workos 0.3.3 → 0.5.0

package/dist/lib/constants.d.ts

@@ -1,16 +1,20 @@
-export declare enum Integration {
-    nextjs = "nextjs",
-    react = "react",
-    tanstackStart = "tanstack-start",
-    reactRouter = "react-router",
-    vanillaJs = "vanilla-js"
-}
-export declare function getIntegrationDescription(type: string): string;
-type IntegrationChoice = {
-    name: string;
-    value: string;
+/**
+ * Integration identifier type.
+ * No longer an enum — each integration self-registers via the auto-discovery registry.
+ * The string value matches the integration directory name (e.g., 'nextjs', 'react-router').
+ */
+export type Integration = string;
+/**
+ * Well-known integration names for backwards compatibility.
+ * New integrations do NOT need to be added here — they're auto-discovered.
+ */
+export declare const KNOWN_INTEGRATIONS: {
+    readonly nextjs: "nextjs";
+    readonly react: "react";
+    readonly tanstackStart: "tanstack-start";
+    readonly reactRouter: "react-router";
+    readonly vanillaJs: "vanilla-js";
 };
-export declare function getIntegrationChoices(): IntegrationChoice[];
 export interface Args {
     debug: boolean;
     integration: Integration;
@@ -26,7 +30,6 @@ export declare const WORKOS_TELEMETRY_ENABLED: boolean;
 export declare const OAUTH_PORT: number;
 /**
  * Common glob patterns to ignore when searching for files.
- * Used by both Next.js and React Router integrations.
+ * Used by multiple integrations.
  */
 export declare const IGNORE_PATTERNS: string[];
-export {};

package/dist/lib/constants.js

@@ -1,34 +1,15 @@
 import { getConfig } from './settings.js';
-export var Integration;
-(function (Integration) {
-    Integration["nextjs"] = "nextjs";
-    Integration["react"] = "react";
-    Integration["tanstackStart"] = "tanstack-start";
-    Integration["reactRouter"] = "react-router";
-    Integration["vanillaJs"] = "vanilla-js";
-})(Integration || (Integration = {}));
-export function getIntegrationDescription(type) {
-    switch (type) {
-        case Integration.nextjs:
-            return 'Next.js';
-        case Integration.react:
-            return 'React (SPA)';
-        case Integration.tanstackStart:
-            return 'TanStack Start';
-        case Integration.reactRouter:
-            return 'React Router';
-        case Integration.vanillaJs:
-            return 'Vanilla JavaScript';
-        default:
-            throw new Error(`Unknown integration ${type}`);
-    }
-}
-export function getIntegrationChoices() {
-    return Object.keys(Integration).map((type) => ({
-        name: getIntegrationDescription(type),
-        value: type,
-    }));
-}
+/**
+ * Well-known integration names for backwards compatibility.
+ * New integrations do NOT need to be added here — they're auto-discovered.
+ */
+export const KNOWN_INTEGRATIONS = {
+    nextjs: 'nextjs',
+    react: 'react',
+    tanstackStart: 'tanstack-start',
+    reactRouter: 'react-router',
+    vanillaJs: 'vanilla-js',
+};
 export const IS_DEV = ['test', 'development'].includes(process.env.NODE_ENV ?? '');
 const settings = getConfig();
 export const DEBUG = settings.logging.debugMode;
@@ -41,7 +22,7 @@ export const WORKOS_TELEMETRY_ENABLED = process.env.WORKOS_TELEMETRY !== 'false'
 export const OAUTH_PORT = settings.legacy.oauthPort;
 /**
  * Common glob patterns to ignore when searching for files.
- * Used by both Next.js and React Router integrations.
+ * Used by multiple integrations.
  */
 export const IGNORE_PATTERNS = [
     '**/node_modules/**',

