@prysmid/mcp 0.4.0 → 0.6.0

package/dist/index.js

@@ -277,8 +277,8 @@ function clearToken(env = process.env) {
 function defineTool(t) {
   return t;
 }
-function registerAll(server, ctx, tools9) {
-  for (const tool of tools9) {
+function registerAll(server, ctx, tools15) {
+  for (const tool of tools15) {
     server.registerTool(
       tool.name,
       {
@@ -429,13 +429,38 @@ var tools = [
   regenerateAppSecret
 ];
 
-// src/tools/billing.ts
+// src/tools/audit.ts
 import { z as z2 } from "zod";
+var exportAuditLog = defineTool({
+  name: "export_audit_log",
+  description: "Export a workspace's audit trail as NDJSON (default) or CSV. Filter by `org_id` (a specific business org, matches meta.org_id), `action` (exact, e.g. `idp.create`), and a created_at window (`start`/`end`, ISO-8601). `limit` caps rows (default 10000, max 50000). Returns the raw export text \u2014 narrow the window to page through large trails.",
+  inputShape: {
+    workspace: z2.string().min(1),
+    format: z2.enum(["ndjson", "csv"]).default("ndjson").describe(
+      "ndjson (default) = one JSON object per line, best for SIEM. csv = flat columns with meta JSON-encoded in one cell."
+    ),
+    org_id: z2.string().min(1).optional().describe(
+      "Scope to one business org (matches meta.org_id). Omit for the whole workspace."
+    ),
+    action: z2.string().min(1).optional().describe("Exact audit action to filter, e.g. `idp.create`."),
+    start: z2.string().optional().describe("ISO-8601 timestamp; only rows created at/after this."),
+    end: z2.string().optional().describe("ISO-8601 timestamp; only rows created before this."),
+    limit: z2.number().int().min(1).max(5e4).optional()
+  },
+  handler: async ({ workspace, ...query }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/audit-log/export`,
+    { query }
+  )
+});
+var tools2 = [exportAuditLog];
+
+// src/tools/billing.ts
+import { z as z3 } from "zod";
 var getBilling = defineTool({
   name: "get_billing",
   description: "Get current billing state: plan, subscription status, current period, spending_cap_cents, signups_blocked.",
   inputShape: {
-    workspace: z2.string().min(1)
+    workspace: z3.string().min(1)
   },
   handler: async ({ workspace }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/billing`
@@ -445,8 +470,8 @@ var setSpendingCap = defineTool({
   name: "set_spending_cap",
   description: "Cap monthly Pro overage spend (cents). Pass null to remove cap (unlimited). When projected overage exceeds cap, signups_blocked flips on.",
   inputShape: {
-    workspace: z2.string().min(1),
-    spending_cap_cents: z2.number().int().min(0).max(1e7).nullable().describe("Max overage cents per period; null = unlimited")
+    workspace: z3.string().min(1),
+    spending_cap_cents: z3.number().int().min(0).max(1e7).nullable().describe("Max overage cents per period; null = unlimited")
   },
   handler: async ({ workspace, spending_cap_cents }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/billing/spending-cap`,
@@ -457,8 +482,8 @@ var startCheckout = defineTool({
   name: "start_billing_checkout",
   description: "Create a Stripe Checkout session for upgrading. Returns the URL the user must visit. Plan must be `pro` (Free has no checkout; Enterprise is sales-only).",
   inputShape: {
-    workspace: z2.string().min(1),
-    plan: z2.enum(["pro"])
+    workspace: z3.string().min(1),
+    plan: z3.enum(["pro"])
   },
   handler: async ({ workspace, plan }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/billing/checkout`,
@@ -469,14 +494,14 @@ var startBillingPortal = defineTool({
   name: "start_billing_portal",
   description: "Create a Stripe customer-portal session URL where the user manages payment methods, downloads invoices, cancels subscription.",
   inputShape: {
-    workspace: z2.string().min(1)
+    workspace: z3.string().min(1)
   },
   handler: async ({ workspace }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/billing/portal`,
     { method: "POST" }
   )
 });
-var tools2 = [
+var tools3 = [
   getBilling,
   setSpendingCap,
   startCheckout,
@@ -484,12 +509,12 @@ var tools2 = [
 ];
 
 // src/tools/branding.ts
-import { z as z3 } from "zod";
+import { z as z4 } from "zod";
 var getBranding = defineTool({
   name: "get_branding",
   description: "Return the workspace's active branding policy (colors, fonts, hide-prysmid-watermark flag, logo URLs).",
   inputShape: {
-    workspace: z3.string().min(1)
+    workspace: z4.string().min(1)
   },
   handler: async ({ workspace }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/branding`
@@ -499,12 +524,12 @@ var updateBranding = defineTool({
   name: "update_branding",
   description: "Update branding colors and watermark. Hex colors as `#RRGGBB`. Activates the policy after update \u2014 change shows on next login screen render.",
   inputShape: {
-    workspace: z3.string().min(1),
-    primary_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
-    background_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
-    warn_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
-    font_color: z3.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
-    disable_watermark: z3.boolean().optional().describe(
+    workspace: z4.string().min(1),
+    primary_color: z4.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    background_color: z4.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    warn_color: z4.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    font_color: z4.string().regex(/^#[0-9a-fA-F]{6}$/).optional(),
+    disable_watermark: z4.boolean().optional().describe(
       "Hide 'Powered by Prysmid' on the login screen (Pro+ only \u2014 Free silently ignored)."
     )
   },
@@ -513,23 +538,23 @@ var updateBranding = defineTool({
     { method: "PATCH", body }
   )
 });
-var tools3 = [getBranding, updateBranding];
+var tools4 = [getBranding, updateBranding];
 
