npm - @yawlabs/tailscale-mcp - Versions diffs - 0.10.1 → 0.10.2 - Mend

@yawlabs/tailscale-mcp 0.10.1 → 0.10.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -195,6 +195,8 @@ The server checks for an API key first, then falls back to OAuth. If neither is
 **`TAILSCALE_MAX_CONCURRENT=N`** — cap in-flight API requests at `N`. Default is unlimited (no behavior change for users who don't opt in). Useful when an agent fans out aggressively against a tailnet that has stricter limits than the per-call retry can absorb.
+**`TAILSCALE_REQUEST_BUDGET_MS=N`** — total wall-clock budget per request, including 429 retries and their sleeps. Default `90000` (90s). When the next retry's predicted wall time would exceed the budget, the call surfaces the 429 immediately instead of holding the line. Tune lower if your MCP client has a tighter outer timeout. 429s on non-idempotent methods (POST, PATCH) are never retried — those return immediately regardless of budget.
 **Friendlier error messages.** JSON error bodies of the form `{"message":"..."}` or `{"error":"..."}` are unwrapped before display, so you see the prose explanation instead of raw JSON. 401s still get the full multi-line auth-error formatter (with the Windows env-var hint when applicable).
 ## Resources (4)

package/dist/index.js CHANGED Viewed

@@ -30119,20 +30119,28 @@ var REQUEST_TIMEOUT_MS = 3e4;
 var MAX_429_RETRIES = 3;
 var DEFAULT_429_DELAY_MS = 1e3;
 var MAX_429_DELAY_MS = 3e4;
+var MAX_REQUEST_BUDGET_MS = 9e4;
+var RETRYABLE_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "PUT", "DELETE"]);
 var oauthToken = null;
 var oauthRefreshPromise = null;
 function getAuthConfig() {
   const apiKey = process.env.TAILSCALE_API_KEY;
   const oauthClientId = process.env.TAILSCALE_OAUTH_CLIENT_ID;
   const oauthClientSecret = process.env.TAILSCALE_OAUTH_CLIENT_SECRET;
-  if (apiKey) {
-    if (apiKey.trim() === "") {
+  if (apiKey !== void 0) {
+    const trimmedKey = apiKey.trim();
+    if (trimmedKey === "") {
       throw new Error("TAILSCALE_API_KEY is set but empty. Provide a valid API key.");
     }
-    return { kind: "apiKey", apiKey };
+    return { kind: "apiKey", apiKey: trimmedKey };
   }
-  if (oauthClientId && oauthClientSecret) {
-    return { kind: "oauth", clientId: oauthClientId, clientSecret: oauthClientSecret };
+  if (oauthClientId !== void 0 || oauthClientSecret !== void 0) {
+    const trimmedId = (oauthClientId ?? "").trim();
+    const trimmedSecret = (oauthClientSecret ?? "").trim();
+    if (trimmedId === "" || trimmedSecret === "") {
+      throw new Error("TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET must both be set and non-empty.");
+    }
+    return { kind: "oauth", clientId: trimmedId, clientSecret: trimmedSecret };
   }
   const hint = process.platform === "win32" ? ' On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd. Either add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json, or set it as a Windows user environment variable.' : "";
   throw new Error(
@@ -30245,6 +30253,12 @@ function getConcurrencyLimit() {
   const n = Number.parseInt(raw, 10);
   return Number.isFinite(n) && n > 0 ? n : 0;
 }
+function getRequestBudgetMs() {
+  const raw = process.env.TAILSCALE_REQUEST_BUDGET_MS;
+  if (!raw) return MAX_REQUEST_BUDGET_MS;
+  const n = Number.parseInt(raw, 10);
+  return Number.isFinite(n) && n > 0 ? n : MAX_REQUEST_BUDGET_MS;
+}
 async function withConcurrencyLimit(fn) {
   const limit = getConcurrencyLimit();
   if (limit === 0) return fn();
@@ -30309,12 +30323,19 @@ async function apiRequest(method, path, body, options) {
   const url2 = path.startsWith("http") ? path : `${BASE_URL}${path}`;
   const startedAt = Date.now();
   debugLog(`${method} ${url2}`);
+  const isRetryable = RETRYABLE_METHODS.has(method.toUpperCase());
+  const requestBudgetMs = getRequestBudgetMs();
   return withConcurrencyLimit(async () => {
     let res;
     for (let attempt = 0; attempt <= MAX_429_RETRIES; attempt++) {
       res = await executeFetch(method, url2, headers, fetchBody);
-      if (res.status !== 429 || attempt === MAX_429_RETRIES) break;
+      if (res.status !== 429 || attempt === MAX_429_RETRIES || !isRetryable) break;
       const delay = compute429DelayMs(res.headers.get("retry-after"), attempt);
+      const elapsed2 = Date.now() - startedAt;
+      if (elapsed2 + delay + REQUEST_TIMEOUT_MS > requestBudgetMs) {
+        debugLog(`  -> 429 (attempt ${attempt + 1}), giving up: budget exhausted (${elapsed2}ms + ${delay}ms)`);
+        break;
