Skip to content

feat: CLI management commands for all WorkOS resources#76

Open
nicknisi wants to merge 10 commits intomainfrom
nicknisi/cli-management-commands
Open

feat: CLI management commands for all WorkOS resources#76
nicknisi wants to merge 10 commits intomainfrom
nicknisi/cli-management-commands

Conversation

@nicknisi
Copy link
Member

@nicknisi nicknisi commented Mar 3, 2026
edited
Loading

Summary

Adds 21 new CLI command groups covering the full WorkOS management API surface — RBAC, user lifecycle, SSO, directory sync, observability, config, and compound workflows. Enables both developers and AI agents to manage WorkOS resources directly from the terminal without context-switching to the dashboard.

Motivation: A WorkOS coworker spent a weekend fully integrating AuthKit, SSO, DSync, Feature Flags, Audit Logs, and RBAC — and identified leaving the editor as their biggest friction point. AI agents compound this: they can generate integration code but can't complete setup because they have no way to call WorkOS APIs. This PR brings us closer to closing that gap.

What's included

Foundation (Phase 1)

  • src/lib/workos-client.ts — Unified client wrapping @workos-inc/node SDK + raw fetch extensions for undocumented endpoints (webhooks, redirect URIs, CORS, homepage URL)
  • Migrated existing organization and user commands from raw workosRequest() to SDK client

New commands (Phases 2-6)

Command Subcommands Description
workos role list, get, create, update, delete, set-permissions, add-permission, remove-permission RBAC role management with --org flag for org-scoped roles
workos permission list, get, create, update, delete Permission CRUD for authorization checks
workos membership list, get, create, update, delete, deactivate, reactivate Organization membership management
workos invitation list, get, send, revoke, resend User invitation lifecycle
workos session list, revoke Session inspection and revocation
workos connection list, get, delete SSO connection management (read/delete with --force confirmation)
workos directory list, get, delete, list-users, list-groups Directory sync management with user/group listing
workos event list Event querying (requires --events filter)
workos audit-log create-event, export, list-actions, get-schema, create-schema, get-retention Audit log management with export polling and schema CRUD
workos feature-flag list, get, enable, disable, add-target, remove-target Feature flag toggling and targeting
workos webhook list, create, delete Webhook endpoint management
workos config redirect add, cors add, homepage-url set Environment configuration (redirect URIs, CORS origins, homepage URL)
workos portal generate-link Admin Portal link generation
workos vault list, get, get-by-name, create, update, delete, describe, list-versions Encrypted secret management
workos api-key list, create, validate, delete Per-organization API key management
workos org-domain get, create, verify, delete Organization domain management

Compound workflows (Phase 7)

Command Description
workos seed --file=<yaml> Declarative resource provisioning from YAML (permissions → roles → orgs → config) with --clean teardown
workos setup-org <name> One-shot org onboarding: create org, add/verify domain, create roles, generate portal link
workos onboard-user <email> Send invitation with optional --wait polling for acceptance
workos debug-sso <connId> SSO connection diagnostics: state, auth events, issue detection
workos debug-sync <dirId> Directory sync diagnostics: state, user/group counts, event history, stall detection

Agent skill (Phase 8)

  • skills/workos-management/SKILL.md — Agent skill auto-discovered by workos install-skill that teaches AI agents command reference, workflow recipes (RBAC setup, org onboarding, SSO debugging, seeding), --json usage, and dashboard-only negative guidance

Error handling (Phase 9)

  • Duck-type detection for @workos-inc/node SDK exceptions in api-error-handler.ts — all SDK errors (401, 404, 422, etc.) now produce clean structured error messages instead of crashing

Architecture

  • All commands use createWorkOSClient(apiKey, baseUrl) per-invocation (not singleton)
  • SDK-backed operations use @workos-inc/node directly; undocumented endpoints use workosRequest() extensions
  • createApiErrorHandler(resourceName) handles both WorkOSApiError (raw fetch) and SDK exceptions (duck-typed via { status, requestID })
  • All commands support --json for structured output (auto-enabled in non-TTY) and --api-key for explicit key override
  • connection delete and directory delete require --force in non-TTY mode
  • seed tracks created resources in .workos-seed-state.json for idempotent cleanup

