@owine/unifi-network-mcp 0.9.0

package/README.md

@@ -0,0 +1,241 @@
+# UniFi Network MCP Server
+
+An MCP (Model Context Protocol) server that exposes the UniFi Network Integration API as tools for Claude Code and other MCP clients. Provides 67 tools for managing sites, devices, clients, networks, WiFi, firewalls, ACLs, DNS policies, hotspot vouchers, VPNs, and more.
+
+## Prerequisites
+
+- Node.js 20+
+- A UniFi Network console with the Integration API enabled
+- An API key generated from your UniFi Network console
+
+## Setup
+
+### Quick start (npx)
+
+Add to Claude Code with a single command — no clone or build needed:
+
+```bash
+claude mcp add-json unifi-network '{
+  "command": "npx",
+  "args": ["-y", "@owine/unifi-network-mcp"],
+  "env": {
+    "UNIFI_NETWORK_HOST": "192.168.1.1",
+    "UNIFI_NETWORK_API_KEY": "your-api-key",
+    "UNIFI_NETWORK_VERIFY_SSL": "false"
+  }
+}' -s user
+```
+
+Use `-s user` for global availability across all projects, or `-s project` for the current project only.
+
+### From source
+
+If you prefer to build locally:
+
+```bash
+git clone https://github.com/owine/unifi-network-mcp.git
+cd unifi-network-mcp
+npm install
+npm run build
+```
+
+Then add to Claude Code:
+
+```bash
+claude mcp add-json unifi-network '{
+  "command": "node",
+  "args": ["/path/to/unifi-network-mcp/dist/index.js"],
+  "env": {
+    "UNIFI_NETWORK_HOST": "192.168.1.1",
+    "UNIFI_NETWORK_API_KEY": "your-api-key",
+    "UNIFI_NETWORK_VERIFY_SSL": "false"
+  }
+}' -s user
+```
+
+### Environment Variables
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `UNIFI_NETWORK_HOST` | Yes | — | IP or hostname of your UniFi Network console |
+| `UNIFI_NETWORK_API_KEY` | Yes | — | API key from Network integration settings |
+| `UNIFI_NETWORK_VERIFY_SSL` | No | `true` | Set to `false` to skip TLS certificate verification (needed for self-signed certs) |
+| `UNIFI_NETWORK_READ_ONLY` | No | `false` | Set to `true` to disable all write/mutating tools (monitoring-only mode) |
+
+### Manual Configuration
+
+Alternatively, add to your `~/.claude.json` under the top-level `"mcpServers"` key:
+
+```json
+{
+  "mcpServers": {
+    "unifi-network": {
+      "command": "npx",
+      "args": ["-y", "@owine/unifi-network-mcp"],
+      "env": {
+        "UNIFI_NETWORK_HOST": "192.168.1.1",
+        "UNIFI_NETWORK_API_KEY": "your-api-key",
+        "UNIFI_NETWORK_VERIFY_SSL": "false"
+      }
+    }
+  }
+}
+```
+
+## Safety Features
+
+This server provides layered safety controls for responsible operation:
+
+- **Tool annotations** — Every tool declares `readOnlyHint`, `destructiveHint`, and `idempotentHint` so MCP clients (like Claude Code) can make informed confirmation decisions
+- **Read-only mode** — Set `UNIFI_NETWORK_READ_ONLY=true` to completely hide all write/mutating tools. Only read operations (list, get) are registered. Ideal for monitoring-only deployments
+- **Destructive tool warnings** — Tools that delete or irreversibly modify resources have descriptions prefixed with `DESTRUCTIVE:` to clearly signal risk
+- **Confirmation parameter** — The most dangerous tools (e.g., `unifi_remove_device`, `unifi_bulk_delete_vouchers`) require an explicit `confirm: true` parameter that must be present for the call to succeed
+- **Dry-run support** — All write tools accept an optional `dryRun: true` parameter that returns a preview of the HTTP request (method, path, body) without making any changes
+
+## Tools (67 total)
+
+### System (1)
+| Tool | Description |
+|---|---|
+| `unifi_get_info` | Get application information including version and whether it's a UniFi OS Console |
+
+### Sites (1)
+| Tool | Description |
+|---|---|
+| `unifi_list_sites` | List all sites available to the API key |
+
+### Devices (8)
+| Tool | Description |
+|---|---|
+| `unifi_list_devices` | List all adopted devices at a site |
+| `unifi_get_device` | Get a specific device by ID |
+| `unifi_get_device_statistics` | Get latest statistics for a device |
+| `unifi_list_pending_devices` | List devices pending adoption (global) |
+| `unifi_adopt_device` | Adopt a pending device |
+| `unifi_remove_device` | **DESTRUCTIVE:** Remove (unadopt) a device — may factory reset |
+| `unifi_restart_device` | Restart a device |
+| `unifi_power_cycle_port` | Power cycle a specific port (PoE restart) |
+
+### Clients (4)
+| Tool | Description |
+|---|---|
+| `unifi_list_clients` | List all connected clients (wired, wireless, VPN) at a site |
+| `unifi_get_client` | Get a specific client by ID |
+| `unifi_authorize_guest` | Authorize a guest client on a hotspot network |
+| `unifi_unauthorize_guest` | Unauthorize a guest client |
+
+### Networks (6)
+| Tool | Description |
+|---|---|
+| `unifi_list_networks` | List all networks at a site |
+| `unifi_get_network` | Get a specific network by ID |
+| `unifi_get_network_references` | Get references to a network (WiFi, firewall zones, etc.) |
+| `unifi_create_network` | Create a new network |
