workos 0.9.0 → 0.10.0

package/skills/workos-authkit-nextjs/SKILL.md

@@ -1,247 +0,0 @@
----
-name: workos-authkit-nextjs
-description: Integrate WorkOS AuthKit with Next.js App Router (13+). Server-side rendering required.
----
-
-# WorkOS AuthKit for Next.js
-
-## Step 1: Fetch SDK Documentation (BLOCKING)
-
-**STOP. Do not proceed until complete.**
-
-WebFetch: `https://raw.githubusercontent.com/workos/authkit-nextjs/main/README.md`
-
-The README is the source of truth. If this skill conflicts with README, follow README.
-
-## Step 2: Pre-Flight Validation
-
-### Project Structure
-
-- Confirm `next.config.js` or `next.config.mjs` exists
-- Confirm `package.json` contains `"next"` dependency
-
-### Environment Variables
-
-Check `.env.local` for:
-
-- `WORKOS_API_KEY` - starts with `sk_`
-- `WORKOS_CLIENT_ID` - starts with `client_`
-- `NEXT_PUBLIC_WORKOS_REDIRECT_URI` - valid callback URL
-- `WORKOS_COOKIE_PASSWORD` - 32+ characters
-
-## Step 3: Install SDK
-
-Detect package manager, install SDK package from README.
-
-**Verify:** SDK package exists in node_modules before continuing.
-
-## Step 4: Locate the app/ directory (BLOCKING)
-
-**STOP. Do this before creating any files.**
-
-Determine where the `app/` directory lives:
-
-```bash
-# Check for src/app/ first, then root app/
-ls src/app/ 2>/dev/null && echo "APP_DIR=src" || (ls app/ 2>/dev/null && echo "APP_DIR=root")
-```
-
-Set `APP_DIR` for all subsequent steps. All middleware/proxy files MUST be created in `APP_DIR`:
-
-- If `APP_DIR=src` → create files in `src/` (e.g., `src/proxy.ts`)
-- If `APP_DIR=root` → create files at project root (e.g., `proxy.ts`)
-
-Next.js only discovers middleware/proxy files in the parent directory of `app/`. A file at the wrong level is **silently ignored** — no error, just doesn't run.
-
-## Step 5: Version Detection (Decision Tree)
-
-Read Next.js version from `package.json`:
-
-```
-Next.js version?
-  |
-  +-- 16+ --> Create {APP_DIR}/proxy.ts
-  |
-  +-- 15   --> Create {APP_DIR}/middleware.ts (cookies() is async)
-  |
-  +-- 13-14 --> Create {APP_DIR}/middleware.ts (cookies() is sync)
-```
-
-**Next.js 16+ proxy.ts:** `proxy.ts` is the preferred convention. `middleware.ts` still works but shows a deprecation warning. Next.js 16 throws **error E900** if both files exist at the same level.
-
-**Next.js 15+ async note:** All route handlers and middleware accessing cookies must be async and properly await cookie operations. This is a breaking change from Next.js 14.
-
-Middleware/proxy code: See README for `authkitMiddleware()` export pattern.
-
-### Existing Middleware (IMPORTANT)
-
-If `middleware.ts` already exists with custom logic (rate limiting, logging, headers, etc.), use the **`authkit()` composable function** instead of `authkitMiddleware`.
-
-**Pattern for composing with existing middleware:**
-
-```typescript
-import { NextRequest, NextResponse } from 'next/server';
-import { authkit, handleAuthkitHeaders } from '@workos-inc/authkit-nextjs';
-
-export default async function middleware(request: NextRequest) {
-  // 1. Get auth session and headers from AuthKit
-  const { session, headers, authorizationUrl } = await authkit(request);
-  const { pathname } = request.nextUrl;
-
-  // 2. === YOUR EXISTING MIDDLEWARE LOGIC ===
-  // Rate limiting, logging, custom headers, etc.
-  const rateLimitResult = checkRateLimit(request);
-  if (!rateLimitResult.allowed) {
-    return new NextResponse('Too Many Requests', { status: 429 });
-  }
-
-  // 3. Protect routes - redirect to auth if needed
-  if (pathname.startsWith('/dashboard') && !session.user && authorizationUrl) {
-    return handleAuthkitHeaders(request, headers, { redirect: authorizationUrl });
-  }
-
-  // 4. Continue with AuthKit headers properly handled
-  return handleAuthkitHeaders(request, headers);
-}
-```
-
-**Key functions:**
-
-- `authkit(request)` - Returns `{ session, headers, authorizationUrl }` for composition
-- `handleAuthkitHeaders(request, headers, options?)` - Ensures AuthKit headers pass through correctly
-- For rewrites, use `partitionAuthkitHeaders()` and `applyResponseHeaders()` (see README)
-
-**Critical:** Always return via `handleAuthkitHeaders()` to ensure `withAuth()` works in pages.
