npm - @yawlabs/tailscale-mcp - Versions diffs - 0.10.4 → 0.10.6 - Mend

@yawlabs/tailscale-mcp 0.10.4 → 0.10.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +139 -121
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -3104,7 +3104,7 @@ var require_utils = __commonJS({
   "node_modules/fast-uri/lib/utils.js"(exports, module) {
     "use strict";
     var isUUID = RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu);
-    var isIPv4 = RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);
+    var isIPv42 = RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);
     function stringArrayToHexStripped(input) {
       let acc = "";
       let code = 0;
@@ -3327,7 +3327,7 @@ var require_utils = __commonJS({
       }
       if (component.host !== void 0) {
         let host = unescape(component.host);
-        if (!isIPv4(host)) {
+        if (!isIPv42(host)) {
           const ipV6res = normalizeIPv6(host);
           if (ipV6res.isIPV6 === true) {
             host = `[${ipV6res.escapedHost}]`;
@@ -3348,7 +3348,7 @@ var require_utils = __commonJS({
       recomposeAuthority,
       normalizeComponentEncoding,
       removeDotSegments,
-      isIPv4,
+      isIPv4: isIPv42,
       isUUID,
       normalizeIPv6,
       stringArrayToHexStripped
@@ -3570,7 +3570,7 @@ var require_schemes = __commonJS({
 var require_fast_uri = __commonJS({
   "node_modules/fast-uri/index.js"(exports, module) {
     "use strict";
-    var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizeComponentEncoding, isIPv4, nonSimpleDomain } = require_utils();
+    var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizeComponentEncoding, isIPv4: isIPv42, nonSimpleDomain } = require_utils();
     var { SCHEMES, getSchemeHandler } = require_schemes();
     function normalize(uri, options) {
       if (typeof uri === "string") {
@@ -3751,7 +3751,7 @@ var require_fast_uri = __commonJS({
           parsed.port = matches[5];
         }
         if (parsed.host) {
-          const ipv4result = isIPv4(parsed.host);
+          const ipv4result = isIPv42(parsed.host);
           if (ipv4result === false) {
             const ipv6result = normalizeIPv6(parsed.host);
             parsed.host = ipv6result.host.toLowerCase();
@@ -30113,6 +30113,9 @@ var StdioServerTransport = class {
   }
 };
+// src/cli.ts
+import { readFileSync } from "node:fs";
 // src/api.ts
 var BASE_URL = "https://api.tailscale.com/api/v2";
 var REQUEST_TIMEOUT_MS = 3e4;
@@ -30207,15 +30210,20 @@ function validateTags(tags) {
 function sanitizeDescription(value) {
   return value.replace(/[/_]/g, "-").replace(/[^a-zA-Z0-9 -]/g, "").replace(/ {2,}/g, " ").trim().slice(0, 50);
 }
-function formatAuthError(apiBody) {
-  const usingOAuth = !process.env.TAILSCALE_API_KEY && process.env.TAILSCALE_OAUTH_CLIENT_ID;
-  const lines = [
-    "Authentication failed (HTTP 401).",
-    "",
-    "Possible causes:",
-    usingOAuth ? "  - OAuth client credentials are invalid or lack required scopes" : "  - API key has expired or been revoked"
-  ];
-  if (process.platform === "win32" && !usingOAuth) {
+function validateAndSanitizeDescription(value) {
+  const sanitized = sanitizeDescription(value);
+  if (sanitized.length > 0) return sanitized;
+  if (value.trim().length === 0) return void 0;
+  throw new Error(
+    `description ${JSON.stringify(value)} contains no valid characters after sanitization. Allowed characters: alphanumeric, spaces, and hyphens (max 50 chars).`
+  );
+}
+function formatAuthError(status, apiBody) {
+  const usingOAuth = !process.env.TAILSCALE_API_KEY && !!process.env.TAILSCALE_OAUTH_CLIENT_ID;
+  const headline = status === 401 ? "Authentication failed (HTTP 401)." : "Authorization failed (HTTP 403): the request was authenticated but not permitted for this resource.";