+| `unifi_update_network` | Update an existing network |
+| `unifi_delete_network` | **DESTRUCTIVE:** Delete a network — disconnects all clients |
+
+### WiFi (5)
+| Tool | Description |
+|---|---|
+| `unifi_list_wifi` | List all WiFi broadcasts (SSIDs) at a site |
+| `unifi_get_wifi` | Get a specific WiFi network by ID |
+| `unifi_create_wifi` | Create a new WiFi network (SSID) |
+| `unifi_update_wifi` | Update an existing WiFi network |
+| `unifi_delete_wifi` | **DESTRUCTIVE:** Delete a WiFi network — disconnects all clients |
+
+### Hotspot Vouchers (5)
+| Tool | Description |
+|---|---|
+| `unifi_list_vouchers` | List all hotspot vouchers at a site |
+| `unifi_get_voucher` | Get a specific hotspot voucher by ID |
+| `unifi_create_voucher` | Create hotspot vouchers |
+| `unifi_delete_voucher` | **DESTRUCTIVE:** Delete a hotspot voucher |
+| `unifi_bulk_delete_vouchers` | **DESTRUCTIVE:** Bulk delete vouchers matching a filter |
+
+### Firewall Zones & Policies (12)
+| Tool | Description |
+|---|---|
+| `unifi_list_firewall_zones` | List all firewall zones at a site |
+| `unifi_get_firewall_zone` | Get a specific firewall zone by ID |
+| `unifi_create_firewall_zone` | Create a new custom firewall zone |
+| `unifi_update_firewall_zone` | Update a firewall zone |
+| `unifi_delete_firewall_zone` | **DESTRUCTIVE:** Delete a custom firewall zone |
+| `unifi_list_firewall_policies` | List all firewall policies at a site |
+| `unifi_get_firewall_policy` | Get a specific firewall policy by ID |
+| `unifi_create_firewall_policy` | Create a new firewall policy |
+| `unifi_update_firewall_policy` | Update a firewall policy |
+| `unifi_delete_firewall_policy` | **DESTRUCTIVE:** Delete a firewall policy |
+| `unifi_get_firewall_policy_ordering` | Get user-defined firewall policy ordering for a zone pair |
+| `unifi_reorder_firewall_policies` | Reorder user-defined firewall policies for a zone pair |
+
+### ACL Rules (7)
+| Tool | Description |
+|---|---|
+| `unifi_list_acl_rules` | List all ACL (firewall) rules at a site |
+| `unifi_get_acl_rule` | Get a specific ACL rule by ID |
+| `unifi_get_acl_rule_ordering` | Get user-defined ACL rule ordering |
+| `unifi_create_acl_rule` | Create a new ACL rule |
+| `unifi_update_acl_rule` | Update an ACL rule |
+| `unifi_delete_acl_rule` | **DESTRUCTIVE:** Delete an ACL rule |
+| `unifi_reorder_acl_rules` | Reorder user-defined ACL rules |
+
+### DNS Policies (5)
+| Tool | Description |
+|---|---|
+| `unifi_list_dns_policies` | List all DNS policies at a site |
+| `unifi_get_dns_policy` | Get a specific DNS policy by ID |
+| `unifi_create_dns_policy` | Create a new DNS policy |
+| `unifi_update_dns_policy` | Update a DNS policy |
+| `unifi_delete_dns_policy` | **DESTRUCTIVE:** Delete a DNS policy |
+
+### Traffic Matching (5)
+| Tool | Description |
+|---|---|
+| `unifi_list_traffic_matching_lists` | List all traffic matching lists (port groups, IP groups) |
+| `unifi_get_traffic_matching_list` | Get a specific traffic matching list by ID |
+| `unifi_create_traffic_matching_list` | Create a new traffic matching list |
+| `unifi_update_traffic_matching_list` | Update a traffic matching list |
+| `unifi_delete_traffic_matching_list` | **DESTRUCTIVE:** Delete a traffic matching list |
+
+### Supporting (8)
+| Tool | Description |
+|---|---|
+| `unifi_list_wans` | List all WAN interfaces at a site |
+| `unifi_list_vpn_tunnels` | List all site-to-site VPN tunnels at a site |
+| `unifi_list_vpn_servers` | List all VPN servers at a site |
+| `unifi_list_radius_profiles` | List all RADIUS profiles at a site |
+| `unifi_list_device_tags` | List all device tags at a site |
+| `unifi_list_dpi_categories` | List all DPI categories for traffic identification |
+| `unifi_list_dpi_applications` | List all DPI applications for traffic identification |
+| `unifi_list_countries` | List all countries/regions for geo-based rules |
+
+## Development
+
+```bash
+npm run build        # Compile TypeScript
+npm start            # Run the server
+npm run typecheck    # Type-check without emitting
+npm run lint         # ESLint
+npm test             # Run all tests (vitest)
+```
+
+### Commit conventions
+
+This project uses [conventional commits](https://www.conventionalcommits.org/) and [release-please](https://github.com/googleapis/release-please) for automated releases:
+
+- `feat: ...` — new feature (minor version bump)
+- `fix: ...` — bug fix (patch version bump)
+- `feat!: ...` or `BREAKING CHANGE:` footer — breaking change (major version bump)
+- `chore:`, `docs:`, `ci:`, etc. — no version bump
+
+On push to `main`, release-please opens a Release PR that bumps the version and updates `CHANGELOG.md`. Merging that PR publishes to npm automatically.
+
+To override the version number, add `Release-As: x.x.x` in the commit body:
+
+```bash
+git commit --allow-empty -m "chore: release 2.0.0" -m "Release-As: 2.0.0"
+```
+
+## License
+
+MIT