-
-## Step 6: Create Callback Route
-
-Parse `NEXT_PUBLIC_WORKOS_REDIRECT_URI` to determine route path:
-
-```
-URI path          --> Route location (use APP_DIR from Step 4)
-/auth/callback    --> {APP_DIR}/app/auth/callback/route.ts
-/callback         --> {APP_DIR}/app/callback/route.ts
-```
-
-Use `handleAuth()` from SDK. Do not write custom OAuth logic.
-
-**CRITICAL for Next.js 15+:** The route handler MUST be async and properly await handleAuth():
-
-```typescript
-// CORRECT - Next.js 15+ requires async route handlers
-export const GET = handleAuth();
-
-// If handleAuth returns a function, ensure it's awaited in request context
-```
-
-Check README for exact usage. If build fails with "cookies outside request scope", the handler is likely missing async/await.
-
-## Step 7: Provider Setup (REQUIRED)
-
-**CRITICAL:** You MUST wrap the app in `AuthKitProvider` in `app/layout.tsx`.
-
-This is required for:
-
-- Client-side auth state via `useAuth()` hook
-- Consistent auth UX across client/server boundaries
-- Proper migration from Auth0 (which uses client-side auth)
-
-```tsx
-// app/layout.tsx
-import { AuthKitProvider } from '@workos-inc/authkit-nextjs/components';
-
-export default function RootLayout({ children }: { children: React.ReactNode }) {
-  return (
-    <html lang="en">
-      <body>
-        <AuthKitProvider>{children}</AuthKitProvider>
-      </body>
-    </html>
-  );
-}
-```
-
-**Do NOT skip this step** even if using server-side auth patterns elsewhere.
-
-## Step 8: UI Integration
-
-Add auth UI to `app/page.tsx` using SDK functions. See README for auth helper usage (`withAuth`/`getUser`, `getSignInUrl`, `signOut`).
-
-**Note:** The SDK renamed `getUser` to `withAuth` in newer versions. Use whichever function the installed SDK version exports — do NOT rename existing working imports.
-
-## Verification Checklist (ALL MUST PASS)
-
-Run these commands to confirm integration. **Do not mark complete until all pass:**
-
-```bash
-# 1. Check middleware/proxy exists (one should match)
-ls proxy.ts middleware.ts src/proxy.ts src/middleware.ts 2>/dev/null
-
-# 2. CRITICAL: Check AuthKitProvider is in layout (REQUIRED)
-grep "AuthKitProvider" app/layout.tsx || echo "FAIL: AuthKitProvider missing from layout"
-
-# 3. Check callback route exists
-find app -name "route.ts" -path "*/callback/*"
-
-# 4. Build succeeds
-npm run build
-```
-
-**If check #2 fails:** Go back to Step 6 and add AuthKitProvider. This is not optional.
-
-## Error Recovery
-
-### "cookies was called outside a request scope" (Next.js 15+)
-
-**Most common cause:** Route handler not properly async or missing await.
-
-Fix for callback route:
-
-1. Check that `handleAuth()` is exported directly: `export const GET = handleAuth();`
-2. If using custom wrapper, ensure it's `async` and awaits any cookie operations
-3. Verify authkit-nextjs SDK version supports Next.js 15+ (check README for compatibility)
-4. **Never** call `cookies()` at module level - only inside request handlers
-
-This error causes OAuth codes to expire ("invalid_grant"), so fix the handler first.
-
-### "middleware.ts not found"
-
-- Check: File at project root or `src/`, not inside `app/`
-- Check: Filename matches Next.js version (proxy.ts for 16+, middleware.ts for 13-15)
-
-### "Both middleware file and proxy file are detected" (Next.js 16+)
-
-- Next.js 16 throws error E900 if both `middleware.ts` and `proxy.ts` exist
-- Delete `middleware.ts` and use only `proxy.ts`
-- If `middleware.ts` has custom logic, migrate it into `proxy.ts`
-
-### "withAuth route not covered by middleware" but middleware/proxy file exists
-
-- **Most common cause:** File is at the wrong level. Next.js only discovers middleware/proxy files in the parent directory of `app/`. For `src/app/` projects, the file must be in `src/`, not at the project root.