package/dist/lib/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/lib/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE1C,MAAM,CAAN,IAAY,WAMX;AAND,WAAY,WAAW;IACrB,gCAAiB,CAAA;IACjB,8BAAe,CAAA;IACf,+CAAgC,CAAA;IAChC,2CAA4B,CAAA;IAC5B,uCAAwB,CAAA;AAC1B,CAAC,EANW,WAAW,KAAX,WAAW,QAMtB;AAED,MAAM,UAAU,yBAAyB,CAAC,IAAY;IACpD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,WAAW,CAAC,MAAM;YACrB,OAAO,SAAS,CAAC;QACnB,KAAK,WAAW,CAAC,KAAK;YACpB,OAAO,aAAa,CAAC;QACvB,KAAK,WAAW,CAAC,aAAa;YAC5B,OAAO,gBAAgB,CAAC;QAC1B,KAAK,WAAW,CAAC,WAAW;YAC1B,OAAO,cAAc,CAAC;QACxB,KAAK,WAAW,CAAC,SAAS;YACxB,OAAO,oBAAoB,CAAC;QAC9B;YACE,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC;AAOD,MAAM,UAAU,qBAAqB;IACnC,OAAO,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,CAAC;QACrD,IAAI,EAAE,yBAAyB,CAAC,IAAI,CAAC;QACrC,KAAK,EAAE,IAAI;KACZ,CAAC,CAAC,CAAC;AACN,CAAC;AAOD,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;AAEnF,MAAM,QAAQ,GAAG,SAAS,EAAE,CAAC;AAE7B,MAAM,CAAC,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;AAChD,MAAM,CAAC,MAAM,eAAe,GAAG,QAAQ,CAAC,aAAa,CAAC,aAAa,CAAC;AACpE,MAAM,CAAC,MAAM,oBAAoB,GAAG,QAAQ,CAAC,aAAa,CAAC,YAAY,CAAC;AACxE,MAAM,CAAC,MAAM,UAAU,GAAG,QAAQ,CAAC,aAAa,CAAC,SAAS,CAAC;AAC3D,MAAM,CAAC,MAAM,iBAAiB,GAAG,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC;AAC5D,MAAM,CAAC,MAAM,gCAAgC,GAAG,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC;AAC7E,MAAM,CAAC,MAAM,wBAAwB,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,OAAO,CAAC;AACjF,MAAM,CAAC,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;AAEpD;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAa;IACvC,oBAAoB;IACpB,YAAY;IACZ,aAAa;IACb,cAAc;IACd,aAAa;CACd,CAAC","sourcesContent":["import { getConfig } from './settings.js';\n\nexport enum Integration {\n  nextjs = 'nextjs',\n  react = 'react',\n  tanstackStart = 'tanstack-start',\n  reactRouter = 'react-router',\n  vanillaJs = 'vanilla-js',\n}\n\nexport function getIntegrationDescription(type: string): string {\n  switch (type) {\n    case Integration.nextjs:\n      return 'Next.js';\n    case Integration.react:\n      return 'React (SPA)';\n    case Integration.tanstackStart:\n      return 'TanStack Start';\n    case Integration.reactRouter:\n      return 'React Router';\n    case Integration.vanillaJs:\n      return 'Vanilla JavaScript';\n    default:\n      throw new Error(`Unknown integration ${type}`);\n  }\n}\n\ntype IntegrationChoice = {\n  name: string;\n  value: string;\n};\n\nexport function getIntegrationChoices(): IntegrationChoice[] {\n  return Object.keys(Integration).map((type: string) => ({\n    name: getIntegrationDescription(type),\n    value: type,\n  }));\n}\n\nexport interface Args {\n  debug: boolean;\n  integration: Integration;\n}\n\nexport const IS_DEV = ['test', 'development'].includes(process.env.NODE_ENV ?? '');\n\nconst settings = getConfig();\n\nexport const DEBUG = settings.logging.debugMode;\nexport const WORKOS_DOCS_URL = settings.documentation.workosDocsUrl;\nexport const WORKOS_DASHBOARD_URL = settings.documentation.dashboardUrl;\nexport const ISSUES_URL = settings.documentation.issuesUrl;\nexport const ANALYTICS_ENABLED = settings.telemetry.enabled;\nexport const INSTALLER_INTERACTION_EVENT_NAME = settings.telemetry.eventName;\nexport const WORKOS_TELEMETRY_ENABLED = process.env.WORKOS_TELEMETRY !== 'false';\nexport const OAUTH_PORT = settings.legacy.oauthPort;\n\n/**\n * Common glob patterns to ignore when searching for files.\n * Used by both Next.js and React Router integrations.\n */\nexport const IGNORE_PATTERNS: string[] = [\n  '**/node_modules/**',\n  '**/dist/**',\n  '**/build/**',\n  '**/public/**',\n  '**/.next/**',\n];\n"]}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/lib/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAS1C;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,OAAO;IACd,aAAa,EAAE,gBAAgB;IAC/B,WAAW,EAAE,cAAc;IAC3B,SAAS,EAAE,YAAY;CACf,CAAC;AAOX,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;AAEnF,MAAM,QAAQ,GAAG,SAAS,EAAE,CAAC;AAE7B,MAAM,CAAC,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;AAChD,MAAM,CAAC,MAAM,eAAe,GAAG,QAAQ,CAAC,aAAa,CAAC,aAAa,CAAC;AACpE,MAAM,CAAC,MAAM,oBAAoB,GAAG,QAAQ,CAAC,aAAa,CAAC,YAAY,CAAC;AACxE,MAAM,CAAC,MAAM,UAAU,GAAG,QAAQ,CAAC,aAAa,CAAC,SAAS,CAAC;AAC3D,MAAM,CAAC,MAAM,iBAAiB,GAAG,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC;AAC5D,MAAM,CAAC,MAAM,gCAAgC,GAAG,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC;AAC7E,MAAM,CAAC,MAAM,wBAAwB,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,OAAO,CAAC;AACjF,MAAM,CAAC,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;AAEpD;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAa;IACvC,oBAAoB;IACpB,YAAY;IACZ,aAAa;IACb,cAAc;IACd,aAAa;CACd,CAAC","sourcesContent":["import { getConfig } from './settings.js';\n\n/**\n * Integration identifier type.\n * No longer an enum — each integration self-registers via the auto-discovery registry.\n * The string value matches the integration directory name (e.g., 'nextjs', 'react-router').\n */\nexport type Integration = string;\n\n/**\n * Well-known integration names for backwards compatibility.\n * New integrations do NOT need to be added here — they're auto-discovered.\n */\nexport const KNOWN_INTEGRATIONS = {\n  nextjs: 'nextjs',\n  react: 'react',\n  tanstackStart: 'tanstack-start',\n  reactRouter: 'react-router',\n  vanillaJs: 'vanilla-js',\n} as const;\n\nexport interface Args {\n  debug: boolean;\n  integration: Integration;\n}\n\nexport const IS_DEV = ['test', 'development'].includes(process.env.NODE_ENV ?? '');\n\nconst settings = getConfig();\n\nexport const DEBUG = settings.logging.debugMode;\nexport const WORKOS_DOCS_URL = settings.documentation.workosDocsUrl;\nexport const WORKOS_DASHBOARD_URL = settings.documentation.dashboardUrl;\nexport const ISSUES_URL = settings.documentation.issuesUrl;\nexport const ANALYTICS_ENABLED = settings.telemetry.enabled;\nexport const INSTALLER_INTERACTION_EVENT_NAME = settings.telemetry.eventName;\nexport const WORKOS_TELEMETRY_ENABLED = process.env.WORKOS_TELEMETRY !== 'false';\nexport const OAUTH_PORT = settings.legacy.oauthPort;\n\n/**\n * Common glob patterns to ignore when searching for files.\n * Used by multiple integrations.\n */\nexport const IGNORE_PATTERNS: string[] = [\n  '**/node_modules/**',\n  '**/dist/**',\n  '**/build/**',\n  '**/public/**',\n  '**/.next/**',\n];\n"]}

