@prysmid/mcp 0.1.1

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of tracking or improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Support. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or support.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Prysmid
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied. See the License for the specific language governing
+   permissions and limitations under the License.

package/README.md

@@ -0,0 +1,58 @@
+# `@prysmid/mcp` — Official Prysmid MCP server
+
+Manage your Prysmid auth workspace from any MCP-compatible agent: Claude Code, Cursor, Continue, your own runtime — anything that speaks the Model Context Protocol.
+
+## What it does
+
+Exposes the full Prysmid platform API as MCP tools so an agent can:
+
+- create workspaces
+- configure login policies (passwords, MFA, passkey-first, lockout)
+- add identity providers (Google, GitHub, Microsoft, generic OIDC)
+- create OIDC apps (with redirect URIs, PKCE, dev mode)
+- manage users (invite, list, remove)
+- update branding (logos, colors, label policy)
+- manage SMTP overrides
+- query subscription / billing state
+
+## Install
+
+> Pre-1.0 — distribution is via GitHub for now; `@prysmid/mcp` on npm is on the way.
+
+Pin to a specific version (recommended):
+
+```bash
+claude mcp add prysmid -- npx -y github:PrysmID/mcp-server#v0.1.0
+```
+
+Or float to the tip of `main`:
+
+```bash
+claude mcp add prysmid -- npx -y github:PrysmID/mcp-server
+```
+
+(or the equivalent for your agent)
+
+For now, auth is bearer-token-only via env var:
+
+```bash
+PRYSMID_API_TOKEN=ptkn_… npx -y github:PrysmID/mcp-server
+```
+
+OAuth device flow with token caching at `~/.config/prysmid-mcp/token.json` (Unix) or `%APPDATA%/prysmid-mcp/token.json` (Windows) is queued for a follow-up release.
+
+## Configuration
+
+| Env var | Default | Notes |
+|---|---|---|
+| `PRYSMID_API_BASE` | `https://api.prysmid.com` | Override for self-hosted Prysmid |
+| `PRYSMID_API_TOKEN` | — | Static bearer (skip device flow) |
+| `PRYSMID_MCP_LOG_LEVEL` | `info` | `debug` for verbose tool tracing |
+
+## Status
+
+🚧 Pre-1.0. APIs are stable but the tool surface evolves with the platform. Track the [changelog](CHANGELOG.md).
+
+## License
+
+Apache-2.0

package/dist/index.js

@@ -0,0 +1,631 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+
+// src/client.ts
+var PrysmidApiError = class extends Error {
+  constructor(message, status, body, code) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.code = code;
+    this.name = "PrysmidApiError";
+  }
+  status;
+  body;
+  code;
+};
+var PrysmidClient = class {
+  constructor(cfg, log) {
+    this.cfg = cfg;
+    this.log = log;
+  }
+  cfg;
+  log;
+  async request(path, opts = {}) {
+    if (!this.cfg.apiToken) {
+      throw new PrysmidApiError(
+        "No PRYSMID_API_TOKEN configured. Set the env var or run device-flow login.",
+        401,
+        "",
+        "auth.no_token"
+      );
+    }
+    const url = new URL(this.cfg.apiBase + path);
+    if (opts.query) {
+      for (const [k, v] of Object.entries(opts.query)) {
+        if (v !== void 0) url.searchParams.set(k, String(v));
+      }
+    }
+    const method = opts.method ?? "GET";
+    const headers = {
+      Authorization: `Bearer ${this.cfg.apiToken}`,
+      Accept: "application/json"
+    };
+    if (opts.body !== void 0) headers["Content-Type"] = "application/json";
+    this.log.debug(`HTTP ${method} ${url.pathname}`);
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+    });
+    const text = await res.text();
+    if (!res.ok) {
+      let code;
+      try {
+        const parsed = JSON.parse(text);
+        code = typeof parsed?.error === "string" ? parsed.error : parsed?.code;
+      } catch {
+      }
+      throw new PrysmidApiError(
+        `Prysmid API ${res.status} on ${method} ${path}`,
+        res.status,
+        text,
+        code
+      );
+    }
+    if (text === "") return void 0;
+    try {
+      return JSON.parse(text);
+    } catch {
+      return text;
+    }
+  }
+};
+
+// src/config.ts
+var DEFAULT_API_BASE = "https://api.prysmid.com";
+function loadConfig(env = process.env) {
+  const apiBase = (env.PRYSMID_API_BASE ?? DEFAULT_API_BASE).replace(/\/+$/, "");
+  const apiToken = env.PRYSMID_API_TOKEN?.trim() || null;
+  const rawLevel = (env.PRYSMID_MCP_LOG_LEVEL ?? "info").toLowerCase();
+  const logLevel = rawLevel === "debug" || rawLevel === "warn" || rawLevel === "error" ? rawLevel : "info";
+  return { apiBase, apiToken, logLevel };
+}
+
+// src/logger.ts
+var ORDER = { debug: 10, info: 20, warn: 30, error: 40 };
+function makeLogger(cfg) {
+  const threshold = ORDER[cfg.logLevel];
+  function emit(level, msg, extra) {
+    if (ORDER[level] < threshold) return;
+    const ts = (/* @__PURE__ */ new Date()).toISOString();
+    const payload = extra === void 0 ? "" : ` ${safeJSON(extra)}`;
+    process.stderr.write(`${ts} ${level.toUpperCase()} ${msg}${payload}
+`);
+  }
+  return {
+    debug: (m, e) => emit("debug", m, e),
+    info: (m, e) => emit("info", m, e),
+    warn: (m, e) => emit("warn", m, e),
+    error: (m, e) => emit("error", m, e)
+  };
+}
+function safeJSON(x) {
+  try {
+    return JSON.stringify(x);
+  } catch {
+    return String(x);
+  }
+}
+
+// src/tools/registry.ts
+function defineTool(t) {
+  return t;
+}
+function registerAll(server, ctx, tools9) {
+  for (const tool of tools9) {
+    server.registerTool(
+      tool.name,
+      {
+        description: tool.description,
+        inputSchema: tool.inputShape
+      },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      async (input) => {
+        try {
+          const result = await tool.handler(input, ctx);
+          return {
+            content: [
+              {
+                type: "text",
+                text: typeof result === "string" ? result : JSON.stringify(result, null, 2)
+              }
+            ]
+          };
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          ctx.log.error(`tool ${tool.name} failed`, { message });
+          return {
+            isError: true,
+            content: [
+              { type: "text", text: `error: ${message}` }
+            ]
+          };
+        }
+      }
+    );
+  }
+}
+
+// src/tools/apps.ts
+import { z } from "zod";
+var listApps = defineTool({
+  name: "list_apps",
+  description: "List all OIDC apps in a workspace.",
+  inputShape: {
+    workspace: z.string().min(1).describe("Workspace slug or UUID")
+  },
+  handler: async ({ workspace }, { client }) => client.request(`/v1/workspaces/${encodeURIComponent(workspace)}/apps`)
+});
+var createOidcApp = defineTool({
+  name: "create_oidc_app",
+  description: "Create an OIDC application in a workspace. Returns client_id (and client_secret if confidential). Use auth_method=NONE for SPA/PKCE; use BASIC for confidential web apps.",
+  inputShape: {
+    workspace: z.string().min(1),
+    name: z.string().min(1).max(255),
+    redirect_uris: z.array(z.string().url()).min(1),
+    post_logout_redirect_uris: z.array(z.string().url()).optional(),
+    app_type: z.enum([
+      "OIDC_APP_TYPE_WEB",
+      "OIDC_APP_TYPE_USER_AGENT",
+      "OIDC_APP_TYPE_NATIVE"
+    ]).default("OIDC_APP_TYPE_WEB"),
+    auth_method: z.enum([
+      "OIDC_AUTH_METHOD_TYPE_NONE",
+      "OIDC_AUTH_METHOD_TYPE_BASIC",
+      "OIDC_AUTH_METHOD_TYPE_POST"
+    ]).default("OIDC_AUTH_METHOD_TYPE_NONE"),
+    dev_mode: z.boolean().default(false).describe(
+      "Skip redirect URI HTTPS check \u2014 only for local dev, NEVER prod."
+    )
+  },
+  handler: async ({ workspace, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/apps`,
+    { method: "POST", body }
+  )
+});
+var deleteOidcApp = defineTool({
+  name: "delete_oidc_app",
+  description: "Delete an OIDC app. Idempotent \u2014 404 returns success.",
+  inputShape: {
+    workspace: z.string().min(1),
+    app_id: z.string().min(1)
+  },
+  handler: async ({ workspace, app_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/apps/${encodeURIComponent(app_id)}`,
+    { method: "DELETE" }
+  )
+});
+var tools = [listApps, createOidcApp, deleteOidcApp];
+
+// src/tools/billing.ts
+import { z as z2 } from "zod";
+var getBilling = defineTool({
+  name: "get_billing",
+  description: "Get current billing state: plan, subscription status, current period, spending_cap_cents, signups_blocked.",
+  inputShape: {
+    workspace: z2.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/billing`
+  )
+});
+var setSpendingCap = defineTool({
+  name: "set_spending_cap",
+  description: "Cap monthly Pro overage spend (cents). Pass null to remove cap (unlimited). When projected overage exceeds cap, signups_blocked flips on.",
+  inputShape: {
+    workspace: z2.string().min(1),
+    spending_cap_cents: z2.number().int().min(0).max(1e7).nullable().describe("Max overage cents per period; null = unlimited")
+  },
+  handler: async ({ workspace, spending_cap_cents }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/billing/spending-cap`,
+    { method: "PATCH", body: { spending_cap_cents } }
+  )
+});
+var startCheckout = defineTool({
+  name: "start_billing_checkout",
+  description: "Create a Stripe Checkout session for upgrading. Returns the URL the user must visit. Plan must be `pro` (Free has no checkout; Enterprise is sales-only).",
+  inputShape: {
+    workspace: z2.string().min(1),
+    plan: z2.enum(["pro"])
+  },
+  handler: async ({ workspace, plan }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/billing/checkout`,
+    { method: "POST", body: { plan } }
+  )
+});
+var startBillingPortal = defineTool({
+  name: "start_billing_portal",
+  description: "Create a Stripe customer-portal session URL where the user manages payment methods, downloads invoices, cancels subscription.",
+  inputShape: {
+    workspace: z2.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/billing/portal`,
+    { method: "POST" }
+  )
+});
+var tools2 = [
+  getBilling,
+  setSpendingCap,
+  startCheckout,
+  startBillingPortal
+];
+
+// src/tools/branding.ts
+import { z as z3 } from "zod";
+var getBranding = defineTool({
+  name: "get_branding",
+  description: "Return the workspace's active branding policy (colors, fonts, hide-prysmid-watermark flag, logo URLs).",
+  inputShape: {
+    workspace: z3.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/branding`
+  )
+});
+var updateBranding = defineTool({
+  name: "update_branding",
+  description: "Update branding colors and watermark. Hex colors as `#RRGGBB`. Activates the policy after update \u2014 change shows on next login screen render.",
+  inputShape: {
+    workspace: z3.string().min(1),
+    primary_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    background_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    warn_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    font_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    disable_watermark: z3.boolean().optional().describe(
+      "Hide 'Powered by Prysmid' on the login screen (Pro+ only \u2014 Free silently ignored)."
