Merge remote-tracking branch 'origin/main' into feature/explore-widgets-skills

* origin/main: (21 commits)
  chore(main): release 0.7.2 (#67)
  fix: Correct issue submission links (#66)
  chore(main): release 0.7.1 (#65)
  fix: ground AI analysis in SDK documentation (#64)
  chore(main): release 0.7.0 (#60)
  fix: improve installer skill and remove shell: true from spawn calls (#63)
  feat: major workos doctor overhaul — visual refresh, multi-language, AI analysis (#62)
  fix: replace dotenv devDependency with inline env parser in doctor (#61)
  feat: add environment, organization, and user management commands (#59)
  chore(main): release 0.6.0 (#58)
  feat: agent self-correction via validation feedback loop (#57)
  chore(main): release 0.5.4 (#56)
  fix: restore workflow_call and remove registry-url for OIDC
  chore(main): release 0.5.3 (#55)
  fix: trigger release.yml directly via release event for OIDC match
  fix: remove registry-url from setup-node to unblock OIDC auth
  chore(main): release 0.5.2 (#54)
  fix: use npm publish for OIDC trusted publishing support
  chore(main): release 0.5.1 (#53)
  fix: remove duplicate release trigger causing publish race condition
  ...

# Conflicts:
#	src/lib/adapters/cli-adapter.ts

Author: lucasmotta

.github/workflows/release.yml

@@ -3,8 +3,6 @@ name: Release
 on:
   workflow_dispatch:
   workflow_call:
-  release:
-    types: [published]
 
 jobs:
   publish:
@@ -21,20 +19,13 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 24
-          registry-url: 'https://registry.npmjs.org'
           cache: pnpm
 
-      - name: Remove token auth from npmrc (use OIDC instead)
-        run: sed -i '/_authToken/d' "$NPM_CONFIG_USERCONFIG"
-
       - name: Install
         run: pnpm install
 
       - name: Build
         run: pnpm build
 
       - name: Publish
-        run: |
-          unset NODE_AUTH_TOKEN
-          NPM_TAG="${{ github.event.release.prerelease && 'next' || 'latest' }}"
-          pnpm publish --tag "$NPM_TAG" --access public --no-git-checks --provenance
+        run: npm publish --tag latest --access public --provenance

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.5.0"
+  ".": "0.7.2"
 }

CHANGELOG.md

@@ -4,6 +4,71 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.7.2](https://github.com/workos/cli/compare/v0.7.1...v0.7.2) (2026-02-19)
+
+
+### Bug Fixes
+
+* Correct issue submission links ([#66](https://github.com/workos/cli/issues/66)) ([8c3e026](https://github.com/workos/cli/commit/8c3e0267afcb78afa15df3ffd2ce1c5b2984a3cd))
+
+## [0.7.1](https://github.com/workos/cli/compare/v0.7.0...v0.7.1) (2026-02-18)
+
+
+### Bug Fixes
+
+* ground AI analysis in SDK documentation ([#64](https://github.com/workos/cli/issues/64)) ([db8d6e3](https://github.com/workos/cli/commit/db8d6e32c56f7467c0a041a4de26d24fea50efd1))
+
+## [0.7.0](https://github.com/workos/cli/compare/v0.6.0...v0.7.0) (2026-02-18)
+
+
+### Features
+
+* add environment, organization, and user management commands ([#59](https://github.com/workos/cli/issues/59)) ([cc590b0](https://github.com/workos/cli/commit/cc590b019831c9d57b17bb64d6b7f31de71a1510))
+* major workos doctor overhaul — visual refresh, multi-language, AI analysis ([#62](https://github.com/workos/cli/issues/62)) ([014fbbc](https://github.com/workos/cli/commit/014fbbcfe63959df379f59309caf73adae32f585))
+
+
+### Bug Fixes
+
+* improve installer skill and remove shell: true from spawn calls ([#63](https://github.com/workos/cli/issues/63)) ([92ff704](https://github.com/workos/cli/commit/92ff7042409435483e0aab9c861bd99c144d6a04))
+* replace dotenv devDependency with inline env parser in doctor ([#61](https://github.com/workos/cli/issues/61)) ([4c7553f](https://github.com/workos/cli/commit/4c7553fa8a2adff859c3e2bac63e59352a83bc8f))
+
+## [0.6.0](https://github.com/workos/cli/compare/v0.5.4...v0.6.0) (2026-02-14)
+
+
+### Features
+
+* agent self-correction via validation feedback loop ([#57](https://github.com/workos/cli/issues/57)) ([920fc87](https://github.com/workos/cli/commit/920fc87874511550d193fc3a903c845baaf1ad0d))
+
+## [0.5.4](https://github.com/workos/cli/compare/v0.5.3...v0.5.4) (2026-02-13)
+
+
+### Bug Fixes
+
+* restore workflow_call and remove registry-url for OIDC ([1025e57](https://github.com/workos/cli/commit/1025e57bdd4f647d3a7fb054eae11b3fc18016db))
+
+## [0.5.3](https://github.com/workos/cli/compare/v0.5.2...v0.5.3) (2026-02-13)
+
+
+### Bug Fixes
+
+* remove registry-url from setup-node to unblock OIDC auth ([75a94bb](https://github.com/workos/cli/commit/75a94bb575c338fa4714f81103cff775e615cd05))
+* trigger release.yml directly via release event for OIDC match ([b7e737d](https://github.com/workos/cli/commit/b7e737d9fb4df9924951203bc2c6939e673a6ddb))
+
+## [0.5.2](https://github.com/workos/cli/compare/v0.5.1...v0.5.2) (2026-02-13)
+
+
+### Bug Fixes
+
+* use npm publish for OIDC trusted publishing support ([40fbbf9](https://github.com/workos/cli/commit/40fbbf995d75a3a34e39dcee714153dd2b84511e))
+
+## [0.5.1](https://github.com/workos/cli/compare/v0.5.0...v0.5.1) (2026-02-13)
+
+
+### Bug Fixes
+
+* prefer existing middleware.ts over proxy.ts for Next.js 16+ ([#52](https://github.com/workos/cli/issues/52)) ([83f3ef0](https://github.com/workos/cli/commit/83f3ef0b2c060647475bd073dc1ed99ec14e48e8))
+* remove duplicate release trigger causing publish race condition ([b0935d8](https://github.com/workos/cli/commit/b0935d87460628028b71c29584e7b023db894da8))
+
 ## [0.5.0](https://github.com/workos/cli/compare/v0.4.5...v0.5.0) (2026-02-11)
 
