proxmox-mcps 0.1.0

package/.env.example

@@ -0,0 +1,60 @@
+# =============================================================================
+# Proxmox MCP Server — environment configuration
+# Copy to `.env` and fill in. All vars can also be passed inline.
+# =============================================================================
+
+# ---- Proxmox API connection (REQUIRED) ---------------------------------------
+PROXMOX_HOST=proxmox.example.com
+PROXMOX_PORT=8006
+PROXMOX_USER=root@pam
+PROXMOX_TOKEN_NAME=mcp
+PROXMOX_TOKEN_VALUE=00000000-0000-0000-0000-000000000000
+PROXMOX_VERIFY_SSL=true
+PROXMOX_TIMEOUT_MS=30000
+PROXMOX_SERVICE=PVE
+
+# ---- Safety -----------------------------------------------------------------
+# Set to `true` only in dev environments where Proxmox uses a self-signed cert.
+PROXMOX_DEV_MODE=false
+
+# When `true`, high-risk and destructive tools run without approval_token.
+# Use only for dev/automation. Production path: PROXMOX_MCP_APPROVAL_TOKEN.
+PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE=false
+
+# Token required per-call for high-risk/destructive tools. Compared with
+# crypto.timingSafeEqual against the `approval_token` tool argument.
+# Generate with: openssl rand -hex 32
+PROXMOX_MCP_APPROVAL_TOKEN=
+
+# When `true`, high-risk tools log an audit line but still require a token.
+PROXMOX_MCP_AUDIT_ONLY=false
+
+# ---- Logging ----------------------------------------------------------------
+LOG_LEVEL=info
+LOG_PRETTY=false
+
+# ---- Retry & jobs -----------------------------------------------------------
+PROXMOX_MCP_RETRY_MAX=3
+PROXMOX_MCP_RETRY_BASE_MS=200
+PROXMOX_MCP_JOB_TTL_HOURS=24
+# 'memory' (default; lost on restart) or 'sqlite' (persisted)
+PROXMOX_MCP_JOB_STORE=memory
+PROXMOX_MCP_JOB_SQLITE_PATH=./proxmox-jobs.sqlite3
+
+# ---- Transport --------------------------------------------------------------
+# STDIO = current default (Claude Code)
+# SSE = legacy HTTP+SSE
+# STREAMABLE = streamable HTTP (recommended for non-stdio clients)
+MCP_TRANSPORT=STDIO
+MCP_HOST=127.0.0.1
+MCP_PORT=8000
+
+# ---- SSH (for `execute_container_command` — pct exec on the host) -----------
+PROXMOX_SSH_USER=root
+PROXMOX_SSH_PORT=22
+PROXMOX_SSH_KEY_FILE=
+PROXMOX_SSH_PASSWORD=
+# JSON string: {"pve1":"10.0.0.1","pve2":"10.0.0.2"}
+PROXMOX_SSH_HOST_OVERRIDES=
+PROXMOX_SSH_KNOWN_HOSTS_FILE=
+PROXMOX_SSH_STRICT_HOST_KEY_CHECKING=true

package/.mcp.json.example

@@ -0,0 +1,19 @@
+{
+  "mcpServers": {
+    "proxmox": {
+      "command": "node",
+      "args": ["/Users/ngocdd/Documents/source_code/proxmox-mcp/dist/index.js"],
+      "env": {
+        "PROXMOX_HOST": "proxmox.example.com",
+        "PROXMOX_PORT": "8006",
+        "PROXMOX_USER": "root@pam",
+        "PROXMOX_TOKEN_NAME": "mcp",
+        "PROXMOX_TOKEN_VALUE": "your-token-uuid-here",
+        "PROXMOX_VERIFY_SSL": "false",
+        "PROXMOX_DEV_MODE": "true",
+        "PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE": "false",
+        "LOG_LEVEL": "info"
+      }
+    }
+  }
+}

