isc-transforms-mcp 1.0.0

package/JSONS/sailpoint.isc.transforms.usernameGenerator.schema.json

@@ -0,0 +1,106 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "sailpoint.isc.transforms.usernameGenerator.schema.json",
+  "title": "SailPoint ISC Transform Schema - usernameGenerator",
+  "description": "Strict schema derived from SailPoint official Username Generator operation documentation. This transform is intended for use within an account create profile; doc examples show the transform object embedded under a create profile attribute entry's 'transform' field and do not include a transform-level 'name'.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "type",
+    "attributes"
+  ],
+  "properties": {
+    "name": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Optional. In general transform syntax, only the root-level transform has a name; nested transforms omit it."
+    },
+    "type": {
+      "const": "usernameGenerator"
+    },
+    "attributes": {
+      "type": "object",
+      "description": "Username generator configuration plus optional dynamic variables (per docs).",
+      "required": [
+        "patterns"
+      ],
+      "properties": {
+        "patterns": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "minLength": 1
+          },
+          "description": "A JSON array of patterns for the generator to evaluate for uniqueness, in sequential order. Docs allow using 'uniqueCounter' as a reserved variable (shown as ${uniqueCounter} in examples). Docs also state that if a pattern contains uniqueCounter, it must be the last pattern."
+        },
+        "sourceCheck": {
+          "type": "boolean",
+          "default": false,
+          "description": "Whether the generator checks only the ISC database or queries the target system directly. true = check target system directly (only if the system supports getObject); false = check only the ISC database (default)."
+        }
+      },
+      "additionalProperties": {
+        "description": "Dynamic variable value used in patterns. Docs describe these as transforms.",
+        "$ref": "#/$defs/NestedTransform"
+      }
+    }
+  },
+  "$defs": {
+    "NestedTransform": {
+      "type": "object",
+      "description": "Nested transform object used as a dynamic variable (e.g., fn, ln, fi, mi). Docs examples for nested transforms typically omit 'name'.",
+      "additionalProperties": false,
+      "required": [
+        "type"
+      ],
+      "properties": {
+        "id": {
+          "type": "string"
+        },
+        "name": {
+          "type": "string",
+          "minLength": 1
+        },
+        "type": {
+          "type": "string",
+          "minLength": 1
+        },
+        "requiresPeriodicRefresh": {
+          "type": "boolean"
+        },
+        "attributes": {
+          "type": [
+            "object",
+            "null"
+          ],
+          "additionalProperties": true,
+          "description": "Operation-specific attributes for the nested transform (may be omitted for operations without attributes)."
+        }
+      }
+    }
+  },
+  "examples": [
+    {
+      "type": "usernameGenerator",
+      "attributes": {
+        "sourceCheck": true,
+        "patterns": [
+          "$fn.$ln${uniqueCounter}"
+        ],
+        "fn": {
+          "type": "identityAttribute",
+          "attributes": {
+            "name": "firstname"
+          }
+        },
+        "ln": {
+          "type": "identityAttribute",
+          "attributes": {
+            "name": "lastname"
+          }
+        }
+      }
+    }
+  ]
+}

package/JSONS/sailpoint.isc.transforms.uuid.schema.json

@@ -0,0 +1,32 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "sailpoint.isc.transforms.uuid.schema.json",
+  "title": "SailPoint ISC Transform Schema - uuid",
+  "description": "Strict schema derived from SailPoint official UUID Generator (uuid) transform documentation. Creates a UUID as a 36-character string. This transform only uses top-level properties and has no attributes block.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "type",
+    "name"
+  ],
+  "properties": {
+    "type": {
+      "const": "uuid"
+    },
+    "name": {
+      "type": "string",
+      "minLength": 1
+    },
+    "requiresPeriodicRefresh": {
+      "type": "boolean",
+      "default": false,
+      "description": "Whether the transform logic should be reevaluated every evening as part of the identity refresh process. Default is false."
+    }
+  },
+  "examples": [
+    {
+      "type": "uuid",
+      "name": "UUID Generator Transform"
+    }
+  ]
+}

