);
+				const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+				if (failureMessage) throw new Error(failureMessage);
+				return;
+			}
+			const { execution } = await getWorkflowExecution({
 				executionId: args.executionId,
 				workspaceId: args["workspace-id"],
 				profile: args.profile,
 				interval,
 				logs: args.logs
 			});
-			if (!args.json) logger.info(`Execution ID: ${execution.id}`, { mode: "stream" });
-			const result = args.wait ? await waitWithSpinner(wait, interval, args.json) : execution;
-			if (args.logs && !args.json) printExecutionWithLogs(result);
-			else logger.out(result);
+			if (args.logs && !jsonOutput) printExecutionWithLogs(execution);
+			else logger.out(execution);
 		} else {
 			const executions = await listWorkflowExecutions({
 				workspaceId: args["workspace-id"],
@@ -11856,109 +12345,27 @@ const getCommand$5 = defineAppCommand({
 
 //#endregion
 //#region src/cli/commands/workflow/start.ts
-function sleep(ms) {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}
-function formatTime$1(date) {
-	return date.toLocaleTimeString("en-US", { hour12: false });
-}
-function colorizeStatus(status) {
-	const statusText = WorkflowExecution_Status[status];
-	switch (status) {
-		case WorkflowExecution_Status.PENDING: return styles.dim(statusText);
-		case WorkflowExecution_Status.PENDING_RESUME: return styles.warning(statusText);
-		case WorkflowExecution_Status.RUNNING: return styles.info(statusText);
-		case WorkflowExecution_Status.SUCCESS: return styles.success(statusText);
-		case WorkflowExecution_Status.FAILED: return styles.error(statusText);
-		default: return statusText;
-	}
-}
-/**
-* Wait for a workflow execution to reach a terminal state, optionally showing progress.
-* @param options - Wait options
-* @returns Final workflow execution info
-*/
-async function waitForExecution(options) {
-	const { client, workspaceId, executionId, interval, showProgress, trackJobs } = options;
-	let lastStatus;
-	let lastRunningJobs;
-	const sp = showProgress ? spinner({ indent: 2 }).start("Waiting for workflow to complete...") : null;
-	try {
-		while (true) {
-			const { execution } = await client.getWorkflowExecution({
-				workspaceId,
-				executionId
-			});
-			if (!execution) {
-				sp?.fail(`Execution '${executionId}' not found.`);
-				throw new Error(`Execution '${executionId}' not found.`);
-			}
-			const now = formatTime$1(/* @__PURE__ */ new Date());
-			const coloredStatus = colorizeStatus(execution.status);
-			if (execution.status !== lastStatus) {
-				if (showProgress) {
-					sp?.stop();
-					logger.info(`Status: ${coloredStatus}`, {
-						mode: "stream",
-						indent: 2
-					});
-					sp?.start(`Waiting for workflow to complete...`);
-				}
-				lastStatus = execution.status;
-			}
-			if (trackJobs && execution.status === WorkflowExecution_Status.RUNNING) {
-				const runningJobs = getRunningJobs(execution);
-				if (runningJobs && runningJobs !== lastRunningJobs) {
-					if (showProgress) {
-						sp?.stop();
-						logger.info(`Job | ${runningJobs}: ${coloredStatus}`, {
-							mode: "stream",
-							indent: 2
-						});
-						sp?.start(`Waiting for workflow to complete...`);
-					}
-					lastRunningJobs = runningJobs;
-				}
-			}
-			if (sp) sp.text = `Waiting for workflow to complete... (${now})`;
-			if (isTerminalStatus(execution.status)) {
-				if (execution.status === WorkflowExecution_Status.SUCCESS) sp?.succeed(`Completed: ${coloredStatus}`);
-				else if (execution.status === WorkflowExecution_Status.FAILED) sp?.fail(`Completed: ${coloredStatus}`);
-				else sp?.warn(`Completed: ${coloredStatus}`);
-				return toWorkflowExecutionInfo(execution);
-			}
-			await sleep(interval);
-		}
-	} catch (error) {
-		sp?.stop();
-		throw error;
-	}
-}
-function getRunningJobs(execution) {
-	return execution.jobExecutions.filter((job) => job.status === WorkflowJobExecution_Status.RUNNING).map((job) => job.stackedJobName).join(", ");
-}
-function isTerminalStatus(status) {
-	return status === WorkflowExecution_Status.SUCCESS || status === WorkflowExecution_Status.FAILED || status === WorkflowExecution_Status.PENDING_RESUME;
-}
 async function startWorkflowCore(options) {
 	const { client, workspaceId, workflowName } = options;
 	try {
 		const workflow = await resolveWorkflow(client, workspaceId, workflowName);
-		const authInvoker = create(AuthInvokerSchema, options.authInvoker);
+		const invoker = create(AuthInvokerSchema, options.invoker);
 		const arg = options.arg === void 0 ? void 0 : typeof options.arg === "string" ? options.arg : JSON.stringify(options.arg);
 		const { executionId } = await client.testStartWorkflow({
 			workspaceId,
 			workflowId: workflow.id,
-			authInvoker,
+			authInvoker: invoker,
 			arg
 		});
 		return {
 			executionId,
-			wait: (waitOptions) => waitForExecution({
+			wait: (waitOptions) => waitForWorkflowExecution({
 				client,
 				workspaceId,
 				executionId,
 				interval: options.interval ?? 3e3,
+				timeout: waitOptions?.timeout,
+				until: waitOptions?.until,
 				showProgress: waitOptions?.showProgress,
 				trackJobs: true
 			})
@@ -11968,6 +12375,16 @@ async function startWorkflowCore(options) {
 		throw error;
 	}
 }
+async function resolveApplicationAuthNamespace(options) {
+	const { config } = await loadConfig(options.configPath);
+	const { application } = await options.client.getApplication({
+		workspaceId: options.workspaceId,
+		applicationName: config.name
+	});
+	const authNamespace = application?.authNamespace || config.auth?.name;
+	if (!authNamespace) throw new Error(`Application ${config.name} does not have an auth configuration.`);
+	return authNamespace;
+}
 async function startWorkflowByName(options) {
 	const machineUser = await loadMachineUserName({
 		machineUser: options.machineUser,
@@ -11979,18 +12396,17 @@ async function startWorkflowByName(options) {
 		workspaceId: options.workspaceId,
 		profile: options.profile
 	});
-	const { config } = await loadConfig(options.configPath);
-	const { application } = await client.getApplication({
+	const authNamespace = await resolveApplicationAuthNamespace({
+		client,
 		workspaceId,
-		applicationName: config.name
+		configPath: options.configPath
 	});
-	if (!application?.authNamespace) throw new Error(`Application ${config.name} does not have an auth configuration.`);
 	return await startWorkflowCore({
 		client,
 		workspaceId,
 		workflowName: options.name,
-		authInvoker: {
