workos 0.13.1 → 0.13.3

package/dist/lib/device-auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"device-auth.js","sourceRoot":"","sources":["../../src/lib/device-auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AA0CtD,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AACtD,MAAM,6BAA6B,GAAG,CAAC,CAAC;AACxC,MAAM,uBAAuB,GAAG,MAAM,CAAC;AACvC,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,sCAAsC,EAAE,gBAAgB,CAAC,CAAC;AAErG,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,SAAS,QAAQ,CAAC,KAAa;IAC7B,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC7D,OAAO,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAA0B;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;IAChD,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,aAAa,8BAA8B,CAAC;IAEnE,OAAO,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACxB,CAAC;KACH,CAAC,CAAC;IAEH,OAAO,CAAC,4CAA4C,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAClE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,QAAQ,CAAC,4CAA4C,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACzE,MAAM,IAAI,eAAe,CAAC,gCAAgC,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,OAAO,CAAC,gDAAgD,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,UAAkB,EAClB,OAAiD;IAEjD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,IAAI,YAAY,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,6BAA6B,CAAC,GAAG,IAAI,CAAC;IAC9E,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,aAAa,eAAe,CAAC;IACzD,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,eAAe,GAAG,4BAA4B,CAAC;IAEnD,OAAO,CAAC,gDAAgD,EAAE,SAAS,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,SAAS,EAAE,CAAC;QAC1C,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAC1B,SAAS,EAAE,CAAC;QACZ,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QAEnB,IAAI,GAAa,CAAC;QAClB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;QAC9E,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,8CAA8C;oBAC1D,WAAW,EAAE,UAAU;oBACvB,SAAS,EAAE,OAAO,CAAC,QAAQ;iBAC5B,CAAC;gBACF,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CACL,mDAAmD,EACnD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CACvD,CAAC;YACF,SAAS;QACX,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QAED,IAAI,IAAI,CAAC;QACT,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,QAAQ,CAAC,uDAAuD,EAAE,OAAO,CAAC,CAAC;YAC3E,MAAM,IAAI,eAAe,CAAC,sCAAsC,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,SAAS,GAAG,IAAyB,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACzC,eAAe,GAAG,GAAG,CAAC,EAAE;YACtB,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,UAAU;YACzB,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,SAAS,CAAC,KAAK,IAAI,eAAe,GAAG,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACnI,OAAO,CAAC,oCAAoC,EAAE,WAAW,SAAS,EAAE,EAAE,aAAa,SAAS,EAAE,EAAE,eAAe,CAAC,CAAC;QACjH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,OAAO,CAAC,2CAA2C,CAAC,CAAC;YACrD,OAAO,kBAAkB,CAAC,IAAqB,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,SAAS,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;YAChD,SAAS;QACX,CAAC;QAED,IAAI,SAAS,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YACpC,YAAY,IAAI,IAAI,CAAC;YACrB,OAAO,CAAC,2CAA2C,EAAE,YAAY,CAAC,CAAC;YACnE,OAAO,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC;YACnC,SAAS;QACX,CAAC;QAED,QAAQ,CAAC,4BAA4B,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QACxD,MAAM,IAAI,eAAe,CAAC,gBAAgB,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,QAAQ,CAAC,oDAAoD,EAAE,eAAe,CAAC,CAAC;IAChF,MAAM,IAAI,eAAe,CACvB,kCAAkC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,kCAAkC,eAAe,GAAG,CACnH,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAmB;IAC7C,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAElD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,OAAO,EAAE,IAAI,CAAC,QAAQ;QACtB,SAAS,EAAE,SAAS,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC7G,MAAM,EAAE,MAAM,CAAC,SAAS,EAAE,GAAG,IAAI,SAAS,CAAC;QAC3C,KAAK,EAAE,SAAS,EAAE,KAA2B;QAC7C,YAAY,EAAE,IAAI,CAAC,aAAa;KACjC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Device Authorization Flow\n *\n * Implements OAuth 2.0 Device Authorization Grant (RFC 8628) for CLI authentication.\n * Extracted from login.ts for reuse in wizard credential gathering.\n */\n\nimport { logInfo, logError } from '../utils/debug.js';\n\nexport interface DeviceAuthResponse {\n  device_code: string;\n  user_code: string;\n  verification_uri: string;\n  verification_uri_complete: string;\n  expires_in: number;\n  interval: number;\n}\n\nexport interface DeviceAuthOptions {\n  clientId: string;\n  authkitDomain: string;\n  scopes?: string[];\n  timeoutMs?: number;\n  onPoll?: () => void;\n  onSlowDown?: (newIntervalMs: number) => void;\n}\n\nexport interface DeviceAuthResult {\n  accessToken: string;\n  idToken: string;\n  expiresAt: number;\n  userId: string;\n  email?: string;\n  refreshToken?: string;\n}\n\ninterface TokenResponse {\n  access_token: string;\n  id_token: string;\n  token_type: string;\n  expires_in: number;\n  refresh_token?: string;\n}\n\ninterface AuthErrorResponse {\n  error: string;\n  error_description?: string;\n}\n\nexport class DeviceAuthError extends Error {\n  constructor(message: string) {\n    super(message);\n    this.name = 'DeviceAuthError';\n  }\n}\n\nconst DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_POLL_INTERVAL_SECONDS = 5;\nconst POLL_REQUEST_TIMEOUT_MS = 30_000;\nconst DEFAULT_SCOPES = ['openid', 'email', 'staging-environment:credentials:read', 'offline_access'];\n\nfunction sleep(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/**\n * Parse JWT payload\n */\nfunction parseJwt(token: string): Record<string, unknown> | null {\n  try {\n    const parts = token.split('.');\n    if (parts.length !== 3) return null;\n    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf-8'));\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Extract expiry time from JWT token\n */\nfunction getJwtExpiry(token: string): number | null {\n  const payload = parseJwt(token);\n  if (!payload || typeof payload.exp !== 'number') return null;\n  return payload.exp * 1000;\n}\n\n/**\n * Request a device code from the OAuth authorization server.\n * Returns the device code, user code, and verification URIs.