npm - @centrali-io/centrali-mcp - Versions diffs - 4.4.4 → 4.4.6 - Mend

@centrali-io/centrali-mcp 4.4.4 → 4.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +146 -14
package/dist/index.js +5 -1
package/dist/tools/auth-providers.d.ts +3 -0
package/dist/tools/auth-providers.js +267 -0
package/dist/tools/compute.d.ts +1 -1
package/dist/tools/compute.js +131 -2
package/dist/tools/describe.js +499 -5
package/dist/tools/orchestrations.js +9 -9
package/dist/tools/pages.js +31 -12
package/dist/tools/service-accounts.d.ts +3 -0
package/dist/tools/service-accounts.js +856 -0
package/package.json +2 -2
package/src/index.ts +5 -1
package/src/tools/auth-providers.ts +290 -0
package/src/tools/compute.ts +142 -2
package/src/tools/describe.ts +521 -5
package/src/tools/orchestrations.ts +9 -9
package/src/tools/pages.ts +27 -9
package/src/tools/service-accounts.ts +1051 -0

package/README.md CHANGED Viewed

@@ -1,8 +1,10 @@
 # @centrali-io/centrali-mcp
-MCP (Model Context Protocol) server for the Centrali platform. Lets AI assistants (Claude, Cursor, etc.) interact with Centrali workspaces — query data, manage records, search, trigger compute functions, and more.
+MCP (Model Context Protocol) server for the Centrali platform. Lets AI assistants (Claude, Cursor, etc.) interact with Centrali workspaces — query data, manage records, search, trigger compute functions, inspect execution results, build orchestrations, and more.
-Built on `@centrali-io/centrali-sdk` v4.2.0. Authenticates via service account client credentials.
+> **Full documentation:** [docs.centrali.io](https://docs.centrali.io) — SDK guide, API reference, compute functions, orchestrations, and more.
+Built on `@centrali-io/centrali-sdk` v4.4.6. Authenticates via service account client credentials.
 ## Setup
@@ -33,30 +35,53 @@ Add to your MCP client configuration (e.g., Claude Desktop, Cursor):
 | `CENTRALI_CLIENT_ID` | Yes | Service account client ID |
 | `CENTRALI_CLIENT_SECRET` | Yes | Service account client secret |
 | `CENTRALI_WORKSPACE` | Yes | Workspace slug to operate in |
-| `CENTRALI_PAGES_URL` | No | Override pages API URL (default: derived as `api.{domain}/pages`) |
+## Getting Started
+After connecting, call `describe_centrali` first — it returns the full capability map, feature matrix, and SDK integration guidance. Then use the specific `describe_*` tools for deeper schema details on any domain.
 ## Available Tools
-### Collections
+### Discovery (call these first)
 | Tool | Description |
 |------|-------------|
-| `list_collections` | List all data collections (schemas) in the workspace |
-| `get_collection` | Get full schema for a collection by record slug |
+| `describe_centrali` | Platform overview, feature matrix, SDK integration guidance, and list of all tools |
+| `describe_collections` | Schema reference for collections (data models, field types, constraints) |
+| `describe_records` | Schema reference for record operations (filters, sorting, pagination, expand) |
+| `describe_search` | Schema reference for full-text search |
+| `describe_compute` | Compute function reference (input contract, secrets, async execution, api object) |
+| `describe_smart_queries` | Smart query reference (parameterized queries, variables) |
+| `describe_orchestrations` | Orchestration reference (multi-step workflows, encrypted params) |
+| `describe_insights` | Anomaly insights reference |
+| `describe_validation` | Data validation reference |
+| `describe_pages` | Pages builder reference |
+| `describe_page_definition` | Page definition schema (blocks, layouts) |
+| `describe_page_blocks` | Available block types for pages |
+| `describe_page_actions` | Page action system reference |
+| `describe_navigation` | Navigation configuration reference |
+| `describe_auth_providers` | Auth provider reference (BYOT setup, claim mappings) |
+| `describe_service_accounts` | Service account & IAM reference (SA setup, roles, groups, permissions) |
-### Structures (Deprecated)
+### Collections
 | Tool | Description |
 |------|-------------|
-| `list_structures` | *Deprecated: use `list_collections`* — List all data structures in the workspace |
-| `get_structure` | *Deprecated: use `get_collection`* — Get full schema for a structure by record slug |
