@mseep/mcp-swarmpit 0.1.0

package/CLAUDE.md

@@ -0,0 +1,128 @@
+# mcp-swarmpit
+
+MCP server that wraps the Swarmpit REST API so MCP clients (Claude Code, opencode, etc.) can manage Docker Swarm clusters. Runs locally over stdio, holds the API token in its own process environment — tokens never enter the LLM conversation context.
+
+## Architecture
+
+```
+src/
+  index.ts           — entry: load config, startup health check, register tools, connect stdio
+  config.ts          — SwarmpitConfig + redact mode loaded from env (SWARMPIT_URL/TOKEN/REDACT/REDACT_PATTERNS)
+  client.ts          — SwarmpitClient: typed HTTP methods per API endpoint (native fetch)
+  sanitize.ts        — redaction utilities for services, compose YAML; $env: resolver; [REDACTED] round-trip
+  types.ts           — TypeScript types for Swarmpit API responses
+  tools/
+    register.ts      — wires all tool registrations, creates single SwarmpitClient instance
+    helpers.ts       — toolResult/toolError, resolveEnvRef, resolveData ($env/$file), prepareServiceForUpdate
+    services.ts      — list/get/create/update/redeploy/rollback/stop/scale/delete + env management
+    stacks.ts        — list/get/create/update/redeploy/rollback/deactivate/delete + stack-file variants
+    networks.ts      — list/get/create/delete + services-using
+    nodes.ts         — list/get/get_tasks/edit/delete
+    tasks.ts         — list/get
+    volumes.ts       — list/get/create/delete + services-using
+    secrets.ts       — list/get (redacted)/create ($env/$file)/delete + services-using
+    configs.ts       — list/get (redacted)/create ($env/$file)/delete + services-using
+    admin.ts         — list/get/create/edit/delete users
+    dashboard.ts     — pin/unpin node or service
+    timeseries.ts    — nodes/services cpu/memory/task metrics
+    util.ts          — swarmpit_info
+  test/              — node:test suites (run `npm test`)
+swagger.json         — saved from a running Swarmpit instance for reference
+```
+
+Tools are each under ~50 lines, all follow the same pattern: zod input schema, try/catch, `toolResult` or `toolError`. Full API coverage (79/79 non-timeseries endpoints + all timeseries/dashboard/admin).
+
+## Build & test
+
+- Node >= 18, TypeScript, ES modules (`"type": "module"`)
+- `npm run build` — compile to `dist/`
+- `npm run dev` — watch mode
+- `npm test` — runs `tsc` (`pretest`) then `node --test dist/test/*.test.js`
+
+Tests use Node's built-in test runner. Pattern for integration tests (see `test/file-ref.test.ts`): hand-rolled mock server that captures handlers registered via `server.tool(...)`, plus a mock client that records calls. Invoke the handler directly, assert on captured arguments. Avoids the MCP transport layer entirely.
+
+## Configuration
+
+Three env vars drive the server, loaded by `config.ts`:
+
+| Env | Required | Notes |
+|-----|----------|-------|
+| `SWARMPIT_URL` | Yes | Base URL, trailing slashes stripped |
+| `SWARMPIT_TOKEN` | Yes | Accepts with or without `Bearer ` prefix |
+| `SWARMPIT_REDACT` | No | `all` (default), `sensitive`, `none` |
+| `SWARMPIT_REDACT_PATTERNS` | No | Comma-separated extra regex patterns for sensitive mode |
+
+Config validation runs at startup; fatal errors exit with a message. Immediately after, `checkConnection()` calls `listNodes()` to verify auth and warn (not fail) if the token is wrong.
+
+## Security model — secrets never in LLM context
+
+Three layers keep user secrets out of the conversation:
+
+1. **Response sanitization** (`sanitize.ts`)
+   - `sanitizeService`: env var values replaced with `[REDACTED]`. `all` redacts all, `sensitive` matches name patterns (`pass`, `secret`, `token`, `key`, `auth`, `credential`, `private`, `dsn`, `connection.?string`) + user-provided `SWARMPIT_REDACT_PATTERNS`.
+   - `sanitizeComposeYaml`: same redaction applied to YAML env vars (both `KEY: val` and `- KEY=val` forms).
+   - Secrets/configs `data` field zeroed unless mode is `none`.