package/dist/lib/credential-store.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Credential storage abstraction with keyring support and file fallback.
+ *
+ * Storage priority:
+ * 1. If --insecure-storage: use file only
+ * 2. Try keyring, fall back to file with warning if unavailable
+ */
+export interface StagingCache {
+    clientId: string;
+    apiKey: string;
+    fetchedAt: number;
+}
+export interface Credentials {
+    accessToken: string;
+    expiresAt: number;
+    userId: string;
+    email?: string;
+    staging?: StagingCache;
+    refreshToken?: string;
+}
+export declare function setInsecureStorage(value: boolean): void;
+declare function getCredentialsPath(): string;
+export declare function hasCredentials(): boolean;
+export declare function getCredentials(): Credentials | null;
+export declare function saveCredentials(creds: Credentials): void;
+export declare function clearCredentials(): void;
+export declare function updateTokens(accessToken: string, expiresAt: number, refreshToken?: string): void;
+export { getCredentialsPath };

package/dist/lib/credential-store.js

@@ -0,0 +1,150 @@
+/**
+ * Credential storage abstraction with keyring support and file fallback.
+ *
+ * Storage priority:
+ * 1. If --insecure-storage: use file only
+ * 2. Try keyring, fall back to file with warning if unavailable
+ */
+import { Entry } from '@napi-rs/keyring';
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { logWarn } from '../utils/debug.js';
+const SERVICE_NAME = 'workos-cli';
+const ACCOUNT_NAME = 'credentials';
+let fallbackWarningShown = false;
+let forceInsecureStorage = false;
+export function setInsecureStorage(value) {
+    forceInsecureStorage = value;
+}
+function getCredentialsDir() {
+    return path.join(os.homedir(), '.workos');
+}
+function getCredentialsPath() {
+    return path.join(getCredentialsDir(), 'credentials.json');
+}
+function fileExists() {
+    return fs.existsSync(getCredentialsPath());
+}
+function readFromFile() {
+    if (!fileExists())
+        return null;
+    try {
+        const content = fs.readFileSync(getCredentialsPath(), 'utf-8');
+        return JSON.parse(content);
+    }
+    catch (error) {
+        logWarn('Failed to read credentials file:', error);
+        return null;
+    }
+}
+function writeToFile(creds) {
+    const dir = getCredentialsDir();
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    fs.writeFileSync(getCredentialsPath(), JSON.stringify(creds, null, 2), {
+        mode: 0o600,
+    });
+}
+function deleteFile() {
+    if (fileExists()) {
+        fs.unlinkSync(getCredentialsPath());
+    }
+}
+function getKeyringEntry() {
+    return new Entry(SERVICE_NAME, ACCOUNT_NAME);
+}
+function readFromKeyring() {
+    try {
+        const entry = getKeyringEntry();
+        const data = entry.getPassword();
+        if (!data)
+            return null;
+        return JSON.parse(data);
+    }
+    catch (error) {
+        logWarn('Failed to read from keyring:', error);
+        return null;
+    }
+}
+function writeToKeyring(creds) {
+    try {
+        const entry = getKeyringEntry();
+        entry.setPassword(JSON.stringify(creds));
+        return true;
+    }
+    catch (error) {
+        logWarn('Failed to write to keyring:', error);
+        return false;
+    }
+}
+function deleteFromKeyring() {
+    try {
+        const entry = getKeyringEntry();
+        entry.deletePassword();
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        if (!msg.includes('not found') && !msg.includes('No such')) {
+            logWarn('Failed to delete from keyring:', error);
+        }
+    }
+}
+function showFallbackWarning() {
+    if (fallbackWarningShown || forceInsecureStorage)
+        return;
+    fallbackWarningShown = true;
+    logWarn('Unable to store credentials in system keyring. Using file storage.', 'Credentials saved to ~/.workos/credentials.json', 'Use --insecure-storage to suppress this warning.');
+}
+export function hasCredentials() {
+    if (forceInsecureStorage) {
+        return fileExists();
+    }
+    return readFromKeyring() !== null || fileExists();
+}
+export function getCredentials() {
+    if (forceInsecureStorage)
+        return readFromFile();
+    const keyringCreds = readFromKeyring();
+    if (keyringCreds)
+        return keyringCreds;
+    const fileCreds = readFromFile();
+    if (fileCreds) {
+        // Migrate file creds to keyring if possible
+        if (writeToKeyring(fileCreds))
+            deleteFile();
+        return fileCreds;
+    }
+    return null;
+}
+export function saveCredentials(creds) {
+    if (forceInsecureStorage)
+        return writeToFile(creds);
+    if (writeToKeyring(creds)) {
+        deleteFile();
+    }
+    else {
+        showFallbackWarning();
+        writeToFile(creds);
+    }
+}
+export function clearCredentials() {
+    deleteFromKeyring();
+    deleteFile();
+}
+export function updateTokens(accessToken, expiresAt, refreshToken) {
+    const creds = getCredentials();
+    if (!creds) {
+        throw new Error('No existing credentials to update');
+    }
+    const updated = {
+        ...creds,
+        accessToken,
+        expiresAt,
+        ...(refreshToken && { refreshToken }),
+    };
+    saveCredentials(updated);
+}
+export { getCredentialsPath };
+//# sourceMappingURL=credential-store.js.map

