@yawlabs/tailscale-mcp 0.5.1 → 0.6.4

package/README.md

@@ -5,7 +5,7 @@
 [![GitHub stars](https://img.shields.io/github/stars/YawLabs/tailscale-mcp)](https://github.com/YawLabs/tailscale-mcp/stargazers)
 [![CI](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml) [![Release](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml)
 
-**Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 98 tools + 4 resources. One env var. Works on first try.
+**Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 99 tools + 4 resources. One env var. Works on first try.
 
 Built and maintained by [YawLabs](https://yaw.sh).
 
@@ -96,7 +96,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | ACL Policy | `tailscale://tailnet/acl` | Full ACL policy (HuJSON preserved) |
 | DNS Config | `tailscale://tailnet/dns` | Nameservers, search paths, split DNS, MagicDNS |
 
-## Tools (98)
+## Tools (99)
 
 <details>
 <summary><strong>Status</strong> (1 tool)</summary>
@@ -297,7 +297,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 </details>
 
 <details>
-<summary><strong>Device Invites</strong> (5 tools)</summary>
+<summary><strong>Device Invites</strong> (6 tools)</summary>
 
 | Tool | Description |
 |------|-------------|
@@ -305,6 +305,7 @@ MCP Resources expose read-only data that clients can browse without tool calls.
 | `tailscale_create_device_invite` | Create a device invite |
 | `tailscale_get_device_invite` | Get a device invite |
 | `tailscale_delete_device_invite` | Delete a device invite |
+| `tailscale_accept_device_invite` | Accept a device share invitation |
 | `tailscale_resend_device_invite` | Resend a device invite email |
 
 </details>

package/dist/index.js

@@ -21021,8 +21021,9 @@ function getConfig() {
   const oauthClientSecret = process.env.TAILSCALE_OAUTH_CLIENT_SECRET;
   const tailnet = process.env.TAILSCALE_TAILNET || "-";
   if (!apiKey && !(oauthClientId && oauthClientSecret)) {
+    const hint = process.platform === "win32" ? ' On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd. Either add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json, or set it as a Windows user environment variable.' : "";
     throw new Error(
-      "No Tailscale credentials configured. Set TAILSCALE_API_KEY, or set both TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET."
+      `No Tailscale credentials configured. Set TAILSCALE_API_KEY, or set both TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET.${hint}`
     );
   }
   if (apiKey && apiKey.trim() === "") {
@@ -21079,6 +21080,32 @@ function getTailnet() {
 function encPath(segment) {
   return encodeURIComponent(segment);
 }
+function sanitizeDescription(value) {
+  return value.replace(/[/_]/g, "-").replace(/[^a-zA-Z0-9 -]/g, "").replace(/ {2,}/g, " ").trim().slice(0, 50);
+}
+function formatAuthError(apiBody) {
+  const usingOAuth = !process.env.TAILSCALE_API_KEY && process.env.TAILSCALE_OAUTH_CLIENT_ID;
+  const lines = [
+    "Authentication failed (HTTP 401).",
+    "",
+    "Possible causes:",
+    usingOAuth ? "  - OAuth client credentials are invalid or lack required scopes" : "  - API key has expired or been revoked"
+  ];
+  if (process.platform === "win32" && !usingOAuth) {
+    lines.push(
+      "  - On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd",
+      "",
+      "Fix options:",
+      '  1. Add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json',
+      "  2. Set TAILSCALE_API_KEY as a Windows user environment variable (System Properties > Environment Variables)"
+    );
+  }
+  lines.push("", "Generate a new key at: https://login.tailscale.com/admin/settings/keys");
+  if (apiBody) {
+    lines.push("", `API response: ${apiBody}`);
+  }
+  return lines.join("\n");
+}
 async function apiRequest(method, path, body, options) {
   const auth = await getAuthHeader();
   const headers = {
@@ -21109,13 +21136,15 @@ async function apiRequest(method, path, body, options) {
   if (options?.acceptRaw) {
     const rawBody = await res.text();
     if (!res.ok) {
-      return { ok: false, status: res.status, error: rawBody, rawBody, etag };
+      const error2 = res.status === 401 ? formatAuthError(rawBody) : rawBody;
+      return { ok: false, status: res.status, error: error2, rawBody, etag };
     }
     return { ok: true, status: res.status, rawBody, etag };
   }
   if (!res.ok) {
     const errorBody = await res.text();
-    return { ok: false, status: res.status, error: errorBody, etag };
+    const error2 = res.status === 401 ? formatAuthError(errorBody) : errorBody;
+    return { ok: false, status: res.status, error: error2, etag };
   }
   if (res.status === 204 || res.headers.get("content-length") === "0") {
     return { ok: true, status: res.status, etag };
@@ -21255,7 +21284,7 @@ Pass this ETag to tailscale_update_acl when updating the policy.`
         acceptRaw: true,
         accept: "application/hujson"
       });
-      if (res.ok && !res.rawBody) {
+      if (res.ok && (!res.rawBody || !res.rawBody.trim())) {
         return { ...res, rawBody: "ACL policy is valid." };
       }
       return res;
@@ -21290,8 +21319,7 @@ Pass this ETag to tailscale_update_acl when updating the policy.`
 
