isc-transforms-mcp 1.0.19 → 1.0.21

package/JSONS/sailpoint.isc.transforms.concat.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "sailpoint.isc.transforms.concat.schema.json",
   "title": "SailPoint ISC Transform Schema - concat",
-  "description": "Strict schema derived from the SailPoint official Concatenation operation documentation. Concatenates an array of values (static strings or nested transform objects) into a single string output.",
+  "description": "Strict schema for the SailPoint ISC concat (Concatenation) transform. Joins an ordered array of values (static strings or nested transform outputs) into a single combined string. Key behaviors: (1) Items are joined in order with NO automatic separator — spaces, hyphens, or other delimiters must be added as explicit string entries in the array. (2) Each array entry can be a static string literal or a nested transform object whose output string is used. (3) A single-entry values array is valid JSON but semantically pointless — use the nested transform directly in that case.",
   "type": "object",
   "additionalProperties": false,
   "required": [
@@ -12,16 +12,18 @@
   ],
   "properties": {
     "type": {
-      "const": "concat"
+      "const": "concat",
+      "description": "Transform operation type. Must be exactly 'concat'."
     },
     "name": {
       "type": "string",
-      "minLength": 1
+      "minLength": 1,
+      "description": "Display name for this transform, shown in UI dropdowns and identity profile mappings."
     },
     "requiresPeriodicRefresh": {
       "type": "boolean",
       "default": false,
-      "description": "Whether the transform logic should be reevaluated nightly as part of identity refresh. Default false."
+      "description": "If true, re-evaluates this transform during the nightly identity refresh cycle. Default is false."
     },
     "attributes": {
       "type": "object",
@@ -29,15 +31,17 @@
       "required": [
         "values"
       ],
+      "description": "Required container for concat operation attributes. The only valid attribute is 'values'.",
       "properties": {
         "values": {
           "type": "array",
-          "minItems": 2,
-          "description": "Array of items to join. Each item must be a static string or a nested transform object.",
+          "minItems": 1,
+          "description": "Required. Ordered array of items to join into a single output string. Items are concatenated in sequence with no automatic separator. Rules: (1) Each entry must be a static string literal or a nested transform object {type, attributes} whose output is used. (2) To include spaces, hyphens, or any other separator, add them as explicit string entries between the value entries. (3) A single-entry array is valid but pointless — the nested transform can be used directly. Examples: [firstName, ' ', lastName] → 'Jane Doe'; [jobTitle, ' - ', jobCode] → 'Engineer - ENG001'.",
           "items": {
-            "oneOf": [
+            "anyOf": [
               {
-                "type": "string"
+                "type": "string",
+                "description": "Static string literal included as-is in the output (e.g., ' ', ' - ', ' (Contractor)')."
               },
               {
                 "$ref": "#/$defs/NestedTransform"
@@ -51,7 +55,7 @@
   "$defs": {
     "NestedTransform": {
       "type": "object",
-      "description": "Nested transform object used inside other transforms (docs examples often omit 'name' on nested transforms). Operation-specific validation should be applied by the referenced operation schema.",
+      "description": "A nested transform object used as one element in the values array. Its output string is inserted at the corresponding position in the concatenated result. The 'name' field is optional in nested transforms per SailPoint docs.",
       "additionalProperties": false,
       "required": [
         "type",
@@ -59,18 +63,22 @@
       ],
       "properties": {
         "id": {
-          "type": "string"
+          "type": "string",
+          "description": "Optional ID when referencing an existing saved transform."
         },
         "name": {
           "type": "string",
-          "minLength": 1
+          "minLength": 1,
+          "description": "Optional display name for the nested transform."
         },
         "type": {
           "type": "string",
-          "minLength": 1
+          "minLength": 1,
+          "description": "The operation type of the nested transform (e.g., 'accountAttribute', 'identityAttribute', 'static', 'lower', 'trim')."
         },
         "requiresPeriodicRefresh": {
-          "type": "boolean"
+          "type": "boolean",
+          "description": "Whether this nested transform re-evaluates during nightly refresh."