-			namespace: application.authNamespace,
+		invoker: {
+			namespace: authNamespace,
 			machineUserName: machineUser
 		},
 		arg: options.arg,
@@ -11999,14 +12415,24 @@ async function startWorkflowByName(options) {
 }
 async function startWorkflow(options) {
 	if ("name" in options) return await startWorkflowByName(options);
+	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
+	const workspaceId = await loadWorkspaceId({
+		workspaceId: options.workspaceId,
+		profile: options.profile
+	});
+	const authNamespace = await resolveApplicationAuthNamespace({
+		client,
+		workspaceId,
+		configPath: options.configPath
+	});
 	return await startWorkflowCore({
-		client: await initOperatorClient(await loadAccessToken({ profile: options.profile })),
-		workspaceId: await loadWorkspaceId({
-			workspaceId: options.workspaceId,
-			profile: options.profile
-		}),
+		client,
+		workspaceId,
 		workflowName: options.workflow.name,
-		authInvoker: options.authInvoker,
+		invoker: {
+			namespace: authNamespace,
+			machineUserName: options.invoker
+		},
 		arg: options.arg,
 		interval: options.interval
 	});
@@ -12019,7 +12445,6 @@ const startCommand = defineAppCommand({
 		...nameArgs,
 		"machine-user": arg(z.string().optional(), {
 			alias: "m",
-			hiddenAlias: "machineuser",
 			description: "Machine user name. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
@@ -12042,7 +12467,11 @@ const startCommand = defineAppCommand({
 		const jsonOutput = logger.jsonMode;
 		logger.info(`Execution ID: ${executionId}`, { mode: "stream" });
 		if (args.wait) {
-			const result = await wait({ showProgress: !jsonOutput });
+			const result = await wait({
+				showProgress: !jsonOutput,
+				timeout: parseDuration(args.timeout),
+				until: args.until
+			});
 			if (args.logs && !jsonOutput) {
 				const { execution } = await getWorkflowExecution({
 					executionId,
@@ -12051,7 +12480,20 @@ const startCommand = defineAppCommand({
 					logs: true
 				});
 				printExecutionWithLogs(execution);
+			} else if (args.logs) {
+				const { execution } = await getWorkflowExecution({
+					executionId,
+					workspaceId: args["workspace-id"],
+					profile: args.profile,
+					logs: true
+				});
+				logger.out({
+					...result,
+					jobDetails: execution.jobDetails
+				});
 			} else logger.out(result);
+			const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+			if (failureMessage) throw new Error(failureMessage);
 		} else logger.out({ executionId });
 	}
 });
@@ -12061,6 +12503,16 @@ const startCommand = defineAppCommand({
 function formatTime(date) {
 	return date.toLocaleTimeString("en-US", { hour12: false });
 }
+function createUnknownExecutorJob(executorName, jobId) {
+	return {
+		id: jobId,
+		executorName,
+		status: "UNKNOWN",
+		scheduledAt: "N/A",
+		createdAt: "N/A",
+		updatedAt: "N/A"
+	};
+}
 async function listExecutorJobs(options) {
 	const executorName = "executorName" in options ? options.executorName : options.executor.name;
 	const client = await initOperatorClient(await loadAccessToken({ profile: options.profile }));
@@ -12144,7 +12596,27 @@ async function watchExecutorJob(options) {
 		profile: options.profile
 	});
 	const interval = options.interval ?? 3e3;
-	const sp = spinner().start("Waiting for executor job to complete...");
+	const timeout = options.timeout;
+	const showProgress = options.showProgress ?? !logger.jsonMode;
+	const startedAt = Date.now();
+	const sp = showProgress ? spinner().start("Waiting for executor job to complete...") : null;
+	let attempts = 0;
+	let lastError = null;
+	const remainingTimeout = () => {
+		if (timeout === void 0) return;
+		return timeout - (Date.now() - startedAt);
+	};
+	const withWaitMetadata = (result, timedOut) => ({
+		...result,
+		elapsedMs: Date.now() - startedAt,
+		attempts,
+		timedOut,
+		lastError
+	});
+	const timeoutResult = (targetType, job) => withWaitMetadata({
+		job: job ? toExecutorJobInfo(job) : createUnknownExecutorJob(executorName, options.jobId),
+		targetType
+	}, true);
 	try {
 		const { executor } = await client.getExecutorExecutor({
 			workspaceId,
@@ -12155,29 +12627,47 @@ async function watchExecutorJob(options) {
 		const targetTypeStr = executorTargetTypeToString(targetType);
 		let job;
 		while (true) {
-			job = (await client.getExecutorJob({
-				workspaceId,
-				executorName,
-				jobId: options.jobId
-			})).job;
-			if (!job) throw new Error(`Job '${options.jobId}' not found.`);
-			if (isExecutorJobTerminalStatus(job.status)) break;
-			sp.text = `Waiting for executor job... (${formatTime(/* @__PURE__ */ new Date())})`;
-			await setTimeout$1(interval);
+			const remainingMs = remainingTimeout();
+			if (remainingMs !== void 0 && remainingMs <= 0) {
+				sp?.fail("Executor job wait timed out.");
+				return timeoutResult(targetTypeStr, job);
+			}
+			try {
+				attempts += 1;
+				job = (await client.getExecutorJob({
+					workspaceId,
+					executorName,
+					jobId: options.jobId
+				})).job;
+				if (!job) throw new Error(`Job '${options.jobId}' not found.`);
+				lastError = null;
+				if (classifyExecutorJobStatus(job.status) !== "transient") break;
+			} catch (error) {
+				if (!isRetryableWaitError(error)) throw error;
+				lastError = formatWaitError(error);
+				if (sp) sp.text = `Retrying executor job poll... (${formatTime(/* @__PURE__ */ new Date())})`;
+			}
+			const nextRemainingMs = remainingTimeout();
+			if (nextRemainingMs !== void 0 && nextRemainingMs <= 0) {
+				sp?.fail("Executor job wait timed out.");
+				return timeoutResult(targetTypeStr, job);
+			}
+			if (sp) sp.text = `Waiting for executor job... (${formatTime(/* @__PURE__ */ new Date())})`;
+			await setTimeout$1(nextRemainingMs === void 0 ? interval : Math.min(interval, nextRemainingMs));
 		}
 		const jobInfo = toExecutorJobInfo(job);
 		const coloredStatus = colorizeExecutorJobStatus(jobInfo.status);
-		if (job.status === ExecutorJobStatus.SUCCESS) sp.succeed(`Executor job completed: ${coloredStatus}`);
-		else sp.fail(`Executor job completed: ${coloredStatus}`);
+		if (job.status === ExecutorJobStatus.SUCCESS) sp?.succeed(`Executor job completed: ${coloredStatus}`);
+		else sp?.fail(`Executor job completed: ${coloredStatus}`);
 		const attemptInfos = (await fetchAll(async (pageToken, maxPageSize) => {
-			const { attempts, nextPageToken } = await client.listExecutorJobAttempts({
+			const { attempts: jobAttempts, nextPageToken } = await client.listExecutorJobAttempts({
