workos 7.1.0 → 7.1.2

data/rbi/workos/user_management.rbi

@@ -6,6 +6,58 @@
 
 module WorkOS
   class UserManagement
+    class PasswordPlaintext
+      sig { returns(String) }
+      def password; end
+
+      sig do
+        params(
+          password: String
+        ).returns(WorkOS::UserManagement::PasswordPlaintext)
+      end
+      def self.new(password:); end
+    end
+
+    class PasswordHashed
+      sig { returns(String) }
+      def password_hash; end
+
+      sig { returns(String) }
+      def password_hash_type; end
+
+      sig do
+        params(
+          password_hash: String,
+          password_hash_type: String
+        ).returns(WorkOS::UserManagement::PasswordHashed)
+      end
+      def self.new(password_hash:, password_hash_type:); end
+    end
+
+    class RoleSingle
+      sig { returns(String) }
+      def role_slug; end
+
+      sig do
+        params(
+          role_slug: String
+        ).returns(WorkOS::UserManagement::RoleSingle)
+      end
+      def self.new(role_slug:); end
+    end
+
+    class RoleMultiple
+      sig { returns(T::Array[String]) }
+      def role_slugs; end
+
+      sig do
+        params(
+          role_slugs: T::Array[String]
+        ).returns(WorkOS::UserManagement::RoleMultiple)
+      end
+      def self.new(role_slugs:); end
+    end
+
     sig { params(client: WorkOS::BaseClient).void }
     def initialize(client); end
 
@@ -113,13 +165,11 @@ module WorkOS
         email_verified: T.nilable(T::Boolean),
         metadata: T.nilable(T::Hash[String, String]),
         external_id: T.nilable(String),
-        password: T.nilable(String),
-        password_hash: T.nilable(String),
-        password_hash_type: T.nilable(String),
+        password: T.nilable(T.any(WorkOS::UserManagement::PasswordPlaintext, WorkOS::UserManagement::PasswordHashed)),
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(WorkOS::User)
     end
-    def create_user(email:, first_name:, last_name:, email_verified:, metadata:, external_id:, password:, password_hash:, password_hash_type:, request_options:); end
+    def create_user(email:, first_name:, last_name:, email_verified:, metadata:, external_id:, password:, request_options:); end
 
     sig do
       params(
@@ -147,13 +197,11 @@ module WorkOS
         metadata: T.nilable(T::Hash[String, String]),
         external_id: T.nilable(String),
         locale: T.nilable(String),
-        password: T.nilable(String),
-        password_hash: T.nilable(String),
-        password_hash_type: T.nilable(String),
+        password: T.nilable(T.any(WorkOS::UserManagement::PasswordPlaintext, WorkOS::UserManagement::PasswordHashed)),
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(WorkOS::User)
     end
-    def update_user(id:, email:, first_name:, last_name:, email_verified:, metadata:, external_id:, locale:, password:, password_hash:, password_hash_type:, request_options:); end
+    def update_user(id:, email:, first_name:, last_name:, email_verified:, metadata:, external_id:, locale:, password:, request_options:); end
 
     sig do
       params(
@@ -328,12 +376,11 @@ module WorkOS
       params(
         user_id: String,
         organization_id: String,
-        role_slug: T.nilable(String),
-        role_slugs: T.nilable(T::Array[String]),
+        role: T.nilable(T.any(WorkOS::UserManagement::RoleSingle, WorkOS::UserManagement::RoleMultiple)),
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(WorkOS::OrganizationMembership)
     end
-    def create_organization_membership(user_id:, organization_id:, role_slug:, role_slugs:, request_options:); end
+    def create_organization_membership(user_id:, organization_id:, role:, request_options:); end
 
     sig do
       params(
@@ -346,12 +393,11 @@ module WorkOS
     sig do
       params(
         id: String,
-        role_slug: T.nilable(String),
-        role_slugs: T.nilable(T::Array[String]),
+        role: T.nilable(T.any(WorkOS::UserManagement::RoleSingle, WorkOS::UserManagement::RoleMultiple)),
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(WorkOS::UserOrganizationMembership)
     end
-    def update_organization_membership(id:, role_slug:, role_slugs:, request_options:); end
+    def update_organization_membership(id:, role:, request_options:); end
 
     sig do
       params(

data/test/workos/test_audit_logs.rb

@@ -42,7 +42,7 @@ class AuditLogsTest < Minitest::Test
   def test_create_schema_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/audit_logs/actions/stub/schemas(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.audit_logs.create_schema(action_name: "stub", targets: [])
+    result = @client.audit_logs.create_schema(action_name: "stub", targets: [{}])
     refute_nil result
   end
 
