@mgsoftwarebv/mg-dashboard-mcp 6.5.0 → 6.6.1

package/dist/index.js

@@ -17,6 +17,9 @@ import { drizzle } from 'drizzle-orm/postgres-js';
 import postgres from 'postgres';
 import { readFile, mkdtemp, writeFile, rm } from 'fs/promises';
 import { tmpdir } from 'os';
+import { once } from 'events';
+import https from 'https';
+import { connect } from 'tls';
 import { HeadObjectCommand, S3Client, ListObjectsV2Command, DeleteObjectsCommand, DeleteObjectCommand, CreateMultipartUploadCommand, UploadPartCommand, CompleteMultipartUploadCommand, AbortMultipartUploadCommand, PutObjectCommand, GetObjectCommand, CopyObjectCommand } from '@aws-sdk/client-s3';
 
 var __defProp = Object.defineProperty;
@@ -314,7 +317,7 @@ function rewriteUrl(originalUrl, localPort) {
   parsed.port = String(localPort);
   return parsed.toString();
 }
-async function connectSsh(opts) {
+async function connectSsh2(opts) {
   return await new Promise((resolve, reject) => {
     const conn = new Client();
     const onError = (err) => {
@@ -374,7 +377,7 @@ async function fetchRemoteEnvValue(options) {
   const privateKey = readFileSync(privateKeyPath);
   const keepaliveIntervalMs = options.keepaliveIntervalMs ?? 3e4;
   const envKey = options.envKey ?? "DATABASE_PRIMARY_URL";
-  const conn = await connectSsh({ host, port, username, privateKey, keepaliveIntervalMs });
+  const conn = await connectSsh2({ host, port, username, privateKey, keepaliveIntervalMs });
   try {
     const safePath = options.remoteEnvPath.replace(/'/g, "'\\''");
     const result = await execOverSsh(conn, `cat -- '${safePath}'`);
@@ -400,7 +403,7 @@ async function openDbSshTunnel(options) {
   const parsedDbUrl = new URL(options.databaseUrl);
   const remoteHost = parsedDbUrl.hostname;
   const remotePort = Number(parsedDbUrl.port || "5432");
-  const conn = await connectSsh({ host, port, username, privateKey, keepaliveIntervalMs });
+  const conn = await connectSsh2({ host, port, username, privateKey, keepaliveIntervalMs });
   conn.on("error", (err) => {
     console.error(`[mcp][db-ssh-tunnel] ssh connection error: ${err.message}`);
   });
@@ -460,7 +463,7 @@ var connectionConfig = {
     }
   },
   connection: {
-    application_name: `mg-dashboard-${process.env.VERCEL ? "vercel" : process.env.TRIGGER_RUN_ID ? "trigger" : "local"}`
+    application_name: `mg-dashboard-${process.env.TRIGGER_RUN_ID ? "trigger" : "local"}`
   }
 };
 function getDatabaseUrl() {
@@ -1525,6 +1528,97 @@ async function handleRepoTool(name, args2, deps) {
       return { content: [{ type: "text", text: `Unknown repo tool: ${name}` }] };
   }
 }
+function connectSsh(opts) {
+  return new Promise((resolve, reject) => {
+    const client = new Client();
+    client.once("ready", () => resolve(client));
+    client.once("error", reject);
+    client.connect({
+      host: opts.hostname,
+      port: opts.port,
+      username: opts.username,
+      password: opts.password,
+      privateKey: opts.privateKey,
+      passphrase: opts.passphrase,
+      readyTimeout: opts.timeout ?? 3e4
+    });
+  });
+}
+function forwardOut(client, host, port) {
+  return new Promise((resolve, reject) => {
+    client.forwardOut("127.0.0.1", 0, host, port, (err, stream) => {
+      if (err) reject(err);
+      else resolve(stream);
+    });
+  });
+}
+async function fetchViaSshProxy(options) {
+  const parsedUrl = new URL(options.url);
+  if (parsedUrl.protocol !== "https:") {
+    throw new Error(`fetchViaSshProxy only supports https URLs, got ${parsedUrl.protocol}`);
+  }
+  const targetHost = parsedUrl.hostname;
+  const targetPort = parsedUrl.port ? Number(parsedUrl.port) : 443;
+  const method = options.method ?? "GET";
+  const body = options.body ?? "";
+  const headers = { ...options.headers };
+  if (body && !headers["Content-Length"]) {
+    headers["Content-Length"] = String(Buffer.byteLength(body));
+  }
+  headers.Host = parsedUrl.host;
+  const ssh = await connectSsh(options.proxy);
+  const timeoutMs = options.timeoutMs ?? 6e4;
+  let timer;
+  try {
+    const stream = await forwardOut(ssh, targetHost, targetPort);
