npm - @yawlabs/tailscale-mcp - Versions diffs - 0.8.8 → 0.9.1 - Mend

@yawlabs/tailscale-mcp 0.8.8 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -5,7 +5,7 @@
 [![GitHub stars](https://img.shields.io/github/stars/YawLabs/tailscale-mcp)](https://github.com/YawLabs/tailscale-mcp/stargazers)
 [![CI](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml) [![Release](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml)
-**Ask your agent questions about your tailnet and have it act on the answers.** 99 tools + 4 resources covering the full [Tailscale v2 API](https://tailscale.com/api). Backed by 736 unit tests and an opt-in live-tailnet integration suite.
+**Ask your agent questions about your tailnet and have it act on the answers.** 88 tools + 4 resources covering the full [Tailscale v2 API](https://tailscale.com/api). Backed by 700+ unit tests and an opt-in live-tailnet integration suite.
 Built and maintained by [Yaw Labs](https://yaw.sh).
@@ -20,8 +20,8 @@ You could `curl` the Tailscale API. The point isn't replacing `curl` — it's le
 - **"Which devices haven't checked in for 30 days and have key expiry disabled?"** — lists devices, filters by `lastSeen`, filters by `keyExpiryDisabled`, returns a table. Three endpoints, one question.
 - **"Someone broke DNS at 2am — who changed what in the last 24 hours?"** — pulls the audit log, filters by DNS-related actors and endpoints, reads each change's before/after, summarizes in English.
 - **"Draft an ACL change that lets `tag:mobile` reach `tag:dashboard` but not `tag:db`, preserving my comments"** — reads the current HuJSON, proposes a minimal diff, validates it against the API, returns the diff for you to apply.
-- **"Show me the OIDC workload identity for our GitHub Actions and confirm its allowed subjects still match `repo:Acme/*`"** — fetches the workload identity, parses the JWT claim patterns, tells you whether the claim still matches your repo naming.
 - **"Rotate every auth key older than 90 days and print the new ones"** — iterates, creates new keys with matching tags, revokes the old ones.
+- **"Create an OAuth client for our CI pipeline scoped to `devices:read` and `dns`"** — creates a trust credential via `tailscale_create_key` with `keyType=client`, returns the credentials once (save them immediately).
 A curl can do each step. The agent composes them. That's where the lift is, and that's what the tool surface is designed for — every read endpoint is first-class so the agent can synthesize, and every write endpoint is tagged `destructiveHint` or `idempotentHint` so your MCP client can gate mutations the way you configured it.
@@ -31,11 +31,11 @@ If all you need is one endpoint in a CI job, use `curl` — we even have a [CLI
 Reasonable question. Both have their place. Where this MCP is better:
-- **Full admin API coverage.** The `tailscale` CLI is scoped to the node it runs on. Admin concerns — ACLs, users, invites, webhooks, log streaming, workload identity, OAuth clients, posture — live in the v2 HTTP API. You'd be shelling out to `curl` anyway.
+- **Full admin API coverage.** The `tailscale` CLI is scoped to the node it runs on. Admin concerns — ACLs, users, invites, webhooks, log streaming, posture integrations, auth keys, OAuth clients, and federated identities — live in the v2 HTTP API. You'd be shelling out to `curl` anyway.
 - **Typed tool surface, not string parsing.** Every tool has a Zod-validated input schema and a structured response. No brittle `tailscale status --json | jq` pipelines that break when the schema evolves.
 - **Cross-client, no user rewriting.** A Claude Code skill only loads in Claude Code. An MCP server works in Claude Code, Claude Desktop, Cursor, Windsurf, VS Code, and anything else that speaks MCP. Version bumps ship through `npx` — users don't re-author their skill when Tailscale adds an endpoint.
 - **Safe-by-default writes.** Every tool declares `readOnlyHint` / `destructiveHint` / `idempotentHint` so clients can skip confirmation on reads and require it on mutations. A skill that shells out to the CLI can't express that.
-- **Real tests.** 736 unit tests covering every tool's input validation, API shape, and error handling. Plus an opt-in live-tailnet integration suite (`RUN_INTEGRATION_TESTS=1` + a tailnet API key) for shape-drift detection. Most skills are short markdown prompts without their own test layer — if the vendor changes output format, nothing catches it for you.
+- **Real tests.** 700+ unit tests covering every tool's input validation, API shape, and error handling. Plus an opt-in live-tailnet integration suite (`RUN_INTEGRATION_TESTS=1` + a tailnet API key) for shape-drift detection. Most skills are short markdown prompts without their own test layer — if the vendor changes output format, nothing catches it for you.
 If you already have a skill that covers your 10% of Tailscale workflows, great — keep it. The MCP is for the other 90%.
