workos 8.0.0 → 9.0.0

data/test/workos/test_organization_membership_service.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+# This file is auto-generated by oagen. Do not edit.
+
+require "test_helper"
+
+class OrganizationMembershipServiceTest < Minitest::Test
+  include FixtureHelper
+
+  def setup
+    @client = WorkOS::Client.new(api_key: "sk_test_123")
+  end
+
+  def test_list_organization_memberships_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.organization_membership.list_organization_memberships
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+
+  def test_create_organization_membership_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
+      .with(body: hash_including("user_id" => "stub", "organization_id" => "stub", "role_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.create_organization_membership(user_id: "stub", organization_id: "stub", role: WorkOS::OrganizationMembershipService::RoleSingle.new(role_slug: "stub"))
+    refute_nil result
+  end
+
+  def test_create_organization_membership_with_role_multiple_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
+      .with(body: hash_including("user_id" => "stub", "organization_id" => "stub", "role_slugs" => ["stub"]))
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.create_organization_membership(user_id: "stub", organization_id: "stub", role: WorkOS::OrganizationMembershipService::RoleMultiple.new(role_slugs: ["stub"]))
+    refute_nil result
+  end
+
+  def test_get_organization_membership_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.get_organization_membership(id: "stub")
+    refute_nil result
+  end
+
+  def test_update_organization_membership_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
+      .with(body: hash_including("role_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.update_organization_membership(id: "stub", role: WorkOS::OrganizationMembershipService::RoleSingle.new(role_slug: "stub"))
+    refute_nil result
+  end
+
+  def test_update_organization_membership_with_role_multiple_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
+      .with(body: hash_including("role_slugs" => ["stub"]))
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.update_organization_membership(id: "stub", role: WorkOS::OrganizationMembershipService::RoleMultiple.new(role_slugs: ["stub"]))
+    refute_nil result
+  end
+
+  def test_delete_organization_membership_returns_expected_result
+    stub_request(:delete, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.delete_organization_membership(id: "stub")
+    assert_nil result
+  end
+
+  def test_deactivate_organization_membership_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/deactivate(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.deactivate_organization_membership(id: "stub")
+    refute_nil result
+  end
+
+  def test_reactivate_organization_membership_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/reactivate(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.organization_membership.reactivate_organization_membership(id: "stub")
+    refute_nil result
+  end
+
+  def test_list_organization_membership_groups_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/groups(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.organization_membership.list_organization_membership_groups(om_id: "stub")
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+
+  # Parameterized authentication error tests (one per endpoint).
+  [
+    {name: :list_organization_memberships, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)}},
+    {name: :create_organization_membership, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)}, args: {user_id: "stub", organization_id: "stub", role: WorkOS::OrganizationMembershipService::RoleSingle.new(role_slug: "stub")}},
+    {name: :get_organization_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub"}},
+    {name: :update_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub", role: WorkOS::OrganizationMembershipService::RoleSingle.new(role_slug: "stub")}},
+    {name: :delete_organization_membership, verb: :delete, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub"}},
+    {name: :deactivate_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/deactivate(\?|\z)}, args: {id: "stub"}},
+    {name: :reactivate_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/reactivate(\?|\z)}, args: {id: "stub"}},
+    {name: :list_organization_membership_groups, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/groups(\?|\z)}, args: {om_id: "stub"}}
+  ].each do |spec|
+    define_method("test_#{spec[:name]}_raises_authentication_error_on_401") do
+      stub_request(spec[:verb], spec[:url])
+        .to_return(body: '{"message": "Unauthorized"}', status: 401)
+      assert_raises(WorkOS::AuthenticationError) do
+        @client.organization_membership.send(spec[:name], **(spec[:args] || {}))
+      end
+    end
+  end
+end

data/test/workos/test_session.rb

@@ -26,11 +26,27 @@ class SessionTest < Minitest::Test
 
   def test_unseal_with_wrong_key_raises
     sealed = @sm.seal_data({"x" => 1}, PASSWORD)
+    # Wrong key is the same length (>= 32 bytes) so the length guard doesn't
+    # short-circuit; we want to assert the underlying cipher rejection.
     assert_raises(OpenSSL::Cipher::CipherError) do
-      @sm.unseal_data(sealed, "wrong-password")
+      @sm.unseal_data(sealed, "wrong-cookie-password-32-bytes--")
     end
   end
 
