@centrali-io/centrali-mcp 5.2.0 → 5.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +15 -0
- package/dist/index.js +2 -0
- package/dist/tools/_register.d.ts +24 -0
- package/dist/tools/_register.js +44 -0
- package/dist/tools/auth-providers.js +15 -30
- package/dist/tools/compute.js +48 -69
- package/dist/tools/describe.js +174 -21
- package/dist/tools/insights.js +13 -36
- package/dist/tools/orchestrations.js +21 -44
- package/dist/tools/pages.js +39 -61
- package/dist/tools/records.js +29 -50
- package/dist/tools/search.js +3 -24
- package/dist/tools/service-accounts.js +93 -108
- package/dist/tools/smart-queries.js +15 -36
- package/dist/tools/structures.js +23 -61
- package/dist/tools/validation.js +11 -34
- package/dist/tools/webhook-subscriptions.d.ts +3 -0
- package/dist/tools/webhook-subscriptions.js +292 -0
- package/package.json +5 -6
- package/src/index.ts +2 -0
- package/src/tools/_register.ts +53 -0
- package/src/tools/auth-providers.ts +8 -24
- package/src/tools/compute.ts +25 -46
- package/src/tools/describe.ts +200 -21
- package/src/tools/insights.ts +19 -28
- package/src/tools/orchestrations.ts +11 -34
- package/src/tools/pages.ts +20 -41
- package/src/tools/records.ts +15 -36
- package/src/tools/search.ts +7 -22
- package/src/tools/service-accounts.ts +47 -63
- package/src/tools/smart-queries.ts +8 -29
- package/src/tools/structures.ts +12 -50
- package/src/tools/validation.ts +21 -27
- package/src/tools/webhook-subscriptions.ts +363 -0
|
@@ -15,6 +15,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
15
15
|
exports.registerServiceAccountTools = registerServiceAccountTools;
|
|
16
16
|
const axios_1 = __importDefault(require("axios"));
|
|
17
17
|
const zod_1 = require("zod");
|
|
18
|
+
const _register_js_1 = require("./_register.js");
|
|
18
19
|
/**
|
|
19
20
|
* Ensures the SDK has a valid token by making a lightweight SDK call if needed.
|
|
20
21
|
*/
|
|
@@ -69,29 +70,13 @@ function createIamClient(sdk, centraliUrl, workspaceId, baseSuffix) {
|
|
|
69
70
|
}));
|
|
70
71
|
return client;
|
|
71
72
|
}
|
|
72
|
-
function formatError(error, context) {
|
|
73
|
-
var _a, _b, _c, _d, _e, _f, _g, _h;
|
|
74
|
-
if (error && typeof error === "object") {
|
|
75
|
-
const e = error;
|
|
76
|
-
if ((_a = e.response) === null || _a === void 0 ? void 0 : _a.data) {
|
|
77
|
-
const d = e.response.data;
|
|
78
|
-
const code = (_e = (_d = (_b = d.code) !== null && _b !== void 0 ? _b : (_c = d.error) === null || _c === void 0 ? void 0 : _c.code) !== null && _d !== void 0 ? _d : e.response.status) !== null && _e !== void 0 ? _e : "ERROR";
|
|
79
|
-
const message = (_h = (_f = d.message) !== null && _f !== void 0 ? _f : (_g = d.error) === null || _g === void 0 ? void 0 : _g.message) !== null && _h !== void 0 ? _h : JSON.stringify(d);
|
|
80
|
-
return `Error ${context}: [${code}] ${message}`;
|
|
81
|
-
}
|
|
82
|
-
if ("message" in e) {
|
|
83
|
-
return `Error ${context}: ${e.message}`;
|
|
84
|
-
}
|
|
85
|
-
}
|
|
86
|
-
return `Error ${context}: ${error instanceof Error ? error.message : String(error)}`;
|
|
87
|
-
}
|
|
88
73
|
function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, currentIdentity) {
|
|
89
74
|
const getSaClient = () => createIamClient(sdk, centraliUrl, workspaceId, "service-accounts");
|
|
90
75
|
const getUsersClient = () => createIamClient(sdk, centraliUrl, workspaceId, "users");
|
|
91
76
|
const getRolesClient = () => createIamClient(sdk, centraliUrl, workspaceId, "roles");
|
|
92
77
|
const getGroupsClient = () => createIamClient(sdk, centraliUrl, workspaceId, "groups");
|
|
93
78
|
// ── Identity ─────────────────────────────────────────────────────
|
|
94
|
-
|
|
79
|
+
(0, _register_js_1.registerTool)(server, "get_current_identity", "Get the current authenticated MCP identity. In stdio/service-account mode, returns the MCP service account. In hosted OAuth mode, fetches the authenticated user's profile, roles, and groups from IAM.", {}, () => __awaiter(this, void 0, void 0, function* () {
|
|
95
80
|
var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p;
|
|
96
81
|
try {
|
|
97
82
|
if ((currentIdentity === null || currentIdentity === void 0 ? void 0 : currentIdentity.userId) && !currentIdentity.isServiceAccount) {
|
|
@@ -155,13 +140,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
155
140
|
}
|
|
156
141
|
catch (error) {
|
|
157
142
|
return {
|
|
158
|
-
content: [{ type: "text", text: formatError(error, "getting current identity") }],
|
|
143
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "getting current identity") }],
|
|
159
144
|
isError: true,
|
|
160
145
|
};
|
|
161
146
|
}
|
|
162
147
|
}));
|
|
163
148
|
// ── Service Account CRUD ─────────────────────────────────────────
|
|
164
|
-
|
|
149
|
+
(0, _register_js_1.registerTool)(server, "list_service_accounts", "List all service accounts in the workspace. Service accounts are machine identities used for backend-to-backend API access (client_credentials flow).", {
|
|
165
150
|
page: zod_1.z.number().optional().describe("Page number (default: 1)"),
|
|
166
151
|
pageSize: zod_1.z.number().optional().describe("Results per page (default: 20)"),
|
|
167
152
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ page, pageSize }) {
|
|
@@ -178,12 +163,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
178
163
|
}
|
|
179
164
|
catch (error) {
|
|
180
165
|
return {
|
|
181
|
-
content: [{ type: "text", text: formatError(error, "listing service accounts") }],
|
|
166
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "listing service accounts") }],
|
|
182
167
|
isError: true,
|
|
183
168
|
};
|
|
184
169
|
}
|
|
185
170
|
}));
|
|
186
|
-
|
|
171
|
+
(0, _register_js_1.registerTool)(server, "get_service_account", "Get details of a specific service account by its numeric ID. Returns name, clientId, description, and revocation status. Does NOT return the clientSecret (it's only shown once at creation time).", {
|
|
187
172
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
