@pan-sec/notebooklm-mcp 1.4.0

package/dist/utils/cert-pinning.js

@@ -0,0 +1,328 @@
+/**
+ * Certificate Pinning for NotebookLM MCP Server
+ *
+ * Provides certificate pinning for HTTPS connections:
+ * - Pin Google's root CA certificates
+ * - Detect MITM attacks
+ * - Validate certificate chains
+ *
+ * Why this matters:
+ * - Prevents man-in-the-middle attacks
+ * - Protects against rogue CA certificates
+ * - Ensures only Google's real servers are trusted
+ *
+ * Added by Pantheon Security for hardened fork.
+ */
+import https from "https";
+import tls from "tls";
+import crypto from "crypto";
+import { log } from "./logger.js";
+import { audit } from "./audit-logger.js";
+/**
+ * Google's trusted root CA Subject Public Key Info (SPKI) hashes
+ * These are SHA-256 hashes of the Subject Public Key Info
+ *
+ * Updated: November 2025
+ * Sources:
+ * - Google Trust Services roots: https://pki.goog/
+ * - GTS Root R1, R2, R3, R4
+ * - GlobalSign Root CA (backup)
+ */
+const PINNED_CERTIFICATES = {
+    // Google Trust Services roots
+    "*.google.com": [
+        // GTS Root R1
+        "hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=",
+        // GTS Root R2
+        "Vfd95BwDeSQo+NUYxVEEIBvvpOs/QbsFp7DeP0Cr1pE=",
+        // GTS Root R3
+        "QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=",
+        // GTS Root R4
+        "mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=",
+        // GlobalSign Root CA - R2 (backup)
+        "iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=",
+        // DigiCert Global Root G2 (backup)
+        "i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=",
+    ],
+    "notebooklm.google.com": [
+        // Same as *.google.com
+        "hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=",
+        "Vfd95BwDeSQo+NUYxVEEIBvvpOs/QbsFp7DeP0Cr1pE=",
+        "QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=",
+        "mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=",
+        "iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=",
+        "i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=",
+    ],
+    "accounts.google.com": [
+        // Same as *.google.com
+        "hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=",
+        "Vfd95BwDeSQo+NUYxVEEIBvvpOs/QbsFp7DeP0Cr1pE=",
+        "QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=",
+        "mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=",
+        "iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=",
+        "i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=",
+    ],
+};
+/**
+ * Get certificate pinning configuration
+ */
+function getPinningConfig() {
+    return {
+        enabled: process.env.NLMCP_CERT_PINNING !== "false",
+        failOpen: process.env.NLMCP_CERT_FAIL_OPEN === "true",
+        reportOnly: process.env.NLMCP_CERT_REPORT_ONLY === "true",
+        additionalPins: {},
+    };
+}
+/**
+ * Calculate SPKI hash for a certificate
+ */
+export function calculateSPKIHash(cert) {
+    // Get the public key in DER format
+    const pubkey = cert.pubkey;
+    if (!pubkey) {
+        throw new Error("Certificate has no public key");
+    }
+    // Calculate SHA-256 hash and encode as base64
+    const hash = crypto.createHash("sha256").update(pubkey).digest("base64");
+    return hash;
+}
+/**
+ * Get all SPKI hashes from a certificate chain
+ */
+export function getCertificateChainHashes(socket) {
+    const hashes = [];
+    const cert = socket.getPeerCertificate(true);
+    if (!cert || !cert.raw) {
+        return hashes;
+    }
+    // Walk the certificate chain
+    let current = cert;
+    const seen = new Set();
+    while (current && current.raw) {
+        const fingerprint = current.fingerprint256;
+        if (seen.has(fingerprint))
+            break;
+        seen.add(fingerprint);
+        try {
+            if (current.pubkey) {
+                const hash = crypto.createHash("sha256").update(current.pubkey).digest("base64");
+                hashes.push(hash);
+            }
+        }
+        catch {
+            // Skip certificates we can't hash
+        }
+        current = current.issuerCertificate;
+    }
+    return hashes;
+}
+/**
+ * Validate a certificate chain against pinned certificates
+ */