 // src/tools/curated.ts
-import { z as z4 } from "zod";
-var SetupWorkspaceOutput = z4.object({
-  workspace_id: z4.string(),
-  slug: z4.string(),
-  auth_domain: z4.string(),
-  state: z4.string()
+import { z as z5 } from "zod";
+var SetupWorkspaceOutput = z5.object({
+  workspace_id: z5.string(),
+  slug: z5.string(),
+  auth_domain: z5.string(),
+  state: z5.string()
 });
 var setupPrysmidWorkspace = defineTool({
   name: "setup_prysmid_workspace",
   description: "Create a new workspace and wait until it's fully provisioned (Zitadel instance, SMTP, DNS). Returns the live auth_domain ready to integrate.",
   inputShape: {
-    slug: z4.string().min(2).max(63).regex(/^[a-z0-9-]+$/),
-    display_name: z4.string().min(1),
-    timeout_seconds: z4.number().int().min(10).max(300).default(120).describe("Max time to wait for provisioning before returning.")
+    slug: z5.string().min(2).max(63).regex(/^[a-z0-9-]+$/),
+    display_name: z5.string().min(1),
+    timeout_seconds: z5.number().int().min(10).max(300).default(120).describe("Max time to wait for provisioning before returning.")
   },
   handler: async ({ slug, display_name, timeout_seconds }, { client, log }) => {
     const created = await client.request("/v1/workspaces", {
@@ -569,10 +594,10 @@ var enableGoogleLogin = defineTool({
   name: "enable_google_login",
   description: "Add Google as an identity provider on a workspace and enable external IdPs in the login policy. Hands you a checklist if external IdPs were already disabled \u2014 agent should confirm before flipping that flag.",
   inputShape: {
-    workspace: z4.string().min(1),
-    google_client_id: z4.string().min(1),
-    google_client_secret: z4.string().min(1),
-    name: z4.string().default("Google")
+    workspace: z5.string().min(1),
+    google_client_id: z5.string().min(1),
+    google_client_secret: z5.string().min(1),
+    name: z5.string().default("Google")
   },
   handler: async ({ workspace, google_client_id, google_client_secret, name }, { client }) => {
     const idp = await client.request(
@@ -600,13 +625,21 @@ function countItems(resp) {
   if (Array.isArray(resp.items)) return resp.items.length;
   return 0;
 }
+function listOf(resp) {
+  if (Array.isArray(resp)) return resp;
+  if (Array.isArray(resp.items)) return resp.items;
+  return [];
+}
 var prysmidSetupCheck = defineTool({
   name: "prysmid_setup_check",
-  description: "Run a readiness checklist on a workspace: state=active, \u22651 OIDC app, \u22651 IdP OR password+register enabled, branding has a primary_color set, login_policy reasonable. Returns pass/fail per item plus a summary verdict.",
+  description: "Run a readiness checklist on a workspace: state=active, \u22651 OIDC app, \u22651 IdP OR password+register enabled, branding has a primary_color set, login_policy reasonable, AND (by default) every external IdP probes successfully against its upstream provider. Returns pass/fail per item plus a summary verdict. Set `probe_idps=false` to skip the live probe (faster, but won't catch redirect_uri_mismatch or invalid client_secret until a real end-user hits the broken IdP).",
   inputShape: {
-    workspace: z4.string().min(1)
+    workspace: z5.string().min(1),
+    probe_idps: z5.boolean().optional().describe(
+      "Run a live probe against each external IdP's upstream authorize endpoint. Default true. Set false to skip if the latency matters more than the safety (will not catch redirect_uri_mismatch or invalid_client until a real end-user signs in)."
+    )
   },
-  handler: async ({ workspace }, { client }) => {
+  handler: async ({ workspace, probe_idps = true }, { client }) => {
     const ws = await client.request(
       `/v1/workspaces/${encodeURIComponent(workspace)}`
     );
@@ -624,6 +657,7 @@ var prysmidSetupCheck = defineTool({
     );
     const appsCount = countItems(appsResp);
     const idpsCount = countItems(idpsResp);
+    const idpItems = listOf(idpsResp);
     const passwordsOpen = policy.allow_username_password === true && policy.allow_register === true;
     const checks = [
       {
@@ -651,134 +685,600 @@ var prysmidSetupCheck = defineTool({
         details: policy.force_mfa ? "force_mfa=true" : idpsCount > 0 ? `${idpsCount} external IdP(s) \u2014 strength delegated upstream` : "MFA off and no external IdPs \u2014 passwords-only is weak"
       }
     ];
+    if (probe_idps && idpItems.length > 0) {
+      const probeResults = [];
+      for (const idp of idpItems) {
+        try {
+          const probe = await client.request(
+            `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp.id)}/probe`,
+            { method: "POST" }
+          );
+          probeResults.push({ id: idp.id, result: probe });
+        } catch (err) {
+          probeResults.push({
+            id: idp.id,
+            result: { ok: false, provider_reachable: false },
+            error: err instanceof Error ? err.message : String(err)
+          });
+        }
+      }
+      const allOk = probeResults.every((r) => r.result.ok);
+      const summary = probeResults.map((r) => {
+        const code = r.result.error_code ? ` (${r.result.error_code})` : "";
+        return `${r.id}=${r.result.ok ? "ok" : "fail"}${code}`;
+      }).join(", ");
+      const firstFailure = probeResults.find((r) => !r.result.ok);
+      const details = firstFailure ? `${summary}. First failure: ${firstFailure.result.error_detail ?? firstFailure.error ?? "no detail"}` : summary;
+      checks.push({
+        ok: allOk,
+        name: "idps_functional",
+        details
+      });
+    } else if (idpItems.length > 0) {
+      checks.push({
+        ok: true,
+        name: "idps_functional",
+        details: "skipped (probe_idps=false); won't catch redirect_uri_mismatch or invalid_client until a real end-user signs in."
+      });
+    }
     const verdict = checks.every((c) => c.ok) ? "ready" : "incomplete";
     return { verdict, checks };
   }
 });
-var tools4 = [
+var tools5 = [
   setupPrysmidWorkspace,
   enableGoogleLogin,
   prysmidSetupCheck
 ];
 