+    )
+  },
+  handler: async ({ workspace, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/branding`,
+    { method: "PATCH", body }
+  )
+});
+var tools3 = [getBranding, updateBranding];
+
+// src/tools/curated.ts
+import { z as z4 } from "zod";
+var SetupWorkspaceOutput = z4.object({
+  workspace_id: z4.string(),
+  slug: z4.string(),
+  auth_domain: z4.string(),
+  state: z4.string()
+});
+var setupPrysmidWorkspace = defineTool({
+  name: "setup_prysmid_workspace",
+  description: "Create a new workspace and wait until it's fully provisioned (Zitadel instance, SMTP, DNS). Returns the live auth_domain ready to integrate.",
+  inputShape: {
+    slug: z4.string().min(2).max(63).regex(/^[a-z0-9-]+$/),
+    display_name: z4.string().min(1),
+    timeout_seconds: z4.number().int().min(10).max(300).default(120).describe("Max time to wait for provisioning before returning.")
+  },
+  handler: async ({ slug, display_name, timeout_seconds }, { client, log }) => {
+    const created = await client.request("/v1/workspaces", {
+      method: "POST",
+      body: { slug, display_name }
+    });
+    const deadline = Date.now() + timeout_seconds * 1e3;
+    while (Date.now() < deadline) {
+      const ws = await client.request(
+        `/v1/workspaces/${encodeURIComponent(created.id)}`
+      );
+      if (ws.state === "active") {
+        return SetupWorkspaceOutput.parse({
+          workspace_id: ws.id,
+          slug: ws.slug,
+          auth_domain: ws.auth_domain ?? `auth.${ws.slug}.prysmid.com`,
+          state: ws.state
+        });
+      }
+      if (ws.state === "provisioning_failed") {
+        throw new Error(
+          `Workspace provisioning failed: ${ws.provisioning_error ?? "unknown reason"}`
+        );
+      }
+      log.debug(`workspace ${created.id} state=${ws.state}, polling\u2026`);
+      await sleep(3e3);
+    }
+    throw new Error(
+      `Workspace did not reach state=active within ${timeout_seconds}s`
+    );
+  }
+});
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+var enableGoogleLogin = defineTool({
+  name: "enable_google_login",
+  description: "Add Google as an identity provider on a workspace and enable external IdPs in the login policy. Hands you a checklist if external IdPs were already disabled \u2014 agent should confirm before flipping that flag.",
+  inputShape: {
+    workspace: z4.string().min(1),
+    google_client_id: z4.string().min(1),
+    google_client_secret: z4.string().min(1),
+    name: z4.string().default("Google")
+  },
+  handler: async ({ workspace, google_client_id, google_client_secret, name }, { client }) => {
+    const idp = await client.request(
+      `/v1/workspaces/${encodeURIComponent(workspace)}/idps`,
+      {
+        method: "POST",
+        body: {
+          provider: "google",
+          name,
+          config: {
+            client_id: google_client_id,
+            client_secret: google_client_secret
+          }
+        }
+      }
+    );
+    await client.request(
+      `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,
+      { method: "PATCH", body: { allow_external_idp: true } }
+    );
+    return { idp, login_policy: "allow_external_idp=true" };
+  }
+});
+var prysmidSetupCheck = defineTool({
+  name: "prysmid_setup_check",
+  description: "Run a readiness checklist on a workspace: state=active, \u22651 OIDC app, \u22651 IdP OR password+register enabled, branding has a primary_color set, login_policy reasonable. Returns pass/fail per item plus a summary verdict.",
+  inputShape: {
+    workspace: z4.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => {
+    const ws = await client.request(
+      `/v1/workspaces/${encodeURIComponent(workspace)}`
+    );
+    const apps = await client.request(
+      `/v1/workspaces/${encodeURIComponent(workspace)}/apps`
+    );
+    const idps = await client.request(
+      `/v1/workspaces/${encodeURIComponent(workspace)}/idps`
+    );
+    const policy = await client.request(
+      `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`
+    );
+    const branding = await client.request(
+      `/v1/workspaces/${encodeURIComponent(workspace)}/branding`
+    );
+    const checks = [
+      {
+        ok: ws.state === "active",
+        name: "workspace_active",
+        details: `state=${ws.state}`
+      },
+      {
+        ok: apps.length > 0,
+        name: "has_at_least_one_app",
+        details: `${apps.length} apps`
+      },
+      {
+        ok: idps.length > 0 || policy.allow_username_password === true && policy.allow_register === true,
+        name: "users_can_sign_in",
+        details: idps.length > 0 ? `${idps.length} idps` : "no idps; must allow username+password+register"
+      },
+      {
+        ok: !!branding.primary_color,
+        name: "branding_primary_color_set"
+      },
+      {
+        ok: policy.force_mfa === true || idps.length > 0,
+        name: "auth_strength_reasonable",
+        details: policy.force_mfa ? "force_mfa=true" : "MFA off but external IdP present"
+      }
+    ];
+    const verdict = checks.every((c) => c.ok) ? "ready" : "incomplete";
+    return { verdict, checks };
+  }
+});
+var tools4 = [
+  setupPrysmidWorkspace,
+  enableGoogleLogin,
+  prysmidSetupCheck
+];
+
+// src/tools/idps.ts
+import { z as z5 } from "zod";
+var listIdps = defineTool({
+  name: "list_idps",
+  description: "List identity providers (Google/GitHub/Microsoft/OIDC) configured on a workspace.",
+  inputShape: {
+    workspace: z5.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(`/v1/workspaces/${encodeURIComponent(workspace)}/idps`)
+});
+var addIdp = defineTool({
+  name: "add_idp",
+  description: "Add an identity provider to the workspace and attach it to the login policy in one atomic call. Provider-specific fields go in `config`.",
+  inputShape: {
+    workspace: z5.string().min(1),
+    provider: z5.enum(["google", "github", "azure_ad", "oidc"]),
+    name: z5.string().min(1).describe("Display name shown on login screen"),
+    config: z5.object({
+      client_id: z5.string().min(1),
+      client_secret: z5.string().min(1),
+      scopes: z5.array(z5.string()).optional(),
+      issuer: z5.string().url().optional().describe("Required for `oidc`; ignored otherwise"),
+      tenant_id: z5.string().optional().describe(
+        "Required for `azure_ad` to lock to a specific Microsoft tenant"
+      )
+    }).describe("Provider-specific OAuth config")
+  },
+  handler: async ({ workspace, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/idps`,
+    { method: "POST", body }
+  )
+});
+var deleteIdp = defineTool({
+  name: "delete_idp",
+  description: "Remove an identity provider. Strips it from the login policy then deletes the config. Idempotent.",
+  inputShape: {
+    workspace: z5.string().min(1),
+    idp_id: z5.string().min(1)
+  },
+  handler: async ({ workspace, idp_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp_id)}`,
+    { method: "DELETE" }
+  )
+});
+var tools5 = [listIdps, addIdp, deleteIdp];
+
+// src/tools/login_policy.ts
+import { z as z6 } from "zod";
+var getLoginPolicy = defineTool({
+  name: "get_login_policy",
+  description: "Return the workspace's current login policy (password rules, MFA, IdPs allowed, lockout, etc.).",
+  inputShape: {
+    workspace: z6.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`
+  )
+});
+var updateLoginPolicy = defineTool({
+  name: "update_login_policy",
+  description: "Update the login policy. PATCH semantics \u2014 only fields you pass are changed; other policy fields stay as they were.",
+  inputShape: {
+    workspace: z6.string().min(1),
+    allow_username_password: z6.boolean().optional(),
+    allow_register: z6.boolean().optional(),
+    allow_external_idp: z6.boolean().optional(),
+    force_mfa: z6.boolean().optional().describe("Require any second factor at login"),
+    passwordless_type: z6.enum([
+      "PASSWORDLESS_TYPE_NOT_ALLOWED",
+      "PASSWORDLESS_TYPE_ALLOWED"
+    ]).optional().describe("Enables passkey-first when set to ALLOWED"),
+    max_password_attempts: z6.number().int().min(0).max(20).optional(),
+    lockout_password_attempts: z6.number().int().min(0).max(20).optional()
+  },
+  handler: async ({ workspace, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,
+    { method: "PATCH", body }
+  )
+});
+var tools6 = [getLoginPolicy, updateLoginPolicy];
+
+// src/tools/users.ts
+import { z as z7 } from "zod";
+var listUsers = defineTool({
+  name: "list_users",
+  description: "List human users in a workspace.",
+  inputShape: {
+    workspace: z7.string().min(1),
