workos 0.11.2 → 0.12.0

package/dist/emulate/workos/helpers.js

@@ -0,0 +1,211 @@
+import { randomBytes, createHash, createCipheriv } from 'node:crypto';
+import { WorkOSApiError } from '../core/index.js';
+const INTERNAL_FIELDS = new Set(['password_hash', 'code_challenge', 'code_challenge_method']);
+export function formatEntity(entity, opts) {
+    const exclude = opts?.exclude ?? INTERNAL_FIELDS;
+    const result = {};
+    for (const [key, value] of Object.entries(entity)) {
+        if (!exclude.has(key))
+            result[key] = value;
+    }
+    return result;
+}
+export function formatListResponse(result, formatter) {
+    return {
+        object: 'list',
+        data: result.data.map(formatter),
+        list_metadata: result.list_metadata,
+    };
+}
+export function formatOrganization(org, ws, opts) {
+    const domains = (opts?.domains ?? ws.organizationDomains.findBy('organization_id', org.id)).map(formatDomain);
+    return {
+        object: 'organization',
+        id: org.id,
+        name: org.name,
+        external_id: org.external_id,
+        metadata: org.metadata,
+        domains,
+        stripe_customer_id: org.stripe_customer_id,
+        created_at: org.created_at,
+        updated_at: org.updated_at,
+    };
+}
+export function formatDomain(domain) {
+    return formatEntity(domain);
+}
+export function formatMembership(m) {
+    return formatEntity(m);
+}
+const USER_EXCLUDE = new Set([...INTERNAL_FIELDS, 'impersonator']);
+export function formatUser(user) {
+    return formatEntity(user, { exclude: USER_EXCLUDE });
+}
+export function formatSession(s) {
+    return formatEntity(s);
+}
+export function formatEmailVerification(ev) {
+    return formatEntity(ev);
+}
+export function formatPasswordReset(pr) {
+    return formatEntity(pr);
+}
+export function formatMagicAuth(ma) {
+    return formatEntity(ma);
+}
+export function formatAuthFactor(f) {
+    return formatEntity(f);
+}
+export function formatIdentity(i) {
+    return formatEntity(i);
+}
+export function generateVerificationToken() {
+    return randomBytes(16).toString('hex');
+}
+export function generateCode() {
+    return String(Math.floor(100000 + Math.random() * 900000));
+}
+export function hashPassword(password) {
+    return createHash('sha256').update(password).digest('hex');
+}
+export function verifyPassword(password, hash) {
+    return hashPassword(password) === hash;
+}
+export function expiresIn(minutes) {
+    return new Date(Date.now() + minutes * 60 * 1000).toISOString();
+}
+export function isExpired(expiresAt) {
+    return new Date(expiresAt).getTime() < Date.now();
+}
+export function formatConnection(conn) {
+    return formatEntity(conn);
+}
+export function formatSSOProfile(p) {
+    return formatEntity(p);
+}
+export function formatPipeConnection(pc) {
+    return formatEntity(pc);
+}
+export function formatInvitation(inv) {
+    return formatEntity(inv);
+}
+export function formatRedirectUri(r) {
+    return formatEntity(r);
+}
+export function formatCorsOrigin(o) {
+    return formatEntity(o);
+}
+export function formatAuthorizedApplication(a) {
+    return formatEntity(a);
+}
+export function formatConnectedAccount(a) {
+    return formatEntity(a);
+}
+/** Allowed redirect URI hosts for the emulator's authorize endpoints. */
+const ALLOWED_REDIRECT_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
+/**
+ * Validate that a redirect_uri points to a localhost origin.
+ * Prevents the emulator from being used as an open redirect.
+ */
+export function assertLocalRedirectUri(uri) {
+    let parsed;
+    try {
+        parsed = new URL(uri);
+    }
+    catch {
+        throw new WorkOSApiError(400, 'Invalid redirect_uri', 'invalid_redirect_uri');
+    }
+    if (!ALLOWED_REDIRECT_HOSTS.has(parsed.hostname)) {
+        throw new WorkOSApiError(400, `redirect_uri must point to localhost, got ${parsed.hostname}`, 'invalid_redirect_uri');
+    }
+}
+const AUTH_CHALLENGE_EXCLUDE = new Set([...INTERNAL_FIELDS, 'code']);
+export function formatAuthChallenge(c) {
+    return formatEntity(c, { exclude: AUTH_CHALLENGE_EXCLUDE });
+}
+export function formatRole(role) {
+    return formatEntity(role);
+}
+export function formatPermission(p) {
+    return formatEntity(p);
+}
+export function formatAuthorizationResource(r) {
+    return formatEntity(r);
+}
+export function formatRoleAssignment(ra) {
+    return formatEntity(ra);
+}
+export function formatDeviceAuthorization(d) {
+    return {
+        device_code: d.device_code,
+        user_code: d.user_code,
+        verification_uri: 'http://localhost:0/user_management/authorize/device/verify',
+        expires_in: Math.max(0, Math.floor((new Date(d.expires_at).getTime() - Date.now()) / 1000)),
+        interval: d.interval,
+    };
+}
+export function formatDirectory(d) {
+    return formatEntity(d);
+}
+export function formatDirectoryUser(u) {
+    return formatEntity(u);
+}
+export function formatDirectoryGroup(g) {
+    return formatEntity(g);
+}
+export function formatAuditLogAction(a) {
+    return formatEntity(a);
+}