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Proxmox MCP Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,72 @@
+# Proxmox MCP (TypeScript)
+
+MCP server for [Proxmox VE](https://www.proxmox.com/en/proxmox-ve) — lets AI assistants (Claude Code, etc.) manage QEMU VMs, LXC containers, storage, network, HA, replication, SDN, and node admin.
+
+**195 tools** · 3 transports (stdio / HTTP-SSE / streamable) · approval-gated destructive ops
+
+## Supported tools (195)
+
+**Foundation (24)** — `get_cluster_status`, `get_nodes`, `get_node_status`, `get_storage`, `list_tasks`, `get_task`, `get_task_log`, `list_jobs`, `get_job`, `poll_job`, `cancel_job`, `retry_job` · snapshot / backup / ISO + template CRUD
+
+**VM (45)** — CRUD + lifecycle (`get_vms`, `get_vm_config`, `create_vm`, `clone_vm`, `start/stop/shutdown/reset/reboot/delete_vm`) · config (`update_vm_config`, `resize_vm_disk`, `set_vm_cloudinit`) · diagnostics (RRD, 10× QEMU guest agent, `vm_monitor`, `vm_firewall_rules`) · migration + console (VNC / SPICE / termproxy)
+
+**Container (35)** — CRUD + lifecycle + config (`update_container_resources`, `resize_container_disk`) · diagnostics (RRD, firewall, **`execute_container_command`** via SSH + `pct exec`) · migration + console
+
+**Cluster (23)** — Resource pools (5) · HA resources + groups (11) · Scheduled vzdump jobs (7)
+
+**Node admin (40)** — apt / DNS / hosts / time (15) · bulk ops (4) · subscription (4) · systemd services (7) · network bonds/bridges/VLANs/OVS (5) · disks + ZFS (5) · certificates (2)
+
+**Storage (5)** — `list_storages`, `get_storage`, `create/update/delete_storage` (lvm, zfs, nfs, cifs, pbs, dir, …)
+
+**Replication (7)** + **SDN (22)** — ZFS replication jobs · SDN controllers / zones / vnets / subnets + `apply_sdn`
+
+> 25 destructive tools require an approval token (or `PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE=true`). List them: `proxmox-mcp-print-tools destructive`.
+
+## Install
+
+### From npm (recommended)
+
+```bash
+npx proxmox-mcps
+# or install globally
+npm install -g proxmox-mcps
+proxmox-mcp          # CLI binary (installed by the package above)
+```
+
+### From source
+
+```bash
+git clone https://github.com/your-username/proxmox-mcp.git
+cd proxmox-mcp
+npm install
+cp .env.example .env       # fill in Proxmox host + API token
+npm run check-config       # validate env
+npm run build              # tsc → dist/
+npm start                  # node dist/index.js
+```
+
+## Configure for Claude Code
+
+```bash
+claude mcp add proxmox \
+  --command "npx" --args "-y,proxmox-mcps" \
+  --env "PROXMOX_HOST=proxmox.example.com" \
+  --env "PROXMOX_PORT=8006" \
+  --env "PROXMOX_USER=root@pam" \
+  --env "PROXMOX_TOKEN_NAME=mcp" \
+  --env "PROXMOX_TOKEN_VALUE=<uuid>" \
+  --env "PROXMOX_VERIFY_SSL=false" \
+  --env "PROXMOX_DEV_MODE=true"
+```
+
+Restart Claude Code, verify with `/mcp` (should show `proxmox` with 195 tools).
+
+### Get an API token
+
+Proxmox UI → **Datacenter → Permissions → API Tokens → Add** → user `root@pam`, token ID `mcp`, uncheck **Privilege Separation** → copy the secret UUID into `PROXMOX_TOKEN_VALUE`.
+
+Full env-var reference: [`.env.example`](.env.example).
+
+## License
+
+MIT

package/dist/cli/check-config.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=check-config.d.ts.map

package/dist/cli/check-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-config.d.ts","sourceRoot":"","sources":["../../src/cli/check-config.ts"],"names":[],"mappings":""}

