@yawlabs/tailscale-mcp 0.10.1 → 0.10.3

package/README.md

@@ -195,6 +195,8 @@ The server checks for an API key first, then falls back to OAuth. If neither is
 
 **`TAILSCALE_MAX_CONCURRENT=N`** — cap in-flight API requests at `N`. Default is unlimited (no behavior change for users who don't opt in). Useful when an agent fans out aggressively against a tailnet that has stricter limits than the per-call retry can absorb.
 
+**`TAILSCALE_REQUEST_BUDGET_MS=N`** — total wall-clock budget per request, including 429 retries and their sleeps. Default `90000` (90s). When the next retry's predicted wall time would exceed the budget, the call surfaces the 429 immediately instead of holding the line. Tune lower if your MCP client has a tighter outer timeout. 429s on non-idempotent methods (POST, PATCH) are never retried — those return immediately regardless of budget.
+
 **Friendlier error messages.** JSON error bodies of the form `{"message":"..."}` or `{"error":"..."}` are unwrapped before display, so you see the prose explanation instead of raw JSON. 401s still get the full multi-line auth-error formatter (with the Windows env-var hint when applicable).
 
 ## Resources (4)

package/dist/index.js

@@ -30119,20 +30119,28 @@ var REQUEST_TIMEOUT_MS = 3e4;
 var MAX_429_RETRIES = 3;
 var DEFAULT_429_DELAY_MS = 1e3;
 var MAX_429_DELAY_MS = 3e4;
+var MAX_REQUEST_BUDGET_MS = 9e4;
+var RETRYABLE_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "PUT", "DELETE"]);
 var oauthToken = null;
 var oauthRefreshPromise = null;
 function getAuthConfig() {
   const apiKey = process.env.TAILSCALE_API_KEY;
   const oauthClientId = process.env.TAILSCALE_OAUTH_CLIENT_ID;
   const oauthClientSecret = process.env.TAILSCALE_OAUTH_CLIENT_SECRET;
-  if (apiKey) {
-    if (apiKey.trim() === "") {
+  if (apiKey !== void 0) {
+    const trimmedKey = apiKey.trim();
+    if (trimmedKey === "") {
       throw new Error("TAILSCALE_API_KEY is set but empty. Provide a valid API key.");
     }
-    return { kind: "apiKey", apiKey };
+    return { kind: "apiKey", apiKey: trimmedKey };
   }
-  if (oauthClientId && oauthClientSecret) {
-    return { kind: "oauth", clientId: oauthClientId, clientSecret: oauthClientSecret };
+  if (oauthClientId !== void 0 || oauthClientSecret !== void 0) {
+    const trimmedId = (oauthClientId ?? "").trim();
+    const trimmedSecret = (oauthClientSecret ?? "").trim();
+    if (trimmedId === "" || trimmedSecret === "") {
+      throw new Error("TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET must both be set and non-empty.");
+    }
+    return { kind: "oauth", clientId: trimmedId, clientSecret: trimmedSecret };
   }
   const hint = process.platform === "win32" ? ' On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd. Either add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json, or set it as a Windows user environment variable.' : "";
   throw new Error(
@@ -30245,6 +30253,12 @@ function getConcurrencyLimit() {
   const n = Number.parseInt(raw, 10);
   return Number.isFinite(n) && n > 0 ? n : 0;
 }
+function getRequestBudgetMs() {
+  const raw = process.env.TAILSCALE_REQUEST_BUDGET_MS;
+  if (!raw) return MAX_REQUEST_BUDGET_MS;
+  const n = Number.parseInt(raw, 10);
+  return Number.isFinite(n) && n > 0 ? n : MAX_REQUEST_BUDGET_MS;
+}
 async function withConcurrencyLimit(fn) {
   const limit = getConcurrencyLimit();
   if (limit === 0) return fn();
@@ -30309,12 +30323,19 @@ async function apiRequest(method, path, body, options) {
   const url2 = path.startsWith("http") ? path : `${BASE_URL}${path}`;
   const startedAt = Date.now();
   debugLog(`${method} ${url2}`);
+  const isRetryable = RETRYABLE_METHODS.has(method.toUpperCase());
+  const requestBudgetMs = getRequestBudgetMs();
   return withConcurrencyLimit(async () => {
     let res;
     for (let attempt = 0; attempt <= MAX_429_RETRIES; attempt++) {
       res = await executeFetch(method, url2, headers, fetchBody);
-      if (res.status !== 429 || attempt === MAX_429_RETRIES) break;
