feat(generated): regenerate from spec (12 changes)

[workos-sdk-automation]

Summary

feat(organization_membership)!: Change response for UserManagementOrganizationMembership.list

• Changed response for UserManagementOrganizationMembership.list.

feat(pipes)!: SDK surface change: Symbol "Pipes.create_data_integration_token" was removed

• SDK surface change: Symbol "Pipes.create_data_integration_token" was removed.

feat(user_management)!: Change response for UserManagementInvitations.list

• Changed response for UserManagementInvitations.list.

feat(widgets)!: SDK surface change: Symbol "WidgetSessionTokenResponse" was removed

• SDK surface change: Symbol "WidgetSessionTokenResponse" was removed.

feat(authorization): Add authorization operations and models

• Added model ReplaceGroupRoleAssignmentEntry.
• Added model ReplaceGroupRoleAssignments.
• Added model DeleteGroupRoleAssignmentsByCriteria.
• Added endpoint POST /authorization/groups/{group_id}/role_assignments.
• Added endpoint PUT /authorization/groups/{group_id}/role_assignments.
• Added endpoint DELETE /authorization/groups/{group_id}/role_assignments.
• Added endpoint GET /authorization/groups/{group_id}/role_assignments/{role_assignment_id}.
• Added endpoint DELETE /authorization/groups/{group_id}/role_assignments/{role_assignment_id}.

feat(client): Add client API surface

• Added model ClientApiToken.
• Added model ClientApiTokenResponse.
• Added service Client.

feat(connect): Add Connect API surface

• Added auth_method to ConnectedAccount.
• Added api_key_last_4 to ConnectedAccount.
• Added enum ConnectedAccountAuthMethod.

feat(groups): Add groups API surface

• Added model CreateGroupRoleAssignment.
• Added model GroupRoleAssignment.
• Added model GroupRoleAssignmentList.
• Added model GroupRoleAssignmentResource.

feat(organization_membership): Add organization membership API surface

• Added model UserOrganizationMembershipList.
• Added model UserOrganizationMembershipListListMetadata.

feat(pipes): Add Pipes API surface

• Added model DataIntegrationCredentials.
• Added model DataIntegrationConfigurationResponse.
• Added model DataIntegrationConfigurationListResponse.
• Added model ConfigureDataIntegrationBody.
• Added auth_methods to DataIntegrationsListResponseData.
• Added auth_method to DataIntegrationsListResponseDataConnectedAccount.
• Added api_key_last_4 to DataIntegrationsListResponseDataConnectedAccount.
• Added enum DataIntegrationCredentialsCredentialsType.
• Added enum DataIntegrationsListResponseDataAuthMethods.
• Added enum DataIntegrationsListResponseDataConnectedAccountAuthMethod.
• Added service PipesProvider.

feat(user_management): Update user management API surface

• Added model UserInviteList.
• Added model UserInviteListListMetadata.
• Made AuthorizationCodeSessionAuthenticateRequest.client_secret optional.
• Made RefreshTokenSessionAuthenticateRequest.client_secret optional.

feat(widgets): Add widgets:pipes:manage to WidgetSessionTokenScopes

• Added widgets:pipes:manage to WidgetSessionTokenScopes.

Triggered by workos/openapi-spec@0e1c039

BEGIN_COMMIT_OVERRIDE
feat(organization_membership): Change response for UserManagementOrganizationMembership.list (#501)
feat(pipes): SDK surface change: Symbol "Pipes.create_data_integration_token" was removed (#501)
feat(user_management): Change response for UserManagementInvitations.list (#501)
feat(widgets): SDK surface change: Symbol "WidgetSessionTokenResponse" was removed (#501)
feat(authorization): Add authorization operations and models (#501)
feat(client): Add client API surface (#501)
feat(connect): Add Connect API surface (#501)
feat(groups): Add groups API surface (#501)
feat(organization_membership): Add organization membership API surface (#501)
feat(pipes): Add Pipes API surface (#501)
feat(user_management): Update user management API surface (#501)
feat(widgets): Add widgets:pipes:manage to WidgetSessionTokenScopes (#501)
END_COMMIT_OVERRIDE

[greptile-apps]

Greptile Summary

• Regenerates the WorkOS Ruby SDK from the latest API spec.
• Adds authorization group role assignment APIs and models.
• Adds Client API token service and response models.
• Adds Pipes provider configuration APIs and updates related Pipes/Connect models.
• Updates user management, organization membership, widgets scopes, RBI files, and generated tests.