+export function validateCertificatePin(hostname, chainHashes, config = getPinningConfig()) {
+    if (!config.enabled) {
+        return { valid: true };
+    }
+    // Get pins for this hostname
+    const pins = getPinsForHostname(hostname, config);
+    if (pins.length === 0) {
+        // No pins configured for this host
+        return { valid: true };
+    }
+    // Check if any certificate in the chain matches a pin
+    for (const hash of chainHashes) {
+        if (pins.includes(hash)) {
+            return { valid: true, matchedPin: hash };
+        }
+    }
+    // No match found
+    const error = `Certificate pinning failed for ${hostname}. ` +
+        `Chain hashes: [${chainHashes.join(", ")}]. ` +
+        `Expected one of: [${pins.join(", ")}]`;
+    return { valid: false, error };
+}
+/**
+ * Get pinned certificates for a hostname
+ */
+function getPinsForHostname(hostname, config) {
+    const pins = [];
+    // Check exact match
+    if (PINNED_CERTIFICATES[hostname]) {
+        pins.push(...PINNED_CERTIFICATES[hostname]);
+    }
+    // Check wildcard match
+    const parts = hostname.split(".");
+    if (parts.length >= 2) {
+        const wildcard = "*." + parts.slice(1).join(".");
+        if (PINNED_CERTIFICATES[wildcard]) {
+            pins.push(...PINNED_CERTIFICATES[wildcard]);
+        }
+    }
+    // Check additional pins from config
+    if (config.additionalPins[hostname]) {
+        pins.push(...config.additionalPins[hostname]);
+    }
+    return [...new Set(pins)]; // Deduplicate
+}
+/**
+ * Certificate Pinning Manager
+ */
+export class CertificatePinningManager {
+    config;
+    violationCount = 0;
+    lastViolation;
+    constructor(config) {
+        this.config = { ...getPinningConfig(), ...config };
+    }
+    /**
+     * Check if pinning is enabled
+     */
+    isEnabled() {
+        return this.config.enabled;
+    }
+    /**
+     * Validate a TLS connection
+     */
+    async validateConnection(socket, hostname) {
+        if (!this.config.enabled) {
+            return true;
+        }
+        const chainHashes = getCertificateChainHashes(socket);
+        const result = validateCertificatePin(hostname, chainHashes, this.config);
+        if (!result.valid) {
+            this.violationCount++;
+            this.lastViolation = {
+                hostname,
+                timestamp: new Date(),
+                chainHashes,
+            };
+            // Log the violation
+            log.error(`🔒 Certificate pinning violation for ${hostname}`);
+            log.error(`   Chain hashes: ${chainHashes.join(", ")}`);
+            await audit.security("cert_pinning_violation", "critical", {
+                hostname,
+                chain_hashes: chainHashes,
+                error: result.error,
+                report_only: this.config.reportOnly,
+            });
+            if (this.config.reportOnly) {
+                log.warning("   (Report-only mode - connection allowed)");
+                return true;
+            }
+            if (this.config.failOpen) {
+                log.warning("   (Fail-open mode - connection allowed)");
+                return true;
+            }
+            return false;
+        }
+        if (result.matchedPin) {
+            log.info(`🔒 Certificate pinning verified for ${hostname}`);
+        }
+        return true;
+    }
+    /**
+     * Create an HTTPS agent with certificate pinning
+     */
+    createPinnedAgent(_hostname) {
+        const self = this;
+        return new https.Agent({
+            checkServerIdentity: (host, cert) => {
+                // First do normal hostname verification
+                const err = tls.checkServerIdentity(host, cert);
+                if (err) {
+                    return err;
+                }
+                // Then check certificate pinning
+                if (self.config.enabled && cert.pubkey) {
+                    const hash = crypto.createHash("sha256").update(cert.pubkey).digest("base64");
+                    const pins = getPinsForHostname(host, self.config);
+                    if (pins.length > 0 && !pins.includes(hash)) {
+                        self.violationCount++;
+                        if (!self.config.reportOnly && !self.config.failOpen) {
+                            return new Error(`Certificate pinning failed for ${host}`);
