@executor-js/emulate 0.6.0 → 0.7.0

package/dist/{dist-BTEY33DJ.js → dist-QXFWC3LV.js}

@@ -45,9 +45,9 @@ function boolFromQuery(value, fallback) {
   if (lowered === "false" || lowered === "0") return false;
   return fallback;
 }
-function resolveOktaIssuer(baseUrl, authServerId) {
-  if (authServerId === ORG_AUTH_SERVER_ID) return baseUrl;
-  return `${baseUrl}/oauth2/${authServerId}`;
+function resolveOktaIssuer(baseUrl, authServerId2) {
+  if (authServerId2 === ORG_AUTH_SERVER_ID) return baseUrl;
+  return `${baseUrl}/oauth2/${authServerId2}`;
 }
 function userDisplayName(user) {
   if (user.display_name) return user.display_name;
@@ -695,10 +695,10 @@ function appRoutes({ app, store, baseUrl, tokenMap }) {
   app.get("/api/v1/apps", (c) => {
     const auth = requireManagementAuth(c, tokenMap);
     if (auth instanceof Response) return auth;
-    const q = (c.req.query("q") ?? "").toLowerCase();
+    const q2 = (c.req.query("q") ?? "").toLowerCase();
     let apps = oktaStore.apps.all();
-    if (q) {
-      apps = apps.filter((entry) => `${entry.name} ${entry.label}`.toLowerCase().includes(q));
+    if (q2) {
+      apps = apps.filter((entry) => `${entry.name} ${entry.label}`.toLowerCase().includes(q2));
     }
     const { page, per_page } = parsePagination(c);
     const total = apps.length;
@@ -919,10 +919,10 @@ function groupRoutes({ app, store, baseUrl, tokenMap }) {
   app.get("/api/v1/groups", (c) => {
     const auth = requireManagementAuth(c, tokenMap);
     if (auth instanceof Response) return auth;
-    const q = (c.req.query("q") ?? "").toLowerCase();
+    const q2 = (c.req.query("q") ?? "").toLowerCase();
     let groups = oktaStore.groups.all();
-    if (q) {
-      groups = groups.filter((group) => `${group.name} ${group.description ?? ""}`.toLowerCase().includes(q));
+    if (q2) {
+      groups = groups.filter((group) => `${group.name} ${group.description ?? ""}`.toLowerCase().includes(q2));
     }
     const { page, per_page } = parsePagination(c);
     const total = groups.length;
@@ -1060,26 +1060,26 @@ function getRefreshTokens(store) {
 function isCodeExpired(code) {
   return Date.now() - code.createdAt > CODE_TTL_MS;
 }
-function buildOAuthBasePath(authServerId) {
-  if (authServerId === ORG_AUTH_SERVER_ID) return "/oauth2/v1";
-  return `/oauth2/${encodeURIComponent(authServerId)}/v1`;
+function buildOAuthBasePath(authServerId2) {
+  if (authServerId2 === ORG_AUTH_SERVER_ID) return "/oauth2/v1";
+  return `/oauth2/${encodeURIComponent(authServerId2)}/v1`;
 }
-function getClientsForServer(clients, authServerId) {
-  return clients.filter((client) => client.auth_server_id === authServerId);
+function getClientsForServer(clients, authServerId2) {
+  return clients.filter((client) => client.auth_server_id === authServerId2);
 }
-function resolveServer(authServerId, baseUrl, store) {
-  if (authServerId === ORG_AUTH_SERVER_ID) {
+function resolveServer(authServerId2, baseUrl, store) {
+  if (authServerId2 === ORG_AUTH_SERVER_ID) {
     return {
-      authServerId,
+      authServerId: authServerId2,
       issuer: baseUrl,
       audiences: [DEFAULT_AUDIENCE]
     };
   }
-  const server = store.authorizationServers.findOneBy("server_id", authServerId);
+  const server = store.authorizationServers.findOneBy("server_id", authServerId2);
   if (!server) return null;
   return {
-    authServerId,
-    issuer: resolveOktaIssuer(baseUrl, authServerId),
+    authServerId: authServerId2,
+    issuer: resolveOktaIssuer(baseUrl, authServerId2),
     audiences: server.audiences.length > 0 ? server.audiences : [DEFAULT_AUDIENCE]
   };
 }
@@ -1162,8 +1162,8 @@ function parseClientCredentials(c, body) {
   }
   return { clientId, clientSecret };
 }
-function validateClient(clients, authServerId, clientId, clientSecret) {
-  const scopedClients = getClientsForServer(clients, authServerId);
+function validateClient(clients, authServerId2, clientId, clientSecret) {
+  const scopedClients = getClientsForServer(clients, authServerId2);
   if (scopedClients.length === 0) {
     return { client: null, error: null };
   }
@@ -1238,9 +1238,9 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     return c.json(buildOidcConfiguration(baseUrl, server));
   });
   app.get("/oauth2/:authServerId/.well-known/openid-configuration", (c) => {
-    const authServerId = c.req.param("authServerId");
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+    const authServerId2 = c.req.param("authServerId");
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     return c.json(buildOidcConfiguration(baseUrl, server));
   });
   app.get("/oauth2/v1/keys", async (c) => {
@@ -1251,18 +1251,18 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     });
   });
   app.get("/oauth2/:authServerId/v1/keys", async (c) => {
-    const authServerId = c.req.param("authServerId");
