@superblocksteam/cli 2.0.105-next.0 → 2.0.105-next.2

package/dist/{chunk-6LTX4MKG.js → chunk-VRPW5BO7.js}

@@ -1,7 +1,7 @@
 if (typeof process === 'object' && process !== null &&
     process.env !== null && typeof process.env === 'object') {
   process.env.DD_GIT_REPOSITORY_URL = 'https://token@github.com/superblocksteam/superblocks.git';
-  process.env.DD_GIT_COMMIT_SHA = 'd3ed004f0639aa5cf95a86a1ffc7a3e0f629c2fa';
+  process.env.DD_GIT_COMMIT_SHA = 'de5c3e104e3ed96f50cc0f43a6c093c0132245f9';
 }
 import { createRequire as $dd_createRequire } from 'module';
 import { fileURLToPath as $dd_fileURLToPath } from 'url';
@@ -16,15 +16,194 @@ import {
   require_dist,
   require_dist2,
   writeApplicationToDisk
-} from "./chunk-SOHOJJJL.js";
+} from "./chunk-Q5XZN3IH.js";
 import {
   require_lib
-} from "./chunk-XHOK2OVZ.js";
+} from "./chunk-UR32AWL5.js";
 import {
   __export,
   __toESM,
   init_cjs_shims
-} from "./chunk-QLZERZ2C.js";
+} from "./chunk-DBJL76JG.js";
+
+// ../mcp-server/package.json
+var package_default = {
+  name: "@superblocksteam/mcp-server",
+  version: "2.0.105-next.2",
+  description: "Superblocks MCP server",
+  license: "Superblocks Community Software License",
+  bin: {
+    "superblocks-mcp": "./dist/index.js"
+  },
+  files: [
+    "dist"
+  ],
+  type: "module",
+  main: "dist/index.js",
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      import: "./dist/index.js",
+      default: "./dist/index.js"
+    },
+    "./http": {
+      types: "./dist/http.d.ts",
+      import: "./dist/http.js",
+      default: "./dist/http.js"
+    },
+    "./jsonrpc": {
+      types: "./dist/jsonrpc.d.ts",
+      import: "./dist/jsonrpc.js",
+      default: "./dist/jsonrpc.js"
+    },
+    "./auth/context": {
+      types: "./dist/auth/context.d.ts",
+      import: "./dist/auth/context.js",
+      default: "./dist/auth/context.js"
+    },
+    "./setup": {
+      types: "./dist/setup/index.d.ts",
+      import: "./dist/setup/index.js",
+      default: "./dist/setup/index.js"
+    }
+  },
+  scripts: {
+    build: "tsc --build tsconfig.build.json",
+    check: "pnpm run lint && pnpm run typecheck",
+    dev: "tsc --build tsconfig.build.json --watch --preserveWatchOutput",
+    lint: "eslint --concurrency=auto",
+    "lint:fix": "eslint src --fix --concurrency=auto",
+    "publish-package": "pnpm publish",
+    test: "vitest run --config vitest.config.ts",
+    typecheck: "tsc --noEmit"
+  },
+  dependencies: {
+    "@modelcontextprotocol/sdk": "^1.28.0",
+    "@superblocksteam/sdk": "workspace:*",
+    "@superblocksteam/shared": "workspace:*",
+    "@superblocksteam/util": "workspace:*",
+    "fs-extra": "^11.3.0",
+    zod: "^4.3.6"
+  },
+  devDependencies: {
+    "@types/fs-extra": "^11.0.4",
+    "@types/node": "catalog:",
+    eslint: "catalog:",
+    tsdown: "catalog:",
+    typescript: "catalog:",
+    "typescript-eslint": "catalog:",
+    vitest: "catalog:"
+  },
+  engines: {
+    node: ">=24",
+    npm: ">=10.x"
+  },
+  publishConfig: {
+    registry: "https://registry.npmjs.org"
+  }
+};
+
+// ../mcp-server/dist/jsonrpc.js
+init_cjs_shims();
+function isJsonRpcRequest(value) {
+  return typeof value === "object" && value !== null && "jsonrpc" in value && value.jsonrpc === "2.0" && "method" in value && typeof value.method === "string";
+}
+function invalidRequestResponse() {
+  return {
+    jsonrpc: "2.0",
+    id: null,
+    error: { code: -32600, message: "Invalid Request" }
+  };
+}
+async function handleJsonRpc(request, options) {
+  const hasRequestId = Object.keys(request).includes("id");
+  const maybeRespond = (response) => hasRequestId ? response : null;
+  let id = null;
+  try {
+    id = hasRequestId ? request.id ?? null : null;
+    switch (request.method) {
+      case "initialize": {
+        return maybeRespond({
+          jsonrpc: "2.0",
+          id,
+          result: {
+            protocolVersion: "2025-03-26",
+            capabilities: { tools: {} },
+            serverInfo: {
+              name: "superblocks-mcp",
+              version: options.version
+            }
+          }
+        });
+      }
+      case "tools/list": {
+        return maybeRespond({
+          jsonrpc: "2.0",
+          id,
+          result: { tools: options.listTools() }
+        });
+      }
+      case "tools/call": {
+        const params = request.params;
+        if (!params?.name) {
+          return maybeRespond({
+            jsonrpc: "2.0",
+            id,
+            error: { code: -32602, message: "Missing tool name" }
+          });
+        }
+        try {
+          const result = await options.executeToolCall(params.name, params.arguments);
+          return maybeRespond({ jsonrpc: "2.0", id, result });
+        } catch (error48) {
+          const code = typeof error48.code === "number" ? error48.code : -32603;
+          return maybeRespond({
+            jsonrpc: "2.0",
+            id,
+            error: {
+              code,
+              message: error48 instanceof Error ? error48.message : "Internal server error"
+            }
+          });
+        }
+      }
+      case "notifications/initialized": {
+        return null;
+      }
+      case "ping": {
+        return maybeRespond({ jsonrpc: "2.0", id, result: {} });
+      }
+      default: {
+        return maybeRespond({
+          jsonrpc: "2.0",
+          id,
+          error: {
+            code: -32601,
+            message: `Method not found: ${request.method}`
+          }
+        });
+      }
+    }
+  } catch (error48) {
+    return maybeRespond({
+      jsonrpc: "2.0",
+      id,
+      error: {
+        code: -32603,
+        message: error48 instanceof Error ? error48.message : "Internal server error"
+      }
+    });
+  }
+}
+
+// ../mcp-server/dist/profile.js
+init_cjs_shims();
+function resolveProfile() {
+  if (process.env.SUPERBLOCKS_MCP_PROFILE === "internal") {
+    return "internal";
+  }
+  return "customer";
+}
 