+| `list_collections` | List all data collections (schemas) in the workspace |
+| `get_collection` | Get full schema for a collection by record slug |
+| `create_collection` | Create a new collection with typed properties |
+| `update_collection` | Update an existing collection |
+| `delete_collection` | Delete a collection and all its records |
 ### Records
 | Tool | Description |
 |------|-------------|
 | `query_records` | Query records with filters, sorting, pagination |
 | `get_record` | Get a single record by ID |
+| `get_records_by_ids` | Get multiple records by IDs |
 | `create_record` | Create a new record |
 | `update_record` | Update an existing record |
+| `upsert_record` | Create or update a record |
 | `delete_record` | Soft or hard delete a record |
+| `restore_record` | Restore a soft-deleted record |
 ### Search
 | Tool | Description |
@@ -67,14 +92,69 @@ Add to your MCP client configuration (e.g., Claude Desktop, Cursor):
 | Tool | Description |
 |------|-------------|
 | `list_functions` | List compute functions |
-| `list_triggers` | List function triggers (on-demand, event-driven, scheduled, webhook) |
-| `invoke_trigger` | Invoke an on-demand trigger with optional payload |
+| `get_function` | Get a function by ID (includes code) |
+| `create_function` | Create a new compute function |
+| `update_function` | Update a function (code, name, timeout) |
+| `delete_function` | Delete a compute function |
+| `test_function` | Test execute code without saving |
+| `list_triggers` | List function triggers (on-demand, event-driven, scheduled, http-trigger) |
+| `get_trigger` | Get a trigger by ID |
+| `create_trigger` | Create a new trigger |
+| `update_trigger` | Update a trigger |
+| `delete_trigger` | Delete a trigger |
+| `invoke_trigger` | Invoke an on-demand trigger (returns job ID — async) |
+| `pause_trigger` | Pause a trigger |
+| `resume_trigger` | Resume a paused trigger |
+| `get_function_run` | Get execution result by run ID (status, output, errors) |
+| `list_function_runs` | List runs by trigger or function ID (execution history) |
+| `get_compute_job_status` | Check async job status by job ID (poll after invoke_trigger) |
+| `list_allowed_domains` | List allowed domains for outbound HTTP |
+| `add_allowed_domain` | Add a domain to the allowlist |
+| `remove_allowed_domain` | Remove a domain from the allowlist |
 ### Smart Queries
 | Tool | Description |
 |------|-------------|
-| `list_smart_queries` | List smart queries, optionally filtered by structure |
+| `list_smart_queries` | List smart queries, optionally by collection |
+| `get_smart_query` | Get a smart query by ID |
+| `create_smart_query` | Create a reusable parameterized query |
+| `update_smart_query` | Update a smart query |
+| `delete_smart_query` | Delete a smart query |
 | `execute_smart_query` | Execute a smart query with optional variables |
+| `test_smart_query` | Test a query definition without saving |
+### Orchestrations
+| Tool | Description |
+|------|-------------|
+| `list_orchestrations` | List all orchestrations in the workspace |
+| `get_orchestration` | Get orchestration details including step definitions |
+| `create_orchestration` | Create a multi-step workflow |
+| `update_orchestration` | Update an orchestration (steps, triggers, encrypted params) |
+| `delete_orchestration` | Delete an orchestration and its runs |
+| `activate_orchestration` | Activate an orchestration (enable triggers) |
+| `pause_orchestration` | Pause an orchestration (disable triggers) |
+| `trigger_orchestration` | Trigger a run with optional input data |
+| `list_orchestration_runs` | List runs for an orchestration |
+| `get_orchestration_run` | Get run details (use includeSteps=true for step-by-step debugging) |
+### Insights (Anomaly Detection)
+| Tool | Description |
+|------|-------------|
+| `trigger_anomaly_analysis` | Start an anomaly detection scan |
+| `list_insights` | List anomaly insights |
+| `get_insight` | Get a single insight |
+| `acknowledge_insight` | Mark an insight as reviewed |
+| `dismiss_insight` | Dismiss an insight |
+| `get_insights_summary` | Get insights summary counts |
+### Validation (Data Quality)
+| Tool | Description |
+|------|-------------|
+| `trigger_validation_scan` | Start a data quality scan |
