zitadel-mcp-server 1.0.0

package/build/types/tools.d.ts

@@ -0,0 +1,43 @@
+/**
+ * MCP Tool types — handler signatures, context, response format
+ * Annotation pattern from Auth0 MCP server
+ */
+import { z } from 'zod';
+import type { ZitadelClient } from '../auth/client.js';
+import type { ZitadelConfig } from '../utils/config.js';
+export interface ToolAnnotations {
+    title?: string;
+    readOnlyHint?: boolean;
+    destructiveHint?: boolean;
+    idempotentHint?: boolean;
+    openWorldHint?: boolean;
+}
+export interface ToolMeta {
+    readOnly?: boolean;
+    domain: 'users' | 'projects' | 'applications' | 'roles' | 'service-accounts' | 'organizations' | 'utility' | 'portal';
+}
+export interface ToolDefinition {
+    name: string;
+    description: string;
+    inputSchema: Record<string, unknown>;
+    _meta?: ToolMeta;
+    annotations?: ToolAnnotations;
+}
+export interface HandlerContext {
+    client: ZitadelClient;
+    config: ZitadelConfig;
+}
+export interface ToolResponse {
+    content: Array<{
+        type: 'text';
+        text: string;
+    }>;
+    isError?: boolean;
+}
+export type ToolHandler = (params: Record<string, unknown>, ctx: HandlerContext) => Promise<ToolResponse>;
+/** Zitadel IDs are numeric strings — reject anything that could alter URL paths */
+export declare const zitadelId: (label?: string) => z.ZodString;
+/** Helper to create a successful text response */
+export declare function textResponse(text: string): ToolResponse;
+/** Helper to create an error text response */
+export declare function errorResponse(text: string): ToolResponse;

package/build/types/tools.js

@@ -0,0 +1,16 @@
+/**
+ * MCP Tool types — handler signatures, context, response format
+ * Annotation pattern from Auth0 MCP server
+ */
+import { z } from 'zod';
+/** Zitadel IDs are numeric strings — reject anything that could alter URL paths */
+export const zitadelId = (label = 'ID') => z.string().min(1, `${label} is required`).regex(/^[a-zA-Z0-9_-]+$/, `${label} must be alphanumeric`);
+/** Helper to create a successful text response */
+export function textResponse(text) {
+    return { content: [{ type: 'text', text }] };
+}
+/** Helper to create an error text response */
+export function errorResponse(text) {
+    return { content: [{ type: 'text', text }], isError: true };
+}
+//# sourceMappingURL=tools.js.map

package/build/types/tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools.js","sourceRoot":"","sources":["../../src/types/tools.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAwCxB,mFAAmF;AACnF,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,KAAK,GAAG,IAAI,EAAE,EAAE,CACxC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,KAAK,cAAc,CAAC,CAAC,KAAK,CAAC,kBAAkB,EAAE,GAAG,KAAK,uBAAuB,CAAC,CAAC;AAEvG,kDAAkD;AAClD,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;AAC/C,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC9D,CAAC"}

