feat: full WorkOS API emulator (emulate, dev, RBAC, webhooks, events, 84% API coverage) (#100)

* feat: add `workos emulate` command and programmatic emulator API

Port the WorkOS emulator from vercel-labs/emulate into the CLI as a
`workos emulate` command with a `workos/emulate` programmatic API.

Core infrastructure (store, ID generation, cursor pagination, JWT,
Hono server factory, auth/error middleware) lives in src/emulate/core/.
WorkOS-specific plugin (12 route files covering organizations, users,
memberships, connections, SSO, auth flows) lives in src/emulate/workos/.

The emulator supports:
- CLI: `workos emulate --port 4100 --seed config.yaml --json`
- Programmatic: `createEmulator({ port: 0, seed: { users: [...] } })`
- Health check at /health
- Seed config via YAML/JSON (auto-detected or explicit path)
- Store reset for test isolation
- Random port assignment (port: 0) for parallel test suites

New dependencies: hono, @hono/node-server, jose

* feat: add workos dev command for local development with emulator

* feat: add pipes emulation routes for user/provider connections

* feat: add gen:routes codegen script for emulator route generation

Developer tool that reads a WorkOS OpenAPI spec (YAML/JSON) and generates
TypeScript entity types, store registrations, formatter helpers, and route
stubs matching the hand-written emulate patterns. Includes 46 unit tests
covering parsing, code generation, and idempotency.

* chore: formatting:

* docs: add local development section to README

Document workos emulate, workos dev, seed configuration, programmatic
API, and emulated endpoint coverage.

* fix: set decomposed SDK env vars in workos dev

authkit-nextjs (and the @workos-inc/node SDK) read WORKOS_API_HOSTNAME,
WORKOS_API_PORT, and WORKOS_API_HTTPS — not WORKOS_API_BASE_URL.

buildDevEnv now sets both styles so the emulator works with authkit SDKs
and direct consumers.

* feat: seed default test user in workos dev

workos dev now seeds a default user (test@example.com / password) and
organization so the AuthKit login flow works out of the box. The banner
prints the credentials for easy copy-paste.

Skipped when the user provides --seed or a workos-emulate.config.* file
is auto-detected in the project directory.

* chore: formatting:

* fix: address emulator review findings (API key, JWT issuer, cleanup, redirects)

- Expose apiKey on Emulator interface; use it in dev/emulate CLI output
  and buildDevEnv() so custom seed apiKeys propagate correctly
- Update JWT issuer to actual bound URL after port resolution, fixing
  iss mismatch when using port: 0
- Clean up password resets, email verifications, and magic auths on
  user deletion; harden password_reset/confirm to return 404 if user
  was deleted
- Restrict redirect_uri in authorize endpoints to localhost origins,
  preventing open-redirect abuse
- Remove unused jose dependency

* feat: emulator auth completeness + shared entity infrastructure

Add token refresh with rotation, logout redirects, multi-user authorize
(login_hint), impersonation, sealed sessions (AES-256-GCM), MFA
challenge/verify, device authorization, and AuthKit OAuth complete flow.

New grant types: refresh_token, mfa-totp, organization-selection, device_code.
Includes shared entity/store/helper infrastructure for all 4 API parity phases.

* feat: emulator user management — invitations, config, widgets

Add invitations CRUD (create/accept/revoke/resend/by-token), config
endpoints (redirect URIs, CORS origins, JWT template), user features
(authorized apps, connected accounts, data providers), and widget
token generation.

* feat: emulator authorization — RBAC roles, permissions, FGA resources

Add environment roles, org roles with priority ordering, permissions
CRUD, role-permission management, authorization resources, permission
checks, and role assignments. JWT tokens now include role and
permissions claims for org-scoped sessions.

* feat: emulator CRUD domains — directory sync, audit logs, feature flags, and more

Add 9 CRUD domains: Directory Sync, Audit Logs, Feature Flags, Connect,
Data Integrations, Radar, API Keys, Portal, and Legacy MFA. Each domain
follows the entity/store/helper/route pattern with full test coverage.

