mcp-keycloak-admin 0.1.0

package/dist/index.js

@@ -0,0 +1,3519 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+
+// src/config/config.ts
+import { z } from "zod";
+var baseSchema = z.object({
+  KEYCLOAK_BASE_URL: z.string().min(1),
+  KEYCLOAK_REALM: z.string().min(1),
+  READ_ONLY: z.string().optional(),
+  ALLOWED_REALMS: z.string().optional()
+});
+var authSchema = z.discriminatedUnion("AUTH_MODE", [
+  z.object({
+    AUTH_MODE: z.literal("service_account"),
+    KC_CLIENT_ID: z.string().min(1),
+    KC_CLIENT_SECRET: z.string().min(1)
+  }),
+  z.object({
+    AUTH_MODE: z.literal("password"),
+    KC_ADMIN_USERNAME: z.string().min(1),
+    KC_ADMIN_PASSWORD: z.string().min(1),
+    KC_ADMIN_REALM: z.string().min(1).default("master")
+  })
+]);
+var schema = z.intersection(baseSchema, authSchema);
+function parseRealms(raw) {
+  if (raw === void 0) {
+    return [];
+  }
+  return raw.split(",").map((value) => value.trim()).filter((value) => value.length > 0);
+}
+function toAuthConfig(parsed) {
+  if (parsed.AUTH_MODE === "service_account") {
+    return {
+      mode: "service_account",
+      clientId: parsed.KC_CLIENT_ID,
+      clientSecret: parsed.KC_CLIENT_SECRET
+    };
+  }
+  return {
+    mode: "password",
+    username: parsed.KC_ADMIN_USERNAME,
+    password: parsed.KC_ADMIN_PASSWORD,
+    adminRealm: parsed.KC_ADMIN_REALM
+  };
+}
+function loadConfig(env) {
+  const result = schema.safeParse(env);
+  if (!result.success) {
+    const details = result.error.issues.map((issue) => `${issue.path.join(".") || "(root)"}: ${issue.message}`).join("; ");
+    throw new Error(`Invalid configuration: ${details}`);
+  }
+  const parsed = result.data;
+  return {
+    baseUrl: parsed.KEYCLOAK_BASE_URL,
+    realm: parsed.KEYCLOAK_REALM,
+    readOnly: parsed.READ_ONLY === "true",
+    allowedRealms: parseRealms(parsed.ALLOWED_REALMS),
+    auth: toAuthConfig(parsed)
+  };
+}
+
+// src/server.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+
+// src/domain/shared/guards.ts
+var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function ensureNonBlank(value, label) {
+  const trimmed = value.trim();
+  if (trimmed.length === 0) {
+    throw new Error(`${label} cannot be empty`);
+  }
+  return trimmed;
+}
+function ensureUuid(value, label) {
+  const trimmed = value.trim();
+  if (!UUID_PATTERN.test(trimmed)) {
+    throw new Error(`${label} must be a valid UUID`);
+  }
+  return trimmed;
+}
+
+// src/domain/shared/realm-name.ts
+var RealmName = class _RealmName {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _RealmName(ensureNonBlank(value, "RealmName"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/domain/policy/realm-access-policy.ts
+var RealmAccessPolicy = class _RealmAccessPolicy {
+  constructor(allowed) {
+    this.allowed = allowed;
+  }
+  allowed;
+  static of(allowed) {
+    return new _RealmAccessPolicy(allowed);
+  }
+  assertAllowed(realm) {
+    if (this.allowed.length === 0) {
+      return;
+    }
+    if (!this.allowed.some((candidate) => candidate.equals(realm))) {
+      throw new Error(`Realm "${realm.toString()}" is not allowed`);
+    }
+  }
+};
+
+// src/domain/policy/tool-access-policy.ts
+var ToolAccessPolicy = class _ToolAccessPolicy {
+  constructor(readOnly) {
+    this.readOnly = readOnly;
+  }
+  readOnly;
+  static of(readOnly) {
+    return new _ToolAccessPolicy(readOnly);
+  }
+  isBlocked(level) {
+    return this.readOnly && level !== "read" /* Read */;
+  }
+};
+
+// src/infrastructure/auth/caching-token-provider.ts
+var REFRESH_THRESHOLD_MS = 3e4;
+var CachingTokenProvider = class {
+  constructor(fetchToken, clock) {
+    this.fetchToken = fetchToken;
+    this.clock = clock;
+  }
+  fetchToken;
+  clock;
+  cached = null;
+  inFlight = null;
+  getToken() {
+    const current = this.cached;
+    if (current !== null && !current.isExpiringWithin(REFRESH_THRESHOLD_MS, this.clock.now())) {
+      return Promise.resolve(current);
+    }
+    this.inFlight ??= this.refresh();
+    return this.inFlight;
+  }
+  refresh() {
+    return this.fetchToken().then((token) => {
+      this.cached = token;
+      this.inFlight = null;
+      return token;
+    }).catch((error) => {
+      this.inFlight = null;
+      throw error;
+    });
+  }
+};
+
+// src/domain/shared/access-token.ts
+var AccessToken = class _AccessToken {
+  constructor(value, expiresAt) {
+    this.value = value;
+    this.expiresAt = expiresAt;
+  }
+  value;
+  expiresAt;
+  /**
+   * @param value the raw bearer token
+   * @param expiresAt absolute expiry, epoch milliseconds
+   */
+  static issue(value, expiresAt) {
+    return new _AccessToken(ensureNonBlank(value, "AccessToken"), expiresAt);
+  }
+  toString() {
+    return this.value;
+  }
+  isExpiringWithin(thresholdMs, now) {
+    return this.expiresAt - now <= thresholdMs;
+  }
+};
+
+// src/infrastructure/auth/token-endpoint.ts
+function tokenUrl(baseUrl, realm) {
+  return `${baseUrl}/realms/${realm}/protocol/openid-connect/token`;
+}
+async function requestToken(fetchFn, url, form, clock) {
+  const response = await fetchFn(url, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams(form).toString()
+  });
+  if (!response.ok) {
+    throw new Error(
+      `Authentication against Keycloak failed (HTTP ${String(response.status)})`
+    );
+  }
+  const json = await response.json();
+  const expiresAt = clock.now() + json.expires_in * 1e3;
+  return AccessToken.issue(json.access_token, expiresAt);
+}
+
+// src/infrastructure/auth/client-credentials-provider.ts
+function createClientCredentialsProvider(config, fetchFn, clock) {
+  const url = tokenUrl(config.baseUrl, config.realm);
+  return new CachingTokenProvider(
+    () => requestToken(
+      fetchFn,
+      url,
+      {
+        grant_type: "client_credentials",
+        client_id: config.clientId,
+        client_secret: config.clientSecret
+      },
+      clock
+    ),
+    clock
+  );
+}
+
+// src/infrastructure/auth/password-provider.ts
+function createPasswordProvider(config, fetchFn, clock) {
+  const url = tokenUrl(config.baseUrl, config.realm);
+  return new CachingTokenProvider(
+    () => requestToken(
+      fetchFn,
+      url,
+      {
+        grant_type: "password",
+        client_id: "admin-cli",
+        username: config.username,
+        password: config.password
+      },
+      clock
+    ),
+    clock
+  );
+}
+
+// src/infrastructure/auth/system-clock.ts
+var systemClock = {
+  now: () => Date.now()
+};
+
+// src/infrastructure/keycloak/errors.ts
+var KeycloakError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "KeycloakError";
+  }
+  status;
+};
+function extractDetail(body) {
+  if (typeof body !== "object" || body === null) {
+    return null;
+  }
+  const record = body;
+  const candidate = record.errorMessage ?? record.error_description ?? record.error;
+  return typeof candidate === "string" ? candidate : null;
+}
+function toReadableKeycloakError(status, body) {
+  const detail = extractDetail(body);
+  switch (status) {
+    case 401:
+      return new KeycloakError(401, "Authentication failed");
+    case 403:
+      return new KeycloakError(
+        403,
+        "Permission denied: the configured credentials lack the required role"
+      );
+    case 404:
+      return new KeycloakError(404, "Resource not found");
+    case 409:
+      return new KeycloakError(
+        409,
+        detail !== null ? `Conflict: ${detail}` : "Conflict: the resource already exists"
+      );
+    default:
+      return new KeycloakError(
+        status,
+        detail !== null ? `Keycloak request failed: ${detail}` : `Keycloak request failed (HTTP ${String(status)})`
+      );
+  }
+}
+
+// src/infrastructure/keycloak/admin-client.ts
+var DEFAULT_PAGE_SIZE = 100;
+var KeycloakAdminClient = class {
+  constructor(config, tokens, fetchFn) {
+    this.config = config;
+    this.tokens = tokens;
+    this.fetchFn = fetchFn;
+  }
+  config;
+  tokens;
+  fetchFn;
+  async getJson(path, query = {}) {
+    const response = await this.send("GET", path, query);
+    return await response.json();
+  }
+  async post(path, body) {
+    await this.send("POST", path, {}, body);
+  }
+  async postJson(path, body) {
+    const response = await this.send("POST", path, {}, body);
+    return await response.json();
+  }
+  async put(path, body) {
+    await this.send("PUT", path, {}, body);
+  }
+  async delete(path, body) {
+    await this.send("DELETE", path, {}, body);
+  }
+  /** Fetches every page of a list endpoint using Keycloak's first/max paging. */
+  async list(path, query = {}, pageSize = DEFAULT_PAGE_SIZE) {
+    const all = [];
+    let first = 0;
+    for (; ; ) {
+      const page = await this.getJson(path, {
+        ...query,
+        first: String(first),
+        max: String(pageSize)
+      });
+      all.push(...page);
+      if (page.length < pageSize) {
+        break;
+      }
+      first += pageSize;
+    }
+    return all;
+  }
+  /** GET a non-realm-scoped admin resource, e.g. `/serverinfo`. */
+  async getAdminJson(adminPath) {
+    const response = await this.sendUrl(
+      "GET",
+      `${this.config.baseUrl}/admin${adminPath}`
+    );
+    return await response.json();
+  }
+  url(path, query) {
+    const base = `${this.config.baseUrl}/admin/realms/${this.config.realm}${path}`;
+    const params = new URLSearchParams(query).toString();
+    return params.length === 0 ? base : `${base}?${params}`;
+  }
+  send(method, path, query, body) {
+    return this.sendUrl(method, this.url(path, query), body);
+  }
+  async sendUrl(method, url, body, attempt = 0) {
+    const token = await this.tokens.getToken();
+    const headers = {
+      authorization: `Bearer ${token.toString()}`
+    };
+    const init = { method, headers };
+    if (body !== void 0) {
+      headers["content-type"] = "application/json";
+      init.body = JSON.stringify(body);
+    }
+    const response = await this.fetchFn(url, init);
+    if (response.status === 401 && attempt === 0) {
+      return this.sendUrl(method, url, body, attempt + 1);
+    }
+    if (!response.ok) {
+      throw toReadableKeycloakError(response.status, await safeJson(response));
+    }
+    return response;
+  }
+};
+async function safeJson(response) {
+  try {
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+
+// src/domain/shared/client-id.ts
+var ClientId = class _ClientId {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _ClientId(ensureNonBlank(value, "ClientId"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/domain/shared/client-secret.ts
+var ClientSecret = class _ClientSecret {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _ClientSecret(ensureNonBlank(value, "ClientSecret"));
+  }
+  /** Reveals the raw secret. Only call when the caller explicitly opted in. */
+  reveal() {
+    return this.value;
+  }
+  /** A safe representation that never exposes the secret. */
+  masked() {
+    return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
+  }
+  toString() {
+    return this.masked();
+  }
+};
+
+// src/domain/shared/client-uuid.ts
+var ClientUuid = class _ClientUuid {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _ClientUuid(ensureUuid(value, "ClientUuid"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/infrastructure/keycloak/client-repository.ts
+function toSummary(raw) {
+  return {
+    uuid: ClientUuid.fromString(raw.id),
+    clientId: ClientId.fromString(raw.clientId),
+    enabled: raw.enabled ?? false,
+    publicClient: raw.publicClient ?? false
