@veertu/anka-mcp 0.1.0

package/dist/tokens/ownership.d.ts

@@ -0,0 +1,6 @@
+/** Require the current MCP credential to own the given controller instance. */
+export declare function requireControllerInstanceAccess(instanceId: string): void;
+/** Register a newly created controller instance under the current MCP credential. */
+export declare function registerControllerInstance(instanceId: string): void;
+/** Remove instance ownership after successful termination. */
+export declare function releaseControllerInstance(instanceId: string): void;

package/dist/tokens/ownership.js

@@ -0,0 +1,31 @@
+import { getRequestContext } from "../log.js";
+import { getTokenStore } from "./store.js";
+const SKIP_OWNERSHIP_CREDENTIAL_IDS = new Set(["anonymous"]);
+/** Require the current MCP credential to own the given controller instance. */
+export function requireControllerInstanceAccess(instanceId) {
+    const ctx = getRequestContext();
+    if (!ctx?.credentialId) {
+        throw new Error("Missing credential context");
+    }
+    if (SKIP_OWNERSHIP_CREDENTIAL_IDS.has(ctx.credentialId)) {
+        return;
+    }
+    getTokenStore().assertInstanceOwned(ctx.credentialId, instanceId);
+}
+/** Register a newly created controller instance under the current MCP credential. */
+export function registerControllerInstance(instanceId) {
+    const ctx = getRequestContext();
+    if (!ctx?.credentialId || SKIP_OWNERSHIP_CREDENTIAL_IDS.has(ctx.credentialId)) {
+        return;
+    }
+    getTokenStore().registerInstance(ctx.credentialId, instanceId);
+}
+/** Remove instance ownership after successful termination. */
+export function releaseControllerInstance(instanceId) {
+    const ctx = getRequestContext();
+    if (!ctx?.credentialId || SKIP_OWNERSHIP_CREDENTIAL_IDS.has(ctx.credentialId)) {
+        return;
+    }
+    getTokenStore().releaseInstance(ctx.credentialId, instanceId);
+}
+//# sourceMappingURL=ownership.js.map

package/dist/tokens/ownership.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ownership.js","sourceRoot":"","sources":["../../src/tokens/ownership.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,MAAM,6BAA6B,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;AAE7D,+EAA+E;AAC/E,MAAM,UAAU,+BAA+B,CAAC,UAAkB;IAChE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG,EAAE,YAAY,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,6BAA6B,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QACxD,OAAO;IACT,CAAC;IACD,aAAa,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AACpE,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,0BAA0B,CAAC,UAAkB;IAC3D,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG,EAAE,YAAY,IAAI,6BAA6B,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9E,OAAO;IACT,CAAC;IACD,aAAa,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AACjE,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,yBAAyB,CAAC,UAAkB;IAC1D,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG,EAAE,YAAY,IAAI,6BAA6B,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9E,OAAO;IACT,CAAC;IACD,aAAa,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AAChE,CAAC"}

package/dist/tokens/schema.d.ts

@@ -0,0 +1,3 @@
+import type Database from "better-sqlite3";
+/** Apply idempotent schema migrations and enable foreign keys. */
+export declare function migrateSchema(db: Database.Database): void;

package/dist/tokens/schema.js

@@ -0,0 +1,35 @@
+const MIGRATIONS = [
+    `CREATE TABLE IF NOT EXISTS tokens (
+    id         TEXT PRIMARY KEY,
+    label      TEXT NOT NULL DEFAULT '',
+    token_hash TEXT NOT NULL UNIQUE,
+    created_at TEXT NOT NULL,
+    revoked_at TEXT
+  )`,
+    `CREATE TABLE IF NOT EXISTS instances (
+    instance_id   TEXT PRIMARY KEY,
+    credential_id TEXT NOT NULL REFERENCES tokens(id),
+    created_at    TEXT NOT NULL
+  )`,
+    `CREATE INDEX IF NOT EXISTS idx_instances_credential_id ON instances(credential_id)`
+];
+function instancesColumnNames(db) {
+    const rows = db.prepare("PRAGMA table_info(instances)").all();
+    return rows.map((row) => row.name);
+}
+/** Apply idempotent schema migrations and enable foreign keys. */
+export function migrateSchema(db) {
+    db.pragma("foreign_keys = ON");
+    for (const sql of MIGRATIONS) {
+        db.exec(sql);
+    }
+    const columns = instancesColumnNames(db);
+    if (columns.includes("token_id") && !columns.includes("credential_id")) {
+        db.exec("ALTER TABLE instances RENAME COLUMN token_id TO credential_id");
+    }
+    if (columns.includes("token_id")) {
+        db.exec("DROP INDEX IF EXISTS idx_instances_token_id");
+    }
+    db.exec("CREATE INDEX IF NOT EXISTS idx_instances_credential_id ON instances(credential_id)");
+}
+//# sourceMappingURL=schema.js.map