 // ../../../../node_modules/.pnpm/@modelcontextprotocol+sdk@1.28.0_zod@4.3.6/node_modules/@modelcontextprotocol/sdk/dist/esm/types.js
 init_cjs_shims();
@@ -15410,107 +15589,21 @@ var UrlElicitationRequiredError = class extends McpError {
   }
 };
 
-// ../mcp-server/package.json
-var package_default = {
-  name: "@superblocksteam/mcp-server",
-  version: "2.0.105-next.0",
-  description: "Superblocks MCP server",
-  license: "Superblocks Community Software License",
-  bin: {
-    "superblocks-mcp": "./dist/index.js"
-  },
-  files: [
-    "dist"
-  ],
-  type: "module",
-  main: "dist/index.js",
-  exports: {
-    ".": {
-      types: "./dist/index.d.ts",
-      import: "./dist/index.js"
-    },
-    "./http": {
-      types: "./dist/http.d.ts",
-      import: "./dist/http.js"
-    }
-  },
-  scripts: {
-    build: "tsc --build tsconfig.build.json",
-    check: "pnpm run lint && pnpm run typecheck",
-    dev: "tsc --build tsconfig.build.json --watch --preserveWatchOutput",
-    lint: "eslint --concurrency=auto",
-    "lint:fix": "eslint src --fix --concurrency=auto",
-    "publish-package": "pnpm publish",
-    test: "vitest run --config vitest.config.ts",
-    typecheck: "tsc --noEmit"
-  },
-  dependencies: {
-    "@modelcontextprotocol/sdk": "^1.28.0",
-    "@superblocksteam/sdk": "workspace:*",
-    "@superblocksteam/shared": "workspace:*",
-    "@superblocksteam/util": "workspace:*",
-    "fs-extra": "^11.3.0",
-    zod: "^4.3.6"
-  },
-  devDependencies: {
-    "@types/fs-extra": "^11.0.4",
-    "@types/node": "catalog:",
-    eslint: "catalog:",
-    tsdown: "catalog:",
-    typescript: "catalog:",
-    "typescript-eslint": "catalog:",
-    vitest: "catalog:"
-  },
-  engines: {
-    node: ">=24",
-    npm: ">=10.x"
-  },
-  publishConfig: {
-    registry: "https://registry.npmjs.org"
-  }
-};
-
-// ../mcp-server/dist/profile.js
+// ../mcp-server/dist/auth/context.js
 init_cjs_shims();
-function resolveProfile() {
-  if (process.env.SUPERBLOCKS_MCP_PROFILE === "internal") {
-    return "internal";
-  }
-  return "customer";
+import { AsyncLocalStorage } from "node:async_hooks";
+var authStore = new AsyncLocalStorage();
+function getAuthContext() {
+  return authStore.getStore();
 }
-
-// ../mcp-server/dist/tools/registry.js
-init_cjs_shims();
-function buildToolRegistry(definitions, profile) {
-  const filtered = profile === "internal" ? definitions : definitions.filter((d) => d.audience === "customer");
-  return new ToolRegistry(filtered);
+function runWithAuthContext(context, fn) {
+  return authStore.run(context, fn);
 }
-var ToolRegistry = class {
-  tools;
-  constructor(definitions) {
-    this.tools = new Map(definitions.map((d) => [d.name, d]));
-  }
-  listTools() {
-    return [...this.tools.values()].map((d) => ({
-      name: d.name,
-      title: d.title,
-      description: d.description,
-      inputSchema: d.inputSchema,
-      annotations: d.annotations
-    }));
-  }
-  getHandler(name) {
-    return this.tools.get(name)?.handler;
-  }
-};
-
-// ../mcp-server/dist/tools/index.js
-init_cjs_shims();
 
-// ../mcp-server/dist/tools/assign-builder-seat.js
+// ../mcp-server/dist/tools/registry.js
 init_cjs_shims();
 
-// ../../../../node_modules/.pnpm/zod@4.3.6/node_modules/zod/index.js
+// ../mcp-server/dist/entitlement-wrapper.js
 init_cjs_shims();
 
 // ../mcp-server/dist/auth/resolve-auth.js
@@ -15576,28 +15669,28 @@ async function readAuthStore() {
       origins: { ...EMPTY_AUTH_STORE.origins }
     };
   }
-  const authStore = await import_fs_extra.default.readJSON(authFilePath);
-  if (!authStore || typeof authStore !== "object" || !("origins" in authStore)) {
+  const authStore2 = await import_fs_extra.default.readJSON(authFilePath);
+  if (!authStore2 || typeof authStore2 !== "object" || !("origins" in authStore2)) {
     throw new Error(`Invalid MCP auth store: ${authFilePath}`);
   }
   return {
-    origins: authStore.origins
+    origins: authStore2.origins
   };
 }
-async function writeAuthStore(authStore) {
+async function writeAuthStore(authStore2) {
   await ensureAuthDirectory();
   const authFilePath = getMcpAuthFilePath();
-  await import_fs_extra.default.writeJSON(authFilePath, authStore, { spaces: 2 });
+  await import_fs_extra.default.writeJSON(authFilePath, authStore2, { spaces: 2 });
   await import_fs_extra.default.chmod(authFilePath, 384).catch(() => void 0);
 }
 async function upsertAuthToken(baseUrl, token) {
   const normalizedBaseUrl = normalizeBaseUrl(baseUrl);
-  const authStore = await readAuthStore();
-  authStore.origins[normalizedBaseUrl] = {
+  const authStore2 = await readAuthStore();
+  authStore2.origins[normalizedBaseUrl] = {
     token,
     updatedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  await writeAuthStore(authStore);
+  await writeAuthStore(authStore2);
   return normalizedBaseUrl;
 }
 async function getStoredAuthToken(baseUrl) {
@@ -15605,12 +15698,12 @@ async function getStoredAuthToken(baseUrl) {
 }
 async function getStoredAuthEntry(baseUrl) {
   const normalizedBaseUrl = normalizeBaseUrl(baseUrl);
-  const authStore = await readAuthStore();
-  return authStore.origins[normalizedBaseUrl];
+  const authStore2 = await readAuthStore();
+  return authStore2.origins[normalizedBaseUrl];
 }
 async function listStoredOrigins() {
-  const authStore = await readAuthStore();
-  return Object.keys(authStore.origins).sort();
+  const authStore2 = await readAuthStore();
+  return Object.keys(authStore2.origins).sort();
 }
 