+// src/tools/grants.ts
+import { z as z6 } from "zod";
+var grantUserToOrganization = defineTool({
+  name: "grant_user_to_organization",
+  description: "Grant a user access to an organization's project with a set of role keys. The user does NOT need to be a member of the org \u2014 that's the point. Idempotent at the (user, org, project) tuple: duplicates return 502 from Zitadel.",
+  inputShape: {
+    workspace: z6.string().min(1),
+    org_id: z6.string().min(1).describe("Zitadel org id of the org GRANTING access."),
+    user_id: z6.string().min(1).describe(
+      "Zitadel user id. The user's home org is irrelevant \u2014 grants are cross-org."
+    ),
+    project_id: z6.string().min(1).describe(
+      "Zitadel project id this grant is for. Look it up via list_apps \u2014 every OIDC app belongs to a project."
+    ),
+    role_keys: z6.array(z6.string()).default([]).describe(
+      "Role keys defined on the target project. Empty list = bare membership (still gates access)."
+    )
+  },
+  handler: async ({ workspace, org_id, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/grants`,
+    { method: "POST", body }
+  )
+});
+var listGrantsInOrganization = defineTool({
+  name: "list_grants_in_organization",
+  description: "List all grants owned by an organization. Returns each grant with the granted user_id, project_id, role_keys, and the org's tenant_id (the value users will see as `tenant_id` claim when this grant is active).",
+  inputShape: {
+    workspace: z6.string().min(1),
+    org_id: z6.string().min(1)
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/grants`
+  )
+});
+var listGrantsForUser = defineTool({
+  name: "list_grants_for_user",
+  description: "List all grants held by a user across orgs in this workspace. Useful for 'what does this user have access to?' and offboarding/audit reviews.",
+  inputShape: {
+    workspace: z6.string().min(1),
+    user_id: z6.string().min(1)
+  },
+  handler: async ({ workspace, user_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/users/${encodeURIComponent(user_id)}/grants`
+  )
+});
+var updateGrantRoles = defineTool({
+  name: "update_grant_roles",
+  description: "Replace the role_keys on an existing grant. The set is replaced wholesale \u2014 pass the full desired list, not a delta.",
+  inputShape: {
+    workspace: z6.string().min(1),
+    org_id: z6.string().min(1),
+    grant_id: z6.string().min(1),
+    role_keys: z6.array(z6.string())
+  },
+  handler: async ({ workspace, org_id, grant_id, role_keys }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/grants/${encodeURIComponent(grant_id)}`,
+    { method: "PATCH", body: { role_keys } }
+  )
+});
+var deactivateGrant = defineTool({
+  name: "deactivate_grant",
+  description: "Temporarily suspend a grant without revoking it. Idempotent. Re-enable later with reactivate_grant.",
+  inputShape: {
+    workspace: z6.string().min(1),
+    org_id: z6.string().min(1),
+    grant_id: z6.string().min(1)
+  },
+  handler: async ({ workspace, org_id, grant_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/grants/${encodeURIComponent(grant_id)}/_deactivate`,
+    { method: "POST" }
+  )
+});
+var reactivateGrant = defineTool({
+  name: "reactivate_grant",
+  description: "Re-enable a previously deactivated grant. Idempotent.",
+  inputShape: {
+    workspace: z6.string().min(1),
+    org_id: z6.string().min(1),
+    grant_id: z6.string().min(1)
+  },
+  handler: async ({ workspace, org_id, grant_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/grants/${encodeURIComponent(grant_id)}/_reactivate`,
+    { method: "POST" }
+  )
+});
+var revokeGrant = defineTool({
+  name: "revoke_grant",
+  description: "Permanently revoke a grant. Idempotent \u2014 204 even if the Zitadel-side grant is already gone. Emits a `grant.revoked` audit event (will fire a webhook in slice X5).",
+  inputShape: {
+    workspace: z6.string().min(1),
+    org_id: z6.string().min(1),
+    grant_id: z6.string().min(1)
+  },
+  handler: async ({ workspace, org_id, grant_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/grants/${encodeURIComponent(grant_id)}`,
+    { method: "DELETE" }
+  )
+});
+var tools6 = [
+  grantUserToOrganization,
+  listGrantsInOrganization,
+  listGrantsForUser,
+  updateGrantRoles,
+  deactivateGrant,
+  reactivateGrant,
+  revokeGrant
+];
+
 // src/tools/idps.ts
-import { z as z5 } from "zod";
+import { z as z7 } from "zod";
+var orgIdArg = z7.string().min(1).optional().describe(
+  "Optional Zitadel org id to scope this operation to a specific business org inside the workspace. Omit for the workspace's home org (backwards-compat)."
+);
+var providerOptionsSchema = z7.object({
+  is_creation_allowed: z7.boolean().optional(),
+  is_auto_creation: z7.boolean().optional().describe(
+    "JIT provisioning: True auto-creates a Prysm:ID user on first external login. The most common X6 flag \u2014 set False for tightly-controlled enterprise tenants where seats are granted manually."
+  ),
+  is_auto_update: z7.boolean().optional(),
+  is_linking_allowed: z7.boolean().optional(),
+  auto_linking: z7.enum(["unspecified", "username", "email"]).optional().describe(
+    "How to merge an external first-login into an existing Prysm:ID user. `username` matches user_name, `email` matches verified email, `unspecified` disables auto-linking."
+  )
+}).optional().describe(
+  "X6: JIT + linking behaviour. Omitted fields fall back to defaults on create (auto-create + auto-update + link-by-username) or preserve current state on patch."
+);
 var listIdps = defineTool({
   name: "list_idps",
-  description: "List identity providers (Google/GitHub/Microsoft/OIDC) configured on a workspace.",
+  description: "List identity providers (Google/GitHub/Microsoft/OIDC) configured on a workspace. Pass `org_id` to list IdPs of a specific business org.",
   inputShape: {
-    workspace: z5.string().min(1)
+    workspace: z7.string().min(1),
+    org_id: orgIdArg
   },
-  handler: async ({ workspace }, { client }) => client.request(`/v1/workspaces/${encodeURIComponent(workspace)}/idps`)
+  handler: async ({ workspace, org_id }, { client }) => client.request(`/v1/workspaces/${encodeURIComponent(workspace)}/idps`, {
+    query: { org_id }
+  })
 });
 var addIdp = defineTool({
   name: "add_idp",
-  description: "Add an identity provider to the workspace and attach it to the login policy in one atomic call.",
+  description: "Add an identity provider to the workspace and attach it to the login policy in one atomic call. Pass `org_id` to attach the IdP to a specific business org (multi-tenant setup) instead of the workspace's home org. Pass `provider_options` to control JIT provisioning + account-linking behaviour (X6).",
   inputShape: {
-    workspace: z5.string().min(1),
-    type: z5.enum(["google", "github", "microsoft", "oidc"]).describe("Identity provider kind. `microsoft` covers Azure AD / Entra."),
-    name: z5.string().min(1).describe("Display name shown on login screen"),
-    client_id: z5.string().min(1),
-    client_secret: z5.string().min(1),
-    scopes: z5.array(z5.string()).optional(),
-    issuer: z5.string().url().optional().describe("Required for `oidc`; ignored otherwise"),
-    tenant_id: z5.string().optional().describe(
+    workspace: z7.string().min(1),
+    org_id: orgIdArg,
+    type: z7.enum(["google", "github", "microsoft", "oidc"]).describe("Identity provider kind. `microsoft` covers Azure AD / Entra."),
+    name: z7.string().min(1).describe("Display name shown on login screen"),
+    client_id: z7.string().min(1),
+    client_secret: z7.string().min(1),
+    scopes: z7.array(z7.string()).optional(),
+    issuer: z7.string().url().optional().describe("Required for `oidc`; ignored otherwise"),
+    tenant_id: z7.string().optional().describe(
       "Optional for `microsoft` \u2014 lock to a specific Entra tenant GUID. Default accepts any account."
-    )
+    ),
+    provider_options: providerOptionsSchema
   },
-  handler: async ({ workspace, ...body }, { client }) => client.request(
-    `/v1/workspaces/${encodeURIComponent(workspace)}/idps`,
-    { method: "POST", body }
-  )
+  handler: async ({ workspace, org_id, ...body }, { client }) => client.request(`/v1/workspaces/${encodeURIComponent(workspace)}/idps`, {
+    method: "POST",
+    body,
+    query: { org_id }
+  })
 });
 var deleteIdp = defineTool({
   name: "delete_idp",
-  description: "Remove an identity provider. Strips it from the login policy then deletes the config. Idempotent.",
+  description: "Remove an identity provider. Strips it from the login policy then deletes the config. Idempotent. Pass `org_id` to target a specific business org's IdP.",
   inputShape: {
-    workspace: z5.string().min(1),
-    idp_id: z5.string().min(1)
+    workspace: z7.string().min(1),
+    org_id: orgIdArg,
+    idp_id: z7.string().min(1)
   },
-  handler: async ({ workspace, idp_id }, { client }) => client.request(
+  handler: async ({ workspace, org_id, idp_id }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp_id)}`,
-    { method: "DELETE" }
+    { method: "DELETE", query: { org_id } }
   )
 });
 var getIdp = defineTool({
   name: "get_idp",
-  description: "Fetch full detail for one identity provider: type, state, client_id, issuer/tenant (when applicable), scopes, secret_updated_at, created_at. Never returns the client_secret.",
+  description: "Fetch full detail for one identity provider: type, state, client_id, issuer/tenant (when applicable), scopes, secret_updated_at, created_at. Never returns the client_secret. Pass `org_id` to scope to a business org.",
   inputShape: {
-    workspace: z5.string().min(1),
-    idp_id: z5.string().min(1)
+    workspace: z7.string().min(1),
+    org_id: orgIdArg,
+    idp_id: z7.string().min(1)
   },
-  handler: async ({ workspace, idp_id }, { client }) => client.request(
-    `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp_id)}`
+  handler: async ({ workspace, org_id, idp_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp_id)}`,
+    { query: { org_id } }
   )
 });
 var updateIdp = defineTool({
   name: "update_idp",
-  description: "Patch mutable fields on an identity provider. All fields optional. Passing client_secret rotates the upstream-issued value (Google/GitHub/Microsoft/OIDC client secret stored in Prysmid). Passing client_id retargets to a different upstream client. issuer/tenant_id apply only when relevant to the IdP type.",
+  description: "Patch mutable fields on an identity provider. All fields optional. Passing client_secret rotates the upstream-issued value (Google/GitHub/Microsoft/OIDC client secret stored in Prysmid). Passing client_id retargets to a different upstream client. issuer/tenant_id apply only when relevant to the IdP type. Pass `org_id` to scope to a business org. Pass `provider_options` to flip JIT or linking flags \u2014 only the keys you set change, others are preserved (X6).",
   inputShape: {
-    workspace: z5.string().min(1),
-    idp_id: z5.string().min(1),
-    name: z5.string().min(1).optional(),
-    client_id: z5.string().min(1).optional(),
-    client_secret: z5.string().min(1).optional().describe(
+    workspace: z7.string().min(1),
+    org_id: orgIdArg,
+    idp_id: z7.string().min(1),
+    name: z7.string().min(1).optional(),
+    client_id: z7.string().min(1).optional(),
+    client_secret: z7.string().min(1).optional().describe(
       "Rotate the upstream-issued client secret. Not the Prysmid app secret \u2014 that one is rotated via regenerate_app_secret."
     ),
-    scopes: z5.array(z5.string()).optional(),
-    issuer: z5.string().url().optional().describe("Only meaningful for type=oidc."),
-    tenant_id: z5.string().optional().describe("Only meaningful for type=microsoft (Entra tenant GUID).")
+    scopes: z7.array(z7.string()).optional(),
+    issuer: z7.string().url().optional().describe("Only meaningful for type=oidc."),
+    tenant_id: z7.string().optional().describe("Only meaningful for type=microsoft (Entra tenant GUID)."),
+    provider_options: providerOptionsSchema
   },
-  handler: async ({ workspace, idp_id, ...patch }, { client }) => client.request(
+  handler: async ({ workspace, org_id, idp_id, ...patch }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp_id)}`,
-    { method: "PATCH", body: patch }
+    { method: "PATCH", body: patch, query: { org_id } }
+  )
+});
+var probeIdp = defineTool({
+  name: "probe_idp",
+  description: "Probe an external identity provider end-to-end against its upstream authorize endpoint. Catches redirect_uri_mismatch (URI not registered at Google Cloud / GitHub / etc.), invalid_client (client_id rotated or deleted upstream), and provider_unreachable failures BEFORE a real end-user hits them. Use after enable_google_login / add_idp, and any time you suspect the IdP is misconfigured. Today: Google + GitHub get full classification; Microsoft + OIDC generic return `skipped` for the deterministic dimensions (only reachability is verified). Pass `org_id` to scope to a business org.",
+  inputShape: {
+    workspace: z7.string().min(1),
+    org_id: orgIdArg,
+    idp_id: z7.string().min(1)
+  },
+  handler: async ({ workspace, org_id, idp_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/idps/${encodeURIComponent(idp_id)}/probe`,
+    { method: "POST", query: { org_id } }
   )
 });
-var tools5 = [listIdps, addIdp, deleteIdp, getIdp, updateIdp];
+var tools7 = [listIdps, addIdp, deleteIdp, getIdp, updateIdp, probeIdp];
 