package/dist/lib/credential-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.js","sourceRoot":"","sources":["../../src/lib/credential-store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAiB5C,MAAM,YAAY,GAAG,YAAY,CAAC;AAClC,MAAM,YAAY,GAAG,aAAa,CAAC;AAEnC,IAAI,oBAAoB,GAAG,KAAK,CAAC;AACjC,IAAI,oBAAoB,GAAG,KAAK,CAAC;AAEjC,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,oBAAoB,GAAG,KAAK,CAAC;AAC/B,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,EAAE,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,YAAY;IACnB,IAAI,CAAC,UAAU,EAAE;QAAE,OAAO,IAAI,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,kBAAkB,EAAE,EAAE,OAAO,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,KAAkB;IACrC,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,kBAAkB,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACrE,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;AACL,CAAC;AAED,SAAS,UAAU;IACjB,IAAI,UAAU,EAAE,EAAE,CAAC;QACjB,EAAE,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,KAAK,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,eAAe;IACtB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QACjC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAkB;IACxC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB;IACxB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,KAAK,CAAC,cAAc,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB;IAC1B,IAAI,oBAAoB,IAAI,oBAAoB;QAAE,OAAO;IACzD,oBAAoB,GAAG,IAAI,CAAC;IAC5B,OAAO,CACL,oEAAoE,EACpE,iDAAiD,EACjD,kDAAkD,CACnD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,IAAI,oBAAoB,EAAE,CAAC;QACzB,OAAO,UAAU,EAAE,CAAC;IACtB,CAAC;IACD,OAAO,eAAe,EAAE,KAAK,IAAI,IAAI,UAAU,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,IAAI,oBAAoB;QAAE,OAAO,YAAY,EAAE,CAAC;IAEhD,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,IAAI,SAAS,EAAE,CAAC;QACd,4CAA4C;QAC5C,IAAI,cAAc,CAAC,SAAS,CAAC;YAAE,UAAU,EAAE,CAAC;QAC5C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAkB;IAChD,IAAI,oBAAoB;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;IAEpD,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,UAAU,EAAE,CAAC;IACf,CAAC;SAAM,CAAC;QACN,mBAAmB,EAAE,CAAC;QACtB,WAAW,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,iBAAiB,EAAE,CAAC;IACpB,UAAU,EAAE,CAAC;AACf,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,WAAmB,EAAE,SAAiB,EAAE,YAAqB;IACxF,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,OAAO,GAAgB;QAC3B,GAAG,KAAK;QACR,WAAW;QACX,SAAS;QACT,GAAG,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,CAAC;KACtC,CAAC;IAEF,eAAe,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAC","sourcesContent":["/**\n * Credential storage abstraction with keyring support and file fallback.\n *\n * Storage priority:\n * 1. If --insecure-storage: use file only\n * 2. Try keyring, fall back to file with warning if unavailable\n */\n\nimport { Entry } from '@napi-rs/keyring';\nimport fs from 'node:fs';\nimport path from 'node:path';\nimport os from 'node:os';\nimport { logWarn } from '../utils/debug.js';\n\nexport interface StagingCache {\n  clientId: string;\n  apiKey: string;\n  fetchedAt: number;\n}\n\nexport interface Credentials {\n  accessToken: string;\n  expiresAt: number;\n  userId: string;\n  email?: string;\n  staging?: StagingCache;\n  refreshToken?: string;\n}\n\nconst SERVICE_NAME = 'workos-cli';\nconst ACCOUNT_NAME = 'credentials';\n\nlet fallbackWarningShown = false;\nlet forceInsecureStorage = false;\n\nexport function setInsecureStorage(value: boolean): void {\n  forceInsecureStorage = value;\n}\n\nfunction getCredentialsDir(): string {\n  return path.join(os.homedir(), '.workos');\n}\n\nfunction getCredentialsPath(): string {\n  return path.join(getCredentialsDir(), 'credentials.json');\n}\n\nfunction fileExists(): boolean {\n  return fs.existsSync(getCredentialsPath());\n}\n\nfunction readFromFile(): Credentials | null {\n  if (!fileExists()) return null;\n  try {\n    const content = fs.readFileSync(getCredentialsPath(), 'utf-8');\n    return JSON.parse(content);\n  } catch (error) {\n    logWarn('Failed to read credentials file:', error);\n    return null;\n  }\n}\n\nfunction writeToFile(creds: Credentials): void {\n  const dir = getCredentialsDir();\n  if (!fs.existsSync(dir)) {\n    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });\n  }\n  fs.writeFileSync(getCredentialsPath(), JSON.stringify(creds, null, 2), {\n    mode: 0o600,\n  });\n}\n\nfunction deleteFile(): void {\n  if (fileExists()) {\n    fs.unlinkSync(getCredentialsPath());\n  }\n}\n\nfunction getKeyringEntry(): Entry {\n  return new Entry(SERVICE_NAME, ACCOUNT_NAME);\n}\n\nfunction readFromKeyring(): Credentials | null {\n  try {\n    const entry = getKeyringEntry();\n    const data = entry.getPassword();\n    if (!data) return null;\n    return JSON.parse(data);\n  } catch (error) {\n    logWarn('Failed to read from keyring:', error);\n    return null;\n  }\n}\n\nfunction writeToKeyring(creds: Credentials): boolean {\n  try {\n    const entry = getKeyringEntry();\n    entry.setPassword(JSON.stringify(creds));\n    return true;\n  } catch (error) {\n    logWarn('Failed to write to keyring:', error);\n    return false;\n  }\n}\n\nfunction deleteFromKeyring(): void {\n  try {\n    const entry = getKeyringEntry();\n    entry.deletePassword();\n  } catch (error) {\n    const msg = error instanceof Error ? error.message : String(error);\n    if (!msg.includes('not found') && !msg.includes('No such')) {\n      logWarn('Failed to delete from keyring:', error);\n    }\n  }\n}\n\nfunction showFallbackWarning(): void {\n  if (fallbackWarningShown || forceInsecureStorage) return;\n  fallbackWarningShown = true;\n  logWarn(\n    'Unable to store credentials in system keyring. Using file storage.',\n    'Credentials saved to ~/.workos/credentials.json',\n    'Use --insecure-storage to suppress this warning.',\n  );\n}\n\nexport function hasCredentials(): boolean {\n  if (forceInsecureStorage) {\n    return fileExists();\n  }\n  return readFromKeyring() !== null || fileExists();\n}\n\nexport function getCredentials(): Credentials | null {\n  if (forceInsecureStorage) return readFromFile();\n\n  const keyringCreds = readFromKeyring();\n  if (keyringCreds) return keyringCreds;\n\n  const fileCreds = readFromFile();\n  if (fileCreds) {\n    // Migrate file creds to keyring if possible\n    if (writeToKeyring(fileCreds)) deleteFile();\n    return fileCreds;\n  }\n\n  return null;\n}\n\nexport function saveCredentials(creds: Credentials): void {\n  if (forceInsecureStorage) return writeToFile(creds);\n\n  if (writeToKeyring(creds)) {\n    deleteFile();\n  } else {\n    showFallbackWarning();\n    writeToFile(creds);\n  }\n}\n\nexport function clearCredentials(): void {\n  deleteFromKeyring();\n  deleteFile();\n}\n\nexport function updateTokens(accessToken: string, expiresAt: number, refreshToken?: string): void {\n  const creds = getCredentials();\n  if (!creds) {\n    throw new Error('No existing credentials to update');\n  }\n\n  const updated: Credentials = {\n    ...creds,\n    accessToken,\n    expiresAt,\n    ...(refreshToken && { refreshToken }),\n  };\n\n  saveCredentials(updated);\n}\n\nexport { getCredentialsPath };\n"]}

