@yawlabs/tailscale-mcp 0.6.5 → 0.7.0

package/README.md

@@ -9,6 +9,10 @@
 
 Built and maintained by [YawLabs](https://yaw.sh).
 
+[![Add to mcp.hosting](https://mcp.hosting/install-button.svg)](https://mcp.hosting/install?name=Tailscale&command=npx&args=-y%2C%40yawlabs%2Ftailscale-mcp&env=TAILSCALE_API_KEY&description=Manage%20your%20Tailscale%20tailnet%20-%20devices%2C%20ACLs%2C%20DNS%2C%20keys&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Ftailscale-mcp)
+
+One click adds this to your [mcp.hosting](https://mcp.hosting) account so it syncs to every MCP client you use. Or install manually below.
+
 ## Why this one?
 
 Other Tailscale MCP servers were vibe-coded in a weekend and abandoned. This one was built for production use and tested against the real Tailscale API.

package/dist/index.js

@@ -21015,21 +21015,23 @@ var BASE_URL = "https://api.tailscale.com/api/v2";
 var REQUEST_TIMEOUT_MS = 3e4;
 var oauthToken = null;
 var oauthRefreshPromise = null;
-function getConfig() {
+function getAuthConfig() {
   const apiKey = process.env.TAILSCALE_API_KEY;
   const oauthClientId = process.env.TAILSCALE_OAUTH_CLIENT_ID;
   const oauthClientSecret = process.env.TAILSCALE_OAUTH_CLIENT_SECRET;
-  const tailnet = process.env.TAILSCALE_TAILNET || "-";
-  if (!apiKey && !(oauthClientId && oauthClientSecret)) {
-    const hint = process.platform === "win32" ? ' On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd. Either add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json, or set it as a Windows user environment variable.' : "";
-    throw new Error(
-      `No Tailscale credentials configured. Set TAILSCALE_API_KEY, or set both TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET.${hint}`
-    );
+  if (apiKey) {
+    if (apiKey.trim() === "") {
+      throw new Error("TAILSCALE_API_KEY is set but empty. Provide a valid API key.");
+    }
+    return { kind: "apiKey", apiKey };
   }
-  if (apiKey && apiKey.trim() === "") {
-    throw new Error("TAILSCALE_API_KEY is set but empty. Provide a valid API key.");
+  if (oauthClientId && oauthClientSecret) {
+    return { kind: "oauth", clientId: oauthClientId, clientSecret: oauthClientSecret };
   }
-  return { apiKey, oauthClientId, oauthClientSecret, tailnet };
+  const hint = process.platform === "win32" ? ' On Windows, env vars set in bash/WSL profiles are not visible to MCP servers launched via cmd. Either add "env": {"TAILSCALE_API_KEY": "tskey-api-..."} to your .mcp.json, or set it as a Windows user environment variable.' : "";
+  throw new Error(
+    `No Tailscale credentials configured. Set TAILSCALE_API_KEY, or set both TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET.${hint}`
+  );
 }
 async function getOAuthAccessToken(clientId, clientSecret) {
   if (oauthToken && Date.now() < oauthToken.expires_at - 6e4) {
@@ -21067,11 +21069,11 @@ async function getOAuthAccessToken(clientId, clientSecret) {
   return oauthRefreshPromise;
 }
 async function getAuthHeader() {
-  const config2 = getConfig();
-  if (config2.apiKey) {
+  const config2 = getAuthConfig();
+  if (config2.kind === "apiKey") {
     return `Basic ${Buffer.from(`${config2.apiKey}:`).toString("base64")}`;
   }
-  const token = await getOAuthAccessToken(config2.oauthClientId, config2.oauthClientSecret);
+  const token = await getOAuthAccessToken(config2.clientId, config2.clientSecret);
   return `Bearer ${token}`;
 }
 function getTailnet() {
@@ -21080,6 +21082,13 @@ function getTailnet() {
 function encPath(segment) {
   return encodeURIComponent(segment);
 }
+function validateTags(tags) {
+  if (!tags || tags.length === 0) return;
+  const invalid = tags.filter((t) => !t.startsWith("tag:"));
+  if (invalid.length > 0) {
+    throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
+  }
+}
 function sanitizeDescription(value) {
   return value.replace(/[/_]/g, "-").replace(/[^a-zA-Z0-9 -]/g, "").replace(/ {2,}/g, " ").trim().slice(0, 50);
 }
@@ -21622,10 +21631,7 @@ var deviceTools = [
       tags: external_exports.array(external_exports.string()).describe("Full list of ACL tags (e.g. ['tag:server', 'tag:production']). Replaces all existing tags.")
     }),
     handler: async (input) => {