+  const cause = status === 401 ? usingOAuth ? "  - OAuth client credentials are invalid or lack required scopes" : "  - API key has expired or been revoked" : usingOAuth ? "  - OAuth client is missing a scope required for this endpoint" : "  - API key lacks the permission required for this endpoint";
+  const lines = [headline, "", "Possible causes:", cause];
+  if (status === 401 && process.platform === "win32" && !usingOAuth) {
     lines.push(
       "  - On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd",
       "",
@@ -30224,7 +30232,8 @@ function formatAuthError(apiBody) {
       "  2. Set TAILSCALE_API_KEY as a Windows user environment variable (System Properties > Environment Variables)"
     );
   }
-  lines.push("", "Generate a new key at: https://login.tailscale.com/admin/settings/keys");
+  const link = status === 401 ? "Generate a new key at: https://login.tailscale.com/admin/settings/keys" : usingOAuth ? "Adjust the OAuth client scopes at: https://login.tailscale.com/admin/settings/oauth" : "Adjust the API key permissions at: https://login.tailscale.com/admin/settings/keys";
+  lines.push("", link);
   if (apiBody) {
     lines.push("", `API response: ${apiBody}`);
   }
@@ -30250,28 +30259,32 @@ var concurrencyQueue = [];
 function getConcurrencyLimit() {
   const raw = process.env.TAILSCALE_MAX_CONCURRENT;
   if (!raw) return 0;
-  const n = Number.parseInt(raw, 10);
-  return Number.isFinite(n) && n > 0 ? n : 0;
+  const n = Number(raw);
+  return Number.isInteger(n) && n > 0 ? n : 0;
 }
 function getRequestBudgetMs() {
   const raw = process.env.TAILSCALE_REQUEST_BUDGET_MS;
   if (!raw) return MAX_REQUEST_BUDGET_MS;
-  const n = Number.parseInt(raw, 10);
-  return Number.isFinite(n) && n > 0 ? n : MAX_REQUEST_BUDGET_MS;
+  const n = Number(raw);
+  return Number.isInteger(n) && n > 0 ? n : MAX_REQUEST_BUDGET_MS;
 }
 async function withConcurrencyLimit(fn) {
   const limit = getConcurrencyLimit();
   if (limit === 0) return fn();
   if (inFlight >= limit) {
     await new Promise((resolve) => concurrencyQueue.push(resolve));
+  } else {
+    inFlight++;
   }
-  inFlight++;
   try {
     return await fn();
   } finally {
-    inFlight--;
     const next = concurrencyQueue.shift();
-    if (next) next();
+    if (next) {
+      next();
+    } else {
+      inFlight--;
+    }
   }
 }
 function debugLog(...parts) {
@@ -30347,14 +30360,14 @@ async function apiRequest(method, path, body, options) {
     if (options?.acceptRaw) {
       const rawBody = await response.text();
       if (!response.ok) {
-        const error48 = response.status === 401 ? formatAuthError(rawBody) : extractErrorMessage(rawBody);
+        const error48 = response.status === 401 || response.status === 403 ? formatAuthError(response.status, rawBody) : extractErrorMessage(rawBody);
         return { ok: false, status: response.status, error: error48, rawBody, etag };
       }
       return { ok: true, status: response.status, rawBody, etag };
     }
     if (!response.ok) {
       const errorBody = await response.text();
-      const error48 = response.status === 401 ? formatAuthError(errorBody) : extractErrorMessage(errorBody);
+      const error48 = response.status === 401 || response.status === 403 ? formatAuthError(response.status, errorBody) : extractErrorMessage(errorBody);
       return { ok: false, status: response.status, error: error48, etag };
     }
     if (response.status === 204 || response.headers.get("content-length") === "0") {
@@ -30381,7 +30394,6 @@ async function apiDelete(path, options) {
 }
 // src/cli.ts
-import { readFileSync } from "node:fs";
 async function deployAcl(filePath) {
   let policy;
   try {
@@ -30463,6 +30475,85 @@ function filterTools(groups, options) {
   return result;
 }
+// src/server-wiring.ts
+function wrapToolHandler(tool) {
+  return async (input) => {
+    try {
+      const result = await tool.handler(input);
+      const response = result;
+      if (!response.ok) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Error: ${response.error || "Unknown error"}`
+            }