 // ../mcp-server/dist/auth/resolve-auth.js
@@ -15636,6 +15729,15 @@ async function tryMcpStoreAuth(normalizedBaseUrl) {
   return void 0;
 }
 async function getAuthStatusForOrigin(baseUrl) {
+  const ctx = getAuthContext();
+  if (ctx) {
+    const normalizedRequested = normalizeBaseUrl(baseUrl);
+    const normalizedContext = normalizeBaseUrl(ctx.baseUrl);
+    if (normalizedRequested !== normalizedContext) {
+      return { authenticated: false, source: null, updatedAt: null };
+    }
+    return { authenticated: true, source: "remote-context", updatedAt: null };
+  }
   const normalizedBaseUrl = normalizeBaseUrl(baseUrl);
   const cliAuth = await tryCliAuth(normalizedBaseUrl);
   if (cliAuth) {
@@ -15652,6 +15754,15 @@ async function getAuthStatusForOrigin(baseUrl) {
   return { authenticated: false, source: null, updatedAt: null };
 }
 async function resolveAuthForOrigin(baseUrl) {
+  const ctx = getAuthContext();
+  if (ctx) {
+    const normalizedRequested = normalizeBaseUrl(baseUrl);
+    const normalizedContext = normalizeBaseUrl(ctx.baseUrl);
+    if (normalizedRequested !== normalizedContext) {
+      throw new Error(`Remote auth context is for ${normalizedContext}, but tool requested auth for ${normalizedRequested}`);
+    }
+    return { token: ctx.token, source: "remote-context" };
+  }
   const normalizedBaseUrl = normalizeBaseUrl(baseUrl);
   const cliAuth = await tryCliAuth(normalizedBaseUrl);
   if (cliAuth) {
@@ -15664,14 +15775,173 @@ async function resolveAuthForOrigin(baseUrl) {
   throw new Error(`No API token configured for ${normalizedBaseUrl}. ${getAuthSetupHint(normalizedBaseUrl)}`);
 }
 
