diff --git a/documentation/Nexus MCP - Tool Inventory.md b/documentation/Nexus MCP - Tool Inventory.md new file mode 100644 index 0000000..f825b5e --- /dev/null +++ b/documentation/Nexus MCP - Tool Inventory.md 
@@ -0,0 +1,145 @@ +# Nexus MCP - Tool inventory + +A complete reference of every service and tool currently registered in the Nexus MCP server. Sorted alphabetically by service, then by tool name within each service. + +--- + +## Active Directory + +**Shard:** `identity` | **Status:** 🟢 Green (WIS-017) + +| Tool | Description | +|---|---| +| `ad_get_disabled_accounts` | Returns all disabled user accounts in Active Directory (userAccountControl = 514). | +| `ad_get_group_members` | Returns all members of an AD group by its distinguished name (DN). | +| `ad_get_stale_accounts` | Returns active AD accounts with no recorded login activity within a configurable number of days (default: 90). | +| `ad_get_user` | Looks up a single AD user by their sAMAccountName (login name) and returns a normalized user object. | +| `ad_get_user_by_email` | Looks up a single AD user by their email address and returns a normalized user object. | +| `ad_list_groups` | Lists all security and distribution groups in Active Directory. | +| `ad_search_users` | Searches AD users by display name or sAMAccountName fragment and returns a list of normalized user objects. | + +--- + +## Audit (cross-system) + +**Shard:** `audit` + `main.py` | **Status:** 🟢 Green + +| Tool | Description | +|---|---| +| `nexus_audit_recent` | Returns the last *n* entries from the Nexus-MCP SOC 2 structured audit log. Each entry includes tool name, shard, action category, redacted argument summary, status, and latency. | +| `nexus_audit_stats` | Returns aggregate statistics over the entire audit log, including total call count, status breakdown, shard breakdown, top-10 tools by call volume, and recent errors. | +| `scan_department_mismatches` | Detects workers whose department in Workday differs from their department attribute in Active Directory. Severity: MEDIUM. | +| `scan_job_title_drift` | Detects workers whose job title in Workday differs from their title attribute in Active Directory. Severity: MEDIUM. 
| +| `scan_name_variance_mismatches` | Detects AD display names that do not align with the legal or preferred name stored in Workday. Severity: LOW. | +| `scan_status_reconciliation` | Detects workers who are terminated in Workday but still have an enabled account in Active Directory. Severity: HIGH. | + +--- + +## BMC Helix (ITSM) + +**Shard:** `itsm` | **Status:** 🔴 Red (Planned) + +| Tool | Description | +|---|---| +| `helix_get_incident` | Retrieves full details for a single Helix incident ticket by its Entry ID (e.g. `INC0001234`). | +| `helix_get_problem` | Retrieves a Helix problem investigation record by its problem ID (e.g. `PRB0000456`). | +| `helix_list_changes` | Lists change requests from BMC Helix with optional status filter (e.g. Draft, Scheduled, In Progress). | +| `helix_list_cmdb_assets` | Lists hardware assets registered in the BMC Helix CMDB. | +| `helix_list_incidents` | Lists incidents from BMC Helix ITSM with optional filters for status and assignee. | +| `helix_search_cmdb` | Searches the BMC Helix CMDB for configuration items (CIs) matching a name fragment. | + +--- + +## FedEx + +**Shard:** `logistics` | **Status:** 🔴 Red (Planned — credentials pending) + +| Tool | Description | +|---|---| +| `fedex_get_rates` | Returns available FedEx shipping service options and rates between two postal codes for a given package weight. | +| `fedex_get_shipment_events` | Returns the full ordered list of scan events (location, timestamp, description) for a single FedEx tracking number. | +| `fedex_track_multiple` | Tracks up to 30 FedEx shipments in a single API call and returns tracking results for each. | +| `fedex_track_shipment` | Tracks a single FedEx shipment by tracking number and returns full tracking details including current status and estimated delivery. | +| `fedex_validate_address` | Validates a shipping address against the FedEx Address Validation API and returns the classification and resolved address. 
| + +--- + +## Microsoft Entra ID + +**Shard:** `identity` | **Status:** 🟢 Green (WIS-017) + +| Tool | Description | +|---|---| +| `entra_get_conditional_access_policies` | Lists all Conditional Access policies configured in the Entra ID tenant. | +| `entra_get_group_members` | Lists members of an Entra ID group by its object ID. | +| `entra_get_risky_users` | Lists users currently flagged as risky by Entra ID Identity Protection. Requires `IdentityRiskyUser.Read.All` Graph permission. | +| `entra_get_signin_logs` | Retrieves recent sign-in log entries from Entra ID, ordered by most recent. Requires `AuditLog.Read.All` Graph permission. | +| `entra_get_user` | Retrieves a single Entra ID user by object ID or UPN and returns a normalized user object. | +| `entra_list_groups` | Lists all groups in the Microsoft Entra ID tenant. | +| `entra_list_service_principals` | Lists service principals (app registrations and enterprise applications) registered in Entra ID. | +| `entra_list_users` | Lists users in Microsoft Entra ID and returns normalized user objects. | + +--- + +## Microsoft Intune + +**Shard:** `assets` | **Status:** 🔴 Red (Planned) + +| Tool | Description | +|---|---| +| `intune_get_autopilot_devices` | Lists all Windows Autopilot device registrations in Intune. | +| `intune_get_managed_device` | Retrieves full details for a single Intune managed device by its device ID or device name. | +| `intune_get_noncompliant_devices` | Returns all Intune-managed devices currently in a non-compliant state. | +| `intune_list_apps` | Lists managed applications deployed through Intune mobile app management. | +| `intune_list_compliance_policies` | Lists the device compliance policies configured in Intune. | +| `intune_list_configuration_profiles` | Lists the device configuration profiles configured in Intune. | +| `intune_list_managed_devices` | Lists all devices enrolled in Microsoft Intune with key health and compliance attributes. 
| + +--- + +## Lansweeper + +**Shard:** `assets` | **Status:** 🔴 Red (Planned) + +| Tool | Description | +|---|---| +| `lansweeper_get_asset` | Retrieves full inventory details for a single Lansweeper asset by its asset ID. | +| `lansweeper_get_software` | Lists all installed software (name, version, publisher) on a given Lansweeper asset. | +| `lansweeper_list_assets` | Lists assets from Lansweeper with optional filtering by asset type (e.g. Windows, Linux, Network Device). | +| `lansweeper_search_assets` | Searches Lansweeper assets by name, IP address, or serial number fragment and returns matching records. | + +--- + +## Workday + +**Shard:** `workday` | **Status:** 🟡 Yellow (WIS-009) + +| Tool | Description | +|---|---| +| `workday_find_worker_by_email` | Finds a Workday worker record by their primary work email address. | +| `workday_get_compensation` | Retrieves compensation details (grade, salary band) for a worker by their Workday ID. | +| `workday_get_worker` | Retrieves full details for a single Workday worker by their Workday worker ID. | +| `workday_list_organizations` | Lists supervisory organisations in the Workday tenant. | +| `workday_list_positions` | Lists open and filled positions in Workday HCM. | +| `workday_list_workers` | Lists workers from Workday HCM with support for pagination via `limit` and `offset`. | +| `workday_run_raas_report` | Executes a Workday Report-as-a-Service (RaaS) custom report by path and returns the result rows. 
| + +--- + +## Summary + +| Service | Shard | Status | Tool count | +|---|---|---|---| +| Active Directory | `identity` | 🟢 Green | 7 | +| Audit (cross-system) | `audit` / `main.py` | 🟢 Green | 6 | +| BMC Helix (ITSM) | `itsm` | 🔴 Planned | 6 | +| FedEx | `logistics` | 🔴 Planned | 5 | +| Microsoft Entra ID | `identity` | 🟢 Green | 8 | +| Microsoft Intune | `assets` | 🔴 Planned | 7 | +| Lansweeper | `assets` | 🔴 Planned | 4 | +| Workday | `workday` | 🟡 In progress | 7 | +| **Total** | | | **50** | + +--- + +*Generated: 2026-04-14 | Source: `nexus-mcp/src/shards/` + `nexus-mcp/src/main.py`*
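Review bot: The `ad_get_disabled_accounts` row in the Active Directory table documents the filter as `userAccountControl = 514`, an exact-value match that only covers a normal account with the disable flag and no other flag set, while the same row promises "all disabled user accounts". A disabled account that also has password-never-expires set (66050), for example, falls outside that definition. If the tool does filter on equality, it should test the ACCOUNTDISABLE bit (0x2) instead, for instance with the LDAP bitwise-AND matching rule `1.2.840.113556.1.4.803`; if it already does, the row should say so rather than quote 514. Two smaller points in the same file: the introduction states the services are sorted alphabetically, but Lansweeper is placed after Microsoft Intune in both the body and the Summary table; and the Summary uses status labels ("🔴 Planned", "🟡 In progress") and a shard label (`audit` / `main.py`) that differ from the per-service headers ("🔴 Red (Planned)", "🟡 Yellow (WIS-009)", `audit` + `main.py`), so pick one form. For `workday_run_raas_report`, which takes a report path, and `workday_get_compensation`, the inventory would benefit from a column or note stating the required permission and whether the path is restricted to an allowlist, in the same way the Entra rows name their Graph permissions.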