@@ -73,7 +73,7 @@ class AuditLogsTest < Minitest::Test
     {name: :update_organization_audit_logs_retention, verb: :put, url: %r{\Ahttps://api\.workos\.com/organizations/stub/audit_logs_retention(\?|\z)}, args: {id: "stub", retention_period_in_days: 1}},
     {name: :list_actions, verb: :get, url: %r{\Ahttps://api\.workos\.com/audit_logs/actions(\?|\z)}},
     {name: :list_action_schemas, verb: :get, url: %r{\Ahttps://api\.workos\.com/audit_logs/actions/stub/schemas(\?|\z)}, args: {action_name: "stub"}},
-    {name: :create_schema, verb: :post, url: %r{\Ahttps://api\.workos\.com/audit_logs/actions/stub/schemas(\?|\z)}, args: {action_name: "stub", targets: []}},
+    {name: :create_schema, verb: :post, url: %r{\Ahttps://api\.workos\.com/audit_logs/actions/stub/schemas(\?|\z)}, args: {action_name: "stub", targets: [{}]}},
     {name: :create_event, verb: :post, url: %r{\Ahttps://api\.workos\.com/audit_logs/events(\?|\z)}, args: {organization_id: "stub", event: {}}},
     {name: :create_export, verb: :post, url: %r{\Ahttps://api\.workos\.com/audit_logs/exports(\?|\z)}, args: {organization_id: "stub", range_start: "stub", range_end: "stub"}},
     {name: :get_export, verb: :get, url: %r{\Ahttps://api\.workos\.com/audit_logs/exports/stub(\?|\z)}, args: {audit_log_export_id: "stub"}}

data/test/workos/test_authorization.rb

@@ -13,15 +13,31 @@ class AuthorizationTest < Minitest::Test
 
   def test_check_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)})
+      .with(body: hash_including("permission_slug" => "stub", "resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.check(organization_membership_id: "stub", permission_slug: "stub", resource_target: {type: "by_id"})
+    result = @client.authorization.check(organization_membership_id: "stub", permission_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub"))
+    refute_nil result
+  end
+
+  def test_check_with_resource_target_by_external_id_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)})
+      .with(body: hash_including("permission_slug" => "stub", "resource_external_id" => "stub", "resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.check(organization_membership_id: "stub", permission_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetByExternalId.new(resource_external_id: "stub", resource_type_slug: "stub"))
     refute_nil result
   end
 
   def test_list_resources_for_membership_returns_expected_result
     stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)})
       .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
-    result = @client.authorization.list_resources_for_membership(organization_membership_id: "stub", permission_slug: "stub", parent_resource: {type: "by_id"})
+    result = @client.authorization.list_resources_for_membership(organization_membership_id: "stub", permission_slug: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+
+  def test_list_resources_for_membership_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.list_resources_for_membership(organization_membership_id: "stub", permission_slug: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_type_slug: "stub", parent_resource_external_id: "stub"))
     assert_kind_of WorkOS::Types::ListStruct, result
   end
 
@@ -48,15 +64,31 @@ class AuthorizationTest < Minitest::Test
 
   def test_assign_role_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
+      .with(body: hash_including("role_slug" => "stub", "resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.assign_role(organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"})
+    result = @client.authorization.assign_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub"))
+    refute_nil result
+  end
+
+  def test_assign_role_with_resource_target_by_external_id_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
+      .with(body: hash_including("role_slug" => "stub", "resource_external_id" => "stub", "resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.assign_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetByExternalId.new(resource_external_id: "stub", resource_type_slug: "stub"))
     refute_nil result
   end
 
   def test_remove_role_returns_expected_result
     stub_request(:delete, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.remove_role(organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"})
+    result = @client.authorization.remove_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub"))
+    assert_nil result
+  end
+
+  def test_remove_role_with_resource_target_by_external_id_returns_expected_result
+    stub_request(:delete, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.remove_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetByExternalId.new(resource_external_id: "stub", resource_type_slug: "stub"))
     assert_nil result
   end
 
