@yawlabs/tailscale-mcp 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 YawLabs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,218 @@
+# @yawlabs/tailscale-mcp
+
+[![npm version](https://img.shields.io/npm/v/@yawlabs/tailscale-mcp)](https://www.npmjs.com/package/@yawlabs/tailscale-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![GitHub stars](https://img.shields.io/github/stars/YawLabs/tailscale-mcp)](https://github.com/YawLabs/tailscale-mcp/stargazers)
+
+**Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 43 tools. One env var. Works on first try.
+
+Built and maintained by [YawLabs](https://yaw.sh).
+
+## Why this one?
+
+Other Tailscale MCP servers were vibe-coded in a weekend and abandoned. This one was built for production use and tested against the real Tailscale API — every single endpoint.
+
+- **Preserves ACL formatting** — reads and writes HuJSON (comments, trailing commas, indentation). Others compact your carefully formatted policy into a single line.
+- **Safe ACL updates** — uses ETags to prevent overwriting concurrent changes. No silent data loss.
+- **Zero restarts** — the server always starts, even with missing credentials. Auth errors surface as clear tool-call errors, not silent crashes that force you to restart your AI assistant.
+- **One env var setup** — no config files, no setup wizards, no multi-step flows.
+- **Every tool verified** — no placeholder endpoints that 404. If it's in the tool list, it works.
+
+## Quick start
+
+Add to your MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "tailscale": {
+      "command": "npx",
+      "args": ["-y", "@yawlabs/tailscale-mcp"],
+      "env": {
+        "TAILSCALE_API_KEY": "tskey-api-..."
+      }
+    }
+  }
+}
+```
+
+Get your API key from [Tailscale Admin Console > Settings > Keys](https://login.tailscale.com/admin/settings/keys).
+
+That's it. Now ask your AI assistant:
+
+> "List my Tailscale devices"
+
+```
+┌────────────┬─────────┬────────────────┬──────────────────────┐
+│  Hostname  │   OS    │  Tailscale IP  │      Last Seen       │
+├────────────┼─────────┼────────────────┼──────────────────────┤
+│ web-prod   │ Linux   │ 100.x.x.1     │ 2026-04-03 21:09 UTC │
+├────────────┼─────────┼────────────────┼──────────────────────┤
+│ db-staging │ Linux   │ 100.x.x.2     │ 2026-04-03 21:09 UTC │
+├────────────┼─────────┼────────────────┼──────────────────────┤
+│ dev-laptop │ macOS   │ 100.x.x.3     │ 2026-04-03 21:09 UTC │
+└────────────┴─────────┴────────────────┴──────────────────────┘
+```
+
+> "Show me the ACL policy"
+
+Returns your full policy with formatting, comments, and structure intact — plus an ETag for safe updates.
+
+> "Who changed the DNS settings yesterday?"
+
+Pulls the audit log so you can see exactly who did what and when.
+
+## Authentication
+
+**API key (recommended):** Set `TAILSCALE_API_KEY`. Simplest option, works immediately.
+
+**OAuth (scoped access):** For fine-grained permissions, set `TAILSCALE_OAUTH_CLIENT_ID` and `TAILSCALE_OAUTH_CLIENT_SECRET` instead. Create an OAuth client at [Tailscale Admin Console > Settings > OAuth](https://login.tailscale.com/admin/settings/oauth).
+
+The server checks for an API key first, then falls back to OAuth. If neither is set, tools return a clear error telling you what to configure.
+
+**Tailnet:** Uses your default tailnet automatically. Set `TAILSCALE_TAILNET` to specify one explicitly.
+
+## Tools (43)
+
+### Status
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_status` | Verify API connection, see tailnet info and device count |
+
+<details>
+<summary><strong>Devices</strong> (10 tools)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_list_devices` | List all devices with status, IPs, OS, and last seen |
+| `tailscale_get_device` | Get detailed info for a specific device |
+| `tailscale_authorize_device` | Authorize a pending device |
+| `tailscale_deauthorize_device` | Deauthorize a device |