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+    const authServerId2 = c.req.param("authServerId");
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const { publicKey } = await keyPairPromise;
     const jwk = await exportJWK(publicKey);
     return c.json({
       keys: [{ ...jwk, kid: KID, use: "sig", alg: "RS256" }]
     });
   });
-  const renderAuthorizePage = (c, authServerId) => {
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+  const renderAuthorizePage = (c, authServerId2) => {
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const clientId = c.req.query("client_id") ?? "";
     const redirectUri = c.req.query("redirect_uri") ?? "";
     const scope = c.req.query("scope") ?? "openid profile email";
@@ -1284,7 +1284,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
         400
       );
     }
-    const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);
+    const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId2);
     let clientName = "";
     if (configuredClients.length > 0) {
       const client = configuredClients.find((entry) => entry.client_id === clientId);
@@ -1307,7 +1307,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       clientName = client.name;
     }
     const users = oktaStore.users.all();
-    const callbackPath = `${baseUrl}${buildOAuthBasePath(authServerId)}/authorize/callback`;
+    const callbackPath = `${baseUrl}${buildOAuthBasePath(authServerId2)}/authorize/callback`;
     const buttons = users.map(
       (user) => renderUserButton({
         letter: (user.login[0] ?? "?").toUpperCase(),
@@ -1325,7 +1325,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
           response_mode: responseMode,
           code_challenge: codeChallenge,
           code_challenge_method: codeChallengeMethod,
-          auth_server_id: authServerId
+          auth_server_id: authServerId2
         }
       })
     ).join("\n");
@@ -1341,9 +1341,9 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
   };
   app.get("/oauth2/v1/authorize", (c) => renderAuthorizePage(c, ORG_AUTH_SERVER_ID));
   app.get("/oauth2/:authServerId/v1/authorize", (c) => renderAuthorizePage(c, c.req.param("authServerId")));
-  const handleAuthorizeCallback = async (c, authServerId) => {
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+  const handleAuthorizeCallback = async (c, authServerId2) => {
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const body = await c.req.parseBody();
     const userRef = bodyStr(body.user_ref);
     const redirectUri = bodyStr(body.redirect_uri);
@@ -1364,7 +1364,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     if (!user) {
       return c.html(renderErrorPage("Unknown user", "The selected user is not available.", SERVICE_LABEL), 400);
     }
-    const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);
+    const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId2);
     if (configuredClients.length > 0) {
       const client = configuredClients.find((entry) => entry.client_id === clientId);
       if (!client) {
@@ -1393,10 +1393,10 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       nonce: nonce || null,
       codeChallenge: codeChallenge || null,
       codeChallengeMethod: codeChallengeMethod || null,
-      authServerId,
+      authServerId: authServerId2,
       createdAt: Date.now()
     });
-    debug("okta.oauth", `[callback] code=${code.slice(0, 8)}... user=${user.login} server=${authServerId}`);
+    debug("okta.oauth", `[callback] code=${code.slice(0, 8)}... user=${user.login} server=${authServerId2}`);
     if (responseMode === "form_post") {
       return c.html(renderFormPostPage(redirectUri, { code, state }, SERVICE_LABEL));
     }
@@ -1410,9 +1410,9 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     "/oauth2/:authServerId/v1/authorize/callback",
     (c) => handleAuthorizeCallback(c, c.req.param("authServerId"))
   );
-  const handleToken = async (c, authServerId) => {
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+  const handleToken = async (c, authServerId2) => {
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const body = await parseTokenLikeBody(c);
     const grantType = body.grant_type ?? "";
     const code = body.code ?? "";
@@ -1421,7 +1421,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     const refreshToken = body.refresh_token ?? "";
     const requestedScope = body.scope ?? "";
     const creds = parseClientCredentials(c, body);
-    const validation = validateClient(oktaStore.oauthClients.all(), authServerId, creds.clientId, creds.clientSecret);
+    const validation = validateClient(oktaStore.oauthClients.all(), authServerId2, creds.clientId, creds.clientSecret);
     if (validation.error) {
       return c.json(validation.error.body, validation.error.status);
     }