 

CLAUDE.md

@@ -1,29 +1,39 @@
-# installer
+# workos CLI
 
-AI-powered CLI installer that automatically installs WorkOS AuthKit into web projects.
+WorkOS CLI for installing AuthKit integrations and managing WorkOS resources (organizations, users, environments).
 
 ## Project Structure
 
 ```
-installer/
-├── src/
-│   ├── bin.ts              # CLI entry point
-│   ├── cli.config.ts       # App configuration (model, URLs, etc.)
-│   ├── run.ts              # Entry point, orchestrates installer flow
-│   ├── lib/
-│   │   ├── agent-interface.ts  # Claude Agent SDK integration
-│   │   ├── agent-runner.ts     # Builds prompts, runs agent
-│   │   ├── config.ts           # Framework detection config
-│   │   ├── constants.ts        # Integration enum, shared constants
-│   │   ├── credential-proxy.ts # Token refresh proxy for long sessions
-│   │   └── ensure-auth.ts      # Startup auth guard with token refresh
-│   ├── dashboard/          # Ink/React TUI components
-│   ├── nextjs/             # Next.js installer agent
-│   ├── react/              # React SPA installer agent
-│   ├── react-router/       # React Router installer agent
-│   ├── tanstack-start/     # TanStack Start installer agent
-│   └── vanilla-js/         # Vanilla JS installer agent
-└── ...
+src/
+├── bin.ts                    # CLI entry point (yargs command routing)
+├── cli.config.ts             # App configuration (model, URLs, etc.)
+├── run.ts                    # Installer orchestration entry point
+├── lib/
+│   ├── agent-interface.ts    # Claude Agent SDK integration
+│   ├── agent-runner.ts       # Builds prompts, runs agent
+│   ├── config.ts             # Framework detection config
+│   ├── constants.ts          # Integration enum, shared constants
+│   ├── credential-store.ts   # OAuth credential storage (keyring + file fallback)
+│   ├── config-store.ts       # Environment config storage (keyring + file fallback)
+│   ├── api-key.ts            # API key resolution (env var → flag → config)
+│   ├── workos-api.ts         # Generic WorkOS REST API client
+│   ├── credential-proxy.ts   # Token refresh proxy for long sessions
+│   └── ensure-auth.ts        # Startup auth guard with token refresh
+├── commands/
+│   ├── env.ts                # workos env (add/remove/switch/list)
+│   ├── organization.ts       # workos organization (create/update/get/list/delete)
+│   ├── user.ts               # workos user (get/list/update/delete)
+│   ├── install.ts            # workos install
+│   └── login.ts / logout.ts  # Auth commands
+├── dashboard/                # Ink/React TUI components
+├── nextjs/                   # Next.js installer agent
+├── react/                    # React SPA installer agent
+├── react-router/             # React Router installer agent
+├── tanstack-start/           # TanStack Start installer agent
+├── vanilla-js/               # Vanilla JS installer agent
+└── utils/
+    └── table.ts              # Terminal table formatter
 ```
 
