fix: add tsx as root devDependency for CI script resolution

Root scripts (mapping:validate, api-report:fix) use pnpm tsx which
resolves from the root node_modules, not from tool packages.

Author: ryanbas21

MIGRATION.md

@@ -4,12 +4,12 @@ This guide documents the conversion from `@forgerock/javascript-sdk` (legacy) to
 
 ## Package Dependencies
 
-| Legacy                      | New                         | Purpose                                                            |
-| --------------------------- | --------------------------- | ------------------------------------------------------------------ |
-| `@forgerock/javascript-sdk` | `@forgerock/journey-client` | Authentication tree/journey flows                                  |
-| `@forgerock/javascript-sdk` | `@forgerock/oidc-client`    | OAuth2/OIDC token management, user info, logout                    |
-| `@forgerock/javascript-sdk` | `@forgerock/device-client`  | Device profile & management (OATH, Push, WebAuthn, Bound, Profile) |
-| `@forgerock/ping-protect`   | `@forgerock/protect`        | PingOne Protect/Signals integration                                |
+| Legacy                                                  | New                         | Purpose                                                            |
+| ------------------------------------------------------- | --------------------------- | ------------------------------------------------------------------ |
+| `@forgerock/javascript-sdk` — `FRAuth` class            | `@forgerock/journey-client` | Authentication tree/journey flows                                  |
+| `@forgerock/javascript-sdk` — `TokenManager` class      | `@forgerock/oidc-client`    | OAuth2/OIDC token management, user info, logout                    |
+| `@forgerock/javascript-sdk` — `FRDevice*` classes       | `@forgerock/device-client`  | Device profile & management (OATH, Push, WebAuthn, Bound, Profile) |
+| `@forgerock/ping-protect`                               | `@forgerock/protect`        | PingOne Protect/Signals integration                                |
 
 ---
 
@@ -58,7 +58,7 @@ const oidcClient = await oidc({ config });
 | `FRAuth.next(step, { tree: 'Login' })` | `journeyClient.next(step)`                  | Tree is set at `start()`, not repeated on `next()`                 |
 | `FRAuth.redirect(step)`                | `await journeyClient.redirect(step)`        | Now async. Step stored in `sessionStorage` (was `localStorage`)    |
 | `FRAuth.resume(resumeUrl)`             | `await journeyClient.resume(resumeUrl)`     | Previous step retrieved from `sessionStorage` (was `localStorage`) |
-| No equivalent                          | `await journeyClient.terminate()`           | **New.** Ends the AM session via `/sessions` endpoint              |
+| `SessionManager.logout()`              | `await journeyClient.terminate()`           | Ends the AM session via `/sessions` endpoint                       |
 
 ### Before/After: Login Flow
 
@@ -123,8 +123,8 @@ if ('error' in result) {
 
 | Legacy                                            | New                                                                                           | Notes                                                  |
 | ------------------------------------------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `TokenManager.getTokens({ forceRenew: true })`    | `await oidcClient.token.get({ forceRenew: true, backgroundRenew: true })`                     | Single call with auto-renewal. Returns tokens or error |
-| `TokenManager.getTokens()` then manual code+state | `await oidcClient.authorize.background()` then `await oidcClient.token.exchange(code, state)` | Two-step when you need explicit control                |
+| `TokenManager.getTokens({ forceRenew: true })`                                                          | `await oidcClient.token.get({ forceRenew: true, backgroundRenew: true })`                     | Single call with auto-renewal. Returns tokens or error |
+| `OAuth2Client.getAuthCodeByIframe()` then `TokenManager.getTokens({ authorizationCode, ...params })` | `await oidcClient.authorize.background()` then `await oidcClient.token.exchange(code, state)` | Two-step when you need explicit control over authorize + exchange                |
 | `TokenManager.deleteTokens()`                     | `await oidcClient.token.revoke()`                                                             | Revokes remotely AND deletes locally                   |
 | `TokenStorage.get()`                              | `await oidcClient.token.get()`                                                                | Auto-retrieves from storage; check `'error' in tokens` |
 | `TokenStorage.set(tokens)`                        | Handled automatically by `oidcClient.token.exchange()`                                        | Tokens stored after exchange                           |
@@ -182,7 +182,7 @@ const response = await fetch('https://api.example.com/resource', {
 
 ## Error Handling Pattern
 
-The new SDK primarily returns error objects instead of throwing exceptions. However, some `journey-client` methods may still throw in certain edge cases (known tech debt). Defensive code should handle both patterns:
+Client **initialization** (factory functions like `journey()` and `oidc()`) will **throw** when misconfigured. However, once initialized, client **methods** return error objects instead of throwing exceptions. Some `journey-client` methods may still throw in certain edge cases (known tech debt). Defensive code should handle both patterns:
 
 | Legacy                                           | New                                                                      |
 | ------------------------------------------------ | ------------------------------------------------------------------------ |

package.json

@@ -104,6 +104,7 @@
     "shx": "^0.4.0",
     "swc-loader": "0.2.6",
     "ts-node": "10.9.2",
+    "tsx": "^4.20.0",
     "ts-patch": "3.3.0",
     "tslib": "^2.5.0",
     "typedoc": "^0.27.4",