188
173
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId }) {
|
|
189
174
|
try {
|
|
@@ -194,12 +179,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
194
179
|
}
|
|
195
180
|
catch (error) {
|
|
196
181
|
return {
|
|
197
|
-
content: [{ type: "text", text: formatError(error, `getting service account '${serviceAccountId}'`) }],
|
|
182
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `getting service account '${serviceAccountId}'`) }],
|
|
198
183
|
isError: true,
|
|
199
184
|
};
|
|
200
185
|
}
|
|
201
186
|
}));
|
|
202
|
-
|
|
187
|
+
(0, _register_js_1.registerTool)(server, "create_service_account", "Create a new service account (machine identity). Returns the clientId and clientSecret — the secret is ONLY shown once, so store it securely. Use the credentials with OAuth2 client_credentials flow to get access tokens.", {
|
|
203
188
|
name: zod_1.z.string().describe("Display name for the service account (e.g., 'CI/CD Pipeline', 'Analytics Worker')"),
|
|
204
189
|
description: zod_1.z.string().optional().describe("Optional description of what this service account is used for"),
|
|
205
190
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ name, description }) {
|
|
@@ -217,12 +202,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
217
202
|
}
|
|
218
203
|
catch (error) {
|
|
219
204
|
return {
|
|
220
|
-
content: [{ type: "text", text: formatError(error, `creating service account '${name}'`) }],
|
|
205
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `creating service account '${name}'`) }],
|
|
221
206
|
isError: true,
|
|
222
207
|
};
|
|
223
208
|
}
|
|
224
209
|
}));
|
|
225
|
-
|
|
210
|
+
(0, _register_js_1.registerTool)(server, "update_service_account_name", "Update the display name of a service account.", {
|
|
226
211
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
227
212
|
name: zod_1.z.string().describe("New display name"),
|
|
228
213
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId, name }) {
|
|
@@ -234,12 +219,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
234
219
|
}
|
|
235
220
|
catch (error) {
|
|
236
221
|
return {
|
|
237
|
-
content: [{ type: "text", text: formatError(error, `updating service account '${serviceAccountId}' name`) }],
|
|
222
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `updating service account '${serviceAccountId}' name`) }],
|
|
238
223
|
isError: true,
|
|
239
224
|
};
|
|
240
225
|
}
|
|
241
226
|
}));
|
|
242
|
-
|
|
227
|
+
(0, _register_js_1.registerTool)(server, "update_service_account_description", "Update the description of a service account.", {
|
|
243
228
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
244
229
|
description: zod_1.z.string().nullable().describe("New description (or null to clear)"),
|
|
245
230
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId, description }) {
|
|
@@ -251,12 +236,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
251
236
|
}
|
|
252
237
|
catch (error) {
|
|
253
238
|
return {
|
|
254
|
-
content: [{ type: "text", text: formatError(error, `updating service account '${serviceAccountId}' description`) }],
|
|
239
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `updating service account '${serviceAccountId}' description`) }],
|
|
255
240
|
isError: true,
|
|
256
241
|
};
|
|
257
242
|
}
|
|
258
243
|
}));
|
|
259
|
-
|
|
244
|
+
(0, _register_js_1.registerTool)(server, "delete_service_account", "Permanently delete a service account. This is irreversible — all tokens are invalidated immediately. Note: the service account must not be revoked (revoke prevents deletion).", {
|
|
260
245
|
clientId: zod_1.z.string().describe("The service account's clientId string (e.g., 'ci_abc123') — NOT the numeric ID"),
|
|
261
246
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ clientId }) {
|
|
262
247
|
try {
|
|
@@ -267,13 +252,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
267
252
|
}
|
|
268
253
|
catch (error) {
|
|
269
254
|
return {
|
|
270
|
-
content: [{ type: "text", text: formatError(error, `deleting service account '${clientId}'`) }],
|
|
255
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `deleting service account '${clientId}'`) }],
|
|
271
256
|
isError: true,
|
|
272
257
|
};
|
|
273
258
|
}
|
|
274
259
|
}));
|
|
275
260
|
// ── Secret Rotation & Revocation ─────────────────────────────────
|
|
276
|
-
|
|
261
|
+
(0, _register_js_1.registerTool)(server, "rotate_service_account_secret", "Rotate the client secret of a service account. The old secret is immediately invalidated. Returns the new clientSecret — store it securely, it's only shown once.", {
|
|
277
262
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
278
263
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId }) {
|
|
279
264
|
try {
|
|
@@ -287,12 +272,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
287
272
|
}
|
|
288
273
|
catch (error) {
|
|
289
274
|
return {
|
|
290
|
-
content: [{ type: "text", text: formatError(error, `rotating secret for service account '${serviceAccountId}'`) }],
|
|
275
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `rotating secret for service account '${serviceAccountId}'`) }],
|
|
291
276
|
isError: true,
|
|
292
277
|
};
|
|
293
278
|
}
|
|
294
279
|
}));
|
|
295
|
-
|
|
280
|
+
(0, _register_js_1.registerTool)(server, "revoke_service_account", "Revoke a service account. All existing tokens are invalidated and no new tokens can be issued. This cannot be undone.", {
|
|
296
281
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID to revoke"),
|
|
297
282
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId }) {
|
|
298
283
|
try {
|
|
@@ -303,13 +288,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
303
288
|
}
|
|
304
289
|
catch (error) {
|
|
305
290
|
return {
|
|
306
|
-
content: [{ type: "text", text: formatError(error, `revoking service account '${serviceAccountId}'`) }],
|
|
291
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `revoking service account '${serviceAccountId}'`) }],
|
|
307
292
|
