workos 0.16.0 → 0.17.1

package/dist/lib/validation/security-checks.js

@@ -0,0 +1,105 @@
+import { checkAuthPatterns } from '../../doctor/checks/auth-patterns.js';
+/**
+ * The "security subset" of `workos doctor`'s auth-pattern checks that the
+ * installer enforces. These are the patterns that are *unsafe* or *leak secrets*
+ * (an unsafe GET sign-out, an API key in client env/source, an ungitignored
+ * .env). Completeness checks (missing middleware/callback/provider) are
+ * intentionally excluded here — `validateInstallation` already covers those, and
+ * they carry higher false-positive risk than we want gating install success.
+ *
+ * Keep in sync with the codes emitted by `src/doctor/checks/auth-patterns.ts`.
+ */
+const SECURITY_FINDING_CODES = new Set([
+    'SIGNOUT_GET_HANDLER',
+    'SIGNOUT_LINK_PREFETCH',
+    'API_KEY_LEAKED_TO_CLIENT',
+    'API_KEY_IN_SOURCE',
+    'ENV_FILE_NOT_GITIGNORED',
+    'MIXED_ENVIRONMENT',
+]);
+/** Map an installer integration id to the framework name doctor's checks expect. */
+const INTEGRATION_FRAMEWORK_NAME = {
+    nextjs: 'Next.js',
+    'react-router': 'React Router',
+    'tanstack-start': 'TanStack Start',
+};
+/**
+ * Run the security subset of doctor's auth-pattern checks against an install
+ * directory. Pure file inspection — no network — so it is safe to call both
+ * inside the installer's self-correction loop and as the final pre-success gate.
+ *
+ * This closes the install-validate ↔ doctor gap: previously install could report
+ * `success: true` while `workos doctor` immediately found a security hole,
+ * because neither the retry loop nor `validateInstallation` ran these checks.
+ */
+export async function runInstallSecurityChecks(integration, installDir) {
+    const framework = {
+        name: INTEGRATION_FRAMEWORK_NAME[integration] ?? null,
+        version: null,
+    };
+    // checkAuthPatterns loads .env files itself; these structs only satisfy the
+    // shape its non-Next.js checks read from.
+    const environment = {
+        apiKeyConfigured: false,
+        apiKeyType: null,
+        clientId: null,
+        redirectUri: null,
+        cookieDomain: null,
+        baseUrl: null,
+    };
+    const sdk = {
+        name: null,
+        version: null,
+        latest: null,
+        outdated: false,
+        isAuthKit: false,
+        language: 'javascript',
+    };
+    const result = await checkAuthPatterns({ installDir }, framework, environment, sdk);
+    const findings = result.findings.filter((f) => SECURITY_FINDING_CODES.has(f.code));
+    const blocking = findings.filter((f) => f.severity === 'error');
+    return { findings, blocking };
+}
+/** Convert security findings into ValidationIssues for the emitter/report surfaces. */
+export function securityFindingsToIssues(findings) {
+    return findings.map((f) => ({
+        type: 'pattern',
+        severity: f.severity,
+        message: f.filePath ? `${f.message} (${f.filePath})` : f.message,
+        hint: f.remediation,
+    }));
+}
+/**
+ * Build an agent correction prompt from security findings so the installer's
+ * self-correction loop fixes them before declaring success. Returns an empty
+ * string when there is nothing to correct.
+ */
+export function formatSecurityFindingsForAgent(findings) {
+    if (findings.length === 0)
+        return '';
+    const lines = findings.map((f) => {
+        const loc = f.filePath ? ` in ${f.filePath}` : '';
+        const fix = f.remediation ? ` Fix: ${f.remediation}` : '';
+        return `- [${f.severity}] ${f.message}${loc}.${fix}`;
+    });
+    return `Security checks found issues that must be fixed:\n\n${lines.join('\n')}\n\nApply the fixes above, then make sure the project still builds.`;
+}
+/**
+ * Build the error message thrown when error-severity security findings survive
+ * the installer's retries — the message that turns a silent insecure "success"
+ * into a visible failure.