@@ -43,7 +43,7 @@ If you already have a skill that covers your 10% of Tailscale workflows, great
 Fair critique from Reddit: a new repo claiming "actively maintained" with no visible tests is worth exactly zero trust. Here's what's actually verifiable:
-- **736 tests** (179 suites, `node --test`) covering every tool's input validation, API shape, and error handling. Run `npm test` to see them pass locally.
+- **700+ tests** (`node --test`) covering every tool's input validation, API shape, and error handling. Run `npm test` to see them pass locally.
 - **3 CI workflows** on GitHub Actions:
   - [`ci.yml`](.github/workflows/ci.yml) — lint + typecheck + build + unit tests on every push and PR.
   - [`integration.yml`](.github/workflows/integration.yml) — read-only live-API smoke tests against a real tailnet. Wired up with three triggers (nightly schedule, every tag push via `release.yml`, manual dispatch); skips gracefully when no test-tailnet secret is configured, so forks aren't blocked.
@@ -107,7 +107,7 @@ That's it. Now ask your agent:
 ## Too many tools? Subset them.
-99 tools is a lot. If you've already got a dozen MCP servers and your client is feeling heavy, trim what this one exposes. Three knobs, combinable:
+88 tools is a lot. If you've already got a dozen MCP servers and your client is feeling heavy, trim what this one exposes. Three knobs, combinable:
 ### Option 1: `TAILSCALE_PROFILE` (preset, easiest)
@@ -122,7 +122,7 @@ That's it. Now ask your agent:
 - **`minimal`** (19 tools) — `status`, `devices`, `audit`. Observe the tailnet, read the audit log.
 - **`core`** (46 tools) — adds `acl`, `dns`, `keys`, `users`. The day-to-day admin surface.
-- **`full`** (99 tools, default) — everything. Same as omitting the env var.
+- **`full`** (88 tools, default) — everything. Same as omitting the env var.
 ### Option 2: `TAILSCALE_TOOLS` (explicit group list)
@@ -137,7 +137,7 @@ That's it. Now ask your agent:
 Comma-separated group names. Overrides `TAILSCALE_PROFILE` when both are set — use this when the presets aren't quite right.
-Valid group names: `status`, `devices`, `acl`, `dns`, `keys`, `users`, `tailnet`, `webhooks`, `network-lock`, `posture`, `audit`, `invites`, `services`, `log-streaming`, `workload-identity`, `oauth-clients`.
+Valid group names: `status`, `devices`, `acl`, `dns`, `keys`, `users`, `tailnet`, `webhooks`, `posture`, `audit`, `invites`, `services`, `log-streaming`.
 ### Option 3: `TAILSCALE_READONLY` (drop mutations)
@@ -158,7 +158,7 @@ Set to `1` or `true` to drop every tool without `readOnlyHint: true`. Stacks wit
 The server logs the active filter to stderr on startup:
 ```
-@yawlabs/tailscale-mcp v0.8.8 ready (19 tools, profile=core, readonly)
+@yawlabs/tailscale-mcp v0.9.1 ready (19 tools, profile=core, readonly)
 ```
 If you don't set any filter, startup prints a tip pointing you at the profiles.
@@ -193,7 +193,7 @@ MCP Resources expose read-only data clients can browse without a tool call.
 | ACL Policy | `tailscale://tailnet/acl` | Full ACL policy (HuJSON preserved) |
 | DNS Config | `tailscale://tailnet/dns` | Nameservers, search paths, split DNS, MagicDNS |
-## Tools (99)
+## Tools (88)
 <details>
 <summary><strong>Status</strong> (1 tool)</summary>
@@ -260,15 +260,15 @@ MCP Resources expose read-only data clients can browse without a tool call.
 </details>
 <details>
-<summary><strong>Auth Keys</strong> (5 tools)</summary>
+<summary><strong>Keys / Trust Credentials</strong> (5 tools) — covers auth keys, OAuth clients, and federated identities</summary>
 | Tool | Description |
 |------|-------------|
-| `tailscale_list_keys` | List auth keys |
-| `tailscale_get_key` | Get details for an auth key |
-| `tailscale_create_key` | Create a new auth key |
-| `tailscale_delete_key` | Delete an auth key |
-| `tailscale_update_key` | Update an existing auth key |
+| `tailscale_list_keys` | List keys (auth keys; pass `all=true` to include OAuth clients and federated identities) |
+| `tailscale_get_key` | Get details for a key |
+| `tailscale_create_key` | Create an auth key, OAuth client (`keyType=client`), or federated identity (`keyType=federated`) |
+| `tailscale_delete_key` | Delete a key |
+| `tailscale_update_key` | Update a key's description, scopes, tags, or federated claim settings |
 </details>
@@ -300,15 +300,6 @@ MCP Resources expose read-only data clients can browse without a tool call.
