@tailor-platform/sdk 2.0.0-next.0 → 2.0.0-next.2

package/dist/cli/index.mjs

@@ -1,16 +1,15 @@
 #!/usr/bin/env node
-
-import { Et as AuthInvokerSchema, L as CustomDomainStatus, Nt as PATScope, Q as FunctionExecution_Type, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-CobIRHl-.mjs";
-import { t as assertDefined } from "../assert-CKfwrmCV.mjs";
-import { n as logger, r as styles } from "../logger-DpJyJvNz.mjs";
-import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as commonArgs, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as PluginManager, Dt as jobsCommand, E as resumeCommand, En as apiCommand, F as writeDbTypesFile, Fn as pagedLogArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as paginationArgs, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as toPageDirection, Lt as functionExecutionStatusToString, Mn as confirmationArgs, Mt as getCommand$6, N as generateCommand$1, Nn as deploymentArgs, O as listCommand$12, On as assertWritable, P as generateMigrationScript, Pn as isVerbose, Pt as executionsCommand, Rn as workspaceArgs, Rt as formatKeyValueTable, Sn as sdkNameLabelKey, St as triggerCommand, T as healthCommand, Tn as prompt, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as ensureConfigId, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as configArg, kn as defineAppCommand, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as generateUserTypes, wt as listCommand$6, xn as resourceTrn, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-C7qTBDD2.mjs";
-import { A as readPlatformConfig, C as loadConfig, E as loadAccessToken, M as saveUserTokens, N as writePlatformConfig, O as loadMachineUserName, T as fetchLatestToken, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, b as getDistDir, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as resolveTokens, k as loadWorkspaceId, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, w as deleteUserTokens, x as hashContent$1 } from "../application-76hhIhnJ.mjs";
-import { n as ExecutorSchema } from "../service-wI3Hvrgx.mjs";
-import { t as multiline } from "../multiline-Cf9ODpr1.mjs";
-import { r as isPluginGeneratedType } from "../seed-BH2FbrPV.mjs";
-import { t as readPackageJson } from "../package-json-DcQApfPQ.mjs";
-import { n as isCLIError } from "../errors-EsY4XO6O.mjs";
-import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-BhD0y14F.mjs";
+import { A as loadAccessToken, At as FunctionExecution_Type, B as fetchAll, C as getDistDir, D as deleteUserTokens, E as loadConfig, F as removeLegacyUserAlias, G as initOAuth2Client, H as fetchPaged, I as resolveTokens, K as initOperatorClient, L as saveUserTokens, M as loadMachineUserName, N as loadWorkspaceId, O as fetchLatestToken, P as readPlatformConfig, R as writePlatformConfig, U as fetchPlatformMachineUserToken, W as fetchUserInfo, _ as composeFunctionTreeshakeOptions, dn as PATScope, g as platformBundleDefinePlugin, ht as CustomDomainStatus, i as resolveInlineSourcemap, in as AuthInvokerSchema, k as findConfigUserKey, l as INVOKER_EXPR, o as WorkflowJobSchema, s as ResolverSchema, t as defineApplication, v as createLogLevelTreeshakeOptions, w as hashContent$1, y as resolveBundleLogLevel, z as closeConnectionPool } from "../application-XuMWK4eq.mjs";
+import { t as assertDefined } from "../assert-DBxo8jPo.mjs";
+import { n as logger, r as styles } from "../logger-CxF-Ex5d.mjs";
+import { $ as updateCommand$2, $t as protoGqlPermission, A as listCommand$12, At as jobsCommand, Bn as toPageDirection, Bt as functionExecutionStatusToString, C as listCommand$13, Cn as ensureConfigId, Ct as webhookCommand, Dn as generateUserTypes, E as waitCommand, En as PluginManager, Et as listCommand$6, F as generateCommand$1, Fn as confirmationArgs, Ft as getCommand$6, G as updateCommand$3, Gt as executeScript, H as logBetaWarning, Ht as getCommand$1, I as generateMigrationScript, In as deploymentArgs, J as treeCommand, Jt as MIGRATION_LABEL_KEY, L as writeDbTypesFile, Ln as isVerbose, Lt as executionsCommand, Mn as defineAppCommand, N as truncateCommand, Nn as commonArgs, Nt as startCommand, O as resumeCommand, On as prompt, Pn as configArg, Qt as generateAllTypeManifestsFromSnapshot, R as getConfiguredEditorCommand, Rn as pagedLogArgs, Sn as getNamespacesWithMigrations, T as healthCommand, Tn as sdkNameLabelKey, V as showCommand, Vn as workspaceArgs, Vt as formatKeyValueTable, W as removeCommand$1, Wt as deploy, Xt as parseMigrationLabelNumber, Y as listCommand$11, Yt as handleOptionalToRequiredError, Z as getCommand$5, Zt as compareSnapshotWithRemote, _n as formatMigrationNumber, _t as generate, an as assertValidMigrationFiles, at as deleteCommand$3, b as createCommand$4, bn as formatMigrationDiff, bt as getCommand$2, c as listCommand$14, cn as createSnapshotFromLocalTypes, dn as getMigrationFilePath, dt as getCommand$3, f as restoreCommand, fn as getMigrationFiles, g as getCommand$7, gn as reconstructSnapshotFromMigrations, hn as loadDiff, ht as listCommand$8, i as updateCommand$4, jn as assertWritable, kn as apiCommand, ln as getLatestMigrationNumber, lt as listCommand$9, m as listCommand$15, mn as isValidMigrationNumber, mt as tokenCommand, nn as INITIAL_SCHEMA_NUMBER, o as removeCommand, on as compareLocalTypesWithSnapshot, r as queryCommand, rt as getCommand$4, st as createCommand$3, t as isNativeTypeScriptRuntime, tt as listCommand$10, u as inviteCommand, v as deleteCommand$4, vn as parseMigrationNumberArg, vt as listCommand$7, wn as resourceTrn, wt as triggerCommand, xn as hasChanges, z as openInConfiguredEditor, zn as paginationArgs } from "../runtime-CY4JvrDj.mjs";
+import { n as ExecutorSchema } from "../service-DjyqbCaJ.mjs";
+import { t as multiline } from "../multiline-sfHpTZZK.mjs";
+import { t as readPackageJson } from "../package-json-8b0O9TlX.mjs";
+import { i as userAgent } from "../secret-file-VSVGy1V0.mjs";
+import { n as isCLIError } from "../errors-Dtf2WPaW.mjs";
+import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-DFq-vsU0.mjs";
+import { t as isPluginGeneratedType } from "../type-source-DH_LH20p.mjs";
 import { arg, defineCommand, runCommand, runMain } from "politty";
 import { withCompletionCommand } from "politty/completion";
 import { z } from "zod";
@@ -22,6 +21,7 @@ import { dirname, resolve } from "pathe";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { generateCodeVerifier } from "@badgateway/oauth2-client";
 import { Code, ConnectError } from "@connectrpc/connect";
+import pLimit from "p-limit";
 import { resolvePackageJSON, resolveTSConfig } from "pkg-types";
 import * as crypto from "node:crypto";
 import { createHash } from "node:crypto";
@@ -30,13 +30,12 @@ import open from "open";
 import * as rolldown from "rolldown";
 import * as fsPromises from "node:fs/promises";
 import { glob } from "node:fs/promises";
-import pLimit from "p-limit";
+import { setTimeout as setTimeout$1 } from "node:timers/promises";
 import { TraceMap, generatedPositionFor, originalPositionFor } from "@jridgewell/trace-mapping";
 import { spawn, spawnSync } from "node:child_process";
 import { watch } from "chokidar";
 import * as fs from "fs";
 import { lookup } from "mime-types";
-import { setTimeout as setTimeout$1 } from "node:timers/promises";
 