         },
         "attributes": {
           "type": "object",
@@ -82,8 +90,54 @@
   },
   "examples": [
     {
+      "name": "Full Name from HR Source",
+      "type": "concat",
+      "attributes": {
+        "values": [
+          {
+            "type": "accountAttribute",
+            "attributes": {
+              "sourceName": "HR Source",
+              "attributeName": "FirstName"
+            }
+          },
+          " ",
+          {
+            "type": "accountAttribute",
+            "attributes": {
+              "sourceName": "HR Source",
+              "attributeName": "LastName"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "name": "Job Title with Code",
+      "type": "concat",
+      "attributes": {
+        "values": [
+          {
+            "type": "accountAttribute",
+            "attributes": {
+              "sourceName": "HR Source",
+              "attributeName": "JobTitle"
+            }
+          },
+          " - ",
+          {
+            "type": "accountAttribute",
+            "attributes": {
+              "sourceName": "HR Source",
+              "attributeName": "JobCode"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "name": "Contractor Display Name",
       "type": "concat",
-      "name": "Test Concat Transform",
       "attributes": {
         "values": [
           {
@@ -104,6 +158,38 @@
           " (Contractor)"
         ]
       }
+    },
+    {
+      "name": "Lowercase Email from Identity Attributes",
+      "type": "concat",
+      "attributes": {
+        "values": [
+          {
+            "type": "lower",
+            "attributes": {
+              "input": {
+                "type": "identityAttribute",
+                "attributes": {
+                  "name": "firstname"
+                }
+              }
+            }
+          },
+          ".",
+          {
+            "type": "lower",
+            "attributes": {
+              "input": {
+                "type": "identityAttribute",
+                "attributes": {
+                  "name": "lastname"
+                }
+              }
+            }
+          },
+          "@example.com"
+        ]
+      }
     }
   ]
 }

package/JSONS/sailpoint.isc.transforms.usernameGenerator.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "sailpoint.isc.transforms.usernameGenerator.schema.json",
   "title": "SailPoint ISC Transform Schema - usernameGenerator",
-  "description": "Strict schema derived from SailPoint official Username Generator operation documentation. This transform is intended for use within an account create profile; doc examples show the transform object embedded under a create profile attribute entry's 'transform' field and do not include a transform-level 'name'.",
+  "description": "Strict schema for the SailPoint ISC usernameGenerator transform. Generates a unique username by evaluating an ordered list of format string patterns until a unique value is found. Patterns use dollar-sign token notation ($varName or ${varName}) referencing dynamic variables defined as additional attribute keys. IMPORTANT: (1) The pattern containing '${uniqueCounter}' MUST be the last entry — patterns after it are never evaluated. (2) If all patterns are exhausted without finding a unique value, an IllegalStateException is thrown. (3) This transform is designed for account create profiles, not standalone identity profile mappings. The 'name' field is optional when used inside a create profile.",
   "type": "object",
   "additionalProperties": false,
   "required": [
@@ -10,20 +10,26 @@
     "attributes"
   ],
   "properties": {
+    "type": {
+      "const": "usernameGenerator",
+      "description": "Transform operation type. Must be exactly 'usernameGenerator'."
+    },
     "name": {
       "type": "string",
       "minLength": 1,
-      "description": "Optional. In general transform syntax, only the root-level transform has a name; nested transforms omit it."
+      "description": "Optional display name. Typically omitted when the transform is embedded within an account create profile attribute definition."
     },
-    "type": {
-      "const": "usernameGenerator"
+    "requiresPeriodicRefresh": {
+      "type": "boolean",
+      "default": false,
+      "description": "If true, re-evaluates this transform during the nightly identity refresh cycle. Default is false."
     },
     "attributes": {
       "type": "object",
-      "description": "Username generator configuration plus optional dynamic variables (per docs).",
       "required": [
         "patterns"
       ],
+      "description": "Required container. Must include 'patterns'. Optional cloud control fields: cloudMaxSize, cloudMaxUniqueChecks, cloudRequired, sourceCheck. Any additional keys are dynamic variable definitions — the key name becomes a $token usable in patterns, and its value is a static string or a nested transform that supplies the substitution value.",
       "properties": {
         "patterns": {
           "type": "array",
@@ -32,60 +38,90 @@
             "type": "string",
             "minLength": 1
           },
-          "description": "A JSON array of patterns for the generator to evaluate for uniqueness, in sequential order. Docs allow using 'uniqueCounter' as a reserved variable (shown as ${uniqueCounter} in examples). Docs also state that if a pattern contains uniqueCounter, it must be the last pattern."
