fix: prevent registerSubcommand from injecting false positional args (#111)

nicknisi · web-flow · commit effe187629ee · 2026-03-31T15:04:27.000-05:00
* fix: prevent registerSubcommand from injecting false positional args

The enriched usage string (e.g., `create --slug &lt;string&gt; --name &lt;string&gt;`)
was passed directly as the yargs command string. Yargs interprets `&lt;...&gt;`
tokens in command strings as required positional arguments, causing commands
like `permission create` and `role create` to demand phantom positional
args alongside the actual named options.

Move the enriched string to `.usage()` (display-only for help text) and
pass only the original command string to `yargs.command()`.

Fixes: commands with demandOption flags (permission create, role create,
invitation create, seed, etc.) rejecting valid `--flag value` invocations
with "Not enough non-option arguments".

* chore: formatting

* test: add parsing regression tests for all affected commands

Exercises yargs arg parsing end-to-end for all 16 commands that use
registerSubcommand with demandOption named flags. Each test verifies
that standard --flag syntax is accepted without "Not enough non-option
arguments" errors.

The existing smoke test bypasses yargs entirely (calls handlers directly),
so it could not catch the parsing bug. These tests fill that gap.

* fix: enrich description instead of command string for required flags

Move the required-flag annotation from the yargs command string to the
description. This fixes two issues with the previous approach:

- P2: `$0` in `.usage()` resolved to the root script name, so nested
  commands like `workos role create --help` showed `workos create ...`
  instead of `workos role create ...`
- P3: parent help lost enrichment entirely since the command string was
  reverted to plain usage

Now parent help shows e.g.:
  create   Create a permission (requires --slug, --name)

Positional args already visible in the command string (e.g., &lt;slug&gt;) are
excluded from the description enrichment to avoid redundancy.

* fix: skip description enrichment when flag already mentioned

Commands like `role delete` and `role remove-permission` already include
`(requires --org)` in their description. The enrichment helper now
filters out flags that the description already references, preventing
duplicated text like `(requires --org) (requires --org)`.