+  };
+}
+var KeycloakClientRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async list() {
+    const raw = await this.client.getJson("/clients");
+    return raw.map(toSummary);
+  }
+  async findByClientId(clientId) {
+    const raw = await this.client.getJson("/clients", {
+      clientId: clientId.toString()
+    });
+    const first = raw[0];
+    return first === void 0 ? null : toSummary(first);
+  }
+  async getSecret(uuid) {
+    const raw = await this.client.getJson(
+      `/clients/${uuid.toString()}/client-secret`
+    );
+    return ClientSecret.fromString(raw.value);
+  }
+  async regenerateSecret(uuid) {
+    const raw = await this.client.postJson(
+      `/clients/${uuid.toString()}/client-secret`
+    );
+    return ClientSecret.fromString(raw.value);
+  }
+};
+
+// src/infrastructure/keycloak/authentication-repository.ts
+var KeycloakAuthenticationRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async listFlows() {
+    const raw = await this.client.getJson(
+      "/authentication/flows"
+    );
+    return raw.map((flow) => ({
+      id: flow.id ?? "",
+      alias: flow.alias ?? "",
+      builtIn: flow.builtIn ?? false
+    }));
+  }
+  async listRequiredActions() {
+    const raw = await this.client.getJson(
+      "/authentication/required-actions"
+    );
+    return raw.map((action) => ({
+      alias: action.alias ?? "",
+      name: action.name ?? "",
+      enabled: action.enabled ?? false,
+      defaultAction: action.defaultAction ?? false
+    }));
+  }
+  async setRequiredActionEnabled(alias, enabled) {
+    const current = await this.client.getJson(
+      `/authentication/required-actions/${encodeURIComponent(alias)}`
+    );
+    await this.client.put(
+      `/authentication/required-actions/${encodeURIComponent(alias)}`,
+      { ...current, enabled }
+    );
+  }
+};
+
+// src/infrastructure/keycloak/authorization-repository.ts
+function toEntry(raw) {
+  return {
+    id: raw.id ?? raw._id ?? "",
+    name: raw.name ?? "",
+    type: raw.type ?? ""
+  };
+}
+var KeycloakAuthorizationRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  base(clientUuid) {
+    return `/clients/${clientUuid.toString()}/authz/resource-server`;
+  }
+  async resources(clientUuid) {
+    const raw = await this.client.getJson(
+      `${this.base(clientUuid)}/resource`
+    );
+    return raw.map(toEntry);
+  }
+  async policies(clientUuid) {
+    const raw = await this.client.getJson(
+      `${this.base(clientUuid)}/policy`
+    );
+    return raw.map(toEntry);
+  }
+  async permissions(clientUuid) {
+    const raw = await this.client.getJson(
+      `${this.base(clientUuid)}/permission`
+    );
+    return raw.map(toEntry);
+  }
+};
+
+// src/domain/shared/client-scope-id.ts
+var ClientScopeId = class _ClientScopeId {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _ClientScopeId(ensureUuid(value, "ClientScopeId"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/domain/shared/client-scope-name.ts
+var ClientScopeName = class _ClientScopeName {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _ClientScopeName(ensureNonBlank(value, "ClientScopeName"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/infrastructure/keycloak/client-scope-repository.ts
+function toScope(raw) {
+  return {
+    id: ClientScopeId.fromString(raw.id),
+    name: ClientScopeName.fromString(raw.name),
+    protocol: raw.protocol ?? "openid-connect"
+  };
+}
+function toMapper(raw) {
+  return {
+    id: raw.id,
+    name: raw.name,
+    protocol: raw.protocol ?? "openid-connect",
+    type: raw.protocolMapper ?? "unknown"
+  };
+}
+var KeycloakClientScopeRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async listScopes() {
+    const raw = await this.client.getJson("/client-scopes");
+    return raw.map(toScope);
+  }
+  async findScopeByName(name) {
+    const scopes = await this.listScopes();
+    return scopes.find((scope) => scope.name.equals(name)) ?? null;
+  }
+  async defaultScopes(clientUuid) {
+    const raw = await this.client.getJson(
+      `/clients/${clientUuid.toString()}/default-client-scopes`
+    );
+    return raw.map(toScope);
+  }
+  assignDefaultScope(clientUuid, scopeId) {
+    return this.client.put(
+      `/clients/${clientUuid.toString()}/default-client-scopes/${scopeId.toString()}`
+    );
+  }
+  removeDefaultScope(clientUuid, scopeId) {
+    return this.client.delete(
+      `/clients/${clientUuid.toString()}/default-client-scopes/${scopeId.toString()}`
+    );
+  }
+  async listMappers(clientUuid) {
+    const raw = await this.client.getJson(
+      `/clients/${clientUuid.toString()}/protocol-mappers/models`
+    );
+    return raw.map(toMapper);
+  }
+};
+
+// src/infrastructure/keycloak/event-log.ts
+function toLoginEvent(raw) {
+  return {
+    time: raw.time ?? 0,
+    type: raw.type ?? "UNKNOWN",
+    userId: raw.userId ?? null,
+    ipAddress: raw.ipAddress ?? null
+  };
+}
+function toAdminEvent(raw) {
+  return {
+    time: raw.time ?? 0,
+    operationType: raw.operationType ?? "UNKNOWN",
+    resourceType: raw.resourceType ?? "UNKNOWN",
+    resourcePath: raw.resourcePath ?? null
+  };
+}
+function toParams(query) {
+  const params = { max: String(query.max) };
+  if (query.type !== void 0) {
+    params.type = query.type;
+  }
+  if (query.user !== void 0) {
+    params.user = query.user;
+  }
+  return params;
+}
+var KeycloakEventLog = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async loginEvents(query) {
+    const raw = await this.client.getJson(
+      "/events",
+      toParams(query)
+    );
+    return raw.map(toLoginEvent);
+  }
+  async adminEvents(query) {
+    const raw = await this.client.getJson(
+      "/admin-events",
+      {
+        max: String(query.max)
+      }
+    );
+    return raw.map(toAdminEvent);
+  }
+};
+
+// src/domain/shared/component-id.ts
+var ComponentId = class _ComponentId {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _ComponentId(ensureUuid(value, "ComponentId"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/infrastructure/keycloak/federation-repository.ts
+var PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider";
+function toProvider(raw) {
+  return {
+    id: ComponentId.fromString(raw.id),
+    name: raw.name ?? "unnamed",
+    providerId: raw.providerId ?? "unknown"
+  };
+}
+var KeycloakFederationRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async list() {
+    const raw = await this.client.getJson("/components", {
+      type: PROVIDER_TYPE
+    });
+    return raw.map(toProvider);
+  }
+  async find(id) {
+    try {
+      const raw = await this.client.getJson(
+        `/components/${id.toString()}`
+      );
+      return toProvider(raw);
+    } catch (error) {
+      if (error instanceof KeycloakError && error.status === 404) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async sync(id, mode) {
+    const action = mode === "full" ? "triggerFullSync" : "triggerChangedUsersSync";
+    const raw = await this.client.postJson(
+      `/user-storage/${id.toString()}/sync?action=${action}`
+    );
+    return {
+      status: raw.status ?? "completed",
+      added: raw.added ?? 0,
+      updated: raw.updated ?? 0,
+      removed: raw.removed ?? 0
+    };
+  }
+};
+
+// src/domain/shared/group-id.ts
+var GroupId = class _GroupId {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _GroupId(ensureUuid(value, "GroupId"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/domain/shared/group-name.ts
+var GroupName = class _GroupName {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _GroupName(ensureNonBlank(value, "GroupName"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/domain/shared/email.ts
+var EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+var Email = class _Email {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    const trimmed = value.trim().toLowerCase();
+    if (!EMAIL_PATTERN.test(trimmed)) {
+      throw new Error(`Invalid email address: ${value}`);
+    }
+    return new _Email(trimmed);
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/domain/shared/user-id.ts
+var UserId = class _UserId {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _UserId(ensureUuid(value, "UserId"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/domain/shared/username.ts
+var Username = class _Username {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    const trimmed = ensureNonBlank(value, "Username");
+    if (/\s/.test(trimmed)) {
+      throw new Error("Username cannot contain whitespace");
+    }
+    return new _Username(trimmed);
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/infrastructure/keycloak/user-repository.ts
+function toUser(raw) {
+  return {
+    id: UserId.fromString(raw.id),
+    username: Username.fromString(raw.username),
+    email: raw.email === void 0 || raw.email === "" ? null : Email.fromString(raw.email),
+    enabled: raw.enabled ?? false
+  };
+}
+var KeycloakUserRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  search(criteria) {
+    const query = {
+      first: String(criteria.first),
+      max: String(criteria.max)
+    };
+    if (criteria.email !== void 0) {
+      query.email = criteria.email.toString();
+    }
+    if (criteria.username !== void 0) {
+      query.username = criteria.username.toString();
+    }
+    if (criteria.search !== void 0) {
+      query.search = criteria.search;
+    }
+    return this.client.getJson("/users", query).then((raw) => raw.map(toUser));
+  }
+  async findById(id) {
+    try {
+      const raw = await this.client.getJson(
+        `/users/${id.toString()}`
+      );
+      return toUser(raw);
+    } catch (error) {
+      if (error instanceof KeycloakError && error.status === 404) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  create(user) {
+    return this.client.post("/users", {
+      username: user.username.toString(),
+      ...user.email === void 0 ? {} : { email: user.email.toString() },
+      enabled: user.enabled,
+      emailVerified: user.emailVerified
+    });
+  }
+  update(id, changes) {
+    const body = {};
+    if (changes.email !== void 0) {
+      body.email = changes.email.toString();
+    }
+    if (changes.firstName !== void 0) {
+      body.firstName = changes.firstName;
+    }
+    if (changes.lastName !== void 0) {
+      body.lastName = changes.lastName;
+    }
+    if (changes.enabled !== void 0) {
+      body.enabled = changes.enabled;
+    }
+    return this.client.put(`/users/${id.toString()}`, body);
+  }
+  setEnabled(id, enabled) {
+    return this.client.put(`/users/${id.toString()}`, { enabled });
+  }
+  resetPassword(id, password, temporary) {
+    return this.client.put(`/users/${id.toString()}/reset-password`, {
+      type: "password",
+      value: password.reveal(),
+      temporary
+    });
+  }
+  sendActionsEmail(id, actions) {
+    return this.client.put(
+      `/users/${id.toString()}/execute-actions-email`,
+      actions.map((action) => action.toString())
+    );
+  }
+  logout(id) {
+    return this.client.post(`/users/${id.toString()}/logout`);
+  }
+  delete(id) {
+    return this.client.delete(`/users/${id.toString()}`);
+  }
+  async listSessions(id) {
+    const raw = await this.client.getJson(
+      `/users/${id.toString()}/sessions`
+    );
+    return raw.map((session) => ({
+      id: session.id ?? "",
+      ipAddress: session.ipAddress ?? null,
+      start: session.start ?? 0,
+      lastAccess: session.lastAccess ?? 0
+    }));
+  }
+  async countActiveSessions(id) {
