@yinuo-ngm/mcp-server 0.1.2 → 0.1.4

package/lib/tools/hub-v2/schemas.js

@@ -1,11 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.rdUpdateProgressSchema = exports.rdStageTaskCreateSchema = exports.rdStageTasksListSchema = exports.rdAdvanceStageSchema = exports.rdCreateSchema = exports.rdGetSchema = exports.rdListSchema = exports.markdownImageUploadSchema = exports.issueUpdateSchema = exports.issueCommentSchema = exports.issueCreateSchema = exports.issueGetSchema = exports.issuesListSchema = exports.docsGetBySlugSchema = exports.docsGetSchema = exports.docsListSchema = exports.pagingSchema = exports.projectSelectorSchema = void 0;
+exports.rdUpdateSchema = exports.rdCloseSchema = exports.rdCompleteSchema = exports.rdBlockSchema = exports.rdSimpleWriteSchema = exports.rdUpdateProgressSchema = exports.rdStageTaskCreateSchema = exports.rdStageTasksListSchema = exports.rdAdvanceStageSchema = exports.rdCreateSchema = exports.rdUploadRawSchema = exports.rdReadDetailSchema = exports.rdGetSchema = exports.rdListSchema = exports.fileUploadSchema = exports.markdownImageUploadSchema = exports.issueUpdateSchema = exports.issueParticipantRemoveSchema = exports.issueBranchCompleteSchema = exports.issueBranchActionSchema = exports.issueBranchStartMineSchema = exports.issueBranchCreateSchema = exports.issueParticipantAddSchema = exports.issueCloseSchema = exports.issueReopenSchema = exports.issueResolveSchema = exports.issueSimpleWriteSchema = exports.issueAssignSchema = exports.issueCommentSchema = exports.issueCreateSchema = exports.issueUploadRawSchema = exports.issueAttachmentRawSchema = exports.issueReadDetailSchema = exports.issueGetSchema = exports.issuesListSchema = exports.docsPublishSchema = exports.docsUpdateSchema = exports.docsCreateSchema = exports.docsGetBySlugSchema = exports.docsGetSchema = exports.docsListSchema = exports.pagingSchema = exports.projectMembersListSchema = exports.projectSelectorSchema = void 0;
 const zod_1 = require("zod");
 exports.projectSelectorSchema = zod_1.z.object({
     project: zod_1.z.string().trim().min(1).optional(),
     projectKey: zod_1.z.string().trim().min(1).optional(),
 }).strict();
+exports.projectMembersListSchema = exports.projectSelectorSchema;
 exports.pagingSchema = zod_1.z.object({
     page: zod_1.z.number().int().min(1).optional(),
     pageSize: zod_1.z.number().int().min(1).max(200).optional(),
@@ -25,6 +26,39 @@ exports.docsGetBySlugSchema = exports.projectSelectorSchema.extend({
     slug: zod_1.z.string().trim().min(1),
     contentOnly: zod_1.z.boolean().optional(),
 }).strict();
+exports.docsCreateSchema = exports.projectSelectorSchema.extend({
+    title: zod_1.z.string().trim().min(1).max(120),
+    content: zod_1.z.string().min(1).optional(),
+    contentMd: zod_1.z.string().min(1).optional(),
+    slug: zod_1.z.string().trim().min(1).max(80).optional(),
+    category: zod_1.z.string().trim().max(80).optional(),
+    categoryId: zod_1.z.string().trim().max(80).optional(),
+    summary: zod_1.z.string().trim().max(500).optional(),
+    tags: zod_1.z.array(zod_1.z.string().trim().min(1).max(40)).max(20).optional(),
+    status: zod_1.z.enum(["draft"]).optional(),
+    source: zod_1.z.string().trim().max(40).optional(),
+    version: zod_1.z.string().trim().max(40).optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.docsUpdateSchema = exports.projectSelectorSchema.extend({
+    docId: zod_1.z.string().trim().min(1),
+    title: zod_1.z.string().trim().min(1).max(120).optional(),
+    content: zod_1.z.string().min(1).optional(),
+    contentMd: zod_1.z.string().min(1).optional(),
+    slug: zod_1.z.string().trim().min(1).max(80).optional(),