+| `list_validation_suggestions` | List validation suggestions |
+| `accept_validation_suggestion` | Accept a fix (applies to record) |
+| `reject_validation_suggestion` | Reject a suggestion |
+| `get_validation_summary` | Get validation summary counts |
 ### Pages
 | Tool | Description |
@@ -99,14 +179,66 @@ Add to your MCP client configuration (e.g., Claude Desktop, Cursor):
 | `generate_starter_pages` | Generate page proposals from structure IDs |
 | `accept_page_proposal` | Accept a generated proposal and create the page |
+### Service Accounts & IAM
+| Tool | Description |
+|------|-------------|
+| `list_service_accounts` | List all service accounts |
+| `get_service_account` | Get service account details |
+| `create_service_account` | Create a service account (returns clientId + clientSecret) |
+| `update_service_account_name` | Update SA display name |
+| `update_service_account_description` | Update SA description |
+| `delete_service_account` | Permanently delete a service account |
+| `rotate_service_account_secret` | Rotate client secret (old one immediately invalidated) |
+| `revoke_service_account` | Permanently revoke a service account |
+| `generate_dev_token` | Generate a short-lived dev token for testing |
+| `scan_service_account_permissions` | Full access matrix audit (Allow/Deny per resource+action) |
+| `simulate_service_account_permission` | Simulate an authorization check with evaluation trace |
+| `generate_remediation` | Generate options to grant missing permissions (role, group, or new policy) |
+| `preview_remediation` | Preview what changes a remediation option would make |
+| `apply_remediation` | Apply a remediation option to grant access |
+| `list_service_account_roles` | List roles assigned to a SA |
+| `assign_role_to_service_account` | Assign a role to a SA |
+| `remove_role_from_service_account` | Remove a role from a SA |
+| `list_service_account_groups` | List groups a SA belongs to |
+| `add_service_account_to_group` | Add SA to a group |
+| `remove_service_account_from_group` | Remove SA from a group |
+| `list_roles` | List all roles in the workspace |
+| `get_role` | Get role details with permissions |
+| `create_role` | Create a role with permissions |
+| `update_role` | Update a role |
+| `delete_role` | Delete a role |
+| `list_groups` | List all groups |
+| `get_group` | Get group details |
+| `create_group` | Create a group |
+| `update_group` | Update a group |
+| `delete_group` | Delete a group |
+### Publishable Keys (Frontend)
+| Tool | Description |
+|------|-------------|
+| `list_publishable_keys` | List all publishable keys |
+| `get_publishable_key` | Get key details with scopes |
+| `create_publishable_key` | Create a scoped frontend key (pk_live_...) |
+| `update_publishable_key` | Update label or scopes |
+| `revoke_publishable_key` | Revoke a key (immediate, irreversible) |
+### Identity
+| Tool | Description |
+|------|-------------|
+| `get_current_identity` | Get the MCP's own service account ID and details |
+### Structures (Deprecated)
+| Tool | Description |
+|------|-------------|
+| `list_structures` | *Deprecated: use `list_collections`* |
+| `get_structure` | *Deprecated: use `get_collection`* |
 ## Resources
 | URI | Description |
 |-----|-------------|
 | `centrali://collections` | List of all collections with name, slug, description |
 | `centrali://collections/{slug}` | Full schema for a specific collection |
-| `centrali://structures` | *Deprecated: use `centrali://collections`* |
-| `centrali://structures/{slug}` | *Deprecated: use `centrali://collections/{slug}`* |
 ## Development

package/dist/index.js CHANGED Viewed

@@ -23,6 +23,8 @@ const insights_js_1 = require("./tools/insights.js");
 const validation_js_1 = require("./tools/validation.js");
 const pages_js_1 = require("./tools/pages.js");
 const describe_js_1 = require("./tools/describe.js");
+const auth_providers_js_1 = require("./tools/auth-providers.js");
+const service_accounts_js_1 = require("./tools/service-accounts.js");
 const structures_js_2 = require("./resources/structures.js");
 function getRequiredEnv(name) {
     const value = process.env[name];
@@ -53,12 +55,14 @@ function main() {
         (0, structures_js_1.registerStructureTools)(server, sdk);