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Amit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,221 @@
+# isc-transforms-mcp
+
+> **SailPoint ISC transform authoring, right inside Claude.**
+> Generate · Validate · Lint · Explain · Push to tenant — without leaving your AI assistant.
+
+[![npm version](https://img.shields.io/npm/v/isc-transforms-mcp)](https://www.npmjs.com/package/isc-transforms-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![MCP compatible](https://img.shields.io/badge/MCP-compatible-blue)](https://modelcontextprotocol.io)
+
+---
+
+## What is this?
+
+`isc-transforms-mcp` is a [Model Context Protocol](https://modelcontextprotocol.io) server that gives Claude a complete SailPoint ISC transform authoring toolkit. Instead of handwriting transform JSON, debugging schema errors in the UI, and cross-referencing the docs manually — you describe what you need in plain English and Claude does the rest.
+
+**Free (Personal)** — 10 offline tools. No ISC tenant needed. Works entirely on your laptop.
+**Enterprise** — All 14 tools, including live tenant operations (list, get, push, find references). See [Enterprise Plan](#-enterprise-plan).
+
+---
+
+## Demo
+
+```
+You: Generate a SailPoint transform that concatenates first name, a dot, and last name
+     to produce an email prefix. Then validate and lint it.
+
+Claude: [calls isc_transforms_generate]
+        → { "type": "concat", "name": "email-prefix", "attributes": { "values": [ ... ] } }
+        Confidence: high | Doc: https://developer.sailpoint.com/...
+
+        [calls isc_transforms_validate]
+        → valid: true
+
+        [calls isc_transforms_lint]
+        → ok: true | 0 errors | 0 warnings
+```
+
+---
+
+## Quick Start
+
+### 1. Install
+
+```bash
+npm install -g isc-transforms-mcp
+# or use without installing:
+# npx isc-transforms-mcp
+```
+
+### 2. Add to Claude Desktop
+
+Open `%APPDATA%\Claude\claude_desktop_config.json` (Windows) or
+`~/Library/Application Support/Claude/claude_desktop_config.json` (macOS).
+
+```json
+{
+  "mcpServers": {
+    "isc-transforms": {
+      "command": "npx",
+      "args": ["isc-transforms-mcp"]
+    }
+  }
+}
+```
+
+> If you installed globally, you can also point directly to the binary:
+> `"command": "isc-transforms-mcp"`
+
+### 3. Restart Claude Desktop
+
+Look for the 🔨 hammer icon at the bottom of the chat input — that confirms the tools loaded.
+
+### 4. Try it
+
+```
+"Use isc_ping to check the server"
+"Generate a SailPoint transform that falls back from work email to personal email"
+"Validate this transform JSON: { ... }"
+"What SailPoint transform pattern should I use for username generation?"
+```
+
+---
+
+## Free Tools (Phase 1 — No ISC Tenant Required)
+
+All 10 tools below work completely offline. No credentials, no tenant, no internet connection needed.
+
+### `isc_transforms_generate`
+Converts a plain-English requirement into a SailPoint ISC transform JSON payload. Parses your description for operation keywords, attribute names, date formats, and fallback hints. Returns the transform JSON, confidence level, alternative operations, and a link to the official SailPoint docs for that operation type.
+
+```
+"Generate a transform that converts an EPOCH timestamp to ISO8601 date format"
+"Create a username transform using first initial plus last name with a uniqueness counter"
+"Fall back from department to costCenter if department is empty"
+```
+
+### `isc_transforms_validate`
+Two-stage JSON Schema validation powered by AJV and the official SailPoint JSON Schema pack. Stage 1 validates the root shape (name, type, attributes). Stage 2 validates against the operation-specific schema for all 44 operation types, including attribute requirements, allowed values, and nested transform shapes.
+
+### `isc_transforms_lint`
+27 semantic lint rules that go beyond what JSON Schema can check. Catches issues like multiple source references on `accountAttribute`, using `delimiter` instead of `separator` on `join`, invalid regex patterns, `requiresPeriodicRefresh` set as a string instead of boolean, missing `default` keys on `lookup` transforms, and 22 more. Errors include the doc URL for the affected operation so you know exactly what to fix.
+
+### `isc_transforms_explain`
+Takes a broken transform (or an ISC error message) and returns plain-English guidance plus an auto-corrected JSON where the fix is automatable. Handles 13 known error patterns including boolean coercion, deprecated attribute names, conditional operator restrictions, and missing required fields.
+
+### `isc_transforms_suggestPattern`
+Matches your description against 10 named nested-transform patterns and returns a complete working example. Patterns include: fallback email chain, conditional department → building code, username first-initial + last-name + uniqueCounter, EPOCH → ISO8601, normalize + lowercase name, country code → region lookup, email from first.last@domain, date compare for lifecycle state, E.164 phone normalisation, and split to extract domain from email.