package/dist/tokens/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/tokens/schema.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAAG;IACjB;;;;;;IAME;IACF;;;;IAIE;IACF,oFAAoF;CACrF,CAAC;AAEF,SAAS,oBAAoB,CAAC,EAAqB;IACjD,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC,GAAG,EAAwB,CAAC;IACpF,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,aAAa,CAAC,EAAqB;IACjD,EAAE,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,MAAM,OAAO,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QACvE,EAAE,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACjC,EAAE,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IACzD,CAAC;IACD,EAAE,CAAC,IAAI,CAAC,oFAAoF,CAAC,CAAC;AAChG,CAAC"}

package/dist/tokens/store.d.ts

@@ -0,0 +1,45 @@
+export declare const LEGACY_CREDENTIAL_ID = "legacy";
+export interface TokenRecord {
+    id: string;
+    label: string;
+    createdAt: string;
+    revoked: boolean;
+    instanceCount: number;
+}
+export interface ValidatedToken {
+    id: string;
+    label: string;
+}
+export interface RevokeResult {
+    instanceIds: string[];
+}
+export declare class TokenStore {
+    private readonly db;
+    constructor(dbPath: string);
+    close(): void;
+    /** Ensure a synthetic row exists for the legacy env bearer (FK target for instances). */
+    ensureLegacyCredential(): void;
+    hasActiveTokens(): boolean;
+    createToken(label?: string): {
+        id: string;
+        label: string;
+        token: string;
+    };
+    listTokens(): TokenRecord[];
+    getTokenById(id: string): {
+        id: string;
+        label: string;
+        revoked: boolean;
+    } | null;
+    revokeToken(id: string): RevokeResult;
+    validateToken(plaintext: string): ValidatedToken | null;
+    listInstancesForCredential(credentialId: string): string[];
+    registerInstance(credentialId: string, instanceId: string): void;
+    assertInstanceOwned(credentialId: string, instanceId: string): void;
+    releaseInstance(credentialId: string, instanceId: string): void;
+    deleteInstancesForCredential(credentialId: string): void;
+}
+export declare function initTokenStore(dbPath: string): TokenStore;
+export declare function getTokenStore(): TokenStore;
+/** @internal Test helper to reset the singleton. */
+export declare function resetTokenStoreForTests(): void;