package/dist/lib/credentials.d.ts

@@ -1,47 +1,13 @@
-export interface StagingCache {
-    clientId: string;
-    apiKey: string;
-    fetchedAt: number;
-}
-export interface Credentials {
-    accessToken: string;
-    expiresAt: number;
-    userId: string;
-    email?: string;
-    staging?: StagingCache;
-    refreshToken?: string;
-}
-export declare function getCredentialsPath(): string;
-export declare function hasCredentials(): boolean;
-export declare function getCredentials(): Credentials | null;
-export declare function saveCredentials(creds: Credentials): void;
-export declare function clearCredentials(): void;
-/**
- * Check if token is actually expired (hard expiry check).
- */
+export type { StagingCache, Credentials } from './credential-store.js';
+export { hasCredentials, getCredentials, saveCredentials, clearCredentials, updateTokens, getCredentialsPath, setInsecureStorage, } from './credential-store.js';
+import type { Credentials } from './credential-store.js';
 export declare function isTokenExpired(creds: Credentials): boolean;
-/**
- * Get access token if available and not expired.
- */
 export declare function getAccessToken(): string | null;
-/**
- * Save staging credentials to the credential cache.
- * Staging credentials are tied to the access token lifecycle.
- */
 export declare function saveStagingCredentials(staging: {
     clientId: string;
     apiKey: string;
 }): void;
-/**
- * Get cached staging credentials if available and access token is still valid.
- * Returns null if no cached credentials or if access token has expired.
- */
 export declare function getStagingCredentials(): {
     clientId: string;
     apiKey: string;
 } | null;
-/**
- * Atomically update tokens in credentials file.
- * Uses write-to-temp + rename pattern for atomic updates.
- */
-export declare function updateTokens(accessToken: string, expiresAt: number, refreshToken?: string): void;

package/dist/lib/credentials.js

@@ -1,49 +1,8 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import os from 'node:os';
-function getCredentialsDir() {
-    return path.join(os.homedir(), '.workos');
-}
-export function getCredentialsPath() {
-    return path.join(getCredentialsDir(), 'credentials.json');
-}
-export function hasCredentials() {
-    return fs.existsSync(getCredentialsPath());
-}
-export function getCredentials() {
-    if (!hasCredentials())
-        return null;
-    try {
-        const content = fs.readFileSync(getCredentialsPath(), 'utf-8');
-        return JSON.parse(content);
-    }
-    catch {
-        return null;
-    }
-}
-export function saveCredentials(creds) {
-    const dir = getCredentialsDir();
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
-    }
-    fs.writeFileSync(getCredentialsPath(), JSON.stringify(creds, null, 2), {
-        mode: 0o600,
-    });
-}
-export function clearCredentials() {
-    if (hasCredentials()) {
-        fs.unlinkSync(getCredentialsPath());
-    }
-}
-/**
- * Check if token is actually expired (hard expiry check).
- */
+export { hasCredentials, getCredentials, saveCredentials, clearCredentials, updateTokens, getCredentialsPath, setInsecureStorage, } from './credential-store.js';
+import { getCredentials, saveCredentials } from './credential-store.js';
 export function isTokenExpired(creds) {
     return Date.now() >= creds.expiresAt;
 }
-/**
- * Get access token if available and not expired.
- */
 export function getAccessToken() {
     const creds = getCredentials();
     if (!creds)
@@ -52,10 +11,6 @@ export function getAccessToken() {
         return null;
     return creds.accessToken;
 }
-/**
- * Save staging credentials to the credential cache.
- * Staging credentials are tied to the access token lifecycle.
- */
 export function saveStagingCredentials(staging) {
     const creds = getCredentials();
     if (!creds)
@@ -68,50 +23,12 @@ export function saveStagingCredentials(staging) {
         },
     });
 }
-/**
- * Get cached staging credentials if available and access token is still valid.
- * Returns null if no cached credentials or if access token has expired.
- */
 export function getStagingCredentials() {
     const creds = getCredentials();
     if (!creds?.staging)
         return null;
-    // Invalidate staging credentials when access token expires
     if (isTokenExpired(creds))
         return null;
     return { clientId: creds.staging.clientId, apiKey: creds.staging.apiKey };
 }
-/**
- * Atomically update tokens in credentials file.
- * Uses write-to-temp + rename pattern for atomic updates.
- */
-export function updateTokens(accessToken, expiresAt, refreshToken) {
-    const creds = getCredentials();
-    if (!creds) {
-        throw new Error('No existing credentials to update');
-    }
-    const updated = {
-        ...creds,
-        accessToken,
-        expiresAt,
-        ...(refreshToken && { refreshToken }),
-    };
-    // Atomic write: temp file + rename
-    const credPath = getCredentialsPath();
-    const tempPath = `${credPath}.${crypto.randomUUID()}.tmp`;
-    try {
-        fs.writeFileSync(tempPath, JSON.stringify(updated, null, 2), { mode: 0o600 });
-        fs.renameSync(tempPath, credPath);
-    }
-    catch (error) {
-        // Clean up temp file if rename failed
-        try {
-            fs.unlinkSync(tempPath);
-        }
-        catch {
-            // Ignore cleanup errors
-        }
-        throw error;
-    }
-}
 //# sourceMappingURL=credentials.js.map

