@yawlabs/tailscale-mcp 0.4.0 → 0.5.0

package/README.md

@@ -5,7 +5,7 @@
 [![GitHub stars](https://img.shields.io/github/stars/YawLabs/tailscale-mcp)](https://github.com/YawLabs/tailscale-mcp/stargazers)
 [![CI](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml) [![Release](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml)
 
-**Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 81 tools + 4 resources. One env var. Works on first try.
+**Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 98 tools + 4 resources. One env var. Works on first try.
 
 Built and maintained by [YawLabs](https://yaw.sh).
 
@@ -96,7 +96,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | ACL Policy | `tailscale://tailnet/acl` | Full ACL policy (HuJSON preserved) |
 | DNS Config | `tailscale://tailnet/dns` | Nameservers, search paths, split DNS, MagicDNS |
 
-## Tools (81)
+## Tools (98)
 
 <details>
 <summary><strong>Status</strong> (1 tool)</summary>
@@ -108,7 +108,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 </details>
 
 <details>
-<summary><strong>Devices</strong> (13 tools)</summary>
+<summary><strong>Devices</strong> (16 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -125,6 +125,9 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_set_device_posture_attribute` | Set a custom posture attribute (with optional expiry) |
 | `tailscale_delete_device_posture_attribute` | Delete a custom posture attribute |
 | `tailscale_set_device_tags` | Set ACL tags on a device |
+| `tailscale_set_device_ip` | Set a device's Tailscale IPv4 address |
+| `tailscale_update_device_key` | Update device key settings (e.g. disable key expiry) |
+| `tailscale_batch_update_posture_attributes` | Batch update custom posture attributes across devices |
 
 </details>
 
@@ -141,7 +144,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 </details>
 
 <details>
-<summary><strong>DNS</strong> (8 tools)</summary>
+<summary><strong>DNS</strong> (11 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -150,14 +153,17 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_get_search_paths` | Get DNS search paths |
 | `tailscale_set_search_paths` | Set DNS search paths |
 | `tailscale_get_split_dns` | Get split DNS configuration |
-| `tailscale_set_split_dns` | Set split DNS configuration |
+| `tailscale_set_split_dns` | Set split DNS configuration (full replace) |
+| `tailscale_update_split_dns` | Update split DNS configuration (partial merge) |
 | `tailscale_get_dns_preferences` | Get DNS preferences (MagicDNS) |
 | `tailscale_set_dns_preferences` | Set DNS preferences (MagicDNS) |
+| `tailscale_get_dns_configuration` | Get unified DNS configuration (all settings in one call) |
+| `tailscale_set_dns_configuration` | Set unified DNS configuration (all settings in one call) |
 
 </details>
 
 <details>
-<summary><strong>Auth Keys</strong> (4 tools)</summary>
+<summary><strong>Auth Keys</strong> (5 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -165,11 +171,12 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_get_key` | Get details for an auth key |
 | `tailscale_create_key` | Create a new auth key |
 | `tailscale_delete_key` | Delete an auth key |
+| `tailscale_update_key` | Update an existing auth key |
 
 </details>
 
 <details>
-<summary><strong>Users</strong> (6 tools)</summary>
+<summary><strong>Users</strong> (7 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -179,18 +186,20 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_suspend_user` | Suspend a user, revoking access |
 | `tailscale_restore_user` | Restore a suspended user |
 | `tailscale_update_user_role` | Update a user's role (owner, admin, member, etc.) |
+| `tailscale_delete_user` | Delete a user and all their devices |
 
 </details>
 
 <details>
-<summary><strong>Tailnet Settings</strong> (4 tools)</summary>
+<summary><strong>Tailnet Settings</strong> (5 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
 | `tailscale_get_tailnet_settings` | Get tailnet settings (HTTPS, device approval, key expiry, etc.) |
-| `tailscale_update_tailnet_settings` | Update tailnet settings (HTTPS certificates, approval, auto-updates, key expiry, posture, regional routing, network flow logging) |
+| `tailscale_update_tailnet_settings` | Update tailnet settings (HTTPS certificates, approval, auto-updates, key expiry, posture, regional routing, network flow logging, external ACL management) |
 | `tailscale_get_contacts` | Get tailnet contacts |
 | `tailscale_set_contacts` | Set tailnet contacts |
+| `tailscale_resend_contact_verification` | Resend verification email for a contact |
 