 ## Key Architecture
@@ -32,6 +42,8 @@ installer/
 - **Event Emitter**: `InstallerEventEmitter` bridges agent execution ↔ TUI for real-time updates
 - **Framework Detection**: Each integration has a `detect()` function in `config.ts`
 - **Permission Hook**: `installerCanUseTool()` in `agent-interface.ts` restricts Bash to safe commands only
+- **Config Store**: `config-store.ts` stores environment configs (API keys, endpoints) in system keyring with file fallback
+- **WorkOS API Client**: `workos-api.ts` is a generic fetch wrapper for any WorkOS REST endpoint
 
 ## CLI Modes
 
@@ -93,11 +105,16 @@ pnpm test         # Run tests
 pnpm typecheck    # Type check
 ```
 
-## Testing the Installer
+## Testing
 
 ```bash
 # Run installer in a test project
 cd /path/to/test-app && workos dashboard
+
+# Test management commands
+workos env add sandbox sk_test_xxx
+workos organization list
+workos user list
 ```
 
 ## Adding a New Framework
@@ -106,3 +123,10 @@ cd /path/to/test-app && workos dashboard
 2. Add to `Integration` enum in `lib/constants.ts`
 3. Add detection logic in `lib/config.ts`
 4. Wire up in `run.ts` switch statement
+
+## Adding a New Resource Command
+
+1. Create `src/commands/{resource}.ts` with command handlers (uses `workos-api.ts`)
+2. Create `src/commands/{resource}.spec.ts` with mocked API tests
+3. Register in `src/bin.ts` as a yargs command group with subcommands
+4. Commands use `resolveApiKey()` from `api-key.ts` for auth

DEVELOPMENT.md

@@ -3,39 +3,43 @@
 ## Project Structure
 
 ```
-installer/
-├── src/
-│   ├── bin.ts                # CLI entry point
-│   ├── cli.config.ts         # App configuration (model, URLs)
-│   ├── run.ts                # Entry point
-│   ├── lib/
-│   │   ├── agent-runner.ts       # Core agent execution
-│   │   ├── agent-interface.ts    # SDK interface
-│   │   ├── installer-core.ts     # Headless installer core
-│   │   ├── config.ts             # Framework detection config
-│   │   ├── framework-config.ts   # Framework definitions
-│   │   ├── constants.ts          # Integration types
-│   │   ├── events.ts             # InstallerEventEmitter
-│   │   ├── credential-proxy.ts   # Token refresh proxy for long sessions
-│   │   ├── ensure-auth.ts        # Startup auth guard
-│   │   ├── background-refresh.ts # Background token refresh
-│   │   └── adapters/             # CLI and dashboard adapters
-│   ├── commands/                 # Subcommands (install-skill, login, logout)
-│   ├── steps/                    # Installer step implementations
-│   ├── dashboard/                # Ink/React TUI components
-│   ├── nextjs/                   # Next.js installer agent
-│   ├── react/                    # React SPA installer agent
-│   ├── react-router/             # React Router installer agent
-│   ├── tanstack-start/           # TanStack Start installer agent
-│   ├── vanilla-js/               # Vanilla JS installer agent
-│   └── utils/
-│       ├── clack-utils.ts        # CLI prompts
-│       ├── debug.ts              # Logging with redaction
-│       ├── redact.ts             # Credential redaction
-│       ├── package-manager.ts    # Package manager detection
-│       └── ...                   # Additional utilities
-├── tsconfig.json             # TypeScript config
-└── package.json              # Dependencies and scripts
+src/
+├── bin.ts                    # CLI entry point (yargs command routing)
+├── cli.config.ts             # App configuration (model, URLs)
+├── run.ts                    # Installer orchestration entry point
+├── lib/
+│   ├── agent-runner.ts       # Core agent execution
+│   ├── agent-interface.ts    # Claude Agent SDK interface
+│   ├── installer-core.ts     # Headless installer core (XState)
+│   ├── config.ts             # Framework detection config
+│   ├── constants.ts          # Integration types, shared constants
+│   ├── credential-store.ts   # OAuth credential storage (keyring + file fallback)
+│   ├── config-store.ts       # Environment config storage (keyring + file fallback)
+│   ├── api-key.ts            # API key resolution (env var → flag → config)
+│   ├── workos-api.ts         # Generic WorkOS REST API client
+│   ├── credential-proxy.ts   # Token refresh proxy for long sessions
+│   ├── ensure-auth.ts        # Startup auth guard
+│   └── adapters/             # CLI and dashboard adapters
+├── commands/
+│   ├── env.ts                # workos env (add/remove/switch/list)
+│   ├── organization.ts       # workos organization (create/update/get/list/delete)
+│   ├── user.ts               # workos user (get/list/update/delete)
+│   ├── install.ts            # workos install
+│   ├── install-skill.ts      # workos install-skill
+│   ├── login.ts              # workos login
+│   └── logout.ts             # workos logout
+├── dashboard/                # Ink/React TUI components
+├── nextjs/                   # Next.js installer agent
+├── react/                    # React SPA installer agent
+├── react-router/             # React Router installer agent
+├── tanstack-start/           # TanStack Start installer agent
+├── vanilla-js/               # Vanilla JS installer agent
+└── utils/
+    ├── table.ts              # Terminal table formatter
+    ├── clack-utils.ts        # CLI prompts
+    ├── debug.ts              # Logging with redaction
+    ├── redact.ts             # Credential redaction
+    └── ...                   # Additional utilities
 ```
 
 ## Setup
@@ -54,9 +58,14 @@ pnpm build
 # Build, link globally, and watch for changes
 pnpm dev
 
-# Test locally in another project
+# Test installer in another project
 cd /path/to/test/nextjs-app
 workos dashboard
+
+# Test management commands
+workos env add sandbox sk_test_xxx
+workos organization list
+workos user list
 ```
 