+    limit: z7.number().int().min(1).max(500).default(100)
+  },
+  handler: async ({ workspace, limit }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/users`,
+    { query: { limit } }
+  )
+});
+var inviteUser = defineTool({
+  name: "invite_user",
+  description: "Invite a user by email. Idempotent by email \u2014 re-inviting an existing user is a no-op. Triggers a Zitadel init email with a 'set your password' link.",
+  inputShape: {
+    workspace: z7.string().min(1),
+    email: z7.string().regex(/^[^\s@]+@[^\s@]+\.[^\s@]+$/, "must be a valid email"),
+    first_name: z7.string().min(1),
+    last_name: z7.string().min(1),
+    preferred_language: z7.string().length(2).default("en").describe("ISO 639-1, e.g. en/es/pt")
+  },
+  handler: async ({ workspace, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/users/invite`,
+    { method: "POST", body }
+  )
+});
+var deleteUser = defineTool({
+  name: "delete_user",
+  description: "Delete a user by id. Idempotent.",
+  inputShape: {
+    workspace: z7.string().min(1),
+    user_id: z7.string().min(1)
+  },
+  handler: async ({ workspace, user_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/users/${encodeURIComponent(user_id)}`,
+    { method: "DELETE" }
+  )
+});
+var tools7 = [listUsers, inviteUser, deleteUser];
+
+// src/tools/workspaces.ts
+import { z as z8 } from "zod";
+var listWorkspaces = defineTool({
+  name: "list_workspaces",
+  description: "List Prysmid workspaces accessible to the current API token. Returns an array of {id, slug, display_name, plan, state}.",
+  inputShape: {},
+  handler: async (_input, { client }) => client.request("/v1/workspaces", { method: "GET" })
+});
+var getWorkspace = defineTool({
+  name: "get_workspace",
+  description: "Get a single workspace by slug or id.",
+  inputShape: {
+    workspace: z8.string().min(1).describe("Workspace slug or UUID")
+  },
+  handler: async ({ workspace }, { client }) => client.request(`/v1/workspaces/${encodeURIComponent(workspace)}`)
+});
+var createWorkspace = defineTool({
+  name: "create_workspace",
+  description: "Create a new Prysmid workspace. Provisioning runs in the background; the response returns immediately with state=provisioning. Poll `get_workspace` until state=active (~30s).",
+  inputShape: {
+    slug: z8.string().min(2).max(63).regex(/^[a-z0-9-]+$/, "lowercase alphanumeric and hyphens only").describe("Subdomain-safe slug \u2014 becomes auth.<slug>.prysmid.com"),
+    display_name: z8.string().min(1).max(255)
+  },
+  handler: async (input, { client }) => client.request("/v1/workspaces", { method: "POST", body: input })
+});
+var tools8 = [listWorkspaces, getWorkspace, createWorkspace];
+
+// src/index.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, resolve } from "path";
+var SERVER_NAME = "prysmid";
+function readVersion() {
+  try {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(
+      readFileSync(resolve(here, "..", "package.json"), "utf8")
+    );
+    return typeof pkg.version === "string" ? pkg.version : "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+async function main() {
+  const cfg = loadConfig();
+  const log = makeLogger(cfg);
+  const client = new PrysmidClient(cfg, log);
+  const server = new McpServer({
+    name: SERVER_NAME,
+    version: readVersion()
+  });
+  const allTools = [
+    ...tools8,
+    ...tools,
+    ...tools5,
+    ...tools6,
+    ...tools7,
+    ...tools3,
+    ...tools2,
+    ...tools4
+  ];
+  registerAll(server, { client, log }, allTools);
+  log.info(`prysmid-mcp starting`, {
+    apiBase: cfg.apiBase,
+    tools: allTools.length,
+    authMode: cfg.apiToken ? "bearer" : "none"
+  });
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+main().catch((err) => {
+  process.stderr.write(`fatal: ${err instanceof Error ? err.stack : err}
+`);
+  process.exit(1);
+});
+export {
+  main
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/client.ts","../src/config.ts","../src/logger.ts","../src/tools/registry.ts","../src/tools/apps.ts","../src/tools/billing.ts","../src/tools/branding.ts","../src/tools/curated.ts","../src/tools/idps.ts","../src/tools/login_policy.ts","../src/tools/users.ts","../src/tools/workspaces.ts"],"sourcesContent":["/**\n * Entrypoint — boots an MCP server over stdio with the full Prysmid tool set.\n *\n * MCP transport contract:\n *   - JSON-RPC over stdin/stdout\n *   - stdout is RESERVED for protocol bytes; logs go to stderr (see logger.ts)\n *   - one process == one client; the agent spawns a fresh server per session\n */\nimport { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport { StdioServerTransport } from \"@modelcontextprotocol/sdk/server/stdio.js\";\n\nimport { PrysmidClient } from \"./client.js\";\nimport { loadConfig } from \"./config.js\";\nimport { makeLogger } from \"./logger.js\";\nimport { registerAll } from \"./tools/registry.js\";\nimport { tools as appsTools } from \"./tools/apps.js\";\nimport { tools as billingTools } from \"./tools/billing.js\";\nimport { tools as brandingTools } from \"./tools/branding.js\";\nimport { tools as curatedTools } from \"./tools/curated.js\";\nimport { tools as idpsTools } from \"./tools/idps.js\";\nimport { tools as loginPolicyTools } from \"./tools/login_policy.js\";\nimport { tools as usersTools } from \"./tools/users.js\";\nimport { tools as workspaceTools } from \"./tools/workspaces.js\";\n\nimport { readFileSync } from \"node:fs\";\nimport { fileURLToPath } from \"node:url\";\nimport { dirname, resolve } from \"node:path\";\n\nconst SERVER_NAME = \"prysmid\";\n\nfunction readVersion(): string {\n  try {\n    const here = dirname(fileURLToPath(import.meta.url));\n    const pkg = JSON.parse(\n      readFileSync(resolve(here, \"..\", \"package.json\"), \"utf8\"),\n    );\n    return typeof pkg.version === \"string\" ? pkg.version : \"0.0.0\";\n  } catch {\n    return \"0.0.0\";\n  }\n}\n\nexport async function main(): Promise<void> {\n  const cfg = loadConfig();\n  const log = makeLogger(cfg);\n  const client = new PrysmidClient(cfg, log);\n\n  const server = new McpServer({\n    name: SERVER_NAME,\n    version: readVersion(),\n  });\n\n  const allTools = [\n    ...workspaceTools,\n    ...appsTools,\n    ...idpsTools,\n    ...loginPolicyTools,\n    ...usersTools,\n    ...brandingTools,\n    ...billingTools,\n    ...curatedTools,\n  ];\n\n  registerAll(server, { client, log }, allTools);\n\n  log.info(`prysmid-mcp starting`, {\n    apiBase: cfg.apiBase,\n    tools: allTools.length,\n    authMode: cfg.apiToken ? \"bearer\" : \"none\",\n  });\n\n  const transport = new StdioServerTransport();\n  await server.connect(transport);\n}\n\n// This module is only ever invoked as the package bin (MCP servers run as a\n// process per session). Cross-platform `import.meta.url === file://<argv[1]>`\n// is fragile (Windows backslash vs forward slash; symlinked paths) so we\n// just always boot.\nmain().catch((err) => {\n  process.stderr.write(`fatal: ${err instanceof Error ? err.stack : err}\\n`);\n  process.exit(1);\n});\n","/**\n * Prysmid API client — thin fetch wrapper that adds auth + maps errors.\n *\n * Auth model (MVP): static bearer via `PRYSMID_API_TOKEN`. Device-flow OAuth\n * lives in `auth.ts` and produces a token compatible with this client.\n */\nimport type { Config } from \"./config.js\";\nimport type { Logger } from \"./logger.js\";\n\nexport class PrysmidApiError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number,\n    public readonly body: string,\n    public readonly code?: string,\n  ) {\n    super(message);\n    this.name = \"PrysmidApiError\";\n  }\n}\n\nexport interface RequestOptions {\n  method?: \"GET\" | \"POST\" | \"PUT\" | \"PATCH\" | \"DELETE\";\n  body?: unknown;\n  query?: Record<string, string | number | boolean | undefined>;\n}\n\nexport class PrysmidClient {\n  constructor(\n    private readonly cfg: Config,\n    private readonly log: Logger,\n  ) {}\n\n  async request<T = unknown>(path: string, opts: RequestOptions = {}): Promise<T> {\n    if (!this.cfg.apiToken) {\n      throw new PrysmidApiError(\n        \"No PRYSMID_API_TOKEN configured. Set the env var or run device-flow login.\",\n        401,\n        \"\",\n        \"auth.no_token\",\n      );\n    }\n\n    const url = new URL(this.cfg.apiBase + path);\n    if (opts.query) {\n      for (const [k, v] of Object.entries(opts.query)) {\n        if (v !== undefined) url.searchParams.set(k, String(v));\n      }\n    }\n\n    const method = opts.method ?? \"GET\";\n    const headers: Record<string, string> = {\n      Authorization: `Bearer ${this.cfg.apiToken}`,\n      Accept: \"application/json\",\n    };\n    if (opts.body !