 // src/tools/login_policy.ts
-import { z as z6 } from "zod";
+import { z as z8 } from "zod";
+var orgIdArg2 = z8.string().min(1).optional().describe(
+  "Optional Zitadel org id to scope this operation to a specific business org. Omit for the workspace's home org (backwards-compat)."
+);
+var SECOND_FACTORS = ["otp", "u2f", "otp_email", "otp_sms"];
+var MULTI_FACTORS = ["u2f_verified"];
 var getLoginPolicy = defineTool({
   name: "get_login_policy",
-  description: "Return the workspace's current login policy (password rules, MFA, IdPs allowed, lockout, etc.).",
+  description: "Return the workspace's current login policy (auth methods, MFA factors, passwordless, domain discovery, hide-password-reset, etc.). Pass `org_id` to read a specific business org's policy.",
   inputShape: {
-    workspace: z6.string().min(1)
+    workspace: z8.string().min(1),
+    org_id: orgIdArg2
   },
-  handler: async ({ workspace }, { client }) => client.request(
-    `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,
+    { query: { org_id } }
   )
 });
 var updateLoginPolicy = defineTool({
   name: "update_login_policy",
-  description: "Update the login policy. PATCH semantics \u2014 only fields you pass are changed; other policy fields stay as they were.",
+  description: "Update the login policy. PATCH semantics \u2014 only fields you pass are changed; other policy fields stay as they were. Pass `org_id` to scope to a specific business org (P3a-3). Set `allow_domain_discovery=true` together with a verified org domain (see `verify_organization_domain`) to route email-based logins to that org automatically.",
   inputShape: {
-    workspace: z6.string().min(1),
-    allow_username_password: z6.boolean().optional(),
-    allow_register: z6.boolean().optional(),
-    allow_external_idp: z6.boolean().optional(),
-    force_mfa: z6.boolean().optional().describe("Require any second factor at login"),
-    passwordless_type: z6.enum([
-      "PASSWORDLESS_TYPE_NOT_ALLOWED",
-      "PASSWORDLESS_TYPE_ALLOWED"
-    ]).optional().describe("Enables passkey-first when set to ALLOWED"),
-    max_password_attempts: z6.number().int().min(0).max(20).optional(),
-    lockout_password_attempts: z6.number().int().min(0).max(20).optional()
+    workspace: z8.string().min(1),
+    org_id: orgIdArg2,
+    allow_username_password: z8.boolean().optional(),
+    allow_register: z8.boolean().optional(),
+    allow_external_idp: z8.boolean().optional(),
+    force_mfa: z8.boolean().optional().describe("Require any second factor at login."),
+    force_mfa_local_only: z8.boolean().optional().describe(
+      "X2: require MFA only for username/password logins, exempting external-IdP logins (which may already enforce MFA upstream). Only meaningful when force_mfa is also true."
+    ),
+    passwordless_allowed: z8.boolean().optional().describe("Allow passkey-first sign-in flows."),
+    second_factors: z8.array(z8.enum(SECOND_FACTORS)).optional().describe(
+      "Replaces the full list of allowed second-factor methods. Pass `[]` to disable all 2FA."
+    ),
+    multi_factors: z8.array(z8.enum(MULTI_FACTORS)).optional().describe(
+      "Replaces the full list of allowed multi-factor (passwordless+verification) methods."
+    ),
+    hide_password_reset: z8.boolean().optional(),
+    ignore_unknown_usernames: z8.boolean().optional(),
+    allow_domain_discovery: z8.boolean().optional().describe(
+      "P3a-3: route logins to the org that owns the typed email's verified domain, skipping the IdP picker. Requires at least one verified domain on the org (see verify_organization_domain)."
+    )
   },
-  handler: async ({ workspace, ...body }, { client }) => client.request(
+  handler: async ({ workspace, org_id, ...body }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/login-policy`,
+    { method: "PATCH", body, query: { org_id } }
+  )
+});
+var tools8 = [getLoginPolicy, updateLoginPolicy];
+
+// src/tools/org_domains.ts
+import { z as z9 } from "zod";
+var workspaceArg = z9.string().min(1);
+var orgIdArg3 = z9.string().min(1).describe(
+  "Zitadel org id (the `id` returned by create/list_organizations). Per-org scoping."
+);
+var domainArg = z9.string().min(3).max(253).regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/).describe(
+  "Fully-qualified domain to manage. Lower-case only \u2014 `Acme.com` and `acme.com` are different to Zitadel."
+);
+var listOrganizationDomains = defineTool({
+  name: "list_organization_domains",
+  description: "List every domain attached to an organization with its verification state. Use after add/verify to confirm the domain shows `is_verified=true`.",
+  inputShape: {
+    workspace: workspaceArg,
+    org_id: orgIdArg3
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/domains`
+  )
+});
+var addOrganizationDomain = defineTool({
+  name: "add_organization_domain",
+  description: "Attach a domain to an organization. State starts UNVERIFIED \u2014 chain `generate_organization_domain_verification` and `verify_organization_domain` to complete setup. 409 if already attached.",
+  inputShape: {
+    workspace: workspaceArg,
+    org_id: orgIdArg3,
+    domain: domainArg
+  },
+  handler: async ({ workspace, org_id, domain }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/domains`,
+    { method: "POST", body: { domain } }
+  )
+});
+var generateOrganizationDomainVerification = defineTool({
+  name: "generate_organization_domain_verification",
+  description: "Generate (or rotate) the verification token + record location for an attached domain. Returns `{token, url, method}`. The operator must publish the token at `url` (DNS TXT for method=dns; HTTP file for method=http) before calling `verify_organization_domain`. DNS is the default \u2014 works on apex domains, does not require HTTP control.",
+  inputShape: {
+    workspace: workspaceArg,
+    org_id: orgIdArg3,
+    domain: domainArg,
+    method: z9.enum(["dns", "http"]).default("dns").describe(
+      "Verification method. `dns` (default) \u2192 publish a TXT record. `http` \u2192 serve a file at `.well-known/zitadel-challenge/<token>` on the domain."
+    )
+  },
+  handler: async ({ workspace, org_id, domain, method }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/domains/${encodeURIComponent(domain)}/_generate_verification`,
+    { method: "POST", body: { method } }
+  )
+});
+var verifyOrganizationDomain = defineTool({
+  name: "verify_organization_domain",
+  description: "Trigger Zitadel to look up the published verification token and mark the domain verified. Returns the updated domain projection with `is_verified=true` on success. 400 if the token is not found (DNS not propagated yet, wrong record, etc.) \u2014 retry after publishing.",
+  inputShape: {
+    workspace: workspaceArg,
+    org_id: orgIdArg3,
+    domain: domainArg
+  },
+  handler: async ({ workspace, org_id, domain }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/domains/${encodeURIComponent(domain)}/_verify`,
+    { method: "POST" }
+  )
+});
+var deleteOrganizationDomain = defineTool({
+  name: "delete_organization_domain",
+  description: "Detach a domain from an organization. Idempotent (204 even if already gone). Verified domains can be removed too \u2014 domain discovery will no longer route logins of that email domain to this org.",
+  inputShape: {
+    workspace: workspaceArg,
+    org_id: orgIdArg3,
+    domain: domainArg
+  },
+  handler: async ({ workspace, org_id, domain }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/domains/${encodeURIComponent(domain)}`,
+    { method: "DELETE" }
+  )
+});
+var tools9 = [
+  listOrganizationDomains,
+  addOrganizationDomain,
+  generateOrganizationDomainVerification,
+  verifyOrganizationDomain,
+  deleteOrganizationDomain
+];
+
+// src/tools/organizations.ts
+import { z as z10 } from "zod";
+var createOrganization = defineTool({
+  name: "create_organization",
+  description: "Create a new organization inside a workspace. Returns the org with a stable `tenant_id` UUID \u2014 that's the value users will see as the `tenant_id` claim on their JWT when an active grant resolves to this org. Idempotent on slug: re-creating a duplicate slug returns 409.",
+  inputShape: {
+    workspace: z10.string().min(1),
+    name: z10.string().min(1).max(255).describe("Display name (mutable)."),
+    slug: z10.string().min(3).max(63).regex(/^[a-z][a-z0-9-]*[a-z0-9]$/).describe(
+      "URL-safe slug, unique per workspace. Immutable. Cannot be `__consumer__` (reserved)."
+    ),
+    allow_register: z10.boolean().default(false).describe(
+      "Whether self-registration is allowed for this org. Default false (invite-only)."
+    )
+  },
+  handler: async ({ workspace, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations`,
+    { method: "POST", body }
+  )
+});
+var listOrganizations = defineTool({
+  name: "list_organizations",
+  description: "List all organizations in a workspace, oldest first. Each item includes the stable `tenant_id` UUID and the consumer flag.",
+  inputShape: {
+    workspace: z10.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations`
+  )
+});
+var getOrganization = defineTool({
+  name: "get_organization",
+  description: "Read one organization by its Zitadel org id (the `id` returned by create/list, not the internal Prysm:ID UUID).",
+  inputShape: {
+    workspace: z10.string().min(1),
+    org_id: z10.string().min(1)
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}`
+  )
+});
+var updateOrganization = defineTool({
+  name: "update_organization",
+  description: "Rename an organization and/or toggle `allow_register` / `domain_auto_claim`. Sparse \u2014 omit fields to leave them untouched. Rename propagates to Zitadel synchronously.",
+  inputShape: {
+    workspace: z10.string().min(1),
+    org_id: z10.string().min(1),
+    name: z10.string().min(1).max(255).optional(),
+    allow_register: z10.boolean().optional(),
+    domain_auto_claim: z10.boolean().optional().describe(
+      "P2e opt-in: when True, verifying a domain on this org (or calling reconcile_organization_domain_claims) auto-grants the org access over consumer-org users with a matching verified email domain. Public domains are always excluded; the user's home org is never moved (the claim is an additional, revocable grant)."
+    )
+  },
+  handler: async ({ workspace, org_id, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}`,
     { method: "PATCH", body }
   )
 });
-var tools6 = [getLoginPolicy, updateLoginPolicy];
+var reconcileOrganizationDomainClaims = defineTool({
+  name: "reconcile_organization_domain_claims",
+  description: "P2e: grant this org access over consumer-org users whose verified email domain matches one of the org's verified domains. Idempotent and re-runnable \u2014 catches users who self-registered after a domain was verified. Requires domain_auto_claim=true on the org (returns skipped with a reason otherwise). Public email domains are always excluded; the user's home org is never moved. Returns counts: granted / already_present / candidates + the domains matched.",
+  inputShape: {
+    workspace: z10.string().min(1),
+    org_id: z10.string().min(1)
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/_reconcile-domain-claims`,
+    { method: "POST" }
+  )
+});
+var deactivateOrganization = defineTool({
+  name: "deactivate_organization",
+  description: "Block all logins to an organization. Idempotent. Consumer org cannot be deactivated \u2014 toggle `allow_consumer_org=false` on the workspace instead.",
+  inputShape: {
+    workspace: z10.string().min(1),
+    org_id: z10.string().min(1)
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/_deactivate`,
+    { method: "POST" }
+  )
+});
+var reactivateOrganization = defineTool({
+  name: "reactivate_organization",
+  description: "Re-enable logins for a previously deactivated organization. Idempotent.",
+  inputShape: {
+    workspace: z10.string().min(1),
+    org_id: z10.string().min(1)
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}/_reactivate`,
+    { method: "POST" }
+  )
+});
+var deleteOrganization = defineTool({
+  name: "delete_organization",
+  description: "Hard-delete an organization. Cascades users/projects/grants on the Zitadel side. Idempotent against out-of-band Zitadel removal. Consumer org is protected \u2014 toggle `allow_consumer_org=false` on the workspace to remove it.",
+  inputShape: {
+    workspace: z10.string().min(1),
+    org_id: z10.string().min(1)
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/${encodeURIComponent(org_id)}`,
+    { method: "DELETE" }
+  )
+});
+var ensureConsumerOrganization = defineTool({
+  name: "ensure_consumer_organization",
+  description: "Idempotently provision the workspace's consumer organization for self-registered users. Requires `workspace.allow_consumer_org=true` (toggle it via update_workspace first). Returns the org row whether newly created or already present. Slug `__consumer__`, `allow_register=true`, `is_consumer=true`.",
+  inputShape: {
+    workspace: z10.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/organizations/_ensure-consumer`,
+    { method: "POST" }
+  )
+});
+var tools10 = [
+  createOrganization,
+  listOrganizations,
+  getOrganization,
+  updateOrganization,
+  reconcileOrganizationDomainClaims,
+  deactivateOrganization,
+  reactivateOrganization,
+  deleteOrganization,
+  ensureConsumerOrganization
+];
+
+// src/tools/service_accounts.ts
+import { z as z11 } from "zod";
+var orgIdArg4 = z11.string().min(1).optional().describe(
+  "Optional Zitadel org id to scope the service account to a specific business org. Omit for the workspace's home org (backwards-compat)."
+);
+var listServiceAccounts = defineTool({
+  name: "list_service_accounts",
+  description: "List the workspace's service accounts (machine users). The platform-internal provisioner SA is filtered out. Pass `org_id` to list a specific business org's machine users.",
+  inputShape: {
+    workspace: z11.string().min(1),
+    org_id: orgIdArg4
+  },
+  handler: async ({ workspace, org_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/service-accounts`,
+    { query: { org_id } }
+  )
+});
+var createServiceAccount = defineTool({
+  name: "create_service_account",
+  description: "Create a service account (machine user) and mint its JSON key. The `key` is returned ONCE in the response and never stored by Prysmid \u2014 surface it to the operator and instruct them to save it in a secret manager. Pass `org_id` to create the SA inside a specific business org.",
+  inputShape: {
+    workspace: z11.string().min(1),
+    org_id: orgIdArg4,
+    user_name: z11.string().regex(/^[a-zA-Z][a-zA-Z0-9._-]{1,49}$/).describe(
+      "Machine username (Zitadel handle). Cannot be the reserved `prysmid-provisioner`."
+    ),
+    name: z11.string().min(1).max(200).describe("Human-readable display name."),
+    description: z11.string().max(500).optional()
+  },
+  handler: async ({ workspace, org_id, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/service-accounts`,
+    { method: "POST", body, query: { org_id } }
+  )
+});
+var deleteServiceAccount = defineTool({
+  name: "delete_service_account",
+  description: "Revoke a service account. Idempotent (204 even if already gone). Refuses to delete the platform provisioner SA. Pass `org_id` to target a specific business org's machine user.",
+  inputShape: {
+    workspace: z11.string().min(1),
+    org_id: orgIdArg4,
+    service_account_id: z11.string().min(1)
+  },
+  handler: async ({ workspace, org_id, service_account_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/service-accounts/${encodeURIComponent(service_account_id)}`,
+    { method: "DELETE", query: { org_id } }
+  )
+});
+var tools11 = [
+  listServiceAccounts,
+  createServiceAccount,
+  deleteServiceAccount
+];
 