         (0, records_js_1.registerRecordTools)(server, sdk);
         (0, search_js_1.registerSearchTools)(server, sdk);
-        (0, compute_js_1.registerComputeTools)(server, sdk);
+        (0, compute_js_1.registerComputeTools)(server, sdk, baseUrl, workspaceId);
         (0, smart_queries_js_1.registerSmartQueryTools)(server, sdk);
         (0, orchestrations_js_1.registerOrchestrationTools)(server, sdk);
         (0, insights_js_1.registerInsightTools)(server, sdk);
         (0, validation_js_1.registerValidationTools)(server, sdk);
         (0, pages_js_1.registerPageTools)(server, sdk, baseUrl, workspaceId);
+        (0, auth_providers_js_1.registerAuthProviderTools)(server, sdk, baseUrl, workspaceId);
+        (0, service_accounts_js_1.registerServiceAccountTools)(server, sdk, baseUrl, workspaceId, clientId);
         (0, describe_js_1.registerDescribeTools)(server);
         // Register resources
         (0, structures_js_2.registerCollectionResources)(server, sdk);

package/dist/tools/auth-providers.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CentraliSDK } from "@centrali-io/centrali-sdk";
+export declare function registerAuthProviderTools(server: McpServer, sdk: CentraliSDK, centraliUrl: string, workspaceId: string): void;

package/dist/tools/auth-providers.js ADDED Viewed

@@ -0,0 +1,267 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerAuthProviderTools = registerAuthProviderTools;
+const axios_1 = __importDefault(require("axios"));
+const zod_1 = require("zod");
+/**
+ * Ensures the SDK has a valid token by making a lightweight SDK call if needed.
+ */
+function ensureToken(sdk) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let token = sdk.getToken();
+        if (token)
+            return token;
+        try {
+            yield sdk.functions.list({ limit: 1 });
+        }
+        catch (_a) {
+            // Ignore — we only need the token refresh side effect
+        }
+        return sdk.getToken();
+    });
+}
+/**
+ * Creates an axios instance for the IAM external auth provider API.
+ */
+function createIamClient(sdk, centraliUrl, workspaceId) {
+    const url = new URL(centraliUrl);
+    const hostname = url.hostname.startsWith("api.")
+        ? url.hostname
+        : `api.${url.hostname}`;
+    const baseURL = `${url.protocol}//${hostname}/iam/workspace/${workspaceId}/api/v1/external-auth-providers`;
+    const client = axios_1.default.create({ baseURL });
+    client.interceptors.request.use((config) => __awaiter(this, void 0, void 0, function* () {
+        const token = yield ensureToken(sdk);
+        if (token) {
+            config.headers.Authorization = `Bearer ${token}`;
+        }
+        return config;
+    }));
+    client.interceptors.response.use((response) => response, (error) => __awaiter(this, void 0, void 0, function* () {
+        var _a, _b;
+        const originalRequest = error.config;
+        const isAuthError = ((_a = error.response) === null || _a === void 0 ? void 0 : _a.status) === 401 || ((_b = error.response) === null || _b === void 0 ? void 0 : _b.status) === 403;
+        if (isAuthError && !originalRequest._hasRetried) {
+            originalRequest._hasRetried = true;
+            try {
+                yield sdk.functions.list({ limit: 1 });
+            }
+            catch ( /* token refresh side effect */_c) { /* token refresh side effect */ }
+            const token = sdk.getToken();
+            if (token) {
+                originalRequest.headers.Authorization = `Bearer ${token}`;
+                return client.request(originalRequest);
+            }
+        }
+        return Promise.reject(error);
+    }));
+    return client;
+}
+function formatError(error, context) {
+    var _a, _b, _c, _d, _e, _f, _g, _h;
+    if (error && typeof error === "object") {
+        const e = error;
+        if ((_a = e.response) === null || _a === void 0 ? void 0 : _a.data) {
+            const d = e.response.data;
+            const code = (_e = (_d = (_b = d.code) !== null && _b !== void 0 ? _b : (_c = d.error) === null || _c === void 0 ? void 0 : _c.code) !== null && _d !== void 0 ? _d : e.response.status) !== null && _e !== void 0 ? _e : "ERROR";