== undefined) headers[\"Content-Type\"] = \"application/json\";\n\n    this.log.debug(`HTTP ${method} ${url.pathname}`);\n    const res = await fetch(url, {\n      method,\n      headers,\n      body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,\n    });\n\n    const text = await res.text();\n    if (!res.ok) {\n      let code: string | undefined;\n      try {\n        const parsed = JSON.parse(text);\n        code = typeof parsed?.error === \"string\" ? parsed.error : parsed?.code;\n      } catch {\n        // body wasn't JSON\n      }\n      throw new PrysmidApiError(\n        `Prysmid API ${res.status} on ${method} ${path}`,\n        res.status,\n        text,\n        code,\n      );\n    }\n\n    if (text === \"\") return undefined as T;\n    try {\n      return JSON.parse(text) as T;\n    } catch {\n      return text as unknown as T;\n    }\n  }\n}\n","/**\n * Runtime configuration. Pulled from env at startup; immutable thereafter.\n *\n * The MCP runs as a long-lived stdio process — env reads happen once.\n */\n\nexport interface Config {\n  apiBase: string;\n  apiToken: string | null;\n  logLevel: \"debug\" | \"info\" | \"warn\" | \"error\";\n}\n\nconst DEFAULT_API_BASE = \"https://api.prysmid.com\";\n\nexport function loadConfig(env: NodeJS.ProcessEnv = process.env): Config {\n  const apiBase = (env.PRYSMID_API_BASE ?? DEFAULT_API_BASE).replace(/\\/+$/, \"\");\n  const apiToken = env.PRYSMID_API_TOKEN?.trim() || null;\n  const rawLevel = (env.PRYSMID_MCP_LOG_LEVEL ?? \"info\").toLowerCase();\n  const logLevel: Config[\"logLevel\"] =\n    rawLevel === \"debug\" || rawLevel === \"warn\" || rawLevel === \"error\"\n      ? rawLevel\n      : \"info\";\n  return { apiBase, apiToken, logLevel };\n}\n","/**\n * stderr-only logger. MCP servers MUST NOT write to stdout — that channel\n * is reserved for the JSON-RPC protocol; any stray byte breaks the agent.\n */\nimport type { Config } from \"./config.js\";\n\nconst ORDER = { debug: 10, info: 20, warn: 30, error: 40 } as const;\n\nexport interface Logger {\n  debug: (msg: string, extra?: unknown) => void;\n  info: (msg: string, extra?: unknown) => void;\n  warn: (msg: string, extra?: unknown) => void;\n  error: (msg: string, extra?: unknown) => void;\n}\n\nexport function makeLogger(cfg: Pick<Config, \"logLevel\">): Logger {\n  const threshold = ORDER[cfg.logLevel];\n\n  function emit(level: keyof typeof ORDER, msg: string, extra?: unknown) {\n    if (ORDER[level] < threshold) return;\n    const ts = new Date().toISOString();\n    const payload = extra === undefined ? \"\" : ` ${safeJSON(extra)}`;\n    process.stderr.write(`${ts} ${level.toUpperCase()} ${msg}${payload}\\n`);\n  }\n\n  return {\n    debug: (m, e) => emit(\"debug\", m, e),\n    info: (m, e) => emit(\"info\", m, e),\n    warn: (m, e) => emit(\"warn\", m, e),\n    error: (m, e) => emit(\"error\", m, e),\n  };\n}\n\nfunction safeJSON(x: unknown): string {\n  try {\n    return JSON.stringify(x);\n  } catch {\n    return String(x);\n  }\n}\n","/**\n * Tool registry — single place where every MCP tool lives. Each tool exports\n * its input schema (Zod) + handler; `registerAll` wires them into the SDK.\n *\n * Two flavors of tools coexist:\n *   - generated: 1:1 with REST endpoints, produced by `scripts/generate-tools.ts`\n *     (lives under `tools/generated/*` once the script runs)\n *   - curated: high-level orchestrators a human/agent actually wants to call,\n *     e.g. `setup_prysmid_workspace(company_name)` that combines several\n *     endpoints. These live under `tools/curated/*`.\n *\n * Both share the same `Tool` shape so the registry is uniform.\n */\nimport type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport { z } from \"zod\";\n\nimport type { PrysmidClient } from \"../client.js\";\nimport type { Logger } from \"../logger.js\";\n\nexport interface ToolContext {\n  client: PrysmidClient;\n  log: Logger;\n}\n\nexport interface ToolDef<I extends z.ZodRawShape> {\n  name: string;\n  description: string;\n  inputShape: I;\n  /**\n   * Handler returns plain JSON-able output. The SDK serializes it into\n   * MCP `content` blocks; we wrap to text by default (most MCP UIs render it\n   * better than structured content).\n   */\n  handler: (\n    input: z.infer<z.ZodObject<I>>,\n    ctx: ToolContext,\n  ) => Promise<unknown>;\n}\n\nexport function defineTool<I extends z.ZodRawShape>(t: ToolDef<I>): ToolDef<I> {\n  return t;\n}\n\n// `ToolDef<any>` here intentionally — the array is heterogeneous (each tool\n// has its own input shape) and the SDK's registerTool only cares about the\n// runtime Zod object, not compile-time type inference. Without `any` there's\n// no single ZodRawShape that satisfies every entry simultaneously.\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport function registerAll(\n  server: McpServer,\n  ctx: ToolContext,\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  tools: ReadonlyArray<ToolDef<any>>,\n): void {\n  for (const tool of tools) {\n    server.registerTool(\n      tool.name,\n      {\n        description: tool.description,\n        inputSchema: tool.inputShape,\n      },\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      async (input: any) => {\n        try {\n          const result = await tool.handler(input, ctx);\n          return {\n            content: [\n              {\n                type: \"text\" as const,\n                text:\n                  typeof result === \"string\"\n                    ? result\n                    : JSON.stringify(result, null, 2),\n              },\n            ],\n          };\n        } catch (err) {\n          const message = err instanceof Error ? err.message : String(err);\n          ctx.log.error(`tool ${tool.name} failed`, { message });\n          return {\n            isError: true,\n            content: [\n              { type: \"text\" as const, text: `error: ${message}` },\n            ],\n          };\n        }\n      },\n    );\n  }\n}\n","/**\n * OIDC application tools — list, create, delete on a workspace's apps.\n * Apps are the integration unit: each one represents one downstream service\n * (web app, mobile app, CLI) that authenticates via Prysmid.\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nexport const listApps = defineTool({\n  name: \"list_apps\",\n  description: \"List all OIDC apps in a workspace.\",\n  inputShape: {\n    workspace: z.string().min(1).describe(\"Workspace slug or UUID\"),\n  },\n  handler: async ({ workspace }, { client }) =>\n    client.request(`/v1/workspaces/${encodeURIComponent(workspace)}/apps`),\n});\n\nexport const createOidcApp = defineTool({\n  name: \"create_oidc_app\",\n  description:\n    \"Create an OIDC application in a workspace. Returns client_id (and client_secret if confidential). Use auth_method=NONE for SPA/PKCE; use BASIC for confidential web apps.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    name: z.string().min(1).max(255),\n    redirect_uris: z.array(z.string().url()).min(1),\n    post_logout_redirect_uris: z.array(z.string().url()).optional(),\n    app_type: z\n      .enum([\n        \"OIDC_APP_TYPE_WEB\",\n        \"OIDC_APP_TYPE_USER_AGENT\",\n        \"OIDC_APP_TYPE_NATIVE\",\n      ])\n      .default(\"OIDC_APP_TYPE_WEB\"),\n    auth_method: z\n      .enum([\n        \"OIDC_AUTH_METHOD_TYPE_NONE\",\n        \"OIDC_AUTH_METHOD_TYPE_BASIC\",\n        \"OIDC_AUTH_METHOD_TYPE_POST\",\n      ])\n      .default(\"OIDC_AUTH_METHOD_TYPE_NONE\"),\n    dev_mode: z\n      .boolean()\n      .default(false)\n      .describe(\n        \"Skip redirect URI HTTPS check — only for local dev, NEVER prod.\",\n      ),\n  },\n  handler: async ({ workspace, ...body }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/apps`,\n      { method: \"POST\", body },\n    ),\n});\n\nexport const deleteOidcApp = defineTool({\n  name: \"delete_oidc_app\",\n  description: \"Delete an OIDC app. Idempotent — 404 returns success.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    app_id: z.string().min(1),\n  },\n  handler: async ({ workspace, app_id }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/apps/${encodeURIComponent(app_id)}`,\n      { method: \"DELETE\" },\n    ),\n});\n\nexport const tools = [listApps, createOidcApp, deleteOidcApp] as const;\n","/**\n * Billing tools — read state, manage spending cap, generate Stripe portal URL.\n * Checkout/upgrade flow returns a Stripe-hosted URL; the agent surfaces it to\n * the user for them to navigate (we don't process payment data here).