 // src/tools/users.ts
-import { z as z7 } from "zod";
+import { z as z12 } from "zod";
 var listUsers = defineTool({
   name: "list_users",
   description: "List human users in a workspace.",
   inputShape: {
-    workspace: z7.string().min(1),
-    limit: z7.number().int().min(1).max(500).default(100)
+    workspace: z12.string().min(1),
+    limit: z12.number().int().min(1).max(500).default(100)
   },
   handler: async ({ workspace, limit }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/users`,
@@ -789,11 +1289,11 @@ var inviteUser = defineTool({
   name: "invite_user",
   description: "Invite a user by email. Idempotent by email \u2014 re-inviting an existing user is a no-op. Triggers a Zitadel init email with a 'set your password' link.",
   inputShape: {
-    workspace: z7.string().min(1),
-    email: z7.string().regex(/^[^\s@]+@[^\s@]+\.[^\s@]+$/, "must be a valid email"),
-    first_name: z7.string().min(1),
-    last_name: z7.string().min(1),
-    preferred_language: z7.string().length(2).default("en").describe("ISO 639-1, e.g. en/es/pt")
+    workspace: z12.string().min(1),
+    email: z12.string().regex(/^[^\s@]+@[^\s@]+\.[^\s@]+$/, "must be a valid email"),
+    first_name: z12.string().min(1),
+    last_name: z12.string().min(1),
+    preferred_language: z12.string().length(2).default("en").describe("ISO 639-1, e.g. en/es/pt")
   },
   handler: async ({ workspace, ...body }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/users/invite`,
@@ -804,18 +1304,115 @@ var deleteUser = defineTool({
   name: "delete_user",
   description: "Delete a user by id. Idempotent.",
   inputShape: {
-    workspace: z7.string().min(1),
-    user_id: z7.string().min(1)
+    workspace: z12.string().min(1),
+    user_id: z12.string().min(1)
   },
   handler: async ({ workspace, user_id }, { client }) => client.request(
     `/v1/workspaces/${encodeURIComponent(workspace)}/users/${encodeURIComponent(user_id)}`,
     { method: "DELETE" }
   )
 });
-var tools7 = [listUsers, inviteUser, deleteUser];
+var tools12 = [listUsers, inviteUser, deleteUser];
+
+// src/tools/webhooks.ts
+import { z as z13 } from "zod";
+var KNOWN_EVENTS = [
+  "user.created",
+  "user.deleted",
+  "user.deactivated",
+  "user.reactivated",
+  "session.created",
+  "org.created",
+  "org.updated",
+  "org.deactivated",
+  "org.reactivated",
+  "org.deleted",
+  "grant.granted",
+  "grant.updated",
+  "grant.deactivated",
+  "grant.reactivated",
+  "grant.revoked"
+];
+var eventName = z13.enum(KNOWN_EVENTS);
+var createWebhookEndpoint = defineTool({
+  name: "create_webhook_endpoint",
+  description: "Register a new outbound webhook endpoint for a workspace. Returns the freshly-generated `signing_secret` EXACTLY ONCE \u2014 store it immediately to verify deliveries; it is NOT retrievable later. HTTPS required in prod. Empty `enabled_events` = catch-all (subscribe to everything).",
+  inputShape: {
+    workspace: z13.string().min(1),
+    url: z13.string().url().describe(
+      "Destination URL. Must be https:// in production; http:// is permitted only on dev/staging environments."
+    ),
+    description: z13.string().max(255).optional().describe("Human label so you can tell endpoints apart in the dashboard."),
+    enabled_events: z13.array(eventName).default([]).describe(
+      "Event types this endpoint subscribes to. Empty = catch-all. Unknown event types return 422."
+    )
+  },
+  handler: async ({ workspace, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/webhook-endpoints`,
+    { method: "POST", body }
+  )
+});
+var listWebhookEndpoints = defineTool({
+  name: "list_webhook_endpoints",
+  description: "List all outbound webhook endpoints registered for a workspace. Does NOT return signing secrets \u2014 that's only on create.",
+  inputShape: {
+    workspace: z13.string().min(1)
+  },
+  handler: async ({ workspace }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/webhook-endpoints`
+  )
+});
+var getWebhookEndpoint = defineTool({
+  name: "get_webhook_endpoint",
+  description: "Read one webhook endpoint by id. Omits the signing secret \u2014 recreate the endpoint if it was lost.",
+  inputShape: {
+    workspace: z13.string().min(1),
+    endpoint_id: z13.string().min(1)
+  },
+  handler: async ({ workspace, endpoint_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/webhook-endpoints/${encodeURIComponent(endpoint_id)}`
+  )
+});
+var updateWebhookEndpoint = defineTool({
+  name: "update_webhook_endpoint",
+  description: "Sparse update of an endpoint's url / description / enabled_events / enabled flag. Omit fields to leave them untouched. signing_secret is NOT mutable \u2014 to rotate, delete and recreate.",
+  inputShape: {
+    workspace: z13.string().min(1),
+    endpoint_id: z13.string().min(1),
+    url: z13.string().url().optional(),
+    description: z13.string().max(255).optional(),
+    enabled_events: z13.array(eventName).optional(),
+    enabled: z13.boolean().optional().describe(
+      "Toggle deliveries without losing config. Useful when the destination is temporarily down."
+    )
+  },
+  handler: async ({ workspace, endpoint_id, ...body }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/webhook-endpoints/${encodeURIComponent(endpoint_id)}`,
+    { method: "PATCH", body }
+  )
+});
+var deleteWebhookEndpoint = defineTool({
+  name: "delete_webhook_endpoint",
+  description: "Permanently remove a webhook endpoint. Pending deliveries to it are NOT removed (operator can inspect them) but no new deliveries will be queued.",
+  inputShape: {
+    workspace: z13.string().min(1),
+    endpoint_id: z13.string().min(1)
+  },
+  handler: async ({ workspace, endpoint_id }, { client }) => client.request(
+    `/v1/workspaces/${encodeURIComponent(workspace)}/webhook-endpoints/${encodeURIComponent(endpoint_id)}`,
+    { method: "DELETE" }
+  )
+});
+var tools13 = [
+  createWebhookEndpoint,
+  listWebhookEndpoints,
+  getWebhookEndpoint,
+  updateWebhookEndpoint,
+  deleteWebhookEndpoint
+];
 