\n */\nexport async function requestDeviceCode(options: DeviceAuthOptions): Promise<DeviceAuthResponse> {\n  const scopes = options.scopes ?? DEFAULT_SCOPES;\n  const url = `${options.authkitDomain}/oauth2/device_authorization`;\n\n  logInfo('[device-auth] Requesting device code from:', url);\n  const res = await fetch(url, {\n    method: 'POST',\n    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n    body: new URLSearchParams({\n      client_id: options.clientId,\n      scope: scopes.join(' '),\n    }),\n  });\n\n  logInfo('[device-auth] Device code response status:', res.status);\n  if (!res.ok) {\n    const text = await res.text();\n    logError('[device-auth] Device authorization failed:', res.status, text);\n    throw new DeviceAuthError(`Device authorization failed: ${res.status} ${text}`);\n  }\n\n  const data = (await res.json()) as DeviceAuthResponse;\n  logInfo('[device-auth] Device code received, user_code:', data.user_code);\n  return data;\n}\n\n/**\n * Poll for token after user has authorized in the browser.\n * Handles authorization_pending and slow_down responses per RFC 8628.\n */\nexport async function pollForToken(\n  deviceCode: string,\n  options: DeviceAuthOptions & { interval: number },\n): Promise<DeviceAuthResult> {\n  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n  const startTime = Date.now();\n  let pollInterval = (options.interval || DEFAULT_POLL_INTERVAL_SECONDS) * 1000;\n  const tokenUrl = `${options.authkitDomain}/oauth2/token`;\n  let pollCount = 0;\n  let lastPollSummary = 'no token response received';\n\n  logInfo('[device-auth] Starting token polling, timeout:', timeoutMs);\n  while (Date.now() - startTime < timeoutMs) {\n    await sleep(pollInterval);\n    pollCount++;\n    options.onPoll?.();\n\n    let res: Response;\n    const controller = new AbortController();\n    const timeout = setTimeout(() => controller.abort(), POLL_REQUEST_TIMEOUT_MS);\n    try {\n      res = await fetch(tokenUrl, {\n        method: 'POST',\n        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n        body: new URLSearchParams({\n          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n          device_code: deviceCode,\n          client_id: options.clientId,\n        }),\n        signal: controller.signal,\n      });\n    } catch (error) {\n      logInfo(\n        '[device-auth] Token poll network error, retrying:',\n        error instanceof Error ? error.message : String(error),\n      );\n      continue;\n    } finally {\n      clearTimeout(timeout);\n    }\n\n    let data;\n    try {\n      data = await res.json();\n    } catch (error) {\n      const message = error instanceof Error ? error.message : String(error);\n      logError('[device-auth] Invalid JSON response from auth server:', message);\n      throw new DeviceAuthError(`Invalid response from auth server: ${message}`);\n    }\n\n    const errorData = data as AuthErrorResponse;\n    const elapsedMs = Date.now() - startTime;\n    lastPollSummary = res.ok\n      ? `${res.status} success`\n      : `${res.status} ${errorData.error ?? 'unknown_error'}${errorData.error_description ? ` (${errorData.error_description})` : ''}`;\n    logInfo('[device-auth] Token poll response:', `attempt=${pollCount}`, `elapsedMs=${elapsedMs}`, lastPollSummary);\n    if (res.ok) {\n      logInfo('[device-auth] Token received successfully');\n      return parseTokenResponse(data as TokenResponse);\n    }\n\n    if (errorData.error === 'authorization_pending') {\n      continue;\n    }\n\n    if (errorData.error === 'slow_down') {\n      pollInterval += 5000;\n      logInfo('[device-auth] Slowing down, new interval:', pollInterval);\n      options.onSlowDown?.(pollInterval);\n      continue;\n    }\n\n    logError('[device-auth] Token error:', errorData.error);\n    throw new DeviceAuthError(`Token error: ${errorData.error}`);\n  }\n\n  logError('[device-auth] Authentication timed out, last poll:', lastPollSummary);\n  throw new DeviceAuthError(\n    `Authentication timed out after ${Math.round(timeoutMs / 1000)} seconds (last token response: ${lastPollSummary})`,\n  );\n}\n\nfunction parseTokenResponse(data: TokenResponse): DeviceAuthResult {\n  const idPayload = parseJwt(data.id_token);\n  const jwtExpiry = getJwtExpiry(data.access_token);\n\n  return {\n    accessToken: data.access_token,\n    idToken: data.id_token,\n    expiresAt: jwtExpiry ?? (data.expires_in ? Date.now() + data.expires_in * 1000 : Date.now() + 15 * 60 * 1000),\n    userId: String(idPayload?.sub ?? 'unknown'),\n    email: idPayload?.email as string | undefined,\n    refreshToken: data.refresh_token,\n  };\n}\n"]}
+{"version":3,"file":"device-auth.js","sourceRoot":"","sources":["../../src/lib/device-auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AA0CtD,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,eAAe;IACzD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AAED,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AACtD,MAAM,6BAA6B,GAAG,CAAC,CAAC;AACxC,MAAM,uBAAuB,GAAG,MAAM,CAAC;AACvC,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,sCAAsC,EAAE,gBAAgB,CAAC,CAAC;AAErG,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,SAAS,QAAQ,CAAC,KAAa;IAC7B,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC7D,OAAO,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAA0B;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;IAChD,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,aAAa,8BAA8B,CAAC;IAEnE,OAAO,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;IAC3D,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;IAC9E,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YACrB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,SAAS,EAAE,OAAO,CAAC,QAAQ;gBAC3B,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;aACxB,CAAC;YACF,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,YAAY,CAAC,OAAO,CAAC,CAAC;QACtB,IAAI,KAAK,YAAY,YAAY,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACjE,MAAM,IAAI,sBAAsB,CAAC,wCAAwC,CAAC,CAAC;QAC7E,CAAC;QACD,MAAM,IAAI,eAAe,CACvB,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;IAED,OAAO,CAAC,4CAA4C,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAClE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,QAAQ,CAAC,4CAA4C,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACzE,MAAM,IAAI,eAAe,CAAC,gCAAgC,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,OAAO,CAAC,gDAAgD,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,UAAkB,EAClB,OAAiD;IAEjD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,IAAI,YAAY,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,6BAA6B,CAAC,GAAG,IAAI,CAAC;IAC9E,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,aAAa,eAAe,CAAC;IACzD,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,eAAe,GAAG,4BAA4B,CAAC;IAEnD,OAAO,CAAC,gDAAgD,EAAE,SAAS,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,SAAS,EAAE