@yawlabs/tailscale-mcp 0.5.0 → 0.6.3

package/README.md

@@ -5,7 +5,7 @@
 [![GitHub stars](https://img.shields.io/github/stars/YawLabs/tailscale-mcp)](https://github.com/YawLabs/tailscale-mcp/stargazers)
 [![CI](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml) [![Release](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml)
 
-**Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 98 tools + 4 resources. One env var. Works on first try.
+**Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 99 tools + 4 resources. One env var. Works on first try.
 
 Built and maintained by [YawLabs](https://yaw.sh).
 
@@ -96,7 +96,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | ACL Policy | `tailscale://tailnet/acl` | Full ACL policy (HuJSON preserved) |
 | DNS Config | `tailscale://tailnet/dns` | Nameservers, search paths, split DNS, MagicDNS |
 
-## Tools (98)
+## Tools (99)
 
 <details>
 <summary><strong>Status</strong> (1 tool)</summary>
@@ -297,7 +297,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 </details>
 
 <details>
-<summary><strong>Device Invites</strong> (5 tools)</summary>
+<summary><strong>Device Invites</strong> (6 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -305,6 +305,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_create_device_invite` | Create a device invite |
 | `tailscale_get_device_invite` | Get a device invite |
 | `tailscale_delete_device_invite` | Delete a device invite |
+| `tailscale_accept_device_invite` | Accept a device share invitation |
 | `tailscale_resend_device_invite` | Resend a device invite email |
 
 </details>

package/dist/index.js

@@ -21079,6 +21079,9 @@ function getTailnet() {
 function encPath(segment) {
   return encodeURIComponent(segment);
 }
+function sanitizeDescription(value) {
+  return value.replace(/[/_]/g, "-").replace(/[^a-zA-Z0-9 -]/g, "").replace(/ {2,}/g, " ").trim().slice(0, 50);
+}
 async function apiRequest(method, path, body, options) {
   const auth = await getAuthHeader();
   const headers = {
@@ -21156,7 +21159,9 @@ async function deployAcl(filePath) {
   }
   const validateRes = await apiPost(`/tailnet/${getTailnet()}/acl/validate`, void 0, {
     rawBody: policy,
-    contentType: "application/hujson"
+    contentType: "application/hujson",
+    acceptRaw: true,
+    accept: "application/hujson"
   });
   if (!validateRes.ok) {
     console.error(`ACL validation failed: ${validateRes.error}`);
@@ -21165,7 +21170,9 @@ async function deployAcl(filePath) {
   const deployRes = await apiPost(`/tailnet/${getTailnet()}/acl`, void 0, {
     rawBody: policy,
     contentType: "application/hujson",
-    ifMatch: getRes.etag
+    ifMatch: getRes.etag,
+    acceptRaw: true,
+    accept: "application/hujson"
   });
   if (!deployRes.ok) {
     console.error(`ACL deploy failed: ${deployRes.error}`);
@@ -21225,7 +21232,9 @@ Pass this ETag to tailscale_update_acl when updating the policy.`
       return apiPost(`/tailnet/${getTailnet()}/acl`, void 0, {
         rawBody: input.policy,
         contentType: "application/hujson",
-        ifMatch: input.etag
+        ifMatch: input.etag,
+        acceptRaw: true,
+        accept: "application/hujson"
       });
     }
   },
@@ -21245,10 +21254,12 @@ Pass this ETag to tailscale_update_acl when updating the policy.`
     handler: async (input) => {
       const res = await apiPost(`/tailnet/${getTailnet()}/acl/validate`, void 0, {
         rawBody: input.policy,
-        contentType: "application/hujson"
+        contentType: "application/hujson",
+        acceptRaw: true,
+        accept: "application/hujson"
       });
-      if (res.ok && !res.data) {
-        return { ...res, data: { message: "ACL policy is valid." } };
+      if (res.ok && (!res.rawBody || !res.rawBody.trim())) {
+        return { ...res, rawBody: "ACL policy is valid." };
       }
       return res;
     }
@@ -21272,7 +21283,9 @@ Pass this ETag to tailscale_update_acl when updating the policy.`
       const params = new URLSearchParams({ type: input.type, previewFor: input.previewFor });
       return apiPost(`/tailnet/${getTailnet()}/acl/preview?${params}`, void 0, {
         rawBody: input.policy,
-        contentType: "application/hujson"
+        contentType: "application/hujson",
+        acceptRaw: true,
+        accept: "application/hujson"
       });
     }
   }
@@ -21280,8 +21293,7 @@ Pass this ETag to tailscale_update_acl when updating the policy.`
 