-- Check: Is `app/` at `src/app/`? Then middleware/proxy must be at `src/middleware.ts` or `src/proxy.ts`
-- Check: Matcher config must include the route path being accessed
-
-### "Cannot use getUser in client component"
-
-- Check: Component has no `'use client'` directive, or
-- Check: Move auth logic to server component/API route
-
-### "Module not found" for SDK import
-
-- Check: SDK installed before writing imports
-- Check: SDK package directory exists in node_modules
-
-### "withAuth route not covered by middleware"
-
-- Check: Middleware/proxy file exists at correct location
-- Check: Matcher config includes the route path
-
-### Build fails after AuthKitProvider
-
-- Check: Import path matches what README specifies (root export vs `/components` subpath)
-- Check: No client/server boundary violations
-
-### NEXT*PUBLIC* prefix issues
-
-- Client components need `NEXT_PUBLIC_*` prefix
-- Server components use plain env var names

package/skills/workos-authkit-react/SKILL.md

@@ -1,100 +0,0 @@
----
-name: workos-authkit-react
-description: Integrate WorkOS AuthKit with React single-page applications. Client-side only authentication. Use when the project is a React SPA without Next.js or React Router.
----
-
-# WorkOS AuthKit for React (SPA)
-
-## Decision Tree
-
-```
-START
-  │
-  ├─► Fetch README (BLOCKING)
-  │   raw.githubusercontent.com/workos/authkit-react/main/README.md
-  │   README is source of truth. Stop if fetch fails.
-  │
-  ├─► Detect Build Tool
-  │   ├─ vite.config.ts exists? → Vite
-  │   └─ otherwise → Create React App
-  │
-  ├─► Set Env Var Prefix
-  │   ├─ Vite → VITE_WORKOS_CLIENT_ID
-  │   └─ CRA  → REACT_APP_WORKOS_CLIENT_ID
-  │
-  └─► Implement per README
-```
-
-## Critical: Build Tool Detection
-
-| Marker File               | Build Tool | Env Prefix   | Access Pattern            |
-| ------------------------- | ---------- | ------------ | ------------------------- |
-| `vite.config.ts`          | Vite       | `VITE_`      | `import.meta.env.VITE_*`  |
-| `craco.config.js` or none | CRA        | `REACT_APP_` | `process.env.REACT_APP_*` |
-
-**Wrong prefix = undefined values at runtime.** This is the #1 integration failure.
-
-## Key Clarification: No Callback Route
-
-The React SDK handles OAuth callbacks **internally** via AuthKitProvider.
-
-- No server-side callback route needed
-- SDK intercepts redirect URI client-side
-- Token exchange happens automatically
-
-Just ensure redirect URI env var matches WorkOS Dashboard exactly.
-
-## Required Environment Variables
-
-```
-{PREFIX}WORKOS_CLIENT_ID=client_...
-{PREFIX}WORKOS_REDIRECT_URI=http://localhost:5173/callback
-```
-
-No `WORKOS_API_KEY` needed. Client-side only SDK.
-
-## Verification Checklist (ALL MUST PASS)
-
-Run these commands to confirm integration. **Do not mark complete until all pass:**
-
-```bash
-# 1. Check env var prefix matches build tool
-grep -E "VITE_WORKOS_CLIENT_ID|REACT_APP_WORKOS_CLIENT_ID" .env .env.local 2>/dev/null
-
-# 2. Check AuthKitProvider wraps app root
-grep "AuthKitProvider" src/main.tsx src/index.tsx 2>/dev/null || echo "FAIL: AuthKitProvider missing"
-
-# 3. Check no server framework present (wrong skill if found)
-grep -E '"next"|"react-router"' package.json && echo "WARN: Server framework detected"
-
-# 4. Build succeeds
-pnpm build
-```
-
-**If check #2 fails:** AuthKitProvider must wrap the app root in main.tsx/index.tsx. This is required for useAuth() to work.
-
-## Error Recovery
-
-### "clientId is required"
-
-**Cause:** Env var inaccessible (wrong prefix)
-
-Check: Does prefix match build tool? Vite needs `VITE_`, CRA needs `REACT_APP_`.