@@ -112,7 +144,7 @@ class AuthorizationTest < Minitest::Test
   def test_set_organization_role_permissions_returns_expected_result
     stub_request(:put, %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.set_organization_role_permissions(organization_id: "stub", slug: "stub", permissions: [])
+    result = @client.authorization.set_organization_role_permissions(organization_id: "stub", slug: "stub", permissions: ["stub"])
     refute_nil result
   end
 
@@ -132,8 +164,17 @@ class AuthorizationTest < Minitest::Test
 
   def test_update_resource_by_external_id_returns_expected_result
     stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.update_resource_by_external_id(organization_id: "stub", resource_type_slug: "stub", external_id: "stub")
+    result = @client.authorization.update_resource_by_external_id(organization_id: "stub", resource_type_slug: "stub", external_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    refute_nil result
+  end
+
+  def test_update_resource_by_external_id_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_external_id" => "stub", "parent_resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.update_resource_by_external_id(organization_id: "stub", resource_type_slug: "stub", external_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_external_id: "stub", parent_resource_type_slug: "stub"))
     refute_nil result
   end
 
@@ -154,14 +195,30 @@ class AuthorizationTest < Minitest::Test
   def test_list_resources_returns_expected_result
     stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
       .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
-    result = @client.authorization.list_resources
+    result = @client.authorization.list_resources(parent: WorkOS::Authorization::ParentById.new(parent_resource_id: "stub"))
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+
+  def test_list_resources_with_parent_by_external_id_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.list_resources(parent: WorkOS::Authorization::ParentByExternalId.new(parent_resource_type_slug: "stub", parent_external_id: "stub"))
     assert_kind_of WorkOS::Types::ListStruct, result
   end
 
   def test_create_resource_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
+      .with(body: hash_including("external_id" => "stub", "name" => "stub", "resource_type_slug" => "stub", "organization_id" => "stub", "parent_resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.create_resource(external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub")
+    result = @client.authorization.create_resource(external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    refute_nil result
+  end
+
+  def test_create_resource_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
+      .with(body: hash_including("external_id" => "stub", "name" => "stub", "resource_type_slug" => "stub", "organization_id" => "stub", "parent_resource_external_id" => "stub", "parent_resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.create_resource(external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_external_id: "stub", parent_resource_type_slug: "stub"))
     refute_nil result
   end
 
@@ -174,8 +231,17 @@ class AuthorizationTest < Minitest::Test
 
   def test_update_resource_returns_expected_result
     stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_id" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.update_resource(resource_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    refute_nil result
+  end
+
+  def test_update_resource_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_external_id" => "stub", "parent_resource_type_slug" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.update_resource(resource_id: "stub")
+    result = @client.authorization.update_resource(resource_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_external_id: "stub", parent_resource_type_slug: "stub"))
     refute_nil result
   end
 
@@ -231,7 +297,7 @@ class AuthorizationTest < Minitest::Test
   def test_set_environment_role_permissions_returns_expected_result
     stub_request(:put, %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.set_environment_role_permissions(slug: "stub", permissions: [])
+    result = @client.authorization.set_environment_role_permissions(slug: "stub", permissions: ["stub"])
     refute_nil result
   end
 
