feat: CLI management commands for all WorkOS resources

README.md

@@ -50,14 +50,127 @@ workos [command]
 
 Commands:
   install                Install WorkOS AuthKit into your project
-  dashboard              Run installer with visual TUI dashboard (experimental)
-  login                  Authenticate with WorkOS via Connect OAuth device flow
+  login                  Authenticate with WorkOS via browser OAuth
   logout                 Remove stored credentials
   env                    Manage environment configurations
-  organization (org)     Manage organizations
-  user                   Manage users
   doctor                 Diagnose WorkOS integration issues
   install-skill          Install AuthKit skills to coding agents
+
+Resource Management:
+  organization (org)     Manage organizations
+  user                   Manage users
+  role                   Manage roles (RBAC)
+  permission             Manage permissions (RBAC)
+  membership             Manage organization memberships
+  invitation             Manage user invitations
+  session                Manage user sessions
+  connection             Manage SSO connections
+  directory              Manage directory sync
+  event                  Query events
+  audit-log              Manage audit logs
+  feature-flag           Manage feature flags
+  webhook                Manage webhooks
+  config                 Manage redirect URIs, CORS, homepage URL
+  portal                 Generate Admin Portal links
+  vault                  Manage encrypted secrets
+  api-key                Manage per-org API keys
+  org-domain             Manage organization domains
+
+Workflows:
+  seed                   Declarative resource provisioning from YAML
+  setup-org              One-shot organization onboarding
+  onboard-user           Send invitation and assign role
+  debug-sso              Diagnose SSO connection issues
+  debug-sync             Diagnose directory sync issues
+```
+
+All management commands support `--json` for structured output (auto-enabled in non-TTY) and `--api-key` to override the active environment's key.
+
+### Workflows
+
+The compound workflow commands compose multiple API calls into common operations. These are the highest-value commands for both developers and AI agents.
+
+#### seed — Declarative resource provisioning
+
+Provision permissions, roles, organizations, and config from a YAML file. Tracks created resources for clean teardown.
+
+```bash
+# Apply a seed file
+workos seed --file workos-seed.yml
+
+# Tear down everything the seed created (reads .workos-seed-state.json)
+workos seed --clean
+```
+
+Example `workos-seed.yml`:
+
+```yaml
+permissions:
+  - name: Read Posts
+    slug: posts:read
+  - name: Write Posts
+    slug: posts:write
+
+roles:
+  - name: Editor
+    slug: editor
+    permissions: [posts:read, posts:write]
+  - name: Viewer
+    slug: viewer
+    permissions: [posts:read]
+
+organizations:
+  - name: Acme Corp
+    domains: [acme.com]
+
+config:
+  redirect_uris:
+    - http://localhost:3000/callback
+  cors_origins:
+    - http://localhost:3000
+  homepage_url: http://localhost:3000
+```
+
+Resources are created in dependency order (permissions → roles → organizations → config). State is tracked in `.workos-seed-state.json` so `--clean` removes exactly what was created.
+
+#### setup-org — One-shot organization onboarding
+
+Creates an organization with optional domain verification, roles, and an Admin Portal link in a single command.
+
+```bash
+# Minimal: just create the org
+workos setup-org "Acme Corp"
+
+# Full: org + domain + roles + portal link
+workos setup-org "Acme Corp" --domain acme.com --roles admin,viewer
+```
+
+#### onboard-user — User invitation workflow
+
+Sends an invitation to a user with an optional role assignment. With `--wait`, polls until the invitation is accepted.
+
+```bash
+# Send invitation
+workos onboard-user alice@acme.com --org org_01ABC123
+
+# Send with role and wait for acceptance
+workos onboard-user alice@acme.com --org org_01ABC123 --role admin --wait
+```
+
+#### debug-sso — SSO connection diagnostics
+
+Inspects an SSO connection's state and recent authentication events. Flags inactive connections and surfaces auth event history for debugging.
+
+```bash
+workos debug-sso conn_01ABC123
+```
+
+#### debug-sync — Directory sync diagnostics
+
+Inspects a directory's sync state, user/group counts, recent events, and detects stalled syncs.
+
+```bash
+workos debug-sync directory_01ABC123
 ```
 
 ### Environment Management
@@ -71,7 +184,11 @@ workos env list                  # List environments with active indicator
 
 API keys are stored in the system keychain via `@napi-rs/keyring`, with a JSON file fallback at `~/.workos/config.json`.
 
-### Organization Management
+### Resource Management
+
+All resource commands follow the same pattern: `workos <resource> <action> [args] [--options]`. API keys resolve via: `WORKOS_API_KEY` env var → `--api-key` flag → active environment's stored key.
+
+#### organization
 
 ```bash
 workos organization create <name> [domain:state ...]
@@ -81,16 +198,165 @@ workos organization list [--domain] [--limit] [--before] [--after] [--order]
 workos organization delete <orgId>
 ```
 
-### User Management
+#### user
 