-// ../mcp-server/dist/tools/schemas.js
+// ../mcp-server/dist/entitlement.js
 init_cjs_shims();
-var APP_URL_PROPERTY = {
-  format: "uri",
-  type: "string"
+
+// ../mcp-server/dist/tools/server-api.js
+init_cjs_shims();
+function extractMessage(payload) {
+  if (!payload || typeof payload !== "object")
+    return void 0;
+  const obj = payload;
+  const responseMeta = obj.responseMeta;
+  if (responseMeta && typeof responseMeta === "object" && "message" in responseMeta) {
+    const msg = responseMeta.message;
+    if (typeof msg === "string" && msg.length > 0)
+      return msg;
+  }
+  if ("message" in obj && typeof obj.message === "string" && obj.message.length > 0) {
+    return obj.message;
+  }
+  return void 0;
+}
+async function callServerApi(options) {
+  const url2 = new URL(options.path, options.baseUrl);
+  for (const [key, value] of Object.entries(options.query ?? {})) {
+    if (value !== void 0) {
+      url2.searchParams.set(key, String(value));
+    }
+  }
+  const response = await fetch(url2, {
+    method: options.method,
+    headers: {
+      Authorization: `Bearer ${options.token}`,
+      ...options.body !== void 0 ? { "Content-Type": "application/json" } : {}
+    },
+    body: options.body !== void 0 ? JSON.stringify(options.body) : void 0
+  });
+  const raw = await response.text();
+  let parsed;
+  if (raw.length > 0) {
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      parsed = void 0;
+    }
+  }
+  if (!response.ok) {
+    const message = extractMessage(parsed) ?? (raw.length > 0 ? raw : response.statusText || "Request failed");
+    throw new Error(message);
+  }
+  if (parsed && typeof parsed === "object" && "data" in parsed) {
+    return parsed.data;
+  }
+  return parsed;
+}
+
+// ../mcp-server/dist/entitlement.js
+var ENTITLED_PLANS = /* @__PURE__ */ new Set(["ENTERPRISE", "POC"]);
+var EntitlementError = class extends Error {
+  plan;
+  constructor(plan) {
+    const planLabel = plan ?? "unknown";
+    super(`The Superblocks MCP server requires an Enterprise or POC plan. Your organization is on the ${planLabel} plan. Contact sales to upgrade: https://www.superblocks.com/contact-sales`);
+    this.name = "EntitlementError";
+    this.plan = plan;
+  }
 };
-var APPLICATION_ID_PROPERTY = {
-  format: "uuid",
+async function assertEnterprisePlan(baseUrl, token) {
+  const data = await callServerApi({
+    baseUrl,
+    token,
+    method: "GET",
+    path: "api/v1/public/users/me"
+  });
+  const plan = data?.organizations?.[0]?.billing?.plan;
+  if (!plan || !ENTITLED_PLANS.has(plan)) {
+    throw new EntitlementError(plan);
+  }
+}
+
+// ../mcp-server/dist/entitlement-wrapper.js
+function extractBaseUrl(args) {
+  if (!args || typeof args !== "object") {
+    return void 0;
+  }
+  const obj = args;
+  if (typeof obj.base_url === "string") {
+    try {
+      return normalizeBaseUrl(obj.base_url);
+    } catch {
+      return void 0;
+    }
+  }
+  if (typeof obj.app_url === "string") {
+    try {
+      return normalizeBaseUrl(obj.app_url);
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
+function wrapHandlerWithEntitlement(handler) {
+  return async (args) => {
+    const baseUrl = extractBaseUrl(args);
+    if (baseUrl) {
+      let authResolved = false;
+      try {
+        const auth = await resolveAuthForOrigin(baseUrl);
+        authResolved = true;
+        await assertEnterprisePlan(baseUrl, auth.token);
+      } catch (error48) {
+        if (error48 instanceof EntitlementError) {
+          throw error48;
+        }
+        if (authResolved) {
+          throw error48;
+        }
+      }
+    }
+    return handler(args);
+  };
+}
+
+// ../mcp-server/dist/tools/registry.js
+function buildToolRegistry(definitions, profile) {
+  const filtered = profile === "internal" ? definitions : definitions.filter((d) => d.audience === "customer");
+  const ready = profile === "internal" ? filtered : filtered.map((d) => ({
+    ...d,
+    handler: wrapHandlerWithEntitlement(d.handler)
+  }));
+  return new ToolRegistry(ready);
+}
+var ToolRegistry = class {
+  tools;
+  constructor(definitions) {
+    this.tools = new Map(definitions.map((d) => [d.name, d]));
+  }
+  listTools() {
+    return [...this.tools.values()].map((d) => ({
+      name: d.name,
+      title: d.title,
+      description: d.description,
+      inputSchema: d.inputSchema,
+      annotations: d.annotations
+    }));
+  }
+  getHandler(name) {
+    return this.tools.get(name)?.handler;
+  }
+};
+
+// ../mcp-server/dist/tools/index.js
+init_cjs_shims();
+
+// ../mcp-server/dist/tools/assign-builder-seat.js
+init_cjs_shims();
+
+// ../../../../node_modules/.pnpm/zod@4.3.6/node_modules/zod/index.js
+init_cjs_shims();
+
+// ../mcp-server/dist/tools/schemas.js
+init_cjs_shims();
+var APP_URL_PROPERTY = {
+  format: "uri",
+  type: "string"
+};
+var APPLICATION_ID_PROPERTY = {
+  format: "uuid",
   pattern: "^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$",
   type: "string"
 };
@@ -15813,7 +16083,7 @@ var OCSF_CLASS_UID_PROPERTY = {
   type: "integer"
 };
 var OCSF_STATUS_ID_PROPERTY = {
-  description: "OCSF status filter (0=UNKNOWN, 1=SUCCESS, 2=FAILURE, 99=IN_PROGRESS).",
+  description: "OCSF status filter (0=UNKNOWN, 1=SUCCESS, 2=FAILURE, 99=IN_PROGRESS). For API execution events (class_uid=6003), each execution emits a start event (status_id=99) and a completion event (status_id=1 or 2). To count unique executions, exclude status_id=99.",
   type: "integer"
 };
 var OCSF_SEVERITY_ID_PROPERTY = {
@@ -15875,10 +16145,6 @@ var ASSIGNMENT_ID_PROPERTY = {
   description: "Role ID or permission ID depending on assignment_type.",
   type: "string"
 };
-var ORGANIZATION_ID_GENERIC_PROPERTY = {
-  format: "uuid",
-  type: "string"
-};
 var OBJECT_PAYLOAD_PROPERTY = {
   additionalProperties: true,
   description: "Integration payload object sent directly to the integrations API. Include fields required by the target integration type.",
@@ -16078,8 +16344,7 @@ var grantResourceAccessToolInputSchema = {
           resource_type: RBAC_RESOURCE_TYPE_PROPERTY,
           resource_id: { type: "string" },
           principal_type: PRINCIPAL_TYPE_PROPERTY,
-          principal_id: { type: "string" },
-          organization_id: ORGANIZATION_ID_GENERIC_PROPERTY
+          principal_id: { type: "string" }
         },
         required: [
           "assignment_type",
@@ -16087,8 +16352,7 @@ var grantResourceAccessToolInputSchema = {
           "resource_type",
           "resource_id",
           "principal_type",
-          "principal_id",
-          "organization_id"
+          "principal_id"
         ],
         type: "object"
       },
@@ -16134,28 +16398,87 @@ var listRbacAssignmentsToolInputSchema = {
   required: ["base_url", "resource_type", "resource_id"],
   type: "object"
 };
+var ORGANIZATION_ID_OPTIONAL_PROPERTY = {
+  ...ORGANIZATION_ID_PROPERTY,
+  description: "Optional. When omitted, uses the authenticated user's current organization."
+};
 var listRolesToolInputSchema = {
   additionalProperties: false,
   properties: {
     base_url: BASE_URL_PROPERTY,
-    organization_id: ORGANIZATION_ID_PROPERTY,
+    organization_id: ORGANIZATION_ID_OPTIONAL_PROPERTY,
     type: {
       description: "Filter roles by type (apps, integrations, org, jobs, workflows).",
       enum: ["apps", "integrations", "org", "jobs", "workflows"],
       type: "string"
     }
   },
+  required: ["base_url"],
+  type: "object"
+};
+var listUsersToolInputSchema = {
+  additionalProperties: false,
+  properties: {
+    base_url: BASE_URL_PROPERTY,
+    organization_id: ORGANIZATION_ID_PROPERTY,
+    page: {
+      description: "Page number (1-indexed). Defaults to 1.",
+      minimum: 1,
+      type: "integer"
+    },
+    page_size: {
+      description: "Number of users per page. Defaults to 100. Maximum 500.",
+      minimum: 1,
+      maximum: 500,
+      type: "integer"
+    }
+  },
   required: ["base_url", "organization_id"],
   type: "object"
 };
-var listOrganizationAgentsToolInputSchema = {
+var listUsersByRoleToolInputSchema = {
   additionalProperties: false,
   properties: {
     base_url: BASE_URL_PROPERTY,
     organization_id: ORGANIZATION_ID_PROPERTY,
+    role_name: {
+      description: "Org role name to filter by (e.g. Admin, Developer, End-User). Case-insensitive.",
+      minLength: 1,
+      type: "string"
+    },
+    page: {
+      description: "Page number (1-indexed). Defaults to 1.",
+      minimum: 1,
+      type: "integer"
+    },
+    page_size: {
+      description: "Number of users per page. Defaults to 100. Maximum 500.",
+      minimum: 1,
+      maximum: 500,
+      type: "integer"
+    }
+  },
+  required: ["base_url", "organization_id", "role_name"],
+  type: "object"
+};
+var getUserPermissionsToolInputSchema = {
+  additionalProperties: false,
+  properties: {
+    base_url: BASE_URL_PROPERTY,
+    organization_id: ORGANIZATION_ID_PROPERTY,
+    user_id: USER_ID_PROPERTY
+  },
+  required: ["base_url", "organization_id", "user_id"],
+  type: "object"
+};
+var listOrganizationAgentsToolInputSchema = {
+  additionalProperties: false,
+  properties: {
+    base_url: BASE_URL_PROPERTY,
+    organization_id: ORGANIZATION_ID_OPTIONAL_PROPERTY,
     start_time: ISO_DATE_PROPERTY
   },
-  required: ["base_url", "organization_id"],
+  required: ["base_url"],
   type: "object"
 };
 var START_DATE_PROPERTY = {
@@ -16231,9 +16554,24 @@ var findAppsByPackageToolInputSchema = {
       type: "string"
     },
     package_version: {
+      description: "Filter by declared version string/range from package.json.",
+      minLength: 1,
+      type: "string"
+    },
+    package_version_resolved: {
+      description: "Filter by resolved version from lockfile (e.g. '1.2.3').",
       minLength: 1,
       type: "string"
     },
+    dependency_source: {
+      description: "Filter by dependency source: 'root' (root package.json), 'direct' (any non-transitive), 'transitive' (lockfile-only).",
+      enum: ["root", "direct", "transitive"],
+      type: "string"
+    },
+    include_transitive: {
+      description: "When false, excludes transitive (lockfile-only) dependencies. Defaults to true.",
+      type: "boolean"
+    },
     deployed: {
       description: "Optional deploy filter. true = only deployed commit matches, false = only non-deployed commit matches, omitted = both.",
       type: "boolean"
@@ -16314,57 +16652,21 @@ var getKnowledgeToolInputSchema = {
   required: ["base_url", "knowledge_id"],
   type: "object"
 };
-
-// ../mcp-server/dist/tools/server-api.js
-init_cjs_shims();
-function extractMessage(payload) {
-  if (!payload || typeof payload !== "object")
-    return void 0;
-  const obj = payload;
-  const responseMeta = obj.responseMeta;
-  if (responseMeta && typeof responseMeta === "object" && "message" in responseMeta) {
-    const msg = responseMeta.message;
-    if (typeof msg === "string" && msg.length > 0)
-      return msg;
-  }
-  if ("message" in obj && typeof obj.message === "string" && obj.message.length > 0) {
-    return obj.message;
-  }
-  return void 0;
-}
-async function callServerApi(options) {
-  const url2 = new URL(options.path, options.baseUrl);
-  for (const [key, value] of Object.entries(options.query ?? {})) {
-    if (value !== void 0) {
-      url2.searchParams.set(key, String(value));
-    }
-  }
-  const response = await fetch(url2, {
-    method: options.method,
-    headers: {
-      Authorization: `Bearer ${options.token}`,
-      ...options.body !== void 0 ? { "Content-Type": "application/json" } : {}
-    },
-    body: options.body !== void 0 ? JSON.stringify(options.body) : void 0
-  });
-  const raw = await response.text();
-  let parsed;
-  if (raw.length > 0) {
-    try {
-      parsed = JSON.parse(raw);
-    } catch {
-      parsed = void 0;
-    }
-  }
-  if (!response.ok) {
-    const message = extractMessage(parsed) ?? (raw.length > 0 ? raw : response.statusText || "Request failed");
-    throw new Error(message);
-  }
-  if (parsed && typeof parsed === "object" && "data" in parsed) {
-    return parsed.data;
-  }
-  return parsed;
-}
+var REASON_PROPERTY = {
+  description: "Optional reason for the action. Echoed in the tool response for the caller's own logging; not persisted server-side.",
+  minLength: 1,
+  type: "string"
+};
+var deactivateUserToolInputSchema = {
+  additionalProperties: false,
+  properties: {
+    base_url: BASE_URL_PROPERTY,
+    user_id: USER_ID_PROPERTY,
+    reason: REASON_PROPERTY
+  },
+  required: ["base_url", "user_id"],
+  type: "object"
+};
 