package/build/types/zitadel.d.ts

@@ -0,0 +1,232 @@
+/**
+ * Zitadel Management API TypeScript Types
+ * Covers users, projects, apps, roles, grants, service accounts
+ */
+export interface ResourceDetails {
+    sequence: string;
+    creationDate: string;
+    changeDate: string;
+    resourceOwner: string;
+}
+export interface ListDetails {
+    totalResult: string;
+    processedSequence: string;
+    timestamp: string;
+}
+export interface ZitadelError {
+    code: number;
+    message: string;
+    details?: Array<{
+        '@type': string;
+        id?: string;
+        message?: string;
+    }>;
+}
+export type UserState = 'USER_STATE_UNSPECIFIED' | 'USER_STATE_ACTIVE' | 'USER_STATE_INACTIVE' | 'USER_STATE_DELETED' | 'USER_STATE_LOCKED' | 'USER_STATE_INITIAL';
+export interface HumanProfile {
+    givenName: string;
+    familyName: string;
+    nickName?: string;
+    displayName?: string;
+    preferredLanguage?: string;
+    gender?: 'GENDER_UNSPECIFIED' | 'GENDER_FEMALE' | 'GENDER_MALE' | 'GENDER_DIVERSE';
+    avatarUrl?: string;
+}
+export interface HumanEmail {
+    email: string;
+    isEmailVerified: boolean;
+}
+export interface HumanPhone {
+    phone?: string;
+    isPhoneVerified?: boolean;
+}
+export interface ZitadelUserDetails {
+    userId: string;
+    state: UserState;
+    username: string;
+    loginNames: string[];
+    preferredLoginName: string;
+    human?: {
+        profile: HumanProfile;
+        email: HumanEmail;
+        phone?: HumanPhone;
+        passwordChanged?: string;
+    };
+    details: ResourceDetails;
+}
+export interface ListUsersResponse {
+    details: ListDetails;
+    sortingColumn?: number;
+    result: ZitadelUserDetails[];
+}
+export interface GetUserResponse {
+    user: ZitadelUserDetails;
+}
+export interface CreateHumanUserRequest {
+    profile: {
+        givenName: string;
+        familyName: string;
+        nickName?: string;
+        displayName?: string;
+        preferredLanguage?: string;
+    };
+    email: {
+        email: string;
+        isVerified?: boolean;
+    };
+    phone?: {
+        phone: string;
+        isVerified?: boolean;
+    };
+    password?: {
+        password: string;
+        changeRequired?: boolean;
+    };
+}
+export interface CreateUserResponse {
+    userId: string;
+    details: ResourceDetails;
+}
+export interface ZitadelProject {
+    id: string;
+    name: string;
+    state: 'PROJECT_STATE_ACTIVE' | 'PROJECT_STATE_INACTIVE';
+    details: ResourceDetails;
+    projectRoleAssertion?: boolean;
+    projectRoleCheck?: boolean;
+    hasProjectCheck?: boolean;
+}
+export interface ListProjectsResponse {
+    details: ListDetails;
+    result: ZitadelProject[];
+}
+export interface CreateProjectRequest {
+    name: string;
+    projectRoleAssertion?: boolean;
+    projectRoleCheck?: boolean;
+    hasProjectCheck?: boolean;
+}
+export interface CreateProjectResponse {
+    id: string;
+    details: ResourceDetails;
+}
+export interface OIDCConfig {
+    clientId: string;
+    clientSecret?: string;
+    redirectUris: string[];
+    responseTypes: string[];
+    grantTypes: string[];
+    appType: string;
+    authMethodType: string;
+    postLogoutRedirectUris?: string[];
+    devMode?: boolean;
+}
+export interface ZitadelApp {
+    id: string;
+    name: string;
+    state: 'APP_STATE_ACTIVE' | 'APP_STATE_INACTIVE';
+    details: ResourceDetails;
+    oidcConfig?: OIDCConfig;
+}
+export interface ListAppsResponse {
+    details: ListDetails;
+    result: ZitadelApp[];
+}
+export interface GetAppResponse {
+    app: ZitadelApp;
+}
+export interface CreateOIDCAppRequest {
+    name: string;
+    redirectUris: string[];
+    responseTypes: string[];
+    grantTypes: string[];
+    appType: string;
+    authMethodType: string;
+    postLogoutRedirectUris?: string[];
+    devMode?: boolean;
+}
+export interface CreateOIDCAppResponse {
+    appId: string;
+    details: ResourceDetails;
+    clientId: string;
+    clientSecret?: string;
+}
+export interface UpdateOIDCAppRequest {
+    redirectUris?: string[];
+    responseTypes?: string[];
+    grantTypes?: string[];
+    appType?: string;
+    authMethodType?: string;
+    postLogoutRedirectUris?: string[];
+    devMode?: boolean;
+}
+export interface ProjectRole {
+    key: string;
+    displayName: string;
+    group?: string;
+}
+export interface ListProjectRolesResponse {
+    details: ListDetails;
+    result: ProjectRole[];
+}
+export interface CreateProjectRoleRequest {
+    roleKey: string;
+    displayName: string;
+    group?: string;
+}
+export interface UserGrant {
+    id: string;
+    details: ResourceDetails;
+    userId: string;
+    projectId: string;
+    projectGrantId?: string;
+    roleKeys: string[];
+    state: 'USER_GRANT_STATE_ACTIVE' | 'USER_GRANT_STATE_INACTIVE';
+}
+export interface ListUserGrantsResponse {
+    details: ListDetails;
+    result: UserGrant[];
+}
+export interface CreateUserGrantResponse {
+    userGrantId: string;
+    details: ResourceDetails;
+}
+export interface CreateMachineUserRequest {
+    userName: string;
+    name: string;
+    description?: string;
+    accessTokenType?: 'ACCESS_TOKEN_TYPE_BEARER' | 'ACCESS_TOKEN_TYPE_JWT';
+}
+export interface CreateMachineUserResponse {
+    userId: string;
+    details: ResourceDetails;
+}
+export interface MachineKeyDetails {
+    id: string;
+    details: ResourceDetails;
+    type: string;
+    expirationDate?: string;
+}
+export interface ListMachineKeysResponse {
+    details: ListDetails;
+    result: MachineKeyDetails[];
+}
+export interface CreateMachineKeyResponse {
+    keyId: string;
+    keyDetails: string;
+    details: ResourceDetails;
+}
+export interface ZitadelOrg {
+    id: string;
+    name: string;
+    state: 'ORG_STATE_ACTIVE' | 'ORG_STATE_INACTIVE';
+    details: ResourceDetails;
+    primaryDomain?: string;
+}
+export interface GetOrgResponse {
+    org: ZitadelOrg;
+}
+export interface ListOrgsResponse {
+    details: ListDetails;
+    result: ZitadelOrg[];
+}

