@mgsoftwarebv/mg-dashboard-mcp 3.4.4 → 3.6.0

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { spawn } from 'child_process';
-import { existsSync, readFileSync } from 'fs';
-import { join } from 'path';
+import { existsSync, statSync, readFileSync } from 'fs';
+import { join, isAbsolute } from 'path';
 import { Client as Client$1 } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
@@ -1372,6 +1372,8 @@ var TOOL_MODULE_MAP = {
   "sftp-delete": "ssh_servers",
   "docker-list": "ssh_servers",
   "docker-logs": "ssh_servers",
+  "docker-exec": "ssh_servers",
+  "docker-compose": "ssh_servers",
   "db-discover": "ssh_servers",
   "db-tables": "ssh_servers",
   "db-describe": "ssh_servers",
@@ -1819,6 +1821,28 @@ async function attemptVercelSync(appName, environment, knownStageId) {
     return `Vercel sync error: ${msg}`;
   }
 }
+function posixQuote(arg) {
+  if (arg === "") return "''";
+  if (/^[A-Za-z0-9._\/=:@%+\-]+$/.test(arg)) return arg;
+  return "'" + arg.replace(/'/g, "'\\''") + "'";
+}
+function buildPosixCommand(command, args2) {
+  const program = /^[A-Za-z0-9._\/\- ]+$/.test(command) ? command : posixQuote(command);
+  if (args2.length === 0) return program;
+  return `${program} ${args2.map(posixQuote).join(" ")}`;
+}
+function buildPowerShellEncodedCommand(command, args2) {
+  const psSingleQuote = (s) => "'" + s.replace(/'/g, "''") + "'";
+  let psExpr;
+  if (args2.length === 0) {
+    psExpr = command;
+  } else {
+    psExpr = `& ${psSingleQuote(command)} ${args2.map(psSingleQuote).join(" ")}`;
+  }
+  const utf16 = Buffer.from(psExpr, "utf16le");
+  const b64 = utf16.toString("base64");
+  return `powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand ${b64}`;
+}
 var SSH_PROXY_SERVER_ID = "03659d55-e194-400d-b82a-bf6457371ded";
 var _proxyConnCache = null;
 async function getProxyConnection() {
@@ -1838,7 +1862,7 @@ async function getProxyConnection() {
 }
 async function getServerConnection(serverId) {
   assertServerAccess(serverId);
-  const { data, error } = await supabase.from("ssh_server").select("hostname, port, username, password_encrypted, ssh_key_encrypted, ssh_key_passphrase_encrypted, allowed_ssh_ips").eq("id", serverId).single();
+  const { data, error } = await supabase.from("ssh_server").select("hostname, port, username, password_encrypted, ssh_key_encrypted, ssh_key_passphrase_encrypted, allowed_ssh_ips, os_type").eq("id", serverId).single();
   if (error || !data) throw new Error(`Server not found: ${serverId}`);
   if (!encryptionKey) throw new Error("ENCRYPTION_KEY required to decrypt server credentials");
   const conn = {
@@ -1851,10 +1875,11 @@ async function getServerConnection(serverId) {
   };
   const needsProxy = data.allowed_ssh_ips !== null && serverId !== SSH_PROXY_SERVER_ID;
   const proxy = needsProxy ? await getProxyConnection() : void 0;
-  return { conn, proxy };
+  const os = data.os_type === "windows" ? "windows" : "linux";
+  return { conn, proxy, os };
 }
-async function sshExec(opts, command, proxy) {
-  if (proxy) return sshExecViaProxy(proxy, opts, command);
+async function sshExec(opts, command, proxy, options) {
+  if (proxy) return sshExecViaProxy(proxy, opts, command, options);
   return new Promise((resolve) => {
     const ssh = new Client();
     let stdout = "";
@@ -1893,6 +1918,9 @@ async function sshExec(opts, command, proxy) {
             resolve({ stdout, stderr, exitCode: code ?? 0 });
           }
         });
+        if (options?.stdin !== void 0) {
+          stream.end(options.stdin);
+        }
       });
     });
     ssh.on("error", (err) => {
@@ -1913,7 +1941,7 @@ async function sshExec(opts, command, proxy) {
     });
   });
 }
-function sshExecViaProxy(proxyOpts, targetOpts, command) {
+function sshExecViaProxy(proxyOpts, targetOpts, command, options) {
   return new Promise((resolve) => {
     const proxyClient = new Client();
     let done = false;
@@ -1967,6 +1995,9 @@ function sshExecViaProxy(proxyOpts, targetOpts, command) {
                 resolve({ stdout, stderr, exitCode: code ?? 0 });
               }
             });
+            if (options?.stdin !== void 0) {
+              stream.end(options.stdin);