* chore: formatting

* chore: simplify regression tests with parameterized it.each

Convert 15 copy-paste test cases into data-driven it.each blocks and
remove unused YargsOptions fields (string, number, boolean arrays).
diff --git a/src/utils/register-subcommand.parsing.spec.ts b/src/utils/register-subcommand.parsing.spec.ts
@@ -0,0 +1,226 @@
+/**
+ * Regression tests for registerSubcommand arg parsing.
+ *
+ * Verifies that commands with demandOption named flags accept standard
+ * --flag syntax without yargs demanding phantom positional arguments.
+ *
+ * Bug: registerSubcommand previously appended `--slug <string>` to the yargs
+ * command string, causing yargs to interpret <string> as required positionals.
+ */
+import { describe, it, expect } from 'vitest';
+import yargs from 'yargs';
+import type { Options, PositionalOptions } from 'yargs';
+import { registerSubcommand } from './register-subcommand.js';
+
+/** Build a yargs parser with a single registerSubcommand call, capturing parse failures. */
+function buildParser(usage: string, builder: (y: yargs.Argv) => yargs.Argv) {
+  let failMessage: string | undefined;
+  let handlerArgs: Record<string, unknown> | undefined;
+  const parser = yargs([])
+    .exitProcess(false)
+    .fail((msg) => {
+      failMessage = msg;
+    });
+  registerSubcommand(parser, usage, 'test', builder, async (argv) => {
+    handlerArgs = argv;
+  });
+  return {
+    parseAsync: async (args: string[]) => {
+      await parser.parseAsync(args);
+      return handlerArgs!;
+    },
+    getError: () => failMessage,
+  };
+}
+
+interface OptionsOnlyCase {
+  name: string;
+  usage: string;
+  options: Record<string, Options>;
+  args: string[];
+  expected: Record<string, unknown>;
+}
+
+interface MixedPositionalCase extends OptionsOnlyCase {
+  positionals: Record<string, PositionalOptions>;
+}
+
+describe('registerSubcommand parsing (regression)', () => {
+  const optionsOnlyCases: OptionsOnlyCase[] = [
+    {
+      name: 'role create: --slug --name',
+      usage: 'create',
+      options: {
+        slug: { type: 'string', demandOption: true },
+        name: { type: 'string', demandOption: true },
+        description: { type: 'string' },
+      },
+      args: ['create', '--slug', 'admin', '--name', 'Admin'],
+      expected: { slug: 'admin', name: 'Admin' },
+    },
+    {
+      name: 'membership create: --org --user',
+      usage: 'create',
+      options: {
+        org: { type: 'string', demandOption: true },
+        user: { type: 'string', demandOption: true },
+        role: { type: 'string' },
+      },
+      args: ['create', '--org', 'org_1', '--user', 'user_1'],
+      expected: { org: 'org_1', user: 'user_1' },
+    },
+    {
+      name: 'invitation send: --email',
+      usage: 'send',
+      options: {
+        email: { type: 'string', demandOption: true },
+        org: { type: 'string' },
+        role: { type: 'string' },
+      },
+      args: ['send', '--email', 'a@b.com'],
+      expected: { email: 'a@b.com' },
+    },
+    {
+      name: 'directory list-groups: --directory',
+      usage: 'list-groups',
+      options: {
+        directory: { type: 'string', demandOption: true },
+        limit: { type: 'number' },
+      },
+      args: ['list-groups', '--directory', 'dir_1'],
+      expected: { directory: 'dir_1' },
+    },
+    {
+      name: 'event list: --events',
+      usage: 'list',
+      options: {
+        events: { type: 'string', demandOption: true },
+        after: { type: 'string' },
+      },
+      args: ['list', '--events', 'user.created'],
+      expected: { events: 'user.created' },
+    },
+    {
+      name: 'audit-log export: --org --range-start --range-end',
+      usage: 'export',
+      options: {
+        org: { type: 'string', demandOption: true },
+        'range-start': { type: 'string', demandOption: true },
+        'range-end': { type: 'string', demandOption: true },
+      },
+      args: ['export', '--org', 'org_1', '--range-start', '2026-01-01', '--range-end', '2026-01-31'],
+      expected: { org: 'org_1' },
+    },
+    {
+      name: 'webhook create: --url --events',
+      usage: 'create',
+      options: {
+        url: { type: 'string', demandOption: true },
+        events: { type: 'string', demandOption: true },
+      },
+      args: ['create', '--url', 'https://example.com', '--events', 'user.created'],
+      expected: { url: 'https://example.com', events: 'user.created' },
+    },
+    {
+      name: 'portal generate-link: --intent --org',
+      usage: 'generate-link',
+      options: {
+        intent: { type: 'string', demandOption: true },
+        org: { type: 'string', demandOption: true },
+        'return-url': { type: 'string' },
+      },
+      args: ['generate-link', '--intent', 'sso', '--org', 'org_1'],
+      expected: { intent: 'sso', org: 'org_1' },
+    },
+    {
+      name: 'vault create: --name --value',
+      usage: 'create',
+      options: {
+        name: { type: 'string', demandOption: true },
+        value: { type: 'string', demandOption: true },
+        org: { type: 'string' },
+      },
+      args: ['create', '--name', 'secret', '--value', 'abc123'],
+      expected: { name: 'secret', value: 'abc123' },
+    },
+    {
+      name: 'api-key list: --org',
+      usage: 'list',
+      options: {
+        org: { type: 'string', demandOption: true },
+        limit: { type: 'number' },
+      },
+      args: ['list', '--org', 'org_1'],
+      expected: { org: 'org_1' },
+    },
+    {
+      name: 'api-key create: --org --name',
+      usage: 'create',
+      options: {
+        org: { type: 'string', demandOption: true },
+        name: { type: 'string', demandOption: true },
+        permissions: { type: 'string' },
+      },
+      args: ['create', '--org', 'org_1', '--name', 'my-key'],
+      expected: { org: 'org_1', name: 'my-key' },
+    },
+  ];
+
+  it.each(optionsOnlyCases)('$name', async ({ usage, options, args, expected }) => {
+    const { parseAsync, getError } = buildParser(usage, (y) => y.options(options));
+    const argv = await parseAsync(args);
+    expect(getError()).toBeUndefined();
+    for (const [key, value] of Object.entries(expected)) {
+      expect(argv[key]).toBe(value);
+    }
+  });
+
+  const mixedPositionalCases: MixedPositionalCase[] = [
+    {
+      name: 'role set-permissions <slug>: --permissions',
+      usage: 'set-permissions <slug>',
+      positionals: { slug: { type: 'string', demandOption: true } },
+      options: { permissions: { type: 'string', demandOption: true } },
+      args: ['set-permissions', 'admin', '--permissions', 'read,write'],
+      expected: { slug: 'admin', permissions: 'read,write' },
+    },
+    {
+      name: 'vault update <id>: --value',
+      usage: 'update <id>',
+      positionals: { id: { type: 'string', demandOption: true } },
+      options: { value: { type: 'string', demandOption: true }, 'version-check': { type: 'string' } },
+      args: ['update', 'vault_1', '--value', 'new-secret'],
+      expected: { id: 'vault_1', value: 'new-secret' },
+    },
+    {
+      name: 'audit-log create-schema <action>: --file',
+      usage: 'create-schema <action>',
+      positionals: { action: { type: 'string', demandOption: true } },
+      options: { file: { type: 'string', demandOption: true } },
+      args: ['create-schema', 'user.login', '--file', 'schema.json'],
+      expected: { action: 'user.login', file: 'schema.json' },
+    },
+    {
+      name: 'org-domain create <domain>: --org',
+      usage: 'create <domain>',
+      positionals: { domain: { type: 'string', demandOption: true } },
+      options: { org: { type: 'string', demandOption: true } },
+      args: ['create', 'example.com', '--org', 'org_1'],
+      expected: { domain: 'example.com', org: 'org_1' },
+    },
+  ];
+
+  it.each(mixedPositionalCases)('$name', async ({ usage, positionals, options, args, expected }) => {
+    const { parseAsync, getError } = buildParser(usage, (y) => {
+      for (const [key, opts] of Object.entries(positionals)) {
+        y.positional(key, opts);
+      }
+      return y.options(options);
+    });
+    const argv = await parseAsync(args);
+    expect(getError()).toBeUndefined();
+    for (const [key, value] of Object.entries(expected)) {
+      expect(argv[key]).toBe(value);
+    }
+  });
+});
diff --git a/src/utils/register-subcommand.spec.ts b/src/utils/register-subcommand.spec.ts
@@ -3,7 +3,7 @@ import yargs from 'yargs';
 import { registerSubcommand } from './register-subcommand.js';
 
