workos 0.11.2 → 0.12.0-beta.1

package/dist/emulate/core/jwt.js

@@ -0,0 +1,78 @@
+import { createSign, createVerify, generateKeyPairSync } from 'node:crypto';
+function base64url(input) {
+    const buf = typeof input === 'string' ? Buffer.from(input) : input;
+    return buf.toString('base64url');
+}
+function base64urlDecode(input) {
+    return Buffer.from(input, 'base64url');
+}
+export class JWTManager {
+    privateKey;
+    publicKey;
+    kid;
+    issuer;
+    constructor(issuer = 'https://api.workos.com') {
+        this.issuer = issuer;
+        const { privateKey, publicKey } = generateKeyPairSync('rsa', {
+            modulusLength: 2048,
+        });
+        this.privateKey = privateKey;
+        this.publicKey = publicKey;
+        this.kid = `workos_emulate_${Date.now()}`;
+    }
+    sign(payload, options) {
+        const now = Math.floor(Date.now() / 1000);
+        const expiresIn = options?.expiresIn ?? 3600;
+        const fullPayload = {
+            ...payload,
+            iss: this.issuer,
+            iat: now,
+            exp: now + expiresIn,
+        };
+        const header = { alg: 'RS256', typ: 'JWT', kid: this.kid };
+        const headerB64 = base64url(JSON.stringify(header));
+        const payloadB64 = base64url(JSON.stringify(fullPayload));
+        const signingInput = `${headerB64}.${payloadB64}`;
+        const signer = createSign('RSA-SHA256');
+        signer.update(signingInput);
+        const signature = signer.sign(this.privateKey, 'base64url');
+        return `${signingInput}.${signature}`;
+    }
+    verify(token) {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            throw new Error('Invalid token format');
+        }
+        const [headerB64, payloadB64, signature] = parts;
+        const signingInput = `${headerB64}.${payloadB64}`;
+        const verifier = createVerify('RSA-SHA256');
+        verifier.update(signingInput);
+        const valid = verifier.verify(this.publicKey, signature, 'base64url');
+        if (!valid) {
+            throw new Error('Invalid token signature');
+        }
+        const payload = JSON.parse(base64urlDecode(payloadB64).toString('utf-8'));
+        const now = Math.floor(Date.now() / 1000);
+        if (payload.exp && payload.exp < now) {
+            throw new Error('Token has expired');
+        }
+        return payload;
+    }
+    getJWKS() {
+        const jwk = this.publicKey.export({ format: 'jwk' });
+        return {
+            keys: [
+                {
+                    ...jwk,
+                    kid: this.kid,
+                    alg: 'RS256',
+                    use: 'sig',
+                },
+            ],
+        };
+    }
+    getPublicKeyPem() {
+        return this.publicKey.export({ type: 'spki', format: 'pem' });
+    }
+}
+//# sourceMappingURL=jwt.js.map

package/dist/emulate/core/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/emulate/core/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,mBAAmB,EAAkB,MAAM,aAAa,CAAC;AAkB5F,SAAS,SAAS,CAAC,KAAsB;IACvC,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IACnE,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,OAAO,UAAU;IACb,UAAU,CAAY;IACtB,SAAS,CAAY;IACrB,GAAG,CAAS;IACpB,MAAM,CAAS;IAEf,YAAY,MAAM,GAAG,wBAAwB;QAC3C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;YAC3D,aAAa,EAAE,IAAI;SACpB,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,GAAG,GAAG,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC,OAAgD,EAAE,OAAqB;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC;QAE7C,MAAM,WAAW,GAAe;YAC9B,GAAG,OAAO;YACV,GAAG,EAAE,IAAI,CAAC,MAAM;YAChB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,SAAS;SACrB,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAC3D,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QACpD,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;QAC1D,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAElD,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC5B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAE5D,OAAO,GAAG,YAAY,IAAI,SAAS,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QACjD,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAElD,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;QAC5C,QAAQ,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC9B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QAEtE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAe,CAAC;QAExF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACrD,OAAO;YACL,IAAI,EAAE;gBACJ;oBACE,GAAG,GAAG;oBACN,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,GAAG,EAAE,OAAO;oBACZ,GAAG,EAAE,KAAK;iBACX;aACF;SACF,CAAC;IACJ,CAAC;IAED,eAAe;QACb,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IAC1E,CAAC;CACF","sourcesContent":["import { createSign, createVerify, generateKeyPairSync, type KeyObject } from 'node:crypto';\n\nexport interface JWTPayload {\n  sub: string;\n  sid?: string;\n  org_id?: string;\n  role?: string;\n  permissions?: string[];\n  iss: string;\n  aud: string;\n  exp: number;\n  iat: number;\n}\n\ninterface SignOptions {\n  expiresIn?: number;\n}\n\nfunction base64url(input: Buffer | string): string {\n  const buf = typeof input === 'string' ? Buffer.from(input) : input;\n  return buf.toString('base64url');\n}\n\nfunction base64urlDecode(input: string): Buffer {\n  return Buffer.from(input, 'base64url');\n}\n\nexport class JWTManager {\n  private privateKey: KeyObject;\n  private publicKey: KeyObject;\n  private kid: string;\n  issuer: string;\n\n  constructor(issuer = 'https://api.workos.com') {\n    this.issuer = issuer;\n    const { privateKey, publicKey } = generateKeyPairSync('rsa', {\n      modulusLength: 2048,\n    });\n    this.privateKey = privateKey;\n    this.publicKey = publicKey;\n    this.kid = `workos_emulate_${Date.now()}`;\n  }\n\n  sign(payload: Omit<JWTPayload, 'iss' | 'iat' | 'exp'>, options?: SignOptions): string {\n    const now = Math.floor(Date.now() / 1000);\n    const expiresIn = options?.expiresIn ?? 3600;\n\n    const fullPayload: JWTPayload = {\n      ...payload,\n      iss: this.issuer,\n      iat: now,\n      exp: now + expiresIn,\n    };\n\n    const header = { alg: 'RS256', typ: 'JWT', kid: this.kid };\n    const headerB64 = base64url(JSON.stringify(header));\n    const payloadB64 = base64url(JSON.stringify(fullPayload));\n    const signingInput = `${headerB64}.${payloadB64}`;\n\n    const signer = createSign('RSA-SHA256');\n    signer.update(signingInput);\n    const signature = signer.sign(this.privateKey, 'base64url');\n\n    return `${signingInput}.${signature}`;\n  }\n\n  verify(token: string): JWTPayload {\n    const parts = token.split('.');\n    if (parts.length !== 3) {\n      throw new Error('Invalid token format');\n    }\n\n    const [headerB64, payloadB64, signature] = parts;\n    const signingInput = `${headerB64}.${payloadB64}`;\n\n    const verifier = createVerify('RSA-SHA256');\n    verifier.update(signingInput);\n    const valid = verifier.verify(this.publicKey, signature, 'base64url');\n\n    if (!valid) {\n      throw new Error('Invalid token signature');\n    }\n\n    const payload = JSON.parse(base64urlDecode(payloadB64).toString('utf-8')) as JWTPayload;\n\n    const now = Math.floor(Date.now() / 1000);\n    if (payload.exp && payload.exp < now) {\n      throw new Error('Token has expired');\n    }\n\n    return payload;\n  }\n\n  getJWKS(): { keys: Record<string, unknown>[] } {\n    const jwk = this.publicKey.export({ format: 'jwk' });\n    return {\n      keys: [\n        {\n          ...jwk,\n          kid: this.kid,\n          alg: 'RS256',\n          use: 'sig',\n        },\n      ],\n    };\n  }\n\n  getPublicKeyPem(): string {\n    return this.publicKey.export({ type: 'spki', format: 'pem' }) as string;\n  }\n}\n"]}