Confidence Score: 4/5

The generated SDK changes are mostly straightforward, but the Pipes provider request serialization needs attention before merge.

Focused validation confirmed the request body behavior for the identified API surface, while the rest of the changes are generated model/service additions with matching tests.

lib/workos/pipes_provider.rb

T-Rex Logs

What T-Rex did

• Ran a focused Minitest/WebMock repro to verify that scopes: nil is omitted from the serialized body when updating a data integration configuration.
• Observed the authorization group role assignments flow change after the update, including availability of endpoints and parsed results, indicating the list and group role assignments models were exercised.
• Created a client API token and confirmed the token response was parsed into WorkOS::ClientApiTokenResponse with organization_id and user_id.
• Verified that get_access_token succeeds and that data integration configuration endpoints are called with expected body contents, while encountering a runtime parsing issue for api_key_last_4.
• Checked user management lists and observed a head contract mismatch for the new endpoint-specific list model surface, while list struct access remains available.
• Explored widgets groups models and confirmed the same runtime behavior; a script executed as part of the check reported results before and after, with the claimed removals not taking effect.

_{Ran code and verified through T-Rex}

Comments Outside Diff (5)

1. General comment

   PipesProvider credentials response does not expose api_key_last_4

   • Bug
     • The head SDK successfully adds the PipesProvider service and sends the expected list/update requests, but a representative PipesProvider response containing credentials.api_key_last_4 cannot be read from the parsed SDK model. The runtime probe failed with NoMethodError: undefined method 'api_key_last_4' for #<WorkOS::DataIntegrationCredentials client_id="cid"> when reading the parsed list/update credentials object.
   • Cause
     • lib/workos/pipes_provider/data_integration_credentials.rb maps and exposes credentials_type, has_credentials, client_id, client_secret_last_four, and redirect_uri, but it does not include api_key_last_4 in HASH_ATTRS, attr_accessor, or initialization. This is inconsistent with the claimed new api_key_last_4 response surface.
   • Fix
     • Add api_key_last_4: :api_key_last_4 to HASH_ATTRS, include :api_key_last_4 in the accessors, initialize @api_key_last_4 = hash[:api_key_last_4], and update RBI/tests to exercise this field for PipesProvider credential responses.

   _{Ran code and verified through T-Rex}

2. General comment

   Head does not expose the claimed UserInviteList/UserOrganizationMembershipList runtime response models

   • Bug
     • The validation expected UserManagement#list_invitations and OrganizationMembershipService#list_organization_memberships to return new endpoint-specific list model classes (WorkOS::UserInviteList and WorkOS::UserOrganizationMembershipList) with list_metadata. On head, both constants are still undefined and both methods return the generic WorkOS::Types::ListStruct instead. Although list_metadata is available, code relying on the new named model classes or RBI/runtime parity will not see the advertised response surface.
   • Cause
     • The generated Ruby runtime methods in lib/workos/user_management.rb and lib/workos/organization_membership_service.rb still construct WorkOS::Types::ListStruct.from_response(...); no runtime classes for UserInviteList or UserOrganizationMembershipList are defined/loaded.
   • Fix
     • Add the runtime list model classes and update the two list methods to instantiate/return them, or update the claimed contract/RBI to continue documenting WorkOS::Types::ListStruct if that is the intended public surface.

   _{Ran code and verified through T-Rex}

3. General comment

   Head still exposes WidgetSessionTokenResponse despite claimed surface removal

   • Bug
     • The after runtime scenario reports class_available WorkOS::WidgetSessionTokenResponse=true. This contradicts the stated PR claim that head removes the WidgetSessionTokenResponse SDK surface.
   • Cause
     • The class remains loadable through the SDK surface in head; the generated file/export was not actually removed from the runtime-visible model surface, or the repository under validation does not contain the claimed removal.
   • Fix
     • Remove WorkOS::WidgetSessionTokenResponse from the generated source and any require/export paths if the intended SDK contract is to remove it, then rerun the model surface validation.

