feat: add organization-scoped org sub-client (connections, rules, connect)#45
Merged
Conversation
…nect) New onecli.org surface: connect apps org-wide with direct credentials, capture org OAuth authorize URLs, and manage org connections and rules. Bearer-only auth (no X-Project-Id) — the organization comes from the oc_org_ API key. Additive; no existing exports change shape. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A new organization-scoped sub-client, exposed as
onecli.org:connectApp(provider, { fields, connectionId?, label?, method? })→POST /v1/org/apps/{provider}/connectgetAuthorizeUrl(provider, { connectionId? })→ captures the authorize redirectLocation(redirect: "manual"; server-side runtimes only, documented)listConnections(provider?)/renameConnection(id, label)/deleteConnection(id)→/v1/org/connectionslistRules()/getRule(id)/createRule(input)/updateRule(id, input)/deleteRule(id)→/v1/org/rulesUnlike the project-scoped clients, org requests carry no
X-Project-Id— the organization is derived from the API key itself (oc_org_…), and every operation requires the admin or owner role. A 404 from a server without the org surface is mapped to a descriptiveOneCLIError("requires OneCLI Cloud or a self-hosted Enterprise instance"), while id-addressed resource 404s (not_found_error) stayOneCLIRequestErrors with the server's message. Rule inputs/outputs use literal-union types matching the server's enums,enabledis required on create (as the server requires), andUpdateOrgRuleInputsupports explicitnullto clear nullable fields.Purely additive — no existing export changes shape (
feat:minor).Verification
tsc --noEmit,vitest(87 tests, 13 new fetch-spy tests incl. bearer-present / no-X-Project-Idheader assertions, manual-redirect capture, 404-type discrimination, server-message surfacing),tsupbuild (CJS + ESM + DTS) all green.Review
Reviewed through the TypeScript skill lenses (
typescript-pro,typescript-advanced-types, both read in full) plus a hunk-by-hunk self-review and adversarial pass. 8 findings fixed, the notable ones:enabledwas optional where the server requires it (would 400 at runtime), the blanket 404 mapping misfired on resource-level 404s (now discriminated by error type), barestringfields replaced with the server's literal unions, andPartial-based update type replaced with an explicit null-clearable one.Related PRs (merge order)
Server-side surface: https://github.com/onecli/onecli-cloud/pull/625 (must be deployed first). CLI sibling: onecli/onecli-cli#88. Docs: https://github.com/onecli/onecli-docs/pull/6 (lands last).
🤖 Generated with Claude Code