+    category: zod_1.z.string().trim().max(80).optional(),
+    categoryId: zod_1.z.string().trim().max(80).optional(),
+    summary: zod_1.z.string().trim().max(500).nullable().optional(),
+    tags: zod_1.z.array(zod_1.z.string().trim().min(1).max(40)).max(20).optional(),
+    source: zod_1.z.string().trim().max(40).optional(),
+    version: zod_1.z.string().trim().max(40).nullable().optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.docsPublishSchema = exports.projectSelectorSchema.extend({
+    docId: zod_1.z.string().trim().min(1),
+    source: zod_1.z.string().trim().max(40).optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
 exports.issuesListSchema = exports.projectSelectorSchema.extend({
     page: zod_1.z.number().int().min(1).optional(),
     pageSize: zod_1.z.number().int().min(1).max(200).optional(),
@@ -38,6 +72,17 @@ exports.issuesListSchema = exports.projectSelectorSchema.extend({
 exports.issueGetSchema = exports.projectSelectorSchema.extend({
     issueId: zod_1.z.string().trim().min(1),
 }).strict();
+exports.issueReadDetailSchema = exports.issueGetSchema;
+exports.issueAttachmentRawSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    attachmentId: zod_1.z.string().trim().min(1),
+    maxBytes: zod_1.z.number().int().min(1).max(5 * 1024 * 1024).optional(),
+}).strict();
+exports.issueUploadRawSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    uploadId: zod_1.z.string().trim().min(1),
+    maxBytes: zod_1.z.number().int().min(1).max(5 * 1024 * 1024).optional(),
+}).strict();
 const issueTypeSchema = zod_1.z.enum(["bug", "feature", "change", "improvement", "task", "test"]);
 const issuePrioritySchema = zod_1.z.enum(["low", "medium", "high", "critical"]);
 exports.issueCreateSchema = exports.projectSelectorSchema.extend({
@@ -59,6 +104,64 @@ exports.issueCommentSchema = exports.projectSelectorSchema.extend({
     mentions: zod_1.z.array(zod_1.z.string().trim().min(1)).optional(),
     confirm: zod_1.z.boolean().optional(),
 }).strict();
+exports.issueAssignSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    assigneeId: zod_1.z.string().trim().min(1),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueSimpleWriteSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueResolveSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    resolutionSummary: zod_1.z.string().optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueReopenSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    remark: zod_1.z.string().optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueCloseSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    reason: zod_1.z.string().trim().optional(),
+    remark: zod_1.z.string().optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueParticipantAddSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    userId: zod_1.z.string().trim().min(1),
+    taskTitle: zod_1.z.string().trim().max(80).optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueBranchCreateSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    ownerUserId: zod_1.z.string().trim().min(1),
+    title: zod_1.z.string().trim().min(1).max(80),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueBranchStartMineSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    title: zod_1.z.string().trim().min(1).max(80),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueBranchActionSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    branchId: zod_1.z.string().trim().min(1),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueBranchCompleteSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    branchId: zod_1.z.string().trim().min(1),