+
+2. **`$env:` / `$file` references in tool inputs** (`helpers.ts::resolveEnvRef`, `resolveData`)
+   - `update_service_env` accepts `{ $env: "MY_SECRET" }` per-var — resolved from `process.env` server-side.
+   - `create_stack` / `update_stack` / `create_stack_file` accept YAML with `$env:VAR_NAME` tokens (string or `{ $file: /path }`) — `resolveComposeEnvRefs` replaces them before sending.
+   - `create_secret` / `create_config` accept `{ $file: /path }` to read payload from disk (saves thousands of tokens on HTML pages, certs, large compose files).
+
+3. **`[REDACTED]` round-trip on stack update** (`sanitize.ts::restoreRedactedValues`)
+   - `get_stack` returns compose with sensitive values as `[REDACTED]`.
+   - `update_stack` fetches the current raw compose, restores `[REDACTED]` values from it, then applies `$env:` resolution. Lets the user edit only what they need without accidentally overwriting secrets.
+
+4. **`SWARMPIT_TOKEN_FILE` to keep the token out of MCP client configs** (`config.ts::loadToken`)
+   - If `SWARMPIT_TOKEN_FILE` is set, token is read from the referenced path at startup. Takes precedence over `SWARMPIT_TOKEN`.
+   - Matters because Claude Code and similar clients can accidentally dump `.mcp.json` (with inlined `SWARMPIT_TOKEN`) to conversation via their `Read` tool. Users are directed to add a `permissions.deny` rule on `.mcp.json` and use `SWARMPIT_TOKEN_FILE` — see README "Token handling".
+
+If you add a new tool that takes user-provided data, use `resolveData` (supports plain string, `$env`, `$file`) instead of accepting raw strings for any non-trivial payload.
+
+## Swarmpit API quirks (learned the hard way)
+
+Real Swarmpit behaviour diverges from its own Swagger spec in several places. Keep these in mind if you extend the client:
+
+- **`POST /api/secrets` and `/api/configs` want base64** — the Swagger types `data: string` but the server rejects raw strings with `invalid JSON: illegal base64 data at input byte 0`. `client.ts` encodes on the way in. Not yet filed upstream.
+
+- **`GET /api/services/{id}/logs` requires `since`** as a Go duration string (`30s`, `5m`, `1h`), NOT a unix timestamp or ISO 8601. Default in the client is `5m`. Filed [swarmpit#730](https://github.com/swarmpit/swarmpit/issues/730) for the lack of documentation (closed).
+
+- **Nested `{ spec: { compose } }`** — `getStackFile`, `getStackCompose`, `getServiceCompose` all wrap the compose string under `spec.compose`, but the swagger types it as flat `{ compose: string }`. The client normalises to `{ compose }`. Don't trust the swagger. (I initially filed [swarmpit#729](https://github.com/swarmpit/swarmpit/issues/729) thinking the endpoint was broken — it wasn't, just poorly documented.)
+
+- **Service edit used to reject its own GET response** — [swarmpit#724](https://github.com/swarmpit/swarmpit/issues/724) (now fixed): `POST /api/services/{id}` complained about `imageDigest` being empty (`"nginx:alpine@"`). `prepareServiceForUpdate()` in `helpers.ts` strips nulls, strips read-only fields (`id`, `createdAt`, `updatedAt`, `state`, `status`), and trims `repository` to `{ name, tag }`. Keep this logic — even if the server bug is fixed, the read-only fields and nulls still cause issues.
+
+- **`POST /api/stacks/{name}` edit wants `name` in the body** — not just the path param. `updateStack()` adds it automatically.
+
+- **Timeseries endpoints (`/api/nodes/ts`, `/api/services/ts/cpu|memory`, `/api/tasks/{name}/ts`) return huge payloads** — often >100KB. Use the tools sparingly or expect token truncation in clients.
+
+## Adding a new tool
+
+1. Add a typed method to `SwarmpitClient` (`client.ts`) — use `this.request<T>(method, path, body?)`.
+2. Add a registration function in a resource file under `tools/` (follow the shape of existing ones).
+3. Wire it in `tools/register.ts` alongside the others.
+4. If it accepts user data that could be large or sensitive, accept `string | { $env } | { $file }` and call `resolveData` first.
+5. If it returns data that could contain secrets, pass it through the appropriate sanitizer. Respect the `redact` mode.
