figmanage 1.3.7 → 1.4.0

package/dist/cli/org.js

@@ -1,5 +1,5 @@
 import { Command } from 'commander';
-import { listAdmins, listOrgTeams, seatUsage, listTeamMembers, billingOverview, listInvoices, orgDomains, aiCreditUsage, exportMembers, listOrgMembers, contractRates, changeSeat, } from '../operations/org.js';
+import { listAdmins, listOrgTeams, seatUsage, listTeamMembers, billingOverview, listInvoices, orgDomains, aiCreditUsage, exportMembers, listOrgMembers, contractRates, changeSeat, activityLog, listPayments, removeOrgMember, createUserGroup, deleteUserGroups, addUserGroupMembers, removeUserGroupMembers, } from '../operations/org.js';
 import { output, error } from './format.js';
 import { formatApiError } from '../helpers.js';
 import { requireCookie } from './helpers.js';
@@ -130,13 +130,14 @@ export function orgCommand() {
         }
     });
     org
-        .command('ai-credits <plan-id>')
-        .description('AI credit usage summary for a billing plan')
+        .command('ai-credits <team-id>')
+        .description('AI credit usage summary (resolves billing plan from team)')
+        .option('--plan-id <id>', 'Plan ID override (skips team folder lookup)')
         .option('--json', 'Force JSON output')
-        .action(async (planId, options) => {
+        .action(async (teamId, options) => {
         try {
             const config = requireCookie();
-            const result = await aiCreditUsage(config, { plan_id: planId });
+            const result = await aiCreditUsage(config, { team_id: teamId, plan_id: options.planId });
             output(result, options);
         }
         catch (e) {
@@ -223,6 +224,143 @@ export function orgCommand() {
             process.exit(1);
         }
     });
+    org
+        .command('activity-log')
+        .description('Org audit log. Filter by email for per-user activity.')
+        .option('--org-id <id>', 'Org ID override')
+        .option('--emails <list>', 'Comma-separated emails to filter')
+        .option('--start <date>', 'Start date (ISO or YYYY-MM-DD)')
+        .option('--end <date>', 'End date (ISO or YYYY-MM-DD)')
+        .option('--page-size <n>', 'Entries per page')
+        .option('--after <cursor>', 'Pagination cursor from previous response')
+        .option('--json', 'Force JSON output')
+        .action(async (options) => {
+        try {
+            const config = requireCookie();
+            const result = await activityLog(config, {
+                org_id: options.orgId,
+                emails: options.emails,
+                start_time: options.start,
+                end_time: options.end,
+                page_size: options.pageSize ? parseInt(options.pageSize, 10) : undefined,
+                after: options.after,
+            });
+            output(result, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
+    org
+        .command('payments')
+        .description('List paid invoices / payment history')
+        .option('--org-id <id>', 'Org ID override')
+        .option('--json', 'Force JSON output')
+        .action(async (options) => {
+        try {
+            const config = requireCookie();
+            const result = await listPayments(config, { org_id: options.orgId });
+            output(result, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
+    org
+        .command('remove-org-member <user>')
+        .description('Permanently remove a member from the org (cannot be undone)')
+        .option('--org-id <id>', 'Org ID override')
+        .option('--confirm', 'Confirm permanent removal')
+        .option('--json', 'Force JSON output')
+        .action(async (user, options) => {
+        try {
+            const config = requireCookie();
+            const msg = await removeOrgMember(config, {
+                user_identifier: user,
+                org_id: options.orgId,
+                confirm: options.confirm,
+            });
+            output({ message: msg }, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
+    org
+        .command('create-user-group <name>')
+        .description('Create a user group')
+        .option('--description <text>', 'Group description')
+        .option('--team-id <id>', 'Team ID (resolves billing plan)')
+        .option('--plan-id <id>', 'Plan ID override')
+        .option('--emails <list>', 'Comma-separated emails to add as initial members')
+        .option('--no-notify', 'Skip member notification')
+        .option('--json', 'Force JSON output')
+        .action(async (name, options) => {
+        try {
+            const config = requireCookie();
+            const result = await createUserGroup(config, {
+                name,
+                description: options.description,
+                team_id: options.teamId,
+                plan_id: options.planId,
+                emails: options.emails ? options.emails.split(',').map(e => e.trim()) : undefined,
+                should_notify: options.notify,
+            });
+            output(result, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
+    org
+        .command('delete-user-groups <ids...>')
+        .description('Delete one or more user groups')
+        .option('--json', 'Force JSON output')
+        .action(async (ids, options) => {
+        try {
+            const config = requireCookie();
+            const msg = await deleteUserGroups(config, { user_group_ids: ids });
+            output({ message: msg }, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
+    org
+        .command('add-user-group-members <group-id> <emails...>')
+        .description('Add members to a user group by email')
+        .option('--json', 'Force JSON output')
+        .action(async (groupId, emails, options) => {
+        try {
+            const config = requireCookie();
+            const result = await addUserGroupMembers(config, { user_group_id: groupId, emails });
+            output(result, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
+    org
+        .command('remove-user-group-members <group-id> <user-ids...>')
+        .description('Remove members from a user group')
+        .option('--json', 'Force JSON output')
+        .action(async (groupId, userIds, options) => {
+        try {
+            const config = requireCookie();
+            const result = await removeUserGroupMembers(config, { user_group_id: groupId, user_ids: userIds });
+            output({ message: result }, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
     return org;
 }
 //# sourceMappingURL=org.js.map