 // src/tools/workspaces.ts
-import { z as z8 } from "zod";
+import { z as z14 } from "zod";
 var listWorkspaces = defineTool({
   name: "list_workspaces",
   description: "List Prysmid workspaces accessible to the current API token. Returns an array of {id, slug, display_name, plan, state}.",
@@ -826,7 +1423,7 @@ var getWorkspace = defineTool({
   name: "get_workspace",
   description: "Get a single workspace by slug or id.",
   inputShape: {
-    workspace: z8.string().min(1).describe("Workspace slug or UUID")
+    workspace: z14.string().min(1).describe("Workspace slug or UUID")
   },
   handler: async ({ workspace }, { client }) => client.request(`/v1/workspaces/${encodeURIComponent(workspace)}`)
 });
@@ -834,25 +1431,25 @@ var createWorkspace = defineTool({
   name: "create_workspace",
   description: "Create a new Prysmid workspace. Provisioning runs in the background; the response returns immediately with state=provisioning. Poll `get_workspace` until state=active (~30s).",
   inputShape: {
-    slug: z8.string().min(2).max(63).regex(/^[a-z0-9-]+$/, "lowercase alphanumeric and hyphens only").describe("Subdomain-safe slug \u2014 becomes auth.<slug>.prysmid.com"),
-    display_name: z8.string().min(1).max(255)
+    slug: z14.string().min(2).max(63).regex(/^[a-z0-9-]+$/, "lowercase alphanumeric and hyphens only").describe("Subdomain-safe slug \u2014 becomes auth.<slug>.prysmid.com"),
+    display_name: z14.string().min(1).max(255)
   },
   handler: async (input, { client }) => client.request("/v1/workspaces", { method: "POST", body: input })
 });
-var tools8 = [listWorkspaces, getWorkspace, createWorkspace];
+var tools14 = [listWorkspaces, getWorkspace, createWorkspace];
 