 //#region src/cli/commands/authconnection/args.ts
 /**
@@ -453,7 +452,6 @@ function parseCrashLogFile(content) {
 //#region src/cli/commands/crashreport/index.ts
 const crashReportCommand = defineCommand({
 	name: "crashreport",
-	aliases: ["crash-report"],
 	description: "Manage crash reports.",
 	subCommands: {
 		list: listCommand$5,
@@ -468,7 +466,6 @@ const crashReportCommand = defineCommand({
 //#region src/cli/commands/deploy/index.ts
 const deployCommand$1 = defineAppCommand({
 	name: "deploy",
-	aliases: ["apply"],
 	description: "Deploy your application by applying the Tailor configuration.",
 	args: z.object({
 		...deploymentArgs,
@@ -484,7 +481,7 @@ const deployCommand$1 = defineAppCommand({
 	}).strict(),
 	run: async (args) => {
 		await assertWritable({ profile: args.profile });
-		const { initTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { initTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await initTelemetry();
 		await deploy({
 			workspaceId: args["workspace-id"],
@@ -572,32 +569,24 @@ function scriptNameToRegistryName(scriptName, executionType) {
 /**
 * Download a deployed function script.
 *
-* Returns the bundled script content together with the registry
-* entry's `updatedAt` timestamp. Returns null when the download fails
-* (script removed, network error, etc.) or when no content chunks are
-* received; errors are swallowed so callers can fall back to a
-* non-sourcemap display.
+* Returns the bundled script content. Returns null when the download
+* fails (script removed, network error, etc.) or when no content
+* chunks are received; errors are swallowed so callers can fall back
+* to a non-sourcemap display.
 * @param options - Download options
-* @returns Script content plus metadata, or null on failure / empty response
+* @returns Script content, or null on failure / empty response
 */
 async function downloadFunctionScript(options) {
 	const { client, workspaceId, name, contentHash } = options;
 	try {
 		const chunks = [];
-		let registryUpdatedAt = null;
 		for await (const response of client.downloadFunctionRegistryScript({
 			workspaceId,
 			name,
 			contentHash
-		})) if (response.payload.case === "metadata") {
-			const updatedAt = response.payload.value.function?.updatedAt;
-			if (updatedAt) registryUpdatedAt = timestampDate(updatedAt);
-		} else if (response.payload.case === "chunk") chunks.push(response.payload.value);
+		})) if (response.payload.case === "chunk") chunks.push(response.payload.value);
 		if (chunks.length === 0) return null;
-		return {
-			code: Buffer.concat(chunks).toString("utf-8"),
-			registryUpdatedAt
-		};
+		return { code: Buffer.concat(chunks).toString("utf-8") };
 	} catch (error) {
 		logger.debug(`Failed to download function script "${options.name}": ${error}`);
 		return null;
@@ -966,13 +955,12 @@ function printFunctionExecutionDetail(options) {
 /**
 * Download a deployed function script for sourcemap mapping. Logs a
 * debug message on failure but never throws. Error display falls back
-* to a plain-text format when the script cannot be retrieved or when
-* the current registry entry is stale relative to the execution.
+* to a plain-text format when the script cannot be retrieved.
 *
 * When `executionContentHash` is non-empty, the download is pinned to
 * that exact bundle so mapping stays correct across redeploys. When
-* empty (older servers), falls back to comparing `registryUpdatedAt`
-* against `executionStartedAt`.
+* empty, mapping is skipped because the exact bundle cannot be
+* identified.
 *
 * `FunctionExecution.scriptName` does not match the function registry
 * name directly; `scriptNameToRegistryName` translates between the two
@@ -983,50 +971,37 @@ function printFunctionExecutionDetail(options) {
 * @param options.scriptName - Script name (matches FunctionExecution.scriptName)
 * @param options.executionType - Execution type used to discriminate registry name translation
 * @param options.executionContentHash - Content hash of the bundle that ran; pins the download when non-empty
-* @param options.executionStartedAt - Execution start timestamp used as fallback staleness signal
-* @returns Bundled script content, or null when unavailable / stale
+* @returns Bundled script content, or null when unavailable
 */
 async function downloadScriptForMapping(options) {
-	const { client, workspaceId, scriptName, executionType, executionContentHash, executionStartedAt } = options;
+	const { client, workspaceId, scriptName, executionType, executionContentHash } = options;
 	const registryName = scriptNameToRegistryName(scriptName, executionType);
 	if (registryName == null) {
 		logger.debug(`Script "${scriptName}" is not a deployed registry script (e.g. test-run or seed); skipping sourcemap mapping.`);
 		return null;
 	}
-	if (executionContentHash !== "") {
-		const pinned = await downloadFunctionScript({
-			client,
-			workspaceId,
-			name: registryName,
-			contentHash: executionContentHash
-		});
-		if (pinned == null) {
-			logger.debug(`Could not download pinned script "${scriptName}" (registry: "${registryName}", contentHash: "${executionContentHash}") for stack trace mapping; showing raw stack trace.`);
-			return null;
-		}
-		return pinned.code;
+	if (executionContentHash === "") {
+		logger.debug(`Function execution "${scriptName}" has no contentHash; skipping sourcemap mapping because the exact bundle cannot be identified.`);
+		return null;
 	}
-	const result = await downloadFunctionScript({
+	const pinned = await downloadFunctionScript({
 		client,
 		workspaceId,
-		name: registryName
+		name: registryName,
+		contentHash: executionContentHash
 	});
-	if (result == null) {
-		logger.debug(`Could not download script "${scriptName}" (registry: "${registryName}") for stack trace mapping; showing raw stack trace.`);
+	if (pinned == null) {
+		logger.debug(`Could not download pinned script "${scriptName}" (registry: "${registryName}", contentHash: "${executionContentHash}") for stack trace mapping; showing raw stack trace.`);
 		return null;
 	}
-	if (executionStartedAt != null && result.registryUpdatedAt != null && result.registryUpdatedAt.getTime() > executionStartedAt.getTime()) {
-		logger.debug(`Registry script "${registryName}" was updated at ${result.registryUpdatedAt.toISOString()} after execution started at ${executionStartedAt.toISOString()}; skipping sourcemap mapping to avoid stale source locations.`);
-		return null;
-	}
-	return result.code;
+	return pinned.code;
 }
 const logsCommand = defineAppCommand({
 	name: "logs",
 	description: "List or get function execution logs.",
 	notes: `When viewing a specific execution that failed, the command displays error details with the stack trace mapped back to your original source files (clickable file links and code snippets, matching \`function test-run\` output).
 