+export function formatAuditLogEvent(e) {
+    return formatEntity(e);
+}
+export function formatAuditLogExport(ex) {
+    return formatEntity(ex);
+}
+export function formatFeatureFlag(f) {
+    return formatEntity(f);
+}
+export function formatFlagTarget(t) {
+    return formatEntity(t);
+}
+export function formatConnectApplication(a) {
+    return formatEntity(a);
+}
+const CLIENT_SECRET_EXCLUDE = new Set([...INTERNAL_FIELDS, 'value']);
+export function formatClientSecret(s) {
+    return formatEntity(s, { exclude: CLIENT_SECRET_EXCLUDE });
+}
+export function formatRadarAttempt(a) {
+    return formatEntity(a);
+}
+const API_KEY_EXCLUDE = new Set([...INTERNAL_FIELDS, 'key', 'environment']);
+export function formatApiKeyRecord(k) {
+    return formatEntity(k, { exclude: API_KEY_EXCLUDE });
+}
+const EVENT_EXCLUDE = new Set([...INTERNAL_FIELDS, 'updated_at']);
+export function formatEvent(e) {
+    return formatEntity(e, { exclude: EVENT_EXCLUDE });
+}
+export function formatWebhookEndpoint(ep, opts) {
+    return {
+        object: 'webhook_endpoint',
+        id: ep.id,
+        url: ep.url,
+        secret: opts?.includeSecret ? ep.secret : `${ep.secret.slice(0, 8)}****`,
+        enabled: ep.enabled,
+        events: ep.events,
+        description: ep.description,
+        created_at: ep.created_at,
+        updated_at: ep.updated_at,
+    };
+}
+export function sealSession(data, apiKey) {
+    const key = createHash('sha256').update(apiKey).digest();
+    const iv = randomBytes(12);
+    const cipher = createCipheriv('aes-256-gcm', key, iv);
+    const plaintext = JSON.stringify(data);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([iv, tag, encrypted]).toString('base64');
+}
+//# sourceMappingURL=helpers.js.map

package/dist/emulate/workos/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../src/emulate/workos/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACtE,OAAO,EAAE,cAAc,EAA2C,MAAM,kBAAkB,CAAC;AA2C3F,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS,CAAC,eAAe,EAAE,gBAAgB,EAAE,uBAAuB,CAAC,CAAC,CAAC;AAEtG,MAAM,UAAU,YAAY,CAAmB,MAAS,EAAE,IAAgC;IACxF,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,eAAe,CAAC;IACjD,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IAC7C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,MAAgC,EAChC,SAA+C;IAE/C,OAAO;QACL,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;QAChC,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,GAAuB,EACvB,EAAe,EACf,IAA+C;IAE/C,MAAM,OAAO,GAAG,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,iBAAiB,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAE9G,OAAO;QACL,MAAM,EAAE,cAAc;QACtB,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,OAAO;QACP,kBAAkB,EAAE,GAAG,CAAC,kBAAkB;QAC1C,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,UAAU,EAAE,GAAG,CAAC,UAAU;KAC3B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAgC;IAC3D,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAA+B;IAC9D,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,eAAe,EAAE,cAAc,CAAC,CAAC,CAAC;AAEnE,MAAM,UAAU,UAAU,CAAC,IAAgB;IACzC,OAAO,YAAY,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAgB;IAC5C,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,EAA2B;IACjE,OAAO,YAAY,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,EAAuB;IACzD,OAAO,YAAY,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,EAAmB;IACjD,OAAO,YAAY,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAA6B;IAC5D,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,CAAiB;IAC9C,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,QAAgB,EAAE,IAAY;IAC3D,OAAO,YAAY,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,OAAe;IACvC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,SAAiB;IACzC,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,IAAsB;IACrD,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAmB;IAClD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,EAAwB;IAC3D,OAAO,YAAY,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAqB;IACpD,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,CAAoB;IACpD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAmB;IAClD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,CAA8B;IACxE,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,CAAyB;IAC9D,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,yEAAyE;AACzE,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;AAE5E;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,GAAW;IAChD,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,sBAAsB,EAAE,sBAAsB,CAAC,CAAC;IAChF,CAAC;IACD,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,cAAc,CACtB,GAAG,EACH,6CAA6C,MAAM,CAAC,QAAQ,EAAE,EAC9D,sBAAsB,CACvB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;AAErE,MAAM,UAAU,mBAAmB,CAAC,CAAgC;IAClE,OAAO,YAAY,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAgB;IACzC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAmB;IAClD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,CAA8B;IACxE,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,EAAwB;IAC3D,OAAO,YAAY,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,CAA4B;IACpE,OAAO;QACL,