+  def test_unseal_with_short_key_raises_argument_error
+    sealed = @sm.seal_data({"x" => 1}, PASSWORD)
+    assert_raises(ArgumentError) { @sm.unseal_data(sealed, "too-short") }
+  end
+
+  def test_seal_with_short_key_raises_argument_error
+    assert_raises(ArgumentError) { @sm.seal_data({"x" => 1}, "too-short") }
+  end
+
+  def test_session_load_requires_min_length_cookie_password
+    short = "x" * 31
+    assert_raises(ArgumentError) { @sm.load(seal_data: "x", cookie_password: short) }
+  end
+
   def test_unseal_rejects_short_payload
     assert_raises(ArgumentError) do
       @sm.unseal_data(Base64.strict_encode64("short"), PASSWORD)
@@ -334,6 +350,19 @@ class SessionTest < Minitest::Test
     assert_equal WorkOS::SessionManager::INVALID_SESSION_COOKIE, result.reason
   end
 
+  def test_refresh_raises_argument_error_for_short_cookie_password_override
+    sealed = @sm.seal_data({"access_token" => "at", "refresh_token" => "rt"}, PASSWORD)
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    err = assert_raises(ArgumentError) { session.refresh(cookie_password: "x" * 31) }
+    assert_match(/at least 32 bytes/, err.message)
+  end
+
+  def test_refresh_raises_argument_error_for_empty_cookie_password_override
+    sealed = @sm.seal_data({"access_token" => "at", "refresh_token" => "rt"}, PASSWORD)
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    assert_raises(ArgumentError) { session.refresh(cookie_password: "") }
+  end
+
   def test_refresh_returns_error_when_no_refresh_token
     sealed = @sm.seal_data({"access_token" => "at_only"}, PASSWORD)
     result = @sm.refresh(seal_data: sealed, cookie_password: PASSWORD)
@@ -361,7 +390,7 @@ class SessionTest < Minitest::Test
     assert_requested(stub)
   end
 
-  def test_refresh_returns_error_on_malformed_access_token_without_mutating_state
+  def test_refresh_persists_seal_data_even_when_access_token_decode_fails
     rsa, pub = signing_key_pair
     old_access = make_jwt({"sid" => "session_old", "exp" => Time.now.to_i - 60}, rsa)
     sealed = @sm.seal_data({"access_token" => old_access, "refresh_token" => "rt_old", "user" => {"id" => "u_1"}}, PASSWORD)
@@ -383,8 +412,18 @@ class SessionTest < Minitest::Test
     assert_kind_of WorkOS::SessionManager::RefreshError, result
     refute result.authenticated
 
-    # Session state should not have been mutated
-    assert_equal sealed, session.seal_data
+    # Session state IS updated to the freshly-sealed cookie before decode runs,
+    # so a transient JWT/JWKS failure leaves a usable seal the caller can
+    # re-#authenticate against rather than half-updated state pinned to the
+    # stale (already-rotated) refresh token.
+    refute_equal sealed, session.seal_data
+    refute_nil session.seal_data
+
+    # The rotated cookie is also reachable through the RefreshError result, so a
+    # caller that doesn't retain the Session object across requests (typical in
+    # a Rails request cycle) can still write the new cookie back to the browser
+    # rather than re-sending the now-revoked refresh token on the next request.
+    assert_equal session.seal_data, result.sealed_session
   end
 