 // src/tools/audit.ts
 function assertRFC3339(value, label) {
-  const d = new Date(value);
-  if (Number.isNaN(d.getTime())) {
+  if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(value)) {
     throw new Error(`${label} must be a valid RFC3339 date-time (e.g. '2026-04-01T00:00:00Z'), got: '${value}'`);
   }
 }
@@ -21357,11 +21385,21 @@ var deviceTools = [
     inputSchema: external_exports.object({
       fields: external_exports.string().optional().describe(
         "Comma-separated list of fields to include. Omit for all fields. Valid fields: addresses, advertisedRoutes, authorized, blocksIncomingConnections, clientConnectivity, clientVersion, connectedToControl, created, distro, enabledRoutes, expires, hostname, id, isExternal, keyExpiryDisabled, lastSeen, machineKey, name, nodeId, nodeKey, os, sshEnabled, tags, tailnetLockError, tailnetLockKey, updateAvailable, user. Use 'all' for every field."
+      ),
+      filters: external_exports.record(external_exports.string(), external_exports.string()).optional().describe(
+        "Server-side filters as key-value pairs. Filter by any top-level device property (e.g. { isEphemeral: 'true', os: 'linux', tags: 'tag:prod' }). Multiple filters are ANDed together."
       )
     }),
     handler: async (input) => {
-      const params = input.fields ? `?${new URLSearchParams({ fields: input.fields })}` : "";
-      return apiGet(`/tailnet/${getTailnet()}/devices${params}`);
+      const params = new URLSearchParams();
+      if (input.fields) params.set("fields", input.fields);
+      if (input.filters) {
+        for (const [key, value] of Object.entries(input.filters)) {
+          params.set(key, value);
+        }
+      }
+      const qs = params.toString();
+      return apiGet(`/tailnet/${getTailnet()}/devices${qs ? `?${qs}` : ""}`);
     }
   },
   {
@@ -21375,7 +21413,7 @@ var deviceTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      deviceId: external_exports.string().describe("The device ID (numeric or nodekey format)")
+      deviceId: external_exports.string().describe("The device ID (numeric id or nodeId, NOT the nodeKey)")
     }),
     handler: async (input) => {
       return apiGet(`/device/${encPath(input.deviceId)}`);
@@ -21563,6 +21601,9 @@ var deviceTools = [
       attributeKey: external_exports.string().describe("The attribute key to delete (e.g. 'custom:lastAuditDate')")
     }),
     handler: async (input) => {
+      if (!input.attributeKey.startsWith("custom:")) {
+        throw new Error(`attributeKey must start with 'custom:' prefix, got: '${input.attributeKey}'`);
+      }
       return apiDelete(`/device/${encPath(input.deviceId)}/attributes/${encPath(input.attributeKey)}`);
     }
   },
@@ -21642,6 +21683,17 @@ var deviceTools = [
       )
     }),
     handler: async (input) => {
+      const invalidKeys = [];
+      for (const attrs of Object.values(input.attributes)) {
+        for (const key of Object.keys(attrs)) {
+          if (!key.startsWith("custom:")) invalidKeys.push(key);
+        }
+      }
+      if (invalidKeys.length > 0) {
+        throw new Error(
+          `All attribute keys must start with 'custom:' prefix. Invalid keys: ${[...new Set(invalidKeys)].join(", ")}`
+        );
+      }
       return apiPatch(`/tailnet/${getTailnet()}/device-attributes`, input.attributes);
     }
   }
@@ -21865,7 +21917,7 @@ var inviteTools = [
   },
   {
     name: "tailscale_create_device_invite",
-    description: "Create a new device invite that allows someone to add a specific device to your tailnet.",
+    description: "Create a device share invitation that allows an external user to access a specific device in your tailnet.",
     annotations: {
       title: "Create device invite",
       readOnlyHint: false,
@@ -21921,6 +21973,23 @@ var inviteTools = [
       return apiDelete(`/device-invites/${encPath(input.inviteId)}`);
     }
   },
+  {
+    name: "tailscale_accept_device_invite",
+    description: "Accept a device share invitation using the invite URL or code.",
+    annotations: {
+      title: "Accept device invite",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      invite: external_exports.string().describe("The device invite URL or invite code")
+    }),
+    handler: async (input) => {
+      return apiPost("/device-invites/-/accept", { invite: input.invite });
+    }
+  },
   // --- User Invites ---
   {
     name: "tailscale_list_user_invites",
@@ -22032,17 +22101,20 @@ var inviteTools = [
 var keyTools = [
   {
     name: "tailscale_list_keys",
-    description: "List all auth keys in your tailnet.",
+    description: "List keys in your tailnet. By default lists auth keys only. Set 'all' to true to include OAuth clients and federated identities.",
     annotations: {
-      title: "List auth keys",