+            const message = (_h = (_f = d.message) !== null && _f !== void 0 ? _f : (_g = d.error) === null || _g === void 0 ? void 0 : _g.message) !== null && _h !== void 0 ? _h : JSON.stringify(d);
+            return `Error ${context}: [${code}] ${message}`;
+        }
+        if ("message" in e) {
+            return `Error ${context}: ${e.message}`;
+        }
+    }
+    return `Error ${context}: ${error instanceof Error ? error.message : String(error)}`;
+}
+const ClaimMappingZod = zod_1.z.object({
+    attribute: zod_1.z.string().describe("Attribute name used in policies (automatically prefixed with ext_). Must start with a letter, alphanumeric + underscores only. Example: 'role' becomes ext_role in policies."),
+    jwtPath: zod_1.z.string().describe("Dot-notation path to extract from the JWT payload. Examples: 'org_role', 'metadata.plan', 'organization.role'"),
+    required: zod_1.z.boolean().optional().describe("If true, token validation fails when this claim is missing (default: false)"),
+    defaultValue: zod_1.z.union([zod_1.z.string(), zod_1.z.number(), zod_1.z.boolean(), zod_1.z.array(zod_1.z.string())]).optional().describe("Fallback value when claim is not present in the JWT"),
+    transform: zod_1.z.enum(["lowercase", "uppercase", "string", "boolean", "array"]).optional().describe("Transform applied to the extracted value before use in policies"),
+});
+function registerAuthProviderTools(server, sdk, centraliUrl, workspaceId) {
+    const getClient = () => createIamClient(sdk, centraliUrl, workspaceId);
+    // ── List ──────────────────────────────────────────────────────────
+    server.tool("list_auth_providers", "List external auth providers configured in the workspace. These are identity providers (Clerk, Auth0, Okta, etc.) that can issue JWTs accepted by Centrali for BYOT (Bring Your Own Token) authorization.", {
+        includeInactive: zod_1.z.boolean().optional().describe("Include inactive providers (default: false)"),
+    }, (_a) => __awaiter(this, [_a], void 0, function* ({ includeInactive }) {
+        try {
+            const params = {};
+            if (includeInactive)
+                params.includeInactive = true;
+            const result = yield getClient().get("/", { params });
+            return {
+                content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }],
+            };
+        }
+        catch (error) {
+            return {
+                content: [{ type: "text", text: formatError(error, "listing auth providers") }],
+                isError: true,
+            };
+        }
+    }));
+    // ── Get ───────────────────────────────────────────────────────────
+    server.tool("get_auth_provider", "Get details of an external auth provider by ID, including claim mappings and JWKS configuration.", {
+        providerId: zod_1.z.string().describe("The provider ID (UUID)"),
+    }, (_a) => __awaiter(this, [_a], void 0, function* ({ providerId }) {
+        try {
+            const result = yield getClient().get(`/${providerId}`);
+            return {
+                content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }],
+            };
+        }
+        catch (error) {
+            return {
+                content: [{ type: "text", text: formatError(error, `getting auth provider '${providerId}'`) }],
+                isError: true,
+            };
+        }
+    }));
+    // ── Create ────────────────────────────────────────────────────────
+    server.tool("create_auth_provider", "Create an external auth provider for BYOT (Bring Your Own Token). This lets your app's users authenticate with Clerk, Auth0, Okta, or any OIDC provider, and Centrali validates their JWTs and extracts claims for authorization policies. Call describe_auth_providers for the full setup guide.", {
+        name: zod_1.z.string().describe("Display name (e.g., 'Production Clerk')"),
+        slug: zod_1.z.string().describe("URL-safe unique slug (lowercase, hyphens allowed, e.g., 'production-clerk')"),
+        providerType: zod_1.z.enum(["oidc", "clerk", "auth0", "keycloak", "okta", "custom"]).describe("Identity provider type. Use 'clerk', 'auth0', 'okta', or 'keycloak' for built-in support, 'oidc' for any OIDC-compliant provider, or 'custom' for a custom JWT issuer."),