   # --- Session constructor validation ---------------------------------------

data/test/workos/test_user_management.rb

@@ -373,73 +373,6 @@ class UserManagementTest < Minitest::Test
     refute_nil result
   end
 
-  def test_list_organization_memberships_returns_expected_result
-    stub_request(:get, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
-      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
-    result = @client.user_management.list_organization_memberships
-    assert_kind_of WorkOS::Types::ListStruct, result
-  end
-
-  def test_create_organization_membership_returns_expected_result
-    stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
-      .with(body: hash_including("user_id" => "stub", "organization_id" => "stub", "role_slug" => "stub"))
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.create_organization_membership(user_id: "stub", organization_id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub"))
-    refute_nil result
-  end
-
-  def test_create_organization_membership_with_role_multiple_returns_expected_result
-    stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
-      .with(body: hash_including("user_id" => "stub", "organization_id" => "stub", "role_slugs" => ["stub"]))
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.create_organization_membership(user_id: "stub", organization_id: "stub", role: WorkOS::UserManagement::RoleMultiple.new(role_slugs: ["stub"]))
-    refute_nil result
-  end
-
-  def test_get_organization_membership_returns_expected_result
-    stub_request(:get, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.get_organization_membership(id: "stub")
-    refute_nil result
-  end
-
-  def test_update_organization_membership_returns_expected_result
-    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
-      .with(body: hash_including("role_slug" => "stub"))
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.update_organization_membership(id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub"))
-    refute_nil result
-  end
-
-  def test_update_organization_membership_with_role_multiple_returns_expected_result
-    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
-      .with(body: hash_including("role_slugs" => ["stub"]))
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.update_organization_membership(id: "stub", role: WorkOS::UserManagement::RoleMultiple.new(role_slugs: ["stub"]))
-    refute_nil result
-  end
-
-  def test_delete_organization_membership_returns_expected_result
-    stub_request(:delete, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.delete_organization_membership(id: "stub")
-    assert_nil result
-  end
-
-  def test_deactivate_organization_membership_returns_expected_result
-    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/deactivate(\?|\z)})
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.deactivate_organization_membership(id: "stub")
-    refute_nil result
-  end
-
-  def test_reactivate_organization_membership_returns_expected_result
-    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/reactivate(\?|\z)})
-      .to_return(body: "{}", status: 200)
-    result = @client.user_management.reactivate_organization_membership(id: "stub")
-    refute_nil result
-  end
-
   def test_create_redirect_uri_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/redirect_uris(\?|\z)})
       .to_return(body: "{}", status: 200)
@@ -509,13 +442,6 @@ class UserManagementTest < Minitest::Test
     {name: :update_jwt_template, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/jwt_template(\?|\z)}, args: {content: "stub"}},
     {name: :create_magic_auth, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/magic_auth(\?|\z)}, args: {email: "stub"}},
     {name: :get_magic_auth, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/magic_auth/stub(\?|\z)}, args: {id: "stub"}},
-    {name: :list_organization_memberships, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)}},
-    {name: :create_organization_membership, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)}, args: {user_id: "stub", organization_id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub")}},
-    {name: :get_organization_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub"}},
-    {name: :update_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub")}},
-    {name: :delete_organization_membership, verb: :delete, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub"}},
-    {name: :deactivate_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/deactivate(\?|\z)}, args: {id: "stub"}},
-    {name: :reactivate_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/reactivate(\?|\z)}, args: {id: "stub"}},
     {name: :create_redirect_uri, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/redirect_uris(\?|\z)}, args: {uri: "stub"}},
     {name: :list_user_authorized_applications, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/authorized_applications(\?|\z)}, args: {user_id: "stub"}},
     {name: :delete_user_authorized_application, verb: :delete, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/authorized_applications/stub(\?|\z)}, args: {application_id: "stub", user_id: "stub"}},

data/test/workos/test_vault.rb

@@ -1,119 +1,118 @@
 # frozen_string_literal: true
 
-# @oagen-ignore-file
+# This file is auto-generated by oagen. Do not edit.
+
 require "test_helper"
 require "base64"
 
 class VaultTest < Minitest::Test
+  include FixtureHelper
+
   def setup
-    @client = WorkOS::Client.new(api_key: "sk_test_vault")
+    @client = WorkOS::Client.new(api_key: "sk_test_123")
   end
 
