Skip to content

feat!: move login/logout to auth subcommand, add auth status#84

Merged
nicknisi merged 12 commits intomainfrom
nicknisi/auth-subcommand
Mar 5, 2026
Merged

feat!: move login/logout to auth subcommand, add auth status#84
nicknisi merged 12 commits intomainfrom
nicknisi/auth-subcommand

Conversation

@nicknisi
Copy link
Member

@nicknisi nicknisi commented Mar 5, 2026

Summary

Groups auth-related commands under workos auth and adds a new status subcommand for inspecting current authentication state.

Breaking Change

workos login and workos logout are removed as top-level commands. Use:

  • workos auth login — Authenticate with WorkOS via browser-based OAuth
  • workos auth logout — Remove stored WorkOS credentials and tokens

New: workos auth status

Shows current authentication state at a glance:

Logged in as nick@nisi.org
Token expires in 4m 32s
Refresh token: present
Environment: staging (sandbox)

When not logged in:

Not logged in
Run `workos auth login` to authenticate

Supports --json for machine-readable output:

{
  "authenticated": true,
  "email": "nick@nisi.org",
  "userId": "user_01JA4BG95WJA49X1DXKSDET8PC",
  "tokenExpired": false,
  "tokenExpiresAt": "2026-03-05T19:43:04.155Z",
  "tokenExpiresIn": "4m 32s",
  "hasRefreshToken": true,
  "activeEnvironment": { "name": "staging", "type": "sandbox" }
}

String reference updates

All error messages across the codebase referencing workos login or workos logout have been updated to workos auth login / workos auth logout (15 files, ~20 locations).

Implementation

  • Follows existing subcommand pattern (env, organization) using registerSubcommand() utility
  • workos auth with no subcommand shows help listing all three subcommands
  • auth status reads from credential-store and config-store — no API calls, no side effects
  • Command registry in help-json.ts updated for agent-facing command discovery

nicknisi added 9 commits March 5, 2026 15:20
@nicknisi
feat!: move login/logout to auth subcommand, add auth status
4002ce5 
BREAKING CHANGE: `workos login` and `workos logout` are now
`workos auth login` and `workos auth logout`.

New `workos auth status` command shows current auth state:
- Logged in email/userId
- Token expiry (time remaining or how long ago it expired)
- Refresh token presence
- Active environment name and type
- Supports --json for machine-readable output

All error messages referencing `workos login` updated to
`workos auth login`.
@nicknisi
chore: formatting and linting fixes
bfa1b89
@nicknisi
feat: add credential audit log for debugging auth loss
2d78cf5 
Writes timestamped entries to ~/.workos/audit.log for every credential
mutation: SAVE_CREDENTIALS, CLEAR_CREDENTIALS, UPDATE_TOKENS, and
GET_CREDENTIALS (when returning null). Logs only non-sensitive metadata:
email, userId, token expiry, refresh token presence, storage backend,
and caller stack frame. Never logs tokens or API keys.

Disabled automatically in test environments (VITEST).
@nicknisi
fix: guard keyring operations behind insecure storage flag
e8b74d1 
When forceInsecureStorage is true, all keyring read/write/delete
operations are now no-ops. Previously, deleteFromKeyring() would
still hit the real system keychain even in insecure-storage mode,
meaning tests using setInsecureStorage(true) could wipe real
credentials from the keychain.

This was the root cause of credentials mysteriously vanishing
after running tests.
@nicknisi
Revert "fix: guard keyring operations behind insecure storage flag"
c6450a6 
This reverts commit e8b74d1.
@nicknisi
Revert "feat: add credential audit log for debugging auth loss"
421393e 
This reverts commit 2d78cf5.
@nicknisi
docs: update README auth commands to use auth subcommand
546a261
@nicknisi
fix: use plain colored output for auth status instead of clack
8a32c8e
@nicknisi
fix: add blank line after update notice to separate from command output
cb34b07
@nicknisi nicknisi force-pushed the nicknisi/auth-subcommand branch from 3480260 to cb34b07 Compare March 5, 2026 21:45
nicknisi added 3 commits March 5, 2026 15:46
@nicknisi
fix: use plain colored output for login already-authenticated messages
0f5667b
@nicknisi
fix: suppress update notice in JSON mode to keep stdout clean
6def869
@nicknisi
fix: review fixes — isJsonMode guard, missed string ref, double newline
a700748 
- bin.ts: use isJsonMode() instead of hasJsonFlag to suppress update
  notice in all JSON contexts (including non-TTY auto-detection)
- ensure-auth.ts: fix missed workos login → workos auth login at line 94
- version-check.ts: fix double blank line (console.log already adds \n)
- Update CLAUDE.md, DEVELOPMENT.md, SKILL.md references
@nicknisi nicknisi merged commit b86c39b into main Mar 5, 2026
5 checks passed
@nicknisi nicknisi deleted the nicknisi/auth-subcommand branch March 5, 2026 22:10
@github-actions github-actions bot mentioned this pull request Mar 5, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nicknisi