+          "description": "Required. Ordered list of format strings evaluated sequentially until a unique value is found. Each string may contain $varName or ${varName} tokens referencing dynamic variables defined as sibling attribute keys. Rules: (1) The pattern containing '${uniqueCounter}' MUST be the last entry — it auto-increments on each collision and patterns after it are never reached. (2) If no pattern contains '${uniqueCounter}' and all patterns produce values that already exist, the generator throws IllegalStateException. (3) The generator validates uniqueness only for the attribute marked as 'accountID' in the account schema.",
+          "examples": [
+            ["$fn$ln", "$fn.$ln${uniqueCounter}"],
+            ["$fn$ln", "$fi$ln", "$fn$mi$ln${uniqueCounter}"]
+          ]
         },
         "sourceCheck": {
           "type": "boolean",
           "default": false,
-          "description": "Whether the generator checks only the ISC database or queries the target system directly. true = check target system directly (only if the system supports getObject); false = check only the ISC database (default)."
+          "description": "Optional. Determines where uniqueness is validated. true = query the target system directly (only if the source supports the getObject operation — falls back to ISC database for sources that don't). false = check only the ISC database (default). The generator always validates the attribute marked as 'accountID' in the account schema."
+        },
+        "cloudMaxSize": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Optional. Maximum character length for generated usernames. Generated values exceeding this length are automatically truncated to this size before the uniqueness check."
+        },
+        "cloudMaxUniqueChecks": {
+          "type": "integer",
+          "minimum": 1,
+          "maximum": 50,
+          "description": "Optional. Maximum number of uniqueness check iterations before the generator throws IllegalStateException. Must be between 1 and 50 (the documented maximum). Applies to the ${uniqueCounter} expansion loop — when the counter exceeds this limit without finding a unique value, the transform fails."
+        },
+        "cloudRequired": {
+          "type": "boolean",
+          "description": "Internal flag. Must remain true. Changing this value may cause unexpected behavior."
         }
       },
       "additionalProperties": {
-        "description": "Dynamic variable value used in patterns. Docs describe these as transforms.",
-        "$ref": "#/$defs/NestedTransform"
+        "description": "Dynamic variable definition. The key name becomes a $token referenced in patterns (e.g., key 'fn' is used as '$fn' or '${fn}' in a pattern). The value can be a static string or a nested transform object whose output supplies the substitution value.",
+        "anyOf": [
+          {
+            "type": "string",
+            "description": "Static string value for this variable token."
+          },
+          {
+            "$ref": "#/$defs/NestedTransform"
+          }
+        ]
       }
     }
   },
   "$defs": {
     "NestedTransform": {
       "type": "object",
-      "description": "Nested transform object used as a dynamic variable (e.g., fn, ln, fi, mi). Docs examples for nested transforms typically omit 'name'.",
+      "description": "A nested transform object used as a dynamic variable value. Its output string is substituted for the $token in patterns. Common types: identityAttribute (to read a name attribute), substring (to extract initials), accountAttribute. The 'name' field is optional in nested transforms per SailPoint docs.",
       "additionalProperties": false,
       "required": [
-        "type"
+        "type",
+        "attributes"
       ],
       "properties": {
         "id": {
-          "type": "string"
+          "type": "string",
+          "description": "Optional ID when referencing an existing saved transform."
         },
         "name": {
           "type": "string",
-          "minLength": 1
+          "minLength": 1,
+          "description": "Optional display name for the nested transform."
         },
         "type": {
           "type": "string",
-          "minLength": 1
+          "minLength": 1,
+          "description": "The operation type of the nested transform (e.g., 'identityAttribute', 'substring', 'accountAttribute', 'lower')."