-  def test_vault_accessor_exists
-    assert_kind_of WorkOS::Vault, @client.vault
+  def test_create_data_key_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/vault/v1/keys/data-key(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.create_data_key(context: {})
+    refute_nil result
   end
 
-  def test_create_object_returns_metadata
-    body = {
-      "id" => "obj_01", "key_id" => "key_01", "version_id" => "v1",
-      "context" => {"tenant" => "t1"}, "environment_id" => "env_1",
-      "updated_at" => "2026-04-15T00:00:00Z",
-      "updated_by" => {"id" => "u1", "name" => "alice"}
-    }
-    stub_request(:post, "https://api.workos.com/vault/v1/kv")
-      .with(body: hash_including("name" => "secret", "value" => "hello"))
-      .to_return(status: 200, body: body.to_json)
-
-    meta = @client.vault.create_object(name: "secret", value: "hello", key_context: {"tenant" => "t1"})
-    assert_equal "obj_01", meta.id
-    assert_equal "v1", meta.version_id
-    assert_equal "alice", meta.updated_by.name
+  def test_create_decrypt_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/vault/v1/keys/decrypt(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.create_decrypt(keys: "stub")
+    refute_nil result
   end
 
-  def test_read_object_returns_decrypted_value
-    body = {
-      "id" => "obj_01", "name" => "secret", "value" => "hello",
-      "metadata" => {
-        "id" => "obj_01", "key_id" => "k", "version_id" => "v",
-        "context" => {}, "environment_id" => "env",
-        "updated_at" => "x", "updated_by" => {"id" => "u", "name" => "n"}
-      }
-    }
-    stub_request(:get, "https://api.workos.com/vault/v1/kv/obj_01")
-      .to_return(status: 200, body: body.to_json)
-
-    obj = @client.vault.read_object(object_id: "obj_01")
-    assert_equal "hello", obj.value
-    assert_equal "secret", obj.name
+  def test_create_rekey_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/vault/v1/keys/rekey(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.create_rekey(context: {}, encrypted_keys: "stub")
+    refute_nil result
   end
 
-  def test_list_objects_returns_digests
-    body = {"data" => [{"id" => "o1", "name" => "a", "updated_at" => "x"}, {"id" => "o2", "name" => "b", "updated_at" => "y"}]}
-    stub_request(:get, /vault\/v1\/kv\?/).to_return(status: 200, body: body.to_json)
-
-    digests = @client.vault.list_objects(limit: 10)
-    assert_equal 2, digests.size
-    assert_equal "o1", digests.first.id
+  def test_list_kv_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/vault/v1/kv(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.vault.list_kv
+    assert_kind_of WorkOS::Types::ListStruct, result
   end
 
-  def test_list_object_versions
-    body = {"data" => [{"id" => "v1", "created_at" => "x", "current_version" => true}]}
-    stub_request(:get, "https://api.workos.com/vault/v1/kv/obj_1/versions").to_return(status: 200, body: body.to_json)
-
-    versions = @client.vault.list_object_versions(object_id: "obj_1")
-    assert_equal 1, versions.size
-    assert versions.first.current_version
+  def test_create_kv_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/vault/v1/kv(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.create_kv(key_context: {}, name: "stub", value: "stub")
+    refute_nil result
   end
 