+      title: "List keys",
       readOnlyHint: true,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
-    inputSchema: external_exports.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/keys`);
+    inputSchema: external_exports.object({
+      all: external_exports.boolean().optional().describe("When true, returns all key types (auth keys, OAuth clients, federated identities). Default: false")
+    }),
+    handler: async (input) => {
+      const qs = input.all ? "?all=true" : "";
+      return apiGet(`/tailnet/${getTailnet()}/keys${qs}`);
     }
   },
   {
@@ -22064,21 +22136,35 @@ var keyTools = [
   },
   {
     name: "tailscale_create_key",
-    description: "Create a new auth key for adding devices to your tailnet. Returns the key value \u2014 save it immediately, as it cannot be retrieved again.",
+    description: "Create a new key in your tailnet. Supports auth keys (for adding devices), OAuth clients (for programmatic API access), and federated identities (for OIDC-based CI/CD access). Returns the key value \u2014 save it immediately, as it cannot be retrieved again.",
     annotations: {
-      title: "Create auth key",
+      title: "Create key",
       readOnlyHint: false,
       destructiveHint: false,
       idempotentHint: false,
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      reusable: external_exports.boolean().optional().describe("Whether the key can be used more than once (default: false)"),
-      ephemeral: external_exports.boolean().optional().describe("Whether devices using this key are ephemeral (default: false)"),
-      preauthorized: external_exports.boolean().optional().describe("Whether devices are pre-authorized (default: false)"),
-      tags: external_exports.array(external_exports.string()).optional().describe("ACL tags to apply to devices using this key"),
-      expirySeconds: external_exports.number().optional().describe("Key expiry in seconds (default: 90 days)"),
-      description: external_exports.string().optional().describe("Description for this key")
+      keyType: external_exports.enum(["auth", "client", "federated"]).optional().describe(
+        "Key type: 'auth' (default) for device auth keys, 'client' for OAuth clients, 'federated' for OIDC federation"
+      ),
+      description: external_exports.string().optional().describe("Description for this key (max 50 chars, alphanumeric/hyphens/spaces)"),
+      // Auth key fields
+      reusable: external_exports.boolean().optional().describe("(auth only) Whether the key can be used more than once (default: false)"),
+      ephemeral: external_exports.boolean().optional().describe("(auth only) Whether devices using this key are ephemeral (default: false)"),
+      preauthorized: external_exports.boolean().optional().describe("(auth only) Whether devices are pre-authorized (default: false)"),
+      expirySeconds: external_exports.number().optional().describe("(auth only) Key expiry in seconds (default: 90 days)"),
+      // Shared fields
+      tags: external_exports.array(external_exports.string()).optional().describe(
+        "ACL tags (must start with 'tag:'). Required for client/federated if scopes include 'devices:core' or 'auth_keys'"
+      ),
+      // Client + Federated fields
+      scopes: external_exports.array(external_exports.string()).optional().describe("(client/federated) OAuth scopes to grant (e.g. ['devices:read', 'dns', 'acl'])"),
+      // Federated-only fields
+      issuer: external_exports.string().optional().describe("(federated only) OIDC issuer URL (e.g. 'https://token.actions.githubusercontent.com')"),
+      subject: external_exports.string().optional().describe("(federated only) Expected subject claim, supports * wildcards"),
+      audience: external_exports.string().optional().describe("(federated only) Expected audience claim"),
+      customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Custom claim mapping rules")
     }),
     handler: async (input) => {
       if (input.tags && input.tags.length > 0) {
@@ -22087,8 +22173,19 @@ var keyTools = [
           throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
         }
       }
-      const body = {
-        capabilities: {
+      const keyType = input.keyType ?? "auth";
+      if (keyType !== "auth") {
+        const authOnlyFields = ["reusable", "ephemeral", "preauthorized", "expirySeconds"];
+        const wrongFields = authOnlyFields.filter((f) => input[f] !== void 0);
+        if (wrongFields.length > 0) {
+          throw new Error(`${wrongFields.join(", ")} can only be used with keyType 'auth', not '${keyType}'`);
+        }
+      }
+      const body = {};
+      if (keyType !== "auth") body.keyType = keyType;
+      if (input.description !== void 0) body.description = sanitizeDescription(input.description);