+| `tailscale_delete_device` | Remove a device from the tailnet |
+| `tailscale_rename_device` | Rename a device |
+| `tailscale_expire_device` | Expire a device's key, forcing re-authentication |
+| `tailscale_get_device_routes` | Get advertised and enabled subnet routes |
+| `tailscale_set_device_routes` | Enable or disable subnet routes |
+| `tailscale_set_device_tags` | Set ACL tags on a device |
+
+</details>
+
+<details>
+<summary><strong>ACL / Policy</strong> (4 tools) — with HuJSON formatting preservation and ETag safety</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_get_acl` | Get ACL policy with formatting preserved (HuJSON) + ETag |
+| `tailscale_update_acl` | Update ACL policy (requires ETag for safe concurrent edits) |
+| `tailscale_validate_acl` | Validate a policy without applying it |
+| `tailscale_preview_acl` | Preview rules that would apply to a user or IP |
+
+</details>
+
+<details>
+<summary><strong>DNS</strong> (8 tools)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_get_nameservers` | Get DNS nameservers |
+| `tailscale_set_nameservers` | Set DNS nameservers |
+| `tailscale_get_search_paths` | Get DNS search paths |
+| `tailscale_set_search_paths` | Set DNS search paths |
+| `tailscale_get_split_dns` | Get split DNS configuration |
+| `tailscale_set_split_dns` | Set split DNS configuration |
+| `tailscale_get_dns_preferences` | Get DNS preferences (MagicDNS) |
+| `tailscale_set_dns_preferences` | Set DNS preferences (MagicDNS) |
+
+</details>
+
+<details>
+<summary><strong>Auth Keys</strong> (4 tools)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_list_keys` | List auth keys |
+| `tailscale_get_key` | Get details for an auth key |
+| `tailscale_create_key` | Create a new auth key |
+| `tailscale_delete_key` | Delete an auth key |
+
+</details>
+
+<details>
+<summary><strong>Users</strong> (2 tools)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_list_users` | List all users in the tailnet |
+| `tailscale_get_user` | Get details for a specific user |
+
+</details>
+
+<details>
+<summary><strong>Tailnet Settings</strong> (5 tools)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_get_tailnet_settings` | Get tailnet settings |
+| `tailscale_update_tailnet_settings` | Update tailnet settings |
+| `tailscale_get_contacts` | Get tailnet contacts |
+| `tailscale_set_contacts` | Set tailnet contacts |
+| `tailscale_get_tailnet_keys` | Get auth keys and tailnet lock signing key info |
+
+</details>
+
+<details>
+<summary><strong>Webhooks</strong> (4 tools)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_list_webhooks` | List webhooks |
+| `tailscale_get_webhook` | Get a specific webhook |
+| `tailscale_create_webhook` | Create a webhook |
+| `tailscale_delete_webhook` | Delete a webhook |
+
+</details>
+
+<details>
+<summary><strong>Posture Integrations</strong> (4 tools)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_list_posture_integrations` | List posture integrations |
+| `tailscale_get_posture_integration` | Get a posture integration |
+| `tailscale_create_posture_integration` | Create a posture integration |
+| `tailscale_delete_posture_integration` | Delete a posture integration |
+
+</details>
+
+<details>
+<summary><strong>Audit Log</strong> (1 tool)</summary>
+
+| Tool | Description |
+|------|-------------|
+| `tailscale_get_audit_log` | Get configuration audit log (who changed what, when) |
+
+</details>
+
+## Contributing
+
+Contributions are welcome. Please [open an issue](https://github.com/YawLabs/tailscale-mcp/issues) to discuss what you'd like to change before submitting a PR.
+
+To develop locally:
+
+```bash
+git clone https://github.com/YawLabs/tailscale-mcp.git
+cd tailscale-mcp
+npm install
+npm run build
+```
+
+Test against your own tailnet by setting `TAILSCALE_API_KEY` and running:
+
+```bash
+node dist/index.js
+```
+
+## License
+
+MIT