 // src/tools/audit.ts
 function assertRFC3339(value, label) {
-  const d = new Date(value);
-  if (Number.isNaN(d.getTime())) {
+  if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(value)) {
     throw new Error(`${label} must be a valid RFC3339 date-time (e.g. '2026-04-01T00:00:00Z'), got: '${value}'`);
   }
 }
@@ -21347,11 +21359,21 @@ var deviceTools = [
     inputSchema: external_exports.object({
       fields: external_exports.string().optional().describe(
         "Comma-separated list of fields to include. Omit for all fields. Valid fields: addresses, advertisedRoutes, authorized, blocksIncomingConnections, clientConnectivity, clientVersion, connectedToControl, created, distro, enabledRoutes, expires, hostname, id, isExternal, keyExpiryDisabled, lastSeen, machineKey, name, nodeId, nodeKey, os, sshEnabled, tags, tailnetLockError, tailnetLockKey, updateAvailable, user. Use 'all' for every field."
+      ),
+      filters: external_exports.record(external_exports.string(), external_exports.string()).optional().describe(
+        "Server-side filters as key-value pairs. Filter by any top-level device property (e.g. { isEphemeral: 'true', os: 'linux', tags: 'tag:prod' }). Multiple filters are ANDed together."
       )
     }),
     handler: async (input) => {
-      const params = input.fields ? `?fields=${encodeURIComponent(input.fields)}` : "";
-      return apiGet(`/tailnet/${getTailnet()}/devices${params}`);
+      const params = new URLSearchParams();
+      if (input.fields) params.set("fields", input.fields);
+      if (input.filters) {
+        for (const [key, value] of Object.entries(input.filters)) {
+          params.set(key, value);
+        }
+      }
+      const qs = params.toString();
+      return apiGet(`/tailnet/${getTailnet()}/devices${qs ? `?${qs}` : ""}`);
     }
   },
   {
@@ -21365,7 +21387,7 @@ var deviceTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      deviceId: external_exports.string().describe("The device ID (numeric or nodekey format)")
+      deviceId: external_exports.string().describe("The device ID (numeric id or nodeId, NOT the nodeKey)")
     }),
     handler: async (input) => {
       return apiGet(`/device/${encPath(input.deviceId)}`);
@@ -21553,6 +21575,9 @@ var deviceTools = [
       attributeKey: external_exports.string().describe("The attribute key to delete (e.g. 'custom:lastAuditDate')")
     }),
     handler: async (input) => {
+      if (!input.attributeKey.startsWith("custom:")) {
+        throw new Error(`attributeKey must start with 'custom:' prefix, got: '${input.attributeKey}'`);
+      }
       return apiDelete(`/device/${encPath(input.deviceId)}/attributes/${encPath(input.attributeKey)}`);
     }
   },
@@ -21632,6 +21657,17 @@ var deviceTools = [
       )
     }),
     handler: async (input) => {
+      const invalidKeys = [];
+      for (const attrs of Object.values(input.attributes)) {
+        for (const key of Object.keys(attrs)) {
+          if (!key.startsWith("custom:")) invalidKeys.push(key);
+        }
+      }
+      if (invalidKeys.length > 0) {
+        throw new Error(
+          `All attribute keys must start with 'custom:' prefix. Invalid keys: ${[...new Set(invalidKeys)].join(", ")}`
+        );
+      }
       return apiPatch(`/tailnet/${getTailnet()}/device-attributes`, input.attributes);
     }
   }
@@ -21855,7 +21891,7 @@ var inviteTools = [
   },
   {
     name: "tailscale_create_device_invite",
-    description: "Create a new device invite that allows someone to add a specific device to your tailnet.",
+    description: "Create a device share invitation that allows an external user to access a specific device in your tailnet.",
     annotations: {
       title: "Create device invite",
       readOnlyHint: false,
@@ -21911,6 +21947,23 @@ var inviteTools = [
       return apiDelete(`/device-invites/${encPath(input.inviteId)}`);
     }
   },
+  {
+    name: "tailscale_accept_device_invite",
+    description: "Accept a device share invitation using the invite URL or code.",
+    annotations: {
+      title: "Accept device invite",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      invite: external_exports.string().describe("The device invite URL or invite code")
+    }),
+    handler: async (input) => {
+      return apiPost("/device-invites/-/accept", { invite: input.invite });
+    }
+  },
   // --- User Invites ---
   {
     name: "tailscale_list_user_invites",
@@ -22022,17 +22075,20 @@ var inviteTools = [
 var keyTools = [
   {
     name: "tailscale_list_keys",
-    description: "List all auth keys in your tailnet.",
+    description: "List keys in your tailnet. By default lists auth keys only. Set 'all' to true to include OAuth clients and federated identities.",
     annotations: {
-      title: "List auth keys",
+      title: "List keys",
       readOnlyHint: true,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