+    return (await this.listSessions(id)).length;
+  }
+};
+
+// src/infrastructure/keycloak/group-repository.ts
+function toGroup(raw) {
+  return {
+    id: GroupId.fromString(raw.id),
+    name: GroupName.fromString(raw.name),
+    path: raw.path ?? `/${raw.name}`
+  };
+}
+var KeycloakGroupRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async list() {
+    const raw = await this.client.getJson("/groups");
+    return raw.map(toGroup);
+  }
+  create(name) {
+    return this.client.post("/groups", { name: name.toString() });
+  }
+  delete(id) {
+    return this.client.delete(`/groups/${id.toString()}`);
+  }
+  addMember(groupId, userId) {
+    return this.client.put(
+      `/users/${userId.toString()}/groups/${groupId.toString()}`
+    );
+  }
+  removeMember(groupId, userId) {
+    return this.client.delete(
+      `/users/${userId.toString()}/groups/${groupId.toString()}`
+    );
+  }
+  assignRealmRole(groupId, role) {
+    return this.client.post(
+      `/groups/${groupId.toString()}/role-mappings/realm`,
+      [{ id: role.id, name: role.name.toString() }]
+    );
+  }
+  async members(groupId) {
+    const raw = await this.client.getJson(`/groups/${groupId.toString()}/members`);
+    return raw.map(toUser);
+  }
+  async userGroups(userId) {
+    const raw = await this.client.getJson(`/users/${userId.toString()}/groups`);
+    return raw.map(toGroup);
+  }
+};
+
+// src/domain/shared/idp-alias.ts
+var IdpAlias = class _IdpAlias {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _IdpAlias(ensureNonBlank(value, "IdpAlias"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/infrastructure/keycloak/identity-provider-repository.ts
+function toIdp(raw) {
+  return {
+    alias: IdpAlias.fromString(raw.alias),
+    providerId: raw.providerId ?? "unknown",
+    enabled: raw.enabled ?? false,
+    displayName: raw.displayName ?? null
+  };
+}
+var KeycloakIdentityProviderRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async list() {
+    const raw = await this.client.getJson(
+      "/identity-provider/instances"
+    );
+    return raw.map(toIdp);
+  }
+  async find(alias) {
+    try {
+      const raw = await this.client.getJson(
+        `/identity-provider/instances/${alias.toString()}`
+      );
+      return toIdp(raw);
+    } catch (error) {
+      if (error instanceof KeycloakError && error.status === 404) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  create(idp) {
+    return this.client.post("/identity-provider/instances", {
+      alias: idp.alias.toString(),
+      providerId: idp.providerId,
+      enabled: idp.enabled,
+      config: idp.config
+    });
+  }
+  delete(alias) {
+    return this.client.delete(
+      `/identity-provider/instances/${alias.toString()}`
+    );
+  }
+  async listMappers(alias) {
+    const raw = await this.client.getJson(
+      `/identity-provider/instances/${alias.toString()}/mappers`
+    );
+    return raw.map((mapper) => ({
+      id: mapper.id,
+      name: mapper.name,
+      type: mapper.identityProviderMapper ?? "unknown"
+    }));
+  }
+};
+
+// src/infrastructure/keycloak/realm-info.ts
+var KeycloakRealmInfo = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  getRealmConfig() {
+    return this.client.getJson("");
+  }
+  serverInfo() {
+    return this.client.getAdminJson("/serverinfo");
+  }
+};
+
+// src/domain/shared/role-name.ts
+var RoleName = class _RoleName {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _RoleName(ensureNonBlank(value, "RoleName"));
+  }
+  toString() {
+    return this.value;
+  }
+  equals(other) {
+    return this.value === other.value;
+  }
+};
+
+// src/infrastructure/keycloak/role-repository.ts
+function toRole(raw) {
+  return {
+    id: raw.id,
+    name: RoleName.fromString(raw.name),
+    description: raw.description ?? null
+  };
+}
+function toRepresentation(role) {
+  return { id: role.id, name: role.name.toString() };
+}
+var KeycloakRoleRepository = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async listRealmRoles() {
+    const raw = await this.client.getJson("/roles");
+    return raw.map(toRole);
+  }
+  async findRealmRole(name) {
+    try {
+      const raw = await this.client.getJson(
+        `/roles/${encodeURIComponent(name.toString())}`
+      );
+      return toRole(raw);
+    } catch (error) {
+      if (error instanceof KeycloakError && error.status === 404) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async listUserRealmRoles(userId) {
+    const raw = await this.client.getJson(
+      `/users/${userId.toString()}/role-mappings/realm`
+    );
+    return raw.map(toRole);
+  }
+  assignRealmRole(userId, role) {
+    return this.client.post(`/users/${userId.toString()}/role-mappings/realm`, [
+      toRepresentation(role)
+    ]);
+  }
+  removeRealmRole(userId, role) {
+    return this.client.delete(
+      `/users/${userId.toString()}/role-mappings/realm`,
+      [toRepresentation(role)]
+    );
+  }
+};
+
+// src/infrastructure/mcp/auth-tools.ts
+import { z as z2 } from "zod";
+
+// src/application/authentication/list-auth-flows.use-case.ts
+var ListAuthFlowsUseCase = class {
+  constructor(authentication) {
+    this.authentication = authentication;
+  }
+  authentication;
+  execute() {
+    return this.authentication.listFlows();
+  }
+};
+
+// src/application/authentication/list-required-actions.use-case.ts
+var ListRequiredActionsUseCase = class {
+  constructor(authentication) {
+    this.authentication = authentication;
+  }
+  authentication;
+  execute() {
+    return this.authentication.listRequiredActions();
+  }
+};
+
+// src/application/authentication/set-required-action-enabled.use-case.ts
+var SetRequiredActionEnabledUseCase = class {
+  constructor(authentication) {
+    this.authentication = authentication;
+  }
+  authentication;
+  execute(input) {
+    return this.authentication.setRequiredActionEnabled(
+      input.alias,
+      input.enabled
+    );
+  }
+};
+
+// src/infrastructure/mcp/tool-definition.ts
+function textResult(text) {
+  return { content: [{ type: "text", text }] };
+}
+
+// src/infrastructure/mcp/auth-tools.ts
+function listFlowsTool(deps) {
+  return {
+    name: "keycloak_auth_flows_list",
+    title: "List authentication flows",
+    description: "List the realm's authentication flows.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const flows = await new ListAuthFlowsUseCase(
+        deps.authenticationRepository
+      ).execute();
+      return textResult(JSON.stringify(flows, null, 2));
+    }
+  };
+}
+function listRequiredActionsTool(deps) {
+  return {
+    name: "keycloak_auth_required_actions_list",
+    title: "List required actions",
+    description: "List the realm's required actions.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const actions = await new ListRequiredActionsUseCase(
+        deps.authenticationRepository
+      ).execute();
+      return textResult(JSON.stringify(actions, null, 2));
+    }
+  };
+}
+function setRequiredActionEnabledTool(deps) {
+  return {
+    name: "keycloak_auth_required_action_set_enabled",
+    title: "Enable or disable a required action",
+    description: "Enable or disable a realm required action by alias.",
+    level: "write" /* Write */,
+    inputSchema: { alias: z2.string(), enabled: z2.boolean() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const enabled = args.enabled === true;
+      await new SetRequiredActionEnabledUseCase(
+        deps.authenticationRepository
+      ).execute({ alias: String(args.alias), enabled });
+      return textResult(
+        `Required action ${String(args.alias)} ${enabled ? "enabled" : "disabled"}.`
+      );
+    }
+  };
+}
+function buildAuthTools(deps) {
+  return [
+    listFlowsTool(deps),
+    listRequiredActionsTool(deps),
+    setRequiredActionEnabledTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/authz-tools.ts
+import { z as z3 } from "zod";
+
+// src/application/authz/list-authz-permissions.use-case.ts
+var ListAuthzPermissionsUseCase = class {
+  constructor(clients, authz) {
+    this.clients = clients;
+    this.authz = authz;
+  }
+  clients;
+  authz;
+  async execute(clientId) {
+    const client = await this.clients.findByClientId(clientId);
+    if (client === null) {
+      return null;
+    }
+    return this.authz.permissions(client.uuid);
+  }
+};
+
+// src/application/authz/list-authz-policies.use-case.ts
+var ListAuthzPoliciesUseCase = class {
+  constructor(clients, authz) {
+    this.clients = clients;
+    this.authz = authz;
+  }
+  clients;
+  authz;
+  async execute(clientId) {
+    const client = await this.clients.findByClientId(clientId);
+    if (client === null) {
+      return null;
+    }
+    return this.authz.policies(client.uuid);
+  }
+};
+
+// src/application/authz/list-authz-resources.use-case.ts
+var ListAuthzResourcesUseCase = class {
+  constructor(clients, authz) {
+    this.clients = clients;
+    this.authz = authz;
+  }
+  clients;
+  authz;
+  async execute(clientId) {
+    const client = await this.clients.findByClientId(clientId);
+    if (client === null) {
+      return null;
+    }
+    return this.authz.resources(client.uuid);
+  }
+};
+
+// src/infrastructure/mcp/authz-tools.ts
+function listTool(name, title, description, run) {
+  return {
+    name,
+    title,
+    description,
+    level: "read" /* Read */,
+    inputSchema: { clientId: z3.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const entries = await run(ClientId.fromString(String(args.clientId)));
+      return textResult(
+        entries === null ? "Client not found." : JSON.stringify(entries, null, 2)
+      );
+    }
+  };
+}
+function buildAuthzTools(deps) {
+  return [
+    listTool(
+      "keycloak_authz_resources_list",
+      "List authorization resources",
+      "List a client's authorization-services resources.",
+      (clientId) => new ListAuthzResourcesUseCase(
+        deps.clientRepository,
+        deps.authorizationRepository
+      ).execute(clientId)
+    ),
+    listTool(
+      "keycloak_authz_policies_list",
+      "List authorization policies",
+      "List a client's authorization-services policies.",
+      (clientId) => new ListAuthzPoliciesUseCase(
+        deps.clientRepository,
+        deps.authorizationRepository
+      ).execute(clientId)
+    ),
+    listTool(
+      "keycloak_authz_permissions_list",
+      "List authorization permissions",
+      "List a client's authorization-services permissions.",
+      (clientId) => new ListAuthzPermissionsUseCase(
+        deps.clientRepository,
+        deps.authorizationRepository
+      ).execute(clientId)
+    )
+  ];
+}
+
+// src/infrastructure/mcp/client-scope-tools.ts
+import { z as z4 } from "zod";
+
+// src/application/clientscopes/assign-client-scope.use-case.ts
+var AssignClientScopeUseCase = class {
+  constructor(clients, scopes) {
+    this.clients = clients;
+    this.scopes = scopes;
+  }
+  clients;
+  scopes;
+  async execute(input) {
+    const client = await this.clients.findByClientId(input.clientId);
+    if (client === null) {
+      return { assigned: false, reason: "Client not found" };
+    }
+    const scope = await this.scopes.findScopeByName(input.scope);
+    if (scope === null) {
+      return { assigned: false, reason: "Scope not found" };
+    }
+    await this.scopes.assignDefaultScope(client.uuid, scope.id);
+    return { assigned: true };
+  }
+};
+
+// src/application/clientscopes/get-client-default-scopes.use-case.ts
+var GetClientDefaultScopesUseCase = class {
+  constructor(clients, scopes) {