   _{Ran code and verified through T-Rex}

4. General comment

   Group role assignment list model cannot deserialize list metadata

   • Bug
     • Instantiating WorkOS::GroupRoleAssignmentList with representative list_metadata raises NameError: uninitialized constant WorkOS::ListMetadata, so the generated model cannot round-trip a normal list response shape.
   • Cause
     • lib/workos/authorization/group_role_assignment_list.rb references WorkOS::ListMetadata, but that constant is not available in the loaded SDK namespace for this model path.
   • Fix
     • Update the generated model to reference the correct list metadata class/namespace or add/load WorkOS::ListMetadata consistently with other list response models.

   _{Ran code and verified through T-Rex}

5. General comment

   CreateGroupRoleAssignment and GroupRoleAssignmentResource do not preserve representative fields

   • Bug
     • The after round-trip output shows CreateGroupRoleAssignment omits group_id from to_h and GroupRoleAssignmentResource does not preserve the fixture's type field, returning resource_type_slug=>nil instead. This fails the requested representative field preservation check for the new group role assignment models.
   • Cause
     • The generated accessors/serialization mappings for these models do not include group_id on create input and expect resource_type_slug rather than the representative type key for resources.
   • Fix
     • Confirm the intended API schema fields. If group_id and type are valid contract fields, regenerate/fix the model attributes and serializers to preserve them; otherwise update fixtures/tests and documentation to use the actual schema names.

   _{Ran code and verified through T-Rex}

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
lib/workos/pipes_provider.rb:50-55
**Cannot send null scopes**

`scopes: nil` is documented as sending JSON `null` so the organization can inherit provider scopes, but this request body is compacted before serialization, and the base client compacts request bodies again. When callers pass `scopes: nil` to clear custom scopes, the `scopes` key is omitted instead, so the API cannot distinguish “leave scopes unchanged” from “reset scopes to inherited defaults.”

_{Reviews (2): Last reviewed commit: "Update changelog" | Re-trigger Greptile}

[greptile-apps]

Type alias changes class.name and class identity

WidgetSessionTokenResponse = ClientApiTokenResponse makes the constant a true alias — WorkOS::WidgetSessionTokenResponse.new(...).class returns WorkOS::ClientApiTokenResponse, not WorkOS::WidgetSessionTokenResponse. Any caller doing result.class.name, result.is_a?(WorkOS::WidgetSessionTokenResponse), or pattern-matching on the class will silently get different results. The same applies to UserRoleAssignmentResource = GroupRoleAssignmentResource in authorization/user_role_assignment_resource.rb. These are documented breaking changes, but the impact goes slightly beyond "symbol removed" since the constant remains accessible and appears to work, masking the identity shift.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

GroupRoleAssignmentList model is never instantiated by the service layer

list_group_role_assignments returns a WorkOS::Types::ListStruct built via ListStruct.from_response, not a GroupRoleAssignmentList. The model class is defined and has a round-trip test but is unreachable from any service method. If it is intentionally a schema reference type (matching the raw API shape), a comment to that effect would help; otherwise it is dead code.

[greptile-apps]

Cannot send null scopes

scopes: nil is documented as sending JSON null so the organization can inherit provider scopes, but this request body is compacted before serialization, and the base client compacts request bodies again. When callers pass scopes: nil to clear custom scopes, the scopes key is omitted instead, so the API cannot distinguish “leave scopes unchanged” from “reset scopes to inherited defaults.”

Artifacts

Repro: focused Minitest WebMock script for scopes nil serialization

• Contains supporting evidence from the run (text/x-ruby; charset=utf-8).

Repro: verbose test output showing omitted scopes key and failing assertion

• Keeps the command output available without making the summary code-heavy.

_{Ran code and verified through T-Rex}

Prompt To Fix With AI

This is a comment left during a code review.
Path: lib/workos/pipes_provider.rb
Line: 50-55

Comment:
**Cannot send null scopes**

`scopes: nil` is documented as sending JSON `null` so the organization can inherit provider scopes, but this request body is compacted before serialization, and the base client compacts request bodies again. When callers pass `scopes: nil` to clear custom scopes, the `scopes` key is omitted instead, so the API cannot distinguish “leave scopes unchanged” from “reset scopes to inherited defaults.”

How can I resolve this? If you propose a fix, please make it concise.