package/dist/client.d.ts

@@ -0,0 +1,12 @@
+import { Config } from "./config.js";
+export declare class NetworkClient {
+    private baseUrl;
+    private headers;
+    constructor(config: Config);
+    private request;
+    get(path: string): Promise<unknown>;
+    post(path: string, body?: unknown): Promise<unknown>;
+    put(path: string, body: unknown): Promise<unknown>;
+    patch(path: string, body: unknown): Promise<unknown>;
+    delete(path: string): Promise<unknown>;
+}

package/dist/client.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkClient = void 0;
+class NetworkClient {
+    baseUrl;
+    headers;
+    constructor(config) {
+        this.baseUrl = `https://${config.host}/proxy/network/integration/v1`;
+        this.headers = {
+            "X-API-KEY": config.apiKey,
+            "Content-Type": "application/json",
+        };
+        if (!config.verifySsl) {
+            process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+        }
+    }
+    async request(method, path, body) {
+        const url = `${this.baseUrl}${path}`;
+        const options = {
+            method,
+            headers: this.headers,
+        };
+        if (body !== undefined) {
+            options.body = JSON.stringify(body);
+        }
+        const response = await fetch(url, options);
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`HTTP ${response.status}: ${text}`);
+        }
+        const contentType = response.headers.get("content-type") ?? "";
+        if (contentType.includes("application/json")) {
+            return response.json();
+        }
+        return response.text();
+    }
+    async get(path) {
+        return this.request("GET", path);
+    }
+    async post(path, body) {
+        return this.request("POST", path, body);
+    }
+    async put(path, body) {
+        return this.request("PUT", path, body);
+    }
+    async patch(path, body) {
+        return this.request("PATCH", path, body);
+    }
+    async delete(path) {
+        return this.request("DELETE", path);
+    }
+}
+exports.NetworkClient = NetworkClient;