isError: true,
|
|
308
293
|
};
|
|
309
294
|
}
|
|
310
295
|
}));
|
|
311
296
|
// ── Dev Token Generation ─────────────────────────────────────────
|
|
312
|
-
|
|
297
|
+
(0, _register_js_1.registerTool)(server, "generate_dev_token", "Generate a short-lived development token for a service account. Useful for testing and local development without the full OAuth2 client_credentials flow. The token has limited TTL.", {
|
|
313
298
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
314
299
|
ttlSeconds: zod_1.z.number().describe("Token time-to-live in seconds (valid options depend on server config, typically 3600, 86400, 604800)"),
|
|
315
300
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId, ttlSeconds }) {
|
|
@@ -324,13 +309,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
324
309
|
}
|
|
325
310
|
catch (error) {
|
|
326
311
|
return {
|
|
327
|
-
content: [{ type: "text", text: formatError(error, `generating dev token for service account '${serviceAccountId}'`) }],
|
|
312
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `generating dev token for service account '${serviceAccountId}'`) }],
|
|
328
313
|
isError: true,
|
|
329
314
|
};
|
|
330
315
|
}
|
|
331
316
|
}));
|
|
332
317
|
// ── Permission Introspection ─────────────────────────────────────
|
|
333
|
-
|
|
318
|
+
(0, _register_js_1.registerTool)(server, "scan_service_account_permissions", "Scan all permissions for a service account. Returns a full access matrix showing every resource and action with Allow/Deny decisions and reasons. Use this to audit what a service account can and cannot do.", {
|
|
334
319
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
335
320
|
filter: zod_1.z.enum(["all", "allowed", "denied"]).optional().describe("Filter results: 'all' (default), 'allowed' (only granted), 'denied' (only missing)"),
|
|
336
321
|
resourceCategory: zod_1.z.string().optional().describe("Filter by resource category (e.g., 'workspace')"),
|
|
@@ -348,12 +333,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
348
333
|
}
|
|
349
334
|
catch (error) {
|
|
350
335
|
return {
|
|
351
|
-
content: [{ type: "text", text: formatError(error, `scanning permissions for service account '${serviceAccountId}'`) }],
|
|
336
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `scanning permissions for service account '${serviceAccountId}'`) }],
|
|
352
337
|
isError: true,
|
|
353
338
|
};
|
|
354
339
|
}
|
|
355
340
|
}));
|
|
356
|
-
|
|
341
|
+
(0, _register_js_1.registerTool)(server, "simulate_service_account_permission", "Simulate an authorization check for a service account against a specific resource and action. Returns the decision (Allow/Deny), evaluation trace, and suggestions for granting access if denied.", {
|
|
357
342
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
358
343
|
resource: zod_1.z.string().describe("Resource identifier (e.g., 'workspace::records', 'workspace::compute-functions')"),
|
|
359
344
|
resourceCategory: zod_1.z.string().describe("Resource category (e.g., 'workspace')"),
|
|
@@ -371,7 +356,7 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
371
356
|
}
|
|
372
357
|
catch (error) {
|
|
373
358
|
return {
|
|
374
|
-
content: [{ type: "text", text: formatError(error, `simulating permission for service account '${serviceAccountId}'`) }],
|
|
359
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `simulating permission for service account '${serviceAccountId}'`) }],
|
|
375
360
|
isError: true,
|
|
376
361
|
};
|
|
377
362
|
}
|
|
@@ -396,7 +381,7 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
396
381
|
details: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional(),
|
|
397
382
|
})),
|
|
398
383
|
}).describe("The remediation option object from generate_remediation — pass the full option object exactly as returned");
|
|
399
|
-
|
|
384
|
+
(0, _register_js_1.registerTool)(server, "generate_remediation", "Generate remediation options for granting a service account access to a specific resource and actions. Returns multiple options: assign an existing role, join a group, or create a minimal new policy. Use after scan_service_account_permissions or simulate_service_account_permission shows Deny.", {
|
|
400
385
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
401
386
|
resource: zod_1.z.string().describe("Resource identifier (e.g., 'workspace::records', 'workspace::compute-functions')"),
|
|
402
387
|
resourceCategory: zod_1.z.string().describe("Resource category (e.g., 'workspace')"),
|
|
@@ -416,12 +401,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
416
401
|
}
|
|
417
402
|
catch (error) {
|
|
418
403
|
return {
|
|
419
|
-
content: [{ type: "text", text: formatError(error, `generating remediation for service account '${serviceAccountId}'`) }],
|
|
404
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `generating remediation for service account '${serviceAccountId}'`) }],
|
|
420
405
|
isError: true,
|
|
421
406
|
};
|
|
422
407
|
}
|
|
423
408
|
}));
|
|
424
|
-
|
|
409
|
+
(0, _register_js_1.registerTool)(server, "preview_remediation", "Preview what changes would be made by applying a specific remediation option. Shows what would be created or modified without actually making changes. Call generate_remediation first to get the options.", {
|
|
425
410
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
426
411
|
resource: zod_1.z.string().describe("Resource identifier (same as used in generate_remediation)"),
|
|
427
412
|
resourceCategory: zod_1.z.string().describe("Resource category (same as used in generate_remediation)"),
|
|
@@ -444,12 +429,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
444
429
|
}
|
|
445
430
|
catch (error) {
|
|
446
431
|
return {
|
|
447
|
-
content: [{ type: "text", text: formatError(error, `previewing remediation for service account '${serviceAccountId}'`) }],
|
|
432
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `previewing remediation for service account '${serviceAccountId}'`) }],
|
|
448
433
|
isError: true,
|