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,gBAAgB,EAAE,4DAA4D;QAC9E,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3F,QAAQ,EAAE,CAAC,CAAC,QAAQ;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,CAAkB;IAChD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,CAAsB;IACxD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,CAAuB;IAC1D,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,CAAuB;IAC1D,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,CAAsB;IACxD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,EAAwB;IAC3D,OAAO,YAAY,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,CAAoB;IACpD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAmB;IAClD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,CAA2B;IAClE,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC;AAErE,MAAM,UAAU,kBAAkB,CAAC,CAAqB;IACtD,OAAO,YAAY,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,CAAqB;IACtD,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,eAAe,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;AAE5E,MAAM,UAAU,kBAAkB,CAAC,CAAe;IAChD,OAAO,YAAY,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,eAAe,EAAE,YAAY,CAAC,CAAC,CAAC;AAElE,MAAM,UAAU,WAAW,CAAC,CAAc;IACxC,OAAO,YAAY,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,EAAyB,EACzB,IAAkC;IAElC,OAAO;QACL,MAAM,EAAE,kBAAkB;QAC1B,EAAE,EAAE,EAAE,CAAC,EAAE;QACT,GAAG,EAAE,EAAE,CAAC,GAAG;QACX,MAAM,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM;QACxE,OAAO,EAAE,EAAE,CAAC,OAAO;QACnB,MAAM,EAAE,EAAE,CAAC,MAAM;QACjB,WAAW,EAAE,EAAE,CAAC,WAAW;QAC3B,UAAU,EAAE,EAAE,CAAC,UAAU;QACzB,UAAU,EAAE,EAAE,CAAC,UAAU;KAC1B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,IAAyE,EACzE,MAAc;IAEd,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;IACzD,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAChE,CAAC","sourcesContent":["import { randomBytes, createHash, createCipheriv } from 'node:crypto';\nimport { WorkOSApiError, type CursorPaginatedResult, type Entity } from '../core/index.js';\nimport type { WorkOSStore } from './store.js';\nimport type {\n  WorkOSOrganization,\n  WorkOSOrganizationDomain,\n  WorkOSOrganizationMembership,\n  WorkOSUser,\n  WorkOSSession,\n  WorkOSEmailVerification,\n  WorkOSPasswordReset,\n  WorkOSMagicAuth,\n  WorkOSAuthenticationFactor,\n  WorkOSIdentity,\n  WorkOSConnection,\n  WorkOSSSOProfile,\n  WorkOSPipeConnection,\n  WorkOSInvitation,\n  WorkOSRedirectUri,\n  WorkOSCorsOrigin,\n  WorkOSAuthorizedApplication,\n  WorkOSConnectedAccount,\n  WorkOSAuthenticationChallenge,\n  WorkOSDeviceAuthorization,\n  WorkOSRole,\n  WorkOSPermission,\n  WorkOSAuthorizationResource,\n  WorkOSRoleAssignment,\n  WorkOSDirectory,\n  WorkOSDirectoryUser,\n  WorkOSDirectoryGroup,\n  WorkOSAuditLogAction,\n  WorkOSAuditLogEvent,\n  WorkOSAuditLogExport,\n  WorkOSFeatureFlag,\n  WorkOSFlagTarget,\n  WorkOSConnectApplication,\n  WorkOSClientSecret,\n  WorkOSRadarAttempt,\n  WorkOSApiKey,\n  WorkOSEvent,\n  WorkOSWebhookEndpoint,\n} from './entities.js';\n\nconst INTERNAL_FIELDS = new Set<string>(['password_hash', 'code_challenge', 'code_challenge_method']);\n\nexport function formatEntity<T extends Entity>(entity: T, opts?: { exclude?: Set<string> }): Record<string, unknown> {\n  const exclude = opts?.exclude ?? INTERNAL_FIELDS;\n  const result: Record<string, unknown> = {};\n  for (const [key, value] of Object.entries(entity)) {\n    if (!exclude.has(key)) result[key] = value;\n  }\n  return result;\n}\n\nexport function formatListResponse<T>(\n  result: CursorPaginatedResult<T>,\n  formatter: (item: T) => Record<string, unknown>,\n): { object: 'list'; data: Record<string, unknown>[]; list_metadata: { before: string | null; after: string | null } } {\n  return {\n    object: 'list',\n    data: result.data.map(formatter),\n    list_metadata: result.list_metadata,\n  };\n}\n\nexport function formatOrganization(\n  org: WorkOSOrganization,\n  ws: WorkOSStore,\n  opts?: { domains?: WorkOSOrganizationDomain[] },\n): Record<string, unknown> {\n  const domains = (opts?.domains ?? ws.organizationDomains.findBy('organization_id', org.id)).map(formatDomain);\n\n  return {\n    object: 'organization',\n    id: org.id,\n    name: org.name,\n    external_id: org.external_id,\n    metadata: org.metadata,\n    domains,\n    stripe_customer_id: org.stripe_customer_id,\n    created_at: org.created_at,\n    updated_at: org.updated_at,\n  };\n}\n\nexport function formatDomain(domain: WorkOSOrganizationDomain): Record<string, unknown> {\n  return formatEntity(domain);\n}\n\nexport function formatMembership(m: WorkOSOrganizationMembership): Record<string, unknown> {\n  return formatEntity(m);\n}\n\nconst USER_EXCLUDE = new Set([...INTERNAL_FIELDS, 'impersonator']);\n\nexport function formatUser(user: WorkOSUser): Record<string, unknown> {\n  return formatEntity(user, { exclude: USER_EXCLUDE });\n}\n\nexport function formatSession(s: WorkOSSession): Record<string, unknown> {\n  return formatEntity(s);\n}\n\nexport function formatEmailVerification(ev: WorkOSEmailVerification): Record<string, unknown> {\n  return formatEntity(ev);\n}\n\nexport function