package/dist/emulate/core/middleware/auth.d.ts

@@ -0,0 +1,18 @@
+import type { Context, Next } from 'hono';
+export interface WorkOSAuthContext {
+    environment: string;
+    apiKey: string;
+}
+export type WorkOSAppEnv = {
+    Variables: {
+        auth?: WorkOSAuthContext;
+        requestId?: string;
+    };
+};
+export type ApiKeyMap = Record<string, {
+    environment: string;
+}>;
+export declare function authMiddleware(apiKeys: ApiKeyMap): (c: Context, next: Next) => Promise<(Response & import("hono").TypedResponse<{
+    message: string;
+    code: string;
+}, 401, "json">) | undefined>;

package/dist/emulate/core/middleware/auth.js

@@ -0,0 +1,28 @@
+export function authMiddleware(apiKeys) {
+    return async (c, next) => {
+        const authHeader = c.req.header('Authorization');
+        if (!authHeader) {
+            return c.json({
+                message: 'Unauthorized',
+                code: 'unauthorized',
+            }, 401);
+        }
+        const token = authHeader.replace(/^Bearer\s+/i, '').trim();
+        if (!token.startsWith('sk_')) {
+            return c.json({
+                message: 'Unauthorized',
+                code: 'unauthorized',
+            }, 401);
+        }
+        const keyInfo = apiKeys[token];
+        if (!keyInfo) {
+            return c.json({
+                message: 'Unauthorized',
+                code: 'unauthorized',
+            }, 401);
+        }
+        c.set('auth', { environment: keyInfo.environment, apiKey: token });
+        await next();
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/emulate/core/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../../src/emulate/core/middleware/auth.ts"],"names":[],"mappings":"AAgBA,MAAM,UAAU,cAAc,CAAC,OAAkB;IAC/C,OAAO,KAAK,EAAE,CAAU,EAAE,IAAU,EAAE,EAAE;QACtC,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,OAAO,EAAE,cAAc;gBACvB,IAAI,EAAE,cAAc;aACrB,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAE3D,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,OAAO,EAAE,cAAc;gBACvB,IAAI,EAAE,cAAc;aACrB,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,OAAO,EAAE,cAAc;gBACvB,IAAI,EAAE,cAAc;aACrB,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;QAED,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAA8B,CAAC,CAAC;QAC/F,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC","sourcesContent":["import type { Context, Next } from 'hono';\n\nexport interface WorkOSAuthContext {\n  environment: string;\n  apiKey: string;\n}\n\nexport type WorkOSAppEnv = {\n  Variables: {\n    auth?: WorkOSAuthContext;\n    requestId?: string;\n  };\n};\n\nexport type ApiKeyMap = Record<string, { environment: string }>;\n\nexport function authMiddleware(apiKeys: ApiKeyMap) {\n  return async (c: Context, next: Next) => {\n    const authHeader = c.req.header('Authorization');\n    if (!authHeader) {\n      return c.json(\n        {\n          message: 'Unauthorized',\n          code: 'unauthorized',\n        },\n        401,\n      );\n    }\n\n    const token = authHeader.replace(/^Bearer\\s+/i, '').trim();\n\n    if (!token.startsWith('sk_')) {\n      return c.json(\n        {\n          message: 'Unauthorized',\n          code: 'unauthorized',\n        },\n        401,\n      );\n    }\n\n    const keyInfo = apiKeys[token];\n    if (!keyInfo) {\n      return c.json(\n        {\n          message: 'Unauthorized',\n          code: 'unauthorized',\n        },\n        401,\n      );\n    }\n\n    c.set('auth', { environment: keyInfo.environment, apiKey: token } satisfies WorkOSAuthContext);\n    await next();\n  };\n}\n"]}