* feat: emulator events & webhooks — event bus, collection hooks, webhook delivery

Add cross-cutting event system with webhook delivery. Collection-level
hooks (Option A) auto-emit events on insert/update/delete for all major
entities. Hybrid route-level emission for action-specific events
(invitation accept/revoke, authentication succeeded).

Webhook endpoints CRUD with HMAC-SHA256 signed delivery (fire-and-forget,
5s timeout). Events API with paginated listing and type filtering.

Review: 2 cycles (6 findings in cycle 1, all resolved in cycle 2).

* chore: formatting:

* fix: resolve lint warnings in emulator spec files

Remove unused variables and imports flagged by oxlint:
- sessions.spec.ts: remove unused `req` helper and `headers` constant
- auth.spec.ts: remove unused `user` variable in impersonator test
- data-integrations.spec.ts: remove unused `getWorkOSStore` import and `store` variable
- event-bus.spec.ts: use non-null assertion instead of optional chaining

* feat: add emulator API coverage checker script

Compares the WorkOS OpenAPI spec against emulator route registrations
to report missing endpoints, extra endpoints, and coverage percentage.

Usage: pnpm check:coverage ~/Developer/workos/packages/api/open-api-spec.yaml

* fix: allow organization_id in refresh_token grant for switchToOrganization

The refresh token handler now reads organization_id from the request
body, falling back to the stored token's org. This enables the SDK's
switchToOrganization flow during token refresh.

* fix: alias /x/authkit/users/authenticate for SDK refresh token flow

The AuthKit SDK sends refresh_token grants to /x/authkit/users/authenticate
rather than /user_management/authenticate. Register the same handler on
both paths so the SDK's refreshTokens() and switchToOrganization() work
against the emulator.

* chore: update README

* docs: update README emulated endpoints table for phases 1-5

Add all new endpoint groups from auth completeness, user management,
authorization, CRUD domains, and events/webhooks phases. Add seed
config examples for roles, permissions, and webhook endpoints.

Author: nicknisi

README.md

@@ -77,6 +77,10 @@ Resource Management:
   api-key                Manage per-org API keys
   org-domain             Manage organization domains
 