+    this.clients = clients;
+    this.scopes = scopes;
+  }
+  clients;
+  scopes;
+  async execute(clientId) {
+    const client = await this.clients.findByClientId(clientId);
+    if (client === null) {
+      return null;
+    }
+    return this.scopes.defaultScopes(client.uuid);
+  }
+};
+
+// src/application/clientscopes/list-client-mappers.use-case.ts
+var ListClientMappersUseCase = class {
+  constructor(clients, scopes) {
+    this.clients = clients;
+    this.scopes = scopes;
+  }
+  clients;
+  scopes;
+  async execute(clientId) {
+    const client = await this.clients.findByClientId(clientId);
+    if (client === null) {
+      return null;
+    }
+    return this.scopes.listMappers(client.uuid);
+  }
+};
+
+// src/application/clientscopes/list-client-scopes.use-case.ts
+var ListClientScopesUseCase = class {
+  constructor(scopes) {
+    this.scopes = scopes;
+  }
+  scopes;
+  execute() {
+    return this.scopes.listScopes();
+  }
+};
+
+// src/domain/policy/destructive-operation.ts
+var DestructiveOperation = class _DestructiveOperation {
+  constructor(summary, impact) {
+    this.summary = summary;
+    this.impact = impact;
+  }
+  summary;
+  impact;
+  static of(summary, impact) {
+    return new _DestructiveOperation(
+      ensureNonBlank(summary, "summary"),
+      ensureNonBlank(impact, "impact")
+    );
+  }
+  describe() {
+    return `${this.summary}
+
+${this.impact}`;
+  }
+};
+
+// src/application/clientscopes/remove-client-scope.use-case.ts
+var RemoveClientScopeUseCase = class {
+  constructor(clients, scopes, confirmer) {
+    this.clients = clients;
+    this.scopes = scopes;
+    this.confirmer = confirmer;
+  }
+  clients;
+  scopes;
+  confirmer;
+  async execute(input) {
+    const client = await this.clients.findByClientId(input.clientId);
+    if (client === null) {
+      return { removed: false, reason: "Client not found" };
+    }
+    const scope = await this.scopes.findScopeByName(input.scope);
+    if (scope === null) {
+      return { removed: false, reason: "Scope not found" };
+    }
+    const operation = DestructiveOperation.of(
+      `Remove default scope ${input.scope.toString()} from client ${input.clientId.toString()}`,
+      "The client stops emitting the claims and roles this scope contributes to its tokens."
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { removed: false, reason: "Operation not confirmed" };
+    }
+    await this.scopes.removeDefaultScope(client.uuid, scope.id);
+    return { removed: true };
+  }
+};
+
+// src/infrastructure/mcp/client-scope-tools.ts
+function serializeScope(scope) {
+  return {
+    id: scope.id.toString(),
+    name: scope.name.toString(),
+    protocol: scope.protocol
+  };
+}
+function listScopesTool(deps) {
+  return {
+    name: "keycloak_client_scopes_list",
+    title: "List client scopes",
+    description: "List the realm's client scopes.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const scopes = await new ListClientScopesUseCase(
+        deps.clientScopeRepository
+      ).execute();
+      return textResult(JSON.stringify(scopes.map(serializeScope), null, 2));
+    }
+  };
+}
+function defaultScopesTool(deps) {
+  return {
+    name: "keycloak_client_default_scopes_get",
+    title: "Get a client's default scopes",
+    description: "List the default client scopes assigned to a client.",
+    level: "read" /* Read */,
+    inputSchema: { clientId: z4.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const scopes = await new GetClientDefaultScopesUseCase(
+        deps.clientRepository,
+        deps.clientScopeRepository
+      ).execute(ClientId.fromString(String(args.clientId)));
+      return textResult(
+        scopes === null ? "Client not found." : JSON.stringify(scopes.map(serializeScope), null, 2)
+      );
+    }
+  };
+}
+function listMappersTool(deps) {
+  return {
+    name: "keycloak_client_mappers_list",
+    title: "List client protocol mappers",
+    description: "List a client's protocol mappers.",
+    level: "read" /* Read */,
+    inputSchema: { clientId: z4.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const mappers = await new ListClientMappersUseCase(
+        deps.clientRepository,
+        deps.clientScopeRepository
+      ).execute(ClientId.fromString(String(args.clientId)));
+      return textResult(
+        mappers === null ? "Client not found." : JSON.stringify(mappers, null, 2)
+      );
+    }
+  };
+}
+function assignScopeTool(deps) {
+  return {
+    name: "keycloak_client_scope_assign",
+    title: "Assign a default scope to a client",
+    description: "Add a default client scope to a client.",
+    level: "write" /* Write */,
+    inputSchema: { clientId: z4.string(), scope: z4.string() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const result = await new AssignClientScopeUseCase(
+        deps.clientRepository,
+        deps.clientScopeRepository
+      ).execute({
+        clientId: ClientId.fromString(String(args.clientId)),
+        scope: ClientScopeName.fromString(String(args.scope))
+      });
+      return textResult(
+        result.assigned ? `Scope "${String(args.scope)}" assigned.` : `Not assigned: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function unassignScopeTool(deps) {
+  return {
+    name: "keycloak_client_scope_unassign",
+    title: "Remove a default scope from a client",
+    description: "Remove a default client scope from a client. Requires confirmation.",
+    level: "destructive" /* Destructive */,
+    inputSchema: {
+      clientId: z4.string(),
+      scope: z4.string(),
+      confirm: z4.boolean().optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new RemoveClientScopeUseCase(
+        deps.clientRepository,
+        deps.clientScopeRepository,
+        confirmer
+      ).execute({
+        clientId: ClientId.fromString(String(args.clientId)),
+        scope: ClientScopeName.fromString(String(args.scope))
+      });
+      return textResult(
+        result.removed ? `Scope "${String(args.scope)}" removed.` : `Not removed: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function buildClientScopeTools(deps) {
+  return [
+    listScopesTool(deps),
+    defaultScopesTool(deps),
+    listMappersTool(deps),
+    assignScopeTool(deps),
+    unassignScopeTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/client-tools.ts
+import { z as z5 } from "zod";
+
+// src/application/clients/get-client-secret.use-case.ts
+var GetClientSecretUseCase = class {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  async execute(clientId) {
+    const client = await this.clients.findByClientId(clientId);
+    if (client === null) {
+      return null;
+    }
+    return this.clients.getSecret(client.uuid);
+  }
+};
+
+// src/application/clients/get-client.use-case.ts
+var GetClientUseCase = class {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  execute(clientId) {
+    return this.clients.findByClientId(clientId);
+  }
+};
+
+// src/application/clients/list-clients.use-case.ts
+var ListClientsUseCase = class {
+  constructor(clients) {
+    this.clients = clients;
+  }
+  clients;
+  execute() {
+    return this.clients.list();
+  }
+};
+
+// src/application/clients/regenerate-client-secret.use-case.ts
+var RegenerateClientSecretUseCase = class {
+  constructor(clients, confirmer) {
+    this.clients = clients;
+    this.confirmer = confirmer;
+  }
+  clients;
+  confirmer;
+  async execute(clientId) {
+    const client = await this.clients.findByClientId(clientId);
+    if (client === null) {
+      return { regenerated: false, reason: "Client not found" };
+    }
+    const operation = DestructiveOperation.of(
+      `Regenerate secret for client ${clientId.toString()}`,
+      "Any service still using the old secret will fail to authenticate until it is updated with the new one."
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { regenerated: false, reason: "Operation not confirmed" };
+    }
+    const secret = await this.clients.regenerateSecret(client.uuid);
+    return { regenerated: true, secret };
+  }
+};
+
+// src/infrastructure/mcp/client-tools.ts
+function serializeClient(client) {
+  return {
+    uuid: client.uuid.toString(),
+    clientId: client.clientId.toString(),
+    enabled: client.enabled,
+    publicClient: client.publicClient
+  };
+}
+function listClientsTool(deps) {
+  return {
+    name: "keycloak_client_list",
+    title: "List clients",
+    description: "List the realm clients.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const clients = await new ListClientsUseCase(
+        deps.clientRepository
+      ).execute();
+      return textResult(JSON.stringify(clients.map(serializeClient), null, 2));
+    }
+  };
+}
+function getClientTool(deps) {
+  return {
+    name: "keycloak_client_get",
+    title: "Get client",
+    description: "Fetch a client by its clientId.",
+    level: "read" /* Read */,
+    inputSchema: { clientId: z5.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const client = await new GetClientUseCase(deps.clientRepository).execute(
+        ClientId.fromString(String(args.clientId))
+      );
+      return textResult(
+        client === null ? "Client not found." : JSON.stringify(serializeClient(client), null, 2)
+      );
+    }
+  };
+}
+function getClientSecretTool(deps) {
+  return {
+    name: "keycloak_client_get_secret",
+    title: "Get client secret",
+    description: "Read a confidential client's secret. Masked unless reveal is true.",
+    level: "read" /* Read */,
+    inputSchema: { clientId: z5.string(), reveal: z5.boolean().optional() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const secret = await new GetClientSecretUseCase(
+        deps.clientRepository
+      ).execute(ClientId.fromString(String(args.clientId)));
+      if (secret === null) {
+        return textResult("Client not found.");
+      }
+      return textResult(
+        args.reveal === true ? secret.reveal() : secret.masked()
+      );
+    }
+  };
+}
+function regenerateClientSecretTool(deps) {
+  return {
+    name: "keycloak_client_regenerate_secret",
+    title: "Regenerate client secret",
+    description: "Regenerate a confidential client's secret. Requires confirmation; the old secret stops working.",
+    level: "destructive" /* Destructive */,
+    inputSchema: { clientId: z5.string(), confirm: z5.boolean().optional() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new RegenerateClientSecretUseCase(
+        deps.clientRepository,
+        confirmer
+      ).execute(ClientId.fromString(String(args.clientId)));
+      if (!result.regenerated || result.secret === void 0) {
+        return textResult(
+          `Not regenerated: ${result.reason ?? "unknown reason"}`
+        );
+      }
+      return textResult(`New secret: ${result.secret.reveal()}`);
+    }
+  };
+}
+function buildClientTools(deps) {
+  return [
+    listClientsTool(deps),
+    getClientTool(deps),
+    getClientSecretTool(deps),
+    regenerateClientSecretTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/confirmation/elicitation-confirmer.ts
+var ElicitationConfirmer = class {
+  constructor(elicit) {
+    this.elicit = elicit;
+  }
+  elicit;
+  async confirm(operation) {
+    const response = await this.elicit({
+      message: operation.describe(),
+      requestedSchema: {
+        type: "object",
+        properties: {
+          confirm: {
+            type: "boolean",
+            title: "Confirm",
+            description: "Proceed with this irreversible operation?"
