@yawlabs/tailscale-mcp 0.2.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (56)
  1. package/README.md +25 -19
  2. package/dist/index.js +22921 -101
  3. package/package.json +10 -11
  4. package/dist/api.d.ts +0 -35
  5. package/dist/api.js +0 -134
  6. package/dist/api.js.map +0 -1
  7. package/dist/index.d.ts +0 -2
  8. package/dist/index.js.map +0 -1
  9. package/dist/tools/acl.d.ts +0 -86
  10. package/dist/tools/acl.js +0 -105
  11. package/dist/tools/acl.js.map +0 -1
  12. package/dist/tools/audit.d.ts +0 -50
  13. package/dist/tools/audit.js +0 -60
  14. package/dist/tools/audit.js.map +0 -1
  15. package/dist/tools/devices.d.ts +0 -290
  16. package/dist/tools/devices.js +0 -254
  17. package/dist/tools/devices.js.map +0 -1
  18. package/dist/tools/dns.d.ts +0 -130
  19. package/dist/tools/dns.js +0 -139
  20. package/dist/tools/dns.js.map +0 -1
  21. package/dist/tools/invites.d.ts +0 -158
  22. package/dist/tools/invites.js +0 -160
  23. package/dist/tools/invites.js.map +0 -1
  24. package/dist/tools/keys.d.ts +0 -94
  25. package/dist/tools/keys.js +0 -92
  26. package/dist/tools/keys.js.map +0 -1
  27. package/dist/tools/log-streaming.d.ts +0 -90
  28. package/dist/tools/log-streaming.js +0 -89
  29. package/dist/tools/log-streaming.js.map +0 -1
  30. package/dist/tools/network-lock.d.ts +0 -14
  31. package/dist/tools/network-lock.js +0 -20
  32. package/dist/tools/network-lock.js.map +0 -1
  33. package/dist/tools/oauth-clients.d.ts +0 -118
  34. package/dist/tools/oauth-clients.js +0 -102
  35. package/dist/tools/oauth-clients.js.map +0 -1
  36. package/dist/tools/posture.d.ts +0 -126
  37. package/dist/tools/posture.js +0 -103
  38. package/dist/tools/posture.js.map +0 -1
  39. package/dist/tools/services.d.ts +0 -124
  40. package/dist/tools/services.js +0 -106
  41. package/dist/tools/services.js.map +0 -1
  42. package/dist/tools/status.d.ts +0 -26
  43. package/dist/tools/status.js +0 -38
  44. package/dist/tools/status.js.map +0 -1
  45. package/dist/tools/tailnet.d.ts +0 -130
  46. package/dist/tools/tailnet.js +0 -96
  47. package/dist/tools/tailnet.js.map +0 -1
  48. package/dist/tools/users.d.ts +0 -118
  49. package/dist/tools/users.js +0 -108
  50. package/dist/tools/users.js.map +0 -1
  51. package/dist/tools/webhooks.d.ts +0 -126
  52. package/dist/tools/webhooks.js +0 -121
  53. package/dist/tools/webhooks.js.map +0 -1
  54. package/dist/tools/workload-identity.d.ts +0 -118
  55. package/dist/tools/workload-identity.js +0 -105
  56. package/dist/tools/workload-identity.js.map +0 -1
package/README.md CHANGED
@@ -3,7 +3,7 @@
3
3
  [![npm version](https://img.shields.io/npm/v/@yawlabs/tailscale-mcp)](https://www.npmjs.com/package/@yawlabs/tailscale-mcp)
4
4
  [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
5
5
  [![GitHub stars](https://img.shields.io/github/stars/YawLabs/tailscale-mcp)](https://github.com/YawLabs/tailscale-mcp/stargazers)
6
- [![CI](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml)
6
+ [![CI](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/ci.yml) [![Release](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml/badge.svg)](https://github.com/YawLabs/tailscale-mcp/actions/workflows/release.yml)
7
7
 
8
8
  **Manage your Tailscale tailnet from Claude Code, Cursor, and any MCP client.** 81 tools + 4 resources. One env var. Works on first try.
9
9
 
@@ -17,6 +17,7 @@ Other Tailscale MCP servers were vibe-coded in a weekend and abandoned. This one
17
17
  - **Safe ACL updates** — uses ETags to prevent overwriting concurrent changes. No silent data loss.
18
18
  - **Tool annotations** — every tool declares `readOnlyHint`, `destructiveHint`, and `idempotentHint`, so MCP clients skip confirmation dialogs for safe operations.
19
19
  - **MCP Resources** — exposes tailnet status, device list, ACL policy, and DNS config as browsable resources.
20
+ - **Instant startup** — ships as a single self-contained bundle with zero runtime dependencies. `npx` downloads ~150 KB and starts immediately — no 5-minute `node_modules` installs.
20
21
  - **Zero restarts** — the server always starts, even with missing credentials. Auth errors surface as clear tool-call errors, not silent crashes that force you to restart your AI assistant.
21
22
  - **One env var setup** — no config files, no setup wizards, no multi-step flows.
22
23
  - **Every tool verified** — no placeholder endpoints that 404. If it's in the tool list, it works.
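Review bot: The added "Instant startup" bullet presents the single self-contained bundle as a pure benefit without saying what is inside it. In this release `package/dist/index.js` grows by 22921 lines while every per-module `.js`, `.d.ts` and `.js.map` file under `dist/` is removed, which indicates that third-party code is now inlined rather than declared as dependencies, so consumers' dependency scanners that work from the declared dependency tree will not report on it. Suggest adding a sentence that names the bundled libraries and their versions (or links to an SBOM), and consider continuing to publish the source map so the shipped bundle can be compared against the repository.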
@@ -33,8 +34,6 @@ export TAILSCALE_API_KEY="tskey-api-..."
33
34
 
34
35
  **2. Create `.mcp.json` in your project root**
35
36
 
36
- macOS / Linux / WSL:
37
-
38
37
  ```json
39
38
  {
40
39
  "mcpServers": {
@@ -46,20 +45,7 @@ macOS / Linux / WSL:
46
45
  }
47
46
  ```
48
47
 
49
- Windows:
50
-
51
- ```json
52
- {
53
- "mcpServers": {
54
- "tailscale": {
55
- "command": "cmd",
56
- "args": ["/c", "npx", "-y", "@yawlabs/tailscale-mcp"]
57
- }
58
- }
59
- }
60
- ```
61
-
62
- > **Tip:** This file is safe to commit — it contains no secrets. Teammates who set their own `TAILSCALE_API_KEY` will get the MCP server automatically.
48
+ > **Tip:** This file is safe to commit — it contains no secrets. Teammates who set their own `TAILSCALE_API_KEY` will get the MCP server automatically. Works on macOS, Linux, and Windows — no platform-specific config needed.
63
49
 
64
50
  **3. Restart and approve**
65
51
 
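Review bot: The expanded tip (the last added line) recommends committing `.mcp.json` for the whole team, yet the removed Windows block shows the launch arguments as `"npx", "-y", "@yawlabs/tailscale-mcp"` with no version. If the retained config uses the same unpinned form, every teammate who picks up the committed file runs whatever version is latest at that moment, without a prompt, in a process that reads `TAILSCALE_API_KEY`. Suggest showing a pinned version in the example (for instance `@yawlabs/tailscale-mcp@0.4.0`) and saying so in the tip. The hunk also drops the `cmd /c` wrapper without explaining what changed to make it unnecessary on Windows; one sentence on that would help readers who still have the old config.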
@@ -201,8 +187,8 @@ MCP Resources expose read-only data that clients can browse without tool calls.
201
187
 
202
188
  | Tool | Description |
203
189
  |------|-------------|
204
- | `tailscale_get_tailnet_settings` | Get tailnet settings |
205
- | `tailscale_update_tailnet_settings` | Update tailnet settings |
190
+ | `tailscale_get_tailnet_settings` | Get tailnet settings (HTTPS, device approval, key expiry, etc.) |
191
+ | `tailscale_update_tailnet_settings` | Update tailnet settings (HTTPS certificates, approval, auto-updates, key expiry, posture, regional routing, network flow logging) |
206
192
  | `tailscale_get_contacts` | Get tailnet contacts |
207
193
  | `tailscale_set_contacts` | Set tailnet contacts |
208
194
 
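Review bot: The new description for `tailscale_update_tailnet_settings` lists device approval, key expiry, posture and network flow logging as things the tool can change, but the table row does not say how the tool is annotated. These are security controls for the tailnet, and the README states earlier that clients skip confirmation dialogs based on `readOnlyHint`, `destructiveHint` and `idempotentHint`. Suggest stating in this row (or a footnote to the table) which hints the update tool declares, so an operator can tell whether a change to approval or key expiry will prompt for confirmation.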
@@ -329,6 +315,26 @@ MCP Resources expose read-only data that clients can browse without tool calls.
329
315
 
330
316
  </details>
331
317
 
318
+ ## GitOps: deploy ACLs from CI
319
+
320
+ The recommended workflow for ACL management is to keep your policy in git and deploy it automatically on merge. This gives you code review, history, and no accidental overwrites from stale browser tabs.
321
+
322
+ The `deploy-acl` CLI subcommand handles everything — ETag fetching, validation, and deployment — in a single command:
323
+
324
+ ```bash
325
+ npx @yawlabs/tailscale-mcp deploy-acl tailscale/acl.json
326
+ ```
327
+
328
+ Works with any CI system — just set `TAILSCALE_API_KEY` and `TAILSCALE_TAILNET` as env vars.
329
+
330
+ **Optional:** Lock the Admin Console to prevent manual edits that drift from git:
331
+
332
+ ```
333
+ > "Set aclsExternallyManagedOn to true and aclsExternalLink to our repo URL"
334
+ ```
335
+
336
+ This shows a read-only banner in the Tailscale Admin Console pointing to your repo. Use the MCP for reads and one-off operations (audit logs, device management, investigations), and let CI handle ACL deployments.
337
+
332
338
  ## Requirements
333
339
 
334
340
  - Node.js 18 or higher
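Review bot: The CI command in the new GitOps section, `npx @yawlabs/tailscale-mcp deploy-acl tailscale/acl.json`, is unpinned, so each pipeline run fetches the latest published version and executes it with `TAILSCALE_API_KEY` in the environment. Suggest pinning the version in the example and noting that upgrades should go through review like any other change to the pipeline. The section also says only to set `TAILSCALE_API_KEY` and `TAILSCALE_TAILNET`; it should say what access the key needs for `deploy-acl` and recommend a credential limited to that, stored as a CI secret. Finally, the "Optional" block is a natural-language prompt in an untagged fence; naming the tool it maps to (presumably `tailscale_update_tailnet_settings`, given the setting names) would make the step reproducible.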