-
-### Auth state lost on refresh
-
-**Cause:** Token persistence issue
-
-Check: Browser dev tools → Application → Local Storage. SDK stores tokens here automatically.
-
-### useAuth returns undefined
-
-**Cause:** Component outside provider tree
-
-Check: Entry file (`main.tsx` or `index.tsx`) wraps `<App />` in `<AuthKitProvider>`.
-
-### Callback redirect fails
-
-**Cause:** URI mismatch
-
-Check: Env var redirect URI exactly matches WorkOS Dashboard → Redirects configuration.

package/skills/workos-authkit-react-router/SKILL.md

@@ -1,117 +0,0 @@
----
-name: workos-authkit-react-router
-description: Integrate WorkOS AuthKit with React Router applications. Supports v6 and v7 (Framework, Data, Declarative modes). Use when project uses react-router, react-router-dom, or mentions React Router authentication.
----
-
-# WorkOS AuthKit for React Router
-
-## Decision Tree
-
-```
-1. Fetch README (BLOCKING)
-2. Detect router mode
-3. Follow README for that mode
-4. Verify with checklist below
-```
-
-## Phase 1: Fetch SDK Documentation (BLOCKING)
-
-**STOP - Do not write any code until this completes.**
-
-WebFetch: `https://raw.githubusercontent.com/workos/authkit-react-router/main/README.md`
-
-The README is the source of truth. If this skill conflicts with README, **follow the README**.
-
-## Phase 2: Detect Router Mode
-
-| Mode           | Detection Signal                | Key Indicator             |
-| -------------- | ------------------------------- | ------------------------- |
-| v7 Framework   | `react-router.config.ts` exists | Routes in `app/routes/`   |
-| v7 Data        | `createBrowserRouter` in source | Loaders in route config   |
-| v7 Declarative | `<BrowserRouter>` component     | Routes as JSX, no loaders |
-| v6             | package.json version `"6.x"`    | Similar to v7 Declarative |
-
-**Detection order:**
-
-1. Check for `react-router.config.ts` (Framework mode)
-2. Grep for `createBrowserRouter` (Data mode)
-3. Check package.json version (v6 vs v7)
-4. Default to Declarative if v7 with `<BrowserRouter>`
-
-## Phase 3: Follow README
-
-Based on detected mode, apply the corresponding README section. The README contains current API signatures and code patterns.
-
-## Critical Distinctions
-
-### authLoader vs authkitLoader
-
-| Function        | Purpose                   | Where to use           |
-| --------------- | ------------------------- | ---------------------- |
-| `authLoader`    | OAuth callback handler    | Callback route ONLY    |
-| `authkitLoader` | Fetch user data in routes | Any route needing auth |
-
-**Common mistake:** Using `authkitLoader` for callback route. Use `authLoader()`.
-
-### Root Route Requirement
-
-Auth loader MUST be on root route for child routes to access auth context.
-
-**Wrong:** Auth loader only on `/dashboard`
-**Right:** Auth loader on `/` (root), children inherit context
-
-## Environment Variables
-
-Required in `.env` or `.env.local`:
-
-- `WORKOS_API_KEY` - starts with `sk_`
-- `WORKOS_CLIENT_ID` - starts with `client_`
-- `WORKOS_REDIRECT_URI` - full URL (e.g., `http://localhost:3000/auth/callback`)
-- `WORKOS_COOKIE_PASSWORD` - 32+ chars (server modes only)
-
-## Verification Checklist (ALL MUST PASS)
-
-Run these commands to confirm integration. **Do not mark complete until all pass:**
-
-```bash
-# 1. Check SDK installed
-ls node_modules/@workos-inc/authkit-react-router 2>/dev/null || echo "FAIL: SDK not installed"
-
-# 2. Check callback route exists and matches WORKOS_REDIRECT_URI
-grep -r "authLoader\|handleCallbackRoute" src/ app/ 2>/dev/null
-
-# 3. Check auth loader/provider on root route
-grep -r "authkitLoader\|AuthKitProvider" src/ app/ 2>/dev/null
-
-# 4. Build succeeds
-npm run build
-```
-
-**If check #2 fails:** Callback route path must match WORKOS_REDIRECT_URI exactly. Use authLoader (not authkitLoader) for the callback route.