 </details>
-<details>
-<summary><strong>Network Lock</strong> (1 tool)</summary>
-| Tool | Description |
-|------|-------------|
-| `tailscale_get_network_lock_status` | Get tailnet lock status and trusted signing keys |
-</details>
 <details>
 <summary><strong>Webhooks</strong> (7 tools)</summary>
@@ -367,32 +358,6 @@ MCP Resources expose read-only data clients can browse without a tool call.
 </details>
-<details>
-<summary><strong>Workload Identity</strong> (5 tools)</summary>
-| Tool | Description |
-|------|-------------|
-| `tailscale_list_workload_identities` | List federated workload identity providers |
-| `tailscale_get_workload_identity` | Get a workload identity provider |
-| `tailscale_create_workload_identity` | Create an OIDC federation provider (GitHub Actions, GitLab CI, etc.) |
-| `tailscale_update_workload_identity` | Update a workload identity provider |
-| `tailscale_delete_workload_identity` | Delete a workload identity provider |
-</details>
-<details>
-<summary><strong>OAuth Clients</strong> (5 tools)</summary>
-| Tool | Description |
-|------|-------------|
-| `tailscale_list_oauth_clients` | List OAuth clients |
-| `tailscale_get_oauth_client` | Get an OAuth client |
-| `tailscale_create_oauth_client` | Create an OAuth client for programmatic API access |
-| `tailscale_update_oauth_client` | Update an OAuth client |
-| `tailscale_delete_oauth_client` | Delete an OAuth client |
-</details>
 <details>
 <summary><strong>Device Invites</strong> (6 tools)</summary>
@@ -462,7 +427,7 @@ npm install
 npm run lint       # Biome check
 npm run lint:fix   # Auto-fix
 npm run build      # tsc + esbuild bundle
-npm test           # node --test (736 tests)
+npm test           # node --test (full suite)
 ```
 For integration testing against your own tailnet: set `TAILSCALE_API_KEY` and run `node dist/index.js`.

package/dist/index.js CHANGED Viewed

@@ -30339,7 +30339,8 @@ function filterTools(groups, options) {
       unknownProfile2 = profileKey;
     }
   }
-  const explicitTools = options.tools ? options.tools.split(",").map((s) => s.trim()).filter(Boolean) : null;
+  const parsedTools = options.tools ? options.tools.split(",").map((s) => s.trim()).filter(Boolean) : null;
+  const explicitTools = parsedTools && parsedTools.length > 0 ? parsedTools : null;
   const effectiveGroups = explicitTools ?? profileGroups ?? null;
   const enabledGroups = effectiveGroups ? new Set(effectiveGroups) : null;
   const unknownGroups2 = enabledGroups ? [...enabledGroups].filter((g) => !validNames.has(g)) : [];
@@ -30470,7 +30471,8 @@ Pass this ETag to tailscale_update_acl when updating the policy.`
 // src/tools/audit.ts
 function assertRFC3339(value, label) {
-  if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(value)) {
+  const rfc3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;
+  if (!rfc3339.test(value) || Number.isNaN(Date.parse(value))) {
     throw new Error(`${label} must be a valid RFC3339 date-time (e.g. '2026-04-01T00:00:00Z'), got: '${value}'`);
   }
 }
@@ -30611,7 +30613,7 @@ var deviceTools = [
       title: "Delete device",
       readOnlyHint: false,
       destructiveHint: true,
-      idempotentHint: false,
+      idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
@@ -30817,7 +30819,7 @@ var deviceTools = [
   },
   {
     name: "tailscale_batch_update_posture_attributes",
-    description: "Batch update custom posture attributes across multiple devices. Each attribute key must start with 'custom:'.",
+    description: "Batch update custom posture attributes across multiple devices. Each attribute key must start with 'custom:'. Uses JSON Merge Patch semantics \u2014 pass null as the attribute config to delete.",
     annotations: {
       title: "Batch update posture attributes",
       readOnlyHint: false,
@@ -30826,13 +30828,26 @@ var deviceTools = [
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      attributes: external_exports3.record(external_exports3.string(), external_exports3.record(external_exports3.string(), external_exports3.unknown())).describe(
-        'Map of device ID to attribute map (e.g. { "12345": { "custom:compliant": "true" }, "67890": { "custom:compliant": "false" } })'
-      )
+      nodes: external_exports3.record(
+        external_exports3.string(),
+        external_exports3.record(
+          external_exports3.string(),
+          external_exports3.union([
+            external_exports3.object({
+              value: external_exports3.union([external_exports3.string(), external_exports3.number(), external_exports3.boolean()]),
+              expiry: external_exports3.string().optional()
+            }),
+            external_exports3.null()
+          ])
+        )
+      ).describe(
+        'Map of device ID to attribute config map (e.g. { "12345": { "custom:compliant": { "value": "true" } }, "67890": { "custom:compliant": { "value": false, "expiry": "2026-12-01T00:00:00Z" } } }). Pass null as the config to delete an attribute.'
