@workos/oagen-emitters 0.2.1 → 0.3.0

package/oagen.config.ts

@@ -1,6 +1,9 @@
-import type { OagenConfig } from '@workos/oagen';
+import type { OagenConfig, OperationHint } from '@workos/oagen';
 import { toCamelCase } from '@workos/oagen';
 import { nodeEmitter } from './src/node/index.js';
+import { pythonEmitter } from './src/python/index.js';
+import { phpEmitter } from './src/php/index.js';
+import { goEmitter } from './src/go/index.js';
 import { nodeExtractor } from './src/compat/extractors/node.js';
 import { rubyExtractor } from './src/compat/extractors/ruby.js';
 import { pythonExtractor } from './src/compat/extractors/python.js';
@@ -21,8 +24,282 @@ function nestjsOperationIdTransform(id: string): string {
   return idx !== -1 ? toCamelCase(stripped.slice(idx + 1)) : toCamelCase(stripped);
 }
 
+// ---------------------------------------------------------------------------
+// Operation hints — per-operation overrides for the operation resolver.
+// Keyed by "METHOD /path". Only operations that need overrides are listed;
+// the algorithm handles the rest.
+// ---------------------------------------------------------------------------
+const operationHints: Record<string, OperationHint> = {
+  // ── Radar ────────────────────────────────────────────────────────────────
+  'POST /radar/lists/{type}/{action}': { name: 'add_list_entry' },
+  'DELETE /radar/lists/{type}/{action}': { name: 'remove_list_entry' },
+
+  // ── SSO ──────────────────────────────────────────────────────────────────
+  'GET /sso/authorize': {
+    name: 'get_authorization_url',
+    defaults: { response_type: 'code' },
+    inferFromClient: ['client_id'],
+  },
+  'GET /sso/logout': { name: 'get_logout_url' },
+  'GET /sso/profile': { name: 'get_profile' },
+  'POST /sso/token': {
+    name: 'get_profile_and_token',
+    defaults: { grant_type: 'authorization_code' },
+    inferFromClient: ['client_id', 'client_secret'],
+  },
+
+  // ── SSO / JWKS (mounted on UserManagement via mountRules) ────────────────
+  'GET /sso/jwks/{clientId}': { name: 'get_jwks' },
+
+  // ── User Management — auth ──────────────────────────────────────────────
+  'GET /user_management/authorize': {
+    name: 'get_authorization_url',
+    defaults: { response_type: 'code' },
+    inferFromClient: ['client_id'],
+  },
+  'GET /user_management/sessions/logout': { name: 'get_logout_url' },
+
+  // ── User Management — org membership actions ────────────────────────────
+  'PUT /user_management/organization_memberships/{id}/deactivate': {
+    name: 'deactivate_organization_membership',
+  },
+  'PUT /user_management/organization_memberships/{id}/reactivate': {
+    name: 'reactivate_organization_membership',
+  },
+
+  // ── Admin Portal ────────────────────────────────────────────────────────
+  'POST /portal/generate_link': { name: 'generate_link' },
+
+  // ── Feature Flags — disambiguate co-mounted list operations ─────────────
+  'GET /organizations/{organizationId}/feature-flags': { name: 'list_organization_feature_flags' },
+  'GET /user_management/users/{userId}/feature-flags': { name: 'list_user_feature_flags' },
+
+  // ── External ID lookups (not derivable from path) ──────────────────────
+  'GET /organizations/external_id/{external_id}': { name: 'get_organization_by_external_id' },
+  'GET /user_management/users/external_id/{external_id}': { name: 'get_user_by_external_id' },
+
+  // ── Authorization — environment-scoped roles ─────────────────────────────
+  'GET /authorization/roles': { name: 'list_environment_roles' },
+  'POST /authorization/roles': { name: 'create_environment_role' },
+  'GET /authorization/roles/{slug}': { name: 'get_environment_role' },
+  'PATCH /authorization/roles/{slug}': { name: 'update_environment_role' },
+  'PUT /authorization/roles/{slug}/permissions': {
+    name: 'set_environment_role_permissions',
+  },
+  'POST /authorization/roles/{slug}/permissions': {
+    name: 'add_environment_role_permission',
+  },
+