 				workspaceId,
 				jobId: options.jobId,
 				pageToken,
 				pageSize: maxPageSize,
 				pageDirection: PageDirection.DESC
 			});
-			return [attempts, nextPageToken];
+			return [jobAttempts, nextPageToken];
 		})).map(toExecutorJobAttemptInfo);
 		const jobDetail = {
 			...jobInfo,
@@ -12186,18 +12676,27 @@ async function watchExecutorJob(options) {
 		const operationReference = attemptInfos[0]?.operationReference;
 		if (operationReference) switch (targetType) {
 			case ExecutorTargetType.WORKFLOW:
-				sp.stop();
+				sp?.stop();
 				try {
-					const executionResult = await waitForExecution({
+					const workflowTimeout = remainingTimeout();
+					if (workflowTimeout !== void 0 && workflowTimeout <= 0) return withWaitMetadata({
+						job: jobDetail,
+						targetType: targetTypeStr,
+						workflowExecutionId: operationReference
+					}, true);
+					const executionResult = await waitForWorkflowExecution({
 						client,
 						workspaceId,
 						executionId: operationReference,
 						interval,
-						showProgress: true,
+						timeout: workflowTimeout,
+						showProgress,
 						trackJobs: true
 					});
+					attempts += executionResult.attempts;
+					lastError = executionResult.lastError;
 					let workflowJobLogs;
-					if (options.logs) {
+					if (options.logs) try {
 						const { execution: execWithLogs } = await getWorkflowExecution({
 							executionId: operationReference,
 							workspaceId: options.workspaceId,
@@ -12209,67 +12708,109 @@ async function watchExecutorJob(options) {
 							logs: job.logs,
 							result: job.result
 						}));
+					} catch (error) {
+						logger.warn(`Could not fetch workflow execution logs: ${error instanceof Error ? error.message : error}`);
 					}
-					return {
+					return withWaitMetadata({
 						job: jobDetail,
 						targetType: targetTypeStr,
 						workflowExecutionId: operationReference,
 						workflowStatus: executionResult.status,
 						workflowJobLogs
-					};
+					}, executionResult.timedOut);
 				} catch (error) {
 					logger.warn(`Could not track workflow execution: ${error instanceof Error ? error.message : error}`);
-					return {
+					return withWaitMetadata({
 						job: jobDetail,
 						targetType: targetTypeStr,
 						workflowExecutionId: operationReference
-					};
+					}, false);
 				}
 			case ExecutorTargetType.FUNCTION:
 			case ExecutorTargetType.JOB_FUNCTION:
-				sp.start(`Waiting for function execution ${operationReference}...`);
+				sp?.start(`Waiting for function execution ${operationReference}...`);
 				try {
+					let functionStatus;
 					while (true) {
-						const { execution } = await client.getFunctionExecution({
-							workspaceId,
-							executionId: operationReference
-						});
-						if (!execution) throw new Error(`Function execution '${operationReference}' not found.`);
-						if (isFunctionExecutionTerminalStatus(execution.status)) {
-							const statusStr = functionExecutionStatusToString(execution.status);
-							const coloredFnStatus = colorizeFunctionExecutionStatus(statusStr);
-							if (execution.status === FunctionExecution_Status.SUCCESS) sp.succeed(`Function execution completed: ${coloredFnStatus}`);
-							else sp.fail(`Function execution completed: ${coloredFnStatus}`);
-							return {
+						const functionTimeout = remainingTimeout();
+						if (functionTimeout !== void 0 && functionTimeout <= 0) {
+							sp?.fail("Function execution wait timed out.");
+							return withWaitMetadata({
 								job: jobDetail,
 								targetType: targetTypeStr,
 								functionExecutionId: operationReference,
-								functionStatus: statusStr,
-								functionLogs: options.logs ? execution.logs || void 0 : void 0
-							};
+								functionStatus
+							}, true);
+						}
+						try {
+							attempts += 1;
+							const { execution } = await client.getFunctionExecution({
+								workspaceId,
+								executionId: operationReference
+							});
+							if (!execution) throw new Error(`Function execution '${operationReference}' not found.`);
+							lastError = null;
+							functionStatus = functionExecutionStatusToString(execution.status);
+							if (isFunctionExecutionTerminalStatus(execution.status)) {
+								const coloredFnStatus = colorizeFunctionExecutionStatus(functionStatus);
+								if (execution.status === FunctionExecution_Status.SUCCESS) sp?.succeed(`Function execution completed: ${coloredFnStatus}`);
+								else sp?.fail(`Function execution completed: ${coloredFnStatus}`);
+								return withWaitMetadata({
+									job: jobDetail,
+									targetType: targetTypeStr,
+									functionExecutionId: operationReference,
+									functionStatus,
+									functionLogs: options.logs ? execution.logs || void 0 : void 0
+								}, false);
+							}
+						} catch (error) {
+							if (!isRetryableWaitError(error)) throw error;
+							lastError = formatWaitError(error);
+							if (sp) sp.text = `Retrying function execution poll... (${formatTime(/* @__PURE__ */ new Date())})`;
+						}
+						const nextFunctionTimeout = remainingTimeout();
+						if (nextFunctionTimeout !== void 0 && nextFunctionTimeout <= 0) {
+							sp?.fail("Function execution wait timed out.");
+							return withWaitMetadata({
+								job: jobDetail,
+								targetType: targetTypeStr,
+								functionExecutionId: operationReference,
+								functionStatus
+							}, true);
 						}
-						sp.text = `Waiting for function execution... (${formatTime(/* @__PURE__ */ new Date())})`;
-						await setTimeout$1(interval);
+						if (sp) sp.text = `Waiting for function execution... (${formatTime(/* @__PURE__ */ new Date())})`;
+						await setTimeout$1(nextFunctionTimeout === void 0 ? interval : Math.min(interval, nextFunctionTimeout));
 					}
 				} catch (error) {
-					sp.warn(`Could not track function execution: ${error instanceof Error ? error.message : error}`);
-					return {
+					sp?.warn(`Could not track function execution: ${error instanceof Error ? error.message : error}`);
+					return withWaitMetadata({
 						job: jobDetail,
 						targetType: targetTypeStr,
 						functionExecutionId: operationReference
-					};
+					}, false);
 				}
 				break;
 			default: break;
 		}
-		return {
+		return withWaitMetadata({
 			job: jobDetail,
 			targetType: targetTypeStr
-		};
+		}, false);
 	} finally {
-		sp.stop();
+		sp?.stop();
 	}
 }
+/**
+* Build a user-facing failure message for an executor job wait result.