+      ),
+      comment: external_exports3.string().optional().describe("Optional comment added to the audit log explaining why attributes are being set (max 200 chars)")
     }),
     handler: async (input) => {
       const invalidKeys = [];
-      for (const attrs of Object.values(input.attributes)) {
+      for (const attrs of Object.values(input.nodes)) {
         for (const key of Object.keys(attrs)) {
           if (!key.startsWith("custom:")) invalidKeys.push(key);
         }
@@ -30842,7 +30857,9 @@ var deviceTools = [
           `All attribute keys must start with 'custom:' prefix. Invalid keys: ${[...new Set(invalidKeys)].join(", ")}`
         );
       }
-      return apiPatch(`/tailnet/${getTailnet()}/device-attributes`, input.attributes);
+      const body = { nodes: input.nodes };
+      if (input.comment !== void 0) body.comment = input.comment;
+      return apiPatch(`/tailnet/${getTailnet()}/device-attributes`, body);
     }
   }
 ];
@@ -31267,16 +31284,16 @@ var keyTools = [
   },
   {
     name: "tailscale_get_key",
-    description: "Get details for a specific auth key.",
+    description: "Get details for a specific key (auth key, OAuth client, or federated identity).",
     annotations: {
-      title: "Get auth key",
+      title: "Get key",
       readOnlyHint: true,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      keyId: external_exports3.string().describe("The auth key ID")
+      keyId: external_exports3.string().describe("The key ID (auth key, OAuth client, or federated identity)")
     }),
     handler: async (input) => {
       return apiGet(`/tailnet/${getTailnet()}/keys/${encPath(input.keyId)}`);
@@ -31359,16 +31376,16 @@ var keyTools = [
   },
   {
     name: "tailscale_delete_key",
-    description: "Delete an auth key. This is irreversible \u2014 devices already authenticated with this key are unaffected, but no new devices can use it.",
+    description: "Delete a key (auth key, OAuth client, or federated identity). This is irreversible. For auth keys, devices already authenticated are unaffected but no new devices can use it. For OAuth clients and federated identities, any integrations using them lose access immediately.",
     annotations: {
-      title: "Delete auth key",
+      title: "Delete key",
       readOnlyHint: false,
       destructiveHint: true,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      keyId: external_exports3.string().describe("The auth key ID to delete")
+      keyId: external_exports3.string().describe("The key ID to delete (auth key, OAuth client, or federated identity)")
     }),
     handler: async (input) => {
       return apiDelete(`/tailnet/${getTailnet()}/keys/${encPath(input.keyId)}`);
@@ -31416,7 +31433,7 @@ var keyTools = [
 var logStreamingTools = [
   {
     name: "tailscale_list_log_stream_configs",
-    description: "List all log streaming configurations for your tailnet. Fetches both 'configuration' (audit) and 'network' (flow) log stream configs. Log streaming sends logs to external destinations like Axiom, Datadog, Splunk, Elasticsearch, S3, or GCS.",
+    description: "List all log streaming configurations for your tailnet. Fetches both 'configuration' (audit) and 'network' (flow) log stream configs. Log streaming sends logs to external destinations like Axiom, Datadog, Splunk, Elasticsearch, or S3.",
     annotations: {
       title: "List log stream configs",
       readOnlyHint: true,
@@ -31430,14 +31447,22 @@ var logStreamingTools = [
         apiGet(`/tailnet/${getTailnet()}/logging/configuration/stream`),
         apiGet(`/tailnet/${getTailnet()}/logging/network/stream`)
       ]);
-      return {
-        ok: true,
-        status: 200,
-        data: {
-          configuration: configuration.ok ? configuration.data : { error: configuration.error },
-          network: network.ok ? network.data : { error: network.error }
-        }
+      const errors = {};
+      if (!configuration.ok) errors.configuration = configuration.error ?? `HTTP ${configuration.status}`;
+      if (!network.ok) errors.network = network.error ?? `HTTP ${network.status}`;
+      if (!configuration.ok && !network.ok) {
+        return {
+          ok: false,
+          status: configuration.status || network.status || 500,
+          error: `Both log streams failed: ${JSON.stringify(errors)}`
+        };
+      }
+      const data = {
+        configuration: configuration.ok ? configuration.data : null,
+        network: network.ok ? network.data : null
       };
+      if (Object.keys(errors).length > 0) data.errors = errors;
+      return { ok: true, status: 200, data };
     }
   },
   {
@@ -31459,7 +31484,7 @@ var logStreamingTools = [
   },
   {
     name: "tailscale_set_log_stream_config",
-    description: "Set the log streaming configuration for a specific log type. Configures where logs are sent (e.g. Axiom, Datadog, Splunk, Elasticsearch, S3, GCS).",