+6. If it's destructive (`DELETE`, data loss), require `confirm: z.boolean()` and return a `toolError` if not set.
+7. Add tests: unit test for any new sanitizer logic, integration test using the mock-server pattern if it touches `$file`/`$env`/redaction.
+
+## Publishing / distribution
+
+Not on npm (yet) — users install via `npx github:swarmpit/mcp` in their MCP client's config. Works because `package.json` has a `bin` entry pointing at `dist/index.js` and npm installs fetch+build on first run. If we publish to npm later, just flip the `mcp-swarmpit` name for `@swarmpit/mcp` and add `publishConfig.access: public`.
+
+## Useful commands
+
+```bash
+# Hit the live Swarmpit API directly (bypassing the MCP) to debug:
+curl -s -H "Authorization: Bearer $SWARMPIT_TOKEN" "$SWARMPIT_URL/api/services" | jq .
+
+# Re-fetch the swagger from a running Swarmpit (helps when API diverges from local copy):
+curl -s $SWARMPIT_URL/api/swagger.json > swagger.json
+
+# List all endpoints from swagger:
+jq -r '.paths | to_entries[] | .key as $p | .value | keys[] | "\(. | ascii_upcase)\t\($p)"' swagger.json | sort
+```
+
+## Style / conventions
+
+- Keep commit messages lowercase and succinct (`fix X`, `support $file refs for stack compose`) — no AI/Claude/Anthropic references, no Co-Authored-By.
+- Only push on explicit user request.
+- No code comments for the "what" — names should carry it. Comments only when the "why" is non-obvious (e.g. the base64 encoding workaround, nested `spec.compose` normalisation).

package/README.md

@@ -0,0 +1,416 @@
+# mcp-swarmpit
+
+MCP server for managing [Swarmpit](https://swarmpit.io) Docker Swarm instances from any MCP-compatible client. 100% Swarmpit API coverage (79 endpoints).
+
+The server runs locally and holds API tokens — they never enter the LLM conversation context.
+
+Works with [opencode](https://opencode.ai) (recommended), [Claude Code](https://claude.ai/code), and any other MCP client.
+
+## Configuration
+
+### opencode
+
+Add to your `.opencode.json`:
+
+```json
+{
+  "mcpServers": {
+    "swarmpit-prod": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["github:swarmpit/mcp"],
+      "env": {
+        "SWARMPIT_URL": "https://swarmpit.example.com",
+        "SWARMPIT_TOKEN": "your-api-token",
+        "SWARMPIT_REDACT": "sensitive"
+      }
+    }
+  }
+}
+```
+
+### Claude Code
+
+Add to your `.mcp.json` (project-level) or `~/.claude.json` (global):
+
+```json
+{
+  "mcpServers": {
+    "swarmpit-prod": {
+      "command": "npx",
+      "args": ["github:swarmpit/mcp"],
+      "env": {
+        "SWARMPIT_URL": "https://swarmpit.example.com",
+        "SWARMPIT_TOKEN": "your-api-token",
+        "SWARMPIT_REDACT": "sensitive"
+      }
+    }
+  }
+}
+```
+
+Get your API token from Swarmpit UI: Profile → API Access → Generate token.
+
+### Multiple servers
+
+Register each as a separate MCP server instance:
+
+```json
+{
+  "mcpServers": {
+    "swarmpit-prod": {
+      "command": "npx",
+      "args": ["github:swarmpit/mcp"],
+      "env": {
+        "SWARMPIT_URL": "https://swarmpit.prod.example.com",
+        "SWARMPIT_TOKEN": "prod-token",
+        "SWARMPIT_REDACT": "sensitive"
+      }
+    },
+    "swarmpit-staging": {
+      "command": "npx",
+      "args": ["github:swarmpit/mcp"],
+      "env": {
+        "SWARMPIT_URL": "https://swarmpit.staging.example.com",
+        "SWARMPIT_TOKEN": "staging-token",
+        "SWARMPIT_REDACT": "sensitive"
+      }
+    }
+  }
+}
+```
+
+Tools appear namespaced: `swarmpit-prod: list_services`, `swarmpit-staging: list_services`.