package/dist/cli/teams.js

@@ -1,5 +1,5 @@
 import { Command } from 'commander';
-import { createTeam, renameTeam, deleteTeam } from '../operations/teams.js';
+import { createTeam, renameTeam, deleteTeam, addTeamMember, removeTeamMember } from '../operations/teams.js';
 import { output, error } from './format.js';
 import { formatApiError } from '../helpers.js';
 import { requireCookie } from './helpers.js';
@@ -57,6 +57,46 @@ export function teamsCommand() {
             process.exit(1);
         }
     });
+    teams
+        .command('add-member <team-id> <email>')
+        .description('Add a member to a team by email')
+        .option('--level <n>', 'Permission level: 100 = view (default), 300 = edit, 999 = admin')
+        .option('--json', 'Force JSON output')
+        .action(async (teamId, email, options) => {
+        try {
+            const config = requireCookie();
+            const msg = await addTeamMember(config, {
+                team_id: teamId,
+                email,
+                level: options.level ? parseInt(options.level, 10) : undefined,
+            });
+            output({ message: msg }, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
+    teams
+        .command('remove-member <team-id> <user-id>')
+        .description('Remove a member from a team')
+        .option('--json', 'Force JSON output')
+        .action(async (teamId, userId, options) => {
+        try {
+            const config = requireCookie();
+            const { confirmAction } = await import('./helpers.js');
+            if (!await confirmAction(`Remove user ${userId} from team ${teamId}?`)) {
+                console.log('Cancelled.');
+                return;
+            }
+            const msg = await removeTeamMember(config, { team_id: teamId, user_id: userId });
+            output({ message: msg }, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
     return teams;
 }
 //# sourceMappingURL=teams.js.map

package/dist/cli/webhooks.js

@@ -1,5 +1,5 @@
 import { Command } from 'commander';
-import { listWebhooks, createWebhook, updateWebhook, deleteWebhook, } from '../operations/webhooks.js';
+import { listWebhooks, createWebhook, updateWebhook, deleteWebhook, webhookRequests, } from '../operations/webhooks.js';
 import { output, error } from './format.js';
 import { formatApiError } from '../helpers.js';
 import { requirePat } from './helpers.js';
@@ -85,6 +85,25 @@ export function webhooksCommand() {
             process.exit(1);
         }
     });
+    webhooks
+        .command('requests <webhook-id>')
+        .description('List recent webhook delivery attempts (last 7 days)')
+        .option('--json', 'Force JSON output')
+        .action(async (webhookId, options) => {
+        try {
+            const config = requirePat();
+            const result = await webhookRequests(config, { webhook_id: webhookId });
+            if (result.requests.length === 0) {
+                console.log('No webhook deliveries in the last 7 days.');
+                return;
+            }
+            output(result, options);
+        }
+        catch (e) {
+            error(formatApiError(e));
+            process.exit(1);
+        }
+    });
     webhooks
         .command('delete <webhook-id>')
         .description('Delete a webhook')