+    summary: zod_1.z.string().trim().max(500).optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.issueParticipantRemoveSchema = exports.projectSelectorSchema.extend({
+    issueId: zod_1.z.string().trim().min(1),
+    participantId: zod_1.z.string().trim().min(1),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
 exports.issueUpdateSchema = exports.projectSelectorSchema.extend({
     issueId: zod_1.z.string().trim().min(1),
     title: zod_1.z.string().trim().optional(),
@@ -79,6 +182,14 @@ exports.markdownImageUploadSchema = exports.projectSelectorSchema.extend({
     alt: zod_1.z.string().trim().min(1).optional(),
     confirm: zod_1.z.boolean().optional(),
 }).strict();
+exports.fileUploadSchema = exports.projectSelectorSchema.extend({
+    target: zod_1.z.enum(["issueAttachment", "taskSheetAttachment"]),
+    filePath: zod_1.z.string().trim().min(1).optional(),
+    contentBase64: zod_1.z.string().trim().min(1).optional(),
+    fileName: zod_1.z.string().trim().min(1).optional(),
+    mimeType: zod_1.z.string().trim().min(1).optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
 exports.rdListSchema = exports.projectSelectorSchema.extend({
     page: zod_1.z.number().int().min(1).optional(),
     pageSize: zod_1.z.number().int().min(1).max(200).optional(),
@@ -92,6 +203,12 @@ exports.rdListSchema = exports.projectSelectorSchema.extend({
 exports.rdGetSchema = exports.projectSelectorSchema.extend({
     itemId: zod_1.z.string().trim().min(1),
 }).strict();
+exports.rdReadDetailSchema = exports.rdGetSchema;
+exports.rdUploadRawSchema = exports.projectSelectorSchema.extend({
+    itemId: zod_1.z.string().trim().min(1),
+    uploadId: zod_1.z.string().trim().min(1),
+    maxBytes: zod_1.z.number().int().min(1).max(5 * 1024 * 1024).optional(),
+}).strict();
 const rdTypeSchema = zod_1.z.enum([
     "feature_dev",
     "tech_refactor",
@@ -165,3 +282,37 @@ exports.rdUpdateProgressSchema = exports.projectSelectorSchema.extend({
     stageTaskId: zod_1.z.string().trim().min(1).optional(),
     confirm: zod_1.z.boolean().optional(),
 }).strict();
+exports.rdSimpleWriteSchema = exports.projectSelectorSchema.extend({
+    itemId: zod_1.z.string().trim().min(1),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.rdBlockSchema = exports.projectSelectorSchema.extend({
+    itemId: zod_1.z.string().trim().min(1),
+    blockerReason: zod_1.z.string().optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.rdCompleteSchema = exports.projectSelectorSchema.extend({
+    itemId: zod_1.z.string().trim().min(1),
+    reason: zod_1.z.string().trim().max(1000).optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.rdCloseSchema = exports.projectSelectorSchema.extend({
+    itemId: zod_1.z.string().trim().min(1),
+    reason: zod_1.z.string().trim().optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();
+exports.rdUpdateSchema = exports.projectSelectorSchema.extend({
+    itemId: zod_1.z.string().trim().min(1),
+    version: zod_1.z.number().int().min(1),
+    title: zod_1.z.string().trim().optional(),
+    description: zod_1.z.string().nullable().optional(),
+    stageId: zod_1.z.string().trim().nullable().optional(),
+    type: rdTypeSchema.optional(),
+    priority: rdPrioritySchema.optional(),
+    memberIds: zod_1.z.array(zod_1.z.string().trim().min(1)).min(1).optional(),
+    verifierId: zod_1.z.string().trim().nullable().optional(),
+    planStartAt: zod_1.z.string().trim().nullable().optional(),
+    planEndAt: zod_1.z.string().trim().nullable().optional(),
+    stageDescription: zod_1.z.string().trim().max(4000).nullable().optional(),
+    confirm: zod_1.z.boolean().optional(),
+}).strict();

