feat(clerk): expand Clerk integration with org, membership, moderation, and security tools #5364

Merged: waleedlatif1 merged 2 commits into staging from worktree-clerk-validate-integration on Jul 2, 2026
@waleedlatif1

Collaborator

Summary

  • Ran a full /validate-integration pass on Clerk and fixed 4 warnings: missing .trim() on organization/session ID params, an incomplete session-status dropdown (missing Removed/Replaced), and missing List Users/List Organizations filter subBlocks that the tools already supported but the UI didn't expose
  • Audited Clerk's Backend API for coverage gaps and added 23 new tools:
    • Organization update/delete
    • Organization membership CRUD (list, add member, update role, remove member)
    • Organization invitations (create, list)
    • User moderation: ban/unban/lock/unlock, plus OAuth access token retrieval
    • Allowlist/blocklist identifier management (list/create/delete for each)
    • JWT template list/get
    • Actor token create/revoke (impersonation / support tooling)
  • Added matching webhook triggers for the new event types: session ended/removed/revoked, organization updated/deleted, organization membership updated/deleted
  • Wired everything into the block (dropdown, subBlocks, tools.access, param mapping, outputs), tool registry, and trigger registry
  • Ran 4 parallel adversarial validation passes against the live Clerk API/OpenAPI spec after implementation; fixed the real issues they surfaced (a phantom providerUserId field that would always resolve to null, a missing clerk_create_organization condition on the metadata subBlocks, and several output-catalog completeness gaps including an expiresAt/expireAt naming mismatch for sessions)

Type of Change

  • New feature (integration expansion)
  • Bug fix (pre-existing warnings)

Testing

  • bun run lint, full-project tsc --noEmit, and bun run check:api-validation:strict all pass clean
  • Existing clerk.test.ts webhook provider suite passes (6/6)
  • Cross-checked every new tool's endpoint/params/response shape against the live Clerk Backend API and @clerk/backend SDK source across 4 independent verification passes

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…n, and security tools

- fix 4 validate-integration warnings: missing .trim() on org/session IDs, incomplete session-status dropdown, missing list_users/list_organizations filter subBlocks
- add organization update/delete tools
- add organization membership CRUD (list, add, update role, remove)
- add organization invitation create/list
- add user ban/unban/lock/unlock and OAuth access token retrieval
- add allowlist/blocklist identifier management
- add JWT template list/get
- add actor token create/revoke (impersonation)
- add matching webhook triggers for session ended/removed/revoked, organization updated/deleted, and membership updated/deleted
- wire all 23 new tools into the block, tool registry, and trigger registry
@vercel

vercel Bot commented Jul 2, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 2, 2026 3:46pm

@cursor

cursor Bot commented Jul 2, 2026


PR Summary

High Risk
Large auth/security surface: workflows can ban users, delete orgs, issue actor tokens, and return OAuth tokens using customer secret keys—misconfiguration or overly broad agent access has real account impact despite following established tool patterns.

Overview
Expands the Clerk block and backend tools from basic user/org/session CRUD to a much broader Clerk Backend API surface, plus matching webhooks and UI fixes.

23 new workflow tools cover org update/delete; membership list/add/update/remove; org invitations; user ban/unban/lock/unlock; OAuth access tokens per provider; allowlist/blocklist identifiers; JWT template list/get; and actor token create/revoke (impersonation). Each is registered in tools/registry and exposed on the Clerk block with operation-specific subBlocks, param mapping (including JSON metadata, notify flags, and numeric coercion for limit/offset/expiry fields), and expanded block outputs.

Seven new webhook triggers react to session ended/removed/revoked, organization updated/deleted, and membership updated/deleted, wired through triggers/clerk/utils event maps and the trigger registry.

Polish on existing paths: .trim() on org/session IDs in several tools; List Users gains phone/external ID/user ID filters and shared orderBy; session status dropdown adds Removed/Replaced; block skills/templates updated (e.g. moderate-user-access skill, ban vs delete in inactive-user template).

Reviewed by Cursor Bugbot for commit 7016ad8. Configure here.
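
One way to contain the risk flagged above (workflows that can ban users, issue actor tokens and return OAuth tokens) is a deny-by-default gate in front of tool dispatch, plus redaction of token-bearing output before it is logged. This is an added example, not code from this PR or its repository; the operation ids, the `AgentPolicy` shape and the approval rule are assumptions.

```typescript
// Added example. Operation ids are hypothetical, modelled on the
// `clerk_create_organization` naming in the PR, not read from the repository.
type Risk = 'read' | 'write' | 'destructive' | 'credential'

const OPERATION_RISK: Record<string, Risk> = {
  clerk_list_jwt_templates: 'read',
  clerk_update_organization: 'write',
  clerk_ban_user: 'destructive',
  clerk_create_actor_token: 'credential',
  clerk_get_user_oauth_token: 'credential',
}

interface AgentPolicy {
  operations: string[] // explicit allowlist, no wildcards
  approvedBy?: string // named human approver for high-impact calls
}

interface Decision { allowed: boolean; reason: string }

// Constructed sample policy: ban is allowlisted but nobody has approved it.
const SAMPLE_POLICY: AgentPolicy = { operations: ['clerk_list_jwt_templates', 'clerk_ban_user'] }

// Own-property lookup so "constructor" or "__proto__" never resolve to a risk.
function riskOf(operation: string): Risk | undefined {
  const known = Object.prototype.hasOwnProperty.call(OPERATION_RISK, operation)
  return known ? OPERATION_RISK[operation] : undefined
}

function authorize(operation: string, policy: AgentPolicy): Decision {
  const risk = riskOf(operation)
  if (risk === undefined) return { allowed: false, reason: 'unclassified operation' }
  if (policy.operations.indexOf(operation) === -1) return { allowed: false, reason: 'not in allowlist' }
  const highImpact = risk === 'destructive' || risk === 'credential'
  if (highImpact && !policy.approvedBy) return { allowed: false, reason: 'approval required' }
  return { allowed: true, reason: risk }
}

// Mask secret-bearing fields before a credential operation's output is logged.
// `token` and `url` are the actor-token fields named in this thread; treating
// `url` as secret assumes it embeds the token.
function redactForLog(operation: string, output: Record<string, unknown>): Record<string, unknown> {
  const risk = riskOf(operation)
  if (risk !== undefined && risk !== 'credential') return output
  const copy: Record<string, unknown> = {}
  for (const key of Object.keys(output)) {
    const secret = (key === 'token' || key === 'url') && output[key] != null
    copy[key] = secret ? '[REDACTED]' : output[key]
  }
  return copy
}
```

Unclassified operations are denied and their output is redacted, so a tool added later without a risk entry fails closed.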

Comment thread apps/sim/tools/clerk/list_allowlist_identifiers.ts
Comment thread apps/sim/tools/clerk/list_jwt_templates.ts
@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Contributor

Greptile Summary

This PR significantly expands the Clerk integration by adding 23 new tools (organization CRUD, membership management, invitations, user moderation, allowlist/blocklist, JWT templates, and actor tokens) alongside 8 new webhook triggers and the corresponding UI wiring in the block definition.

  • Tools & types: All new tools correctly map Clerk BAPI endpoint shapes to camelCase outputs; response parsing choices (bare array vs. paginated object) are consistent with the Clerk OpenAPI spec as confirmed in a prior review thread.
  • Block wiring: The operation dropdown, subBlocks, param-mapping switch, and tools.access list are all kept in sync; numeric fields are correctly coerced and renamed fields (e.g. orgName → name, notifyInvitation → notify) are handled in the switch before the ...rest pass-through.
  • Triggers: Eight new trigger configs are registered with the correct Clerk event-type strings, and the deleted-event output builders expose only the slim { id, deleted } marker shape that Clerk actually sends for those events.

Confidence Score: 5/5

Safe to merge; all new tools follow established patterns, the registry and block wiring are consistent, and the response-parsing decisions are backed by the Clerk OpenAPI spec.

Every new tool, trigger, and block entry is self-contained and follows the existing Clerk integration patterns. The response-parsing choices were verified against the live Clerk API per the PR description and the previous review thread. The one flagged item — a shared placeholder that is misleading for the invitation email field — is a documentation nit that won't silently corrupt data.

apps/sim/blocks/blocks/clerk.ts — the shared emailAddress subBlock placeholder text

Important Files Changed

Filename Overview
apps/sim/blocks/blocks/clerk.ts Adds 23 new operation entries to the dropdown, corresponding subBlocks, param mapping in the switch, and output catalog entries; shared emailAddress placeholder is misleading for invitation use
apps/sim/tools/clerk/types.ts Adds 544 lines of TypeScript interfaces covering all new operations; types match wire shapes described by Clerk OpenAPI spec and confirmed by the previous thread
apps/sim/tools/clerk/list_organization_memberships.ts Correctly uses paginated { data, total_count } shape; handles comma-split role filter; maps all public_user_data fields cleanly
apps/sim/tools/clerk/create_actor_token.ts Correct POST to /v1/actor_tokens with actor JSON parsing; token and url fields nullable as per spec
apps/sim/tools/clerk/get_user_oauth_token.ts Strips and re-prefixes oauth_ correctly; maps flat array response; scopes default to []
apps/sim/tools/clerk/list_allowlist_identifiers.ts Parses bare-array response as confirmed by Clerk OpenAPI spec; totalCount set to array length (correct for non-paginated endpoint)
apps/sim/tools/clerk/list_jwt_templates.ts Parses bare-array response consistent with Clerk spec; totalCount set to templates.length which is accurate for this non-paginated endpoint
apps/sim/triggers/clerk/utils.ts Adds 8 new trigger-to-event-type mappings and two new output builders for deleted-object payloads; organization_membership_deleted outputs use a slim deleted-marker shape, which is correct
apps/sim/tools/clerk/update_organization.ts Correctly uses PATCH with sparse body; only sends fields that are explicitly provided
apps/sim/tools/registry.ts All 23 new tools correctly imported and registered with the canonical IDs that match the block dropdown values
apps/sim/triggers/registry.ts All 8 new triggers correctly imported and registered; keys match CLERK_TRIGGER_TO_EVENT_TYPE entries in utils.ts

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    UI[Block UI\noperation dropdown] -->|params mapping switch| Mapper[clerk.ts\nparams config]
    Mapper -->|cleanParams| ToolRegistry[tools/registry.ts]
    ToolRegistry --> T1[User Moderation\nban/unban/lock/unlock]
    ToolRegistry --> T2[Org CRUD\nupdate/delete]
    ToolRegistry --> T3[Membership CRUD\nlist/add/update/remove]
    ToolRegistry --> T4[Invitations\ncreate/list]
    ToolRegistry --> T5[Allow/Blocklist\nlist/create/delete]
    ToolRegistry --> T6[JWT Templates\nlist/get]
    ToolRegistry --> T7[Actor Tokens\ncreate/revoke]
    ToolRegistry --> T8[OAuth Token\nget]
    T1 & T2 & T3 & T4 & T5 & T6 & T7 & T8 -->|HTTP| ClerkBAPI[Clerk Backend API\napi.clerk.com/v1]
    
    WebhookIn[Clerk Webhook\nPOST] --> TriggerRegistry[triggers/registry.ts]
    TriggerRegistry --> Tr1[session.ended/removed/revoked]
    TriggerRegistry --> Tr2[organization.updated/deleted]
    TriggerRegistry --> Tr3[organizationMembership.updated/deleted]

Reviews (3): Last reviewed commit: "fix(clerk): I/O completeness fixes from ..." | Re-trigger Greptile
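
The response shapes and input normalisation described in the file overview above (bare array versus paginated `{ data, total_count }`, stripping and re-prefixing `oauth_`, trimming IDs), as an added example that is not the PR's code. Function names, the provider character check, the URL-encoding of IDs and the sample bodies are assumptions, and the last two go beyond what the review describes.

```typescript
interface ListResult<T> { items: T[]; totalCount: number }

// Constructed sample bodies (not captured from Clerk).
const SAMPLE_MEMBERSHIPS = { data: [{ id: 'orgmem_1', role: 'org:admin' }], total_count: 7 }
const SAMPLE_ALLOWLIST = [{ id: 'alid_1', identifier: 'a@example.com' }, { id: 'alid_2', identifier: 'b@example.com' }]

// Accept a bare array (non-paginated endpoint) or { data, total_count }.
// Anything else, such as an error object, throws instead of becoming an empty list.
function parseList<T>(body: unknown, map: (raw: Record<string, unknown>) => T): ListResult<T> {
  if (Array.isArray(body)) {
    const items = body.map((r) => map(r as Record<string, unknown>))
    return { items, totalCount: items.length }
  }
  if (body !== null && typeof body === 'object' && Array.isArray((body as { data?: unknown }).data)) {
    const page = body as { data: Record<string, unknown>[]; total_count?: unknown }
    const items = page.data.map((r) => map(r))
    const total = typeof page.total_count === 'number' ? page.total_count : items.length
    return { items, totalCount: total }
  }
  throw new Error('unexpected list response shape')
}

// Strip one existing oauth_ prefix, then add exactly one, so "google" and
// "oauth_google" both resolve to the same provider id.
function normalizeProvider(input: string): string {
  const bare = input.trim().replace(/^oauth_/, '')
  if (!/^[a-z0-9_]+$/.test(bare)) throw new Error('invalid provider')
  return `oauth_${bare}`
}

// Trim pasted IDs, reject empty ones, and encode so the value stays a single
// path segment when interpolated into a request URL.
function idSegment(id: string): string {
  const trimmed = id.trim()
  if (trimmed === '') throw new Error('empty id')
  return encodeURIComponent(trimmed)
}
```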

Comment thread apps/sim/tools/clerk/list_allowlist_identifiers.ts
@waleedlatif1

Collaborator Author

@greptile

@waleedlatif1

Collaborator Author

@cursor review

Comment thread apps/sim/blocks/blocks/clerk.ts
Comment thread apps/sim/tools/clerk/list_allowlist_identifiers.ts
@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 818b5f2. Configure here.

- remove dead limit/offset params from list_blocklist_identifiers (Clerk API accepts zero params on this endpoint, verified across 6 spec versions)
- expose publicMetadata on OAuth access token output (was silently dropped)
- expose inviter email/first/last name (public_inviter_data) on organization invitation create/list outputs
- add missing orderBy param to list_organization_invitations
@waleedlatif1

Collaborator Author

@greptile

@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 7016ad8. Configure here.

@waleedlatif1 waleedlatif1 merged commit 7a31871 into staging Jul 2, 2026
18 checks passed
@waleedlatif1 waleedlatif1 deleted the worktree-clerk-validate-integration branch July 2, 2026 17:47