-Stack traces stay accurate even after later redeploys, because the trace is resolved against the exact build that produced the execution. If that build is no longer available, the command falls back to a plain-text error display.`,
+Stack traces are mapped only when the execution includes a content hash for the exact build that ran. If the content hash is missing or the build is no longer available, the command falls back to a plain-text error display.`,
 	examples: [
 		{
 			cmd: "",
@@ -1074,8 +1049,7 @@ Stack traces stay accurate even after later redeploys, because the trace is reso
 					workspaceId,
 					scriptName: detail.scriptName,
 					executionType: execution.type,
-					executionContentHash: execution.contentHash,
-					executionStartedAt: detail.startedAt
+					executionContentHash: execution.contentHash
 				}) : null
 			});
 		} else {
@@ -1169,21 +1143,21 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
         export { _fn as main };
       `;
 		case "resolver": {
-			const userExpr = buildMachineUserExpr(machineUser, workspaceId);
+			const principalExpr = buildMachinePrincipalExpr(machineUser, workspaceId);
 			return multiline`
         import _internalResolver from "${absoluteSourcePath}";
         import { t } from "@tailor-platform/sdk";
 
         const _env = ${JSON.stringify(env)};
-        const _user = ${userExpr};
+        const _caller = ${principalExpr};
 
         const $tailor_resolver_body = async (context) => {
-          const _invoker = ${INVOKER_EXPR};
+          const _invoker = ${INVOKER_EXPR} ?? _caller;
           if (_internalResolver.input) {
             const result = t.object(_internalResolver.input).parse({
               value: context,
               data: context,
-              user: _user,
+              invoker: _invoker,
             });
 
             if (result.issues) {
@@ -1194,7 +1168,7 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
             }
           }
 
-          const enrichedContext = { input: context, env: _env, user: _user, invoker: _invoker };
+          const enrichedContext = { input: context, env: _env, caller: _caller, invoker: _invoker };
           return _internalResolver.body(enrichedContext);
         };
 
@@ -1202,15 +1176,15 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
       `;
 		}
 		case "executor": {
-			const actorExpr = buildMachineActorExpr(machineUser, workspaceId);
+			const principalExpr = buildMachinePrincipalExpr(machineUser, workspaceId);
 			return multiline`
         import _internalExecutor from "${absoluteSourcePath}";
 
         const _env = ${JSON.stringify(env)};
-        const _actor = ${actorExpr};
+        const _actor = ${principalExpr};
 
         const __executor_function = async (args) => {
-          const _invoker = ${INVOKER_EXPR};
+          const _invoker = ${INVOKER_EXPR} ?? _actor;
           return _internalExecutor.operation.body({ ...args, env: _env, actor: _actor, invoker: _invoker });
         };
 
@@ -1219,13 +1193,15 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
 		}
 		case "workflow-job": {
 			const exportName = assertDefined(detected.exportName, "workflow job export name missing");
+			const principalExpr = buildMachinePrincipalExpr(machineUser, workspaceId);
 			return multiline`
         import { ${exportName} } from "${absoluteSourcePath}";
 
         const env = ${JSON.stringify(env)};
+        const fallbackInvoker = ${principalExpr};
 
         export async function main(input) {
-          const invoker = ${INVOKER_EXPR};
+          const invoker = ${INVOKER_EXPR} ?? fallbackInvoker;
           return await ${exportName}.body(input, { env, invoker });
         }
       `;
@@ -1233,35 +1209,20 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
 	}
 }
 /**
-* Build a JSON expression for a machine user TailorUser object.
+* Build a JSON expression for a machine user TailorPrincipal object.
 * @param machineUser - Resolved machine user info
 * @param workspaceId - Workspace ID
 * @returns JSON string for the user expression
 */
-function buildMachineUserExpr(machineUser, workspaceId) {
+function buildMachinePrincipalExpr(machineUser, workspaceId) {
 	return JSON.stringify({
 		id: machineUser.id,
 		type: "machine_user",
 		workspaceId,
-		attributes: machineUser.attributes,
+		attributes: machineUser.attributes ?? {},
 		attributeList: machineUser.attributeList
 	});
 }
-/**
-* Build a JSON expression for a machine user TailorActor object.
-* @param machineUser - Resolved machine user info
-* @param workspaceId - Workspace ID
-* @returns JSON string for the actor expression
-*/
-function buildMachineActorExpr(machineUser, workspaceId) {
-	return JSON.stringify({
-		workspaceId,
-		userId: machineUser.id,
-		attributes: machineUser.attributes,
-		attributeList: machineUser.attributeList,
-		userType: "USER_TYPE_MACHINE_USER"
-	});
-}
 