@@ -272,13 +338,13 @@ class AuthorizationTest < Minitest::Test
 
   # Parameterized authentication error tests (one per endpoint).
   [
-    {name: :check, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", resource_target: {type: "by_id"}}},
-    {name: :list_resources_for_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", parent_resource: {type: "by_id"}}},
+    {name: :check, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub")}},
+    {name: :list_resources_for_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :list_effective_permissions, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources/stub/permissions(\?|\z)}, args: {organization_membership_id: "stub", resource_id: "stub"}},
     {name: :list_effective_permissions_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources/stub/stub/permissions(\?|\z)}, args: {organization_membership_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
     {name: :list_role_assignments, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub"}},
-    {name: :assign_role, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"}}},
-    {name: :remove_role, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"}}},
+    {name: :assign_role, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub")}},
+    {name: :remove_role, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub")}},
     {name: :remove_role_assignment, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments/stub(\?|\z)}, args: {organization_membership_id: "stub", role_assignment_id: "stub"}},
     {name: :list_organization_roles, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles(\?|\z)}, args: {organization_id: "stub"}},
     {name: :create_organization_role, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles(\?|\z)}, args: {organization_id: "stub", name: "stub"}},
@@ -286,16 +352,16 @@ class AuthorizationTest < Minitest::Test
     {name: :update_organization_role, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub(\?|\z)}, args: {organization_id: "stub", slug: "stub"}},
     {name: :delete_organization_role, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub(\?|\z)}, args: {organization_id: "stub", slug: "stub"}},
     {name: :add_organization_role_permission, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)}, args: {organization_id: "stub", slug: "stub", body_slug: "stub"}},
-    {name: :set_organization_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)}, args: {organization_id: "stub", slug: "stub", permissions: []}},
+    {name: :set_organization_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)}, args: {organization_id: "stub", slug: "stub", permissions: ["stub"]}},
     {name: :remove_organization_role_permission, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions/stub(\?|\z)}, args: {organization_id: "stub", slug: "stub", permission_slug: "stub"}},
     {name: :get_resource_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
-    {name: :update_resource_by_external_id, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
+    {name: :update_resource_by_external_id, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :delete_resource_by_external_id, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
     {name: :list_memberships_for_resource_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub/organization_memberships(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub", permission_slug: "stub"}},
-    {name: :list_resources, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}},
-    {name: :create_resource, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub"}},
+    {name: :list_resources, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {parent: WorkOS::Authorization::ParentById.new(parent_resource_id: "stub")}},
+    {name: :create_resource, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :get_resource, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
-    {name: :update_resource, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
+    {name: :update_resource, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :delete_resource, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
     {name: :list_memberships_for_resource, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub/organization_memberships(\?|\z)}, args: {resource_id: "stub", permission_slug: "stub"}},
     {name: :list_environment_roles, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/roles(\?|\z)}},
@@ -303,7 +369,7 @@ class AuthorizationTest < Minitest::Test
     {name: :get_environment_role, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub(\?|\z)}, args: {slug: "stub"}},
     {name: :update_environment_role, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub(\?|\z)}, args: {slug: "stub"}},
     {name: :add_environment_role_permission, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)}, args: {slug: "stub", body_slug: "stub"}},
-    {name: :set_environment_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)}, args: {slug: "stub", permissions: []}},
+    {name: :set_environment_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)}, args: {slug: "stub", permissions: ["stub"]}},
     {name: :list_permissions, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/permissions(\?|\z)}},
     {name: :create_permission, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/permissions(\?|\z)}, args: {slug: "stub", name: "stub"}},
     {name: :get_permission, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/permissions/stub(\?|\z)}, args: {slug: "stub"}},

data/test/workos/test_encryptors_aes_gcm.rb

@@ -3,6 +3,9 @@
 # @oagen-ignore-file
 require "test_helper"
 require "base64"
+require "json"
+require "openssl"
+require "securerandom"
 
 class EncryptorsAesGcmTest < Minitest::Test
   PASSWORD = "test-cookie-password-at-least-32"
@@ -51,4 +54,22 @@ class EncryptorsAesGcmTest < Minitest::Test
     sealed2 = @enc.seal(data, PASSWORD)
     refute_equal sealed1, sealed2
   end
+
+  def test_unseal_reads_legacy_v6_payload
+    data = {"access_token" => "tok_abc", "refresh_token" => "ref_xyz"}
+    sealed = legacy_v6_seal(data, PASSWORD)
+    assert_equal data, @enc.unseal(sealed, PASSWORD)
+  end
+
+  private
+
+  def legacy_v6_seal(data, key)
+    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
+    iv = SecureRandom.random_bytes(12)
+    cipher.key = key
+    cipher.iv = iv
+    ciphertext = cipher.update(JSON.generate(data)) + cipher.final
+
+    Base64.encode64(iv + ciphertext + cipher.auth_tag)
+  end
 end

data/test/workos/test_session.rb

@@ -6,6 +6,7 @@ require "json"
 require "openssl"
 require "jwt"
 require "base64"
+require "securerandom"
 
 class SessionTest < Minitest::Test
   PASSWORD = "very-long-cookie-password-secret"
@@ -84,6 +85,22 @@ class SessionTest < Minitest::Test
     assert_equal "u_1", result.user["id"]
   end
 