package/dist/lib/credentials.js.map

@@ -1 +1 @@
-{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/lib/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAiBzB,SAAS,iBAAiB;IACxB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,OAAO,EAAE,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC,cAAc,EAAE;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,kBAAkB,EAAE,EAAE,OAAO,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAkB;IAChD,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,kBAAkB,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACrE,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,IAAI,cAAc,EAAE,EAAE,CAAC;QACrB,EAAE,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,cAAc,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,KAAK,CAAC,WAAW,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAA6C;IAClF,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,eAAe,CAAC;QACd,GAAG,KAAK;QACR,OAAO,EAAE;YACP,GAAG,OAAO;YACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,OAAO;QAAE,OAAO,IAAI,CAAC;IACjC,2DAA2D;IAC3D,IAAI,cAAc,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;AAC5E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,WAAmB,EAAE,SAAiB,EAAE,YAAqB;IACxF,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,OAAO,GAAgB;QAC3B,GAAG,KAAK;QACR,WAAW;QACX,SAAS;QACT,GAAG,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,CAAC;KACtC,CAAC;IAEF,mCAAmC;IACnC,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC;IAE1D,IAAI,CAAC;QACH,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9E,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,sCAAsC;QACtC,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC","sourcesContent":["import fs from 'node:fs';\nimport path from 'node:path';\nimport os from 'node:os';\n\nexport interface StagingCache {\n  clientId: string;\n  apiKey: string;\n  fetchedAt: number;\n}\n\nexport interface Credentials {\n  accessToken: string;\n  expiresAt: number;\n  userId: string;\n  email?: string;\n  staging?: StagingCache;\n  refreshToken?: string;\n}\n\nfunction getCredentialsDir(): string {\n  return path.join(os.homedir(), '.workos');\n}\n\nexport function getCredentialsPath(): string {\n  return path.join(getCredentialsDir(), 'credentials.json');\n}\n\nexport function hasCredentials(): boolean {\n  return fs.existsSync(getCredentialsPath());\n}\n\nexport function getCredentials(): Credentials | null {\n  if (!hasCredentials()) return null;\n  try {\n    const content = fs.readFileSync(getCredentialsPath(), 'utf-8');\n    return JSON.parse(content);\n  } catch {\n    return null;\n  }\n}\n\nexport function saveCredentials(creds: Credentials): void {\n  const dir = getCredentialsDir();\n  if (!fs.existsSync(dir)) {\n    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });\n  }\n  fs.writeFileSync(getCredentialsPath(), JSON.stringify(creds, null, 2), {\n    mode: 0o600,\n  });\n}\n\nexport function clearCredentials(): void {\n  if (hasCredentials()) {\n    fs.unlinkSync(getCredentialsPath());\n  }\n}\n\n/**\n * Check if token is actually expired (hard expiry check).\n */\nexport function isTokenExpired(creds: Credentials): boolean {\n  return Date.now() >= creds.expiresAt;\n}\n\n/**\n * Get access token if available and not expired.\n */\nexport function getAccessToken(): string | null {\n  const creds = getCredentials();\n  if (!creds) return null;\n  if (isTokenExpired(creds)) return null;\n  return creds.accessToken;\n}\n\n/**\n * Save staging credentials to the credential cache.\n * Staging credentials are tied to the access token lifecycle.\n */\nexport function saveStagingCredentials(staging: { clientId: string; apiKey: string }): void {\n  const creds = getCredentials();\n  if (!creds) return;\n\n  saveCredentials({\n    ...creds,\n    staging: {\n      ...staging,\n      fetchedAt: Date.now(),\n    },\n  });\n}\n\n/**\n * Get cached staging credentials if available and access token is still valid.\n * Returns null if no cached credentials or if access token has expired.\n */\nexport function getStagingCredentials(): { clientId: string; apiKey: string } | null {\n  const creds = getCredentials();\n  if (!creds?.staging) return null;\n  // Invalidate staging credentials when access token expires\n  if (isTokenExpired(creds)) return null;\n  return { clientId: creds.staging.clientId, apiKey: creds.staging.apiKey };\n}\n\n/**\n * Atomically update tokens in credentials file.\n * Uses write-to-temp + rename pattern for atomic updates.\n */\nexport function updateTokens(accessToken: string, expiresAt: number, refreshToken?: string): void {\n  const creds = getCredentials();\n  if (!creds) {\n    throw new Error('No existing credentials to update');\n  }\n\n  const updated: Credentials = {\n    ...creds,\n    accessToken,\n    expiresAt,\n    ...(refreshToken && { refreshToken }),\n  };\n\n  // Atomic write: temp file + rename\n  const credPath = getCredentialsPath();\n  const tempPath = `${credPath}.${crypto.randomUUID()}.tmp`;\n\n  try {\n    fs.writeFileSync(tempPath, JSON.stringify(updated, null, 2), { mode: 0o600 });\n    fs.renameSync(tempPath, credPath);\n  } catch (error) {\n    // Clean up temp file if rename failed\n    try {\n      fs.unlinkSync(tempPath);\n    } catch {\n      // Ignore cleanup errors\n    }\n    throw error;\n  }\n}\n"]}
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/lib/credentials.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,cAAc,EACd,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExE,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,cAAc,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,KAAK,CAAC,WAAW,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAA6C;IAClF,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,eAAe,CAAC;QACd,GAAG,KAAK;QACR,OAAO,EAAE;YACP,GAAG,OAAO;YACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,OAAO;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,cAAc,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;AAC5E,CAAC","sourcesContent":["export type { StagingCache, Credentials } from './credential-store.js';\n\nexport {\n  hasCredentials,\n  getCredentials,\n  saveCredentials,\n  clearCredentials,\n  updateTokens,\n  getCredentialsPath,\n  setInsecureStorage,\n} from './credential-store.js';\n\nimport type { Credentials } from './credential-store.js';\nimport { getCredentials, saveCredentials } from './credential-store.js';\n\nexport function isTokenExpired(creds: Credentials): boolean {\n  return Date.now() >= creds.expiresAt;\n}\n\nexport function getAccessToken(): string | null {\n  const creds = getCredentials();\n  if (!creds) return null;\n  if (isTokenExpired(creds)) return null;\n  return creds.accessToken;\n}\n\nexport function saveStagingCredentials(staging: { clientId: string; apiKey: string }): void {\n  const creds = getCredentials();\n  if (!creds) return;\n\n  saveCredentials({\n    ...creds,\n    staging: {\n      ...staging,\n      fetchedAt: Date.now(),\n    },\n  });\n}\n\nexport function getStagingCredentials(): { clientId: string; apiKey: string } | null {\n  const creds = getCredentials();\n  if (!creds?.staging) return null;\n  if (isTokenExpired(creds)) return null;\n  return { clientId: creds.staging.clientId, apiKey: creds.staging.apiKey };\n}\n"]}

