Enforce WorkOS Vault style rules with oxlint #481

Merged: RhysSullivan merged 1 commit into main from workos-vault-oxlint-rules on May 4, 2026

@RhysSullivan (Owner)

Summary

Adds seven repo-local oxlint rules scoped to packages/plugins/workos-vault/src/**/*.{ts,tsx} so the provider's Effect-only surface, tagged-error discipline, and typed-boundary patterns stay enforced. Cherry-picks the rule logic from #425 and adapts the imports to the flat scripts/oxlint-plugin-executor/utils.js layout on main.

Rules added

  • executor/no-inline-object-type-assertion
  • executor/no-instanceof-tagged-error
  • executor/no-manual-tag-check
  • executor/no-promise-client-surface
  • executor/no-raw-error-throw
  • executor/no-redundant-error-factory
  • executor/no-unknown-shape-probing

All registered as error severity under an overrides block targeting packages/plugins/workos-vault/src/**/*.{ts,tsx} (matches the scope #425 used).

Rules from #425 that were skipped

  • no-vitest-import — already on main as executor/no-vitest-import.
  • no-if-in-tests — overlaps with main's executor/no-conditional-tests. The two are not identical (the new rule blanket-bans if in tests; the existing rule bans expect() only inside conditionals), but the existing rule is the more nuanced of the two and the WorkOS Vault tests pass under it. Adding both would double-up on the same intent, so skipping per the task brief.

Source-file fixes required

The new rules apply to existing workos-vault source. To make them pass:

  • client.ts: WorkOSVaultClientError now captures message and status at construction time via a small named ErrorWithStatus guard, so callers consume typed fields instead of probing unknown causes. Renamed the exported WorkOSVaultSdk interface to module-private WorkOSVaultPromiseApi (the rule forbids exposing Promise-shaped client surfaces); removed it from index.ts and updated testing.ts to import the new name.
  • secret-store.ts: replaced unwrapVaultError + inline shape probes ("status" in cause, (cause as { status: number }), etc.) in isStatusError, isKekNotReadyError, and formatVaultError with direct typed access on WorkOSVaultClientError. Removed the now-unused GenericServerException/NotFoundException imports.
  • secret-store.test.ts: introduced a named VaultMetadataRow interface instead of an inline as { scope_id: string } cast.

Validation

  • bun run lint — passes (Found 0 warnings and 0 errors).
  • bun run --cwd packages/plugins/workos-vault typecheck — passes.
  • bunx vitest run src/sdk/secret-store.test.ts from packages/plugins/workos-vault — 11/11 passing.

Test plan

  • CI green
  • Spot-check that the rules still fire by introducing a violating pattern temporarily

Based on #425.

Add seven repo-local oxlint rules scoped to packages/plugins/workos-vault/src
to keep the provider's Effect-only surface, tagged-error discipline, and
typed boundary patterns in place.

Rules added:
- no-inline-object-type-assertion
- no-instanceof-tagged-error
- no-manual-tag-check
- no-promise-client-surface
- no-raw-error-throw
- no-redundant-error-factory
- no-unknown-shape-probing

Adapted to the existing flat scripts/oxlint-plugin-executor/utils.js layout
on main; no rules already on main were duplicated.

Cleanup in workos-vault to satisfy the new rules:
- WorkOSVaultClientError now captures status + message at construction so
  callers consume typed fields instead of probing unknown causes.
- Renamed exported WorkOSVaultSdk to module-private WorkOSVaultPromiseApi
  and removed it from the public package surface.
- Replaced unwrapVaultError + inline shape probes in secret-store with
  direct typed access on WorkOSVaultClientError.
- Introduced a named row type in secret-store.test.ts instead of an inline
  object type assertion.
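
The construction-time capture described in the PR summary and commit message, sketched as an added example that is not the plugin's own code. `ErrorWithStatus`, `isStatusError` and `formatVaultError` are names taken from the PR text with assumed shapes; `VaultClientError`, `probedStatus`, `isErrorWithStatus`, `sampleNotFound` and the sample failure are hypothetical.

```typescript
// Added illustration; every name below except ErrorWithStatus, isStatusError
// and formatVaultError (mentioned in the PR) is hypothetical.

// Before: each caller probes an unknown cause. The cast is unchecked, so a
// cause carrying status "404" (a string) is returned typed as a number.
const probedStatus = (cause: unknown): number | undefined =>
  typeof cause === "object" && cause !== null && "status" in cause
    ? (cause as { status: number }).status
    : undefined;

// After: one named guard, used only where the SDK failure is wrapped.
interface ErrorWithStatus {
  readonly message: string;
  readonly status: number;
}

const isErrorWithStatus = (cause: unknown): cause is ErrorWithStatus =>
  cause instanceof Error &&
  typeof (cause as Partial<ErrorWithStatus>).status === "number";

// Tagged error that records message and status once, at construction.
class VaultClientError extends Error {
  readonly _tag = "VaultClientError";
  readonly operation: string;
  readonly status: number | undefined;

  constructor(operation: string, cause: unknown) {
    super(cause instanceof Error ? cause.message : String(cause));
    this.operation = operation;
    this.status = isErrorWithStatus(cause) ? cause.status : undefined;
  }
}

// Callers read typed fields; no casts, no `in` checks.
const isStatusError = (error: VaultClientError, status: number): boolean =>
  error.status === status;

const formatVaultError = (error: VaultClientError): string =>
  error.status === undefined
    ? `${error.operation}: ${error.message}`
    : `${error.operation}: ${error.message} (status ${error.status})`;

// Constructed sample failure, standing in for what an SDK call might reject with.
const sampleNotFound = new VaultClientError(
  "secrets.read",
  Object.assign(new Error("not found"), { status: 404 }),
);
```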

@pkg-pr-new
pkg-pr-new Bot commented May 4, 2026

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@481

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@481

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@481

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@481

@executor-js/storage-core

npm i https://pkg.pr.new/@executor-js/storage-core@481

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@481

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@481

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@481

@executor-js/plugin-google-discovery

npm i https://pkg.pr.new/@executor-js/plugin-google-discovery@481

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@481

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@481

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@481

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@481

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@481

executor

npm i https://pkg.pr.new/executor@481

commit: 6e44b63

RhysSullivan merged commit e3ee27f into main on May 4, 2026
9 checks passed
RhysSullivan deleted the workos-vault-oxlint-rules branch on May 4, 2026 03:17
RhysSullivan added a commit that referenced this pull request May 4, 2026
* Add shared WorkOS Vault test client

Extract the in-memory `WorkOSVaultClient` previously inlined in
`apps/cloud/.../api-harness.ts` into a published subpath
`@executor-js/plugin-workos-vault/testing` so other apps and downstream
consumers can stand up vault-backed tests without copying the fake.

`makeTestWorkOSVaultClient` matches the current Effect-shaped client
surface (post v4 migration) and adds optional knobs for exercising
secret-store retry paths: `conflictOnNextSecretUpdate`,
`rejectNamesWithColon`, and `rejectReadNamesLongerThan`. Errors are
tagged (`TestWorkOSVaultNotFoundError`/`Conflict`/`InvalidRequest`) and
carry numeric `status` so the production `isStatusError` checks in
`secret-store.ts` route 404/409/400 through the same paths the real
SDK exercises.

Re-cut from #424 against current `main`; the `mcp.ts` and contract test
pieces from that PR are intentionally dropped (the audience-fallback
removal landed via #429 and the contract test is out of scope for this
extraction).

* fixup: rename WorkOSVaultSdk -> WorkOSVaultPromiseApi after #481