npm - @executor-js/emulate - Versions diffs - 0.6.0 - Mend

@executor-js/emulate 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/README.md +1044 -0
package/dist/api.d.ts +24 -0
package/dist/api.js +2665 -0
package/dist/api.js.map +1 -0
package/dist/chunk-D6EKRYGP.js +1615 -0
package/dist/chunk-D6EKRYGP.js.map +1 -0
package/dist/chunk-WVQMFHQM.js +83 -0
package/dist/chunk-WVQMFHQM.js.map +1 -0
package/dist/dist-7FDUSG5I.js +24368 -0
package/dist/dist-7FDUSG5I.js.map +1 -0
package/dist/dist-7N4COJHK.js +1814 -0
package/dist/dist-7N4COJHK.js.map +1 -0
package/dist/dist-BTEY33DJ.js +2334 -0
package/dist/dist-BTEY33DJ.js.map +1 -0
package/dist/dist-DK26ESP2.js +595 -0
package/dist/dist-DK26ESP2.js.map +1 -0
package/dist/dist-IYZPDKJW.js +1284 -0
package/dist/dist-IYZPDKJW.js.map +1 -0
package/dist/dist-JJ2ZRCAX.js +189 -0
package/dist/dist-JJ2ZRCAX.js.map +1 -0
package/dist/dist-K4CVTD6K.js +1570 -0
package/dist/dist-K4CVTD6K.js.map +1 -0
package/dist/dist-M3GVASMR.js +1254 -0
package/dist/dist-M3GVASMR.js.map +1 -0
package/dist/dist-OYYGWKZQ.js +1533 -0
package/dist/dist-OYYGWKZQ.js.map +1 -0
package/dist/dist-P3SBBRFR.js +3169 -0
package/dist/dist-P3SBBRFR.js.map +1 -0
package/dist/dist-RMPDKZUA.js +1183 -0
package/dist/dist-RMPDKZUA.js.map +1 -0
package/dist/dist-WBKONLOE.js +2154 -0
package/dist/dist-WBKONLOE.js.map +1 -0
package/dist/dist-XM5HSBDC.js +1090 -0
package/dist/dist-XM5HSBDC.js.map +1 -0
package/dist/dist-XVVIYXQG.js +4241 -0
package/dist/dist-XVVIYXQG.js.map +1 -0
package/dist/dist-YPRJYQHW.js +5109 -0
package/dist/dist-YPRJYQHW.js.map +1 -0
package/dist/dist-ZEC77OKZ.js +913 -0
package/dist/dist-ZEC77OKZ.js.map +1 -0
package/dist/fonts/GeistPixel-Square.woff2 +0 -0
package/dist/fonts/favicon.ico +0 -0
package/dist/fonts/geist-sans.woff2 +0 -0
package/dist/helpers-LXLP3DFE-LBOTATT5.js +17 -0
package/dist/helpers-LXLP3DFE-LBOTATT5.js.map +1 -0
package/dist/index.js +3005 -0
package/dist/index.js.map +1 -0
package/package.json +83 -0

package/dist/dist-IYZPDKJW.js ADDED Viewed

@@ -0,0 +1,1284 @@
+import {
+  SignJWT,
+  exportJWK,
+  generateKeyPair
+} from "./chunk-D6EKRYGP.js";
+// ../@emulators/workos/dist/index.js
+function getWorkosStore(store) {
+  return {
+    users: store.collection("workos.users", ["workos_id", "email"]),
+    organizations: store.collection("workos.organizations", ["workos_id"]),
+    memberships: store.collection("workos.memberships", [
+      "workos_id",
+      "user_id",
+      "organization_id"
+    ]),
+    invitations: store.collection("workos.invitations", [
+      "workos_id",
+      "email",
+      "organization_id",
+      "token"
+    ]),
+    apiKeys: store.collection("workos.api_keys", ["workos_id", "value", "user_id"]),
+    authCodes: store.collection("workos.auth_codes", ["code"]),
+    sessions: store.collection("workos.sessions", ["refresh_token", "workos_id"]),
+    vaultObjects: store.collection("workos.vault_objects", [
+      "workos_id",
+      "name"
+    ]),
+    oauthClients: store.collection("workos.oauth_clients", ["client_id"]),
+    oauthCodes: store.collection("workos.oauth_codes", ["code"])
+  };
+}
+function createErrorHandler(documentationUrl) {
+  return async (c, next) => {
+    if (documentationUrl) {
+      c.set("docsUrl", documentationUrl);
+    }
+    await next();
+  };
+}
+var errorHandler = createErrorHandler();
+var isDebug = typeof process !== "undefined" && (process.env.DEBUG === "1" || process.env.DEBUG === "true" || process.env.EMULATE_DEBUG === "1");
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function escapeAttr(s) {
+  return escapeHtml(s).replace(/'/g, "&#39;");
+}
+var CSS = `
+@font-face{
+  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;
+  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');
+}
+@font-face{
+  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;
+  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');
+}
+*{box-sizing:border-box;margin:0;padding:0}
+body{
+  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;
+  background:#000;color:#33ff00;min-height:100vh;
+  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;
+}
+.emu-bar{
+  border-bottom:1px solid #0a3300;padding:10px 20px;
+  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;
+}
+.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}
+.emu-bar-links{margin-left:auto;display:flex;gap:16px;}
+.emu-bar-links a{
+  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;
+}
+.emu-bar-links a:hover{color:#33ff00;}
+.emu-bar-links a .full{display:inline;}
+.emu-bar-links a .short{display:none;}
+@media(max-width:600px){
+  .emu-bar-links a .full{display:none;}
+  .emu-bar-links a .short{display:inline;}
+}
+.content{
+  display:flex;align-items:center;justify-content:center;
+  min-height:calc(100vh - 42px);padding:24px 16px;
+}
+.content-inner{width:100%;max-width:420px;}
+.card-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;
+}
+.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}
+.powered-by{
+  position:fixed;bottom:0;left:0;right:0;
+  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;
+  font-family:'Geist Pixel',monospace;
+}
+.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.powered-by a:hover{color:#33ff00;}
+.error-title{
+  font-family:'Geist Pixel',monospace;
+  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;
+}
+.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}
+.error-card{text-align:center;}
+.user-form{margin-bottom:8px;}
+.user-form:last-of-type{margin-bottom:0;}
+.user-btn{
+  width:100%;display:flex;align-items:center;gap:12px;
+  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;
+  background:#000;color:inherit;cursor:pointer;text-align:left;
+  font:inherit;transition:border-color .15s;
+}
+.user-btn:hover{border-color:#33ff00;}
+.avatar{
+  width:36px;height:36px;border-radius:50%;
+  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.user-text{min-width:0;}
+.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}
+.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}
+.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}
+.settings-layout{
+  max-width:920px;margin:0 auto;padding:28px 20px;
+  display:flex;gap:28px;
+}
+.settings-sidebar{width:200px;flex-shrink:0;}
+.settings-sidebar a{
+  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;
+  text-decoration:none;font-size:.8125rem;transition:color .15s;
+}
+.settings-sidebar a:hover{color:#33ff00;}
+.settings-sidebar a.active{color:#33ff00;font-weight:600;}
+.settings-main{flex:1;min-width:0;}
+.s-card{
+  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;
+}