+Local Development:
+  emulate                Start a local WorkOS API emulator
+  dev                    Start emulator + your app in one command
+
 Workflows:
   seed                   Declarative resource provisioning from YAML
   setup-org              One-shot organization onboarding
@@ -192,6 +196,158 @@ Inspects a directory's sync state, user/group counts, recent events, and detects
 workos debug-sync directory_01ABC123
 ```
 
+### Local Development
+
+Test your WorkOS integration locally without hitting the live API. The emulator provides a full in-memory WorkOS API replacement with all major endpoints.
+
+#### `workos dev` — One command to start everything
+
+The fastest way to develop locally. Starts the emulator and your app together, auto-detecting your framework and injecting the right environment variables.
+
+```bash
+# Auto-detects framework (Next.js, Vite, Remix, SvelteKit, etc.) and dev command
+workos dev
+
+# Override the dev command
+workos dev -- npx vite --port 5173
+
+# Custom emulator port and seed data
+workos dev --port 8080 --seed workos-emulate.config.yaml
+```
+
+Your app receives these environment variables automatically:
+
+- `WORKOS_API_BASE_URL` — points to the local emulator (e.g. `http://localhost:4100`)
+- `WORKOS_API_KEY` — `sk_test_default`
+- `WORKOS_CLIENT_ID` — `client_emulate`
+
+#### `workos emulate` — Standalone emulator
+
+Run the emulator on its own for CI, test suites, or when you want manual control.
+
+```bash
+# Start with defaults (port 4100)
+workos emulate
+
+# CI-friendly: JSON output, custom port
+workos emulate --port 9100 --json
+# → {"url":"http://localhost:9100","port":9100,"apiKey":"sk_test_default","health":"http://localhost:9100/health"}
+
+# Pre-load seed data
+workos emulate --seed workos-emulate.config.yaml
+```
+
+The emulator supports `GET /health` for readiness polling and shuts down cleanly on Ctrl+C.
+
+#### Seed configuration
+
+Create a `workos-emulate.config.yaml` (auto-detected) or pass `--seed <path>`:
+
+```yaml
+users:
+  - email: alice@acme.com
+    first_name: Alice
+    password: test123
+    email_verified: true
+
+organizations:
+  - name: Acme Corp
+    domains:
+      - domain: acme.com
+        state: verified
+    memberships:
+      - user_id: <user_id>
+        role: admin
+
+connections:
+  - name: Acme SSO
+    organization: Acme Corp
+    connection_type: GenericSAML
+    domains: [acme.com]
+
+roles:
+  - slug: admin
+    name: Admin
+    permissions: [posts:read, posts:write]
+
+permissions:
+  - slug: posts:read
+    name: Read Posts
+  - slug: posts:write
+    name: Write Posts
+
+webhookEndpoints:
+  - url: http://localhost:3000/webhooks
+    events: [user.created, organization.updated]
+```
+
+#### Programmatic API
+
+Use the emulator directly in test suites without the CLI:
+
+```typescript
+import { createEmulator } from 'workos/emulate';
+
+const emulator = await createEmulator({
+  port: 0, // random available port
+  seed: {
+    users: [{ email: 'test@example.com', password: 'secret' }],
+  },
+});
+
+// Use emulator.url as your WORKOS_API_BASE_URL
+const res = await fetch(`${emulator.url}/user_management/users`, {
+  headers: { Authorization: 'Bearer sk_test_default' },
+});
+
+// Reset between tests (clears data, re-applies seed)
+emulator.reset();
+
+// Clean up
+await emulator.close();
+```
+
+#### Emulated endpoints
+
+The emulator covers the full WorkOS API surface (~84% of OpenAPI spec endpoints). Run `pnpm check:coverage <openapi-spec>` to see exact coverage.
+
+| Endpoint Group           | Routes                                                                                                                                                                 |
+| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Organizations            | CRUD, external_id lookup, domain management                                                                                                                            |
+| Users                    | CRUD, email uniqueness, password management                                                                                                                            |
+| Organization memberships | CRUD, role assignment, deactivate/reactivate                                                                                                                           |
+| Organization domains     | CRUD, verification                                                                                                                                                     |
+| SSO connections          | CRUD, domain-based lookup                                                                                                                                              |
+| SSO flow                 | Authorize, token exchange, profile, JWKS, SSO logout                                                                                                                   |
+| AuthKit                  | OAuth authorize (login_hint, multi-user), authenticate (7 grant types incl. refresh_token, MFA TOTP, org selection, device code), PKCE, sealed sessions, impersonation |
+| Sessions                 | List, revoke, logout redirect, JWKS per client                                                                                                                         |
+| Email verification       | Send code, confirm                                                                                                                                                     |
+| Password reset           | Create token, confirm                                                                                                                                                  |
+| Magic auth               | Create code                                                                                                                                                            |
+| Auth factors             | TOTP enrollment, delete                                                                                                                                                |
+| MFA challenges           | Create challenge, verify code                                                                                                                                          |
+| Invitations              | CRUD, accept, revoke, resend, get by token                                                                                                                             |
+| Config                   | Redirect URIs, CORS origins, JWT template                                                                                                                              |
+| User features            | Authorized apps, connected accounts, data providers                                                                                                                    |
+| Widgets                  | Token generation                                                                                                                                                       |
+| Authorization (RBAC)     | Environment roles, org roles (priority ordering), permissions, role-permission management                                                                              |
+| Authorization (FGA)      | Resources CRUD, permission checks, role assignments                                                                                                                    |
+| Directory Sync           | List/get/delete directories, users, groups                                                                                                                             |
+| Audit Logs               | Actions, schemas, events, exports, org config/retention                                                                                                                |
+| Feature Flags            | List/get, enable/disable, targets, org/user evaluations                                                                                                                |
+| Connect                  | Applications CRUD, client secrets                                                                                                                                      |
+| Data Integrations        | OAuth authorize + token exchange                                                                                                                                       |
+| Radar                    | Attempts list/get, allow/deny lists                                                                                                                                    |
+| API Keys                 | Validate, delete, list by org                                                                                                                                          |
+| Portal                   | Generate admin portal links                                                                                                                                            |
+| Legacy MFA               | Enroll/get/delete factors, challenge/verify                                                                                                                            |
+| Webhook Endpoints        | CRUD with auto-generated secrets, secret masking                                                                                                                       |
+| Events                   | Paginated event stream with type filtering                                                                                                                             |
+| Event Bus                | Auto-emits events on entity CRUD via collection hooks, fire-and-forget webhook delivery with HMAC signatures                                                           |
+| Pipes                    | Connection CRUD, mock `getAccessToken()`                                                                                                                               |
+
+JWT tokens include `role` and `permissions` claims for org-scoped sessions. All list endpoints support cursor pagination (`before`, `after`, `limit`, `order`). Error responses match the WorkOS format (`{ message, code, errors }`).
+
 ### Environment Management
 