 // ../mcp-server/dist/tools/validation.js
 init_cjs_shims();
@@ -16700,6 +17002,79 @@ var createIntegration = {
   }
 };
 
+// ../mcp-server/dist/tools/deactivate-user.js
+init_cjs_shims();
+var ALL_USERS_GROUP_TYPE = 0;
+var deactivateUserInputSchema = external_exports.object({
+  base_url: external_exports.string().url(),
+  user_id: external_exports.string().uuid(),
+  reason: external_exports.string().trim().min(1).optional().describe("Echoed in the response for the caller's own logging; not persisted server-side.")
+}).strict();
+var deactivateUser = {
+  name: "deactivate_user",
+  title: "Deactivate User",
+  description: "Deactivate a user account by user_id for incident response. This removes the user from all groups, revokes their RBAC assignments, and prevents them from logging in. Requires org admin privileges. Optionally include a reason, which is echoed back in the response for the caller's own logging.",
+  inputSchema: deactivateUserToolInputSchema,
+  annotations: {
+    readOnlyHint: false,
+    destructiveHint: true,
+    idempotentHint: false,
+    openWorldHint: true
+  },
+  audience: "internal",
+  async handler(args) {
+    const input = parseToolInput(deactivateUserInputSchema, args);
+    const baseUrl = normalizeBaseUrl(input.base_url);
+    const auth = await resolveAuthForOrigin(baseUrl);
+    const sdk = createSdk(auth.token, baseUrl);
+    const currentUser = await sdk.fetchCurrentUser();
+    const organizationId = currentUser.user.currentOrganizationId;
+    const targetUser = await callServerApi({
+      baseUrl,
+      token: auth.token,
+      method: "GET",
+      path: `/api/v1/organizations/${organizationId}/users/${input.user_id}`
+    });
+    if (!targetUser?.email) {
+      throw new Error(`Could not resolve email for user ${input.user_id}. The user may not exist in this organization.`);
+    }
+    const groupsResponse = await callServerApi({
+      baseUrl,
+      token: auth.token,
+      method: "GET",
+      path: `/api/v1/organizations/${organizationId}/groups`
+    });
+    if (!Array.isArray(groupsResponse?.groups)) {
+      throw new Error("Unexpected response shape from groups endpoint.");
+    }
+    const allUsersGroup = groupsResponse.groups.find((g) => g.type === ALL_USERS_GROUP_TYPE);
+    if (!allUsersGroup) {
+      throw new Error("Could not find the All Users group in the organization.");
+    }
+    const result = await callServerApi({
+      baseUrl,
+      token: auth.token,
+      method: "POST",
+      path: `/api/v1/organizations/${organizationId}/groups/${allUsersGroup.id}`,
+      body: {
+        operations: [{ email: targetUser.email, action: "REMOVE_MEMBER" }]
+      }
+    });
+    if (result && typeof result === "object" && "errors" in result) {
+      throw new Error(`User deactivation may have failed. Server response: ${JSON.stringify(result)}`);
+    }
+    return {
+      result,
+      user_id: input.user_id,
+      user_email: targetUser.email,
+      reason: input.reason,
+      auth_source: auth.source,
+      base_url: baseUrl,
+      environment: detectEnvironment(baseUrl)
+    };
+  }
+};
+
 // ../mcp-server/dist/tools/delete-folder.js
 init_cjs_shims();
 var deleteFolderInputSchema = external_exports.object({
@@ -16894,6 +17269,9 @@ var findAppsByPackageInputSchema = external_exports.object({
   base_url: external_exports.string().url(),
   package_name: external_exports.string().trim().min(1),
   package_version: external_exports.string().trim().min(1).optional(),
+  package_version_resolved: external_exports.string().trim().min(1).optional(),
+  dependency_source: external_exports.enum(["root", "direct", "transitive"]).describe("Filter by dependency source: 'root' (root package.json), 'direct' (any non-transitive), 'transitive' (lockfile-only)").optional(),
+  include_transitive: external_exports.boolean().describe("When false, excludes transitive (lockfile-only) dependencies. Defaults to true.").optional(),
   deployed: external_exports.boolean().optional(),
   limit: external_exports.number().int().min(1).max(200).optional(),
   offset: external_exports.number().int().min(0).optional()
@@ -16901,7 +17279,7 @@ var findAppsByPackageInputSchema = external_exports.object({
 var findAppsByPackage = {
   name: "find_apps_by_package",
   title: "Find Apps by Package",
-  description: "Find apps whose package usage index contains a declared package.json dependency. Supports filtering by deployed/non-deployed app commits with exact declared version string/range matching (not resolved lockfile versions).",
+  description: "Find apps whose package usage index contains a package dependency. Supports filtering by deployed/non-deployed commits, declared or resolved version, and dependency source (root, direct, transitive).",
   inputSchema: findAppsByPackageToolInputSchema,
   annotations: {
     readOnlyHint: true,
@@ -16917,6 +17295,7 @@ var findAppsByPackage = {
     const limit = input.limit ?? 50;
     const offset = input.offset ?? 0;
     const deployed = input.deployed === void 0 ? void 0 : input.deployed ? "true" : "false";
+    const dependencySource = input.dependency_source ?? (input.include_transitive === false ? "direct" : void 0);
     const data = await callServerApi({
       baseUrl,
       token: auth.token,
@@ -16925,6 +17304,8 @@ var findAppsByPackage = {
       query: {
         package_name: input.package_name,
         package_version_declared: input.package_version,
+        package_version_resolved: input.package_version_resolved,
+        dependency_source: dependencySource,
         deployed,
         limit,
         offset
@@ -16938,11 +17319,13 @@ var findAppsByPackage = {
       deployed_filter: data.deployed_filter,
       package_name: data.package_name,
       package_version_declared: data.package_version_declared,
+      package_version_resolved: data.package_version_resolved,
+      dependency_source: data.dependency_source,
       limit: data.limit,
       offset: data.offset,
       total_matches: data.total,
       matches: data.items,
-      note: "Set deployed=true for only deployed commits, deployed=false for only non-deployed commits, or omit deployed to search all indexed commits. Matching is exact on declared package.json strings/ranges and does not reflect resolved lockfile versions.",
+      note: "Results include dependency_source ('root' or 'transitive') and package_version_resolved (from lockfile). Use dependency_source filter to narrow results. Use include_transitive=false to exclude lockfile-only transitive deps.",
       auth_source: auth.source,
       base_url: baseUrl,
       environment: detectEnvironment(baseUrl)
@@ -17408,7 +17791,7 @@ function resolveBaseUrlTarget(input) {
 var getAuditEvents = {
   name: "get_audit_events",
   title: "Get Audit Events",
-  description: "Fetch v2 audit events (OCSF) for the current organization in a time range, with cursor pagination and OCSF filters. Use list_audit_event_types to discover all available class_uid, resource_type, and operation values for filtering.",
+  description: "Fetch v2 audit events (OCSF) for the current organization in a time range, with cursor pagination and OCSF filters. Use list_audit_event_types to discover all available class_uid, resource_type, and operation values for filtering.\n\nIMPORTANT \u2014 API execution double-counting: API execution events (class_uid=6003) are logged as start/completion pairs. Each execution produces two events with the same timestamp: a start event (status_id=99, no duration) and a completion event (status_id=1 for success or status_id=2 for failure, includes duration in ms). To count unique executions, filter to status_id != 99 (i.e. exclude IN_PROGRESS) or divide the raw class_uid=6003 count by 2.",
   inputSchema: getAuditEventsToolInputSchema,
   annotations: {
     readOnlyHint: true,
@@ -17850,6 +18233,66 @@ var getOrganizationSummary = {
   }
 };
 