+            }
           });
         });
         targetClient.on("error", (targetErr) => {
@@ -2005,7 +2036,8 @@ function sshExecViaProxy(proxyOpts, targetOpts, command) {
     });
   });
 }
-function connectSshClient(opts, proxy, readyTimeout = 6e4) {
+function connectSshClient(opts, proxy, readyTimeout = 6e4, extraConnect) {
+  const compress = extraConnect?.compress;
   if (!proxy) {
     return new Promise((resolve, reject) => {
       const ssh = new Client();
@@ -2018,7 +2050,8 @@ function connectSshClient(opts, proxy, readyTimeout = 6e4) {
         password: opts.password,
         privateKey: opts.privateKey,
         passphrase: opts.passphrase,
-        readyTimeout
+        readyTimeout,
+        ...compress ? { compress } : {}
       });
     });
   }
@@ -2052,7 +2085,8 @@ function connectSshClient(opts, proxy, readyTimeout = 6e4) {
           password: opts.password,
           privateKey: opts.privateKey,
           passphrase: opts.passphrase,
-          readyTimeout
+          readyTimeout,
+          ...compress ? { compress } : {}
         });
       });
     });
@@ -2088,8 +2122,22 @@ function assertWritablePath(path) {
     }
   }
 }
-async function sftpReaddir(opts, dirPath, proxy) {
-  const safe = sanitizePath(dirPath);
+function globToRegExp(pattern) {
+  let re = "";
+  for (const c of pattern) {
+    if (c === "*") re += ".*";
+    else if (c === "?") re += ".";
+    else if (/[.+^${}()|[\]\\]/.test(c)) re += "\\" + c;
+    else re += c;
+  }
+  return new RegExp(`^${re}$`);
+}
+async function sftpReaddir(opts, dirPath, proxy, options) {
+  const recursive = options?.recursive === true;
+  const maxDepth = Math.max(1, Math.min(20, options?.maxDepth ?? 5));
+  const maxResults = Math.max(1, Math.min(5e4, options?.maxResults ?? 5e3));
+  const matcher = options?.pattern ? globToRegExp(options.pattern) : null;
+  const rootSafe = sanitizePath(dirPath);
   let cleanup;
   try {
     const { client, cleanup: c } = await connectSshClient(opts, proxy, 3e4);
@@ -2099,7 +2147,7 @@ async function sftpReaddir(opts, dirPath, proxy) {
         cleanup?.();
         resolve("Error: timeout");
         cleanup = void 0;
-      }, 3e4);
+      }, 6e4);
       client.sftp((err, sftp) => {
         if (err) {
           clearTimeout(timer);
@@ -2108,24 +2156,48 @@ async function sftpReaddir(opts, dirPath, proxy) {
           resolve(`Error: ${err.message}`);
           return;
         }
-        sftp.readdir(safe, (err2, list) => {
-          clearTimeout(timer);
-          if (err2) {
-            cleanup?.();
-            cleanup = void 0;
-            resolve(`Error: ${err2.message}`);
-            return;
-          }
-          const entries = list.map((item) => {
-            const mode = item.attrs.mode || 0;
-            const isDir = (mode & 61440) === 16384;
-            const size = item.attrs.size || 0;
-            const mtime = item.attrs.mtime ? new Date(item.attrs.mtime * 1e3).toISOString() : "";
-            return `${isDir ? "d" : "-"} ${String(size).padStart(10)} ${mtime} ${item.filename}`;
+        const lines = [];
+        let truncated = false;
+        const readOne = (path, depth) => new Promise((resolveOne) => {
+          sftp.readdir(path, (err2, list) => {
+            if (err2) {
+              lines.push(`! error reading ${path}: ${err2.message}`);
+              return resolveOne();
+            }
+            const subdirs = [];
+            for (const item of list) {
+              if (lines.length >= maxResults) {
+                truncated = true;
+                break;
+              }
+              const mode = item.attrs.mode || 0;
+              const isDir = (mode & 61440) === 16384;
+              const size = item.attrs.size || 0;
+              const mtime = item.attrs.mtime ? new Date(item.attrs.mtime * 1e3).toISOString() : "";
+              const fullPath = path === "/" ? `/${item.filename}` : `${path}/${item.filename}`;
+              const include = !matcher || matcher.test(item.filename);
+              if (include) {
+                const display = recursive ? fullPath : item.filename;
+                lines.push(`${isDir ? "d" : "-"} ${String(size).padStart(10)} ${mtime} ${display}`);