package/dist/clients/internal-api.js

@@ -8,7 +8,7 @@ export function internalClient(config) {
     if (existing)
         return existing;
     const client = axios.create({
-        baseURL: 'https://www.figma.com',
+        baseURL: process.env.FIGMA_INTERNAL_BASE_URL || 'https://www.figma.com',
         httpsAgent,
         headers: {
             'Cookie': `__Host-figma.authn=${config.cookie || ''}`,

package/dist/clients/public-api.js

@@ -8,7 +8,7 @@ export function publicClient(config) {
     if (existing)
         return existing;
     const client = axios.create({
-        baseURL: 'https://api.figma.com',
+        baseURL: process.env.FIGMA_PUBLIC_BASE_URL || 'https://api.figma.com',
         httpsAgent,
         headers: {
             'X-Figma-Token': config.pat || '',

package/dist/mcp.d.ts

@@ -7,6 +7,7 @@ import './tools/export.js';
 import './tools/versions.js';
 import './tools/branching.js';
 import './tools/components.js';
+import './tools/dev-resources.js';
 import './tools/webhooks.js';
 import './tools/reading.js';
 import './tools/analytics.js';

package/dist/mcp.js

@@ -7,6 +7,7 @@ import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/
 import { loadAuthConfig, hasPat, hasCookie } from './auth/client.js';
 import { registerTools } from './tools/register.js';
 import { registerSetupTools } from './tools/setup.js';
+import { checkIsAdmin } from './operations/navigate.js';
 // Import tool modules (side-effect: registers via defineTool)
 import './tools/navigate.js';
 import './tools/files.js';
@@ -17,6 +18,7 @@ import './tools/export.js';
 import './tools/versions.js';
 import './tools/branching.js';
 import './tools/components.js';
+import './tools/dev-resources.js';
 import './tools/webhooks.js';
 import './tools/reading.js';
 import './tools/analytics.js';
@@ -73,19 +75,23 @@ export async function startMcpServer() {
         version,
     });
     const fullyConfigured = hasPat(config) && hasCookie(config);
+    const isAdmin = hasCookie(config) ? await checkIsAdmin(config) : false;
+    config.isAdmin = isAdmin;
     if (fullyConfigured) {
-        registerTools(server, config, enabledToolsets, readOnly);
+        registerTools(server, config, enabledToolsets, readOnly, isAdmin);
     }
     else {
         // No auth or partial auth: register setup tools.
         // If env vars provide some auth, also register whatever tools are available.
         if (hasPat(config) || hasCookie(config)) {
-            registerTools(server, config, enabledToolsets, readOnly);
+            registerTools(server, config, enabledToolsets, readOnly, isAdmin);
         }
-        registerSetupTools(server, () => {
+        registerSetupTools(server, async () => {
             // Re-load config after setup wrote credentials to disk
             const newConfig = loadAuthConfig();
-            registerTools(server, newConfig, enabledToolsets, readOnly);
+            const newIsAdmin = await checkIsAdmin(newConfig);
+            newConfig.isAdmin = newIsAdmin;
+            registerTools(server, newConfig, enabledToolsets, readOnly, newIsAdmin);
             server.server.sendToolListChanged();
         });
     }

package/dist/operations/comments.d.ts

@@ -36,6 +36,31 @@ export declare function deleteComment(config: AuthConfig, params: {
     file_key: string;
     comment_id: string;
 }): Promise<void>;
+export declare function resolveComment(config: AuthConfig, params: {
+    file_key: string;
+    comment_id: string;
+    resolved?: boolean;
+}): Promise<string>;
+export declare function editComment(config: AuthConfig, params: {
+    file_key: string;
+    comment_id: string;
+    message: string;
+}): Promise<string>;
+export interface AddedReaction {
+    emoji: string;
+    user: string;
+    created_at: string;
+}
+export declare function addCommentReaction(config: AuthConfig, params: {
+    file_key: string;
+    comment_id: string;
+    emoji: string;
+}): Promise<AddedReaction>;
+export declare function removeCommentReaction(config: AuthConfig, params: {
+    file_key: string;
+    comment_id: string;
+    emoji: string;
+}): Promise<void>;
 export declare function listCommentReactions(config: AuthConfig, params: {
     file_key: string;
     comment_id: string;

