@yawlabs/tailscale-mcp 0.8.1 → 0.8.2

package/README.md

@@ -107,34 +107,70 @@ That's it. Now ask your agent:
 
 ## Too many tools? Subset them.
 
-99 tools is a lot. If you've already got a dozen MCP servers and your client is feeling heavy, trim what this one exposes:
+99 tools is a lot. If you've already got a dozen MCP servers and your client is feeling heavy, trim what this one exposes. Three knobs, combinable:
+
+### Option 1: `TAILSCALE_PROFILE` (preset, easiest)
 
 ```json
 {
-  "mcpServers": {
-    "tailscale": {
-      "command": "npx",
-      "args": ["-y", "@yawlabs/tailscale-mcp"],
-      "env": {
-        "TAILSCALE_API_KEY": "tskey-api-...",
-        "TAILSCALE_TOOLS": "devices,acl,dns,audit",
-        "TAILSCALE_READONLY": "1"
-      }
-    }
+  "env": {
+    "TAILSCALE_API_KEY": "tskey-api-...",
+    "TAILSCALE_PROFILE": "core"
+  }
+}
+```
+
+- **`minimal`** (≈22 tools) — `status`, `devices`, `audit`. Observe the tailnet, read the audit log.
+- **`core`** (≈49 tools) — adds `acl`, `dns`, `keys`, `users`. The day-to-day admin surface.
+- **`full`** (99 tools, default) — everything. Same as omitting the env var.
+
+### Option 2: `TAILSCALE_TOOLS` (explicit group list)
+
+```json
+{
+  "env": {
+    "TAILSCALE_API_KEY": "tskey-api-...",
+    "TAILSCALE_TOOLS": "devices,acl,dns,audit"
   }
 }
 ```
 
-- **`TAILSCALE_TOOLS`** — comma-separated list of tool groups to expose. Omit for all groups.
-- **`TAILSCALE_READONLY`** — set to `1` or `true` to drop every mutating tool (only tools with `readOnlyHint: true` remain). Combine with `TAILSCALE_TOOLS` for maximum minimalism.
+Comma-separated group names. Overrides `TAILSCALE_PROFILE` when both are set — use this when the presets aren't quite right.
 
 Valid group names: `status`, `devices`, `acl`, `dns`, `keys`, `users`, `tailnet`, `webhooks`, `network-lock`, `posture`, `audit`, `invites`, `services`, `log-streaming`, `workload-identity`, `oauth-clients`.
 
-The server logs the active filter to stderr on startup so you can confirm what got loaded:
+### Option 3: `TAILSCALE_READONLY` (drop mutations)
 
+```json
+{
+  "env": {
+    "TAILSCALE_API_KEY": "tskey-api-...",
+    "TAILSCALE_PROFILE": "core",
+    "TAILSCALE_READONLY": "1"
+  }
+}
 ```
-@yawlabs/tailscale-mcp v0.8.0 ready (21 tools, groups=devices,acl,dns,audit, readonly)
+
+Set to `1` or `true` to drop every tool without `readOnlyHint: true`. Stacks with `TAILSCALE_PROFILE` or `TAILSCALE_TOOLS` as an intersection — combine for maximum minimalism.
+
+### Confirming what loaded
+
+The server logs the active filter to stderr on startup:
+
 ```
+@yawlabs/tailscale-mcp v0.8.1 ready (21 tools, profile=core, readonly)
+```
+
+If you don't set any filter, startup prints a tip pointing you at the profiles.
+
+## Using with mcp.hosting / mcph
+
+If you run this server through [mcp.hosting](https://mcp.hosting) (via the `@yawlabs/mcph` local agent), the two filtering layers compose cleanly:
+
+1. **Server-side** — `TAILSCALE_PROFILE` / `TAILSCALE_TOOLS` / `TAILSCALE_READONLY` reduce the tool surface *before* mcph sees it. The unloaded tools aren't registered at all.
+2. **Client-side** — mcph's `mcp_connect_activate({ tools: [...] })` filters further for what appears in `tools/list`. Tools not in that list stay reachable via `mcp_connect_dispatch`, so you don't lose capability.
+
+Recommended pattern for mcph users: set `TAILSCALE_PROFILE=core` (or narrower) in your mcp.hosting server config, then let mcph handle per-conversation activation on top. The server stays lean by default, and `mcp_connect_dispatch` covers the long-tail tools for ad-hoc needs.
 