+  def test_authenticate_reads_legacy_v6_sealed_session
+    rsa, pub = signing_key_pair
+    access_token = make_jwt({"sid" => "session_v6", "org_id" => "org_legacy", "exp" => Time.now.to_i + 60}, rsa)
+    sealed = legacy_v6_seal({"access_token" => access_token, "user" => {"id" => "u_legacy"}}, PASSWORD)
+
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+
+    result = @sm.authenticate(seal_data: sealed, cookie_password: PASSWORD)
+    assert_kind_of WorkOS::SessionManager::AuthSuccess, result
+    assert result.authenticated
+    assert_equal "session_v6", result.session_id
+    assert_equal "org_legacy", result.organization_id
+    assert_equal "u_legacy", result.user["id"]
+  end
+
   def test_authenticate_merges_custom_claims_from_block
     rsa, pub = signing_key_pair
     access_token = make_jwt(
@@ -206,6 +223,170 @@ class SessionTest < Minitest::Test
     assert_equal "https://app/cb", params["return_to"]
   end
 
+  # --- Session#refresh -------------------------------------------------------
+
+  def test_refresh_seals_session_client_side_and_returns_refresh_success
+    rsa, pub = signing_key_pair
+    old_access = make_jwt({"sid" => "session_old", "exp" => Time.now.to_i - 60}, rsa)
+    sealed = @sm.seal_data({"access_token" => old_access, "refresh_token" => "rt_old", "user" => {"id" => "u_1"}}, PASSWORD)
+
+    new_access = make_jwt({"sid" => "session_new", "org_id" => "org_1", "role" => "admin", "exp" => Time.now.to_i + 300}, rsa)
+    api_response = {
+      "access_token" => new_access,
+      "refresh_token" => "rt_new",
+      "user" => {"id" => "u_1", "email" => "a@b.com"},
+      "impersonator" => nil
+    }
+
+    stub_request(:post, "https://api.workos.com/user_management/authenticate")
+      .with(body: hash_including("grant_type" => "refresh_token", "refresh_token" => "rt_old"))
+      .to_return(status: 200, body: api_response.to_json)
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    result = session.refresh
+
+    assert_kind_of WorkOS::SessionManager::RefreshSuccess, result
+    assert result.authenticated
+    assert_equal "session_new", result.session_id
+    assert_equal "org_1", result.organization_id
+    assert_equal "admin", result.role
+    assert_equal "u_1", result.user["id"]
+
+    # sealed_session should be a non-empty string that round-trips
+    refute_empty result.sealed_session
+    unsealed = @sm.unseal_data(result.sealed_session, PASSWORD)
+    assert_equal new_access, unsealed["access_token"]
+    assert_equal "rt_new", unsealed["refresh_token"]
+  end
+
+  def test_refresh_reads_legacy_v6_sealed_session
+    rsa, pub = signing_key_pair
+    old_access = make_jwt({"sid" => "session_old_v6", "exp" => Time.now.to_i - 60}, rsa)
+    sealed = legacy_v6_seal(
+      {"access_token" => old_access, "refresh_token" => "rt_old_v6", "user" => {"id" => "u_v6"}},
+      PASSWORD
+    )
+
+    new_access = make_jwt({"sid" => "session_new_v6", "org_id" => "org_v6", "role" => "member", "exp" => Time.now.to_i + 300}, rsa)
+    api_response = {
+      "access_token" => new_access,
+      "refresh_token" => "rt_new_v6",
+      "user" => {"id" => "u_v6", "email" => "legacy@example.com"},
+      "impersonator" => nil
+    }
+
+    stub_request(:post, "https://api.workos.com/user_management/authenticate")
+      .with(body: hash_including("grant_type" => "refresh_token", "refresh_token" => "rt_old_v6"))
+      .to_return(status: 200, body: api_response.to_json)
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    result = session.refresh
+
+    assert_kind_of WorkOS::SessionManager::RefreshSuccess, result
+    assert result.authenticated
+    assert_equal "session_new_v6", result.session_id
+    assert_equal "org_v6", result.organization_id
+    assert_equal "member", result.role
+    assert_equal "u_v6", result.user["id"]
+
+    refute_empty result.sealed_session
+    unsealed = @sm.unseal_data(result.sealed_session, PASSWORD)
+    assert_equal new_access, unsealed["access_token"]
+    assert_equal "rt_new_v6", unsealed["refresh_token"]