+* @param result - Executor job wait result
+* @returns Failure message, or undefined when the wait succeeded
+*/
+function getExecutorWaitFailureMessage(result) {
+	if (result.timedOut) return `Timed out waiting for executor job '${result.job.id}'. Last status: ${result.job.status}.`;
+	if (result.job.status === "FAILED" || result.job.status === "CANCELED") return `Executor job '${result.job.id}' completed with status ${result.job.status}.`;
+	if (result.workflowStatus === "FAILED") return `Workflow execution '${result.workflowExecutionId}' failed.`;
+	if (result.functionStatus === "FAILED") return `Function execution '${result.functionExecutionId}' failed.`;
+}
 function printJobWithAttempts(job) {
 	const summaryData = [
 		["id", job.id],
@@ -12351,6 +12892,10 @@ const jobsCommand = defineAppCommand({
 			alias: "i",
 			description: "Polling interval when using --wait (e.g., '3s', '500ms', '1m')"
 		}),
+		timeout: arg(durationArg.default("5m"), {
+			alias: "t",
+			description: "Maximum time to wait when using --wait (e.g., '30s', '5m')"
+		}),
 		...pagedLogArgs,
 		limit: arg(nonNegativeIntArg.default(50), { description: "Maximum number of jobs to list (0: unlimited, default: 50) (list mode only)" }),
 		logs: arg(z.boolean().default(false), {
@@ -12359,6 +12904,7 @@ const jobsCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		if (args.jobId) {
 			if (args.wait) {
 				const result = await watchExecutorJob({
@@ -12367,9 +12913,11 @@ const jobsCommand = defineAppCommand({
 					workspaceId: args["workspace-id"],
 					profile: args.profile,
 					interval: parseDuration(args.interval),
-					logs: args.logs
+					timeout: parseDuration(args.timeout),
+					logs: args.logs,
+					showProgress: !jsonOutput
 				});
-				if (!args.json) {
+				if (!jsonOutput) {
 					logger.log(styles.bold(`Target Type: ${result.targetType}\n`));
 					printJobWithAttempts(result.job);
 					if (result.workflowExecutionId) {
@@ -12404,6 +12952,8 @@ const jobsCommand = defineAppCommand({
 						}
 					}
 				} else logger.out(result);
+				const failureMessage = getExecutorWaitFailureMessage(result);
+				if (failureMessage) throw new Error(failureMessage);
 				return;
 			}
 			const job = await getExecutorJob({
@@ -12413,7 +12963,7 @@ const jobsCommand = defineAppCommand({
 				workspaceId: args["workspace-id"],
 				profile: args.profile
 			});
-			if (args.attempts && !args.json) printJobWithAttempts(job);
+			if (args.attempts && !jsonOutput) printJobWithAttempts(job);
 			else logger.out(job);
 		} else {
 			if (args.wait) logger.warn("--wait flag is ignored in list mode. Specify a job ID to wait.");
@@ -12600,12 +13150,17 @@ The \`--logs\` option displays logs from the downstream execution when available
 			alias: "i",
 			description: "Polling interval when using --wait (e.g., '3s', '500ms', '1m')"
 		}),
+		timeout: arg(durationArg.default("5m"), {
+			alias: "t",
+			description: "Maximum time to wait when using --wait (e.g., '30s', '5m')"
+		}),
 		logs: arg(z.boolean().default(false), {
 			alias: "l",
 			description: "Display function execution logs after completion (requires --wait)"
 		})
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		await assertWritable({ profile: args.profile });
 		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
@@ -12646,9 +13201,11 @@ The \`--logs\` option displays logs from the downstream execution when available
 				workspaceId: args["workspace-id"],
 				profile: args.profile,
 				interval: parseDuration(args.interval),
-				logs: args.logs
+				timeout: parseDuration(args.timeout),
+				logs: args.logs,
+				showProgress: !jsonOutput
 			});
-			if (!args.json) {
+			if (!jsonOutput) {
 				logger.log(styles.bold(`\nTarget Type: ${watchResult.targetType}`));
 				logger.log(`Job Status: ${watchResult.job.status}`);
 				if (watchResult.workflowExecutionId) {
@@ -12683,6 +13240,8 @@ The \`--logs\` option displays logs from the downstream execution when available
 					}
 				}
 			} else logger.out(watchResult);
+			const failureMessage = getExecutorWaitFailureMessage(watchResult);
+			if (failureMessage) throw new Error(failureMessage);
 		}
 	}
 });
@@ -12894,19 +13453,6 @@ const listCommand$8 = defineAppCommand({
 	}
 });
 
-//#endregion
-//#region src/cli/commands/generate/types.ts
-/**
-* Type guard to check if a generator has a specific dependency.
-* @template D
-* @param generator - Code generator instance
-* @param dependency - Dependency kind to check
-* @returns True if the generator has the dependency
-*/
-function hasDependency(generator, dependency) {
-	return generator.dependencies.includes(dependency);
-}
-
 //#endregion
 //#region src/cli/commands/generate/watch/index.ts
 /**
@@ -13295,12 +13841,11 @@ function createDependencyWatcher(options = {}) {
 * @param params - Parameters for creating the generation manager
 * @param params.application - Application instance to generate code for
 * @param params.config - Loaded configuration
-* @param params.generators - Code generators to run
 * @param params.pluginManager - Plugin manager for processing plugins
 * @returns GenerationManager instance
 */
 function createGenerationManager(params) {
-	const { application, config, generators = [], pluginManager } = params;
+	const { application, config, pluginManager } = params;
 	const baseDir = path.join(getDistDir(), "generated");
 	fs$1.mkdirSync(baseDir, { recursive: true });
 	const services = {
@@ -13309,11 +13854,7 @@ function createGenerationManager(params) {
 		executor: {}
 	};
 	let watcher = null;
-	const generatorResults = {};
 	const generationPlugins = pluginManager?.getPluginsWithGenerationHooks() ?? [];
-	function getReadyGenerators(dep) {
-		return generators.filter((g) => g.dependencies.includes(dep));
-	}
 	function getAuthInput() {
 		const authService = application.authService;
 		if (!authService) return void 0;
@@ -13331,98 +13872,6 @@ function createGenerationManager(params) {
 			idProvider: authConfig.idProvider
 		};
 	}
-	async function processTailorDBNamespace(gen, namespace, typeInfo) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		results.tailordbResults[namespace] = {};
-		if (!gen.processType) return;
-		const processType = gen.processType;
-		await Promise.allSettled(Object.entries(typeInfo.types).map(async ([typeName, type]) => {
-			try {
-				assertDefined(results.tailordbResults[namespace], `tailordb results not initialized for namespace ${namespace}`)[typeName] = await processType({
-					type,
-					namespace,
-					source: typeInfo.sourceInfo[typeName],
-					plugins: typeInfo.pluginAttachments.get(typeName) ?? []
-				});
-			} catch (error) {
-				logger.error(`Error processing type ${styles.bold(typeName)} in ${namespace} with generator ${gen.id}`);
-				logger.error(String(error));
-			}
-		}));
-		if ("processTailorDBNamespace" in gen && typeof gen.processTailorDBNamespace === "function") try {
-			results.tailordbNamespaceResults[namespace] = await gen.processTailorDBNamespace({
-				namespace,
-				types: results.tailordbResults[namespace]
-			});
-		} catch (error) {
-			logger.error(`Error processing TailorDB namespace ${styles.bold(namespace)} with generator ${gen.id}`);
-			logger.error(String(error));
-		}
-		else results.tailordbNamespaceResults[namespace] = results.tailordbResults[namespace];
-	}