package/build/types/zitadel.js

@@ -0,0 +1,6 @@
+/**
+ * Zitadel Management API TypeScript Types
+ * Covers users, projects, apps, roles, grants, service accounts
+ */
+export {};
+//# sourceMappingURL=zitadel.js.map

package/build/types/zitadel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"zitadel.js","sourceRoot":"","sources":["../../src/types/zitadel.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/build/utils/config.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Configuration loader with Zod validation
+ */
+import { z } from 'zod';
+declare const configSchema: z.ZodObject<{
+    issuer: z.ZodString;
+    serviceAccountUserId: z.ZodString;
+    serviceAccountKeyId: z.ZodString;
+    serviceAccountPrivateKey: z.ZodString;
+    orgId: z.ZodString;
+    projectId: z.ZodOptional<z.ZodString>;
+    portalDatabaseUrl: z.ZodOptional<z.ZodString>;
+    logLevel: z.ZodDefault<z.ZodEnum<["DEBUG", "INFO", "WARN", "ERROR"]>>;
+}, "strip", z.ZodTypeAny, {
+    issuer: string;
+    serviceAccountUserId: string;
+    serviceAccountKeyId: string;
+    serviceAccountPrivateKey: string;
+    orgId: string;
+    logLevel: "DEBUG" | "INFO" | "WARN" | "ERROR";
+    projectId?: string | undefined;
+    portalDatabaseUrl?: string | undefined;
+}, {
+    issuer: string;
+    serviceAccountUserId: string;
+    serviceAccountKeyId: string;
+    serviceAccountPrivateKey: string;
+    orgId: string;
+    projectId?: string | undefined;
+    portalDatabaseUrl?: string | undefined;
+    logLevel?: "DEBUG" | "INFO" | "WARN" | "ERROR" | undefined;
+}>;
+export type ZitadelConfig = z.infer<typeof configSchema>;
+export declare function loadConfig(): ZitadelConfig;
+export declare function isPortalEnabled(config: ZitadelConfig): boolean;
+export {};