package/dist/tokens/store.js

@@ -0,0 +1,145 @@
+import { createHash, randomBytes, randomUUID } from "node:crypto";
+import Database from "better-sqlite3";
+import { migrateSchema } from "./schema.js";
+export const LEGACY_CREDENTIAL_ID = "legacy";
+function hashToken(plaintext) {
+    return createHash("sha256").update(plaintext).digest("hex");
+}
+function nowIso() {
+    return new Date().toISOString();
+}
+export class TokenStore {
+    db;
+    constructor(dbPath) {
+        this.db = new Database(dbPath);
+        migrateSchema(this.db);
+    }
+    close() {
+        this.db.close();
+    }
+    /** Ensure a synthetic row exists for the legacy env bearer (FK target for instances). */
+    ensureLegacyCredential() {
+        this.db
+            .prepare(`INSERT INTO tokens (id, label, token_hash, created_at, revoked_at)
+         VALUES (?, '', '__legacy__', ?, NULL)
+         ON CONFLICT(id) DO NOTHING`)
+            .run(LEGACY_CREDENTIAL_ID, nowIso());
+    }
+    hasActiveTokens() {
+        const row = this.db
+            .prepare(`SELECT COUNT(*) AS count FROM tokens WHERE revoked_at IS NULL AND token_hash != '__legacy__'`)
+            .get();
+        return row.count > 0;
+    }
+    createToken(label = "") {
+        const id = randomUUID();
+        const token = randomBytes(32).toString("hex");
+        const createdAt = nowIso();
+        const trimmedLabel = label.trim();
+        const insert = this.db.transaction(() => {
+            this.db
+                .prepare(`INSERT INTO tokens (id, label, token_hash, created_at, revoked_at)
+           VALUES (?, ?, ?, ?, NULL)`)
+                .run(id, trimmedLabel, hashToken(token), createdAt);
+        });
+        insert();
+        return { id, label: trimmedLabel, token };
+    }
+    listTokens() {
+        const rows = this.db
+            .prepare(`SELECT t.id, t.label, t.created_at, t.revoked_at,
+                COUNT(i.instance_id) AS instance_count
+         FROM tokens t
+         LEFT JOIN instances i ON i.credential_id = t.id
+         WHERE t.token_hash != '__legacy__'
+         GROUP BY t.id
+         ORDER BY t.created_at ASC`)
+            .all();
+        return rows.map((row) => ({
+            id: row.id,
+            label: row.label,
+            createdAt: row.created_at,
+            revoked: row.revoked_at !== null,
+            instanceCount: row.instance_count
+        }));
+    }
+    getTokenById(id) {
+        const row = this.db
+            .prepare(`SELECT id, label, revoked_at FROM tokens WHERE id = ? AND token_hash != '__legacy__'`)
+            .get(id);
+        if (!row)
+            return null;
+        return { id: row.id, label: row.label, revoked: row.revoked_at !== null };
+    }
+    revokeToken(id) {
+        const existing = this.getTokenById(id);
+        if (!existing) {
+            throw new Error(`Token not found: ${id}`);
+        }
+        if (existing.revoked) {
+            throw new Error(`Token already revoked: ${id}`);
+        }
+        const instanceRows = this.listInstancesForCredential(id);
+        const revoke = this.db.transaction(() => {
+            this.db
+                .prepare(`UPDATE tokens SET revoked_at = ? WHERE id = ?`)
+                .run(nowIso(), id);
+        });
+        revoke();
+        return { instanceIds: instanceRows };
+    }
+    validateToken(plaintext) {
+        const row = this.db
+            .prepare(`SELECT id, label FROM tokens WHERE token_hash = ? AND revoked_at IS NULL`)
+            .get(hashToken(plaintext));
+        if (!row || row.id === LEGACY_CREDENTIAL_ID)
+            return null;
+        return { id: row.id, label: row.label };
+    }
+    listInstancesForCredential(credentialId) {
+        const rows = this.db
+            .prepare(`SELECT instance_id FROM instances WHERE credential_id = ? ORDER BY created_at ASC`)
+            .all(credentialId);
+        return rows.map((row) => row.instance_id);
+    }
+    registerInstance(credentialId, instanceId) {
+        this.db
+            .prepare(`INSERT INTO instances (instance_id, credential_id, created_at) VALUES (?, ?, ?)`)
+            .run(instanceId, credentialId, nowIso());
+    }
+    assertInstanceOwned(credentialId, instanceId) {
+        const row = this.db
+            .prepare(`SELECT credential_id FROM instances WHERE instance_id = ?`)
+            .get(instanceId);
+        if (!row || row.credential_id !== credentialId) {
+            throw new Error("Instance not owned by this credential");
+        }
+    }
+    releaseInstance(credentialId, instanceId) {
+        this.db
+            .prepare(`DELETE FROM instances WHERE instance_id = ? AND credential_id = ?`)
+            .run(instanceId, credentialId);
+    }
+    deleteInstancesForCredential(credentialId) {
+        this.db.prepare(`DELETE FROM instances WHERE credential_id = ?`).run(credentialId);
+    }
+}
+let sharedStore;
+export function initTokenStore(dbPath) {
+    if (sharedStore)
+        sharedStore.close();
+    sharedStore = new TokenStore(dbPath);
+    return sharedStore;
+}
+export function getTokenStore() {
+    if (!sharedStore) {
+        throw new Error("Token store not initialized");
+    }
+    return sharedStore;
+}
+/** @internal Test helper to reset the singleton. */
+export function resetTokenStoreForTests() {
+    sharedStore?.close();
+    sharedStore = undefined;
+}
+//# sourceMappingURL=store.js.map