+ */
+export function formatBlockingSecurityError(blocking) {
+    const lines = blocking.map((f) => {
+        const loc = f.filePath ? ` (${f.filePath})` : '';
+        return `  • ${f.code}: ${f.message}${loc}`;
+    });
+    return [
+        'Installation produced insecure code that could not be auto-corrected:',
+        '',
+        ...lines,
+        '',
+        'Fix the issues above (or run `workos doctor` for details and remediation) and re-run the installer.',
+    ].join('\n');
+}
+//# sourceMappingURL=security-checks.js.map

package/dist/lib/validation/security-checks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-checks.js","sourceRoot":"","sources":["../../../src/lib/validation/security-checks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AAIzE;;;;;;;;;GASG;AACH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAS;IAC7C,qBAAqB;IACrB,uBAAuB;IACvB,0BAA0B;IAC1B,mBAAmB;IACnB,yBAAyB;IACzB,mBAAmB;CACpB,CAAC,CAAC;AAEH,oFAAoF;AACpF,MAAM,0BAA0B,GAA2B;IACzD,MAAM,EAAE,SAAS;IACjB,cAAc,EAAE,cAAc;IAC9B,gBAAgB,EAAE,gBAAgB;CACnC,CAAC;AAYF;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,WAAmB,EAAE,UAAkB;IACpF,MAAM,SAAS,GAAkB;QAC/B,IAAI,EAAE,0BAA0B,CAAC,WAAW,CAAC,IAAI,IAAI;QACrD,OAAO,EAAE,IAAI;KACd,CAAC;IACF,4EAA4E;IAC5E,0CAA0C;IAC1C,MAAM,WAAW,GAAoB;QACnC,gBAAgB,EAAE,KAAK;QACvB,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,IAAI;QACjB,YAAY,EAAE,IAAI;QAClB,OAAO,EAAE,IAAI;KACd,CAAC;IACF,MAAM,GAAG,GAAY;QACnB,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,IAAI;QACb,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,YAAY;KACvB,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACnF,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAChE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED,uFAAuF;AACvF,MAAM,UAAU,wBAAwB,CAAC,QAA8B;IACrE,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1B,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO;QAChE,IAAI,EAAE,CAAC,CAAC,WAAW;KACpB,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,8BAA8B,CAAC,QAA8B;IAC3E,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/B,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,OAAO,MAAM,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,EAAE,CAAC;IACvD,CAAC,CAAC,CAAC;IACH,OAAO,uDAAuD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,qEAAqE,CAAC;AACtJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,2BAA2B,CAAC,QAA8B;IACxE,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/B,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;IAC7C,CAAC,CAAC,CAAC;IACH,OAAO;QACL,uEAAuE;QACvE,EAAE;QACF,GAAG,KAAK;QACR,EAAE;QACF,qGAAqG;KACtG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC","sourcesContent":["import { checkAuthPatterns } from '../../doctor/checks/auth-patterns.js';\nimport type { AuthPatternFinding, FrameworkInfo, EnvironmentInfo, SdkInfo } from '../../doctor/types.js';\nimport type { ValidationIssue } from './types.js';\n\n/**\n * The \"security subset\" of `workos doctor`'s auth-pattern checks that the\n * installer enforces. These are the patterns that are *unsafe* or *leak secrets*\n * (an unsafe GET sign-out, an API key in client env/source, an ungitignored\n * .env). Completeness checks (missing middleware/callback/provider) are\n * intentionally excluded here — `validateInstallation` already covers those, and\n * they carry higher false-positive risk than we want gating install success.\n *\n * Keep in sync with the codes emitted by `src/doctor/checks/auth-patterns.ts`.\n */\nconst SECURITY_FINDING_CODES = new Set<string>([\n  'SIGNOUT_GET_HANDLER',\n  'SIGNOUT_LINK_PREFETCH',\n  'API_KEY_LEAKED_TO_CLIENT',\n  'API_KEY_IN_SOURCE',\n  'ENV_FILE_NOT_GITIGNORED',\n  'MIXED_ENVIRONMENT',\n]);\n\n/** Map an installer integration id to the framework name doctor's checks expect. */\nconst INTEGRATION_FRAMEWORK_NAME: Record<string, string> = {\n  nextjs: 'Next.js',\n  'react-router': 'React Router',\n  'tanstack-start': 'TanStack Start',\n};\n\nexport interface SecurityCheckResult {\n  /** All security-class findings for this install (errors + warnings). */\n  findings: AuthPatternFinding[];\n  /**\n   * Error-severity findings that must block a successful install. Empty when the\n   * install is secure; a non-empty list means install should not report success.