 //#endregion
 //#region src/cli/commands/function/detect.ts
@@ -1284,7 +1245,7 @@ async function detectFunctionType(options) {
 		const rawInput = module.default.input;
 		let inputSchema;
 		if (rawInput) {
-			const { t } = await import("../types-2Be3wSMc.mjs");
+			const { t } = await import("../types-74etvaxy.mjs");
 			inputSchema = t.object(rawInput);
 		}
 		return {
@@ -1470,11 +1431,9 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 			functionType = detected.type;
 			functionName = detected.name;
 			logger.info(`Detected: ${styles.bold(detected.type)} ${styles.info(`"${detected.name}"`)}`);
-			if (detected.type === "resolver" && args.arg) {
-				if (!detected.hasInput) {
-					logger.warn("--arg is ignored because this resolver has no input schema. Define \"input\" in your resolver to use --arg.");
-					args.arg = void 0;
-				} else if (detected.inputSchema) args.arg = resolveResolverArg(args.arg, detected.inputSchema, machineUser, workspaceId);
+			if (detected.type === "resolver" && args.arg && !detected.hasInput) {
+				logger.warn("--arg is ignored because this resolver has no input schema. Define \"input\" in your resolver to use --arg.");
+				args.arg = void 0;
 			}
 			logger.info("Bundling...");
 			({bundledCode, scriptName} = await bundleForTestRun({
@@ -1488,18 +1447,24 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 			}));
 			logger.info(`Bundled as ${styles.bold(scriptName)}`);
 		}
-		const authInvoker = create(AuthInvokerSchema, {
+		const invoker = create(AuthInvokerSchema, {
 			namespace: authNamespace,
 			machineUserName: machineUser.name
 		});
 		logger.info(`Executing on workspace ${styles.dim(workspaceId)}...`);
+		let parsedArg;
+		if (args.arg !== void 0) try {
+			parsedArg = JSON.parse(args.arg);
+		} catch (error) {
+			throw new Error(`Invalid --arg JSON: ${error instanceof Error ? error.message : error}`, { cause: error });
+		}
 		const result = await executeScript({
 			client,
 			workspaceId,
 			name: scriptName,
 			code: bundledCode,
-			arg: args.arg,
-			invoker: authInvoker
+			arg: parsedArg,
+			invoker
 		});
 		if (jsonOutput) logger.out({
 			success: result.success,
@@ -1600,42 +1565,6 @@ async function resolveMachineUser(options) {
 		attributeList
 	};
 }
-/**
-* Resolve resolver arg format: detect and unwrap deprecated {"input":{...}} wrapper.
-* Tries new format (arg = input fields) first via schema parse.
-* If that fails and arg looks like old format, tries unwrapping.
-* @param argStr - JSON string of the arg
-* @param inputSchema - Pre-built schema object from detect (has .parse())
-* @param machineUser - Resolved machine user info
-* @param workspaceId - Workspace ID
-* @returns Resolved JSON string (unwrapped if old format)
-*/
-function resolveResolverArg(argStr, inputSchema, machineUser, workspaceId) {
-	const parsed = JSON.parse(argStr);
-	const user = {
-		id: machineUser.id,
-		type: "machine_user",
-		workspaceId,
-		attributes: machineUser.attributes ?? null,
-		attributeList: machineUser.attributeList
-	};
-	if (!inputSchema.parse({
-		value: parsed,
-		data: parsed,
-		user
-	}).issues) return argStr;
-	if (Object.keys(parsed).length === 1 && parsed.input != null && typeof parsed.input === "object" && !Array.isArray(parsed.input)) {
-		if (!inputSchema.parse({
-			value: parsed.input,
-			data: parsed.input,
-			user
-		}).issues) {
-			logger.warn("[DEPRECATED] Wrapping args with \"input\" key (e.g. {\"input\":{...}}) is deprecated. Pass input fields directly (e.g. {\"a\":1}). The \"input\" wrapper will be removed in v2.");
-			return JSON.stringify(parsed.input);
-		}
-	}
-	return argStr;
-}
 