,CAAC;QAC1C,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAC1B,SAAS,EAAE,CAAC;QACZ,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QAEnB,IAAI,GAAa,CAAC;QAClB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;QAC9E,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,8CAA8C;oBAC1D,WAAW,EAAE,UAAU;oBACvB,SAAS,EAAE,OAAO,CAAC,QAAQ;iBAC5B,CAAC;gBACF,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CACL,mDAAmD,EACnD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CACvD,CAAC;YACF,SAAS;QACX,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QAED,IAAI,IAAI,CAAC;QACT,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,QAAQ,CAAC,uDAAuD,EAAE,OAAO,CAAC,CAAC;YAC3E,MAAM,IAAI,eAAe,CAAC,sCAAsC,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,SAAS,GAAG,IAAyB,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACzC,eAAe,GAAG,GAAG,CAAC,EAAE;YACtB,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,UAAU;YACzB,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,SAAS,CAAC,KAAK,IAAI,eAAe,GAAG,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACnI,OAAO,CAAC,oCAAoC,EAAE,WAAW,SAAS,EAAE,EAAE,aAAa,SAAS,EAAE,EAAE,eAAe,CAAC,CAAC;QACjH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,OAAO,CAAC,2CAA2C,CAAC,CAAC;YACrD,OAAO,kBAAkB,CAAC,IAAqB,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,SAAS,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;YAChD,SAAS;QACX,CAAC;QAED,IAAI,SAAS,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YACpC,YAAY,IAAI,IAAI,CAAC;YACrB,OAAO,CAAC,2CAA2C,EAAE,YAAY,CAAC,CAAC;YACnE,OAAO,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC;YACnC,SAAS;QACX,CAAC;QAED,QAAQ,CAAC,4BAA4B,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QACxD,MAAM,IAAI,eAAe,CAAC,gBAAgB,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,QAAQ,CAAC,oDAAoD,EAAE,eAAe,CAAC,CAAC;IAChF,MAAM,IAAI,sBAAsB,CAC9B,kCAAkC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,kCAAkC,eAAe,GAAG,CACnH,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAmB;IAC7C,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAElD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,OAAO,EAAE,IAAI,CAAC,QAAQ;QACtB,SAAS,EAAE,SAAS,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC7G,MAAM,EAAE,MAAM,CAAC,SAAS,EAAE,GAAG,IAAI,SAAS,CAAC;QAC3C,KAAK,EAAE,SAAS,EAAE,KAA2B;QAC7C,YAAY,EAAE,IAAI,CAAC,aAAa;KACjC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Device Authorization Flow\n *\n * Implements OAuth 2.0 Device Authorization Grant (RFC 8628) for CLI authentication.\n * Extracted from login.ts for reuse in wizard credential gathering.\n */\n\nimport { logInfo, logError } from '../utils/debug.js';\n\nexport interface DeviceAuthResponse {\n  device_code: string;\n  user_code: string;\n  verification_uri: string;\n  verification_uri_complete: string;\n  expires_in: number;\n  interval: number;\n}\n\nexport interface DeviceAuthOptions {\n  clientId: string;\n  authkitDomain: string;\n  scopes?: string[];\n  timeoutMs?: number;\n  onPoll?: () => void;\n  onSlowDown?: (newIntervalMs: number) => void;\n}\n\nexport interface DeviceAuthResult {\n  accessToken: string;\n  idToken: string;\n  expiresAt: number;\n  userId: string;\n  email?: string;\n  refreshToken?: string;\n}\n\ninterface TokenResponse {\n  access_token: string;\n  id_token: string;\n  token_type: string;\n  expires_in: number;\n  refresh_token?: string;\n}\n\ninterface AuthErrorResponse {\n  error: string;\n  error_description?: string;\n}\n\nexport class DeviceAuthError extends Error {\n  constructor(message: string) {\n    super(message);\n    this.name = 'DeviceAuthError';\n  }\n}\n\nexport class DeviceAuthTimeoutError extends DeviceAuthError {\n  constructor(message: string) {\n    super(message);\n    this.name = 'DeviceAuthTimeoutError';\n  }\n}\n\nconst DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_POLL_INTERVAL_SECONDS = 5;\nconst POLL_REQUEST_TIMEOUT_MS = 30_000;\nconst DEFAULT_SCOPES = ['openid', 'email', 'staging-environment:credentials:read', 'offline_access'];\n\nfunction sleep(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n/**\n * Parse JWT payload\n */\nfunction parseJwt(token: string): Record<string, unknown> | null {\n  try {\n    const parts = token.split('.');\n    if (parts.length !== 3) return null;\n    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf-8'));\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Extract expiry time from JWT token\n */\nfunction getJwtExpiry(token: string): number | null {\n  const payload = parseJwt(token);\n  if (!payload || typeof payload.exp !== 'number') return null;\n  return payload.exp * 1000;\n}\n\n/**\n * Request a device code from the OAuth authorization server.\n * Returns the device code, user code, and verification URIs.\n */\nexport async function requestDeviceCode(options: DeviceAuthOptions): Promise<DeviceAuthResponse> {\n  const scopes = options.scopes ?? DEFAULT_SCOPES;\n  const url = `${options.authkitDomain}/oauth2/device_authorization`;\n\n  logInfo('[device-auth] Requesting device code from:', url);\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), POLL_REQUEST_TIMEOUT_MS);\n  let res: Response;\n  try {\n    res = await fetch(url, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: new URLSearchParams({\n        client_id: options.clientId,\n        scope: scopes.join(' '),\n      }),\n      signal: controller.signal,\n    });\n  } catch (error) {\n    clearTimeout(timeout);\n    if (error instanceof DOMException && error.name === 'AbortError') {\n      throw new DeviceAuthTimeoutError('Device authorization request timed out');\n    }\n    throw new DeviceAuthError(\n      `Device authorization request failed: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  } finally {\n    clearTimeout(timeout);\n  }\n\n  logInfo('[device-auth] Device code response status:', res.status);\n  if (!res.ok) {\n    const text = await res.text();\n    logError('[device-auth] Device authorization failed:', res.status, text);\n    throw new DeviceAuthError(`Device authorization failed: ${res.status} ${text}`);\n  }\n\n  const data = (await res.json()) as DeviceAuthResponse;\n  logInfo('[device-auth] Device code received, user_code:', data.user_code);\n  return data;\n}\n\n/**\n * Poll for token after user has authorized in the browser.\n * Handles authorization_pending and slow_down responses per RFC 8628.