package/dist/api.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Tailscale API client with API key and OAuth authentication.
+ */
+export declare function getTailnet(): string;
+export interface ApiResponse<T = unknown> {
+    ok: boolean;
+    status: number;
+    data?: T;
+    error?: string;
+    rawBody?: string;
+    etag?: string;
+}
+export declare function apiRequest<T = unknown>(method: string, path: string, body?: unknown, options?: {
+    rawBody?: string;
+    acceptRaw?: boolean;
+    accept?: string;
+    contentType?: string;
+    ifMatch?: string;
+}): Promise<ApiResponse<T>>;
+export declare function apiGet<T = unknown>(path: string, options?: {
+    acceptRaw?: boolean;
+    accept?: string;
+}): Promise<ApiResponse<T>>;
+export declare function apiPost<T = unknown>(path: string, body?: unknown, options?: {
+    rawBody?: string;
+    contentType?: string;
+    ifMatch?: string;
+}): Promise<ApiResponse<T>>;
+export declare function apiPatch<T = unknown>(path: string, body?: unknown): Promise<ApiResponse<T>>;
+export declare function apiDelete<T = unknown>(path: string): Promise<ApiResponse<T>>;

package/dist/api.js

@@ -0,0 +1,108 @@
+/**
+ * Tailscale API client with API key and OAuth authentication.
+ */
+const BASE_URL = "https://api.tailscale.com/api/v2";
+let oauthToken = null;
+function getConfig() {
+    const apiKey = process.env.TAILSCALE_API_KEY;
+    const oauthClientId = process.env.TAILSCALE_OAUTH_CLIENT_ID;
+    const oauthClientSecret = process.env.TAILSCALE_OAUTH_CLIENT_SECRET;
+    const tailnet = process.env.TAILSCALE_TAILNET || "-";
+    if (!apiKey && !(oauthClientId && oauthClientSecret)) {
+        throw new Error("No Tailscale credentials configured. " +
+            "Set TAILSCALE_API_KEY, or set TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET.");
+    }
+    return { apiKey, oauthClientId, oauthClientSecret, tailnet };
+}
+async function getOAuthAccessToken(clientId, clientSecret) {
+    if (oauthToken && Date.now() < oauthToken.expires_at - 60_000) {
+        return oauthToken.access_token;
+    }
+    const res = await fetch("https://api.tailscale.com/api/v2/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            client_id: clientId,
+            client_secret: clientSecret,
+            grant_type: "client_credentials",
+        }),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`OAuth token exchange failed (${res.status}): ${body}`);
+    }
+    const data = (await res.json());
+    oauthToken = {
+        access_token: data.access_token,
+        expires_at: Date.now() + data.expires_in * 1000,
+    };
+    return oauthToken.access_token;
+}
+async function getAuthHeader() {
+    const config = getConfig();
+    if (config.apiKey) {
+        return `Basic ${Buffer.from(config.apiKey + ":").toString("base64")}`;
+    }
+    const token = await getOAuthAccessToken(config.oauthClientId, config.oauthClientSecret);
+    return `Bearer ${token}`;
+}
+export function getTailnet() {
+    return process.env.TAILSCALE_TAILNET || "-";
+}
+export async function apiRequest(method, path, body, options) {
+    const auth = await getAuthHeader();
+    const headers = {
+        Authorization: auth,
+    };
+    if (options?.accept) {
+        headers["Accept"] = options.accept;
+    }
+    if (options?.ifMatch) {
+        headers["If-Match"] = options.ifMatch;
+    }
+    let fetchBody;
+    if (options?.rawBody !== undefined) {
+        headers["Content-Type"] = options.contentType || "application/json";
+        fetchBody = options.rawBody;
+    }
+    else if (body !== undefined) {
+        headers["Content-Type"] = "application/json";
+        fetchBody = JSON.stringify(body);
+    }
+    const url = path.startsWith("http") ? path : `${BASE_URL}${path}`;
+    const res = await fetch(url, {
+        method,
+        headers,
+        body: fetchBody,
+    });
+    const etag = res.headers.get("etag") || undefined;
+    if (options?.acceptRaw) {
+        const rawBody = await res.text();
+        if (!res.ok) {
+            return { ok: false, status: res.status, error: rawBody, rawBody, etag };
+        }
+        return { ok: true, status: res.status, rawBody, etag };
+    }
+    if (!res.ok) {
+        const errorBody = await res.text();
+        return { ok: false, status: res.status, error: errorBody };
+    }
+    if (res.status === 204 || res.headers.get("content-length") === "0") {
+        return { ok: true, status: res.status };
+    }
+    const data = (await res.json());
+    return { ok: true, status: res.status, data };
+}
+export async function apiGet(path, options) {
+    return apiRequest("GET", path, undefined, options);
+}
+export async function apiPost(path, body, options) {
+    return apiRequest("POST", path, body, options);
+}
+export async function apiPatch(path, body) {
+    return apiRequest("PATCH", path, body);
+}
+export async function apiDelete(path) {
+    return apiRequest("DELETE", path);
+}
+//# sourceMappingURL=api.js.map

