feat: add environment, organization, and user management commands (#59)

* feat: add environment management commands and config store

Add `workos env` command group (add/remove/switch/list) for managing
multiple environments with API keys. Introduces a keyring-backed
config store (with file fallback) separate from OAuth credentials,
and an API key resolution utility for upcoming management commands.

* feat: add organization management commands

Add `workos organization` command group (create/update/get/list/delete)
for managing WorkOS organizations via the REST API. Includes a generic
WorkOS API client for reuse with future resource types and a table
formatter for list output.

* chore: formatting

* feat: add user management commands

Add `workos user` command group (get/list/update/delete) for managing
WorkOS users via the REST API, porting Go CLI PR #24.

* chore: formatting

* docs: update README, DEVELOPMENT, and CLAUDE.md for management commands

* chore: remove accidentally committed .claude and docs directories

* feat: reconcile credential stores for seamless management commands

After install fetches staging credentials, auto-seed a "default"
environment in config-store so management commands work without
manual `workos env add`. Subsequent installs read from config-store
and skip the staging API call when clientId + apiKey are present.

Author: nicknisi

CLAUDE.md

@@ -1,29 +1,39 @@
-# installer
+# workos CLI
 
-AI-powered CLI installer that automatically installs WorkOS AuthKit into web projects.
+WorkOS CLI for installing AuthKit integrations and managing WorkOS resources (organizations, users, environments).
 
 ## Project Structure
 
 ```
-installer/
-├── src/
-│   ├── bin.ts              # CLI entry point
-│   ├── cli.config.ts       # App configuration (model, URLs, etc.)
-│   ├── run.ts              # Entry point, orchestrates installer flow
-│   ├── lib/
-│   │   ├── agent-interface.ts  # Claude Agent SDK integration
-│   │   ├── agent-runner.ts     # Builds prompts, runs agent
-│   │   ├── config.ts           # Framework detection config
-│   │   ├── constants.ts        # Integration enum, shared constants
-│   │   ├── credential-proxy.ts # Token refresh proxy for long sessions
-│   │   └── ensure-auth.ts      # Startup auth guard with token refresh
-│   ├── dashboard/          # Ink/React TUI components
-│   ├── nextjs/             # Next.js installer agent
-│   ├── react/              # React SPA installer agent
-│   ├── react-router/       # React Router installer agent
-│   ├── tanstack-start/     # TanStack Start installer agent
-│   └── vanilla-js/         # Vanilla JS installer agent
-└── ...
+src/
+├── bin.ts                    # CLI entry point (yargs command routing)
+├── cli.config.ts             # App configuration (model, URLs, etc.)
+├── run.ts                    # Installer orchestration entry point
+├── lib/
+│   ├── agent-interface.ts    # Claude Agent SDK integration
+│   ├── agent-runner.ts       # Builds prompts, runs agent
+│   ├── config.ts             # Framework detection config
+│   ├── constants.ts          # Integration enum, shared constants
+│   ├── credential-store.ts   # OAuth credential storage (keyring + file fallback)
+│   ├── config-store.ts       # Environment config storage (keyring + file fallback)
+│   ├── api-key.ts            # API key resolution (env var → flag → config)
+│   ├── workos-api.ts         # Generic WorkOS REST API client
+│   ├── credential-proxy.ts   # Token refresh proxy for long sessions
+│   └── ensure-auth.ts        # Startup auth guard with token refresh
+├── commands/
+│   ├── env.ts                # workos env (add/remove/switch/list)
+│   ├── organization.ts       # workos organization (create/update/get/list/delete)
+│   ├── user.ts               # workos user (get/list/update/delete)
+│   ├── install.ts            # workos install
+│   └── login.ts / logout.ts  # Auth commands
+├── dashboard/                # Ink/React TUI components
+├── nextjs/                   # Next.js installer agent
+├── react/                    # React SPA installer agent
+├── react-router/             # React Router installer agent
+├── tanstack-start/           # TanStack Start installer agent
+├── vanilla-js/               # Vanilla JS installer agent
+└── utils/
+    └── table.ts              # Terminal table formatter
 ```
 
 ## Key Architecture
@@ -32,6 +42,8 @@ installer/
 - **Event Emitter**: `InstallerEventEmitter` bridges agent execution ↔ TUI for real-time updates
 - **Framework Detection**: Each integration has a `detect()` function in `config.ts`
 - **Permission Hook**: `installerCanUseTool()` in `agent-interface.ts` restricts Bash to safe commands only
+- **Config Store**: `config-store.ts` stores environment configs (API keys, endpoints) in system keyring with file fallback
+- **WorkOS API Client**: `workos-api.ts` is a generic fetch wrapper for any WorkOS REST endpoint
 