+.s-card:last-child{border-bottom:none;}
+.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}
+.s-icon{
+  width:42px;height:42px;border-radius:8px;
+  background:#0a3300;display:flex;align-items:center;justify-content:center;
+  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.s-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.25rem;font-weight:600;color:#33ff00;
+}
+.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.section-heading{
+  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;
+  display:flex;align-items:center;justify-content:space-between;
+}
+.perm-list{list-style:none;}
+.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}
+.check{color:#33ff00;}
+.org-row{
+  display:flex;align-items:center;gap:8px;padding:7px 0;
+  border-bottom:1px solid #0a3300;font-size:.8125rem;
+}
+.org-row:last-child{border-bottom:none;}
+.org-icon{
+  width:22px;height:22px;border-radius:4px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;
+  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.org-name{font-weight:600;color:#33ff00;}
+.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}
+.badge-granted{background:#0a3300;color:#33ff00;}
+.badge-denied{background:#1a0a0a;color:#ff4444;}
+.badge-requested{background:#0a3300;color:#1a8c00;}
+.btn-revoke{
+  display:inline-block;padding:5px 14px;border-radius:6px;
+  border:1px solid #0a3300;background:transparent;color:#ff4444;
+  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;
+}
+.btn-revoke:hover{border-color:#ff4444;}
+.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}
+.info-text a,.section-heading a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.info-text a:hover,.section-heading a:hover{color:#33ff00;}
+code{font-family:'Geist Mono','SF Mono',ui-monospace,monospace;font-size:.8125rem;color:#33ff00;word-break:break-all;}
+.code-block{
+  background:#020;border:1px solid #0a3300;border-radius:6px;padding:10px 12px;
+  margin:8px 0 12px;overflow-x:auto;
+}
+.code-block code{white-space:pre;word-break:normal;display:block;line-height:1.5;}
+.app-link{
+  display:flex;align-items:center;gap:12px;padding:12px;
+  border:1px solid #0a3300;border-radius:8px;background:#000;
+  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;
+}
+.app-link:hover{border-color:#33ff00;}
+.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}
+.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}
+.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}
+.inspector-layout{max-width:960px;margin:0 auto;padding:28px 20px;}
+.inspector-tabs{display:flex;gap:4px;margin-bottom:20px;}
+.inspector-tabs a{
+  padding:7px 16px;border-radius:6px;text-decoration:none;
+  font-size:.8125rem;color:#1a8c00;border:1px solid transparent;
+  transition:color .15s,border-color .15s;
+}
+.inspector-tabs a:hover{color:#33ff00;}
+.inspector-tabs a.active{color:#33ff00;font-weight:600;border-color:#0a3300;background:#0a3300;}
+.inspector-section{margin-bottom:24px;}
+.inspector-section h2{
+  font-family:'Geist Pixel',monospace;
+  font-size:1rem;font-weight:600;color:#33ff00;margin-bottom:10px;
+}
+.inspector-section h3{
+  font-family:'Geist Pixel',monospace;
+  font-size:.875rem;font-weight:600;color:#1a8c00;margin:16px 0 8px;
+}
+.inspector-table{width:100%;border-collapse:collapse;margin-bottom:12px;}
+.inspector-table th,.inspector-table td{
+  text-align:left;padding:8px 12px;border-bottom:1px solid #0a3300;
+  font-size:.8125rem;
+}
+.inspector-table th{color:#1a8c00;font-weight:600;font-size:.75rem;text-transform:uppercase;letter-spacing:.04em;}
+.inspector-table td{color:#33ff00;}
+.inspector-table tbody tr{transition:background .1s;}
+.inspector-table tbody tr:hover{background:#0a3300;}
+.inspector-empty{color:#1a8c00;text-align:center;padding:20px 0;font-size:.8125rem;}
+.checkout-layout{
+  display:flex;min-height:calc(100vh - 42px);
+}
+.checkout-summary{
+  flex:1;background:#020;padding:48px 40px 48px 10%;
+  display:flex;flex-direction:column;justify-content:center;
+  border-right:1px solid #0a3300;
+}
+.checkout-form-side{
+  flex:1;background:#000;padding:48px 10% 48px 40px;
+  display:flex;flex-direction:column;justify-content:center;
+}
+.checkout-merchant{
+  display:flex;align-items:center;gap:10px;margin-bottom:6px;
+}
+.checkout-merchant-name{
+  font-family:'Geist Pixel',monospace;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-test-badge{
+  font-size:.625rem;font-weight:700;letter-spacing:.04em;text-transform:uppercase;
+  background:#0a3300;color:#1a8c00;padding:2px 8px;border-radius:4px;
+}
+.checkout-total{
+  font-family:'Geist Pixel',monospace;
+  font-size:2rem;font-weight:700;color:#33ff00;margin:8px 0 28px;
+}
+.checkout-line-item{
+  display:flex;align-items:center;gap:14px;padding:14px 0;
+  border-bottom:1px solid #0a3300;
+}
+.checkout-line-item:first-child{border-top:1px solid #0a3300;}
+.checkout-item-icon{
+  width:42px;height:42px;border-radius:6px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;font-size:.875rem;font-weight:700;color:#116600;
+}
+.checkout-item-details{flex:1;min-width:0;}
+.checkout-item-name{font-size:.875rem;font-weight:600;color:#33ff00;}
+.checkout-item-qty{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.checkout-item-price{
+  font-size:.875rem;font-weight:600;color:#33ff00;text-align:right;white-space:nowrap;
+}
+.checkout-item-unit{font-size:.6875rem;color:#1a8c00;text-align:right;margin-top:2px;}
+.checkout-totals{margin-top:20px;}
+.checkout-totals-row{
+  display:flex;justify-content:space-between;padding:6px 0;
+  font-size:.8125rem;color:#1a8c00;
+}
+.checkout-totals-row.total{
+  border-top:1px solid #0a3300;margin-top:8px;padding-top:14px;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-form-section{margin-bottom:24px;}
+.checkout-form-label{
+  font-size:.8125rem;font-weight:600;color:#33ff00;margin-bottom:8px;display:block;
+}
+.checkout-input{
+  width:100%;padding:10px 12px;border:1px solid #0a3300;border-radius:6px;
+  background:#020;color:#33ff00;font:inherit;font-size:.875rem;
+  transition:border-color .15s;outline:none;
+}
+.checkout-input:focus{border-color:#33ff00;}
+.checkout-input::placeholder{color:#116600;}
+.checkout-card-box{
+  border:1px solid #0a3300;border-radius:6px;padding:14px;
+  background:#020;
+}
+.checkout-card-row{
+  display:flex;gap:12px;margin-top:10px;
+}
+.checkout-card-row .checkout-input{flex:1;}
+.checkout-sim-note{
+  font-size:.6875rem;color:#1a8c00;margin-top:10px;text-align:center;
+  font-style:italic;
+}
+.checkout-pay-btn{
+  width:100%;padding:14px;border:none;border-radius:8px;