+              }
+              if (isDir && recursive && depth < maxDepth) subdirs.push(fullPath);
+            }
+            if (truncated || subdirs.length === 0) return resolveOne();
+            (async () => {
+              for (const sub of subdirs) {
+                if (truncated) break;
+                await readOne(sub, depth + 1);
+              }
+              resolveOne();
+            })();
           });
+        });
+        readOne(rootSafe, 1).then(() => {
+          clearTimeout(timer);
           cleanup?.();
           cleanup = void 0;
-          resolve(entries.join("\n"));
+          if (truncated) lines.push(`... (truncated at ${maxResults} entries; raise maxResults or narrow path/pattern)`);
+          resolve(lines.length ? lines.join("\n") : "No entries");
         });
       });
     });
@@ -2192,46 +2264,129 @@ async function sftpRead(opts, filePath, proxy) {
     return `Error: ${e.message}`;
   }
 }
-async function sftpWrite(opts, filePath, content, proxy) {
+var SFTP_FASTPUT_CONCURRENCY = 64;
+var SFTP_FASTPUT_CHUNK_SIZE = 65536;
+var SFTP_IDLE_TIMEOUT_MS = 12e4;
+var SFTP_INLINE_TIMEOUT_MS = 6e4;
+var SFTP_PROGRESS_LOG_BYTES = 50 * 1024 * 1024;
+function formatBytes(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
+  return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+}
+async function sftpWrite(opts, filePath, input, proxy) {
   const safe = sanitizePath(filePath);
   assertWritablePath(safe);
+  let mode;
+  let inlineBuffer;
+  let localPath;
+  let expectedBytes = 0;
+  if ("content" in input && typeof input.content === "string") {
+    mode = "content";
+    inlineBuffer = Buffer.from(input.content, "utf-8");
+    expectedBytes = inlineBuffer.length;
+  } else if ("sourcePath" in input && typeof input.sourcePath === "string") {
+    mode = "sourcePath";
+    localPath = input.sourcePath;
+    if (!isAbsolute(localPath)) return `Error: sourcePath must be an absolute path: ${localPath}`;
+    if (!existsSync(localPath)) return `Error: sourcePath does not exist: ${localPath}`;
+    const st = statSync(localPath);
+    if (!st.isFile()) return `Error: sourcePath is not a regular file: ${localPath}`;
+    expectedBytes = st.size;
+  } else {
+    return "Error: sftp-write requires exactly one of: content (string) or sourcePath (absolute local path)";
+  }
+  const compress = mode === "content";
+  const startedAt = Date.now();
   let cleanup;
   try {
-    const { client, cleanup: c } = await connectSshClient(opts, proxy, 6e4);
+    const { client, cleanup: c } = await connectSshClient(opts, proxy, 6e4, { compress });
     cleanup = c;
     return await new Promise((resolve) => {
-      const timer = setTimeout(() => {
+      let resolved = false;
+      let bytesWritten = 0;
+      const finish = (msg) => {
+        if (resolved) return;
+        resolved = true;
+        watchdog?.cancel();
+        wallTimer && clearTimeout(wallTimer);
         cleanup?.();
-        resolve("Error: timeout");
         cleanup = void 0;
-      }, 6e4);
+        resolve(msg);
+      };
+      let watchdog;
+      let wallTimer;
+      if (mode === "sourcePath") {
+        const armWatchdog = () => {
+          let timer = setTimeout(
+            () => finish(`Error: idle timeout (no SFTP progress for ${SFTP_IDLE_TIMEOUT_MS / 1e3}s, wrote ${formatBytes(bytesWritten)} of ${formatBytes(expectedBytes)})`),
+            SFTP_IDLE_TIMEOUT_MS
+          );
+          return {
+            reset: () => {
+              clearTimeout(timer);
+              timer = setTimeout(
+                () => finish(`Error: idle timeout (no SFTP progress for ${SFTP_IDLE_TIMEOUT_MS / 1e3}s, wrote ${formatBytes(bytesWritten)} of ${formatBytes(expectedBytes)})`),
+                SFTP_IDLE_TIMEOUT_MS
+              );
+            },
+            cancel: () => clearTimeout(timer)
+          };
+        };
+        watchdog = armWatchdog();
+      } else {
+        wallTimer = setTimeout(
+          () => finish(`Error: timeout after ${SFTP_INLINE_TIMEOUT_MS / 1e3}s`),
+          SFTP_INLINE_TIMEOUT_MS
+        );
+      }
       client.sftp((err, sftp) => {
-        if (err) {