package/dist/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,QAAQ,GAAG,kCAAkC,CAAC;AAOpD,IAAI,UAAU,GAAsB,IAAI,CAAC;AAEzC,SAAS,SAAS;IAChB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC7C,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IAC5D,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;IACpE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC;IAErD,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,aAAa,IAAI,iBAAiB,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CACb,uCAAuC;YACrC,4FAA4F,CAC/F,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,iBAAiB,EAAE,OAAO,EAAE,CAAC;AAC/D,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAgB,EAChB,YAAoB;IAEpB,IAAI,UAAU,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,UAAU,GAAG,MAAM,EAAE,CAAC;QAC9D,OAAO,UAAU,CAAC,YAAY,CAAC;IACjC,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8CAA8C,EAAE;QACtE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,oBAAoB;SACjC,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiD,CAAC;IAChF,UAAU,GAAG;QACX,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;KAChD,CAAC;IACF,OAAO,UAAU,CAAC,YAAY,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,aAAa;IAC1B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,SAAS,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,mBAAmB,CACrC,MAAM,CAAC,aAAc,EACrB,MAAM,CAAC,iBAAkB,CAC1B,CAAC;IACF,OAAO,UAAU,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC;AAC9C,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAc,EACd,IAAY,EACZ,IAAc,EACd,OAA4G;IAE5G,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;IAEnC,MAAM,OAAO,GAA2B;QACtC,aAAa,EAAE,IAAI;KACpB,CAAC;IAEF,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;QACpB,OAAO,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IACrC,CAAC;IAED,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,OAAO,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IACxC,CAAC;IAED,IAAI,SAA6B,CAAC;IAElC,IAAI,OAAO,EAAE,OAAO,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,CAAC,cAAc,CAAC,GAAG,OAAO,CAAC,WAAW,IAAI,kBAAkB,CAAC;QACpE,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC;IAC9B,CAAC;SAAM,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC7C,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,QAAQ,GAAG,IAAI,EAAE,CAAC;IAElE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM;QACN,OAAO;QACP,IAAI,EAAE,SAAS;KAChB,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;IAElD,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC1E,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACzD,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAC7D,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,GAAG,EAAE,CAAC;QACpE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;IACrC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,IAAY,EACZ,OAAkD;IAElD,OAAO,UAAU,CAAI,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,IAAY,EACZ,IAAc,EACd,OAAsE;IAEtE,OAAO,UAAU,CAAI,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,IAAY,EACZ,IAAc;IAEd,OAAO,UAAU,CAAI,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAY;IAEZ,OAAO,UAAU,CAAI,QAAQ,EAAE,IAAI,CAAC,CAAC;AACvC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,70 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { deviceTools } from "./tools/devices.js";
+import { aclTools } from "./tools/acl.js";
+import { dnsTools } from "./tools/dns.js";
+import { keyTools } from "./tools/keys.js";
+import { userTools } from "./tools/users.js";
+import { tailnetTools } from "./tools/tailnet.js";
+import { webhookTools } from "./tools/webhooks.js";
+import { networkLockTools } from "./tools/network-lock.js";
+import { postureTools } from "./tools/posture.js";
+import { auditTools } from "./tools/audit.js";
+import { statusTools } from "./tools/status.js";
+const allTools = [
+    ...statusTools,
+    ...deviceTools,
+    ...aclTools,
+    ...dnsTools,
+    ...keyTools,
+    ...userTools,
+    ...tailnetTools,
+    ...webhookTools,
+    ...networkLockTools,
+    ...postureTools,
+    ...auditTools,
+];
+const server = new McpServer({
+    name: "@yawlabs/tailscale-mcp",
+    version: "0.1.0",
+});
+for (const tool of allTools) {
+    server.tool(tool.name, tool.description, tool.inputSchema.shape, async (input) => {
+        try {
+            const result = await tool.handler(input);
+            const response = result;
+            if (!response.ok) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: `Error: ${response.error || "Unknown error"}`,
+                        },
+                    ],
+                    isError: true,
+                };
+            }
+            const text = response.rawBody ?? JSON.stringify(response.data ?? { success: true }, null, 2);
+            return {
+                content: [{ type: "text", text }],
+            };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return {
+                content: [{ type: "text", text: `Error: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((err) => {
+    console.error("Fatal:", err);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,MAAM,QAAQ,GAAG;IACf,GAAG,WAAW;IACd,GAAG,WAAW;IACd,GAAG,QAAQ;IACX,GAAG,QAAQ;IACX,GAAG,QAAQ;IACX,GAAG,SAAS;IACZ,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;IACnB,GAAG,YAAY;IACf,GAAG,UAAU;CACd,CAAC;AAEF,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,wBAAwB;IAC9B,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;IAC5B,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,WAAW,CAAC,KAAK,EACtB,KAAK,EAAE,KAA8B,EAAE,EAAE;QACvC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAO,IAAI,CAAC,OAAgD,CAAC,KAAK,CAAC,CAAC;YACnF,MAAM,QAAQ,GAAG,MAA2E,CAAC;YAE7F,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,UAAU,QAAQ,CAAC,KAAK,IAAI,eAAe,EAAE;yBACpD;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAC7F,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,CAAC;aAC3C,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,UAAU,OAAO,EAAE,EAAE,CAAC;gBAC/D,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/tools/acl.d.ts