Test plan

  • 931 total tests (266 new across 24 spec files)
  • Unit tests mock the SDK client via vi.mock('../lib/workos-client.js')
  • Smoke test (scripts/smoke-test.ts) exercises 27 command handlers against the real WorkOS API — 27/27 passing
  • All validation: pnpm typecheckpnpm testpnpm build

Dependencies added

  • @workos-inc/node — Official WorkOS Node.js SDK
  • yaml — YAML parsing for seed command

nicknisi added 10 commits March 2, 2026 14:15
@nicknisi
feat: add unified WorkOS SDK client and migrate org/user commands
68e70a2 
Replace raw `workosRequest()` fetch calls in organization and user
commands with the `@workos-inc/node` SDK. Introduce a unified client
(`workos-client.ts`) that wraps the SDK for documented endpoints and
extends with raw-fetch methods for undocumented ones (webhooks,
redirect URIs, CORS origins, homepage URL).
@nicknisi
feat: add CLI management commands for all WorkOS resources
f444625 
Implement 12 command groups (phases 2-6) covering the full WorkOS
management API surface:

- role, permission (RBAC with env/org-scoped branching)
- membership, invitation, session (user lifecycle)
- connection, directory (SSO & directory sync, read/delete with confirm)
- event, audit-log (observability with export polling)
- feature-flag, webhook, config, portal, vault, api-key, org-domain

Extends workos-client.ts with auditLogs extension methods for
undocumented endpoints. All commands follow the established SDK client
pattern with JSON/human output modes and structured error handling.

229 new tests across 16 spec files (894 total).
@nicknisi
feat: add compound workflow commands (seed, setup-org, debug)
2d8a6e6 
Add 5 orchestration commands that compose existing SDK operations:

- seed: declarative YAML-based resource provisioning with state
  tracking and --clean teardown
- setup-org: one-shot org onboarding (create, domain, roles, portal)
- onboard-user: invitation workflow with optional --wait polling
- debug-sso: SSO connection diagnostics with event history
- debug-sync: directory sync diagnostics with user/group counts

Adds yaml dependency for seed file parsing.
16 new tests (916 total).
@nicknisi
feat: add agent skill for management commands
44603c7 
Auto-discovered by install-skill via skills/workos-management/SKILL.md.
Covers full command reference, workflow recipes (RBAC, org/user
onboarding, SSO/DSync debugging, seeding), --json usage guide, and
dashboard-only negative guidance.
@nicknisi
feat: register all management commands in CLI
f10d1da 
Wire up 19 new command groups in bin.ts (role, permission, membership,
invitation, session, connection, directory, event, audit-log,
feature-flag, webhook, config, portal, vault, api-key, org-domain,
seed, setup-org, onboard-user, debug-sso, debug-sync).

Update help-json.ts with all 29 command schemas for --help --json.
@nicknisi
fix: handle SDK exceptions in api-error-handler
6a1a688 
Add duck-type detection for @workos-inc/node SDK exceptions alongside
the existing WorkOSApiError check. SDK errors (UnauthorizedException,
NotFoundException, etc.) now produce clean user-facing messages instead
of crashing with "Unknown error".

Revert toSnakeCase output conversion — JSON output conforms to the
Node SDK's camelCase format.
@nicknisi
fix: remove unsafe type casts in audit-log and connection commands
bd4a47a 
Replace `as any` with proper SDK types: CreateAuditLogEventOptions
for audit log events, ConnectionType for SSO connection type filter.
@nicknisi
chore: formatting and linting
716a463
@nicknisi
fix: use exitWithError in seed partial failure path
eadc29a 
Replace manual console.error + process.exit(1) with exitWithError()
for consistent structured error output. Partial state passed via
the details field.
@nicknisi
chore: formatting
ca598e4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nicknisi