+        issuer: zod_1.z.string().describe("The JWT issuer URL. Centrali auto-discovers JWKS from this. Examples: 'https://clerk.your-domain.com' for Clerk, 'https://your-tenant.auth0.com/' for Auth0, 'https://your-org.okta.com' for Okta."),
+        jwksUrl: zod_1.z.string().optional().describe("Override JWKS URL if auto-discovery doesn't work (usually not needed for standard providers)"),
+        allowedAudiences: zod_1.z.array(zod_1.z.string()).optional().describe("JWT audience values to accept. If set, tokens without a matching 'aud' claim are rejected."),
+        clockSkewSeconds: zod_1.z.number().optional().describe("Seconds of clock skew tolerance for token expiration (default: 60, max: 300)"),
+        allowedAlgorithms: zod_1.z.array(zod_1.z.enum(["RS256", "RS384", "RS512", "ES256", "ES384", "ES512"])).optional().describe("Accepted JWT signing algorithms (default: ['RS256'])"),
+        claimMappings: zod_1.z.array(ClaimMappingZod).optional().describe("Map JWT claims to policy attributes. Each mapping extracts a value from the JWT and makes it available as ext_<attribute> in authorization policies. Example: { attribute: 'role', jwtPath: 'org_role' } makes ext_role available."),
+        allowedOrigins: zod_1.z.array(zod_1.z.string()).optional().describe("CORS origins allowed for browser requests with this provider's tokens"),
+    }, (_a) => __awaiter(this, [_a], void 0, function* ({ name, slug, providerType, issuer, jwksUrl, allowedAudiences, clockSkewSeconds, allowedAlgorithms, claimMappings, allowedOrigins }) {
+        try {
+            const input = { name, slug, providerType, issuer };
+            if (jwksUrl !== undefined)
+                input.jwksUrl = jwksUrl;
+            if (allowedAudiences !== undefined)
+                input.allowedAudiences = allowedAudiences;
+            if (clockSkewSeconds !== undefined)
+                input.clockSkewSeconds = clockSkewSeconds;
+            if (allowedAlgorithms !== undefined)
+                input.allowedAlgorithms = allowedAlgorithms;
+            if (claimMappings !== undefined)
+                input.claimMappings = claimMappings;
+            if (allowedOrigins !== undefined)
+                input.allowedOrigins = allowedOrigins;
+            const result = yield getClient().post("/", input);
+            return {
+                content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }],
+            };
+        }
+        catch (error) {
+            return {
+                content: [{ type: "text", text: formatError(error, `creating auth provider '${name}'`) }],
+                isError: true,
+            };
+        }
+    }));
+    // ── Update ────────────────────────────────────────────────────────
+    server.tool("update_auth_provider", "Update an external auth provider. Only include the fields you want to change. Use this to update claim mappings, allowed audiences, or deactivate a provider.", {
+        providerId: zod_1.z.string().describe("The provider ID (UUID) to update"),
+        name: zod_1.z.string().optional().describe("Updated display name"),
+        jwksUrl: zod_1.z.string().optional().describe("Updated JWKS URL"),
+        allowedAudiences: zod_1.z.array(zod_1.z.string()).optional().describe("Updated allowed audiences"),
+        clockSkewSeconds: zod_1.z.number().optional().describe("Updated clock skew tolerance (0-300 seconds)"),
+        allowedAlgorithms: zod_1.z.array(zod_1.z.enum(["RS256", "RS384", "RS512", "ES256", "ES384", "ES512"])).optional().describe("Updated allowed algorithms"),
+        claimMappings: zod_1.z.array(ClaimMappingZod).optional().describe("Updated claim mappings (replaces all existing mappings)"),
+        allowedOrigins: zod_1.z.array(zod_1.z.string()).optional().describe("Updated CORS origins"),
+        isActive: zod_1.z.boolean().optional().describe("Set to false to deactivate the provider (tokens will be rejected)"),
+    }, (_a) => __awaiter(this, [_a], void 0, function* ({ providerId, name, jwksUrl, allowedAudiences, clockSkewSeconds, allowedAlgorithms, claimMappings, allowedOrigins, isActive }) {
+        try {
+            const input = {};
+            if (name !== undefined)
+                input.name = name;
+            if (jwksUrl !== undefined)