+                        }
+                    }
+                }
+                return undefined;
+            },
+        });
+    }
+    /**
+     * Get violation statistics
+     */
+    getStats() {
+        return {
+            enabled: this.config.enabled,
+            reportOnly: this.config.reportOnly,
+            violationCount: this.violationCount,
+            lastViolation: this.lastViolation
+                ? {
+                    hostname: this.lastViolation.hostname,
+                    timestamp: this.lastViolation.timestamp,
+                }
+                : undefined,
+        };
+    }
+    /**
+     * Update configuration
+     */
+    updateConfig(config) {
+        this.config = { ...this.config, ...config };
+    }
+    /**
+     * Add a custom pin for a hostname
+     */
+    addPin(hostname, spkiHash) {
+        if (!this.config.additionalPins[hostname]) {
+            this.config.additionalPins[hostname] = [];
+        }
+        if (!this.config.additionalPins[hostname].includes(spkiHash)) {
+            this.config.additionalPins[hostname].push(spkiHash);
+        }
+    }
+}
+/**
+ * Global certificate pinning manager
+ */
+let globalPinningManager = null;
+/**
+ * Get or create the global pinning manager
+ */
+export function getCertificatePinningManager() {
+    if (!globalPinningManager) {
+        globalPinningManager = new CertificatePinningManager();
+    }
+    return globalPinningManager;
+}
+/**
+ * Utility to extract and display certificate pins from a hostname
+ * Useful for updating pinned certificates
+ */
+export async function extractCertificatePins(hostname) {
+    return new Promise((resolve, reject) => {
+        const options = {
+            host: hostname,
+            port: 443,
+            servername: hostname,
+            rejectUnauthorized: true,
+        };
+        const socket = tls.connect(options, () => {
+            try {
+                const hashes = getCertificateChainHashes(socket);
+                socket.end();
+                resolve(hashes);
+            }
+            catch (error) {
+                socket.end();
+                reject(error);
+            }
+        });
+        socket.on("error", reject);
+        socket.setTimeout(10000, () => {
+            socket.destroy();
+            reject(new Error("Connection timeout"));
+        });
+    });
+}
+//# sourceMappingURL=cert-pinning.js.map

package/dist/utils/cert-pinning.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-pinning.js","sourceRoot":"","sources":["../../src/utils/cert-pinning.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE1C;;;;;;;;;GASG;AACH,MAAM,mBAAmB,GAA6B;IACpD,8BAA8B;IAC9B,cAAc,EAAE;QACd,cAAc;QACd,8CAA8C;QAC9C,cAAc;QACd,8CAA8C;QAC9C,cAAc;QACd,8CAA8C;QAC9C,cAAc;QACd,8CAA8C;QAC9C,mCAAmC;QACnC,8CAA8C;QAC9C,mCAAmC;QACnC,8CAA8C;KAC/C;IACD,uBAAuB,EAAE;QACvB,uBAAuB;QACvB,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;KAC/C;IACD,qBAAqB,EAAE;QACrB,uBAAuB;QACvB,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;QAC9C,8CAA8C;KAC/C;CACF,CAAC;AAgBF;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,OAAO;QACnD,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,MAAM;QACrD,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,MAAM;QACzD,cAAc,EAAE,EAAE;KACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAyB;IACzD,mCAAmC;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,8CAA8C;IAC9C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAqB;IAC7D,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6BAA6B;IAC7B,IAAI,OAAO,GAA4C,IAAmC,CAAC;IAC3F,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,OAAO,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC;QAC3C,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YAAE,MAAM;QACjC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAEtB,IAAI,CAAC;YACH,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACjF,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,kCAAkC;QACpC,CAAC;QAED,OAAO,GAAG,OAAO,CAAC,iBAA4D,CAAC;IACjF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,WAAqB,EACrB,SAA4B,gBAAgB,EAAE;IAE9C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,6BAA6B;IAC7B,MAAM,IAAI,GAAG,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAElD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