+  background:#33ff00;color:#000;font:inherit;font-size:.9375rem;font-weight:700;
+  cursor:pointer;transition:background .15s;
+  font-family:'Geist Pixel',monospace;
+}
+.checkout-pay-btn:hover{background:#44ff22;}
+.checkout-cancel{
+  text-align:center;margin-top:14px;
+}
+.checkout-cancel a{
+  color:#1a8c00;text-decoration:none;font-size:.8125rem;
+  transition:color .15s;
+}
+.checkout-cancel a:hover{color:#33ff00;}
+@media(max-width:768px){
+  .checkout-layout{flex-direction:column;}
+  .checkout-summary{padding:32px 20px;border-right:none;border-bottom:1px solid #0a3300;}
+  .checkout-form-side{padding:32px 20px;}
+}
+`;
+var POWERED_BY = `<div class="powered-by">Powered by <a href="https://emulate.dev" target="_blank" rel="noopener">emulate</a></div>`;
+function emuBar(service) {
+  const title = service ? `${escapeHtml(service)} Emulator` : "Emulator";
+  return `<div class="emu-bar">
+  <span class="emu-bar-title">${title}</span>
+  <nav class="emu-bar-links">
+    <a href="https://github.com/vercel-labs/emulate/issues" target="_blank" rel="noopener"><span class="full">Report Issue</span><span class="short">Report</span></a>
+    <a href="https://github.com/vercel-labs/emulate" target="_blank" rel="noopener"><span class="full">Source Code</span><span class="short">Source</span></a>
+    <a href="https://emulate.dev" target="_blank" rel="noopener"><span class="full">Learn More</span><span class="short">Learn</span></a>
+  </nav>
+</div>`;
+}
+function head(title) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<link rel="icon" href="/_emulate/favicon.ico"/>
+<title>${escapeHtml(title)} | emulate</title>
+<style>${CSS}</style>
+</head>`;
+}
+function renderCardPage(title, subtitle, body, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner">
+    <div class="card-title">${escapeHtml(title)}</div>
+    <div class="card-subtitle">${subtitle}</div>
+    ${body}
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+function renderUserButton(opts) {
+  const hiddens = Object.entries(opts.hiddenFields).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("");
+  const nameLine = opts.name ? `<div class="user-meta">${escapeHtml(opts.name)}</div>` : "";
+  const emailLine = opts.email ? `<div class="user-email">${escapeHtml(opts.email)}</div>` : "";
+  return `<form class="user-form" method="post" action="${escapeAttr(opts.formAction)}">
+${hiddens}
+<button type="submit" class="user-btn">
+  <span class="avatar">${escapeHtml(opts.letter)}</span>
+  <span class="user-text">
+    <span class="user-login">${escapeHtml(opts.login)}</span>
+    ${nameLine}${emailLine}
+  </span>
+</button>
+</form>`;
+}
+var keyPairPromise = generateKeyPair("RS256", { extractable: true });
+var KID = "emulate-workos-1";
+async function jwksResponse() {
+  const { publicKey } = await keyPairPromise;
+  const jwk = await exportJWK(publicKey);
+  return { keys: [{ ...jwk, kid: KID, use: "sig", alg: "RS256" }] };
+}
+async function signAccessToken(claims, options) {
+  const { privateKey } = await keyPairPromise;
+  let jwt = new SignJWT(claims).setProtectedHeader({ alg: "RS256", kid: KID, typ: "JWT" }).setIssuer(options.issuer).setIssuedAt().setJti(`jti_${Math.random().toString(36).slice(2)}`).setExpirationTime(options.expiresIn ?? "1h");
+  if (options.audience) jwt = jwt.setAudience(options.audience);
+  return jwt.sign(privateKey);
+}
+var counter = 0;
+function workosId(prefix) {
+  counter += 1;
+  return `${prefix}_${String(counter).padStart(4, "0")}${Math.random().toString(36).slice(2, 8).toUpperCase()}`;
+}
+function randomToken(prefix) {
+  return `${prefix}_${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
+}
+function workosError(c, status, code, message) {
+  return c.json({ code, message, error: code, error_description: message }, status);
+}
+function listEnvelope(data) {
+  return {
+    object: "list",
+    data,
+    list_metadata: { before: null, after: null },
+    // Some SDK paths read the camelCase variant on raw responses.
+    listMetadata: { before: null, after: null }
+  };
+}
+function serializeUser(user) {
+  return {
+    object: "user",
+    id: user.workos_id,
+    email: user.email,
+    email_verified: user.email_verified,
+    first_name: user.first_name,
+    last_name: user.last_name,
+    profile_picture_url: user.profile_picture_url,
+    last_sign_in_at: user.updated_at,
+    external_id: null,
+    metadata: {},
+    created_at: user.created_at,
+    updated_at: user.updated_at
+  };
+}
+function serializeOrganization(org) {
+  return {
+    object: "organization",
+    id: org.workos_id,
+    name: org.name,
+    allow_profiles_outside_organization: false,
+    domains: [],
+    stripe_customer_id: null,
+    external_id: org.external_id,
+    metadata: {},
+    created_at: org.created_at,
+    updated_at: org.updated_at
+  };
+}
+function serializeMembership(membership, organizationName) {
+  return {
+    object: "organization_membership",
+    id: membership.workos_id,
+    user_id: membership.user_id,
+    organization_id: membership.organization_id,
+    organization_name: organizationName,
+    status: membership.status,
+    role: { slug: membership.role_slug },
+    created_at: membership.created_at,
+    updated_at: membership.updated_at
+  };
+}
+function serializeInvitation(invitation) {
+  return {
+    object: "invitation",
+    id: invitation.workos_id,
+    email: invitation.email,
+    state: invitation.state,
+    organization_id: invitation.organization_id,
+    inviter_user_id: invitation.inviter_user_id,
+    accepted_user_id: null,
+    token: invitation.token,
+    accept_invitation_url: `https://example.invalid/invite/${invitation.token}`,
+    expires_at: invitation.expires_at,
+    created_at: invitation.created_at,
+    updated_at: invitation.updated_at
+  };
+}
+function serializeApiKey(key, options = {}) {
+  return {
+    object: "api_key",
+    id: key.workos_id,
+    name: key.name,
+    obfuscated_value: `${key.value.slice(0, 7)}\u2026${key.value.slice(-4)}`,
+    owner: { type: "user", id: key.user_id, organization_id: key.organization_id },
+    last_used_at: key.last_used_at,
+    created_at: key.created_at,
+    updated_at: key.updated_at,
+    ...options.includeValue ? { value: key.value } : {}
+  };
+}
+function serializeVaultMetadata(object) {
+  return {
+    id: object.workos_id,
+    context: object.key_context,
+    environment_id: "environment_emulate",
+    key_id: "key_emulate",
+    updated_at: object.updated_at,
+    updated_by: { id: "key_emulate", name: "emulate" },
+    version_id: object.version_id
+  };
+}