+                input.jwksUrl = jwksUrl;
+            if (allowedAudiences !== undefined)
+                input.allowedAudiences = allowedAudiences;
+            if (clockSkewSeconds !== undefined)
+                input.clockSkewSeconds = clockSkewSeconds;
+            if (allowedAlgorithms !== undefined)
+                input.allowedAlgorithms = allowedAlgorithms;
+            if (claimMappings !== undefined)
+                input.claimMappings = claimMappings;
+            if (allowedOrigins !== undefined)
+                input.allowedOrigins = allowedOrigins;
+            if (isActive !== undefined)
+                input.isActive = isActive;
+            const result = yield getClient().put(`/${providerId}`, input);
+            return {
+                content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }],
+            };
+        }
+        catch (error) {
+            return {
+                content: [{ type: "text", text: formatError(error, `updating auth provider '${providerId}'`) }],
+                isError: true,
+            };
+        }
+    }));
+    // ── Delete ────────────────────────────────────────────────────────
+    server.tool("delete_auth_provider", "Delete an external auth provider. Tokens from this provider will no longer be accepted.", {
+        providerId: zod_1.z.string().describe("The provider ID (UUID) to delete"),
+    }, (_a) => __awaiter(this, [_a], void 0, function* ({ providerId }) {
+        try {
+            yield getClient().delete(`/${providerId}`);
+            return {
+                content: [{ type: "text", text: `Auth provider '${providerId}' deleted successfully.` }],
+            };
+        }
+        catch (error) {
+            return {
+                content: [{ type: "text", text: formatError(error, `deleting auth provider '${providerId}'`) }],
+                isError: true,
+            };
+        }
+    }));
+    // ── Test Claim Extraction ─────────────────────────────────────────
+    server.tool("test_auth_provider", "Test claim extraction for an auth provider by passing a sample JWT. Decodes the token (without signature verification) and shows which claims would be extracted using the provider's configured mappings. Use this to validate your claim mappings before deploying.", {
+        providerId: zod_1.z.string().describe("The provider ID (UUID) to test against"),
+        token: zod_1.z.string().describe("A sample JWT token from your identity provider"),
+    }, (_a) => __awaiter(this, [_a], void 0, function* ({ providerId, token }) {
+        try {
+            const result = yield getClient().post(`/${providerId}/test-extraction`, { token });
+            return {
+                content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }],
+            };
+        }
+        catch (error) {
+            return {
+                content: [{ type: "text", text: formatError(error, `testing auth provider '${providerId}'`) }],
+                isError: true,
+            };
+        }
+    }));
+    // ── Refresh JWKS ──────────────────────────────────────────────────
+    server.tool("refresh_auth_provider_jwks", "Force refresh the cached JWKS (JSON Web Key Set) for an auth provider. Use this after your identity provider rotates its signing keys.", {
+        providerId: zod_1.z.string().describe("The provider ID (UUID)"),
+    }, (_a) => __awaiter(this, [_a], void 0, function* ({ providerId }) {
+        try {
+            const result = yield getClient().post(`/${providerId}/refresh-jwks`);
+            return {
+                content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }],
+            };
+        }
+        catch (error) {
+            return {
+                content: [{ type: "text", text: formatError(error, `refreshing JWKS for auth provider '${providerId}'`) }],
+                isError: true,
+            };
+        }
+    }));
+}

package/dist/tools/compute.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { CentraliSDK } from "@centrali-io/centrali-sdk";
-export declare function registerComputeTools(server: McpServer, sdk: CentraliSDK): void;
+export declare function registerComputeTools(server: McpServer, sdk: CentraliSDK, centraliUrl: string, workspaceId: string): void;