npm - @yawlabs/tailscale-mcp - Versions diffs - 0.6.4 → 0.7.0 - Mend

@yawlabs/tailscale-mcp 0.6.4 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -9,6 +9,10 @@
 Built and maintained by [YawLabs](https://yaw.sh).
+[![Add to mcp.hosting](https://mcp.hosting/install-button.svg)](https://mcp.hosting/install?name=Tailscale&command=npx&args=-y%2C%40yawlabs%2Ftailscale-mcp&env=TAILSCALE_API_KEY&description=Manage%20your%20Tailscale%20tailnet%20-%20devices%2C%20ACLs%2C%20DNS%2C%20keys&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Ftailscale-mcp)
+One click adds this to your [mcp.hosting](https://mcp.hosting) account so it syncs to every MCP client you use. Or install manually below.
 ## Why this one?
 Other Tailscale MCP servers were vibe-coded in a weekend and abandoned. This one was built for production use and tested against the real Tailscale API.
@@ -34,6 +38,8 @@ export TAILSCALE_API_KEY="tskey-api-..."
 **2. Create `.mcp.json` in your project root**
+macOS / Linux / WSL:
 ```json
 {
   "mcpServers": {
@@ -45,7 +51,20 @@ export TAILSCALE_API_KEY="tskey-api-..."
 }
 ```
-> **Tip:** This file is safe to commit — it contains no secrets. Teammates who set their own `TAILSCALE_API_KEY` will get the MCP server automatically. Works on macOS, Linux, and Windows — no platform-specific config needed.
+Windows:
+```json
+{
+  "mcpServers": {
+    "tailscale": {
+      "command": "cmd",
+      "args": ["/c", "npx", "-y", "@yawlabs/tailscale-mcp"]
+    }
+  }
+}
+```
+> **Why the extra step on Windows?** Since Node 20, `child_process.spawn` cannot directly execute `.cmd` files (that's what `npx` is on Windows). Wrapping with `cmd /c` is the standard workaround and is what MCP clients expect. This file is safe to commit — it contains no secrets.
 **3. Restart and approve**

