@baref00t/mcp-server 0.3.1 → 0.5.0

package/README.md

@@ -11,9 +11,17 @@ Hosted multi-tenant Model Context Protocol (MCP) server that exposes the [baref0
 | Production | `https://mcp.baref00t.io/mcp` |
 | Staging | `https://mcp.sandbox.baref00t.io/mcp` |
 
-## Quick start (Claude Desktop)
+## Quick start — OAuth (recommended for AI clients)
 
-`~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
+Connect Claude Desktop, Claude.ai web Connectors, Cursor, or ChatGPT remote MCP using the standard OAuth flow — no API key to copy around.
+
+**Claude Desktop / Claude.ai / ChatGPT:** Add a custom MCP server with URL `https://mcp.baref00t.io/mcp`. The client auto-discovers `/.well-known/oauth-protected-resource`, registers itself via Dynamic Client Registration (RFC 7591), and pops a browser window to sign in via Microsoft. After consent, you'll be signed in — no JSON, no token paste.
+
+**Manage authorized apps** at https://www.baref00t.io/portal/developer/connected-apps. Revoke any app at any time; the affected session stops working immediately.
+
+## Quick start — API key (server-to-server)
+
+For headless integrations (SDK, CI, your own backend) the long-standing API-key path is unchanged. `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
 
 ```json
 {
@@ -28,131 +36,145 @@ Hosted multi-tenant Model Context Protocol (MCP) server that exposes the [baref0
 }
 ```
 
-Restart Claude Desktop. Ask: **"List my baref00t customers"**.
+Get an API key at https://www.baref00t.io/portal/developer/api-keys.
 
-## Authentication
+## Authentication summary
 
-Pass your existing baref00t Partner or Distributor API key in any of these headers:
+| Path | Header | Best for |
+|---|---|---|
+| OAuth | `Authorization: Bearer <JWT issued by mcp.baref00t.io>` | Interactive AI clients with a human user (Claude Desktop, Cursor, ChatGPT) |
+| API key (Bearer) | `Authorization: Bearer pk_live_…` (or `dk_live_…`) | Server-to-server, CI, scripted integrations |
+| API key (X-header) | `X-Partner-Key: pk_live_…` / `X-Distributor-Key: dk_live_…` | Same as Bearer, alternative header form |
 
-```
-Authorization: Bearer pk_live_…
-X-Partner-Key: pk_live_…
-X-Distributor-Key: dk_live_…
-```
+Key prefix routes to the right scope. Partner keys see partner tools; distributor keys see distributor tools. JWTs carry the scope in their claims and are similarly routed.
 
-Key prefix routes to the right scope. Partner keys see partner tools, distributor keys see distributor tools.
+## Tool catalogue
 
-Get an API key at https://www.baref00t.io → Settings → API keys.
+Full coverage of the Partner API + Distributor API. Destructive actions (delete, revoke, raw-secret reveals) include explicit warnings in the tool description so the AI assistant narrates the consequences before invoking.
 
-## Tool catalogue (v0.2 — 32 tools)
+<!-- mcp-tools:start -->
+<!-- This section is autogenerated from the live tool registry by
+     `pnpm docs:gen-mcp` (see scripts/gen-mcp-docs.mjs). Edits between
+     the markers will be overwritten on the next run. 11 categories, 50 tools. -->
 
-Full coverage of the Partner API + Distributor API. Destructive actions (delete, revoke, raw-secret reveals) include explicit warnings in the tool description so the AI assistant narrates the consequences before invoking.
+### Customers (6 tools, scope=`pk_*`)
+
+| Tool | What it does |
+|---|---|
+| `partner_list_customers` | List all customers in the partner account. Returns customerId, name, email, tenantId, status and createdAt. Use when the user asks "show me my customers" or wants to look up a customer id. |
+| `partner_get_customer` | Fetch a single customer by id, including notification toggles + creation date. Use when the user asks for details about a specific customer. |
+| `partner_create_customer` | Create a new customer record. Requires the customer's display name and Microsoft Entra tenant id (GUID). Returns the new customerId. Use when the user asks to add or onboard a customer. |
+| `partner_update_customer` | Update whitelisted fields on an existing customer. Partial — only fields you pass are changed. Note: changing `tenantId` rebinds the customer to a different Microsoft Entra tenant; existing consents tied to the old tenant will not transfer. |
+| `partner_delete_customer` | Delete a customer. Idempotent — re-deleting returns 404. Past assessments + reports tied to the customer remain queryable through partner_list_assessments / partner_get_assessment_report until their own retention windows expire; only the customer record itself is removed. Granted consents on the Microsoft Entra tenant are NOT revoked here — the customer admin must remove the baref00t app from Enterprise Applications separately. |
+| `partner_bulk_create_customers` | Bulk-create up to 100 customers in one request. Per-row failures do NOT fail the whole call — inspect `results[]` for the per-customer outcome (status: "created" \| "error", with customerId or error string). Returns total / succeeded / failed counts plus the per-row results array. Use partner_create_customer for one-offs; this is for onboarding spreadsheets / CSV imports. |
 
-### Partner — Account & Plan (3 tools, scope=`pk_*`)
+### Consent (2 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_get_plan_billing` | Plan + monthly quota usage + allowed products |
-| `partner_get_billing` | Full billing snapshot (subscriptions, invoices, charges) |
-| `partner_get_payment_portal_url` | Stripe Customer Portal deep-link for payment-method management |
+| `partner_get_consent_url` | Mint a consent URL the customer can visit to grant the baref00t app read-only Microsoft Graph access on their tenant. Required before the first assessment for any customer who hasn't already consented — partner_trigger_assessment will silently fail (orchestrator graph token-exchange 401s) without consent. Returns { consentUrl, assessmentId, product, customerId }. Hand the URL to the partner to share with the customer manually, or use partner_send_consent_email to email it on the partner's behalf. |
+| `partner_send_consent_email` | Send a partner-branded consent invitation email to the customer's configured consentRecipients (or primary email as fallback). The email contains a Grant Consent button linking to the consent URL. Returns { sent, skipped, recipients, failed, consentUrl, emailConsentEnabled, skipReason }. Honours the 2-stage email gate: if the partner's mail provider is 'off' OR the customer's emailConsentEnabled is false, no email is sent and emailConsentEnabled is returned as false with skipReason set; consentUrl is always returned so it can be shared manually. |
 
-### Partner — Branding (2 tools)
+### Assessments (5 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_get_branding` | Read name / company / brandColor / footerText / contactEmail / logo URL |
-| `partner_update_branding` | Update branding fields (`name`, `company`, `brandColor`, `footerText`, `contactEmail`) — drives outbound email + report viewer chrome. `name` is the customer-facing Brand Name (preferred display); `company` is the legal/registration entity. |
+| `partner_list_assessments` | List assessment runs for the partner. Filter by month (YYYY-MM), product, and/or customerId. Also returns runsUsed/runLimit so the LLM knows how much quota remains. Use when the user asks "show me recent runs" or wants to find a specific assessment. |
+| `partner_get_assessment` | Fetch one assessment run by id. Returns product, status, customer id, and timestamps. Use to check the live status of a previously triggered run. |
+| `partner_get_assessment_report` | Get a 30-day SAS URL for the rendered HTML report of a completed assessment. Returns { url, expiresAt }. Hand the URL to the user as a clickable link or fetch it in a browser. The assessment must be in `completed` status — call partner_get_assessment_status first to confirm. Only HTML format is supported today; PDF format returns NOT_IMPLEMENTED. |
+| `partner_trigger_assessment` | Start a new assessment for the given customer. The platform performs a live consent pre-flight (client-credentials token mint against the customer tenant) before accepting the run. Inspect the response's "status" field: "queued"/"completed"/"failed" means the run was accepted (assessmentId + runId populated, COSTS 1 CREDIT — poll via partner_get_assessment_status). "consent_required" means the per-product Entra app does NOT currently exist in the customer tenant (never consented OR the customer admin removed it from Enterprise Applications) — no credit was burned, assessmentId is null, but consentUrl is returned. In that case call partner_send_consent_email or share consentUrl directly with the customer, then re-trigger. |
+| `partner_get_assessment_status` | Poll the status of a previously-triggered assessment. Returns the current status (queued, completed, failed) and the runAt timestamp. Use to wait for a triggered assessment to finish. |
 
-### Partner — Customers (4 tools)
+### Plan & Billing (3 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_list_customers` | List all customers in the partner account |
-| `partner_get_customer` | Fetch one customer by id |
-| `partner_create_customer` | Create a new customer (requires Microsoft Entra tenant id) |
-| `partner_get_consent_url` | Get the customer-facing Microsoft admin-consent URL for a product |
-| `partner_send_consent_email` | Email the consent link to the customer's configured recipients |
+| `partner_get_plan_billing` | Fetch the partner's current plan, billing cycle, monthly assessment quota usage, and list of allowed products. Use when the user asks about their plan, quota, or available products before triggering an assessment. |
+| `partner_get_billing` | Read-only Stripe snapshot for the partner: active subscriptions, last 20 invoices, last 20 successful charges, plus a freshly-minted Stripe Customer Portal URL valid ~1 hour. When the partner has no Stripe customer linked yet, all arrays are empty and portal_url is null. For just the portal URL (or a guaranteed-fresh one) use partner_get_payment_portal_url. The platform owns the subscription lifecycle — plan changes still go through partner_get_plan_billing / the change-plan SDK call. |
+| `partner_get_payment_portal_url` | Mint a fresh, short-lived Stripe Customer Portal URL. The partner opens it in a new tab to manage payment methods, download invoices, and update billing details directly on Stripe — no card data ever touches baref00t.io. Use this when the cached portal_url from partner_get_billing has expired (or any time you want a guaranteed-fresh session). Errors 400 if the partner has no Stripe customer linked yet. |
 
-### Partner — Assessments (5 tools)
+### Branding (2 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_list_assessments` | List runs, filter by month/product/customer |
-| `partner_get_assessment` | Fetch one assessment by id |
-| `partner_get_assessment_status` | Poll status of a running assessment |
-| `partner_trigger_assessment` | Start a new assessment (costs 1 quota credit) |
-| `partner_get_assessment_report` | Fetch the 30-day SAS URL for the rendered report (HTML) |
+| `partner_get_branding` | Fetch the partner-wide branding (company name, brand colour, footer text, contact email, and a 30-day SAS URL for the uploaded logo when present). Drives customer-facing emails + the report viewer chrome. Use when the user asks "what does our branding look like?" or before mutating a single field via partner_update_branding. |
+| `partner_update_branding` | Update one or more partner-branding text fields. All fields optional — provide only what you want to change. Affects customer-facing emails (consent invitation, report-ready, questionnaire) and the report viewer chrome. Logo upload is a separate multipart flow (POST /api/partner/branding/logo, MSAL only) and is not covered by this tool. |
 