 </details>
 
@@ -204,7 +213,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 </details>
 
 <details>
-<summary><strong>Webhooks</strong> (6 tools)</summary>
+<summary><strong>Webhooks</strong> (7 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -214,6 +223,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_update_webhook` | Update a webhook's endpoint URL and/or subscriptions |
 | `tailscale_delete_webhook` | Delete a webhook |
 | `tailscale_rotate_webhook_secret` | Rotate a webhook's secret |
+| `tailscale_test_webhook` | Send a test event to verify webhook delivery |
 
 </details>
 
@@ -231,7 +241,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 </details>
 
 <details>
-<summary><strong>Tailscale Services</strong> (5 tools)</summary>
+<summary><strong>Tailscale Services</strong> (7 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -240,18 +250,23 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_update_service` | Update a service's configuration |
 | `tailscale_delete_service` | Delete a service |
 | `tailscale_list_service_hosts` | List devices hosting a service |
+| `tailscale_get_service_device_approval` | Get approval status of a device for a service |
+| `tailscale_set_service_device_approval` | Approve or reject a device to host a service |
 
 </details>
 
 <details>
-<summary><strong>Log Streaming</strong> (4 tools)</summary>
+<summary><strong>Log Streaming</strong> (7 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
-| `tailscale_list_log_stream_configs` | List log streaming configurations |
+| `tailscale_list_log_stream_configs` | List log streaming configurations (both audit and network) |
 | `tailscale_get_log_stream_config` | Get log streaming config for a log type |
 | `tailscale_set_log_stream_config` | Set where logs are sent (Axiom, Datadog, Splunk, etc.) |
 | `tailscale_delete_log_stream_config` | Delete a log streaming configuration |
+| `tailscale_get_log_stream_status` | Check if log streaming is delivering successfully |
+| `tailscale_create_aws_external_id` | Create/get AWS external ID for S3 log streaming |
+| `tailscale_validate_aws_trust_policy` | Validate AWS IAM role trust policy for S3 log streaming |
 
 </details>
 
@@ -282,19 +297,20 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 </details>
 
 <details>
-<summary><strong>Device Invites</strong> (4 tools)</summary>
+<summary><strong>Device Invites</strong> (5 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
-| `tailscale_list_device_invites` | List device invites |
+| `tailscale_list_device_invites` | List device invites for a specific device |
 | `tailscale_create_device_invite` | Create a device invite |
 | `tailscale_get_device_invite` | Get a device invite |
 | `tailscale_delete_device_invite` | Delete a device invite |
+| `tailscale_resend_device_invite` | Resend a device invite email |
 
 </details>
 
 <details>
-<summary><strong>User Invites</strong> (4 tools)</summary>
+<summary><strong>User Invites</strong> (5 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -302,6 +318,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_create_user_invite` | Create a user invite |
 | `tailscale_get_user_invite` | Get a user invite |
 | `tailscale_delete_user_invite` | Delete a user invite |
+| `tailscale_resend_user_invite` | Resend a user invite email |
 
 </details>
 

package/dist/index.js

@@ -21577,6 +21577,63 @@ var deviceTools = [
       }
       return apiPost(`/device/${encPath(input.deviceId)}/tags`, { tags: input.tags });
     }
+  },
+  {
+    name: "tailscale_set_device_ip",
+    description: "Set the Tailscale IPv4 address for a device.",
+    annotations: {
+      title: "Set device IP",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      deviceId: external_exports.string().describe("The device ID"),
+      ipv4: external_exports.string().describe("The new Tailscale IPv4 address for the device (e.g. '100.64.0.1')")
+    }),
+    handler: async (input) => {
+      return apiPost(`/device/${encPath(input.deviceId)}/ip`, { ipv4: input.ipv4 });
+    }
+  },
+  {
+    name: "tailscale_update_device_key",
+    description: "Update a device's key settings, such as disabling key expiry. Useful for servers that should never need to re-authenticate.",
+    annotations: {
+      title: "Update device key",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      deviceId: external_exports.string().describe("The device ID"),
+      keyExpiryDisabled: external_exports.boolean().describe("Whether to disable key expiry for this device")
+    }),
+    handler: async (input) => {
+      return apiPost(`/device/${encPath(input.deviceId)}/key`, {
+        keyExpiryDisabled: input.keyExpiryDisabled
+      });
+    }
+  },
+  {
+    name: "tailscale_batch_update_posture_attributes",
+    description: "Batch update custom posture attributes across multiple devices. Each attribute key must start with 'custom:'.",
+    annotations: {
+      title: "Batch update posture attributes",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      attributes: external_exports.record(external_exports.string(), external_exports.record(external_exports.string(), external_exports.unknown())).describe(
+        'Map of device ID to attribute map (e.g. { "12345": { "custom:compliant": "true" }, "67890": { "custom:compliant": "false" } })'
+      )
+    }),
+    handler: async (input) => {
+      return apiPatch(`/tailnet/${getTailnet()}/device-attributes`, input.attributes);
+    }
   }
 ];
 