@@ -1432,7 +1432,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
         if (pending) getPendingCodes(store).delete(code);
         return c.json({ error: "invalid_grant", error_description: "Authorization code is invalid or expired." }, 400);
       }
-      if (pending.authServerId !== authServerId) {
+      if (pending.authServerId !== authServerId2) {
         return c.json({ error: "invalid_grant", error_description: "Authorization server mismatch." }, 400);
       }
       if (redirectUri && redirectUri !== pending.redirectUri) {
@@ -1471,7 +1471,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       const accessToken = `okta_${randomBytes(20).toString("base64url")}`;
       const newRefreshToken = `r_okta_${randomBytes(20).toString("base64url")}`;
       getAccessTokens(store).set(accessToken, {
-        authServerId,
+        authServerId: authServerId2,
         clientId: audienceClient,
         scope,
         issuedAt: now,
@@ -1480,7 +1480,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
         username: user.login
       });
       getRefreshTokens(store).set(newRefreshToken, {
-        authServerId,
+        authServerId: authServerId2,
         clientId: audienceClient,
         scope,
         userOktaId: user.okta_id,
@@ -1507,7 +1507,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       if (!existing) {
         return c.json({ error: "invalid_grant", error_description: "Invalid refresh token." }, 400);
       }
-      if (existing.authServerId !== authServerId) {
+      if (existing.authServerId !== authServerId2) {
         return c.json({ error: "invalid_grant", error_description: "Authorization server mismatch." }, 400);
       }
       if (validatedClient && validatedClient.client_id !== existing.clientId) {
@@ -1524,7 +1524,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       const nextRefreshToken = `r_okta_${randomBytes(20).toString("base64url")}`;
       const scope = requestedScope || existing.scope;
       getAccessTokens(store).set(nextAccessToken, {
-        authServerId,
+        authServerId: authServerId2,
         clientId: existing.clientId,
         scope,
         issuedAt: now,
@@ -1572,7 +1572,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
         return c.json({ error: "invalid_client", error_description: "client_id is required." }, 401);
       }
       getAccessTokens(store).set(accessToken, {
-        authServerId,
+        authServerId: authServerId2,
         clientId,
         scope,
         issuedAt: now,
@@ -1596,12 +1596,12 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
   };
   app.post("/oauth2/v1/token", (c) => handleToken(c, ORG_AUTH_SERVER_ID));
   app.post("/oauth2/:authServerId/v1/token", (c) => handleToken(c, c.req.param("authServerId")));
-  const handleUserInfo = (c, authServerId) => {
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+  const handleUserInfo = (c, authServerId2) => {
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const token = c.get("authToken") ?? "";
     const access = getAccessTokens(store).get(token);
-    if (!access || access.authServerId !== authServerId || !access.userOktaId) {
+    if (!access || access.authServerId !== authServerId2 || !access.userOktaId) {
       return unauthorizedOAuthError();
     }
     const user = oktaStore.users.findOneBy("okta_id", access.userOktaId);
@@ -1622,9 +1622,9 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
   };
   app.get("/oauth2/v1/userinfo", (c) => handleUserInfo(c, ORG_AUTH_SERVER_ID));
   app.get("/oauth2/:authServerId/v1/userinfo", (c) => handleUserInfo(c, c.req.param("authServerId")));
-  const handleRevoke = async (c, authServerId) => {
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+  const handleRevoke = async (c, authServerId2) => {
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const body = await parseTokenLikeBody(c);
     const token = body.token ?? "";
     getAccessTokens(store).delete(token);
@@ -1634,19 +1634,19 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
   };
   app.post("/oauth2/v1/revoke", (c) => handleRevoke(c, ORG_AUTH_SERVER_ID));
   app.post("/oauth2/:authServerId/v1/revoke", (c) => handleRevoke(c, c.req.param("authServerId")));
-  const handleIntrospect = async (c, authServerId) => {
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+  const handleIntrospect = async (c, authServerId2) => {
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const body = await parseTokenLikeBody(c);
     const token = body.token ?? "";
     const creds = parseClientCredentials(c, body);
-    const validation = validateClient(oktaStore.oauthClients.all(), authServerId, creds.clientId, creds.clientSecret);
+    const validation = validateClient(oktaStore.oauthClients.all(), authServerId2, creds.clientId, creds.clientSecret);
     if (validation.error) {