+  // ── Authorization — singularized/shortened names ────────────────────────
+  'POST /authorization/permissions': { name: 'create_permission' },
+  'POST /authorization/resources': { name: 'create_resource' },
+  'POST /authorization/organization_memberships/{organization_membership_id}/check': {
+    name: 'check',
+  },
+  'POST /authorization/organization_memberships/{organization_membership_id}/role_assignments': {
+    name: 'assign_role',
+  },
+  'DELETE /authorization/organization_memberships/{organization_membership_id}/role_assignments': {
+    name: 'remove_role',
+  },
+  'POST /authorization/organizations/{organizationId}/roles': {
+    name: 'create_organization_role',
+  },
+
+  // ── Authorization — env-scoped resource memberships ────────────────────
+  'GET /authorization/resources/{resource_id}/organization_memberships': { name: 'list_memberships_for_resource' },
+
+  // ── User Management — singularized/shortened names ─────────────────────
+  'POST /user_management/users': { name: 'create_user' },
+  'POST /user_management/organization_memberships': {
+    name: 'create_organization_membership',
+  },
+  'POST /user_management/invitations': { name: 'send_invitation' },
+  'GET /user_management/invitations/by_token/{token}': {
+    name: 'find_invitation_by_token',
+  },
+  'POST /user_management/users/{id}/email_verification/send': {
+    name: 'send_verification_email',
+  },
+  'POST /user_management/users/{id}/email_verification/confirm': {
+    name: 'verify_email',
+  },
+  'POST /user_management/password_reset': { name: 'reset_password' },
+  'POST /user_management/password_reset/confirm': {
+    name: 'confirm_password_reset',
+  },
+  'GET /user_management/users/{id}/sessions': { name: 'list_sessions' },
+  'GET /user_management/users/{id}/identities': { name: 'get_user_identities' },
+  'POST /user_management/cors_origins': { name: 'create_cors_origin' },
+  'POST /user_management/redirect_uris': { name: 'create_redirect_uri' },
+
+  // ── Organizations — singularized names ─────────────────────────────────
+  'POST /organizations': { name: 'create_organization' },
+
+  // ── Directory Sync — shortened names ───────────────────────────────────
+  'GET /directory_groups': { name: 'list_groups' },
+  'GET /directory_groups/{id}': { name: 'get_group' },
+  'GET /directory_users': { name: 'list_users' },
+  'GET /directory_users/{id}': { name: 'get_user' },
+
+  // ── Audit Logs — singularized names ────────────────────────────────────
+  'POST /audit_logs/events': { name: 'create_event' },
+  'POST /audit_logs/exports': { name: 'create_export' },
+  'POST /audit_logs/actions/{actionName}/schemas': { name: 'create_schema' },
+
+  // ── Feature Flags — match SDK conventions ──────────────────────────────
+  'POST /feature-flags/{slug}/targets/{resourceId}': { name: 'add_flag_target' },
+  'DELETE /feature-flags/{slug}/targets/{resourceId}': {
+    name: 'remove_flag_target',
+  },
+
+  // ── Organizations — audit logs retention (mounted on AuditLogs) ─────────
+  'GET /organizations/{id}/audit_logs_retention': { mountOn: 'AuditLogs' },
+  'PUT /organizations/{id}/audit_logs_retention': { mountOn: 'AuditLogs' },
+
+  // ── Union split: POST /user_management/authenticate (8 variants) ────────
+  'POST /user_management/authenticate': {
+    split: [
+      {
+        name: 'authenticate_with_password',
+        targetVariant: 'PasswordSessionAuthenticateRequest',
+        defaults: { grant_type: 'password' },
+        inferFromClient: ['client_id', 'client_secret'],
+        exposedParams: ['email', 'password', 'invitation_token'],
+      },
+      {
+        name: 'authenticate_with_code',
+        targetVariant: 'CodeSessionAuthenticateRequest',
+        defaults: { grant_type: 'authorization_code' },
+        inferFromClient: ['client_id', 'client_secret'],
+        exposedParams: ['code'],
+      },
+      {
+        name: 'authenticate_with_refresh_token',
+        targetVariant: 'RefreshTokenSessionAuthenticateRequest',