-    inputSchema: external_exports.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/keys`);
+    inputSchema: external_exports.object({
+      all: external_exports.boolean().optional().describe("When true, returns all key types (auth keys, OAuth clients, federated identities). Default: false")
+    }),
+    handler: async (input) => {
+      const qs = input.all ? "?all=true" : "";
+      return apiGet(`/tailnet/${getTailnet()}/keys${qs}`);
     }
   },
   {
@@ -22054,25 +22110,56 @@ var keyTools = [
   },
   {
     name: "tailscale_create_key",
-    description: "Create a new auth key for adding devices to your tailnet. Returns the key value \u2014 save it immediately, as it cannot be retrieved again.",
+    description: "Create a new key in your tailnet. Supports auth keys (for adding devices), OAuth clients (for programmatic API access), and federated identities (for OIDC-based CI/CD access). Returns the key value \u2014 save it immediately, as it cannot be retrieved again.",
     annotations: {
-      title: "Create auth key",
+      title: "Create key",
       readOnlyHint: false,
       destructiveHint: false,
       idempotentHint: false,
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      reusable: external_exports.boolean().optional().describe("Whether the key can be used more than once (default: false)"),
-      ephemeral: external_exports.boolean().optional().describe("Whether devices using this key are ephemeral (default: false)"),
-      preauthorized: external_exports.boolean().optional().describe("Whether devices are pre-authorized (default: false)"),
-      tags: external_exports.array(external_exports.string()).optional().describe("ACL tags to apply to devices using this key"),
-      expirySeconds: external_exports.number().optional().describe("Key expiry in seconds (default: 90 days)"),
-      description: external_exports.string().optional().describe("Description for this key")
+      keyType: external_exports.enum(["auth", "client", "federated"]).optional().describe(
+        "Key type: 'auth' (default) for device auth keys, 'client' for OAuth clients, 'federated' for OIDC federation"
+      ),
+      description: external_exports.string().optional().describe("Description for this key (max 50 chars, alphanumeric/hyphens/spaces)"),
+      // Auth key fields
+      reusable: external_exports.boolean().optional().describe("(auth only) Whether the key can be used more than once (default: false)"),
+      ephemeral: external_exports.boolean().optional().describe("(auth only) Whether devices using this key are ephemeral (default: false)"),
+      preauthorized: external_exports.boolean().optional().describe("(auth only) Whether devices are pre-authorized (default: false)"),
+      expirySeconds: external_exports.number().optional().describe("(auth only) Key expiry in seconds (default: 90 days)"),
+      // Shared fields
+      tags: external_exports.array(external_exports.string()).optional().describe(
+        "ACL tags (must start with 'tag:'). Required for client/federated if scopes include 'devices:core' or 'auth_keys'"
+      ),
+      // Client + Federated fields
+      scopes: external_exports.array(external_exports.string()).optional().describe("(client/federated) OAuth scopes to grant (e.g. ['devices:read', 'dns', 'acl'])"),
+      // Federated-only fields
+      issuer: external_exports.string().optional().describe("(federated only) OIDC issuer URL (e.g. 'https://token.actions.githubusercontent.com')"),
+      subject: external_exports.string().optional().describe("(federated only) Expected subject claim, supports * wildcards"),
+      audience: external_exports.string().optional().describe("(federated only) Expected audience claim"),
+      customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Custom claim mapping rules")
     }),
     handler: async (input) => {
-      const body = {
-        capabilities: {
+      if (input.tags && input.tags.length > 0) {
+        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
+        if (invalid.length > 0) {
+          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
+        }
+      }
+      const keyType = input.keyType ?? "auth";
+      if (keyType !== "auth") {
+        const authOnlyFields = ["reusable", "ephemeral", "preauthorized", "expirySeconds"];
+        const wrongFields = authOnlyFields.filter((f) => input[f] !== void 0);
+        if (wrongFields.length > 0) {
+          throw new Error(`${wrongFields.join(", ")} can only be used with keyType 'auth', not '${keyType}'`);
+        }
+      }
+      const body = {};
+      if (keyType !== "auth") body.keyType = keyType;
+      if (input.description !== void 0) body.description = sanitizeDescription(input.description);
+      if (keyType === "auth") {
+        body.capabilities = {
           devices: {
             create: {
               reusable: input.reusable ?? false,
@@ -22081,10 +22168,23 @@ var keyTools = [
               tags: input.tags ?? []