       return c.json(validation.error.body, validation.error.status);
     }
     const now = Math.floor(Date.now() / 1e3);
     const access = getAccessTokens(store).get(token);
-    if (access && access.authServerId === authServerId && access.expiresAt > now) {
+    if (access && access.authServerId === authServerId2 && access.expiresAt > now) {
       return c.json({
         active: true,
         token_type: "Bearer",
@@ -1661,7 +1661,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       });
     }
     const refresh = getRefreshTokens(store).get(token);
-    if (refresh && refresh.authServerId === authServerId) {
+    if (refresh && refresh.authServerId === authServerId2) {
       return c.json({
         active: true,
         token_type: "refresh_token",
@@ -1677,12 +1677,12 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
   };
   app.post("/oauth2/v1/introspect", (c) => handleIntrospect(c, ORG_AUTH_SERVER_ID));
   app.post("/oauth2/:authServerId/v1/introspect", (c) => handleIntrospect(c, c.req.param("authServerId")));
-  const handleLogout = (c, authServerId) => {
-    const server = resolveServer(authServerId, baseUrl, oktaStore);
-    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
+  const handleLogout = (c, authServerId2) => {
+    const server = resolveServer(authServerId2, baseUrl, oktaStore);
+    if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId2}'`);
     const postLogoutRedirectUri = c.req.query("post_logout_redirect_uri");
     if (!postLogoutRedirectUri) return c.text("Logged out");
-    const scopedClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);
+    const scopedClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId2);
     if (scopedClients.length > 0) {
       const isAllowed = scopedClients.some((client) => matchesRedirectUri(postLogoutRedirectUri, client.redirect_uris));
       if (!isAllowed) return c.text("Invalid post_logout_redirect_uri", 400);
@@ -1692,6 +1692,429 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
   app.get("/oauth2/v1/logout", (c) => handleLogout(c, ORG_AUTH_SERVER_ID));
   app.get("/oauth2/:authServerId/v1/logout", (c) => handleLogout(c, c.req.param("authServerId")));
 }
+function openapiRoutes({ app, baseUrl }) {
+  app.get("/openapi.json", (c) => c.json(buildSpec(baseUrl)));
+}
+var ok = (description) => ({
+  description,
+  content: { "application/json": { schema: { type: "object" } } }
+});
+var noContent = (description) => ({ description });
+var userId = { name: "userId", in: "path", required: true, schema: { type: "string" } };
+var groupId = { name: "groupId", in: "path", required: true, schema: { type: "string" } };
+var appId = { name: "appId", in: "path", required: true, schema: { type: "string" } };
+var authServerId = { name: "authServerId", in: "path", required: true, schema: { type: "string" } };
+var q = { name: "q", in: "query", required: false, schema: { type: "string" } };
+var jsonBody = (properties, required, description) => ({
+  required: true,
+  description,
+  content: {
+    "application/json": {
+      schema: { type: "object", properties, required: [...required] }
+    }
+  }
+});
+var userProfileBody = (description) => jsonBody(
+  {
+    profile: {
+      type: "object",
+      properties: {
+        login: { type: "string" },
+        email: { type: "string" },
+        firstName: { type: "string" },
+        lastName: { type: "string" },
+        displayName: { type: "string" },
+        locale: { type: "string" },
+        timeZone: { type: "string" }
+      }
+    }
+  },
+  ["profile"],
+  description
+);
+var groupProfileBody = (description) => jsonBody(
+  {
+    profile: {
+      type: "object",
+      properties: { name: { type: "string" }, description: { type: "string" } }
+    },
+    type: { type: "string" }
+  },
+  ["profile"],
+  description
+);
+var appBody = (description, required) => jsonBody(
+  {
+    name: { type: "string" },
+    label: { type: "string" },
+    status: { type: "string", enum: ["ACTIVE", "INACTIVE"] },
+    signOnMode: { type: "string" },
+    settings: { type: "object" },
+    credentials: { type: "object" }
+  },
+  required,
+  description
+);
+var authServerBody = (description, required) => jsonBody(
+  {
+    id: { type: "string" },
+    name: { type: "string" },
+    description: { type: "string" },
+    audiences: { type: "array", items: { type: "string" } },
+    status: { type: "string", enum: ["ACTIVE", "INACTIVE"] }
+  },
+  required,
+  description
+);
+function buildSpec(baseUrl) {
+  return {
+    openapi: "3.1.0",
+    info: {
+      title: "Okta Management API (Emulated)",
+      version: "1.0.0",
+      description: 'Emulated subset of the Okta management REST API. Authenticate with an SSWS API token (mint one at POST /_emulate/credentials with {"type":"api-key"}).'