-	async function processResolverNamespace(gen, namespace, resolvers) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		results.resolverResults[namespace] = {};
-		if (!gen.processResolver) return;
-		const processResolver = gen.processResolver;
-		await Promise.allSettled(Object.entries(resolvers).map(async ([resolverName, resolver]) => {
-			try {
-				assertDefined(results.resolverResults[namespace], `resolver results not initialized for namespace ${namespace}`)[resolverName] = await processResolver({
-					resolver,
-					namespace
-				});
-			} catch (error) {
-				logger.error(`Error processing resolver ${styles.bold(resolverName)} in ${namespace} with generator ${gen.id}`);
-				logger.error(String(error));
-			}
-		}));
-		if ("processResolverNamespace" in gen && typeof gen.processResolverNamespace === "function") try {
-			results.resolverNamespaceResults[namespace] = await gen.processResolverNamespace({
-				namespace,
-				resolvers: results.resolverResults[namespace]
-			});
-		} catch (error) {
-			logger.error(`Error processing Resolver namespace ${styles.bold(namespace)} with generator ${gen.id}`);
-			logger.error(String(error));
-		}
-		else results.resolverNamespaceResults[namespace] = results.resolverResults[namespace];
-	}
-	async function processExecutors(gen) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		if (!gen.processExecutor) return;
-		const processExecutor = gen.processExecutor;
-		await Promise.allSettled(Object.entries(services.executor).map(async ([executorId, executor]) => {
-			try {
-				results.executorResults[executorId] = await processExecutor(executor);
-			} catch (error) {
-				logger.error(`Error processing executor ${styles.bold(executor.name)} with generator ${gen.id}`);
-				logger.error(String(error));
-			}
-		}));
-	}
-	async function aggregate(gen) {
-		const results = assertDefined(generatorResults[gen.id], `generator result not initialized for ${gen.id}`);
-		const tailordbResults = [];
-		const resolverResults = [];
-		for (const [namespace, types] of Object.entries(results.tailordbNamespaceResults)) tailordbResults.push({
-			namespace,
-			types
-		});
-		for (const [namespace, resolvers] of Object.entries(results.resolverNamespaceResults)) resolverResults.push({
-			namespace,
-			resolvers
-		});
-		const input = { auth: getAuthInput() };
-		if (hasDependency(gen, "tailordb")) input.tailordb = tailordbResults;
-		if (hasDependency(gen, "resolver")) input.resolver = resolverResults;
-		if (hasDependency(gen, "executor")) input.executor = Object.values(results.executorResults);
-		const result = await gen.aggregate({
-			input,
-			baseDir: path.join(baseDir, gen.id),
-			configPath: config.path
-		});
-		await writeGeneratedFiles(gen.id, result);
-	}
 	/**
 	* Build TailorDB namespace data array from loaded services.
 	* @returns Array of TailorDB namespace data
@@ -13517,8 +13966,8 @@ function createGenerationManager(params) {
 	}
 	/**
 	* Write generated files to disk.
-	* @param sourceId - Generator or plugin ID for logging
-	* @param result - Generator result containing files to write
+	* @param sourceId - Plugin ID for logging
+	* @param result - Generation result containing files to write
 	*/
 	async function writeGeneratedFiles(sourceId, result) {
 		await Promise.all(result.files.map(async (file) => {
@@ -13552,36 +14001,6 @@ function createGenerationManager(params) {
 			});
 		}));
 	}
-	async function processGenerator(gen) {
-		generatorResults[gen.id] = {
-			tailordbResults: {},
-			resolverResults: {},
-			tailordbNamespaceResults: {},
-			resolverNamespaceResults: {},
-			executorResults: {}
-		};
-		if (hasDependency(gen, "tailordb")) for (const [namespace, types] of Object.entries(services.tailordb)) await processTailorDBNamespace(gen, namespace, types);
-		if (hasDependency(gen, "resolver")) for (const [namespace, resolvers] of Object.entries(services.resolver)) await processResolverNamespace(gen, namespace, resolvers);
-		if (hasDependency(gen, "executor")) await processExecutors(gen);
-		await aggregate(gen);
-	}
-	async function runGenerators(gens, watch) {
-		const results = await Promise.allSettled(gens.map(async (gen) => {
-			await withSpan(`generate.generator.${gen.id}`, async () => {
-				try {
-					await processGenerator(gen);
-				} catch (error) {
-					logger.error(`Error processing generator ${styles.bold(gen.id)}`);
-					logger.error(String(error));
-					if (!watch) throw error;
-				}
-			});
-		}));
-		if (!watch) {
-			const failures = results.filter((r) => r.status === "rejected");
-			if (failures.length > 0) throw new AggregateError(failures.map((f) => f.reason));
-		}
-	}
 	async function restartWatchProcess() {
 		logger.newline();
 		logger.info("Restarting watch process to clear module cache...", { mode: "stream" });
@@ -13609,14 +14028,7 @@ function createGenerationManager(params) {
 	return {
 		application,
 		baseDir,
-		generators,
 		services,
-		generatorResults,
-		processGenerator,
-		processTailorDBNamespace,
-		processResolverNamespace,
-		processExecutors,
-		aggregate,
 		async generate(watch) {
 			logger.newline();
 			logger.log(`Generation for application: ${styles.highlight(application.config.name)}`);
@@ -13661,11 +14073,9 @@ function createGenerationManager(params) {
 				await withSpan("generate.resolveAuthNamespaces", async () => authService.resolveNamespaces());
 			}
 			if (app.tailorDBServices.length > 0 || pluginExecutorFiles.length > 0) logger.newline();
-			const readyAfterTailorDB = getReadyGenerators("tailordb");
-			const hasOnTailorDBReady = generationPlugins.some((p) => p.onTailorDBReady != null);
-			if (readyAfterTailorDB.length > 0 || hasOnTailorDBReady) {
+			if (generationPlugins.some((p) => p.onTailorDBReady != null)) {
 				await withSpan("generate.onTailorDBReady", async () => {
-					await Promise.all([runGenerators(readyAfterTailorDB, watch), runPluginHook("onTailorDBReady", watch)]);
+					await runPluginHook("onTailorDBReady", watch);
 				});
 				logger.newline();
 			}
@@ -13688,11 +14098,9 @@ function createGenerationManager(params) {
 					});
 				}
 			});
-			const readyAfterResolvers = getReadyGenerators("resolver");
-			const hasOnResolverReady = generationPlugins.some((p) => p.onResolverReady != null);
-			if (readyAfterResolvers.length > 0 || hasOnResolverReady) {
+			if (generationPlugins.some((p) => p.onResolverReady != null)) {
 				await withSpan("generate.onResolversReady", async () => {
-					await Promise.all([runGenerators(readyAfterResolvers, watch), runPluginHook("onResolverReady", watch)]);
+					await runPluginHook("onResolverReady", watch);
 				});
 				logger.newline();
 			}
@@ -13706,11 +14114,9 @@ function createGenerationManager(params) {
 					services.executor[key] = executor;
 				});
 			});
-			const readyAfterExecutors = getReadyGenerators("executor");
-			const hasOnExecutorReady = generationPlugins.some((p) => p.onExecutorReady != null);
-			if (readyAfterExecutors.length > 0 || hasOnExecutorReady) {
+			if (generationPlugins.some((p) => p.onExecutorReady != null)) {
 				await withSpan("generate.onExecutorsReady", async () => {
-					await Promise.all([runGenerators(readyAfterExecutors, watch), runPluginHook("onExecutorReady", watch)]);
+					await runPluginHook("onExecutorReady", watch);
 				});
 				logger.newline();
 			}
@@ -13735,18 +14141,17 @@ function createGenerationManager(params) {
 	};
 }
 /**
-* Run code generation using the Tailor configuration and generators.