+    const tlsSocket = connect({
+      socket: stream,
+      servername: targetHost,
+      ALPNProtocols: ["http/1.1"]
+    });
+    await Promise.race([
+      once(tlsSocket, "secureConnect"),
+      new Promise((_, reject) => {
+        timer = setTimeout(
+          () => reject(new Error(`mijn.host fetch via SSH proxy timed out after ${timeoutMs}ms`)),
+          timeoutMs
+        );
+      })
+    ]);
+    if (timer) clearTimeout(timer);
+    return await new Promise((resolve, reject) => {
+      const req = https.request(
+        {
+          createConnection: () => tlsSocket,
+          hostname: targetHost,
+          port: targetPort,
+          path: `${parsedUrl.pathname}${parsedUrl.search}`,
+          method,
+          headers,
+          agent: false
+        },
+        (res) => {
+          const chunks = [];
+          res.on("data", (chunk) => chunks.push(chunk));
+          res.on("end", () => {
+            resolve({
+              status: res.statusCode ?? 0,
+              statusText: res.statusMessage ?? "",
+              body: Buffer.concat(chunks).toString("utf8")
+            });
+          });
+          res.on("error", reject);
+        }
+      );
+      req.on("error", reject);
+      if (body) req.write(body);
+      req.end();
+    });
+  } finally {
+    if (timer) clearTimeout(timer);
+    ssh.end();
+  }
+}
 var args = process.argv.slice(2);
 function getArg2(name) {
   return args.find((a) => a.startsWith(`--${name}=`))?.split("=").slice(1).join("=");
@@ -1540,6 +1634,14 @@ var sshKeyPath = getArg2("ssh-key") || process.env.MG_DASHBOARD_SSH_KEY;
 var databaseUrl = getArg2("database-url") || process.env.DATABASE_PRIMARY_POOLER_URL || process.env.DATABASE_PRIMARY_URL;
 var encryptionKey = getArg2("encryption-key") || process.env.ENCRYPTION_KEY;
 var mijnhostApiKey = getArg2("mijnhost-api-key") || process.env.MIJNHOST_API_KEY;
+function isMijnhostViaSshProxyEnabled() {
+  const arg = getArg2("mijnhost-via-ssh-proxy");
+  if (arg === "false" || arg === "0") return false;
+  const env = process.env.MG_DASHBOARD_MIJNHOST_VIA_SSH_PROXY;
+  if (env === "0" || env === "false") return false;
+  return true;
+}
+var mijnhostViaSshProxy = isMijnhostViaSshProxyEnabled();
 var dbSshTunnel = getArg2("db-ssh-tunnel") || process.env.MG_DASHBOARD_DB_SSH_TUNNEL;
 var dbRemoteEnvFile = getArg2("db-remote-env-file") || process.env.MG_DASHBOARD_DB_REMOTE_ENV_FILE;
 var dbRemoteEnvKey = getArg2("db-remote-env-key") || process.env.MG_DASHBOARD_DB_REMOTE_ENV_KEY || "DATABASE_PRIMARY_URL";
@@ -1577,6 +1679,9 @@ if (dbSshTunnel) {
 process.env.DATABASE_PRIMARY_URL = databaseUrl;
 process.env.DATABASE_PRIMARY_POOLER_URL = databaseUrl;
 var db = getDb();
+if (mijnhostApiKey && mijnhostViaSshProxy) {
+  console.error("[mcp][mijnhost] Routing mijn.host API via SSH proxy");
+}
 var RateLimiter = class {
   buckets = /* @__PURE__ */ new Map();
   maxAttempts;
@@ -3918,23 +4023,81 @@ function describeDnsCandidates(records, type, name, attemptedValue) {
 }
 async function mijnhostFetch(path, options = {}) {
   const key = requireMijnhostApiKey();
-  const res = await fetch(`${MIJNHOST_BASE_URL}${path}`, {
-    ...options,
-    headers: {
-      "API-Key": key,
-      "Accept": "application/json",
-      "Content-Type": "application/json",
-      "User-Agent": "mg-dashboard-mcp/2.2.0",
-      ...options.headers || {}
-    }
-  });
-  const json = await res.json();
+  const headers = {
+    "API-Key": key,
+    "Accept": "application/json",
+    "Content-Type": "application/json",
+    "User-Agent": "mg-dashboard-mcp/6.6.0",
+    ...options.headers || {}
+  };
+  const method = options.method ?? "GET";
+  const requestBody = typeof options.body === "string" ? options.body : options.body != null ? String(options.body) : void 0;
+  let status;
+  let responseText;
+  if (mijnhostViaSshProxy) {
+    const proxy = await getProxyConnection();
+    const proxied = await fetchViaSshProxy({
+      proxy,
+      url: `${MIJNHOST_BASE_URL}${path}`,
+      method,
+      headers,
+      body: requestBody,
+      timeoutMs: 6e4
+    });
+    status = proxied.status;