package/dist/lib/framework-config.d.ts

@@ -1,5 +1,5 @@
-import type { Integration } from './constants.js';
 import type { InstallerOptions } from '../utils/types.js';
+import type { Language } from './language-detection.js';
 /**
  * Configuration interface for framework-specific agent integrations.
  * Each framework exports a FrameworkConfig that the universal runner uses.
@@ -18,8 +18,8 @@ export interface FrameworkConfig {
 export interface FrameworkMetadata {
     /** Display name (e.g., "Next.js", "React") */
     name: string;
-    /** Integration type from constants */
-    integration: Integration;
+    /** Integration identifier (e.g., 'nextjs', 'python'). String, not enum — auto-discovered from registry. */
+    integration: string;
     /** URL to framework-specific WorkOS AuthKit docs */
     docsUrl: string;
     /**
@@ -36,9 +36,18 @@ export interface FrameworkMetadata {
     /**
      * Name of the framework-specific skill for agent integration.
      * Skills are located in .claude/skills/{skillName}/SKILL.md
-     * Will be populated per-framework in Phase 3.
      */
     skillName?: string;
+    /** Language ecosystem this integration belongs to */
+    language: Language;
+    /** Stability tier: 'stable' for tested integrations, 'experimental' for new ones */
+    stability: 'stable' | 'experimental';
+    /** Detection priority — higher numbers are checked first */
+    priority: number;
+    /** Default package manager command (e.g., 'pip', 'gem', 'go'). Optional for JS integrations. */
+    packageManager?: string;
+    /** Primary manifest file (e.g., 'pyproject.toml', 'Gemfile'). Optional for JS integrations. */
+    manifestFile?: string;
 }
 /**
  * Framework detection and version handling