-### Partner — Members (5 tools)
+### Members (5 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_list_members` | List Admin/Member/Viewer roster |
-| `partner_invite_member` | Invite by email + role |
-| `partner_update_member` | Change role or status (last-Admin protection enforced server-side) |
-| `partner_remove_member` | Remove a member (permanent — warns before invoking) |
-| `partner_resend_invite` | Resend a pending invite |
+| `partner_list_members` | List all members on the partner account, with role (Admin / Member / Viewer), status (Pending / Active / Suspended), and lifecycle timestamps. Also returns the calling principal's effective role — for X-Partner-Key callers this is always "Admin". Each member row exposes an emailHash that downstream member tools (update / remove / resend) use as the path identifier. |
+| `partner_invite_member` | Invite a new member to the partner account. Sends an invitation email with a one-time accept link valid for 14 days. Returns the new (Pending) member record including the emailHash needed for downstream update/remove/resend calls. Errors 409 if the address is already a member or has an open invite. |
+| `partner_update_member` | Update a member's role and/or status (provide at least one). Suspending revokes their ability to sign in but retains the row for audit; reactivate by setting status="Active". Cannot demote the last Admin — errors 409 in that case. |
+| `partner_remove_member` | WARNING — permanent. Removes a member from the partner account; the row is deleted (audit history of past actions is retained on the audit log, but the member entry is gone — re-add via partner_invite_member). Cannot remove the last Admin (errors 409). Prefer partner_update_member with status="Suspended" if you might re-enable later. |
+| `partner_resend_invite` | Re-issue the invitation email and reset the 14-day accept window for a Pending member. Errors 409 if the member is not in Pending status (use partner_update_member to change role on already-Active members instead). |
 
-### Partner — Webhooks (6 tools)
+### Webhooks (6 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_list_webhooks` | List configured endpoints + subscribed events |
-| `partner_create_webhook` | Create endpoint — raw secret returned ONCE in the response |
-| `partner_update_webhook` | Update URL/events/enabled/description; rotate secret if requested |
-| `partner_delete_webhook` | Delete endpoint (warns: stops in-flight retries) |
-| `partner_test_webhook` | Fire a `test.ping` event to verify the receiver |
-| `partner_list_webhook_deliveries` | Recent delivery log with retry attempt count + response bodies |
+| `partner_list_webhooks` | List all webhook endpoints configured on the partner account, plus the catalog of event types you can subscribe to (assessment.completed / failed, customer.created / updated / deleted, etc.). Each row includes lastSuccessAt, lastFailureAt, and failureCount — handy for spotting endpoints that are silently broken. |
+| `partner_create_webhook` | Create a new webhook endpoint. WARNING — the signing secret is returned ONCE in response.secret; store it immediately (e.g. in your secrets manager). It cannot be re-fetched. Use partner_update_webhook with rotateSecret=true to mint a fresh secret if lost. Verify incoming deliveries against X-Baref00t-Signature using verifyWebhookSignature() from @baref00t/sdk/webhooks. |
+| `partner_update_webhook` | Partial update for a webhook endpoint — change the URL, events, enabled flag, description, and/or rotate the signing secret. When rotateSecret=true, the new secret is returned ONCE in response.secret and the previous one stops working immediately. |
+| `partner_delete_webhook` | WARNING — permanent. Removes the webhook endpoint and STOPS any in-flight retries (events currently mid-backoff are abandoned). Historical delivery rows remain queryable until the retention window expires. If you only want to pause deliveries, prefer partner_update_webhook with enabled=false instead. |
+| `partner_test_webhook` | Fire a synthetic test.ping delivery to the endpoint with a real signed payload — useful while wiring up your handler. The 10-second response is returned inline so you can see exactly what your server replied (statusCode + first ~500 bytes of responseBody). Does NOT cost a credit and does NOT count toward retry backoff. |
+| `partner_list_webhook_deliveries` | Recent delivery attempts for a single webhook endpoint. Useful for debugging when a partner's receiver is silently failing — surfaces statusCode, durationMs, lastError, attemptCount (with v2.1.7+ retry-backoff schedule: 1m, 5m, 30m, 2h, 24h), and a 500-byte slice of the response body. Status can be Pending / Delivered / Failed / Abandoned. |
 
-### Partner — Mail (6 tools)
+### Mail (6 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_mail_status` | Provider, connected mailbox, token validity |
-| `partner_mail_set_mode` | Switch sender (`resend` / `microsoft` / `off`) |
-| `partner_mail_disconnect` | Revoke the cached refresh token, revert to Resend |
-| `partner_mail_send_test` | Send a test email to the calling user via Microsoft Graph |
-| `partner_mail_set_shared_mailbox` | Set/clear the shared-mailbox UPN (FROM address override) |
-| `partner_mail_start_connect` | Get Microsoft authorize URL for the partner admin to grant consent |
+| `partner_mail_status` | Fetch the current partner-mail configuration: provider ("resend" / "microsoft" / "off"), connected Microsoft mailbox UPN (when provider="microsoft"), shared-mailbox UPN, whether the cached refresh token can still mint a Graph access token, and the access-token expiry. Use to check status before mode/sharedMailbox changes or to decide whether to re-run partner_mail_start_connect. |
+| `partner_mail_set_mode` | Set the partner-wide mail provider. Switching to "microsoft" before completing partner_mail_start_connect errors 412 NO_CONNECTION (no refresh token on file). "off" is the recommended kill-switch — flipping it back to "resend" or "microsoft" resumes sending immediately. |
+| `partner_mail_disconnect` | Revoke the cached Microsoft refresh token and revert the provider to Resend. Use when the connected mailbox is compromised or the partner admin wants to re-consent under a different account. After disconnect, partner_mail_start_connect must be run again before partner_mail_set_mode can flip back to "microsoft". |
+| `partner_mail_send_test` | Send a one-off test email via Microsoft Graph using the connected mailbox (or sharedMailbox if set). Recipient is always the calling user's own email — no body to specify. Use to confirm the OAuth flow + Graph permissions are wired correctly. Errors 412 NOT_CONNECTED if the partner hasn't connected a Microsoft mailbox yet, or 502 GRAPH_<status> if Graph rejects the send (typically a missing Send-As permission on the shared mailbox). |
+| `partner_mail_set_shared_mailbox` | Set or clear the shared-mailbox UPN that customer-facing emails are sent FROM. When unset (null), mail is sent from the connected user's own mailbox. Confirm permission is wired correctly afterwards via partner_mail_send_test — Graph errors 502 if Send-As permission is missing on the shared mailbox. |
+| `partner_mail_start_connect` | Returns the Microsoft authorize URL for the partner admin to navigate to. The OAuth callback handles token persistence on the platform; no further MCP calls are needed for the consent step itself. After the callback bounces back to returnTo with ?mailConnected=1, call partner_mail_set_mode with mode="microsoft" to switch the provider on. Errors 503 MAIL_APP_NOT_CONFIGURED if the platform's Partner Mail Sender Entra app isn't configured server-side. |
 
-### Partner — API Keys (3 tools)
+### API Keys (3 tools)
 
 | Tool | What it does |
 |---|---|
-| `partner_list_keys` | List active API key slots (last 4 chars + slot number; max 2) |
-| `partner_create_key` | Generate a new key — raw value returned ONCE; costs an active slot |
-| `partner_revoke_key` | Revoke key by slot — permanent, can lock you out if it's the slot you're using |
+| `partner_list_keys` | List the active API key slots (1 and 2) for the partner. Each slot exposes its number + a 4-char suffix of the raw key for visual identification — the raw key itself is never re-fetchable. Returned as part of the partner profile (the same shape partner_get_plan_billing already exposes). Use to confirm which slot is in use before partner_create_key (max 2) or partner_revoke_key. |
+| `partner_create_key` | WARNING — raw key returned ONCE in response.key. Store immediately (e.g. in a secrets manager); it cannot be re-fetched. Costs an active slot (max 2). Throws MAX_KEYS if both slots are already in use — call partner_revoke_key on the unused slot first. Recommended rotation flow: create slot 2, deploy with new key, verify, then revoke slot 1. |
+| `partner_revoke_key` | WARNING — irreversible. Revoke the API key in the given slot (1 or 2). The key is invalidated immediately; any caller still using it gets 401 on the next request. Foot- gun: revoking the slot the SDK / MCP server is currently using locks subsequent calls out of the platform. Always rotate (partner_create_key) and verify the new key works before revoking the old one. |
 
-### Partner — Pipeline / Leads (10 tools)
+### Pipeline / Leads (10 tools)
 
-Requires the partner record to have `prospecting` in `enabledFeatures` (admin-granted only — no plan tier auto-includes it). All tools 403 with `FEATURE_NOT_ENABLED` otherwise.
+Requires the partner record to have `prospecting` in `enabledFeatures` (admin-granted only — no plan tier auto-includes it).
 