 ```bash
 workos user get <userId>
-workos user list [--email] [--organization] [--limit] [--before] [--after] [--order]
+workos user list [--email] [--organization] [--limit]
 workos user update <userId> [--first-name] [--last-name] [--email-verified] [--password] [--external-id]
 workos user delete <userId>
 ```
 
-Management commands resolve API keys via: `WORKOS_API_KEY` env var → `--api-key` flag → active environment's stored key.
+#### role
+
+```bash
+workos role list [--org <orgId>]
+workos role get <slug> [--org <orgId>]
+workos role create --slug <slug> --name <name> [--org <orgId>]
+workos role update <slug> [--name] [--description] [--org <orgId>]
+workos role delete <slug> --org <orgId>
+workos role set-permissions <slug> --permissions <slugs> [--org <orgId>]
+workos role add-permission <slug> <permissionSlug> [--org <orgId>]
+workos role remove-permission <slug> <permissionSlug> --org <orgId>
+```
+
+#### permission
+
+```bash
+workos permission list [--limit]
+workos permission get <slug>
+workos permission create --slug <slug> --name <name> [--description]
+workos permission update <slug> [--name] [--description]
+workos permission delete <slug>
+```
+
+#### membership
+
+```bash
+workos membership list [--org] [--user] [--limit]
+workos membership get <id>
+workos membership create --org <orgId> --user <userId> [--role]
+workos membership update <id> [--role]
+workos membership delete <id>
+workos membership deactivate <id>
+workos membership reactivate <id>
+```
+
+#### invitation
+
+```bash
+workos invitation list [--org] [--email] [--limit]
+workos invitation get <id>
+workos invitation send --email <email> [--org] [--role] [--expires-in-days]
+workos invitation revoke <id>
+workos invitation resend <id>
+```
+
+#### session
+
+```bash
+workos session list <userId> [--limit]
+workos session revoke <sessionId>
+```
+
+#### connection
+
+```bash
+workos connection list [--org] [--type] [--limit]
+workos connection get <id>
+workos connection delete <id> [--force]
+```
+
+#### directory
+
+```bash
+workos directory list [--org] [--limit]
+workos directory get <id>
+workos directory delete <id> [--force]
+workos directory list-users [--directory] [--group] [--limit]
+workos directory list-groups --directory <id> [--limit]
+```
+
+#### event
+
+```bash
+workos event list --events <types> [--org] [--range-start] [--range-end] [--limit]
+```
+
+#### audit-log
+
+```bash
+workos audit-log create-event <orgId> --action <action> --actor-type <type> --actor-id <id> [--file <json>]
+workos audit-log export --org <orgId> --range-start <date> --range-end <date> [--actions] [--actor-names]
+workos audit-log list-actions
+workos audit-log get-schema <action>
+workos audit-log create-schema <action> --file <schema.json>
+workos audit-log get-retention <orgId>
+```
+
+#### feature-flag
+
+```bash
+workos feature-flag list [--limit]
+workos feature-flag get <slug>
+workos feature-flag enable <slug>
+workos feature-flag disable <slug>
+workos feature-flag add-target <slug> <targetId>
+workos feature-flag remove-target <slug> <targetId>
+```
+
+#### webhook
+
+```bash
+workos webhook list
+workos webhook create --url <endpoint> --events <types>
+workos webhook delete <id>
+```
+
+#### config
+
+```bash
+workos config redirect add <uri>
+workos config cors add <origin>
+workos config homepage-url set <url>
+```
+
+#### portal
+
+```bash
+workos portal generate-link --intent <intent> --org <orgId> [--return-url] [--success-url]
+```
+
+#### vault
+
+```bash
+workos vault list [--limit]
+workos vault get <id>
+workos vault get-by-name <name>
+workos vault create --name <name> --value <secret> [--org <orgId>]
+workos vault update <id> --value <secret> [--version-check]
+workos vault delete <id>
+workos vault describe <id>
+workos vault list-versions <id>
+```
+
+#### api-key
+
+```bash
+workos api-key list --org <orgId> [--limit]
+workos api-key create --org <orgId> --name <name> [--permissions]
+workos api-key validate <value>
+workos api-key delete <id>
+```
+
+#### org-domain
+
+```bash
+workos org-domain get <id>
+workos org-domain create <domain> --org <orgId>
+workos org-domain verify <id>
+workos org-domain delete <id>
+```
 
 ### Installer Options
 

package.json

@@ -42,6 +42,7 @@
     "@clack/core": "^1.0.1",
     "@clack/prompts": "1.0.1",
     "@napi-rs/keyring": "^1.2.0",
+    "@workos-inc/node": "^8.7.0",
     "chalk": "^5.6.2",
     "diff": "^8.0.3",
     "fast-glob": "^3.3.3",
@@ -51,6 +52,7 @@
     "semver": "^7.7.4",
     "uuid": "^13.0.0",
     "xstate": "^5.28.0",
+    "yaml": "^2.8.2",
     "yargs": "^18.0.0",
     "zod": "^4.3.6"
   },