\n   */\n  blocking: AuthPatternFinding[];\n}\n\n/**\n * Run the security subset of doctor's auth-pattern checks against an install\n * directory. Pure file inspection — no network — so it is safe to call both\n * inside the installer's self-correction loop and as the final pre-success gate.\n *\n * This closes the install-validate ↔ doctor gap: previously install could report\n * `success: true` while `workos doctor` immediately found a security hole,\n * because neither the retry loop nor `validateInstallation` ran these checks.\n */\nexport async function runInstallSecurityChecks(integration: string, installDir: string): Promise<SecurityCheckResult> {\n  const framework: FrameworkInfo = {\n    name: INTEGRATION_FRAMEWORK_NAME[integration] ?? null,\n    version: null,\n  };\n  // checkAuthPatterns loads .env files itself; these structs only satisfy the\n  // shape its non-Next.js checks read from.\n  const environment: EnvironmentInfo = {\n    apiKeyConfigured: false,\n    apiKeyType: null,\n    clientId: null,\n    redirectUri: null,\n    cookieDomain: null,\n    baseUrl: null,\n  };\n  const sdk: SdkInfo = {\n    name: null,\n    version: null,\n    latest: null,\n    outdated: false,\n    isAuthKit: false,\n    language: 'javascript',\n  };\n\n  const result = await checkAuthPatterns({ installDir }, framework, environment, sdk);\n  const findings = result.findings.filter((f) => SECURITY_FINDING_CODES.has(f.code));\n  const blocking = findings.filter((f) => f.severity === 'error');\n  return { findings, blocking };\n}\n\n/** Convert security findings into ValidationIssues for the emitter/report surfaces. */\nexport function securityFindingsToIssues(findings: AuthPatternFinding[]): ValidationIssue[] {\n  return findings.map((f) => ({\n    type: 'pattern',\n    severity: f.severity,\n    message: f.filePath ? `${f.message} (${f.filePath})` : f.message,\n    hint: f.remediation,\n  }));\n}\n\n/**\n * Build an agent correction prompt from security findings so the installer's\n * self-correction loop fixes them before declaring success. Returns an empty\n * string when there is nothing to correct.\n */\nexport function formatSecurityFindingsForAgent(findings: AuthPatternFinding[]): string {\n  if (findings.length === 0) return '';\n  const lines = findings.map((f) => {\n    const loc = f.filePath ? ` in ${f.filePath}` : '';\n    const fix = f.remediation ? ` Fix: ${f.remediation}` : '';\n    return `- [${f.severity}] ${f.message}${loc}.${fix}`;\n  });\n  return `Security checks found issues that must be fixed:\\n\\n${lines.join('\\n')}\\n\\nApply the fixes above, then make sure the project still builds.`;\n}\n\n/**\n * Build the error message thrown when error-severity security findings survive\n * the installer's retries — the message that turns a silent insecure \"success\"\n * into a visible failure.\n */\nexport function formatBlockingSecurityError(blocking: AuthPatternFinding[]): string {\n  const lines = blocking.map((f) => {\n    const loc = f.filePath ? ` (${f.filePath})` : '';\n    return `  • ${f.code}: ${f.message}${loc}`;\n  });\n  return [\n    'Installation produced insecure code that could not be auto-corrected:',\n    '',\n    ...lines,\n    '',\n    'Fix the issues above (or run `workos doctor` for details and remediation) and re-run the installer.',\n  ].join('\\n');\n}\n"]}

package/dist/run.d.ts

@@ -1,6 +1,4 @@
-import type { Integration } from './lib/constants.js';
 export type InstallerArgs = {
-    integration?: Integration;
     debug?: boolean;
     forceInstall?: boolean;
     installDir?: string;
@@ -24,6 +22,8 @@ export type InstallerArgs = {
     noGitCheck?: boolean;
     gitCheck?: boolean;
     direct?: boolean;
+    scaffold?: boolean;
+    pm?: string;
 };
 /**
  * Main entry point for the wizard CLI.