+
+### Environment variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `SWARMPIT_URL` | Yes | Swarmpit instance URL |
+| `SWARMPIT_TOKEN` | One of | API token (with or without `Bearer ` prefix). Avoid putting in `.mcp.json` — see [token handling](#token-handling). |
+| `SWARMPIT_TOKEN_FILE` | One of | Path to a file containing the token. Takes precedence over `SWARMPIT_TOKEN`. **Recommended** for production use. |
+| `SWARMPIT_REDACT` | No | Redaction mode: `all` (default), `sensitive`, or `none` |
+| `SWARMPIT_REDACT_PATTERNS` | No | Comma-separated extra patterns to redact in `sensitive` mode (regex, case-insensitive) |
+
+### Redaction modes
+
+| Mode | Env vars | Secrets/Configs data |
+|------|----------|---------------------|
+| `all` | All values redacted | Redacted |
+| `sensitive` | Only names matching patterns | Redacted |
+| `none` | No redaction | Not redacted |
+
+> **Warning:** `none` mode sends all environment variables, secrets, and config data in full to the LLM provider. Only use this with a local model (e.g. via ollama/opencode) or on servers that definitely do not contain any sensitive environment variables or configs. Never use `none` with cloud-hosted LLM providers on production infrastructure.
+
+Built-in sensitive patterns: `pass`, `secret`, `token`, `key`, `auth`, `credential`, `private`, `dsn`, `connection_string`.
+
+Add custom patterns via `SWARMPIT_REDACT_PATTERNS`:
+
+```json
+"env": {
+  "SWARMPIT_REDACT": "sensitive",
+  "SWARMPIT_REDACT_PATTERNS": "GRAFANA,RPC,ENDPOINT,DATABASE"
+}
+```
+
+## Tools
+
+### Services
+
+| Tool | Description |
+|------|-------------|
+| `list_services` | List all services |
+| `get_service` | Get service details |
+| `service_logs` | Get service logs |
+| `create_service` | Create a service |
+| `update_service` | Update a service |
+| `redeploy_service` | Redeploy (optionally with new tag) |
+| `rollback_service` | Rollback to previous version |
+| `stop_service` | Stop a service |
+| `scale_service` | Scale replicas |
+| `list_service_tasks` | List service tasks/containers |
+| `delete_service` | Delete (requires `confirm: true`) |
+| `update_service_env` | Set/remove env vars (supports `$env` references) |
+| `get_service_env` | Get specific env var values by name |
+| `get_service_compose` | Get compose YAML for a service |
+| `get_service_networks` | Get networks attached to a service |
+
+### Stacks
+
+| Tool | Description |
+|------|-------------|
+| `list_stacks` | List all stacks |
+| `get_stack` | Get stack services and compose file |
+| `create_stack` | Create from compose YAML |
+| `update_stack` | Update with new compose YAML |
+| `redeploy_stack` | Redeploy all services |
+| `rollback_stack` | Rollback all services |
+| `deactivate_stack` | Stop all services in a stack |
+| `delete_stack` | Delete (requires `confirm: true`) |
+| `get_stack_tasks` | List all tasks in a stack |
+| `get_stack_volumes` | List all volumes in a stack |
+| `get_stack_networks` | List all networks in a stack |
+| `get_stack_compose` | Get generated compose YAML |
+| `get_stack_secrets` | List secrets in a stack |
+| `get_stack_configs` | List configs in a stack |
+| `create_stack_file` | Upload a compose file for a stack |
+| `delete_stack_file` | Delete stack compose file (requires `confirm: true`) |
+
+### Networks
+
+| Tool | Description |
+|------|-------------|
+| `list_networks` | List all networks |
+| `get_network` | Get network details |
+| `create_network` | Create a network |
+| `delete_network` | Delete (requires `confirm: true`) |
+| `get_network_services` | List services using a network |
+
+### Nodes
+
+| Tool | Description |
+|------|-------------|
+| `list_nodes` | List all nodes |
+| `get_node` | Get node details |
+| `get_node_tasks` | List tasks running on a node |
+| `edit_node` | Edit node properties |
+| `delete_node` | Remove a node (requires `confirm: true`) |
+
+### Tasks
+
+| Tool | Description |
+|------|-------------|
+| `list_tasks` | List all tasks |
+| `get_task` | Get task details |
+