package/dist/tokens/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/tokens/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,MAAM,CAAC,MAAM,oBAAoB,GAAG,QAAQ,CAAC;AAmB7C,SAAS,SAAS,CAAC,SAAiB;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,MAAM;IACb,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,OAAO,UAAU;IACJ,EAAE,CAAoB;IAEvC,YAAY,MAAc;QACxB,IAAI,CAAC,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;IAED,yFAAyF;IACzF,sBAAsB;QACpB,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;;oCAE4B,CAC7B;aACA,GAAG,CAAC,oBAAoB,EAAE,MAAM,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,eAAe;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,8FAA8F,CAAC;aACvG,GAAG,EAAuB,CAAC;QAC9B,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,WAAW,CAAC,KAAK,GAAG,EAAE;QACpB,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC;QAC3B,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAElC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE;YACtC,IAAI,CAAC,EAAE;iBACJ,OAAO,CACN;qCAC2B,CAC5B;iBACA,GAAG,CAAC,EAAE,EAAE,YAAY,EAAE,SAAS,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QACH,MAAM,EAAE,CAAC;QAET,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAC5C,CAAC;IAED,UAAU;QACR,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CACN;;;;;;mCAM2B,CAC5B;aACA,GAAG,EAMH,CAAC;QAEJ,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACxB,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,OAAO,EAAE,GAAG,CAAC,UAAU,KAAK,IAAI;YAChC,aAAa,EAAE,GAAG,CAAC,cAAc;SAClC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,YAAY,CAAC,EAAU;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,sFAAsF,CAAC;aAC/F,GAAG,CAAC,EAAE,CAAyE,CAAC;QACnF,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;IAC5E,CAAC;IAED,WAAW,CAAC,EAAU;QACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,0BAA0B,EAAE,EAAE,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CAAC,EAAE,CAAC,CAAC;QAEzD,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE;YACtC,IAAI,CAAC,EAAE;iBACJ,OAAO,CAAC,+CAA+C,CAAC;iBACxD,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QACvB,CAAC,CAAC,CAAC;QACH,MAAM,EAAE,CAAC;QAET,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;IACvC,CAAC;IAED,aAAa,CAAC,SAAiB;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,0EAA0E,CAAC;aACnF,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAA8C,CAAC;QAC1E,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,KAAK,oBAAoB;YAAE,OAAO,IAAI,CAAC;QACzD,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC1C,CAAC;IAED,0BAA0B,CAAC,YAAoB;QAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,mFAAmF,CAAC;aAC5F,GAAG,CAAC,YAAY,CAA8B,CAAC;QAClD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC;IAED,gBAAgB,CAAC,YAAoB,EAAE,UAAkB;QACvD,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,iFAAiF,CAAC;aAC1F,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,mBAAmB,CAAC,YAAoB,EAAE,UAAkB;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,2DAA2D,CAAC;aACpE,GAAG,CAAC,UAAU,CAA0C,CAAC;QAC5D,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,aAAa,KAAK,YAAY,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,eAAe,CAAC,YAAoB,EAAE,UAAkB;QACtD,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,mEAAmE,CAAC;aAC5E,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IACnC,CAAC;IAED,4BAA4B,CAAC,YAAoB;QAC/C,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACrF,CAAC;CACF;AAED,IAAI,WAAmC,CAAC;AAExC,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,IAAI,WAAW;QAAE,WAAW,CAAC,KAAK,EAAE,CAAC;IACrC,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,uBAAuB;IACrC,WAAW,EAAE,KAAK,EAAE,CAAC;IACrB,WAAW,GAAG,SAAS,CAAC;AAC1B,CAAC"}

package/dist/tools/controller/get-vm.d.ts

@@ -0,0 +1,3 @@
+export declare const controllerGetVmTool: import("../define-tool.js").ToolDefinition<{
+    instance_id: import("zod").ZodString;
+}>;

package/dist/tools/controller/get-vm.js

@@ -0,0 +1,34 @@
+import { controller, extractSshEndpoint } from "../../controller.js";
+import { uuidLike } from "../../security/schemas.js";
+import { requireControllerInstanceAccess } from "../../tokens/ownership.js";
+import { defineTool, jsonResult } from "../define-tool.js";
+import { runControllerTool } from "./results.js";
+export const controllerGetVmTool = defineTool({
+    name: "controller_get_vm",
+    config: {
+        title: "Get controller VM status",
+        description: "Get the current state of a controller VM instance, including SSH endpoint " +
+            "details (host, forwarded port, username) once it is reachable. Use the private " +
+            "key returned by controller_request_vm to connect.",
+        inputSchema: {
+            instance_id: uuidLike.describe("The instance id returned by controller_request_vm.")
+        },
+        annotations: { title: "Get controller VM status", readOnlyHint: true, openWorldHint: true }
+    },
+    handler: async ({ instance_id }) => runControllerTool(async () => {
+        try {
+            requireControllerInstanceAccess(instance_id);
+        }
+        catch {
+            return jsonResult({ ok: false, error: "Instance not owned by this credential" }, true);
+        }
+        const instance = await controller.getVm(instance_id);
+        return jsonResult({
+            instance_id,
+            instance_state: instance.instance_state,
+            vm_status: instance.vminfo?.status ?? null,
+            ssh: extractSshEndpoint(instance.vminfo) ?? null
+        });
+    })
+});
+//# sourceMappingURL=get-vm.js.map

package/dist/tools/controller/get-vm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-vm.js","sourceRoot":"","sources":["../../../src/tools/controller/get-vm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAyB,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,+BAA+B,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEjD,MAAM,CAAC,MAAM,mBAAmB,GAAG,UAAU,CAAC;IAC5C,IAAI,EAAE,mBAAmB;IACzB,MAAM,EAAE;QACN,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,4EAA4E;YAC5E,iFAAiF;YACjF,mDAAmD;QACrD,WAAW,EAAE;YACX,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,oDAAoD,CAAC;SACrF;QACD,WAAW,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE;KAC5F;IACD,OAAO,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,CACjC,iBAAiB,CAAC,KAAK,IAAI,EAAE;QAC3B,IAAI,CAAC;YACH,+BAA+B,CAAC,WAAW,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAAE,IAAI,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACrD,OAAO,UAAU,CAAC;YAChB,WAAW;YACX,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,SAAS,EAAE,QAAQ,CAAC,MAAM,EAAE,MAAM,IAAI,IAAI;YAC1C,GAAG,EAAE,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI;SACjD,CAAC,CAAC;IACL,CAAC,CAAC;CACL,CAAC,CAAC"}