-          clearTimeout(timer);
-          cleanup?.();
-          cleanup = void 0;
-          resolve(`Error: ${err.message}`);
+        if (err) return finish(`Error: ${err.message}`);
+        if (mode === "content") {
+          const ws = sftp.createWriteStream(safe, { mode: 420 });
+          ws.on("error", (e) => finish(`Error: ${e.message}`));
+          ws.on("close", () => {
+            const elapsed = Date.now() - startedAt;
+            finish(`Written ${expectedBytes} bytes to ${safe} in ${elapsed}ms`);
+          });
+          ws.end(inlineBuffer);
           return;
         }
-        const ws = sftp.createWriteStream(safe, { mode: 420 });
-        ws.on("close", () => {
-          clearTimeout(timer);
-          cleanup?.();
-          cleanup = void 0;
-          resolve(`Written ${content.length} bytes to ${safe}`);
-        });
-        ws.on("error", (e) => {
-          clearTimeout(timer);
-          cleanup?.();
-          cleanup = void 0;
-          resolve(`Error: ${e.message}`);
-        });
-        ws.end(Buffer.from(content, "utf-8"));
+        let nextProgressLog = SFTP_PROGRESS_LOG_BYTES;
+        sftp.fastPut(
+          localPath,
+          safe,
+          {
+            concurrency: SFTP_FASTPUT_CONCURRENCY,
+            chunkSize: SFTP_FASTPUT_CHUNK_SIZE,
+            mode: 420,
+            fileSize: expectedBytes,
+            step: (transferred) => {
+              bytesWritten = transferred;
+              watchdog?.reset();
+              if (transferred >= nextProgressLog) {
+                console.error(
+                  `[sftp-write] ${formatBytes(transferred)} / ${formatBytes(expectedBytes)} \u2192 ${safe}`
+                );
+                nextProgressLog += SFTP_PROGRESS_LOG_BYTES;
+              }
+            }
+          },
+          (fpErr) => {
+            if (fpErr) return finish(`Error: ${fpErr.message}`);
+            const elapsed = Date.now() - startedAt;
+            const mbps = expectedBytes / (1024 * 1024) / Math.max(1e-3, elapsed / 1e3);
+            finish(
+              `Uploaded ${formatBytes(expectedBytes)} from ${localPath} to ${safe} in ${(elapsed / 1e3).toFixed(1)}s (${mbps.toFixed(1)} MB/s)`
+            );
+          }
+        );
       });
     });
   } catch (e) {
     cleanup?.();
-    return `Error: ${e.message}`;
+    return `Error: ${e instanceof Error ? e.message : String(e)}`;
   }
 }
 async function sftpDelete(opts, filePath, proxy) {
@@ -2466,12 +2621,15 @@ var TOOLS = [
   },
   {
     name: "ssh-execute",
-    description: "Execute a shell command on a remote server via SSH. Some dangerous commands are blocked for safety.",
+    description: 'Execute a command on a remote server via SSH. OS-aware: automatically wraps in bash on linux servers and `powershell -EncodedCommand` (UTF-16LE base64) on windows servers, so $, #, quotes, spaces inside `args` are never re-interpreted by a shell. Some dangerous commands are blocked. Use `list-servers` first to see each server\'s os_type.\nTwo ways to invoke (use `args` for anything with passwords or special chars):\n- Quick: `command` only, e.g. `command: "df -h"` (raw shell string, OS-dispatched but caller-quoted).\n- Safe: `command` + `args[]`, e.g. `command: "mysql"`, `args: ["-u", "root", "-p$tr@nge#pwd", "-e", "SELECT 1"]` \u2014 every arg is quoted/encoded for the target OS.\n`stdin` lets you pipe data into the remote process (queries, scripts, secrets) without putting it on the command line.',
     inputSchema: {
       type: "object",
       properties: {
         serverId: { type: "string", description: "UUID of the SSH server" },
-        command: { type: "string", description: "Shell command to execute" },
+        command: { type: "string", description: 'Program/command to run (e.g. "mysql", "Get-Service", "df"). Required.' },
+        args: { type: "array", items: { type: "string" }, description: "Optional argv list. When provided, each entry is safely quoted/encoded for the target OS." },
+        stdin: { type: "string", description: "Optional data piped to the remote process stdin (use for SQL queries, scripts, secrets \u2014 anything you do NOT want on the command line)." },