 // src/tools/generated/apps.ts
-import { z as z9 } from "zod";
+import { z as z15 } from "zod";
 var createApp = defineTool({
   name: "create_app",
   description: "Create App",
   inputShape: {
-    workspace_id: z9.string().uuid(),
-    name: z9.string().min(1).max(200),
-    redirect_uris: z9.array(z9.string().url().min(1).max(2083)).describe("Where the IdP sends the user back after auth. At least one required."),
-    post_logout_redirect_uris: z9.array(z9.string().url().min(1).max(2083)).describe("Where the IdP sends the user after logout.").optional(),
-    app_type: z9.enum(["web", "spa", "native"]).describe("App kind, drives OIDC grant + auth_method defaults.\n\n- `web`: server-rendered confidential client. Gets a `client_secret`.\n- `spa`: single-page app (user-agent). Public, PKCE required, no secret.\n- `native`: desktop/mobile. Public, PKCE required, no secret.").optional(),
-    dev_mode: z9.boolean().describe("Relax HTTPS requirement on redirect_uris (allows http://localhost). Use only for local development; never in production.").default(false)
+    workspace_id: z15.string().uuid(),
+    name: z15.string().min(1).max(200),
+    redirect_uris: z15.array(z15.string().url().min(1).max(2083)).describe("Where the IdP sends the user back after auth. At least one required."),
+    post_logout_redirect_uris: z15.array(z15.string().url().min(1).max(2083)).describe("Where the IdP sends the user after logout.").optional(),
+    app_type: z15.enum(["web", "spa", "native"]).describe("App kind, drives OIDC grant + auth_method defaults.\n\n- `web`: server-rendered confidential client. Gets a `client_secret`.\n- `spa`: single-page app (user-agent). Public, PKCE required, no secret.\n- `native`: desktop/mobile. Public, PKCE required, no secret.").optional(),
+    dev_mode: z15.boolean().describe("Relax HTTPS requirement on redirect_uris (allows http://localhost). Use only for local development; never in production.").default(false)
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -863,8 +1460,8 @@ var deleteApp = defineTool({
   name: "delete_app",
   description: "Delete App",
   inputShape: {
-    workspace_id: z9.string().uuid(),
-    app_id: z9.string()
+    workspace_id: z15.string().uuid(),
+    app_id: z15.string()
   },
   handler: async (input, { client }) => {
     const { workspace_id, app_id } = input;
@@ -875,7 +1472,7 @@ var listApps2 = defineTool({
   name: "list_apps",
   description: "List Apps",
   inputShape: {
-    workspace_id: z9.string().uuid()
+    workspace_id: z15.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -889,13 +1486,13 @@ var generatedAppsTools = [
 ];
 
 // src/tools/generated/billing.ts
-import { z as z10 } from "zod";
+import { z as z16 } from "zod";
 var billingCheckout = defineTool({
   name: "billing_checkout",
   description: "Checkout",
   inputShape: {
-    workspace_id: z10.string().uuid(),
-    plan: z10.enum(["free", "pro", "enterprise"])
+    workspace_id: z16.string().uuid(),
+    plan: z16.enum(["free", "pro", "enterprise"])
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -906,7 +1503,7 @@ var billingGetState = defineTool({
   name: "billing_get_state",
   description: "Get State",
   inputShape: {
-    workspace_id: z10.string().uuid()
+    workspace_id: z16.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -917,7 +1514,7 @@ var billingPortal = defineTool({
   name: "billing_portal",
   description: "Portal",
   inputShape: {
-    workspace_id: z10.string().uuid()
+    workspace_id: z16.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -928,8 +1525,8 @@ var updateSpendingCap = defineTool({
   name: "update_spending_cap",
   description: "Update Spending Cap",
   inputShape: {
-    workspace_id: z10.string().uuid(),
-    cents: z10.number().int().min(0).nullable().optional()
+    workspace_id: z16.string().uuid(),
+    cents: z16.number().int().min(0).nullable().optional()
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -944,12 +1541,12 @@ var generatedBillingTools = [
 ];
 
 // src/tools/generated/branding.ts
-import { z as z11 } from "zod";
+import { z as z17 } from "zod";
 var deleteLogo = defineTool({
   name: "delete_logo",
   description: "Delete Logo",
   inputShape: {
-    workspace_id: z11.string().uuid()
+    workspace_id: z17.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -960,7 +1557,7 @@ var getBranding2 = defineTool({
   name: "get_branding",
   description: "Get Branding",
   inputShape: {
-    workspace_id: z11.string().uuid()
+    workspace_id: z17.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -971,17 +1568,17 @@ var updateBranding2 = defineTool({
   name: "update_branding",
   description: "Update Branding",
   inputShape: {
-    workspace_id: z11.string().uuid(),
-    primary_color: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    background_color: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    warn_color: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    font_color: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    primary_color_dark: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    background_color_dark: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    warn_color_dark: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    font_color_dark: z11.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
-    hide_login_name_suffix: z11.boolean().nullable().optional(),
-    disable_watermark: z11.boolean().nullable().optional()
+    workspace_id: z17.string().uuid(),
+    primary_color: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    background_color: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    warn_color: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    font_color: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    primary_color_dark: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    background_color_dark: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    warn_color_dark: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    font_color_dark: z17.string().regex(/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/).nullable().optional(),
+    hide_login_name_suffix: z17.boolean().nullable().optional(),
+    disable_watermark: z17.boolean().nullable().optional()
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -995,19 +1592,19 @@ var generatedBrandingTools = [
 ];
 
 // src/tools/generated/idps.ts
-import { z as z12 } from "zod";
+import { z as z18 } from "zod";
 var createIdp = defineTool({
   name: "create_idp",
   description: "Create Idp",
   inputShape: {
-    workspace_id: z12.string().uuid(),
-    type: z12.enum(["google", "github", "microsoft", "oidc"]),
-    name: z12.string().min(1).max(200),
-    client_id: z12.string().min(1),
-    client_secret: z12.string().min(1),
-    issuer: z12.string().url().min(1).max(2083).nullable().optional(),
-    tenant_id: z12.string().nullable().optional(),
-    scopes: z12.array(z12.string()).nullable().optional()
+    workspace_id: z18.string().uuid(),
+    type: z18.enum(["google", "github", "microsoft", "oidc"]),
+    name: z18.string().min(1).max(200),
+    client_id: z18.string().min(1),
+    client_secret: z18.string().min(1),
+    issuer: z18.string().url().min(1).max(2083).nullable().optional(),
+    tenant_id: z18.string().nullable().optional(),
+    scopes: z18.array(z18.string()).nullable().optional()
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -1018,8 +1615,8 @@ var deleteIdp2 = defineTool({
   name: "delete_idp",
   description: "Delete Idp",
   inputShape: {
-    workspace_id: z12.string().uuid(),
-    idp_id: z12.string()
+    workspace_id: z18.string().uuid(),
+    idp_id: z18.string()
   },
   handler: async (input, { client }) => {
     const { workspace_id, idp_id } = input;
@@ -1030,7 +1627,7 @@ var listIdps2 = defineTool({
   name: "list_idps",
   description: "List Idps",
   inputShape: {
-    workspace_id: z12.string().uuid()
+    workspace_id: z18.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1044,12 +1641,12 @@ var generatedIdpsTools = [
 ];
 