+        defaults: { grant_type: 'refresh_token' },
+        inferFromClient: ['client_id', 'client_secret'],
+        exposedParams: ['refresh_token', 'organization_id'],
+      },
+      {
+        name: 'authenticate_with_magic_auth',
+        targetVariant: 'MagicAuthSessionAuthenticateRequest',
+        defaults: { grant_type: 'urn:workos:oauth:grant-type:magic-auth:code' },
+        inferFromClient: ['client_id', 'client_secret'],
+        exposedParams: ['code', 'email', 'invitation_token'],
+      },
+      {
+        name: 'authenticate_with_email_verification',
+        targetVariant: 'EmailVerificationSessionAuthenticateRequest',
+        defaults: { grant_type: 'urn:workos:oauth:grant-type:email-verification:code' },
+        inferFromClient: ['client_id', 'client_secret'],
+        exposedParams: ['code', 'pending_authentication_token'],
+      },
+      {
+        name: 'authenticate_with_totp',
+        targetVariant: 'TotpSessionAuthenticateRequest',
+        defaults: { grant_type: 'urn:workos:oauth:grant-type:mfa-totp' },
+        inferFromClient: ['client_id', 'client_secret'],
+        exposedParams: ['code', 'pending_authentication_token', 'authentication_challenge_id'],
+      },
+      {
+        name: 'authenticate_with_organization_selection',
+        targetVariant: 'OrganizationSelectionSessionAuthenticateRequest',
+        defaults: { grant_type: 'urn:workos:oauth:grant-type:organization-selection' },
+        inferFromClient: ['client_id', 'client_secret'],
+        exposedParams: ['pending_authentication_token', 'organization_id'],
+      },
+      {
+        name: 'authenticate_with_device_code',
+        targetVariant: 'DeviceCodeSessionAuthenticateRequest',
+        defaults: { grant_type: 'urn:ietf:params:oauth:grant-type:device_code' },
+        inferFromClient: ['client_id'],
+        exposedParams: ['device_code'],
+      },
+    ],
+  },
+
+  // ── Union split: POST /connect/applications (2 variants) ────────────────
+  'POST /connect/applications': {
+    split: [
+      {
+        name: 'create_oauth_application',
+        targetVariant: 'CreateOAuthApplication',
+        defaults: { application_type: 'oauth' },
+        exposedParams: [
+          'name',
+          'is_first_party',
+          'description',
+          'scopes',
+          'redirect_uris',
+          'uses_pkce',
+          'organization_id',
+        ],
+      },
+      {
+        name: 'create_m2m_application',
+        targetVariant: 'CreateM2MApplication',
+        defaults: { application_type: 'm2m' },
+        exposedParams: ['name', 'organization_id', 'description', 'scopes'],
+      },
+    ],
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Mount rules — service-level remounting. Maps IR service name → target
+// service/namespace (PascalCase). All operations in the source service are
+// mounted on the target unless overridden per-operation in operationHints.
+// ---------------------------------------------------------------------------
+const mountRules: Record<string, string> = {
+  // MFA sub-services → MultiFactorAuth
+  MultiFactorAuthChallenges: 'MultiFactorAuth',
+
+  // RBAC permissions → Authorization
+  Permissions: 'Authorization',
+
+  // Connect sub-services → Connect
+  WorkosConnect: 'Connect',
+  Applications: 'Connect',
+  ApplicationClientSecrets: 'Connect',
+
+  // SSO connections → SSO
+  Connections: 'SSO',
+
+  // Directory Sync sub-services → DirectorySync
+  Directories: 'DirectorySync',
+  DirectoryGroups: 'DirectorySync',
+  DirectoryUsers: 'DirectorySync',
+
+  // Feature flag sub-services → FeatureFlags
+  FeatureFlagsTargets: 'FeatureFlags',
+  OrganizationsFeatureFlags: 'FeatureFlags',
+  UserManagementUsersFeatureFlags: 'FeatureFlags',
+
+  // Org API keys → ApiKeys
+  OrganizationsApiKeys: 'ApiKeys',
+
+  // User Management sub-services → UserManagement
+  UserManagementSessionTokens: 'UserManagement',
+  UserManagementAuthentication: 'UserManagement',
+  UserManagementCorsOrigins: 'UserManagement',