+    responseText = proxied.body;
+  } else {
+    const res = await fetch(`${MIJNHOST_BASE_URL}${path}`, {
+      ...options,
+      headers
+    });
+    status = res.status;
+    responseText = await res.text();
+  }
+  let json;
+  try {
+    json = JSON.parse(responseText);
+  } catch {
+    throw new Error(
+      `mijn.host API returned non-JSON (${status}): ${responseText.slice(0, 300)}`
+    );
+  }
   const body = json;
-  if (!res.ok) {
-    throw new Error(body?.status_description || `mijn.host API error: ${res.status}`);
+  if (status < 200 || status >= 300) {
+    throw new Error(body?.status_description || `mijn.host API error: ${status}`);
   }
   return body;
 }
+var DNS_MIN_INTERVAL_MS = 750;
+var DNS_RETRY_BACKOFF_MS = 1500;
+var dnsZoneQueue = /* @__PURE__ */ new Map();
+var dnsLastPutAt = /* @__PURE__ */ new Map();
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function withDnsZoneLock(domain, fn) {
+  const key = domain.toLowerCase();
+  const previous = dnsZoneQueue.get(key) ?? Promise.resolve();
+  const run = previous.then(async () => {
+    const last = dnsLastPutAt.get(key) ?? 0;
+    const wait = DNS_MIN_INTERVAL_MS - (Date.now() - last);
+    if (wait > 0) await sleep(wait);
+    return fn();
+  });
+  const queued = run.finally(() => {
+    if (dnsZoneQueue.get(key) === queued) dnsZoneQueue.delete(key);
+  });
+  dnsZoneQueue.set(key, queued.catch(() => {
+  }));
+  return run;
+}
+function markDnsPut(domain) {
+  dnsLastPutAt.set(domain.toLowerCase(), Date.now());
+}
+function isTransientMijnhostError(err) {
+  const msg = err instanceof Error ? err.message : String(err);
+  return /Internal Server Error|API error: 5\d\d|fetch failed|ETIMEDOUT|ECONNRESET/i.test(msg);
+}
 var TOOLS = [
   {
     name: "list-servers",
@@ -4298,7 +4461,7 @@ var TOOLS = [
   },
   {
     name: "dns-record",
-    description: 'Mutate a single DNS record on a mijn.host domain. Pick the mutation with `action`:\n- "create": add a new record. Required: type, name, value. Optional: ttl (default 3600).\n- "update": replace an existing record. Required: type, name, oldValue, newValue. Optional: ttl.\n- "delete": remove a record. Required: type, name, value.\n\nAlways pass `dryRun: true` first when touching MX / SPF / DKIM / DMARC \u2014 returns a full before/after diff with a mail-auth warning and applies nothing. Re-run without dryRun once the diff looks correct.\n\nUse `dns-list` to inspect the current zone first if you need to identify the right `oldValue`. Requires MIJNHOST_API_KEY.',
+    description: 'Mutate a single DNS record on a mijn.host domain. Pick the mutation with `action`:\n- "create": add a new record. Required: type, name, value. Optional: ttl (default 3600).\n- "update": replace an existing record. Required: type, name, oldValue, newValue. Optional: ttl.\n- "delete": remove a record. Required: type, name, value.\n\nAlways pass `dryRun: true` first when touching MX / SPF / DKIM / DMARC \u2014 returns a full before/after diff with a mail-auth warning and applies nothing. Re-run without dryRun once the diff looks correct.\n\nUse `dns-list` to inspect the current zone first if you need to identify the right `oldValue`. Requires MIJNHOST_API_KEY.\n\nConcurrency: calls are automatically serialized per domain (mijn.host\'s API does GET-then-PUT-the-whole-zone, so parallel calls would race and silently drop records). A minimum 750 ms gap is enforced between PUTs to the same zone, transient 5xx errors are retried once, and a stale-snapshot guard refuses to PUT a zone that suddenly shrunk. You can still fire calls in parallel \u2014 they just queue safely behind each other per domain.',
     inputSchema: {
       type: "object",
       properties: {
@@ -4320,7 +4483,7 @@ var TOOLS = [
   // ----- Repo reference -----
   ...REPO_TOOLS
 ];
-var MCP_VERSION = "6.3.0";
+var MCP_VERSION = "6.6.0";
 async function handleListTools() {
   if (!authContext) return { tools: TOOLS };
   const accessible = TOOLS.filter((tool) => {
@@ -5985,74 +6148,102 @@ ${lines.join("\n")}` }] };
         if (!domain || !type || !dnsName) {
