isc-transforms-mcp 1.0.4 → 1.0.6

package/JSONS/sailpoint.isc.transforms.conditional.schema.json

@@ -27,29 +27,11 @@
       "type": "object",
       "description": "Conditional logic configuration, plus optional dynamic variables (per docs).",
       "additionalProperties": {
-        "description": "Dynamic variables referenced via $variableName. Can be literals or nested transforms.",
-        "oneOf": [
+        "description": "Dynamic variables referenced via $variableName. Can be string literals or nested transforms.",
+        "anyOf": [
           {
             "type": "string"
           },
-          {
-            "type": "number"
-          },
-          {
-            "type": "integer"
-          },
-          {
-            "type": "boolean"
-          },
-          {
-            "type": "array"
-          },
-          {
-            "type": "object"
-          },
-          {
-            "type": "null"
-          },
           {
             "$ref": "#/$defs/NestedTransform"
           }

package/JSONS/sailpoint.isc.transforms.static.schema.json

@@ -36,29 +36,11 @@
         }
       },
       "additionalProperties": {
-        "description": "Dynamic variables referenced in Velocity template. Can be literals or nested transforms.",
-        "oneOf": [
+        "description": "Dynamic variables referenced in Velocity template. Can be string literals or nested transforms.",
+        "anyOf": [
           {
             "type": "string"
           },
-          {
-            "type": "number"
-          },
-          {
-            "type": "integer"
-          },
-          {
-            "type": "boolean"
-          },
-          {
-            "type": "array"
-          },
-          {
-            "type": "object"
-          },
-          {
-            "type": "null"
-          },
           {
             "$ref": "#/$defs/NestedTransform"
           }

package/README.md

@@ -1,38 +1,191 @@
 # isc-transforms-mcp
 
 > **SailPoint ISC transform authoring, right inside Claude.**
-> Generate · Validate · Lint · Explain · Push to tenant — without leaving your AI assistant.
+> Catalog · Build · Lint · Validate · Explain — without leaving your AI assistant.
 
 [![npm version](https://img.shields.io/npm/v/isc-transforms-mcp)](https://www.npmjs.com/package/isc-transforms-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![MCP compatible](https://img.shields.io/badge/MCP-compatible-blue)](https://modelcontextprotocol.io)
 
+> **Community Project** — This is an independent, community-built tool. It is not affiliated with, endorsed by, or supported by SailPoint Technologies.
+
 ---
 
 ## What is this?
 
 `isc-transforms-mcp` is a [Model Context Protocol](https://modelcontextprotocol.io) server that gives Claude a complete SailPoint ISC transform authoring toolkit. Instead of handwriting transform JSON, debugging schema errors in the UI, and cross-referencing the docs manually — you describe what you need in plain English and Claude does the rest.
 
-**Free (Personal)** — 10 offline tools. No ISC tenant needed. Works entirely on your laptop.
-**Enterprise (coming soon)** — All 14 tools, including live tenant operations (list, get, push, find references). See [Enterprise Plan](#-enterprise-plan).
+**Free (Personal)** — 11 tools. No ISC tenant needed. Works entirely on your laptop.
+**Enterprise (coming soon)** — All 15 tools, including live tenant operations (list, get, find references). See [Enterprise Plan](#-enterprise-plan).
+
+> **Note on "no tenant needed":** The MCP server itself runs as a local Node.js process on your machine — it makes no calls to any ISC tenant for the free tools. Your transform JSON is validated and linted entirely locally. Claude (the AI) is a cloud service provided by Anthropic, so your conversation — including any transform JSON you share — passes through Anthropic's infrastructure as part of normal Claude usage, the same as any other Claude session.
 