package/dist/tools/controller/index.d.ts

@@ -0,0 +1,3 @@
+import type { ToolDefinition } from "../define-tool.js";
+/** Tools exposed when the controller backend is enabled. */
+export declare const controllerTools: ToolDefinition<any>[];

package/dist/tools/controller/index.js

@@ -0,0 +1,12 @@
+import { controllerListTemplatesTool } from "./list-templates.js";
+import { controllerRequestVmTool } from "./request-vm.js";
+import { controllerGetVmTool } from "./get-vm.js";
+import { controllerTerminateVmTool } from "./terminate-vm.js";
+/** Tools exposed when the controller backend is enabled. */
+export const controllerTools = [
+    controllerListTemplatesTool,
+    controllerRequestVmTool,
+    controllerGetVmTool,
+    controllerTerminateVmTool
+];
+//# sourceMappingURL=index.js.map

package/dist/tools/controller/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/tools/controller/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAE9D,4DAA4D;AAC5D,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,2BAA2B;IAC3B,uBAAuB;IACvB,mBAAmB;IACnB,yBAAyB;CAC1B,CAAC"}

package/dist/tools/controller/list-templates.d.ts

@@ -0,0 +1 @@
+export declare const controllerListTemplatesTool: import("../define-tool.js").ToolDefinition<{}>;

package/dist/tools/controller/list-templates.js

@@ -0,0 +1,21 @@
+import { controller } from "../../controller.js";
+import { defineTool, jsonResult } from "../define-tool.js";
+import { runControllerTool } from "./results.js";
+export const controllerListTemplatesTool = defineTool({
+    name: "controller_list_templates",
+    config: {
+        title: "List controller templates",
+        description: "List the VM templates available in the Anka Build Cloud registry. Use this " +
+            "to find the template `vmid` (and optionally a tag) to pass to " +
+            "controller_request_vm.",
+        inputSchema: {},
+        annotations: { title: "List controller templates", readOnlyHint: true, openWorldHint: true }
+    },
+    handler: async () => runControllerTool(async () => {
+        const templates = await controller.listTemplates();
+        return jsonResult({
+            templates: templates.map((t) => ({ id: t.id, name: t.name, arch: t.arch }))
+        });
+    })
+});
+//# sourceMappingURL=list-templates.js.map

package/dist/tools/controller/list-templates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-templates.js","sourceRoot":"","sources":["../../../src/tools/controller/list-templates.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEjD,MAAM,CAAC,MAAM,2BAA2B,GAAG,UAAU,CAAC;IACpD,IAAI,EAAE,2BAA2B;IACjC,MAAM,EAAE;QACN,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,6EAA6E;YAC7E,gEAAgE;YAChE,wBAAwB;QAC1B,WAAW,EAAE,EAAE;QACf,WAAW,EAAE,EAAE,KAAK,EAAE,2BAA2B,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE;KAC7F;IACD,OAAO,EAAE,KAAK,IAAI,EAAE,CAClB,iBAAiB,CAAC,KAAK,IAAI,EAAE;QAC3B,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,aAAa,EAAE,CAAC;QACnD,OAAO,UAAU,CAAC;YAChB,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;SAC5E,CAAC,CAAC;IACL,CAAC,CAAC;CACL,CAAC,CAAC"}

package/dist/tools/controller/request-vm.d.ts

@@ -0,0 +1,8 @@
+import { z } from "zod";
+export declare const controllerRequestVmTool: import("../define-tool.js").ToolDefinition<{
+    vmid: z.ZodString;
+    tag: z.ZodOptional<z.ZodString>;
+    name: z.ZodOptional<z.ZodString>;
+    externalId: z.ZodOptional<z.ZodString>;
+    addSshPortForward: z.ZodOptional<z.ZodBoolean>;
+}>;