package/dist/emulate/core/middleware/error-handler.d.ts

@@ -0,0 +1,22 @@
+import type { Context, ErrorHandler, MiddlewareHandler } from 'hono';
+export declare class WorkOSApiError extends Error {
+    status: number;
+    code: string;
+    errors?: Array<{
+        field: string;
+        code: string;
+        message?: string;
+    }> | undefined;
+    constructor(status: number, message: string, code: string, errors?: Array<{
+        field: string;
+        code: string;
+        message?: string;
+    }> | undefined);
+}
+export declare function createApiErrorHandler(): ErrorHandler;
+export declare function requestIdMiddleware(): MiddlewareHandler;
+export declare function notFound(resource?: string): WorkOSApiError;
+export declare function validationError(message: string, errors?: WorkOSApiError['errors']): WorkOSApiError;
+export declare function unauthorized(): WorkOSApiError;
+export declare function forbidden(): WorkOSApiError;
+export declare function parseJsonBody(c: Context): Promise<Record<string, unknown>>;

package/dist/emulate/core/middleware/error-handler.js

@@ -0,0 +1,72 @@
+export class WorkOSApiError extends Error {
+    status;
+    code;
+    errors;
+    constructor(status, message, code, errors) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.errors = errors;
+        this.name = 'WorkOSApiError';
+    }
+}
+export function createApiErrorHandler() {
+    return (err, c) => {
+        if (err instanceof WorkOSApiError) {
+            const body = {
+                message: err.message,
+                code: err.code,
+            };
+            if (err.errors) {
+                body.errors = err.errors;
+            }
+            return c.json(body, err.status);
+        }
+        const status = errorStatus(err);
+        return c.json({
+            message: 'Internal Server Error',
+            code: 'server_error',
+        }, status);
+    };
+}
+export function requestIdMiddleware() {
+    return async (c, next) => {
+        const requestId = c.req.header('X-Request-ID') ?? `req_${crypto.randomUUID()}`;
+        c.set('requestId', requestId);
+        c.header('X-Request-ID', requestId);
+        await next();
+    };
+}
+export function notFound(resource) {
+    return new WorkOSApiError(404, resource ? `${resource} not found` : 'Not Found', 'not_found');
+}
+export function validationError(message, errors) {
+    return new WorkOSApiError(422, message, 'unprocessable_entity', errors);
+}
+export function unauthorized() {
+    return new WorkOSApiError(401, 'Unauthorized', 'unauthorized');
+}
+export function forbidden() {
+    return new WorkOSApiError(403, 'Forbidden', 'forbidden');
+}
+export async function parseJsonBody(c) {
+    try {
+        const body = await c.req.json();
+        if (body && typeof body === 'object' && !Array.isArray(body)) {
+            return body;
+        }
+        return {};
+    }
+    catch {
+        throw new WorkOSApiError(400, 'Problems parsing JSON', 'invalid_request_body');
+    }
+}
+function errorStatus(err) {
+    if (err && typeof err === 'object' && 'status' in err) {
+        const s = err.status;
+        if (typeof s === 'number' && Number.isFinite(s))
+            return s;
+    }
+    return 500;
+}
+//# sourceMappingURL=error-handler.js.map