+* Run code generation using the Tailor configuration.
 * @param options - Generation options
 * @returns Promise that resolves when generation (and watch, if enabled) completes
 */
 async function generate$1(options) {
 	return withSpan("generate", async (rootSpan) => {
-		const { config, generators, plugins } = await withSpan("generate.loadConfig", async () => {
+		const { config, plugins } = await withSpan("generate.loadConfig", async () => {
 			return loadConfig(options?.configPath);
 		});
 		const watch = options?.watch ?? false;
 		rootSpan.setAttribute("generate.watch", watch);
-		rootSpan.setAttribute("generate.generators.count", generators.length);
 		await withSpan("generate.generateUserTypes", async () => generateUserTypes({
 			config,
 			configPath: config.path
@@ -13761,7 +14166,6 @@ async function generate$1(options) {
 		const manager = createGenerationManager({
 			application,
 			config,
-			generators,
 			pluginManager
 		});
 		await manager.generate(watch);
@@ -14561,6 +14965,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	};
 	const tailorDB = await planTailorDB(ctx);
 	const staticWebsite = await planStaticWebsite(ctx);
+	const aiGateway = await planAIGateway(ctx);
 	const idp = await planIdP(ctx);
 	const auth = await planAuth(ctx);
 	const pipeline = await planPipeline(ctx);
@@ -14571,6 +14976,7 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	const secretManager = await planSecretManager(ctx);
 	functionRegistry.changeSet.print();
 	staticWebsite.changeSet.print();
+	aiGateway.changeSet.print();
 	app.print();
 	tailorDB.changeSet.service.print();
 	tailorDB.changeSet.type.print();
@@ -14593,11 +14999,12 @@ async function execRemove(client, workspaceId, application, config, confirm) {
 	auth.changeSet.connection.print();
 	secretManager.vaultChangeSet.print();
 	secretManager.secretChangeSet.print();
-	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
+	if (tailorDB.changeSet.service.deletes.length === 0 && staticWebsite.changeSet.deletes.length === 0 && aiGateway.changeSet.deletes.length === 0 && idp.changeSet.service.deletes.length === 0 && auth.changeSet.service.deletes.length === 0 && pipeline.changeSet.service.deletes.length === 0 && app.deletes.length === 0 && executor.changeSet.deletes.length === 0 && workflow.changeSet.deletes.length === 0 && functionRegistry.changeSet.deletes.length === 0 && secretManager.vaultChangeSet.deletes.length === 0 && secretManager.secretChangeSet.deletes.length === 0) return;
 	if (confirm) await confirm();
 	await applyWorkflow(client, workflow, "delete");
 	await applyExecutor(client, executor, "delete");
 	await applyStaticWebsite(client, staticWebsite, "delete");
+	await applyAIGateway(client, aiGateway, "delete");
 	await applyApplication(client, app, "delete");
 	await applyPipeline(client, pipeline, "delete-resources");
 	await applyPipeline(client, pipeline, "delete-services");
@@ -15064,6 +15471,11 @@ function generateEnumChangeColumnType(enumValueChange, config) {
 	if (!config.required) return `ColumnType<(${selectType}) | null, (${afterType}) | null, (${afterType}) | null>`;
 	return `ColumnType<${selectType}, ${afterType}, ${afterType}>`;
 }
+function generateOptionalToRequiredDateColumnType(config) {
+	if (config.type !== "date" && config.type !== "datetime") return null;
+	if (config.array) return "ColumnType<Date[] | null, (Date | string)[], (Date | string)[]>";
+	return "ColumnType<Date | null, Date | string, Date | string>";
+}
 /**
 * Generate field type from snapshot field config
 * @param {SnapshotFieldConfig} config - Field configuration
@@ -15089,11 +15501,19 @@ function generateFieldType(config, isOptionalToRequired, enumValueChange) {
 	}
 	let type = baseType;
 	if (config.array) type = config.type === "enum" && config.allowedValues && config.allowedValues.length > 0 ? `(${baseType})[]` : `${baseType}[]`;
-	if (isOptionalToRequired) return {
-		type: `ColumnType<${type} | null, ${type}, ${type}>`,
-		usedTimestamp,
-		usedColumnType: true
-	};
+	if (isOptionalToRequired) {
+		const dateColumnType = generateOptionalToRequiredDateColumnType(config);
+		if (dateColumnType) return {
+			type: dateColumnType,
+			usedTimestamp: false,
+			usedColumnType: true
+		};
+		return {
+			type: `ColumnType<${type} | null, ${type}, ${type}>`,
+			usedTimestamp,
+			usedColumnType: true
+		};
+	}
 	if (!config.required) type = `${type} | null`;
 	return {
 		type,
@@ -15384,7 +15804,7 @@ async function generate(options) {
 	if (options.init) await handleInitOption(namespacesWithMigrations, options.yes);
 	let pluginManager;
 	if (plugins.length > 0) pluginManager = new PluginManager(plugins);
-	const { defineApplication } = await import("./application-av2raLs6.mjs");
+	const { defineApplication } = await import("./application-Dtqap5jM.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -15817,11 +16237,13 @@ async function resumeWorkflow(options) {
 		});
 		return {
 			executionId,
-			wait: (waitOptions) => waitForExecution({
+			wait: (waitOptions) => waitForWorkflowExecution({
 				client,
 				workspaceId,
 				executionId,
 				interval: options.interval ?? 3e3,
+				timeout: waitOptions?.timeout,
+				until: waitOptions?.until,
 				showProgress: waitOptions?.showProgress
 			})
 		};
@@ -15845,16 +16267,21 @@ const resumeCommand = defineAppCommand({
 		...waitArgs
 	}).strict(),
 	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
 		const { executionId, wait } = await resumeWorkflow({
 			executionId: args.executionId,
 			workspaceId: args["workspace-id"],
 			profile: args.profile,
 			interval: parseDuration(args.interval)
 		});
-		if (!args.json) logger.info(`Execution ID: ${executionId}`, { mode: "stream" });
+		if (!jsonOutput) logger.info(`Execution ID: ${executionId}`, { mode: "stream" });
 		if (args.wait) {
-			const result = await wait({ showProgress: !args.json });
-			if (args.logs && !args.json) {
+			const result = await wait({
+				showProgress: !jsonOutput,
+				timeout: parseDuration(args.timeout),
+				until: args.until
+			});
+			if (args.logs && !jsonOutput) {
 				const { execution } = await getWorkflowExecution({
 					executionId,
 					workspaceId: args["workspace-id"],
@@ -15862,11 +16289,112 @@ const resumeCommand = defineAppCommand({
 					logs: true
 				});
 				printExecutionWithLogs(execution);
+			} else if (args.logs) {
+				const { execution } = await getWorkflowExecution({
+					executionId,
+					workspaceId: args["workspace-id"],
+					profile: args.profile,
+					logs: true
+				});
+				logger.out({
+					...result,
+					jobDetails: execution.jobDetails
+				});
 			} else logger.out(result);
+			const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+			if (failureMessage) throw new Error(failureMessage);
 		} else logger.out({ executionId });
 	}
 });
 
+//#endregion
+//#region src/cli/commands/workflow/wait.ts
+/**
+* Wait for an existing workflow execution by ID.