package/dist/operations/comments.js

@@ -1,4 +1,5 @@
 import { publicClient } from '../clients/public-api.js';
+import { internalClient } from '../clients/internal-api.js';
 export async function listComments(config, params) {
     const res = await publicClient(config).get(`/v1/files/${params.file_key}/comments`);
     const comments = res.data?.comments || [];
@@ -53,6 +54,27 @@ export async function postComment(config, params) {
 export async function deleteComment(config, params) {
     await publicClient(config).delete(`/v1/files/${params.file_key}/comments/${params.comment_id}`);
 }
+export async function resolveComment(config, params) {
+    const resolve = params.resolved !== false;
+    await internalClient(config).put(`/api/file/${params.file_key}/comments/${params.comment_id}`, { resolved_at: resolve ? 'true' : null });
+    return `Comment ${params.comment_id} ${resolve ? 'resolved' : 'unresolved'}.`;
+}
+export async function editComment(config, params) {
+    await internalClient(config).put(`/api/file/${params.file_key}/comments/${params.comment_id}`, { message_meta: [{ t: params.message }] });
+    return `Comment ${params.comment_id} updated.`;
+}
+export async function addCommentReaction(config, params) {
+    const res = await publicClient(config).post(`/v1/files/${params.file_key}/comments/${params.comment_id}/reactions`, { emoji: params.emoji });
+    const r = res.data;
+    return {
+        emoji: r.emoji || params.emoji,
+        user: r.user?.handle || '',
+        created_at: r.created_at || new Date().toISOString(),
+    };
+}
+export async function removeCommentReaction(config, params) {
+    await publicClient(config).delete(`/v1/files/${params.file_key}/comments/${params.comment_id}/reactions`, { params: { emoji: params.emoji } });
+}
 export async function listCommentReactions(config, params) {
     const res = await publicClient(config).get(`/v1/files/${params.file_key}/comments/${params.comment_id}/reactions`);
     const reactions = res.data?.reactions || [];

package/dist/operations/compound-manager.d.ts

@@ -3,6 +3,7 @@ export declare function offboardUser(config: AuthConfig, params: {
     user_identifier: string;
     execute: boolean;
     transfer_to?: string;
+    remove_from_org?: boolean;
     org_id?: string;
 }): Promise<{
     user: {

package/dist/operations/compound-manager.js

@@ -22,7 +22,7 @@ const PAID_STATUSES = {
 const LEVEL_MAP = { editor: 300, viewer: 100 };
 // -- offboard_user --
 export async function offboardUser(config, params) {
-    const { user_identifier, execute, transfer_to } = params;
+    const { user_identifier, execute, transfer_to, remove_from_org } = params;
     const orgId = requireOrgId(config, params.org_id);
     const api = internalClient(config);
     // Step 1: Resolve user
@@ -175,7 +175,7 @@ export async function offboardUser(config, params) {
             file_ownership: fileOwnership,
             summary,
             transfer_plan: transferPlan,
-            note: 'Run with execute=true to perform offboarding. Provide transfer_to if the user owns files.',
+            note: 'Run with execute=true to perform offboarding. Provide transfer_to if the user owns files. Add remove_from_org=true to fully remove from the org (permanent).',
         };
     }
     // --- Execute mode ---
@@ -315,6 +315,18 @@ export async function offboardUser(config, params) {
             actions.push({ action: 'downgrade_seat', status: 'failed', detail: formatApiError(e) });
         }
     }
+    // Step F: Remove from org (permanent, requires remove_from_org flag)
+    if (remove_from_org) {
+        try {
+            await api.delete(`/api/orgs/${orgId}/org_users`, {
+                data: { org_user_ids: [user.org_user_id] },
+            });
+            actions.push({ action: 'remove_from_org', status: 'done', detail: 'Permanently removed from org' });
+        }
+        catch (e) {
+            actions.push({ action: 'remove_from_org', status: 'failed', detail: formatApiError(e) });
+        }
+    }
     const succeeded = actions.filter(a => a.status === 'done').length;
     const failed = actions.filter(a => a.status === 'failed').length;
     return {
@@ -324,7 +336,9 @@ export async function offboardUser(config, params) {
         summary: { succeeded, failed, total: actions.length },
         note: failed > 0
             ? `${failed} action(s) failed. Review and retry manually.`
-            : 'Offboarding complete.',
+            : remove_from_org
+                ? 'Offboarding complete. User permanently removed from org.'
+                : 'Offboarding complete. User remains in org (use remove_from_org=true to fully remove).',
     };
 }
 // -- onboard_user --