 ---
 
-## Demo
+## How to Use — Strict Prompt Pattern
+
+Copy and adapt this exact structure. The explicit step numbering and the **DO NOT** rules are what keep Claude on track.
 
 ```
-You: Generate a SailPoint transform that concatenates first name, a dot, and last name
-     to produce an email prefix. Then validate and lint it.
+Use MCP tools only. Follow these steps exactly and do not skip any:
+
+Step 1 — Call isc_transforms_operationCatalog to retrieve the full spec for every
+operation type you plan to use. Do not build anything yet.
+
+Step 2 — Build the complete transform JSON using only the attribute names, types,
+and structure from the catalog response in Step 1.
 
-Claude: [calls isc_transforms_generate]
-        → { "type": "concat", "name": "email-prefix", "attributes": { "values": [ ... ] } }
-        Confidence: high | Doc: https://developer.sailpoint.com/...
+Step 3 — Call isc_transforms_lint on the JSON you built.
+  - If lint returns errors or warnings, fix every one of them and call
+    isc_transforms_lint again.
+  - Repeat until isc_transforms_lint returns ok: true with 0 errors and 0 warnings.
+  - DO NOT output the final JSON until lint passes completely.
 
-        [calls isc_transforms_validate]
-        → valid: true
+Step 4 — Output the final lint-clean JSON and nothing else.
 
-        [calls isc_transforms_lint]
-        → ok: true | 0 errors | 0 warnings
+[describe your transform requirement here]
+```
+
+---
+
+## Real-World Prompt Examples
+
+### Lifecycle State from Start/End Dates
+
+```
+Use MCP tools only. Follow these steps exactly and do not skip any:
+
+Step 1 — Call isc_transforms_operationCatalog to retrieve the full spec for every
+operation type you plan to use. Do not build anything yet.
+
+Step 2 — Build the complete transform JSON using only the attribute names, types,
+and structure from the catalog response in Step 1.
+
+Step 3 — Call isc_transforms_lint on the JSON you built.
+  - If lint returns errors or warnings, fix every one of them and call
+    isc_transforms_lint again.
+  - Repeat until isc_transforms_lint returns ok: true with 0 errors and 0 warnings.
+  - DO NOT output the final JSON until lint passes completely.
+
+Step 4 — Output the final lint-clean JSON and nothing else.
+
+Transform requirement:
+Create a transform named cloudLifecycleState with requiresPeriodicRefresh: true.
+Logic:
+  - startDate > today → prehire
+  - startDate ≤ today AND endDate ≥ today AND employeeStatus = LEAVE → leave
+  - startDate ≤ today AND endDate ≥ today AND employeeStatus = ACTIVE → active
+  - endDate < today AND endDate ≥ today-30 → inactive
+  - endDate < today-30 → archived
+Inputs (source: SimplifyAuth-HRMS):
+  - startDate   attribute: startDate,       format: dd-MM-yyyy
+  - endDate     attribute: endDate,         format: dd-MM-yyyy
+  - leaveStatus attribute: employeeStatus
+```
+
+### Temporary Password from Account Attributes
+
+```
+Use MCP tools only. Follow these steps exactly and do not skip any:
+
+Step 1 — Call isc_transforms_operationCatalog to retrieve the full spec for every
+operation type you plan to use. Do not build anything yet.
+
+Step 2 — Build the complete transform JSON using only the attribute names, types,
+and structure from the catalog response in Step 1.
+
+Step 3 — Call isc_transforms_lint on the JSON you built.
+  - If lint returns errors or warnings, fix every one of them and call
+    isc_transforms_lint again.
+  - Repeat until isc_transforms_lint returns ok: true with 0 errors and 0 warnings.
+  - DO NOT output the final JSON until lint passes completely.
+
+Step 4 — Output the final lint-clean JSON and nothing else.
+
+Transform requirement:
+Build a static transform named Temporary-Password that produces:
+  ${firstInitialLower}${lastNameProper}${hireMonth}RstP*!7
+Variables (source: HRMS):
+  - firstInitialLower = lowercase first character of first_name
+  - lastNameProper    = uppercase first char of last_name + remaining chars of last_name
+  - hireMonth         = 2-digit month extracted from hire_date (input format: yyyy-MM-dd)
+```
+
+### Username with Uniqueness Counter
+
+```
+Use MCP tools only. Follow these steps exactly and do not skip any:
+
+Step 1 — Call isc_transforms_operationCatalog to retrieve the full spec for every
+operation type you plan to use. Do not build anything yet.
+
+Step 2 — Build the complete transform JSON using only the attribute names, types,
+and structure from the catalog response in Step 1.
+
+Step 3 — Call isc_transforms_lint on the JSON you built.
+  - If lint returns errors or warnings, fix every one of them and call
+    isc_transforms_lint again.
+  - Repeat until isc_transforms_lint returns ok: true with 0 errors and 0 warnings.
+  - DO NOT output the final JSON until lint passes completely.
+
+Step 4 — Output the final lint-clean JSON and nothing else.
+
+Transform requirement:
+Create a username transform named username-generator.
+  - Pattern: first initial + last name, all lowercase, max 20 chars
+  - If the username is already taken, append a uniqueCounter
+  - Source: Workday HR, attributes: firstName and lastName
+```
+
+### Email from Name Attributes
+
+```
+Use MCP tools only. Follow these steps exactly and do not skip any:
+
+Step 1 — Call isc_transforms_operationCatalog to retrieve the full spec for every
+operation type you plan to use. Do not build anything yet.
+
+Step 2 — Build the complete transform JSON using only the attribute names, types,
+and structure from the catalog response in Step 1.
+
+Step 3 — Call isc_transforms_lint on the JSON you built.
+  - If lint returns errors or warnings, fix every one of them and call
+    isc_transforms_lint again.
+  - Repeat until isc_transforms_lint returns ok: true with 0 errors and 0 warnings.
+  - DO NOT output the final JSON until lint passes completely.
+
+Step 4 — Output the final lint-clean JSON and nothing else.
+
+Transform requirement:
+Build a transform named email-generator that produces: firstname.lastname@acme.com
+  - Normalize both names (remove diacritics, lowercase) before concatenating
+  - Source: Active Directory, attributes: givenName and sn
+```
+
+### Fallback Chain
+
+```
+Use MCP tools only. Follow these steps exactly and do not skip any:
+
+Step 1 — Call isc_transforms_operationCatalog to retrieve the full spec for every
+operation type you plan to use. Do not build anything yet.
+
+Step 2 — Build the complete transform JSON using only the attribute names, types,
+and structure from the catalog response in Step 1.
+
+Step 3 — Call isc_transforms_lint on the JSON you built.
+  - If lint returns errors or warnings, fix every one of them and call
+    isc_transforms_lint again.
+  - Repeat until isc_transforms_lint returns ok: true with 0 errors and 0 warnings.
+  - DO NOT output the final JSON until lint passes completely.
+
+Step 4 — Output the final lint-clean JSON and nothing else.
+
+Transform requirement:
+Build a transform named email-fallback that returns the first non-empty value from:
+  1. workEmail (source: HR System)
+  2. personalEmail (source: HR System)
+  3. Static fallback: noemail@acme.com
 ```
 