+// ../mcp-server/dist/tools/get-user-permissions.js
+init_cjs_shims();
+var getUserPermissionsInputSchema = external_exports.object({
+  base_url: external_exports.string().url(),
+  organization_id: external_exports.string().uuid(),
+  user_id: external_exports.string().uuid()
+}).strict();
+var getUserPermissions = {
+  name: "get_user_permissions",
+  title: "Get User Permissions",
+  description: "Get all resources a user can access and their role on each, including assignments inherited through groups. Returns RBAC assignments across applications, integrations, workflows, and jobs. Useful for deprovisioning audits, compliance reviews, and access certification.",
+  inputSchema: getUserPermissionsToolInputSchema,
+  annotations: {
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: true
+  },
+  audience: "customer",
+  async handler(args) {
+    const input = parseToolInput(getUserPermissionsInputSchema, args);
+    const baseUrl = normalizeBaseUrl(input.base_url);
+    const auth = await resolveAuthForOrigin(baseUrl);
+    const assignments = await callServerApi({
+      baseUrl,
+      token: auth.token,
+      method: "GET",
+      path: `/api/v1/organizations/${input.organization_id}/users/${input.user_id}/assignments`
+    });
+    if (!Array.isArray(assignments)) {
+      throw new Error(`Unexpected response from user assignments API: expected array, got ${typeof assignments}`);
+    }
+    const assignmentsList = assignments;
+    return {
+      user_id: input.user_id,
+      organization_id: input.organization_id,
+      assignments: assignmentsList.map((a) => ({
+        id: a.id,
+        assignment_type: a.assignmentType,
+        resource_type: a.resourceType,
+        resource_id: a.resourceId,
+        principal_type: a.principalType,
+        principal_id: a.principalId,
+        role_name: a.role?.name ?? null,
+        role_id: a.role?.id ?? null,
+        permission: a.permission ? {
+          action: a.permission.actionType,
+          resource: a.permission.resourceType
+        } : null,
+        resource_name: a.application?.name ?? a.integration?.name ?? a.api?.name ?? null,
+        inherited_via_group: a.group?.name ?? null
+      })),
+      auth_source: auth.source,
+      base_url: baseUrl,
+      environment: detectEnvironment(baseUrl),
+      total_count: assignmentsList.length
+    };
+  }
+};
+
 // ../mcp-server/dist/tools/get-workflow-access.js
 init_cjs_shims();
 var getWorkflowAccessInputSchema = external_exports.object({
@@ -17886,6 +18329,20 @@ var getWorkflowAccess = {
 