package/dist/emulate/core/middleware/error-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.js","sourceRoot":"","sources":["../../../../src/emulate/core/middleware/error-handler.ts"],"names":[],"mappings":"AAGA,MAAM,OAAO,cAAe,SAAQ,KAAK;IAE9B;IAEA;IACA;IAJT,YACS,MAAc,EACrB,OAAe,EACR,IAAY,EACZ,MAAiE;QAExE,KAAK,CAAC,OAAO,CAAC,CAAC;QALR,WAAM,GAAN,MAAM,CAAQ;QAEd,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAA2D;QAGxE,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAChB,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;YAClC,MAAM,IAAI,GAA4B;gBACpC,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;aACf,CAAC;YACF,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;YAC3B,CAAC;YACD,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,MAA8B,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAChC,OAAO,CAAC,CAAC,IAAI,CACX;YACE,OAAO,EAAE,uBAAuB;YAChC,IAAI,EAAE,cAAc;SACrB,EACD,MAA8B,CAC/B,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,OAAO,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;QAC/E,CAAC,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAC9B,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;QACpC,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,QAAiB;IACxC,OAAO,IAAI,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,YAAY,CAAC,CAAC,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,MAAiC;IAChF,OAAO,IAAI,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,cAAc,CAAC,GAAG,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,SAAS;IACvB,OAAO,IAAI,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,CAAU;IAC5C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7D,OAAO,IAA+B,CAAC;QACzC,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,sBAAsB,CAAC,CAAC;IACjF,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;QACtD,MAAM,CAAC,GAAI,GAA2B,CAAC,MAAM,CAAC;QAC9C,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC5D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC","sourcesContent":["import type { Context, ErrorHandler, MiddlewareHandler } from 'hono';\nimport type { ContentfulStatusCode } from 'hono/utils/http-status';\n\nexport class WorkOSApiError extends Error {\n  constructor(\n    public status: number,\n    message: string,\n    public code: string,\n    public errors?: Array<{ field: string; code: string; message?: string }>,\n  ) {\n    super(message);\n    this.name = 'WorkOSApiError';\n  }\n}\n\nexport function createApiErrorHandler(): ErrorHandler {\n  return (err, c) => {\n    if (err instanceof WorkOSApiError) {\n      const body: Record<string, unknown> = {\n        message: err.message,\n        code: err.code,\n      };\n      if (err.errors) {\n        body.errors = err.errors;\n      }\n      return c.json(body, err.status as ContentfulStatusCode);\n    }\n\n    const status = errorStatus(err);\n    return c.json(\n      {\n        message: 'Internal Server Error',\n        code: 'server_error',\n      },\n      status as ContentfulStatusCode,\n    );\n  };\n}\n\nexport function requestIdMiddleware(): MiddlewareHandler {\n  return async (c, next) => {\n    const requestId = c.req.header('X-Request-ID') ?? `req_${crypto.randomUUID()}`;\n    c.set('requestId', requestId);\n    c.header('X-Request-ID', requestId);\n    await next();\n  };\n}\n\nexport function notFound(resource?: string): WorkOSApiError {\n  return new WorkOSApiError(404, resource ? `${resource} not found` : 'Not Found', 'not_found');\n}\n\nexport function validationError(message: string, errors?: WorkOSApiError['errors']): WorkOSApiError {\n  return new WorkOSApiError(422, message, 'unprocessable_entity', errors);\n}\n\nexport function unauthorized(): WorkOSApiError {\n  return new WorkOSApiError(401, 'Unauthorized', 'unauthorized');\n}\n\nexport function forbidden(): WorkOSApiError {\n  return new WorkOSApiError(403, 'Forbidden', 'forbidden');\n}\n\nexport async function parseJsonBody(c: Context): Promise<Record<string, unknown>> {\n  try {\n    const body = await c.req.json();\n    if (body && typeof body === 'object' && !Array.isArray(body)) {\n      return body as Record<string, unknown>;\n    }\n    return {};\n  } catch {\n    throw new WorkOSApiError(400, 'Problems parsing JSON', 'invalid_request_body');\n  }\n}\n\nfunction errorStatus(err: unknown): number {\n  if (err && typeof err === 'object' && 'status' in err) {\n    const s = (err as { status: unknown }).status;\n    if (typeof s === 'number' && Number.isFinite(s)) return s;\n  }\n  return 500;\n}\n"]}

package/dist/emulate/core/pagination.d.ts

@@ -0,0 +1,21 @@
+export interface Entity {
+    id: string;
+    created_at: string;
+    updated_at: string;
+}
+export interface CursorPaginationOptions<T> {
+    filter?: (item: T) => boolean;
+    sort?: (a: T, b: T) => number;
+    limit?: number;
+    order?: 'asc' | 'desc';
+    before?: string;
+    after?: string;
+}
+export interface CursorPaginatedResult<T> {
+    data: T[];
+    list_metadata: {
+        before: string | null;
+        after: string | null;
+    };
+}
+export declare function cursorPaginate<T extends Entity>(items: T[], options?: CursorPaginationOptions<T>): CursorPaginatedResult<T>;

package/dist/emulate/core/pagination.js

@@ -0,0 +1,35 @@
+export function cursorPaginate(items, options = {}) {
+    let filtered = options.filter ? items.filter(options.filter) : [...items];
+    const order = options.order ?? 'desc';
+    const defaultSort = (a, b) => order === 'desc'
+        ? b.created_at.localeCompare(a.created_at) || b.id.localeCompare(a.id)
+        : a.created_at.localeCompare(b.created_at) || a.id.localeCompare(b.id);
+    filtered.sort(options.sort ?? defaultSort);
+    const limit = Math.max(1, Math.min(options.limit ?? 10, 100));
+    let startIndex = 0;
+    let endIndex = filtered.length;
+    if (options.after) {
+        const afterIndex = filtered.findIndex((item) => item.id === options.after);
+        if (afterIndex !== -1) {
+            startIndex = afterIndex + 1;
+        }
+    }
+    if (options.before) {
+        const beforeIndex = filtered.findIndex((item) => item.id === options.before);
+        if (beforeIndex !== -1) {
+            endIndex = beforeIndex;
+        }
+    }
+    const window = filtered.slice(startIndex, endIndex);
+    const page = window.slice(0, limit);
+    const hasMore = window.length > limit;
+    const hasPrev = startIndex > 0;
+    return {
+        data: page,
+        list_metadata: {
+            before: page.length > 0 && hasPrev ? page[0].id : null,
+            after: page.length > 0 && hasMore ? page[page.length - 1].id : null,
+        },
+    };
+}
+//# sourceMappingURL=pagination.js.map