+    assert_equal "u_v6", unsealed["user"]["id"]
+  end
+
+  def test_refresh_updates_internal_seal_data_for_subsequent_authenticate
+    rsa, pub = signing_key_pair
+    old_access = make_jwt({"sid" => "session_old", "exp" => Time.now.to_i - 60}, rsa)
+    sealed = @sm.seal_data({"access_token" => old_access, "refresh_token" => "rt_old", "user" => {"id" => "u_1"}}, PASSWORD)
+
+    new_access = make_jwt({"sid" => "session_refreshed", "org_id" => "org_2", "exp" => Time.now.to_i + 300}, rsa)
+    api_response = {
+      "access_token" => new_access,
+      "refresh_token" => "rt_new",
+      "user" => {"id" => "u_1"}
+    }
+
+    stub_request(:post, "https://api.workos.com/user_management/authenticate")
+      .to_return(status: 200, body: api_response.to_json)
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    session.refresh
+
+    # A subsequent authenticate should use the refreshed token
+    auth = session.authenticate
+    assert_kind_of WorkOS::SessionManager::AuthSuccess, auth
+    assert auth.authenticated
+    assert_equal "session_refreshed", auth.session_id
+  end
+
+  def test_refresh_returns_error_on_invalid_cookie
+    result = @sm.refresh(seal_data: "garbage", cookie_password: PASSWORD)
+    assert_kind_of WorkOS::SessionManager::RefreshError, result
+    refute result.authenticated
+    assert_equal WorkOS::SessionManager::INVALID_SESSION_COOKIE, result.reason
+  end
+
+  def test_refresh_returns_error_when_no_refresh_token
+    sealed = @sm.seal_data({"access_token" => "at_only"}, PASSWORD)
+    result = @sm.refresh(seal_data: sealed, cookie_password: PASSWORD)
+    assert_kind_of WorkOS::SessionManager::RefreshError, result
+    assert_equal WorkOS::SessionManager::INVALID_SESSION_COOKIE, result.reason
+  end
+
+  def test_refresh_does_not_send_session_param_to_api
+    rsa, pub = signing_key_pair
+    old_access = make_jwt({"sid" => "s", "exp" => Time.now.to_i - 60}, rsa)
+    sealed = @sm.seal_data({"access_token" => old_access, "refresh_token" => "rt_x", "user" => {"id" => "u"}}, PASSWORD)
+
+    new_access = make_jwt({"sid" => "s2", "exp" => Time.now.to_i + 300}, rsa)
+    api_response = {"access_token" => new_access, "refresh_token" => "rt_y", "user" => {"id" => "u"}}
+
+    stub = stub_request(:post, "https://api.workos.com/user_management/authenticate")
+      .with { |req| !req.body.include?("seal_session") }
+      .to_return(status: 200, body: api_response.to_json)
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    session.refresh
+
+    assert_requested(stub)
+  end
+
+  def test_refresh_returns_error_on_malformed_access_token_without_mutating_state
+    rsa, pub = signing_key_pair
+    old_access = make_jwt({"sid" => "session_old", "exp" => Time.now.to_i - 60}, rsa)
+    sealed = @sm.seal_data({"access_token" => old_access, "refresh_token" => "rt_old", "user" => {"id" => "u_1"}}, PASSWORD)
+
+    api_response = {
+      "access_token" => "not-a-valid-jwt",
+      "refresh_token" => "rt_new",
+      "user" => {"id" => "u_1"}
+    }
+
+    stub_request(:post, "https://api.workos.com/user_management/authenticate")
+      .to_return(status: 200, body: api_response.to_json)
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    result = session.refresh
+
+    assert_kind_of WorkOS::SessionManager::RefreshError, result
+    refute result.authenticated
+
+    # Session state should not have been mutated
+    assert_equal sealed, session.seal_data
+  end
+
   # --- Session constructor validation ---------------------------------------
 
   def test_session_load_requires_cookie_password
@@ -258,4 +439,16 @@ class SessionTest < Minitest::Test
     assert_kind_of WorkOS::SessionManager::AuthSuccess, result
     assert_equal "s_custom", result.session_id
   end
+
+  private
+
+  def legacy_v6_seal(data, key)
+    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
+    iv = SecureRandom.random_bytes(12)
+    cipher.key = key
+    cipher.iv = iv
+    ciphertext = cipher.update(JSON.generate(data)) + cipher.final
+
+    Base64.encode64(iv + ciphertext + cipher.auth_tag)
+  end
 end