 ## CLI Modes
 
@@ -93,11 +105,16 @@ pnpm test         # Run tests
 pnpm typecheck    # Type check
 ```
 
-## Testing the Installer
+## Testing
 
 ```bash
 # Run installer in a test project
 cd /path/to/test-app && workos dashboard
+
+# Test management commands
+workos env add sandbox sk_test_xxx
+workos organization list
+workos user list
 ```
 
 ## Adding a New Framework
@@ -106,3 +123,10 @@ cd /path/to/test-app && workos dashboard
 2. Add to `Integration` enum in `lib/constants.ts`
 3. Add detection logic in `lib/config.ts`
 4. Wire up in `run.ts` switch statement
+
+## Adding a New Resource Command
+
+1. Create `src/commands/{resource}.ts` with command handlers (uses `workos-api.ts`)
+2. Create `src/commands/{resource}.spec.ts` with mocked API tests
+3. Register in `src/bin.ts` as a yargs command group with subcommands
+4. Commands use `resolveApiKey()` from `api-key.ts` for auth

DEVELOPMENT.md

@@ -3,39 +3,43 @@
 ## Project Structure
 
 ```
-installer/
-├── src/
-│   ├── bin.ts                # CLI entry point
-│   ├── cli.config.ts         # App configuration (model, URLs)
-│   ├── run.ts                # Entry point
-│   ├── lib/
-│   │   ├── agent-runner.ts       # Core agent execution
-│   │   ├── agent-interface.ts    # SDK interface
-│   │   ├── installer-core.ts     # Headless installer core
-│   │   ├── config.ts             # Framework detection config
-│   │   ├── framework-config.ts   # Framework definitions
-│   │   ├── constants.ts          # Integration types
-│   │   ├── events.ts             # InstallerEventEmitter
-│   │   ├── credential-proxy.ts   # Token refresh proxy for long sessions
-│   │   ├── ensure-auth.ts        # Startup auth guard
-│   │   ├── background-refresh.ts # Background token refresh
-│   │   └── adapters/             # CLI and dashboard adapters
-│   ├── commands/                 # Subcommands (install-skill, login, logout)
-│   ├── steps/                    # Installer step implementations
-│   ├── dashboard/                # Ink/React TUI components
-│   ├── nextjs/                   # Next.js installer agent
-│   ├── react/                    # React SPA installer agent
-│   ├── react-router/             # React Router installer agent
-│   ├── tanstack-start/           # TanStack Start installer agent
-│   ├── vanilla-js/               # Vanilla JS installer agent
-│   └── utils/
-│       ├── clack-utils.ts        # CLI prompts
-│       ├── debug.ts              # Logging with redaction
-│       ├── redact.ts             # Credential redaction
-│       ├── package-manager.ts    # Package manager detection
-│       └── ...                   # Additional utilities
-├── tsconfig.json             # TypeScript config
-└── package.json              # Dependencies and scripts
+src/
+├── bin.ts                    # CLI entry point (yargs command routing)
+├── cli.config.ts             # App configuration (model, URLs)
+├── run.ts                    # Installer orchestration entry point
+├── lib/
+│   ├── agent-runner.ts       # Core agent execution
+│   ├── agent-interface.ts    # Claude Agent SDK interface
+│   ├── installer-core.ts     # Headless installer core (XState)
+│   ├── config.ts             # Framework detection config
+│   ├── constants.ts          # Integration types, shared constants
+│   ├── credential-store.ts   # OAuth credential storage (keyring + file fallback)
+│   ├── config-store.ts       # Environment config storage (keyring + file fallback)
+│   ├── api-key.ts            # API key resolution (env var → flag → config)
+│   ├── workos-api.ts         # Generic WorkOS REST API client
+│   ├── credential-proxy.ts   # Token refresh proxy for long sessions
+│   ├── ensure-auth.ts        # Startup auth guard
+│   └── adapters/             # CLI and dashboard adapters
+├── commands/
+│   ├── env.ts                # workos env (add/remove/switch/list)
+│   ├── organization.ts       # workos organization (create/update/get/list/delete)
+│   ├── user.ts               # workos user (get/list/update/delete)
+│   ├── install.ts            # workos install
+│   ├── install-skill.ts      # workos install-skill
+│   ├── login.ts              # workos login
+│   └── logout.ts             # workos logout
+├── dashboard/                # Ink/React TUI components
+├── nextjs/                   # Next.js installer agent
+├── react/                    # React SPA installer agent
+├── react-router/             # React Router installer agent
+├── tanstack-start/           # TanStack Start installer agent
+├── vanilla-js/               # Vanilla JS installer agent
+└── utils/
+    ├── table.ts              # Terminal table formatter
+    ├── clack-utils.ts        # CLI prompts
+    ├── debug.ts              # Logging with redaction
+    ├── redact.ts             # Credential redaction
+    └── ...                   # Additional utilities
 ```
 
 ## Setup
@@ -54,9 +58,14 @@ pnpm build
 # Build, link globally, and watch for changes
 pnpm dev
 
-# Test locally in another project
+# Test installer in another project
 cd /path/to/test/nextjs-app
 workos dashboard
+
+# Test management commands
+workos env add sandbox sk_test_xxx
+workos organization list
+workos user list
 ```
 