+        shell: { type: "string", enum: ["auto", "bash", "powershell"], description: `Override shell selection (default "auto" uses the server's os_type).` },
         timeout: { type: "number", description: "Timeout in milliseconds (default: 60000)" }
       },
       required: ["serverId", "command"]
@@ -2479,12 +2637,16 @@ var TOOLS = [
   },
   {
     name: "sftp-list",
-    description: "List files and directories at a given path on a remote server via SFTP.",
+    description: 'List files and directories on a remote server via SFTP. Supports recursive traversal and glob filtering, eliminating the need to fall back on `ssh-execute "find ..."`.',
     inputSchema: {
       type: "object",
       properties: {
         serverId: { type: "string", description: "UUID of the SSH server" },
-        path: { type: "string", description: "Directory path to list (default: /)" }
+        path: { type: "string", description: "Directory path to list (default: /)" },
+        recursive: { type: "boolean", description: "Walk into subdirectories (default false)" },
+        maxDepth: { type: "number", description: "Maximum recursion depth (1-20, default 5)" },
+        pattern: { type: "string", description: 'Glob pattern to filter filenames (e.g. "*.conf", "wp-*.php"). Matches basename only.' },
+        maxResults: { type: "number", description: "Cap total entries returned (default 5000, max 50000)" }
       },
       required: ["serverId"]
     }
@@ -2503,15 +2665,16 @@ var TOOLS = [
   },
   {
     name: "sftp-write",
-    description: "Write content to a file on a remote server via SFTP. Protected system paths are blocked.",
+    description: "Write a file to a remote server via SFTP. Two modes (provide exactly one of `content` or `sourcePath`):\n- `content` (string): inline UTF-8 text. Best for configs, scripts, small JSON. Practical max ~1 MB.\n- `sourcePath` (absolute local path): streams a local file with ssh2 fastPut (64 parallel pipelined writes, 64 KiB chunks). Handles GB-scale files (zips, dumps, builds) without going through the LLM. Only usable when the MCP server runs locally on your machine (i.e. not via --proxy-url).\nProtected system paths on the remote are blocked.",
     inputSchema: {
       type: "object",
       properties: {
         serverId: { type: "string", description: "UUID of the SSH server" },
-        path: { type: "string", description: "File path to write" },
-        content: { type: "string", description: "File content to write" }
+        path: { type: "string", description: "Remote file path to write" },
+        content: { type: "string", description: "Inline UTF-8 file content (mutually exclusive with sourcePath)" },
+        sourcePath: { type: "string", description: "Absolute local file path to upload via fastPut (mutually exclusive with content). Use for files >1 MB or any binary." }
       },
-      required: ["serverId", "path", "content"]
+      required: ["serverId", "path"]
     }
   },
   {
@@ -2528,28 +2691,66 @@ var TOOLS = [
   },
   {
     name: "docker-list",
-    description: "List all Docker containers on a remote server (running and stopped).",
+    description: "List Docker containers on a remote server. Adds the docker-compose project label as the last column so you can immediately see which compose project a container belongs to.",
     inputSchema: {
       type: "object",
       properties: {
-        serverId: { type: "string", description: "UUID of the SSH server" }
+        serverId: { type: "string", description: "UUID of the SSH server" },
+        format: { type: "string", enum: ["table", "json"], description: "Output format: human table (default) or NDJSON (one JSON object per line, includes labels)." },
+        composeOnly: { type: "boolean", description: "Only show containers that have a docker-compose project label." }
       },
       required: ["serverId"]
     }
   },
   {
     name: "docker-logs",
-    description: "Get recent logs from a Docker container.",
+    description: "Get logs from a Docker container. Supports time-window (`since`) and server-side `grep` to keep responses small. Always merges stderr into stdout.",
     inputSchema: {