 // src/tools/generated/login-policy.ts
-import { z as z13 } from "zod";
+import { z as z19 } from "zod";
 var getLoginPolicy2 = defineTool({
   name: "get_login_policy",
   description: "Get Login Policy",
   inputShape: {
-    workspace_id: z13.string().uuid()
+    workspace_id: z19.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1060,16 +1657,16 @@ var updateLoginPolicy2 = defineTool({
   name: "update_login_policy",
   description: "Update Login Policy",
   inputShape: {
-    workspace_id: z13.string().uuid(),
-    allow_username_password: z13.boolean().nullable().optional(),
-    allow_register: z13.boolean().nullable().optional(),
-    allow_external_idp: z13.boolean().nullable().optional(),
-    force_mfa: z13.boolean().nullable().optional(),
-    passwordless_allowed: z13.boolean().nullable().optional(),
-    second_factors: z13.array(z13.enum(["otp", "u2f", "otp_email", "otp_sms"])).nullable().optional(),
-    multi_factors: z13.array(z13.enum(["u2f_verified"])).nullable().optional(),
-    hide_password_reset: z13.boolean().nullable().optional(),
-    ignore_unknown_usernames: z13.boolean().nullable().optional()
+    workspace_id: z19.string().uuid(),
+    allow_username_password: z19.boolean().nullable().optional(),
+    allow_register: z19.boolean().nullable().optional(),
+    allow_external_idp: z19.boolean().nullable().optional(),
+    force_mfa: z19.boolean().nullable().optional(),
+    passwordless_allowed: z19.boolean().nullable().optional(),
+    second_factors: z19.array(z19.enum(["otp", "u2f", "otp_email", "otp_sms"])).nullable().optional(),
+    multi_factors: z19.array(z19.enum(["u2f_verified"])).nullable().optional(),
+    hide_password_reset: z19.boolean().nullable().optional(),
+    ignore_unknown_usernames: z19.boolean().nullable().optional()
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -1082,12 +1679,12 @@ var generatedLoginPolicyTools = [
 ];
 
 // src/tools/generated/smtp.ts
-import { z as z14 } from "zod";
+import { z as z20 } from "zod";
 var getSmtp = defineTool({
   name: "get_smtp",
   description: "Get Smtp",
   inputShape: {
-    workspace_id: z14.string().uuid()
+    workspace_id: z20.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1098,7 +1695,7 @@ var revertToPlatformDefault = defineTool({
   name: "revert_to_platform_default",
   description: "Revert To Platform Default",
   inputShape: {
-    workspace_id: z14.string().uuid()
+    workspace_id: z20.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1109,15 +1706,15 @@ var setCustomSmtp = defineTool({
   name: "set_custom_smtp",
   description: "Set Custom Smtp",
   inputShape: {
-    workspace_id: z14.string().uuid(),
-    host: z14.string().min(1),
-    port: z14.number().int().min(1).max(65535),
-    tls: z14.boolean().default(true),
-    sender_address: z14.string().min(3).describe("Address that appears in the From header."),
-    sender_name: z14.string().min(1).max(200),
-    user: z14.string().min(1).describe("SMTP auth username."),
-    password: z14.string().min(1).describe("SMTP auth password / API key."),
-    reply_to_address: z14.string().describe("Optional Reply-To header.").default("")
+    workspace_id: z20.string().uuid(),
+    host: z20.string().min(1),
+    port: z20.number().int().min(1).max(65535),
+    tls: z20.boolean().default(true),
+    sender_address: z20.string().min(3).describe("Address that appears in the From header."),
+    sender_name: z20.string().min(1).max(200),
+    user: z20.string().min(1).describe("SMTP auth username."),
+    password: z20.string().min(1).describe("SMTP auth password / API key."),
+    reply_to_address: z20.string().describe("Optional Reply-To header.").default("")
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -1131,13 +1728,13 @@ var generatedSmtpTools = [
 ];
 
 // src/tools/generated/users.ts
-import { z as z15 } from "zod";
+import { z as z21 } from "zod";
 var deleteUser2 = defineTool({
   name: "delete_user",
   description: "Delete User",
   inputShape: {
-    workspace_id: z15.string().uuid(),
-    user_id: z15.string()
+    workspace_id: z21.string().uuid(),
+    user_id: z21.string()
   },
   handler: async (input, { client }) => {
     const { workspace_id, user_id } = input;
@@ -1148,11 +1745,11 @@ var inviteUser2 = defineTool({
   name: "invite_user",
   description: "Invite User",
   inputShape: {
-    workspace_id: z15.string().uuid(),
-    email: z15.string().max(320).regex(/^[^\s@]+@[^\s@]+\.[^\s@]+$/),
-    first_name: z15.string().min(1).max(100),
-    last_name: z15.string().min(1).max(100),
-    user_name: z15.string().nullable().optional()
+    workspace_id: z21.string().uuid(),
+    email: z21.string().max(320).regex(/^[^\s@]+@[^\s@]+\.[^\s@]+$/),
+    first_name: z21.string().min(1).max(100),
+    last_name: z21.string().min(1).max(100),
+    user_name: z21.string().nullable().optional()
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -1163,7 +1760,7 @@ var listUsers2 = defineTool({
   name: "list_users",
   description: "List Users",
   inputShape: {
-    workspace_id: z15.string().uuid()
+    workspace_id: z21.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1177,14 +1774,14 @@ var generatedUsersTools = [
 ];
 
 // src/tools/generated/workspaces.ts
-import { z as z16 } from "zod";
+import { z as z22 } from "zod";
 var createWorkspace2 = defineTool({
   name: "create_workspace",
   description: "Create Workspace",
   inputShape: {
-    slug: z16.string().min(3).max(63).regex(/^[a-z][a-z0-9-]*[a-z0-9]$/).describe("URL-safe lowercase slug. Becomes part of auth.<slug>.prysmid.com."),
-    display_name: z16.string().min(1).max(255),
-    plan: z16.enum(["free", "pro", "enterprise"]).optional()
+    slug: z22.string().min(3).max(63).regex(/^[a-z][a-z0-9-]*[a-z0-9]$/).describe("URL-safe lowercase slug. Becomes part of auth.<slug>.prysmid.com."),
+    display_name: z22.string().min(1).max(255),
+    plan: z22.enum(["free", "pro", "enterprise"]).optional()
   },
   handler: async (input, { client }) => {
     return client.request(`/v1/workspaces`, { method: "POST", body: input });
@@ -1194,7 +1791,7 @@ var deleteWorkspace = defineTool({
   name: "delete_workspace",
   description: "Delete Workspace",
   inputShape: {
-    workspace_id: z16.string().uuid()
+    workspace_id: z22.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1205,7 +1802,7 @@ var getWorkspace2 = defineTool({
   name: "get_workspace",
   description: "Get Workspace",
   inputShape: {
-    workspace_id: z16.string().uuid()
+    workspace_id: z22.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1224,7 +1821,7 @@ var retryProvisioning = defineTool({
   name: "retry_provisioning",
   description: "Retry Provisioning",
   inputShape: {
-    workspace_id: z16.string().uuid()
+    workspace_id: z22.string().uuid()
   },
   handler: async (input, { client }) => {
     const { workspace_id } = input;
@@ -1235,8 +1832,8 @@ var updateWorkspace = defineTool({
   name: "update_workspace",
   description: "Update Workspace",
   inputShape: {
-    workspace_id: z16.string().uuid(),
-    display_name: z16.string().min(1).max(255).nullable().optional()
+    workspace_id: z22.string().uuid(),
+    display_name: z22.string().min(1).max(255).nullable().optional()
   },
   handler: async (input, { client }) => {
     const { workspace_id, ...__body } = input;
@@ -1292,14 +1889,20 @@ var GENERATED_ALIASES = {
 };
 function composeToolset() {
   const handwrittenAndCurated = [
-    ...tools8,
-    ...tools,
-    ...tools5,
+    ...tools14,
+    ...tools10,
+    ...tools9,
     ...tools6,
+    ...tools,
     ...tools7,
-    ...tools3,
+    ...tools8,
+    ...tools11,
     ...tools2,
-    ...tools4
+    ...tools12,
+    ...tools4,
+    ...tools3,
+    ...tools13,
+    ...tools5
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
   ];
   const handwrittenNames = new Set(handwrittenAndCurated.map((t) => t.name));