+function serializeVaultObject(object) {
+  return {
+    id: object.workos_id,
+    name: object.name,
+    value: object.value,
+    metadata: serializeVaultMetadata(object)
+  };
+}
+function parseStatuses(c) {
+  const repeated = c.req.queries("statuses") ?? [];
+  const bracketed = c.req.queries("statuses[]") ?? [];
+  return [...repeated, ...bracketed].flatMap((value) => value.split(",")).filter(Boolean);
+}
+function ensureUserByEmail(ws, email) {
+  const existing = ws.users.findOneBy("email", email);
+  if (existing) return existing;
+  return ws.users.insert({
+    workos_id: workosId("user"),
+    email,
+    first_name: "Test",
+    last_name: "User",
+    email_verified: true,
+    profile_picture_url: null
+  });
+}
+async function authenticationResponse(c, ws, baseUrl, user, organizationId, clientId) {
+  const session = ws.sessions.insert({
+    workos_id: workosId("session"),
+    refresh_token: randomToken("rt"),
+    user_id: user.workos_id,
+    organization_id: organizationId,
+    client_id: clientId,
+    revoked: false
+  });
+  const membership = organizationId ? ws.memberships.findBy("user_id", user.workos_id).find((m) => m.organization_id === organizationId) : void 0;
+  const accessToken = await signAccessToken(
+    {
+      sub: user.workos_id,
+      sid: session.workos_id,
+      ...organizationId ? { org_id: organizationId } : {},
+      ...membership ? { role: membership.role_slug } : {},
+      permissions: []
+    },
+    { issuer: baseUrl, audience: clientId }
+  );
+  return c.json({
+    user: serializeUser(user),
+    organization_id: organizationId,
+    access_token: accessToken,
+    refresh_token: session.refresh_token,
+    authentication_method: "SSO"
+  });
+}
+function userManagementRoutes(ctx) {
+  const { app, store, baseUrl } = ctx;
+  const ws = () => getWorkosStore(store);
+  app.get("/user_management/authorize", (c) => {
+    const clientId = c.req.query("client_id") ?? "";
+    const redirectUri = c.req.query("redirect_uri") ?? "";
+    const state = c.req.query("state") ?? "";
+    const loginHint = c.req.query("login_hint");
+    if (loginHint) {
+      return issueCodeRedirect(c, ws(), loginHint, clientId, redirectUri, state);
+    }
+    const users = ws().users.all();
+    const buttons = users.map(
+      (user) => renderUserButton({
+        letter: (user.email[0] ?? "?").toUpperCase(),
+        login: user.email,
+        name: `${user.first_name ?? ""} ${user.last_name ?? ""}`.trim() || user.email,
+        email: user.email,
+        formAction: `${baseUrl}/user_management/authorize/submit`,
+        hiddenFields: { email: user.email, client_id: clientId, redirect_uri: redirectUri, state }
+      })
+    ).join("\n");
+    const newUserForm = `
+      <form method="post" action="${baseUrl}/user_management/authorize/submit" class="new-user">
+        <input type="hidden" name="client_id" value="${escapeHtml(clientId)}" />
+        <input type="hidden" name="redirect_uri" value="${escapeHtml(redirectUri)}" />
+        <input type="hidden" name="state" value="${escapeHtml(state)}" />
+        <input type="email" name="email" class="checkout-input" placeholder="new-user@example.com" required />
+        <button type="submit" class="checkout-pay-btn">Continue as new user</button>
+      </form>`;
+    return c.html(
+      renderCardPage(
+        "Sign in with AuthKit",
+        "Pick an existing emulator user or continue as a new one.",
+        `${buttons}${newUserForm}`
+      ),
+      200
+    );
+  });
+  app.post("/user_management/authorize/submit", async (c) => {
+    const form = await c.req.parseBody();
+    const email = String(form.email ?? "");
+    if (!email) return workosError(c, 422, "invalid_request", "email is required");
+    return issueCodeRedirect(
+      c,
+      ws(),
+      email,
+      String(form.client_id ?? ""),
+      String(form.redirect_uri ?? ""),
+      String(form.state ?? "")
+    );
+  });
+  function issueCodeRedirect(c, storeRef, email, clientId, redirectUri, state) {
+    if (!redirectUri) return workosError(c, 422, "invalid_request", "redirect_uri is required");
+    const user = ensureUserByEmail(storeRef, email);
+    const code = randomToken("code");
+    const activeMembership = storeRef.memberships.findBy("user_id", user.workos_id).find((m) => m.status === "active");
+    storeRef.authCodes.insert({
+      code,
+      user_id: user.workos_id,
+      organization_id: activeMembership?.organization_id ?? null,
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      used: false
+    });
+    const target = new URL(redirectUri);
+    target.searchParams.set("code", code);
+    if (state) target.searchParams.set("state", state);
+    return c.redirect(target.toString(), 302);
+  }
+  app.post("/user_management/authenticate", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const grantType = String(body.grant_type ?? "");
+    const clientId = String(body.client_id ?? "");
+    if (grantType === "authorization_code") {
+      const code = String(body.code ?? "");
+      const authCode = ws().authCodes.findOneBy("code", code);
+      if (!authCode || authCode.used) {
+        return workosError(c, 400, "invalid_grant", "The code is invalid or has been used.");
+      }
+      ws().authCodes.update(authCode.id, { used: true });
+      const user = ws().users.findOneBy("workos_id", authCode.user_id);
+      if (!user) return workosError(c, 400, "invalid_grant", "Unknown user for code.");
+      return authenticationResponse(c, ws(), baseUrl, user, authCode.organization_id, clientId);
+    }
+    if (grantType === "refresh_token") {
+      const refreshToken = String(body.refresh_token ?? "");
+      const session = ws().sessions.findOneBy("refresh_token", refreshToken);
+      if (!session || session.revoked) {
+        return workosError(c, 400, "invalid_grant", "Refresh token is invalid.");
+      }
+      const user = ws().users.findOneBy("workos_id", session.user_id);
+      if (!user) return workosError(c, 400, "invalid_grant", "Unknown user for session.");
+      const requestedOrg = typeof body.organization_id === "string" && body.organization_id.length > 0 ? body.organization_id : session.organization_id;
+      if (requestedOrg) {
+        const membership = ws().memberships.findBy("user_id", user.workos_id).find((m) => m.organization_id === requestedOrg && m.status === "active");
+        if (!membership) {
+          return workosError(
+            c,
+            403,
+            "sso_required",
+            "User does not have an active membership in the requested organization."