package/dist/emulate/core/pagination.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pagination.js","sourceRoot":"","sources":["../../../src/emulate/core/pagination.ts"],"names":[],"mappings":"AAuBA,MAAM,UAAU,cAAc,CAC5B,KAAU,EACV,UAAsC,EAAE;IAExC,IAAI,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IAE1E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,MAAM,CAAC;IACtC,MAAM,WAAW,GAAG,CAAC,CAAI,EAAE,CAAI,EAAE,EAAE,CACjC,KAAK,KAAK,MAAM;QACd,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAE3E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC,CAAC;IAE3C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAE9D,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC;IAE/B,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,UAAU,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;QAC3E,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;YACtB,UAAU,GAAG,UAAU,GAAG,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7E,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;YACvB,QAAQ,GAAG,WAAW,CAAC;QACzB,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAEpC,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC;IACtC,MAAM,OAAO,GAAG,UAAU,GAAG,CAAC,CAAC;IAE/B,OAAO;QACL,IAAI,EAAE,IAAI;QACV,aAAa,EAAE;YACb,MAAM,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI;YACtD,KAAK,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI;SACpE;KACF,CAAC;AACJ,CAAC","sourcesContent":["export interface Entity {\n  id: string;\n  created_at: string;\n  updated_at: string;\n}\n\nexport interface CursorPaginationOptions<T> {\n  filter?: (item: T) => boolean;\n  sort?: (a: T, b: T) => number;\n  limit?: number;\n  order?: 'asc' | 'desc';\n  before?: string;\n  after?: string;\n}\n\nexport interface CursorPaginatedResult<T> {\n  data: T[];\n  list_metadata: {\n    before: string | null;\n    after: string | null;\n  };\n}\n\nexport function cursorPaginate<T extends Entity>(\n  items: T[],\n  options: CursorPaginationOptions<T> = {},\n): CursorPaginatedResult<T> {\n  let filtered = options.filter ? items.filter(options.filter) : [...items];\n\n  const order = options.order ?? 'desc';\n  const defaultSort = (a: T, b: T) =>\n    order === 'desc'\n      ? b.created_at.localeCompare(a.created_at) || b.id.localeCompare(a.id)\n      : a.created_at.localeCompare(b.created_at) || a.id.localeCompare(b.id);\n\n  filtered.sort(options.sort ?? defaultSort);\n\n  const limit = Math.max(1, Math.min(options.limit ?? 10, 100));\n\n  let startIndex = 0;\n  let endIndex = filtered.length;\n\n  if (options.after) {\n    const afterIndex = filtered.findIndex((item) => item.id === options.after);\n    if (afterIndex !== -1) {\n      startIndex = afterIndex + 1;\n    }\n  }\n\n  if (options.before) {\n    const beforeIndex = filtered.findIndex((item) => item.id === options.before);\n    if (beforeIndex !== -1) {\n      endIndex = beforeIndex;\n    }\n  }\n\n  const window = filtered.slice(startIndex, endIndex);\n  const page = window.slice(0, limit);\n\n  const hasMore = window.length > limit;\n  const hasPrev = startIndex > 0;\n\n  return {\n    data: page,\n    list_metadata: {\n      before: page.length > 0 && hasPrev ? page[0].id : null,\n      after: page.length > 0 && hasMore ? page[page.length - 1].id : null,\n    },\n  };\n}\n"]}

package/dist/emulate/core/plugin.d.ts

@@ -0,0 +1,15 @@
+import type { Hono } from 'hono';
+import type { Store } from './store.js';
+import type { JWTManager } from './jwt.js';
+import type { WorkOSAppEnv } from './middleware/auth.js';
+export interface RouteContext {
+    app: Hono<WorkOSAppEnv>;
+    store: Store;
+    jwt: JWTManager;
+    baseUrl: string;
+}
+export interface ServicePlugin {
+    name: string;
+    register(ctx: RouteContext): void;
+    seed?(store: Store, baseUrl: string): void;
+}

package/dist/emulate/core/plugin.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=plugin.js.map

package/dist/emulate/core/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.js","sourceRoot":"","sources":["../../../src/emulate/core/plugin.ts"],"names":[],"mappings":"","sourcesContent":["import type { Hono } from 'hono';\nimport type { Store } from './store.js';\nimport type { JWTManager } from './jwt.js';\nimport type { WorkOSAppEnv } from './middleware/auth.js';\n\nexport interface RouteContext {\n  app: Hono<WorkOSAppEnv>;\n  store: Store;\n  jwt: JWTManager;\n  baseUrl: string;\n}\n\nexport interface ServicePlugin {\n  name: string;\n  register(ctx: RouteContext): void;\n  seed?(store: Store, baseUrl: string): void;\n}\n"]}

package/dist/emulate/core/server.d.ts

@@ -0,0 +1,17 @@
+import { Hono } from 'hono';
+import { Store } from './store.js';
+import { JWTManager } from './jwt.js';
+import { type ApiKeyMap, type WorkOSAppEnv } from './middleware/auth.js';
+import type { ServicePlugin } from './plugin.js';
+export interface ServerOptions {
+    port?: number;
+    baseUrl?: string;
+    apiKeys?: ApiKeyMap;
+}
+export declare function createServer(plugin: ServicePlugin, options?: ServerOptions): {
+    app: Hono<WorkOSAppEnv, import("hono/types").BlankSchema, "/">;
+    store: Store;
+    jwt: JWTManager;
+    port: number;
+    baseUrl: string;
+};

