feat(generated): Add Groups API and organization membership groups support

[workos-sdk-automation]

Summary

• New GroupService: Added complete Groups API with CRUD operations (ListOrganizationGroups, CreateOrganizationGroup, GetOrganizationGroup, UpdateOrganizationGroup, DeleteOrganizationGroup)
• Group membership operations: Added ListOrganizationMemberships, CreateOrganizationMembership, and DeleteOrganizationMembership methods
• New UserManagementOrganizationMembershipGroupService: Added ListOrganizationMembershipGroups to list groups for an organization membership
• New models: Added Group, CreateGroup, CreateGroupMembership models; WaitlistUser, WaitlistUserState, and waitlist event types (WaitlistUserCreated, WaitlistUserApproved, WaitlistUserDenied)
• Authorization API method renames: Renamed methods for clarity (ListOrganizationMembershipResources → ListResourcesForMembership, ListResourcePermissions → ListEffectivePermissions, etc.) with corresponding parameter type renames
• Admin Portal updates: Changed AdminEmails field to ItContactEmails in AdminPortalGenerateLinkParams
• Enhanced enums: Added SSO providers (Bitbucket, GitLab, Intuit, LinkedIn, Salesforce, Slack, Vercel, Xero) and webhook event types for waitlist users
• Invitation model updates: Added RoleSlug field to invitation-related data types
• New domain verification intent options: Added DomainVerificationIntentOptions for Admin Portal
• Internal improvements: Test files and test data fixtures added for new functionality

Triggered by workos/openapi-spec@b684348

[greptile-apps]

Greptile Summary

This auto-generated PR adds a new GroupService with full CRUD and membership operations, a UserManagementOrganizationMembershipGroupService, new Group/WaitlistUser models, extended SSO provider and webhook event enums, and several breaking renames in the Authorization API and Admin Portal field names.

• groups_test.go references testdata/list_user_organization_membership_base_list_data.json, which is explicitly removed from the oagen manifest in this same PR — a future regeneration that purges untracked fixtures will break the TestGroups_ListOrganizationMemberships test.

Confidence Score: 3/5

PR is mostly safe but contains a P1 test fragility where a newly added test references a fixture file removed from the oagen manifest in the same PR.

One P1 finding (test referencing a de-listed fixture that will break on next oagen cleanup) pulls the score below the 4/5 P1 ceiling, given it affects test reliability on the newly added code path.

groups_test.go (ListOrganizationMemberships test fixture dependency) and testdata/create_group.json / testdata/update_group.json (misleading request-body fixtures tracked in manifest).

Important Files Changed

Filename	Overview
groups.go	New GroupService with full CRUD and membership operations; URL construction uses url.PathEscape correctly; CreateOrganizationMembership returning *Group is consistent with API spec.
groups_test.go	Tests reference testdata/list_user_organization_membership_base_list_data.json which is removed from the oagen manifest — future regeneration may delete that file and break the ListOrganizationMemberships test.
models.go	Adds Group, CreateGroup, WaitlistUser models; UpdateGroup aliased to UpdateAuthorizationPermission (structurally correct but semantically coupled); AdminEmails renamed to ItContactEmails (breaking change).
authorization.go	Method renames (ListOrganizationMembershipResources → ListResourcesForMembership, ListResourcePermissions → ListEffectivePermissions, etc.) are breaking API changes for existing SDK consumers.
user_management_organization_membership_groups.go	New UserManagementOrganizationMembershipGroupService with ListOrganizationMembershipGroups; implementation is straightforward and correct.
admin_portal.go	AdminEmails field renamed to ItContactEmails in AdminPortalGenerateLinkParams; this is a breaking wire-format change (json tag changes from admin_emails to it_contact_emails).
enums.go	Adds WaitlistUserState enum, new SSO/auth providers (Bitbucket, GitLab, etc.), waitlist webhook event types, and order type aliases; all additions are additive and non-breaking.
workos.go	Registers new GroupService and UserManagementOrganizationMembershipGroupService on the Client; Groups() and UserManagementOrganizationMembershipGroups() accessor methods correctly wired.

Class Diagram

%%{init: {'theme': 'neutral'}}%%
classDiagram
    class Client {
        +Groups() GroupService
        +UserManagementOrganizationMembershipGroups() UserManagementOrganizationMembershipGroupService
        +Authorization() AuthorizationService
        +AdminPortal() AdminPortalService
    }

    class GroupService {
        +ListOrganizationGroups(ctx, orgID, params) Iterator~Group~
        +CreateOrganizationGroup(ctx, orgID, params) Group
        +GetOrganizationGroup(ctx, orgID, groupID) Group
        +UpdateOrganizationGroup(ctx, orgID, groupID, params) Group
        +DeleteOrganizationGroup(ctx, orgID, groupID) error
        +ListOrganizationMemberships(ctx, orgID, groupID, params) Iterator~UserOrganizationMembershipBaseListData~
        +CreateOrganizationMembership(ctx, orgID, groupID, params) Group
        +DeleteOrganizationMembership(ctx, orgID, groupID, omID) error
    }

    class UserManagementOrganizationMembershipGroupService {
        +ListOrganizationMembershipGroups(ctx, omID, params) Iterator~Group~
    }

    class AuthorizationService {
        +ListResourcesForMembership() Iterator~AuthorizationResource~
        +ListEffectivePermissions() Iterator~AuthorizationPermission~
        +ListRoleAssignments() Iterator~RoleAssignment~
    }

    class Group {
        +string Object
        +string ID
        +string OrganizationID
        +string Name
        +string Description
        +string CreatedAt
        +string UpdatedAt
    }

    class WaitlistUser {
        +string Object
        +string ID
        +string Email
        +WaitlistUserState State
        +string ApprovedAt
    }

    Client --> GroupService
    Client --> UserManagementOrganizationMembershipGroupService
    Client --> AuthorizationService
    GroupService --> Group
    UserManagementOrganizationMembershipGroupService --> Group

Loading

_{Reviews (1): Last reviewed commit: "feat(generated): Add Groups API and orga..." | Re-trigger Greptile}

[greptile-apps]

Test fixture removed from manifest but still referenced

testdata/list_user_organization_membership_base_list_data.json is explicitly removed from .oagen-manifest.json in this PR, yet this test continues to read from it. If a subsequent oagen run deletes files that are no longer tracked by the manifest, this test will fail at the os.ReadFile call with no fixture to serve, causing the iterator assertion to break. A new fixture should be added to the manifest, or the test should reference a tracked file (e.g., testdata/list_user_organization_membership.json if its shape is compatible).

[greptile-apps]

Misleading type alias coupling UpdateGroup to UpdateAuthorizationPermission

UpdateGroup is aliased to UpdateAuthorizationPermission — a structurally unrelated type — solely because they share the same Name/Description schema at this point in time. If UpdateAuthorizationPermission ever gains a permission-specific field (e.g., ResourceTypeSlug) or vice-versa, consumers of UpdateGroup would silently pick up that field. The same pattern is used for UpdateOrganizationRole and UpdateRole, so this appears to be a code-generator decision, but it creates invisible semantic coupling across two distinct domains.

[greptile-apps]

Fixture files contain request body, not a full response object

testdata/create_group.json (and testdata/update_group.json) contain only {"name": "…", "description": "…"}, which is the request body shape — not a full Group response (which should include id, object, organization_id, created_at, updated_at). The actual tests correctly use testdata/group.json for responses, so these files are unused and only tracked in the manifest. Having misleadingly named request-body fixtures that look like response fixtures can cause confusion for future test authors.