 ## Authentication
 

package/dist/index.js

@@ -30320,13 +30320,30 @@ async function deployAcl(filePath) {
 }
 
 // src/filter.ts
+var PROFILES = {
+  minimal: ["status", "devices", "audit"],
+  core: ["status", "devices", "acl", "dns", "keys", "users", "audit"],
+  full: []
+  // empty = all groups
+};
 function filterTools(groups, options) {
-  const enabledGroups = options.tools ? new Set(
-    options.tools.split(",").map((s) => s.trim()).filter(Boolean)
-  ) : null;
-  const readonly2 = options.readonly === "1" || options.readonly === "true";
   const validNames = new Set(Object.keys(groups));
+  let profileGroups;
+  let unknownProfile2;
+  if (options.profile) {
+    const profileKey = options.profile.trim().toLowerCase();
+    if (profileKey in PROFILES) {
+      const preset = PROFILES[profileKey];
+      profileGroups = preset.length > 0 ? [...preset] : void 0;
+    } else {
+      unknownProfile2 = profileKey;
+    }
+  }
+  const explicitTools = options.tools ? options.tools.split(",").map((s) => s.trim()).filter(Boolean) : null;
+  const effectiveGroups = explicitTools ?? profileGroups ?? null;
+  const enabledGroups = effectiveGroups ? new Set(effectiveGroups) : null;
   const unknownGroups2 = enabledGroups ? [...enabledGroups].filter((g) => !validNames.has(g)) : [];
+  const readonly2 = options.readonly === "1" || options.readonly === "true";
   const out = [];
   for (const [name, tools] of Object.entries(groups)) {
     if (enabledGroups && !enabledGroups.has(name)) continue;
@@ -30335,7 +30352,10 @@ function filterTools(groups, options) {
       out.push(t);
     }
   }
-  return { tools: out, unknownGroups: unknownGroups2 };
+  const result = { tools: out, unknownGroups: unknownGroups2 };
+  if (unknownProfile2) result.unknownProfile = unknownProfile2;
+  if (profileGroups && !explicitTools) result.profileGroups = profileGroups;
+  return result;
 }
 
 // src/tools/acl.ts
@@ -32459,7 +32479,7 @@ var workloadIdentityTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.8.1" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.8.2" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "deploy-acl") {
   const filePath = process.argv[3];
@@ -32494,9 +32514,14 @@ var toolGroups = {
   "workload-identity": workloadIdentityTools,
   "oauth-clients": oauthClientTools
 };
-var { tools: allTools, unknownGroups } = filterTools(toolGroups, {
+var {
+  tools: allTools,
+  unknownGroups,
+  unknownProfile
+} = filterTools(toolGroups, {
   tools: process.env.TAILSCALE_TOOLS,
-  readonly: process.env.TAILSCALE_READONLY
+  readonly: process.env.TAILSCALE_READONLY,
+  profile: process.env.TAILSCALE_PROFILE
 });
 if (unknownGroups.length > 0) {
   const validNames = Object.keys(toolGroups);
@@ -32504,6 +32529,11 @@ if (unknownGroups.length > 0) {
     `@yawlabs/tailscale-mcp: TAILSCALE_TOOLS includes unknown group(s): ${unknownGroups.join(", ")}. Valid groups: ${validNames.join(", ")}`
   );
 }
+if (unknownProfile) {
+  console.error(
+    `@yawlabs/tailscale-mcp: TAILSCALE_PROFILE="${unknownProfile}" is not a known profile. Valid profiles: minimal, core, full. Falling back to no profile filter.`
+  );
+}
 var server = new McpServer({
   name: "@yawlabs/tailscale-mcp",
   version: version2
@@ -32606,11 +32636,18 @@ server.resource(
 var transport = new StdioServerTransport();
 await server.connect(transport);
 var readonlyMode = process.env.TAILSCALE_READONLY === "1" || process.env.TAILSCALE_READONLY === "true";
+var profileApplied = process.env.TAILSCALE_PROFILE && !unknownProfile ? process.env.TAILSCALE_PROFILE : null;
 var filterSuffix = [
+  profileApplied ? `profile=${profileApplied}` : null,
   process.env.TAILSCALE_TOOLS ? `groups=${process.env.TAILSCALE_TOOLS}` : null,
   readonlyMode ? "readonly" : null
 ].filter(Boolean).join(", ");
 console.error(
   `@yawlabs/tailscale-mcp v${version2} ready (${allTools.length} tools${filterSuffix ? `, ${filterSuffix}` : ""})`
 );
+if (!filterSuffix) {
+  console.error(
+    "@yawlabs/tailscale-mcp: tip \u2014 set TAILSCALE_PROFILE=core (\u224849 tools) or =minimal (\u224822) to load a smaller tool surface. See README."
+  );
+}
 //# sourceMappingURL=index.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/tailscale-mcp",
-  "version": "0.8.1",
+  "version": "0.8.2",
   "description": "Tailscale MCP server for managing your tailnet from AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",