feat(clerk): expand Clerk integration with org, membership, moderation, and security tools #5364

Open
waleedlatif1 wants to merge 2 commits into staging from worktree-clerk-validate-integration

@waleedlatif1

Collaborator

Summary

  • Ran a full /validate-integration pass on Clerk and fixed 4 warnings: missing .trim() on organization/session ID params, an incomplete session-status dropdown (missing Removed/Replaced), and missing List Users/List Organizations filter subBlocks that the tools already supported but the UI didn't expose
  • Audited Clerk's Backend API for coverage gaps and added 23 new tools:
    • Organization update/delete
    • Organization membership CRUD (list, add member, update role, remove member)
    • Organization invitations (create, list)
    • User moderation: ban/unban/lock/unlock, plus OAuth access token retrieval
    • Allowlist/blocklist identifier management (list/create/delete for each)
    • JWT template list/get
    • Actor token create/revoke (impersonation / support tooling)
  • Added matching webhook triggers for the new event types: session ended/removed/revoked, organization updated/deleted, organization membership updated/deleted
  • Wired everything into the block (dropdown, subBlocks, tools.access, param mapping, outputs), tool registry, and trigger registry
  • Ran 4 parallel adversarial validation passes against the live Clerk API/OpenAPI spec after implementation; fixed the real issues they surfaced (a phantom providerUserId field that would always resolve to null, a missing clerk_create_organization condition on the metadata subBlocks, and several output-catalog completeness gaps including an expiresAt/expireAt naming mismatch for sessions)

Type of Change

  • New feature (integration expansion)
  • Bug fix (pre-existing warnings)

Testing

  • bun run lint, full-project tsc --noEmit, and bun run check:api-validation:strict all pass clean
  • Existing clerk.test.ts webhook provider suite passes (6/6)
  • Cross-checked every new tool's endpoint/params/response shape against the live Clerk Backend API and @clerk/backend SDK source across 4 independent verification passes

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…n, and security tools

- fix 4 validate-integration warnings: missing .trim() on org/session IDs, incomplete session-status dropdown, missing list_users/list_organizations filter subBlocks
- add organization update/delete tools
- add organization membership CRUD (list, add, update role, remove)
- add organization invitation create/list
- add user ban/unban/lock/unlock and OAuth access token retrieval
- add allowlist/blocklist identifier management
- add JWT template list/get
- add actor token create/revoke (impersonation)
- add matching webhook triggers for session ended/removed/revoked, organization updated/deleted, and membership updated/deleted
- wire all 23 new tools into the block, tool registry, and trigger registry
@vercel

vercel Bot commented Jul 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 2, 2026 3:46pm

@cursor

cursor Bot commented Jul 2, 2026

PR Summary

High Risk
Adds security-sensitive Clerk operations (impersonation actor tokens, OAuth token reads, ban/delete org, allow/block lists) callable from workflows with a user-supplied secret key; mistakes or over-broad agent access could lock users out or leak tokens.

Overview
Expands the Clerk block and tool layer with ~23 new Backend API operations and seven new webhook triggers, plus fixes to existing list/filter UI and ID handling.

New workflow capabilities include user moderation (ban/unban/lock/unlock), OAuth access token retrieval, full organization update/delete, membership CRUD and invitations, allowlist/blocklist identifiers, JWT template list/get, and actor tokens for impersonation. The Clerk block’s operation dropdown, conditional subBlocks, tools.access, param mapping (including numeric coercion for pagination/expiry fields), and outputs are updated to match; templates/skills gain a moderate-user-access skill and richer org flows.

Webhook triggers now cover session.ended / removed / revoked, organization.updated / deleted, and organizationMembership.updated / deleted, with trigger utils and registries kept in sync with the webhook provider event map.

Smaller fixes: .trim() on org/session IDs in several tools; session list status options Removed and Replaced; List Users advanced filters (phone, external ID, user ID, orderBy) exposed in the UI where tools already supported them.

Reviewed by Cursor Bugbot for commit 818b5f2. Configure here.

Comment thread apps/sim/tools/clerk/list_allowlist_identifiers.ts
Comment thread apps/sim/tools/clerk/list_jwt_templates.ts
@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Contributor

Greptile Summary

This PR significantly expands the Clerk integration by adding 23 new tools and 8 new webhook trigger types. It closes coverage gaps across organization management, membership CRUD, invitations, user moderation, allow/blocklist management, JWT templates, and actor tokens, while also fixing pre-existing validation gaps (missing .trim(), incomplete session-status dropdown, missing filter subBlocks in the UI).

  • 23 new tool files covering organization update/delete, membership CRUD, organization invitations, user ban/unban/lock/unlock, OAuth access-token retrieval, allowlist/blocklist CRUD, JWT template list/get, and actor-token create/revoke — all wired into the tool registry and the block's dropdown, subBlocks, param mapping, and output catalog.
  • 8 new trigger files for session ended/removed/revoked, organization updated/deleted, and organization membership updated/deleted — each with its own output-builder and registered in the trigger registry.
  • Block-level fixes: added missing filter subBlocks for user listing (phone, externalId, userId), corrected the session-status dropdown (Removed/Replaced), moved maxAllowedMemberships into the shared numericFields coercion path, and added clerk_create_organization to the metadata subBlock conditions.

Confidence Score: 5/5

Safe to merge — all 23 new tools follow the established pattern with correct endpoint URLs, proper nullable field handling, and consistent error propagation; the block param mapping is complete and the trigger registry is fully wired.

The change is a large but mechanically regular feature expansion: each new tool file, trigger file, and block subBlock follows the same well-tested pattern as the existing Clerk integration. API shape decisions (bare-array vs. paginated responses) are explicitly justified and consistent with the codebase. No logic or data-flow issues were found after full review.

No files require special attention.

Important Files Changed

Filename Overview
apps/sim/blocks/blocks/clerk.ts Block config expanded with 23 new operations, subBlocks, param mapping (incl. numeric coercion via numericFields), and an output catalog — all correctly wired. New triggers added to both subBlocks and triggers.access.
apps/sim/tools/clerk/types.ts 558-line addition defining all new Clerk resource types and param/response interfaces; wire types and response shapes match the Clerk BAPI spec.
apps/sim/tools/clerk/create_actor_token.ts Actor-token creation tool with correct POST /v1/actor_tokens endpoint, optional expiresInSeconds/sessionMaxDurationInSeconds fields, and proper token/url nullable handling.
apps/sim/tools/clerk/get_user_oauth_token.ts OAuth token retrieval; correctly normalises the provider slug (strips leading oauth_ if present), parses the response as ClerkOAuthAccessToken[], and maps all token fields.
apps/sim/tools/clerk/list_allowlist_identifiers.ts Parses the allowlist endpoint as a bare array (confirmed correct by prior thread discussion of the BAPI spec); totalCount reflects page size only, which is the only available count for this endpoint.
apps/sim/tools/clerk/list_blocklist_identifiers.ts Correctly parses the blocklist paginated response shape {data, total_count}, consistent with the existing blocklist endpoint's wire format.
apps/sim/tools/clerk/list_organization_memberships.ts Paginated memberships list; correctly parses {data, total_count}, multi-value role filter handled with repeated append, all membership fields mapped.
apps/sim/tools/clerk/create_organization_invitation.ts Invitation creation with optional fields correctly omitted when undefined; response shape matches ClerkOrganizationInvitation with all nullable fields handled.
apps/sim/triggers/clerk/utils.ts CLERK_TRIGGER_TO_EVENT_TYPE and clerkTriggerOptions updated with 7 new entries; new output-builder functions added for organization.deleted and organizationMembership.deleted events.
apps/sim/tools/registry.ts All 23 new tool exports correctly imported and registered alphabetically in the tools map.
apps/sim/triggers/registry.ts All 8 new trigger exports correctly imported and registered in TRIGGER_REGISTRY.

Reviews (2): Last reviewed commit: "feat(clerk): expand Clerk integration wi..." | Re-trigger Greptile
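
The list-shape and input-normalisation points in the file overview above, as an added TypeScript example that is not code from this PR or from Clerk. `normalizeList`, `cleanId` and `normalizeProvider` are hypothetical names, the sample bodies are constructed, and the rejection of path characters in `cleanId` is an assumption added here beyond the `.trim()` the PR describes.

```typescript
// Added illustration; all names are hypothetical and not taken from the PR.
interface ListResult<T> {
  items: T[];
  totalCount: number;
  totalIsPageSize: boolean; // true when the response carried no total_count
}

// Accept both wire shapes named in the review: a bare array, or { data, total_count }.
function normalizeList<T>(body: unknown): ListResult<T> {
  if (Array.isArray(body)) {
    // Bare array: the only count available is the size of this page.
    return { items: body as T[], totalCount: body.length, totalIsPageSize: true };
  }
  if (body !== null && typeof body === 'object') {
    const obj = body as { data?: unknown; total_count?: unknown };
    if (Array.isArray(obj.data)) {
      const total = typeof obj.total_count === 'number' ? obj.total_count : null;
      return {
        items: obj.data as T[],
        totalCount: total ?? obj.data.length,
        totalIsPageSize: total === null,
      };
    }
  }
  // An error envelope or any other shape must not be reported as an empty list.
  throw new Error('Unexpected list response shape');
}

// Trim an ID before it is placed in a URL path. Rejecting empty values and
// path/query characters is an assumption added here, beyond the PR's .trim().
function cleanId(raw: string, label: string): string {
  const id = raw.trim();
  if (id === '' || /[\/?#\s]/.test(id)) throw new Error(`Invalid ${label}`);
  return id;
}

// Strip a leading "oauth_" from the provider slug if present.
function normalizeProvider(raw: string): string {
  const slug = raw.trim();
  return slug.startsWith('oauth_') ? slug.slice('oauth_'.length) : slug;
}

// Constructed sample bodies, not captured API output.
const barePage = normalizeList<{ id: string }>([{ id: 'a1' }, { id: 'a2' }]);
const pagedPage = normalizeList<{ id: string }>({ data: [{ id: 'b1' }], total_count: 17 });
console.log(barePage.totalCount, barePage.totalIsPageSize, pagedPage.totalCount);
console.log(cleanId('  org_123 \n', 'organizationId'), normalizeProvider('oauth_google'));
```
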

Comment thread apps/sim/tools/clerk/list_allowlist_identifiers.ts
@waleedlatif1

Collaborator Author

@greptile

@waleedlatif1

Collaborator Author

@cursor review

Comment thread apps/sim/blocks/blocks/clerk.ts
Comment thread apps/sim/tools/clerk/list_allowlist_identifiers.ts
@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 818b5f2. Configure here.

- remove dead limit/offset params from list_blocklist_identifiers (Clerk API accepts zero params on this endpoint, verified across 6 spec versions)
- expose publicMetadata on OAuth access token output (was silently dropped)
- expose inviter email/first/last name (public_inviter_data) on organization invitation create/list outputs
- add missing orderBy param to list_organization_invitations