+          );
+        }
+        const organization = ws().organizations.findOneBy("workos_id", requestedOrg);
+        if (!organization) return workosError(c, 404, "not_found", "Organization not found.");
+      }
+      ws().sessions.update(session.id, { revoked: true });
+      return authenticationResponse(c, ws(), baseUrl, user, requestedOrg ?? null, clientId);
+    }
+    return workosError(c, 400, "unsupported_grant_type", `Unsupported grant_type: ${grantType}`);
+  });
+  app.get("/user_management/users/:id", (c) => {
+    const user = ws().users.findOneBy("workos_id", c.req.param("id"));
+    if (!user) return workosError(c, 404, "entity_not_found", "User not found.");
+    return c.json(serializeUser(user));
+  });
+  app.get("/user_management/organization_memberships", (c) => {
+    const userId = c.req.query("user_id");
+    const organizationId = c.req.query("organization_id");
+    const statuses = parseStatuses(c);
+    let memberships = ws().memberships.all();
+    if (userId) memberships = memberships.filter((m) => m.user_id === userId);
+    if (organizationId) {
+      memberships = memberships.filter((m) => m.organization_id === organizationId);
+    }
+    if (statuses.length > 0) memberships = memberships.filter((m) => statuses.includes(m.status));
+    return c.json(
+      listEnvelope(
+        memberships.map(
+          (m) => serializeMembership(
+            m,
+            ws().organizations.findOneBy("workos_id", m.organization_id)?.name ?? m.organization_id
+          )
+        )
+      )
+    );
+  });
+  app.post("/user_management/organization_memberships", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const userId = String(body.user_id ?? "");
+    const organizationId = String(body.organization_id ?? "");
+    const user = ws().users.findOneBy("workos_id", userId);
+    const organization = ws().organizations.findOneBy("workos_id", organizationId);
+    if (!user) return workosError(c, 404, "entity_not_found", "User not found.");
+    if (!organization) return workosError(c, 404, "entity_not_found", "Organization not found.");
+    const existing = ws().memberships.findBy("user_id", userId).find((m) => m.organization_id === organizationId);
+    if (existing) {
+      return workosError(c, 409, "organization_membership_already_exists", "Already a member.");
+    }
+    const membership = ws().memberships.insert({
+      workos_id: workosId("om"),
+      user_id: userId,
+      organization_id: organizationId,
+      status: "active",
+      role_slug: typeof body.role_slug === "string" && body.role_slug ? body.role_slug : "member"
+    });
+    return c.json(serializeMembership(membership, organization.name), 201);
+  });
+  app.get("/user_management/organization_memberships/:id", (c) => {
+    const membership = ws().memberships.findOneBy("workos_id", c.req.param("id"));
+    if (!membership) return workosError(c, 404, "entity_not_found", "Membership not found.");
+    const organizationName = ws().organizations.findOneBy("workos_id", membership.organization_id)?.name ?? membership.organization_id;
+    return c.json(serializeMembership(membership, organizationName));
+  });
+  app.put("/user_management/organization_memberships/:id", async (c) => {
+    const membership = ws().memberships.findOneBy("workos_id", c.req.param("id"));
+    if (!membership) return workosError(c, 404, "entity_not_found", "Membership not found.");
+    const body = await c.req.json().catch(() => ({}));
+    const updated = ws().memberships.update(membership.id, {
+      role_slug: typeof body.role_slug === "string" && body.role_slug ? body.role_slug : membership.role_slug
+    });
+    const organizationName = ws().organizations.findOneBy("workos_id", updated.organization_id)?.name ?? updated.organization_id;
+    return c.json(serializeMembership(updated, organizationName));
+  });
+  app.delete("/user_management/organization_memberships/:id", (c) => {
+    const membership = ws().memberships.findOneBy("workos_id", c.req.param("id"));
+    if (!membership) return workosError(c, 404, "entity_not_found", "Membership not found.");
+    ws().memberships.delete(membership.id);
+    return c.body(null, 204);
+  });
+  app.get("/user_management/invitations", (c) => {
+    const email = c.req.query("email");
+    const organizationId = c.req.query("organization_id");
+    let invitations = ws().invitations.all();
+    if (email) invitations = invitations.filter((i) => i.email === email);
+    if (organizationId) {
+      invitations = invitations.filter((i) => i.organization_id === organizationId);
+    }
+    return c.json(listEnvelope(invitations.map(serializeInvitation)));
+  });
+  app.post("/user_management/invitations", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const email = String(body.email ?? "");
+    const organizationId = String(body.organization_id ?? "");
+    if (!email) return workosError(c, 422, "invalid_request", "email is required");
+    if (!ws().organizations.findOneBy("workos_id", organizationId)) {
+      return workosError(c, 404, "entity_not_found", "Organization not found.");
+    }
+    const invitation = ws().invitations.insert({
+      workos_id: workosId("invitation"),
+      email,
+      organization_id: organizationId,
+      inviter_user_id: typeof body.inviter_user_id === "string" ? body.inviter_user_id : null,
+      role_slug: typeof body.role_slug === "string" ? body.role_slug : null,
+      state: "pending",
+      token: randomToken("invite"),
+      expires_at: new Date(Date.now() + 7 * 24 * 3600 * 1e3).toISOString()
+    });
+    return c.json(serializeInvitation(invitation), 201);
+  });
+  app.post("/user_management/invitations/:id/accept", (c) => {
+    const invitation = ws().invitations.findOneBy("workos_id", c.req.param("id"));
+    if (!invitation) return workosError(c, 404, "entity_not_found", "Invitation not found.");
+    if (invitation.state !== "pending") {
+      return workosError(c, 400, "invalid_request", "Invitation is not pending.");
+    }
+    const updated = ws().invitations.update(invitation.id, { state: "accepted" });
+    const user = ws().users.findOneBy("email", invitation.email);
+    if (user) {
+      const already = ws().memberships.findBy("user_id", user.workos_id).find((m) => m.organization_id === invitation.organization_id);
+      if (!already) {
+        ws().memberships.insert({
+          workos_id: workosId("om"),
+          user_id: user.workos_id,
+          organization_id: invitation.organization_id,
+          status: "active",
+          role_slug: invitation.role_slug ?? "member"
+        });
+      }
+    }
+    return c.json(serializeInvitation(updated));
+  });
+  app.get("/user_management/users/:id/api_keys", (c) => {
+    const userId = c.req.param("id");
+    const organizationId = c.req.query("organization_id");
+    let keys = ws().apiKeys.findBy("user_id", userId);
+    if (organizationId) keys = keys.filter((k) => k.organization_id === organizationId);
+    return c.json(listEnvelope(keys.map((k) => serializeApiKey(k))));
+  });
+  app.post("/user_management/users/:id/api_keys", async (c) => {
+    const userId = c.req.param("id");
+    const body = await c.req.json().catch(() => ({}));
+    const user = ws().users.findOneBy("workos_id", userId);
+    if (!user) return workosError(c, 404, "entity_not_found", "User not found.");