\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nexport const getBilling = defineTool({\n  name: \"get_billing\",\n  description:\n    \"Get current billing state: plan, subscription status, current period, spending_cap_cents, signups_blocked.\",\n  inputShape: {\n    workspace: z.string().min(1),\n  },\n  handler: async ({ workspace }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/billing`,\n    ),\n});\n\nexport const setSpendingCap = defineTool({\n  name: \"set_spending_cap\",\n  description:\n    \"Cap monthly Pro overage spend (cents). Pass null to remove cap (unlimited). When projected overage exceeds cap, signups_blocked flips on.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    spending_cap_cents: z\n      .number()\n      .int()\n      .min(0)\n      .max(10_000_000)\n      .nullable()\n      .describe(\"Max overage cents per period; null = unlimited\"),\n  },\n  handler: async ({ workspace, spending_cap_cents }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/billing/spending-cap`,\n      { method: \"PATCH\", body: { spending_cap_cents } },\n    ),\n});\n\nexport const startCheckout = defineTool({\n  name: \"start_billing_checkout\",\n  description:\n    \"Create a Stripe Checkout session for upgrading. Returns the URL the user must visit. Plan must be `pro` (Free has no checkout; Enterprise is sales-only).\",\n  inputShape: {\n    workspace: z.string().min(1),\n    plan: z.enum([\"pro\"]),\n  },\n  handler: async ({ workspace, plan }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/billing/checkout`,\n      { method: \"POST\", body: { plan } },\n    ),\n});\n\nexport const startBillingPortal = defineTool({\n  name: \"start_billing_portal\",\n  description:\n    \"Create a Stripe customer-portal session URL where the user manages payment methods, downloads invoices, cancels subscription.\",\n  inputShape: {\n    workspace: z.string().min(1),\n  },\n  handler: async ({ workspace }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/billing/portal`,\n      { method: \"POST\" },\n    ),\n});\n\nexport const tools = [\n  getBilling,\n  setSpendingCap,\n  startCheckout,\n  startBillingPortal,\n] as const;\n","/**\n * Branding tools — colors, fonts, logo for the login page. Logo upload is\n * out of MCP scope (multipart binary uploads don't fit MCP tool semantics\n * cleanly); use the dashboard or API directly for that.\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nexport const getBranding = defineTool({\n  name: \"get_branding\",\n  description:\n    \"Return the workspace's active branding policy (colors, fonts, hide-prysmid-watermark flag, logo URLs).\",\n  inputShape: {\n    workspace: z.string().min(1),\n  },\n  handler: async ({ workspace }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/branding`,\n    ),\n});\n\nexport const updateBranding = defineTool({\n  name: \"update_branding\",\n  description:\n    \"Update branding colors and watermark. Hex colors as `#RRGGBB`. Activates the policy after update — change shows on next login screen render.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    primary_color: z\n      .string()\n      .regex(/^#[0-9a-fA-F]{6}$/)\n      .optional(),\n    background_color: z\n      .string()\n      .regex(/^#[0-9a-fA-F]{6}$/)\n      .optional(),\n    warn_color: z\n      .string()\n      .regex(/^#[0-9a-fA-F]{6}$/)\n      .optional(),\n    font_color: z\n      .string()\n      .regex(/^#[0-9a-fA-F]{6}$/)\n      .optional(),\n    disable_watermark: z\n      .boolean()\n      .optional()\n      .describe(\n        \"Hide 'Powered by Prysmid' on the login screen (Pro+ only — Free silently ignored).\",\n      ),\n  },\n  handler: async ({ workspace, ...body }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/branding`,\n      { method: \"PATCH\", body },\n    ),\n});\n\nexport const tools = [getBranding, updateBranding] as const;\n","/**\n * Curated high-level tools — the ones agents would naturally reach for to\n * accomplish a goal in one call, instead of orchestrating 4 raw endpoints.\n *\n * Keep these small: each represents one end-user intent (\"set up a workspace\n * with Google login\"). Branch logic and prompts stay on the agent side; this\n * file only owns the API choreography.\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nconst SetupWorkspaceOutput = z.object({\n  workspace_id: z.string(),\n  slug: z.string(),\n  auth_domain: z.string(),\n  state: z.string(),\n});\n\nexport const setupPrysmidWorkspace = defineTool({\n  name: \"setup_prysmid_workspace\",\n  description:\n    \"Create a new workspace and wait until it's fully provisioned (Zitadel instance, SMTP, DNS). Returns the live auth_domain ready to integrate.\",\n  inputShape: {\n    slug: z\n      .string()\n      .min(2)\n      .max(63)\n      .regex(/^[a-z0-9-]+$/),\n    display_name: z.string().min(1),\n    timeout_seconds: z\n      .number()\n      .int()\n      .min(10)\n      .max(300)\n      .default(120)\n      .describe(\"Max time to wait for provisioning before returning.\"),\n  },\n  handler: async (\n    { slug, display_name, timeout_seconds },\n    { client, log },\n  ) => {\n    const created = (await client.request(\"/v1/workspaces\", {\n      method: \"POST\",\n      body: { slug, display_name },\n    })) as { id: string; slug: string; state: string; auth_domain?: string };\n\n    const deadline = Date.now() + timeout_seconds * 1000;\n    while (Date.now() < deadline) {\n      const ws = (await client.request(\n        `/v1/workspaces/${encodeURIComponent(created.id)}`,\n      )) as {\n        id: string;\n        slug: string;\n        state: string;\n        auth_domain?: string;\n        provisioning_error?: string;\n      };\n      if (ws.state === \"active\") {\n        return SetupWorkspaceOutput.parse({\n          workspace_id: ws.id,\n          slug: ws.slug,\n          auth_domain: ws.auth_domain ?? `auth.${ws.slug}.prysmid.com`,\n          state: ws.state,\n        });\n      }\n      if (ws.state === \"provisioning_failed\") {\n        throw new Error(\n          `Workspace provisioning failed: ${ws.provisioning_error ?? \"unknown reason\"}`,\n        );\n      }\n      log.debug(`workspace ${created.id} state=${ws.state}, polling…`);\n      await sleep(3000);\n    }\n    throw new Error(\n      `Workspace did not reach state=active within ${timeout_seconds}s`,\n    );\n  },\n});\n\nfunction sleep(ms: number) {\n  return new Promise((r) => setTimeout(r, ms));\n}\n\nexport const enableGoogleLogin = defineTool({\n  name: \"enable_google_login\",\n  description:\n    \"Add Google as an identity provider on a workspace and enable external IdPs in the login policy. Hands you a checklist if external IdPs were already disabled — agent should confirm before flipping that flag.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    google_client_id: z.string().min(1),\n    google_client_secret: z.string().min(1),\n    name: z.string().default(\"Google\"),\n  },\n  handler: async (\n    { workspace, google_client_id, google_client_secret, name },\n    { client },\n  ) => {\n    const idp = await client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/idps`,\n      {\n        method: \"POST\",\n        body: {\n          provider: \"google\",\n          name,\n          config: {\n            client_id: google_client_id,\n            client_secret: google_client_secret,\n          },\n        },\n      },\n    );\n\n    // Force-enable external IdP toggle in case the workspace had it off.\n    await client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,\n      { method: \"PATCH\", body: { allow_external_idp: true } },\n    );\n\n    return { idp, login_policy: \"allow_external_idp=true\" };\n  },\n});\n\ninterface SetupCheckItem {\n  ok: boolean;\n  name: string;\n  details?: string;\n}\n\nexport const prysmidSetupCheck = defineTool({\n  name: \"prysmid_setup_check\",\n  description:\n    \"Run a readiness checklist on a workspace: state=active, ≥1 OIDC app, ≥1 IdP OR password+register enabled, branding has a primary_color set, login_policy reasonable. Returns pass/fail per item plus a summary verdict.