+    description: "Set the log streaming configuration for a specific log type. Configures where logs are sent (e.g. Axiom, Datadog, Splunk, Elasticsearch, S3).\n\nPer-destination required fields:\n- splunk / elastic / panther / cribl / datadog / axiom: url + token (user optional)\n- s3: s3Bucket + s3Region + s3AuthenticationType, plus either (s3AccessKeyId + s3SecretAccessKey) for 'accesskey' auth or s3RoleArn for 'rolearn' auth. Call tailscale_create_aws_external_id first when using 'rolearn'.",
     annotations: {
       title: "Set log stream config",
       readOnlyHint: false,
@@ -31470,9 +31495,22 @@ var logStreamingTools = [
     inputSchema: external_exports3.object({
       logType: external_exports3.enum(["configuration", "network"]).describe("The log type: 'configuration' for audit logs, 'network' for network flow logs"),
       destinationType: external_exports3.enum(["splunk", "elastic", "panther", "cribl", "datadog", "axiom", "s3"]).describe("The log streaming destination type"),
-      url: external_exports3.string().optional().describe("Destination URL (required for most destination types)"),
+      url: external_exports3.string().optional().describe("Destination URL (required for non-s3 destinations)"),
       token: external_exports3.string().optional().describe("Authentication token or API key for the destination"),
-      user: external_exports3.string().optional().describe("Username for the destination (if required)")
+      user: external_exports3.string().optional().describe("Username for the destination (if required)"),
+      uploadPeriodMinutes: external_exports3.number().optional().describe("Minutes to wait between uploads (max 1440). Optional."),
+      compressionFormat: external_exports3.enum(["zstd", "gzip", "none"]).optional().describe("Compression algorithm for log uploads. Defaults to 'none'."),
+      s3Bucket: external_exports3.string().optional().describe("(s3 only) S3 bucket name. Required when destinationType is 's3'."),
+      s3Region: external_exports3.string().optional().describe("(s3 only) AWS region of the S3 bucket. Required when destinationType is 's3'."),
+      s3KeyPrefix: external_exports3.string().optional().describe("(s3 only) Optional prefix prepended to the auto-generated S3 object key."),
+      s3AuthenticationType: external_exports3.enum(["accesskey", "rolearn"]).optional().describe(
+        "(s3 only) Authentication mode. Required when destinationType is 's3'. Tailscale recommends 'rolearn'."
+      ),
+      s3AccessKeyId: external_exports3.string().optional().describe("(s3 only) AWS access key id. Required when s3AuthenticationType is 'accesskey'."),
+      s3SecretAccessKey: external_exports3.string().optional().describe("(s3 only) AWS secret access key. Required when s3AuthenticationType is 'accesskey'."),
+      s3RoleArn: external_exports3.string().optional().describe(
+        "(s3 only) IAM role ARN that Tailscale will assume. Required when s3AuthenticationType is 'rolearn'."
+      )
     }),
     handler: async (input) => {
       const { logType, ...body } = input;
@@ -31555,135 +31593,6 @@ var logStreamingTools = [
   }
 ];
-// src/tools/network-lock.ts
-var networkLockTools = [
-  {
-    name: "tailscale_get_network_lock_status",
-    description: "Get the tailnet lock (network lock) status, including whether it is enabled and the list of trusted signing keys.",
-    annotations: {
-      title: "Get network lock status",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/network-lock/status`);
-    }
-  }
-];
-// src/tools/oauth-clients.ts
-var oauthClientTools = [
-  {
-    name: "tailscale_list_oauth_clients",
-    description: "List all OAuth clients configured for your tailnet.",
-    annotations: {
-      title: "List OAuth clients",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/oauth-clients`);
-    }
-  },
-  {
-    name: "tailscale_get_oauth_client",
-    description: "Get details for a specific OAuth client.",
-    annotations: {
-      title: "Get OAuth client",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      clientId: external_exports3.string().describe("The OAuth client ID")
-    }),
-    handler: async (input) => {
-      return apiGet(`/tailnet/${getTailnet()}/oauth-clients/${encPath(input.clientId)}`);
-    }
-  },
-  {
-    name: "tailscale_create_oauth_client",
-    description: "Create a new OAuth client for programmatic API access. Returns the client secret \u2014 save it immediately, as it cannot be retrieved again.",
-    annotations: {
-      title: "Create OAuth client",
-      readOnlyHint: false,
-      destructiveHint: false,
-      idempotentHint: false,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      name: external_exports3.string().describe("A human-readable name for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)"),
-      scopes: external_exports3.array(external_exports3.string()).describe(
-        "OAuth scopes to grant (e.g. ['devices:read', 'dns', 'acl']). See Tailscale docs for available scopes."