 ```bash
@@ -466,12 +622,13 @@ workos install --api-key sk_test_xxx --client-id client_xxx --no-commit 2>/dev/n
 
 ### Environment Variables
 
-| Variable                 | Effect                                                   |
-| ------------------------ | -------------------------------------------------------- |
-| `WORKOS_API_KEY`         | API key for management commands (bypasses stored config) |
-| `WORKOS_NO_PROMPT=1`     | Force non-interactive mode + JSON output                 |
-| `WORKOS_FORCE_TTY=1`     | Force interactive mode even when piped                   |
-| `WORKOS_TELEMETRY=false` | Disable telemetry                                        |
+| Variable                 | Effect                                                    |
+| ------------------------ | --------------------------------------------------------- |
+| `WORKOS_API_KEY`         | API key for management commands (bypasses stored config)  |
+| `WORKOS_API_BASE_URL`    | Override API base URL (set automatically by `workos dev`) |
+| `WORKOS_NO_PROMPT=1`     | Force non-interactive mode + JSON output                  |
+| `WORKOS_FORCE_TTY=1`     | Force interactive mode even when piped                    |
+| `WORKOS_TELEMETRY=false` | Disable telemetry                                         |
 
 ### Command Discovery
 

package.json

@@ -34,6 +34,16 @@
   "typescript": {
     "definition": "dist/index.d.ts"
   },
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./emulate": {
+      "import": "./dist/emulate/index.js",
+      "types": "./dist/emulate/index.d.ts"
+    }
+  },
   "dependencies": {
     "@anthropic-ai/claude-agent-sdk": "~0.2.62",
     "@anthropic-ai/sdk": "^0.78.0",
@@ -51,6 +61,8 @@
     "semver": "^7.7.4",
     "uuid": "^13.0.0",
     "xstate": "^5.28.0",
+    "hono": "^4",
+    "@hono/node-server": "^1",
     "yaml": "^2.8.2",
     "yargs": "^18.0.0",
     "zod": "^4.3.6"
@@ -96,7 +108,9 @@
     "eval:diff": "tsx tests/evals/index.ts diff",
     "eval:prune": "tsx tests/evals/index.ts prune",
     "eval:logs": "tsx tests/evals/index.ts logs",
-    "eval:show": "tsx tests/evals/index.ts show"
+    "eval:show": "tsx tests/evals/index.ts show",
+    "gen:routes": "tsx scripts/gen-routes.ts",
+    "check:coverage": "tsx scripts/check-coverage.ts"
   },
   "author": "WorkOS",
   "license": "MIT"