-
-## Error Recovery
-
-### "loader is not a function"
-
-**Cause:** Using loader pattern in Declarative/v6 mode
-**Fix:** Declarative/v6 modes use `AuthKitProvider` + `useAuth` hook, not loaders
-
-### Auth state not available in child routes
-
-**Cause:** Auth loader missing from root route
-**Fix:** Add `authkitLoader` (or `AuthKitProvider`) to root route so children inherit context
-
-### useAuth returns undefined
-
-**Cause:** Missing `AuthKitProvider` wrapper
-**Fix:** Wrap app with `AuthKitProvider` (required for Declarative/v6 modes)
-
-### Callback route 404
-
-**Cause:** Route path mismatch with `WORKOS_REDIRECT_URI`
-**Fix:** Extract exact path from env var, create route at that path
-
-### "Module not found" for SDK
-
-**Cause:** SDK not installed
-**Fix:** Install SDK, wait for completion, verify `node_modules` before writing imports

package/skills/workos-authkit-sveltekit/SKILL.md

@@ -1,208 +0,0 @@
----
-name: workos-authkit-sveltekit
-description: Integrate WorkOS AuthKit with SvelteKit. Server-side authentication with hooks and file-based routing.
----
-
-# WorkOS AuthKit for SvelteKit
-
-## Step 1: Fetch SDK Documentation (BLOCKING)
-
-**STOP. Do not proceed until complete.**
-
-WebFetch: `https://raw.githubusercontent.com/workos/authkit-sveltekit/main/README.md`
-
-The README is the source of truth. If this skill conflicts with README, follow README.
-
-## Step 2: Pre-Flight Validation
-
-### Project Structure
-
-- Confirm `svelte.config.js` (or `svelte.config.ts`) exists
-- Confirm `package.json` contains `@sveltejs/kit` dependency
-- Confirm `src/routes/` directory exists
-
-### Environment Variables
-
-Check `.env` or `.env.local` for:
-
-- `WORKOS_API_KEY` - starts with `sk_`
-- `WORKOS_CLIENT_ID` - starts with `client_`
-- `WORKOS_REDIRECT_URI` - valid callback URL
-- `WORKOS_COOKIE_PASSWORD` - 32+ characters
-
-SvelteKit uses `$env/static/private` and `$env/dynamic/private` natively. The agent should write env vars to `.env` (SvelteKit's default) or `.env.local`.
-
-## Step 2b: Partial Install Recovery
-
-Before installing the SDK, check if a previous AuthKit attempt already exists:
-
-1. Check if `@workos/authkit-sveltekit` is already in `package.json`
-2. Check for incomplete setup signals:
-   - `src/hooks.server.ts` has commented-out `authkitHandle` import or exports a passthrough handle
-   - `src/routes/+layout.server.ts` has TODO comments about loading the session
-   - No callback `+server.ts` route exists in `src/routes/`
-   - No `WORKOS_COOKIE_PASSWORD` in `.env`
-3. If partial install detected:
-   - Do NOT reinstall the SDK (it's already there)
-   - Read existing files to understand what's done vs missing
-   - Complete the integration by filling gaps rather than starting fresh
-   - The most common gap is the missing callback route — create it
-   - Wire up `authkitHandle` in hooks.server.ts properly (use `sequence()` if other hooks exist)
-   - Complete the layout load function
-   - Ensure `WORKOS_COOKIE_PASSWORD` is set in `.env`
-
-## Step 2c: Existing Auth System Detection
-
-Check for existing authentication before integrating:
-
-```
-package.json has 'lucia'?              → Lucia v3 session auth
-package.json has '@auth0/auth0-spa-js'? → Auth0 SPA auth
-package.json has '@auth/sveltekit'?    → Auth.js SvelteKit
-src/hooks.server.ts handles cookies?   → Custom session middleware
-```
-
-If existing auth detected (Lucia is most common in SvelteKit):
-
-- Do NOT remove or disable the existing auth system
-- Use `sequence()` from `@sveltejs/kit/hooks` to compose handles:
-
-  ```typescript
-  import { sequence } from '@sveltejs/kit/hooks';
-  import { authkitHandle } from '@workos/authkit-sveltekit';
-
-  // Keep existing handle, compose with AuthKit
-  export const handle = sequence(authkitHandle, existingHandle);
-  ```
-
-- AuthKit handle should come FIRST in `sequence()` so it runs before other middleware
-- Create separate WorkOS routes if `/login` or `/callback` are already taken (e.g., use `/auth/callback`)
-- Ensure existing auth routes, form actions, and session cookies continue to work unchanged
-- Document in code comments how to migrate fully to WorkOS AuthKit later
-
-## Step 3: Install SDK
-
-Detect package manager, install SDK package from README.