 //#endregion
 //#region src/cli/commands/function/index.ts
@@ -1669,7 +1598,7 @@ const generateCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
-		const { initTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { initTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await initTelemetry();
 		await generate({
 			configPath: args.config,
@@ -1748,11 +1677,12 @@ const startAuthServer = async () => {
 				});
 				const userInfo = await fetchUserInfo(tokens.accessToken);
 				const pfConfig = await readPlatformConfig();
-				await saveUserTokens(pfConfig, userInfo.email, {
+				await saveUserTokens(pfConfig, userInfo.sub, {
 					accessToken: tokens.accessToken,
 					refreshToken: tokens.refreshToken ?? void 0
-				}, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString());
-				pfConfig.current_user = userInfo.email;
+				}, new Date(assertDefined(tokens.expiresAt, "token response missing expiresAt")).toISOString(), { email: userInfo.email });
+				await removeLegacyUserAlias(pfConfig, userInfo.email, userInfo.sub);
+				pfConfig.current_user = userInfo.sub;
 				writePlatformConfig(pfConfig);
 				res.writeHead(200, { "Content-Type": "application/json" });
 				res.end(JSON.stringify({
@@ -1806,7 +1736,6 @@ const loginCommand = defineAppCommand({
 	description: "Login to Tailor Platform.",
 	args: z.xor([z.object({}).strict().describe("User Login"), z.object({
 		"machine-user": arg(z.literal(true), {
-			hiddenAlias: "machineuser",
 			description: "Login as a platform machine user.",
 			required: true
 		}),
@@ -1977,7 +1906,7 @@ const createCommand$2 = defineAppCommand({
 		}),
 		user: arg(z.string(), {
 			alias: "u",
-			description: "User email"
+			description: "User email address or machine user client ID"
 		}),
 		"workspace-id": arg(z.string(), {
 			alias: "w",
@@ -1994,7 +1923,8 @@ const createCommand$2 = defineAppCommand({
 		if (args["machine-user-override"] === "deny" && !args["machine-user"]) throw new Error("--machine-user-override deny requires --machine-user.");
 		const config = await readPlatformConfig();
 		if (config.profiles[args.name]) throw new Error(`Profile "${args.name}" already exists.`);
-		const client = await initOperatorClient(await fetchLatestToken(config, args.user));
+		const { accessToken: token, user: resolvedUser } = await fetchLatestToken(config, args.user);
+		const client = await initOperatorClient(token);
 		if (!(await fetchAll(async (pageToken, maxPageSize) => {
 			const { workspaces, nextPageToken } = await client.listWorkspaces({
 				pageToken,
@@ -2003,7 +1933,7 @@ const createCommand$2 = defineAppCommand({
 			return [workspaces, nextPageToken];
 		})).find((ws) => ws.id === args["workspace-id"])) throw new Error(`Workspace "${args["workspace-id"]}" not found.`);
 		config.profiles[args.name] = {
-			user: args.user,
+			user: resolvedUser,
 			workspace_id: args["workspace-id"],
 			...args.permission === "read" ? { readonly: true } : {},
 			...args["machine-user"] ? { machine_user: args["machine-user"] } : {},
@@ -2013,7 +1943,7 @@ const createCommand$2 = defineAppCommand({
 		if (!args.json) logger.success(`Profile "${args.name}" created successfully.`);
 		const profileInfo = {
 			name: args.name,
-			user: args.user,
+			user: resolvedUser,
 			workspaceId: args["workspace-id"],
 			permission: args.permission,
 			...args["machine-user"] ? {
@@ -2090,7 +2020,7 @@ const updateCommand$1 = defineAppCommand({
 		}),
 		user: arg(z.string().optional(), {
 			alias: "u",
-			description: "New user email"
+			description: "New user email address or machine user client ID"
 		}),
 		"workspace-id": arg(z.string().optional(), {
 			alias: "w",
@@ -2112,6 +2042,7 @@ const updateCommand$1 = defineAppCommand({
 		const newUser = args.user || oldUser;
 		const oldWorkspaceId = profile.workspace_id;
 		const newWorkspaceId = args["workspace-id"] || oldWorkspaceId;
+		let resolvedUser = newUser;
 		const finalMachineUser = args["machine-user"] === "" ? void 0 : args["machine-user"] ?? profile.machine_user;
 		const finalOverride = args["machine-user-override"] === "allow" ? void 0 : args["machine-user-override"] ?? profile.machine_user_override;
 		if ((args["machine-user"] !== void 0 || args["machine-user-override"] !== void 0) && finalOverride === "deny" && !finalMachineUser) {
@@ -2119,7 +2050,9 @@ const updateCommand$1 = defineAppCommand({
 			throw new Error(`Cannot clear the machine user while machine-user-override is "deny". Also pass --machine-user-override allow.`);
 		}
 		if (args.user !== void 0 || args["workspace-id"] !== void 0) {
-			const client = await initOperatorClient(await fetchLatestToken(config, newUser));
+			const refreshed = await fetchLatestToken(config, newUser);
+			resolvedUser = refreshed.user;
+			const client = await initOperatorClient(refreshed.accessToken);
 			if (!(await fetchAll(async (pageToken, maxPageSize) => {
 				const { workspaces, nextPageToken } = await client.listWorkspaces({
 					pageToken,
@@ -2128,7 +2061,7 @@ const updateCommand$1 = defineAppCommand({
 				return [workspaces, nextPageToken];
 			})).find((ws) => ws.id === newWorkspaceId)) throw new Error(`Workspace "${newWorkspaceId}" not found.`);
 		}
-		profile.user = newUser;
+		profile.user = resolvedUser;
 		profile.workspace_id = newWorkspaceId;
 		if (args.permission === "read") profile.readonly = true;
 		else if (args.permission === "write") delete profile.readonly;
@@ -2140,7 +2073,7 @@ const updateCommand$1 = defineAppCommand({
 		if (!args.json) logger.success(`Profile "${args.name}" updated successfully`);
 		const profileInfo = {
 			name: args.name,
-			user: newUser,
+			user: resolvedUser,
 			workspaceId: newWorkspaceId,
 			permission: profile.readonly === true ? "read" : "write",
 			...profile.machine_user ? {
@@ -2609,7 +2542,7 @@ const secretCommand = defineCommand({
 });
 