package/dist/run.js

@@ -31,7 +31,6 @@ function buildOptions(argv) {
         homepageUrl: merged.homepageUrl,
         redirectUri: merged.redirectUri,
         dashboard: merged.dashboard ?? false,
-        integration: merged.integration,
         inspect: merged.inspect ?? false,
         noValidate: merged.noValidate ?? merged.validate === false,
         noCommit: merged.noCommit ?? merged.commit === false,
@@ -39,6 +38,8 @@ function buildOptions(argv) {
         createPr: merged.createPr ?? false,
         noGitCheck: merged.noGitCheck ?? merged.gitCheck === false,
         direct: merged.direct ?? false,
+        scaffold: merged.scaffold ?? false,
+        pm: merged.pm,
         emitter: createInstallerEventEmitter(), // Will be replaced in runWithCore
     };
 }

package/dist/run.js.map

@@ -1 +1 @@
-{"version":3,"file":"run.js","sourceRoot":"","sources":["../src/run.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAEtC,YAAY,CAAC,mBAAmB,GAAG,EAAE,CAAC;AA6BtC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAmB;IACpD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAmB;IACvC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAEvC,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAExD,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,KAAK;QAC1C,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,EAAE,EAAE,MAAM,CAAC,EAAE,IAAI,KAAK;QACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;QACpC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;QAChC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,KAAK;QAC9B,OAAO,EAAE,2BAA2B,EAAE,EAAE,kCAAkC;KAC3E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAY;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC;IAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;AACpE,CAAC","sourcesContent":["import { readEnvironment } from './utils/environment.js';\nimport { runWithCore } from './lib/run-with-core.js';\nimport type { InstallerOptions } from './utils/types.js';\nimport type { Integration } from './lib/constants.js';\nimport { createInstallerEventEmitter } from './lib/events.js';\nimport path from 'path';\nimport { EventEmitter } from 'events';\n\nEventEmitter.defaultMaxListeners = 50;\n\nexport type InstallerArgs = {\n  integration?: Integration;\n  debug?: boolean;\n  forceInstall?: boolean;\n  installDir?: string;\n  default?: boolean;\n  local?: boolean;\n  ci?: boolean;\n  skipAuth?: boolean;\n  apiKey?: string;\n  clientId?: string;\n  homepageUrl?: string;\n  redirectUri?: string;\n  dashboard?: boolean;\n  inspect?: boolean;\n  noValidate?: boolean;\n  validate?: boolean;\n  noCommit?: boolean;\n  commit?: boolean;\n  noBranch?: boolean;\n  branch?: boolean;\n  createPr?: boolean;\n  noGitCheck?: boolean;\n  gitCheck?: boolean;\n  direct?: boolean;\n};\n\n/**\n * Main entry point for the wizard CLI.\n * Builds options from args and delegates to the core.\n */\nexport async function runInstaller(argv: InstallerArgs): Promise<void> {\n  const options = buildOptions(argv);\n  await runWithCore(options);\n}\n\n/**\n * Build InstallerOptions from CLI args and environment.\n */\nfunction buildOptions(argv: InstallerArgs): InstallerOptions {\n  const envArgs = readEnvironment();\n  const merged = { ...argv, ...envArgs };\n\n  const installDir = resolveInstallDir(merged.installDir);\n\n  return {\n    debug: merged.debug ?? false,\n    forceInstall: merged.forceInstall ?? false,\n    installDir,\n    local: merged.local ?? false,\n    ci: merged.ci ?? false,\n    skipAuth: merged.skipAuth ?? false,\n    apiKey: merged.apiKey,\n    clientId: merged.clientId,\n    homepageUrl: merged.homepageUrl,\n    redirectUri: merged.redirectUri,\n    dashboard: merged.dashboard ?? false,\n    integration: merged.integration,\n    inspect: merged.inspect ?? false,\n    noValidate: merged.noValidate ?? merged.validate === false,\n    noCommit: merged.noCommit ?? merged.commit === false,\n    noBranch: merged.noBranch ?? merged.branch === false,\n    createPr: merged.createPr ?? false,\n    noGitCheck: merged.noGitCheck ?? merged.gitCheck === false,\n    direct: merged.direct ?? false,\n    emitter: createInstallerEventEmitter(), // Will be replaced in runWithCore\n  };\n}\n\n/**\n * Resolve install directory to absolute path.\n */\nfunction resolveInstallDir(dir?: string): string {\n  if (!dir) return process.cwd();\n  return path.isAbsolute(dir) ? dir : path.join(process.cwd(), dir);\n}\n"]}