package/dist/emulate/core/server.js

@@ -0,0 +1,116 @@
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { Store } from './store.js';
+import { JWTManager } from './jwt.js';
+import { createApiErrorHandler, requestIdMiddleware } from './middleware/error-handler.js';
+import { authMiddleware } from './middleware/auth.js';
+export function createServer(plugin, options = {}) {
+    const port = options.port ?? 4100;
+    const baseUrl = options.baseUrl ?? `http://localhost:${port}`;
+    const app = new Hono();
+    const store = new Store();
+    const jwt = new JWTManager(baseUrl);
+    const apiKeys = options.apiKeys ?? {
+        sk_test_default: { environment: 'test' },
+    };
+    app.onError(createApiErrorHandler());
+    app.use('*', cors());
+    app.use('*', requestIdMiddleware());
+    // JWKS endpoint (public, no auth)
+    app.get('/sso/jwks/:client_id', (c) => {
+        return c.json(jwt.getJWKS());
+    });
+    // Auth middleware for API routes
+    app.use('/api/*', authMiddleware(apiKeys));
+    app.use('/user_management/*', async (c, next) => {
+        const path = new URL(c.req.url).pathname;
+        // Public endpoints (no auth required)
+        if (path === '/user_management/authorize' ||
+            path === '/user_management/authenticate' ||
+            path === '/user_management/sessions/logout' ||
+            path.startsWith('/user_management/sessions/jwks/')) {
+            return next();
+        }
+        return authMiddleware(apiKeys)(c, next);
+    });
+    app.use('/x/authkit/*', authMiddleware(apiKeys));
+    app.use('/organizations', authMiddleware(apiKeys));
+    app.use('/organizations/*', authMiddleware(apiKeys));
+    app.use('/organization_memberships', authMiddleware(apiKeys));
+    app.use('/organization_memberships/*', authMiddleware(apiKeys));
+    app.use('/organization_domains', authMiddleware(apiKeys));
+    app.use('/organization_domains/*', authMiddleware(apiKeys));
+    app.use('/connections', authMiddleware(apiKeys));
+    app.use('/connections/*', authMiddleware(apiKeys));
+    app.use('/directories', authMiddleware(apiKeys));
+    app.use('/directories/*', authMiddleware(apiKeys));
+    app.use('/directory_groups', authMiddleware(apiKeys));
+    app.use('/directory_groups/*', authMiddleware(apiKeys));
+    app.use('/directory_users', authMiddleware(apiKeys));
+    app.use('/directory_users/*', authMiddleware(apiKeys));
+    app.use('/events', authMiddleware(apiKeys));
+    app.use('/events/*', authMiddleware(apiKeys));
+    app.use('/pipes/*', authMiddleware(apiKeys));
+    app.use('/audit_logs/*', authMiddleware(apiKeys));
+    app.use('/feature-flags', authMiddleware(apiKeys));
+    app.use('/feature-flags/*', authMiddleware(apiKeys));
+    app.use('/connect/*', authMiddleware(apiKeys));
+    app.use('/data-integrations/*', async (c, next) => {
+        const path = new URL(c.req.url).pathname;
+        if (path.endsWith('/authorize'))
+            return next();
+        return authMiddleware(apiKeys)(c, next);
+    });
+    app.use('/radar/*', authMiddleware(apiKeys));
+    app.use('/api_keys', authMiddleware(apiKeys));
+    app.use('/api_keys/*', authMiddleware(apiKeys));
+    app.use('/portal/*', authMiddleware(apiKeys));
+    app.use('/webhook_endpoints', authMiddleware(apiKeys));
+    app.use('/webhook_endpoints/*', authMiddleware(apiKeys));
+    app.use('/auth/factors', authMiddleware(apiKeys));
+    app.use('/auth/factors/*', authMiddleware(apiKeys));
+    app.use('/auth/challenges/*', authMiddleware(apiKeys));
+    // Rate limiting
+    const rateLimitCounters = new Map();
+    let lastPruneAt = Math.floor(Date.now() / 1000);
+    app.use('*', async (c, next) => {
+        const auth = c.get('auth');
+        const key = auth?.apiKey ?? '__anonymous__';
+        const now = Math.floor(Date.now() / 1000);
+        if (now - lastPruneAt > 3600) {
+            for (const [k, val] of rateLimitCounters) {
+                if (val.resetAt <= now)
+                    rateLimitCounters.delete(k);
+            }
+            lastPruneAt = now;
+        }
+        let counter = rateLimitCounters.get(key);
+        if (!counter || counter.resetAt <= now) {
+            counter = { remaining: 1000, resetAt: now + 60 };
+            rateLimitCounters.set(key, counter);
+        }
+        counter.remaining = Math.max(0, counter.remaining - 1);
+        c.header('X-RateLimit-Limit', '1000');
+        c.header('X-RateLimit-Remaining', String(counter.remaining));
+        c.header('X-RateLimit-Reset', String(counter.resetAt));
+        if (counter.remaining === 0) {
+            c.header('Retry-After', String(counter.resetAt - now));
+            return c.json({
+                message: 'Too Many Requests',
+                code: 'rate_limit_exceeded',
+            }, 429);
+        }
+        await next();
+    });
+    // Store API key map for route access
+    store.setData('apiKeyMap', apiKeys);
+    // Register plugin routes
+    plugin.register({ app, store, jwt, baseUrl });
+    // Not found handler
+    app.notFound((c) => c.json({
+        message: 'Not Found',
+        code: 'not_found',
+    }, 404));
+    return { app, store, jwt, port, baseUrl };
+}
+//# sourceMappingURL=server.js.map