formatPasswordReset(pr: WorkOSPasswordReset): Record<string, unknown> {\n  return formatEntity(pr);\n}\n\nexport function formatMagicAuth(ma: WorkOSMagicAuth): Record<string, unknown> {\n  return formatEntity(ma);\n}\n\nexport function formatAuthFactor(f: WorkOSAuthenticationFactor): Record<string, unknown> {\n  return formatEntity(f);\n}\n\nexport function formatIdentity(i: WorkOSIdentity): Record<string, unknown> {\n  return formatEntity(i);\n}\n\nexport function generateVerificationToken(): string {\n  return randomBytes(16).toString('hex');\n}\n\nexport function generateCode(): string {\n  return String(Math.floor(100000 + Math.random() * 900000));\n}\n\nexport function hashPassword(password: string): string {\n  return createHash('sha256').update(password).digest('hex');\n}\n\nexport function verifyPassword(password: string, hash: string): boolean {\n  return hashPassword(password) === hash;\n}\n\nexport function expiresIn(minutes: number): string {\n  return new Date(Date.now() + minutes * 60 * 1000).toISOString();\n}\n\nexport function isExpired(expiresAt: string): boolean {\n  return new Date(expiresAt).getTime() < Date.now();\n}\n\nexport function formatConnection(conn: WorkOSConnection): Record<string, unknown> {\n  return formatEntity(conn);\n}\n\nexport function formatSSOProfile(p: WorkOSSSOProfile): Record<string, unknown> {\n  return formatEntity(p);\n}\n\nexport function formatPipeConnection(pc: WorkOSPipeConnection): Record<string, unknown> {\n  return formatEntity(pc);\n}\n\nexport function formatInvitation(inv: WorkOSInvitation): Record<string, unknown> {\n  return formatEntity(inv);\n}\n\nexport function formatRedirectUri(r: WorkOSRedirectUri): Record<string, unknown> {\n  return formatEntity(r);\n}\n\nexport function formatCorsOrigin(o: WorkOSCorsOrigin): Record<string, unknown> {\n  return formatEntity(o);\n}\n\nexport function formatAuthorizedApplication(a: WorkOSAuthorizedApplication): Record<string, unknown> {\n  return formatEntity(a);\n}\n\nexport function formatConnectedAccount(a: WorkOSConnectedAccount): Record<string, unknown> {\n  return formatEntity(a);\n}\n\n/** Allowed redirect URI hosts for the emulator's authorize endpoints. */\nconst ALLOWED_REDIRECT_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);\n\n/**\n * Validate that a redirect_uri points to a localhost origin.\n * Prevents the emulator from being used as an open redirect.\n */\nexport function assertLocalRedirectUri(uri: string): void {\n  let parsed: URL;\n  try {\n    parsed = new URL(uri);\n  } catch {\n    throw new WorkOSApiError(400, 'Invalid redirect_uri', 'invalid_redirect_uri');\n  }\n  if (!ALLOWED_REDIRECT_HOSTS.has(parsed.hostname)) {\n    throw new WorkOSApiError(\n      400,\n      `redirect_uri must point to localhost, got ${parsed.hostname}`,\n      'invalid_redirect_uri',\n    );\n  }\n}\n\nconst AUTH_CHALLENGE_EXCLUDE = new Set([...INTERNAL_FIELDS, 'code']);\n\nexport function formatAuthChallenge(c: WorkOSAuthenticationChallenge): Record<string, unknown> {\n  return formatEntity(c, { exclude: AUTH_CHALLENGE_EXCLUDE });\n}\n\nexport function formatRole(role: WorkOSRole): Record<string, unknown> {\n  return formatEntity(role);\n}\n\nexport function formatPermission(p: WorkOSPermission): Record<string, unknown> {\n  return formatEntity(p);\n}\n\nexport function formatAuthorizationResource(r: WorkOSAuthorizationResource): Record<string, unknown> {\n  return formatEntity(r);\n}\n\nexport function formatRoleAssignment(ra: WorkOSRoleAssignment): Record<string, unknown> {\n  return formatEntity(ra);\n}\n\nexport function formatDeviceAuthorization(d: WorkOSDeviceAuthorization): Record<string, unknown> {\n  return {\n    device_code: d.device_code,\n    user_code: d.user_code,\n    verification_uri: 'http://localhost:0/user_management/authorize/device/verify',\n    expires_in: Math.max(0, Math.floor((new Date(d.expires_at).getTime() - Date.now()) / 1000)),\n    interval: d.interval,\n  };\n}\n\nexport function formatDirectory(d: WorkOSDirectory): Record<string, unknown> {\n  return formatEntity(d);\n}\n\nexport function formatDirectoryUser(u: WorkOSDirectoryUser): Record<string, unknown> {\n  return formatEntity(u);\n}\n\nexport function formatDirectoryGroup(g: WorkOSDirectoryGroup): Record<string, unknown> {\n  return formatEntity(g);\n}\n\nexport function formatAuditLogAction(a: WorkOSAuditLogAction): Record<string, unknown> {\n  return formatEntity(a);\n}\n\nexport function formatAuditLogEvent(e: WorkOSAuditLogEvent): Record<string, unknown> {\n  return formatEntity(e);\n}\n\nexport function formatAuditLogExport(ex: WorkOSAuditLogExport): Record<string, unknown> {\n  return formatEntity(ex);\n}\n\nexport function formatFeatureFlag(f: WorkOSFeatureFlag): Record<string, unknown> {\n  return formatEntity(f);\n}\n\nexport function formatFlagTarget(t: WorkOSFlagTarget): Record<string, unknown> {\n  return formatEntity(t);\n}\n\nexport function formatConnectApplication(a: WorkOSConnectApplication): Record<string, unknown> {\n  return formatEntity(a);\n}\n\nconst CLIENT_SECRET_EXCLUDE = new