             }
           }
+        };
+        if (input.expirySeconds !== void 0) body.expirySeconds = input.expirySeconds;
+      } else {
+        if (!input.scopes || input.scopes.length === 0) {
+          throw new Error(`scopes are required for keyType '${keyType}'`);
         }
-      };
-      if (input.expirySeconds !== void 0) body.expirySeconds = input.expirySeconds;
-      if (input.description !== void 0) body.description = input.description;
+        body.scopes = input.scopes;
+        if (input.tags) body.tags = input.tags;
+        if (keyType === "federated") {
+          if (!input.issuer) throw new Error("issuer is required for federated keys");
+          if (!input.subject) throw new Error("subject is required for federated keys");
+          body.issuer = input.issuer;
+          body.subject = input.subject;
+          if (input.audience !== void 0) body.audience = input.audience;
+          if (input.customClaimRules !== void 0) body.customClaimRules = input.customClaimRules;
+        }
+      }
       return apiPost(`/tailnet/${getTailnet()}/keys`, body);
     }
   },
@@ -22107,21 +22207,42 @@ var keyTools = [
   },
   {
     name: "tailscale_update_key",
-    description: "Update an existing auth key's description or capabilities.",
+    description: "Update an existing key's description or configuration. For OAuth clients and federated identities, scopes, tags, and identity fields can also be updated. Auth keys only support description updates.",
     annotations: {
-      title: "Update auth key",
+      title: "Update key",
       readOnlyHint: false,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      keyId: external_exports.string().describe("The auth key ID to update"),
-      description: external_exports.string().optional().describe("Updated description for the key")
+      keyId: external_exports.string().describe("The key ID to update"),
+      description: external_exports.string().optional().describe("Updated description (max 50 chars, alphanumeric/hyphens/spaces)"),
+      scopes: external_exports.array(external_exports.string()).optional().describe("(client/federated) Updated OAuth scopes"),
+      tags: external_exports.array(external_exports.string()).optional().describe("Updated ACL tags (must start with 'tag:')"),
+      issuer: external_exports.string().optional().describe("(federated only) Updated OIDC issuer URL"),
+      subject: external_exports.string().optional().describe("(federated only) Updated subject claim pattern"),
+      audience: external_exports.string().optional().describe("(federated only) Updated audience claim"),
+      customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Updated custom claim rules")
     }),
     handler: async (input) => {
+      if (input.tags && input.tags.length > 0) {
+        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
+        if (invalid.length > 0) {
+          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
+        }
+      }
       const body = {};
-      if (input.description !== void 0) body.description = input.description;
+      if (input.description !== void 0) body.description = sanitizeDescription(input.description);
+      if (input.scopes !== void 0) body.scopes = input.scopes;
+      if (input.tags !== void 0) body.tags = input.tags;
+      if (input.issuer !== void 0) body.issuer = input.issuer;
+      if (input.subject !== void 0) body.subject = input.subject;
+      if (input.audience !== void 0) body.audience = input.audience;
+      if (input.customClaimRules !== void 0) body.customClaimRules = input.customClaimRules;
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one field (description, scopes, tags, etc.).");
+      }
       return apiPut(`/tailnet/${getTailnet()}/keys/${encPath(input.keyId)}`, body);
     }
   }
@@ -22184,9 +22305,7 @@ var logStreamingTools = [
     },
     inputSchema: external_exports.object({
       logType: external_exports.enum(["configuration", "network"]).describe("The log type: 'configuration' for audit logs, 'network' for network flow logs"),
-      destinationType: external_exports.string().describe(
-        "The destination type (e.g. 'axiom', 'datadog', 'splunk', 'elasticsearch', 'panther', 's3', 'gcs', 'cribl')"
-      ),
+      destinationType: external_exports.enum(["splunk", "elastic", "panther", "cribl", "datadog", "axiom", "s3"]).describe("The log streaming destination type"),
       url: external_exports.string().optional().describe("Destination URL (required for most destination types)"),
       token: external_exports.string().optional().describe("Authentication token or API key for the destination"),
       user: external_exports.string().optional().describe("Username for the destination (if required)")
@@ -22336,15 +22455,24 @@ var oauthClientTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      name: external_exports.string().describe("A human-readable name for this OAuth client"),