package/dist/config.d.ts

@@ -0,0 +1,10 @@
+import { z } from "zod";
+declare const configSchema: z.ZodObject<{
+    host: z.ZodString;
+    apiKey: z.ZodString;
+    verifySsl: z.ZodDefault<z.ZodBoolean>;
+    readOnly: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+export type Config = z.infer<typeof configSchema>;
+export declare function loadConfig(): Config;
+export {};

package/dist/config.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+const zod_1 = require("zod");
+const configSchema = zod_1.z.object({
+    host: zod_1.z.string().min(1).describe("UniFi Network host (IP or hostname)"),
+    apiKey: zod_1.z.string().min(1).describe("UniFi Network API key"),
+    verifySsl: zod_1.z
+        .boolean()
+        .default(true)
+        .describe("Verify SSL certificates"),
+    readOnly: zod_1.z
+        .boolean()
+        .default(false)
+        .describe("When true, only read-only tools are registered"),
+});
+function loadConfig() {
+    const result = configSchema.safeParse({
+        host: process.env.UNIFI_NETWORK_HOST,
+        apiKey: process.env.UNIFI_NETWORK_API_KEY,
+        verifySsl: process.env.UNIFI_NETWORK_VERIFY_SSL?.toLowerCase() !== "false",
+        readOnly: process.env.UNIFI_NETWORK_READ_ONLY?.toLowerCase() === "true",
+    });
+    if (!result.success) {
+        console.error("Configuration error:", result.error.format());
+        process.exit(1);
+    }
+    return result.data;
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const config_js_1 = require("./config.js");
+const client_js_1 = require("./client.js");
+const index_js_1 = require("./tools/index.js");
+async function main() {
+    const config = (0, config_js_1.loadConfig)();
+    const client = new client_js_1.NetworkClient(config);
+    const server = new mcp_js_1.McpServer({
+        name: "unifi-network",
+        version: "1.0.0",
+    });
+    (0, index_js_1.registerAllTools)(server, client, config.readOnly);
+    if (config.readOnly) {
+        console.error("UniFi Network MCP server running on stdio (READ-ONLY mode)");
+    }
+    else {
+        console.error("UniFi Network MCP server running on stdio");
+    }
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((err) => {
+    console.error("Fatal error:", err);
+    process.exit(1);
+});

package/dist/tools/acl.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { NetworkClient } from "../client.js";
+export declare function registerAclTools(server: McpServer, client: NetworkClient, readOnly?: boolean): void;