 ---
@@ -74,35 +227,52 @@ Look for the 🔨 hammer icon at the bottom of the chat input — that confirms
 
 ```
 "Use isc_ping to check the server"
-"Generate a SailPoint transform that falls back from work email to personal email"
-"Validate this transform JSON: { ... }"
-"What SailPoint transform pattern should I use for username generation?"
+```
+
+```
+Use MCP tools only. Follow these steps exactly and do not skip any:
+Step 1 — Call isc_transforms_operationCatalog for the operations you need. Do not build yet.
+Step 2 — Build the transform JSON using only specs from Step 1.
+Step 3 — Call isc_transforms_lint. Fix all errors and repeat until ok: true, 0 errors, 0 warnings.
+         DO NOT output JSON until lint passes completely.
+Step 4 — Output the final lint-clean JSON and nothing else.
+
+Transform requirement: Build a transform that lowercases the first name from Workday HR
+(source: Workday, attribute: firstName). Name it lowercase-firstname.
 ```
 
 ---
 
 ## Free Tools (Phase 1 — No ISC Tenant Required)
 
-All 10 tools below work completely offline. No credentials, no tenant, no internet connection needed.
+All 11 tools below run locally on your machine with no ISC tenant connection required. No ISC credentials needed.
 
-### `isc_transforms_generate`
-Converts a plain-English requirement into a SailPoint ISC transform JSON payload. Parses your description for operation keywords, attribute names, date formats, and fallback hints. Returns the transform JSON, confidence level, alternative operations, and a link to the official SailPoint docs for that operation type.
+### `isc_transforms_operationCatalog`
+**Start here when building any transform.** Returns everything needed in a single call — all 39 operation types with type key, title, doc URL, required attributes, scaffold JSON, and full JSON Schema. Optionally filter to specific operation types to keep the response focused.
 
 ```
-"Generate a transform that converts an EPOCH timestamp to ISO8601 date format"
-"Create a username transform using first initial plus last name with a uniqueness counter"
-"Fall back from department to costCenter if department is empty"
+"Show me the full spec for dateCompare and dateMath"
+"What attributes does accountAttribute require?"
+"Give me the scaffold for a conditional transform"
 ```
 
-### `isc_transforms_validate`
-Two-stage JSON Schema validation powered by AJV and the official SailPoint JSON Schema pack. Stage 1 validates the root shape (name, type, attributes). Stage 2 validates against the operation-specific schema for all 44 operation types, including attribute requirements, allowed values, and nested transform shapes.
-
 ### `isc_transforms_lint`
-27 semantic lint rules that go beyond what JSON Schema can check. Catches issues like multiple source references on `accountAttribute`, using `delimiter` instead of `separator` on `join`, invalid regex patterns, `requiresPeriodicRefresh` set as a string instead of boolean, missing `default` keys on `lookup` transforms, and 22 more. Errors include the doc URL for the affected operation so you know exactly what to fix.
+27 semantic lint rules that go beyond what JSON Schema can check. Catches issues like wrong case on nested transform types (`datemath` vs `dateMath`), multiple source references on `accountAttribute`, using `delimiter` instead of `separator` on `join`, invalid regex patterns, `requiresPeriodicRefresh` as a string instead of boolean, missing `default` key on `lookup`, and more. Always run this after building — fix all errors before treating the JSON as final.
+
+### `isc_transforms_validate`
+Two-stage JSON Schema validation powered by AJV and the official SailPoint JSON Schema pack. Stage 1 validates the root shape (name, type, attributes). Stage 2 validates against the operation-specific schema for all 39 operation types, including attribute requirements, allowed values, and nested transform shapes.
 