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../src/run.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAEtC,YAAY,CAAC,mBAAmB,GAAG,EAAE,CAAC;AA8BtC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAmB;IACpD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAmB;IACvC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAEvC,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAExD,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,KAAK;QAC1C,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,EAAE,EAAE,MAAM,CAAC,EAAE,IAAI,KAAK;QACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;QACpC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;QAChC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,KAAK;QAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,OAAO,EAAE,2BAA2B,EAAE,EAAE,kCAAkC;KAC3E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAY;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC;IAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;AACpE,CAAC","sourcesContent":["import { readEnvironment } from './utils/environment.js';\nimport { runWithCore } from './lib/run-with-core.js';\nimport type { InstallerOptions } from './utils/types.js';\nimport { createInstallerEventEmitter } from './lib/events.js';\nimport path from 'path';\nimport { EventEmitter } from 'events';\n\nEventEmitter.defaultMaxListeners = 50;\n\nexport type InstallerArgs = {\n  debug?: boolean;\n  forceInstall?: boolean;\n  installDir?: string;\n  default?: boolean;\n  local?: boolean;\n  ci?: boolean;\n  skipAuth?: boolean;\n  apiKey?: string;\n  clientId?: string;\n  homepageUrl?: string;\n  redirectUri?: string;\n  dashboard?: boolean;\n  inspect?: boolean;\n  noValidate?: boolean;\n  validate?: boolean;\n  noCommit?: boolean;\n  commit?: boolean;\n  noBranch?: boolean;\n  branch?: boolean;\n  createPr?: boolean;\n  noGitCheck?: boolean;\n  gitCheck?: boolean;\n  direct?: boolean;\n  scaffold?: boolean;\n  pm?: string;\n};\n\n/**\n * Main entry point for the wizard CLI.\n * Builds options from args and delegates to the core.\n */\nexport async function runInstaller(argv: InstallerArgs): Promise<void> {\n  const options = buildOptions(argv);\n  await runWithCore(options);\n}\n\n/**\n * Build InstallerOptions from CLI args and environment.\n */\nfunction buildOptions(argv: InstallerArgs): InstallerOptions {\n  const envArgs = readEnvironment();\n  const merged = { ...argv, ...envArgs };\n\n  const installDir = resolveInstallDir(merged.installDir);\n\n  return {\n    debug: merged.debug ?? false,\n    forceInstall: merged.forceInstall ?? false,\n    installDir,\n    local: merged.local ?? false,\n    ci: merged.ci ?? false,\n    skipAuth: merged.skipAuth ?? false,\n    apiKey: merged.apiKey,\n    clientId: merged.clientId,\n    homepageUrl: merged.homepageUrl,\n    redirectUri: merged.redirectUri,\n    dashboard: merged.dashboard ?? false,\n    inspect: merged.inspect ?? false,\n    noValidate: merged.noValidate ?? merged.validate === false,\n    noCommit: merged.noCommit ?? merged.commit === false,\n    noBranch: merged.noBranch ?? merged.branch === false,\n    createPr: merged.createPr ?? false,\n    noGitCheck: merged.noGitCheck ?? merged.gitCheck === false,\n    direct: merged.direct ?? false,\n    scaffold: merged.scaffold ?? false,\n    pm: merged.pm,\n    emitter: createInstallerEventEmitter(), // Will be replaced in runWithCore\n  };\n}\n\n/**\n * Resolve install directory to absolute path.\n */\nfunction resolveInstallDir(dir?: string): string {\n  if (!dir) return process.cwd();\n  return path.isAbsolute(dir) ? dir : path.join(process.cwd(), dir);\n}\n"]}

package/dist/utils/types.d.ts

@@ -54,10 +54,6 @@ export type InstallerOptions = {
      * Event emitter for dashboard mode
      */
     emitter?: import('../lib/events.js').InstallerEventEmitter;
-    /**
-     * Pre-selected framework integration (bypasses detection)
-     */
-    integration?: import('../lib/constants.js').Integration;
     /**
      * Enable XState inspector - opens browser to visualize state machine live
      */
@@ -93,6 +89,16 @@ export type InstallerOptions = {
      * Default: 2. Set to 0 to disable retries entirely.