package/dist/emulate/core/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/emulate/core/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAC3F,OAAO,EAAE,cAAc,EAAqC,MAAM,sBAAsB,CAAC;AASzF,MAAM,UAAU,YAAY,CAAC,MAAqB,EAAE,UAAyB,EAAE;IAC7E,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,oBAAoB,IAAI,EAAE,CAAC;IAE9D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAgB,CAAC;IACrC,MAAM,KAAK,GAAG,IAAI,KAAK,EAAE,CAAC;IAC1B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;IAEpC,MAAM,OAAO,GAAc,OAAO,CAAC,OAAO,IAAI;QAC5C,eAAe,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE;KACzC,CAAC;IAEF,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;IACrC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACrB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,mBAAmB,EAAE,CAAC,CAAC;IAEpC,kCAAkC;IAClC,GAAG,CAAC,GAAG,CAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;QACpC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,iCAAiC;IACjC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3C,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACzC,sCAAsC;QACtC,IACE,IAAI,KAAK,4BAA4B;YACrC,IAAI,KAAK,+BAA+B;YACxC,IAAI,KAAK,kCAAkC;YAC3C,IAAI,CAAC,UAAU,CAAC,iCAAiC,CAAC,EAClD,CAAC;YACD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QACD,OAAO,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACjD,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACnD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACrD,GAAG,CAAC,GAAG,CAAC,2BAA2B,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9D,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAChE,GAAG,CAAC,GAAG,CAAC,uBAAuB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1D,GAAG,CAAC,GAAG,CAAC,yBAAyB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACjD,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACnD,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACjD,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACnD,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACtD,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACrD,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACvD,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9C,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC7C,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAClD,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACnD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACrD,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/C,GAAG,CAAC,GAAG,CAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAChD,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACzC,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;YAAE,OAAO,IAAI,EAAE,CAAC;QAC/C,OAAO,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC7C,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9C,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAChD,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9C,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACvD,GAAG,CAAC,GAAG,CAAC,sBAAsB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACzD,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAClD,GAAG,CAAC,GAAG,CAAC,iBAAiB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;IAEvD,gBAAgB;IAChB,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAkD,CAAC;IACpF,IAAI,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEhD,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7B,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3B,MAAM,GAAG,GAAG,IAAI,EAAE,MAAM,IAAI,eAAe,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,IAAI,GAAG,GAAG,WAAW,GAAG,IAAI,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,iBAAiB,EAAE,CAAC;gBACzC,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG;oBAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACtD,CAAC;YACD,WAAW,GAAG,GAAG,CAAC;QACpB,CAAC;QAED,IAAI,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;YACvC,OAAO,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,GAAG,EAAE,EAAE,CAAC;YACjD,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACtC,CAAC;QAED,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;QAEvD,CAAC,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QAC7D,CAAC,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;QAEvD,IAAI,OAAO,CAAC,SAAS,KAAK,CAAC,EAAE,CAAC;YAC5B,CAAC,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,OAAO,EAAE,mBAAmB;gBAC5B,IAAI,EAAE,qBAAqB;aAC5B,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,qCAAqC;IACrC,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAEpC,yBAAyB;IACzB,MAAM,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAE9C,oBAAoB;IACpB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CACjB,CAAC,CAAC,IAAI,CACJ;QACE,OAAO,EAAE,WAAW;QACpB,IAAI,EAAE,WAAW;KAClB,EACD,GAAG,CACJ,CACF,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC","sourcesContent":["import { Hono } from 'hono';\nimport { cors } from 'hono/cors';\nimport { Store } from './store.js';\nimport { JWTManager } from './jwt.js';\nimport { createApiErrorHandler, requestIdMiddleware } from './middleware/error-handler.js';\nimport { authMiddleware, type ApiKeyMap, type WorkOSAppEnv } from './middleware/auth.js';\nimport type { ServicePlugin } from './plugin.js';\n\nexport interface ServerOptions {\n  port?: number;\n  baseUrl?: string;\n  apiKeys?: ApiKeyMap;\n}\n\nexport function createServer(plugin: ServicePlugin, options: ServerOptions = {}) {\n  const port = options.port ?? 4100;\n  const baseUrl = options.baseUrl ?? `http://localhost:${port}`;\n\n  const app = new Hono<WorkOSAppEnv>();\n  const store = new Store();\n  const jwt = new JWTManager(baseUrl);\n\n  const apiKeys: ApiKeyMap = options.apiKeys ?? {\n    sk_test_default: { environment: 'test' },\n  };\n\n  app.onError(createApiErrorHandler());\n  app.use('*', cors());\n  app.use('*', requestIdMiddleware());\n\n  // JWKS endpoint (public, no auth)\n  app.get('/sso/jwks/:client_id', (c) => {\n    return c.json(jwt.getJWKS());\n  });\n\n  // Auth middleware for API routes\n  app.use('/api/*', authMiddleware(apiKeys));\n  app.use('/user_management/*', async (c, next) => {\n    const path = new URL(c.req.url).pathname;\n    // Public endpoints (no auth required)\n    if (\n      path === '/user_management/authorize' ||\n      path === '/user_management/authenticate' ||\n      path === '/user_management/sessions/logout' ||\n      path.startsWith('/user_management/sessions/jwks/')\n    ) {\n      return next();\n    }\n    return authMiddleware(apiKeys)(c, next);\n  });\n  app.use('/x/authkit/*', authMiddleware(apiKeys));\n  app.use('/organizations', authMiddleware(apiKeys));\n  app.use('/organizations/*', authMiddleware(apiKeys));\n  app.use('/organization_memberships', authMiddleware(apiKeys));\n  app.use('/organization_memberships/*', authMiddleware(apiKeys));\n  app.use('/organization_domains', authMiddleware(apiKeys));\n  app.use('/organization_domains/*', authMiddleware(apiKeys));\n  app.use('/connections', authMiddleware(apiKeys));\n  app.use('/connections/*', authMiddleware(apiKeys));\n  app.use('/directories', authMiddleware(apiKeys));\n  app.use('/directories/*', authMiddleware(apiKeys));\n  app.use('/directory_groups', authMiddleware(apiKeys));\n  app.use('/directory_groups/*', authMiddleware(apiKeys));\n  app.use('/directory_users', authMiddleware(apiKeys));\n  app.use('/directory_users/*', authMiddleware(apiKeys));\n  app.use('/events', authMiddleware(apiKeys));\n  app.use('/events/*', authMiddleware(apiKeys));\n  app.use('/pipes/*', authMiddleware(apiKeys));\n  app.use('/audit_logs/*', authMiddleware(apiKeys));\n  app.use('/feature-flags', authMiddleware(apiKeys));\n  app.use('/feature-flags/*', authMiddleware(apiKeys));\n  app.use('/connect/*', authMiddleware(apiKeys));\n  app.use('/data-integrations/*', async (c, next) => {\n    const path = new URL(c.req.url).pathname;\n    if (path.endsWith('/authorize')) return next();\n    return authMiddleware(apiKeys)(c, next);\n  });\n  app.use('/radar/*', authMiddleware(apiKeys));\n  app.use('/api_keys', authMiddleware(apiKeys));\n  app.use('/api_keys/*', authMiddleware(apiKeys));\n  app.use('/portal/*', authMiddleware(apiKeys));\n  app.use('/webhook_endpoints', authMiddleware(apiKeys));\n  app.use('/webhook_endpoints/*', authMiddleware(apiKeys));\n  app.use('/auth/factors', authMiddleware(apiKeys));\n  app.use('/auth/factors/*', authMiddleware(apiKeys));\n  app.use('/auth/challenges/*', authMiddleware(apiKeys));\n\n  // Rate limiting\n  const rateLimitCounters = new Map<string, { remaining: number; resetAt: number }>();\n  let lastPruneAt = Math.floor(Date.now() / 1000);\n\n  app.use('*', async (c, next) => {\n    const auth = c.get('auth');\n    const key = auth?.apiKey ?? '__anonymous__';\n    const now = Math.floor(Date.now() / 1000);\n\n    if (now - lastPruneAt > 3600) {\n      for (const [k, val] of rateLimitCounters) {\n        if (val.resetAt <= now) rateLimitCounters.delete(k);\n      }\n      lastPruneAt = now;\n    }\n\n    let counter = rateLimitCounters.get(key);\n    if (!counter || counter.resetAt <= now) {\n      counter = { remaining: 1000, resetAt: now + 60 };\n      rateLimitCounters.set(key, counter);\n    }\n\n    counter.remaining = Math.max(0, counter.remaining - 1);\n\n    c.header('X-RateLimit-Limit', '1000');\n    c.header('X-RateLimit-Remaining', String(counter.remaining));\n    c.header('X-RateLimit-Reset', String(counter.resetAt));\n\n    if (counter.remaining === 0) {\n      c.header('Retry-After', String(counter.resetAt - now));\n      return c.json(\n        {\n          message: 'Too Many Requests',\n          code: 'rate_limit_exceeded',\n        },\n        429,\n      );\n    }\n\n    await next();\n  });\n\n  // Store API key map for route access\n  store.setData('apiKeyMap', apiKeys);\n\n  // Register plugin routes\n  plugin.register({ app, store, jwt, baseUrl });\n\n  // Not found handler\n  app.notFound((c) =>\n    c.json(\n      {\n        message: 'Not Found',\n        code: 'not_found',\n      },\n      404,\n    ),\n  );\n\n  return { app, store, jwt, port, baseUrl };\n}\n"]}