-  def test_get_object_metadata
-    body = {"id" => "obj_1", "name" => "n", "metadata" => {
-      "id" => "obj_1", "key_id" => "k", "version_id" => "v",
-      "context" => {}, "environment_id" => "env",
-      "updated_at" => "x", "updated_by" => {"id" => "u", "name" => "n"}
-    }}
-    stub_request(:get, "https://api.workos.com/vault/v1/kv/obj_1/metadata").to_return(status: 200, body: body.to_json)
-
-    obj = @client.vault.get_object_metadata(object_id: "obj_1")
-    assert_nil obj.value
-    assert_equal "obj_1", obj.metadata.id
+  def test_get_name_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/vault/v1/kv/name/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.get_name(name: "stub")
+    refute_nil result
   end
 
-  def test_delete_object_returns_nil
-    stub_request(:delete, "https://api.workos.com/vault/v1/kv/obj_1").to_return(status: 200, body: "")
-    assert_nil @client.vault.delete_object(object_id: "obj_1")
+  def test_get_kv_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.get_kv(id: "stub")
+    refute_nil result
   end
 
-  def test_update_object_with_version_check
-    body = {"id" => "obj_1", "name" => "n", "value" => "newval", "metadata" => nil}
-    stub_request(:put, "https://api.workos.com/vault/v1/kv/obj_1")
-      .with(body: hash_including("value" => "newval", "version_check" => "v1"))
-      .to_return(status: 200, body: body.to_json)
-
-    obj = @client.vault.update_object(object_id: "obj_1", value: "newval", version_check: "v1")
-    assert_equal "newval", obj.value
+  def test_update_kv_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.update_kv(id: "stub", value: "stub")
+    refute_nil result
   end
 
-  def test_create_data_key
-    body = {"context" => {"t" => "1"}, "id" => "dek_1", "data_key" => Base64.strict_encode64("k" * 32), "encrypted_keys" => Base64.strict_encode64("blob")}
-    stub_request(:post, "https://api.workos.com/vault/v1/keys/data-key")
-      .with(body: hash_including("context" => {"t" => "1"}))
-      .to_return(status: 200, body: body.to_json)
+  def test_delete_kv_returns_expected_result
+    stub_request(:delete, %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.delete_kv(id: "stub")
+    refute_nil result
+  end
 
-    pair = @client.vault.create_data_key(key_context: {"t" => "1"})
-    assert_equal "dek_1", pair.data_key.id
-    assert_equal "blob", Base64.decode64(pair.encrypted_keys)
+  def test_list_kv_metadata_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub/metadata(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.vault.list_kv_metadata(id: "stub")
+    refute_nil result
   end
 
-  def test_decrypt_data_key
-    body = {"id" => "dek_1", "data_key" => Base64.strict_encode64("k" * 32)}
-    stub_request(:post, "https://api.workos.com/vault/v1/keys/decrypt")
-      .with(body: hash_including("keys" => "abc"))
-      .to_return(status: 200, body: body.to_json)
+  def test_list_kv_versions_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub/versions(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.vault.list_kv_versions(id: "stub")
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
 
-    dk = @client.vault.decrypt_data_key(keys: "abc")
-    assert_equal "dek_1", dk.id
+  # Parameterized authentication error tests (one per endpoint).
+  [
+    {name: :create_data_key, verb: :post, url: %r{\Ahttps://api\.workos\.com/vault/v1/keys/data-key(\?|\z)}, args: {context: {}}},
+    {name: :create_decrypt, verb: :post, url: %r{\Ahttps://api\.workos\.com/vault/v1/keys/decrypt(\?|\z)}, args: {keys: "stub"}},
+    {name: :create_rekey, verb: :post, url: %r{\Ahttps://api\.workos\.com/vault/v1/keys/rekey(\?|\z)}, args: {context: {}, encrypted_keys: "stub"}},
+    {name: :list_kv, verb: :get, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv(\?|\z)}},
+    {name: :create_kv, verb: :post, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv(\?|\z)}, args: {key_context: {}, name: "stub", value: "stub"}},
+    {name: :get_name, verb: :get, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv/name/stub(\?|\z)}, args: {name: "stub"}},
+    {name: :get_kv, verb: :get, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub(\?|\z)}, args: {id: "stub"}},
+    {name: :update_kv, verb: :put, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub(\?|\z)}, args: {id: "stub", value: "stub"}},
+    {name: :delete_kv, verb: :delete, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub(\?|\z)}, args: {id: "stub"}},
+    {name: :list_kv_metadata, verb: :get, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub/metadata(\?|\z)}, args: {id: "stub"}},
+    {name: :list_kv_versions, verb: :get, url: %r{\Ahttps://api\.workos\.com/vault/v1/kv/stub/versions(\?|\z)}, args: {id: "stub"}}
+  ].each do |spec|
+    define_method("test_#{spec[:name]}_raises_authentication_error_on_401") do
+      stub_request(spec[:verb], spec[:url])
+        .to_return(body: '{"message": "Unauthorized"}', status: 401)
+      assert_raises(WorkOS::AuthenticationError) do
+        @client.vault.send(spec[:name], **(spec[:args] || {}))
+      end
+    end
   end
 