-
-```
-pnpm-lock.yaml? → pnpm add @workos/authkit-sveltekit
-yarn.lock? → yarn add @workos/authkit-sveltekit
-bun.lockb? → bun add @workos/authkit-sveltekit
-else → npm install @workos/authkit-sveltekit
-```
-
-**Verify:** SDK package exists in node_modules before continuing.
-
-## Step 4: Configure Server Hooks
-
-SvelteKit uses `src/hooks.server.ts` for server-side middleware. This is where the AuthKit handler is registered.
-
-Create or update `src/hooks.server.ts` with the authkit handle function from the README.
-
-### Existing Hooks (IMPORTANT)
-
-If `src/hooks.server.ts` already exists with custom logic, use SvelteKit's `sequence()` helper to compose hooks:
-
-```typescript
-import { sequence } from '@sveltejs/kit/hooks';
-import { authkitHandle } from '@workos/authkit-sveltekit'; // Check README for exact export
-
-export const handle = sequence(authkitHandle, yourExistingHandle);
-```
-
-Check README for the exact export name and usage pattern.
-
-## Step 5: Create Callback Route
-
-Parse `WORKOS_REDIRECT_URI` to determine route path:
-
-```
-URI path          --> Route location
-/callback         --> src/routes/callback/+server.ts
-/auth/callback    --> src/routes/auth/callback/+server.ts
-```
-
-Use the SDK's callback handler from the README. Do not write custom OAuth logic.
-
-**Critical:** SvelteKit uses `+server.ts` for API routes, not `+page.server.ts`.
-
-## Step 6: Layout Setup
-
-Update `src/routes/+layout.server.ts` to load the auth session and pass it to all pages.
-
-Check README for the exact pattern — typically a `load` function that returns the user session from locals.
-
-```typescript
-// src/routes/+layout.server.ts
-import type { LayoutServerLoad } from './$types';
-
-export const load: LayoutServerLoad = async (event) => {
-  // Check README for exact API — session is typically on event.locals
-  return {
-    user: event.locals.user, // or similar from README
-  };
-};
-```
-
-## Step 7: UI Integration
-
-Add auth UI to `src/routes/+page.svelte` using the session data from the layout.
-
-- Show user info when authenticated
-- Show sign-in link/button when not authenticated
-- Add sign-out functionality
-
-Check README for sign-in URL generation and sign-out patterns.
-
-## Verification Checklist (ALL MUST PASS)
-
-Run these commands to confirm integration. **Do not mark complete until all pass:**
-
-```bash
-# 1. Check hooks.server.ts exists and has authkit
-grep -i "workos\|authkit" src/hooks.server.ts || echo "FAIL: authkit missing from hooks.server.ts"
-
-# 2. Check callback route exists
-find src/routes -name "+server.ts" -path "*/callback/*"
-
-# 3. Check layout loads auth session
-grep -i "user\|auth\|session" src/routes/+layout.server.ts || echo "FAIL: auth session missing from layout"
-
-# 4. Build succeeds
-pnpm build || npm run build
-```
-
-## Error Recovery
-
-### "Cannot find module '@workos/authkit-sveltekit'"
-
-- Check: SDK installed before writing imports
-- Check: SDK package directory exists in node_modules
-- Re-run install if missing
-
-### hooks.server.ts not taking effect
-
-- Check: File is at `src/hooks.server.ts`, not `src/hooks.ts` or elsewhere
-- Check: Named export is `handle` (SvelteKit requirement)
-- Check: If using `sequence()`, all handles are properly composed
-
-### Callback route not found (404)
-
-- Check: File uses `+server.ts` (not `+page.server.ts`)
-- Check: Route path matches `WORKOS_REDIRECT_URI` path exactly
-- Check: Exports `GET` handler (SvelteKit convention)
-
-### "locals" type errors
-
-- Check: App.Locals interface is augmented in `src/app.d.ts`
-- Check README for TypeScript setup instructions
-
-### Cookie password error
-
-- Verify `WORKOS_COOKIE_PASSWORD` is 32+ characters
-- Generate new: `openssl rand -base64 32`
-
-### Auth state not available in pages
-
-- Check: `+layout.server.ts` load function returns user data
-- Check: Pages access data via `export let data` (Svelte 4) or `$page.data` (Svelte 5)