+  UserManagementUsers: 'UserManagement',
+  UserManagementInvitations: 'UserManagement',
+  UserManagementJWTTemplate: 'UserManagement',
+  UserManagementMagicAuth: 'UserManagement',
+  UserManagementOrganizationMembership: 'UserManagement',
+  UserManagementRedirectUris: 'UserManagement',
+  UserManagementUsersAuthorizedApplications: 'UserManagement',
+
+  // Pipes / Data Providers → Pipes
+  UserManagementDataProviders: 'Pipes',
+
+  // User Management MFA → MultiFactorAuth
+  UserManagementMultiFactorAuthentication: 'MultiFactorAuth',
+};
+
 const config: OagenConfig = {
-  emitters: [nodeEmitter],
+  emitters: [nodeEmitter, pythonEmitter, phpEmitter, goEmitter],
   extractors: [
     nodeExtractor,
     rubyExtractor,
@@ -47,5 +324,24 @@ const config: OagenConfig = {
   },
   docUrl: 'https://workos.com/docs',
   operationIdTransform: nestjsOperationIdTransform,
+  schemaNameTransform: (name: string) => {
+    // Explicit renames for Dto models that collide with response models
+    const COLLISION_RENAMES: Record<string, string> = {
+      OrganizationDto: 'OrganizationInput',
+      RedirectUriDto: 'RedirectUriInput',
+      // Generic list-derived names that need domain-specific identifiers
+      ListData: 'Role',
+      ListModel: 'RoleList',
+      // Double-List naming artifact
+      EventListListMetadata: 'EventListMetadata',
+    };
+    if (COLLISION_RENAMES[name]) return COLLISION_RENAMES[name];
+    return name
+      .replace(/Dto/g, '')
+      .replace(/DTO/g, '')
+      .replace(/^Urn(?:IetfParams|Workos)O[Aa]uthGrantType/, '');
+  },
+  operationHints,
+  mountRules,
 };
 export default config;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@workos/oagen-emitters",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "WorkOS' oagen emitters",
   "license": "MIT",
   "author": "WorkOS",
@@ -28,6 +28,10 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit",
+    "git:push": "sh ./scripts/git-push-with-published-oagen.sh",
+    "oagen:build:local": "npm --prefix ../oagen run build",
+    "oagen:use:local": "npm run oagen:build:local && npm link ../oagen",
+    "oagen:use:published": "sh -c 'npm unlink @workos/oagen >/dev/null 2>&1 || true; npm install --ignore-scripts @workos/oagen@^0.4.0'",
     "prepare": "husky",
     "sdk:generate:dotnet": "oagen generate --lang dotnet --output ./sdk-dotnet --namespace workos --api-surface ./sdk-dotnet-surface.json",
     "sdk:verify:dotnet": "oagen verify --lang dotnet --output ./sdk-dotnet --api-surface ./sdk-dotnet-surface.json",
@@ -44,7 +48,7 @@
     "sdk:generate:node": "oagen generate --lang node --output ./sdk-node --namespace workos --api-surface ./sdk-node-surface.json",
     "sdk:verify:node": "oagen verify --lang node --output ./sdk-node --api-surface ./sdk-node-surface.json",
     "sdk:extract:node": "oagen extract --lang node --sdk-path ../backend/workos-node --output ./sdk-node-surface.json",
-    "sdk:generate:php": "oagen generate --lang php --output ./sdk-php --namespace workos --api-surface ./sdk-php-surface.json",
+    "sdk:generate:php": "node scripts/generate-php.js",
     "sdk:verify:php": "oagen verify --lang php --output ./sdk-php --api-surface ./sdk-php-surface.json",
     "sdk:extract:php": "oagen extract --lang php --sdk-path ../backend/workos-php --output ./sdk-php-surface.json",
     "sdk:generate:python": "oagen generate --lang python --output ./sdk-python --namespace workos --api-surface ./sdk-python-surface.json",
@@ -57,9 +61,6 @@
     "sdk:verify:rust": "oagen verify --lang rust --output ./sdk-rust --api-surface ./sdk-rust-surface.json",
     "sdk:extract:rust": "oagen extract --lang rust --sdk-path ../backend/workos-rust --output ./sdk-rust-surface.json"
   },
-  "dependencies": {
-    "@workos/oagen": "^0.3.0"
-  },
   "devDependencies": {
     "@commitlint/cli": "^20.5.0",
     "@commitlint/config-conventional": "^20.5.0",
@@ -75,5 +76,8 @@
   },
   "engines": {
     "node": ">=24.10.0"
+  },
+  "dependencies": {
+    "@workos/oagen": "^0.5.0"
   }
 }