+      if (keyType === "auth") {
+        body.capabilities = {
           devices: {
             create: {
               reusable: input.reusable ?? false,
@@ -22097,10 +22194,23 @@ var keyTools = [
               tags: input.tags ?? []
             }
           }
+        };
+        if (input.expirySeconds !== void 0) body.expirySeconds = input.expirySeconds;
+      } else {
+        if (!input.scopes || input.scopes.length === 0) {
+          throw new Error(`scopes are required for keyType '${keyType}'`);
         }
-      };
-      if (input.expirySeconds !== void 0) body.expirySeconds = input.expirySeconds;
-      if (input.description !== void 0) body.description = input.description;
+        body.scopes = input.scopes;
+        if (input.tags) body.tags = input.tags;
+        if (keyType === "federated") {
+          if (!input.issuer) throw new Error("issuer is required for federated keys");
+          if (!input.subject) throw new Error("subject is required for federated keys");
+          body.issuer = input.issuer;
+          body.subject = input.subject;
+          if (input.audience !== void 0) body.audience = input.audience;
+          if (input.customClaimRules !== void 0) body.customClaimRules = input.customClaimRules;
+        }
+      }
       return apiPost(`/tailnet/${getTailnet()}/keys`, body);
     }
   },
@@ -22123,21 +22233,42 @@ var keyTools = [
   },
   {
     name: "tailscale_update_key",
-    description: "Update an existing auth key's description or capabilities.",
+    description: "Update an existing key's description or configuration. For OAuth clients and federated identities, scopes, tags, and identity fields can also be updated. Auth keys only support description updates.",
     annotations: {
-      title: "Update auth key",
+      title: "Update key",
       readOnlyHint: false,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      keyId: external_exports.string().describe("The auth key ID to update"),
-      description: external_exports.string().optional().describe("Updated description for the key")
+      keyId: external_exports.string().describe("The key ID to update"),
+      description: external_exports.string().optional().describe("Updated description (max 50 chars, alphanumeric/hyphens/spaces)"),
+      scopes: external_exports.array(external_exports.string()).optional().describe("(client/federated) Updated OAuth scopes"),
+      tags: external_exports.array(external_exports.string()).optional().describe("Updated ACL tags (must start with 'tag:')"),
+      issuer: external_exports.string().optional().describe("(federated only) Updated OIDC issuer URL"),
+      subject: external_exports.string().optional().describe("(federated only) Updated subject claim pattern"),
+      audience: external_exports.string().optional().describe("(federated only) Updated audience claim"),
+      customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Updated custom claim rules")
     }),
     handler: async (input) => {
+      if (input.tags && input.tags.length > 0) {
+        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
+        if (invalid.length > 0) {
+          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
+        }
+      }
       const body = {};
-      if (input.description !== void 0) body.description = input.description;
+      if (input.description !== void 0) body.description = sanitizeDescription(input.description);
+      if (input.scopes !== void 0) body.scopes = input.scopes;
+      if (input.tags !== void 0) body.tags = input.tags;
+      if (input.issuer !== void 0) body.issuer = input.issuer;
+      if (input.subject !== void 0) body.subject = input.subject;
+      if (input.audience !== void 0) body.audience = input.audience;
+      if (input.customClaimRules !== void 0) body.customClaimRules = input.customClaimRules;
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one field (description, scopes, tags, etc.).");
+      }
       return apiPut(`/tailnet/${getTailnet()}/keys/${encPath(input.keyId)}`, body);
     }
   }
@@ -22200,9 +22331,7 @@ var logStreamingTools = [
     },
     inputSchema: external_exports.object({
       logType: external_exports.enum(["configuration", "network"]).describe("The log type: 'configuration' for audit logs, 'network' for network flow logs"),
-      destinationType: external_exports.string().describe(
-        "The destination type (e.g. 'axiom', 'datadog', 'splunk', 'elasticsearch', 'panther', 's3', 'gcs', 'cribl')"
-      ),
+      destinationType: external_exports.enum(["splunk", "elastic", "panther", "cribl", "datadog", "axiom", "s3"]).describe("The log streaming destination type"),
       url: external_exports.string().optional().describe("Destination URL (required for most destination types)"),