+          ],
+          isError: true
+        };
+      }
+      const text = response.rawBody ?? JSON.stringify(response.data ?? { success: true }, null, 2);
+      return {
+        content: [{ type: "text", text }]
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        content: [{ type: "text", text: `Error: ${message}` }],
+        isError: true
+      };
+    }
+  };
+}
+async function tailnetStatusResource(uri) {
+  const [devicesRes, settingsRes] = await Promise.all([
+    apiGet(`/tailnet/${getTailnet()}/devices?fields=id`),
+    apiGet(`/tailnet/${getTailnet()}/settings`)
+  ]);
+  const data = {
+    tailnet: getTailnet(),
+    deviceCount: devicesRes.ok ? devicesRes.data?.devices?.length ?? 0 : null,
+    settings: settingsRes.ok ? settingsRes.data : null
+  };
+  const errors = {};
+  if (!devicesRes.ok) errors.devices = devicesRes.error ?? `HTTP ${devicesRes.status}`;
+  if (!settingsRes.ok) errors.settings = settingsRes.error ?? `HTTP ${settingsRes.status}`;
+  if (Object.keys(errors).length > 0) data.errors = errors;
+  return { contents: [{ uri: uri.href, text: JSON.stringify(data, null, 2), mimeType: "application/json" }] };
+}
+async function tailnetDevicesResource(uri) {
+  const res = await apiGet(`/tailnet/${getTailnet()}/devices`);
+  const text = res.ok ? JSON.stringify(res.data, null, 2) : JSON.stringify({ error: res.error ?? `HTTP ${res.status}` }, null, 2);
+  return { contents: [{ uri: uri.href, text, mimeType: "application/json" }] };
+}
+async function tailnetAclResource(uri) {
+  const res = await apiGet(`/tailnet/${getTailnet()}/acl`, { acceptRaw: true, accept: "application/hujson" });
+  const text = res.ok ? res.rawBody ?? "" : `// Error: ${res.error ?? `HTTP ${res.status}`}
+`;
+  return { contents: [{ uri: uri.href, text, mimeType: "application/hujson" }] };
+}
+async function tailnetDnsResource(uri) {
+  const [nameservers, searchPaths, splitDns, preferences] = await Promise.all([
+    apiGet(`/tailnet/${getTailnet()}/dns/nameservers`),
+    apiGet(`/tailnet/${getTailnet()}/dns/searchpaths`),
+    apiGet(`/tailnet/${getTailnet()}/dns/split-dns`),
+    apiGet(`/tailnet/${getTailnet()}/dns/preferences`)
+  ]);
+  const data = {
+    nameservers: nameservers.ok ? nameservers.data : null,
+    searchPaths: searchPaths.ok ? searchPaths.data : null,
+    splitDns: splitDns.ok ? splitDns.data : null,
+    preferences: preferences.ok ? preferences.data : null
+  };
+  const errors = {};
+  if (!nameservers.ok) errors.nameservers = nameservers.error ?? `HTTP ${nameservers.status}`;
+  if (!searchPaths.ok) errors.searchPaths = searchPaths.error ?? `HTTP ${searchPaths.status}`;
+  if (!splitDns.ok) errors.splitDns = splitDns.error ?? `HTTP ${splitDns.status}`;
+  if (!preferences.ok) errors.preferences = preferences.error ?? `HTTP ${preferences.status}`;
+  if (Object.keys(errors).length > 0) data.errors = errors;
+  return { contents: [{ uri: uri.href, text: JSON.stringify(data, null, 2), mimeType: "application/json" }] };
+}
 // src/tools/acl.ts
 var aclTools = [
   {
@@ -30650,6 +30741,18 @@ var auditTools = [
 ];
 // src/tools/devices.ts
+import * as net from "node:net";
+function isCidr(s) {
+  const slash = s.indexOf("/");
+  if (slash < 0) return false;
+  const addr = s.slice(0, slash);
+  const prefix = s.slice(slash + 1);
+  const prefixN = Number(prefix);
+  if (!Number.isInteger(prefixN) || prefixN < 0) return false;
+  if (net.isIPv4(addr)) return prefixN <= 32;
+  if (net.isIPv6(addr)) return prefixN <= 128;
+  return false;
+}
 var deviceTools = [
   {
     name: "tailscale_list_devices",
@@ -30813,16 +30916,7 @@ var deviceTools = [
     },
     inputSchema: external_exports3.object({
       deviceId: external_exports3.string().describe("The device ID"),
-      routes: external_exports3.array(
-        external_exports3.string().refine(
-          // Accept v4 (10.0.0.0/24) or v6 (fd7a:115c::/48) CIDRs. Routes can be either.
