Commits on Mar 5, 2026

1. chore: expand eval coverage for backend SDKs and SvelteKit (#78) …

   * chore: standardize README URLs and document fixture conventions
   
   Switch all SKILL.md WebFetch URLs from github.com/blob/ (HTML) to
   raw.githubusercontent.com (plain text) for cleaner parsing. Add
   tests/fixtures/README.md documenting fixture state conventions and
   per-language guidance for upcoming backend SDK eval expansion.
   
   * feat: expand backend SDK and SvelteKit eval coverage
   
   Add partial-install and conflicting-auth fixtures for all 8 backend
   SDKs (Node, Python, Ruby, Go, PHP, PHP-Laravel, Kotlin, Elixir) and
   expand SvelteKit from 1 to 5 test states. Each backend SDK now has
   4 eval states (up from 2), matching frontend skill coverage.
   
   Includes:
   - 20 new fixture directories with validated, buildable projects
   - SKILL.md updates with partial install recovery and conflicting
     auth detection sections for 9 skills
   - Grader bonus checks for preserved routes and conflicting auth
   - 24 new eval scenarios registered in runner.ts
   
   * chore: standardize frontend skill verification checklists
   
   Align React, React Router, TanStack Start, and Vanilla JS skills
   to match the Next.js verification checklist pattern: numbered bash
   commands with comments, "(ALL MUST PASS)" header, and recovery
   guidance for critical checks.
   
   * fix: bump workos-php-laravel to ^5.0 in partial-install fixture
   
   v1.x-v2.x require illuminate/support ^5-9 via workos-php, which
   conflicts with Laravel 11. v5.x requires workos-php ^4.29 with no
   illuminate/support constraint, resolving the conflict.
   
   * chore: formatting
   
   * fix: correct SvelteKit SDK package name to @workos/authkit-sveltekit
   
   Steps 3, 4, and error recovery still referenced the old @workos-inc
   namespace. The npm package is @workos/authkit-sveltekit.
   
   * fix: bump gin to v1.10.0 in Go fixtures to resolve CVE
   
   gin v1.9.1 pulled in golang.org/x/net v0.10.0 which has a High CVE
   (GHSA-4374-p667-p6c8, HTTP/2 rapid reset). gin v1.10.0 brings in
   golang.org/x/net v0.25.0 which is patched.
   
   * chore: formatting

   

   nicknisi authored Mar 5, 2026
   Configuration menu

   • View commit details
   • Copy full SHA for a1c1518
   • Browse repository at this point

   Copy the full SHA

   a1c1518 View commit details

   Browse the repository at this point in the history

2. feat!: move login/logout to auth subcommand, add auth status (#84) …

   * feat!: move login/logout to auth subcommand, add auth status
   
   BREAKING CHANGE: `workos login` and `workos logout` are now
   `workos auth login` and `workos auth logout`.
   
   New `workos auth status` command shows current auth state:
   - Logged in email/userId
   - Token expiry (time remaining or how long ago it expired)
   - Refresh token presence
   - Active environment name and type
   - Supports --json for machine-readable output
   
   All error messages referencing `workos login` updated to
   `workos auth login`.
   
   * chore: formatting and linting fixes
   
   * feat: add credential audit log for debugging auth loss
   
   Writes timestamped entries to ~/.workos/audit.log for every credential
   mutation: SAVE_CREDENTIALS, CLEAR_CREDENTIALS, UPDATE_TOKENS, and
   GET_CREDENTIALS (when returning null). Logs only non-sensitive metadata:
   email, userId, token expiry, refresh token presence, storage backend,
   and caller stack frame. Never logs tokens or API keys.
   
   Disabled automatically in test environments (VITEST).
   
   * fix: guard keyring operations behind insecure storage flag
   
   When forceInsecureStorage is true, all keyring read/write/delete
   operations are now no-ops. Previously, deleteFromKeyring() would
   still hit the real system keychain even in insecure-storage mode,
   meaning tests using setInsecureStorage(true) could wipe real
   credentials from the keychain.
   
   This was the root cause of credentials mysteriously vanishing
   after running tests.
   
   * Revert "fix: guard keyring operations behind insecure storage flag"
   
   This reverts commit e8b74d1.
   
   * Revert "feat: add credential audit log for debugging auth loss"
   
   This reverts commit 2d78cf5.
   
   * docs: update README auth commands to use auth subcommand
   
   * fix: use plain colored output for auth status instead of clack
   
   * fix: add blank line after update notice to separate from command output
   
   * fix: use plain colored output for login already-authenticated messages
   
   * fix: suppress update notice in JSON mode to keep stdout clean
   
   * fix: review fixes — isJsonMode guard, missed string ref, double newline
   
   - bin.ts: use isJsonMode() instead of hasJsonFlag to suppress update
     notice in all JSON contexts (including non-TTY auto-detection)
   - ensure-auth.ts: fix missed workos login → workos auth login at line 94
   - version-check.ts: fix double blank line (console.log already adds \n)
   - Update CLAUDE.md, DEVELOPMENT.md, SKILL.md references

   

   nicknisi authored Mar 5, 2026
   Configuration menu

   • View commit details
   • Copy full SHA for b86c39b
   • Browse repository at this point

   Copy the full SHA

   b86c39b View commit details

   Browse the repository at this point in the history

3. chore(main): release 0.9.0 (#85) …

   Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

   

   github-actions[bot] authored Mar 5, 2026
   Configuration menu

   • View commit details
   • Copy full SHA for 95d17f1
   • Browse repository at this point

   Copy the full SHA

   95d17f1 View commit details

   Browse the repository at this point in the history