|
449
434
|
};
|
|
450
435
|
}
|
|
451
436
|
}));
|
|
452
|
-
|
|
437
|
+
(0, _register_js_1.registerTool)(server, "apply_remediation", "Apply a remediation option to actually grant access. Creates roles, policies, or group assignments as needed. After applying, the service account will have the requested permissions. The response includes a verification check confirming the access was granted.", {
|
|
453
438
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
454
439
|
resource: zod_1.z.string().describe("Resource identifier (same as used in generate_remediation)"),
|
|
455
440
|
resourceCategory: zod_1.z.string().describe("Resource category (same as used in generate_remediation)"),
|
|
@@ -473,13 +458,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
473
458
|
}
|
|
474
459
|
catch (error) {
|
|
475
460
|
return {
|
|
476
|
-
content: [{ type: "text", text: formatError(error, `applying remediation for service account '${serviceAccountId}'`) }],
|
|
461
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `applying remediation for service account '${serviceAccountId}'`) }],
|
|
477
462
|
isError: true,
|
|
478
463
|
};
|
|
479
464
|
}
|
|
480
465
|
}));
|
|
481
466
|
// ── Service Account ↔ Roles ──────────────────────────────────────
|
|
482
|
-
|
|
467
|
+
(0, _register_js_1.registerTool)(server, "list_service_account_roles", "List all roles assigned to a service account.", {
|
|
483
468
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
484
469
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId }) {
|
|
485
470
|
try {
|
|
@@ -490,12 +475,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
490
475
|
}
|
|
491
476
|
catch (error) {
|
|
492
477
|
return {
|
|
493
|
-
content: [{ type: "text", text: formatError(error, `listing roles for service account '${serviceAccountId}'`) }],
|
|
478
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `listing roles for service account '${serviceAccountId}'`) }],
|
|
494
479
|
isError: true,
|
|
495
480
|
};
|
|
496
481
|
}
|
|
497
482
|
}));
|
|
498
|
-
|
|
483
|
+
(0, _register_js_1.registerTool)(server, "assign_role_to_service_account", "Assign a role to a service account. The service account inherits all permissions defined in the role.", {
|
|
499
484
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
500
485
|
roleId: zod_1.z.string().describe("The role ID (UUID) to assign"),
|
|
501
486
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId, roleId }) {
|
|
@@ -507,12 +492,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
507
492
|
}
|
|
508
493
|
catch (error) {
|
|
509
494
|
return {
|
|
510
|
-
content: [{ type: "text", text: formatError(error, `assigning role '${roleId}' to service account '${serviceAccountId}'`) }],
|
|
495
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `assigning role '${roleId}' to service account '${serviceAccountId}'`) }],
|
|
511
496
|
isError: true,
|
|
512
497
|
};
|
|
513
498
|
}
|
|
514
499
|
}));
|
|
515
|
-
|
|
500
|
+
(0, _register_js_1.registerTool)(server, "remove_role_from_service_account", "Remove a role from a service account. The service account loses all permissions from this role.", {
|
|
516
501
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
517
502
|
roleId: zod_1.z.string().describe("The role ID (UUID) to remove"),
|
|
518
503
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId, roleId }) {
|
|
@@ -524,13 +509,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
524
509
|
}
|
|
525
510
|
catch (error) {
|
|
526
511
|
return {
|
|
527
|
-
content: [{ type: "text", text: formatError(error, `removing role '${roleId}' from service account '${serviceAccountId}'`) }],
|
|
512
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `removing role '${roleId}' from service account '${serviceAccountId}'`) }],
|
|
528
513
|
isError: true,
|
|
529
514
|
};
|
|
530
515
|
}
|
|
531
516
|
}));
|
|
532
517
|
// ── Service Account ↔ Groups ─────────────────────────────────────
|
|
533
|
-
|
|
518
|
+
(0, _register_js_1.registerTool)(server, "list_service_account_groups", "List all groups a service account belongs to.", {
|
|
534
519
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
535
520
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId }) {
|
|
536
521
|
try {
|
|
@@ -541,12 +526,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
541
526
|
}
|
|
542
527
|
catch (error) {
|
|
543
528
|
return {
|
|
544
|
-
content: [{ type: "text", text: formatError(error, `listing groups for service account '${serviceAccountId}'`) }],
|
|
529
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `listing groups for service account '${serviceAccountId}'`) }],
|
|
545
530
|
isError: true,
|
|
546
531
|
};
|
|
547
532
|
}
|
|
548
533
|
}));
|
|
549
|
-
|
|
534
|
+
(0, _register_js_1.registerTool)(server, "add_service_account_to_group", "Add a service account to a group. The service account inherits all roles assigned to the group.", {
|
|
550
535
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
551
536
|
groupId: zod_1.z.string().describe("The group ID (UUID) to add the service account to"),
|
|
552
537
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId, groupId }) {
|
|
@@ -558,12 +543,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
558
543
|
}
|
|
559
544
|
catch (error) {
|
|
560
545
|
return {
|
|
561
|
-
content: [{ type: "text", text: formatError(error, `adding service account '${serviceAccountId}' to group '${groupId}'`) }],
|
|
546
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `adding service account '${serviceAccountId}' to group '${groupId}'`) }],
|
|
562
547
|
isError: true,
|
|
563
548
|
};
|
|
564
549
|
}
|
|
565
550
|
}));
|
|
566
|
-
|
|
551
|
+
(0, _register_js_1.registerTool)(server, "remove_service_account_from_group", "Remove a service account from a group. The service account loses all permissions inherited through this group.", {
|
|
567
552
|
serviceAccountId: zod_1.z.number().describe("The service account numeric ID"),
|
|
568
553
|
