create_user tool cannot produce users in STAGED status

[stephen-bailey-carta]

Problem

The create_user tool in src/okta_mcp_server/tools/users/users.py accepts only a profile dict and calls client.create_user(user_data) without passing any query parameters. The Okta Users API defaults activate=true, so every user created via this tool lands in PROVISIONED status (activation email is fired immediately).

There is no way to create a user in STAGED status, which is the expected starting state for:

• Pre-hire / future-dated employee imports
• M&A user migrations where activation is controlled centrally by HR/IT
• Bulk imports where you want to validate data before kicking off provisioning workflows

Current behavior

# src/okta_mcp_server/tools/users/users.py
async def create_user(profile: dict, ctx: Context = None) -> list:
    ...
    user_data = {"profile": profile}
    user, _, err = await client.create_user(user_data)

Result: new user is in PROVISIONED status, activation email sent.

Proposed fix

Accept an activate: bool = True parameter and pass it through to the Okta SDK (which already supports query_params.activate per its user_client.create_user docstring):

async def create_user(profile: dict, activate: bool = True, ctx: Context = None) -> list:
    ...
    user_data = {"profile": profile}
    user, _, err = await client.create_user(
        user_data,
        {"activate": str(activate).lower()},
    )

Default behavior is preserved. Callers needing STAGED pass activate=False.

Verification

I've applied this patch locally and verified end-to-end:

1. Created a disposable user with activate="false" via the Okta Python SDK
2. Confirmed returned user's status == UserStatus.STAGED
3. Deleted the test user (STAGED users delete in a single call)

Happy to open a PR with the fix.

References

• Okta API — Create User activate query param
• Okta SDK user_client.create_user signature accepts query_params.activate