+* @param options - Workflow wait options
+* @returns Workflow wait result
+*/
+async function waitWorkflowExecution(options) {
+	return await waitForWorkflowExecutionById({
+		...options,
+		showProgress: options.showProgress ?? !logger.jsonMode,
+		trackJobs: options.trackJobs ?? true
+	});
+}
+/**
+* Attach workflow job logs to a wait result when requested.
+* @param result - Workflow wait result
+* @param options - Workflow wait options
+* @returns Workflow wait result with optional job details
+*/
+async function addWorkflowLogsToWaitResult(result, options) {
+	const { execution } = await getWorkflowExecution({
+		executionId: options.executionId,
+		workspaceId: options.workspaceId,
+		profile: options.profile,
+		logs: true
+	});
+	return {
+		...result,
+		jobDetails: execution.jobDetails
+	};
+}
+const waitCommand = defineAppCommand({
+	name: "wait",
+	description: "Wait for a workflow execution.",
+	examples: [
+		{
+			cmd: "execution-id --until success --timeout 10m --json",
+			desc: "Wait for workflow success"
+		},
+		{
+			cmd: "execution-id --until suspended --timeout 6m --logs --json",
+			desc: "Wait for a workflow wait point"
+		},
+		{
+			cmd: "execution-id --until terminal",
+			desc: "Wait for success, failure, or suspension"
+		}
+	],
+	args: z.object({
+		...workspaceArgs,
+		"execution-id": arg(z.string(), {
+			positional: true,
+			description: "Execution ID"
+		}),
+		...workflowWaitControlArgs
+	}).strict(),
+	run: async (args) => {
+		const jsonOutput = logger.jsonMode || args.json;
+		const result = await waitWorkflowExecution({
+			executionId: args.executionId,
+			workspaceId: args["workspace-id"],
+			profile: args.profile,
+			interval: parseDuration(args.interval),
+			timeout: parseDuration(args.timeout),
+			until: args.until,
+			showProgress: !jsonOutput
+		});
+		const output = args.logs ? await addWorkflowLogsToWaitResult(result, {
+			executionId: args.executionId,
+			workspaceId: args["workspace-id"],
+			profile: args.profile
+		}) : result;
+		if (!jsonOutput && output.jobDetails) printExecutionWithLogs({
+			id: output.id,
+			workflowName: output.workflowName,
+			status: output.status,
+			jobExecutions: output.jobExecutions,
+			startedAt: output.startedAt,
+			finishedAt: output.finishedAt,
+			jobDetails: output.jobDetails
+		});
+		else logger.out(output);
+		const failureMessage = getWorkflowWaitFailureMessage(result, args.until);
+		if (failureMessage) throw new Error(failureMessage);
+	}
+});
+
 //#endregion
 //#region src/cli/commands/workspace/app/transform.ts
 const statusToString = (status) => {
@@ -16089,7 +16617,7 @@ const createCommand = defineAppCommand({
 			alias: "p",
 			description: "Profile name to create"
 		}),
-		"profile-user": arg(z.string().optional(), { description: "User email for the profile (defaults to current user)" }),
+		"profile-user": arg(z.string().optional(), { description: "User email address or machine user client ID for the profile (defaults to current user)" }),
 		permission: arg(z.enum(["write", "read"]).default("write"), { description: "Profile permission (requires --profile-name). 'read' blocks all write commands while the profile is active." })
 	}).strict(),
 	run: async (args) => {
@@ -17030,10 +17558,10 @@ async function sqlQuery(client, invoker, args) {
 		workspaceId: args.workspaceId,
 		name: `query-sql-${args.namespace}.js`,
 		code: args.bundledCode,
-		arg: JSON.stringify({
+		arg: {
 			namespace: args.namespace,
 			queries
-		}),
+		},
 		invoker
 	});
 	if (!executed.success) throw new Error(executed.error);
@@ -17051,11 +17579,11 @@ async function gqlQuery(client, invoker, application, machineUser, args) {
 		workspaceId: args.workspaceId,
 		name: `query-gql.js`,
 		code: args.bundledCode,
-		arg: JSON.stringify({
+		arg: {
 			endpoint: `${application.url}/query`,
 			accessToken,
 			query: args.query
-		}),
+		},
 		invoker
 	});
 	if (!executed.success) throw new Error(executed.error);
@@ -17210,7 +17738,7 @@ async function runRepl(options) {
 	const execute = await prepareQueryExecutor(options);
 	const historyPath = getReplHistoryPath(options.engine, options.profile, options.workspaceId);
 	const validate = createReplValidator(options.engine);
-	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-CJG3sz7A.mjs");
+	const { highlightSqlLine, highlightGraphqlLine, replTransform } = await import("./repl-editor-DmGr9zMw.mjs");
 	const highlight = options.engine === "sql" ? highlightSqlLine : highlightGraphqlLine;
 	const prompt = createPrompt({
 		prefix: "",
@@ -17378,7 +17906,6 @@ const queryCommand = defineAppCommand({
 		edit: arg(z.boolean().default(false), { description: "Open a temporary file in your editor; omit to start REPL mode" }),
 		"machine-user": arg(z.string().optional(), {
 			alias: "m",
-			hiddenAlias: "machineuser",
 			description: "Machine user name for query execution. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
@@ -17544,5 +18071,5 @@ function isDeno() {
 }
 
 //#endregion
-export { listCommand$5 as $, INITIAL_SCHEMA_NUMBER as $t, truncate as A, commonArgs as An, startCommand as At, logBetaWarning as B, getExecutor as Bt, listCommand$2 as C, PluginManager as Cn, triggerExecutor as Ct, resumeWorkflow as D, apiCall as Dn, jobsCommand as Dt, resumeCommand as E, apiCommand as En, getExecutorJob as Et, writeDbTypesFile as F, pagedLogArgs as Fn, getWorkflowExecution as Ft, organizationTree as G, MIGRATION_LABEL_KEY as Gt, removeCommand$1 as H, executeScript as Ht, getConfiguredEditorCommand as I, paginationArgs as In, listWorkflowExecutions as It, listOrganizations as J, compareSnapshotWithRemote as Jt, treeCommand as K, handleOptionalToRequiredError as Kt, openInConfiguredEditor as L, toPageDirection as Ln, functionExecutionStatusToString as Lt, generate as M, confirmationArgs as Mn, getCommand$5 as Mt, generateCommand as N, deploymentArgs as Nn, getWorkflow as Nt, listCommand$3 as