 | Tool | What it does |
 |---|---|
-| `partner_list_leads` | Paginated list with stage filter / search / stage-count rollup |
-| `partner_get_lead` | One lead with full contact list + last 50 activity entries |
-| `partner_create_lead` | Create from a domain — sync Apollo + Hunter + M365 OIDC enrichment by default |
-| `partner_bulk_create_leads` | Up to 50 domains in one call — async enrichment |
-| `partner_update_lead` | Partial update (company / contacts / partner overrides / notes / lostReason) |
-| `partner_delete_lead` | Soft-delete — cancels in-flight outreach cadence |
-| `partner_enrich_lead` | Re-run enrichment; `force: true` bypasses the freshness cache |
-| `partner_set_lead_stage` | Set Won / Lost (terminal). Other stages advance server-side. |
-| `partner_send_lead_consent` | **COSTS 1 CREDIT.** Kicks off the partner-branded outreach cadence — creates customer + assessment, sends touch-1 to up to 10 recipients, advances the lead to `OutreachSent`. Routes via `partner.mailProvider` (`resend` / `microsoft` / `off`); pass `skipEmail: true` to mint URLs without sending (or when mode is `off`). |
-| `partner_list_lead_activity` | Paginated activity log per lead |
+| `partner_list_leads` | List partner prospecting leads with optional stage / search filters and stage-count rollup. Requires the partner record to have `prospecting` in enabledFeatures (admin-granted only — no plan tier auto-includes it). Returns leads with domain, company, contact info, stage, and timestamps. Use when the user asks "show me my pipeline", "leads in stage X", or wants to look up a leadId. |
+| `partner_get_lead` | Fetch one lead with its full contact list, partner overrides, lifecycle timestamps, and the most recent 50 activity log entries. Requires `prospecting` feature flag. Use when the user wants details on a specific lead (by id) or to inspect activity / enrichment results. |
+| `partner_create_lead` | Create a single lead from a domain. Requires `prospecting` feature flag. By default runs enrichment synchronously: Apollo + Hunter populate company/contact fields, and an OIDC probe against login.microsoftonline.com fills tenantId/isOnM365 when the domain is on Entra. Returns 409 with `existingLeadId` if a lead for the same domain already exists for this partner. |
+| `partner_bulk_create_leads` | Bulk-create up to 50 leads from a list of domains. Requires `prospecting` feature flag. Returns `created` (lead rows) + `skipped` (duplicates / invalid domains with reasons). Enrichment runs in the background — partner_get_lead will return enriched data once Apollo / Hunter / M365 finish (typically <30s per lead). |
+| `partner_update_lead` | Update whitelisted lead fields. Requires `prospecting` feature flag. Stage cannot be set via this tool — use partner_set_lead_stage for terminal Won/Lost transitions; other stages are server-managed by the assessment lifecycle. Identity links (customerId, assessmentId) are also server-managed and not partner-settable. |
+| `partner_delete_lead` | Soft-delete a lead. Requires `prospecting` feature flag. Cancels any in-flight outreach cadence. The row stays in Postgres for audit; re-creating the same domain after deletion creates a fresh lead row with a new id. Idempotent — re-deleting an already-deleted lead returns 404. |
+| `partner_enrich_lead` | Re-run enrichment for a lead: Apollo people search + Hunter domain search + Microsoft 365 OIDC tenant discovery (login.microsoftonline.com/{domain}/.well-known/openid-configuration). Requires `prospecting` feature flag. Returns the updated lead, the contributing sources (`apollo`, `hunter`, `m365`), and `fromCache: true` when results were served from the freshness cache. On successful enrichment the lead auto-advances from `New` to `Enriched`. |
+| `partner_set_lead_stage` | Mark a lead Won or Lost — the two terminal states. Requires `prospecting` feature flag. Other stages (Enriched / OutreachSent / Consented / ReportDelivered) are server-managed via the assessment lifecycle and cannot be set explicitly. Setting Won or Lost cancels any in-flight outreach cadence for the lead. |
+| `partner_list_lead_activity` | Read the activity log for a lead — created, enriched, email_sent, email_delivered, email_opened, email_clicked, consented, report_ready, stage_changed, note, etc. Each entry has type / detail / metadata / actorEmail / createdAt. Requires `prospecting` feature flag. Use when the user asks "what happened to this lead" or to debug an outreach sequence. |
+| `partner_send_lead_consent` | Kick off the partner-branded outreach cadence for a lead. Creates (or attaches to) a customer record, mints an assessment + run row (COSTS 1 CREDIT), sends touch-1 of the consent email to each recipient, advances the lead to `OutreachSent`, and fires the `lead.outreach_sent` webhook event. Touches 2 + 3 fire from the background cadence worker on day 3 + 7. Suppressed addresses are skipped silently with `skipped: "suppressed"` in the per-recipient result. Dispatch is routed by the partner's mail mode (`mailProvider`): `resend` (default — baref00t Resend with partner From-name + Reply-To), `microsoft` (partner's connected Graph mailbox), or `off` (call fails with `MAIL_DISABLED` unless `skipEmail: true`). Each per-recipient result reports `via: "resend" \| "microsoft"` so the caller can confirm which channel ran. Pass `skipEmail: true` to bypass the email send entirely — the response still carries the per-recipient `consentUrl` strings so the partner can dispatch via their own channel. Requires the `prospecting` feature flag. Reject if the lead is in a terminal stage (Won / Lost). |
 
 ### Distributor (2 tools, scope=`dk_*`)
 
 | Tool | What it does |
 |---|---|
-| `distributor_list_partners` | List sub-partners (optionally filtered by status) |
-| `distributor_get_usage` | Aggregated month usage across all sub-partners |
+| `distributor_list_partners` | List all sub-partners owned by this distributor. Optionally filter by status. Returns each partner's id, company, email, plan, billing, and status. |
+| `distributor_get_usage` | Aggregated assessment usage across all sub-partners for a billing month. Returns totalPartners, activePartners, totalRuns, and per-partner breakdown (runs vs limit). Use to answer "how much have my sub-partners used this month?". |
+<!-- mcp-tools:end -->
 
 ### Versioning
 
+See [`CHANGELOG.md`](./CHANGELOG.md) for per-release notes. Major SDK pins:
+
 | MCP version | SDK pin | Highlights |
 |---|---|---|
-| **0.2.0** (current) | `@baref00t/sdk@^0.6.0` | Full partner-portal surface coverage. 21 net new tools across branding, members, billing, webhooks, mail, keys. |
-| 0.1.x | `@baref00t/sdk@^0.4.0` | Initial release: customers + assessments + plan/billing read |
+| 0.4.x | `@baref00t/sdk@^0.7.0` | Customer CRUD parity (update/delete/bulk_create); /docs + this README autogenerated from the registry. |
+| 0.3.x | `@baref00t/sdk@^0.7.0` | Lead pipeline (10 tools, prospecting feature flag); consent URL + email tooling. |
+| 0.2.x | `@baref00t/sdk@^0.6.0` | Full partner-portal surface coverage. 21 net new tools across branding, members, billing, webhooks, mail, keys. |
+| 0.1.x | `@baref00t/sdk@^0.4.0` | Initial release: customers + assessments + plan/billing read. |
 
 ## Local self-host
 

package/dist/auth.d.ts

@@ -1,10 +1,16 @@
 /**
  * Per-request key extraction + scope routing.
  *
- * Accepts either:
+ * Accepts either of:
  *   Authorization: Bearer pk_live_…       (or dk_live_…)
  *   X-Partner-Key: pk_live_…
  *   X-Distributor-Key: dk_live_…
+ *   Authorization: Bearer <JWT>            (#374 OAuth Phase 4)
+ *
+ * JWT path: lazy-loads @baref00t/mcp-oauth (hosted-only, optional peer
+ * dep), verifies the JWT, returns a synthetic apiKey carrying the
+ * partner/distributor id so downstream tool dispatch + audit log keep
+ * working without per-handler awareness of the auth source.
  *
  * Validates the prefix against the runtime-configurable allow-list
  * (`MCPAllowedKeyPrefixes` in KV). Unknown prefix → 401.
@@ -14,6 +20,12 @@ export type Scope = 'partner' | 'distributor';
 export interface ExtractedKey {
     scope: Scope;
     apiKey: string;
+    /** Set when auth came from a JWT (OAuth path). Useful for audit. */
+    oauthGrant?: {
+        grantId: string;
+        memberEmailHash: string;
+        clientId: string;
+    };
 }
 export interface AuthError {
     status: number;

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAGhD,MAAM,MAAM,KAAK,GAAG,SAAS,GAAG,aAAa,CAAA;AAE7C,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,KAAK,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE;QAAE,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAA;CACnD;AAED,wBAAsB,UAAU,CAC9B,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAgDnC"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAKhD,MAAM,MAAM,KAAK,GAAG,SAAS,GAAG,aAAa,CAAA;AAE7C,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,KAAK,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;IACd,oEAAoE;IACpE,UAAU,CAAC,EAAE;QACX,OAAO,EAAE,MAAM,CAAA;QACf,eAAe,EAAE,MAAM,CAAA;QACvB,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAA;CACF;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE;QAAE,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAA;CACnD;AA+BD,wBAAsB,UAAU,CAC9B,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CA6FnC"}

package/dist/auth.js

@@ -1,15 +1,51 @@
 /**
  * Per-request key extraction + scope routing.
  *
- * Accepts either:
+ * Accepts either of:
  *   Authorization: Bearer pk_live_…       (or dk_live_…)
  *   X-Partner-Key: pk_live_…
  *   X-Distributor-Key: dk_live_…
+ *   Authorization: Bearer <JWT>            (#374 OAuth Phase 4)
+ *
+ * JWT path: lazy-loads @baref00t/mcp-oauth (hosted-only, optional peer
+ * dep), verifies the JWT, returns a synthetic apiKey carrying the
+ * partner/distributor id so downstream tool dispatch + audit log keep
+ * working without per-handler awareness of the auth source.
  *
  * Validates the prefix against the runtime-configurable allow-list
  * (`MCPAllowedKeyPrefixes` in KV). Unknown prefix → 401.
  */
 import { getConfig } from './config.js';
+import { env } from './env.js';
+import { logger } from './logger.js';
+function looksLikeJwt(raw) {
+    return raw.split('.').length === 3 && raw.length > 50;
+}
+let _oauthVerifyLoaded = null;
+async function tryLoadOAuth() {
+    if (_oauthVerifyLoaded === 'unavailable')
+        return null;
+    if (_oauthVerifyLoaded)
+        return _oauthVerifyLoaded;
+    try {
+        const mod = await import('@baref00t/mcp-oauth');
+        // initOAuthConfig is idempotent. server.ts calls it on the metadata
+        // path; if a JWT-authed request arrives first, we init here too.
+        mod.initOAuthConfig({
+            issuer: env().MCP_OAUTH_ISSUER,
+            kvName: env().KV_NAME ?? null,
+            entraClientId: process.env['AZURE_AD_CLIENT_ID'],
+            entraClientSecret: process.env['AZURE_AD_CLIENT_SECRET'],
+            entraTenantId: process.env['BAREF00T_ENTRA_TENANT_ID'] ?? 'common',
+        });
+        _oauthVerifyLoaded = mod;
+        return mod;
+    }
+    catch {
+        _oauthVerifyLoaded = 'unavailable';
+        return null;
+    }
+}
 export async function extractKey(req) {
     const auth = req.headers['authorization'];
     const partnerHdr = req.headers['x-partner-key'];
@@ -35,7 +71,49 @@ export async function extractKey(req) {
             },
         };
     }
-    // Prefix check against runtime-configurable allow-list.
+    // ── OAuth JWT path (#374 Phase 4) ─────────────────────────────────────
+    // Tried before the prefix check — JWTs don't have a pk_/dk_ prefix and
+    // would otherwise fail the allow-list. Only when the OAuth module is
+    // available (hosted deployment) AND the feature flag is on do we try.
+    if (looksLikeJwt(raw)) {
+        const config = await getConfig();
+        if (config.featureFlags['MCPOAuthEnabled'] === true) {
+            const oauth = await tryLoadOAuth();
+            if (oauth) {
+                try {
+                    const claims = await oauth.verifyMcpJwt(raw, `${env().MCP_OAUTH_ISSUER}/mcp`);
+                    const scope = claims.scope.includes('mcp:distributor') ? 'distributor' : 'partner';
+                    return {
+                        scope,
+                        // Synthetic apiKey carrying partner/distributor id — downstream
+                        // code that hashes the apiKey (audit, rate-limit) keeps working;
+                        // tool handlers don't care about its actual value.
+                        apiKey: `__oauth__${claims.partnerId}__${claims.grantId}`,
+                        oauthGrant: {
+                            grantId: claims.grantId,
+                            memberEmailHash: claims.memberEmailHash,
+                            clientId: claims.clientId,
+                        },
+                    };
+                }
+                catch (err) {
+                    logger().debug({ err: err instanceof Error ? err.message : String(err) }, 'extractKey: JWT verification failed');
+                    return {
+                        status: 401,
+                        body: {
+                            error: {
+                                code: 'INVALID_TOKEN',
+                                message: 'Bearer token is not a valid baref00t-issued JWT (signature/exp/grant check failed).',
+                            },
+                        },
+                    };
+                }
+            }
+        }
+        // OAuth disabled or module unavailable — fall through. The token
+        // doesn't match any pk_/dk_ prefix so we'll reject below.
+    }
+    // ── Existing API-key prefix path ─────────────────────────────────────
     const config = await getConfig();
     const lower = raw.toLowerCase();
     const allowed = config.allowedKeyPrefixes.find((p) => lower.startsWith(p));

