fix: prevent registerSubcommand from injecting false positional args

[nicknisi]

Summary

Fixes a bug where commands using named --options with demandOption: true (e.g., permission create, role create, invitation create) rejected valid invocations with:

Not enough non-option arguments: got 0, need at least 4

Root cause

registerSubcommand() probes the builder to discover required options, then enriches the usage string:

create  →  create --slug <string> --name <string>

This enriched string was passed directly as the command argument to yargs.command(). Yargs interprets <...> tokens in the command string as required positional arguments, so it parsed this as:

Token	Yargs interpretation
create	command name
--slug	positional arg #1
<string>	positional arg #2
--name	positional arg #3
<string>	positional arg #4

This created 4 phantom positional requirements on top of the actual --slug and --name options, making the command impossible to use with standard flag syntax.

Workaround users discovered

# Had to pass values as positional args to satisfy the phantom requirement
workos permission create test-perm empty "Test permission" empty --description "testing desc"

Fix

• Pass only the original usage string (e.g., create) as the yargs command — preserving any real positionals like <slug> on commands that use them (e.g., update <slug>, delete <slug>)
• Set the enriched string via .usage(), which is display-only and only affects --help output

Before (broken)

return parentYargs.command(enrichedUsage, description, builder, handler);
//                         ^^^^^^^^^^^^^ "create --slug <string> --name <string>"
//                         yargs treats <string> as positional args

After (fixed)

return parentYargs.command(usage, description, (y) => {
//                         ^^^^^ "create" — no phantom positionals
  const built = builder(y);
  if (enrichedUsage !== usage) {
    built.usage(`$0 ${enrichedUsage}`);  // display-only for --help
  }
  return built;
}, handler);

Affected commands

Any subcommand registered via registerSubcommand with demandOption options:

• permission create / role create / invitation create
• seed (multiple required options)
• setup-org, onboard-user (mixed positional + required options)
• Several others across organization, user, membership, etc.

Commands using only positional args (e.g., permission delete <slug>) or no required options (e.g., permission list) were unaffected.

Verified

• Old build: workos permission create --slug "test-perm" --name "Test Permission" → Not enough non-option arguments: got 0, need at least 4
• New build: ./dist/bin.js permission create --slug "test-perm" --name "Test Permission" → successfully creates permission

Test plan

• pnpm build passes
• pnpm test passes (all 1509 tests across 117 files)
• pnpm typecheck passes
• Manually verified permission create --slug --name works on patched build
• Manually verified old build reproduces the reported bug
• Verify --help output still shows required options in usage line
• Verify commands with real positionals (update <slug>, delete <slug>) still work