+    const key = ws().apiKeys.insert({
+      workos_id: workosId("key"),
+      name: String(body.name ?? "api key"),
+      value: randomToken("sk_emulate"),
+      user_id: userId,
+      organization_id: String(body.organization_id ?? ""),
+      last_used_at: null
+    });
+    return c.json(serializeApiKey(key, { includeValue: true }), 201);
+  });
+}
+function organizationRoutes(ctx) {
+  const { app, store, baseUrl } = ctx;
+  const ws = () => getWorkosStore(store);
+  app.post("/organizations", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const name = String(body.name ?? "");
+    if (!name) return workosError(c, 422, "invalid_request", "name is required");
+    const organization = ws().organizations.insert({
+      workos_id: workosId("org"),
+      name,
+      external_id: typeof body.external_id === "string" ? body.external_id : null
+    });
+    return c.json(serializeOrganization(organization), 201);
+  });
+  app.get("/organizations/:id", (c) => {
+    const organization = ws().organizations.findOneBy("workos_id", c.req.param("id"));
+    if (!organization) return workosError(c, 404, "entity_not_found", "Organization not found.");
+    return c.json(serializeOrganization(organization));
+  });
+  app.put("/organizations/:id", async (c) => {
+    const organization = ws().organizations.findOneBy("workos_id", c.req.param("id"));
+    if (!organization) return workosError(c, 404, "entity_not_found", "Organization not found.");
+    const body = await c.req.json().catch(() => ({}));
+    const updated = ws().organizations.update(organization.id, {
+      name: typeof body.name === "string" && body.name ? body.name : organization.name
+    });
+    return c.json(serializeOrganization(updated));
+  });
+  app.get("/organizations/:id/roles", (c) => {
+    const organization = ws().organizations.findOneBy("workos_id", c.req.param("id"));
+    if (!organization) return workosError(c, 404, "entity_not_found", "Organization not found.");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const role = (slug, name) => ({
+      object: "role",
+      id: `role_${slug}`,
+      name,
+      slug,
+      description: null,
+      permissions: [],
+      resource_type_slug: "organization",
+      type: "OrganizationRole",
+      created_at: now,
+      updated_at: now
+    });
+    return c.json(listEnvelope([role("admin", "Admin"), role("member", "Member")]));
+  });
+  app.post("/portal/generate_link", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const organization = String(body.organization ?? "");
+    return c.json({ link: `${baseUrl}/_portal/${organization}?intent=${body.intent ?? ""}` });
+  });
+  app.get(
+    "/organization_domains/:id",
+    (c) => c.json({
+      object: "organization_domain",
+      id: c.req.param("id"),
+      organization_id: "org_unknown",
+      domain: "example.com",
+      state: "verified",
+      verification_strategy: "dns",
+      verification_token: "token"
+    })
+  );
+  app.delete("/organization_domains/:id", (c) => c.body(null, 204));
+}
+function apiKeyRoutes(ctx) {
+  const { app, store } = ctx;
+  const ws = () => getWorkosStore(store);
+  app.post("/api_keys/validations", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const value = String(body.value ?? "");
+    const key = ws().apiKeys.findOneBy("value", value);
+    if (!key) return workosError(c, 404, "invalid_api_key", "API key is invalid.");
+    ws().apiKeys.update(key.id, { last_used_at: (/* @__PURE__ */ new Date()).toISOString() });
+    return c.json({ api_key: serializeApiKey(key) });
+  });
+  app.delete("/api_keys/:id", (c) => {
+    const key = ws().apiKeys.findOneBy("workos_id", c.req.param("id"));
+    if (!key) return workosError(c, 404, "entity_not_found", "API key not found.");
+    ws().apiKeys.delete(key.id);
+    return c.body(null, 204);
+  });
+}
+function vaultRoutes(ctx) {
+  const { app, store } = ctx;
+  const ws = () => getWorkosStore(store);
+  app.post("/vault/v1/kv", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const name = String(body.name ?? "");
+    if (!name) return workosError(c, 400, "invalid_request", "name is required");
+    if (ws().vaultObjects.findOneBy("name", name)) {
+      return workosError(c, 409, "conflict", `An object named '${name}' already exists.`);
+    }
+    const object = ws().vaultObjects.insert({
+      workos_id: workosId("kv"),
+      name,
+      value: String(body.value ?? ""),
+      key_context: body.key_context ?? {},
+      version_id: randomToken("version")
+    });
+    return c.json(serializeVaultMetadata(object), 201);
+  });
+  app.get(
+    "/vault/v1/kv",
+    (c) => c.json(
+      listEnvelope(
+        ws().vaultObjects.all().map((object) => ({ id: object.workos_id, name: object.name }))
+      )
+    )
+  );
+  app.get("/vault/v1/kv/name/:name", (c) => {
+    const object = ws().vaultObjects.findOneBy("name", c.req.param("name"));
+    if (!object) return workosError(c, 404, "not_found", "Object not found.");
+    return c.json(serializeVaultObject(object));
+  });
+  app.get("/vault/v1/kv/:id", (c) => {
+    const object = ws().vaultObjects.findOneBy("workos_id", c.req.param("id"));
+    if (!object) return workosError(c, 404, "not_found", "Object not found.");
+    return c.json(serializeVaultObject(object));
+  });
+  app.put("/vault/v1/kv/:id", async (c) => {
+    const object = ws().vaultObjects.findOneBy("workos_id", c.req.param("id"));
+    if (!object) return workosError(c, 404, "not_found", "Object not found.");
+    const body = await c.req.json().catch(() => ({}));
+    const versionCheck = body.version_check;
+    if (typeof versionCheck === "string" && versionCheck !== object.version_id) {
+      return workosError(c, 409, "conflict", "Version check failed.");
+    }
+    const updated = ws().vaultObjects.update(object.id, {
+      value: String(body.value ?? object.value),
+      version_id: randomToken("version")
+    });
+    return c.json(serializeVaultObject(updated));
+  });
+  app.delete("/vault/v1/kv/:id", (c) => {
+    const object = ws().vaultObjects.findOneBy("workos_id", c.req.param("id"));
+    if (!object) return workosError(c, 404, "not_found", "Object not found.");
+    ws().vaultObjects.delete(object.id);
+    return c.body(null, 204);
+  });
+}
+function oauthRoutes(ctx) {
+  const { app, store, baseUrl } = ctx;
+  const ws = () => getWorkosStore(store);
+  app.get("/sso/jwks/:clientId", async (c) => c.json(await jwksResponse()));
+  app.get("/oauth2/jwks", async (c) => c.json(await jwksResponse()));
+  app.get(
+    "/.well-known/oauth-authorization-server",
+    (c) => c.json({
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/oauth2/authorize`,
+      token_endpoint: `${baseUrl}/oauth2/token`,
+      registration_endpoint: `${baseUrl}/oauth2/register`,
+      jwks_uri: `${baseUrl}/oauth2/jwks`,
+      response_types_supported: ["code"],
+      grant_types_supported: ["authorization_code", "refresh_token"],
+      code_challenge_methods_supported: ["S256"],
+      token_endpoint_auth_methods_supported: ["client_secret_post", "none"]
+    })
+  );
+  app.post("/oauth2/register", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const client = ws().oauthClients.insert({
+      client_id: workosId("client"),
+      client_secret: null,