package/build/utils/config.js

@@ -0,0 +1,35 @@
+/**
+ * Configuration loader with Zod validation
+ */
+import { z } from 'zod';
+const configSchema = z.object({
+    issuer: z.string().url('ZITADEL_ISSUER must be a valid URL'),
+    serviceAccountUserId: z.string().min(1, 'ZITADEL_SERVICE_ACCOUNT_USER_ID is required'),
+    serviceAccountKeyId: z.string().min(1, 'ZITADEL_SERVICE_ACCOUNT_KEY_ID is required'),
+    serviceAccountPrivateKey: z.string().min(1, 'ZITADEL_SERVICE_ACCOUNT_PRIVATE_KEY is required'),
+    orgId: z.string().min(1, 'ZITADEL_ORG_ID is required'),
+    projectId: z.string().optional(),
+    portalDatabaseUrl: z.string().optional(),
+    logLevel: z.enum(['DEBUG', 'INFO', 'WARN', 'ERROR']).default('INFO'),
+});
+export function loadConfig() {
+    const result = configSchema.safeParse({
+        issuer: process.env['ZITADEL_ISSUER'],
+        serviceAccountUserId: process.env['ZITADEL_SERVICE_ACCOUNT_USER_ID'],
+        serviceAccountKeyId: process.env['ZITADEL_SERVICE_ACCOUNT_KEY_ID'],
+        serviceAccountPrivateKey: process.env['ZITADEL_SERVICE_ACCOUNT_PRIVATE_KEY'],
+        orgId: process.env['ZITADEL_ORG_ID'],
+        projectId: process.env['ZITADEL_PROJECT_ID'] || undefined,
+        portalDatabaseUrl: process.env['PORTAL_DATABASE_URL'] || undefined,
+        logLevel: process.env['LOG_LEVEL'] || 'INFO',
+    });
+    if (!result.success) {
+        const errors = result.error.issues.map(i => `  - ${i.path.join('.')}: ${i.message}`).join('\n');
+        throw new Error(`Configuration error:\n${errors}`);
+    }
+    return result.data;
+}
+export function isPortalEnabled(config) {
+    return !!config.portalDatabaseUrl;
+}
+//# sourceMappingURL=config.js.map

package/build/utils/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,oCAAoC,CAAC;IAC5D,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,6CAA6C,CAAC;IACtF,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,4CAA4C,CAAC;IACpF,wBAAwB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,iDAAiD,CAAC;IAC9F,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,4BAA4B,CAAC;IACtD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;CACrE,CAAC,CAAC;AAIH,MAAM,UAAU,UAAU;IACxB,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC;QACpC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACrC,oBAAoB,EAAE,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC;QACpE,mBAAmB,EAAE,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC;QAClE,wBAAwB,EAAE,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC;QAC5E,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACpC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,SAAS;QACzD,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,SAAS;QAClE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,MAAM;KAC7C,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChG,MAAM,IAAI,KAAK,CAAC,yBAAyB,MAAM,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAqB;IACnD,OAAO,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC;AACpC,CAAC"}

package/build/utils/error-handler.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Error classes and MCP error handling
+ */
+import { McpError } from '@modelcontextprotocol/sdk/types.js';
+export declare class ZitadelAPIError extends Error {
+    statusCode?: number | undefined;
+    originalError?: Error | undefined;
+    constructor(message: string, statusCode?: number | undefined, originalError?: Error | undefined);
+}
+export declare class ValidationError extends Error {
+    field?: string | undefined;
+    constructor(message: string, field?: string | undefined);
+}
+export declare class ConfigurationError extends Error {
+    constructor(message: string);
+}
+export declare function handleMCPError(error: unknown): McpError;
+export declare function setupErrorHandlers(): void;