         },
         "requiresPeriodicRefresh": {
-          "type": "boolean"
+          "type": "boolean",
+          "description": "Whether this nested transform re-evaluates during nightly refresh."
         },
         "attributes": {
-          "type": [
-            "object",
-            "null"
-          ],
+          "type": "object",
           "additionalProperties": true,
-          "description": "Operation-specific attributes for the nested transform (may be omitted for operations without attributes)."
+          "description": "Operation-specific attributes for the nested transform."
         }
       }
     }
   },
   "examples": [
     {
+      "name": "Basic Username Generator",
       "type": "usernameGenerator",
       "attributes": {
-        "sourceCheck": true,
         "patterns": [
+          "$fn$ln",
           "$fn.$ln${uniqueCounter}"
         ],
         "fn": {
@@ -101,6 +137,91 @@
           }
         }
       }
+    },
+    {
+      "name": "Username with Initial and Cloud Controls",
+      "type": "usernameGenerator",
+      "attributes": {
+        "sourceCheck": true,
+        "cloudMaxSize": 20,
+        "cloudMaxUniqueChecks": 50,
+        "patterns": [
+          "$fn$ln",
+          "$fi$ln",
+          "$fn$mi$ln${uniqueCounter}"
+        ],
+        "fn": {
+          "type": "identityAttribute",
+          "attributes": {
+            "name": "firstname"
+          }
+        },
+        "ln": {
+          "type": "identityAttribute",
+          "attributes": {
+            "name": "lastname"
+          }
+        },
+        "fi": {
+          "type": "substring",
+          "attributes": {
+            "begin": 0,
+            "end": 1,
+            "input": {
+              "type": "identityAttribute",
+              "attributes": {
+                "name": "firstname"
+              }
+            }
+          }
+        },
+        "mi": {
+          "type": "substring",
+          "attributes": {
+            "begin": 0,
+            "end": 1,
+            "input": {
+              "type": "identityAttribute",
+              "attributes": {
+                "name": "middleName"
+              }
+            }
+          }
+        }
+      }
+    },
+    {
+      "name": "Lowercase Email-Style Username",
+      "type": "usernameGenerator",
+      "attributes": {
+        "cloudMaxSize": 64,
+        "patterns": [
+          "$fn.$ln",
+          "$fn.$ln${uniqueCounter}"
+        ],
+        "fn": {
+          "type": "lower",
+          "attributes": {
+            "input": {
+              "type": "identityAttribute",
+              "attributes": {
+                "name": "firstname"
+              }
+            }
+          }
+        },
+        "ln": {
+          "type": "lower",
+          "attributes": {
+            "input": {
+              "type": "identityAttribute",
+              "attributes": {
+                "name": "lastname"
+              }
+            }
+          }
+        }
+      }
     }
   ]
 }

package/dist/transforms/lint.js

@@ -18,7 +18,7 @@ const ALLOWED_ATTRS = {
     ]),
     base64Decode: new Set(["input"]),
     base64Encode: new Set(["input"]),
-    concat: new Set(["values", "input"]),
+    concat: new Set(["values"]),
     conditional: "open", // dynamic variable keys allowed per docs
     dateCompare: new Set(["firstDate", "secondDate", "operator", "positiveCondition", "negativeCondition"]),
     dateFormat: new Set(["input", "inputFormat", "outputFormat"]),
@@ -49,7 +49,7 @@ const ALLOWED_ATTRS = {
     substring: new Set(["begin", "beginOffset", "end", "endOffset", "input"]),
     trim: new Set(["input"]),
     upper: new Set(["input"]),
-    usernameGenerator: new Set(["patterns", "sourceCheck"]),
+    usernameGenerator: "open", // patterns + sourceCheck + cloudMaxSize/Checks/Required + dynamic variable keys (fn, ln, etc.)