+    },
+    servers: [{ url: baseUrl }],
+    components: {
+      securitySchemes: {
+        ssws: {
+          type: "apiKey",
+          in: "header",
+          name: "Authorization",
+          description: "Okta API token, sent as `Authorization: SSWS {token}`."
+        }
+      }
+    },
+    security: [{ ssws: [] }],
+    paths: {
+      "/api/v1/users": {
+        get: {
+          operationId: "users/list",
+          tags: ["users"],
+          summary: "List users",
+          parameters: [
+            q,
+            { name: "search", in: "query", required: false, schema: { type: "string" } },
+            { name: "filter", in: "query", required: false, schema: { type: "string" } }
+          ],
+          responses: { "200": ok("User list.") }
+        },
+        post: {
+          operationId: "users/create",
+          tags: ["users"],
+          summary: "Create a user",
+          parameters: [{ name: "activate", in: "query", required: false, schema: { type: "boolean" } }],
+          requestBody: userProfileBody("The user profile (profile.login and profile.email are required)."),
+          responses: { "201": ok("The created user."), "400": ok("Validation error.") }
+        }
+      },
+      "/api/v1/users/me": {
+        get: {
+          operationId: "users/getCurrent",
+          tags: ["users"],
+          summary: "Get the current user",
+          responses: { "200": ok("The current user."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/users/{userId}": {
+        get: {
+          operationId: "users/get",
+          tags: ["users"],
+          summary: "Retrieve a user by id, login, or email",
+          parameters: [userId],
+          responses: { "200": ok("The user."), "404": ok("Not found.") }
+        },
+        put: {
+          operationId: "users/update",
+          tags: ["users"],
+          summary: "Update a user profile",
+          parameters: [userId],
+          requestBody: userProfileBody("The profile fields to replace."),
+          responses: { "200": ok("The updated user."), "404": ok("Not found.") }
+        },
+        post: {
+          operationId: "users/partialUpdate",
+          tags: ["users"],
+          summary: "Partially update a user profile",
+          parameters: [userId],
+          requestBody: userProfileBody("The profile fields to merge."),
+          responses: { "200": ok("The updated user."), "404": ok("Not found.") }
+        },
+        delete: {
+          operationId: "users/delete",
+          tags: ["users"],
+          summary: "Deactivate, then delete a user",
+          description: "Like real Okta, the first delete deactivates the user; a second delete removes them.",
+          parameters: [userId],
+          responses: { "204": noContent("Deactivated or deleted."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/users/{userId}/groups": {
+        get: {
+          operationId: "users/listGroups",
+          tags: ["users"],
+          summary: "List a user's groups",
+          parameters: [userId],
+          responses: { "200": ok("Group list."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/users/{userId}/lifecycle/activate": {
+        post: {
+          operationId: "users/activate",
+          tags: ["users"],
+          summary: "Activate a user",
+          parameters: [userId],
+          responses: { "200": ok("The activated user."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/users/{userId}/lifecycle/deactivate": {
+        post: {
+          operationId: "users/deactivate",
+          tags: ["users"],
+          summary: "Deactivate a user",
+          parameters: [userId],
+          responses: { "200": ok("The deactivated user."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/users/{userId}/lifecycle/suspend": {
+        post: {
+          operationId: "users/suspend",
+          tags: ["users"],
+          summary: "Suspend a user",
+          parameters: [userId],
+          responses: { "200": ok("The suspended user."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/users/{userId}/lifecycle/unsuspend": {
+        post: {
+          operationId: "users/unsuspend",
+          tags: ["users"],
+          summary: "Unsuspend a user",
+          parameters: [userId],
+          responses: { "200": ok("The unsuspended user."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/users/{userId}/lifecycle/reactivate": {
+        post: {
+          operationId: "users/reactivate",
+          tags: ["users"],
+          summary: "Reactivate a user",
+          parameters: [userId],
+          responses: { "200": ok("The reactivated user."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/groups": {
+        get: {
+          operationId: "groups/list",
+          tags: ["groups"],
+          summary: "List groups",
+          parameters: [q],
+          responses: { "200": ok("Group list.") }