+      name: external_exports.string().describe("A human-readable name for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)"),
       scopes: external_exports.array(external_exports.string()).describe(
         "OAuth scopes to grant (e.g. ['devices:read', 'dns', 'acl']). See Tailscale docs for available scopes."
       ),
       tags: external_exports.array(external_exports.string()).optional().describe("ACL tags to assign to the OAuth client"),
-      description: external_exports.string().optional().describe("Description for this OAuth client")
+      description: external_exports.string().optional().describe("Description for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)")
     }),
     handler: async (input) => {
-      return apiPost(`/tailnet/${getTailnet()}/oauth-clients`, input);
+      if (input.tags && input.tags.length > 0) {
+        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
+        if (invalid.length > 0) {
+          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
+        }
+      }
+      const body = { ...input };
+      body.name = sanitizeDescription(input.name);
+      if (input.description !== void 0) body.description = sanitizeDescription(input.description);
+      return apiPost(`/tailnet/${getTailnet()}/oauth-clients`, body);
     }
   },
   {
@@ -22369,6 +22497,12 @@ var oauthClientTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (cleanBody.name !== void 0) cleanBody.name = sanitizeDescription(cleanBody.name);
+      if (cleanBody.description !== void 0)
+        cleanBody.description = sanitizeDescription(cleanBody.description);
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: name, scopes, description.");
+      }
       return apiPatch(`/tailnet/${getTailnet()}/oauth-clients/${encPath(clientId)}`, cleanBody);
     }
   },
@@ -22443,7 +22577,14 @@ var postureTools = [
       cloudEnvironment: external_exports.string().optional().describe("Cloud environment (e.g. 'us-1', 'eu-1')")
     }),
     handler: async (input) => {
-      return apiPost(`/tailnet/${getTailnet()}/posture/integrations`, input);
+      const body = {
+        provider: input.provider,
+        clientId: input.clientId,
+        clientSecret: input.clientSecret
+      };
+      if (input.tenantId !== void 0) body.tenantId = input.tenantId;
+      if (input.cloudEnvironment !== void 0) body.cloudEnvironment = input.cloudEnvironment;
+      return apiPost(`/tailnet/${getTailnet()}/posture/integrations`, body);
     }
   },
   {
@@ -22469,6 +22610,11 @@ var postureTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error(
+          "No fields to update. Provide at least one of: clientId, clientSecret, tenantId, cloudEnvironment."
+        );
+      }
       return apiPatch(`/tailnet/${getTailnet()}/posture/integrations/${encPath(integrationId)}`, cleanBody);
     }
   },
@@ -22547,11 +22693,20 @@ var serviceTools = [
       autoApproveHosts: external_exports.boolean().optional().describe("Whether to auto-approve devices that want to host this service")
     }),
     handler: async (input) => {
+      if (input.tags && input.tags.length > 0) {
+        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
+        if (invalid.length > 0) {
+          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
+        }
+      }
       const { serviceName, ...body } = input;
       const cleanBody = {};
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: ports, tags, autoApproveHosts.");
+      }
       return apiPut(`/tailnet/${getTailnet()}/services/${encPath(serviceName)}`, cleanBody);
     }
   },
@@ -22715,6 +22870,9 @@ var tailnetTools = [
       for (const [key, value] of Object.entries(input)) {
         if (value !== void 0) body[key] = value;
       }
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one setting to change.");
+      }
       return apiPatch(`/tailnet/${getTailnet()}/settings`, body);
     }
   },
@@ -22792,9 +22950,16 @@ var userTools = [
       idempotentHint: true,
       openWorldHint: true
     },
-    inputSchema: external_exports.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/users`);
+    inputSchema: external_exports.object({
+      type: external_exports.enum(["member", "shared", "all"]).optional().describe("Filter by user type: 'member' (direct members), 'shared' (shared-in users), or 'all' (default)"),
+      role: external_exports.enum(["owner", "admin", "it-admin", "network-admin", "billing-admin", "auditor", "member"]).optional().describe("Filter by user role")
+    }),
+    handler: async (input) => {
+      const params = new URLSearchParams();
+      if (input.type) params.set("type", input.type);
+      if (input.role) params.set("role", input.role);
+      const qs = params.toString();
+      return apiGet(`/tailnet/${getTailnet()}/users${qs ? `?${qs}` : ""}`);
     }
   },
   {
@@ -22903,6 +23068,26 @@ var userTools = [
 ];
 