+### Volumes
+
+| Tool | Description |
+|------|-------------|
+| `list_volumes` | List all volumes |
+| `get_volume` | Get volume details |
+| `create_volume` | Create a volume |
+| `delete_volume` | Delete (requires `confirm: true`) |
+| `get_volume_services` | List services using a volume |
+
+### Secrets
+
+| Tool | Description |
+|------|-------------|
+| `list_secrets` | List all secrets (data redacted) |
+| `get_secret` | Get secret details (data redacted) |
+| `create_secret` | Create a secret (supports `$env` / `$file` references) |
+| `delete_secret` | Delete (requires `confirm: true`) |
+| `get_secret_services` | List services using a secret |
+
+### Configs
+
+| Tool | Description |
+|------|-------------|
+| `list_configs` | List all configs (data redacted) |
+| `get_config` | Get config details (data redacted) |
+| `create_config` | Create a config (supports `$env` / `$file` references) |
+| `delete_config` | Delete (requires `confirm: true`) |
+| `get_config_services` | List services using a config |
+
+### Admin
+
+| Tool | Description |
+|------|-------------|
+| `list_users` | List all Swarmpit users |
+| `get_user` | Get user details |
+| `create_user` | Create a user |
+| `edit_user` | Edit user properties |
+| `delete_user` | Delete (requires `confirm: true`) |
+
+### Dashboard
+
+| Tool | Description |
+|------|-------------|
+| `pin_service_to_dashboard` | Pin a service to the Swarmpit dashboard |
+| `unpin_service_from_dashboard` | Remove a service from the dashboard |
+| `pin_node_to_dashboard` | Pin a node to the dashboard |
+| `unpin_node_from_dashboard` | Remove a node from the dashboard |
+
+### Timeseries
+
+| Tool | Description |
+|------|-------------|
+| `get_nodes_timeseries` | Node CPU/memory/disk over time |
+| `get_services_cpu_timeseries` | Service CPU usage over time |
+| `get_services_memory_timeseries` | Service memory usage over time |
+| `get_task_timeseries` | Task metrics over time |
+
+### Utility
+
+| Tool | Description |
+|------|-------------|
+| `swarmpit_info` | Show connected URL and redaction mode |
+
+## Token handling
+
+Putting `SWARMPIT_TOKEN` directly in `.mcp.json` is convenient but risky: if anything (including Claude / the LLM) reads `.mcp.json`, the token leaks into the conversation and API logs. **Two hardening steps you should take:**
+
+### 1. Block MCP config files from being read
+
+Add this to your project `.claude/settings.json` so Claude Code refuses to `Read` credential-holding files:
+
+```json
+{
+  "permissions": {
+    "deny": [
+      "Read(.mcp.json)",
+      "Read(**/.mcp.json)",
+      "Read(.env)",
+      "Read(.env.*)",
+      "Read(**/.env)",
+      "Read(**/.env.*)",
+      "Read(**/*credentials*)",
+      "Read(**/secrets/**)",
+      "Read(**/*.pem)",
+      "Read(**/*.key)"
+    ]
+  }
+}
+```
+
+### 2. Use `SWARMPIT_TOKEN_FILE` instead of inline
+
+Store the token in a file outside the repo and reference it by path. The token never appears in `.mcp.json` itself:
+
+```bash
+# Write the token to a restricted file
+install -m 600 /dev/stdin ~/.config/swarmpit/lark.token <<<'your-token-here'
+```
+
+```json
+{
+  "mcpServers": {
+    "swarmpit-lark": {
+      "command": "npx",
+      "args": ["github:swarmpit/mcp"],
+      "env": {
+        "SWARMPIT_URL": "https://swarmpit.example.com",
+        "SWARMPIT_TOKEN_FILE": "/Users/you/.config/swarmpit/lark.token",
+        "SWARMPIT_REDACT": "sensitive"
+      }
+    }
+  }
+}
+```
+
+### 3. Password manager integration
+
+For even stronger posture, have the MCP spawn with a secret manager:
+
+```json
+{
+  "swarmpit-lark": {
+    "command": "op",
+    "args": ["run", "--", "npx", "github:swarmpit/mcp"],
+    "env": {
+      "SWARMPIT_URL": "https://swarmpit.example.com",
+      "SWARMPIT_TOKEN": "op://Private/Swarmpit Lark/token",
+      "SWARMPIT_REDACT": "sensitive"
+    }
+  }
+}
+```
+
+1Password's `op run` substitutes `op://...` references at process start. macOS users can do the equivalent with `security find-generic-password` in a wrapper script.