package/dist/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAcvC,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAoB;IAEpB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;IACzC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IAEvD,IAAI,GAAuB,CAAA;IAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACzE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC1C,GAAG,GAAG,UAAU,CAAC,IAAI,EAAE,CAAA;IACzB,CAAC;SAAM,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC9C,GAAG,GAAG,cAAc,CAAC,IAAI,EAAE,CAAA;IAC7B,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACJ,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EACL,8GAA8G;iBACjH;aACF;SACF,CAAA;IACH,CAAC;IAED,wDAAwD;IACxD,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IAC1E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACJ,KAAK,EAAE;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,OAAO,EACL,4DAA4D;wBAC5D,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;iBACvC;aACF;SACF,CAAA;IACH,CAAC;IAED,kEAAkE;IAClE,MAAM,KAAK,GAAU,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,CAAA;IAC1E,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAA;AAC/B,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AACvC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAoBpC,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;AACvD,CAAC;AAGD,IAAI,kBAAkB,GAAoC,IAAI,CAAA;AAE9D,KAAK,UAAU,YAAY;IACzB,IAAI,kBAAkB,KAAK,aAAa;QAAE,OAAO,IAAI,CAAA;IACrD,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAA;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;QAC/C,oEAAoE;QACpE,iEAAiE;QACjE,GAAG,CAAC,eAAe,CAAC;YAClB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB;YAC9B,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,IAAI,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YAChD,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YACxD,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,QAAQ;SACnE,CAAC,CAAA;QACF,kBAAkB,GAAG,GAAG,CAAA;QACxB,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB,GAAG,aAAa,CAAA;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAoB;IAEpB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;IACzC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IAEvD,IAAI,GAAuB,CAAA;IAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACzE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC1C,GAAG,GAAG,UAAU,CAAC,IAAI,EAAE,CAAA;IACzB,CAAC;SAAM,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC9C,GAAG,GAAG,cAAc,CAAC,IAAI,EAAE,CAAA;IAC7B,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACJ,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EACL,8GAA8G;iBACjH;aACF;SACF,CAAA;IACH,CAAC;IAED,yEAAyE;IACzE,uEAAuE;IACvE,qEAAqE;IACrE,sEAAsE;IACtE,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;QAChC,IAAI,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC;YACpD,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAA;YAClC,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC,gBAAgB,MAAM,CAAC,CAAA;oBAC7E,MAAM,KAAK,GAAU,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAA;oBACzF,OAAO;wBACL,KAAK;wBACL,gEAAgE;wBAChE,iEAAiE;wBACjE,mDAAmD;wBACnD,MAAM,EAAE,YAAY,MAAM,CAAC,SAAS,KAAK,MAAM,CAAC,OAAO,EAAE;wBACzD,UAAU,EAAE;4BACV,OAAO,EAAE,MAAM,CAAC,OAAO;4BACvB,eAAe,EAAE,MAAM,CAAC,eAAe;4BACvC,QAAQ,EAAE,MAAM,CAAC,QAAQ;yBAC1B;qBACF,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,MAAM,EAAE,CAAC,KAAK,CACZ,EAAE,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzD,qCAAqC,CACtC,CAAA;oBACD,OAAO;wBACL,MAAM,EAAE,GAAG;wBACX,IAAI,EAAE;4BACJ,KAAK,EAAE;gCACL,IAAI,EAAE,eAAe;gCACrB,OAAO,EAAE,qFAAqF;6BAC/F;yBACF;qBACF,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,iEAAiE;QACjE,0DAA0D;IAC5D,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IAC1E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACJ,KAAK,EAAE;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,OAAO,EACL,4DAA4D;wBAC5D,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;iBACvC;aACF;SACF,CAAA;IACH,CAAC;IAED,kEAAkE;IAClE,MAAM,KAAK,GAAU,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,CAAA;IAC1E,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAA;AAC/B,CAAC"}

package/dist/env.d.ts

@@ -17,11 +17,22 @@ declare const envSchema: z.ZodObject<{
     KV_NAME: z.ZodOptional<z.ZodString>;
     APPLICATIONINSIGHTS_CONNECTION_STRING: z.ZodOptional<z.ZodString>;
     BAREF00T_API_BASE: z.ZodDefault<z.ZodString>;
+    /**
+     * OAuth issuer URL — appears verbatim in JWT `iss` claim, AS metadata's
+     * `issuer`, and the JWKS URI base. RFC 8414 requires identical-string
+     * comparison so this MUST match across environments (no trailing slash;
+     * no path component).
+     *   prod:    https://mcp.baref00t.io
+     *   staging: https://mcp.sandbox.baref00t.io
+     *   local:   http://localhost:8080
+     */
+    MCP_OAUTH_ISSUER: z.ZodDefault<z.ZodString>;
     ENVIRONMENT: z.ZodDefault<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     NODE_ENV: "development" | "production" | "test";
     PORT: number;
     BAREF00T_API_BASE: string;
+    MCP_OAUTH_ISSUER: string;
     ENVIRONMENT: string;
     AZURE_CLIENT_ID?: string | undefined;
     KV_NAME?: string | undefined;
@@ -33,6 +44,7 @@ declare const envSchema: z.ZodObject<{
     KV_NAME?: string | undefined;
     APPLICATIONINSIGHTS_CONNECTION_STRING?: string | undefined;
     BAREF00T_API_BASE?: string | undefined;
+    MCP_OAUTH_ISSUER?: string | undefined;
     ENVIRONMENT?: string | undefined;
 }>;
 export type McpEnv = z.infer<typeof envSchema>;

package/dist/env.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;EAeb,CAAA;AAEF,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA;AAI9C,wBAAgB,GAAG,IAAI,MAAM,CAU5B"}
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,SAAS;;;;;;;IAcb;;;;;;;;OAQG;;;;;;;;;;;;;;;;;;;;;EAOH,CAAA;AAEF,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA;AAI9C,wBAAgB,GAAG,IAAI,MAAM,CAU5B"}

package/dist/env.js

@@ -20,6 +20,19 @@ const envSchema = z.object({
         .string()
         .url()
         .default('https://api.baref00t.io'),
+    /**
+     * OAuth issuer URL — appears verbatim in JWT `iss` claim, AS metadata's
+     * `issuer`, and the JWKS URI base. RFC 8414 requires identical-string
+     * comparison so this MUST match across environments (no trailing slash;
+     * no path component).
+     *   prod:    https://mcp.baref00t.io
+     *   staging: https://mcp.sandbox.baref00t.io
+     *   local:   http://localhost:8080
+     */
+    MCP_OAUTH_ISSUER: z
+        .string()
+        .url()
+        .default('http://localhost:8080'),
     ENVIRONMENT: z.string().default('local'),
 });
 let _env = null;

package/dist/env.js.map

@@ -1 +1 @@
-{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7E,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAE7D,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IACrF,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,yCAAyC,CAAC;IAEzF,qCAAqC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5D,iBAAiB,EAAE,CAAC;SACjB,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,yBAAyB,CAAC;IAErC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CACzC,CAAC,CAAA;AAIF,IAAI,IAAI,GAAkB,IAAI,CAAA;AAE9B,MAAM,UAAU,GAAG;IACjB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;YACrF,MAAM,IAAI,KAAK,CAAC,CAAC,yBAAyB,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QACnE,CAAC;QACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IAC7E,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAE7D,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IACrF,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,yCAAyC,CAAC;IAEzF,qCAAqC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5D,iBAAiB,EAAE,CAAC;SACjB,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,yBAAyB,CAAC;IAErC;;;;;;;;OAQG;IACH,gBAAgB,EAAE,CAAC;SAChB,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,uBAAuB,CAAC;IAEnC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CACzC,CAAC,CAAA;AAIF,IAAI,IAAI,GAAkB,IAAI,CAAA;AAE9B,MAAM,UAAU,GAAG;IACjB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;YACrF,MAAM,IAAI,KAAK,CAAC,CAAC,yBAAyB,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QACnE,CAAC;QACD,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/server.js

@@ -32,9 +32,33 @@ import { env } from './env.js';
 import { logger } from './logger.js';
 import { initTelemetry } from './telemetry.js';
 import { extractKey } from './auth.js';
+import { getConfig } from './config.js';
 import { keyHashShort } from './sdkCache.js';
 import { callTool, listToolsForScope } from './registry.js';
 import { registerAllTools } from './tools/index.js';
+let _oauthModule = null;
+async function loadOAuthModule() {
+    if (_oauthModule === 'unavailable')
+        return null;
+    if (_oauthModule)
+        return _oauthModule;
+    try {
+        _oauthModule = await import('@baref00t/mcp-oauth');
+        _oauthModule.initOAuthConfig({
+            issuer: env().MCP_OAUTH_ISSUER,
+            kvName: env().KV_NAME ?? null,
+            entraClientId: process.env['AZURE_AD_CLIENT_ID'],
+            entraClientSecret: process.env['AZURE_AD_CLIENT_SECRET'],
+            entraTenantId: process.env['BAREF00T_ENTRA_TENANT_ID'] ?? 'common',
+        });
+        return _oauthModule;
+    }
+    catch (err) {
+        logger().info({ err: err instanceof Error ? err.message : String(err) }, '@baref00t/mcp-oauth not available — OAuth disabled (header-key auth only)');
+        _oauthModule = 'unavailable';
+        return null;
+    }
+}
 const SDK_NAME = 'baref00t-mcp-server';
 /**
  * Read version dynamically from this package's package.json so the
@@ -104,6 +128,32 @@ async function handleRequest(req, res) {
         res.end(JSON.stringify({ status: ok ? 'ready' : 'not_ready', tools: allTools().length }));
         return;
     }
+    // ── OAuth 2.1 (hosted-only, gated on MCPOAuthEnabled feature flag) ────────
+    // Delegates the entire OAuth surface to @baref00t/mcp-oauth. That package
+    // is private and only resolved at the hosted deployment via workspace link
+    // — self-hosters never load it, the dynamic import returns null, the
+    // routes return 404 / fall through.
+    const isOAuthPath = url.pathname.startsWith('/.well-known/oauth-') ||
+        url.pathname === '/.well-known/jwks.json' ||
+        url.pathname.startsWith('/oauth/');
+    if (isOAuthPath) {
+        const config = await getConfig();
+        if (config.featureFlags['MCPOAuthEnabled'] !== true) {
+            res.writeHead(404, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: { code: 'NOT_FOUND', message: 'OAuth not enabled' } }));
+            return;
+        }
+        const oauth = await loadOAuthModule();
+        if (!oauth) {
+            res.writeHead(503, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: { code: 'OAUTH_UNAVAILABLE', message: '@baref00t/mcp-oauth not installed' } }));
+            return;
+        }
+        const handled = await oauth.handleOAuthRequest(req, res, url);
+        if (handled)
+            return;
+        // The OAuth module didn't recognise it — fall through to 404 below.
+    }
     if (url.pathname !== '/mcp') {
         res.writeHead(404, { 'Content-Type': 'application/json' });
         res.end(JSON.stringify({ error: { code: 'NOT_FOUND', message: 'POST /mcp' } }));