package/dist/lib/framework-config.js.map

@@ -1 +1 @@
-{"version":3,"file":"framework-config.js","sourceRoot":"","sources":["../../src/lib/framework-config.ts"],"names":[],"mappings":"AAyHA;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,aAAqB;IACrD,OAAO,kBAAkB,aAAa,4BAA4B,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,iFAAiF,CAAC","sourcesContent":["import type { Integration } from './constants.js';\nimport type { InstallerOptions } from '../utils/types.js';\n\n/**\n * Configuration interface for framework-specific agent integrations.\n * Each framework exports a FrameworkConfig that the universal runner uses.\n */\nexport interface FrameworkConfig {\n  metadata: FrameworkMetadata;\n  detection: FrameworkDetection;\n  environment: EnvironmentConfig;\n  analytics: AnalyticsConfig;\n  prompts: PromptConfig;\n  ui: UIConfig;\n}\n\n/**\n * Basic framework information and documentation\n */\nexport interface FrameworkMetadata {\n  /** Display name (e.g., \"Next.js\", \"React\") */\n  name: string;\n\n  /** Integration type from constants */\n  integration: Integration;\n\n  /** URL to framework-specific WorkOS AuthKit docs */\n  docsUrl: string;\n\n  /**\n   * Optional URL to docs for users with unsupported framework versions.\n   * If not provided, defaults to docsUrl.\n   */\n  unsupportedVersionDocsUrl?: string;\n\n  /**\n   * Optional function to gather framework-specific context before agent runs.\n   * For Next.js: detects router type\n   * For React Native: detects Expo vs bare\n   */\n  gatherContext?: (options: InstallerOptions) => Promise<Record<string, any>>;\n\n  /**\n   * Name of the framework-specific skill for agent integration.\n   * Skills are located in .claude/skills/{skillName}/SKILL.md\n   * Will be populated per-framework in Phase 3.\n   */\n  skillName?: string;\n}\n\n/**\n * Framework detection and version handling\n */\nexport interface FrameworkDetection {\n  /** Package name to check in package.json (e.g., \"next\", \"react\") */\n  packageName: string;\n\n  /** Human-readable name for error messages (e.g., \"Next.js\") */\n  packageDisplayName: string;\n\n  /** Extract version from package.json */\n  getVersion: (packageJson: any) => string | undefined;\n\n  /** Optional: Convert version to analytics bucket (e.g., \"15.x\") */\n  getVersionBucket?: (version: string) => string;\n}\n\n/**\n * Environment variable configuration\n */\nexport interface EnvironmentConfig {\n  /** Whether to upload env vars to hosting providers post-agent */\n  uploadToHosting: boolean;\n\n  /** Whether this framework requires API key (false for client-only SDKs) */\n  requiresApiKey: boolean;\n\n  /**\n   * Build the environment variables object for this framework.\n   * Returns the exact variable names and values to upload to hosting providers.\n   */\n  getEnvVars: (apiKey: string, clientId: string) => Record<string, string>;\n}\n\n/**\n * Analytics configuration\n */\nexport interface AnalyticsConfig {\n  /** Generate tags from context (e.g., { 'nextjs-version': '15.x', 'router': 'app' }) */\n  getTags: (context: any) => Record<string, any>;\n\n  /** Optional: Additional event properties */\n  getEventProperties?: (context: any) => Record<string, any>;\n}\n\n/**\n * Prompt configuration\n */\nexport interface PromptConfig {\n  /**\n   * Optional: Additional context lines to append to base prompt\n   * For Next.js: \"- Router: app\"\n   * For React Native: \"- Platform: Expo\"\n   */\n  getAdditionalContextLines?: (context: any) => string[];\n}\n\n/**\n * UI messaging configuration\n */\nexport interface UIConfig {\n  /** Success message when agent completes */\n  successMessage: string;\n\n  /** Generate \"What the agent did\" bullets from context */\n  getOutroChanges: (context: any) => string[];\n\n  /** Generate \"Next steps\" bullets from context */\n  getOutroNextSteps: (context: any) => string[];\n}\n\n/**\n * Generate welcome message from framework name\n */\nexport function getWelcomeMessage(frameworkName: string): string {\n  return `WorkOS AuthKit ${frameworkName} installer (agent-powered)`;\n}\n\n/**\n * Shared spinner message for all frameworks\n */\nexport const SPINNER_MESSAGE = 'Setting up WorkOS AuthKit with login, authentication, and session management...';\n"]}
+{"version":3,"file":"framework-config.js","sourceRoot":"","sources":["../../src/lib/framework-config.ts"],"names":[],"mappings":"AAuIA;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,aAAqB;IACrD,OAAO,kBAAkB,aAAa,4BAA4B,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,iFAAiF,CAAC","sourcesContent":["import type { InstallerOptions } from '../utils/types.js';\nimport type { Language } from './language-detection.js';\n\n/**\n * Configuration interface for framework-specific agent integrations.\n * Each framework exports a FrameworkConfig that the universal runner uses.\n */\nexport interface FrameworkConfig {\n  metadata: FrameworkMetadata;\n  detection: FrameworkDetection;\n  environment: EnvironmentConfig;\n  analytics: AnalyticsConfig;\n  prompts: PromptConfig;\n  ui: UIConfig;\n}\n\n/**\n * Basic framework information and documentation\n */\nexport interface FrameworkMetadata {\n  /** Display name (e.g., \"Next.js\", \"React\") */\n  name: string;\n\n  /** Integration identifier (e.g., 'nextjs', 'python'). String, not enum — auto-discovered from registry. */\n  integration: string;\n\n  /** URL to framework-specific WorkOS AuthKit docs */\n  docsUrl: string;\n\n  /**\n   * Optional URL to docs for users with unsupported framework versions.\n   * If not provided, defaults to docsUrl.\n   */\n  unsupportedVersionDocsUrl?: string;\n\n  /**\n   * Optional function to gather framework-specific context before agent runs.\n   * For Next.js: detects router type\n   * For React Native: detects Expo vs bare\n   */\n  gatherContext?: (options: InstallerOptions) => Promise<Record<string, any>>;\n\n  /**\n   * Name of the framework-specific skill for agent integration.\n   * Skills are located in .claude/skills/{skillName}/SKILL.md\n   */\n  skillName?: string;\n\n  /** Language ecosystem this integration belongs to */\n  language: Language;\n\n  /** Stability tier: 'stable' for tested integrations, 'experimental' for new ones */\n  stability: 'stable' | 'experimental';\n\n  /** Detection priority — higher numbers are checked first */\n  priority: number;\n\n  /** Default package manager command (e.g., 'pip', 'gem', 'go'). Optional for JS integrations. */\n  packageManager?: string;\n\n  /** Primary manifest file (e.g., 'pyproject.toml', 'Gemfile'). Optional for JS integrations. */\n  manifestFile?: string;\n}\n\n/**\n * Framework detection and version handling\n */\nexport interface FrameworkDetection {\n  /** Package name to check in package.json (e.g., \"next\", \"react\") */\n  packageName: string;\n\n  /** Human-readable name for error messages (e.g., \"Next.js\") */\n  packageDisplayName: string;\n\n  /** Extract version from package.json */\n  getVersion: (packageJson: any) => string | undefined;\n\n  /** Optional: Convert version to analytics bucket (e.g., \"15.x\") */\n  getVersionBucket?: (version: string) => string;\n}\n\n/**\n * Environment variable configuration\n */\nexport interface EnvironmentConfig {\n  /** Whether to upload env vars to hosting providers post-agent */\n  uploadToHosting: boolean;\n\n  /** Whether this framework requires API key (false for client-only SDKs) */\n  requiresApiKey: boolean;\n\n  /**\n   * Build the environment variables object for this framework.\n   * Returns the exact variable names and values to upload to hosting providers.\n   */\n  getEnvVars: (apiKey: string, clientId: string) => Record<string, string>;\n}\n\n/**\n * Analytics configuration\n */\nexport interface AnalyticsConfig {\n  /** Generate tags from context (e.g., { 'nextjs-version': '15.x', 'router': 'app' }) */\n  getTags: (context: any) => Record<string, any>;\n\n  /** Optional: Additional event properties */\n  getEventProperties?: (context: any) => Record<string, any>;\n}\n\n/**\n * Prompt configuration\n */\nexport interface PromptConfig {\n  /**\n   * Optional: Additional context lines to append to base prompt\n   * For Next.js: \"- Router: app\"\n   * For React Native: \"- Platform: Expo\"\n   */\n  getAdditionalContextLines?: (context: any) => string[];\n}\n\n/**\n * UI messaging configuration\n */\nexport interface UIConfig {\n  /** Success message when agent completes */\n  successMessage: string;\n\n  /** Generate \"What the agent did\" bullets from context */\n  getOutroChanges: (context: any) => string[];\n\n  /** Generate \"Next steps\" bullets from context */\n  getOutroNextSteps: (context: any) => string[];\n}\n\n/**\n * Generate welcome message from framework name\n */\nexport function getWelcomeMessage(frameworkName: string): string {\n  return `WorkOS AuthKit ${frameworkName} installer (agent-powered)`;\n}\n\n/**\n * Shared spinner message for all frameworks\n */\nexport const SPINNER_MESSAGE = 'Setting up WorkOS AuthKit with login, authentication, and session management...';\n"]}

package/dist/lib/language-detection.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Supported programming languages for framework detection.
+ */
+export type Language = 'javascript' | 'python' | 'ruby' | 'php' | 'go' | 'kotlin' | 'dotnet' | 'elixir';
+export interface LanguageSignal {
+    language: Language;
+    confidence: number;
+    manifestFile: string;
+}
+export interface LanguageDetectionResult {
+    primary: Language;
+    signals: LanguageSignal[];
+    ambiguous: boolean;
+}
+/**
+ * Detect the primary programming language of a project.
+ * Runs all detectors and returns the highest-priority match.
+ * Sets `ambiguous: true` if multiple non-JS languages are detected.
+ */
+export declare function detectLanguage(cwd: string): LanguageDetectionResult | undefined;