+
+If your token has already been exposed (e.g. you saw it scroll through a log), rotate it in Swarmpit UI → Profile → API Access → regenerate.
+
+## Secret handling
+
+Secrets in `.mcp.json` `env` are passed to the MCP server process but **never sent to the LLM**.
+
+### Reading from local files
+
+For large payloads (HTML pages, compose files, certs) use `$file` to have the MCP server read from disk instead of passing content through the LLM context:
+
+```
+create_config(configName: "my_dashboard", data: { "$file": "/path/to/index.html" })
+create_secret(secretName: "tls_cert", data: { "$file": "/etc/ssl/server.crt" })
+create_stack(name: "myapp", compose: { "$file": "/path/to/stack.yml" })
+update_stack(name: "myapp", compose: { "$file": "/path/to/stack.yml" })
+```
+
+Saves context/credits on anything larger than a few hundred bytes. `$env:` references inside the file are still resolved before sending to Swarmpit.
+
+### Service env vars
+
+Use `$env` references to set secrets without them entering the conversation:
+
+```
+update_service_env(id: "my-service", set: {
+  "NODE_ENV": "production",
+  "DB_PASSWORD": { "$env": "MY_DB_PASS" }
+})
+```
+
+`MY_DB_PASS` is resolved from the MCP server's environment. Add it to `.mcp.json` env:
+
+```json
+"env": {
+  "SWARMPIT_URL": "...",
+  "SWARMPIT_TOKEN": "...",
+  "MY_DB_PASS": "the-actual-password"
+}
+```
+
+### Stack compose files
+
+When reading stacks, env var values are redacted according to the redaction mode. When updating, `[REDACTED]` values are automatically preserved from the current stack — only changed values are updated:
+
+```yaml
+# Returned by get_stack (sensitive mode):
+environment:
+  NODE_ENV: production           # visible
+  DB_PASSWORD: [REDACTED]        # redacted
+
+# Sent to update_stack — only NODE_ENV changed:
+environment:
+  NODE_ENV: staging              # new value
+  DB_PASSWORD: [REDACTED]        # preserved from current stack
+```
+
+Use `$env:VAR_NAME` for new secrets in compose:
+
+```yaml
+environment:
+  NEW_SECRET: $env:MY_SECRET     # resolved locally
+```
+
+## Development
+
+```bash
+git clone https://github.com/swarmpit/mcp
+cd mcp
+npm install
+npm run build        # compile TypeScript
+npm run dev          # watch mode
+npm test             # run tests
+```
+
+When developing locally, point `.mcp.json` at your local build:
+
+```json
+{
+  "mcpServers": {
+    "swarmpit-dev": {
+      "command": "node",
+      "args": ["/path/to/mcp/dist/index.js"],
+      "env": {
+        "SWARMPIT_URL": "https://swarmpit.example.com",
+        "SWARMPIT_TOKEN": "your-token",
+        "SWARMPIT_REDACT": "sensitive"
+      }
+    }
+  }
+}
+```
+
+## License
+
+MIT

package/dist/client.d.ts

@@ -0,0 +1,107 @@
+import type { SwarmpitService, SwarmpitStack, SwarmpitNetwork, SwarmpitNode, SwarmpitTask, SwarmpitVolume, SwarmpitLogEntry } from "./types.js";
+export declare class SwarmpitApiError extends Error {
+    status: number;
+    statusText: string;
+    body: string;
+    constructor(status: number, statusText: string, body: string);
+}
+export declare class SwarmpitClient {
+    private baseUrl;
+    private token;
+    private timeout;
+    constructor(baseUrl: string, token: string, timeout?: number);
+    private request;
+    listServices(): Promise<SwarmpitService[]>;
+    getService(id: string): Promise<SwarmpitService>;
+    getServiceLogs(id: string, since?: string): Promise<SwarmpitLogEntry[]>;
+    createService(spec: Record<string, unknown>): Promise<{
+        id: string;
+    }>;
+    updateService(id: string, spec: Record<string, unknown>): Promise<void>;
+    redeployService(id: string, tag?: string): Promise<void>;
+    rollbackService(id: string): Promise<void>;
+    stopService(id: string): Promise<void>;