package/lib/tools/hub-v2/upload.tools.js

@@ -7,7 +7,7 @@ exports.hubV2UploadTools = hubV2UploadTools;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const client_1 = require("./client");
-const config_1 = require("./config");
+const index_1 = require("./config/index");
 const schemas_1 = require("./schemas");
 const result_1 = require("../../utils/result");
 function hubV2UploadTools() {
@@ -41,7 +41,7 @@ function hubV2UploadTools() {
                         },
                     });
                 }
-                const ctx = (0, config_1.resolveHubV2Context)(args, "personal");
+                const ctx = (0, index_1.resolveHubV2Context)(args, "personal");
                 const client = new client_1.HubV2Client(ctx);
                 const file = resolveUploadFile(args);
                 const form = new FormData();
@@ -55,8 +55,57 @@ function hubV2UploadTools() {
                 return (0, result_1.ok)("hub_v2_upload_markdown_image", data);
             },
         },
+        {
+            name: "hub_v2_file_upload",
+            description: "Upload a local or base64 file with Personal Token and return a Hub V2 uploadId.",
+            riskLevel: "write",
+            inputSchema: schemas_1.fileUploadSchema,
+            allowPreviewWhenBlocked: true,
+            isConfirmed: (args) => args.confirm === true,
+            async handler(args) {
+                const uploadPath = "/uploads/file";
+                if (!args.confirm) {
+                    return (0, result_1.ok)("hub_v2_file_upload", {
+                        code: "PREVIEW",
+                        message: "set confirm=true to upload this file",
+                        data: {
+                            method: "POST",
+                            path: uploadPath,
+                            requiredScope: fileUploadRequiredScope(args.target),
+                            maxBytes: maxUploadBytes(),
+                            input: {
+                                target: args.target,
+                                mode: args.filePath ? "filePath" : "contentBase64",
+                                fileName: args.fileName,
+                                mimeType: args.mimeType,
+                                hasFilePath: Boolean(args.filePath),
+                                hasContentBase64: Boolean(args.contentBase64),
+                            },
+                        },
+                    });
+                }
+                const ctx = (0, index_1.resolveHubV2Context)(args, "personal");
+                const client = new client_1.HubV2Client(ctx);
+                const file = resolveUploadFile(args);
+                const form = new FormData();
+                const bytes = new Uint8Array(file.content.byteLength);
+                bytes.set(file.content);
+                form.append("file", new Blob([bytes], { type: file.mimeType }), file.fileName);
+                form.append("target", args.target);
+                const data = await client.multipart("POST", client.personalUrl(uploadPath), form);
+                return (0, result_1.ok)("hub_v2_file_upload", data);
+            },
+        },
     ];
 }
+function fileUploadRequiredScope(target) {
+    switch (target) {
+        case "issueAttachment":
+            return "issue:update:write";
+        case "taskSheetAttachment":
+            return "rd:stage-task:write or rd:edit:write";
+    }
+}
 function resolveUploadFile(args) {
     if (Boolean(args.filePath) === Boolean(args.contentBase64)) {
         throw new Error("provide exactly one of filePath or contentBase64");
@@ -93,7 +142,7 @@ function maxUploadBytes() {
 function assertUploadSize(fileSize) {
     const maxBytes = maxUploadBytes();
     if (fileSize > maxBytes) {
-        throw new Error(`upload image is too large: ${fileSize} bytes exceeds NGM_MCP_MAX_UPLOAD_BYTES=${maxBytes}`);
+        throw new Error(`upload file is too large: ${fileSize} bytes exceeds NGM_MCP_MAX_UPLOAD_BYTES=${maxBytes}`);
     }
 }
 function decodeBase64Content(value) {
@@ -117,7 +166,6 @@ function decodeBase64Content(value) {
 }
 function assertAllowedFilePath(filePath) {
     const roots = [
-        process.env.NGM_WORKSPACE_ROOT,
         process.env.NGM_MCP_UPLOAD_ROOT,
         process.cwd(),
     ]
@@ -126,7 +174,7 @@ function assertAllowedFilePath(filePath) {
         .map((item) => node_path_1.default.resolve(item));
     const allowed = roots.some((root) => filePath === root || filePath.startsWith(`${root}${node_path_1.default.sep}`));
     if (!allowed) {
-        throw new Error("filePath must be under NGM_WORKSPACE_ROOT, NGM_MCP_UPLOAD_ROOT, or the current workspace");
+        throw new Error("filePath must be under NGM_MCP_UPLOAD_ROOT or the current working directory");
     }
 }
 function inferMimeType(fileName) {