+        },
+        post: {
+          operationId: "groups/create",
+          tags: ["groups"],
+          summary: "Create a group",
+          requestBody: groupProfileBody("The group to create (profile.name is required)."),
+          responses: { "201": ok("The created group."), "400": ok("Validation error.") }
+        }
+      },
+      "/api/v1/groups/{groupId}": {
+        get: {
+          operationId: "groups/get",
+          tags: ["groups"],
+          summary: "Retrieve a group",
+          parameters: [groupId],
+          responses: { "200": ok("The group."), "404": ok("Not found.") }
+        },
+        put: {
+          operationId: "groups/update",
+          tags: ["groups"],
+          summary: "Update a group",
+          parameters: [groupId],
+          requestBody: groupProfileBody("The group fields to replace."),
+          responses: { "200": ok("The updated group."), "404": ok("Not found.") }
+        },
+        delete: {
+          operationId: "groups/delete",
+          tags: ["groups"],
+          summary: "Delete a group",
+          parameters: [groupId],
+          responses: { "204": noContent("Deleted."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/groups/{groupId}/users": {
+        get: {
+          operationId: "groups/listUsers",
+          tags: ["groups"],
+          summary: "List a group's members",
+          parameters: [groupId],
+          responses: { "200": ok("User list."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/groups/{groupId}/users/{userId}": {
+        put: {
+          operationId: "groups/addUser",
+          tags: ["groups"],
+          summary: "Add a user to a group",
+          parameters: [groupId, userId],
+          responses: { "204": noContent("Added."), "404": ok("Not found.") }
+        },
+        delete: {
+          operationId: "groups/removeUser",
+          tags: ["groups"],
+          summary: "Remove a user from a group",
+          parameters: [groupId, userId],
+          responses: { "204": noContent("Removed."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/apps": {
+        get: {
+          operationId: "apps/list",
+          tags: ["apps"],
+          summary: "List applications",
+          parameters: [q],
+          responses: { "200": ok("Application list.") }
+        },
+        post: {
+          operationId: "apps/create",
+          tags: ["apps"],
+          summary: "Create an application",
+          requestBody: appBody("The application to create.", []),
+          responses: { "201": ok("The created application.") }
+        }
+      },
+      "/api/v1/apps/{appId}": {
+        get: {
+          operationId: "apps/get",
+          tags: ["apps"],
+          summary: "Retrieve an application",
+          parameters: [appId],
+          responses: { "200": ok("The application."), "404": ok("Not found.") }
+        },
+        put: {
+          operationId: "apps/update",
+          tags: ["apps"],
+          summary: "Update an application",
+          parameters: [appId],
+          requestBody: appBody("The application fields to replace.", []),
+          responses: { "200": ok("The updated application."), "404": ok("Not found.") }
+        },
+        delete: {
+          operationId: "apps/delete",
+          tags: ["apps"],
+          summary: "Delete an INACTIVE application",
+          parameters: [appId],
+          responses: {
+            "204": noContent("Deleted."),
+            "400": ok("App must be INACTIVE before deletion."),
+            "404": ok("Not found.")
+          }
+        }
+      },
+      "/api/v1/apps/{appId}/users": {
+        get: {
+          operationId: "apps/listUsers",
+          tags: ["apps"],
+          summary: "List users assigned to an application",
+          parameters: [appId],
+          responses: { "200": ok("Assigned user list."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/apps/{appId}/users/{userId}": {
+        put: {
+          operationId: "apps/assignUser",
+          tags: ["apps"],
+          summary: "Assign a user to an application",
+          parameters: [appId, userId],
+          responses: { "204": noContent("Assigned."), "404": ok("Not found.") }
+        },
+        delete: {
+          operationId: "apps/unassignUser",
+          tags: ["apps"],
+          summary: "Unassign a user from an application",
+          parameters: [appId, userId],
+          responses: { "204": noContent("Unassigned."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/apps/{appId}/lifecycle/activate": {
+        post: {
+          operationId: "apps/activate",
+          tags: ["apps"],
+          summary: "Activate an application",
+          parameters: [appId],
+          responses: { "200": ok("The activated application."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/apps/{appId}/lifecycle/deactivate": {
+        post: {