+    deleteService(id: string): Promise<void>;
+    getServiceTasks(id: string): Promise<SwarmpitTask[]>;
+    getServiceCompose(id: string): Promise<{
+        compose: string;
+    }>;
+    getServiceNetworks(id: string): Promise<SwarmpitNetwork[]>;
+    listStacks(): Promise<SwarmpitStack[]>;
+    getStackServices(name: string): Promise<SwarmpitService[]>;
+    getStackFile(name: string): Promise<{
+        compose: string;
+    }>;
+    createStack(spec: {
+        name: string;
+        spec: {
+            compose: string;
+        };
+    }): Promise<void>;
+    updateStack(name: string, compose: string): Promise<void>;
+    redeployStack(name: string): Promise<void>;
+    rollbackStack(name: string): Promise<void>;
+    deactivateStack(name: string): Promise<void>;
+    getStackTasks(name: string): Promise<SwarmpitTask[]>;
+    getStackVolumes(name: string): Promise<SwarmpitVolume[]>;
+    getStackNetworks(name: string): Promise<SwarmpitNetwork[]>;
+    getStackCompose(name: string): Promise<{
+        compose: string;
+    }>;
+    getStackSecrets(name: string): Promise<Record<string, unknown>[]>;
+    getStackConfigs(name: string): Promise<Record<string, unknown>[]>;
+    createStackFile(name: string, compose: string): Promise<void>;
+    deleteStackFile(name: string): Promise<void>;
+    deleteStack(name: string): Promise<void>;
+    listNetworks(): Promise<SwarmpitNetwork[]>;
+    getNetwork(id: string): Promise<SwarmpitNetwork>;
+    getNetworkServices(id: string): Promise<SwarmpitService[]>;
+    createNetwork(spec: Record<string, unknown>): Promise<void>;
+    deleteNetwork(id: string): Promise<void>;
+    listNodes(): Promise<SwarmpitNode[]>;
+    getNode(id: string): Promise<SwarmpitNode>;
+    editNode(id: string, spec: Record<string, unknown>): Promise<void>;
+    deleteNode(id: string): Promise<void>;
+    getNodeTasks(id: string): Promise<SwarmpitTask[]>;
+    listTasks(): Promise<SwarmpitTask[]>;
+    getTask(id: string): Promise<SwarmpitTask>;
+    listVolumes(): Promise<SwarmpitVolume[]>;
+    getVolume(name: string): Promise<SwarmpitVolume>;
+    getVolumeServices(name: string): Promise<SwarmpitService[]>;
+    createVolume(spec: Record<string, unknown>): Promise<void>;
+    deleteVolume(name: string): Promise<void>;
+    listSecrets(): Promise<Record<string, unknown>[]>;
+    getSecret(id: string): Promise<Record<string, unknown>>;
+    getSecretServices(id: string): Promise<SwarmpitService[]>;
+    createSecret(spec: {
+        secretName: string;
+        data: string;
+    }): Promise<void>;
+    deleteSecret(id: string): Promise<void>;
+    listConfigs(): Promise<Record<string, unknown>[]>;
+    getConfig(id: string): Promise<Record<string, unknown>>;
+    getConfigServices(id: string): Promise<SwarmpitService[]>;
+    createConfig(spec: {
+        configName: string;
+        data: string;
+    }): Promise<void>;
+    deleteConfig(id: string): Promise<void>;
+    listUsers(): Promise<Record<string, unknown>[]>;
+    getUser(id: string): Promise<Record<string, unknown>>;
+    createUser(spec: {
+        username: string;
+        password: string;
+        role: string;
+        email?: string;
+    }): Promise<void>;
+    editUser(id: string, spec: Record<string, unknown>): Promise<void>;
+    deleteUser(id: string): Promise<void>;
+    pinNodeToDashboard(id: string): Promise<void>;
+    unpinNodeFromDashboard(id: string): Promise<void>;
+    pinServiceToDashboard(id: string): Promise<void>;
+    unpinServiceFromDashboard(id: string): Promise<void>;
+    getNodesTimeseries(): Promise<unknown>;
+    getServicesCpuTimeseries(): Promise<unknown>;
+    getServicesMemoryTimeseries(): Promise<unknown>;
+    getTaskTimeseries(name: string): Promise<unknown>;
+}