+      if (res.status !== 429 || attempt === MAX_429_RETRIES || !isRetryable) break;
       const delay = compute429DelayMs(res.headers.get("retry-after"), attempt);
+      const elapsed2 = Date.now() - startedAt;
+      if (elapsed2 + delay + REQUEST_TIMEOUT_MS > requestBudgetMs) {
+        debugLog(`  -> 429 (attempt ${attempt + 1}), giving up: budget exhausted (${elapsed2}ms + ${delay}ms)`);
+        break;
+      }
       debugLog(`  -> 429 (attempt ${attempt + 1}/${MAX_429_RETRIES + 1}), retrying in ${delay}ms`);
       await res.text().catch(() => void 0);
       await new Promise((r) => setTimeout(r, delay));
@@ -30384,6 +30405,10 @@ async function deployAcl(filePath) {
     console.error(`ACL validation failed: ${validateRes.error}`);
     process.exit(1);
   }
+  if (validateRes.rawBody?.trim()) {
+    console.error(`ACL validation failed: ${extractErrorMessage(validateRes.rawBody.trim())}`);
+    process.exit(1);
+  }
   const deployRes = await apiPost(`/tailnet/${getTailnet()}/acl`, void 0, {
     rawBody: policy,
     contentType: "application/hujson",
@@ -30411,7 +30436,7 @@ function filterTools(groups, options) {
   let unknownProfile2;
   if (options.profile) {
     const profileKey = options.profile.trim().toLowerCase();
-    if (profileKey in PROFILES) {
+    if (Object.hasOwn(PROFILES, profileKey)) {
       const preset = PROFILES[profileKey];
       profileGroups = preset.length > 0 ? [...preset] : void 0;
     } else {
@@ -30551,8 +30576,15 @@ var aclTools = [
 // src/tools/audit.ts
 function assertRFC3339(value, label) {
   const rfc3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;
+  const err = () => new Error(`${label} must be a valid RFC3339 date-time (e.g. '2026-04-01T00:00:00Z'), got: '${value}'`);
   if (!rfc3339.test(value) || Number.isNaN(Date.parse(value))) {
-    throw new Error(`${label} must be a valid RFC3339 date-time (e.g. '2026-04-01T00:00:00Z'), got: '${value}'`);
+    throw err();
+  }
+  const dateOnly = value.slice(0, 10);
+  const [y, m, d] = dateOnly.split("-").map(Number);
+  const utc = /* @__PURE__ */ new Date(`${dateOnly}T00:00:00Z`);
+  if (Number.isNaN(utc.getTime()) || utc.getUTCFullYear() !== y || utc.getUTCMonth() + 1 !== m || utc.getUTCDate() !== d) {
+    throw err();
   }
 }
 var MAX_LOG_RANGE_MS = 30 * 24 * 60 * 60 * 1e3;
@@ -31200,6 +31232,9 @@ var dnsTools = [
       for (const [key, value] of Object.entries(input)) {
         if (value !== void 0) body[key] = value;
       }
+      if (Object.keys(body).length === 0) {
+        throw new Error("No fields to update. Provide at least one of: dns, searchPaths, splitDns, magicDNS.");
+      }
       return apiPost(`/tailnet/${getTailnet()}/dns/configuration`, body);
     }
   }
@@ -31239,7 +31274,7 @@ var inviteTools = [
       deviceId: external_exports3.string().describe("The device ID to create an invite for"),
       multiUse: external_exports3.boolean().optional().describe("Whether the invite can be used more than once (default: false)"),
       allowExitNode: external_exports3.boolean().optional().describe("Whether the invited device can be used as an exit node (default: false)"),
-      email: external_exports3.string().email().optional().describe("Email address to send the invite to")
+      email: external_exports3.email().optional().describe("Email address to send the invite to")
     }),
     handler: async (input) => {
       const body = {};
@@ -31327,7 +31362,7 @@ var inviteTools = [
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      email: external_exports3.string().email().optional().describe("Email address to send the invite to"),
+      email: external_exports3.email().optional().describe("Email address to send the invite to"),
       role: external_exports3.enum(["member", "admin", "it-admin", "network-admin", "billing-admin", "auditor"]).optional().describe("Role to assign to the invited user (default: member)")
     }),
     handler: async (input) => {
@@ -32134,7 +32169,7 @@ var tailnetTools = [