           throw new Error("domain, type, and name are required");
         }
-        const current = await mijnhostFetch(
-          `/domains/${encodeURIComponent(domain)}/dns`
-        );
-        let nextRecords;
-        let diffArgs;
-        let okMessage;
-        if (action === "create") {
-          const value = typeof a.value === "string" ? a.value : "";
-          if (!value) throw new Error('action="create" requires value');
-          const ttl = Number(a.ttl) || 3600;
-          const newRecord = { type, name: dnsName, value, ttl };
-          nextRecords = [...current.data.records, newRecord];
-          diffArgs = { verb: "create", added: [newRecord] };
-          okMessage = `DNS record created: ${type} ${dnsName} \u2192 ${value} (TTL: ${ttl})`;
-        } else if (action === "update") {
-          const oldValue = typeof a.oldValue === "string" ? a.oldValue : "";
-          const newValue = typeof a.newValue === "string" ? a.newValue : "";
-          if (!oldValue || !newValue) throw new Error('action="update" requires oldValue and newValue');
-          const ttlArg = a.ttl !== void 0 ? Number(a.ttl) : void 0;
-          const idx = current.data.records.findIndex(
-            (r) => r.type === type && r.name === dnsName && r.value === oldValue
+        return withDnsZoneLock(domain, async () => {
+          const fetchZone = () => mijnhostFetch(
+            `/domains/${encodeURIComponent(domain)}/dns`
           );
-          if (idx === -1) {
-            throw new Error(
-              `No matching DNS record found: ${type} ${dnsName} = ${oldValue}
+          let current = await fetchZone();
+          if (current.data.records.length === 0) {
+            await sleep(DNS_RETRY_BACKOFF_MS);
+            current = await fetchZone();
+          }
+          let nextRecords;
+          let diffArgs;
+          let okMessage;
+          if (action === "create") {
+            const value = typeof a.value === "string" ? a.value : "";
+            if (!value) throw new Error('action="create" requires value');
+            const ttl = Number(a.ttl) || 3600;
+            const newRecord = { type, name: dnsName, value, ttl };
+            nextRecords = [...current.data.records, newRecord];
+            diffArgs = { verb: "create", added: [newRecord] };
+            okMessage = `DNS record created: ${type} ${dnsName} \u2192 ${value} (TTL: ${ttl})`;
+          } else if (action === "update") {
+            const oldValue = typeof a.oldValue === "string" ? a.oldValue : "";
+            const newValue = typeof a.newValue === "string" ? a.newValue : "";
+            if (!oldValue || !newValue) throw new Error('action="update" requires oldValue and newValue');
+            const ttlArg = a.ttl !== void 0 ? Number(a.ttl) : void 0;
+            const idx = current.data.records.findIndex(
+              (r) => r.type === type && r.name === dnsName && r.value === oldValue
+            );
+            if (idx === -1) {
+              throw new Error(
+                `No matching DNS record found: ${type} ${dnsName} = ${oldValue}
 ` + describeDnsCandidates(current.data.records, type, dnsName, oldValue)
+              );
+            }
+            const updated = [...current.data.records];
+            const before = updated[idx];
+            const after = {
+              type,
+              name: dnsName,
+              value: newValue,
+              ttl: ttlArg ?? before.ttl
+            };
+            updated[idx] = after;
+            nextRecords = updated;
+            diffArgs = { verb: "update", removed: [before], added: [after] };
+            okMessage = `DNS record updated: ${type} ${dnsName} \u2192 ${newValue}${ttlArg ? ` (TTL: ${ttlArg})` : ""}`;
+          } else {
+            const value = typeof a.value === "string" ? a.value : "";
+            if (!value) throw new Error('action="delete" requires value');
+            const removed = current.data.records.filter(
+              (r) => r.type === type && r.name === dnsName && r.value === value
+            );
+            const remaining = current.data.records.filter(