groupId: zod_1.z.string().describe("The group ID (UUID) to remove the service account from"),
|
|
569
554
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ serviceAccountId, groupId }) {
|
|
@@ -575,13 +560,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
575
560
|
}
|
|
576
561
|
catch (error) {
|
|
577
562
|
return {
|
|
578
|
-
content: [{ type: "text", text: formatError(error, `removing service account '${serviceAccountId}' from group '${groupId}'`) }],
|
|
563
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `removing service account '${serviceAccountId}' from group '${groupId}'`) }],
|
|
579
564
|
isError: true,
|
|
580
565
|
};
|
|
581
566
|
}
|
|
582
567
|
}));
|
|
583
568
|
// ── Role CRUD ────────────────────────────────────────────────────
|
|
584
|
-
|
|
569
|
+
(0, _register_js_1.registerTool)(server, "list_roles", "List all roles in the workspace. Roles are named labels assigned to users and service accounts.", {
|
|
585
570
|
page: zod_1.z.number().optional().describe("Page number (default: 1)"),
|
|
586
571
|
pageSize: zod_1.z.number().optional().describe("Results per page (default: 20)"),
|
|
587
572
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ page, pageSize }) {
|
|
@@ -598,12 +583,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
598
583
|
}
|
|
599
584
|
catch (error) {
|
|
600
585
|
return {
|
|
601
|
-
content: [{ type: "text", text: formatError(error, "listing roles") }],
|
|
586
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "listing roles") }],
|
|
602
587
|
isError: true,
|
|
603
588
|
};
|
|
604
589
|
}
|
|
605
590
|
}));
|
|
606
|
-
|
|
591
|
+
(0, _register_js_1.registerTool)(server, "get_role", "Get details of a role including its permissions.", {
|
|
607
592
|
roleId: zod_1.z.string().describe("The role ID (UUID)"),
|
|
608
593
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ roleId }) {
|
|
609
594
|
try {
|
|
@@ -614,12 +599,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
614
599
|
}
|
|
615
600
|
catch (error) {
|
|
616
601
|
return {
|
|
617
|
-
content: [{ type: "text", text: formatError(error, `getting role '${roleId}'`) }],
|
|
602
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `getting role '${roleId}'`) }],
|
|
618
603
|
isError: true,
|
|
619
604
|
};
|
|
620
605
|
}
|
|
621
606
|
}));
|
|
622
|
-
|
|
607
|
+
(0, _register_js_1.registerTool)(server, "create_role", "Create a new role. Roles are named labels assigned to users and service accounts. They do NOT contain permissions directly — to grant access, create a policy that targets the role as a principal. Role names are immutable after creation.", {
|
|
623
608
|
name: zod_1.z.string().describe("Role name (e.g., 'Data Reader', 'Compute Admin'). Cannot be changed after creation."),
|
|
624
609
|
description: zod_1.z.string().optional().describe("Optional description of the role's purpose"),
|
|
625
610
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ name, description }) {
|
|
@@ -634,12 +619,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
634
619
|
}
|
|
635
620
|
catch (error) {
|
|
636
621
|
return {
|
|
637
|
-
content: [{ type: "text", text: formatError(error, `creating role '${name}'`) }],
|
|
622
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `creating role '${name}'`) }],
|
|
638
623
|
isError: true,
|
|
639
624
|
};
|
|
640
625
|
}
|
|
641
626
|
}));
|
|
642
|
-
|
|
627
|
+
(0, _register_js_1.registerTool)(server, "update_role", "Update a role's description. Role names are immutable. Roles are named labels assigned to users/service accounts — they do NOT contain permissions directly. To grant access, create a policy that references the role.", {
|
|
643
628
|
roleId: zod_1.z.string().describe("The role ID (UUID) to update"),
|
|
644
629
|
description: zod_1.z.string().optional().describe("Updated description"),
|
|
645
630
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ roleId, description }) {
|
|
@@ -654,12 +639,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
654
639
|
}
|
|
655
640
|
catch (error) {
|
|
656
641
|
return {
|
|
657
|
-
content: [{ type: "text", text: formatError(error, `updating role '${roleId}'`) }],
|
|
642
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `updating role '${roleId}'`) }],
|
|
658
643
|
isError: true,
|
|
659
644
|
};
|
|
660
645
|
}
|
|
661
646
|
}));
|
|
662
|
-
|
|
647
|
+
(0, _register_js_1.registerTool)(server, "delete_role", "Delete a role. Service accounts assigned to this role will lose the label.", {
|
|
663
648
|
roleId: zod_1.z.string().describe("The role ID (UUID) to delete"),
|
|
664
649
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ roleId }) {
|
|
665
650
|
try {
|
|
@@ -670,13 +655,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
670
655
|
}
|
|
671
656
|
catch (error) {
|
|
672
657
|
return {
|
|
673
|
-
content: [{ type: "text", text: formatError(error, `deleting role '${roleId}'`) }],
|
|
658
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `deleting role '${roleId}'`) }],
|
|
674
659
|
isError: true,
|
|
675
660
|
};
|
|
676
661
|
}
|
|
677
662
|
}));
|
|
678
663
|
// ── Group CRUD ───────────────────────────────────────────────────
|
|
679
|
-
|
|
664
|
+
(0, _register_js_1.registerTool)(server, "list_groups", "List all groups in the workspace. Groups bundle service accounts together and can have roles assigned to them.", {
|
|
680
665
|
page: zod_1.z.number().optional().describe("Page number (default: 1)"),
|
|
681
666
|
pageSize: zod_1.z.number().optional().describe("Results per page (default: 20)"),
|
|
682
667
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ page, pageSize }) {
|
|
@@ -693,12 +678,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
693
678
|
}
|
|
694
679
|
catch (error) {
|
|
695
680
|
return {
|
|
696
|
-
content: [{ type: "text", text: formatError(error, "listing groups") }],
|
|
681
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "listing groups") }],
|
|
697
682
|
isError: true,
|
|
698
683
|
};
|
|
699
684
|
}
|
|
700
685
|
}));
|
|
701
|
-
|