+
+### `isc_transforms_generateTestCases`
+Generates 2–5 illustrative test cases for a transform: happy-path, null input, and edge cases. Each test case includes a description, sample input, expected output, and notes. Use these directly in the ISC transform tester.
+
+### `isc_transforms_catalog`
+Returns all 44+ supported SailPoint ISC transform operation types with: type key, human-readable title, required attributes, doc URL, schema coverage flag, and scaffold example. Essential reference when you are not sure which operation to use.
+
+### `isc_transforms_getSchema`
+Returns the full JSON Schema (Draft 2020-12) for any operation type — the exact schema used internally for validation. Useful when you want to understand precisely which attributes are required, optional, and what their constraints are.
+
+### `isc_transforms_scaffold`
+Generates a valid minimal starter JSON payload for any operation type. Good starting point before you fill in the actual values.
+
+### `isc_ping`
+Health check. Returns the server status, active license tier, and whether Phase 2 tools are available.
+
+---
+
+## Enterprise Plan
+
+The 4 tools below connect to a live ISC tenant and require an **Enterprise license key**.
+
+| Tool | What it does |
+|---|---|
+| `isc_transforms_list` | `GET /v3/transforms` — fetch all transforms from your tenant |
+| `isc_transforms_get` | `GET /v3/transforms/:id` — fetch a single transform |
+| `isc_transforms_upsert` | Create or update with dry-run preview + JSON-Patch diff + lint before write |
+| `isc_transforms_findReferences` | Scan identity profiles for every place a transform is referenced |
+
+**Get Enterprise →** [YOUR-STORE-URL](https://YOUR-STORE-URL)
+
+Once you have a license key, add it to your Claude Desktop config:
+
+```json
+{
+  "mcpServers": {
+    "isc-transforms": {
+      "command": "npx",
+      "args": ["isc-transforms-mcp"],
+      "env": {
+        "ISC_MCP_LICENSE_KEY": "ISC-XXXX-XXXX-XXXX-XXXX",
+        "ISC_TENANT": "your-tenant.identitynow.com",
+        "ISC_PAT_CLIENT_ID": "your-client-id",
+        "ISC_PAT_CLIENT_SECRET": "your-client-secret"
+      }
+    }
+  }
+}
+```
+
+### Hosted (Remote) Mode
+
+Enterprise customers can also point Claude Desktop directly at the hosted server — no local install required:
+
+```json
+{
+  "mcpServers": {
+    "isc-transforms": {
+      "url": "https://YOUR-DOMAIN.COM/mcp",
+      "headers": {
+        "Authorization": "Bearer ISC-XXXX-XXXX-XXXX-XXXX"
+      }
+    }
+  }
+}
+```
+
+---
+
+## Configuration Reference
+
+All settings are optional for Personal use. Enterprise users need the `ISC_*` credentials for Phase 2 tools.
+
+| Variable | Default | Description |
+|---|---|---|
+| `ISC_MCP_LICENSE_KEY` | — | Enterprise license key. Format: `ISC-XXXX-XXXX-XXXX-XXXX` |
+| `ISC_TENANT` | — | Your tenant name. Expands to `https://{tenant}.api.identitynow.com` |
+| `ISC_API_BASE_URL` | — | Explicit API base URL (alternative to `ISC_TENANT`) |
+| `ISC_PAT_CLIENT_ID` | — | PAT client ID for authentication |
+| `ISC_PAT_CLIENT_SECRET` | — | PAT client secret for authentication |
+| `ISC_ACCESS_TOKEN` | — | Pre-minted bearer token (alternative to PAT) |
+| `ISC_MCP_MODE` | `readonly` | Set to `write` to allow `isc_transforms_upsert` to apply changes |
+| `ISC_MCP_DEBUG` | `false` | Enable verbose debug logging to stderr |
+| `ISC_TIMEOUT_MS` | `30000` | HTTP request timeout in milliseconds |
+
+---
+
+## Supported Operations
+
+All 44 SailPoint ISC transform operation types are fully supported for generation, validation, and linting:
+
+`accountAttribute` · `base64Decode` · `base64Encode` · `concat` · `conditional` · `dateCompare` · `dateFormat` · `dateMath` · `decomposeDiacriticalMarks` · `displayName` · `e164phone` · `firstValid` · `generateRandomString`\* · `getEndOfString`\* · `getReferenceIdentityAttribute`\* · `identityAttribute` · `indexOf` · `iso3166` · `join` · `lastIndexOf` · `leftPad` · `lookup` · `lower` · `nameNormalizer` · `normalizeNames` · `randomAlphaNumeric` · `randomNumeric` · `reference` · `replace` · `replaceAll` · `rfc5646` · `rightPad` · `rule` · `split` · `static` · `substring` · `trim` · `upper` · `usernameGenerator` · `uuid`
+
+\* Rule-backed operations (executed via the Cloud Services Deployment Utility).
+
+---
+
+## Running from Source
+
+```bash
+git clone https://github.com/simplifyauth/isc-transforms-mcp.git
+cd isc-transforms-mcp
+npm install
+npm run build
+npm start        # stdio mode (Claude Desktop)
+npm run serve    # HTTP mode (hosted/remote)
+```
+
+---
+
+## License
+
+MIT — free to use, modify, and distribute.
+Commercial hosting and enterprise features require a license key. See [Enterprise Plan](#-enterprise-plan).