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAA;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAA;AAClE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAA;AAClG,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AACtC,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAEnD,MAAM,QAAQ,GAAG,qBAAqB,CAAA;AACtC;;;;;;;;;;GAUG;AACH,SAAS,cAAc;IACrB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAyB,CAAA;QAC7E,OAAO,GAAG,CAAC,OAAO,IAAI,eAAe,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,eAAe,CAAA;IACxB,CAAC;AACH,CAAC;AACD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAA;AAEpC,KAAK,UAAU,IAAI;IACjB,MAAM,CAAC,GAAG,GAAG,EAAE,CAAA;IACf,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IAEpB,MAAM,aAAa,EAAE,CAAA;IACrB,gBAAgB,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,CAAA;IAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE;QACzB,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,sBAAsB,CAAC,CAAA;IACxE,CAAC,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAG,CAAC,MAAc,EAAE,EAAE;QAClC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,+BAA+B,CAAC,CAAA;QACrD,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;QACnC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,CAAA;IACnD,CAAC,CAAA;IACD,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAA;IAChD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChD,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAoB,EAAE,GAAmB;IACpE,MAAM,SAAS,GAAG,UAAU,EAAE,CAAA;IAC9B,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IAExC,uEAAuE;IACvE,2CAA2C;IAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACjB,6BAA6B,EAAE,GAAG;YAClC,8BAA8B,EAAE,oBAAoB;YACpD,8BAA8B,EAC5B,+EAA+E;YACjF,wBAAwB,EAAE,OAAO;SAClC,CAAC,CAAA;QACF,GAAG,CAAC,GAAG,EAAE,CAAA;QACT,OAAM;IACR,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAA;IAEhF,IAAI,GAAG,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QAChC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,CAAA;QAClF,OAAM;IACR,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC/B,8EAA8E;QAC9E,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAA;QAClD,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC,MAAM,GAAG,CAAC,CAAA;QAChC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QACrE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;QACzF,OAAM;IACR,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC5B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,CAAA;QAC/E,OAAM;IACR,CAAC;IAED,wBAAwB;IACxB,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAA;IACjC,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;QACpB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QACjE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;QACjC,OAAM;IACR,CAAC;IAED,uEAAuE;IACvE,MAAM,GAAG,GAAG,IAAI,MAAM,CACpB,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,EACxC,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAA;IAED,8DAA8D;IAC9D,GAAG,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAChD,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,GAAG,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QACxD,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,CAAA;QACpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;YACvE,OAAO;gBACL,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;iBACxD;aACF,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aAC3C,CAAA;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,sEAAsE;IACtE,mEAAmE;IACnE,mEAAmE;IACnE,wEAAwE;IACxE,mEAAmE;IACnE,yDAAyD;IACzD,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;QAClD,kBAAkB,EAAE,SAAS;QAC7B,kBAAkB,EAAE,IAAI;KACzB,CAAC,CAAA;IACF,MAAM,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;IAE5B,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IAEvC,MAAM,EAAE,CAAC,KAAK,CACZ;QACE,SAAS;QACT,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC;KAClC,EACD,qBAAqB,CACtB,CAAA;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAA;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAA;AAClE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAA;AAClG,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAYnD,IAAI,YAAY,GAAuC,IAAI,CAAA;AAE3D,KAAK,UAAU,eAAe;IAC5B,IAAI,YAAY,KAAK,aAAa;QAAE,OAAO,IAAI,CAAA;IAC/C,IAAI,YAAY;QAAE,OAAO,YAAY,CAAA;IACrC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;QAClD,YAAY,CAAC,eAAe,CAAC;YAC3B,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB;YAC9B,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,IAAI,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;YAChD,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YACxD,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,QAAQ;SACnE,CAAC,CAAA;QACF,OAAO,YAAY,CAAA;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,EAAE,CAAC,IAAI,CACX,EAAE,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzD,2EAA2E,CAC5E,CAAA;QACD,YAAY,GAAG,aAAa,CAAA;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,MAAM,QAAQ,GAAG,qBAAqB,CAAA;AACtC;;;;;;;;;;GAUG;AACH,SAAS,cAAc;IACrB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAyB,CAAA;QAC7E,OAAO,GAAG,CAAC,OAAO,IAAI,eAAe,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,eAAe,CAAA;IACxB,CAAC;AACH,CAAC;AACD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAA;AAEpC,KAAK,UAAU,IAAI;IACjB,MAAM,CAAC,GAAG,GAAG,EAAE,CAAA;IACf,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IAEpB,MAAM,aAAa,EAAE,CAAA;IACrB,gBAAgB,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,CAAA;IAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE;QACzB,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,sBAAsB,CAAC,CAAA;IACxE,CAAC,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAG,CAAC,MAAc,EAAE,EAAE;QAClC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,+BAA+B,CAAC,CAAA;QACrD,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;QACnC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,CAAA;IACnD,CAAC,CAAA;IACD,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAA;IAChD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChD,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAoB,EAAE,GAAmB;IACpE,MAAM,SAAS,GAAG,UAAU,EAAE,CAAA;IAC9B,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IAExC,uEAAuE;IACvE,2CAA2C;IAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACjB,6BAA6B,EAAE,GAAG;YAClC,8BAA8B,EAAE,oBAAoB;YACpD,8BAA8B,EAC5B,+EAA+E;YACjF,wBAAwB,EAAE,OAAO;SAClC,CAAC,CAAA;QACF,GAAG,CAAC,GAAG,EAAE,CAAA;QACT,OAAM;IACR,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAA;IAEhF,IAAI,GAAG,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QAChC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,CAAA;QAClF,OAAM;IACR,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC/B,8EAA8E;QAC9E,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAA;QAClD,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC,MAAM,GAAG,CAAC,CAAA;QAChC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QACrE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;QACzF,OAAM;IACR,CAAC;IAED,6EAA6E;IAC7E,0EAA0E;IAC1E,2EAA2E;IAC3E,qEAAqE;IACrE,oCAAoC;IACpC,MAAM,WAAW,GACf,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,qBAAqB,CAAC;QAC9C,GAAG,CAAC,QAAQ,KAAK,wBAAwB;QACzC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,CAAA;IACpC,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;QAChC,IAAI,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC;YACpD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;YAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,mBAAmB,EAAE,EAAE,CAAC,CAAC,CAAA;YACvF,OAAM;QACR,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,eAAe,EAAE,CAAA;QACrC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;YAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,mCAAmC,EAAE,EAAE,CAAC,CAAC,CAAA;YAC/G,OAAM;QACR,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAC7D,IAAI,OAAO;YAAE,OAAM;QACnB,oEAAoE;IACtE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC5B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,CAAA;QAC/E,OAAM;IACR,CAAC;IAED,wBAAwB;IACxB,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAA;IACjC,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;QACpB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;QACjE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;QACjC,OAAM;IACR,CAAC;IAED,uEAAuE;IACvE,MAAM,GAAG,GAAG,IAAI,MAAM,CACpB,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,EACxC,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAA;IAED,8DAA8D;IAC9D,GAAG,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAChD,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,GAAG,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QACxD,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,CAAA;QACpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;YACvE,OAAO;gBACL,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;iBACxD;aACF,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;aAC3C,CAAA;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,sEAAsE;IACtE,mEAAmE;IACnE,mEAAmE;IACnE,wEAAwE;IACxE,mEAAmE;IACnE,yDAAyD;IACzD,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;QAClD,kBAAkB,EAAE,SAAS;QAC7B,kBAAkB,EAAE,IAAI;KACzB,CAAC,CAAA;IACF,MAAM,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;IAE5B,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IAEvC,MAAM,EAAE,CAAC,KAAK,CACZ;QACE,SAAS;QACT,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC;KAClC,EACD,qBAAqB,CACtB,CAAA;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}

package/dist/tools/index.d.ts

@@ -5,4 +5,27 @@
  * Called once from server.ts at startup.
  */
 export declare function registerAllTools(): void;
+/**
+ * Docs grouping. Source of truth for `scripts/gen-mcp-docs.mjs` — every
+ * tool name registered above must appear in exactly one bucket here, and
+ * vice-versa, or the generator throws (see drift check). When adding a
+ * tool, add the registerTool() call above AND its name to a category
+ * here; the docs page picks up both via `pnpm docs:gen-mcp`.
+ */
+export declare const TOOL_CATEGORIES: {
+    readonly Customers: readonly ["partner_list_customers", "partner_get_customer", "partner_create_customer", "partner_update_customer", "partner_delete_customer", "partner_bulk_create_customers"];
+    readonly Consent: readonly ["partner_get_consent_url", "partner_send_consent_email"];
+    readonly Assessments: readonly ["partner_list_assessments", "partner_get_assessment", "partner_get_assessment_report", "partner_trigger_assessment", "partner_get_assessment_status"];
+    readonly 'Plan & Billing': readonly ["partner_get_plan_billing", "partner_get_billing", "partner_get_payment_portal_url"];
+    readonly Branding: readonly ["partner_get_branding", "partner_update_branding"];
+    readonly Members: readonly ["partner_list_members", "partner_invite_member", "partner_update_member", "partner_remove_member", "partner_resend_invite"];
+    readonly Webhooks: readonly ["partner_list_webhooks", "partner_create_webhook", "partner_update_webhook", "partner_delete_webhook", "partner_test_webhook", "partner_list_webhook_deliveries"];
+    readonly Mail: readonly ["partner_mail_status", "partner_mail_set_mode", "partner_mail_disconnect", "partner_mail_send_test", "partner_mail_set_shared_mailbox", "partner_mail_start_connect"];
+    readonly 'API Keys': readonly ["partner_list_keys", "partner_create_key", "partner_revoke_key"];
+    readonly 'Pipeline / Leads': readonly ["partner_list_leads", "partner_get_lead", "partner_create_lead", "partner_bulk_create_leads", "partner_update_lead", "partner_delete_lead", "partner_enrich_lead", "partner_set_lead_stage", "partner_list_lead_activity", "partner_send_lead_consent"];
+    readonly Distributor: readonly ["distributor_list_partners", "distributor_get_usage"];
+};
+export declare const CATEGORY_ORDER: ReadonlyArray<keyof typeof TOOL_CATEGORIES>;
+/** Optional MDX prose rendered between the category heading and its table. */
+export declare const CATEGORY_NOTES: Partial<Record<keyof typeof TOOL_CATEGORIES, string>>;
 //# sourceMappingURL=index.d.ts.map