     uuid: new Set([]),
     // Rule-backed ops (normalized to type=rule, but linted by operation key)
     generateRandomString: new Set(["name", "operation", "length", "includeNumbers", "includeSpecialChars"]),
@@ -876,30 +876,122 @@ function lintDateFormat(attrs) {
     return msgs;
 }
 // ---------------------------------------------------------------------------
-// 12. usernameGenerator — patterns array
+// 12. usernameGenerator — patterns, tokens, cloud* fields, dynamic variable cross-check
+// Docs: https://developer.sailpoint.com/docs/extensibility/transforms/operations/username-generator
 // ---------------------------------------------------------------------------
+// Known non-variable attribute keys for usernameGenerator
+const USERNAME_GENERATOR_KNOWN_KEYS = new Set([
+    "patterns", "sourceCheck", "cloudMaxSize", "cloudMaxUniqueChecks", "cloudRequired",
+]);
 function lintUsernameGenerator(attrs) {
     const msgs = [];
     const patterns = attrs?.patterns;
+    // --- 1. patterns: required non-empty array of format strings ---
     if (patterns !== undefined) {
         if (!Array.isArray(patterns) || patterns.length === 0) {
-            push(msgs, "error", "patterns must be a non-empty array of strings.", "attributes.patterns");
+            push(msgs, "error", "patterns must be a non-empty array of format strings (e.g., ['$fn$ln', '$fn.$ln${uniqueCounter}']).", "attributes.patterns");
         }
         else {
-            const bad = patterns.findIndex((p) => typeof p !== "string" || p.trim().length === 0);
-            if (bad >= 0) {
-                push(msgs, "error", `Each pattern must be a non-empty string. Invalid at index [${bad}].`, `attributes.patterns[${bad}]`);
+            // 1a. Each entry must be a non-empty string
+            patterns.forEach((p, idx) => {
+                if (typeof p !== "string" || p.trim().length === 0) {
+                    push(msgs, "error", `patterns[${idx}] must be a non-empty format string. ` +
+                        "Use $varName or ${varName} tokens for variable substitution.", `attributes.patterns[${idx}]`);
+                }
+            });
+            // 1b. ${uniqueCounter} must be last — patterns after it are never evaluated
+            const ucIdx = patterns.findIndex((p) => typeof p === "string" && p.includes("uniqueCounter"));
+            if (ucIdx >= 0 && ucIdx !== patterns.length - 1) {
+                push(msgs, "error", "The pattern containing '${uniqueCounter}' must be the last entry in the patterns array. " +
+                    "The generator stops after exhausting the uniqueCounter pattern — any patterns listed after it are never evaluated.", "attributes.patterns");
+            }
+            // 1c. No uniqueCounter at all — exhausting all patterns throws IllegalStateException
+            if (ucIdx === -1) {
+                push(msgs, "warn", "No pattern contains '${uniqueCounter}'. If all patterns generate values that already exist, " +
+                    "the generator throws an IllegalStateException. " +
+                    "Add a final fallback pattern with '${uniqueCounter}' (e.g., '$fn$ln${uniqueCounter}') to handle conflicts.", "attributes.patterns");
+            }
+            // 1d. Token syntax info
+            push(msgs, "info", "Pattern tokens use dollar-sign notation: $varName (simple) or ${varName} (formal). " +
+                "Each variable name (e.g., $fn, $ln, $fi) must be defined as an additional key in the attributes object, " +
+                "set to a static string or a nested transform that supplies the value. " +
+                "The reserved token ${uniqueCounter} auto-increments when a generated value already exists.", "attributes.patterns");
+            // 1e. Cross-check: tokens used in patterns must have a matching variable defined in attributes
+            const RESERVED_TOKENS = new Set(["uniqueCounter"]);
+            const definedVars = new Set(Object.keys(attrs ?? {}).filter((k) => !USERNAME_GENERATOR_KNOWN_KEYS.has(k)));
+            const referencedTokens = new Set();
+            for (const p of patterns) {
+                if (typeof p !== "string")
+                    continue;
+                const re = /\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?/g;
+                let m;
+                while ((m = re.exec(p)) !== null) {
+                    referencedTokens.add(m[1]);
+                }
             }
-            // uniqueCounter must be last per docs
-            const idx = patterns.findIndex((p) => typeof p === "string" && p.includes("uniqueCounter"));
-            if (idx >= 0 && idx !== patterns.length - 1) {
-                push(msgs, "warn", "Pattern containing 'uniqueCounter' should be last in the patterns array.", "attributes.patterns");