-      const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-      if (invalid.length > 0) {
-        throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-      }
+      validateTags(input.tags);
       return apiPost(`/device/${encPath(input.deviceId)}/tags`, { tags: input.tags });
     }
   },
@@ -22136,7 +22142,7 @@ var keyTools = [
   },
   {
     name: "tailscale_create_key",
-    description: "Create a new key in your tailnet. Supports auth keys (for adding devices), OAuth clients (for programmatic API access), and federated identities (for OIDC-based CI/CD access). Returns the key value \u2014 save it immediately, as it cannot be retrieved again.",
+    description: "Create a new key in your tailnet. Supports auth keys (for adding devices), OAuth clients (for programmatic API access), and federated identities (for OIDC-based CI/CD access). Returns the key value \u2014 save it immediately, as it cannot be retrieved again.\n\nExamples:\n- Auth key: {keyType:'auth', reusable:true, tags:['tag:ci']}\n- OAuth client: {keyType:'client', scopes:['devices:read','dns']}\n- Federated (GitHub Actions): {keyType:'federated', scopes:['devices:read'], issuer:'https://token.actions.githubusercontent.com', subject:'repo:my-org/my-repo:*'}",
     annotations: {
       title: "Create key",
       readOnlyHint: false,
@@ -22167,12 +22173,7 @@ var keyTools = [
       customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Custom claim mapping rules")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const keyType = input.keyType ?? "auth";
       if (keyType !== "auth") {
         const authOnlyFields = ["reusable", "ephemeral", "preauthorized", "expirySeconds"];
@@ -22252,12 +22253,7 @@ var keyTools = [
       customClaimRules: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("(federated only) Updated custom claim rules")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const body = {};
       if (input.description !== void 0) body.description = sanitizeDescription(input.description);
       if (input.scopes !== void 0) body.scopes = input.scopes;
@@ -22489,12 +22485,7 @@ var oauthClientTools = [
       description: external_exports.string().optional().describe("Description for this OAuth client (max 50 chars, alphanumeric/hyphens/spaces)")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const body = { ...input };
       body.name = sanitizeDescription(input.name);
       if (input.description !== void 0) body.description = sanitizeDescription(input.description);
@@ -22719,12 +22710,7 @@ var serviceTools = [
       autoApproveHosts: external_exports.boolean().optional().describe("Whether to auto-approve devices that want to host this service")
     }),
     handler: async (input) => {
-      if (input.tags && input.tags.length > 0) {
-        const invalid = input.tags.filter((t) => !t.startsWith("tag:"));
-        if (invalid.length > 0) {
-          throw new Error(`All tags must start with 'tag:' prefix. Invalid tags: ${invalid.join(", ")}`);
-        }
-      }
+      validateTags(input.tags);
       const { serviceName, ...body } = input;
       const cleanBody = {};
       for (const [key, value] of Object.entries(body)) {
@@ -23351,7 +23337,7 @@ var workloadIdentityTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.6.5" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.7.0" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];
@@ -23487,4 +23473,5 @@ server.resource(
 );
 var transport = new StdioServerTransport();
 await server.connect(transport);
+console.error(`@yawlabs/tailscale-mcp v${version2} ready (${allTools.length} tools)`);
 //# sourceMappingURL=index.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.6.5",
+  "version": "0.7.0",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",
@@ -22,7 +22,9 @@
     "tailscale-mcp": "dist/index.js"
   },
   "files": [
-    "dist/index.js"
+    "dist/index.js",
+    "LICENSE",
+    "README.md"
   ],
   "scripts": {
     "build": "tsc && node build.mjs",
@@ -35,6 +37,10 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {},
+  "overrides": {
+    "hono": "^4.12.14",
+    "@hono/node-server": "^1.19.13"
+  },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
     "@modelcontextprotocol/sdk": "^1.29.0",