      */
     maxRetries?: number;
+    /**
+     * Scaffold a new Next.js app when run in an empty directory.
+     * Auto-enabled in headless mode; opt-in via --scaffold in interactive mode.
+     */
+    scaffold?: boolean;
+    /**
+     * Package manager for the scaffolded app (npm/pnpm/yarn/bun).
+     * Overrides detection from npm_config_user_agent.
+     */
+    pm?: string;
 };
 export interface Feature {
     id: string;

package/dist/utils/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/utils/types.ts"],"names":[],"mappings":"","sourcesContent":["export type InstallerOptions = {\n  /**\n   * Whether to enable debug mode.\n   */\n  debug: boolean;\n\n  /**\n   * Whether to force install the SDK package to continue with the installation in case\n   * any package manager checks are failing (e.g. peer dependency versions).\n   *\n   * Use with caution and only if you know what you're doing.\n   *\n   * Does not apply to all wizard flows (currently NPM only)\n   */\n  forceInstall: boolean;\n\n  /**\n   * The directory to run the wizard in.\n   */\n  installDir: string;\n\n  /**\n   * Whether to use local services (LLM gateway on localhost:8000)\n   */\n  local: boolean;\n\n  /**\n   * CI mode - non-interactive execution\n   */\n  ci: boolean;\n\n  /**\n   * Skip authentication check (for local development only)\n   */\n  skipAuth: boolean;\n\n  /**\n   * WorkOS API key (sk_xxx)\n   */\n  apiKey?: string;\n\n  /**\n   * WorkOS Client ID (client_xxx)\n   */\n  clientId?: string;\n\n  /**\n   * App homepage URL for WorkOS dashboard config.\n   * Defaults to http://localhost:{detected_port}\n   */\n  homepageUrl?: string;\n\n  /**\n   * Redirect URI for WorkOS callback.\n   * Defaults to framework-specific convention (e.g., /api/auth/callback)\n   */\n  redirectUri?: string;\n\n  /**\n   * [Experimental] Enable visual dashboard mode\n   */\n  dashboard?: boolean;\n\n  /**\n   * Event emitter for dashboard mode\n   */\n  emitter?: import('../lib/events.js').InstallerEventEmitter;\n\n  /**\n   * Pre-selected framework integration (bypasses detection)\n   */\n  integration?: import('../lib/constants.js').Integration;\n\n  /**\n   * Enable XState inspector - opens browser to visualize state machine live\n   */\n  inspect?: boolean;\n\n  /**\n   * Skip post-installation validation (includes build check)\n   */\n  noValidate?: boolean;\n\n  /**\n   * Skip post-install commit and PR workflow\n   */\n  noCommit?: boolean;\n\n  /**\n   * Skip branch creation (continue on current branch)\n   */\n  noBranch?: boolean;\n\n  /**\n   * Auto-create pull request after installation\n   */\n  createPr?: boolean;\n\n  /**\n   * Skip git dirty working tree check\n   */\n  noGitCheck?: boolean;\n\n  /**\n   * Direct mode - bypass llm-gateway and use user's own Anthropic API key.\n   * Requires ANTHROPIC_API_KEY environment variable.\n   */\n  direct?: boolean;\n\n  /**\n   * Max correction attempts after initial agent run.\n   * The agent gets this many chances to fix validation failures (typecheck/build).\n   * Default: 2. Set to 0 to disable retries entirely.\n   */\n  maxRetries?: number;\n};\n\nexport interface Feature {\n  id: string;\n  prompt: string;\n  enabledHint?: string;\n  disabledHint?: string;\n}\n\nexport type FileChange = {\n  filePath: string;\n  oldContent?: string;\n  newContent: string;\n};\n"]}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/utils/types.ts"],"names":[],"mappings":"","sourcesContent":["export type InstallerOptions = {\n  /**\n   * Whether to enable debug mode.