package/lib/tools/index.d.ts

@@ -8,6 +8,7 @@ export type McpToolDefinition<TSchema extends z.AnyZodObject = z.AnyZodObject> =
     riskLevel: ToolRiskLevel;
     inputSchema: TSchema;
     allowPreviewWhenBlocked?: boolean;
+    deferPolicyToHandler?: boolean;
     isConfirmed?: (args: z.infer<TSchema>) => boolean;
     handler(args: z.infer<TSchema>, context: ToolContext): Promise<ToolResult> | ToolResult;
 };

package/lib/tools/index.js

@@ -1,20 +1,42 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.allTools = allTools;
+const capability_tools_1 = require("./capability.tools");
+const angular_1 = require("./angular");
+const controlled_tools_1 = require("./controlled.tools");
+const file_write_tools_1 = require("./file-write.tools");
 const git_tools_1 = require("./git.tools");
 const hub_v2_1 = require("./hub-v2");
 const log_tools_1 = require("./log.tools");
+const nginx_tools_1 = require("./nginx.tools");
+const project_observe_tools_1 = require("./project-observe.tools");
 const project_tools_1 = require("./project.tools");
 const proxy_tools_1 = require("./proxy.tools");
 const runtime_tools_1 = require("./runtime.tools");
+const review_1 = require("./review");
+const standard_1 = require("./standard");
 const task_tools_1 = require("./task.tools");
+const test_1 = require("./test");
+const workspace_tools_1 = require("./workspace.tools");
+const workflow_1 = require("./workflow");
 function allTools() {
     return [
+        ...(0, capability_tools_1.capabilityTools)(),
+        ...(0, workspace_tools_1.workspaceTools)(),
+        ...(0, controlled_tools_1.controlledTools)(),
+        ...(0, file_write_tools_1.fileWriteTools)(),
         ...(0, project_tools_1.projectTools)(),
+        ...(0, project_observe_tools_1.projectObserveTools)(),
         ...(0, task_tools_1.taskTools)(),
         ...(0, log_tools_1.logTools)(),
         ...(0, git_tools_1.gitTools)(),
+        ...(0, standard_1.standardTools)(),
+        ...(0, test_1.testStandardTools)(),
+        ...(0, angular_1.angularStandardTools)(),
+        ...(0, review_1.reviewTools)(),
+        ...(0, workflow_1.frontendWorkflowTools)(),
         ...(0, runtime_tools_1.runtimeTools)(),
+        ...(0, nginx_tools_1.nginxTools)(),
         ...(0, proxy_tools_1.proxyTools)(),
         ...(0, hub_v2_1.hubV2Tools)(),
     ];