 ## Commands

README.md

@@ -1,6 +1,6 @@
 # workos
 
-AI-powered CLI that automatically integrates WorkOS AuthKit into web applications.
+WorkOS CLI for installing AuthKit integrations and managing WorkOS resources.
 
 ## Installation
 
@@ -45,29 +45,65 @@ Get your credentials from [dashboard.workos.com](https://dashboard.workos.com):
 ## CLI Options
 
 ```bash
-workos [options] [command]
+workos [command]
 
 Commands:
-  dashboard              Run with visual TUI dashboard (experimental)
+  install                Install WorkOS AuthKit into your project
+  dashboard              Run installer with visual TUI dashboard (experimental)
   login                  Authenticate with WorkOS via Connect OAuth device flow
   logout                 Remove stored credentials
-  install-skill          Install AuthKit skills to coding agents (Claude Code, Codex, etc.)
-    --list, -l           List available skills without installing
-    --skill, -s          Install specific skill(s)
-    --agent, -a          Target agent(s): claude-code, codex, cursor, goose
+  env                    Manage environment configurations
+  organization           Manage organizations
+  user                   Manage users
+  doctor                 Diagnose WorkOS integration issues
+  install-skill          Install AuthKit skills to coding agents
+```
+
+### Environment Management
+
+```bash
+workos env add [name] [apiKey]   # Add environment (interactive if no args)
+workos env remove <name>         # Remove an environment
+workos env switch [name]         # Switch active environment
+workos env list                  # List environments with active indicator
+```
+
+API keys are stored in the system keychain via `@napi-rs/keyring`, with a JSON file fallback at `~/.workos/config.json`.
+
+### Organization Management
+
+```bash
+workos organization create <name> [domain:state ...]
+workos organization update <orgId> <name> [domain] [state]
+workos organization get <orgId>
+workos organization list [--domain] [--limit] [--before] [--after] [--order]
+workos organization delete <orgId>
+```
+
+### User Management
+
+```bash
+workos user get <userId>
+workos user list [--email] [--organization] [--limit] [--before] [--after] [--order]
+workos user update <userId> [--first-name] [--last-name] [--email-verified] [--password] [--external-id]
+workos user delete <userId>
+```
+
+Management commands resolve API keys via: `WORKOS_API_KEY` env var → `--api-key` flag → active environment's stored key.
+
+### Installer Options
+
+```bash
+workos install [options]
 
-Options:
   --direct, -D            Use your own Anthropic API key (bypass llm-gateway)
   --integration <name>    Framework: nextjs, react, react-router, tanstack-start, vanilla-js
-  --redirect-uri <uri>    Custom redirect URI (defaults to framework convention)
-  --homepage-url <url>    Custom homepage URL (defaults to http://localhost:{port})
+  --redirect-uri <uri>    Custom redirect URI
+  --homepage-url <url>    Custom homepage URL
   --install-dir <path>    Installation directory
-  --no-validate           Skip post-installation validation (includes build check)
+  --no-validate           Skip post-installation validation
   --force-install         Force install packages even if peer dependency checks fail
   --debug                 Enable verbose logging
-
-Environment Variables:
-  WORKOS_TELEMETRY=false  Disable telemetry collection
 ```
 
 ## Examples
@@ -95,7 +131,7 @@ workos login
 workos logout
 ```
 
-Credentials are stored in `~/.workos/credentials.json`. Access tokens are not persisted long-term for security - users re-authenticate when tokens expire.
+OAuth credentials are stored in the system keychain (with `~/.workos/credentials.json` fallback). Access tokens are not persisted long-term for security - users re-authenticate when tokens expire.
 
 ## How It Works