+          operationId: "apps/deactivate",
+          tags: ["apps"],
+          summary: "Deactivate an application",
+          parameters: [appId],
+          responses: { "200": ok("The deactivated application."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/authorizationServers": {
+        get: {
+          operationId: "authorizationServers/list",
+          tags: ["authorizationServers"],
+          summary: "List authorization servers",
+          responses: { "200": ok("Authorization server list.") }
+        },
+        post: {
+          operationId: "authorizationServers/create",
+          tags: ["authorizationServers"],
+          summary: "Create an authorization server",
+          requestBody: authServerBody("The authorization server to create (name is required).", ["name"]),
+          responses: { "201": ok("The created authorization server."), "400": ok("Validation error.") }
+        }
+      },
+      "/api/v1/authorizationServers/{authServerId}": {
+        get: {
+          operationId: "authorizationServers/get",
+          tags: ["authorizationServers"],
+          summary: "Retrieve an authorization server",
+          parameters: [authServerId],
+          responses: { "200": ok("The authorization server."), "404": ok("Not found.") }
+        },
+        put: {
+          operationId: "authorizationServers/update",
+          tags: ["authorizationServers"],
+          summary: "Update an authorization server",
+          parameters: [authServerId],
+          requestBody: authServerBody("The authorization server fields to replace.", []),
+          responses: { "200": ok("The updated authorization server."), "404": ok("Not found.") }
+        },
+        delete: {
+          operationId: "authorizationServers/delete",
+          tags: ["authorizationServers"],
+          summary: "Delete an authorization server and its clients",
+          parameters: [authServerId],
+          responses: { "204": noContent("Deleted."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/authorizationServers/{authServerId}/lifecycle/activate": {
+        post: {
+          operationId: "authorizationServers/activate",
+          tags: ["authorizationServers"],
+          summary: "Activate an authorization server",
+          parameters: [authServerId],
+          responses: { "200": ok("The activated authorization server."), "404": ok("Not found.") }
+        }
+      },
+      "/api/v1/authorizationServers/{authServerId}/lifecycle/deactivate": {
+        post: {
+          operationId: "authorizationServers/deactivate",
+          tags: ["authorizationServers"],
+          summary: "Deactivate an authorization server",
+          parameters: [authServerId],
+          responses: { "200": ok("The deactivated authorization server."), "404": ok("Not found.") }
+        }
+      }
+    }
+  };
+}
 function updateUserProfile(user, profile) {
   const nextFirstName = typeof profile.firstName === "string" ? profile.firstName : user.first_name;
   const nextLastName = typeof profile.lastName === "string" ? profile.lastName : user.last_name;
@@ -1721,13 +2144,13 @@ function userRoutes({ app, store, baseUrl, tokenMap }) {
   app.get("/api/v1/users", (c) => {
     const auth = requireManagementAuth(c, tokenMap);
     if (auth instanceof Response) return auth;
-    const q = (c.req.query("q") ?? "").toLowerCase();
+    const q2 = (c.req.query("q") ?? "").toLowerCase();
     const search = (c.req.query("search") ?? "").toLowerCase();
     const filter = c.req.query("filter") ?? "";
     let users = oktaStore.users.all();
-    if (q) {
+    if (q2) {
       users = users.filter(
-        (user) => [user.login, user.email, user.first_name, user.last_name, user.display_name].join(" ").toLowerCase().includes(q)
+        (user) => [user.login, user.email, user.first_name, user.last_name, user.display_name].join(" ").toLowerCase().includes(q2)
       );
     }
     if (search) {
@@ -1930,7 +2353,8 @@ var manifest = {
       type: "oauth-client-credentials",
       status: "supported"
     },
-    { id: "oidc", title: "OIDC identity tokens", type: "oidc", status: "supported" }
+    { id: "oidc", title: "OIDC identity tokens", type: "oidc", status: "supported" },
+    { id: "api-token", title: "SSWS API token", type: "api-key", status: "supported" }
   ],
   specs: [
     {
@@ -1960,15 +2384,17 @@ var manifest = {
       ]
     },
     {
-      kind: "manual",
-      title: "Okta management API behavior",
-      coverage: "partial",
+      kind: "openapi",
+      title: "Okta management API subset",
+      coverage: "hand-authored",
+      url: "/openapi.json",
       operations: [
         { operationId: "users/list", method: "GET", path: "/api/v1/users", status: "hand-authored" },
         { operationId: "users/create", method: "POST", path: "/api/v1/users", status: "hand-authored" },