       token: external_exports.string().optional().describe("Authentication token or API key for the destination"),
       user: external_exports.string().optional().describe("Username for the destination (if required)")
@@ -22352,12 +22481,12 @@ var oauthClientTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      name: external_exports.string().describe("A human-readable name for this OAuth client"),
+      name: external_exports.string().describe("A human-readable name for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)"),
       scopes: external_exports.array(external_exports.string()).describe(
         "OAuth scopes to grant (e.g. ['devices:read', 'dns', 'acl']). See Tailscale docs for available scopes."
       ),
       tags: external_exports.array(external_exports.string()).optional().describe("ACL tags to assign to the OAuth client"),
-      description: external_exports.string().optional().describe("Description for this OAuth client")
+      description: external_exports.string().optional().describe("Description for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)")
     }),
     handler: async (input) => {
       if (input.tags && input.tags.length > 0) {
@@ -22366,7 +22495,10 @@ var oauthClientTools = [
           throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
         }
       }
-      return apiPost(`/tailnet/${getTailnet()}/oauth-clients`, input);
+      const body = { ...input };
+      body.name = sanitizeDescription(input.name);
+      if (input.description !== void 0) body.description = sanitizeDescription(input.description);
+      return apiPost(`/tailnet/${getTailnet()}/oauth-clients`, body);
     }
   },
   {
@@ -22391,6 +22523,12 @@ var oauthClientTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (cleanBody.name !== void 0) cleanBody.name = sanitizeDescription(cleanBody.name);
+      if (cleanBody.description !== void 0)
+        cleanBody.description = sanitizeDescription(cleanBody.description);
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: name, scopes, description.");
+      }
       return apiPatch(`/tailnet/${getTailnet()}/oauth-clients/${encPath(clientId)}`, cleanBody);
     }
   },
@@ -22465,7 +22603,14 @@ var postureTools = [
       cloudEnvironment: external_exports.string().optional().describe("Cloud environment (e.g. 'us-1', 'eu-1')")
     }),
     handler: async (input) => {
-      return apiPost(`/tailnet/${getTailnet()}/posture/integrations`, input);
+      const body = {
+        provider: input.provider,
+        clientId: input.clientId,
+        clientSecret: input.clientSecret
+      };
+      if (input.tenantId !== void 0) body.tenantId = input.tenantId;
+      if (input.cloudEnvironment !== void 0) body.cloudEnvironment = input.cloudEnvironment;
+      return apiPost(`/tailnet/${getTailnet()}/posture/integrations`, body);
     }
   },
   {
@@ -22491,6 +22636,11 @@ var postureTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error(
+          "No fields to update. Provide at least one of: clientId, clientSecret, tenantId, cloudEnvironment."
+        );
+      }
       return apiPatch(`/tailnet/${getTailnet()}/posture/integrations/${encPath(integrationId)}`, cleanBody);
     }
   },
@@ -22580,6 +22730,9 @@ var serviceTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: ports, tags, autoApproveHosts.");
+      }
       return apiPut(`/tailnet/${getTailnet()}/services/${encPath(serviceName)}`, cleanBody);
     }
   },
@@ -22743,6 +22896,9 @@ var tailnetTools = [
       for (const [key, value] of Object.entries(input)) {
         if (value !== void 0) body[key] = value;
       }
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one setting to change.");
+      }
       return apiPatch(`/tailnet/${getTailnet()}/settings`, body);
     }
   },
@@ -22820,9 +22976,16 @@ var userTools = [
       idempotentHint: true,
       openWorldHint: true
     },
-    inputSchema: external_exports.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/users`);
+    inputSchema: external_exports.object({
+      type: external_exports.enum(["member", "shared", "all"]).optional().describe("Filter by user type: 'member' (direct members), 'shared' (shared-in users), or 'all' (default)"),
+      role: external_exports.enum(["owner", "admin", "it-admin", "network-admin", "billing-admin", "auditor", "member"]).optional().describe("Filter by user role")
+    }),
+    handler: async (input) => {
+      const params = new URLSearchParams();
+      if (input.type) params.set("type", input.type);
+      if (input.role) params.set("role", input.role);
+      const qs = params.toString();
+      return apiGet(`/tailnet/${getTailnet()}/users${qs ? `?${qs}` : ""}`);
     }
   },
   {
@@ -22931,6 +23094,26 @@ var userTools = [
 ];
 