+          }
+        },
+        required: ["confirm"]
+      }
+    });
+    return response.action === "accept" && response.content?.confirm === true;
+  }
+};
+
+// src/infrastructure/mcp/confirmation/param-confirmer.ts
+var ParamConfirmer = class {
+  constructor(provided) {
+    this.provided = provided;
+  }
+  provided;
+  confirm() {
+    return Promise.resolve(this.provided);
+  }
+};
+
+// src/infrastructure/mcp/confirmation/confirmer-factory.ts
+var McpConfirmerFactory = class {
+  constructor(server) {
+    this.server = server;
+  }
+  server;
+  create(providedConfirm) {
+    const capabilities = this.server.server.getClientCapabilities();
+    if (capabilities?.elicitation !== void 0) {
+      return new ElicitationConfirmer(
+        (request) => this.server.server.elicitInput(
+          request
+        )
+      );
+    }
+    return new ParamConfirmer(providedConfirm);
+  }
+};
+
+// src/infrastructure/mcp/event-realm-tools.ts
+import { z as z6 } from "zod";
+
+// src/application/events/get-admin-events.use-case.ts
+var GetAdminEventsUseCase = class {
+  constructor(events) {
+    this.events = events;
+  }
+  events;
+  execute(query) {
+    return this.events.adminEvents(query);
+  }
+};
+
+// src/application/events/get-login-events.use-case.ts
+var GetLoginEventsUseCase = class {
+  constructor(events) {
+    this.events = events;
+  }
+  events;
+  execute(query) {
+    return this.events.loginEvents(query);
+  }
+};
+
+// src/application/realm/get-realm-config.use-case.ts
+var GetRealmConfigUseCase = class {
+  constructor(realm) {
+    this.realm = realm;
+  }
+  realm;
+  execute() {
+    return this.realm.getRealmConfig();
+  }
+};
+
+// src/application/realm/get-server-info.use-case.ts
+var GetServerInfoUseCase = class {
+  constructor(realm) {
+    this.realm = realm;
+  }
+  realm;
+  execute() {
+    return this.realm.serverInfo();
+  }
+};
+
+// src/infrastructure/mcp/event-realm-tools.ts
+var REALM_FIELDS = [
+  "realm",
+  "enabled",
+  "registrationAllowed",
+  "resetPasswordAllowed",
+  "verifyEmail",
+  "loginWithEmailAllowed",
+  "bruteForceProtected",
+  "sslRequired",
+  "accessTokenLifespan",
+  "ssoSessionIdleTimeout",
+  "ssoSessionMaxLifespan"
+];
+var READ_ANNOTATIONS = {
+  readOnlyHint: true,
+  destructiveHint: false,
+  idempotentHint: true
+};
+function pick(record, keys) {
+  const out = {};
+  for (const key of keys) {
+    if (key in record) {
+      out[key] = record[key];
+    }
+  }
+  return out;
+}
+function serverSummary(info) {
+  const systemInfo = info.systemInfo;
+  const version = typeof systemInfo === "object" && systemInfo !== null && "version" in systemInfo ? systemInfo.version : null;
+  return { keycloakVersion: version };
+}
+function eventQuery(args) {
+  const query = {
+    max: typeof args.max === "number" ? args.max : 20
+  };
+  if (typeof args.type === "string") {
+    query.type = args.type;
+  }
+  if (typeof args.user === "string") {
+    query.user = args.user;
+  }
+  return query;
+}
+function loginEventsTool(deps) {
+  return {
+    name: "keycloak_events_login",
+    title: "List login events",
+    description: "Read recent login events, optionally filtered.",
+    level: "read" /* Read */,
+    inputSchema: {
+      max: z6.number().int().min(1).max(500).optional(),
+      type: z6.string().optional(),
+      user: z6.string().optional()
+    },
+    annotations: READ_ANNOTATIONS,
+    async handler(args) {
+      const events = await new GetLoginEventsUseCase(deps.eventLog).execute(
+        eventQuery(args)
+      );
+      return textResult(JSON.stringify(events, null, 2));
+    }
+  };
+}
+function adminEventsTool(deps) {
+  return {
+    name: "keycloak_events_admin",
+    title: "List admin events",
+    description: "Read recent admin events.",
+    level: "read" /* Read */,
+    inputSchema: { max: z6.number().int().min(1).max(500).optional() },
+    annotations: READ_ANNOTATIONS,
+    async handler(args) {
+      const events = await new GetAdminEventsUseCase(deps.eventLog).execute(
+        eventQuery(args)
+      );
+      return textResult(JSON.stringify(events, null, 2));
+    }
+  };
+}
+function realmConfigTool(deps) {
+  return {
+    name: "keycloak_realm_get_config",
+    title: "Get realm configuration",
+    description: "Read key realm configuration flags.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: READ_ANNOTATIONS,
+    async handler() {
+      const config = await new GetRealmConfigUseCase(deps.realmInfo).execute();
+      return textResult(JSON.stringify(pick(config, REALM_FIELDS), null, 2));
+    }
+  };
+}
+function serverInfoTool(deps) {
+  return {
+    name: "keycloak_server_info",
+    title: "Get server info",
+    description: "Read the Keycloak server version and profile.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: READ_ANNOTATIONS,
+    async handler() {
+      const info = await new GetServerInfoUseCase(deps.realmInfo).execute();
+      return textResult(JSON.stringify(serverSummary(info), null, 2));
+    }
+  };
+}
+function buildEventRealmTools(deps) {
+  return [
+    loginEventsTool(deps),
+    adminEventsTool(deps),
+    realmConfigTool(deps),
+    serverInfoTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/federation-tools.ts
+import { z as z7 } from "zod";
+
+// src/application/federation/get-federation-provider.use-case.ts
+var GetFederationProviderUseCase = class {
+  constructor(federation) {
+    this.federation = federation;
+  }
+  federation;
+  execute(id) {
+    return this.federation.find(id);
+  }
+};
+
+// src/application/federation/list-federation-providers.use-case.ts
+var ListFederationProvidersUseCase = class {
+  constructor(federation) {
+    this.federation = federation;
+  }
+  federation;
+  execute() {
+    return this.federation.list();
+  }
+};
+
+// src/application/federation/sync-federation.use-case.ts
+var SyncFederationUseCase = class {
+  constructor(federation) {
+    this.federation = federation;
+  }
+  federation;
+  execute(input) {
+    return this.federation.sync(input.id, input.mode);
+  }
+};
+
+// src/infrastructure/mcp/federation-tools.ts
+function serializeProvider(provider) {
+  return {
+    id: provider.id.toString(),
+    name: provider.name,
+    providerId: provider.providerId
+  };
+}
+function listFederationTool(deps) {
+  return {
+    name: "keycloak_federation_list",
+    title: "List user federation providers",
+    description: "List the realm's user federation (LDAP/Kerberos) providers.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const providers = await new ListFederationProvidersUseCase(
+        deps.federationRepository
+      ).execute();
+      return textResult(
+        JSON.stringify(providers.map(serializeProvider), null, 2)
+      );
+    }
+  };
+}
+function getFederationTool(deps) {
+  return {
+    name: "keycloak_federation_get",
+    title: "Get a user federation provider",
+    description: "Fetch a user federation provider by id.",
+    level: "read" /* Read */,
+    inputSchema: { id: z7.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const provider = await new GetFederationProviderUseCase(
+        deps.federationRepository
+      ).execute(ComponentId.fromString(String(args.id)));
+      return textResult(
+        provider === null ? "Federation provider not found." : JSON.stringify(serializeProvider(provider), null, 2)
+      );
+    }
+  };
+}
+function syncFederationTool(deps) {
+  return {
+    name: "keycloak_federation_sync",
+    title: "Synchronize a user federation provider",
+    description: "Trigger a user sync from a federation provider (full or changed).",
+    level: "write" /* Write */,
+    inputSchema: {
+      id: z7.string(),
+      mode: z7.enum(["full", "changed"]).optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const mode = args.mode === "full" ? "full" : "changed";
+      const result = await new SyncFederationUseCase(
+        deps.federationRepository
+      ).execute({ id: ComponentId.fromString(String(args.id)), mode });
+      return textResult(JSON.stringify(result, null, 2));
+    }
+  };
+}
+function buildFederationTools(deps) {
+  return [
+    listFederationTool(deps),
+    getFederationTool(deps),
+    syncFederationTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/group-tools.ts
+import { z as z8 } from "zod";
+
+// src/application/groups/add-group-member.use-case.ts
+var AddGroupMemberUseCase = class {
+  constructor(groups) {
+    this.groups = groups;
+  }
+  groups;
+  execute(input) {
+    return this.groups.addMember(input.groupId, input.userId);
+  }
+};
+
+// src/application/groups/assign-group-role.use-case.ts
+var AssignGroupRoleUseCase = class {
+  constructor(roles, groups) {
+    this.roles = roles;
+    this.groups = groups;
+  }
+  roles;
+  groups;
+  async execute(input) {
+    const role = await this.roles.findRealmRole(input.role);
+    if (role === null) {
+      return { assigned: false, reason: "Role not found" };
+    }
+    await this.groups.assignRealmRole(input.groupId, role);
+    return { assigned: true };
+  }
+};
+
+// src/application/groups/create-group.use-case.ts
+var CreateGroupUseCase = class {
+  constructor(groups) {
+    this.groups = groups;
+  }
+  groups;
+  execute(name) {
+    return this.groups.create(name);
+  }
+};
+
+// src/application/groups/delete-group.use-case.ts
+var DeleteGroupUseCase = class {
+  constructor(groups, confirmer) {
+    this.groups = groups;
+    this.confirmer = confirmer;
+  }
+  groups;
+  confirmer;
+  async execute(id) {
+    const operation = DestructiveOperation.of(
+      `Delete group ${id.toString()}`,
+      "Removes the group, its sub-groups, and every membership and role mapping it carries. This is irreversible."