\n */\nexport async function pollForToken(\n  deviceCode: string,\n  options: DeviceAuthOptions & { interval: number },\n): Promise<DeviceAuthResult> {\n  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n  const startTime = Date.now();\n  let pollInterval = (options.interval || DEFAULT_POLL_INTERVAL_SECONDS) * 1000;\n  const tokenUrl = `${options.authkitDomain}/oauth2/token`;\n  let pollCount = 0;\n  let lastPollSummary = 'no token response received';\n\n  logInfo('[device-auth] Starting token polling, timeout:', timeoutMs);\n  while (Date.now() - startTime < timeoutMs) {\n    await sleep(pollInterval);\n    pollCount++;\n    options.onPoll?.();\n\n    let res: Response;\n    const controller = new AbortController();\n    const timeout = setTimeout(() => controller.abort(), POLL_REQUEST_TIMEOUT_MS);\n    try {\n      res = await fetch(tokenUrl, {\n        method: 'POST',\n        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n        body: new URLSearchParams({\n          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n          device_code: deviceCode,\n          client_id: options.clientId,\n        }),\n        signal: controller.signal,\n      });\n    } catch (error) {\n      logInfo(\n        '[device-auth] Token poll network error, retrying:',\n        error instanceof Error ? error.message : String(error),\n      );\n      continue;\n    } finally {\n      clearTimeout(timeout);\n    }\n\n    let data;\n    try {\n      data = await res.json();\n    } catch (error) {\n      const message = error instanceof Error ? error.message : String(error);\n      logError('[device-auth] Invalid JSON response from auth server:', message);\n      throw new DeviceAuthError(`Invalid response from auth server: ${message}`);\n    }\n\n    const errorData = data as AuthErrorResponse;\n    const elapsedMs = Date.now() - startTime;\n    lastPollSummary = res.ok\n      ? `${res.status} success`\n      : `${res.status} ${errorData.error ?? 'unknown_error'}${errorData.error_description ? ` (${errorData.error_description})` : ''}`;\n    logInfo('[device-auth] Token poll response:', `attempt=${pollCount}`, `elapsedMs=${elapsedMs}`, lastPollSummary);\n    if (res.ok) {\n      logInfo('[device-auth] Token received successfully');\n      return parseTokenResponse(data as TokenResponse);\n    }\n\n    if (errorData.error === 'authorization_pending') {\n      continue;\n    }\n\n    if (errorData.error === 'slow_down') {\n      pollInterval += 5000;\n      logInfo('[device-auth] Slowing down, new interval:', pollInterval);\n      options.onSlowDown?.(pollInterval);\n      continue;\n    }\n\n    logError('[device-auth] Token error:', errorData.error);\n    throw new DeviceAuthError(`Token error: ${errorData.error}`);\n  }\n\n  logError('[device-auth] Authentication timed out, last poll:', lastPollSummary);\n  throw new DeviceAuthTimeoutError(\n    `Authentication timed out after ${Math.round(timeoutMs / 1000)} seconds (last token response: ${lastPollSummary})`,\n  );\n}\n\nfunction parseTokenResponse(data: TokenResponse): DeviceAuthResult {\n  const idPayload = parseJwt(data.id_token);\n  const jwtExpiry = getJwtExpiry(data.access_token);\n\n  return {\n    accessToken: data.access_token,\n    idToken: data.id_token,\n    expiresAt: jwtExpiry ?? (data.expires_in ? Date.now() + data.expires_in * 1000 : Date.now() + 15 * 60 * 1000),\n    userId: String(idPayload?.sub ?? 'unknown'),\n    email: idPayload?.email as string | undefined,\n    refreshToken: data.refresh_token,\n  };\n}\n"]}

package/dist/lib/workos-client.d.ts

@@ -9,7 +9,7 @@ import { WorkOS } from '@workos-inc/node';
 import { type WorkOSListResponse } from './workos-api.js';
 export interface WebhookEndpoint {
     id: string;
-    url: string;
+    endpoint_url: string;
     events: string[];
     secret?: string;
     created_at: string;

package/dist/lib/workos-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"workos-client.js","sourceRoot":"","sources":["../../src/lib/workos-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,aAAa,EAA2B,MAAM,iBAAiB,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AA0ChE;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAe,EAAE,OAAgB;IAClE,MAAM,GAAG,GAAG,MAAM,IAAI,aAAa,EAAE,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,IAAI,iBAAiB,EAAE,CAAC;IAE5C,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,MAAM,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAC;IAEvD,OAAO;QACL,GAAG;QAEH,QAAQ,EAAE;YACR,KAAK,CAAC,IAAI;gBACR,OAAO,aAAa,CAAsC;oBACxD,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,oBAAoB;oBAC1B,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,MAAM,CAAC,WAAmB,EAAE,MAAgB;gBAChD,OAAO,aAAa,CAAkB;oBACpC,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,oBAAoB;oBAC1B,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE;iBAC5C,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,MAAM,CAAC,EAAU;gBACrB,MAAM,aAAa,CAAO;oBACxB,MAAM,EAAE,QAAQ;oBAChB,IAAI,EAAE,sBAAsB,EAAE,EAAE;oBAChC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;SACF;QAED,YAAY,EAAE;YACZ,KAAK,CAAC,GAAG,CAAC,GAAW;gBACnB,IAAI,CAAC;oBACH,MAAM,aAAa,CAAC;wBAClB,MAAM,EAAE,MAAM;wBACd,IAAI,EAAE,gCAAgC;wBACtC,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,EAAE,GAAG,EAAE;qBACd,CAAC,CAAC;oBACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACjD,CAAC;gBAAC,OAAO,KAAc,EAAE,CAAC;oBACxB,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBAC3D,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;wBACpC,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;4BACvG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;wBAChD,CAAC;oBACH,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;SACF;QAED,WAAW,EAAE;YACX,KAAK,CAAC,GAAG,CAAC,MAAc;gBACtB,IAAI,CAAC;oBACH,MAAM,aAAa,CAAC;wBAClB,MAAM,EAAE,MAAM;wBACd,IAAI,EAAE,+BAA+B;wBACrC,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,EAAE,MAAM,EAAE;qBACjB,CAAC,CAAC;oBACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACjD,CAAC;gBAAC,OAAO,KAAc,EAAE,CAAC;oBACxB,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBAC3D,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;wBACpC,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;4BACvG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;wBAChD,CAAC;oBACH,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;SACF;QAED,WAAW,EAAE;YACX,KAAK,CAAC,GAAG,CAAC,GAAW;gBACnB,MAAM,aAAa,CAAC;oBAClB,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,mCAAmC;oBACzC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,EAAE,GAAG,EAAE;iBACd,CAAC,CAAC;YACL,CAAC;SACF;QAED,SAAS,EAAE;YACT,KAAK,CAAC,WAAW;gBACf,OAAO,aAAa,CAAqC;oBACvD,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,qBAAqB;oBAC3B,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,SAAS,CAAC,MAAc;gBAC5B,OAAO,aAAa,CAAU;oBAC5B,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,uBAAuB,kBAAkB,CAAC,MAAM,CAAC,UAAU;oBACjE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,YAAY,CAAC,KAAa;gBAC9B,OAAO,aAAa,CAAoB;oBACtC,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,kBAAkB,kBAAkB,CAAC,KAAK,CAAC,uBAAuB;oBACxE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;SACF;KACF,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Unified WorkOS client for CLI commands.