   },
   {
     name: "tailscale_set_contacts",
-    description: "Update tailnet contact information.",
+    description: "Update tailnet contact information. Each provided contact type (account/support/security) is PATCHed in parallel; per-type errors are returned alongside the successes so a partial failure doesn't lose the work that succeeded. On partial failure the response is data: { applied, failed } -- inspect data.failed for per-type error details.",
     annotations: {
       title: "Set contacts",
       readOnlyHint: false,
@@ -32143,12 +32178,15 @@ var tailnetTools = [
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      account: external_exports3.object({ email: external_exports3.string().email() }).optional().describe("Account contact email"),
-      support: external_exports3.object({ email: external_exports3.string().email() }).optional().describe("Support contact email"),
-      security: external_exports3.object({ email: external_exports3.string().email() }).optional().describe("Security contact email")
+      account: external_exports3.object({ email: external_exports3.email() }).optional().describe("Account contact email"),
+      support: external_exports3.object({ email: external_exports3.email() }).optional().describe("Support contact email"),
+      security: external_exports3.object({ email: external_exports3.email() }).optional().describe("Security contact email")
     }),
     handler: async (input) => {
       const types = ["account", "support", "security"].filter((t) => input[t] !== void 0);
+      if (types.length === 0) {
+        throw new Error("No fields to update. Provide at least one of: account, support, security.");
+      }
       const results = await Promise.all(
         types.map(async (contactType) => {
           const res = await apiPatch(
@@ -32391,7 +32429,7 @@ var webhookTools = [
     },
     inputSchema: external_exports3.object({
       endpointUrl: external_exports3.string().url().refine((u) => u.startsWith("https://"), "endpointUrl must use https://").describe("The HTTPS URL to send webhook events to"),
-      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).describe("Event types to subscribe to")
+      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).min(1).describe("Event types to subscribe to (at least one)")
     }),
     handler: async (input) => {
       return apiPost(`/tailnet/${getTailnet()}/webhooks`, {
@@ -32413,7 +32451,7 @@ var webhookTools = [
     inputSchema: external_exports3.object({
       webhookId: external_exports3.string().describe("The webhook ID to update"),
       endpointUrl: external_exports3.string().url().refine((u) => u.startsWith("https://"), "endpointUrl must use https://").optional().describe("New HTTPS URL to send webhook events to"),
-      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).optional().describe("Updated list of event types to subscribe to")
+      subscriptions: external_exports3.array(external_exports3.enum(webhookEventTypes)).min(1).optional().describe("Updated list of event types to subscribe to (at least one)")
     }),
     handler: async (input) => {
       const body = {};
@@ -32481,7 +32519,7 @@ var webhookTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.10.1" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.10.3" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.10.1",
+  "version": "0.10.3",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",
@@ -28,13 +28,14 @@
   ],
   "scripts": {
     "build": "tsc && node build.mjs",
+    "clean": "node -e \"require('node:fs').rmSync('dist',{recursive:true,force:true})\"",
     "dev": "tsc --watch",
     "start": "node dist/index.js",
     "test": "npm run build && node --test dist/**/*.test.js",
     "test:ci": "npm run test",
     "lint": "biome check src/",
     "lint:fix": "biome check --write src/",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run clean && npm run build"
   },
   "dependencies": {},
   "overrides": {