|
686
|
+
(0, _register_js_1.registerTool)(server, "get_group", "Get details of a group.", {
|
|
702
687
|
groupId: zod_1.z.string().describe("The group ID (UUID)"),
|
|
703
688
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ groupId }) {
|
|
704
689
|
try {
|
|
@@ -709,12 +694,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
709
694
|
}
|
|
710
695
|
catch (error) {
|
|
711
696
|
return {
|
|
712
|
-
content: [{ type: "text", text: formatError(error, `getting group '${groupId}'`) }],
|
|
697
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `getting group '${groupId}'`) }],
|
|
713
698
|
isError: true,
|
|
714
699
|
};
|
|
715
700
|
}
|
|
716
701
|
}));
|
|
717
|
-
|
|
702
|
+
(0, _register_js_1.registerTool)(server, "create_group", "Create a new group. Groups let you assign roles to multiple service accounts at once.", {
|
|
718
703
|
name: zod_1.z.string().describe("Group name (e.g., 'Backend Services', 'Analytics Pipeline')"),
|
|
719
704
|
description: zod_1.z.string().optional().describe("Optional description"),
|
|
720
705
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ name, description }) {
|
|
@@ -729,12 +714,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
729
714
|
}
|
|
730
715
|
catch (error) {
|
|
731
716
|
return {
|
|
732
|
-
content: [{ type: "text", text: formatError(error, `creating group '${name}'`) }],
|
|
717
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `creating group '${name}'`) }],
|
|
733
718
|
isError: true,
|
|
734
719
|
};
|
|
735
720
|
}
|
|
736
721
|
}));
|
|
737
|
-
|
|
722
|
+
(0, _register_js_1.registerTool)(server, "update_group", "Update a group's description. Group names are immutable and cannot be changed after creation.", {
|
|
738
723
|
groupId: zod_1.z.string().describe("The group ID (UUID) to update"),
|
|
739
724
|
description: zod_1.z.string().optional().describe("Updated description"),
|
|
740
725
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ groupId, description }) {
|
|
@@ -749,12 +734,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
749
734
|
}
|
|
750
735
|
catch (error) {
|
|
751
736
|
return {
|
|
752
|
-
content: [{ type: "text", text: formatError(error, `updating group '${groupId}'`) }],
|
|
737
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `updating group '${groupId}'`) }],
|
|
753
738
|
isError: true,
|
|
754
739
|
};
|
|
755
740
|
}
|
|
756
741
|
}));
|
|
757
|
-
|
|
742
|
+
(0, _register_js_1.registerTool)(server, "delete_group", "Delete a group. Service accounts in this group lose permissions inherited through it.", {
|
|
758
743
|
groupId: zod_1.z.string().describe("The group ID (UUID) to delete"),
|
|
759
744
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ groupId }) {
|
|
760
745
|
try {
|
|
@@ -765,14 +750,14 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
765
750
|
}
|
|
766
751
|
catch (error) {
|
|
767
752
|
return {
|
|
768
|
-
content: [{ type: "text", text: formatError(error, `deleting group '${groupId}'`) }],
|
|
753
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `deleting group '${groupId}'`) }],
|
|
769
754
|
isError: true,
|
|
770
755
|
};
|
|
771
756
|
}
|
|
772
757
|
}));
|
|
773
758
|
// ── Publishable Keys ─────────────────────────────────────────────
|
|
774
759
|
const getPkClient = () => createIamClient(sdk, centraliUrl, workspaceId, "publishable-keys");
|
|
775
|
-
|
|
760
|
+
(0, _register_js_1.registerTool)(server, "list_publishable_keys", "List all publishable keys in the workspace. Publishable keys are frontend-safe API keys for browser/client-side apps — they grant scoped, read-mostly access to specific collections, records, triggers, and files.", {
|
|
776
761
|
page: zod_1.z.number().optional().describe("Page number (default: 1)"),
|
|
777
762
|
pageSize: zod_1.z.number().optional().describe("Results per page (default: 20)"),
|
|
778
763
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ page, pageSize }) {
|
|
@@ -789,12 +774,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
789
774
|
}
|
|
790
775
|
catch (error) {
|
|
791
776
|
return {
|
|
792
|
-
content: [{ type: "text", text: formatError(error, "listing publishable keys") }],
|
|
777
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "listing publishable keys") }],
|
|
793
778
|
isError: true,
|
|
794
779
|
};
|
|
795
780
|
}
|
|
796
781
|
}));
|
|
797
|
-
|
|
782
|
+
(0, _register_js_1.registerTool)(server, "get_publishable_key", "Get details of a publishable key including its scopes and usage stats.", {
|
|
798
783
|
keyId: zod_1.z.string().describe("The publishable key ID (UUID)"),
|
|
799
784
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ keyId }) {
|
|
800
785
|
try {
|
|
@@ -805,12 +790,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
805
790
|
}
|
|
806
791
|
catch (error) {
|
|
807
792
|
return {
|
|
808
|
-
content: [{ type: "text", text: formatError(error, `getting publishable key '${keyId}'`) }],
|
|
793
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `getting publishable key '${keyId}'`) }],
|
|
809
794
|
isError: true,
|
|
810
795
|
};
|
|
811
796
|
}
|
|
812
797
|
}));
|
|
813
|
-
|
|
798
|
+
(0, _register_js_1.registerTool)(server, "create_publishable_key", "Create a publishable key for frontend/client-side use. Returns the full key value (pk_live_...) — it's safe to embed in client code but only shown in full once. Scopes control what the key can access. Always use least-privilege: only grant the specific collections, actions, and triggers the frontend needs.", {
|
|
814
799
|
label: zod_1.z.string().describe("Display label (e.g., 'React Dashboard', 'Marketing Site')"),
|
|
815
800
|
scopes: zod_1.z.array(zod_1.z.string()).describe("Scopes defining what this key can access. Format: 'resource:action:target'. Examples: 'records:list:products' (list products), 'records:retrieve:*' (read any collection), 'records:create:orders' (create orders), 'triggers:execute:send-email' (invoke a trigger), 'files:retrieve' (read files), 'collections:list' (list collection schemas). Write actions (create, execute) require explicit targets — no wildcards."),