Set([...INTERNAL_FIELDS, 'value']);\n\nexport function formatClientSecret(s: WorkOSClientSecret): Record<string, unknown> {\n  return formatEntity(s, { exclude: CLIENT_SECRET_EXCLUDE });\n}\n\nexport function formatRadarAttempt(a: WorkOSRadarAttempt): Record<string, unknown> {\n  return formatEntity(a);\n}\n\nconst API_KEY_EXCLUDE = new Set([...INTERNAL_FIELDS, 'key', 'environment']);\n\nexport function formatApiKeyRecord(k: WorkOSApiKey): Record<string, unknown> {\n  return formatEntity(k, { exclude: API_KEY_EXCLUDE });\n}\n\nconst EVENT_EXCLUDE = new Set([...INTERNAL_FIELDS, 'updated_at']);\n\nexport function formatEvent(e: WorkOSEvent): Record<string, unknown> {\n  return formatEntity(e, { exclude: EVENT_EXCLUDE });\n}\n\nexport function formatWebhookEndpoint(\n  ep: WorkOSWebhookEndpoint,\n  opts?: { includeSecret?: boolean },\n): Record<string, unknown> {\n  return {\n    object: 'webhook_endpoint',\n    id: ep.id,\n    url: ep.url,\n    secret: opts?.includeSecret ? ep.secret : `${ep.secret.slice(0, 8)}****`,\n    enabled: ep.enabled,\n    events: ep.events,\n    description: ep.description,\n    created_at: ep.created_at,\n    updated_at: ep.updated_at,\n  };\n}\n\nexport function sealSession(\n  data: { access_token: string; refresh_token: string; session_id: string },\n  apiKey: string,\n): string {\n  const key = createHash('sha256').update(apiKey).digest();\n  const iv = randomBytes(12);\n  const cipher = createCipheriv('aes-256-gcm', key, iv);\n  const plaintext = JSON.stringify(data);\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n  const tag = cipher.getAuthTag();\n  return Buffer.concat([iv, tag, encrypted]).toString('base64');\n}\n"]}

package/dist/emulate/workos/index.d.ts

@@ -0,0 +1,91 @@
+import type { ServicePlugin, Store } from '../core/index.js';
+import type { WorkOSConnectionType, PipeProvider, PipeConnectionStatus } from './entities.js';
+export { getWorkOSStore, type WorkOSStore } from './store.js';
+export * from './entities.js';
+export interface WorkOSSeedOrganization {
+    name: string;
+    external_id?: string;
+    metadata?: Record<string, string>;
+    domains?: Array<{
+        domain: string;
+        state?: 'verified' | 'pending';
+    }>;
+    memberships?: Array<{
+        user_id: string;
+        role?: string;
+        status?: 'active' | 'inactive' | 'pending';
+    }>;
+}
+export interface WorkOSSeedUser {
+    email: string;
+    first_name?: string;
+    last_name?: string;
+    password?: string;
+    email_verified?: boolean;
+    external_id?: string;
+    metadata?: Record<string, string>;
+    impersonator?: {
+        email: string;
+        reason: string;
+    };
+}
+export interface WorkOSSeedConnection {
+    name: string;
+    connection_type?: WorkOSConnectionType;
+    organization: string;
+    state?: 'active' | 'inactive' | 'validating';
+    domains?: string[];
+    profiles?: Array<{
+        email: string;
+        first_name?: string;
+        last_name?: string;
+        idp_id?: string;
+        groups?: string[];
+    }>;
+}
+export interface WorkOSSeedPipeConnection {
+    user_id: string;
+    provider: PipeProvider;
+    scopes: string[];
+    status?: PipeConnectionStatus;
+    external_account_id?: string;
+}
+export interface WorkOSSeedInvitation {
+    email: string;
+    organization_id?: string;
+    inviter_user_id?: string;
+    role_slug?: string;
+}
+export interface WorkOSSeedRole {
+    slug: string;
+    name: string;
+    description?: string;
+    type?: 'EnvironmentRole' | 'OrganizationRole';
+    organization_id?: string;
+    is_default_role?: boolean;
+    priority?: number;
+    permissions?: string[];
+}
+export interface WorkOSSeedPermission {
+    slug: string;
+    name: string;
+    description?: string;
+}
+export interface WorkOSSeedWebhookEndpoint {
+    url: string;
+    events?: string[];
+    enabled?: boolean;
+}
+export interface WorkOSSeedConfig {
+    organizations?: WorkOSSeedOrganization[];
+    users?: WorkOSSeedUser[];
+    connections?: WorkOSSeedConnection[];
+    pipeConnections?: WorkOSSeedPipeConnection[];
+    invitations?: WorkOSSeedInvitation[];
+    roles?: WorkOSSeedRole[];
+    permissions?: WorkOSSeedPermission[];
+    webhookEndpoints?: WorkOSSeedWebhookEndpoint[];
+}
+export declare function seedFromConfig(store: Store, _baseUrl: string, config: WorkOSSeedConfig): void;
+export declare const workosPlugin: ServicePlugin;
+export default workosPlugin;

package/dist/emulate/workos/index.js

@@ -0,0 +1,322 @@
+import { randomBytes } from 'node:crypto';
+import { generateId } from '../core/index.js';
+import { getWorkOSStore } from './store.js';
+import { organizationRoutes } from './routes/organizations.js';
+import { organizationDomainRoutes } from './routes/organization-domains.js';
+import { membershipRoutes } from './routes/memberships.js';
+import { userRoutes } from './routes/users.js';
+import { emailVerificationRoutes } from './routes/email-verification.js';
+import { passwordResetRoutes } from './routes/password-reset.js';
+import { magicAuthRoutes } from './routes/magic-auth.js';