package/build/utils/error-handler.js

@@ -0,0 +1,56 @@
+/**
+ * Error classes and MCP error handling
+ */
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+export class ZitadelAPIError extends Error {
+    statusCode;
+    originalError;
+    constructor(message, statusCode, originalError) {
+        super(message);
+        this.statusCode = statusCode;
+        this.originalError = originalError;
+        this.name = 'ZitadelAPIError';
+    }
+}
+export class ValidationError extends Error {
+    field;
+    constructor(message, field) {
+        super(message);
+        this.field = field;
+        this.name = 'ValidationError';
+    }
+}
+export class ConfigurationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ConfigurationError';
+    }
+}
+export function handleMCPError(error) {
+    if (error instanceof ValidationError) {
+        return new McpError(ErrorCode.InvalidParams, `Invalid parameter${error.field ? ` '${error.field}'` : ''}: ${error.message}`);
+    }
+    if (error instanceof ZitadelAPIError) {
+        if (error.statusCode === 404) {
+            return new McpError(ErrorCode.InvalidParams, 'Resource not found in Zitadel');
+        }
+        if (error.statusCode === 409) {
+            return new McpError(ErrorCode.InvalidParams, `Conflict: ${error.message}`);
+        }
+        if (error.statusCode === 429) {
+            return new McpError(ErrorCode.InternalError, 'Rate limit exceeded. Please try again later.');
+        }
+        return new McpError(ErrorCode.InternalError, `Zitadel API error: ${error.message}`);
+    }
+    return new McpError(ErrorCode.InternalError, error instanceof Error ? error.message : 'Unknown error occurred');
+}
+export function setupErrorHandlers() {
+    process.on('uncaughtException', (error) => {
+        console.error('Uncaught Exception:', error);
+        process.exit(1);
+    });
+    process.on('unhandledRejection', (reason, promise) => {
+        console.error('Unhandled Rejection at:', promise, 'reason:', reason);
+    });
+}
+//# sourceMappingURL=error-handler.js.map

package/build/utils/error-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.js","sourceRoot":"","sources":["../../src/utils/error-handler.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAG/B;IACA;IAHT,YACE,OAAe,EACR,UAAmB,EACnB,aAAqB;QAE5B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,eAAU,GAAV,UAAU,CAAS;QACnB,kBAAa,GAAb,aAAa,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACJ;IAApC,YAAY,OAAe,EAAS,KAAc;QAChD,KAAK,CAAC,OAAO,CAAC,CAAC;QADmB,UAAK,GAAL,KAAK,CAAS;QAEhD,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;QACrC,OAAO,IAAI,QAAQ,CACjB,SAAS,CAAC,aAAa,EACvB,oBAAoB,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,OAAO,EAAE,CAC/E,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;QACrC,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;YAC7B,OAAO,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE,+BAA+B,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;YAC7B,OAAO,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;YAC7B,OAAO,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE,8CAA8C,CAAC,CAAC;QAC/F,CAAC;QACD,OAAO,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE,sBAAsB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,OAAO,IAAI,QAAQ,CACjB,SAAS,CAAC,aAAa,EACvB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAClE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,CAAC,EAAE,CAAC,mBAAmB,EAAE,CAAC,KAAK,EAAE,EAAE;QACxC,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QACnD,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;AACL,CAAC"}

package/build/utils/logger.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Logger — all output to stderr (stdout reserved for MCP protocol)
+ */
+export declare enum LogLevel {
+    DEBUG = 0,
+    INFO = 1,
+    WARN = 2,
+    ERROR = 3
+}
+export declare class Logger {
+    private logLevel;
+    constructor(level?: keyof typeof LogLevel);
+    private shouldLog;
+    private formatMessage;
+    debug(message: string, meta?: unknown): void;
+    info(message: string, meta?: unknown): void;
+    warn(message: string, meta?: unknown): void;
+    error(message: string, meta?: unknown): void;
+}
+export declare const logger: Logger;