|
|
816
801
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ label, scopes }) {
|
|
@@ -825,12 +810,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
825
810
|
}
|
|
826
811
|
catch (error) {
|
|
827
812
|
return {
|
|
828
|
-
content: [{ type: "text", text: formatError(error, `creating publishable key '${label}'`) }],
|
|
813
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `creating publishable key '${label}'`) }],
|
|
829
814
|
isError: true,
|
|
830
815
|
};
|
|
831
816
|
}
|
|
832
817
|
}));
|
|
833
|
-
|
|
818
|
+
(0, _register_js_1.registerTool)(server, "update_publishable_key", "Update a publishable key's label or scopes. When updating scopes, the new scopes replace all existing ones.", {
|
|
834
819
|
keyId: zod_1.z.string().describe("The publishable key ID (UUID) to update"),
|
|
835
820
|
label: zod_1.z.string().optional().describe("Updated label"),
|
|
836
821
|
scopes: zod_1.z.array(zod_1.z.string()).optional().describe("Updated scopes (replaces all existing). Same format as create_publishable_key."),
|
|
@@ -848,12 +833,12 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
848
833
|
}
|
|
849
834
|
catch (error) {
|
|
850
835
|
return {
|
|
851
|
-
content: [{ type: "text", text: formatError(error, `updating publishable key '${keyId}'`) }],
|
|
836
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `updating publishable key '${keyId}'`) }],
|
|
852
837
|
isError: true,
|
|
853
838
|
};
|
|
854
839
|
}
|
|
855
840
|
}));
|
|
856
|
-
|
|
841
|
+
(0, _register_js_1.registerTool)(server, "revoke_publishable_key", "Revoke a publishable key. The key immediately stops working. This cannot be undone — create a new key if needed.", {
|
|
857
842
|
keyId: zod_1.z.string().describe("The publishable key ID (UUID) to revoke"),
|
|
858
843
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ keyId }) {
|
|
859
844
|
try {
|
|
@@ -864,7 +849,7 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
864
849
|
}
|
|
865
850
|
catch (error) {
|
|
866
851
|
return {
|
|
867
|
-
content: [{ type: "text", text: formatError(error, `revoking publishable key '${keyId}'`) }],
|
|
852
|
+
content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `revoking publishable key '${keyId}'`) }],
|
|
868
853
|
isError: true,
|
|
869
854
|
};
|
|
870
855
|
}
|
|
@@ -875,7 +860,7 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
875
860
|
const getPoliciesClient = () => createIamClient(sdk, centraliUrl, workspaceId, "access/policies");
|
|
876
861
|
const getPermissionsClient = () => createIamClient(sdk, centraliUrl, workspaceId, "access/permissions");
|
|
877
862
|
const getResourcesClient = () => createIamClient(sdk, centraliUrl, workspaceId, "access/resources");
|
|
878
|
-
|
|
863
|
+
(0, _register_js_1.registerTool)(server, "list_policies", "List all access control policies in the workspace. Policies define who can do what — they bind roles/groups/principals to permissions with optional conditions.", {
|
|
879
864
|
page: zod_1.z.number().optional().describe("Page number (default: 1)"),
|
|
880
865
|
pageSize: zod_1.z.number().optional().describe("Results per page (default: 20)"),
|
|
881
866
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ page, pageSize }) {
|
|
@@ -889,10 +874,10 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
889
874
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
890
875
|
}
|
|
891
876
|
catch (error) {
|
|
892
|
-
return { content: [{ type: "text", text: formatError(error, "listing policies") }], isError: true };
|
|
877
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "listing policies") }], isError: true };
|
|
893
878
|
}
|
|
894
879
|
}));
|
|
895
|
-
|
|
880
|
+
(0, _register_js_1.registerTool)(server, "get_policy", "Get the full definition of an access control policy by ID.", {
|
|
896
881
|
policyId: zod_1.z.string().describe("The policy ID"),
|
|
897
882
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ policyId }) {
|
|
898
883
|
try {
|
|
@@ -900,10 +885,10 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
900
885
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
901
886
|
}
|
|
902
887
|
catch (error) {
|
|
903
|
-
return { content: [{ type: "text", text: formatError(error, `getting policy '${policyId}'`) }], isError: true };
|
|
888
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `getting policy '${policyId}'`) }], isError: true };
|
|
904
889
|
}
|
|
905
890
|
}));
|
|
906
|
-
|
|
891
|
+
(0, _register_js_1.registerTool)(server, "create_policy", "Create an access control policy. Policies grant or deny actions on resources to principals (users, service accounts, groups, roles).", {
|
|
907
892
|
policy: zod_1.z.record(zod_1.z.string(), zod_1.z.any()).describe("The policy definition object. Must include: name, effect ('allow'|'deny'), principals, resources, actions. May include conditions."),
|
|
908
893
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ policy }) {
|
|
909
894
|
try {
|
|
@@ -911,10 +896,10 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
911
896
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
912
897
|
}
|
|
913
898
|
catch (error) {
|
|
914
|
-
return { content: [{ type: "text", text: formatError(error, "creating policy") }], isError: true };
|
|
899
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "creating policy") }], isError: true };
|
|
915
900
|
}
|
|
916
901
|
}));
|
|
917
|
-
|
|
902
|
+
(0, _register_js_1.registerTool)(server, "update_policy", "Update an existing access control policy by ID.", {
|
|
918
903
|
policyId: zod_1.z.string().describe("The policy ID to update"),
|
|
919
904
|
policy: zod_1.z.record(zod_1.z.string(), zod_1.z.any()).describe("The updated policy definition"),
|
|
920
905
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ policyId, policy }) {
|
|
@@ -923,10 +908,10 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
923
908
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