package/bin/isc-transforms-mcp.mjs

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+// Entry-point shim for `npx isc-transforms-mcp` or global installs.
+import "../dist/index.js";

package/dist/allowlist.js

@@ -0,0 +1,37 @@
+const RULES = [
+    // Phase 1: discovery only (readonly)
+    { method: "POST", pathPrefix: "/v3/search", modes: ["readonly", "write"] },
+    { method: "GET", pathPrefix: "/v3/transforms", modes: ["readonly", "write"] },
+    { method: "GET", pathPrefix: "/v3/identity-profiles", modes: ["readonly", "write"] },
+    { method: "GET", pathPrefix: "/v3/workflow-library", modes: ["readonly", "write"] },
+    { method: "GET", pathPrefix: "/v3/workflow-executions", modes: ["readonly", "write"] },
+    { method: "POST", pathPrefix: "/v3/workflow-executions", modes: ["write"] },
+    { method: "GET", pathPrefix: "/v3/workflows", modes: ["readonly", "write"] },
+    // Phase 2: Transforms write path
+    { method: "POST", pathPrefix: "/v3/transforms", modes: ["write"] }, // create Docs: https://developer.sailpoint.com/docs/api/v3/create-transform/
+    { method: "PUT", pathPrefix: "/v3/transforms", modes: ["write"] }, // update Docs: https://developer.sailpoint.com/docs/api/v3/update-transform/
+    { method: "POST", pathPrefix: "/v3/identity-profiles", modes: ["write"] },
+    { method: "PUT", pathPrefix: "/v3/identity-profiles", modes: ["write"] },
+    { method: "PATCH", pathPrefix: "/v3/identity-profiles", modes: ["write"] }, // update via JSON Patch (Content-Type: application/json-patch+json) // Docs: https://developer.sailpoint.com/docs/api/v3/update-identity-profile/
+    { method: "POST", pathPrefix: "/v3/workflows", modes: ["write"] },
+    { method: "PUT", pathPrefix: "/v3/workflows", modes: ["write"] },
+    { method: "PATCH", pathPrefix: "/v3/workflows", modes: ["write"] },
+    { method: "DELETE", pathPrefix: "/v3/workflows", modes: ["write"] },
+    { method: "POST", pathPrefix: "/v3/workflows/execute/external", modes: ["write"] },
+    // Phase Forms: Custom Forms (v2024)
+    // Docs: https://developer.sailpoint.com/docs/api/v2024/custom-forms/  (form definitions + form instances)
+    { method: "GET", pathPrefix: "/v2024/form-definitions", modes: ["readonly", "write"] },
+    { method: "POST", pathPrefix: "/v2024/form-definitions", modes: ["write"] }, // create-form-definition
+    { method: "PATCH", pathPrefix: "/v2024/form-definitions", modes: ["write"] }, // patch-form-definition
+    { method: "DELETE", pathPrefix: "/v2024/form-definitions", modes: ["write"] }, // delete-form-definition
+    { method: "GET", pathPrefix: "/v2024/form-instances", modes: ["readonly", "write"] },
+    { method: "PATCH", pathPrefix: "/v2024/form-instances", modes: ["write"] } // patch-form-instance
+];
+export function isAllowed(mode, method, path) {
+    return RULES.some(r => r.method === method &&
+        path.startsWith(r.pathPrefix) &&
+        r.modes.includes(mode));
+}
+export function getAllowlist() {
+    return RULES;
+}

