workos 0.15.1 → 0.16.0

package/dist/utils/exit-codes.js.map

@@ -1 +1 @@
-{"version":3,"file":"exit-codes.js","sourceRoot":"","sources":["../../src/utils/exit-codes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,WAAW,EAAwB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAE3D,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,OAAO,EAAE,CAAC;IACV,aAAa,EAAE,CAAC;IAChB,SAAS,EAAE,CAAC;IACZ,aAAa,EAAE,CAAC;CACR,CAAC;AAIX,8EAA8E;AAC9E,MAAM,UAAU,YAAY,CAAC,IAAmB,EAAE,KAAuB;IACvE,IAAI,KAAK,EAAE,CAAC;QACV,WAAW,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAgB,EAAE,OAAoD;IACzG,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC,IAAI,CAAC;IACvC,YAAY,CAAC,QAAQ,CAAC,aAAa,EAAE;QACnC,IAAI,EAAE,eAAe;QACrB,OAAO,EACL,OAAO;YACP,4BAA4B,mBAAmB,CAAC,YAAY,CAAC,uDAAuD;QACtH,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC;KAC3D,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Standardized exit codes following gh CLI convention.\n *\n * 0 = Success\n * 1 = General error\n * 2 = Cancelled (e.g., Ctrl+C, user cancelled prompt)\n * 4 = Authentication required\n */\n\nimport { outputError, type StructuredError } from './output.js';\nimport { formatWorkOSCommand } from './command-invocation.js';\nimport { authLoginRecovery } from './recovery-hints.js';\nimport { getInteractionMode } from './interaction-mode.js';\n\nexport const ExitCode = {\n  SUCCESS: 0,\n  GENERAL_ERROR: 1,\n  CANCELLED: 2,\n  AUTH_REQUIRED: 4,\n} as const;\n\nexport type ExitCodeValue = (typeof ExitCode)[keyof typeof ExitCode];\n\n/** Exit with a specific code, optionally writing a structured error first. */\nexport function exitWithCode(code: ExitCodeValue, error?: StructuredError): never {\n  if (error) {\n    outputError(error);\n  }\n  process.exit(code);\n}\n\n/**\n * Convenience: exit with code 4 and auth-required error.\n *\n * Recovery hints are inferred from interaction mode unless explicitly provided.\n */\nexport function exitWithAuthRequired(message?: string, options?: { recovery?: StructuredError['recovery'] }): never {\n  const mode = getInteractionMode().mode;\n  exitWithCode(ExitCode.AUTH_REQUIRED, {\n    code: 'auth_required',\n    message:\n      message ??\n      `Not authenticated. Run \\`${formatWorkOSCommand('auth login')}\\` in an interactive terminal, or set WORKOS_API_KEY.`,\n    recovery: options?.recovery ?? authLoginRecovery({ mode }),\n  });\n}\n"]}
+{"version":3,"file":"exit-codes.js","sourceRoot":"","sources":["../../src/utils/exit-codes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,WAAW,EAAwB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAG3D,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,OAAO,EAAE,CAAC;IACV,aAAa,EAAE,CAAC;IAChB,SAAS,EAAE,CAAC;IACZ,aAAa,EAAE,CAAC;CACR,CAAC;AAIX,MAAM,cAAc,GAAuE;IACzF,aAAa,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE;IACxE,6EAA6E;IAC7E,sEAAsE;IACtE,UAAU,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE;IACrE,SAAS,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE;CAC7D,CAAC;AAEF,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAI3C,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE,CAAC;IAC/D,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE,CAAC;AACtE,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAmB;IAC5C,IAAI,IAAI,KAAK,QAAQ,CAAC,aAAa;QAAE,OAAO,eAAe,CAAC;IAC5D,IAAI,IAAI,KAAK,QAAQ,CAAC,SAAS;QAAE,OAAO,WAAW,CAAC;IACpD,IAAI,IAAI,KAAK,QAAQ,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAChD,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,YAAY,CAAC,IAAmB,EAAE,KAAuB;IACvE,IAAI,KAAK,EAAE,CAAC;QACV,WAAW,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IACD,MAAM,IAAI,OAAO,CAAC,IAAI,EAAE;QACtB,MAAM,EAAE,iBAAiB,CAAC,IAAI,CAAC;QAC/B,SAAS,EAAE,KAAK,EAAE,IAAI;KACvB,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAgB,EAAE,OAAoD;IACzG,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC,IAAI,CAAC;IACvC,YAAY,CAAC,QAAQ,CAAC,aAAa,EAAE;QACnC,IAAI,EAAE,eAAe;QACrB,OAAO,EACL,OAAO;YACP,4BAA4B,mBAAmB,CAAC,YAAY,CAAC,uDAAuD;QACtH,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC;KAC3D,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Standardized exit codes following gh CLI convention.\n *\n * 0 = Success\n * 1 = General error\n * 2 = Cancelled (e.g., Ctrl+C, user cancelled prompt)\n * 4 = Authentication required\n */\n\nimport { CliExit } from './cli-exit.js';\nimport { outputError, type StructuredError } from './output.js';\nimport { formatWorkOSCommand } from './command-invocation.js';\nimport { authLoginRecovery } from './recovery-hints.js';\nimport { getInteractionMode } from './interaction-mode.js';\nimport type { TerminationReason } from './telemetry-types.js';\n\nexport const ExitCode = {\n  SUCCESS: 0,\n  GENERAL_ERROR: 1,\n  CANCELLED: 2,\n  AUTH_REQUIRED: 4,\n} as const;\n\nexport type ExitCodeValue = (typeof ExitCode)[keyof typeof ExitCode];\n\nconst ERROR_CODE_MAP: Record<string, { reason: TerminationReason; exit: ExitCodeValue }> = {\n  auth_required: { reason: 'auth_required', exit: ExitCode.AUTH_REQUIRED },\n  // resolveApiKey() emits `no_api_key` when no key is configured; semantically\n  // an auth failure, so it must not fall through to `validation_error`.\n  no_api_key: { reason: 'auth_required', exit: ExitCode.AUTH_REQUIRED },\n  cancelled: { reason: 'cancelled', exit: ExitCode.CANCELLED },\n};\n\nexport function resolveErrorCode(code: string): {\n  reason: TerminationReason;\n  exit: ExitCodeValue;\n} {\n  const mapped = ERROR_CODE_MAP[code];\n  if (mapped) return mapped;\n  if (code.startsWith('http_')) {\n    return { reason: 'api_error', exit: ExitCode.GENERAL_ERROR };\n  }\n  return { reason: 'validation_error', exit: ExitCode.GENERAL_ERROR };\n}\n\nfunction reasonForExitCode(code: ExitCodeValue): TerminationReason {\n  if (code === ExitCode.AUTH_REQUIRED) return 'auth_required';\n  if (code === ExitCode.CANCELLED) return 'cancelled';\n  if (code === ExitCode.SUCCESS) return 'success';\n  return 'validation_error';\n}\n\n/** Exit with a specific code, optionally writing a structured error first. */\nexport function exitWithCode(code: ExitCodeValue, error?: StructuredError): never {\n  if (error) {\n    outputError(error);\n  }\n  throw new CliExit(code, {\n    reason: reasonForExitCode(code),\n    errorCode: error?.code,\n  });\n}\n\n/**\n * Convenience: exit with code 4 and auth-required error.\n *\n * Recovery hints are inferred from interaction mode unless explicitly provided.\n */\nexport function exitWithAuthRequired(message?: string, options?: { recovery?: StructuredError['recovery'] }): never {\n  const mode = getInteractionMode().mode;\n  exitWithCode(ExitCode.AUTH_REQUIRED, {\n    code: 'auth_required',\n    message:\n      message ??\n      `Not authenticated. Run \\`${formatWorkOSCommand('auth login')}\\` in an interactive terminal, or set WORKOS_API_KEY.`,\n    recovery: options?.recovery ?? authLoginRecovery({ mode }),\n  });\n}\n"]}