package/lib/tools/log.tools.js

@@ -23,22 +23,49 @@ function clampSearchLimit(value) {
 function logTools() {
     return [
         {
-            name: "ngm.log.tail",
+            name: "ngm_log_tail",
             description: "Read recent task logs by runId or taskId.",
             riskLevel: "read",
             inputSchema: logTailSchema,
             async handler(args, context) {
                 const tail = clampTail(args.tail);
                 let runId = args.runId;
+                const localServer = context.services.localServer;
+                const availability = localServer ? await localServer.availability() : { available: false, reason: "local server client is not configured" };
                 if (!runId && args.taskId) {
-                    const snapshot = await context.services.core.task.getSnapshotByTaskId(args.taskId);
+                    if (!availability.available || !localServer) {
+                        return (0, result_1.ok)("ngm_log_tail", {
+                            controlPlane: "unavailable",
+                            localServer: availability,
+                            status: "unavailable",
+                            reason: "ng-manager local server is not running; start it with ngm server or ngm ui to read shared task logs",
+                            taskId: args.taskId,
+                            tail,
+                            lines: [],
+                        });
+                    }
+                    const snapshot = await localServer.getTaskStatus(args.taskId);
                     runId = snapshot?.runId;
                 }
                 if (!runId) {
                     throw new Error("runId or taskId is required");
                 }
-                const lines = await context.services.core.task.getTailLogsByRun(runId, tail);
-                return (0, result_1.ok)("ngm.log.tail", {
+                if (!availability.available || !localServer) {
+                    return (0, result_1.ok)("ngm_log_tail", {
+                        controlPlane: "unavailable",
+                        localServer: availability,
+                        status: "unavailable",
+                        reason: "ng-manager local server is not running; start it with ngm server or ngm ui to read shared task logs",
+                        runId,
+                        tail,
+                        lines: [],
+                    });
+                }
+                const controlPlane = "local-server";
+                const lines = await localServer.getTaskLogTail(runId, tail);
+                return (0, result_1.ok)("ngm_log_tail", {
+                    controlPlane,
+                    localServer: availability,
                     runId,
                     tail,
                     lines,
@@ -46,7 +73,7 @@ function logTools() {
             },
         },
         {
-            name: "ngm.log.search",
+            name: "ngm_log_search",
             description: "Search recent ng-manager system logs by keyword.",
             riskLevel: "read",
             inputSchema: logSearchSchema,
@@ -64,7 +91,7 @@ function logTools() {
                     return text.includes(needle);
                 })
                     .slice(0, limit);
-                return (0, result_1.ok)("ngm.log.search", {
+                return (0, result_1.ok)("ngm_log_search", {
                     query: args.query,
                     limit,
                     entries,

package/lib/tools/nginx/index.d.ts

@@ -0,0 +1 @@
+export { nginxControlTools } from "./nginx-control.tools";

package/lib/tools/nginx/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.nginxControlTools = void 0;
+var nginx_control_tools_1 = require("./nginx-control.tools");
+Object.defineProperty(exports, "nginxControlTools", { enumerable: true, get: function () { return nginx_control_tools_1.nginxControlTools; } });

package/lib/tools/nginx/nginx-control.tools.d.ts

@@ -0,0 +1,2 @@
+import type { McpToolDefinition } from "../index";
+export declare function nginxControlTools(): McpToolDefinition[];