-      ),
-      tags: external_exports3.array(external_exports3.string()).optional().describe("ACL tags to assign to the OAuth client"),
-      description: external_exports3.string().optional().describe("Description for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)")
-    }),
-    handler: async (input) => {
-      validateTags(input.tags);
-      const body = { ...input };
-      body.name = sanitizeDescription(input.name);
-      if (input.description !== void 0) body.description = sanitizeDescription(input.description);
-      return apiPost(`/tailnet/${getTailnet()}/oauth-clients`, body);
-    }
-  },
-  {
-    name: "tailscale_update_oauth_client",
-    description: "Update an OAuth client's name, description, or scopes.",
-    annotations: {
-      title: "Update OAuth client",
-      readOnlyHint: false,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      clientId: external_exports3.string().describe("The OAuth client ID to update"),
-      name: external_exports3.string().optional().describe("Updated name"),
-      scopes: external_exports3.array(external_exports3.string()).optional().describe("Updated OAuth scopes"),
-      description: external_exports3.string().optional().describe("Updated description")
-    }),
-    handler: async (input) => {
-      const { clientId, ...body } = input;
-      const cleanBody = {};
-      for (const [key, value] of Object.entries(body)) {
-        if (value !== void 0) cleanBody[key] = value;
-      }
-      if (cleanBody.name !== void 0) cleanBody.name = sanitizeDescription(cleanBody.name);
-      if (cleanBody.description !== void 0)
-        cleanBody.description = sanitizeDescription(cleanBody.description);
-      if (Object.keys(cleanBody).length === 0) {
-        throw new Error("No fields to update. Provide at least one of: name, scopes, description.");
-      }
-      return apiPatch(`/tailnet/${getTailnet()}/oauth-clients/${encPath(clientId)}`, cleanBody);
-    }
-  },
-  {
-    name: "tailscale_delete_oauth_client",
-    description: "Delete an OAuth client. This is irreversible \u2014 any integrations using this client will lose access immediately.",
-    annotations: {
-      title: "Delete OAuth client",
-      readOnlyHint: false,
-      destructiveHint: true,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      clientId: external_exports3.string().describe("The OAuth client ID to delete")
-    }),
-    handler: async (input) => {
-      return apiDelete(`/tailnet/${getTailnet()}/oauth-clients/${encPath(input.clientId)}`);
-    }
-  }
-];
 // src/tools/posture.ts
 var postureTools = [
   {
@@ -31715,7 +31624,7 @@ var postureTools = [
       integrationId: external_exports3.string().describe("The posture integration ID")
     }),
     handler: async (input) => {
-      return apiGet(`/tailnet/${getTailnet()}/posture/integrations/${encPath(input.integrationId)}`);
+      return apiGet(`/posture/integrations/${encPath(input.integrationId)}`);
     }
   },
   {
@@ -31729,20 +31638,24 @@ var postureTools = [
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      provider: external_exports3.string().describe("The posture provider (e.g. 'crowdstrike', 'sentinelone', 'intune')"),
-      clientId: external_exports3.string().describe("The OAuth client ID for the provider"),
-      clientSecret: external_exports3.string().describe("The OAuth client secret for the provider"),
-      tenantId: external_exports3.string().optional().describe("The tenant ID (required for some providers)"),
-      cloudEnvironment: external_exports3.string().optional().describe("Cloud environment (e.g. 'us-1', 'eu-1')")
+      provider: external_exports3.enum(["falcon", "intune", "jamfpro", "kandji", "kolide", "sentinelone"]).describe("The posture provider"),
+      clientId: external_exports3.string().optional().describe(
+        "Client ID for the provider (Intune: application UUID; Falcon/Jamf Pro: client id; Kandji/Kolide/Sentinel One: leave blank)"
+      ),
+      clientSecret: external_exports3.string().describe("The secret (auth key, token, etc.) used to authenticate with the provider"),
+      tenantId: external_exports3.string().optional().describe("Microsoft Intune directory (tenant) ID. Other providers leave blank."),
+      cloudId: external_exports3.string().optional().describe(
+        "Identifies which of the provider's clouds to integrate with. Falcon: us-1|us-2|eu-1|us-gov; Intune: global|us-gov; Jamf Pro/Kandji/Sentinel One: FQDN of your subdomain; Kolide: leave blank."