+              (r) => !(r.type === type && r.name === dnsName && r.value === value)
             );
+            if (removed.length === 0) {
+              throw new Error(
+                `No matching DNS record found: ${type} ${dnsName} = ${value}
+` + describeDnsCandidates(current.data.records, type, dnsName, value)
+              );
+            }
+            nextRecords = remaining;
+            diffArgs = { verb: "delete", removed };
+            okMessage = `DNS record deleted: ${type} ${dnsName} = ${value} (${remaining.length} records remaining)`;
           }
-          const updated = [...current.data.records];
-          const before = updated[idx];
-          const after = {
-            type,
-            name: dnsName,
-            value: newValue,
-            ttl: ttlArg ?? before.ttl
-          };
-          updated[idx] = after;
-          nextRecords = updated;
-          diffArgs = { verb: "update", removed: [before], added: [after] };
-          okMessage = `DNS record updated: ${type} ${dnsName} \u2192 ${newValue}${ttlArg ? ` (TTL: ${ttlArg})` : ""}`;
-        } else {
-          const value = typeof a.value === "string" ? a.value : "";
-          if (!value) throw new Error('action="delete" requires value');
-          const removed = current.data.records.filter(
-            (r) => r.type === type && r.name === dnsName && r.value === value
-          );
-          const remaining = current.data.records.filter(
-            (r) => !(r.type === type && r.name === dnsName && r.value === value)
-          );
-          if (removed.length === 0) {
+          if (dryRun) {
+            const diff = formatDnsDiff(domain, current.data.records, nextRecords, diffArgs);
+            return { content: [{ type: "text", text: diff }] };
+          }
+          if (nextRecords.length < 3 && current.data.records.length >= 5 && action !== "delete") {
             throw new Error(
-              `No matching DNS record found: ${type} ${dnsName} = ${value}
-` + describeDnsCandidates(current.data.records, type, dnsName, value)
+              `Aborting PUT: would shrink ${domain} from ${current.data.records.length} to ${nextRecords.length} records. This usually indicates a stale zone snapshot from mijn.host. Run dns-list and retry.`
             );
           }
-          nextRecords = remaining;
-          diffArgs = { verb: "delete", removed };
-          okMessage = `DNS record deleted: ${type} ${dnsName} = ${value} (${remaining.length} records remaining)`;
-        }
-        if (dryRun) {
-          const diff = formatDnsDiff(domain, current.data.records, nextRecords, diffArgs);
-          return { content: [{ type: "text", text: diff }] };
-        }
-        await mijnhostFetch(`/domains/${encodeURIComponent(domain)}/dns`, {
-          method: "PUT",
-          body: JSON.stringify({ records: nextRecords })
+          try {
+            await mijnhostFetch(`/domains/${encodeURIComponent(domain)}/dns`, {
+              method: "PUT",
+              body: JSON.stringify({ records: nextRecords })
+            });
+          } catch (err) {
+            if (!isTransientMijnhostError(err)) throw err;
+            await sleep(DNS_RETRY_BACKOFF_MS);
+            const refetched = await fetchZone();
+            const stillNeedsApply = action === "create" ? !refetched.data.records.some((r) => r.type === type && r.name === dnsName && r.value === (typeof a.value === "string" ? a.value : "")) : true;
+            if (!stillNeedsApply) {
+              markDnsPut(domain);
+              return { content: [{ type: "text", text: `${okMessage} (already applied; recovered from transient error)` }] };
+            }
+            await mijnhostFetch(`/domains/${encodeURIComponent(domain)}/dns`, {
+              method: "PUT",
+              body: JSON.stringify({ records: nextRecords })
+            });
+          }
+          markDnsPut(domain);
+          return { content: [{ type: "text", text: okMessage }] };
         });
-        return { content: [{ type: "text", text: okMessage }] };
       }
       default:
         if (TRIGGER_TOOL_NAMES.has(name)) {