O, assertWritable as On, listExecutorJobs as Ot, generateMigrationScript as P, isVerbose as Pn, executionsCommand as Pt, updateFolder as Q, DIFF_FILE_NAME as Qt, show as R, workspaceArgs as Rn, formatKeyValueTable as Rt, listApps as S, sdkNameLabelKey as Sn, triggerCommand as St, healthCommand as T, prompt as Tn, listExecutors as Tt, updateCommand$1 as U, waitForExecution$1 as Ut, remove as V, deploy as Vt, updateOrganization as W, bundleMigrationScript as Wt, getOrganization as X, protoGqlPermission as Xt, getCommand$1 as Y, generateAllTypeManifestsFromSnapshot as Yt, updateCommand$2 as Z, DB_TYPES_FILE_NAME as Zt, getWorkspace as _, formatMigrationDiff as _n, listFunctionRegistries as _t, updateUser as a, createSnapshotFromLocalTypes as an, createCommand$1 as at, createCommand as b, ensureConfigId as bn, listWebhookExecutors as bt, listCommand as c, getMigrationFilePath as cn, listOAuth2Clients as ct, inviteUser as d, isValidMigrationNumber as dn, getMachineUserToken as dt, MIGRATE_FILE_NAME as en, listFolders as et, restoreCommand as f, loadDiff as fn, tokenCommand as ft, getCommand as g, formatDiffSummary as gn, listCommand$8 as gt, listWorkspaces as h, parseMigrationNumberArg as hn, generate$1 as ht, updateCommand as i, compareSnapshots as in, deleteFolder as it, truncateCommand as j, configArg as jn, startWorkflow as jt, listWorkflows as k, defineAppCommand as kn, watchExecutorJob as kt, listUsers as l, getMigrationFiles as ln, getCommand$3 as lt, listCommand$1 as m, formatMigrationNumber as mn, listMachineUsers as mt, query as n, assertValidMigrationFiles as nn, getFolder as nt, removeCommand as o, getLatestMigrationNumber as on, createFolder as ot, restoreWorkspace as p, reconstructSnapshotFromMigrations as pn, listCommand$7 as pt, listCommand$4 as q, parseMigrationLabelNumber as qt, queryCommand as r, compareLocalTypesWithSnapshot as rn, deleteCommand$1 as rt, removeUser as s, getMigrationDirPath as sn, listCommand$6 as st, isNativeTypeScriptRuntime as t, SCHEMA_FILE_NAME as tn, getCommand$2 as tt, inviteCommand as u, getNextMigrationNumber as un, getOAuth2Client as ut, deleteCommand as v, hasChanges as vn, getCommand$4 as vt, getAppHealth as w, generateUserTypes as wn, listCommand$9 as wt, createWorkspace as x, resourceTrn as xn, webhookCommand as xt, deleteWorkspace as y, getNamespacesWithMigrations as yn, getFunctionRegistry as yt, showCommand as z, getCommand$6 as zt };
-//# sourceMappingURL=runtime-C7qTBDD2.mjs.map
+export { updateCommand$2 as $, protoGqlPermission as $t, listCommand$3 as A, apiCall as An, jobsCommand as At, show as B, toPageDirection as Bn, functionExecutionStatusToString as Bt, listCommand$2 as C, ensureConfigId as Cn, webhookCommand as Ct, waitWorkflowExecution as D, generateUserTypes as Dn, listExecutors as Dt, waitCommand as E, PluginManager as En, listCommand$9 as Et, generateCommand as F, confirmationArgs as Fn, getCommand$5 as Ft, updateCommand$1 as G, executeScript as Gt, logBetaWarning as H, getCommand$6 as Ht, generateMigrationScript as I, deploymentArgs as In, getWorkflow as It, treeCommand as J, MIGRATION_LABEL_KEY as Jt, updateOrganization as K, waitForExecution as Kt, writeDbTypesFile as L, isVerbose as Ln, executionsCommand as Lt, truncate as M, defineAppCommand as Mn, watchExecutorJob as Mt, truncateCommand as N, commonArgs as Nn, startCommand as Nt, resumeCommand as O, prompt as On, getExecutorJob as Ot, generate as P, configArg as Pn, startWorkflow as Pt, getOrganization as Q, generateAllTypeManifestsFromSnapshot as Qt, getConfiguredEditorCommand as R, pagedLogArgs as Rn, getWorkflowExecution as Rt, listApps as S, getNamespacesWithMigrations as Sn, listWebhookExecutors as St, healthCommand as T, sdkNameLabelKey as Tn, triggerExecutor as Tt, remove as U, getExecutor as Ut, showCommand as V, workspaceArgs as Vn, formatKeyValueTable as Vt, removeCommand$1 as W, deploy as Wt, listOrganizations as X, parseMigrationLabelNumber as Xt, listCommand$4 as Y, handleOptionalToRequiredError as Yt, getCommand$1 as Z, compareSnapshotWithRemote as Zt, getWorkspace as _, formatMigrationNumber as _n, generate$1 as _t, updateUser as a, assertValidMigrationFiles as an, deleteCommand$1 as at, createCommand as b, formatMigrationDiff as bn, getCommand$4 as bt, listCommand as c, createSnapshotFromLocalTypes as cn, createFolder as ct, inviteUser as d, getMigrationFilePath as dn, getCommand$3 as dt, DB_TYPES_FILE_NAME as en, updateFolder as et, restoreCommand as f, getMigrationFiles as fn, getOAuth2Client as ft, getCommand as g, reconstructSnapshotFromMigrations as gn, listMachineUsers as gt, listWorkspaces as h, loadDiff as hn, listCommand$7 as ht, updateCommand as i, SCHEMA_FILE_NAME as in, getFolder as it, listWorkflows as j, assertWritable as jn, listExecutorJobs as jt, resumeWorkflow as k, apiCommand as kn, getExecutorWaitFailureMessage as kt, listUsers as l, getLatestMigrationNumber as ln, listCommand$6 as lt, listCommand$1 as m, isValidMigrationNumber as mn, tokenCommand as mt, query as n, INITIAL_SCHEMA_NUMBER as nn, listFolders as nt, removeCommand as o, compareLocalTypesWithSnapshot as on, deleteFolder as ot, restoreWorkspace as p, getNextMigrationNumber as pn, getMachineUserToken as pt, organizationTree as q, bundleMigrationScript as qt, queryCommand as r, MIGRATE_FILE_NAME as rn, getCommand$2 as rt, removeUser as s, compareSnapshots as sn, createCommand$1 as st, isNativeTypeScriptRuntime as t, DIFF_FILE_NAME as tn, listCommand$5 as tt, inviteCommand as u, getMigrationDirPath as un, listOAuth2Clients as ut, deleteCommand as v, parseMigrationNumberArg as vn, listCommand$8 as vt, getAppHealth as w, resourceTrn as wn, triggerCommand as wt, createWorkspace as x, hasChanges as xn, getFunctionRegistry as xt, deleteWorkspace as y, formatDiffSummary as yn, listFunctionRegistries as yt, openInConfiguredEditor as z, paginationArgs as zn, listWorkflowExecutions as zt };
+//# sourceMappingURL=runtime-CY4JvrDj.mjs.map