package/dist/utils/help-json.d.ts

@@ -49,4 +49,10 @@ export declare function extractHelpJsonCommand(argv: string[]): string | undefin
  * @param subcommand - Optional command name to return a subtree for (e.g. "env").
  *                     Returns full tree if omitted or if command not found.
  */
+/**
+ * Top-level command names (first token of each registered command). Used by
+ * telemetry to recognise real commands without trusting arbitrary argv tokens
+ * (so option values / secrets are never recorded as a command name).
+ */
+export declare function getTopLevelCommandNames(): string[];
 export declare function buildCommandTree(subcommand?: string): HelpOutput | CommandSchema;

package/dist/utils/help-json.js

@@ -6,6 +6,7 @@
  * so we maintain a parallel typed registry.
  */
 import { getVersion } from '../lib/settings.js';
+import { COMMAND_ALIASES } from '../lib/command-aliases.js';
 // ---------------------------------------------------------------------------
 // Shared option fragments (mirrors bin.ts shared option objects)
 // ---------------------------------------------------------------------------
@@ -68,6 +69,15 @@ const commands = [
         description: 'Show current authentication status',
         options: [insecureStorageOpt],
     },
+    {
+        name: 'telemetry',
+        description: 'Manage telemetry collection (opt-out, opt-in, status)',
+        commands: [
+            { name: 'opt-out', description: 'Disable telemetry collection (persists across runs)' },
+            { name: 'opt-in', description: 'Re-enable telemetry collection' },
+            { name: 'status', description: 'Show whether telemetry is enabled and why' },
+        ],
+    },
     {
         name: 'skills',
         description: 'Manage WorkOS skills for coding agents (Claude Code, Codex, Cursor, Goose)',
@@ -969,29 +979,61 @@ const commands = [
             { name: 'list', description: 'List vault objects', options: [...paginationOpts] },
             {
                 name: 'get',
-                description: 'Get a vault object',
+                description: 'Get a vault object (metadata only; use --decrypt to include value)',
                 positionals: [{ name: 'id', type: 'string', description: 'Object ID', required: true }],
+                options: [
+                    {
+                        name: 'decrypt',
+                        type: 'boolean',
+                        description: 'Include the decrypted secret value',
+                        required: false,
+                        default: false,
+                        hidden: false,
+                    },
+                ],
             },
             {
                 name: 'get-by-name',
-                description: 'Get a vault object by name',
+                description: 'Get a vault object by name (metadata only; use --decrypt to include value)',
                 positionals: [{ name: 'name', type: 'string', description: 'Object name', required: true }],
+                options: [
+                    {
+                        name: 'decrypt',
+                        type: 'boolean',
+                        description: 'Include the decrypted secret value',
+                        required: false,
+                        default: false,
+                        hidden: false,
+                    },
+                ],
             },
             {
                 name: 'create',
-                description: 'Create a vault object',
+                description: 'Create a vault object (reads value from stdin when --value is omitted or -)',
                 options: [
                     { name: 'name', type: 'string', description: 'Object name', required: true, hidden: false },
-                    { name: 'value', type: 'string', description: 'Secret value', required: true, hidden: false },
-                    { name: 'org', type: 'string', description: 'Organization ID', required: false, hidden: false },
+                    {
+                        name: 'value',
+                        type: 'string',
+                        description: 'Secret value (omit or use - to read from stdin)',
+                        required: false,
+                        hidden: false,
+                    },
+                    { name: 'org', type: 'string', description: 'Organization ID (required)', required: true, hidden: false },
                 ],
             },
             {
                 name: 'update',
-                description: 'Update a vault object',
+                description: 'Update a vault object (reads value from stdin when --value is omitted or -)',
                 positionals: [{ name: 'id', type: 'string', description: 'Object ID', required: true }],
                 options: [
-                    { name: 'value', type: 'string', description: 'New value', required: true, hidden: false },
+                    {
+                        name: 'value',
+                        type: 'string',
+                        description: 'New value (omit or use - to read from stdin)',
+                        required: false,
+                        hidden: false,
+                    },
                     { name: 'version-check', type: 'string', description: 'Version check ID', required: false, hidden: false },
                 ],
             },
@@ -1010,6 +1052,34 @@ const commands = [
                 description: 'List vault object versions',
                 positionals: [{ name: 'id', type: 'string', description: 'Object ID', required: true }],
             },
+            {
+                name: 'run',
+                description: 'Run a command with Vault secrets injected as environment variables',
+                options: [
+                    {
+                        name: 'secret',
+                        type: 'array',
+                        description: 'Map a vault object to an env var: ENV_VAR=vault-name (repeatable)',
+                        required: true,
+                        hidden: false,
+                    },
+                    {
+                        name: 'env',
+                        type: 'string',
+                        description: 'Environment name to read API key from (defaults to active)',
+                        required: false,
+                        hidden: false,
+                    },
+                    {
+                        name: 'dry-run',
+                        type: 'boolean',
+                        description: 'Print which secrets would be injected, no fetch',
+                        required: false,
+                        default: false,
+                        hidden: false,
+                    },
+                ],
+            },
         ],
     },
     {
@@ -1301,10 +1371,9 @@ const globalOptions = [
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
-const commandAliases = { org: 'organization' };
 const helpJsonCommandNames = new Set([
     ...commands.map((command) => command.name.split(' ')[0]),
-    ...Object.keys(commandAliases),
+    ...Object.keys(COMMAND_ALIASES),
 ]);
 /**
  * Extract the requested command from raw argv before yargs parses --help.
@@ -1323,7 +1392,7 @@ export function extractHelpJsonCommand(argv) {
             continue;
         }
         if (!arg.startsWith('-') && helpJsonCommandNames.has(arg)) {
-            return commandAliases[arg] ?? arg;
+            return COMMAND_ALIASES[arg] ?? arg;
         }
     }
     return undefined;
@@ -1334,6 +1403,14 @@ export function extractHelpJsonCommand(argv) {
  * @param subcommand - Optional command name to return a subtree for (e.g. "env").
  *                     Returns full tree if omitted or if command not found.
  */
+/**
+ * Top-level command names (first token of each registered command). Used by
+ * telemetry to recognise real commands without trusting arbitrary argv tokens
+ * (so option values / secrets are never recorded as a command name).
+ */
+export function getTopLevelCommandNames() {
+    return commands.map((c) => c.name.split(' ')[0]);
+}
 export function buildCommandTree(subcommand) {
     if (subcommand) {
         const match = commands.find((c) => c.name === subcommand);