package/scripts/generate-php.js

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+/**
+ * PHP SDK generation wrapper.
+ */
+import { execSync } from 'node:child_process';
+
+// Build oagen command with all passed arguments
+const extraArgs = process.argv.slice(2).join(' ');
+const baseCmd = 'oagen generate --lang php --output ./sdk-php --namespace WorkOS --api-surface ./sdk-php-surface.json';
+const fullCmd = extraArgs ? `${baseCmd} ${extraArgs}` : baseCmd;
+
+// Run oagen generate
+execSync(fullCmd, { stdio: 'inherit' });

package/scripts/git-push-with-published-oagen.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env sh
+set -eu
+
+repo_root="$(git rev-parse --show-toplevel)"
+cd "$repo_root"
+
+restore_local() {
+  echo "push wrapper: restoring local ../oagen link"
+  npm run oagen:use:local
+}
+
+cleanup() {
+  restore_local
+}
+
+trap cleanup EXIT INT TERM HUP
+
+echo "push wrapper: switching @workos/oagen to the published package"
+npm run oagen:use:published
+
+git push "$@"

package/smoke/sdk-go.ts

@@ -140,6 +140,43 @@ function loadManifest(sdkPath: string): Map<string, ManifestEntry> | null {
   return manifest;
 }
 
+// ---------------------------------------------------------------------------
+// Accessor map -- discover actual method names from the generated workos.go
+// ---------------------------------------------------------------------------
+
+function buildAccessorMap(sdkPath: string): Map<string, string> {
+  const map = new Map<string, string>();
+  // Find the main workos.go or *.go file that has Client methods
+  const candidates = ['workos.go'];
+  for (const fname of candidates) {
+    const fpath = resolve(sdkPath, fname);
+    if (!existsSync(fpath)) continue;
+    const content = readFileSync(fpath, 'utf-8');
+    // Match: func (c *Client) ServiceName() *serviceNameService {
+    const re = /func \(c \*Client\) (\w+)\(\)/g;
+    let m;
+    while ((m = re.exec(content)) !== null) {
+      const accessor = m[1];
+      // Map by lowercase key for case-insensitive matching
+      map.set(accessor.toLowerCase(), accessor);
+    }
+  }
+  return map;
+}
+
+/**
+ * Resolve the Go service accessor name from the manifest service name.
+ * Uses the accessor map (built from the generated SDK) for exact matching.
+ * Falls back to PascalCase for services not found in the map.
+ */
+function resolveAccessorName(manifestService: string, accessorMap: Map<string, string>): string {
+  // Try case-insensitive lookup: "sso" -> "SSO", "api_keys" -> "ApiKeys"
+  const pascalized = toPascalCase(manifestService);
+  const found = accessorMap.get(pascalized.toLowerCase());
+  if (found) return found;
+  return pascalized;
+}
+
 // ---------------------------------------------------------------------------
 // Method resolution
 // ---------------------------------------------------------------------------
@@ -345,15 +382,16 @@ function detectModulePath(sdkPath: string): string {
     const match = goMod.match(/^module\s+(\S+)/m);
     if (match) return match[1];
   }
-  return 'github.com/workos/workos-go/v4';
+  return 'github.com/workos/workos-go/v2';
 }
 
 function generateGoImports(
   modulePath: string,
-  servicePackages: Set<string>,
+  _servicePackages: Set<string>,
   needsJson: boolean,
-  needsServicePkg: boolean,
+  _needsServicePkg: boolean,
 ): string {
+  // New emitter: flat package -- everything lives in the root module, no sub-packages.
   const lines: string[] = [];
   lines.push('import (');
   lines.push('\t"context"');
@@ -363,20 +401,21 @@ function generateGoImports(
   lines.push('\t"fmt"');
   lines.push('\t"os"');
   lines.push('');
-  lines.push(`\tworkos "${modulePath}/pkg"`);
-  if (needsServicePkg) {
-    for (const pkg of [...servicePackages].sort()) {
-      lines.push(`\t"${modulePath}/pkg/${pkg}"`);
-    }
-  }
+  lines.push(`\t"${modulePath}"`);
   lines.push(')');
   return lines.join('\n');
 }
 