 // src/tools/webhooks.ts
+var webhookEventTypes = [
+  "nodeCreated",
+  "nodeNeedsApproval",
+  "nodeApproved",
+  "nodeKeyExpiringInOneDay",
+  "nodeKeyExpired",
+  "nodeDeleted",
+  "nodeSigned",
+  "nodeNeedsSignature",
+  "policyUpdate",
+  "userCreated",
+  "userNeedsApproval",
+  "userSuspended",
+  "userRestored",
+  "userDeleted",
+  "userApproved",
+  "userRoleUpdated",
+  "subnetIPForwardingNotEnabled",
+  "exitNodeIPForwardingNotEnabled"
+];
 var webhookTools = [
   {
     name: "tailscale_list_webhooks",
@@ -22976,9 +23159,7 @@ var webhookTools = [
     },
     inputSchema: external_exports.object({
       endpointUrl: external_exports.string().describe("The URL to send webhook events to"),
-      subscriptions: external_exports.array(external_exports.string()).describe(
-        "Event types to subscribe to (e.g. ['nodeCreated', 'nodeDeleted', 'nodeApproved', 'policyUpdate', 'userCreated', 'userDeleted'])"
-      )
+      subscriptions: external_exports.array(external_exports.enum(webhookEventTypes)).describe("Event types to subscribe to")
     }),
     handler: async (input) => {
       return apiPost(`/tailnet/${getTailnet()}/webhooks`, {
@@ -23000,14 +23181,15 @@ var webhookTools = [
     inputSchema: external_exports.object({
       webhookId: external_exports.string().describe("The webhook ID to update"),
       endpointUrl: external_exports.string().optional().describe("New URL to send webhook events to"),
-      subscriptions: external_exports.array(external_exports.string()).optional().describe(
-        "Updated list of event types to subscribe to (e.g. ['nodeCreated', 'nodeDeleted', 'nodeApproved', 'policyUpdate', 'userCreated', 'userDeleted'])"
-      )
+      subscriptions: external_exports.array(external_exports.enum(webhookEventTypes)).optional().describe("Updated list of event types to subscribe to")
     }),
     handler: async (input) => {
       const body = {};
       if (input.endpointUrl !== void 0) body.endpointUrl = input.endpointUrl;
       if (input.subscriptions !== void 0) body.subscriptions = input.subscriptions;
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: endpointUrl, subscriptions.");
+      }
       return apiPatch(`/webhooks/${encPath(input.webhookId)}`, body);
     }
   },
@@ -23109,13 +23291,15 @@ var workloadIdentityTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      name: external_exports.string().describe("A human-readable name for this provider"),
+      name: external_exports.string().describe("A human-readable name for this provider (max 50 chars, alphanumeric/hyphens/spaces)"),
       issuerUrl: external_exports.string().describe("The OIDC issuer URL (e.g. 'https://token.actions.githubusercontent.com' for GitHub Actions)"),
       audience: external_exports.string().optional().describe("Expected audience claim in the OIDC token"),
       claimMappings: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("Map of Tailscale attributes to OIDC token claims (e.g. { 'tag': 'repository' })")
     }),
     handler: async (input) => {
-      return apiPost(`/tailnet/${getTailnet()}/workload-identity/providers`, input);
+      const body = { ...input };
+      body.name = sanitizeDescription(input.name);
+      return apiPost(`/tailnet/${getTailnet()}/workload-identity/providers`, body);
     }
   },
   {
@@ -23140,6 +23324,10 @@ var workloadIdentityTools = [
       for (const [key, value] of Object.entries(body)) {
         if (value !== void 0) cleanBody[key] = value;
       }
+      if (cleanBody.name !== void 0) cleanBody.name = sanitizeDescription(cleanBody.name);
+      if (Object.keys(cleanBody).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: name, audience, claimMappings.");
+      }
       return apiPatch(`/tailnet/${getTailnet()}/workload-identity/providers/${encPath(providerId)}`, cleanBody);
     }
   },
@@ -23163,7 +23351,7 @@ var workloadIdentityTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.5.1" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.6.4" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.5.1",
+  "version": "0.6.4",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",