       type: "object",
       properties: {
         serverId: { type: "string", description: "UUID of the SSH server" },
         containerName: { type: "string", description: "Container name or ID" },
-        lines: { type: "number", description: "Number of log lines to retrieve (default: 100)" }
+        lines: { type: "number", description: "Number of log lines to retrieve (default: 100)" },
+        since: { type: "string", description: 'Time window, e.g. "10m", "2h", "24h", or an absolute "2026-05-09T10:00:00".' },
+        grep: { type: "string", description: "Case-insensitive regex/literal filter applied server-side (saves tokens for noisy containers)." }
       },
       required: ["serverId", "containerName"]
     }
   },
+  {
+    name: "docker-exec",
+    description: 'Run a command inside a running Docker container. `args[]` are quoted safely (no shell-escape hell with $ or quotes). Optional `stdin` pipes data into the container process (for SQL, scripts, etc.). Use this instead of `ssh-execute "docker exec ..."`.',
+    inputSchema: {
+      type: "object",
+      properties: {
+        serverId: { type: "string", description: "UUID of the SSH server" },
+        container: { type: "string", description: "Container name or ID" },
+        command: { type: "string", description: 'Program to run inside the container (e.g. "psql", "wp", "node").' },
+        args: { type: "array", items: { type: "string" }, description: "Argument list, each safely quoted." },
+        stdin: { type: "string", description: "Optional data piped to the container process stdin." },
+        workdir: { type: "string", description: "Working directory inside the container (-w)." },
+        user: { type: "string", description: "User to run as inside the container (-u)." },
+        timeout: { type: "number", description: "Timeout in milliseconds (default: 60000)" }
+      },
+      required: ["serverId", "container", "command"]
+    }
+  },
+  {
+    name: "docker-compose",
+    description: 'Run a docker-compose action against a project on a remote server. Replaces the common `ssh-execute "cd /opt/x && docker compose ..."` pattern. Action enum keeps the surface tiny.',
+    inputSchema: {
+      type: "object",
+      properties: {
+        serverId: { type: "string", description: "UUID of the SSH server" },
+        projectPath: { type: "string", description: "Absolute path to the directory containing docker-compose.yml." },
+        action: { type: "string", enum: ["up", "down", "restart", "logs", "ps", "pull", "build"], description: "Compose action." },
+        service: { type: "string", description: 'Optional service name to scope the action to (e.g. "studio"). Omit to act on the whole project.' },
+        tail: { type: "number", description: "For `logs`: number of lines (default 200)." },
+        timeout: { type: "number", description: "Timeout in milliseconds (default: 120000 \u2014 compose ops can be slow)." }
+      },
+      required: ["serverId", "projectPath", "action"]
+    }
+  },
   {
     name: "db-discover",
     description: "Scan /var/www on a server for web applications (WordPress, PrestaShop, Laravel, .env) and list their database credentials. Use this first to find available sites before running other db-* tools.",
@@ -2801,10 +3002,22 @@ async function executeToolCall(name, a, _serverId) {
       case "ssh-execute": {
         const command = String(a.command);
         assertSafeCommand(command);
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const args2 = Array.isArray(a.args) ? a.args.map(String) : void 0;
+        const stdin = typeof a.stdin === "string" ? a.stdin : void 0;
+        const shellOverride = typeof a.shell === "string" ? a.shell : "auto";
+        const { conn, proxy, os } = await getServerConnection(String(a.serverId));
         if (a.timeout) conn.timeout = Number(a.timeout);
-        const result = await sshExec(conn, command, proxy);
-        const output = [`Exit code: ${result.exitCode}`];
+        const shell = shellOverride === "auto" ? os === "windows" ? "powershell" : "bash" : shellOverride;
+        let finalCmd;
+        if (args2 && args2.length > 0) {