-          // Loose check: must contain a '/' followed by 1-3 digits, and the address part
-          // must look like an IPv4 quad-dotted or an IPv6 colon-form. The Tailscale API
-          // is the authoritative validator; this just rejects obvious typos client-side.
-          (s) => /^([\d.]+|[\da-fA-F:]+)\/\d{1,3}$/.test(s),
-          { message: "must be a CIDR (e.g. '10.0.0.0/24' or 'fd7a:115c::/48')" }
-        )
-      ).describe(
+      routes: external_exports3.array(external_exports3.string().refine(isCidr, { message: "must be a CIDR (e.g. '10.0.0.0/24' or 'fd7a:115c::/48')" })).describe(
         "Full list of CIDR routes to enable (e.g. ['10.0.0.0/24', '192.168.1.0/24']). Replaces existing enabled routes."
       )
     }),
@@ -31526,8 +31620,8 @@ var keyTools = [
       const body = {};
       if (keyType !== "auth") body.keyType = keyType;
       if (input.description !== void 0) {
-        const sanitized = sanitizeDescription(input.description);
-        if (sanitized.length > 0) body.description = sanitized;
+        const sanitized = validateAndSanitizeDescription(input.description);
+        if (sanitized !== void 0) body.description = sanitized;
       }
       if (keyType === "auth") {
         body.capabilities = {
@@ -31600,8 +31694,8 @@ var keyTools = [
       validateTags(input.tags);
       const body = {};
       if (input.description !== void 0) {
-        const sanitized = sanitizeDescription(input.description);
-        if (sanitized.length > 0) body.description = sanitized;
+        const sanitized = validateAndSanitizeDescription(input.description);
+        if (sanitized !== void 0) body.description = sanitized;
       }
       if (input.scopes !== void 0) body.scopes = input.scopes;
       if (input.tags !== void 0) body.tags = input.tags;
@@ -32519,7 +32613,7 @@ var webhookTools = [
 ];
 // src/index.ts
-var version2 = true ? "0.10.4" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.10.6" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];
@@ -32576,81 +32670,25 @@ var server = new McpServer({
   version: version2
 });
 for (const tool of allTools) {
-  server.tool(
-    tool.name,
-    tool.description,
-    tool.inputSchema.shape,
-    tool.annotations,
-    async (input) => {
-      try {
-        const result = await tool.handler(input);
-        const response = result;
-        if (!response.ok) {
-          return {
-            content: [
-              {
-                type: "text",
-                text: `Error: ${response.error || "Unknown error"}`
-              }
-            ],
-            isError: true
-          };
-        }
-        const text = response.rawBody ?? JSON.stringify(response.data ?? { success: true }, null, 2);
-        return {
-          content: [{ type: "text", text }]
-        };
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        return {
-          content: [{ type: "text", text: `Error: ${message}` }],
-          isError: true
-        };
-      }
-    }
-  );
+  server.tool(tool.name, tool.description, tool.inputSchema.shape, tool.annotations, wrapToolHandler(tool));
 }
 server.resource(
   "tailnet-status",
   "tailscale://tailnet/status",
   { description: "Current tailnet status including device count and settings", mimeType: "application/json" },
-  async (uri) => {
-    const [devicesRes, settingsRes] = await Promise.all([