package/dist/tools/controller/request-vm.js

@@ -0,0 +1,101 @@
+import { z } from "zod";
+import { config } from "../../config.js";
+import { controller, extractSshEndpoint, isSshReady } from "../../controller.js";
+import { optionalBoundedString, uuidLike } from "../../security/schemas.js";
+import { buildAuthorizedKeysStartupScript, buildSshCommand, encodeStartupScript, generateSshKeypair, probeSshAuth } from "../../ssh-key.js";
+import { buildControllerExternalId } from "../../log.js";
+import { registerControllerInstance } from "../../tokens/ownership.js";
+import { defineTool, jsonResult } from "../define-tool.js";
+import { controllerError } from "./results.js";
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+/** Instance states that mean the VM will never become ready. */
+const FAILED_STATES = new Set(["Error", "Failed", "Terminated", "Terminating", "Stopped"]);
+export const controllerRequestVmTool = defineTool({
+    name: "controller_request_vm",
+    config: {
+        title: "Request a VM from the controller",
+        description: "Start one VM instance from a template on the Anka Build Cloud Controller, wait " +
+            "until it is running and the temporary SSH key authenticates over the forwarded port, " +
+            "then return the connection details (host, forwarded SSH port, username, private key path, " +
+            "ssh command). A temporary ed25519 key is generated and installed on the VM via the " +
+            "controller startup_script. The template must have port forwarding for the SSH guest port " +
+            "(default 22), or set addSshPortForward to add it. The agent then opens the SSH connection itself.",
+        inputSchema: {
+            vmid: uuidLike.describe("UUID of the template to start (from controller_list_templates)."),
+            tag: optionalBoundedString.optional().describe("Optional template tag. Defaults to the latest tag."),
+            name: optionalBoundedString.optional().describe("Optional name for the instance."),
+            externalId: optionalBoundedString
+                .optional()
+                .describe("Optional extra reference appended to the auto-generated external_id " +
+                "(which always records MCP client, IP, user-agent, and session)."),
+            addSshPortForward: z
+                .boolean()
+                .optional()
+                .describe("Add an SSH port-forward rule even if the template lacks one. Defaults to true.")
+        },
+        annotations: { title: "Request a VM from the controller", openWorldHint: true }
+    },
+    handler: async ({ vmid, tag, name, externalId, addSshPortForward = true }) => {
+        try {
+            const { privateKeyPath, publicKey } = await generateSshKeypair();
+            const startupScript = encodeStartupScript(buildAuthorizedKeysStartupScript(publicKey));
+            const instanceId = await controller.startVm({
+                vmid,
+                tag,
+                name,
+                externalId: buildControllerExternalId(externalId),
+                addSshPortForward,
+                startupScript
+            });
+            registerControllerInstance(instanceId);
+            const deadline = Date.now() + config.controllerStartTimeoutMs;
+            let instance;
+            while (Date.now() < deadline) {
+                instance = await controller.getVm(instanceId);
+                if (isSshReady(instance)) {
+                    const endpoint = extractSshEndpoint(instance.vminfo);
+                    const sshVerified = !config.controllerSshProbeEnabled ||
+                        (await probeSshAuth({
+                            privateKeyPath,
+                            host: endpoint.host,
+                            port: endpoint.port,
+                            user: endpoint.username
+                        }));
+                    if (sshVerified) {
+                        return jsonResult({
+                            instance_id: instanceId,
+                            instance_state: instance.instance_state,
+                            ssh: {
+                                ...endpoint,
+                                private_key_path: privateKeyPath,
+                                command: buildSshCommand({
+                                    privateKeyPath,
+                                    host: endpoint.host,
+                                    port: endpoint.port,
+                                    user: endpoint.username
+                                })
+                            }
+                        });
+                    }
+                }
+                if (instance.instance_state && FAILED_STATES.has(instance.instance_state)) {
+                    return jsonResult({
+                        instance_id: instanceId,
+                        instance_state: instance.instance_state,
+                        error: `Instance entered terminal state "${instance.instance_state}" before becoming SSH-ready.`
+                    }, true);
+                }
+                await sleep(config.controllerPollIntervalMs);
+            }
+            return jsonResult({
+                instance_id: instanceId,
+                instance_state: instance?.instance_state,
+                error: `Timed out after ${config.controllerStartTimeoutMs}ms waiting for the VM to become SSH-ready. The instance was started; use controller_get_vm to keep checking or controller_terminate_vm to clean up.`
+            }, true);
+        }
+        catch (error) {
+            return jsonResult({ ok: false, error: controllerError(error) }, true);
+        }
+    }
+});
+//# sourceMappingURL=request-vm.js.map