 ## Commands

README.md

@@ -1,6 +1,6 @@
 # workos
 
-AI-powered CLI that automatically integrates WorkOS AuthKit into web applications.
+WorkOS CLI for installing AuthKit integrations and managing WorkOS resources.
 
 ## Installation
 
@@ -45,29 +45,65 @@ Get your credentials from [dashboard.workos.com](https://dashboard.workos.com):
 ## CLI Options
 
 ```bash
-workos [options] [command]
+workos [command]
 
 Commands:
-  dashboard              Run with visual TUI dashboard (experimental)
+  install                Install WorkOS AuthKit into your project
+  dashboard              Run installer with visual TUI dashboard (experimental)
   login                  Authenticate with WorkOS via Connect OAuth device flow
   logout                 Remove stored credentials
-  install-skill          Install AuthKit skills to coding agents (Claude Code, Codex, etc.)
-    --list, -l           List available skills without installing
-    --skill, -s          Install specific skill(s)
-    --agent, -a          Target agent(s): claude-code, codex, cursor, goose
+  env                    Manage environment configurations
+  organization           Manage organizations
+  user                   Manage users
+  doctor                 Diagnose WorkOS integration issues
+  install-skill          Install AuthKit skills to coding agents
+```
+
+### Environment Management
+
+```bash
+workos env add [name] [apiKey]   # Add environment (interactive if no args)
+workos env remove <name>         # Remove an environment
+workos env switch [name]         # Switch active environment
+workos env list                  # List environments with active indicator
+```
+
+API keys are stored in the system keychain via `@napi-rs/keyring`, with a JSON file fallback at `~/.workos/config.json`.
+
+### Organization Management
+
+```bash
+workos organization create <name> [domain:state ...]
+workos organization update <orgId> <name> [domain] [state]
+workos organization get <orgId>
+workos organization list [--domain] [--limit] [--before] [--after] [--order]
+workos organization delete <orgId>
+```
+
+### User Management
+
+```bash
+workos user get <userId>
+workos user list [--email] [--organization] [--limit] [--before] [--after] [--order]
+workos user update <userId> [--first-name] [--last-name] [--email-verified] [--password] [--external-id]
+workos user delete <userId>
+```
+
+Management commands resolve API keys via: `WORKOS_API_KEY` env var → `--api-key` flag → active environment's stored key.
+
+### Installer Options
+
+```bash
+workos install [options]
 
-Options:
   --direct, -D            Use your own Anthropic API key (bypass llm-gateway)
   --integration <name>    Framework: nextjs, react, react-router, tanstack-start, vanilla-js
-  --redirect-uri <uri>    Custom redirect URI (defaults to framework convention)
-  --homepage-url <url>    Custom homepage URL (defaults to http://localhost:{port})
+  --redirect-uri <uri>    Custom redirect URI
+  --homepage-url <url>    Custom homepage URL
   --install-dir <path>    Installation directory
-  --no-validate           Skip post-installation validation (includes build check)
+  --no-validate           Skip post-installation validation
   --force-install         Force install packages even if peer dependency checks fail
   --debug                 Enable verbose logging
-
-Environment Variables:
-  WORKOS_TELEMETRY=false  Disable telemetry collection
 ```
 
 ## Examples
@@ -95,7 +131,7 @@ workos login
 workos logout
 ```
 
-Credentials are stored in `~/.workos/credentials.json`. Access tokens are not persisted long-term for security - users re-authenticate when tokens expire.
+OAuth credentials are stored in the system keychain (with `~/.workos/credentials.json` fallback). Access tokens are not persisted long-term for security - users re-authenticate when tokens expire.
 
 ## How It Works