\",\n  inputShape: {\n    workspace: z.string().min(1),\n  },\n  handler: async ({ workspace }, { client }) => {\n    const ws = (await client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}`,\n    )) as { state: string; auth_domain?: string };\n    const apps = (await client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/apps`,\n    )) as unknown[];\n    const idps = (await client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/idps`,\n    )) as unknown[];\n    const policy = (await client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,\n    )) as {\n      allow_username_password?: boolean;\n      allow_register?: boolean;\n      allow_external_idp?: boolean;\n      force_mfa?: boolean;\n    };\n    const branding = (await client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/branding`,\n    )) as { primary_color?: string };\n\n    const checks: SetupCheckItem[] = [\n      {\n        ok: ws.state === \"active\",\n        name: \"workspace_active\",\n        details: `state=${ws.state}`,\n      },\n      {\n        ok: apps.length > 0,\n        name: \"has_at_least_one_app\",\n        details: `${apps.length} apps`,\n      },\n      {\n        ok:\n          idps.length > 0 ||\n          (policy.allow_username_password === true &&\n            policy.allow_register === true),\n        name: \"users_can_sign_in\",\n        details:\n          idps.length > 0\n            ? `${idps.length} idps`\n            : \"no idps; must allow username+password+register\",\n      },\n      {\n        ok: !!branding.primary_color,\n        name: \"branding_primary_color_set\",\n      },\n      {\n        ok: policy.force_mfa === true || idps.length > 0,\n        name: \"auth_strength_reasonable\",\n        details: policy.force_mfa\n          ? \"force_mfa=true\"\n          : \"MFA off but external IdP present\",\n      },\n    ];\n    const verdict = checks.every((c) => c.ok) ? \"ready\" : \"incomplete\";\n    return { verdict, checks };\n  },\n});\n\nexport const tools = [\n  setupPrysmidWorkspace,\n  enableGoogleLogin,\n  prysmidSetupCheck,\n] as const;\n","/**\n * Identity provider tools — Google, GitHub, Microsoft, generic OIDC.\n * Each create_* operation atomically: creates the IdP config AND adds it to\n * the login policy so it appears on the login screen. The Prysmid API\n * encapsulates that two-step lifecycle behind a single endpoint.\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nexport const listIdps = defineTool({\n  name: \"list_idps\",\n  description:\n    \"List identity providers (Google/GitHub/Microsoft/OIDC) configured on a workspace.\",\n  inputShape: {\n    workspace: z.string().min(1),\n  },\n  handler: async ({ workspace }, { client }) =>\n    client.request(`/v1/workspaces/${encodeURIComponent(workspace)}/idps`),\n});\n\nexport const addIdp = defineTool({\n  name: \"add_idp\",\n  description:\n    \"Add an identity provider to the workspace and attach it to the login policy in one atomic call. Provider-specific fields go in `config`.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    provider: z.enum([\"google\", \"github\", \"azure_ad\", \"oidc\"]),\n    name: z.string().min(1).describe(\"Display name shown on login screen\"),\n    config: z\n      .object({\n        client_id: z.string().min(1),\n        client_secret: z.string().min(1),\n        scopes: z.array(z.string()).optional(),\n        issuer: z\n          .string()\n          .url()\n          .optional()\n          .describe(\"Required for `oidc`; ignored otherwise\"),\n        tenant_id: z\n          .string()\n          .optional()\n          .describe(\n            \"Required for `azure_ad` to lock to a specific Microsoft tenant\",\n          ),\n      })\n      .describe(\"Provider-specific OAuth config\"),\n  },\n  handler: async ({ workspace, ...body }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/idps`,\n      { method: \"POST\", body },\n    ),\n});\n\nexport const deleteIdp = defineTool({\n  name: \"delete_idp\",\n  description:\n    \"Remove an identity provider. Strips it from the login policy then deletes the config. Idempotent.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    idp_id: z.string().min(1),\n  },\n  handler: async ({ workspace, idp_id }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp_id)}`,\n      { method: \"DELETE\" },\n    ),\n});\n\nexport const tools = [listIdps, addIdp, deleteIdp] as const;\n","/**\n * Login policy tools — control which authentication methods are allowed,\n * MFA enforcement, lockout thresholds. Patches are merge semantics on the\n * server side; only fields you set are changed.\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nexport const getLoginPolicy = defineTool({\n  name: \"get_login_policy\",\n  description:\n    \"Return the workspace's current login policy (password rules, MFA, IdPs allowed, lockout, etc.).\",\n  inputShape: {\n    workspace: z.string().min(1),\n  },\n  handler: async ({ workspace }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,\n    ),\n});\n\nexport const updateLoginPolicy = defineTool({\n  name: \"update_login_policy\",\n  description:\n    \"Update the login policy. PATCH semantics — only fields you pass are changed; other policy fields stay as they were.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    allow_username_password: z.boolean().optional(),\n    allow_register: z.boolean().optional(),\n    allow_external_idp: z.boolean().optional(),\n    force_mfa: z\n      .boolean()\n      .optional()\n      .describe(\"Require any second factor at login\"),\n    passwordless_type: z\n      .enum([\n        \"PASSWORDLESS_TYPE_NOT_ALLOWED\",\n        \"PASSWORDLESS_TYPE_ALLOWED\",\n      ])\n      .optional()\n      .describe(\"Enables passkey-first when set to ALLOWED\"),\n    max_password_attempts: z.number().int().min(0).max(20).optional(),\n    lockout_password_attempts: z.number().int().min(0).max(20).optional(),\n  },\n  handler: async ({ workspace, ...body }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,\n      { method: \"PATCH\", body },\n    ),\n});\n\nexport const tools = [getLoginPolicy, updateLoginPolicy] as const;\n","/**\n * User tools — list, invite (sends Zitadel init email), delete.\n * Invite is the primary creation path; users set their own password via the\n * email link. Direct user creation with pre-set credentials is intentionally\n * not exposed here.\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nexport const listUsers = defineTool({\n  name: \"list_users\",\n  description: \"List human users in a workspace.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    limit: z.number().int().min(1).max(500).default(100),\n  },\n  handler: async ({ workspace, limit }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/users`,\n      { query: { limit } },\n    ),\n});\n\nexport const inviteUser = defineTool({\n  name: \"invite_user\",\n  description:\n    \"Invite a user by email. Idempotent by email — re-inviting an existing user is a no-op. Triggers a Zitadel init email with a 'set your password' link.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    email: z\n      .string()\n      .regex(/^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/, \"must be a valid email\"),\n    first_name: z.string().min(1),\n    last_name: z.string().min(1),\n    preferred_language: z\n      .string()\n      .length(2)\n      .default(\"en\")\n      .describe(\"ISO 639-1, e.g. en/es/pt\"),\n  },\n  handler: async ({ workspace, ...body }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/users/invite`,\n      { method: \"POST\", body },\n    ),\n});\n\nexport const deleteUser = defineTool({\n  name: \"delete_user\",\n  description: \"Delete a user by id. Idempotent.\",\n  inputShape: {\n    workspace: z.string().min(1),\n    user_id: z.string().min(1),\n  },\n  handler: async ({ workspace, user_id }, { client }) =>\n    client.request(\n      `/v1/workspaces/${encodeURIComponent(workspace)}/users/${encodeURIComponent(user_id)}`,\n      { method: \"DELETE\" },\n    ),\n});\n\nexport const tools = [listUsers, inviteUser, deleteUser] as const;\n","/**\n * Hand-written workspace tools. These are the ones agents reach for first;\n * the rest of the surface is auto-generated from OpenAPI in a later pass.\n */\nimport { z } from \"zod\";\n\nimport { defineTool } from \"./registry.js\";\n\nexport const listWorkspaces = defineTool({\n  name: \"list_workspaces\",\n  description:\n    \"List Prysmid workspaces accessible to the current API token. Returns an array of {id, slug, display_name, plan, state}.\",\n  inputShape: {},\n  handler: async (_input, { client }) =>\n    client.request(\"/v1/workspaces\", { method: \"GET\" }),\n});\n\nexport const getWorkspace = defineTool({\n  name: \"get_workspace\",\n  description: \"Get a single workspace by slug or id.