\n *\n * Wraps @workos-inc/node SDK for documented endpoints and extends with\n * raw-fetch methods for undocumented/write-only endpoints (webhooks, redirect URIs, etc.).\n * Commands import one client; they don't care whether a method is SDK-backed or raw fetch.\n */\n\nimport { WorkOS } from '@workos-inc/node';\nimport { workosRequest, type WorkOSListResponse } from './workos-api.js';\nimport { resolveApiKey, resolveApiBaseUrl } from './api-key.js';\n\nexport interface WebhookEndpoint {\n  id: string;\n  url: string;\n  events: string[];\n  secret?: string;\n  created_at: string;\n  updated_at: string;\n}\n\nexport interface AuditLogAction {\n  action: string;\n}\n\nexport interface AuditLogRetention {\n  retention_period_in_days: number;\n}\n\nexport interface WorkOSCLIClient {\n  sdk: WorkOS;\n  webhooks: {\n    list(): Promise<WorkOSListResponse<WebhookEndpoint>>;\n    create(endpointUrl: string, events: string[]): Promise<WebhookEndpoint>;\n    delete(id: string): Promise<void>;\n  };\n  redirectUris: {\n    add(uri: string): Promise<{ success: boolean; alreadyExists: boolean }>;\n  };\n  corsOrigins: {\n    add(origin: string): Promise<{ success: boolean; alreadyExists: boolean }>;\n  };\n  homepageUrl: {\n    set(url: string): Promise<void>;\n  };\n  auditLogs: {\n    listActions(): Promise<WorkOSListResponse<AuditLogAction>>;\n    getSchema(action: string): Promise<unknown>;\n    getRetention(orgId: string): Promise<AuditLogRetention>;\n  };\n}\n\n/**\n * Create a unified WorkOS client.\n *\n * @param apiKey  - Explicit API key; falls back to resolveApiKey()\n * @param baseUrl - Explicit base URL; falls back to resolveApiBaseUrl()\n */\nexport function createWorkOSClient(apiKey?: string, baseUrl?: string): WorkOSCLIClient {\n  const key = apiKey ?? resolveApiKey();\n  const base = baseUrl ?? resolveApiBaseUrl();\n\n  // Parse hostname from base URL for SDK init\n  const hostname = new URL(base).hostname;\n  const sdk = new WorkOS(key, { apiHostname: hostname });\n\n  return {\n    sdk,\n\n    webhooks: {\n      async list() {\n        return workosRequest<WorkOSListResponse<WebhookEndpoint>>({\n          method: 'GET',\n          path: '/webhook_endpoints',\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n      async create(endpointUrl: string, events: string[]) {\n        return workosRequest<WebhookEndpoint>({\n          method: 'POST',\n          path: '/webhook_endpoints',\n          apiKey: key,\n          baseUrl: base,\n          body: { endpoint_url: endpointUrl, events },\n        });\n      },\n      async delete(id: string) {\n        await workosRequest<null>({\n          method: 'DELETE',\n          path: `/webhook_endpoints/${id}`,\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n    },\n\n    redirectUris: {\n      async add(uri: string) {\n        try {\n          await workosRequest({\n            method: 'POST',\n            path: '/user_management/redirect_uris',\n            apiKey: key,\n            baseUrl: base,\n            body: { uri },\n          });\n          return { success: true, alreadyExists: false };\n        } catch (error: unknown) {\n          const { WorkOSApiError } = await import('./workos-api.js');\n          if (error instanceof WorkOSApiError) {\n            if (error.statusCode === 409 || (error.statusCode === 422 && error.message.includes('already exists'))) {\n              return { success: true, alreadyExists: true };\n            }\n          }\n          throw error;\n        }\n      },\n    },\n\n    corsOrigins: {\n      async add(origin: string) {\n        try {\n          await workosRequest({\n            method: 'POST',\n            path: '/user_management/cors_origins',\n            apiKey: key,\n            baseUrl: base,\n            body: { origin },\n          });\n          return { success: true, alreadyExists: false };\n        } catch (error: unknown) {\n          const { WorkOSApiError } = await import('./workos-api.js');\n          if (error instanceof WorkOSApiError) {\n            if (error.statusCode === 409 || (error.statusCode === 422 && error.message.includes('already exists'))) {\n              return { success: true, alreadyExists: true };\n            }\n          }\n          throw error;\n        }\n      },\n    },\n\n    homepageUrl: {\n      async set(url: string) {\n        await workosRequest({\n          method: 'PUT',\n          path: '/user_management/app_homepage_url',\n          apiKey: key,\n          baseUrl: base,\n          body: { url },\n        });\n      },\n    },\n\n    auditLogs: {\n      async listActions() {\n        return workosRequest<WorkOSListResponse<AuditLogAction>>({\n          method: 'GET',\n          path: '/audit_logs/actions',\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n      async getSchema(action: string) {\n        return workosRequest<unknown>({\n          method: 'GET',\n          path: `/audit_logs/actions/${encodeURIComponent(action)}/schemas`,\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n      async getRetention(orgId: string) {\n        return workosRequest<AuditLogRetention>({\n          method: 'GET',\n          path: `/organizations/${encodeURIComponent(orgId)}/audit_logs_retention`,\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n    },\n  };\n}\n"]}