@@ -0,0 +1,58 @@
+import { z } from "zod";
+export declare const aclTools: readonly [{
+    readonly name: "tailscale_get_acl";
+    readonly description: "Get the current ACL policy for your tailnet. Returns the raw policy text with original formatting preserved, including comments and trailing commas (HuJSON). Also returns an ETag — you must pass it to tailscale_update_acl to safely update the policy.";
+    readonly inputSchema: z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>;
+    readonly handler: () => Promise<import("../api.js").ApiResponse<unknown>>;
+}, {
+    readonly name: "tailscale_update_acl";
+    readonly description: "Update the ACL policy for your tailnet. Accepts the full policy as a string to preserve formatting, comments, and trailing commas (HuJSON). You MUST pass the ETag from tailscale_get_acl to prevent overwriting concurrent changes. Always get the current ACL first, make targeted edits to the text, and pass the full modified text back.";
+    readonly inputSchema: z.ZodObject<{
+        policy: z.ZodString;
+        etag: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        etag: string;
+        policy: string;
+    }, {
+        etag: string;
+        policy: string;
+    }>;
+    readonly handler: (input: {
+        policy: string;
+        etag: string;
+    }) => Promise<import("../api.js").ApiResponse<unknown>>;
+}, {
+    readonly name: "tailscale_validate_acl";
+    readonly description: "Validate an ACL policy without applying it. Returns any errors found.";
+    readonly inputSchema: z.ZodObject<{
+        policy: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        policy: string;
+    }, {
+        policy: string;
+    }>;
+    readonly handler: (input: {
+        policy: string;
+    }) => Promise<import("../api.js").ApiResponse<unknown>>;
+}, {
+    readonly name: "tailscale_preview_acl";
+    readonly description: "Preview the ACL rules that would apply to a specific user or IP address if a proposed policy were applied.";
+    readonly inputSchema: z.ZodObject<{
+        policy: z.ZodString;
+        type: z.ZodEnum<["user", "ipport"]>;
+        previewFor: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type: "user" | "ipport";
+        policy: string;
+        previewFor: string;
+    }, {
+        type: "user" | "ipport";
+        policy: string;
+        previewFor: string;
+    }>;
+    readonly handler: (input: {
+        policy: string;
+        type: string;
+        previewFor: string;
+    }) => Promise<import("../api.js").ApiResponse<unknown>>;
+}];