package/dist/tools/acl.js

@@ -0,0 +1,164 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerAclTools = registerAclTools;
+const zod_1 = require("zod");
+const responses_js_1 = require("../utils/responses.js");
+const query_js_1 = require("../utils/query.js");
+const safety_js_1 = require("../utils/safety.js");
+function registerAclTools(server, client, readOnly = false) {
+    server.tool("unifi_list_acl_rules", "List all ACL (firewall) rules at a site", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        offset: zod_1.z
+            .number()
+            .int()
+            .nonnegative()
+            .optional()
+            .describe("Number of records to skip (default: 0)"),
+        limit: zod_1.z
+            .number()
+            .int()
+            .min(1)
+            .max(200)
+            .optional()
+            .describe("Number of records to return (default: 25, max: 200)"),
+        filter: zod_1.z
+            .string()
+            .optional()
+            .describe("Filter expression"),
+    }, safety_js_1.READ_ONLY, async ({ siteId, offset, limit, filter }) => {
+        try {
+            const query = (0, query_js_1.buildQuery)({ offset, limit, filter });
+            const data = await client.get(`/sites/${siteId}/acl-rules${query}`);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    server.tool("unifi_get_acl_rule", "Get a specific ACL rule by ID", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        aclRuleId: zod_1.z.string().describe("ACL rule ID"),
+    }, safety_js_1.READ_ONLY, async ({ siteId, aclRuleId }) => {
+        try {
+            const data = await client.get(`/sites/${siteId}/acl-rules/${aclRuleId}`);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    server.tool("unifi_get_acl_rule_ordering", "Get user-defined ACL rule ordering", {
+        siteId: zod_1.z.string().describe("Site ID"),
+    }, safety_js_1.READ_ONLY, async ({ siteId }) => {
+        try {
+            const data = await client.get(`/sites/${siteId}/acl-rules/ordering`);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    if (readOnly)
+        return;
+    server.tool("unifi_create_acl_rule", "Create a new ACL (firewall) rule", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        type: zod_1.z.enum(["IPV4", "MAC"]).describe("Rule type"),
+        name: zod_1.z.string().describe("Rule name"),
+        enabled: zod_1.z.boolean().describe("Enable the rule"),
+        action: zod_1.z.enum(["ALLOW", "BLOCK"]).describe("Rule action"),
+        description: zod_1.z
+            .string()
+            .optional()
+            .describe("Rule description"),
+        protocolFilter: zod_1.z
+            .array(zod_1.z.string())
+            .optional()
+            .describe("Protocols: TCP, UDP"),
+        dryRun: zod_1.z
+            .boolean()
+            .optional()
+            .describe("Preview this action without executing it"),
+    }, safety_js_1.WRITE_NOT_IDEMPOTENT, async ({ siteId, type, name, enabled, action, description, protocolFilter, dryRun }) => {
+        try {
+            const body = { type, name, enabled, action };
+            if (description !== undefined)
+                body.description = description;
+            if (protocolFilter !== undefined)
+                body.protocolFilter = protocolFilter;
+            if (dryRun)
+                return (0, safety_js_1.formatDryRun)("POST", `/sites/${siteId}/acl-rules`, body);
+            const data = await client.post(`/sites/${siteId}/acl-rules`, body);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    server.tool("unifi_update_acl_rule", "Update an ACL rule", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        aclRuleId: zod_1.z.string().describe("ACL rule ID"),
+        rule: zod_1.z
+            .record(zod_1.z.string(), zod_1.z.unknown())
+            .describe("ACL rule configuration (JSON object)"),
+        dryRun: zod_1.z
+            .boolean()
+            .optional()
+            .describe("Preview this action without executing it"),
+    }, safety_js_1.WRITE, async ({ siteId, aclRuleId, rule, dryRun }) => {
+        try {
+            if (dryRun)
+                return (0, safety_js_1.formatDryRun)("PUT", `/sites/${siteId}/acl-rules/${aclRuleId}`, rule);
+            const data = await client.put(`/sites/${siteId}/acl-rules/${aclRuleId}`, rule);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    server.tool("unifi_delete_acl_rule", "DESTRUCTIVE: Delete an ACL rule", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        aclRuleId: zod_1.z.string().describe("ACL rule ID"),
+        confirm: zod_1.z
+            .boolean()
+            .optional()
+            .describe("Must be true to execute this destructive action"),
+        dryRun: zod_1.z
+            .boolean()
+            .optional()
+            .describe("Preview this action without executing it"),
+    }, safety_js_1.DESTRUCTIVE, async ({ siteId, aclRuleId, confirm, dryRun }) => {
+        const guard = (0, safety_js_1.requireConfirmation)(confirm, "This will delete the ACL rule");
+        if (guard)
+            return guard;
+        try {
+            if (dryRun)
+                return (0, safety_js_1.formatDryRun)("DELETE", `/sites/${siteId}/acl-rules/${aclRuleId}`, {});
+            const data = await client.delete(`/sites/${siteId}/acl-rules/${aclRuleId}`);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    server.tool("unifi_reorder_acl_rules", "Reorder user-defined ACL rules", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        orderedAclRuleIds: zod_1.z
+            .array(zod_1.z.string())
+            .describe("Ordered ACL rule IDs"),
+        dryRun: zod_1.z
+            .boolean()
+            .optional()
+            .describe("Preview this action without executing it"),
+    }, safety_js_1.WRITE, async ({ siteId, orderedAclRuleIds, dryRun }) => {
+        try {
+            const body = { orderedAclRuleIds };
+            if (dryRun)
+                return (0, safety_js_1.formatDryRun)("PUT", `/sites/${siteId}/acl-rules/ordering`, body);
+            const data = await client.put(`/sites/${siteId}/acl-rules/ordering`, body);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+}

package/dist/tools/clients.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { NetworkClient } from "../client.js";
+export declare function registerClientTools(server: McpServer, client: NetworkClient, readOnly?: boolean): void;