+import { authFactorRoutes } from './routes/auth-factors.js';
+import { sessionRoutes } from './routes/sessions.js';
+import { authRoutes } from './routes/auth.js';
+import { connectionRoutes } from './routes/connections.js';
+import { ssoRoutes } from './routes/sso.js';
+import { pipeRoutes } from './routes/pipes.js';
+import { authChallengeRoutes } from './routes/auth-challenges.js';
+import { invitationRoutes } from './routes/invitations.js';
+import { configRoutes } from './routes/config.js';
+import { userFeatureRoutes } from './routes/user-features.js';
+import { widgetRoutes } from './routes/widgets.js';
+import { authorizationRoleRoutes } from './routes/authorization-roles.js';
+import { authorizationPermissionRoutes } from './routes/authorization-permissions.js';
+import { authorizationOrgRoleRoutes } from './routes/authorization-org-roles.js';
+import { authorizationResourceRoutes } from './routes/authorization-resources.js';
+import { authorizationCheckRoutes } from './routes/authorization-checks.js';
+import { portalRoutes } from './routes/portal.js';
+import { legacyMfaRoutes } from './routes/legacy-mfa.js';
+import { apiKeyRoutes } from './routes/api-keys.js';
+import { radarRoutes } from './routes/radar.js';
+import { connectRoutes } from './routes/connect.js';
+import { directoryRoutes } from './routes/directories.js';
+import { auditLogRoutes } from './routes/audit-logs.js';
+import { featureFlagRoutes } from './routes/feature-flags.js';
+import { dataIntegrationRoutes } from './routes/data-integrations.js';
+import { webhookEndpointRoutes } from './routes/webhook-endpoints.js';
+import { eventRoutes } from './routes/events.js';
+import { EventBus } from './event-bus.js';
+import { STORE_KEYS, EVENTS } from './constants.js';
+import { generateVerificationToken, hashPassword, expiresIn, formatUser, formatOrganization, formatMembership, formatConnection, formatSession, formatInvitation, formatRole, formatPermission, formatDirectory, formatDirectoryUser, formatDirectoryGroup, formatDomain, } from './helpers.js';
+export { getWorkOSStore } from './store.js';
+export * from './entities.js';
+export function seedFromConfig(store, _baseUrl, config) {
+    const ws = getWorkOSStore(store);
+    if (config.users) {
+        for (const userConfig of config.users) {
+            ws.users.insert({
+                object: 'user',
+                email: userConfig.email,
+                first_name: userConfig.first_name ?? null,
+                last_name: userConfig.last_name ?? null,
+                email_verified: userConfig.email_verified ?? false,
+                profile_picture_url: null,
+                last_sign_in_at: null,
+                external_id: userConfig.external_id ?? null,
+                metadata: userConfig.metadata ?? {},
+                locale: null,
+                password_hash: userConfig.password ? hashPassword(userConfig.password) : null,
+                impersonator: userConfig.impersonator ?? null,
+            });
+        }
+    }
+    if (config.organizations) {
+        for (const orgConfig of config.organizations) {
+            const org = ws.organizations.insert({
+                object: 'organization',
+                name: orgConfig.name,
+                external_id: orgConfig.external_id ?? null,
+                metadata: orgConfig.metadata ?? {},
+                stripe_customer_id: null,
+            });
+            if (orgConfig.domains) {
+                for (const dd of orgConfig.domains) {
+                    ws.organizationDomains.insert({
+                        object: 'organization_domain',
+                        organization_id: org.id,
+                        domain: dd.domain,
+                        state: dd.state ?? 'pending',
+                        verification_strategy: 'manual',
+                        verification_token: generateVerificationToken(),
+                        verification_prefix: 'workos-verify',
+                    });
+                }
+            }
+            if (orgConfig.memberships) {
+                for (const mm of orgConfig.memberships) {
+                    ws.organizationMemberships.insert({
+                        object: 'organization_membership',
+                        organization_id: org.id,
+                        user_id: mm.user_id,
+                        role: { slug: mm.role ?? 'member' },
+                        status: mm.status ?? 'active',
+                        external_id: null,
+                        metadata: {},
+                    });
+                }
+            }
+        }
+    }
+    if (config.connections) {
+        for (const connConfig of config.connections) {
+            const org = ws.organizations.findOneBy('name', connConfig.organization);
+            if (!org)
+                continue;
+            const domains = (connConfig.domains ?? []).map((d) => ({
+                object: 'connection_domain',
+                id: generateId('conn_domain'),
+                domain: d,
+            }));
+            const conn = ws.connections.insert({