 //#endregion
-//#region src/cli/commands/setup/github/git.ts
+//#region src/cli/commands/setup/git.ts
 const defaultGitRunner = (args, cwd) => {
 	const result = spawnSync("git", args, {
 		cwd,
@@ -2640,7 +2573,7 @@ function detectDefaultBranch(cwd, run = defaultGitRunner) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/lock.ts
+//#region src/cli/commands/setup/lock.ts
 /** Current lock schema version. Bumped only on breaking lock-format changes. */
 const LOCK_VERSION = 1;
 /** Lock file path, relative to the repository root. */
@@ -2706,66 +2639,24 @@ function findTarget(lock, kind, workspaceName) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/branch.workflow.yml
-var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/setup-bun.yml
-var setup_bun_default = "- id: tailor-setup-bun\n  uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- id: tailor-install\n  run: bun install --frozen-lockfile\n";
+//#region src/cli/commands/setup/branch.workflow.yml
+var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-generate-check\n        uses: tailor-platform/actions/generate-check@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
-//#region src/cli/commands/setup/github/setup-npm.yml
-var setup_npm_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- id: tailor-install\n  run: npm ci\n";
+//#region src/cli/commands/setup/tag.workflow.yml
+var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        uses: tailor-platform/actions/tag-guard@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          target-branch: \"__BRANCH__\"\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-generate-check\n        uses: tailor-platform/actions/generate-check@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n      - id: tailor-plan\n        uses: tailor-platform/actions/plan@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
-//#region src/cli/commands/setup/github/setup-pnpm.yml
-var setup_pnpm_default = "- id: tailor-setup-pnpm\n  uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9\n- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- id: tailor-install\n  run: pnpm install --frozen-lockfile\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/setup-yarn.yml
-var setup_yarn_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- id: tailor-install\n  run: yarn install --frozen-lockfile\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/tag.workflow.yml
-var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        env:\n          TARGET_BRANCH: \"__BRANCH__\"\n        run: |\n          git fetch origin \"$TARGET_BRANCH\"\n          if git merge-base --is-ancestor \"$GITHUB_SHA\" \"origin/$TARGET_BRANCH\"; then\n            echo \"on-branch=true\" >> \"$GITHUB_OUTPUT\"\n          else\n            # A tag outside the target branch is not an error — just skip.\n            echo \"on-branch=false\" >> \"$GITHUB_OUTPUT\"\n            echo \"::notice::Tag $GITHUB_REF_NAME is not reachable from $TARGET_BRANCH; skipping deploy.\"\n          fi\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/templates.ts
-const setupStepIds = {
-	pnpm: [
-		"tailor-setup-pnpm",
-		"tailor-setup-node",
-		"tailor-install"
-	],
-	yarn: ["tailor-setup-node", "tailor-install"],
-	npm: ["tailor-setup-node", "tailor-install"],
-	bun: ["tailor-setup-bun", "tailor-install"]
-};
-const setupSteps = {
-	pnpm: setup_pnpm_default,
-	yarn: setup_yarn_default,
-	npm: setup_npm_default,
-	bun: setup_bun_default
-};
-const execPrefix = {
-	npm: "npx",
-	pnpm: "pnpm exec",
-	yarn: "yarn",
-	bun: "bunx"
-};
-const HEADER = `# Generated by \`tailor-sdk setup github\` — managed by the Tailor SDK.
+//#region src/cli/commands/setup/templates.ts
+const HEADER = `# Generated by \`tailor-sdk setup\` — managed by the Tailor SDK.
 #
 # - Jobs and steps whose id starts with \`tailor-\` are managed by the SDK.
 #   Do not edit or rename them.
 # - State is tracked in .github/tailor-sdk.lock (machine-owned: commit it, never edit it).
-# - Re-running \`tailor-sdk setup github\` regenerates this file. If you have
+# - Re-running \`tailor-sdk setup\` regenerates this file. If you have
 #   edited it by hand, regeneration stops and asks for --force (which discards
 #   your edits), so prefer keeping customizations in your own jobs/steps and
 #   re-running setup after SDK updates.`;
-function indentSnippet(snippet, spaces) {
-	const indent = " ".repeat(spaces);
-	return snippet.trimEnd().split("\n").map((line) => line ? indent + line : line).join("\n");
-}
 /**
 * Detect the package manager used in a project directory by checking for lockfiles.
 * @param dir - Project directory to inspect
@@ -2793,11 +2684,7 @@ function applyCommon(content, params) {
 	const { workingDirectory, environment, packageManager } = params;
 	let out = line(content, "HEADER", HEADER);
 	out = line(out, "WORKING_DIRECTORY", workingDirectory ? `working-directory: ${workingDirectory}` : void 0);
-	out = out.replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
-	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PM_EXEC__", () => execPrefix[packageManager]);
-}
-function setupIds(job, packageManager) {
-	return setupStepIds[packageManager].map((id) => `${job}/${id}`);
+	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PACKAGE_MANAGER__", () => packageManager);
 }
 /**
 * Render the branch-target deploy workflow.
@@ -2809,7 +2696,7 @@ function setupIds(job, packageManager) {
 * @returns Rendered YAML and the list of managed job/step ids
 */
 function renderBranchWorkflow(params) {
-	const { branch, plan, packageManager } = params;
+	const { branch, plan } = params;
 	let out = branch_workflow_default;
 	out = block(out, "PLAN_JOB", plan);
 	out = block(out, "PULL_REQUEST", plan);
@@ -2818,8 +2705,8 @@ function renderBranchWorkflow(params) {
 	out = line(out, "PATHS", params.workingDirectory ? `paths: ["${params.workingDirectory}/**"]` : void 0);
 	out = applyCommon(out, params).replaceAll("__BRANCH__", () => branch);
 	const generatedIds = [];
-	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
-	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", "tailor-plan/tailor-setup", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
+	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", "tailor-deploy/tailor-setup", "tailor-deploy/tailor-apply");
 	return {
 		content: out,
 		generatedIds
@@ -2834,7 +2721,7 @@ function renderBranchWorkflow(params) {
 * @returns Rendered YAML and the list of managed job/step ids
 */
 function renderTagWorkflow(params) {
-	const { tagPattern, branch, packageManager } = params;
+	const { tagPattern, branch } = params;
 	const hasGuard = branch !== void 0;
 	let out = tag_workflow_default;
 	out = block(out, "TAG_GUARD_JOB", hasGuard);
@@ -2844,7 +2731,7 @@ function renderTagWorkflow(params) {
 	if (hasGuard) out = out.replaceAll("__BRANCH__", () => branch);
 	const generatedIds = [];
 	if (hasGuard) generatedIds.push("tailor-tag-guard", "tailor-tag-guard/tailor-checkout", "tailor-tag-guard/tailor-tag-guard");
-	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan", "tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", "tailor-plan/tailor-setup", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan", "tailor-deploy", "tailor-deploy/tailor-checkout", "tailor-deploy/tailor-setup", "tailor-deploy/tailor-apply");
 	return {
 		content: out,
 		generatedIds
@@ -2852,7 +2739,110 @@ function renderTagWorkflow(params) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/github.ts
+//#region src/cli/commands/setup/check.ts
+/**
+* Compute drift findings for one target by comparing its recorded lock state