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { deleted: false, reason: "Operation not confirmed" };
+    }
+    await this.groups.delete(id);
+    return { deleted: true };
+  }
+};
+
+// src/application/groups/list-group-members.use-case.ts
+var ListGroupMembersUseCase = class {
+  constructor(groups) {
+    this.groups = groups;
+  }
+  groups;
+  execute(groupId) {
+    return this.groups.members(groupId);
+  }
+};
+
+// src/application/groups/list-groups.use-case.ts
+var ListGroupsUseCase = class {
+  constructor(groups) {
+    this.groups = groups;
+  }
+  groups;
+  execute() {
+    return this.groups.list();
+  }
+};
+
+// src/application/groups/list-user-groups.use-case.ts
+var ListUserGroupsUseCase = class {
+  constructor(groups) {
+    this.groups = groups;
+  }
+  groups;
+  execute(userId) {
+    return this.groups.userGroups(userId);
+  }
+};
+
+// src/application/groups/remove-group-member.use-case.ts
+var RemoveGroupMemberUseCase = class {
+  constructor(groups, confirmer) {
+    this.groups = groups;
+    this.confirmer = confirmer;
+  }
+  groups;
+  confirmer;
+  async execute(input) {
+    const operation = DestructiveOperation.of(
+      `Remove user ${input.userId.toString()} from group ${input.groupId.toString()}`,
+      "The user loses every role and permission granted through this group."
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { removed: false, reason: "Operation not confirmed" };
+    }
+    await this.groups.removeMember(input.groupId, input.userId);
+    return { removed: true };
+  }
+};
+
+// src/infrastructure/mcp/group-tools.ts
+function serializeGroup(group) {
+  return {
+    id: group.id.toString(),
+    name: group.name.toString(),
+    path: group.path
+  };
+}
+function serializeUser(user) {
+  return {
+    id: user.id.toString(),
+    username: user.username.toString(),
+    email: user.email?.toString() ?? null,
+    enabled: user.enabled
+  };
+}
+function listGroupsTool(deps) {
+  return {
+    name: "keycloak_group_list",
+    title: "List groups",
+    description: "List the realm's top-level groups.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const groups = await new ListGroupsUseCase(
+        deps.groupRepository
+      ).execute();
+      return textResult(JSON.stringify(groups.map(serializeGroup), null, 2));
+    }
+  };
+}
+function createGroupTool(deps) {
+  return {
+    name: "keycloak_group_create",
+    title: "Create group",
+    description: "Create a top-level group.",
+    level: "write" /* Write */,
+    inputSchema: { name: z8.string() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: false
+    },
+    async handler(args) {
+      await new CreateGroupUseCase(deps.groupRepository).execute(
+        GroupName.fromString(String(args.name))
+      );
+      return textResult(`Group "${String(args.name)}" created.`);
+    }
+  };
+}
+function addGroupMemberTool(deps) {
+  return {
+    name: "keycloak_group_member_add",
+    title: "Add group member",
+    description: "Add a user to a group.",
+    level: "write" /* Write */,
+    inputSchema: { groupId: z8.string(), userId: z8.string() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      await new AddGroupMemberUseCase(deps.groupRepository).execute({
+        groupId: GroupId.fromString(String(args.groupId)),
+        userId: UserId.fromString(String(args.userId))
+      });
+      return textResult("User added to group.");
+    }
+  };
+}
+function removeGroupMemberTool(deps) {
+  return {
+    name: "keycloak_group_member_remove",
+    title: "Remove group member",
+    description: "Remove a user from a group. Requires confirmation.",
+    level: "destructive" /* Destructive */,
+    inputSchema: {
+      groupId: z8.string(),
+      userId: z8.string(),
+      confirm: z8.boolean().optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new RemoveGroupMemberUseCase(
+        deps.groupRepository,
+        confirmer
+      ).execute({
+        groupId: GroupId.fromString(String(args.groupId)),
+        userId: UserId.fromString(String(args.userId))
+      });
+      return textResult(
+        result.removed ? "User removed from group." : `Not removed: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function deleteGroupTool(deps) {
+  return {
+    name: "keycloak_group_delete",
+    title: "Delete group",
+    description: "Delete a group. Requires confirmation.",
+    level: "destructive" /* Destructive */,
+    inputSchema: { id: z8.string(), confirm: z8.boolean().optional() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new DeleteGroupUseCase(
+        deps.groupRepository,
+        confirmer
+      ).execute(GroupId.fromString(String(args.id)));
+      return textResult(
+        result.deleted ? "Group deleted." : `Not deleted: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function assignGroupRoleTool(deps) {
+  return {
+    name: "keycloak_group_role_assign",
+    title: "Assign a realm role to a group",
+    description: "Grant a realm role to a group (inherited by its members).",
+    level: "write" /* Write */,
+    inputSchema: { groupId: z8.string(), role: z8.string() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const result = await new AssignGroupRoleUseCase(
+        deps.roleRepository,
+        deps.groupRepository
+      ).execute({
+        groupId: GroupId.fromString(String(args.groupId)),
+        role: RoleName.fromString(String(args.role))
+      });
+      return textResult(
+        result.assigned ? `Role "${String(args.role)}" assigned to group.` : `Not assigned: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function listGroupMembersTool(deps) {
+  return {
+    name: "keycloak_group_members_list",
+    title: "List group members",
+    description: "List the users that are members of a group.",
+    level: "read" /* Read */,
+    inputSchema: { groupId: z8.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const members = await new ListGroupMembersUseCase(
+        deps.groupRepository
+      ).execute(GroupId.fromString(String(args.groupId)));
+      return textResult(JSON.stringify(members.map(serializeUser), null, 2));
+    }
+  };
+}
+function listUserGroupsTool(deps) {
+  return {
+    name: "keycloak_user_groups_list",
+    title: "List a user's groups",
+    description: "List the groups a user belongs to.",
+    level: "read" /* Read */,
+    inputSchema: { userId: z8.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const groups = await new ListUserGroupsUseCase(
+        deps.groupRepository
+      ).execute(UserId.fromString(String(args.userId)));
+      return textResult(JSON.stringify(groups.map(serializeGroup), null, 2));
+    }
+  };
+}
+function buildGroupTools(deps) {
+  return [
+    listGroupsTool(deps),
+    listGroupMembersTool(deps),
+    listUserGroupsTool(deps),
+    createGroupTool(deps),
+    addGroupMemberTool(deps),
+    assignGroupRoleTool(deps),
+    removeGroupMemberTool(deps),
+    deleteGroupTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/idp-tools.ts
+import { z as z9 } from "zod";
+
+// src/application/idp/create-identity-provider.use-case.ts
+var CreateIdentityProviderUseCase = class {
+  constructor(idps) {
+    this.idps = idps;
+  }
+  idps;
+  execute(idp) {
+    return this.idps.create(idp);
+  }
+};
+
+// src/application/idp/delete-identity-provider.use-case.ts
+var DeleteIdentityProviderUseCase = class {
+  constructor(idps, confirmer) {
+    this.idps = idps;
+    this.confirmer = confirmer;
+  }
+  idps;
+  confirmer;
+  async execute(alias) {
+    const operation = DestructiveOperation.of(
+      `Delete identity provider ${alias.toString()}`,
+      "Users who authenticate through this provider can no longer log in via it, and their federated links are removed. This is irreversible."
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { deleted: false, reason: "Operation not confirmed" };
+    }
+    await this.idps.delete(alias);
+    return { deleted: true };
+  }
+};
+
+// src/application/idp/get-identity-provider.use-case.ts
+var GetIdentityProviderUseCase = class {
+  constructor(idps) {
+    this.idps = idps;
+  }
+  idps;
+  execute(alias) {
+    return this.idps.find(alias);
+  }
+};
+
+// src/application/idp/list-identity-providers.use-case.ts
+var ListIdentityProvidersUseCase = class {
+  constructor(idps) {
+    this.idps = idps;
+  }
+  idps;
+  execute() {
+    return this.idps.list();
+  }
+};
+
+// src/application/idp/list-idp-mappers.use-case.ts
+var ListIdpMappersUseCase = class {
+  constructor(idps) {
+    this.idps = idps;
+  }
+  idps;
+  execute(alias) {
+    return this.idps.listMappers(alias);
+  }
+};
+
+// src/infrastructure/mcp/idp-tools.ts
+function serializeIdp(idp) {
+  return {
+    alias: idp.alias.toString(),
+    providerId: idp.providerId,
+    enabled: idp.enabled,
+    displayName: idp.displayName
+  };
+}
+function readConfig(value) {
+  const config = {};
+  if (value !== null && typeof value === "object") {
+    for (const [key, entry] of Object.entries(
+      value
+    )) {
+      if (typeof entry === "string") {
+        config[key] = entry;
+      }
+    }
+  }
+  return config;
+}
+function listIdpsTool(deps) {
+  return {
+    name: "keycloak_idp_list",
+    title: "List identity providers",
+    description: "List the realm's identity providers.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const idps = await new ListIdentityProvidersUseCase(
+        deps.identityProviderRepository
+      ).execute();
+      return textResult(JSON.stringify(idps.map(serializeIdp), null, 2));
+    }
+  };
+}
+function getIdpTool(deps) {
+  return {
+    name: "keycloak_idp_get",
+    title: "Get identity provider",
+    description: "Fetch an identity provider by alias.",
+    level: "read" /* Read */,
+    inputSchema: { alias: z9.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const idp = await new GetIdentityProviderUseCase(
+        deps.identityProviderRepository
+      ).execute(IdpAlias.fromString(String(args.alias)));
+      return textResult(
+        idp === null ? "Identity provider not found." : JSON.stringify(serializeIdp(idp), null, 2)
+      );
+    }
+  };
+}
+function listIdpMappersTool(deps) {
+  return {
+    name: "keycloak_idp_mappers_list",
+    title: "List identity provider mappers",
+    description: "List an identity provider's mappers.",
+    level: "read" /* Read */,
+    inputSchema: { alias: z9.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const mappers = await new ListIdpMappersUseCase(
+        deps.identityProviderRepository
+      ).execute(IdpAlias.fromString(String(args.alias)));
+      return textResult(JSON.stringify(mappers, null, 2));
+    }
+  };
+}
+function createIdpTool(deps) {
+  return {
+    name: "keycloak_idp_create",
+    title: "Create identity provider",
+    description: "Create an identity provider. `config` carries provider-specific keys (clientId, clientSecret, authorizationUrl, \u2026).",
+    level: "write" /* Write */,
+    inputSchema: {
+      alias: z9.string(),
+      providerId: z9.string(),
+      enabled: z9.boolean().optional(),
+      config: z9.record(z9.string(), z9.string()).optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: false
+    },
+    async handler(args) {
+      await new CreateIdentityProviderUseCase(
+        deps.identityProviderRepository
+      ).execute({
+        alias: IdpAlias.fromString(String(args.alias)),
+        providerId: String(args.providerId),
+        enabled: args.enabled !== false,
+        config: readConfig(args.config)
+      });
+      return textResult(`Identity provider "${String(args.alias)}" created.`);
+    }
+  };
+}
+function deleteIdpTool(deps) {
+  return {
+    name: "keycloak_idp_delete",
+    title: "Delete identity provider",
+    description: "Delete an identity provider. Requires confirmation.",
+    level: "destructive" /* Destructive */,
+    inputSchema: { alias: z9.string(), confirm: z9.boolean().optional() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new DeleteIdentityProviderUseCase(
+        deps.identityProviderRepository,
+        confirmer
+      ).execute(IdpAlias.fromString(String(args.alias)));
+      return textResult(
+        result.deleted ? `Identity provider "${String(args.alias)}" deleted.` : `Not deleted: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function buildIdpTools(deps) {
+  return [
+    listIdpsTool(deps),
+    getIdpTool(deps),
+    listIdpMappersTool(deps),
+    createIdpTool(deps),
+    deleteIdpTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/role-tools.ts
+import { z as z10 } from "zod";
+
+// src/application/roles/assign-user-role.use-case.ts
+var AssignUserRoleUseCase = class {
+  constructor(roles) {
+    this.roles = roles;
+  }
+  roles;
+  async execute(input) {
+    const role = await this.roles.findRealmRole(input.role);
+    if (role === null) {
+      return { assigned: false, reason: "Role not found" };
+    }
+    await this.roles.assignRealmRole(input.userId, role);
+    return { assigned: true };
+  }
+};
+
+// src/application/roles/get-user-roles.use-case.ts
+var GetUserRolesUseCase = class {
+  constructor(roles) {
+    this.roles = roles;
+  }
+  roles;
+  execute(userId) {
+    return this.roles.listUserRealmRoles(userId);
+  }
+};
+
+// src/application/roles/list-realm-roles.use-case.ts
+var ListRealmRolesUseCase = class {
+  constructor(roles) {
+    this.roles = roles;
+  }
+  roles;
+  execute() {
+    return this.roles.listRealmRoles();
+  }
+};
+
+// src/application/roles/unassign-user-role.use-case.ts
+var UnassignUserRoleUseCase = class {
+  constructor(roles, confirmer) {
+    this.roles = roles;
+    this.confirmer = confirmer;
+  }
+  roles;
+  confirmer;
+  async execute(input) {
+    const role = await this.roles.findRealmRole(input.role);
+    if (role === null) {
+      return { removed: false, reason: "Role not found" };
+    }
+    const operation = DestructiveOperation.of(
+      `Remove role ${role.name.toString()} from user ${input.userId.toString()}`,
+      "The user immediately loses every permission granted by this role."