 // src/tools/webhooks.ts
+var webhookEventTypes = [
+  "nodeCreated",
+  "nodeNeedsApproval",
+  "nodeApproved",
+  "nodeKeyExpiringInOneDay",
+  "nodeKeyExpired",
+  "nodeDeleted",
+  "nodeSigned",
+  "nodeNeedsSignature",
+  "policyUpdate",
+  "userCreated",
+  "userNeedsApproval",
+  "userSuspended",
+  "userRestored",
+  "userDeleted",
+  "userApproved",
+  "userRoleUpdated",
+  "subnetIPForwardingNotEnabled",
+  "exitNodeIPForwardingNotEnabled"
+];
 var webhookTools = [
   {
     name: "tailscale_list_webhooks",
@@ -22948,9 +23133,7 @@ var webhookTools = [
     },
     inputSchema: external_exports.object({
       endpointUrl: external_exports.string().describe("The URL to send webhook events to"),
-      subscriptions: external_exports.array(external_exports.string()).describe(
-        "Event types to subscribe to (e.g. ['nodeCreated', 'nodeDeleted', 'nodeApproved', 'policyUpdate', 'userCreated', 'userDeleted'])"
-      )
+      subscriptions: external_exports.array(external_exports.enum(webhookEventTypes)).describe("Event types to subscribe to")
     }),
     handler: async (input) => {
       return apiPost(`/tailnet/${getTailnet()}/webhooks`, {
@@ -22972,14 +23155,15 @@ var webhookTools = [
     inputSchema: external_exports.object({
       webhookId: external_exports.string().describe("The webhook ID to update"),
       endpointUrl: external_exports.string().optional().describe("New URL to send webhook events to"),
-      subscriptions: external_exports.array(external_exports.string()).optional().describe(
-        "Updated list of event types to subscribe to (e.g. ['nodeCreated', 'nodeDeleted', 'nodeApproved', 'policyUpdate', 'userCreated', 'userDeleted'])"
-      )
+      subscriptions: external_exports.array(external_exports.enum(webhookEventTypes)).optional().describe("Updated list of event types to subscribe to")
     }),
     handler: async (input) => {
       const body = {};
       if (input.endpointUrl !== void 0) body.endpointUrl = input.endpointUrl;
       if (input.subscriptions !== void 0) body.subscriptions = input.subscriptions;
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: endpointUrl, subscriptions.");
+      }
       return apiPatch(`/webhooks/${encPath(input.webhookId)}`, body);
     }
   },
@@ -23081,13 +23265,15 @@ var workloadIdentityTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      name: external_exports.string().describe("A human-readable name for this provider"),
+      name: external_exports.string().describe("A human-readable name for this provider (max 50 chars, alphanumeric/hyphens/spaces)"),
       issuerUrl: external_exports.string().describe("The OIDC issuer URL (e.g. 'https://token.actions.githubusercontent.com' for GitHub Actions)"),
       audience: external_exports.string().optional().describe("Expected audience claim in the OIDC token"),
       claimMappings: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("Map of Tailscale attributes to OIDC token claims (e.g. { 'tag': 'repository' })")
     }),
     handler: async (input) => {
-      return apiPost(`/tailnet/${getTailnet()}/workload-identity/providers`, input);
+      const body = { ...input };
+      body.name = sanitizeDescription(input.name);
+      return apiPost(`/tailnet/${getTailnet()}/workload-identity/providers`, body);
     }
   },
   {
@@ -23112,6 +23298,10 @@ var workloadIdentityTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (cleanBody.name !== void 0) cleanBody.name = sanitizeDescription(cleanBody.name);
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: name, audience, claimMappings.");
+      }
       return apiPatch(`/tailnet/${getTailnet()}/workload-identity/providers/${encPath(providerId)}`, cleanBody);
     }
   },
@@ -23135,7 +23325,7 @@ var workloadIdentityTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.5.0" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.6.3" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.5.0",
+  "version": "0.6.3",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",