@@ -21715,6 +21772,64 @@ var dnsTools = [
         magicDNS: input.magicDNS
       });
     }
+  },
+  {
+    name: "tailscale_update_split_dns",
+    description: "Partially update split DNS configuration. Merges the provided domains with the existing config \u2014 only the specified domains are changed, others are untouched. Set a domain's nameservers to an empty array to remove it.",
+    annotations: {
+      title: "Update split DNS (partial)",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      splitDns: external_exports.record(external_exports.string(), external_exports.array(external_exports.string())).describe(
+        'Map of domain to nameserver list to merge (e.g. { "new.example.com": ["10.0.0.3"] }). Only specified domains are changed.'
+      )
+    }),
+    handler: async (input) => {
+      return apiPatch(`/tailnet/${getTailnet()}/dns/split-dns`, input.splitDns);
+    }
+  },
+  {
+    name: "tailscale_get_dns_configuration",
+    description: "Get the unified DNS configuration for your tailnet, including nameservers, search paths, split DNS, and MagicDNS preference in a single call.",
+    annotations: {
+      title: "Get DNS configuration (unified)",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({}),
+    handler: async () => {
+      return apiGet(`/tailnet/${getTailnet()}/dns/configuration`);
+    }
+  },
+  {
+    name: "tailscale_set_dns_configuration",
+    description: "Set the unified DNS configuration for your tailnet in a single call. Replaces all DNS settings (nameservers, search paths, split DNS, MagicDNS preference).",
+    annotations: {
+      title: "Set DNS configuration (unified)",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      dns: external_exports.array(external_exports.string()).optional().describe("List of DNS server IP addresses"),
+      searchPaths: external_exports.array(external_exports.string()).optional().describe("List of DNS search domains"),
+      splitDns: external_exports.record(external_exports.string(), external_exports.array(external_exports.string())).optional().describe("Map of domain to nameserver list for split DNS"),
+      magicDNS: external_exports.boolean().optional().describe("Whether to enable MagicDNS")
+    }),
+    handler: async (input) => {
+      const body = {};
+      for (const [key, value] of Object.entries(input)) {
+        if (value !== void 0) body[key] = value;
+      }
+      return apiPost(`/tailnet/${getTailnet()}/dns/configuration`, body);
+    }
   }
 ];
 
@@ -21723,7 +21838,7 @@ var inviteTools = [
   // --- Device Invites ---
   {
     name: "tailscale_list_device_invites",
-    description: "List all device invites for your tailnet.",
+    description: "List all device invites for a specific device.",
     annotations: {
       title: "List device invites",
       readOnlyHint: true,
@@ -21731,14 +21846,16 @@ var inviteTools = [
       idempotentHint: true,
       openWorldHint: true
     },
-    inputSchema: external_exports.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/device-invites`);
+    inputSchema: external_exports.object({
+      deviceId: external_exports.string().describe("The device ID to list invites for")
+    }),
+    handler: async (input) => {
+      return apiGet(`/device/${encPath(input.deviceId)}/device-invites`);
     }
   },
   {
     name: "tailscale_create_device_invite",
-    description: "Create a new device invite that allows someone to add a device to your tailnet.",
+    description: "Create a new device invite that allows someone to add a specific device to your tailnet.",
     annotations: {
       title: "Create device invite",
       readOnlyHint: false,
@@ -21747,6 +21864,7 @@ var inviteTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
+      deviceId: external_exports.string().describe("The device ID to create an invite for"),
       multiUse: external_exports.boolean().optional().describe("Whether the invite can be used more than once (default: false)"),
       allowExitNode: external_exports.boolean().optional().describe("Whether the invited device can be used as an exit node (default: false)"),
       email: external_exports.string().optional().describe("Email address to send the invite to")
@@ -21756,7 +21874,7 @@ var inviteTools = [
       if (input.multiUse !== void 0) body.multiUse = input.multiUse;
       if (input.allowExitNode !== void 0) body.allowExitNode = input.allowExitNode;
       if (input.email !== void 0) body.email = input.email;
-      return apiPost(`/tailnet/${getTailnet()}/device-invites`, body);
+      return apiPost(`/device/${encPath(input.deviceId)}/device-invites`, body);
     }
   },
   {
@@ -21863,6 +21981,40 @@ var inviteTools = [
     handler: async (input) => {
       return apiDelete(`/user-invites/${encPath(input.inviteId)}`);
     }
+  },
+  {
+    name: "tailscale_resend_device_invite",
+    description: "Resend a device invite email.",
+    annotations: {
+      title: "Resend device invite",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      inviteId: external_exports.string().describe("The device invite ID to resend")
+    }),
+    handler: async (input) => {
+      return apiPost(`/device-invites/${encPath(input.inviteId)}/resend`);
+    }
+  },
+  {
+    name: "tailscale_resend_user_invite",
+    description: "Resend a user invite email.",
+    annotations: {
+      title: "Resend user invite",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      inviteId: external_exports.string().describe("The user invite ID to resend")
+    }),
+    handler: async (input) => {
+      return apiPost(`/user-invites/${encPath(input.inviteId)}/resend`);
+    }
   }
 ];
 