+          finalCmd = shell === "powershell" ? buildPowerShellEncodedCommand(command, args2) : buildPosixCommand(command, args2);
+        } else if (shell === "powershell" && !/^powershell\b/i.test(command.trim())) {
+          finalCmd = buildPowerShellEncodedCommand(command, []);
+        } else {
+          finalCmd = command;
+        }
+        const result = await sshExec(conn, finalCmd, proxy, stdin !== void 0 ? { stdin } : void 0);
+        const output = [`Exit code: ${result.exitCode} (os: ${os}, shell: ${shell})`];
         if (result.stdout) output.push(`--- stdout ---
 ${result.stdout}`);
         if (result.stderr) output.push(`--- stderr ---
@@ -2814,7 +3027,12 @@ ${result.stderr}`);
       // ----- SFTP -----
       case "sftp-list": {
         const { conn, proxy } = await getServerConnection(String(a.serverId));
-        const listing = await sftpReaddir(conn, String(a.path || "/"), proxy);
+        const listing = await sftpReaddir(conn, String(a.path || "/"), proxy, {
+          recursive: a.recursive === true,
+          maxDepth: typeof a.maxDepth === "number" ? a.maxDepth : void 0,
+          pattern: typeof a.pattern === "string" ? a.pattern : void 0,
+          maxResults: typeof a.maxResults === "number" ? a.maxResults : void 0
+        });
         return { content: [{ type: "text", text: listing }] };
       }
       case "sftp-read": {
@@ -2824,7 +3042,8 @@ ${result.stderr}`);
       }
       case "sftp-write": {
         const { conn, proxy } = await getServerConnection(String(a.serverId));
-        const result = await sftpWrite(conn, String(a.path), String(a.content), proxy);
+        const input = typeof a.sourcePath === "string" && a.sourcePath.length > 0 ? { sourcePath: a.sourcePath } : { content: String(a.content ?? "") };
+        const result = await sftpWrite(conn, String(a.path), input, proxy);
         return { content: [{ type: "text", text: result }] };
       }
       case "sftp-delete": {
@@ -2834,16 +3053,109 @@ ${result.stderr}`);
       }
       // ----- Docker -----
       case "docker-list": {
+        const format = a.format === "json" ? "json" : "table";
+        const composeOnly = a.composeOnly === true;
+        const filterArg = composeOnly ? ' --filter "label=com.docker.compose.project"' : "";
+        const fmtArg = format === "json" ? ` --format '{{json .}}'` : (
+          // Add the compose project as the last column. Docker's --format
+          // template language uses {{ index .Labels "key" }} for label lookup.
+          ` --format 'table {{.Names}}	{{.Image}}	{{.Status}}	{{.Ports}}	{{ index .Labels "com.docker.compose.project" }}'`
+        );
+        const cmd = `docker ps -a${filterArg}${fmtArg}`;
         const { conn, proxy } = await getServerConnection(String(a.serverId));
-        const result = await sshExec(conn, 'docker ps -a --format "table {{.Names}}	{{.Image}}	{{.Status}}	{{.Ports}}"', proxy);
+        const result = await sshExec(conn, cmd, proxy);
         return { content: [{ type: "text", text: result.exitCode === 0 ? result.stdout : `Error: ${result.stderr}` }] };
       }
       case "docker-logs": {
         const container = String(a.containerName).replace(/[^a-zA-Z0-9._-]/g, "");
         const lines = Number(a.lines) || 100;
+        const sinceRaw = typeof a.since === "string" ? a.since.trim() : "";
+        const grepRaw = typeof a.grep === "string" ? a.grep : "";
+        let sinceArg = "";
+        if (sinceRaw) {
+          if (!/^\d+[smhd]$/i.test(sinceRaw) && !/^\d{4}-\d{2}-\d{2}/.test(sinceRaw)) {
+            return { content: [{ type: "text", text: 'Error: invalid `since` format (expected e.g. "10m", "2h", or ISO timestamp)' }] };
+          }
+          sinceArg = ` --since ${posixQuote(sinceRaw)}`;
+        }
+        const grepSuffix = grepRaw ? ` | grep -i -E ${posixQuote(grepRaw)}` : "";
+        const cmd = `docker logs --tail ${lines}${sinceArg} ${container} 2>&1${grepSuffix}`;
         const { conn, proxy } = await getServerConnection(String(a.serverId));
-        const result = await sshExec(conn, `docker logs --tail ${lines} ${container} 2>&1`, proxy);
-        return { content: [{ type: "text", text: result.exitCode === 0 ? result.stdout : `Error: ${result.stderr}` }] };