package/dist/config.js

@@ -0,0 +1,67 @@
+import "dotenv/config";
+function mustBool(v, def) {
+    if (!v)
+        return def;
+    return ["1", "true", "yes", "on"].includes(v.toLowerCase());
+}
+function mustInt(v, def) {
+    if (!v)
+        return def;
+    const n = Number(v);
+    return Number.isFinite(n) ? n : def;
+}
+function stripTrailingSlash(u) {
+    return u.replace(/\/+$/, "");
+}
+/**
+ * Validates the license key format: ISC-XXXX-XXXX-XXXX-XXXX
+ * where each X is an uppercase alphanumeric character (A-Z0-9).
+ * Full online activation is optional and handled separately at first use.
+ */
+export function isValidLicenseKey(key) {
+    if (!key)
+        return false;
+    return /^ISC-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/.test(key);
+}
+export function loadConfig() {
+    const tenant = process.env.ISC_TENANT?.trim();
+    const explicitBase = process.env.ISC_API_BASE_URL?.trim();
+    let apiBaseUrl = explicitBase || "";
+    if (!apiBaseUrl && tenant) {
+        apiBaseUrl = `https://${tenant}.api.identitynow.com`;
+    }
+    apiBaseUrl = stripTrailingSlash(apiBaseUrl || "");
+    const apiVersion = (process.env.ISC_API_VERSION?.trim() || "v3").replace(/^\/+/, "");
+    const modeRaw = (process.env.ISC_MCP_MODE?.trim() || "readonly");
+    if (modeRaw !== "readonly" && modeRaw !== "write") {
+        throw new Error("Config error: ISC_MCP_MODE must be 'readonly' or 'write'.");
+    }
+    const debug = mustBool(process.env.ISC_MCP_DEBUG, false);
+    const timeoutMs = mustInt(process.env.ISC_TIMEOUT_MS, 30000);
+    const accessToken = process.env.ISC_ACCESS_TOKEN?.trim();
+    const patClientId = process.env.ISC_PAT_CLIENT_ID?.trim();
+    const patClientSecret = process.env.ISC_PAT_CLIENT_SECRET?.trim();
+    // Offline mode: no ISC credentials — Phase 1 tools work, Phase 2 tools will return a clear error.
+    const offline = !accessToken && !(patClientId && patClientSecret);
+    if (offline && !apiBaseUrl) {
+        apiBaseUrl = "https://tenant.api.identitynow.com"; // placeholder, not used in offline mode
+    }
+    // License key — required for Phase 2 (enterprise) tools.
+    // Format: ISC-XXXX-XXXX-XXXX-XXXX (groups of 4 uppercase alphanumeric, prefix ISC-)
+    const licenseKey = process.env.ISC_MCP_LICENSE_KEY?.trim() || undefined;
+    const licenseTier = isValidLicenseKey(licenseKey) ? "enterprise" : "personal";
+    return {
+        tenant,
+        apiBaseUrl,
+        apiVersion,
+        mode: modeRaw,
+        debug,
+        timeoutMs,
+        accessToken,
+        patClientId,
+        patClientSecret,
+        offline,
+        licenseKey,
+        licenseTier,
+    };
+}

package/dist/http/errors.js

@@ -0,0 +1,19 @@
+export class HttpError extends Error {
+    status;
+    body;
+    constructor(message, status, body) {
+        super(message);
+        this.status = status;
+        this.body = body;
+        this.name = "HttpError";
+    }
+}
+export function toSafeError(e) {
+    if (e instanceof HttpError) {
+        return { name: e.name, message: e.message, status: e.status, body: e.body };
+    }
+    if (e instanceof Error) {
+        return { name: e.name, message: e.message };
+    }
+    return { name: "UnknownError", message: String(e) };
+}