-function generateGoPayloadStruct(payload: Record<string, unknown>, optsType: string, servicePackage: string): string {
+function generateGoPayloadStruct(payload: Record<string, unknown>, paramsType: string): string {
+  // New emitter: all types in root workos package, params are pointers.
+  // Skip nested objects, arrays, and nil values since Go requires typed structs
+  // and primitive fields can't be nil.
   const lines: string[] = [];
-  lines.push(`${servicePackage}.${optsType}{`);
+  lines.push(`&workos.${paramsType}{`);
   for (const [key, value] of Object.entries(payload)) {
+    // Skip nil, nested objects, and arrays
+    if (value === null || value === undefined) continue;
+    if (typeof value === 'object') continue;
     const goField = goFieldName(key);
     lines.push(`\t\t${goField}: ${goLiteral(value)},`);
   }
@@ -414,9 +453,9 @@ function generateGoCallBlock(
   pathParams: Record<string, string>,
   spec: any,
   callIndex: number,
+  accessorMap: Map<string, string>,
 ): string {
   const lines: string[] = [];
-  const servicePackage = goServicePackageName(resolution.service);
   const method = resolution.method;
 
   // Build arguments
@@ -427,52 +466,63 @@ function generateGoCallBlock(
     args.push(`"${pathParams[p.name] || ''}"`);
   }
 
-  // Request body opts struct
+  // Build service-prefixed params struct name (matches emitter's paramsStructName)
+  const servicePrefix = goExportedName(resolution.service);
+  const paramsTypeName = method.startsWith(servicePrefix) ? `${method}Params` : `${servicePrefix}${method}Params`;
+
+  // Request body params struct (emitter uses &workos.{ServicePrefix}{Method}Params{...})
+  const hasQueryParams = op.queryParams && op.queryParams.length > 0;
   if (op.requestBody) {
     const payload = generatePayload(op, spec);
     if (payload && Object.keys(payload).length > 0) {
-      const optsType = `${method}Opts`;
-      args.push(generateGoPayloadStruct(payload, optsType, servicePackage));
-    }
-  }
-
-  // Paginated operations: pass opts with Limit=1
-  if (op.pagination && !op.requestBody) {
-    const extraParams = op.queryParams.filter((p: any) => !['limit', 'before', 'after', 'order'].includes(p.name));
-    if (extraParams.length > 0) {
-      // Match the emitter convention: List → ListFilterOpts, others → ${method}Opts
-      const optsType = method === 'List' ? 'ListFilterOpts' : `${method}Opts`;
-      args.push(`${servicePackage}.${optsType}{Limit: 1}`);
+      args.push(generateGoPayloadStruct(payload, paramsTypeName));
     } else {
-      args.push(`${servicePackage}.ListOpts{Limit: 1}`);
+      // Even with empty payload, the method signature requires the params arg
+      args.push(`&workos.${paramsTypeName}{}`);
     }
+  } else if (op.pagination || hasQueryParams) {
+    // Paginated or query-param operations need a params struct
+    args.push(`&workos.${paramsTypeName}{}`);
   }
 
-  // Determine the service accessor on the client
-  const serviceProp = goExportedName(resolution.service);
+  // Service accessor: resolve from the generated SDK's actual accessor names
+  const serviceProp = resolveAccessorName(resolution.service, accessorMap);
 
   lines.push(`\t// Call ${callIndex}: ${op.httpMethod.toUpperCase()} ${op.path}`);
   lines.push(`\tfmt.Fprintf(os.Stderr, "CALL_START:${callIndex}\\n")`);
 