,mCAAmC;QACnC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,MAAM,KAAK,GAAG,kCAAkC,QAAQ,IAAI;QAC1D,kBAAkB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK;QAC7C,qBAAqB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IAE1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAgB,EAAE,MAAyB;IACrE,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,oBAAoB;IACpB,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAuB;IACvB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,IAAI,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,IAAI,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,cAAc;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,yBAAyB;IAC5B,MAAM,CAAoB;IAC1B,cAAc,GAAW,CAAC,CAAC;IAC3B,aAAa,CAInB;IAEF,YAAY,MAAmC;QAC7C,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,gBAAgB,EAAE,EAAE,GAAG,MAAM,EAAE,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,MAAqB,EAAE,QAAgB;QAC9D,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,WAAW,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,sBAAsB,CAAC,QAAQ,EAAE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAE1E,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,CAAC,cAAc,EAAE,CAAC;YACtB,IAAI,CAAC,aAAa,GAAG;gBACnB,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,WAAW;aACZ,CAAC;YAEF,oBAAoB;YACpB,GAAG,CAAC,KAAK,CAAC,wCAAwC,QAAQ,EAAE,CAAC,CAAC;YAC9D,GAAG,CAAC,KAAK,CAAC,oBAAoB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAExD,MAAM,KAAK,CAAC,QAAQ,CAAC,wBAAwB,EAAE,UAAU,EAAE;gBACzD,QAAQ;gBACR,YAAY,EAAE,WAAW;gBACzB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;aACpC,CAAC,CAAC;YAEH,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC3B,GAAG,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;gBAC1D,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACzB,GAAG,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC;gBACxD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,GAAG,CAAC,IAAI,CAAC,uCAAuC,QAAQ,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,SAAiB;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC;QAElB,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC;YACrB,mBAAmB,EAAE,CAAC,IAAY,EAAE,IAAyB,EAAE,EAAE;gBAC/D,wCAAwC;gBACxC,MAAM,GAAG,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBAChD,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,GAAG,CAAC;gBACb,CAAC;gBAED,iCAAiC;gBACjC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;oBACvC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;oBAC9E,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;oBAEnD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5C,IAAI,CAAC,cAAc,EAAE,CAAC;wBAEtB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;4BACrD,OAAO,IAAI,KAAK,CAAC,kCAAkC,IAAI,EAAE,CAAC,CAAC;wBAC7D,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,OAAO,SAAS,CAAC;YACnB,CAAC;SACF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,QAAQ;QASN,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YAClC,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,aAAa,EAAE,IAAI,CAAC,aAAa;gBAC/B,CAAC,CAAC;oBACE,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;oBACrC,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,SAAS;iBACxC;gBACH,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,MAAkC;QAC7C,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAgB,EAAE,QAAgB;QACvC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;QAC5C,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7D,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,IAAI,oBAAoB,GAAqC,IAAI,CAAC;AAElE;;GAEG;AACH,MAAM,UAAU,4BAA4B;IAC1C,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,oBAAoB,GAAG,IAAI,yBAAyB,EAAE,CAAC;IACzD,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,QAAgB;IAC3D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,OAAO,GAAG;YACd,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,GAAG;YACT,UAAU,EAAE,QAAQ;YACpB,kBAAkB,EAAE,IAAI;SACzB,CAAC;QAEF,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;gBACjD,MAAM,CAAC,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,CAAC;YAChB,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,GAAG,EAAE;YAC5B,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/utils/cleanup-manager.d.ts

@@ -0,0 +1,133 @@
+/**
+ * Cleanup Manager for NotebookLM MCP Server
+ *
+ * ULTRATHINK EDITION - Complete cleanup across all platforms!