\n   */\n  debug: boolean;\n\n  /**\n   * Whether to force install the SDK package to continue with the installation in case\n   * any package manager checks are failing (e.g. peer dependency versions).\n   *\n   * Use with caution and only if you know what you're doing.\n   *\n   * Does not apply to all wizard flows (currently NPM only)\n   */\n  forceInstall: boolean;\n\n  /**\n   * The directory to run the wizard in.\n   */\n  installDir: string;\n\n  /**\n   * Whether to use local services (LLM gateway on localhost:8000)\n   */\n  local: boolean;\n\n  /**\n   * CI mode - non-interactive execution\n   */\n  ci: boolean;\n\n  /**\n   * Skip authentication check (for local development only)\n   */\n  skipAuth: boolean;\n\n  /**\n   * WorkOS API key (sk_xxx)\n   */\n  apiKey?: string;\n\n  /**\n   * WorkOS Client ID (client_xxx)\n   */\n  clientId?: string;\n\n  /**\n   * App homepage URL for WorkOS dashboard config.\n   * Defaults to http://localhost:{detected_port}\n   */\n  homepageUrl?: string;\n\n  /**\n   * Redirect URI for WorkOS callback.\n   * Defaults to framework-specific convention (e.g., /api/auth/callback)\n   */\n  redirectUri?: string;\n\n  /**\n   * [Experimental] Enable visual dashboard mode\n   */\n  dashboard?: boolean;\n\n  /**\n   * Event emitter for dashboard mode\n   */\n  emitter?: import('../lib/events.js').InstallerEventEmitter;\n\n  /**\n   * Enable XState inspector - opens browser to visualize state machine live\n   */\n  inspect?: boolean;\n\n  /**\n   * Skip post-installation validation (includes build check)\n   */\n  noValidate?: boolean;\n\n  /**\n   * Skip post-install commit and PR workflow\n   */\n  noCommit?: boolean;\n\n  /**\n   * Skip branch creation (continue on current branch)\n   */\n  noBranch?: boolean;\n\n  /**\n   * Auto-create pull request after installation\n   */\n  createPr?: boolean;\n\n  /**\n   * Skip git dirty working tree check\n   */\n  noGitCheck?: boolean;\n\n  /**\n   * Direct mode - bypass llm-gateway and use user's own Anthropic API key.\n   * Requires ANTHROPIC_API_KEY environment variable.\n   */\n  direct?: boolean;\n\n  /**\n   * Max correction attempts after initial agent run.\n   * The agent gets this many chances to fix validation failures (typecheck/build).\n   * Default: 2. Set to 0 to disable retries entirely.\n   */\n  maxRetries?: number;\n\n  /**\n   * Scaffold a new Next.js app when run in an empty directory.\n   * Auto-enabled in headless mode; opt-in via --scaffold in interactive mode.\n   */\n  scaffold?: boolean;\n\n  /**\n   * Package manager for the scaffolded app (npm/pnpm/yarn/bun).\n   * Overrides detection from npm_config_user_agent.\n   */\n  pm?: string;\n};\n\nexport interface Feature {\n  id: string;\n  prompt: string;\n  enabledHint?: string;\n  disabledHint?: string;\n}\n\nexport type FileChange = {\n  filePath: string;\n  oldContent?: string;\n  newContent: string;\n};\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "workos",
-  "version": "0.16.0",
+  "version": "0.17.1",
   "type": "module",
   "description": "The Official Workos CLI",
   "repository": {
@@ -54,7 +54,7 @@
     "@workos-inc/node": "^8.7.0",
     "@workos/migrations": "^2.0.0",
     "@workos/openapi-spec": "^0.1.0",
-    "@workos/skills": "0.6.0",
+    "@workos/skills": "0.6.1",
     "chalk": "^5.6.2",
     "diff": "^8.0.3",
     "fast-glob": "^3.3.3",