+            for (const tok of referencedTokens) {
+                if (RESERVED_TOKENS.has(tok))
+                    continue;
+                if (!definedVars.has(tok)) {
+                    push(msgs, "warn", `Pattern references '$${tok}' but no variable '${tok}' is defined in attributes. ` +
+                        `Add a '${tok}' key to attributes as a static string or a nested transform (e.g., identityAttribute).`, `attributes.${tok}`);
+                }
+            }
+            // 1f. Cross-check: variables defined in attributes but never referenced in any pattern
+            for (const varName of definedVars) {
+                if (!referencedTokens.has(varName)) {
+                    push(msgs, "warn", `Variable '${varName}' is defined in attributes but not referenced as $${varName} in any pattern. ` +
+                        "Remove it to keep the transform clean, or check for a typo in the pattern.", `attributes.${varName}`);
+                }
             }
         }
     }
-    if (attrs?.sourceCheck !== undefined && typeof attrs.sourceCheck !== "boolean") {
-        push(msgs, "error", "sourceCheck must be a boolean.", "attributes.sourceCheck");
+    // --- 2. sourceCheck ---
+    if (attrs?.sourceCheck !== undefined) {
+        if (typeof attrs.sourceCheck !== "boolean") {
+            push(msgs, "error", "sourceCheck must be a boolean. " +
+                "true = check the target system directly (only if the source supports getObject). " +
+                "false = check only the ISC database (default).", "attributes.sourceCheck");
+        }
+        else if (attrs.sourceCheck === true) {
+            push(msgs, "info", "sourceCheck: true validates uniqueness against the target system directly. " +
+                "This only works for sources that support the getObject operation — " +
+                "for sources that don't, the check automatically falls back to the ISC database.", "attributes.sourceCheck");
+        }
+    }
+    // --- 3. cloudMaxSize: positive integer — truncates generated values exceeding this length ---
+    if (attrs?.cloudMaxSize !== undefined) {
+        const n = Number(attrs.cloudMaxSize);
+        if (!Number.isFinite(n) || n <= 0 || !Number.isInteger(n)) {
+            push(msgs, "error", "cloudMaxSize must be a positive integer. Generated usernames longer than this value will be truncated to this length.", "attributes.cloudMaxSize");
+        }
+        else {
+            push(msgs, "info", `cloudMaxSize: ${n} — generated values exceeding ${n} characters will be automatically truncated.`, "attributes.cloudMaxSize");
+        }
+    }
+    // --- 4. cloudMaxUniqueChecks: positive integer, maximum 50 ---
+    if (attrs?.cloudMaxUniqueChecks !== undefined) {
+        const n = Number(attrs.cloudMaxUniqueChecks);
+        if (!Number.isFinite(n) || n <= 0 || !Number.isInteger(n)) {
+            push(msgs, "error", "cloudMaxUniqueChecks must be a positive integer (maximum: 50). " +
+                "The generator throws IllegalStateException when this number of uniqueness iterations is exceeded.", "attributes.cloudMaxUniqueChecks");
+        }
+        else if (n > 50) {
+            push(msgs, "error", `cloudMaxUniqueChecks ${n} exceeds the documented maximum of 50. ` +
+                "Values above 50 cause an error at runtime. Set to 50 or less.", "attributes.cloudMaxUniqueChecks");
+        }
+        else {
+            push(msgs, "info", `cloudMaxUniqueChecks: ${n} — generator throws IllegalStateException after ${n} failed uniqueness iterations.`, "attributes.cloudMaxUniqueChecks");
+        }
     }
+    // --- 5. cloudRequired: internal flag — must remain true ---
+    if (attrs?.cloudRequired !== undefined && attrs.cloudRequired !== true) {
+        push(msgs, "warn", "cloudRequired is an internal flag that must remain true. " +
+            "Setting it to any other value may cause unexpected behavior.", "attributes.cloudRequired");
+    }
+    // --- 6. Standalone use limitation ---
+    push(msgs, "info", "usernameGenerator is designed specifically for account create profiles. " +
+        "It should be placed within a create profile attribute definition — not used as a standalone identity profile attribute transform.", "type");
     return msgs;
 }
 // ---------------------------------------------------------------------------
@@ -1320,6 +1412,63 @@ function lintRfc5646(attrs) {
     return msgs;
 }
 // ---------------------------------------------------------------------------
+// lintConcat — concat (Concatenation)
+// Docs: https://developer.sailpoint.com/docs/extensibility/transforms/operations/concatenation
+// Joins an ordered array of strings / nested-transform outputs into one string.
