✨ Add Rippling provider (company / workforce / org structure)

[tas50]

Summary

• Adds providers/rippling, a new SaaS provider that exposes the company profile, workforce, and org structure of a Rippling-managed company. Auth is OAuth 2.0 — the provider takes a client ID, client secret, and refresh token via --client-id / --client-secret / --refresh-token (or RIPPLING_CLIENT_ID / RIPPLING_CLIENT_SECRET / RIPPLING_REFRESH_TOKEN).
• Resources: rippling, rippling.company, rippling.employee, rippling.department, rippling.team, rippling.workLocation, rippling.group. Compensation, benefits, and payroll-mechanics fields are intentionally not modeled — the provider is scoped to identity, org structure, and access auditing.
• Lightweight in-repo HTTP client over the Rippling Platform REST API (no Go SDK exists). Pagination handled via limit/offset query parameters; covered by a unit test on the pagination math.

Authentication

• Rippling supports an OAuth 2.0 authorization-code grant. Register an app in the Rippling developer portal, complete the authorization once to obtain a refresh token, then hand mql the client ID, client secret, and refresh token.
• mql exchanges the refresh token for short-lived access tokens via golang.org/x/oauth2; the access token is refreshed automatically as it expires. No static API token is involved.

What you can audit

• Every active employee has a department, team, and primary work location
• Terminated employees have terminated=true and no remaining manager reports
• The company's primary contact email uses a recognizable corporate domain
• Every group named like a privileged role (Admin, Finance, …) has a bounded membership
• Employee roleStatus values stay within the documented set (ACTIVE, TERMINATED, LEAVE_OF_ABSENCE)

Files of interest

• providers/rippling/resources/rippling.lr — schema
• providers/rippling/connection/client.go — REST client + paginator
• providers/rippling/connection/client_test.go — pagination math unit test
• providers/rippling/connection/connection.go — OAuth credential handling and asset identifier
• providers/rippling/provider/provider.go — flag handling and asset detection

Notes for review

• Modeled on the Gusto provider (✨ Add Gusto provider (company / workforce / admin access) #7693). Same overall shape (in-repo REST client, lazily-resolved typed cross-refs, single-page-walk listing), but Gusto authenticates with a static API token while Rippling uses OAuth 2.0.
• Rippling OAuth tokens are scoped to a single company, so rippling.companies() is always a one-element list (kept plural to match the rest of the schema and avoid a name clash with rippling.company).
• Field names mirror what the Rippling Platform API documents publicly. I haven't been able to verify against a live tenant in this session — please run the test plan below before merging.

Test plan

• make providers/build/rippling succeeds
• make providers/install/rippling && mql shell rippling --client-id $RIPPLING_CLIENT_ID --client-secret $RIPPLING_CLIENT_SECRET --refresh-token $RIPPLING_REFRESH_TOKEN
  • rippling.companies { name legalName }
  • rippling.employees.where(terminated == false) { workEmail department { name } }
  • rippling.departments { name parent { name } }
  • rippling.workLocations { nickname city state }
  • rippling.groups { name members.length }
• Invalid or expired OAuth credentials return a clear error on connect
• An expired access token is transparently refreshed mid-session
• Optional --api-base override works for a custom Rippling base URL

🤖 Generated with Claude Code

[mondoo-code-review]

Cross-reference fields (manager, department, team, parent, members) silently return null when a resource is resolved by ID rather than from a list.

[github-actions]

Test Results

6 030 tests  ±0   6 026 ✅ ±0   3m 13s ⏱️ -9s
  292 suites ±0       2 💤 ±0 
    4 files   ±0       2 ❌ ±0 

For more details on these failures, see this check.

Results for commit d856125. ± Comparison against base commit 629c9c2.

♻️ This comment has been updated with latest results.

[mondoo-code-review]

Resolving resources by ID (e.g. rippling.employee(id: "xxx").manager) silently returns null because init functions never populate internal struct cache fields

Superseded by new review

[mondoo-code-review]

Init functions now correctly populate internal structs for cross-reference resolution.

[mondoo-code-review]

New Rippling provider exposes company, workforce, and org structure data via OAuth-authenticated API; sensitive field (TIN) is exposed without warning.

[tas50]

/review