Add Clerk WASM plugin

[daltoniam]

Summary

• Adds a Clerk authentication and identity management plugin (34 tools) covering users, sessions, organizations, memberships, invitations, and allow/block list identifiers via the Clerk Backend API
• Mirrors the bland/looker pattern: cdylib crate exporting the standard guest ABI (name, metadata, tools, configure, execute, healthy, compact_specs), built with cargo build --release --target wasm32-wasip1 and shipped as dist/clerk.wasm
• Registered in manifest.json and README.md so the marketplace picks it up at the standard URL

Tools (34)

• Users (10): list, get, create, update, delete, ban, unban, lock, unlock, list_user_organization_memberships
• Sessions (3): list, get, revoke
• Organizations (12): list, get, create, update, delete + memberships CRUD + invitations CRUD
• Invitations (3): list, create, revoke (instance-level)
• Allow/Block list (6): list/create/delete for each

Entry-point tools (clerk_list_users, clerk_list_sessions, clerk_list_organizations, clerk_list_invitations, clerk_list_allowlist_identifiers, clerk_list_blocklist_identifiers) include "Start here" wayfinding text and natural-language synonyms (auth, identity, tenant, B2B, login, etc.) for search discoverability.

Field compaction specs included for all 9 list tools.

Credentials

Key	Required	Description
secret_key	yes	Clerk Backend API secret key (sk_test_... or sk_live_...), sent as Authorization: Bearer <secret_key>

healthy() calls GET /v1/jwks — succeeds iff the key is valid.

Test plan

• cargo test -p clerk-wasm — 6 tests pass (tool metadata, entry-point Start here guidance, compact spec/tool parity, dispatch parity over all 34 tools, unknown-tool error envelope, path/query escaping)
• cargo clippy -p clerk-wasm --target wasm32-wasip1 -- -D warnings — clean
• cargo fmt -p clerk-wasm --check — clean
• cargo build --release --target wasm32-wasip1 -p clerk-wasm — succeeds; binary copied to dist/clerk.wasm (210 KB)
• Manifest entry: sha256 + size match dist/clerk.wasm; manifest.json is valid JSON
• Switchboard WASM host smoke load: runtime.LoadModule returns name=clerk, 34 tools, metadata (abi=1, caps=[http]), healthy(unconfigured) = false

🐨 Generated with Crush

[daltoniam]

Live end-to-end test results

Tested against a real Clerk workspace using a sk_test_* key (loaded the WASM via Switchboard's wasm.Runtime, configured with the secret, and exercised the tools through mod.Execute).

Tools verified working

• clerk_list_users — returned real user data
• clerk_get_user — returned full user details
• clerk_list_organizations — returned Curri org with full metadata
• clerk_get_organization (with include_members_count=true) — returned members_count: 1
• clerk_list_organization_memberships — returned membership with embedded org + user
• clerk_list_organization_invitations — returned empty array (no pending invites)
• clerk_list_user_organization_memberships — returned the user's memberships
• clerk_list_invitations — returned bare array
• clerk_list_allowlist_identifiers — returned empty array
• clerk_list_blocklist_identifiers — returned {data: [...], total_count: N} shape
• clerk_list_sessions (with user_id) — returned active session with browser/device/location

Error paths verified

• clerk_get_user with bad ID → surfaced Clerk's 404 (No user was found with id user_NOPE)
• clerk_list_sessions without filter → returns "user_id or client_id is required" (see fix below)

Bug fixed in this push

• clerk_list_sessions previously accepted empty args and let Clerk return a 422. Now it validates client-side and returns a clear error. Description and parameter docs updated to mark user_id / client_id as required (one or the other).

Compaction shape notes

Confirmed live that Clerk's list endpoints are inconsistent:

• Bare array: list_users, list_sessions, list_invitations, list_allowlist_identifiers
• Wrapped: list_organizations, list_organization_memberships, list_blocklist_identifiers, etc.

The compact specs already cover both shapes via dual-path entries ([] and data[]).