package/dist/operations/dev-resources.d.ts

@@ -0,0 +1,25 @@
+import type { AuthConfig } from '../auth/client.js';
+export interface DevResource {
+    id: string;
+    name: string;
+    url: string;
+    file_key: string;
+    node_id: string;
+    dev_status?: string;
+}
+export declare function listDevResources(config: AuthConfig, params: {
+    file_key: string;
+    node_ids?: string[];
+}): Promise<DevResource[]>;
+export interface CreateDevResourceParams {
+    file_key: string;
+    node_id: string;
+    name: string;
+    url: string;
+}
+export declare function createDevResource(config: AuthConfig, params: CreateDevResourceParams): Promise<Record<string, any>>;
+export declare function deleteDevResource(config: AuthConfig, params: {
+    file_key: string;
+    dev_resource_id: string;
+}): Promise<void>;
+//# sourceMappingURL=dev-resources.d.ts.map

package/dist/operations/dev-resources.js

@@ -0,0 +1,31 @@
+import { publicClient } from '../clients/public-api.js';
+export async function listDevResources(config, params) {
+    const reqParams = {};
+    if (params.node_ids?.length)
+        reqParams.node_ids = params.node_ids.join(',');
+    const res = await publicClient(config).get(`/v1/files/${params.file_key}/dev_resources`, { params: reqParams });
+    const resources = res.data?.dev_resources || [];
+    return resources.map((r) => ({
+        id: r.id,
+        name: r.name,
+        url: r.url,
+        file_key: r.file_key || params.file_key,
+        node_id: r.node_id,
+        dev_status: r.dev_status,
+    }));
+}
+export async function createDevResource(config, params) {
+    const res = await publicClient(config).post('/v1/dev_resources', {
+        dev_resources: [{
+                file_key: params.file_key,
+                node_id: params.node_id,
+                name: params.name,
+                url: params.url,
+            }],
+    });
+    return res.data;
+}
+export async function deleteDevResource(config, params) {
+    await publicClient(config).delete(`/v1/files/${params.file_key}/dev_resources/${params.dev_resource_id}`);
+}
+//# sourceMappingURL=dev-resources.js.map

package/dist/operations/navigate.d.ts

@@ -72,6 +72,11 @@ export interface Favorite {
     name: string;
     type?: string;
 }
+/**
+ * Check if the current user is an org admin.
+ * Returns false on any error (no org, 403, network) -- safe default.
+ */
+export declare function checkIsAdmin(config: AuthConfig): Promise<boolean>;
 export declare function checkAuthStatus(config: AuthConfig): Promise<AuthCheckResult>;
 export declare function listOrgs(config: AuthConfig): Promise<OrgListEntry[]>;
 export declare function switchOrg(config: AuthConfig, params: {