package/lib/tools/nginx/nginx-control.tools.js

@@ -0,0 +1,133 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.nginxControlTools = nginxControlTools;
+const operation_result_1 = require("../controlled/operation-result");
+const schemas_1 = require("../controlled/schemas");
+const nginx_proxy_1 = require("./nginx-proxy");
+const result_1 = require("../../utils/result");
+const operation_policy_1 = require("../controlled/operation-policy");
+function reloadTool() {
+    return {
+        name: "ngm_nginx_reload",
+        description: "Skill ngm-nginx. Controlled execute tool for validating and reloading only the ng-manager managed local Nginx instance. Prefer this over direct nginx commands because it uses ng-manager's local service boundary and audit. Previews validation by default; real reload requires confirm=true and NGM_MCP_ALLOW_EXECUTE=true and is refused when validation fails.",
+        riskLevel: "execute",
+        allowPreviewWhenBlocked: true,
+        deferPolicyToHandler: true,
+        isConfirmed: operation_result_1.isConfirmed,
+        inputSchema: schemas_1.nginxReloadSchema,
+        async handler(args, context) {
+            const confirmed = (0, operation_result_1.isConfirmed)(args);
+            const nginx = context.services.core.nginx;
+            const instance = nginx.service.getInstance();
+            const status = await nginx.service.getStatus().catch((error) => ({
+                isRunning: false,
+                error: error instanceof Error ? error.message : String(error),
+            }));
+            const validation = await nginx.config.validateConfig();
+            const safetyMessage = "Validate and reload the ng-manager managed local Nginx instance.";
+            const preview = {
+                ...(0, operation_result_1.controlledFields)("execute", confirmed, (0, operation_policy_1.requiredEnv)("execute")),
+                operation: (0, operation_result_1.operation)("preview", "service-control", "high", safetyMessage),
+                instance: instance ? { path: instance.path, configPath: instance.configPath } : null,
+                status,
+                validation,
+            };
+            if (!validation.valid) {
+                return (0, result_1.ok)("ngm_nginx_reload", { ...preview, operation: (0, operation_result_1.operation)("blocked", "service-control", "high", safetyMessage), reason: "Nginx config validation failed; reload refused." });
+            }
+            if (!confirmed)
+                return (0, result_1.ok)("ngm_nginx_reload", preview);
+            const policyBlock = (0, operation_policy_1.requireExecutePolicy)("service-control", "high", safetyMessage);
+            if (policyBlock)
+                return (0, result_1.ok)("ngm_nginx_reload", { ...(0, operation_result_1.controlledFields)("execute", true, (0, operation_policy_1.requiredEnv)("execute")), ...policyBlock });
+            return (0, result_1.ok)("ngm_nginx_reload", {
+                ...preview,
+                ...(0, operation_result_1.controlledFields)("execute", true, (0, operation_policy_1.requiredEnv)("execute")),
+                operation: (0, operation_result_1.operation)("executed", "service-control", "high", safetyMessage),
+                result: await nginx.service.reload(),
+            });
+        },
+    };
+}
+function proxySaveTool() {
+    return {
+        name: "ngm_nginx_proxy_save",
+        description: "Skill ngm-nginx. Controlled write tool for creating or updating ng-manager managed Nginx proxy server blocks. Prefer this over editing Nginx files directly because it validates inputs, redacts sensitive fields, rolls back invalid saves, and audit logs confirmed writes. Previews by default; real write requires confirm=true and NGM_MCP_ALLOW_WRITE=true. It never writes arbitrary file paths and reloads only when reloadAfterSave=true plus execute policy is enabled.",
+        riskLevel: "write",
+        allowPreviewWhenBlocked: true,
+        deferPolicyToHandler: true,
+        isConfirmed: operation_result_1.isConfirmed,
+        inputSchema: schemas_1.nginxProxySaveSchema,
+        async handler(args, context) {
+            const confirmed = (0, operation_result_1.isConfirmed)(args);
+            const nginx = context.services.core.nginx;
+            const proxyArgs = args;
+            const existing = proxyArgs.serverId ? await nginx.server.getServer(proxyArgs.serverId) : null;
+            if (proxyArgs.serverId && !existing) {
+                return (0, result_1.ok)("ngm_nginx_proxy_save", (0, operation_result_1.blocked)("write", "high", "Save a managed Nginx proxy server block.", "serverId not found"));
+            }
+            let request;
+            try {
+                request = (0, nginx_proxy_1.normalizeProxyRequest)(proxyArgs, existing);
+            }
+            catch (error) {
+                return (0, result_1.ok)("ngm_nginx_proxy_save", (0, operation_result_1.blocked)("write", "high", "Save a managed Nginx proxy server block.", "invalid Nginx proxy input", {