package/dist/emulate/core/store.d.ts

@@ -0,0 +1,42 @@
+import { type Entity, type CursorPaginationOptions, type CursorPaginatedResult } from './pagination.js';
+export type { Entity };
+export type InsertInput<T extends Entity> = Omit<T, 'id' | 'created_at' | 'updated_at'> & {
+    id?: string;
+};
+export type FilterFn<T> = (item: T) => boolean;
+export type SortFn<T> = (a: T, b: T) => number;
+export interface CollectionHooks<T extends Entity> {
+    onInsert?: (item: T) => void;
+    onUpdate?: (item: T) => void;
+    onDelete?: (item: T) => void;
+}
+export declare class Collection<T extends Entity> {
+    private prefix;
+    private indexFields;
+    private items;
+    private indexes;
+    private hooks;
+    readonly fieldNames: string[];
+    constructor(prefix: string, indexFields?: (keyof T)[]);
+    private addToIndex;
+    private removeFromIndex;
+    insert(data: InsertInput<T>): T;
+    get(id: string): T | undefined;
+    findBy(field: keyof T, value: string | number): T[];
+    findOneBy(field: keyof T, value: string | number): T | undefined;
+    update(id: string, data: Partial<T>): T | undefined;
+    delete(id: string): boolean;
+    setHooks(hooks: CollectionHooks<T>): void;
+    all(): T[];
+    list(options?: CursorPaginationOptions<T>): CursorPaginatedResult<T>;
+    count(filter?: FilterFn<T>): number;
+    clear(): void;
+}
+export declare class Store {
+    private collections;
+    private _data;
+    collection<T extends Entity>(name: string, prefix: string, indexFields?: (keyof T)[]): Collection<T>;
+    getData<V>(key: string): V | undefined;
+    setData<V>(key: string, value: V): void;
+    reset(): void;
+}