package/dist/http/iscAuth.js

@@ -0,0 +1,45 @@
+import { HttpError } from "./errors.js";
+let cache = null;
+function nowMs() {
+    return Date.now();
+}
+// Token URL example in v3 API intro: https://{tenant}.api.identitynow.com/oauth/token // Docs: https://developer.sailpoint.com/docs/api/v3/
+export async function getBearerToken(cfg) {
+    // If user supplied a token, use it.
+    if (cfg.accessToken)
+        return cfg.accessToken;
+    if (!cfg.patClientId || !cfg.patClientSecret) {
+        throw new Error("Missing PAT credentials (ISC_PAT_CLIENT_ID / ISC_PAT_CLIENT_SECRET).");
+    }
+    // cache: refresh if expiring within 60s
+    if (cache && cache.expEpochMs - nowMs() > 60_000)
+        return cache.token;
+    const tokenUrl = `${cfg.apiBaseUrl}/oauth/token`;
+    const body = new URLSearchParams({
+        grant_type: "client_credentials",
+        client_id: cfg.patClientId,
+        client_secret: cfg.patClientSecret
+    });
+    const resp = await fetch(tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body,
+        signal: AbortSignal.timeout(cfg.timeoutMs)
+    });
+    const text = await resp.text();
+    let json = null;
+    try {
+        json = text ? JSON.parse(text) : null;
+    }
+    catch { /* ignore */ }
+    if (!resp.ok) {
+        throw new HttpError(`Token request failed (${resp.status})`, resp.status, json ?? text);
+    }
+    const token = json?.access_token;
+    const expiresIn = Number(json?.expires_in ?? 900);
+    if (!token) {
+        throw new Error("Token response missing access_token");
+    }
+    cache = { token, expEpochMs: nowMs() + expiresIn * 1000 };
+    return token;
+}

package/dist/http/iscClient.js

@@ -0,0 +1,73 @@
+import { isAllowed } from "../allowlist.js";
+import { HttpError } from "./errors.js";
+import { getBearerToken } from "./iscAuth.js";
+function stripTrailingSlash(u) {
+    return u.replace(/\/+$/, "");
+}
+function stripLeadingSlash(p) {
+    return p.replace(/^\/+/, "");
+}
+export class IScClient {
+    cfg;
+    baseUrl; // e.g. https://{tenant}.api.identitynow.com
+    defaultVersion; // e.g. v3
+    baseApi; // e.g. https://{tenant}.api.identitynow.com/v3
+    constructor(cfg) {
+        this.cfg = cfg;
+        this.baseUrl = stripTrailingSlash(cfg.apiBaseUrl);
+        this.defaultVersion = stripLeadingSlash(cfg.apiVersion);
+        this.baseApi = `${this.baseUrl}/${this.defaultVersion}`;
+    }
+    /** Backwards-compatible (default version). */
+    getBaseApi() {
+        return this.baseApi;
+    }
+    /** Version-aware base. */
+    getBaseApiFor(version) {
+        return `${this.baseUrl}/${stripLeadingSlash(version)}`;
+    }
+    /** Default-version request (existing code uses this). */
+    async request(method, path, body, extraHeaders) {
+        return this.requestWithVersion(this.defaultVersion, method, path, body, extraHeaders);
+    }
+    /**
+     * Version-aware request.
+     * Example:
+     *  - version="v3", path="/workflows"
+     *  - version="v2024", path="/form-definitions"
+     */
+    async requestWithVersion(version, method, path, // "/transforms?limit=50" or "transforms?limit=50"
+    body, extraHeaders) {
+        const v = stripLeadingSlash(version);
+        const fullPath = `/${stripLeadingSlash(path)}`; // "/transforms?limit=50"
+        const allowPath = `/${v}${fullPath}`; // "/v3/transforms?limit=50"
+        if (!isAllowed(this.cfg.mode, method, allowPath)) {
+            throw new Error(`Blocked by allowlist: ${method} ${allowPath} (mode=${this.cfg.mode})`);
+        }
+        const token = await getBearerToken(this.cfg);
+        const url = `${this.baseUrl}/${v}${fullPath}`;
+        const resp = await fetch(url, {
+            method,
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: "application/json",
+                ...(body ? { "Content-Type": "application/json" } : {}),
+                ...(extraHeaders || {})
+            },
+            body: body ? JSON.stringify(body) : undefined,
+            signal: AbortSignal.timeout(this.cfg.timeoutMs)
+        });
+        const text = await resp.text();
+        let json = null;
+        try {
+            json = text ? JSON.parse(text) : null;
+        }
+        catch {
+            /* ignore */
+        }
+        if (!resp.ok) {
+            throw new HttpError(`ISC API failed (${resp.status}) ${method} /${v}${fullPath}`, resp.status, json ?? text);
+        }
+        return (json ?? text);
+    }
+}