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { removed: false, reason: "Operation not confirmed" };
+    }
+    await this.roles.removeRealmRole(input.userId, role);
+    return { removed: true };
+  }
+};
+
+// src/infrastructure/mcp/role-tools.ts
+function serializeRole(role) {
+  return {
+    id: role.id,
+    name: role.name.toString(),
+    description: role.description
+  };
+}
+function listRealmRolesTool(deps) {
+  return {
+    name: "keycloak_role_list",
+    title: "List realm roles",
+    description: "List the realm roles.",
+    level: "read" /* Read */,
+    inputSchema: {},
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler() {
+      const roles = await new ListRealmRolesUseCase(
+        deps.roleRepository
+      ).execute();
+      return textResult(JSON.stringify(roles.map(serializeRole), null, 2));
+    }
+  };
+}
+function getUserRolesTool(deps) {
+  return {
+    name: "keycloak_user_roles_get",
+    title: "Get a user's realm roles",
+    description: "List the realm roles assigned to a user.",
+    level: "read" /* Read */,
+    inputSchema: { userId: z10.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const roles = await new GetUserRolesUseCase(deps.roleRepository).execute(
+        UserId.fromString(String(args.userId))
+      );
+      return textResult(JSON.stringify(roles.map(serializeRole), null, 2));
+    }
+  };
+}
+function assignUserRoleTool(deps) {
+  return {
+    name: "keycloak_user_role_assign",
+    title: "Assign a realm role to a user",
+    description: "Grant a realm role to a user.",
+    level: "write" /* Write */,
+    inputSchema: { userId: z10.string(), role: z10.string() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const result = await new AssignUserRoleUseCase(
+        deps.roleRepository
+      ).execute({
+        userId: UserId.fromString(String(args.userId)),
+        role: RoleName.fromString(String(args.role))
+      });
+      return textResult(
+        result.assigned ? `Role "${String(args.role)}" assigned.` : `Not assigned: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function unassignUserRoleTool(deps) {
+  return {
+    name: "keycloak_user_role_unassign",
+    title: "Remove a realm role from a user",
+    description: "Revoke a realm role from a user. Requires confirmation.",
+    level: "destructive" /* Destructive */,
+    inputSchema: {
+      userId: z10.string(),
+      role: z10.string(),
+      confirm: z10.boolean().optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new UnassignUserRoleUseCase(
+        deps.roleRepository,
+        confirmer
+      ).execute({
+        userId: UserId.fromString(String(args.userId)),
+        role: RoleName.fromString(String(args.role))
+      });
+      return textResult(
+        result.removed ? `Role "${String(args.role)}" removed.` : `Not removed: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function buildRoleTools(deps) {
+  return [
+    listRealmRolesTool(deps),
+    getUserRolesTool(deps),
+    assignUserRoleTool(deps),
+    unassignUserRoleTool(deps)
+  ];
+}
+
+// src/infrastructure/mcp/tool-registry.ts
+function filterTools(definitions, policy) {
+  return definitions.filter(
+    (definition) => !policy.isBlocked(definition.level)
+  );
+}
+function registerTools(server, definitions) {
+  for (const definition of definitions) {
+    server.registerTool(
+      definition.name,
+      {
+        title: definition.title,
+        description: definition.description,
+        inputSchema: definition.inputSchema,
+        annotations: definition.annotations
+      },
+      (args) => definition.handler(args).then((result) => ({ ...result }))
+    );
+  }
+}
+
+// src/infrastructure/mcp/user-tools.ts
+import { z as z11 } from "zod";
+
+// src/application/users/create-user.use-case.ts
+var CreateUserUseCase = class {
+  constructor(users) {
+    this.users = users;
+  }
+  users;
+  execute(user) {
+    return this.users.create(user);
+  }
+};
+
+// src/application/users/delete-user.use-case.ts
+var DeleteUserUseCase = class {
+  constructor(users, confirmer) {
+    this.users = users;
+    this.confirmer = confirmer;
+  }
+  users;
+  confirmer;
+  async execute(input) {
+    const user = await this.users.findById(input.id);
+    if (user === null) {
+      return { deleted: false, reason: "User not found" };
+    }
+    if (!user.username.equals(input.username)) {
+      return {
+        deleted: false,
+        reason: "Username does not match the target user"
+      };
+    }
+    const sessions = await this.users.countActiveSessions(input.id);
+    const email = user.email === null ? "" : ` (${user.email.toString()})`;
+    const operation = DestructiveOperation.of(
+      `Delete user ${user.username.toString()}`,
+      `Permanently deletes the account${email} and revokes ${sessions} active session(s). This is irreversible.`
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { deleted: false, reason: "Operation not confirmed" };
+    }
+    await this.users.delete(input.id);
+    return { deleted: true };
+  }
+};
+
+// src/application/users/get-user.use-case.ts
+var GetUserUseCase = class {
+  constructor(users) {
+    this.users = users;
+  }
+  users;
+  execute(id) {
+    return this.users.findById(id);
+  }
+};
+
+// src/application/users/list-user-sessions.use-case.ts
+var ListUserSessionsUseCase = class {
+  constructor(users) {
+    this.users = users;
+  }
+  users;
+  execute(id) {
+    return this.users.listSessions(id);
+  }
+};
+
+// src/application/users/logout-user.use-case.ts
+var LogoutUserUseCase = class {
+  constructor(users, confirmer) {
+    this.users = users;
+    this.confirmer = confirmer;
+  }
+  users;
+  confirmer;
+  async execute(input) {
+    const user = await this.users.findById(input.id);
+    if (user === null) {
+      return { loggedOut: false, reason: "User not found" };
+    }
+    const sessions = await this.users.countActiveSessions(input.id);
+    const operation = DestructiveOperation.of(
+      `Log out ${user.username.toString()}`,
+      `Revokes ${String(sessions)} active session(s); the user must sign in again.`
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { loggedOut: false, reason: "Operation not confirmed" };
+    }
+    await this.users.logout(input.id);
+    return { loggedOut: true };
+  }
+};
+
+// src/application/users/reset-user-password.use-case.ts
+var ResetUserPasswordUseCase = class {
+  constructor(users, confirmer) {
+    this.users = users;
+    this.confirmer = confirmer;
+  }
+  users;
+  confirmer;
+  async execute(input) {
+    const user = await this.users.findById(input.id);
+    if (user === null) {
+      return { reset: false, reason: "User not found" };
+    }
+    const operation = DestructiveOperation.of(
+      `Reset password for ${user.username.toString()}`,
+      `The current password stops working immediately${input.temporary ? " and the user must set a new one at next login" : ""}.`
+    );
+    if (!await this.confirmer.confirm(operation)) {
+      return { reset: false, reason: "Operation not confirmed" };
+    }
+    await this.users.resetPassword(input.id, input.password, input.temporary);
+    return { reset: true };
+  }
+};
+
+// src/application/users/search-users.use-case.ts
+var SearchUsersUseCase = class {
+  constructor(users) {
+    this.users = users;
+  }
+  users;
+  execute(criteria) {
+    return this.users.search(criteria);
+  }
+};
+
+// src/application/users/send-action-email.use-case.ts
+var SendActionEmailUseCase = class {
+  constructor(users) {
+    this.users = users;
+  }
+  users;
+  execute(input) {
+    return this.users.sendActionsEmail(input.id, input.actions);
+  }
+};
+
+// src/application/users/set-user-enabled.use-case.ts
+var SetUserEnabledUseCase = class {
+  constructor(users) {
+    this.users = users;
+  }
+  users;
+  execute(input) {
+    return this.users.setEnabled(input.id, input.enabled);
+  }
+};
+
+// src/application/users/update-user.use-case.ts
+var UpdateUserUseCase = class {
+  constructor(users) {
+    this.users = users;
+  }
+  users;
+  execute(input) {
+    return this.users.update(input.id, input.changes);
+  }
+};
+
+// src/domain/shared/action-email-type.ts
+var ACTIONS = [
+  "VERIFY_EMAIL",
+  "UPDATE_PASSWORD",
+  "UPDATE_PROFILE",
+  "CONFIGURE_TOTP"
+];
+var ActionEmailType = class _ActionEmailType {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    const match = ACTIONS.find((action) => action === value);
+    if (match === void 0) {
+      throw new Error(`Unknown action email type: ${value}`);
+    }
+    return new _ActionEmailType(match);
+  }
+  toString() {
+    return this.value;
+  }
+};
+
+// src/domain/shared/password.ts
+var Password = class _Password {
+  constructor(value) {
+    this.value = value;
+  }
+  value;
+  static fromString(value) {
+    return new _Password(ensureNonBlank(value, "Password"));
+  }
+  reveal() {
+    return this.value;
+  }
+  /** Prevents accidental leakage through logging / serialization. */
+  toString() {
+    return "[redacted]";
+  }
+  toJSON() {
+    return "[redacted]";
+  }
+};
+
+// src/infrastructure/mcp/user-tools.ts
+function serializeUser2(user) {
+  return {
+    id: user.id.toString(),
+    username: user.username.toString(),
+    email: user.email?.toString() ?? null,
+    enabled: user.enabled
+  };
+}
+function buildCriteria(args) {
+  const criteria = {
+    first: typeof args.first === "number" ? args.first : 0,
+    max: typeof args.max === "number" ? args.max : 20
+  };
+  if (typeof args.email === "string") {
+    criteria.email = Email.fromString(args.email);
+  }
+  if (typeof args.username === "string") {
+    criteria.username = Username.fromString(args.username);
+  }
+  if (typeof args.search === "string") {
+    criteria.search = args.search;
+  }
+  return criteria;
+}
+function searchUsersTool(deps) {
+  return {
+    name: "keycloak_user_search",
+    title: "Search users",
+    description: "Search realm users by email, username or free text.",
+    level: "read" /* Read */,
+    inputSchema: {
+      email: z11.string().optional(),
+      username: z11.string().optional(),
+      search: z11.string().optional(),
+      first: z11.number().int().min(0).optional(),
+      max: z11.number().int().min(1).max(500).optional()
+    },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const users = await new SearchUsersUseCase(deps.userRepository).execute(
+        buildCriteria(args)