-  // Determine return type: paginated and GET-with-response return (result, error),
-  // DELETE returns just error
+  // Determine return type: paginated returns Iterator, DELETE and void/redirect return just error
   const isDelete = op.httpMethod === 'delete';
-  const hasResponse = !isDelete;
-
-  if (hasResponse) {
-    lines.push(`\tresult${callIndex}, err${callIndex} := client.${serviceProp}.${method}(${args.join(', ')})`);
+  const isPaginated = !!op.pagination;
+  const isVoidResponse =
+    !isPaginated &&
+    !isDelete &&
+    ((op.response.kind === 'primitive' && (op.response as any).type === 'unknown') ||
+      (op.successResponses && op.successResponses.some((r: any) => r.statusCode >= 300 && r.statusCode < 400)));
+
+  if (isPaginated) {
+    // Iterator-based: call Next() once to trigger the first HTTP request
+    lines.push(`\titer${callIndex} := client.${serviceProp}().${method}(${args.join(', ')})`);
+    lines.push(`\titer${callIndex}.Next()`);
+    lines.push(`\tif err${callIndex} := iter${callIndex}.Err(); err${callIndex} != nil {`);
+    lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_ERROR:${callIndex}:%s\\n", err${callIndex}.Error())`);
+    lines.push('\t} else {');
+    lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_OK:${callIndex}:\\n")`);
+    lines.push('\t}');
+  } else if (isDelete || isVoidResponse) {
+    lines.push(`\terr${callIndex} := client.${serviceProp}().${method}(${args.join(', ')})`);
     lines.push(`\tif err${callIndex} != nil {`);
     lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_ERROR:${callIndex}:%s\\n", err${callIndex}.Error())`);
     lines.push('\t} else {');
-    lines.push(`\t\tjsonResult${callIndex}, _ := json.Marshal(result${callIndex})`);
-    lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_OK:${callIndex}:%s\\n", string(jsonResult${callIndex}))`);
+    lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_OK:${callIndex}:\\n")`);
     lines.push('\t}');
   } else {
-    lines.push(`\terr${callIndex} := client.${serviceProp}.${method}(${args.join(', ')})`);
+    lines.push(`\tresult${callIndex}, err${callIndex} := client.${serviceProp}().${method}(${args.join(', ')})`);
     lines.push(`\tif err${callIndex} != nil {`);
     lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_ERROR:${callIndex}:%s\\n", err${callIndex}.Error())`);
     lines.push('\t} else {');
-    lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_OK:${callIndex}:\\n")`);
+    lines.push(`\t\tjsonResult${callIndex}, _ := json.Marshal(result${callIndex})`);
+    lines.push(`\t\tfmt.Fprintf(os.Stderr, "CALL_OK:${callIndex}:%s\\n", string(jsonResult${callIndex}))`);
     lines.push('\t}');
   }
 
@@ -523,6 +573,11 @@ async function main(): Promise<void> {
   // Load manifest
   const manifest = loadManifest(sdkPath);
 
+  // Build accessor name map by scanning the generated workos.go for
+  // `func (c *Client) XxxYyy()` patterns, then matching them to manifest
+  // service names via case-insensitive comparison.
+  const accessorMap = buildAccessorMap(sdkPath);
+
   const baseUrl = process.env.WORKOS_BASE_URL || spec.baseUrl;
 
   // Start capture proxy
@@ -633,7 +688,7 @@ async function main(): Promise<void> {
       // Generate all call blocks for this wave
       const callBlocks: string[] = [];
       for (const call of plannedCalls) {
-        callBlocks.push(generateGoCallBlock(call.op, call.resolution, call.pathParams, spec, call.index));
+        callBlocks.push(generateGoCallBlock(call.op, call.resolution, call.pathParams, spec, call.index, accessorMap));
       }
 
       const imports = generateGoImports(modulePath, servicePackages, needsJson, needsServicePkg);
@@ -644,7 +699,7 @@ async function main(): Promise<void> {
         imports,
         '',
         'func main() {',
-        `\tclient := workos.NewClient("${apiKey}", workos.WithEndpoint("http://127.0.0.1:${proxyPort}"))`,
+        `\tclient := workos.NewClient("${apiKey}", workos.WithBaseURL("http://127.0.0.1:${proxyPort}"))`,
         '\tctx := context.Background()',
         '',
         ...callBlocks,
@@ -660,8 +715,10 @@ async function main(): Promise<void> {
 
       // Step 1: Build (sync — no proxy needed during compilation)
       let buildError: string | null = null;
+
+      // Run go mod tidy first to resolve dependencies
       try {
-        execSync('go build -o smoke-driver main.go', {
+        execSync('go mod tidy', {
           cwd: tmpDir,
           timeout: 120_000,
           env: {
@@ -673,9 +730,26 @@ async function main(): Promise<void> {
         });
       } catch (err: any) {
         const stderr = typeof err.stderr === 'string' ? err.stderr : '';
-        buildError = stderr.trim().split('\n').slice(0, 5).join(' ') || 'go build failed';
+        buildError = `go mod tidy failed: ${stderr.trim().split('\n').slice(0, 3).join(' ')}`;
       }
 
+      if (!buildError)
+        try {
+          execSync('go build -o smoke-driver main.go', {
+            cwd: tmpDir,
+            timeout: 120_000,
+            env: {
+              ...process.env,
+              GOPATH: process.env.GOPATH || resolve(process.env.HOME || '~', 'go'),
+            },
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+          });
+        } catch (err: any) {
+          const stderr = typeof err.stderr === 'string' ? err.stderr : '';
+          buildError = stderr.trim().split('\n').slice(0, 5).join(' ') || 'go build failed';
+        }
+
       if (buildError) {
         // Build failure affects entire wave
         const elapsed = Date.now() - waveStart;