+      )
     }),
     handler: async (input) => {
       const body = {
         provider: input.provider,
-        clientId: input.clientId,
         clientSecret: input.clientSecret
       };
+      if (input.clientId !== void 0) body.clientId = input.clientId;
       if (input.tenantId !== void 0) body.tenantId = input.tenantId;
-      if (input.cloudEnvironment !== void 0) body.cloudEnvironment = input.cloudEnvironment;
+      if (input.cloudId !== void 0) body.cloudId = input.cloudId;
       return apiPost(`/tailnet/${getTailnet()}/posture/integrations`, body);
     }
   },
@@ -31758,10 +31671,10 @@ var postureTools = [
     },
     inputSchema: external_exports3.object({
       integrationId: external_exports3.string().describe("The posture integration ID to update"),
-      clientId: external_exports3.string().optional().describe("Updated OAuth client ID for the provider"),
-      clientSecret: external_exports3.string().optional().describe("Updated OAuth client secret for the provider"),
+      clientId: external_exports3.string().optional().describe("Updated client ID for the provider"),
+      clientSecret: external_exports3.string().optional().describe("Updated client secret for the provider (omit to retain the existing secret)"),
       tenantId: external_exports3.string().optional().describe("Updated tenant ID"),
-      cloudEnvironment: external_exports3.string().optional().describe("Updated cloud environment (e.g. 'us-1', 'eu-1')")
+      cloudId: external_exports3.string().optional().describe("Updated cloud identifier (e.g. 'us-1', 'global', or provider FQDN)")
     }),
     handler: async (input) => {
       const { integrationId, ...body } = input;
@@ -31770,11 +31683,9 @@ var postureTools = [
         if (value !== void 0) cleanBody[key] = value;
       }
       if (Object.keys(cleanBody).length === 0) {
-        throw new Error(
-          "No fields to update. Provide at least one of: clientId, clientSecret, tenantId, cloudEnvironment."
-        );
+        throw new Error("No fields to update. Provide at least one of: clientId, clientSecret, tenantId, cloudId.");
       }
-      return apiPatch(`/tailnet/${getTailnet()}/posture/integrations/${encPath(integrationId)}`, cleanBody);
+      return apiPatch(`/posture/integrations/${encPath(integrationId)}`, cleanBody);
     }
   },
   {
@@ -31791,7 +31702,7 @@ var postureTools = [
       integrationId: external_exports3.string().describe("The posture integration ID to delete")
     }),
     handler: async (input) => {
-      return apiDelete(`/tailnet/${getTailnet()}/posture/integrations/${encPath(input.integrationId)}`);
+      return apiDelete(`/posture/integrations/${encPath(input.integrationId)}`);
     }
   }
 ];
@@ -31871,7 +31782,7 @@ var serviceTools = [
       title: "Delete service",
       readOnlyHint: false,
       destructiveHint: true,
-      idempotentHint: false,
+      idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
@@ -31960,21 +31871,20 @@ var statusTools = [
         apiGet(`/tailnet/${getTailnet()}/devices?fields=id`),
         apiGet(`/tailnet/${getTailnet()}/settings`)
       ]);
-      if (!devicesRes.ok) {
+      if (!devicesRes.ok && !settingsRes.ok) {
         return devicesRes;
       }
-      const deviceCount = devicesRes.data?.devices?.length ?? 0;
-      return {
-        ok: true,
-        status: 200,
-        data: {
-          connected: true,
-          tailnet: getTailnet(),
-          deviceCount,
-          settings: settingsRes.ok ? settingsRes.data : void 0,
-          ...settingsRes.ok ? {} : { settingsError: settingsRes.error || "Failed to fetch tailnet settings" }
-        }
+      const data = {
+        connected: true,
+        tailnet: getTailnet(),
+        deviceCount: devicesRes.ok ? devicesRes.data?.devices?.length ?? 0 : null,
+        settings: settingsRes.ok ? settingsRes.data : null
       };
+      const errors = {};
+      if (!devicesRes.ok) errors.devices = devicesRes.error ?? `HTTP ${devicesRes.status}`;
+      if (!settingsRes.ok) errors.settings = settingsRes.error ?? `HTTP ${settingsRes.status}`;
+      if (Object.keys(errors).length > 0) data.errors = errors;
+      return { ok: true, status: 200, data };
     }
   }
 ];
@@ -32068,15 +31978,16 @@ var tailnetTools = [
         if (value === void 0) continue;
         const res = await apiPatch(`/tailnet/${getTailnet()}/contacts/${encPath(contactType)}`, value);
         if (res.ok) applied[contactType] = res.data;
-        else failed[contactType] = res.error ?? `HTTP ${res.status}`;
+        else failed[contactType] = { status: res.status, error: res.error ?? `HTTP ${res.status}` };
       }
       const hasFailed = Object.keys(failed).length > 0;
       const hasApplied = Object.keys(applied).length > 0;
       if (hasFailed && !hasApplied) {
-        return { ok: false, status: 500, error: `Contact update failed: ${JSON.stringify(failed)}` };
+        const first = Object.values(failed)[0];
+        return { ok: false, status: first.status, error: `Contact update failed: ${JSON.stringify(failed)}` };
       }
       if (hasFailed) {
-        return { ok: true, status: 207, data: { applied, failed } };
+        return { ok: true, status: 200, data: { applied, failed } };
       }
       return { ok: true, status: 200, data: applied };
     }
@@ -32217,7 +32128,7 @@ var userTools = [