\",\n  inputShape: {\n    workspace: z\n      .string()\n      .min(1)\n      .describe(\"Workspace slug or UUID\"),\n  },\n  handler: async ({ workspace }, { client }) =>\n    client.request(`/v1/workspaces/${encodeURIComponent(workspace)}`),\n});\n\nexport const createWorkspace = defineTool({\n  name: \"create_workspace\",\n  description:\n    \"Create a new Prysmid workspace. Provisioning runs in the background; the response returns immediately with state=provisioning. Poll `get_workspace` until state=active (~30s).\",\n  inputShape: {\n    slug: z\n      .string()\n      .min(2)\n      .max(63)\n      .regex(/^[a-z0-9-]+$/, \"lowercase alphanumeric and hyphens only\")\n      .describe(\"Subdomain-safe slug — becomes auth.<slug>.prysmid.com\"),\n    display_name: z.string().min(1).max(255),\n  },\n  handler: async (input, { client }) =>\n    client.request(\"/v1/workspaces\", { method: \"POST\", body: input }),\n});\n\nexport const tools = [listWorkspaces, getWorkspace, createWorkspace] as const;\n"],"mappings":";;;AAQA,SAAS,iBAAiB;AAC1B,SAAS,4BAA4B;;;ACA9B,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,QACA,MACA,MAChB;AACA,UAAM,OAAO;AAJG;AACA;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EANkB;AAAA,EACA;AAAA,EACA;AAKpB;AAQO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YACmB,KACA,KACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAGnB,MAAM,QAAqB,MAAc,OAAuB,CAAC,GAAe;AAC9E,QAAI,CAAC,KAAK,IAAI,UAAU;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,IAAI,IAAI,KAAK,IAAI,UAAU,IAAI;AAC3C,QAAI,KAAK,OAAO;AACd,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,KAAK,GAAG;AAC/C,YAAI,MAAM,OAAW,KAAI,aAAa,IAAI,GAAG,OAAO,CAAC,CAAC;AAAA,MACxD;AAAA,IACF;AAEA,UAAM,SAAS,KAAK,UAAU;AAC9B,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,KAAK,IAAI,QAAQ;AAAA,MAC1C,QAAQ;AAAA,IACV;AACA,QAAI,KAAK,SAAS,OAAW,SAAQ,cAAc,IAAI;AAEvD,SAAK,IAAI,MAAM,QAAQ,MAAM,IAAI,IAAI,QAAQ,EAAE;AAC/C,UAAM,MAAM,MAAM,MAAM,KAAK;AAAA,MAC3B;AAAA,MACA;AAAA,MACA,MAAM,KAAK,SAAS,SAAY,KAAK,UAAU,KAAK,IAAI,IAAI;AAAA,IAC9D,CAAC;AAED,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,QAAI,CAAC,IAAI,IAAI;AACX,UAAI;AACJ,UAAI;AACF,cAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,eAAO,OAAO,QAAQ,UAAU,WAAW,OAAO,QAAQ,QAAQ;AAAA,MACpE,QAAQ;AAAA,MAER;AACA,YAAM,IAAI;AAAA,QACR,eAAe,IAAI,MAAM,OAAO,MAAM,IAAI,IAAI;AAAA,QAC9C,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,QAAI,SAAS,GAAI,QAAO;AACxB,QAAI;AACF,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;AC5EA,IAAM,mBAAmB;AAElB,SAAS,WAAW,MAAyB,QAAQ,KAAa;AACvE,QAAM,WAAW,IAAI,oBAAoB,kBAAkB,QAAQ,QAAQ,EAAE;AAC7E,QAAM,WAAW,IAAI,mBAAmB,KAAK,KAAK;AAClD,QAAM,YAAY,IAAI,yBAAyB,QAAQ,YAAY;AACnE,QAAM,WACJ,aAAa,WAAW,aAAa,UAAU,aAAa,UACxD,WACA;AACN,SAAO,EAAE,SAAS,UAAU,SAAS;AACvC;;;ACjBA,IAAM,QAAQ,EAAE,OAAO,IAAI,MAAM,IAAI,MAAM,IAAI,OAAO,GAAG;AASlD,SAAS,WAAW,KAAuC;AAChE,QAAM,YAAY,MAAM,IAAI,QAAQ;AAEpC,WAAS,KAAK,OAA2B,KAAa,OAAiB;AACrE,QAAI,MAAM,KAAK,IAAI,UAAW;AAC9B,UAAM,MAAK,oBAAI,KAAK,GAAE,YAAY;AAClC,UAAM,UAAU,UAAU,SAAY,KAAK,IAAI,SAAS,KAAK,CAAC;AAC9D,YAAQ,OAAO,MAAM,GAAG,EAAE,IAAI,MAAM,YAAY,CAAC,IAAI,GAAG,GAAG,OAAO;AAAA,CAAI;AAAA,EACxE;AAEA,SAAO;AAAA,IACL,OAAO,CAAC,GAAG,MAAM,KAAK,SAAS,GAAG,CAAC;AAAA,IACnC,MAAM,CAAC,GAAG,MAAM,KAAK,QAAQ,GAAG,CAAC;AAAA,IACjC,MAAM,CAAC,GAAG,MAAM,KAAK,QAAQ,GAAG,CAAC;AAAA,IACjC,OAAO,CAAC,GAAG,MAAM,KAAK,SAAS,GAAG,CAAC;AAAA,EACrC;AACF;AAEA,SAAS,SAAS,GAAoB;AACpC,MAAI;AACF,WAAO,KAAK,UAAU,CAAC;AAAA,EACzB,QAAQ;AACN,WAAO,OAAO,CAAC;AAAA,EACjB;AACF;;;ACAO,SAAS,WAAoC,GAA2B;AAC7E,SAAO;AACT;AAOO,SAAS,YACd,QACA,KAEAA,QACM;AACN,aAAW,QAAQA,QAAO;AACxB,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,QACE,aAAa,KAAK;AAAA,QAClB,aAAa,KAAK;AAAA,MACpB;AAAA;AAAA,MAEA,OAAO,UAAe;AACpB,YAAI;AACF,gBAAM,SAAS,MAAM,KAAK,QAAQ,OAAO,GAAG;AAC5C,iBAAO;AAAA,YACL,SAAS;AAAA,cACP;AAAA,gBACE,MAAM;AAAA,gBACN,MACE,OAAO,WAAW,WACd,SACA,KAAK,UAAU,QAAQ,MAAM,CAAC;AAAA,cACtC;AAAA,YACF;AAAA,UACF;AAAA,QACF,SAAS,KAAK;AACZ,gBAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,cAAI,IAAI,MAAM,QAAQ,KAAK,IAAI,WAAW,EAAE,QAAQ,CAAC;AACrD,iBAAO;AAAA,YACL,SAAS;AAAA,YACT,SAAS;AAAA,cACP,EAAE,MAAM,QAAiB,MAAM,UAAU,OAAO,GAAG;AAAA,YACrD;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ACpFA,SAAS,SAAS;AAIX,IAAM,WAAW,WAAW;AAAA,EACjC,MAAM;AAAA,EACN,aAAa;AAAA,EACb,YAAY;AAAA,IACV,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,wBAAwB;AAAA,EAChE;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MACtC,OAAO,QAAQ,kBAAkB,mBAAmB,SAAS,CAAC,OAAO;AACzE,CAAC;AAEM,IAAM,gBAAgB,WAAW;AAAA,EACtC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG;AAAA,IAC/B,eAAe,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC;AAAA,IAC9C,2BAA2B,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,IAC9D,UAAU,EACP,KAAK;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC,EACA,QAAQ,mBAAmB;AAAA,IAC9B,aAAa,EACV,KAAK;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC,EACA,QAAQ,4BAA4B;AAAA,IACvC,UAAU,EACP,QAAQ,EACR,QAAQ,KAAK,EACb;AAAA,MACC;AAAA,IACF;AAAA,EACJ;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,GAAG,KAAK,GAAG,EAAE,OAAO,MAC/C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,QAAQ,KAAK;AAAA,EACzB;AACJ,CAAC;AAEM,IAAM,gBAAgB,WAAW;AAAA,EACtC,MAAM;AAAA,EACN,aAAa;AAAA,EACb,YAAY;AAAA,IACV,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,OAAO,GAAG,EAAE,OAAO,MAC9C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC,SAAS,mBAAmB,MAAM,CAAC;AAAA,IAClF,EAAE,QAAQ,SAAS;AAAA,EACrB;AACJ,CAAC;AAEM,IAAM,QAAQ,CAAC,UAAU,eAAe,aAAa;;;ACjE5D,SAAS,KAAAC,UAAS;AAIX,IAAM,aAAa,WAAW;AAAA,EACnC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWC,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MACtC,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,EACjD;AACJ,CAAC;AAEM,IAAM,iBAAiB,WAAW;AAAA,EACvC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,oBAAoBA,GACjB,OAAO,EACP,IAAI,EACJ,IAAI,CAAC,EACL,IAAI,GAAU,EACd,SAAS,EACT,SAAS,gDAAgD;AAAA,EAC9D;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,mBAAmB,GAAG,EAAE,OAAO,MAC1D,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,SAAS,MAAM,EAAE,mBAAmB,EAAE;AAAA,EAClD;AACJ,CAAC;AAEM,IAAM,gBAAgB,WAAW;AAAA,EACtC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,MAAMA,GAAE,KAAK,CAAC,KAAK,CAAC;AAAA,EACtB;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,KAAK,GAAG,EAAE,OAAO,MAC5C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,QAAQ,MAAM,EAAE,KAAK,EAAE;AAAA,EACnC;AACJ,CAAC;AAEM,IAAM,qBAAqB,WAAW;AAAA,EAC3C,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MACtC,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,OAAO;AAAA,EACnB;AACJ,CAAC;AAEM,IAAMC,SAAQ;AAAA,EACnB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;ACxEA,SAAS,KAAAC,UAAS;AAIX,IAAM,cAAc,WAAW;AAAA,EACpC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWC,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MACtC,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,EACjD;AACJ,CAAC;AAEM,IAAM,iBAAiB,WAAW;AAAA,EACvC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,eAAeA,GACZ,OAAO,EACP,MAAM,mBAAmB,EACzB,SAAS;AAAA,IACZ,kBAAkBA,GACf,OAAO,EACP,MAAM,mBAAmB,EACzB,SAAS;AAAA,IACZ,YAAYA,GACT,OAAO,EACP,MAAM,mBAAmB,EACzB,SAAS;AAAA,IACZ,YAAYA,GACT,OAAO,EACP,MAAM,mBAAmB,EACzB,SAAS;AAAA,IACZ,mBAAmBA,GAChB,QAAQ,EACR,SAAS,EACT;AAAA,MACC;AAAA,IACF;AAAA,EACJ;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,GAAG,KAAK,GAAG,EAAE,OAAO,MAC/C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,SAAS,KAAK;AAAA,EAC1B;AACJ,CAAC;AAEM,IAAMC,SAAQ,CAAC,aAAa,cAAc;;;AClDjD,SAAS,KAAAC,UAAS;AAIlB,IAAM,uBAAuBC,GAAE,OAAO;AAAA,EACpC,cAAcA,GAAE,OAAO;AAAA,EACvB,MAAMA,GAAE,OAAO;AAAA,EACf,aAAaA,GAAE,OAAO;AAAA,EACtB,OAAOA,GAAE,OAAO;AAClB,CAAC;AAEM,IAAM,wBAAwB,WAAW;AAAA,EAC9C,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,MAAMA,GACH,OAAO,EACP,IAAI,CAAC,EACL,IAAI,EAAE,EACN,MAAM,cAAc;AAAA,IACvB,cAAcA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC9B,iBAAiBA,GACd,OAAO,EACP,IAAI,EACJ,IAAI,EAAE,EACN,IAAI,GAAG,EACP,QAAQ,GAAG,EACX,SAAS,qDAAqD;AAAA,EACnE;AAAA,EACA,SAAS,OACP,EAAE,MAAM,cAAc,gBAAgB,GACtC,EAAE,QAAQ,IAAI,MACX;AACH,UAAM,UAAW,MAAM,OAAO,QAAQ,kBAAkB;AAAA,MACtD,QAAQ;AAAA,MACR,MAAM,EAAE,MAAM,aAAa;AAAA,IAC7B,CAAC;AAED,UAAM,WAAW,KAAK,IAAI,IAAI,kBAAkB;AAChD,WAAO,KAAK,IAAI,IAAI,UAAU;AAC5B,YAAM,KAAM,MAAM,OAAO;AAAA,QACvB,kBAAkB,mBAAmB,QAAQ,EAAE,CAAC;AAAA,MAClD;AAOA,UAAI,GAAG,UAAU,UAAU;AACzB,eAAO,qBAAqB,MAAM;AAAA,UAChC,cAAc,GAAG;AAAA,UACjB,MAAM,GAAG;AAAA,UACT,aAAa,GAAG,eAAe,QAAQ,GAAG,IAAI;AAAA,UAC9C,OAAO,GAAG;AAAA,QACZ,CAAC;AAAA,MACH;AACA,UAAI,GAAG,UAAU,uBAAuB;AACtC,cAAM,IAAI;AAAA,UACR,kCAAkC,GAAG,sBAAsB,gBAAgB;AAAA,QAC7E;AAAA,MACF;AACA,UAAI,MAAM,aAAa,QAAQ,EAAE,UAAU,GAAG,KAAK,iBAAY;AAC/D,YAAM,MAAM,GAAI;AAAA,IAClB;AACA,UAAM,IAAI;AAAA,MACR,+CAA+C,eAAe;AAAA,IAChE;AAAA,EACF;AACF,CAAC;AAED,SAAS,MAAM,IAAY;AACzB,SAAO,IAAI,QAAQ,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;AAC7C;AAEO,IAAM,oBAAoB,WAAW;AAAA,