+* against the current repository/config state.
+* @param target - The lock target being audited
+* @param state - Current repository/config state for this target
+* @returns Drift findings (empty when the target is in sync)
+*/
+function findTargetDrift(target, state) {
+	const id = `${target.kind} ${target.workspaceName}`;
+	const findings = [];
+	if (!state.fileExists) findings.push({
+		target: id,
+		rule: "missing-file",
+		message: `${target.file} is missing or unreadable. Re-run setup to restore it.`
+	});
+	else if (state.currentHash !== null && state.currentHash !== target.contentHash) findings.push({
+		target: id,
+		rule: "hand-edit",
+		message: `${target.file} was edited by hand since it was generated. Re-run setup with --force to regenerate, or keep customizations in your own jobs/steps.`
+	});
+	if (target.templateVersion < state.templateVersion) findings.push({
+		target: id,
+		rule: "template-version",
+		message: `A newer workflow template is available (generated with v${String(target.templateVersion)}, current v${String(state.templateVersion)}). Re-run setup to update.`
+	});
+	if (!state.configExists) findings.push({
+		target: id,
+		rule: "config-dir",
+		message: `tailor.config.ts not found under "${target.inputs.dir}". The app directory may have moved; re-run setup with the correct --dir.`
+	});
+	if (target.kind === "branch" && target.inputs.branchAutoDetected !== false && state.defaultBranch !== null && target.inputs.branch !== null && target.inputs.branch !== state.defaultBranch) findings.push({
+		target: id,
+		rule: "default-branch",
+		message: `The workflow triggers on "${target.inputs.branch}" but the repository default branch is now "${state.defaultBranch}". If this is intentional, ignore this; otherwise re-run setup so the trigger matches the default branch.`
+	});
+	return findings;
+}
+function detectDefaultBranchSafe(cwd, run) {
+	try {
+		return detectDefaultBranch(cwd, run);
+	} catch {
+		return null;
+	}
+}
+function escapesRoot$1(rel) {
+	return path.isAbsolute(rel) || rel === ".." || rel.startsWith(`..${path.sep}`) || rel.startsWith("../");
+}
+function resolveWithinRoot(outputDir, relPath) {
+	if (path.isAbsolute(relPath)) return null;
+	const abs = path.join(outputDir, relPath);
+	if (escapesRoot$1(path.relative(outputDir, abs))) return null;
+	try {
+		if (escapesRoot$1(path.relative(fs$1.realpathSync(outputDir), fs$1.realpathSync(abs)))) return null;
+	} catch {}
+	return abs;
+}
+function readHash(absFile) {
+	try {
+		return hashContent(fs$1.readFileSync(absFile, "utf-8"));
+	} catch {
+		return null;
+	}
+}
+/**
+* Audit the generated workflows for drift against the current config/repo
+* state. Read-only: never writes files, the lock, or the config.
+*
+* Throws when drift is found (so it composes like the other `:check`
+* commands). The workflow drift-check step layers advisory behaviour on top
+* (per-rule ignore / continue-on-error); the CLI itself reports via exit code.
+* @param options - Check options
+*/
+function checkGitHub(options) {
+	logBetaWarning("setup");
+	const { outputDir } = options;
+	const lock = readLock(outputDir);
+	if (!lock || lock.targets.length === 0) throw new Error("No managed workflows found (.github/tailor-sdk.lock is missing or empty). Run `tailor-sdk setup` first.");
+	const exists = options.configExistsAt ?? ((p) => fs$1.existsSync(p));
+	const defaultBranch = detectDefaultBranchSafe(outputDir, options.gitRunner);
+	const findings = [];
+	for (const target of lock.targets) {
+		const absFile = resolveWithinRoot(outputDir, target.file);
+		const currentHash = absFile === null ? null : readHash(absFile);
+		const configAbs = resolveWithinRoot(outputDir, path.join(target.inputs.dir, "tailor.config.ts"));
+		findings.push(...findTargetDrift(target, {
+			fileExists: currentHash !== null,
+			currentHash,
+			configExists: configAbs !== null && exists(configAbs),
+			defaultBranch,
+			templateVersion: 2
+		}));
+	}
+	const count = lock.targets.length;
+	if (findings.length === 0) {
+		logger.success(`No drift detected across ${String(count)} target(s).`);
+		return;
+	}
+	for (const finding of findings) logger.warn(`[${finding.target}] ${finding.message} (ignore key: ${finding.rule})`);
+	throw new Error(`Detected ${String(findings.length)} drift finding(s) across ${String(count)} target(s). Re-run \`tailor-sdk setup\` to regenerate, or address each finding above.`);
+}
+
+//#endregion
+//#region src/cli/commands/setup/generate.ts
 async function defaultLoadConfigName(configPath) {
 	const { config } = await loadConfig(configPath);
 	return config.name;
@@ -2924,8 +2914,10 @@ async function resolve$1(options) {
 	validateEnvironment(environment);
 	if (kind === "tag") validateTagPattern(options.tagPattern);
 	let branch = null;
+	let branchAutoDetected = false;
 	let render;
 	if (kind === "branch") {
+		branchAutoDetected = options.branch === void 0;
 		branch = options.branch ?? detectDefaultBranch(options.outputDir, options.gitRunner);
 		validateBranch(branch);
 		render = renderBranchWorkflow({
@@ -2951,6 +2943,7 @@ async function resolve$1(options) {
 	const file = `.github/workflows/tailor-${workspaceName}.yml`;
 	const inputs = {
 		branch,
+		branchAutoDetected: kind === "branch" ? branchAutoDetected : void 0,
 		tagPattern: kind === "tag" ? options.tagPattern : null,
 		environment,
 		dir,
@@ -3039,7 +3032,7 @@ function printNextSteps(obj) {
 * @param options - Setup options
 */
 async function setupGitHub(options) {
-	logBetaWarning("setup github");
+	logBetaWarning("setup");
 	const resolved = await resolve$1(options);
 	const lock = readLock(options.outputDir);
 	const absFile = path.join(options.outputDir, resolved.file);
@@ -3067,7 +3060,7 @@ async function setupGitHub(options) {
 		kind: resolved.kind,
 		workspaceName: resolved.workspaceName,
 		file: resolved.file,
-		templateVersion: 1,
+		templateVersion: 2,
 		inputs: resolved.inputs,
 		generatedIds: resolved.render.generatedIds,
 		ejectedIds: existing?.ejectedIds ?? [],
@@ -3091,11 +3084,23 @@ async function setupGitHub(options) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/index.ts
-const githubCommand = defineAppCommand({
-	name: "github",
-	description: "Generate a GitHub Actions deploy workflow. (beta)",
+//#region src/cli/commands/setup/index.ts
+const checkCommand = defineAppCommand({
+	name: "check",
+	description: "Audit generated workflows for drift against the current config/repo (read-only).",
+	args: z.object({}).strict(),
+	run: () => {
+		checkGitHub({ outputDir: process.cwd() });
+	}
+});
+const setupCommand = defineAppCommand({
+	name: "setup",
+	description: "Generate a CI deploy workflow for your project. (beta)",
 	args: z.object({
+		provider: arg(z.enum(["github"], { message: "Only the 'github' provider is supported." }).default("github"), {
+			alias: "p",
+			description: "CI provider to generate for (only 'github' is supported)"
+		}),
 		"workspace-name": arg(z.string().min(1).optional(), {
 			alias: "n",
 			description: "Workspace name (defaults to the config 'name')"
@@ -3111,6 +3116,7 @@ const githubCommand = defineAppCommand({
 		}),
 		force: arg(z.boolean().default(false), { description: "Discard hand edits / take over unmanaged files and regenerate" })
 	}).strict(),
+	subCommands: { check: checkCommand },
 	run: async (args) => {
 		if (args["tag-pattern"] !== void 0 && !args.tag) throw new Error("--tag-pattern requires --tag.");
 		if (args["no-plan"] && args.tag) throw new Error("--no-plan cannot be combined with --tag.");
@@ -3128,14 +3134,6 @@ const githubCommand = defineAppCommand({
 	}
 });
 