+        const result = await sshExec(conn, cmd, proxy);
+        if (result.exitCode !== 0 && !(grepRaw && result.exitCode === 1)) {
+          return { content: [{ type: "text", text: `Error (exit ${result.exitCode}): ${result.stderr || result.stdout}` }] };
+        }
+        return { content: [{ type: "text", text: result.stdout || "(no log lines matched)" }] };
+      }
+      case "docker-exec": {
+        const container = String(a.container).replace(/[^a-zA-Z0-9._-]/g, "");
+        if (!container) return { content: [{ type: "text", text: "Error: invalid container name" }] };
+        const command = String(a.command);
+        const args2 = Array.isArray(a.args) ? a.args.map(String) : [];
+        const stdin = typeof a.stdin === "string" ? a.stdin : void 0;
+        const workdir = typeof a.workdir === "string" && a.workdir ? ["-w", a.workdir] : [];
+        const user = typeof a.user === "string" && a.user ? ["-u", a.user] : [];
+        const stdinFlag = stdin !== void 0 ? ["-i"] : [];
+        const dockerArgs = [...stdinFlag, ...workdir, ...user, container, command, ...args2];
+        const fullCmd = buildPosixCommand("docker", ["exec", ...dockerArgs]);
+        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        if (a.timeout) conn.timeout = Number(a.timeout);
+        const result = await sshExec(conn, fullCmd, proxy, stdin !== void 0 ? { stdin } : void 0);
+        const output = [`Exit code: ${result.exitCode}`];
+        if (result.stdout) output.push(`--- stdout ---
+${result.stdout}`);
+        if (result.stderr) output.push(`--- stderr ---
+${result.stderr}`);
+        return { content: [{ type: "text", text: output.join("\n") }] };
+      }
+      case "docker-compose": {
+        const projectPath = String(a.projectPath);
+        if (!projectPath || !projectPath.startsWith("/")) {
+          return { content: [{ type: "text", text: "Error: projectPath must be an absolute path" }] };
+        }
+        const action = String(a.action);
+        const allowedActions = ["up", "down", "restart", "logs", "ps", "pull", "build"];
+        if (!allowedActions.includes(action)) {
+          return { content: [{ type: "text", text: `Error: invalid action (allowed: ${allowedActions.join(", ")})` }] };
+        }
+        const service = typeof a.service === "string" && a.service ? a.service : "";
+        const tail = Number(a.tail) > 0 ? Number(a.tail) : 200;
+        let composeArgs;
+        switch (action) {
+          case "up":
+            composeArgs = service ? ["up", "-d", service] : ["up", "-d"];
+            break;
+          case "down":
+            composeArgs = service ? ["down", service] : ["down"];
+            break;
+          case "restart":
+            composeArgs = service ? ["restart", service] : ["restart"];
+            break;
+          case "logs":
+            composeArgs = service ? ["logs", "--no-color", `--tail=${tail}`, service] : ["logs", "--no-color", `--tail=${tail}`];
+            break;
+          case "ps":
+            composeArgs = service ? ["ps", service] : ["ps"];
+            break;
+          case "pull":
+            composeArgs = service ? ["pull", service] : ["pull"];
+            break;
+          case "build":
+            composeArgs = service ? ["build", service] : ["build"];
+            break;
+          default:
+            composeArgs = [];
+        }
+        const composeCmd = buildPosixCommand("docker", ["compose", ...composeArgs]);
+        const fullCmd = `cd ${posixQuote(projectPath)} && ${composeCmd} 2>&1`;
+        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        conn.timeout = Number(a.timeout) > 0 ? Number(a.timeout) : 12e4;
+        const result = await sshExec(conn, fullCmd, proxy);
+        const output = [`Exit code: ${result.exitCode} (compose ${action}${service ? ` ${service}` : ""} @ ${projectPath})`];
+        if (result.stdout) output.push(result.stdout);
+        if (result.stderr) output.push(`--- stderr ---
+${result.stderr}`);
+        return { content: [{ type: "text", text: output.join("\n") }] };
       }
       // ----- Database -----
       case "db-discover": {