924
909
|
}
|
|
925
910
|
catch (error) {
|
|
926
|
-
return { content: [{ type: "text", text: formatError(error, `updating policy '${policyId}'`) }], isError: true };
|
|
911
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `updating policy '${policyId}'`) }], isError: true };
|
|
927
912
|
}
|
|
928
913
|
}));
|
|
929
|
-
|
|
914
|
+
(0, _register_js_1.registerTool)(server, "delete_policy", "Delete an access control policy by ID. This immediately revokes the access it granted. Use this to undo apply_remediation.", {
|
|
930
915
|
policyId: zod_1.z.string().describe("The policy ID to delete"),
|
|
931
916
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ policyId }) {
|
|
932
917
|
try {
|
|
@@ -934,11 +919,11 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
934
919
|
return { content: [{ type: "text", text: `Policy '${policyId}' deleted.` }] };
|
|
935
920
|
}
|
|
936
921
|
catch (error) {
|
|
937
|
-
return { content: [{ type: "text", text: formatError(error, `deleting policy '${policyId}'`) }], isError: true };
|
|
922
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `deleting policy '${policyId}'`) }], isError: true };
|
|
938
923
|
}
|
|
939
924
|
}));
|
|
940
925
|
// ── Permissions CRUD ───────────────────────────────────────────────
|
|
941
|
-
|
|
926
|
+
(0, _register_js_1.registerTool)(server, "list_permissions", "List all permission definitions in the workspace. Permissions are resource + action pairs (e.g., 'workspace::records' + 'create').", {
|
|
942
927
|
page: zod_1.z.number().optional().describe("Page number (default: 1)"),
|
|
943
928
|
pageSize: zod_1.z.number().optional().describe("Results per page (default: 20)"),
|
|
944
929
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ page, pageSize }) {
|
|
@@ -952,10 +937,10 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
952
937
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
953
938
|
}
|
|
954
939
|
catch (error) {
|
|
955
|
-
return { content: [{ type: "text", text: formatError(error, "listing permissions") }], isError: true };
|
|
940
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "listing permissions") }], isError: true };
|
|
956
941
|
}
|
|
957
942
|
}));
|
|
958
|
-
|
|
943
|
+
(0, _register_js_1.registerTool)(server, "create_permission", "Create a new permission definition. Permissions bind actions to a resource within a policy. Required fields: name, resourceId (UUID from list_resources), actions (string array), policyId (UUID from list_policies or create_policy).", {
|
|
959
944
|
permission: zod_1.z.record(zod_1.z.string(), zod_1.z.any()).describe("Required: { name: string, resourceId: UUID, actions: string[], policyId: UUID }. Optional: description, priority (number)."),
|
|
960
945
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ permission }) {
|
|
961
946
|
try {
|
|
@@ -963,10 +948,10 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
963
948
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
964
949
|
}
|
|
965
950
|
catch (error) {
|
|
966
|
-
return { content: [{ type: "text", text: formatError(error, "creating permission") }], isError: true };
|
|
951
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "creating permission") }], isError: true };
|
|
967
952
|
}
|
|
968
953
|
}));
|
|
969
|
-
|
|
954
|
+
(0, _register_js_1.registerTool)(server, "delete_permission", "Delete a permission definition by ID.", {
|
|
970
955
|
permissionId: zod_1.z.string().describe("The permission ID to delete"),
|
|
971
956
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ permissionId }) {
|
|
972
957
|
try {
|
|
@@ -974,11 +959,11 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
974
959
|
return { content: [{ type: "text", text: `Permission '${permissionId}' deleted.` }] };
|
|
975
960
|
}
|
|
976
961
|
catch (error) {
|
|
977
|
-
return { content: [{ type: "text", text: formatError(error, `deleting permission '${permissionId}'`) }], isError: true };
|
|
962
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `deleting permission '${permissionId}'`) }], isError: true };
|
|
978
963
|
}
|
|
979
964
|
}));
|
|
980
965
|
// ── Resources ──────────────────────────────────────────────────────
|
|
981
|
-
|
|
966
|
+
(0, _register_js_1.registerTool)(server, "list_resources", "List all protected resource definitions in the workspace. Resources are the things permissions act on (e.g., 'workspace::records', 'workspace::functions').", {
|
|
982
967
|
page: zod_1.z.number().optional().describe("Page number (default: 1)"),
|
|
983
968
|
pageSize: zod_1.z.number().optional().describe("Results per page (default: 20)"),
|
|
984
969
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ page, pageSize }) {
|
|
@@ -992,10 +977,10 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
992
977
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
993
978
|
}
|
|
994
979
|
catch (error) {
|
|
995
|
-
return { content: [{ type: "text", text: formatError(error, "listing resources") }], isError: true };
|
|
980
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, "listing resources") }], isError: true };
|
|
996
981
|
}
|
|
997
982
|
}));
|
|
998
|
-
|
|
983
|
+
(0, _register_js_1.registerTool)(server, "get_resource", "Get details of a protected resource definition by ID.", {
|
|
999
984
|
resourceId: zod_1.z.string().describe("The resource ID"),
|
|
1000
985
|
}, (_a) => __awaiter(this, [_a], void 0, function* ({ resourceId }) {
|
|
1001
986
|
try {
|
|
@@ -1003,7 +988,7 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, curr
|
|
|
1003
988
|
return { content: [{ type: "text", text: JSON.stringify(result.data, null, 2) }] };
|
|
1004
989
|
}
|
|
1005
990
|
catch (error) {
|
|
1006
|
-
return { content: [{ type: "text", text: formatError(error, `getting resource '${resourceId}'`) }], isError: true };
|
|
991
|
+
return { content: [{ type: "text", text: (0, _register_js_1.formatError)(error, `getting resource '${resourceId}'`) }], isError: true };
|
|
1007
992
|
}
|
|
1008
993
|
}));
|
|
1009
994
|
}
|