feat: major workos doctor overhaul — visual refresh, multi-language, AI analysis#62
Merged
Detect AuthKit-specific integration anti-patterns by scanning project code via file existence checks and regex matching (no AST parsing).
Checks (11 total):
- SIGNOUT_GET_HANDLER: GET route at signout/logout path (error)
- SIGNOUT_LINK_PREFETCH: <Link>/<NextLink> to signout path (warning)
- MISSING_MIDDLEWARE: No middleware.ts/proxy.ts for Next.js (error)
- MIDDLEWARE_WRONG_LOCATION: middleware inside app/ dir (warning)
- MISSING_AUTHKIT_PROVIDER: No AuthKitProvider in root layout (warning)
- CALLBACK_ROUTE_MISSING: No route at redirect URI path (error)
- API_KEY_LEAKED_TO_CLIENT: Secret key in NEXT_PUBLIC_/VITE_/etc (error)
- WRONG_CALLBACK_LOADER: authkitLoader on callback route (warning)
- MISSING_ROOT_AUTH_LOADER: Root route missing authkitLoader (warning)
- MISSING_AUTHKIT_MIDDLEWARE: TanStack start.ts missing middleware (warning)
- COOKIE_PASSWORD_TOO_SHORT: Password < 32 chars (warning)
Framework-aware for Next.js, React Router, and TanStack Start. Resolves callback path from NEXT_PUBLIC_WORKOS_REDIRECT_URI when set.
Add a WorkOS lock ASCII art character with expressions (success/warning/error) and a summary box renderer used by both doctor output and installer completion screens. The lock shackle opens on error state. Box width adapts to terminal size with word-wrapping for narrow terminals.
…doctor Add language detection (Python, Ruby, Go, Java, PHP, .NET, JS/TS) from manifest files. Expand framework detection with Expo, React Native, SvelteKit, Vue/Nuxt, Astro, and Svelte. Detect non-JS WorkOS SDKs from requirements.txt, Gemfile, go.mod, pom.xml, composer.json, and .csproj. Language-aware install hints in issue remediation.
Add Claude Agent SDK (Sonnet) integration for doctor that analyzes the project with read-only tools and provides tailored, framework-specific recommendations. Runs through LLM gateway with credential proxy auth. Includes --skip-ai flag for offline use, 60s timeout, graceful degradation on auth/parse failures, and structured JSON response parsing.
Replace Claude Agent SDK subprocess with a single Anthropic SDK API call to the LLM gateway. No credential proxy — reads access token directly, refreshes once if expired. Adds configurable doctorModel (default Haiku) and a spinner during analysis. Fixes credential corruption caused by proxy token rotation during short-lived doctor runs.
- Add WorkOS SDK knowledge to AI prompt to prevent false positives (e.g. flagging @workos-inc/node as incompatible with Expo/RN)
- Tighten AI analysis rules: fewer speculative findings, no contradicting SDK knowledge section
- Fix credential storage: always write file fallback alongside keyring to survive binary rebuilds (macOS code signature invalidation)
- Add credential diagnostics for debugging auth failures
- Fix error lock art: shackle present but not connected to body
- Formatting pass
99ec24e to
47d4b07
- Add 3 cross-language auth pattern checks that run for all projects: API_KEY_IN_SOURCE, ENV_FILE_NOT_GITIGNORED, MIXED_ENVIRONMENT
- Remove isAuthKit gate so auth patterns run for non-JS projects too
- Fix process.exit crash when running doctor in projects without package.json (replaced getPackageDotJson with direct file reads)
- Hide Node.js runtime line for non-JS projects
- Extract shared readPackageJson into package-json.ts
- Extract renderCompletionSummary to dedupe adapter code
- Inline single-use callApi into callModel
- Consolidate token expiration branches
- Replace dotenv with inline parseEnvFile in auth-patterns
- Remove dynamic imports, unused params, and no-op ternary
Summary
Major overhaul of workos doctor across four areas: visual identity, multi-language support, AI-powered analysis, and auth pattern detection.
Visual refresh
Multi-language detection
AI-powered analysis
@workos-inc/node flagged as incompatible with Expo)
doctorModel in cli config
Auth pattern detection
<Link> prefetching
Check Catalog
Errors (high-confidence — almost certainly wrong):
- SIGNOUT_GET_HANDLER
- MISSING_MIDDLEWARE
- API_KEY_LEAKED_TO_CLIENT: NEXT_PUBLIC_, VITE_, REACT_APP_, EXPO_PUBLIC_)
- CALLBACK_ROUTE_MISSING
Warnings (lower-confidence — suspicious but may be intentional):
- SIGNOUT_LINK_PREFETCH: <Link>/<NextLink> pointing to signout/logout — triggers prefetch in production
- MIDDLEWARE_WRONG_LOCATION: app/ instead of project root
- MISSING_AUTHKIT_PROVIDER
- WRONG_CALLBACK_LOADER: authkitLoader instead of authLoader
- MISSING_ROOT_AUTH_LOADER: authkitLoader for auth context
- MISSING_AUTHKIT_MIDDLEWARE: start.ts doesn't reference authkitMiddleware
- COOKIE_PASSWORD_TOO_SHORT: WORKOS_COOKIE_PASSWORD set but < 32 characters
Credential storage fix
- saveCredentials now writes to both keyring AND file — file persists across binary rebuilds where macOS invalidates keyring access due to code signature changes
- diagnoseCredentials() for debugging auth failures
Files Changed
- src/utils/lock-art.ts, src/utils/summary-box.ts — branded visual components
- src/doctor/checks/language.ts — multi-language detection
- src/doctor/checks/ai-analysis.ts, src/doctor/agent-prompt.ts — AI analysis
- src/doctor/checks/auth-patterns.ts — anti-pattern detection (11 checks)
- src/doctor/checks/framework.ts — 7 new frameworks
- src/doctor/checks/sdk.ts — non-JS SDK detection
- src/lib/credential-store.ts — dual-write + diagnostics
- src/doctor/output.ts, src/doctor/index.ts, src/doctor/types.ts — wiring
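One way the API_KEY_LEAKED_TO_CLIENT and COOKIE_PASSWORD_TOO_SHORT checks listed above could run over a parsed .env file, as an added example that is not code from this pull request. The check names, client-exposed prefixes and 32-character threshold come from the PR text; the parser, the WORKOS_API_KEY name match and the sk_ value prefix are assumptions.

```typescript
// Added example, not the project's code. Finding codes come from the PR text;
// the parser, the WORKOS_API_KEY name match and the `sk_` prefix are assumptions.
type Finding = { code: string; severity: "error" | "warning"; key: string };
const CLIENT_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_", "EXPO_PUBLIC_"];

// Minimal .env parser: KEY=VALUE lines, optional `export`, quotes, comments.
function parseEnvFile(text: string): Map<string, string> {
  const env = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue; // not an assignment; ignore rather than guess
    const quoted = /^(["'])(.*)\1$/.exec(m[2]);
    // Quoted values are taken verbatim; unquoted ones lose a trailing " # comment".
    env.set(m[1], quoted ? quoted[2] : m[2].replace(/\s+#.*$/, "").trim());
  }
  return env;
}

function checkEnv(text: string): Finding[] {
  const findings: Finding[] = [];
  for (const [key, value] of parseEnvFile(text)) {
    // Variables with these prefixes are inlined into the browser bundle.
    const exposed = CLIENT_PREFIXES.some((p) => key.startsWith(p));
    const looksSecret = key.includes("WORKOS_API_KEY") || value.startsWith("sk_");
    if (exposed && looksSecret) {
      findings.push({ code: "API_KEY_LEAKED_TO_CLIENT", severity: "error", key });
    }
    if (key === "WORKOS_COOKIE_PASSWORD" && value.length > 0 && value.length < 32) {
      findings.push({ code: "COOKIE_PASSWORD_TOO_SHORT", severity: "warning", key });
    }
  }
  return findings;
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE_ENV = [
  "# constructed sample",
  "WORKOS_CLIENT_ID=client_EXAMPLE",
  "WORKOS_API_KEY=sk_test_EXAMPLE            # server-side only: fine",
  'NEXT_PUBLIC_WORKOS_API_KEY="sk_test_EXAMPLE"',
  "VITE_BACKEND_TOKEN=sk_test_EXAMPLE",
  "NEXT_PUBLIC_WORKOS_REDIRECT_URI=http://localhost:3000/callback",
  "WORKOS_COOKIE_PASSWORD=too-short-password",
].join("\n");

console.log(checkEnv(SAMPLE_ENV));
```

Findings report only the variable name, never the value, so the secret does not end up in doctor output or CI logs.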