+  # @oagen-ignore-start — client-side AES-GCM encrypt/decrypt tests (hand-maintained)
   def test_local_encrypt_then_decrypt_roundtrip
     plaintext_key = "k" * 32
     create_resp = {"context" => {"t" => "1"}, "id" => "dek_1",
@@ -125,7 +124,7 @@ class VaultTest < Minitest::Test
     stub_request(:post, "https://api.workos.com/vault/v1/keys/decrypt").to_return(status: 200, body: decrypt_resp.to_json)
 
     payload = "the quick brown fox"
-    encrypted = @client.vault.encrypt(data: payload, key_context: {"t" => "1"})
+    encrypted = @client.vault.encrypt(data: payload, context: {"t" => "1"})
     refute_equal payload, encrypted
 
     plaintext = @client.vault.decrypt(encrypted_data: encrypted)
@@ -140,7 +139,7 @@ class VaultTest < Minitest::Test
     stub_request(:post, "https://api.workos.com/vault/v1/keys/data-key").to_return(status: 200, body: create_resp.to_json)
     stub_request(:post, "https://api.workos.com/vault/v1/keys/decrypt").to_return(status: 200, body: decrypt_resp.to_json)
 
-    encrypted = @client.vault.encrypt(data: "secret", key_context: {}, associated_data: "tenant=42")
+    encrypted = @client.vault.encrypt(data: "secret", context: {}, associated_data: "tenant=42")
     plaintext = @client.vault.decrypt(encrypted_data: encrypted, associated_data: "tenant=42")
     assert_equal "secret", plaintext
 
@@ -148,4 +147,9 @@ class VaultTest < Minitest::Test
       @client.vault.decrypt(encrypted_data: encrypted, associated_data: "wrong")
     end
   end
+  # @oagen-ignore-end
+
+  # @oagen-ignore-start — client-side encrypt/decrypt test requires
+  require "base64"
+  # @oagen-ignore-end
 end

data/test/workos/test_webhook_verify.rb

@@ -60,6 +60,17 @@ class WebhookVerifyTest < Minitest::Test
     assert_match(/Timestamp outside the tolerance zone/, err.message)
   end
 
+  def test_verify_header_raises_on_future_timestamp
+    payload = '{"x":1}'
+    future_ts = now_ms + (10 * 60 * 1000) # 10 minutes ahead
+    sig = OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{future_ts}.#{payload}")
+    header = "t=#{future_ts}, v1=#{sig}"
+    err = assert_raises(WorkOS::SignatureVerificationError) do
+      @webhooks.verify_header(payload: payload, sig_header: header, secret: SECRET, tolerance: 60)
+    end
+    assert_match(/Timestamp outside the tolerance zone/, err.message)
+  end
+
   def test_verify_header_raises_on_malformed_header
     assert_raises(WorkOS::SignatureVerificationError) do
       @webhooks.verify_header(payload: "{}", sig_header: "garbage", secret: SECRET)