@@ -21952,6 +22104,26 @@ var keyTools = [
     handler: async (input) => {
       return apiDelete(`/tailnet/${getTailnet()}/keys/${encPath(input.keyId)}`);
     }
+  },
+  {
+    name: "tailscale_update_key",
+    description: "Update an existing auth key's description or capabilities.",
+    annotations: {
+      title: "Update auth key",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      keyId: external_exports.string().describe("The auth key ID to update"),
+      description: external_exports.string().optional().describe("Updated description for the key")
+    }),
+    handler: async (input) => {
+      const body = {};
+      if (input.description !== void 0) body.description = input.description;
+      return apiPut(`/tailnet/${getTailnet()}/keys/${encPath(input.keyId)}`, body);
+    }
   }
 ];
 
@@ -21959,7 +22131,7 @@ var keyTools = [
 var logStreamingTools = [
   {
     name: "tailscale_list_log_stream_configs",
-    description: "List all log streaming configurations for your tailnet. Log streaming sends logs to external destinations like Axiom, Datadog, Splunk, Elasticsearch, S3, or GCS.",
+    description: "List all log streaming configurations for your tailnet. Fetches both 'configuration' (audit) and 'network' (flow) log stream configs. Log streaming sends logs to external destinations like Axiom, Datadog, Splunk, Elasticsearch, S3, or GCS.",
     annotations: {
       title: "List log stream configs",
       readOnlyHint: true,
@@ -21969,7 +22141,18 @@ var logStreamingTools = [
     },
     inputSchema: external_exports.object({}),
     handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/logging/stream`);
+      const [configuration, network] = await Promise.all([
+        apiGet(`/tailnet/${getTailnet()}/logging/configuration/stream`),
+        apiGet(`/tailnet/${getTailnet()}/logging/network/stream`)
+      ]);
+      return {
+        ok: true,
+        status: 200,
+        data: {
+          configuration: configuration.ok ? configuration.data : { error: configuration.error },
+          network: network.ok ? network.data : { error: network.error }
+        }
+      };
     }
   },
   {
@@ -21986,7 +22169,7 @@ var logStreamingTools = [
       logType: external_exports.enum(["configuration", "network"]).describe("The log type: 'configuration' for audit logs, 'network' for network flow logs")
     }),
     handler: async (input) => {
-      return apiGet(`/tailnet/${getTailnet()}/logging/stream/${encPath(input.logType)}`);
+      return apiGet(`/tailnet/${getTailnet()}/logging/${encPath(input.logType)}/stream`);
     }
   },
   {
@@ -22014,7 +22197,7 @@ var logStreamingTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
-      return apiPut(`/tailnet/${getTailnet()}/logging/stream/${encPath(logType)}`, cleanBody);
+      return apiPut(`/tailnet/${getTailnet()}/logging/${encPath(logType)}/stream`, cleanBody);
     }
   },
   {
@@ -22031,7 +22214,60 @@ var logStreamingTools = [
       logType: external_exports.enum(["configuration", "network"]).describe("The log type to stop streaming: 'configuration' or 'network'")
     }),
     handler: async (input) => {
-      return apiDelete(`/tailnet/${getTailnet()}/logging/stream/${encPath(input.logType)}`);
+      return apiDelete(`/tailnet/${getTailnet()}/logging/${encPath(input.logType)}/stream`);
+    }
+  },
+  {
+    name: "tailscale_get_log_stream_status",
+    description: "Get the status of log streaming for a specific log type. Shows whether logs are being delivered successfully.",
+    annotations: {
+      title: "Get log stream status",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      logType: external_exports.enum(["configuration", "network"]).describe("The log type: 'configuration' for audit logs, 'network' for network flow logs")
+    }),
+    handler: async (input) => {
+      return apiGet(`/tailnet/${getTailnet()}/logging/${encPath(input.logType)}/stream/status`);
+    }
+  },
+  {
+    name: "tailscale_create_aws_external_id",
+    description: "Create or get an AWS external ID for your tailnet. Used when configuring log streaming to S3 \u2014 the external ID is included in the IAM role trust policy.",
+    annotations: {