package/dist/operations/navigate.js

@@ -10,8 +10,28 @@ function requireOrgId(config, explicit) {
         throw new Error('Invalid org ID format');
     return id;
 }
+/**
+ * Check if the current user is an org admin.
+ * Returns false on any error (no org, 403, network) -- safe default.
+ */
+export async function checkIsAdmin(config) {
+    const orgId = config.orgId || process.env.FIGMA_ORG_ID;
+    if (!orgId || !config.cookie)
+        return false;
+    try {
+        const res = await internalClient(config).get(`/api/orgs/${orgId}/admins`, { params: { include_license_admins: false } });
+        const admins = res.data?.meta?.admins || res.data?.meta || [];
+        return admins.some(a => (a.user_id || a.user?.id) === config.userId);
+    }
+    catch {
+        return false;
+    }
+}
 export async function checkAuthStatus(config) {
     const status = await checkAuth(config);
+    if (config.isAdmin === undefined && config.cookie) {
+        config.isAdmin = await checkIsAdmin(config);
+    }
     const formatted = formatAuthStatus(status, config);
     return { status, formatted };
 }

package/dist/operations/org.d.ts

@@ -1,8 +1,11 @@
 import type { AuthConfig } from '../auth/client.js';
+import { internalClient } from '../clients/internal-api.js';
 export declare const SEAT_HIERARCHY: Record<string, number>;
 export declare const SEAT_LABELS: Record<string, string>;
 export declare const PAID_STATUSES: Record<string, Record<string, string>>;
 export declare const SEAT_KEY_TO_TYPE: Record<string, string>;
+/** Resolve a billing plan_id from a team's folders. */
+export declare function resolvePlanId(client: ReturnType<typeof internalClient>, teamId: string): Promise<string>;
 export interface Admin {
     user_id: string;
     email: string | undefined;
@@ -54,7 +57,8 @@ export declare function orgDomains(config: AuthConfig, params: {
     org_id?: string;
 }): Promise<Record<string, any>>;
 export declare function aiCreditUsage(config: AuthConfig, params: {
-    plan_id: string;
+    team_id: string;
+    plan_id?: string;
 }): Promise<any>;
 export declare function exportMembers(config: AuthConfig, params: {
     org_id?: string;
@@ -92,4 +96,67 @@ export declare function changeSeat(config: AuthConfig, params: {
     org_id?: string;
     confirm?: boolean;
 }): Promise<ChangeSeatResult | string>;
+export interface ActivityLogEntry {
+    id: string;
+    timestamp: string;
+    event: string;
+    actor: {
+        id: string;
+        email: string;
+        name: string;
+    } | null;
+    team: string | null;
+    ip_address: string | null;
+    target: {
+        type: string;
+        id_or_key: string;
+    } | null;
+    metadata: Record<string, any> | null;
+}
+export interface ActivityLogResult {
+    entries: ActivityLogEntry[];
+    pagination?: {
+        after: string;
+        column: string;
+    };
+}
+export declare function activityLog(config: AuthConfig, params: {
+    org_id?: string;
+    emails?: string;
+    start_time?: string;
+    end_time?: string;
+    page_size?: number;
+    after?: string;
+}): Promise<ActivityLogResult>;
+export declare function listPayments(config: AuthConfig, params: {
+    org_id?: string;
+}): Promise<any[]>;
+export declare function removeOrgMember(config: AuthConfig, params: {
+    user_identifier: string;
+    org_id?: string;
+    confirm?: boolean;
+}): Promise<string>;
+export interface CreateUserGroupResult {
+    user_group_id: string;
+    add_user_results: any;
+}
+export declare function createUserGroup(config: AuthConfig, params: {
+    name: string;
+    description?: string;
+    team_id?: string;
+    plan_id?: string;
+    emails?: string[];
+    should_notify?: boolean;
+}): Promise<CreateUserGroupResult>;
+export declare function deleteUserGroups(config: AuthConfig, params: {
+    user_group_ids: string[];
+}): Promise<string>;
+export declare function addUserGroupMembers(config: AuthConfig, params: {
+    user_group_id: string;
+    emails: string[];
+}): Promise<any>;
+export declare function removeUserGroupMembers(config: AuthConfig, params: {
+    user_group_id: string;
+    user_ids: string[];
+}): Promise<string>;
 //# sourceMappingURL=org.d.ts.map