         { operationId: "users/getCurrent", method: "GET", path: "/api/v1/users/me", status: "hand-authored" },
         { operationId: "users/get", method: "GET", path: "/api/v1/users/:userId", status: "hand-authored" },
         { operationId: "users/update", method: "PUT", path: "/api/v1/users/:userId", status: "hand-authored" },
+        { operationId: "users/partialUpdate", method: "POST", path: "/api/v1/users/:userId", status: "hand-authored" },
         { operationId: "users/delete", method: "DELETE", path: "/api/v1/users/:userId", status: "hand-authored" },
         {
           operationId: "users/listGroups",
@@ -1988,9 +2414,29 @@ var manifest = {
           path: "/api/v1/users/:userId/lifecycle/deactivate",
           status: "hand-authored"
         },
+        {
+          operationId: "users/suspend",
+          method: "POST",
+          path: "/api/v1/users/:userId/lifecycle/suspend",
+          status: "hand-authored"
+        },
+        {
+          operationId: "users/unsuspend",
+          method: "POST",
+          path: "/api/v1/users/:userId/lifecycle/unsuspend",
+          status: "hand-authored"
+        },
+        {
+          operationId: "users/reactivate",
+          method: "POST",
+          path: "/api/v1/users/:userId/lifecycle/reactivate",
+          status: "hand-authored"
+        },
         { operationId: "groups/list", method: "GET", path: "/api/v1/groups", status: "hand-authored" },
         { operationId: "groups/create", method: "POST", path: "/api/v1/groups", status: "hand-authored" },
         { operationId: "groups/get", method: "GET", path: "/api/v1/groups/:groupId", status: "hand-authored" },
+        { operationId: "groups/update", method: "PUT", path: "/api/v1/groups/:groupId", status: "hand-authored" },
+        { operationId: "groups/delete", method: "DELETE", path: "/api/v1/groups/:groupId", status: "hand-authored" },
         {
           operationId: "groups/listUsers",
           method: "GET",
@@ -2012,12 +2458,33 @@ var manifest = {
         { operationId: "apps/list", method: "GET", path: "/api/v1/apps", status: "hand-authored" },
         { operationId: "apps/create", method: "POST", path: "/api/v1/apps", status: "hand-authored" },
         { operationId: "apps/get", method: "GET", path: "/api/v1/apps/:appId", status: "hand-authored" },
+        { operationId: "apps/update", method: "PUT", path: "/api/v1/apps/:appId", status: "hand-authored" },
+        { operationId: "apps/delete", method: "DELETE", path: "/api/v1/apps/:appId", status: "hand-authored" },
+        { operationId: "apps/listUsers", method: "GET", path: "/api/v1/apps/:appId/users", status: "hand-authored" },
         {
           operationId: "apps/assignUser",
           method: "PUT",
           path: "/api/v1/apps/:appId/users/:userId",
           status: "hand-authored"
         },
+        {
+          operationId: "apps/unassignUser",
+          method: "DELETE",
+          path: "/api/v1/apps/:appId/users/:userId",
+          status: "hand-authored"
+        },
+        {
+          operationId: "apps/activate",
+          method: "POST",
+          path: "/api/v1/apps/:appId/lifecycle/activate",
+          status: "hand-authored"
+        },
+        {
+          operationId: "apps/deactivate",
+          method: "POST",
+          path: "/api/v1/apps/:appId/lifecycle/deactivate",
+          status: "hand-authored"
+        },
         {
           operationId: "authorizationServers/list",
           method: "GET",
@@ -2035,6 +2502,30 @@ var manifest = {
           method: "GET",
           path: "/api/v1/authorizationServers/:authServerId",
           status: "hand-authored"
+        },
+        {
+          operationId: "authorizationServers/update",
+          method: "PUT",
+          path: "/api/v1/authorizationServers/:authServerId",
+          status: "hand-authored"
+        },
+        {
+          operationId: "authorizationServers/delete",
+          method: "DELETE",
+          path: "/api/v1/authorizationServers/:authServerId",
+          status: "hand-authored"
+        },
+        {
+          operationId: "authorizationServers/activate",
+          method: "POST",
+          path: "/api/v1/authorizationServers/:authServerId/lifecycle/activate",
+          status: "hand-authored"
+        },
+        {
+          operationId: "authorizationServers/deactivate",
+          method: "POST",
+          path: "/api/v1/authorizationServers/:authServerId/lifecycle/deactivate",
+          status: "hand-authored"
         }
       ]
     }
@@ -2318,6 +2809,7 @@ var oktaPlugin = {
     groupRoutes(ctx);
     appRoutes(ctx);
     authorizationServerRoutes(ctx);
+    openapiRoutes(ctx);
   },
   seed(store, baseUrl) {
     seedDefaults(store, baseUrl);
@@ -2331,4 +2823,4 @@ export {
   oktaPlugin,
   seedFromConfig
 };
-//# sourceMappingURL=dist-BTEY33DJ.js.map
+//# sourceMappingURL=dist-QXFWC3LV.js.map