+      redirect_uris: Array.isArray(body.redirect_uris) ? body.redirect_uris : [],
+      name: typeof body.client_name === "string" ? body.client_name : null
+    });
+    return c.json(
+      {
+        client_id: client.client_id,
+        client_id_issued_at: Math.floor(Date.now() / 1e3),
+        redirect_uris: client.redirect_uris,
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        token_endpoint_auth_method: "none"
+      },
+      201
+    );
+  });
+  app.get("/oauth2/authorize", (c) => {
+    const clientId = c.req.query("client_id") ?? "";
+    const redirectUri = c.req.query("redirect_uri") ?? "";
+    const state = c.req.query("state") ?? "";
+    const codeChallenge = c.req.query("code_challenge") ?? "";
+    const loginHint = c.req.query("login_hint");
+    if (!redirectUri) return workosError(c, 422, "invalid_request", "redirect_uri is required");
+    const issue = (email) => {
+      const user = ensureUserByEmail(ws(), email);
+      const activeMembership = ws().memberships.findBy("user_id", user.workos_id).find((m) => m.status === "active");
+      const code = randomToken("mcpcode");
+      ws().oauthCodes.insert({
+        code,
+        user_id: user.workos_id,
+        organization_id: activeMembership?.organization_id ?? null,
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        code_challenge: codeChallenge || null,
+        used: false
+      });
+      const target = new URL(redirectUri);
+      target.searchParams.set("code", code);
+      if (state) target.searchParams.set("state", state);
+      return c.redirect(target.toString(), 302);
+    };
+    if (loginHint) return issue(loginHint);
+    const users = ws().users.all();
+    const buttons = users.map(
+      (user) => renderUserButton({
+        letter: (user.email[0] ?? "?").toUpperCase(),
+        login: user.email,
+        name: `${user.first_name ?? ""} ${user.last_name ?? ""}`.trim() || user.email,
+        email: user.email,
+        formAction: `${baseUrl}/oauth2/authorize/submit`,
+        hiddenFields: {
+          email: user.email,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          state,
+          code_challenge: codeChallenge
+        }
+      })
+    ).join("\n");
+    const newUserForm = `
+      <form method="post" action="${baseUrl}/oauth2/authorize/submit" class="new-user">
+        <input type="hidden" name="client_id" value="${escapeHtml(clientId)}" />
+        <input type="hidden" name="redirect_uri" value="${escapeHtml(redirectUri)}" />
+        <input type="hidden" name="state" value="${escapeHtml(state)}" />
+        <input type="hidden" name="code_challenge" value="${escapeHtml(codeChallenge)}" />
+        <input type="email" name="email" class="checkout-input" placeholder="new-user@example.com" required />
+        <button type="submit" class="checkout-pay-btn">Continue as new user</button>
+      </form>`;
+    return c.html(
+      renderCardPage("Authorize MCP client", "Sign in to connect this MCP client.", `${buttons}${newUserForm}`),
+      200
+    );
+  });
+  app.post("/oauth2/authorize/submit", async (c) => {
+    const form = await c.req.parseBody();
+    const email = String(form.email ?? "");
+    const redirectUri = String(form.redirect_uri ?? "");
+    if (!email || !redirectUri) {
+      return workosError(c, 422, "invalid_request", "email and redirect_uri are required");
+    }
+    const user = ensureUserByEmail(ws(), email);
+    const activeMembership = ws().memberships.findBy("user_id", user.workos_id).find((m) => m.status === "active");
+    const code = randomToken("mcpcode");
+    ws().oauthCodes.insert({
+      code,
+      user_id: user.workos_id,
+      organization_id: activeMembership?.organization_id ?? null,
+      client_id: String(form.client_id ?? ""),
+      redirect_uri: redirectUri,
+      code_challenge: String(form.code_challenge ?? "") || null,
+      used: false
+    });
+    const target = new URL(redirectUri);
+    target.searchParams.set("code", code);
+    const state = String(form.state ?? "");
+    if (state) target.searchParams.set("state", state);
+    return c.redirect(target.toString(), 302);
+  });
+  app.post("/oauth2/token", async (c) => {
+    const contentType = c.req.header("content-type") ?? "";
+    const body = contentType.includes("json") ? await c.req.json().catch(() => ({})) : await c.req.parseBody();
+    const grantType = String(body.grant_type ?? "");
+    if (grantType === "refresh_token") {
+      const refreshToken = String(body.refresh_token ?? "");
+      const session2 = ws().sessions.findOneBy("refresh_token", refreshToken);
+      if (!session2 || session2.revoked) {
+        return workosError(c, 400, "invalid_grant", "Refresh token is invalid.");
+      }
+      ws().sessions.update(session2.id, { revoked: true });
+      const rotated = ws().sessions.insert({
+        workos_id: workosId("session"),
+        refresh_token: randomToken("rt"),
+        user_id: session2.user_id,
+        organization_id: session2.organization_id,
+        client_id: session2.client_id,
+        revoked: false
+      });
+      const audience2 = process.env.EMULATE_WORKOS_AUDIENCE ?? session2.client_id;
+      const accessToken2 = await signAccessToken(
+        {
+          sub: session2.user_id,
+          sid: rotated.workos_id,
+          ...session2.organization_id ? { org_id: session2.organization_id } : {},
+          permissions: []
+        },
+        { issuer: baseUrl, audience: audience2 }
+      );
+      return c.json({
+        access_token: accessToken2,
+        token_type: "Bearer",
+        expires_in: 3600,
+        refresh_token: rotated.refresh_token
+      });
+    }
+    if (grantType !== "authorization_code") {
+      return workosError(c, 400, "unsupported_grant_type", `Unsupported grant_type: ${grantType}`);
+    }
+    const code = String(body.code ?? "");
+    const oauthCode = ws().oauthCodes.findOneBy("code", code);
+    if (!oauthCode || oauthCode.used) {
+      return workosError(c, 400, "invalid_grant", "The code is invalid or has been used.");
+    }
+    ws().oauthCodes.update(oauthCode.id, { used: true });
+    const audience = process.env.EMULATE_WORKOS_AUDIENCE ?? oauthCode.client_id;
+    const session = ws().sessions.insert({
+      workos_id: workosId("session"),
+      refresh_token: randomToken("rt"),
+      user_id: oauthCode.user_id,
+      organization_id: oauthCode.organization_id,
+      client_id: oauthCode.client_id,
+      revoked: false
+    });
+    const accessToken = await signAccessToken(
+      {
+        sub: oauthCode.user_id,
+        sid: session.workos_id,
+        ...oauthCode.organization_id ? { org_id: oauthCode.organization_id } : {},
+        permissions: []
+      },
+      { issuer: baseUrl, audience }
+    );
+    return c.json({
+      access_token: accessToken,
+      token_type: "Bearer",
+      expires_in: 3600,
+      refresh_token: session.refresh_token
+    });
+  });
+}
+var manifest = {
+  id: "workos",
+  name: "WorkOS",
+  description: "Stateful WorkOS emulator: AuthKit user management (hosted login, code + refresh grants, sealed-session JWKS), organizations, memberships, invitations, API keys, Vault KV, and an OAuth authorization server for MCP clients.",
+  docsUrl: "https://docs.emulators.dev/workos",
+  surfaces: [
+    { id: "rest", kind: "rest", title: "WorkOS REST API", status: "partial", basePath: "/" },