package/dist/tools/controller/request-vm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-vm.js","sourceRoot":"","sources":["../../../src/tools/controller/request-vm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,UAAU,EAAiB,MAAM,qBAAqB,CAAC;AAChG,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EACL,gCAAgC,EAChC,eAAe,EACf,mBAAmB,EACnB,kBAAkB,EAClB,YAAY,EACb,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,yBAAyB,EAAE,MAAM,cAAc,CAAC;AACzD,OAAO,EACL,0BAA0B,EAC3B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/C,MAAM,KAAK,GAAG,CAAC,EAAU,EAAE,EAAE,CAAC,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAEtF,gEAAgE;AAChE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC,CAAC;AAE3F,MAAM,CAAC,MAAM,uBAAuB,GAAG,UAAU,CAAC;IAChD,IAAI,EAAE,uBAAuB;IAC7B,MAAM,EAAE;QACN,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iFAAiF;YACjF,uFAAuF;YACvF,4FAA4F;YAC5F,qFAAqF;YACrF,2FAA2F;YAC3F,mGAAmG;QACrG,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,iEAAiE,CAAC;YAC1F,GAAG,EAAE,qBAAqB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oDAAoD,CAAC;YACpG,IAAI,EAAE,qBAAqB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,iCAAiC,CAAC;YAClF,UAAU,EAAE,qBAAqB;iBAC9B,QAAQ,EAAE;iBACV,QAAQ,CACP,sEAAsE;gBACpE,iEAAiE,CACpE;YACH,iBAAiB,EAAE,CAAC;iBACjB,OAAO,EAAE;iBACT,QAAQ,EAAE;iBACV,QAAQ,CACP,gFAAgF,CACjF;SACJ;QACD,WAAW,EAAE,EAAE,KAAK,EAAE,kCAAkC,EAAE,aAAa,EAAE,IAAI,EAAE;KAChF;IACD,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,UAAU,EAAE,iBAAiB,GAAG,IAAI,EAAE,EAAE,EAAE;QAC3E,IAAI,CAAC;YACL,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,GAAG,MAAM,kBAAkB,EAAE,CAAC;YACjE,MAAM,aAAa,GAAG,mBAAmB,CAAC,gCAAgC,CAAC,SAAS,CAAC,CAAC,CAAC;YAEvF,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC;gBAC1C,IAAI;gBACJ,GAAG;gBACH,IAAI;gBACJ,UAAU,EAAE,yBAAyB,CAAC,UAAU,CAAC;gBACjD,iBAAiB;gBACjB,aAAa;aACd,CAAC,CAAC;YACH,0BAA0B,CAAC,UAAU,CAAC,CAAC;YAEvC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC;YAC9D,IAAI,QAA8B,CAAC;YAEnC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;gBAC7B,QAAQ,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;gBAE9C,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAE,CAAC;oBACtD,MAAM,WAAW,GACf,CAAC,MAAM,CAAC,yBAAyB;wBACjC,CAAC,MAAM,YAAY,CAAC;4BAClB,cAAc;4BACd,IAAI,EAAE,QAAQ,CAAC,IAAI;4BACnB,IAAI,EAAE,QAAQ,CAAC,IAAI;4BACnB,IAAI,EAAE,QAAQ,CAAC,QAAQ;yBACxB,CAAC,CAAC,CAAC;oBACN,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,UAAU,CAAC;4BAChB,WAAW,EAAE,UAAU;4BACvB,cAAc,EAAE,QAAQ,CAAC,cAAc;4BACvC,GAAG,EAAE;gCACH,GAAG,QAAQ;gCACX,gBAAgB,EAAE,cAAc;gCAChC,OAAO,EAAE,eAAe,CAAC;oCACvB,cAAc;oCACd,IAAI,EAAE,QAAQ,CAAC,IAAI;oCACnB,IAAI,EAAE,QAAQ,CAAC,IAAI;oCACnB,IAAI,EAAE,QAAQ,CAAC,QAAQ;iCACxB,CAAC;6BACH;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,IAAI,QAAQ,CAAC,cAAc,IAAI,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC1E,OAAO,UAAU,CACf;wBACE,WAAW,EAAE,UAAU;wBACvB,cAAc,EAAE,QAAQ,CAAC,cAAc;wBACvC,KAAK,EAAE,oCAAoC,QAAQ,CAAC,cAAc,8BAA8B;qBACjG,EACD,IAAI,CACL,CAAC;gBACJ,CAAC;gBAED,MAAM,KAAK,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;YAC/C,CAAC;YAED,OAAO,UAAU,CACf;gBACE,WAAW,EAAE,UAAU;gBACvB,cAAc,EAAE,QAAQ,EAAE,cAAc;gBACxC,KAAK,EAAE,mBAAmB,MAAM,CAAC,wBAAwB,qJAAqJ;aAC/M,EACD,IAAI,CACL,CAAC;QACF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;CACF,CAAC,CAAC"}

package/dist/tools/controller/results.d.ts

@@ -0,0 +1,5 @@
+import type { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
+/** Extract an agent-safe error string from a controller failure. */
+export declare function controllerError(error: unknown): string;
+/** Run an async controller operation and return a narrow tool result on failure. */
+export declare function runControllerTool(fn: () => Promise<CallToolResult>): Promise<CallToolResult>;

package/dist/tools/controller/results.js

@@ -0,0 +1,23 @@
+import { ControllerError } from "../../controller.js";
+import { sanitizeControllerError, sanitizeUnknownError } from "../../security/sanitize.js";
+import { jsonResult } from "../define-tool.js";
+/** Extract an agent-safe error string from a controller failure. */
+export function controllerError(error) {
+    if (error instanceof ControllerError) {
+        return sanitizeControllerError(error.message);
+    }
+    if (error instanceof Error) {
+        return sanitizeControllerError(error.message);
+    }
+    return sanitizeUnknownError(error);
+}
+/** Run an async controller operation and return a narrow tool result on failure. */
+export async function runControllerTool(fn) {
+    try {
+        return await fn();
+    }
+    catch (error) {
+        return jsonResult({ ok: false, error: controllerError(error) }, true);
+    }
+}
+//# sourceMappingURL=results.js.map