package/dist/tools/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAqEH,wBAAgB,gBAAgB,IAAI,IAAI,CAoEvC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAwEH,wBAAgB,gBAAgB,IAAI,IAAI,CAuEvC;AAED;;;;;;GAMG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;CAyElB,CAAA;AAEV,eAAO,MAAM,cAAc,EAAE,aAAa,CAAC,MAAM,OAAO,eAAe,CAYtE,CAAA;AAED,8EAA8E;AAC9E,eAAO,MAAM,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,OAAO,eAAe,EAAE,MAAM,CAAC,CAGhF,CAAA"}

package/dist/tools/index.js

@@ -8,6 +8,9 @@ import { registerTool } from '../registry.js';
 import partnerListCustomers from './partner/listCustomers.js';
 import partnerGetCustomer from './partner/getCustomer.js';
 import partnerCreateCustomer from './partner/createCustomer.js';
+import partnerUpdateCustomer from './partner/updateCustomer.js';
+import partnerDeleteCustomer from './partner/deleteCustomer.js';
+import partnerBulkCreateCustomers from './partner/bulkCreateCustomers.js';
 import partnerGetConsentUrl from './partner/getConsentUrl.js';
 import partnerSendConsentEmail from './partner/sendConsentEmail.js';
 import partnerListAssessments from './partner/listAssessments.js';
@@ -64,10 +67,13 @@ export function registerAllTools() {
     if (_registered)
         return;
     _registered = true;
-    // Partner (11)
+    // Partner (14)
     registerTool(partnerListCustomers);
     registerTool(partnerGetCustomer);
     registerTool(partnerCreateCustomer);
+    registerTool(partnerUpdateCustomer);
+    registerTool(partnerDeleteCustomer);
+    registerTool(partnerBulkCreateCustomers);
     registerTool(partnerGetConsentUrl);
     registerTool(partnerSendConsentEmail);
     registerTool(partnerListAssessments);
@@ -121,4 +127,102 @@ export function registerAllTools() {
     registerTool(distributorListPartners);
     registerTool(distributorGetUsage);
 }
+/**
+ * Docs grouping. Source of truth for `scripts/gen-mcp-docs.mjs` — every
+ * tool name registered above must appear in exactly one bucket here, and
+ * vice-versa, or the generator throws (see drift check). When adding a
+ * tool, add the registerTool() call above AND its name to a category
+ * here; the docs page picks up both via `pnpm docs:gen-mcp`.
+ */
+export const TOOL_CATEGORIES = {
+    Customers: [
+        'partner_list_customers',
+        'partner_get_customer',
+        'partner_create_customer',
+        'partner_update_customer',
+        'partner_delete_customer',
+        'partner_bulk_create_customers',
+    ],
+    Consent: [
+        'partner_get_consent_url',
+        'partner_send_consent_email',
+    ],
+    Assessments: [
+        'partner_list_assessments',
+        'partner_get_assessment',
+        'partner_get_assessment_report',
+        'partner_trigger_assessment',
+        'partner_get_assessment_status',
+    ],
+    'Plan & Billing': [
+        'partner_get_plan_billing',
+        'partner_get_billing',
+        'partner_get_payment_portal_url',
+    ],
+    Branding: [
+        'partner_get_branding',
+        'partner_update_branding',
+    ],
+    Members: [
+        'partner_list_members',
+        'partner_invite_member',
+        'partner_update_member',
+        'partner_remove_member',
+        'partner_resend_invite',
+    ],
+    Webhooks: [
+        'partner_list_webhooks',
+        'partner_create_webhook',
+        'partner_update_webhook',
+        'partner_delete_webhook',
+        'partner_test_webhook',
+        'partner_list_webhook_deliveries',
+    ],
+    Mail: [
+        'partner_mail_status',
+        'partner_mail_set_mode',
+        'partner_mail_disconnect',
+        'partner_mail_send_test',
+        'partner_mail_set_shared_mailbox',
+        'partner_mail_start_connect',
+    ],
+    'API Keys': [
+        'partner_list_keys',
+        'partner_create_key',
+        'partner_revoke_key',
+    ],
+    'Pipeline / Leads': [
+        'partner_list_leads',
+        'partner_get_lead',
+        'partner_create_lead',
+        'partner_bulk_create_leads',
+        'partner_update_lead',
+        'partner_delete_lead',
+        'partner_enrich_lead',
+        'partner_set_lead_stage',
+        'partner_list_lead_activity',
+        'partner_send_lead_consent',
+    ],
+    Distributor: [
+        'distributor_list_partners',
+        'distributor_get_usage',
+    ],
+};
+export const CATEGORY_ORDER = [
+    'Customers',
+    'Consent',
+    'Assessments',
+    'Plan & Billing',
+    'Branding',
+    'Members',
+    'Webhooks',
+    'Mail',
+    'API Keys',
+    'Pipeline / Leads',
+    'Distributor',
+];
+/** Optional MDX prose rendered between the category heading and its table. */
+export const CATEGORY_NOTES = {
+    'Pipeline / Leads': 'Requires the partner record to have `prospecting` in `enabledFeatures` (admin-granted only — no plan tier auto-includes it).',
+};
 //# sourceMappingURL=index.js.map

package/dist/tools/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAE7C,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAC/D,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AACnE,OAAO,sBAAsB,MAAM,8BAA8B,CAAA;AACjE,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,0BAA0B,MAAM,kCAAkC,CAAA;AACzE,OAAO,wBAAwB,MAAM,gCAAgC,CAAA;AACrE,OAAO,0BAA0B,MAAM,kCAAkC,CAAA;AACzE,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAE/D,sBAAsB;AACtB,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAE/D,qBAAqB;AACrB,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,mBAAmB,MAAM,iCAAiC,CAAA;AAEjE,qBAAqB;AACrB,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,0BAA0B,MAAM,kCAAkC,CAAA;AAEzE,sBAAsB;AACtB,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,4BAA4B,MAAM,oCAAoC,CAAA;AAE7E,kBAAkB;AAClB,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAC/D,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,2BAA2B,MAAM,mCAAmC,CAAA;AAC3E,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AAEnE,kBAAkB;AAClB,OAAO,eAAe,MAAM,uBAAuB,CAAA;AACnD,OAAO,gBAAgB,MAAM,wBAAwB,CAAA;AACrD,OAAO,gBAAgB,MAAM,wBAAwB,CAAA;AAErD,oCAAoC;AACpC,OAAO,gBAAgB,MAAM,wBAAwB,CAAA;AACrD,OAAO,cAAc,MAAM,sBAAsB,CAAA;AACjD,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,sBAAsB,MAAM,8BAA8B,CAAA;AACjE,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AACnE,OAAO,sBAAsB,MAAM,8BAA8B,CAAA;AAEjE,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AACnE,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAE3D,IAAI,WAAW,GAAG,KAAK,CAAA;AAEvB,MAAM,UAAU,gBAAgB;IAC9B,IAAI,WAAW;QAAE,OAAM;IACvB,WAAW,GAAG,IAAI,CAAA;IAElB,eAAe;IACf,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IACnC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,uBAAuB,CAAC,CAAA;IACrC,YAAY,CAAC,sBAAsB,CAAC,CAAA;IACpC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,0BAA0B,CAAC,CAAA;IACxC,YAAY,CAAC,wBAAwB,CAAC,CAAA;IACtC,YAAY,CAAC,0BAA0B,CAAC,CAAA;IACxC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IAEnC,yBAAyB;IACzB,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IAEnC,wBAAwB;IACxB,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IAEjC,wBAAwB;IACxB,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,0BAA0B,CAAC,CAAA;IAExC,yBAAyB;IACzB,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,4BAA4B,CAAC,CAAA;IAE1C,qBAAqB;IACrB,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IACnC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,2BAA2B,CAAC,CAAA;IACzC,YAAY,CAAC,uBAAuB,CAAC,CAAA;IAErC,qBAAqB;IACrB,YAAY,CAAC,eAAe,CAAC,CAAA;IAC7B,YAAY,CAAC,gBAAgB,CAAC,CAAA;IAC9B,YAAY,CAAC,gBAAgB,CAAC,CAAA;IAE9B,kCAAkC;IAClC,YAAY,CAAC,gBAAgB,CAAC,CAAA;IAC9B,YAAY,CAAC,cAAc,CAAC,CAAA;IAC5B,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,sBAAsB,CAAC,CAAA;IACpC,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,uBAAuB,CAAC,CAAA;IACrC,YAAY,CAAC,sBAAsB,CAAC,CAAA;IAEpC,kBAAkB;IAClB,YAAY,CAAC,uBAAuB,CAAC,CAAA;IACrC,YAAY,CAAC,mBAAmB,CAAC,CAAA;AACnC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAE7C,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAC/D,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAC/D,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAC/D,OAAO,0BAA0B,MAAM,kCAAkC,CAAA;AACzE,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AACnE,OAAO,sBAAsB,MAAM,8BAA8B,CAAA;AACjE,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,0BAA0B,MAAM,kCAAkC,CAAA;AACzE,OAAO,wBAAwB,MAAM,gCAAgC,CAAA;AACrE,OAAO,0BAA0B,MAAM,kCAAkC,CAAA;AACzE,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAE/D,sBAAsB;AACtB,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAE/D,qBAAqB;AACrB,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,mBAAmB,MAAM,iCAAiC,CAAA;AAEjE,qBAAqB;AACrB,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,0BAA0B,MAAM,kCAAkC,CAAA;AAEzE,sBAAsB;AACtB,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,oBAAoB,MAAM,4BAA4B,CAAA;AAC7D,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,4BAA4B,MAAM,oCAAoC,CAAA;AAE7E,kBAAkB;AAClB,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,kBAAkB,MAAM,0BAA0B,CAAA;AACzD,OAAO,qBAAqB,MAAM,6BAA6B,CAAA;AAC/D,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,2BAA2B,MAAM,mCAAmC,CAAA;AAC3E,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AAEnE,kBAAkB;AAClB,OAAO,eAAe,MAAM,uBAAuB,CAAA;AACnD,OAAO,gBAAgB,MAAM,wBAAwB,CAAA;AACrD,OAAO,gBAAgB,MAAM,wBAAwB,CAAA;AAErD,oCAAoC;AACpC,OAAO,gBAAgB,MAAM,wBAAwB,CAAA;AACrD,OAAO,cAAc,MAAM,sBAAsB,CAAA;AACjD,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,sBAAsB,MAAM,8BAA8B,CAAA;AACjE,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,iBAAiB,MAAM,yBAAyB,CAAA;AACvD,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAC3D,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AACnE,OAAO,sBAAsB,MAAM,8BAA8B,CAAA;AAEjE,OAAO,uBAAuB,MAAM,+BAA+B,CAAA;AACnE,OAAO,mBAAmB,MAAM,2BAA2B,CAAA;AAE3D,IAAI,WAAW,GAAG,KAAK,CAAA;AAEvB,MAAM,UAAU,gBAAgB;IAC9B,IAAI,WAAW;QAAE,OAAM;IACvB,WAAW,GAAG,IAAI,CAAA;IAElB,eAAe;IACf,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IACnC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IACnC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IACnC,YAAY,CAAC,0BAA0B,CAAC,CAAA;IACxC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,uBAAuB,CAAC,CAAA;IACrC,YAAY,CAAC,sBAAsB,CAAC,CAAA;IACpC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,0BAA0B,CAAC,CAAA;IACxC,YAAY,CAAC,wBAAwB,CAAC,CAAA;IACtC,YAAY,CAAC,0BAA0B,CAAC,CAAA;IACxC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IAEnC,yBAAyB;IACzB,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IAEnC,wBAAwB;IACxB,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IAEjC,wBAAwB;IACxB,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,0BAA0B,CAAC,CAAA;IAExC,yBAAyB;IACzB,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,oBAAoB,CAAC,CAAA;IAClC,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,4BAA4B,CAAC,CAAA;IAE1C,qBAAqB;IACrB,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAChC,YAAY,CAAC,qBAAqB,CAAC,CAAA;IACnC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,2BAA2B,CAAC,CAAA;IACzC,YAAY,CAAC,uBAAuB,CAAC,CAAA;IAErC,qBAAqB;IACrB,YAAY,CAAC,eAAe,CAAC,CAAA;IAC7B,YAAY,CAAC,gBAAgB,CAAC,CAAA;IAC9B,YAAY,CAAC,gBAAgB,CAAC,CAAA;IAE9B,kCAAkC;IAClC,YAAY,CAAC,gBAAgB,CAAC,CAAA;IAC9B,YAAY,CAAC,cAAc,CAAC,CAAA;IAC5B,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,sBAAsB,CAAC,CAAA;IACpC,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,iBAAiB,CAAC,CAAA;IAC/B,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACjC,YAAY,CAAC,uBAAuB,CAAC,CAAA;IACrC,YAAY,CAAC,sBAAsB,CAAC,CAAA;IAEpC,kBAAkB;IAClB,YAAY,CAAC,uBAAuB,CAAC,CAAA;IACrC,YAAY,CAAC,mBAAmB,CAAC,CAAA;AACnC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,SAAS,EAAE;QACT,wBAAwB;QACxB,sBAAsB;QACtB,yBAAyB;QACzB,yBAAyB;QACzB,yBAAyB;QACzB,+BAA+B;KAChC;IACD,OAAO,EAAE;QACP,yBAAyB;QACzB,4BAA4B;KAC7B;IACD,WAAW,EAAE;QACX,0BAA0B;QAC1B,wBAAwB;QACxB,+BAA+B;QAC/B,4BAA4B;QAC5B,+BAA+B;KAChC;IACD,gBAAgB,EAAE;QAChB,0BAA0B;QAC1B,qBAAqB;QACrB,gCAAgC;KACjC;IACD,QAAQ,EAAE;QACR,sBAAsB;QACtB,yBAAyB;KAC1B;IACD,OAAO,EAAE;QACP,sBAAsB;QACtB,uBAAuB;QACvB,uBAAuB;QACvB,uBAAuB;QACvB,uBAAuB;KACxB;IACD,QAAQ,EAAE;QACR,uBAAuB;QACvB,wBAAwB;QACxB,wBAAwB;QACxB,wBAAwB;QACxB,sBAAsB;QACtB,iCAAiC;KAClC;IACD,IAAI,EAAE;QACJ,qBAAqB;QACrB,uBAAuB;QACvB,yBAAyB;QACzB,wBAAwB;QACxB,iCAAiC;QACjC,4BAA4B;KAC7B;IACD,UAAU,EAAE;QACV,mBAAmB;QACnB,oBAAoB;QACpB,oBAAoB;KACrB;IACD,kBAAkB,EAAE;QAClB,oBAAoB;QACpB,kBAAkB;QAClB,qBAAqB;QACrB,2BAA2B;QAC3B,qBAAqB;QACrB,qBAAqB;QACrB,qBAAqB;QACrB,wBAAwB;QACxB,4BAA4B;QAC5B,2BAA2B;KAC5B;IACD,WAAW,EAAE;QACX,2BAA2B;QAC3B,uBAAuB;KACxB;CACO,CAAA;AAEV,MAAM,CAAC,MAAM,cAAc,GAAgD;IACzE,WAAW;IACX,SAAS;IACT,aAAa;IACb,gBAAgB;IAChB,UAAU;IACV,SAAS;IACT,UAAU;IACV,MAAM;IACN,UAAU;IACV,kBAAkB;IAClB,aAAa;CACd,CAAA;AAED,8EAA8E;AAC9E,MAAM,CAAC,MAAM,cAAc,GAA0D;IACnF,kBAAkB,EAChB,8HAA8H;CACjI,CAAA"}