+      title: "Create AWS external ID",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({}),
+    handler: async () => {
+      return apiPost(`/tailnet/${getTailnet()}/aws-external-id`);
+    }
+  },
+  {
+    name: "tailscale_validate_aws_trust_policy",
+    description: "Validate that an AWS IAM role trust policy is correctly configured with the Tailscale external ID. Use this after setting up the IAM role for S3 log streaming.",
+    annotations: {
+      title: "Validate AWS trust policy",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      externalId: external_exports.string().describe("The AWS external ID to validate"),
+      roleArn: external_exports.string().describe("The AWS IAM role ARN to validate against")
+    }),
+    handler: async (input) => {
+      return apiPost(
+        `/tailnet/${getTailnet()}/aws-external-id/${encPath(input.externalId)}/validate-aws-trust-policy`,
+        { roleArn: input.roleArn }
+      );
     }
   }
 ];
@@ -22316,7 +22552,7 @@ var serviceTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
-      return apiPatch(`/tailnet/${getTailnet()}/services/${encPath(serviceName)}`, cleanBody);
+      return apiPut(`/tailnet/${getTailnet()}/services/${encPath(serviceName)}`, cleanBody);
     }
   },
   {
@@ -22350,7 +22586,49 @@ var serviceTools = [
       serviceName: external_exports.string().describe("The service name")
     }),
     handler: async (input) => {
-      return apiGet(`/tailnet/${getTailnet()}/services/${encPath(input.serviceName)}/hosts`);
+      return apiGet(`/tailnet/${getTailnet()}/services/${encPath(input.serviceName)}/devices`);
+    }
+  },
+  {
+    name: "tailscale_get_service_device_approval",
+    description: "Get the approval status of a specific device for a Tailscale Service.",
+    annotations: {
+      title: "Get service device approval",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      serviceName: external_exports.string().describe("The service name"),
+      deviceId: external_exports.string().describe("The device ID")
+    }),
+    handler: async (input) => {
+      return apiGet(
+        `/tailnet/${getTailnet()}/services/${encPath(input.serviceName)}/device/${encPath(input.deviceId)}/approved`
+      );
+    }
+  },
+  {
+    name: "tailscale_set_service_device_approval",
+    description: "Approve or reject a device to host a Tailscale Service.",
+    annotations: {
+      title: "Set service device approval",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      serviceName: external_exports.string().describe("The service name"),
+      deviceId: external_exports.string().describe("The device ID"),
+      approved: external_exports.boolean().describe("Whether to approve (true) or reject (false) the device")
+    }),
+    handler: async (input) => {
+      return apiPost(
+        `/tailnet/${getTailnet()}/services/${encPath(input.serviceName)}/device/${encPath(input.deviceId)}/approved`,
+        { approved: input.approved }
+      );
     }
   }
 ];
@@ -22428,21 +22706,15 @@ var tailnetTools = [
       networkFlowLoggingOn: external_exports.boolean().optional().describe("Whether network flow logging is enabled"),
       regionalRoutingOn: external_exports.boolean().optional().describe("Whether regional routing is enabled"),
       postureIdentityCollectionOn: external_exports.boolean().optional().describe("Whether posture identity collection is enabled"),
-      httpsEnabled: external_exports.boolean().optional().describe("Whether HTTPS certificates are enabled (for tailscale serve/funnel)")
+      httpsEnabled: external_exports.boolean().optional().describe("Whether HTTPS certificates are enabled (for tailscale serve/funnel)"),
+      aclsExternallyManagedOn: external_exports.boolean().optional().describe("Whether ACLs are externally managed (e.g. via GitOps)"),
+      aclsExternalLink: external_exports.string().optional().describe("URL to the external ACL management system (shown in the admin console)")
     }),
     handler: async (input) => {
       const body = {};
-      if (input.devicesApprovalOn !== void 0) body.devicesApprovalOn = input.devicesApprovalOn;
-      if (input.devicesAutoUpdatesOn !== void 0) body.devicesAutoUpdatesOn = input.devicesAutoUpdatesOn;
