You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat!: consolidate and rename CLI environment variables (#180)
* feat!: consolidate and rename CLI environment variables
Reduce env-var sprawl in the CLI:
- Derive the LLM gateway and CLI telemetry URLs from WORKOS_API_URL
instead of separate WORKOS_LLM_GATEWAY_URL / WORKOS_TELEMETRY_URL vars,
so api.workos.com is no longer hardcoded in multiple places.
- Remove the redundant WORKOS_NO_PROMPT alias; WORKOS_MODE=agent is the
single, self-documenting way to force agent interaction + JSON output.
- Standardize the INSTALLER_* prefix to WORKOS_* (WORKOS_DEV,
WORKOS_DISABLE_PROXY).
- Fix the rotted `workos debug env` catalog (it was missing several vars)
and add a test that scans src/ for WORKOS_* env reads and fails if any
is missing from the catalog, preventing future drift.
BREAKING CHANGE: WORKOS_LLM_GATEWAY_URL and WORKOS_TELEMETRY_URL are
removed (derived from WORKOS_API_URL); WORKOS_NO_PROMPT is removed (use
WORKOS_MODE=agent); INSTALLER_DEV is renamed to WORKOS_DEV and
INSTALLER_DISABLE_PROXY to WORKOS_DISABLE_PROXY.
* refactor: consolidate WorkOS URL resolution into utils/urls.ts
Address code review on the env-var cleanup:
- Move getLlmGatewayUrl/getTelemetryUrl from settings.ts into urls.ts so the
derived endpoints sit next to their base (getWorkOSApiUrl). This removes the
backwards settings->urls import and makes urls.ts a dependency-free leaf that
is the single home for WorkOS endpoint resolution. getAuthkitDomain stays in
settings.ts since it's config-backed, not API-host-derived.
- Normalize the trailing slash once inside getWorkOSApiUrl instead of repeating
the strip at each derivation site.
- Scope the env-var-catalog guard test's claim to dot-access reads and document
the forms it doesn't cover (bracket access, destructuring).
- Fix a stale docstring on getCliAuthClientId (it is not env-overridable).
* test: simplify and strengthen the env-var catalog guard
- Replace the hand-rolled recursive file walk with fast-glob, the pattern
already used across src/ (environment.ts, validator.ts, integrations).
- Read source files concurrently instead of in a sequential await loop.
- Make the catalog check bidirectional: it now also fails on stale entries
(cataloged vars no longer read anywhere), not just missing ones, with an
explicit CATALOG_ONLY escape hatch for any future non-dot-access reads.
This subsumes the old WORKOS_-prefix assertion.
* chore: formatting
* test: stop counting env writes as reads in the catalog guard
WORKOS_SECRET_KEY is only written (migrations.ts sets it for the downstream
migrations SDK), never read by the CLI. The guard's regex matched the
assignment's left-hand side and "discovered" it, so it was catalogued as an
input credential — misleading, since the CLI ignores any user-provided value.
Tighten the discovery regex to exclude assignment targets (with an end-anchor
so the greedy capture can't backtrack to a truncated name), and drop the
write-only WORKOS_SECRET_KEY entry. The catalog now means exactly what its
docstring claims: WORKOS_ vars the CLI reads.
Copy file name to clipboardExpand all lines: DEVELOPMENT.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -114,9 +114,9 @@ Guidelines for new code:
114
114
- For destructive operations, require an explicit `--yes`/`--force` flag whenever `!isPromptAllowed()` regardless of output mode.
115
115
- For `auth_required` and other deterministic failures, attach recovery metadata via `src/utils/recovery-hints.ts` so agents can parse `error.recovery.hints[]`.
-`WORKOS_MODE=agent` maps to agent interaction behavior **and** JSON output (via `resolveEffectiveOutputMode`). The old `WORKOS_NO_PROMPT` alias has been removed.
120
120
-`WORKOS_FORCE_TTY=1` only affects output mode (forces human). It must not change interaction mode.
121
121
- Non-TTY stdout still defaults output to JSON and interaction to agent.
122
122
-`isNonInteractiveEnvironment()` from `src/utils/environment.ts` is a thin wrapper over `!isHumanMode()` kept for backward compatibility. Prefer the explicit interaction-mode predicates in new code.
0 commit comments