+                object: 'connection',
+                organization_id: org.id,
+                connection_type: connConfig.connection_type ?? 'GenericSAML',
+                name: connConfig.name,
+                state: connConfig.state ?? 'active',
+                domains,
+            });
+            if (connConfig.profiles) {
+                for (const p of connConfig.profiles) {
+                    ws.ssoProfiles.insert({
+                        object: 'profile',
+                        connection_id: conn.id,
+                        connection_type: conn.connection_type,
+                        organization_id: org.id,
+                        idp_id: p.idp_id ?? `idp_${generateId('usr')}`,
+                        email: p.email,
+                        first_name: p.first_name ?? null,
+                        last_name: p.last_name ?? null,
+                        groups: p.groups ?? [],
+                        raw_attributes: { email: p.email },
+                    });
+                }
+            }
+        }
+    }
+    if (config.pipeConnections) {
+        for (const pc of config.pipeConnections) {
+            ws.pipeConnections.insert({
+                object: 'pipe_connection',
+                user_id: pc.user_id,
+                provider: pc.provider,
+                scopes: pc.scopes,
+                status: pc.status ?? 'connected',
+                external_account_id: pc.external_account_id ?? null,
+            });
+        }
+    }
+    if (config.permissions) {
+        for (const permConfig of config.permissions) {
+            ws.permissions.insert({
+                object: 'permission',
+                slug: permConfig.slug,
+                name: permConfig.name,
+                description: permConfig.description ?? null,
+            });
+        }
+    }
+    if (config.roles) {
+        for (const roleConfig of config.roles) {
+            const role = ws.roles.insert({
+                object: 'role',
+                slug: roleConfig.slug,
+                name: roleConfig.name,
+                description: roleConfig.description ?? null,
+                type: roleConfig.type ?? 'EnvironmentRole',
+                organization_id: roleConfig.organization_id ?? null,
+                is_default_role: roleConfig.is_default_role ?? false,
+                priority: roleConfig.priority ?? 0,
+            });
+            if (roleConfig.permissions) {
+                for (const permSlug of roleConfig.permissions) {
+                    const perm = ws.permissions.findOneBy('slug', permSlug);
+                    if (perm) {
+                        ws.rolePermissions.insert({ role_id: role.id, permission_id: perm.id });
+                    }
+                }
+            }
+        }
+    }
+    if (config.invitations) {
+        for (const invConfig of config.invitations) {
+            const token = generateVerificationToken();
+            ws.invitations.insert({
+                object: 'invitation',
+                email: invConfig.email,
+                state: 'pending',
+                token,
+                accept_invitation_url: `${_baseUrl}/user_management/invitations/accept?token=${token}`,
+                organization_id: invConfig.organization_id ?? null,
+                inviter_user_id: invConfig.inviter_user_id ?? null,
+                role_slug: invConfig.role_slug ?? null,
+                expires_at: expiresIn(72 * 60),
+            });
+        }
+    }
+    if (config.webhookEndpoints) {
+        for (const whConfig of config.webhookEndpoints) {
+            ws.webhookEndpoints.insert({
+                object: 'webhook_endpoint',
+                url: whConfig.url,
+                secret: randomBytes(32).toString('hex'),
+                enabled: whConfig.enabled !== false,
+                events: whConfig.events ?? [],
+                description: null,
+            });
+        }
+    }
+}
+export const workosPlugin = {
+    name: 'workos',
+    register(ctx) {
+        organizationRoutes(ctx);
+        organizationDomainRoutes(ctx);
+        membershipRoutes(ctx);
+        userRoutes(ctx);
+        emailVerificationRoutes(ctx);
+        passwordResetRoutes(ctx);
+        magicAuthRoutes(ctx);
+        authFactorRoutes(ctx);
+        authChallengeRoutes(ctx);
+        sessionRoutes(ctx);
+        authRoutes(ctx);
+        connectionRoutes(ctx);
+        ssoRoutes(ctx);
+        pipeRoutes(ctx);
+        invitationRoutes(ctx);
+        configRoutes(ctx);
+        userFeatureRoutes(ctx);
+        widgetRoutes(ctx);
+        authorizationRoleRoutes(ctx);
+        authorizationPermissionRoutes(ctx);
+        authorizationOrgRoleRoutes(ctx);
+        authorizationResourceRoutes(ctx);
+        authorizationCheckRoutes(ctx);
+        portalRoutes(ctx);
+        legacyMfaRoutes(ctx);
+        apiKeyRoutes(ctx);
+        radarRoutes(ctx);
+        connectRoutes(ctx);
+        directoryRoutes(ctx);
+        auditLogRoutes(ctx);
+        featureFlagRoutes(ctx);
+        dataIntegrationRoutes(ctx);