package/dist/tools/partner/bulkCreateCustomers.d.ts

@@ -0,0 +1,84 @@
+import { z } from 'zod';
+import type { Tool } from '../../registry.js';
+declare const inputSchema: z.ZodObject<{
+    customers: z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        tenantId: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        receivers: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodObject<{
+            email: z.ZodString;
+            role: z.ZodOptional<z.ZodString>;
+        }, "strict", z.ZodTypeAny, {
+            email: string;
+            role?: string | undefined;
+        }, {
+            email: string;
+            role?: string | undefined;
+        }>]>, "many">>;
+        questionnaireRecipients: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodObject<{
+            email: z.ZodString;
+            role: z.ZodOptional<z.ZodString>;
+        }, "strict", z.ZodTypeAny, {
+            email: string;
+            role?: string | undefined;
+        }, {
+            email: string;
+            role?: string | undefined;
+        }>]>, "many">>;
+    }, "strict", z.ZodTypeAny, {
+        name: string;
+        tenantId: string;
+        email?: string | undefined;
+        receivers?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+        questionnaireRecipients?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+    }, {
+        name: string;
+        tenantId: string;
+        email?: string | undefined;
+        receivers?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+        questionnaireRecipients?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+    }>, "many">;
+}, "strict", z.ZodTypeAny, {
+    customers: {
+        name: string;
+        tenantId: string;
+        email?: string | undefined;
+        receivers?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+        questionnaireRecipients?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+    }[];
+}, {
+    customers: {
+        name: string;
+        tenantId: string;
+        email?: string | undefined;
+        receivers?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+        questionnaireRecipients?: (string | {
+            email: string;
+            role?: string | undefined;
+        })[] | undefined;
+    }[];
+}>;
+declare const tool: Tool<typeof inputSchema>;
+export default tool;
+//# sourceMappingURL=bulkCreateCustomers.d.ts.map

package/dist/tools/partner/bulkCreateCustomers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bulkCreateCustomers.d.ts","sourceRoot":"","sources":["../../../src/tools/partner/bulkCreateCustomers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAoB7C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQN,CAAA;AAEX,QAAA,MAAM,IAAI,EAAE,IAAI,CAAC,OAAO,WAAW,CAalC,CAAA;AAED,eAAe,IAAI,CAAA"}

package/dist/tools/partner/bulkCreateCustomers.js

@@ -0,0 +1,42 @@
+import { z } from 'zod';
+import { getPartnerClient } from '../../sdkCache.js';
+const receiverSchema = z.union([
+    z.string().email(),
+    z.object({ email: z.string().email(), role: z.string().optional() }).strict(),
+]);
+const customerEntrySchema = z
+    .object({
+    name: z.string().min(1).max(120),
+    tenantId: z
+        .string()
+        .regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i)
+        .describe('Microsoft Entra tenant id (GUID).'),
+    email: z.string().email().optional(),
+    receivers: z.array(receiverSchema).optional(),
+    questionnaireRecipients: z.array(receiverSchema).optional(),
+})
+    .strict();
+const inputSchema = z
+    .object({
+    customers: z
+        .array(customerEntrySchema)
+        .min(1)
+        .max(100)
+        .describe('Up to 100 customers per request.'),
+})
+    .strict();
+const tool = {
+    name: 'partner_bulk_create_customers',
+    scope: 'partner',
+    description: 'Bulk-create up to 100 customers in one request. Per-row failures do NOT fail the whole call — ' +
+        'inspect `results[]` for the per-customer outcome (status: "created" | "error", with customerId ' +
+        'or error string). Returns total / succeeded / failed counts plus the per-row results array. ' +
+        'Use partner_create_customer for one-offs; this is for onboarding spreadsheets / CSV imports.',
+    schema: inputSchema,
+    async handler(input, ctx) {
+        const client = getPartnerClient(ctx.auth.apiKey);
+        return client.customers.bulkCreate(input);
+    },
+};
+export default tool;
+//# sourceMappingURL=bulkCreateCustomers.js.map

package/dist/tools/partner/bulkCreateCustomers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bulkCreateCustomers.js","sourceRoot":"","sources":["../../../src/tools/partner/bulkCreateCustomers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAA;AAGpD,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC;IAC7B,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAClB,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;CAC9E,CAAC,CAAA;AAEF,MAAM,mBAAmB,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,KAAK,CAAC,iEAAiE,CAAC;SACxE,QAAQ,CAAC,mCAAmC,CAAC;IAChD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;IACpC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;IAC7C,uBAAuB,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;CAC5D,CAAC;KACD,MAAM,EAAE,CAAA;AAEX,MAAM,WAAW,GAAG,CAAC;KAClB,MAAM,CAAC;IACN,SAAS,EAAE,CAAC;SACT,KAAK,CAAC,mBAAmB,CAAC;SAC1B,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,GAAG,CAAC;SACR,QAAQ,CAAC,kCAAkC,CAAC;CAChD,CAAC;KACD,MAAM,EAAE,CAAA;AAEX,MAAM,IAAI,GAA6B;IACrC,IAAI,EAAE,+BAA+B;IACrC,KAAK,EAAE,SAAS;IAChB,WAAW,EACT,gGAAgG;QAChG,iGAAiG;QACjG,8FAA8F;QAC9F,8FAA8F;IAChG,MAAM,EAAE,WAAW;IACnB,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG;QACtB,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAChD,OAAO,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;IAC3C,CAAC;CACF,CAAA;AAED,eAAe,IAAI,CAAA"}

package/dist/tools/partner/deleteCustomer.d.ts

@@ -0,0 +1,12 @@
+import { z } from 'zod';
+import type { Tool } from '../../registry.js';
+declare const inputSchema: z.ZodObject<{
+    customerId: z.ZodString;
+}, "strict", z.ZodTypeAny, {
+    customerId: string;
+}, {
+    customerId: string;
+}>;
+declare const tool: Tool<typeof inputSchema>;
+export default tool;
+//# sourceMappingURL=deleteCustomer.d.ts.map

package/dist/tools/partner/deleteCustomer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deleteCustomer.d.ts","sourceRoot":"","sources":["../../../src/tools/partner/deleteCustomer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAE7C,QAAA,MAAM,WAAW;;;;;;EAIN,CAAA;AAEX,QAAA,MAAM,IAAI,EAAE,IAAI,CAAC,OAAO,WAAW,CAclC,CAAA;AAED,eAAe,IAAI,CAAA"}