EAC1C,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,kBAAkBA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAClC,sBAAsBA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IACtC,MAAMA,GAAE,OAAO,EAAE,QAAQ,QAAQ;AAAA,EACnC;AAAA,EACA,SAAS,OACP,EAAE,WAAW,kBAAkB,sBAAsB,KAAK,GAC1D,EAAE,OAAO,MACN;AACH,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,MAC/C;AAAA,QACE,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,UAAU;AAAA,UACV;AAAA,UACA,QAAQ;AAAA,YACN,WAAW;AAAA,YACX,eAAe;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,OAAO;AAAA,MACX,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,MAC/C,EAAE,QAAQ,SAAS,MAAM,EAAE,oBAAoB,KAAK,EAAE;AAAA,IACxD;AAEA,WAAO,EAAE,KAAK,cAAc,0BAA0B;AAAA,EACxD;AACF,CAAC;AAQM,IAAM,oBAAoB,WAAW;AAAA,EAC1C,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MAAM;AAC5C,UAAM,KAAM,MAAM,OAAO;AAAA,MACvB,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IACjD;AACA,UAAM,OAAQ,MAAM,OAAO;AAAA,MACzB,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IACjD;AACA,UAAM,OAAQ,MAAM,OAAO;AAAA,MACzB,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IACjD;AACA,UAAM,SAAU,MAAM,OAAO;AAAA,MAC3B,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IACjD;AAMA,UAAM,WAAY,MAAM,OAAO;AAAA,MAC7B,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IACjD;AAEA,UAAM,SAA2B;AAAA,MAC/B;AAAA,QACE,IAAI,GAAG,UAAU;AAAA,QACjB,MAAM;AAAA,QACN,SAAS,SAAS,GAAG,KAAK;AAAA,MAC5B;AAAA,MACA;AAAA,QACE,IAAI,KAAK,SAAS;AAAA,QAClB,MAAM;AAAA,QACN,SAAS,GAAG,KAAK,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,QACE,IACE,KAAK,SAAS,KACb,OAAO,4BAA4B,QAClC,OAAO,mBAAmB;AAAA,QAC9B,MAAM;AAAA,QACN,SACE,KAAK,SAAS,IACV,GAAG,KAAK,MAAM,UACd;AAAA,MACR;AAAA,MACA;AAAA,QACE,IAAI,CAAC,CAAC,SAAS;AAAA,QACf,MAAM;AAAA,MACR;AAAA,MACA;AAAA,QACE,IAAI,OAAO,cAAc,QAAQ,KAAK,SAAS;AAAA,QAC/C,MAAM;AAAA,QACN,SAAS,OAAO,YACZ,mBACA;AAAA,MACN;AAAA,IACF;AACA,UAAM,UAAU,OAAO,MAAM,CAAC,MAAM,EAAE,EAAE,IAAI,UAAU;AACtD,WAAO,EAAE,SAAS,OAAO;AAAA,EAC3B;AACF,CAAC;AAEM,IAAMC,SAAQ;AAAA,EACnB;AAAA,EACA;AAAA,EACA;AACF;;;ACnMA,SAAS,KAAAC,UAAS;AAIX,IAAM,WAAW,WAAW;AAAA,EACjC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWC,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MACtC,OAAO,QAAQ,kBAAkB,mBAAmB,SAAS,CAAC,OAAO;AACzE,CAAC;AAEM,IAAM,SAAS,WAAW;AAAA,EAC/B,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,UAAUA,GAAE,KAAK,CAAC,UAAU,UAAU,YAAY,MAAM,CAAC;AAAA,IACzD,MAAMA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,oCAAoC;AAAA,IACrE,QAAQA,GACL,OAAO;AAAA,MACN,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,MAC3B,eAAeA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,MAC/B,QAAQA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAAA,MACrC,QAAQA,GACL,OAAO,EACP,IAAI,EACJ,SAAS,EACT,SAAS,wCAAwC;AAAA,MACpD,WAAWA,GACR,OAAO,EACP,SAAS,EACT;AAAA,QACC;AAAA,MACF;AAAA,IACJ,CAAC,EACA,SAAS,gCAAgC;AAAA,EAC9C;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,GAAG,KAAK,GAAG,EAAE,OAAO,MAC/C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,QAAQ,KAAK;AAAA,EACzB;AACJ,CAAC;AAEM,IAAM,YAAY,WAAW;AAAA,EAClC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,QAAQA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,OAAO,GAAG,EAAE,OAAO,MAC9C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC,SAAS,mBAAmB,MAAM,CAAC;AAAA,IAClF,EAAE,QAAQ,SAAS;AAAA,EACrB;AACJ,CAAC;AAEM,IAAMC,SAAQ,CAAC,UAAU,QAAQ,SAAS;;;ACjEjD,SAAS,KAAAC,UAAS;AAIX,IAAM,iBAAiB,WAAW;AAAA,EACvC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWC,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MACtC,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,EACjD;AACJ,CAAC;AAEM,IAAM,oBAAoB,WAAW;AAAA,EAC1C,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,yBAAyBA,GAAE,QAAQ,EAAE,SAAS;AAAA,IAC9C,gBAAgBA,GAAE,QAAQ,EAAE,SAAS;AAAA,IACrC,oBAAoBA,GAAE,QAAQ,EAAE,SAAS;AAAA,IACzC,WAAWA,GACR,QAAQ,EACR,SAAS,EACT,SAAS,oCAAoC;AAAA,IAChD,mBAAmBA,GAChB,KAAK;AAAA,MACJ;AAAA,MACA;AAAA,IACF,CAAC,EACA,SAAS,EACT,SAAS,2CAA2C;AAAA,IACvD,uBAAuBA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,IAChE,2BAA2BA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,EACtE;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,GAAG,KAAK,GAAG,EAAE,OAAO,MAC/C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,SAAS,KAAK;AAAA,EAC1B;AACJ,CAAC;AAEM,IAAMC,SAAQ,CAAC,gBAAgB,iBAAiB;;;AC9CvD,SAAS,KAAAC,UAAS;AAIX,IAAM,YAAY,WAAW;AAAA,EAClC,MAAM;AAAA,EACN,aAAa;AAAA,EACb,YAAY;AAAA,IACV,WAAWC,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,OAAOA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,GAAG;AAAA,EACrD;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,MAAM,GAAG,EAAE,OAAO,MAC7C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,OAAO,EAAE,MAAM,EAAE;AAAA,EACrB;AACJ,CAAC;AAEM,IAAM,aAAa,WAAW;AAAA,EACnC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,OAAOA,GACJ,OAAO,EACP,MAAM,8BAA8B,uBAAuB;AAAA,IAC9D,YAAYA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC5B,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,oBAAoBA,GACjB,OAAO,EACP,OAAO,CAAC,EACR,QAAQ,IAAI,EACZ,SAAS,0BAA0B;AAAA,EACxC;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,GAAG,KAAK,GAAG,EAAE,OAAO,MAC/C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC;AAAA,IAC/C,EAAE,QAAQ,QAAQ,KAAK;AAAA,EACzB;AACJ,CAAC;AAEM,IAAM,aAAa,WAAW;AAAA,EACnC,MAAM;AAAA,EACN,aAAa;AAAA,EACb,YAAY;AAAA,IACV,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,IAC3B,SAASA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC3B;AAAA,EACA,SAAS,OAAO,EAAE,WAAW,QAAQ,GAAG,EAAE,OAAO,MAC/C,OAAO;AAAA,IACL,kBAAkB,mBAAmB,SAAS,CAAC,UAAU,mBAAmB,OAAO,CAAC;AAAA,IACpF,EAAE,QAAQ,SAAS;AAAA,EACrB;AACJ,CAAC;AAEM,IAAMC,SAAQ,CAAC,WAAW,YAAY,UAAU;;;AC1DvD,SAAS,KAAAC,UAAS;AAIX,IAAM,iBAAiB,WAAW;AAAA,EACvC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY,CAAC;AAAA,EACb,SAAS,OAAO,QAAQ,EAAE,OAAO,MAC/B,OAAO,QAAQ,kBAAkB,EAAE,QAAQ,MAAM,CAAC;AACtD,CAAC;AAEM,IAAM,eAAe,WAAW;AAAA,EACrC,MAAM;AAAA,EACN,aAAa;AAAA,EACb,YAAY;AAAA,IACV,WAAWC,GACR,OAAO,EACP,IAAI,CAAC,EACL,SAAS,wBAAwB;AAAA,EACtC;AAAA,EACA,SAAS,OAAO,EAAE,UAAU,GAAG,EAAE,OAAO,MACtC,OAAO,QAAQ,kBAAkB,mBAAmB,SAAS,CAAC,EAAE;AACpE,CAAC;AAEM,IAAM,kBAAkB,WAAW;AAAA,EACxC,MAAM;AAAA,EACN,aACE;AAAA,EACF,YAAY;AAAA,IACV,MAAMA,GACH,OAAO,EACP,IAAI,CAAC,EACL,IAAI,EAAE,EACN,MAAM,gBAAgB,yCAAyC,EAC/D,SAAS,4DAAuD;AAAA,IACnE,cAAcA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG;AAAA,EACzC;AAAA,EACA,SAAS,OAAO,OAAO,EAAE,OAAO,MAC9B,OAAO,QAAQ,kBAAkB,EAAE,QAAQ,QAAQ,MAAM,MAAM,CAAC;AACpE,CAAC;AAEM,IAAMC,SAAQ,CAAC,gBAAgB,cAAc,eAAe;;;AZvBnE,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,SAAS,eAAe;AAEjC,IAAM,cAAc;AAEpB,SAAS,cAAsB;AAC7B,MAAI;AACF,UAAM,OAAO,QAAQ,cAAc,YAAY,GAAG,CAAC;AACnD,UAAM,MAAM,KAAK;AAAA,MACf,aAAa,QAAQ,MAAM,MAAM,cAAc,GAAG,MAAM;AAAA,IAC1D;AACA,WAAO,OAAO,IAAI,YAAY,WAAW,IAAI,UAAU;AAAA,EACzD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,OAAsB;AAC1C,QAAM,MAAM,WAAW;AACvB,QAAM,MAAM,WAAW,GAAG;AAC1B,QAAM,SAAS,IAAI,cAAc,KAAK,GAAG;AAEzC,QAAM,SAAS,IAAI,UAAU;AAAA,IAC3B,MAAM;AAAA,IACN,SAAS,YAAY;AAAA,EACvB,CAAC;AAED,QAAM,WAAW;AAAA,IACf,GAAGC;AAAA,IACH,GAAG;AAAA,IACH,GAAGA;AAAA,IACH,GAAGA;AAAA,IACH,GAAGA;AAAA,IACH,GAAGA;AAAA,IACH,GAAGA;AAAA,IACH,GAAGA;AAAA,EACL;AAEA,cAAY,QAAQ,EAAE,QAAQ,IAAI,GAAG,QAAQ;AAE7C,MAAI,KAAK,wBAAwB;AAAA,IAC/B,SAAS,IAAI;AAAA,IACb,OAAO,SAAS;AAAA,IAChB,UAAU,IAAI,WAAW,WAAW;AAAA,EACtC,CAAC;AAED,QAAM,YAAY,IAAI,qBAAqB;AAC3C,QAAM,OAAO,QAAQ,SAAS;AAChC;AAMA,KAAK,EAAE,MAAM,CAAC,QAAQ;AACpB,UAAQ,OAAO,MAAM,UAAU,eAAe,QAAQ,IAAI,QAAQ,GAAG;AAAA,CAAI;AACzE,UAAQ,KAAK,CAAC;AAChB,CAAC;","names":["tools","z","z","tools","z","z","tools","z","z","tools","z","z","tools","z","z","tools","z","z","tools","z","z","tools","tools"]}

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@prysmid/mcp",
+  "version": "0.1.1",
+  "description": "Official Prysmid MCP server — manage workspaces, apps OIDC, login policy, IdPs, branding, users from any MCP-compatible agent (Claude Code, Cursor, etc.)",
+  "license": "Apache-2.0",
+  "homepage": "https://prysmid.com",
+  "bugs": "https://github.com/PrysmID/mcp-server/issues",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/PrysmID/mcp-server.git"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "prysmid-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsx src/index.ts",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "gen-tools": "tsx scripts/generate-tools.ts",
+    "prepare": "tsup"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.4",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^22.9.0",
+    "tsup": "^8.3.5",
+    "tsx": "^4.19.2",
+    "typescript": "^5.6.3",
+    "vitest": "^2.1.5"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "prysmid",
+    "auth",
+    "oidc",
+    "zitadel",
+    "agents"
+  ]
+}