+        webhookEndpointRoutes(ctx);
+        eventRoutes(ctx);
+        // Set up event bus with collection hooks (Option A from spec)
+        // Store on ctx.store for route-level access (hybrid Option A+B for action events)
+        const eventBus = new EventBus(ctx.store);
+        ctx.store.setData(STORE_KEYS.eventBus, eventBus);
+        const ws = getWorkOSStore(ctx.store);
+        ws.users.setHooks({
+            onInsert: (u) => eventBus.emit({ event: EVENTS.userCreated, data: formatUser(u) }),
+            onUpdate: (u) => eventBus.emit({ event: EVENTS.userUpdated, data: formatUser(u) }),
+            onDelete: (u) => eventBus.emit({ event: EVENTS.userDeleted, data: formatUser(u) }),
+        });
+        ws.organizations.setHooks({
+            onInsert: (o) => eventBus.emit({ event: EVENTS.organizationCreated, data: formatOrganization(o, ws) }),
+            onUpdate: (o) => eventBus.emit({ event: EVENTS.organizationUpdated, data: formatOrganization(o, ws) }),
+            onDelete: (o) => eventBus.emit({ event: EVENTS.organizationDeleted, data: formatOrganization(o, ws) }),
+        });
+        ws.organizationDomains.setHooks({
+            onInsert: (d) => eventBus.emit({ event: EVENTS.organizationDomainCreated, data: formatDomain(d) }),
+            onUpdate: (d) => eventBus.emit({
+                event: d.state === 'verified' ? EVENTS.organizationDomainVerified : EVENTS.organizationDomainUpdated,
+                data: formatDomain(d),
+            }),
+            onDelete: (d) => eventBus.emit({ event: EVENTS.organizationDomainDeleted, data: formatDomain(d) }),
+        });
+        ws.organizationMemberships.setHooks({
+            onInsert: (m) => eventBus.emit({ event: EVENTS.organizationMembershipCreated, data: formatMembership(m) }),
+            onUpdate: (m) => eventBus.emit({ event: EVENTS.organizationMembershipUpdated, data: formatMembership(m) }),
+            onDelete: (m) => eventBus.emit({ event: EVENTS.organizationMembershipDeleted, data: formatMembership(m) }),
+        });
+        ws.connections.setHooks({
+            onInsert: (c) => eventBus.emit({ event: EVENTS.connectionCreated, data: formatConnection(c) }),
+            onUpdate: (c) => eventBus.emit({ event: EVENTS.connectionUpdated, data: formatConnection(c) }),
+            onDelete: (c) => eventBus.emit({ event: EVENTS.connectionDeleted, data: formatConnection(c) }),
+        });
+        ws.sessions.setHooks({
+            onInsert: (s) => eventBus.emit({ event: EVENTS.sessionCreated, data: formatSession(s) }),
+            onDelete: (s) => eventBus.emit({ event: EVENTS.sessionRevoked, data: formatSession(s) }),
+        });
+        ws.invitations.setHooks({
+            onInsert: (i) => eventBus.emit({ event: EVENTS.invitationCreated, data: formatInvitation(i) }),
+        });
+        ws.roles.setHooks({
+            onInsert: (r) => eventBus.emit({ event: EVENTS.roleCreated, data: formatRole(r) }),
+            onUpdate: (r) => eventBus.emit({ event: EVENTS.roleUpdated, data: formatRole(r) }),
+            onDelete: (r) => eventBus.emit({ event: EVENTS.roleDeleted, data: formatRole(r) }),
+        });
+        ws.permissions.setHooks({
+            onInsert: (p) => eventBus.emit({ event: EVENTS.permissionCreated, data: formatPermission(p) }),
+            onUpdate: (p) => eventBus.emit({ event: EVENTS.permissionUpdated, data: formatPermission(p) }),
+            onDelete: (p) => eventBus.emit({ event: EVENTS.permissionDeleted, data: formatPermission(p) }),
+        });
+        ws.directories.setHooks({
+            onInsert: (d) => eventBus.emit({ event: EVENTS.directoryCreated, data: formatDirectory(d) }),
+            onUpdate: (d) => eventBus.emit({ event: EVENTS.directoryUpdated, data: formatDirectory(d) }),
+            onDelete: (d) => eventBus.emit({ event: EVENTS.directoryDeleted, data: formatDirectory(d) }),
+        });
+        ws.directoryUsers.setHooks({
+            onInsert: (u) => eventBus.emit({ event: EVENTS.directoryUserCreated, data: formatDirectoryUser(u) }),
+            onUpdate: (u) => eventBus.emit({ event: EVENTS.directoryUserUpdated, data: formatDirectoryUser(u) }),
+            onDelete: (u) => eventBus.emit({ event: EVENTS.directoryUserDeleted, data: formatDirectoryUser(u) }),
+        });
+        ws.directoryGroups.setHooks({
+            onInsert: (g) => eventBus.emit({ event: EVENTS.directoryGroupCreated, data: formatDirectoryGroup(g) }),
+            onUpdate: (g) => eventBus.emit({ event: EVENTS.directoryGroupUpdated, data: formatDirectoryGroup(g) }),
+            onDelete: (g) => eventBus.emit({ event: EVENTS.directoryGroupDeleted, data: formatDirectoryGroup(g) }),
+        });
+        ws.webhookEndpoints.setHooks({
+            onInsert: () => eventBus.rebuildIndex(),
+            onUpdate: () => eventBus.rebuildIndex(),
+            onDelete: () => eventBus.rebuildIndex(),
+        });
+    },
+    seed(_store, _baseUrl) {
+        // No default seed data — users provide their own via seedFromConfig
+    },
+};
+export default workosPlugin;
+//# sourceMappingURL=index.js.map