package/dist/tools/partner/deleteCustomer.js

@@ -0,0 +1,23 @@
+import { z } from 'zod';
+import { getPartnerClient } from '../../sdkCache.js';
+const inputSchema = z
+    .object({
+    customerId: z.string().uuid(),
+})
+    .strict();
+const tool = {
+    name: 'partner_delete_customer',
+    scope: 'partner',
+    description: 'Delete a customer. Idempotent — re-deleting returns 404. Past assessments + reports tied to ' +
+        'the customer remain queryable through partner_list_assessments / partner_get_assessment_report ' +
+        'until their own retention windows expire; only the customer record itself is removed. Granted ' +
+        'consents on the Microsoft Entra tenant are NOT revoked here — the customer admin must remove ' +
+        'the baref00t app from Enterprise Applications separately.',
+    schema: inputSchema,
+    async handler(input, ctx) {
+        const client = getPartnerClient(ctx.auth.apiKey);
+        return client.customers.delete(input.customerId);
+    },
+};
+export default tool;
+//# sourceMappingURL=deleteCustomer.js.map

package/dist/tools/partner/deleteCustomer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deleteCustomer.js","sourceRoot":"","sources":["../../../src/tools/partner/deleteCustomer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAA;AAGpD,MAAM,WAAW,GAAG,CAAC;KAClB,MAAM,CAAC;IACN,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;CAC9B,CAAC;KACD,MAAM,EAAE,CAAA;AAEX,MAAM,IAAI,GAA6B;IACrC,IAAI,EAAE,yBAAyB;IAC/B,KAAK,EAAE,SAAS;IAChB,WAAW,EACT,8FAA8F;QAC9F,iGAAiG;QACjG,gGAAgG;QAChG,+FAA+F;QAC/F,2DAA2D;IAC7D,MAAM,EAAE,WAAW;IACnB,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG;QACtB,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAChD,OAAO,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAClD,CAAC;CACF,CAAA;AAED,eAAe,IAAI,CAAA"}

package/dist/tools/partner/updateCustomer.d.ts

@@ -0,0 +1,129 @@
+import { z } from 'zod';
+import type { Tool } from '../../registry.js';
+declare const inputSchema: z.ZodEffects<z.ZodObject<{
+    customerId: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    email: z.ZodOptional<z.ZodString>;
+    tenantId: z.ZodOptional<z.ZodString>;
+    receivers: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodObject<{
+        email: z.ZodString;
+        role: z.ZodOptional<z.ZodString>;
+    }, "strict", z.ZodTypeAny, {
+        email: string;
+        role?: string | undefined;
+    }, {
+        email: string;
+        role?: string | undefined;
+    }>]>, "many">>;
+    questionnaireRecipients: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodObject<{
+        email: z.ZodString;
+        role: z.ZodOptional<z.ZodString>;
+    }, "strict", z.ZodTypeAny, {
+        email: string;
+        role?: string | undefined;
+    }, {
+        email: string;
+        role?: string | undefined;
+    }>]>, "many">>;
+    consentRecipients: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodObject<{
+        email: z.ZodString;
+        role: z.ZodOptional<z.ZodString>;
+    }, "strict", z.ZodTypeAny, {
+        email: string;
+        role?: string | undefined;
+    }, {
+        email: string;
+        role?: string | undefined;
+    }>]>, "many">>;
+    emailReportsEnabled: z.ZodOptional<z.ZodBoolean>;
+    emailConsentEnabled: z.ZodOptional<z.ZodBoolean>;
+    emailQuestionnaireEnabled: z.ZodOptional<z.ZodBoolean>;
+    status: z.ZodOptional<z.ZodEnum<["active", "archived", "pending"]>>;
+}, "strict", z.ZodTypeAny, {
+    customerId: string;
+    status?: "active" | "archived" | "pending" | undefined;
+    name?: string | undefined;
+    tenantId?: string | undefined;
+    email?: string | undefined;
+    emailReportsEnabled?: boolean | undefined;
+    emailConsentEnabled?: boolean | undefined;
+    emailQuestionnaireEnabled?: boolean | undefined;
+    receivers?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    questionnaireRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    consentRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+}, {
+    customerId: string;
+    status?: "active" | "archived" | "pending" | undefined;
+    name?: string | undefined;
+    tenantId?: string | undefined;
+    email?: string | undefined;
+    emailReportsEnabled?: boolean | undefined;
+    emailConsentEnabled?: boolean | undefined;
+    emailQuestionnaireEnabled?: boolean | undefined;
+    receivers?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    questionnaireRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    consentRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+}>, {
+    customerId: string;
+    status?: "active" | "archived" | "pending" | undefined;
+    name?: string | undefined;
+    tenantId?: string | undefined;
+    email?: string | undefined;
+    emailReportsEnabled?: boolean | undefined;
+    emailConsentEnabled?: boolean | undefined;
+    emailQuestionnaireEnabled?: boolean | undefined;
+    receivers?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    questionnaireRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    consentRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+}, {
+    customerId: string;
+    status?: "active" | "archived" | "pending" | undefined;
+    name?: string | undefined;
+    tenantId?: string | undefined;
+    email?: string | undefined;
+    emailReportsEnabled?: boolean | undefined;
+    emailConsentEnabled?: boolean | undefined;
+    emailQuestionnaireEnabled?: boolean | undefined;
+    receivers?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    questionnaireRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+    consentRecipients?: (string | {
+        email: string;
+        role?: string | undefined;
+    })[] | undefined;
+}>;
+declare const tool: Tool<typeof inputSchema>;
+export default tool;
+//# sourceMappingURL=updateCustomer.d.ts.map

package/dist/tools/partner/updateCustomer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"updateCustomer.d.ts","sourceRoot":"","sources":["../../../src/tools/partner/updateCustomer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AAO7C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwBb,CAAA;AAEJ,QAAA,MAAM,IAAI,EAAE,IAAI,CAAC,OAAO,WAAW,CAalC,CAAA;AAED,eAAe,IAAI,CAAA"}

package/dist/tools/partner/updateCustomer.js

@@ -0,0 +1,46 @@
+import { z } from 'zod';
+import { getPartnerClient } from '../../sdkCache.js';
+const receiverSchema = z.union([
+    z.string().email(),
+    z.object({ email: z.string().email(), role: z.string().optional() }).strict(),
+]);
+const inputSchema = z
+    .object({
+    customerId: z.string().uuid(),
+    name: z.string().min(1).max(120).optional(),
+    email: z.string().email().optional(),
+    tenantId: z
+        .string()
+        .regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i)
+        .optional()
+        .describe('Microsoft Entra tenant id (GUID). Rebinds the customer to a different tenant.'),
+    receivers: z.array(receiverSchema).optional(),
+    questionnaireRecipients: z.array(receiverSchema).optional(),
+    consentRecipients: z.array(receiverSchema).optional(),
+    emailReportsEnabled: z.boolean().optional(),
+    emailConsentEnabled: z.boolean().optional(),
+    emailQuestionnaireEnabled: z.boolean().optional(),
+    status: z
+        .enum(['active', 'archived', 'pending'])
+        .optional()
+        .describe('Customer lifecycle state.'),
+})
+    .strict()
+    .refine((v) => Object.keys(v).length > 1, {
+    message: 'Provide at least one field to update besides customerId',
+});
+const tool = {
+    name: 'partner_update_customer',
+    scope: 'partner',
+    description: 'Update whitelisted fields on an existing customer. Partial — only fields you pass are changed. ' +
+        'Note: changing `tenantId` rebinds the customer to a different Microsoft Entra tenant; existing ' +
+        'consents tied to the old tenant will not transfer.',
+    schema: inputSchema,
+    async handler(input, ctx) {
+        const { customerId, ...updates } = input;
+        const client = getPartnerClient(ctx.auth.apiKey);
+        return client.customers.update(customerId, updates);
+    },
+};
+export default tool;
+//# sourceMappingURL=updateCustomer.js.map

package/dist/tools/partner/updateCustomer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"updateCustomer.js","sourceRoot":"","sources":["../../../src/tools/partner/updateCustomer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAA;AAGpD,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC;IAC7B,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IAClB,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;CAC9E,CAAC,CAAA;AAEF,MAAM,WAAW,GAAG,CAAC;KAClB,MAAM,CAAC;IACN,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC7B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC3C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,KAAK,CAAC,iEAAiE,CAAC;SACxE,QAAQ,EAAE;SACV,QAAQ,CAAC,+EAA+E,CAAC;IAC5F,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;IAC7C,uBAAuB,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;IAC3D,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;IACrD,mBAAmB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC3C,mBAAmB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC3C,yBAAyB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACjD,MAAM,EAAE,CAAC;SACN,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;SACvC,QAAQ,EAAE;SACV,QAAQ,CAAC,2BAA2B,CAAC;CACzC,CAAC;KACD,MAAM,EAAE;KACR,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;IACxC,OAAO,EAAE,yDAAyD;CACnE,CAAC,CAAA;AAEJ,MAAM,IAAI,GAA6B;IACrC,IAAI,EAAE,yBAAyB;IAC/B,KAAK,EAAE,SAAS;IAChB,WAAW,EACT,iGAAiG;QACjG,iGAAiG;QACjG,oDAAoD;IACtD,MAAM,EAAE,WAAW;IACnB,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG;QACtB,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,GAAG,KAAK,CAAA;QACxC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAChD,OAAO,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;IACrD,CAAC;CACF,CAAA;AAED,eAAe,IAAI,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@baref00t/mcp-server",
-  "version": "0.3.1",
+  "version": "0.5.0",
   "description": "Hosted multi-tenant MCP (Model Context Protocol) server for the baref00t Partner + Distributor APIs",
   "license": "Apache-2.0",
   "homepage": "https://github.com/becloudsmart-com/baref00t/tree/main/packages/mcp-server",
@@ -39,6 +39,7 @@
     "@azure/monitor-opentelemetry": "^1.9.0",
     "@baref00t/sdk": "^0.7.0",
     "@modelcontextprotocol/sdk": "1.29.0",
+    "jose": "^5.9.6",
     "lru-cache": "^11.0.2",
     "pino": "^9.5.0",
     "zod": "^3.23.8",
@@ -49,7 +50,17 @@
     "tsx": "^4.19.2",
     "typescript": "^5.6.3",
     "vitest": "^2.1.5",
-    "eslint": "^9.15.0"
+    "eslint": "^9.15.0",
+    "@baref00t/mcp-oauth": "2.0.0-dev"
+  },
+  "//peerDependencies-note": "OAuth is hosted-only. The published @baref00t/mcp-server does not pull @baref00t/mcp-oauth (private package). Self-hosters get header-key auth only. Hosted mcp.baref00t.io resolves it via the monorepo workspace link, dynamic import below succeeds, OAuth lights up.",
+  "peerDependencies": {
+    "@baref00t/mcp-oauth": "*"
+  },
+  "peerDependenciesMeta": {
+    "@baref00t/mcp-oauth": {
+      "optional": true
+    }
   },
   "scripts": {
     "dev": "tsx watch src/server.ts",