-      apiGet(`/tailnet/${getTailnet()}/devices?fields=id`),
-      apiGet(`/tailnet/${getTailnet()}/settings`)
-    ]);
-    const data = {
-      tailnet: getTailnet(),
-      deviceCount: devicesRes.ok ? devicesRes.data?.devices?.length ?? 0 : null,
-      settings: settingsRes.ok ? settingsRes.data : null
-    };
-    const errors = {};
-    if (!devicesRes.ok) errors.devices = devicesRes.error ?? `HTTP ${devicesRes.status}`;
-    if (!settingsRes.ok) errors.settings = settingsRes.error ?? `HTTP ${settingsRes.status}`;
-    if (Object.keys(errors).length > 0) data.errors = errors;
-    return { contents: [{ uri: uri.href, text: JSON.stringify(data, null, 2), mimeType: "application/json" }] };
-  }
+  tailnetStatusResource
 );
 server.resource(
   "tailnet-devices",
   "tailscale://tailnet/devices",
   { description: "List of all devices in the tailnet with their status", mimeType: "application/json" },
-  async (uri) => {
-    const res = await apiGet(`/tailnet/${getTailnet()}/devices`);
-    const text = res.ok ? JSON.stringify(res.data, null, 2) : JSON.stringify({ error: res.error ?? `HTTP ${res.status}` }, null, 2);
-    return { contents: [{ uri: uri.href, text, mimeType: "application/json" }] };
-  }
+  tailnetDevicesResource
 );
 server.resource(
   "tailnet-acl",
   "tailscale://tailnet/acl",
   { description: "Current ACL policy (HuJSON with comments preserved)", mimeType: "application/hujson" },
-  async (uri) => {
-    const res = await apiGet(`/tailnet/${getTailnet()}/acl`, { acceptRaw: true, accept: "application/hujson" });
-    const text = res.ok ? res.rawBody ?? "" : `// Error: ${res.error ?? `HTTP ${res.status}`}
-`;
-    return { contents: [{ uri: uri.href, text, mimeType: "application/hujson" }] };
-  }
+  tailnetAclResource
 );
 server.resource(
   "tailnet-dns",
@@ -32659,27 +32697,7 @@ server.resource(
     description: "DNS configuration including nameservers, search paths, split DNS, and MagicDNS status",
     mimeType: "application/json"
   },
-  async (uri) => {
-    const [nameservers, searchPaths, splitDns, preferences] = await Promise.all([
-      apiGet(`/tailnet/${getTailnet()}/dns/nameservers`),
-      apiGet(`/tailnet/${getTailnet()}/dns/searchpaths`),
-      apiGet(`/tailnet/${getTailnet()}/dns/split-dns`),
-      apiGet(`/tailnet/${getTailnet()}/dns/preferences`)
-    ]);
-    const data = {
-      nameservers: nameservers.ok ? nameservers.data : null,
-      searchPaths: searchPaths.ok ? searchPaths.data : null,
-      splitDns: splitDns.ok ? splitDns.data : null,
-      preferences: preferences.ok ? preferences.data : null
-    };
-    const errors = {};
-    if (!nameservers.ok) errors.nameservers = nameservers.error ?? `HTTP ${nameservers.status}`;
-    if (!searchPaths.ok) errors.searchPaths = searchPaths.error ?? `HTTP ${searchPaths.status}`;
-    if (!splitDns.ok) errors.splitDns = splitDns.error ?? `HTTP ${splitDns.status}`;
-    if (!preferences.ok) errors.preferences = preferences.error ?? `HTTP ${preferences.status}`;
-    if (Object.keys(errors).length > 0) data.errors = errors;
-    return { contents: [{ uri: uri.href, text: JSON.stringify(data, null, 2), mimeType: "application/json" }] };
-  }
+  tailnetDnsResource
 );
 var transport = new StdioServerTransport();
 await server.connect(transport);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.10.4",
+  "version": "0.10.6",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",