+{"version":3,"file":"workos-client.js","sourceRoot":"","sources":["../../src/lib/workos-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,aAAa,EAA2B,MAAM,iBAAiB,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AA0ChE;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAe,EAAE,OAAgB;IAClE,MAAM,GAAG,GAAG,MAAM,IAAI,aAAa,EAAE,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,IAAI,iBAAiB,EAAE,CAAC;IAE5C,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,MAAM,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAC;IAEvD,OAAO;QACL,GAAG;QAEH,QAAQ,EAAE;YACR,KAAK,CAAC,IAAI;gBACR,OAAO,aAAa,CAAsC;oBACxD,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,oBAAoB;oBAC1B,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,MAAM,CAAC,WAAmB,EAAE,MAAgB;gBAChD,OAAO,aAAa,CAAkB;oBACpC,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,oBAAoB;oBAC1B,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE;iBAC5C,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,MAAM,CAAC,EAAU;gBACrB,MAAM,aAAa,CAAO;oBACxB,MAAM,EAAE,QAAQ;oBAChB,IAAI,EAAE,sBAAsB,EAAE,EAAE;oBAChC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;SACF;QAED,YAAY,EAAE;YACZ,KAAK,CAAC,GAAG,CAAC,GAAW;gBACnB,IAAI,CAAC;oBACH,MAAM,aAAa,CAAC;wBAClB,MAAM,EAAE,MAAM;wBACd,IAAI,EAAE,gCAAgC;wBACtC,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,EAAE,GAAG,EAAE;qBACd,CAAC,CAAC;oBACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACjD,CAAC;gBAAC,OAAO,KAAc,EAAE,CAAC;oBACxB,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBAC3D,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;wBACpC,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;4BACvG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;wBAChD,CAAC;oBACH,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;SACF;QAED,WAAW,EAAE;YACX,KAAK,CAAC,GAAG,CAAC,MAAc;gBACtB,IAAI,CAAC;oBACH,MAAM,aAAa,CAAC;wBAClB,MAAM,EAAE,MAAM;wBACd,IAAI,EAAE,+BAA+B;wBACrC,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,EAAE,MAAM,EAAE;qBACjB,CAAC,CAAC;oBACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACjD,CAAC;gBAAC,OAAO,KAAc,EAAE,CAAC;oBACxB,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBAC3D,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;wBACpC,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;4BACvG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;wBAChD,CAAC;oBACH,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;SACF;QAED,WAAW,EAAE;YACX,KAAK,CAAC,GAAG,CAAC,GAAW;gBACnB,MAAM,aAAa,CAAC;oBAClB,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,mCAAmC;oBACzC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,EAAE,GAAG,EAAE;iBACd,CAAC,CAAC;YACL,CAAC;SACF;QAED,SAAS,EAAE;YACT,KAAK,CAAC,WAAW;gBACf,OAAO,aAAa,CAAqC;oBACvD,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,qBAAqB;oBAC3B,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,SAAS,CAAC,MAAc;gBAC5B,OAAO,aAAa,CAAU;oBAC5B,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,uBAAuB,kBAAkB,CAAC,MAAM,CAAC,UAAU;oBACjE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;YACD,KAAK,CAAC,YAAY,CAAC,KAAa;gBAC9B,OAAO,aAAa,CAAoB;oBACtC,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,kBAAkB,kBAAkB,CAAC,KAAK,CAAC,uBAAuB;oBACxE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,IAAI;iBACd,CAAC,CAAC;YACL,CAAC;SACF;KACF,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Unified WorkOS client for CLI commands.\n *\n * Wraps @workos-inc/node SDK for documented endpoints and extends with\n * raw-fetch methods for undocumented/write-only endpoints (webhooks, redirect URIs, etc.).\n * Commands import one client; they don't care whether a method is SDK-backed or raw fetch.\n */\n\nimport { WorkOS } from '@workos-inc/node';\nimport { workosRequest, type WorkOSListResponse } from './workos-api.js';\nimport { resolveApiKey, resolveApiBaseUrl } from './api-key.js';\n\nexport interface WebhookEndpoint {\n  id: string;\n  endpoint_url: string;\n  events: string[];\n  secret?: string;\n  created_at: string;\n  updated_at: string;\n}\n\nexport interface AuditLogAction {\n  action: string;\n}\n\nexport interface AuditLogRetention {\n  retention_period_in_days: number;\n}\n\nexport interface WorkOSCLIClient {\n  sdk: WorkOS;\n  webhooks: {\n    list(): Promise<WorkOSListResponse<WebhookEndpoint>>;\n    create(endpointUrl: string, events: string[]): Promise<WebhookEndpoint>;\n    delete(id: string): Promise<void>;\n  };\n  redirectUris: {\n    add(uri: string): Promise<{ success: boolean; alreadyExists: boolean }>;\n  };\n  corsOrigins: {\n    add(origin: string): Promise<{ success: boolean; alreadyExists: boolean }>;\n  };\n  homepageUrl: {\n    set(url: string): Promise<void>;\n  };\n  auditLogs: {\n    listActions(): Promise<WorkOSListResponse<AuditLogAction>>;\n    getSchema(action: string): Promise<unknown>;\n    getRetention(orgId: string): Promise<AuditLogRetention>;\n  };\n}\n\n/**\n * Create a unified WorkOS client.\n *\n * @param apiKey  - Explicit API key; falls back to resolveApiKey()\n * @param baseUrl - Explicit base URL; falls back to resolveApiBaseUrl()\n */\nexport function createWorkOSClient(apiKey?: string, baseUrl?: string): WorkOSCLIClient {\n  const key = apiKey ?? resolveApiKey();\n  const base = baseUrl ?? resolveApiBaseUrl();\n\n  // Parse hostname from base URL for SDK init\n  const hostname = new URL(base).hostname;\n  const sdk = new WorkOS(key, { apiHostname: hostname });\n\n  return {\n    sdk,\n\n    webhooks: {\n      async list() {\n        return workosRequest<WorkOSListResponse<WebhookEndpoint>>({\n          method: 'GET',\n          path: '/webhook_endpoints',\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n      async create(endpointUrl: string, events: string[]) {\n        return workosRequest<WebhookEndpoint>({\n          method: 'POST',\n          path: '/webhook_endpoints',\n          apiKey: key,\n          baseUrl: base,\n          body: { endpoint_url: endpointUrl, events },\n        });\n      },\n      async delete(id: string) {\n        await workosRequest<null>({\n          method: 'DELETE',\n          path: `/webhook_endpoints/${id}`,\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n    },\n\n    redirectUris: {\n      async add(uri: string) {\n        try {\n          await workosRequest({\n            method: 'POST',\n            path: '/user_management/redirect_uris',\n            apiKey: key,\n            baseUrl: base,\n            body: { uri },\n          });\n          return { success: true, alreadyExists: false };\n        } catch (error: unknown) {\n          const { WorkOSApiError } = await import('./workos-api.js');\n          if (error instanceof WorkOSApiError) {\n            if (error.statusCode === 409 || (error.statusCode === 422 && error.message.includes('already exists'))) {\n              return { success: true, alreadyExists: true };\n            }\n          }\n          throw error;\n        }\n      },\n    },\n\n    corsOrigins: {\n      async add(origin: string) {\n        try {\n          await workosRequest({\n            method: 'POST',\n            path: '/user_management/cors_origins',\n            apiKey: key,\n            baseUrl: base,\n            body: { origin },\n          });\n          return { success: true, alreadyExists: false };\n        } catch (error: unknown) {\n          