 ### `isc_transforms_explain`
 Takes a broken transform (or an ISC error message) and returns plain-English guidance plus an auto-corrected JSON where the fix is automatable. Handles 13 known error patterns including boolean coercion, deprecated attribute names, conditional operator restrictions, and missing required fields.
 
+### `isc_transforms_generate`
+Converts a plain-English requirement into a SailPoint ISC transform JSON payload. Returns the transform JSON, confidence level, alternative operations, and a link to the official SailPoint docs. Best used as a quick starting point — always follow up with `isc_transforms_operationCatalog` and `isc_transforms_lint`.
+
+```
+"Generate a transform that converts an EPOCH timestamp to ISO8601 date format"
+"Create a username transform using first initial plus last name with a uniqueness counter"
+```
+
 ### `isc_transforms_suggestPattern`
 Matches your description against 10 named nested-transform patterns and returns a complete working example. Patterns include: fallback email chain, conditional department → building code, username first-initial + last-name + uniqueCounter, EPOCH → ISO8601, normalize + lowercase name, country code → region lookup, email from first.last@domain, date compare for lifecycle state, E.164 phone normalisation, and split to extract domain from email.
 
@@ -110,13 +280,13 @@ Matches your description against 10 named nested-transform patterns and returns
 Generates 2–5 illustrative test cases for a transform: happy-path, null input, and edge cases. Each test case includes a description, sample input, expected output, and notes. Use these directly in the ISC transform tester.
 
 ### `isc_transforms_catalog`
-Returns all 44+ supported SailPoint ISC transform operation types with: type key, human-readable title, required attributes, doc URL, schema coverage flag, and scaffold example. Essential reference when you are not sure which operation to use.
+Returns all 39 supported SailPoint ISC transform operation types with: type key, human-readable title, required attributes, doc URL, schema coverage flag, and scaffold example. Use `isc_transforms_operationCatalog` instead when you need full specs — this is the lightweight index.
 
 ### `isc_transforms_getSchema`
-Returns the full JSON Schema (Draft 2020-12) for any operation type — the exact schema used internally for validation. Useful when you want to understand precisely which attributes are required, optional, and what their constraints are.
+Returns the full JSON Schema (Draft 2020-12) for any single operation type. Useful when you want to inspect exactly which attributes are required, optional, and what their constraints are.
 
 ### `isc_transforms_scaffold`
-Generates a valid minimal starter JSON payload for any operation type. Good starting point before you fill in the actual values.
+Generates a valid minimal starter JSON payload for any operation type. Good starting point before filling in actual values.
 
 ### `isc_ping`
 Health check. Returns the server status, active license tier, and whether Phase 2 tools are available.
@@ -130,7 +300,7 @@ The 4 tools below connect to a live ISC tenant and require an **Enterprise licen
 | Tool | What it does |
 |---|---|
 | `isc_transforms_list` | `GET /v3/transforms` — fetch all transforms from your tenant |
-| `isc_transforms_get` | `GET /v3/transforms/:id` — fetch a single transform |
+| `isc_transforms_get` | `GET /v3/transforms/:id` — fetch a single transform by ID |
 | `isc_transforms_upsert` | Create or update with dry-run preview + JSON-Patch diff + lint before write |
 | `isc_transforms_findReferences` | Scan identity profiles for every place a transform is referenced |
 
@@ -186,7 +356,6 @@ All settings are optional for Personal use. Enterprise users need the `ISC_*` cr
 | `ISC_PAT_CLIENT_ID` | — | PAT client ID for authentication |
 | `ISC_PAT_CLIENT_SECRET` | — | PAT client secret for authentication |
 | `ISC_ACCESS_TOKEN` | — | Pre-minted bearer token (alternative to PAT) |
-| `ISC_MCP_MODE` | `readonly` | Set to `write` to allow `isc_transforms_upsert` to apply changes |
 | `ISC_MCP_DEBUG` | `false` | Enable verbose debug logging to stderr |
 | `ISC_TIMEOUT_MS` | `30000` | HTTP request timeout in milliseconds |
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "isc-transforms-mcp",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "type": "module",
   "description": "MCP server for SailPoint Identity Security Cloud (ISC) Transform authoring — scaffold, strict lint, catalog, and safe upsert to live tenants.",
   "author": {