 // ../mcp-server/dist/tools/grant-resource-access.js
 init_cjs_shims();
+
+// ../mcp-server/dist/auth/resolve-current-organization.js
+init_cjs_shims();
+async function resolveCurrentOrganizationId(normalizedBaseUrl, token) {
+  const sdk = createSdk(token, normalizedBaseUrl);
+  const me = await sdk.fetchCurrentUser();
+  const id = me.user?.currentOrganizationId;
+  if (!id) {
+    throw new Error("Could not resolve current organization: missing currentOrganizationId on user");
+  }
+  return id;
+}
+
+// ../mcp-server/dist/tools/grant-resource-access.js
 var grantResourceAccessInputSchema = external_exports.object({
   base_url: external_exports.string().url(),
   assignments: external_exports.array(external_exports.object({
@@ -17894,14 +18351,13 @@ var grantResourceAccessInputSchema = external_exports.object({
     resource_type: external_exports.string().min(1),
     resource_id: external_exports.string().min(1),
     principal_type: external_exports.enum(["user", "group"]),
-    principal_id: external_exports.string().min(1),
-    organization_id: external_exports.string().uuid()
+    principal_id: external_exports.string().min(1)
   }).strict()).min(1)
 }).strict();
 var grantResourceAccess = {
   name: "grant_resource_access",
   title: "Grant Resource Access",
-  description: "Create RBAC assignments for a resource (roles or direct permissions).",
+  description: "Create RBAC assignments for a resource (roles or direct permissions). Organization scope is always the authenticated user's current organization (matches server enforcement).",
   inputSchema: grantResourceAccessToolInputSchema,
   annotations: {
     readOnlyHint: false,
@@ -17914,6 +18370,7 @@ var grantResourceAccess = {
     const input = parseToolInput(grantResourceAccessInputSchema, args);
     const baseUrl = normalizeBaseUrl(input.base_url);
     const auth = await resolveAuthForOrigin(baseUrl);
+    const organizationId = await resolveCurrentOrganizationId(baseUrl, auth.token);
     const sdk = createSdk(auth.token, baseUrl);
     const assignments = await sdk.createRbacAssignments({
       assignments: input.assignments.map((a) => ({
@@ -17923,11 +18380,12 @@ var grantResourceAccess = {
         resourceId: a.resource_id,
         principalType: a.principal_type,
         principalId: a.principal_id,
-        organizationId: a.organization_id
+        organizationId
       }))
     });
     return {
       assignments,
+      organization_id: organizationId,
       auth_source: auth.source,
       base_url: baseUrl,
       environment: detectEnvironment(baseUrl),
@@ -18154,7 +18612,7 @@ var listIntegrations = {
     const target = resolveBaseUrlTarget(input);
     const auth = await resolveAuthForOrigin(target.baseUrl);
     const sdk = createSdk(auth.token, target.baseUrl);
-    let integrations = await sdk.fetchIntegrations(input.kind ? { kind: input.kind } : void 0);
+    let integrations = (await sdk.fetchIntegrations(input.kind ? { kind: input.kind } : void 0)).filter((i) => i.isUserConfigured === true);
     if (input.creator_email) {
       const createdBy = input.creator_email.toLowerCase();
       integrations = integrations.filter((i) => i.ownerEmail?.toLowerCase() === createdBy);
@@ -18238,14 +18696,14 @@ var listKnowledge = {
 // ../mcp-server/dist/tools/list-organization-agents.js
 init_cjs_shims();
 var listOrganizationAgentsInputSchema = external_exports.object({
-  organization_id: external_exports.string().uuid(),
   base_url: external_exports.string().url(),
+  organization_id: external_exports.uuid().optional(),
   start_time: external_exports.string().datetime({ offset: true }).optional()
 }).strict();
 var listOrganizationAgents = {
   name: "list_organization_agents",
   title: "List Organization Agents",
-  description: "List non-deactivated agents for an organization. Requires organization_id and base_url.",
+  description: "List non-deactivated agents for the authenticated user's current organization. Organization scope matches auth (same as other MCP tools); organization_id is optional and only needed if you must target a specific org UUID for URL compatibility.",
   inputSchema: listOrganizationAgentsToolInputSchema,
   annotations: {
     readOnlyHint: true,
@@ -18258,15 +18716,16 @@ var listOrganizationAgents = {
     const input = parseToolInput(listOrganizationAgentsInputSchema, args);
     const baseUrl = normalizeBaseUrl(input.base_url);
     const auth = await resolveAuthForOrigin(baseUrl);
+    const organizationId = input.organization_id ?? await resolveCurrentOrganizationId(baseUrl, auth.token);
     const agents = await callServerApi({
       baseUrl,
       token: auth.token,
       method: "GET",
-      path: `/api/v1/organizations/${input.organization_id}/agents`,
+      path: `/api/v1/organizations/${organizationId}/agents`,
       query: { startTime: input.start_time }
     });
     return {
-      organization_id: input.organization_id,
+      organization_id: organizationId,
       agents,
       auth_source: auth.source,
       base_url: baseUrl,
@@ -18328,13 +18787,13 @@ var listRbacAssignments = {
 init_cjs_shims();
 var listRolesInputSchema = external_exports.object({
   base_url: external_exports.string().url(),
-  organization_id: external_exports.string().uuid(),
+  organization_id: external_exports.uuid().optional(),
   type: external_exports.enum(["apps", "integrations", "org", "jobs", "workflows"]).optional()
 }).strict();
 var listRoles = {
   name: "list_roles",
   title: "List Roles",
-  description: "List available RBAC roles for an organization, including their UUIDs. Use these role UUIDs as assignment_id when calling grant_resource_access. Optionally filter by role type (apps, integrations, org, jobs, workflows).",
+  description: "List available RBAC roles for an organization, including their UUIDs. Use these role UUIDs as assignment_id when calling grant_resource_access. Optionally filter by role type (apps, integrations, org, jobs, workflows). Organization scope defaults to the authenticated user's current organization; pass organization_id only when targeting a different org you belong to.",
   inputSchema: listRolesToolInputSchema,
   annotations: {
     readOnlyHint: true,
@@ -18347,11 +18806,12 @@ var listRoles = {
     const input = parseToolInput(listRolesInputSchema, args);
     const baseUrl = normalizeBaseUrl(input.base_url);
     const auth = await resolveAuthForOrigin(baseUrl);
+    const organizationId = input.organization_id ?? await resolveCurrentOrganizationId(baseUrl, auth.token);
     const roles = await callServerApi({
       baseUrl,
       token: auth.token,
       method: "GET",
-      path: `/api/v1/organizations/${input.organization_id}/roles`,
+      path: `/api/v1/organizations/${organizationId}/roles`,
       query: input.type ? { type: input.type } : void 0
     });
     if (!Array.isArray(roles)) {
@@ -18374,6 +18834,132 @@ var listRoles = {
   }
 };
 