-      if (input.devicesKeyDurationDays !== void 0) body.devicesKeyDurationDays = input.devicesKeyDurationDays;
-      if (input.usersApprovalOn !== void 0) body.usersApprovalOn = input.usersApprovalOn;
-      if (input.usersRoleAllowedToJoinExternalTailnets !== void 0)
-        body.usersRoleAllowedToJoinExternalTailnets = input.usersRoleAllowedToJoinExternalTailnets;
-      if (input.networkFlowLoggingOn !== void 0) body.networkFlowLoggingOn = input.networkFlowLoggingOn;
-      if (input.regionalRoutingOn !== void 0) body.regionalRoutingOn = input.regionalRoutingOn;
-      if (input.postureIdentityCollectionOn !== void 0)
-        body.postureIdentityCollectionOn = input.postureIdentityCollectionOn;
-      if (input.httpsEnabled !== void 0) body.httpsEnabled = input.httpsEnabled;
+      for (const [key, value] of Object.entries(input)) {
+        if (value !== void 0) body[key] = value;
+      }
       return apiPatch(`/tailnet/${getTailnet()}/settings`, body);
     }
   },
@@ -22477,11 +22749,33 @@ var tailnetTools = [
       security: external_exports.object({ email: external_exports.string() }).optional().describe("Security contact email")
     }),
     handler: async (input) => {
-      const body = {};
-      if (input.account !== void 0) body.account = input.account;
-      if (input.support !== void 0) body.support = input.support;
-      if (input.security !== void 0) body.security = input.security;
-      return apiPatch(`/tailnet/${getTailnet()}/contacts`, body);
+      const results = {};
+      for (const contactType of ["account", "support", "security"]) {
+        const value = input[contactType];
+        if (value !== void 0) {
+          const res = await apiPatch(`/tailnet/${getTailnet()}/contacts/${encPath(contactType)}`, value);
+          if (!res.ok) return res;
+          results[contactType] = res.data;
+        }
+      }
+      return { ok: true, status: 200, data: results };
+    }
+  },
+  {
+    name: "tailscale_resend_contact_verification",
+    description: "Resend the verification email for a tailnet contact.",
+    annotations: {
+      title: "Resend contact verification",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      contactType: external_exports.enum(["account", "support", "security"]).describe("The contact type to resend verification for")
+    }),
+    handler: async (input) => {
+      return apiPost(`/tailnet/${getTailnet()}/contacts/${encPath(input.contactType)}/resend-verification-email`);
     }
   }
 ];
@@ -22586,7 +22880,24 @@ var userTools = [
       role: external_exports.enum(["owner", "admin", "it-admin", "network-admin", "billing-admin", "auditor", "member"]).describe("The new role to assign")
     }),
     handler: async (input) => {
-      return apiPatch(`/users/${encPath(input.userId)}/role`, { role: input.role });
+      return apiPost(`/users/${encPath(input.userId)}/role`, { role: input.role });
+    }
+  },
+  {
+    name: "tailscale_delete_user",
+    description: "Delete a user from the tailnet. This is irreversible \u2014 the user and all their devices will be removed.",
+    annotations: {
+      title: "Delete user",
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      userId: external_exports.string().describe("The user ID to delete")
+    }),
+    handler: async (input) => {
+      return apiPost(`/users/${encPath(input.userId)}/delete`);
     }
   }
 ];
@@ -22705,6 +23016,23 @@ var webhookTools = [
     handler: async (input) => {
       return apiPost(`/webhooks/${encPath(input.webhookId)}/rotate`);
     }
+  },
+  {
+    name: "tailscale_test_webhook",
+    description: "Send a test event to a webhook endpoint to verify it is configured correctly and receiving events.",
+    annotations: {
+      title: "Test webhook",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      webhookId: external_exports.string().describe("The webhook ID to test")
+    }),
+    handler: async (input) => {
+      return apiPost(`/webhooks/${encPath(input.webhookId)}/test`);
+    }
   }
 ];
 
@@ -22807,7 +23135,7 @@ var workloadIdentityTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.4.0" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.5.0" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",