package/dist/tools/acl.js

@@ -0,0 +1,72 @@
+import { z } from "zod";
+import { apiGet, apiPost, getTailnet } from "../api.js";
+export const aclTools = [
+    {
+        name: "tailscale_get_acl",
+        description: "Get the current ACL policy for your tailnet. Returns the raw policy text with original formatting preserved, including comments and trailing commas (HuJSON). Also returns an ETag — you must pass it to tailscale_update_acl to safely update the policy.",
+        inputSchema: z.object({}),
+        handler: async () => {
+            const res = await apiGet(`/tailnet/${getTailnet()}/acl`, {
+                acceptRaw: true,
+                accept: "application/hujson",
+            });
+            if (res.ok && res.etag) {
+                return {
+                    ...res,
+                    rawBody: `${res.rawBody}\n\n---\nETag: ${res.etag}\nPass this ETag to tailscale_update_acl when updating the policy.`,
+                };
+            }
+            return res;
+        },
+    },
+    {
+        name: "tailscale_update_acl",
+        description: "Update the ACL policy for your tailnet. Accepts the full policy as a string to preserve formatting, comments, and trailing commas (HuJSON). You MUST pass the ETag from tailscale_get_acl to prevent overwriting concurrent changes. Always get the current ACL first, make targeted edits to the text, and pass the full modified text back.",
+        inputSchema: z.object({
+            policy: z
+                .string()
+                .describe("The full ACL policy text. Preserve existing formatting, comments, and structure. Only modify the specific parts that need to change."),
+            etag: z
+                .string()
+                .describe("The ETag from tailscale_get_acl. Required to prevent concurrent edit conflicts."),
+        }),
+        handler: async (input) => {
+            return apiPost(`/tailnet/${getTailnet()}/acl`, undefined, {
+                rawBody: input.policy,
+                contentType: "application/hujson",
+                ifMatch: input.etag,
+            });
+        },
+    },
+    {
+        name: "tailscale_validate_acl",
+        description: "Validate an ACL policy without applying it. Returns any errors found.",
+        inputSchema: z.object({
+            policy: z.string().describe("The full ACL policy text to validate"),
+        }),
+        handler: async (input) => {
+            return apiPost(`/tailnet/${getTailnet()}/acl/validate`, undefined, {
+                rawBody: input.policy,
+                contentType: "application/hujson",
+            });
+        },
+    },
+    {
+        name: "tailscale_preview_acl",
+        description: "Preview the ACL rules that would apply to a specific user or IP address if a proposed policy were applied.",
+        inputSchema: z.object({
+            policy: z.string().describe("The proposed ACL policy text to preview"),
+            type: z
+                .enum(["user", "ipport"])
+                .describe("Preview type: 'user' to see rules for a user, 'ipport' to see rules for an IP"),
+            previewFor: z
+                .string()
+                .describe("The user email (for type 'user') or IP:port (for type 'ipport') to preview rules for"),
+        }),
+        handler: async (input) => {
+            const params = new URLSearchParams({ type: input.type, previewFor: input.previewFor });
+            return apiPost(`/tailnet/${getTailnet()}/acl/preview?${params}`, undefined, { rawBody: input.policy, contentType: "application/hujson" });
+        },
+    },
+];
+//# sourceMappingURL=acl.js.map