package/dist/tools/clients.js

@@ -0,0 +1,119 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerClientTools = registerClientTools;
+const zod_1 = require("zod");
+const responses_js_1 = require("../utils/responses.js");
+const query_js_1 = require("../utils/query.js");
+const safety_js_1 = require("../utils/safety.js");
+function registerClientTools(server, client, readOnly = false) {
+    server.tool("unifi_list_clients", "List all connected clients (wired, wireless, VPN) at a site", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        offset: zod_1.z
+            .number()
+            .int()
+            .nonnegative()
+            .optional()
+            .describe("Number of records to skip (default: 0)"),
+        limit: zod_1.z
+            .number()
+            .int()
+            .min(1)
+            .max(200)
+            .optional()
+            .describe("Number of records to return (default: 25, max: 200)"),
+        filter: zod_1.z.string().optional().describe("Filter expression"),
+    }, safety_js_1.READ_ONLY, async ({ siteId, offset, limit, filter }) => {
+        try {
+            const query = (0, query_js_1.buildQuery)({ offset, limit, filter });
+            const data = await client.get(`/sites/${siteId}/clients${query}`);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    server.tool("unifi_get_client", "Get a specific client by ID", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        clientId: zod_1.z.string().describe("Client ID"),
+    }, safety_js_1.READ_ONLY, async ({ siteId, clientId }) => {
+        try {
+            const data = await client.get(`/sites/${siteId}/clients/${clientId}`);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    if (readOnly)
+        return;
+    server.tool("unifi_authorize_guest", "Authorize a guest client on a hotspot network", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        clientId: zod_1.z.string().describe("Client ID"),
+        timeLimitMinutes: zod_1.z
+            .number()
+            .int()
+            .min(1)
+            .max(1000000)
+            .optional()
+            .describe("How long (in minutes) the guest will be authorized (1-1000000)"),
+        dataUsageLimitMBytes: zod_1.z
+            .number()
+            .int()
+            .min(1)
+            .max(1048576)
+            .optional()
+            .describe("Data usage limit in megabytes (1-1048576)"),
+        rxRateLimitKbps: zod_1.z
+            .number()
+            .int()
+            .min(2)
+            .max(100000)
+            .optional()
+            .describe("Download rate limit in kilobits per second (2-100000)"),
+        txRateLimitKbps: zod_1.z
+            .number()
+            .int()
+            .min(2)
+            .max(100000)
+            .optional()
+            .describe("Upload rate limit in kilobits per second (2-100000)"),
+        dryRun: zod_1.z.boolean().optional().describe("Preview this action without executing it"),
+    }, safety_js_1.WRITE_NOT_IDEMPOTENT, async ({ siteId, clientId, timeLimitMinutes, dataUsageLimitMBytes, rxRateLimitKbps, txRateLimitKbps, dryRun, }) => {
+        const body = {
+            action: "AUTHORIZE_GUEST_ACCESS",
+        };
+        if (timeLimitMinutes !== undefined)
+            body.timeLimitMinutes = timeLimitMinutes;
+        if (dataUsageLimitMBytes !== undefined)
+            body.dataUsageLimitMBytes = dataUsageLimitMBytes;
+        if (rxRateLimitKbps !== undefined)
+            body.rxRateLimitKbps = rxRateLimitKbps;
+        if (txRateLimitKbps !== undefined)
+            body.txRateLimitKbps = txRateLimitKbps;
+        if (dryRun)
+            return (0, safety_js_1.formatDryRun)("POST", `/sites/${siteId}/clients/${clientId}/actions`, body);
+        try {
+            const data = await client.post(`/sites/${siteId}/clients/${clientId}/actions`, body);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+    server.tool("unifi_unauthorize_guest", "Unauthorize a guest client", {
+        siteId: zod_1.z.string().describe("Site ID"),
+        clientId: zod_1.z.string().describe("Client ID"),
+        dryRun: zod_1.z.boolean().optional().describe("Preview this action without executing it"),
+    }, safety_js_1.WRITE, async ({ siteId, clientId, dryRun }) => {
+        const body = { action: "UNAUTHORIZE_GUEST_ACCESS" };
+        if (dryRun)
+            return (0, safety_js_1.formatDryRun)("POST", `/sites/${siteId}/clients/${clientId}/actions`, body);
+        try {
+            const data = await client.post(`/sites/${siteId}/clients/${clientId}/actions`, body);
+            return (0, responses_js_1.formatSuccess)(data);
+        }
+        catch (err) {
+            return (0, responses_js_1.formatError)(err);
+        }
+    });
+}

package/dist/tools/devices.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { NetworkClient } from "../client.js";
+export declare function registerDeviceTools(server: McpServer, client: NetworkClient, readOnly?: boolean): void;