+// No automatic separators — spaces, hyphens, etc. must be explicit array entries.
+// ---------------------------------------------------------------------------
+function lintConcat(attrs) {
+    const msgs = [];
+    const values = attrs?.values;
+    // --- 1. values is the only attribute and is required ---
+    if (values === undefined || values === null) {
+        push(msgs, "error", "values is required for concat. Provide an ordered array of strings and/or nested transform objects " +
+            "whose outputs will be joined into a single string.", "attributes.values");
+        return msgs;
+    }
+    if (!Array.isArray(values)) {
+        push(msgs, "error", "values must be an array of strings and/or nested transform objects.", "attributes.values");
+        return msgs;
+    }
+    if (values.length === 0) {
+        push(msgs, "error", "values array must not be empty. Provide at least one string or nested transform.", "attributes.values");
+        return msgs;
+    }
+    // --- 2. Warn if only a single entry — concat is pointless with one value ---
+    if (values.length === 1) {
+        push(msgs, "warn", "values array has only one entry. concat is designed to join multiple values — " +
+            "consider using the nested transform directly instead of wrapping it in a concat.", "attributes.values");
+    }
+    // --- 3. Validate each item: must be string or a nested transform object ---
+    values.forEach((item, idx) => {
+        if (item === null || item === undefined) {
+            push(msgs, "warn", `values[${idx}] is null/undefined — this will produce the string "null"/"undefined" in the output. ` +
+                "Remove it or replace with a static string or a nested transform.", `attributes.values[${idx}]`);
+        }
+        else if (typeof item === "string") {
+            // Valid — static strings (including spaces, separators, literals) are expected
+        }
+        else if (isPlainObject(item)) {
+            if (typeof item.type !== "string" || item.type.trim() === "") {
+                push(msgs, "error", `values[${idx}] is an object but is missing a 'type' field — it does not look like a valid nested transform. ` +
+                    "Add a 'type' (e.g., 'accountAttribute', 'identityAttribute', 'static').", `attributes.values[${idx}]`);
+            }
+        }
+        else {
+            push(msgs, "error", `values[${idx}] must be a string or a nested transform object {type, attributes}. ` +
+                `Got: ${typeof item}.`, `attributes.values[${idx}]`);
+        }
+    });
+    // --- 4. Separator hint: inform if no explicit spacing string found between transform objects ---
+    const allTransforms = values.every((v) => isPlainObject(v));
+    if (allTransforms && values.length > 1) {
+        push(msgs, "info", "concat does not insert any separator between values automatically. " +
+            "If the output needs spaces, hyphens, or other delimiters, add them as explicit string entries " +
+            "in the values array (e.g., [firstName, \" \", lastName]).", "attributes.values");
+    }
+    return msgs;
+}
+// ---------------------------------------------------------------------------
 // Main lintTransform export
 // ---------------------------------------------------------------------------
 export function lintTransform(input) {
@@ -1410,6 +1559,8 @@ export function lintTransform(input) {
         messages.push(...lintRandom(requestedType, attrs));
     if (requestedType === "rfc5646")
         messages.push(...lintRfc5646(attrs));
+    if (requestedType === "concat")
+        messages.push(...lintConcat(attrs));
     // --- Recursive nested transform lint ---
     // Recursively lint every nested transform found inside attributes.
     // We start from normalized.attributes (not the root) to avoid double-linting root.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "isc-transforms-mcp",
-  "version": "1.0.19",
+  "version": "1.0.21",
   "type": "module",
   "description": "MCP server for SailPoint Identity Security Cloud (ISC) Transform authoring — scaffold, strict lint, catalog, and safe upsert to live tenants.",
   "author": {