package/dist/tools/acl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl.js","sourceRoot":"","sources":["../../src/tools/acl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAExD,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB;QACE,IAAI,EAAE,mBAAmB;QACzB,WAAW,EACT,4PAA4P;QAC9P,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,KAAK,IAAI,EAAE;YAClB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,YAAY,UAAU,EAAE,MAAM,EAAE;gBACvD,SAAS,EAAE,IAAI;gBACf,MAAM,EAAE,oBAAoB;aAC7B,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;gBACvB,OAAO;oBACL,GAAG,GAAG;oBACN,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,kBAAkB,GAAG,CAAC,IAAI,oEAAoE;iBACtH,CAAC;YACJ,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;KACF;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EACT,+UAA+U;QACjV,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,MAAM,EAAE,CAAC;iBACN,MAAM,EAAE;iBACR,QAAQ,CACP,sIAAsI,CACvI;YACH,IAAI,EAAE,CAAC;iBACJ,MAAM,EAAE;iBACR,QAAQ,CACP,iFAAiF,CAClF;SACJ,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAAuC,EAAE,EAAE;YACzD,OAAO,OAAO,CAAC,YAAY,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE;gBACxD,OAAO,EAAE,KAAK,CAAC,MAAM;gBACrB,WAAW,EAAE,oBAAoB;gBACjC,OAAO,EAAE,KAAK,CAAC,IAAI;aACpB,CAAC,CAAC;QACL,CAAC;KACF;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,uEAAuE;QACpF,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;SACpE,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAAyB,EAAE,EAAE;YAC3C,OAAO,OAAO,CAAC,YAAY,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE;gBACjE,OAAO,EAAE,KAAK,CAAC,MAAM;gBACrB,WAAW,EAAE,oBAAoB;aAClC,CAAC,CAAC;QACL,CAAC;KACF;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EACT,4GAA4G;QAC9G,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,yCAAyC,CAAC;YACtE,IAAI,EAAE,CAAC;iBACJ,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;iBACxB,QAAQ,CAAC,+EAA+E,CAAC;YAC5F,UAAU,EAAE,CAAC;iBACV,MAAM,EAAE;iBACR,QAAQ,CAAC,sFAAsF,CAAC;SACpG,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAA2D,EAAE,EAAE;YAC7E,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC;YACvF,OAAO,OAAO,CACZ,YAAY,UAAU,EAAE,gBAAgB,MAAM,EAAE,EAChD,SAAS,EACT,EAAE,OAAO,EAAE,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,oBAAoB,EAAE,CAC7D,CAAC;QACJ,CAAC;KACF;CACO,CAAC"}

package/dist/tools/audit.d.ts

@@ -0,0 +1,19 @@
+import { z } from "zod";
+export declare const auditTools: readonly [{
+    readonly name: "tailscale_get_audit_log";
+    readonly description: "Get the tailnet audit/configuration log. Shows who changed what and when — useful for troubleshooting and compliance.";
+    readonly inputSchema: z.ZodObject<{
+        start: z.ZodString;
+        end: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        start: string;
+        end?: string | undefined;
+    }, {
+        start: string;
+        end?: string | undefined;
+    }>;
+    readonly handler: (input: {
+        start: string;
+        end?: string;
+    }) => Promise<import("../api.js").ApiResponse<unknown>>;
+}];

package/dist/tools/audit.js

@@ -0,0 +1,24 @@
+import { z } from "zod";
+import { apiGet, getTailnet } from "../api.js";
+export const auditTools = [
+    {
+        name: "tailscale_get_audit_log",
+        description: "Get the tailnet audit/configuration log. Shows who changed what and when — useful for troubleshooting and compliance.",
+        inputSchema: z.object({
+            start: z
+                .string()
+                .describe("Start time in RFC3339 format (e.g. '2026-04-01T00:00:00Z'). Required."),
+            end: z
+                .string()
+                .optional()
+                .describe("End time in RFC3339 format. Defaults to now."),
+        }),
+        handler: async (input) => {
+            const params = new URLSearchParams({ start: input.start });
+            if (input.end)
+                params.set("end", input.end);
+            return apiGet(`/tailnet/${getTailnet()}/logging/configuration?${params}`);
+        },
+    },
+];
+//# sourceMappingURL=audit.js.map

package/dist/tools/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/tools/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAE/C,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB;QACE,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EACT,uHAAuH;QACzH,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,KAAK,EAAE,CAAC;iBACL,MAAM,EAAE;iBACR,QAAQ,CAAC,uEAAuE,CAAC;YACpF,GAAG,EAAE,CAAC;iBACH,MAAM,EAAE;iBACR,QAAQ,EAAE;iBACV,QAAQ,CAAC,8CAA8C,CAAC;SAC5D,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAAsC,EAAE,EAAE;YACxD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YAC3D,IAAI,KAAK,CAAC,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5C,OAAO,MAAM,CACX,YAAY,UAAU,EAAE,0BAA0B,MAAM,EAAE,CAC3D,CAAC;QACJ,CAAC;KACF;CACO,CAAC"}