-//#endregion
-//#region src/cli/commands/setup/index.ts
-const setupCommand = defineCommand({
-	name: "setup",
-	description: "Set up project infrastructure.",
-	subCommands: { github: githubCommand }
-});
-
 //#endregion
 //#region src/cli/shared/skills-installer.ts
 const SKILL_NAME = "tailor-sdk";
@@ -4807,7 +4805,7 @@ async function fetchRemoteTypes(client, workspaceId, namespace) {
 async function assertMigrationsReproduceLocalTypes(loaded, target) {
 	const { config, plugins } = loaded;
 	const pluginManager = plugins.length > 0 ? new PluginManager(plugins) : void 0;
-	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-av2raLs6.mjs");
+	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-Dtqap5jM.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -4819,7 +4817,7 @@ async function assertMigrationsReproduceLocalTypes(loaded, target) {
 		await service.processNamespacePlugins();
 	}
 	const pluginExecutorFiles = generatePluginFilesIfNeeded(pluginManager, application.tailorDBServices, config.path);
-	const executorService = application.executorService ?? (pluginExecutorFiles.length > 0 ? (await import("../service-BHQIerYh.mjs")).createExecutorService({ config: { files: [] } }) : void 0);
+	const executorService = application.executorService ?? (pluginExecutorFiles.length > 0 ? (await import("../service-DCqIWibD.mjs")).createExecutorService({ config: { files: [] } }) : void 0);
 	await executorService?.loadExecutors();
 	if (pluginExecutorFiles.length > 0) await executorService?.loadPluginExecutorFiles([...pluginExecutorFiles]);
 	const executorUsedTypes = /* @__PURE__ */ new Set();
@@ -5094,9 +5092,9 @@ const upgradeCommand = defineAppCommand({
 		})
 	}).strict(),
 	run: async (args) => {
-		const { initTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { initTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await initTelemetry();
-		const { upgrade } = await import("../service-DMohAx8a2.mjs");
+		const { upgrade } = await import("../service-DU1mVzri2.mjs");
 		await upgrade({
 			from: args.from,
 			dryRun: args["dry-run"],
@@ -5237,7 +5235,8 @@ const createCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		const client = await initOperatorClient(token);
 		const scopes = getScopesFromWriteFlag(args.write);
 		const result = await client.createPersonalAccessToken({
 			name: args.name,
@@ -5264,7 +5263,8 @@ const deleteCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		await (await initOperatorClient(await fetchLatestToken(config, config.current_user))).deletePersonalAccessToken({ name: args.name });
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		await (await initOperatorClient(token)).deletePersonalAccessToken({ name: args.name });
 		logger.success(`Personal access token "${args.name}" deleted successfully.`);
 	}
 });
@@ -5282,7 +5282,8 @@ const listCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		const client = await initOperatorClient(token);
 		const pageDirection = toPageDirection(args.order);
 		const pats = await fetchPaged(async (pageToken, pageSize) => {
 			const { personalAccessTokens, nextPageToken } = await client.listPersonalAccessTokens({
@@ -5335,7 +5336,8 @@ const updateCommand = defineAppCommand({
         No user logged in.
         Please login first using 'tailor-sdk login' command.
       `);
-		const client = await initOperatorClient(await fetchLatestToken(config, config.current_user));
+		const { accessToken: token } = await fetchLatestToken(config, config.current_user);
+		const client = await initOperatorClient(token);
 		await client.deletePersonalAccessToken({ name: args.name });
 		const scopes = getScopesFromWriteFlag(args.write);
 		const result = await client.createPersonalAccessToken({
@@ -5370,15 +5372,16 @@ const switchCommand = defineAppCommand({
 	description: "Set current user.",
 	args: z.object({ user: arg(z.string(), {
 		positional: true,
-		description: "User email"
+		description: "User email address or machine user client ID"
 	}) }).strict(),
 	run: async (args) => {
 		const config = await readPlatformConfig();
-		if (!config.users[args.user]) throw new Error(multiline`
+		const user = findConfigUserKey(config, args.user);
+		if (!user) throw new Error(multiline`
         User "${args.user}" not found.
         Please login first using 'tailor-sdk login' command to register this user.
       `);
-		config.current_user = args.user;
+		config.current_user = user;
 		writePlatformConfig(config);
 		logger.success(`Current user set to "${args.user}" successfully.`);
 	}
@@ -5409,6 +5412,7 @@ const workflowCommand = defineCommand({
 		list: listCommand$12,
 		get: getCommand$6,
 		start: startCommand,
+		wait: waitCommand,
 		executions: executionsCommand,
 		resume: resumeCommand
 	},
@@ -5522,11 +5526,11 @@ runMain(mainCommand, {
 				if (isVerbose() && error.stack) logger.debug(`\nStack trace:\n${error.stack}`);
 			} else logger.error(`Unknown error: ${error}`);
 			if (!isCLIError(error) && (!(error instanceof Error) || error instanceof TypeError || error instanceof RangeError)) {
-				const { reportCrash } = await import("../crashreport-D1wKBJ8N.mjs");
+				const { reportCrash } = await import("../crashreport-BMWcxeSE.mjs");
 				await reportCrash(error, "handledError");
 			}
 		}
-		const { shutdownTelemetry } = await import("../telemetry-w92bvGdC.mjs");
+		const { shutdownTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await shutdownTelemetry();
 	}
 });