package/build/utils/logger.js

@@ -0,0 +1,46 @@
+/**
+ * Logger — all output to stderr (stdout reserved for MCP protocol)
+ */
+export var LogLevel;
+(function (LogLevel) {
+    LogLevel[LogLevel["DEBUG"] = 0] = "DEBUG";
+    LogLevel[LogLevel["INFO"] = 1] = "INFO";
+    LogLevel[LogLevel["WARN"] = 2] = "WARN";
+    LogLevel[LogLevel["ERROR"] = 3] = "ERROR";
+})(LogLevel || (LogLevel = {}));
+export class Logger {
+    logLevel;
+    constructor(level = 'INFO') {
+        this.logLevel = LogLevel[level];
+    }
+    shouldLog(level) {
+        return level >= this.logLevel;
+    }
+    formatMessage(level, message, meta) {
+        const timestamp = new Date().toISOString();
+        const metaStr = meta ? ` ${JSON.stringify(meta)}` : '';
+        return `[${timestamp}] ${level}: ${message}${metaStr}`;
+    }
+    debug(message, meta) {
+        if (this.shouldLog(LogLevel.DEBUG)) {
+            console.error(this.formatMessage('DEBUG', message, meta));
+        }
+    }
+    info(message, meta) {
+        if (this.shouldLog(LogLevel.INFO)) {
+            console.error(this.formatMessage('INFO', message, meta));
+        }
+    }
+    warn(message, meta) {
+        if (this.shouldLog(LogLevel.WARN)) {
+            console.error(this.formatMessage('WARN', message, meta));
+        }
+    }
+    error(message, meta) {
+        if (this.shouldLog(LogLevel.ERROR)) {
+            console.error(this.formatMessage('ERROR', message, meta));
+        }
+    }
+}
+export const logger = new Logger(process.env['LOG_LEVEL'] || 'INFO');
+//# sourceMappingURL=logger.js.map

package/build/utils/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,CAAN,IAAY,QAKX;AALD,WAAY,QAAQ;IAClB,yCAAS,CAAA;IACT,uCAAQ,CAAA;IACR,uCAAQ,CAAA;IACR,yCAAS,CAAA;AACX,CAAC,EALW,QAAQ,KAAR,QAAQ,QAKnB;AAED,MAAM,OAAO,MAAM;IACT,QAAQ,CAAW;IAE3B,YAAY,QAA+B,MAAM;QAC/C,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAEO,SAAS,CAAC,KAAe;QAC/B,OAAO,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC;IAChC,CAAC;IAEO,aAAa,CAAC,KAAa,EAAE,OAAe,EAAE,IAAc;QAClE,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,SAAS,KAAK,KAAK,KAAK,OAAO,GAAG,OAAO,EAAE,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,IAAc;QACnC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,IAAc;QAClC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,IAAc;QAClC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,IAAc;QACnC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;CACF;AAED,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,MAAM,CAC7B,OAAO,CAAC,GAAG,CAAC,WAAW,CAA2B,IAAI,MAAM,CAC9D,CAAC"}

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "zitadel-mcp-server",
+  "version": "1.0.0",
+  "description": "MCP server for Zitadel identity management — manage users, projects, apps, roles, and service accounts",
+  "type": "module",
+  "main": "build/index.js",
+  "bin": {
+    "zitadel-mcp": "build/index.js"
+  },
+  "files": [
+    "build",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "start": "node build/index.js",
+    "dev": "tsx src/index.ts",
+    "clean": "rm -rf build",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "dotenv": "^16.5.0",
+    "jose": "^5.0.0",
+    "postgres": "^3.4.0",
+    "zod": "^3.22.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.0",
+    "vitest": "^4.0.18"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/takleb3rry/zitadel-mcp.git"
+  },
+  "license": "MIT",
+  "keywords": [
+    "zitadel",
+    "mcp",
+    "model-context-protocol",
+    "identity",
+    "iam",
+    "authentication",
+    "authorization"
+  ]
+}