+// ../mcp-server/dist/tools/list-users-by-role.js
+init_cjs_shims();
+var DEFAULT_PAGE_SIZE = 100;
+var listUsersByRoleInputSchema = external_exports.object({
+  base_url: external_exports.string().url(),
+  organization_id: external_exports.string().uuid(),
+  role_name: external_exports.string().trim().min(1),
+  page: external_exports.number().int().positive().optional(),
+  page_size: external_exports.number().int().positive().max(500).optional()
+}).strict();
+var listUsersByRole = {
+  name: "list_users_by_role",
+  title: "List Users by Role",
+  description: "List users in a Superblocks organization filtered by org role name (e.g. Admin, Developer, End-User). Returns only users whose org-level role assignment matches the given role_name (case-insensitive). Useful for access audits and compliance reviews.",
+  inputSchema: listUsersByRoleToolInputSchema,
+  annotations: {
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: true
+  },
+  audience: "customer",
+  async handler(args) {
+    const input = parseToolInput(listUsersByRoleInputSchema, args);
+    const baseUrl = normalizeBaseUrl(input.base_url);
+    const auth = await resolveAuthForOrigin(baseUrl);
+    const users = await callServerApi({
+      baseUrl,
+      token: auth.token,
+      method: "GET",
+      path: `/api/v1/organizations/${input.organization_id}/users`
+    });
+    if (!Array.isArray(users)) {
+      throw new Error(`Unexpected response from users API: expected array, got ${typeof users}`);
+    }
+    const usersList = users;
+    const roleNameLower = input.role_name.toLowerCase();
+    const filtered = usersList.filter((u) => u.assignments?.some((a) => a.assignmentType === "role" && a.role?.name?.toLowerCase() === roleNameLower));
+    const totalCount = filtered.length;
+    const page = input.page ?? 1;
+    const pageSize = input.page_size ?? DEFAULT_PAGE_SIZE;
+    const totalPages = Math.ceil(totalCount / pageSize);
+    const offset = (page - 1) * pageSize;
+    const paged = filtered.slice(offset, offset + pageSize);
+    return {
+      users: paged.map((u) => ({
+        id: u.id,
+        name: u.name,
+        email: u.email,
+        status: u.status,
+        type: u.type ?? null,
+        org_role: u.assignments?.find((a) => a.assignmentType === "role" && a.role?.name?.toLowerCase() === roleNameLower)?.role?.name ?? null
+      })),
+      role_filter: input.role_name,
+      auth_source: auth.source,
+      base_url: baseUrl,
+      environment: detectEnvironment(baseUrl),
+      total_count: totalCount,
+      page,
+      page_size: pageSize,
+      total_pages: totalPages
+    };
+  }
+};
+
+// ../mcp-server/dist/tools/list-users.js
+init_cjs_shims();
+var DEFAULT_PAGE_SIZE2 = 100;
+var listUsersInputSchema = external_exports.object({
+  base_url: external_exports.string().url(),
+  organization_id: external_exports.string().uuid(),
+  page: external_exports.number().int().positive().optional(),
+  page_size: external_exports.number().int().positive().max(500).optional()
+}).strict();
+var listUsers = {
+  name: "list_users",
+  title: "List Users",
+  description: "List all users in a Superblocks organization with their status, type, and org-level role assignments. Useful for access audits, user inventories, and governance workflows.",
+  inputSchema: listUsersToolInputSchema,
+  annotations: {
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: true
+  },
+  audience: "customer",
+  async handler(args) {
+    const input = parseToolInput(listUsersInputSchema, args);
+    const baseUrl = normalizeBaseUrl(input.base_url);
+    const auth = await resolveAuthForOrigin(baseUrl);
+    const users = await callServerApi({
+      baseUrl,
+      token: auth.token,
+      method: "GET",
+      path: `/api/v1/organizations/${input.organization_id}/users`
+    });
+    if (!Array.isArray(users)) {
+      throw new Error(`Unexpected response from users API: expected array, got ${typeof users}`);
+    }
+    const usersList = users;
+    const totalCount = usersList.length;
+    const page = input.page ?? 1;
+    const pageSize = input.page_size ?? DEFAULT_PAGE_SIZE2;
+    const totalPages = Math.ceil(totalCount / pageSize);
+    const offset = (page - 1) * pageSize;
+    const paged = usersList.slice(offset, offset + pageSize);
+    return {
+      users: paged.map((u) => ({
+        id: u.id,
+        name: u.name,
+        email: u.email,
+        status: u.status,
+        type: u.type ?? null,
+        org_role: u.assignments?.find((a) => a.assignmentType === "role")?.role?.name ?? null
+      })),
+      auth_source: auth.source,
+      base_url: baseUrl,
+      environment: detectEnvironment(baseUrl),
+      total_count: totalCount,
+      page,
+      page_size: pageSize,
+      total_pages: totalPages
+    };
+  }
+};
+
 // ../mcp-server/dist/tools/revoke-resource-access.js
 init_cjs_shims();
 var revokeResourceAccessInputSchema = external_exports.object({
@@ -18608,6 +19194,7 @@ var toolDefinitions = [
   checkoutApplication,
   createFolder,
   createIntegration,
+  deactivateUser,
   deleteFolder,
   deleteIntegration,
   deployApplication,
@@ -18629,6 +19216,7 @@ var toolDefinitions = [
   getJobAccess,
   getKnowledge,
   getOrganizationSummary,
+  getUserPermissions,
   getWorkflowAccess,
   grantResourceAccess,
   listApplications,
@@ -18640,6 +19228,8 @@ var toolDefinitions = [
   listOrganizationAgents,
   listRbacAssignments,
   listRoles,
+  listUsers,
+  listUsersByRole,
   revokeResourceAccess,
   unassignBuilderSeat,
   undeployApplication,
@@ -18676,6 +19266,9 @@ async function executeToolCall(name, args, registry2) {
     if (error48 instanceof McpError) {
       throw error48;
     }
+    if (error48 instanceof EntitlementError) {
+      return createToolCallResultPayload(error48.message, { isError: true });
+    }
     return createToolCallResultPayload(JSON.stringify({
       error: error48 instanceof Error ? error48.message : String(error48)
     }, null, 2), { isError: true });
@@ -18683,6 +19276,11 @@ async function executeToolCall(name, args, registry2) {
 }
 
 export {
+  package_default,
+  isJsonRpcRequest,
+  invalidRequestResponse,
+  handleJsonRpc,
+  resolveProfile,
   $constructor,
   defineLazy,
   clone,
@@ -18738,14 +19336,15 @@ export {
   assertCompleteRequestResourceTemplate,
   ListRootsResultSchema,
   McpError,
-  package_default,
-  resolveProfile,
   normalizeBaseUrl,
+  getAuthContext,
+  runWithAuthContext,
   getMcpAuthFilePath,
   upsertAuthToken,
   listStoredOrigins,
+  createSdk,
   buildToolRegistry,
   toolDefinitions,
   executeToolCall
 };
-//# sourceMappingURL=chunk-6LTX4MKG.js.map
+//# sourceMappingURL=chunk-VRPW5BO7.js.map