+ *
+ * Handles safe removal of:
+ * - Legacy data from notebooklm-mcp-nodejs
+ * - Current installation data
+ * - Browser profiles and session data
+ * - NPM/NPX cache
+ * - Claude CLI MCP logs
+ * - Claude Projects cache
+ * - Temporary backups
+ * - Editor logs (Cursor, VSCode)
+ * - Trash files (optional)
+ *
+ * Platform support: Linux, Windows, macOS
+ */
+export type CleanupMode = "legacy" | "all" | "deep";
+export interface CleanupResult {
+    success: boolean;
+    mode: CleanupMode;
+    deletedPaths: string[];
+    failedPaths: string[];
+    totalSizeBytes: number;
+    categorySummary: Record<string, {
+        count: number;
+        bytes: number;
+    }>;
+}
+export interface CleanupCategory {
+    name: string;
+    description: string;
+    paths: string[];
+    totalBytes: number;
+    optional: boolean;
+}
+export declare class CleanupManager {
+    private legacyPaths;
+    private currentPaths;
+    private homeDir;
+    private tempDir;
+    constructor();
+    /**
+     * Get NPM cache directory (platform-specific)
+     */
+    private getNpmCachePath;
+    /**
+     * Get Claude CLI cache directory (platform-specific)
+     */
+    private getClaudeCliCachePath;
+    /**
+     * Get Claude projects directory (platform-specific)
+     */
+    private getClaudeProjectsPath;
+    /**
+     * Get editor config paths (Cursor, VSCode)
+     */
+    private getEditorConfigPaths;
+    /**
+     * Get trash directory (platform-specific)
+     */
+    private getTrashPath;
+    /**
+     * Get manual legacy config paths that might not be caught by envPaths
+     * This ensures we catch ALL legacy installations including old config.json files
+     */
+    private getManualLegacyPaths;
+    /**
+     * Find NPM/NPX cache files
+     */
+    private findNpmCache;
+    /**
+     * Find Claude CLI MCP logs
+     */
+    private findClaudeCliLogs;
+    /**
+     * Find Claude projects cache
+     */
+    private findClaudeProjects;
+    /**
+     * Find temporary backups
+     */
+    private findTemporaryBackups;
+    /**
+     * Find editor logs (Cursor, VSCode)
+     */
+    private findEditorLogs;
+    /**
+     * Find trash files
+     */
+    private findTrashFiles;
+    /**
+     * Get all paths that would be deleted for a given mode (with categorization)
+     */
+    getCleanupPaths(mode: CleanupMode, preserveLibrary?: boolean): Promise<{
+        categories: CleanupCategory[];
+        totalPaths: string[];
+        totalSizeBytes: number;
+    }>;
+    /**
+     * Perform cleanup with safety checks and detailed reporting
+     */
+    performCleanup(mode: CleanupMode, preserveLibrary?: boolean): Promise<CleanupResult>;
+    /**
+     * Check if a path exists
+     */
+    private pathExists;
+    /**
+     * Get the size of a single file
+     */
+    private getFileSize;
+    /**
+     * Get the total size of a directory (recursive)
+     */
+    private getDirectorySize;
+    /**
+     * Format bytes to human-readable string
+     */
+    formatBytes(bytes: number): string;
+    /**
+     * Get platform-specific path info
+     */
+    getPlatformInfo(): {
+        platform: string;
+        legacyBasePath: string;
+        currentBasePath: string;
+        npmCachePath: string;
+        claudeCliCachePath: string;
+        claudeProjectsPath: string;
+    };
+}
+//# sourceMappingURL=cleanup-manager.d.ts.map

package/dist/utils/cleanup-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cleanup-manager.d.ts","sourceRoot":"","sources":["../../src/utils/cleanup-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AASH,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEpD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,WAAW,CAAC;IAClB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACnE;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAUD,qBAAa,cAAc;IACzB,OAAO,CAAC,WAAW,CAAQ;IAC3B,OAAO,CAAC,YAAY,CAAQ;IAC5B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;;IAmBxB;;OAEG;IACH,OAAO,CAAC,eAAe;IAIvB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAc7B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAc7B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA0B5B;;OAEG;IACH,OAAO,CAAC,YAAY;IAapB;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IA+C5B;;OAEG;YACW,YAAY;IAsB1B;;OAEG;YACW,iBAAiB;IA2B/B;;OAEG;YACW,kBAAkB;IAqBhC;;OAEG;YACW,oBAAoB;IAelC;;OAEG;YACW,cAAc;IAuB5B;;OAEG;YACW,cAAc;IA6B5B;;OAEG;IACG,eAAe,CACnB,IAAI,EAAE,WAAW,EACjB,eAAe,GAAE,OAAe,GAC/B,OAAO,CAAC;QACT,UAAU,EAAE,eAAe,EAAE,CAAC;QAC9B,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IA0QF;;OAEG;IACG,cAAc,CAClB,IAAI,EAAE,WAAW,EACjB,eAAe,GAAE,OAAe,GAC/B,OAAO,CAAC,aAAa,CAAC;IAqEzB;;OAEG;YACW,UAAU;IASxB;;OAEG;YACW,WAAW;IASzB;;OAEG;YACW,gBAAgB;IA2B9B;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAQlC;;OAEG;IACH,eAAe,IAAI;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,cAAc,EAAE,MAAM,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,YAAY,EAAE,MAAM,CAAC;QACrB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,kBAAkB,EAAE,MAAM,CAAC;KAC5B;CAyBF"}