 describe('registerSubcommand', () => {
-  it('enriches usage with one required string option', () => {
+  it('enriches description with required flag names', () => {
     const parent = yargs([]);
     const commandSpy = vi.spyOn(parent, 'command');
 
@@ -16,14 +16,14 @@ describe('registerSubcommand', () => {
     );
 
     expect(commandSpy).toHaveBeenCalledWith(
-      'create --name <string>',
-      'Create a resource',
+      'create',
+      'Create a resource (requires --name)',
       expect.any(Function),
       expect.any(Function),
     );
   });
 
-  it('enriches usage with multiple required options', () => {
+  it('enriches description with multiple required flags', () => {
     const parent = yargs([]);
     const commandSpy = vi.spyOn(parent, 'command');
 
@@ -39,12 +39,13 @@ describe('registerSubcommand', () => {
       async () => {},
     );
 
-    const usageArg = commandSpy.mock.calls[0]![0] as string;
-    expect(usageArg).toContain('--email <string>');
-    expect(usageArg).toContain('--org-id <string>');
+    const descArg = commandSpy.mock.calls[0]![1] as string;
+    expect(descArg).toContain('requires');
+    expect(descArg).toContain('--email');
+    expect(descArg).toContain('--org-id');
   });
 
-  it('leaves usage unchanged when no required options', () => {
+  it('leaves description unchanged when no required options', () => {
     const parent = yargs([]);
     const commandSpy = vi.spyOn(parent, 'command');
 