package/dist/index.js CHANGED Viewed

@@ -21015,21 +21015,23 @@ var BASE_URL = "https://api.tailscale.com/api/v2";
 var REQUEST_TIMEOUT_MS = 3e4;
 var oauthToken = null;
 var oauthRefreshPromise = null;
-function getConfig() {
+function getAuthConfig() {
   const apiKey = process.env.TAILSCALE_API_KEY;
   const oauthClientId = process.env.TAILSCALE_OAUTH_CLIENT_ID;
   const oauthClientSecret = process.env.TAILSCALE_OAUTH_CLIENT_SECRET;
-  const tailnet = process.env.TAILSCALE_TAILNET || "-";
-  if (!apiKey && !(oauthClientId && oauthClientSecret)) {
-    const hint = process.platform === "win32" ? ' On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd. Either add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json, or set it as a Windows user environment variable.' : "";
-    throw new Error(
-      `No Tailscale credentials configured. Set TAILSCALE_API_KEY, or set both TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET.${hint}`
-    );
+  if (apiKey) {
+    if (apiKey.trim() === "") {
+      throw new Error("TAILSCALE_API_KEY is set but empty. Provide a valid API key.");
+    }
+    return { kind: "apiKey", apiKey };
   }
-  if (apiKey && apiKey.trim() === "") {
-    throw new Error("TAILSCALE_API_KEY is set but empty. Provide a valid API key.");
+  if (oauthClientId && oauthClientSecret) {
+    return { kind: "oauth", clientId: oauthClientId, clientSecret: oauthClientSecret };
   }
-  return { apiKey, oauthClientId, oauthClientSecret, tailnet };
+  const hint = process.platform === "win32" ? ' On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd. Either add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json, or set it as a Windows user environment variable.' : "";
+  throw new Error(
+    `No Tailscale credentials configured. Set TAILSCALE_API_KEY, or set both TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET.${hint}`
+  );
 }
 async function getOAuthAccessToken(clientId, clientSecret) {
   if (oauthToken && Date.now() < oauthToken.expires_at - 6e4) {
@@ -21067,11 +21069,11 @@ async function getOAuthAccessToken(clientId, clientSecret) {
   return oauthRefreshPromise;
 }
 async function getAuthHeader() {
-  const config2 = getConfig();
-  if (config2.apiKey) {
+  const config2 = getAuthConfig();
+  if (config2.kind === "apiKey") {
     return `Basic ${Buffer.from(`${config2.apiKey}:`).toString("base64")}`;
   }
-  const token = await getOAuthAccessToken(config2.oauthClientId, config2.oauthClientSecret);
+  const token = await getOAuthAccessToken(config2.clientId, config2.clientSecret);
   return `Bearer ${token}`;
 }
 function getTailnet() {
@@ -21080,6 +21082,13 @@ function getTailnet() {
 function encPath(segment) {
   return encodeURIComponent(segment);
 }
+function validateTags(tags) {
+  if (!tags || tags.length === 0) return;
+  const invalid = tags.filter((t) => !t.startsWith("tag:"));
+  if (invalid.length > 0) {
+    throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
+  }
+}
 function sanitizeDescription(value) {
   return value.replace(/[/_]/g, "-").replace(/[^a-zA-Z0-9 -]/g, "").replace(/ {2,}/g, " ").trim().slice(0, 50);
 }
@@ -21622,10 +21631,7 @@ var deviceTools = [
       tags: external_exports.array(external_exports.string()).describe("Full list of ACL tags (e.g. ['tag:server', 'tag:production']). Replaces all existing tags.")
     }),
     handler: async (input) => {
-      const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-      if (invalid.length > 0) {
-        throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-      }
+      validateTags(input.tags);
       return apiPost(`/device/${encPath(input.deviceId)}/tags`, { tags: input.tags });
     }
   },
@@ -22136,7 +22142,7 @@ var keyTools = [
   },
   {
     name: "tailscale_create_key",
-    description: "Create a new key in your tailnet. Supports auth keys (for adding devices), OAuth clients (for programmatic API access), and federated identities (for OIDC-based CI/CD access). Returns the key value \u2014 save it immediately, as it cannot be retrieved again.",
+    description: "Create a new key in your tailnet. Supports auth keys (for adding devices), OAuth clients (for programmatic API access), and federated identities (for OIDC-based CI/CD access). Returns the key value \u2014 save it immediately, as it cannot be retrieved again.\n\nExamples:\n- Auth key: {keyType:'auth', reusable:true, tags:['tag:ci']}\n- OAuth client: {keyType:'client', scopes:['devices:read','dns']}\n- Federated (GitHub Actions): {keyType:'federated', scopes:['devices:read'], issuer:'https://token.actions.githubusercontent.com', subject:'repo:my-org/my-repo:*'}",
     annotations: {
       title: "Create key",
       readOnlyHint: false,
@@ -22167,12 +22173,7 @@ var keyTools = [
       customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Custom claim mapping rules")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const keyType = input.keyType ?? "auth";
       if (keyType !== "auth") {
         const authOnlyFields = ["reusable", "ephemeral", "preauthorized", "expirySeconds"];
@@ -22252,12 +22253,7 @@ var keyTools = [
       customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Updated custom claim rules")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const body = {};
       if (input.description !== void 0) body.description = sanitizeDescription(input.description);
       if (input.scopes !== void 0) body.scopes = input.scopes;
@@ -22489,12 +22485,7 @@ var oauthClientTools = [
       description: external_exports.string().optional().describe("Description for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const body = { ...input };
       body.name = sanitizeDescription(input.name);
       if (input.description !== void 0) body.description = sanitizeDescription(input.description);
@@ -22719,12 +22710,7 @@ var serviceTools = [
       autoApproveHosts: external_exports.boolean().optional().describe("Whether to auto-approve devices that want to host this service")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const { serviceName, ...body } = input;
       const cleanBody = {};
       for (const [key, value] of Object.entries(body)) {
@@ -23351,7 +23337,7 @@ var workloadIdentityTools = [
 ];
 // src/index.ts
-var version2 = true ? "0.6.4" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.7.0" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];
@@ -23487,4 +23473,5 @@ server.resource(
 );
 var transport = new StdioServerTransport();
 await server.connect(transport);
+console.error(`@yawlabs/tailscale-mcp v${version2} ready (${allTools.length} tools)`);
 //# sourceMappingURL=index.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.6.4",
+  "version": "0.7.0",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",
@@ -22,7 +22,9 @@
     "tailscale-mcp": "dist/index.js"
   },
   "files": [
-    "dist/index.js"
+    "dist/index.js",
+    "LICENSE",
+    "README.md"
   ],
   "scripts": {
     "build": "tsc && node build.mjs",
@@ -35,6 +37,10 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {},
+  "overrides": {
+    "hono": "^4.12.14",
+    "@hono/node-server": "^1.19.13"
+  },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
     "@modelcontextprotocol/sdk": "^1.29.0",