       title: "Delete user",
       readOnlyHint: false,
       destructiveHint: true,
-      idempotentHint: false,
+      idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
@@ -32382,112 +32293,8 @@ var webhookTools = [
   }
 ];
-// src/tools/workload-identity.ts
-var workloadIdentityTools = [
-  {
-    name: "tailscale_list_workload_identities",
-    description: "List all federated workload identity providers configured for your tailnet. Workload identities allow CI/CD pipelines and automated systems to authenticate using OIDC federation.",
-    annotations: {
-      title: "List workload identities",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({}),
-    handler: async () => {
-      return apiGet(`/tailnet/${getTailnet()}/workload-identity/providers`);
-    }
-  },
-  {
-    name: "tailscale_get_workload_identity",
-    description: "Get details for a specific federated workload identity provider, including issuer URL, audience, and the subject patterns it accepts for OIDC token exchange.",
-    annotations: {
-      title: "Get workload identity",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      providerId: external_exports3.string().describe("The workload identity provider ID")
-    }),
-    handler: async (input) => {
-      return apiGet(`/tailnet/${getTailnet()}/workload-identity/providers/${encPath(input.providerId)}`);
-    }
-  },
-  {
-    name: "tailscale_create_workload_identity",
-    description: "Create a new workload identity provider for OIDC federation. Enables CI/CD systems (GitHub Actions, GitLab CI, etc.) to authenticate to your tailnet without static credentials.",
-    annotations: {
-      title: "Create workload identity",
-      readOnlyHint: false,
-      destructiveHint: false,
-      idempotentHint: false,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      name: external_exports3.string().describe("A human-readable name for this provider (max 50 chars, alphanumeric/hyphens/spaces)"),
-      issuerUrl: external_exports3.string().describe("The OIDC issuer URL (e.g. 'https://token.actions.githubusercontent.com' for GitHub Actions)"),
-      audience: external_exports3.string().optional().describe("Expected audience claim in the OIDC token"),
-      claimMappings: external_exports3.record(external_exports3.string(), external_exports3.string()).optional().describe("Map of Tailscale attributes to OIDC token claims (e.g. { 'tag': 'repository' })")
-    }),
-    handler: async (input) => {
-      const body = { ...input };
-      body.name = sanitizeDescription(input.name);
-      return apiPost(`/tailnet/${getTailnet()}/workload-identity/providers`, body);
-    }
-  },
-  {
-    name: "tailscale_update_workload_identity",
-    description: "Update an existing workload identity provider's configuration.",
-    annotations: {
-      title: "Update workload identity",
-      readOnlyHint: false,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      providerId: external_exports3.string().describe("The workload identity provider ID to update"),
-      name: external_exports3.string().optional().describe("Updated human-readable name"),
-      audience: external_exports3.string().optional().describe("Updated expected audience claim"),
-      claimMappings: external_exports3.record(external_exports3.string(), external_exports3.string()).optional().describe("Updated claim mappings")
-    }),
-    handler: async (input) => {
-      const { providerId, ...body } = input;
-      const cleanBody = {};
-      for (const [key, value] of Object.entries(body)) {
-        if (value !== void 0) cleanBody[key] = value;
-      }
-      if (cleanBody.name !== void 0) cleanBody.name = sanitizeDescription(cleanBody.name);
-      if (Object.keys(cleanBody).length === 0) {
-        throw new Error("No fields to update. Provide at least one of: name, audience, claimMappings.");
-      }
-      return apiPatch(`/tailnet/${getTailnet()}/workload-identity/providers/${encPath(providerId)}`, cleanBody);
-    }
-  },
-  {
-    name: "tailscale_delete_workload_identity",
-    description: "Delete a workload identity provider. This is irreversible \u2014 any CI/CD pipelines using this provider will lose access.",
-    annotations: {
-      title: "Delete workload identity",
-      readOnlyHint: false,
-      destructiveHint: true,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      providerId: external_exports3.string().describe("The workload identity provider ID to delete")
-    }),
-    handler: async (input) => {
-      return apiDelete(`/tailnet/${getTailnet()}/workload-identity/providers/${encPath(input.providerId)}`);
-    }
-  }
-];
 // src/index.ts
-var version2 = true ? "0.8.8" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.9.1" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];
@@ -32513,14 +32320,11 @@ var toolGroups = {
   users: userTools,
   tailnet: tailnetTools,
   webhooks: webhookTools,
-  "network-lock": networkLockTools,
   posture: postureTools,
   audit: auditTools,
   invites: inviteTools,
   services: serviceTools,
-  "log-streaming": logStreamingTools,
-  "workload-identity": workloadIdentityTools,
-  "oauth-clients": oauthClientTools
+  "log-streaming": logStreamingTools
 };
 var {
   tools: allTools,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.8.8",
+  "version": "0.9.1",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",