+      }
       debugLog(`  -> 429 (attempt ${attempt + 1}/${MAX_429_RETRIES + 1}), retrying in ${delay}ms`);
       await res.text().catch(() => void 0);
       await new Promise((r) => setTimeout(r, delay));
@@ -30411,7 +30432,7 @@ function filterTools(groups, options) {
   let unknownProfile2;
   if (options.profile) {
     const profileKey = options.profile.trim().toLowerCase();
-    if (profileKey in PROFILES) {
+    if (Object.hasOwn(PROFILES, profileKey)) {
       const preset = PROFILES[profileKey];
       profileGroups = preset.length > 0 ? [...preset] : void 0;
     } else {
@@ -30551,8 +30572,15 @@ var aclTools = [
 // src/tools/audit.ts
 function assertRFC3339(value, label) {
   const rfc3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;
+  const err = () => new Error(`${label} must be a valid RFC3339 date-time (e.g. '2026-04-01T00:00:00Z'), got: '${value}'`);
   if (!rfc3339.test(value) || Number.isNaN(Date.parse(value))) {
-    throw new Error(`${label} must be a valid RFC3339 date-time (e.g. '2026-04-01T00:00:00Z'), got: '${value}'`);
+    throw err();
+  }
+  const dateOnly = value.slice(0, 10);
+  const [y, m, d] = dateOnly.split("-").map(Number);
+  const utc = /* @__PURE__ */ new Date(`${dateOnly}T00:00:00Z`);
+  if (Number.isNaN(utc.getTime()) || utc.getUTCFullYear() !== y || utc.getUTCMonth() + 1 !== m || utc.getUTCDate() !== d) {
+    throw err();
   }
 }
 var MAX_LOG_RANGE_MS = 30 * 24 * 60 * 60 * 1e3;
@@ -31200,6 +31228,9 @@ var dnsTools = [
       for (const [key, value] of Object.entries(input)) {
         if (value !== void 0) body[key] = value;
       }
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: dns, searchPaths, splitDns, magicDNS.");
+      }
       return apiPost(`/tailnet/${getTailnet()}/dns/configuration`, body);
     }
   }
@@ -32134,7 +32165,7 @@ var tailnetTools = [
   },
   {
     name: "tailscale_set_contacts",
-    description: "Update tailnet contact information.",
+    description: "Update tailnet contact information. Each provided contact type (account/support/security) is PATCHed in parallel; per-type errors are returned alongside the successes so a partial failure doesn't lose the work that succeeded. On partial failure the response is data: { applied, failed } -- inspect data.failed for per-type error details.",
     annotations: {
       title: "Set contacts",
       readOnlyHint: false,
@@ -32391,7 +32422,7 @@ var webhookTools = [
     },
     inputSchema: external_exports3.object({
       endpointUrl: external_exports3.string().url().refine((u) => u.startsWith("https://"), "endpointUrl must use https://").describe("The HTTPS URL to send webhook events to"),
-      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).describe("Event types to subscribe to")
+      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).min(1).describe("Event types to subscribe to (at least one)")
     }),
     handler: async (input) => {
       return apiPost(`/tailnet/${getTailnet()}/webhooks`, {
@@ -32413,7 +32444,7 @@ var webhookTools = [
     inputSchema: external_exports3.object({
       webhookId: external_exports3.string().describe("The webhook ID to update"),
       endpointUrl: external_exports3.string().url().refine((u) => u.startsWith("https://"), "endpointUrl must use https://").optional().describe("New HTTPS URL to send webhook events to"),
-      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).optional().describe("Updated list of event types to subscribe to")
+      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).min(1).optional().describe("Updated list of event types to subscribe to (at least one)")
     }),
     handler: async (input) => {
       const body = {};
@@ -32481,7 +32512,7 @@ var webhookTools = [
 ];
 // src/index.ts
-var version2 = true ? "0.10.1" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.10.2" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.10.1",
+  "version": "0.10.2",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",
@@ -28,13 +28,14 @@
   ],
   "scripts": {
     "build": "tsc && node build.mjs",
+    "clean": "node -e \"require('node:fs').rmSync('dist',{recursive:true,force:true})\"",
     "dev": "tsc --watch",
     "start": "node dist/index.js",
     "test": "npm run build && node --test dist/**/*.test.js",
     "test:ci": "npm run test",
     "lint": "biome check src/",
     "lint:fix": "biome check --write src/",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run clean && npm run build"
   },
   "dependencies": {},
   "overrides": {