+    { id: "authkit", kind: "ui", title: "Hosted AuthKit login", status: "supported", basePath: "/user_management/authorize" },
+    { id: "oauth", kind: "rest", title: "OAuth authorization server (MCP)", status: "supported", basePath: "/oauth2" },
+    { id: "vault", kind: "rest", title: "Vault KV", status: "supported", basePath: "/vault/v1/kv" }
+  ],
+  auth: [{ id: "api-key", title: "WorkOS secret key", type: "api-key", status: "supported" }],
+  specs: [
+    {
+      kind: "manual",
+      title: "WorkOS User Management + Organizations subset",
+      coverage: "hand-authored",
+      operations: [
+        { operationId: "userManagement.authorize", method: "GET", path: "/user_management/authorize", status: "hand-authored" },
+        { operationId: "userManagement.authenticate", method: "POST", path: "/user_management/authenticate", status: "hand-authored" },
+        { operationId: "userManagement.getUser", method: "GET", path: "/user_management/users/:id", status: "hand-authored" },
+        { operationId: "memberships.list", method: "GET", path: "/user_management/organization_memberships", status: "hand-authored" },
+        { operationId: "memberships.create", method: "POST", path: "/user_management/organization_memberships", status: "hand-authored" },
+        { operationId: "memberships.get", method: "GET", path: "/user_management/organization_memberships/:id", status: "hand-authored" },
+        { operationId: "memberships.update", method: "PUT", path: "/user_management/organization_memberships/:id", status: "hand-authored" },
+        { operationId: "memberships.delete", method: "DELETE", path: "/user_management/organization_memberships/:id", status: "hand-authored" },
+        { operationId: "invitations.list", method: "GET", path: "/user_management/invitations", status: "hand-authored" },
+        { operationId: "invitations.send", method: "POST", path: "/user_management/invitations", status: "hand-authored" },
+        { operationId: "invitations.accept", method: "POST", path: "/user_management/invitations/:id/accept", status: "hand-authored" },
+        { operationId: "userApiKeys.list", method: "GET", path: "/user_management/users/:id/api_keys", status: "hand-authored" },
+        { operationId: "userApiKeys.create", method: "POST", path: "/user_management/users/:id/api_keys", status: "hand-authored" },
+        { operationId: "apiKeys.validate", method: "POST", path: "/api_keys/validations", status: "hand-authored" },
+        { operationId: "apiKeys.delete", method: "DELETE", path: "/api_keys/:id", status: "hand-authored" },
+        { operationId: "organizations.create", method: "POST", path: "/organizations", status: "hand-authored" },
+        { operationId: "organizations.get", method: "GET", path: "/organizations/:id", status: "hand-authored" },
+        { operationId: "organizations.update", method: "PUT", path: "/organizations/:id", status: "hand-authored" },
+        { operationId: "organizations.roles", method: "GET", path: "/organizations/:id/roles", status: "hand-authored" },
+        { operationId: "sso.jwks", method: "GET", path: "/sso/jwks/:clientId", status: "hand-authored" },
+        { operationId: "oauth.metadata", method: "GET", path: "/.well-known/oauth-authorization-server", status: "hand-authored" },
+        { operationId: "oauth.register", method: "POST", path: "/oauth2/register", status: "hand-authored" },
+        { operationId: "oauth.authorize", method: "GET", path: "/oauth2/authorize", status: "hand-authored" },
+        { operationId: "oauth.token", method: "POST", path: "/oauth2/token", status: "hand-authored" },
+        { operationId: "vault.create", method: "POST", path: "/vault/v1/kv", status: "hand-authored" },
+        { operationId: "vault.readByName", method: "GET", path: "/vault/v1/kv/name/:name", status: "hand-authored" },
+        { operationId: "vault.update", method: "PUT", path: "/vault/v1/kv/:id", status: "hand-authored" },
+        { operationId: "vault.delete", method: "DELETE", path: "/vault/v1/kv/:id", status: "hand-authored" }
+      ]
+    }
+  ],
+  seedSchema: {
+    description: "Seed users, organizations, and memberships.",
+    fields: [
+      {
+        key: "users",
+        title: "Users",
+        description: "AuthKit users (email is the identity; sign-in creates missing users on the fly).",
+        example: [{ email: "admin@example.com", first_name: "Admin", last_name: "User" }]
+      },
+      {
+        key: "organizations",
+        title: "Organizations",
+        description: "Organizations with optional member emails (memberships are created as active).",
+        example: [{ name: "Acme", members: ["admin@example.com"] }]
+      }
+    ],
+    example: {
+      users: [{ email: "admin@example.com", first_name: "Admin", last_name: "User" }],
+      organizations: [{ name: "Acme", members: ["admin@example.com"] }]
+    }
+  },
+  stateModel: {
+    description: "Entities mutated by WorkOS provider calls.",
+    collections: [
+      { name: "workos.users" },
+      { name: "workos.organizations" },
+      { name: "workos.memberships" },
+      { name: "workos.invitations" },
+      { name: "workos.api_keys" },
+      { name: "workos.sessions" },
+      { name: "workos.vault_objects" },
+      { name: "workos.oauth_clients" }
+    ]
+  },
+  connections: [
+    {
+      id: "workos-node",
+      title: "WorkOS Node SDK",
+      kind: "sdk",
+      language: "typescript",
+      description: "Point @workos-inc/node at the emulator via apiHostname \u2014 sealed sessions, JWKS, everything follows.",
+      template: 'import { WorkOS } from "@workos-inc/node";\n\nconst url = new URL("{{baseUrl}}");\nconst workos = new WorkOS("{{token}}", {\n  clientId: "client_emulate",\n  apiHostname: url.hostname,\n  port: Number(url.port),\n  https: url.protocol === "https:",\n});'
+    }
+  ]
+};
+function seedFromConfig(store, _baseUrl, config) {
+  const ws = getWorkosStore(store);
+  for (const user of config.users ?? []) {
+    const created = ensureUserByEmail(ws, user.email);
+    if (user.first_name || user.last_name) {
+      ws.users.update(created.id, {
+        first_name: user.first_name ?? created.first_name,
+        last_name: user.last_name ?? created.last_name
+      });
+    }
+  }
+  for (const organization of config.organizations ?? []) {
+    const org = ws.organizations.insert({
+      workos_id: workosId("org"),
+      name: organization.name,
+      external_id: null
+    });
+    for (const email of organization.members ?? []) {
+      const member = ensureUserByEmail(ws, email);
+      ws.memberships.insert({
+        workos_id: workosId("om"),
+        user_id: member.workos_id,
+        organization_id: org.workos_id,
+        status: "active",
+        role_slug: "admin"
+      });
+    }
+  }
+}
+var workosPlugin = {
+  name: "workos",
+  register(app, store, webhooks, baseUrl, tokenMap) {
+    const ctx = { app, store, webhooks, baseUrl, tokenMap };
+    oauthRoutes(ctx);
+    userManagementRoutes(ctx);
+    organizationRoutes(ctx);
+    apiKeyRoutes(ctx);
+    vaultRoutes(ctx);
+  },
+  seed(_store, _baseUrl) {
+  }
+};
+var index_default = workosPlugin;
+export {
+  index_default as default,
+  getWorkosStore,
+  manifest,
+  seedFromConfig,
+  workosPlugin
+};
+//# sourceMappingURL=dist-IYZPDKJW.js.map