+                    error: error instanceof Error ? error.message : String(error),
+                }));
+            }
+            const safetyMessage = `${proxyArgs.serverId ? "Update" : "Create"} ng-manager managed Nginx proxy server "${request.name}".`;
+            const mode = proxyArgs.serverId ? "update" : "create";
+            const preview = {
+                ...(0, operation_result_1.controlledFields)("write", confirmed, (0, operation_policy_1.requiredEnv)("write")),
+                operation: (0, operation_result_1.operation)("preview", "write", "high", safetyMessage),
+                mode,
+                serverId: proxyArgs.serverId,
+                before: (0, nginx_proxy_1.sanitizeNginxServerForAgent)(existing),
+                afterRequest: (0, nginx_proxy_1.sanitizeNginxProxyRequestForAgent)(request),
+                reloadAfterSave: proxyArgs.reloadAfterSave === true,
+                reloadRequired: true,
+            };
+            if (!confirmed)
+                return (0, result_1.ok)("ngm_nginx_proxy_save", preview);
+            const policyBlock = (0, operation_policy_1.requireWritePolicy)("high", safetyMessage);
+            if (policyBlock)
+                return (0, result_1.ok)("ngm_nginx_proxy_save", { ...(0, operation_result_1.controlledFields)("write", true, (0, operation_policy_1.requiredEnv)("write")), ...policyBlock });
+            const saved = proxyArgs.serverId ? await nginx.server.updateServer(proxyArgs.serverId, request) : await nginx.server.createServer(request);
+            const validation = await nginx.config.validateConfig();
+            if (!validation.valid) {
+                const rollback = await (0, nginx_proxy_1.rollbackNginxProxySave)(context, mode, proxyArgs.serverId, saved, existing);
+                return (0, result_1.ok)("ngm_nginx_proxy_save", {
+                    ...preview,
+                    ...(0, operation_result_1.controlledFields)("write", true, (0, operation_policy_1.requiredEnv)("write")),
+                    operation: (0, operation_result_1.operation)("failed", "write", "high", safetyMessage),
+                    result: { status: "failed", reason: "Nginx config validation failed after save" },
+                    server: (0, nginx_proxy_1.sanitizeNginxServerForAgent)(saved),
+                    validation,
+                    rollback,
+                    reloadRequired: true,
+                });
+            }
+            const result = {
+                ...preview,
+                ...(0, operation_result_1.controlledFields)("write", true, (0, operation_policy_1.requiredEnv)("write")),
+                operation: (0, operation_result_1.operation)("executed", "write", "high", safetyMessage),
+                server: (0, nginx_proxy_1.sanitizeNginxServerForAgent)(saved),
+                validation,
+                reloadRequired: true,
+            };
+            if (proxyArgs.reloadAfterSave === true) {
+                const reloadBlock = (0, operation_policy_1.requireExecutePolicy)("service-control", "high", "Reload after saving a managed Nginx proxy server block.");
+                if (reloadBlock)
+                    result.reload = { status: "blocked", action: "execute", confirmed: true, requires: (0, operation_policy_1.requiredEnv)("execute"), errorCode: reloadBlock.errorCode, reason: "reloadAfterSave requires NGM_MCP_ALLOW_EXECUTE=true" };
+                else {
+                    result.reload = { status: "executed", result: await nginx.service.reload() };
+                    result.reloadRequired = false;
+                }
+            }
+            return (0, result_1.ok)("ngm_nginx_proxy_save", result);
+        },
+    };
+}
+function nginxControlTools() {
+    return [reloadTool(), proxySaveTool()];
+}

package/lib/tools/nginx/nginx-proxy.d.ts

@@ -0,0 +1,24 @@
+import type { ToolContext } from "../../context/tool-context";
+import type { NginxProxySaveArgs } from "../controlled/schemas";
+export type NginxProxyRequest = {
+    name: string;
+    listen: string[];
+    domains: string[];
+    enabled?: boolean;
+    protocol?: "http" | "https";
+    ssl?: boolean;
+    sslCert?: string;
+    sslKey?: string;
+    root?: string;
+    index?: string[];
+    extraConfig?: string;
+    locations: Array<{
+        path: string;
+        proxyPass?: string;
+    }>;
+    createdBy?: string;
+};
+export declare function normalizeProxyRequest(args: NginxProxySaveArgs, existing?: Record<string, any> | null): NginxProxyRequest;
+export declare function sanitizeNginxServerForAgent(server: any): unknown;
+export declare function sanitizeNginxProxyRequestForAgent(request: NginxProxyRequest): unknown;
+export declare function rollbackNginxProxySave(context: ToolContext, mode: "create" | "update", serverId: string | undefined, saved: Record<string, any> | null, existing: Record<string, any> | null): Promise<Record<string, unknown>>;