+      );
+      return textResult(JSON.stringify(users.map(serializeUser2), null, 2));
+    }
+  };
+}
+function getUserTool(deps) {
+  return {
+    name: "keycloak_user_get",
+    title: "Get user",
+    description: "Fetch a single user by id.",
+    level: "read" /* Read */,
+    inputSchema: { id: z11.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const user = await new GetUserUseCase(deps.userRepository).execute(
+        UserId.fromString(String(args.id))
+      );
+      return textResult(
+        user === null ? "User not found." : JSON.stringify(serializeUser2(user), null, 2)
+      );
+    }
+  };
+}
+function createUserTool(deps) {
+  return {
+    name: "keycloak_user_create",
+    title: "Create user",
+    description: "Create a realm user.",
+    level: "write" /* Write */,
+    inputSchema: {
+      username: z11.string(),
+      email: z11.string().optional(),
+      enabled: z11.boolean().optional(),
+      emailVerified: z11.boolean().optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const user = {
+        username: Username.fromString(String(args.username)),
+        ...typeof args.email === "string" ? { email: Email.fromString(args.email) } : {},
+        enabled: args.enabled !== false,
+        emailVerified: args.emailVerified === true
+      };
+      await new CreateUserUseCase(deps.userRepository).execute(user);
+      return textResult(`User "${user.username.toString()}" created.`);
+    }
+  };
+}
+function setUserEnabledTool(deps) {
+  return {
+    name: "keycloak_user_set_enabled",
+    title: "Enable or disable user",
+    description: "Enable or disable a user account.",
+    level: "write" /* Write */,
+    inputSchema: { id: z11.string(), enabled: z11.boolean() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const enabled = args.enabled === true;
+      await new SetUserEnabledUseCase(deps.userRepository).execute({
+        id: UserId.fromString(String(args.id)),
+        enabled
+      });
+      return textResult(
+        `User ${String(args.id)} ${enabled ? "enabled" : "disabled"}.`
+      );
+    }
+  };
+}
+function sendActionEmailTool(deps) {
+  return {
+    name: "keycloak_user_send_action_email",
+    title: "Send action email",
+    description: "Send a required-actions email (e.g. VERIFY_EMAIL, UPDATE_PASSWORD).",
+    level: "write" /* Write */,
+    inputSchema: { id: z11.string(), actions: z11.array(z11.string()) },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const raw = Array.isArray(args.actions) ? args.actions : [];
+      const actions = raw.map(
+        (action) => ActionEmailType.fromString(String(action))
+      );
+      await new SendActionEmailUseCase(deps.userRepository).execute({
+        id: UserId.fromString(String(args.id)),
+        actions
+      });
+      return textResult("Action email sent.");
+    }
+  };
+}
+function resetUserPasswordTool(deps) {
+  return {
+    name: "keycloak_user_reset_password",
+    title: "Reset user password",
+    description: "Set a new password for a user. Requires confirmation.",
+    level: "destructive" /* Destructive */,
+    inputSchema: {
+      id: z11.string(),
+      password: z11.string(),
+      temporary: z11.boolean().optional(),
+      confirm: z11.boolean().optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new ResetUserPasswordUseCase(
+        deps.userRepository,
+        confirmer
+      ).execute({
+        id: UserId.fromString(String(args.id)),
+        password: Password.fromString(String(args.password)),
+        temporary: args.temporary === true
+      });
+      return textResult(
+        result.reset ? "Password reset." : `Not reset: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function logoutUserTool(deps) {
+  return {
+    name: "keycloak_user_logout",
+    title: "Log out user",
+    description: "Revoke all of a user's sessions. Requires confirmation.",
+    level: "destructive" /* Destructive */,
+    inputSchema: { id: z11.string(), confirm: z11.boolean().optional() },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new LogoutUserUseCase(
+        deps.userRepository,
+        confirmer
+      ).execute({ id: UserId.fromString(String(args.id)) });
+      return textResult(
+        result.loggedOut ? "User logged out." : `Not logged out: ${result.reason ?? "unknown reason"}`
+      );
+    }
+  };
+}
+function deleteUserTool(deps) {
+  return {
+    name: "keycloak_user_delete",
+    title: "Delete user",
+    description: "Permanently delete a user. Requires confirmation; the username must match the target id.",
+    level: "destructive" /* Destructive */,
+    inputSchema: {
+      id: z11.string(),
+      username: z11.string(),
+      confirm: z11.boolean().optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false
+    },
+    async handler(args) {
+      const confirmer = deps.confirmers.create(args.confirm === true);
+      const result = await new DeleteUserUseCase(
+        deps.userRepository,
+        confirmer
+      ).execute({
+        id: UserId.fromString(String(args.id)),
+        username: Username.fromString(String(args.username))
+      });
+      if (!result.deleted) {
+        return textResult(`Not deleted: ${result.reason ?? "unknown reason"}`);
+      }
+      return textResult(`User "${String(args.username)}" deleted.`);
+    }
+  };
+}
+function updateUserTool(deps) {
+  return {
+    name: "keycloak_user_update",
+    title: "Update user",
+    description: "Update a user's email, name or enabled flag.",
+    level: "write" /* Write */,
+    inputSchema: {
+      id: z11.string(),
+      email: z11.string().optional(),
+      firstName: z11.string().optional(),
+      lastName: z11.string().optional(),
+      enabled: z11.boolean().optional()
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const changes = {};
+      if (typeof args.email === "string") {
+        changes.email = Email.fromString(args.email);
+      }
+      if (typeof args.firstName === "string") {
+        changes.firstName = args.firstName;
+      }
+      if (typeof args.lastName === "string") {
+        changes.lastName = args.lastName;
+      }
+      if (typeof args.enabled === "boolean") {
+        changes.enabled = args.enabled;
+      }
+      await new UpdateUserUseCase(deps.userRepository).execute({
+        id: UserId.fromString(String(args.id)),
+        changes
+      });
+      return textResult(`User ${String(args.id)} updated.`);
+    }
+  };
+}
+function listUserSessionsTool(deps) {
+  return {
+    name: "keycloak_user_sessions_list",
+    title: "List user sessions",
+    description: "List a user's active sessions.",
+    level: "read" /* Read */,
+    inputSchema: { id: z11.string() },
+    annotations: {
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true
+    },
+    async handler(args) {
+      const sessions = await new ListUserSessionsUseCase(
+        deps.userRepository
+      ).execute(UserId.fromString(String(args.id)));
+      return textResult(JSON.stringify(sessions, null, 2));
+    }
+  };
+}
+function buildUserTools(deps) {
+  return [
+    searchUsersTool(deps),
+    getUserTool(deps),
+    listUserSessionsTool(deps),
+    createUserTool(deps),
+    updateUserTool(deps),
+    setUserEnabledTool(deps),
+    sendActionEmailTool(deps),
+    resetUserPasswordTool(deps),
+    logoutUserTool(deps),
+    deleteUserTool(deps)
+  ];
+}
+
+// src/server.ts
+var httpFetch = (url, init) => fetch(url, init);
+function createTokenProvider(config) {
+  if (config.auth.mode === "service_account") {
+    return createClientCredentialsProvider(
+      {
+        baseUrl: config.baseUrl,
+        realm: config.realm,
+        clientId: config.auth.clientId,
+        clientSecret: config.auth.clientSecret
+      },
+      httpFetch,
+      systemClock
+    );
+  }
+  return createPasswordProvider(
+    {
+      baseUrl: config.baseUrl,
+      realm: config.auth.adminRealm,
+      username: config.auth.username,
+      password: config.auth.password
+    },
+    httpFetch,
+    systemClock
+  );
+}
+function createServer(config) {
+  RealmAccessPolicy.of(
+    config.allowedRealms.map((realm) => RealmName.fromString(realm))
+  ).assertAllowed(RealmName.fromString(config.realm));
+  const server = new McpServer({
+    name: "mcp-keycloak-admin",
+    version: "0.0.0"
+  });
+  const tokens = createTokenProvider(config);
+  const client = new KeycloakAdminClient(
+    { baseUrl: config.baseUrl, realm: config.realm },
+    tokens,
+    httpFetch
+  );
+  const userRepository = new KeycloakUserRepository(client);
+  const roleRepository = new KeycloakRoleRepository(client);
+  const clientRepository = new KeycloakClientRepository(client);
+  const clientScopeRepository = new KeycloakClientScopeRepository(client);
+  const groupRepository = new KeycloakGroupRepository(client);
+  const eventLog = new KeycloakEventLog(client);
+  const realmInfo = new KeycloakRealmInfo(client);
+  const identityProviderRepository = new KeycloakIdentityProviderRepository(
+    client
+  );
+  const federationRepository = new KeycloakFederationRepository(client);
+  const authenticationRepository = new KeycloakAuthenticationRepository(client);
+  const authorizationRepository = new KeycloakAuthorizationRepository(client);
+  const confirmers = new McpConfirmerFactory(server);
+  const tools = filterTools(
+    [
+      ...buildUserTools({ userRepository, confirmers }),
+      ...buildRoleTools({ roleRepository, confirmers }),
+      ...buildClientTools({ clientRepository, confirmers }),
+      ...buildClientScopeTools({
+        clientRepository,
+        clientScopeRepository,
+        confirmers
+      }),
+      ...buildGroupTools({ groupRepository, roleRepository, confirmers }),
+      ...buildIdpTools({ identityProviderRepository, confirmers }),
+      ...buildFederationTools({ federationRepository }),
+      ...buildAuthTools({ authenticationRepository }),
+      ...buildAuthzTools({ clientRepository, authorizationRepository }),
+      ...buildEventRealmTools({ eventLog, realmInfo })
+    ],
+    ToolAccessPolicy.of(config.readOnly)
+  );
+  registerTools(server, tools);
+  return server;
+}
+
+// src/index.ts
+async function main() {
+  const config = loadConfig(process.env);
+  const server = createServer(config);
+  await server.connect(new StdioServerTransport());
+}
+main().catch((error) => {
+  console.error(error);
+  process.exitCode = 1;
+});
+//# sourceMappingURL=index.js.map