@@ -59,24 +60,29 @@ describe('registerSubcommand', () => {
     expect(commandSpy).toHaveBeenCalledWith('list', 'List resources', expect.any(Function), expect.any(Function));
   });
 
-  it('preserves positional args and appends required options', () => {
+  it('excludes positional args from description enrichment', () => {
     const parent = yargs([]);
     const commandSpy = vi.spyOn(parent, 'command');
 
     registerSubcommand(
       parent,
-      'remove <name>',
-      'Remove a resource',
-      (y) => y.options({ force: { type: 'boolean', demandOption: true, describe: 'Force removal' } }),
+      'update <slug>',
+      'Update a resource',
+      (y) =>
+        y
+          .positional('slug', { type: 'string', demandOption: true })
+          .options({ value: { type: 'string', demandOption: true, describe: 'Value' } }),
       async () => {},
     );
 
-    const usageArg = commandSpy.mock.calls[0]![0] as string;
-    expect(usageArg).toMatch(/^remove <name>/);
-    expect(usageArg).toContain('--force <boolean>');
+    const cmdArg = commandSpy.mock.calls[0]![0] as string;
+    const descArg = commandSpy.mock.calls[0]![1] as string;
+    expect(cmdArg).toBe('update <slug>');
+    expect(descArg).toContain('--value');
+    expect(descArg).not.toContain('--slug');
   });
 
-  it('filters out help and version from enriched options', () => {
+  it('filters out help and version from enriched flags', () => {
     const parent = yargs([]);
     const commandSpy = vi.spyOn(parent, 'command');
 
@@ -88,27 +94,41 @@ describe('registerSubcommand', () => {
       async () => {},
     );
 
-    const usageArg = commandSpy.mock.calls[0]![0] as string;
-    expect(usageArg).not.toContain('--help');
-    expect(usageArg).not.toContain('--version');
-    expect(usageArg).toContain('--id <string>');
+    const descArg = commandSpy.mock.calls[0]![1] as string;
+    expect(descArg).not.toContain('--help');
+    expect(descArg).not.toContain('--version');
+    expect(descArg).toContain('--id');
+  });
+
+  it('passes original builder directly (no wrapper)', () => {
+    const parent = yargs([]);
+    const commandSpy = vi.spyOn(parent, 'command');
+    const builder = (y: yargs.Argv) => y.options({ count: { type: 'number', demandOption: true, describe: 'Count' } });
+
+    registerSubcommand(parent, 'set', 'Set a value', builder, async () => {});
+
+    // Builder is passed through directly — no wrapper
+    expect(commandSpy).toHaveBeenCalledWith('set', 'Set a value (requires --count)', builder, expect.any(Function));
   });
 
-  it('handles number type option', () => {
+  it('skips enrichment when description already mentions the flag', () => {
     const parent = yargs([]);
     const commandSpy = vi.spyOn(parent, 'command');
 
     registerSubcommand(
       parent,
-      'set',
-      'Set a value',
-      (y) => y.options({ count: { type: 'number', demandOption: true, describe: 'Count' } }),
+      'delete <slug>',
+      'Delete an org-scoped role (requires --org)',
+      (y) =>
+        y
+          .positional('slug', { type: 'string', demandOption: true })
+          .options({ org: { type: 'string', demandOption: true } }),
       async () => {},
     );
 
     expect(commandSpy).toHaveBeenCalledWith(
-      'set --count <number>',
-      'Set a value',
+      'delete <slug>',
+      'Delete an org-scoped role (requires --org)',
       expect.any(Function),
       expect.any(Function),
     );
@@ -126,7 +146,7 @@ describe('registerSubcommand', () => {
     expect(result).toBe(parent);
   });
 
-  it('falls back to unenriched usage when builder throws', () => {
+  it('falls back to unenriched description when builder throws', () => {
     const parent = yargs([]);
     const commandSpy = vi.spyOn(parent, 'command');
 
diff --git a/src/utils/register-subcommand.ts b/src/utils/register-subcommand.ts