const { WorkOSApiError } = await import('./workos-api.js');\n          if (error instanceof WorkOSApiError) {\n            if (error.statusCode === 409 || (error.statusCode === 422 && error.message.includes('already exists'))) {\n              return { success: true, alreadyExists: true };\n            }\n          }\n          throw error;\n        }\n      },\n    },\n\n    homepageUrl: {\n      async set(url: string) {\n        await workosRequest({\n          method: 'PUT',\n          path: '/user_management/app_homepage_url',\n          apiKey: key,\n          baseUrl: base,\n          body: { url },\n        });\n      },\n    },\n\n    auditLogs: {\n      async listActions() {\n        return workosRequest<WorkOSListResponse<AuditLogAction>>({\n          method: 'GET',\n          path: '/audit_logs/actions',\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n      async getSchema(action: string) {\n        return workosRequest<unknown>({\n          method: 'GET',\n          path: `/audit_logs/actions/${encodeURIComponent(action)}/schemas`,\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n      async getRetention(orgId: string) {\n        return workosRequest<AuditLogRetention>({\n          method: 'GET',\n          path: `/organizations/${encodeURIComponent(orgId)}/audit_logs_retention`,\n          apiKey: key,\n          baseUrl: base,\n        });\n      },\n    },\n  };\n}\n"]}

package/dist/utils/output.d.ts

@@ -23,7 +23,12 @@ export declare function isJsonMode(): boolean;
 /** Write structured JSON to stdout (one line, no pretty-print). */
 export declare function outputJson(data: unknown): void;
 /** Write a success result — chalk in human mode, JSON in json mode. */
-export declare function outputSuccess(message: string, data?: object): void;
+export declare function outputSuccess(message: string, data?: object, options?: {
+    warnings?: Array<{
+        code: string;
+        message: string;
+    }>;
+}): void;
 /** Write a structured error to stderr. */
 export declare function outputError(error: {
     code: string;

package/dist/utils/output.js

@@ -45,15 +45,25 @@ export function outputJson(data) {
     console.log(JSON.stringify(data));
 }
 /** Write a success result — chalk in human mode, JSON in json mode. */
-export function outputSuccess(message, data) {
+export function outputSuccess(message, data, options) {
     if (currentMode === 'json') {
-        console.log(JSON.stringify(data ? { status: 'ok', message, data } : { status: 'ok', message }));
+        const result = { status: 'ok', message };
+        if (data)
+            result.data = data;
+        if (options?.warnings?.length)
+            result.warnings = options.warnings;
+        console.log(JSON.stringify(result));
     }
     else {
         console.log(chalk.green(message));
         if (data) {
             console.log(JSON.stringify(data, null, 2));
         }
+        if (options?.warnings?.length) {
+            for (const w of options.warnings) {
+                console.error(chalk.yellow(w.message));
+            }
+        }
     }
 }
 /** Write a structured error to stderr. */

package/dist/utils/output.js.map

@@ -1 +1 @@
-{"version":3,"file":"output.js","sourceRoot":"","sources":["../../src/utils/output.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,WAAW,EAAoB,MAAM,YAAY,CAAC;AAI3D,IAAI,WAAW,GAAe,OAAO,CAAC;AAEtC;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAkB;IAClD,IAAI,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpG,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACnG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAgB;IAC5C,WAAW,GAAG,IAAI,CAAC;IACnB,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,OAAO,WAAW,KAAK,MAAM,CAAC;AAChC,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,UAAU,CAAC,IAAa;IACtC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,aAAa,CAAC,OAAe,EAAE,IAAa;IAC1D,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAClG,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAClC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;AACH,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,WAAW,CAAC,KAA2D;IACrF,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,WAAW,CAAC,OAAsB,EAAE,IAAgB,EAAE,OAAmB;IACvF,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAChC,MAAM,GAAG,GAA2B,EAAE,CAAC;gBACvC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;oBACvB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACxB,CAAC,CAAC,CAAC;gBACH,OAAO,GAAG,CAAC;YACb,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,aAAa,CAAC,KAA2D;IACvF,WAAW,CAAC,KAAK,CAAC,CAAC;IACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * Output mode system for non-TTY / JSON support.\n *\n * Resolves once at startup, drives all output formatting.\n * In JSON mode: structured JSON to stdout, structured errors to stderr.\n * In human mode: chalk-formatted output (existing behavior).\n */\n\nimport chalk from 'chalk';\nimport { formatTable, type TableColumn } from './table.js';\n\nexport type OutputMode = 'human' | 'json';\n\nlet currentMode: OutputMode = 'human';\n\n/**\n * Resolve the output mode based on flags and environment.\n *\n * Priority:\n * 1. Explicit --json flag\n * 2. WORKOS_FORCE_TTY env var → human\n * 3. Non-TTY auto-detection → json\n * 4. Default → human\n */\nexport function resolveOutputMode(jsonFlag?: boolean): OutputMode {\n  if (jsonFlag) return 'json';\n  if (process.env.WORKOS_FORCE_TTY === '1' || process.env.WORKOS_FORCE_TTY === 'true') return 'human';\n  if (process.env.WORKOS_NO_PROMPT === '1' || process.env.WORKOS_NO_PROMPT === 'true') return 'json';\n  if (!process.stdout.isTTY) return 'json';\n  return 'human';\n}\n\nexport function setOutputMode(mode: OutputMode): void {\n  currentMode = mode;\n  if (mode === 'json') {\n    chalk.level = 0;\n  }\n}\n\nexport function getOutputMode(): OutputMode {\n  return currentMode;\n}\n\nexport function isJsonMode(): boolean {\n  return currentMode === 'json';\n}\n\n/** Write structured JSON to stdout (one line, no pretty-print). */\nexport function outputJson(data: unknown): void {\n  console.log(JSON.stringify(data));\n}\n\n/** Write a success result — chalk in human mode, JSON in json mode. */\nexport function outputSuccess(message: string, data?: object): void {\n  if (currentMode === 'json') {\n    console.log(JSON.stringify(data ? { status: 'ok', message, data } : { status: 'ok', message }));\n  } else {\n    console.log(chalk.green(message));\n    if (data) {\n      console.log(JSON.stringify(data, null, 2));\n    }\n  }\n}\n\n/** Write a structured error to stderr. */\nexport function outputError(error: { code: string; message: string; details?: unknown }): void {\n  if (currentMode === 'json') {\n    console.error(JSON.stringify({ error }));\n  } else {\n    console.error(chalk.red(error.message));\n  }\n}\n\n/** Write tabular data — chalk table in human mode, JSON array in json mode. */\nexport function outputTable(columns: TableColumn[], rows: string[][], rawData?: unknown[]): void {\n  if (currentMode === 'json') {\n    if (rawData) {\n      console.log(JSON.stringify(rawData));\n    } else {\n      const headers = columns.map((c) => c.header);\n      const jsonRows = rows.map((row) => {\n        const obj: Record<string, string> = {};\n        headers.forEach((h, i) => {\n          obj[h] = row[i] ?? '';\n        });\n        return obj;\n      });\n      console.log(JSON.stringify(jsonRows));\n    }\n  } else {\n    console.log(formatTable(columns, rows));\n  }\n}\n\n/** Exit with a structured error. Writes error then exits with code 1. */\nexport function exitWithError(error: { code: string; message: string; details?: unknown }): never {\n  outputError(error);\n  process.exit(1);\n}\n"]}
+{"version":3,"file":"output.js","sourceRoot":"","sources":["../../src/utils/output.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,WAAW,EAAoB,MAAM,YAAY,CAAC;AAI3D,IAAI,WAAW,GAAe,OAAO,CAAC;AAEtC;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAkB;IAClD,IAAI,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpG,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACnG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAgB;IAC5C,WAAW,GAAG,IAAI,CAAC;IACnB,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,OAAO,WAAW,KAAK,MAAM,CAAC;AAChC,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,UAAU,CAAC,IAAa;IACtC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,aAAa,CAC3B,OAAe,EACf,IAAa,EACb,OAAiE;IAEjE,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,MAAM,MAAM,GAA4B,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAClE,IAAI,IAAI;YAAE,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;QAC7B,IAAI,OAAO,EAAE,QAAQ,EAAE,MAAM;YAAE,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAClC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;YAC9B,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACjC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,WAAW,CAAC,KAA2D;IACrF,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,WAAW,CAAC,OAAsB,EAAE,IAAgB,EAAE,OAAmB;IACvF,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAChC,MAAM,GAAG,GAA2B,EAAE,CAAC;gBACvC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;oBACvB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACxB,CAAC,CAAC,CAAC;gBACH,OAAO,GAAG,CAAC;YACb,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,aAAa,CAAC,KAA2D;IACvF,WAAW,CAAC,KAAK,CAAC,CAAC;IACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * Output mode system for non-TTY / JSON support.\n *\n * Resolves once at startup, drives all output formatting.\n * In JSON mode: structured JSON to stdout, structured errors to stderr.\n * In human mode: chalk-formatted output (existing behavior).\n */\n\nimport chalk from 'chalk';\nimport { formatTable, type TableColumn } from './table.js';\n\nexport type OutputMode = 'human' | 'json';\n\nlet currentMode: OutputMode = 'human';\n\n/**\n * Resolve the output mode based on flags and environment.\n *\n * Priority:\n * 1. Explicit --json flag\n * 2. WORKOS_FORCE_TTY env var → human\n * 3. Non-TTY auto-detection → json\n * 4. Default → human\n */\nexport function resolveOutputMode(jsonFlag?: boolean): OutputMode {\n  if (jsonFlag) return 'json';\n  if (process.env.WORKOS_FORCE_TTY === '1' || process.env.WORKOS_FORCE_TTY === 'true') return 'human';\n  if (process.env.WORKOS_NO_PROMPT === '1' || process.env.WORKOS_NO_PROMPT === 'true') return 'json';\n  if (!process.stdout.isTTY) return 'json';\n  return 'human';\n}\n\nexport function setOutputMode(mode: OutputMode): void {\n  currentMode = mode;\n  if (mode === 'json') {\n    chalk.level = 0;\n  }\n}\n\nexport function getOutputMode(): OutputMode {\n  return currentMode;\n}\n\nexport function isJsonMode(): boolean {\n  return currentMode === 'json';\n}\n\n/** Write structured JSON to stdout (one line, no pretty-print). */\nexport function outputJson(data: unknown): void {\n  console.log(JSON.stringify(data));\n}\n\n/** Write a success result — chalk in human mode, JSON in json mode. */\nexport function outputSuccess(\n  message: string,\n  data?: object,\n  options?: { warnings?: Array<{ code: string; message: string }> },\n): void {\n  if (currentMode === 'json') {\n    const result: Record<string, unknown> = { status: 'ok', message };\n    if (data) result.data = data;\n    if (options?.warnings?.length) result.warnings = options.warnings;\n    console.log(JSON.stringify(result));\n  } else {\n    console.log(chalk.green(message));\n    if (data) {\n      console.log(JSON.stringify(data, null, 2));\n    }\n    if (options?.warnings?.length) {\n      for (const w of options.warnings) {\n        console.error(chalk.yellow(w.message));\n      }\n    }\n  }\n}\n\n/** Write a structured error to stderr. */\nexport function outputError(error: { code: string; message: string; details?: unknown }): void {\n  if (currentMode === 'json') {\n    console.error(JSON.stringify({ error }));\n  } else {\n    console.error(chalk.red(error.message));\n  }\n}\n\n/** Write tabular data — chalk table in human mode, JSON array in json mode. */\nexport function outputTable(columns: TableColumn[], rows: string[][], rawData?: unknown[]): void {\n  if (currentMode === 'json') {\n    if (rawData) {\n      console.log(JSON.stringify(rawData));\n    } else {\n      const headers = columns.map((c) => c.header);\n      const jsonRows = rows.map((row) => {\n        const obj: Record<string, string> = {};\n        headers.forEach((h, i) => {\n          obj[h] = row[i] ?? '';\n        });\n        return obj;\n      });\n      console.log(JSON.stringify(jsonRows));\n    }\n  } else {\n    console.log(formatTable(columns, rows));\n  }\n}\n\n/** Exit with a structured error. Writes error then exits with code 1. */\nexport function exitWithError(error: { code: string; message: string; details?: unknown }): never {\n  outputError(error);\n  process.exit(1);\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "workos",
-  "version": "0.13.1",
+  "version": "0.13.3",
   "type": "module",
   "description": "The Official Workos CLI",
   "repository": {