package/dist/tools/controller/results.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"results.js","sourceRoot":"","sources":["../../../src/tools/controller/results.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAC3F,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,oEAAoE;AACpE,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;QACrC,OAAO,uBAAuB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,OAAO,uBAAuB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC;AAED,oFAAoF;AACpF,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,EAAiC;IAEjC,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACxE,CAAC;AACH,CAAC"}

package/dist/tools/controller/terminate-vm.d.ts

@@ -0,0 +1,3 @@
+export declare const controllerTerminateVmTool: import("../define-tool.js").ToolDefinition<{
+    instance_id: import("zod").ZodString;
+}>;

package/dist/tools/controller/terminate-vm.js

@@ -0,0 +1,32 @@
+import { controller } from "../../controller.js";
+import { uuidLike } from "../../security/schemas.js";
+import { releaseControllerInstance, requireControllerInstanceAccess } from "../../tokens/ownership.js";
+import { defineTool, jsonResult } from "../define-tool.js";
+import { runControllerTool } from "./results.js";
+export const controllerTerminateVmTool = defineTool({
+    name: "controller_terminate_vm",
+    config: {
+        title: "Terminate a controller VM",
+        description: "Terminate a running controller VM instance by its instance id.",
+        inputSchema: {
+            instance_id: uuidLike.describe("The instance id to terminate.")
+        },
+        annotations: {
+            title: "Terminate a controller VM",
+            destructiveHint: true,
+            openWorldHint: true
+        }
+    },
+    handler: async ({ instance_id }) => runControllerTool(async () => {
+        try {
+            requireControllerInstanceAccess(instance_id);
+        }
+        catch {
+            return jsonResult({ ok: false, error: "Instance not owned by this credential" }, true);
+        }
+        await controller.terminateVm(instance_id);
+        releaseControllerInstance(instance_id);
+        return jsonResult({ instance_id, terminated: true });
+    })
+});
+//# sourceMappingURL=terminate-vm.js.map

package/dist/tools/controller/terminate-vm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"terminate-vm.js","sourceRoot":"","sources":["../../../src/tools/controller/terminate-vm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AACrD,OAAO,EACL,yBAAyB,EACzB,+BAA+B,EAChC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEjD,MAAM,CAAC,MAAM,yBAAyB,GAAG,UAAU,CAAC;IAClD,IAAI,EAAE,yBAAyB;IAC/B,MAAM,EAAE;QACN,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,gEAAgE;QAC7E,WAAW,EAAE;YACX,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,+BAA+B,CAAC;SAChE;QACD,WAAW,EAAE;YACX,KAAK,EAAE,2BAA2B;YAClC,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,IAAI;SACpB;KACF;IACD,OAAO,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,CACjC,iBAAiB,CAAC,KAAK,IAAI,EAAE;QAC3B,IAAI,CAAC;YACH,+BAA+B,CAAC,WAAW,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,UAAU,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAAE,IAAI,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,UAAU,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QAC1C,yBAAyB,CAAC,WAAW,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC;CACL,CAAC,CAAC"}

package/dist/tools/define-tool.d.ts

@@ -0,0 +1,34 @@
+import type { McpServer, ToolCallback } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
+import type { ZodRawShape } from "zod";
+interface ToolConfig<InputArgs extends ZodRawShape> {
+    title?: string;
+    description: string;
+    inputSchema?: InputArgs;
+    annotations?: {
+        title?: string;
+        readOnlyHint?: boolean;
+        destructiveHint?: boolean;
+        idempotentHint?: boolean;
+        openWorldHint?: boolean;
+    };
+}
+/** A self-contained, registrable MCP tool. */
+export interface ToolDefinition<InputArgs extends ZodRawShape = ZodRawShape> {
+    name: string;
+    config: ToolConfig<InputArgs>;
+    handler: ToolCallback<InputArgs>;
+    register(server: McpServer): void;
+}
+/**
+ * Declare an MCP tool in one place. Add the returned object to the `tools`
+ * array in `tools/index.ts` and it is wired up automatically.
+ */
+export declare function defineTool<InputArgs extends ZodRawShape>(spec: {
+    name: string;
+    config: ToolConfig<InputArgs>;
+    handler: ToolCallback<InputArgs>;
+}): ToolDefinition<InputArgs>;
+/** Serialize a value into a CallToolResult with a single JSON text block. */
+export declare function jsonResult(value: unknown, isError?: boolean): CallToolResult;
+export {};