package/dist/cli/check-config.js

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+/**
+ * `proxmox-mcp --check-config` — validate environment variables without
+ * starting the MCP server.
+ */
+import { loadConfig } from "../config/index.js";
+try {
+    const cfg = loadConfig();
+    process.stdout.write(`[OK] Configuration is valid.\n\n` +
+        `  Proxmox: ${cfg.proxmox.user}@${cfg.proxmox.host}:${cfg.proxmox.port}\n` +
+        `  Service: ${cfg.proxmox.service}\n` +
+        `  Verify SSL: ${cfg.proxmox.verifySsl}\n` +
+        `  Dev mode: ${cfg.safety.devMode}\n` +
+        `  Dangerously allow destructive: ${cfg.safety.dangerouslyAllowDestructive}\n` +
+        `  Approval token configured: ${cfg.safety.approvalToken ? "yes" : "no"}\n` +
+        `  Audit only: ${cfg.safety.auditOnly}\n` +
+        `  Log level: ${cfg.logLevel}\n` +
+        `  SSH user: ${cfg.ssh.user}@*:${cfg.ssh.port}\n` +
+        `  SSH key file: ${cfg.ssh.keyFile ?? "(none)"}\n` +
+        `  Retry max: ${cfg.retryJob.retryMax} (base ${cfg.retryJob.retryBaseMs}ms)\n` +
+        `  Job TTL: ${cfg.retryJob.jobTtlHours}h\n`);
+    process.exit(0);
+}
+catch (err) {
+    process.stderr.write(`[FAIL] ${err instanceof Error ? err.message : String(err)}\n\n` +
+        `Run 'cp .env.example .env' and fill in your Proxmox host + API token.\n`);
+    process.exit(2);
+}
+//# sourceMappingURL=check-config.js.map

package/dist/cli/check-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-config.js","sourceRoot":"","sources":["../../src/cli/check-config.ts"],"names":[],"mappings":";AACA;;;GAGG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,IAAI,CAAC;IACH,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kCAAkC;QAChC,cAAc,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI;QAC1E,cAAc,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI;QACrC,iBAAiB,GAAG,CAAC,OAAO,CAAC,SAAS,IAAI;QAC1C,eAAe,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI;QACrC,oCAAoC,GAAG,CAAC,MAAM,CAAC,2BAA2B,IAAI;QAC9E,gCAAgC,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI;QAC3E,iBAAiB,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI;QACzC,gBAAgB,GAAG,CAAC,QAAQ,IAAI;QAChC,eAAe,GAAG,CAAC,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;QACjD,mBAAmB,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,QAAQ,IAAI;QAClD,gBAAgB,GAAG,CAAC,QAAQ,CAAC,QAAQ,UAAU,GAAG,CAAC,QAAQ,CAAC,WAAW,OAAO;QAC9E,cAAc,GAAG,CAAC,QAAQ,CAAC,WAAW,KAAK,CAC9C,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAAC,OAAO,GAAG,EAAE,CAAC;IACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM;QAC9D,yEAAyE,CAC5E,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}

package/dist/cli/print-tools.d.ts

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+import "../safety/risk.js";
+import "../tools/index.js";
+//# sourceMappingURL=print-tools.d.ts.map

package/dist/cli/print-tools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"print-tools.d.ts","sourceRoot":"","sources":["../../src/cli/print-tools.ts"],"names":[],"mappings":";AAaA,OAAO,mBAAmB,CAAC;AAG3B,OAAO,mBAAmB,CAAC"}

package/dist/cli/print-tools.js

@@ -0,0 +1,45 @@
+#!/usr/bin/env node
+/**
+ * `proxmox-mcp --print-tools` — list every tool that would be registered.
+ *
+ * Pass `destructive` as the first arg to list only tools that require
+ * approval (risk=destructive).
+ *
+ * Usage:
+ *   node dist/cli/print-tools.js               # all tools
+ *   node dist/cli/print-tools.js destructive   # only approval-gated tools
+ */
+import { listRiskRegistry } from "../safety/policy.js";
+// Side-effect import: triggers risk registration (Phase 1B+).
+import "../safety/risk.js";
+// Side-effect import: also pulls in tool files so any future per-file
+// registration logic runs.
+import "../tools/index.js";
+const filter = (process.argv[2] ?? "").trim().toLowerCase();
+const reg = listRiskRegistry();
+let tools = Object.entries(reg);
+if (filter === "destructive") {
+    tools = tools.filter(([, risk]) => risk === "destructive");
+    if (tools.length === 0) {
+        process.stdout.write("[INFO] No destructive tools registered.\n");
+        process.exit(0);
+    }
+    process.stdout.write(`[OK] ${tools.length} destructive (approval-required) tool(s):\n\n`);
+}
+else if (filter === "high" || filter === "medium" || filter === "low") {
+    tools = tools.filter(([, risk]) => risk === filter);
+    process.stdout.write(`[OK] ${tools.length} ${filter}-risk tool(s):\n\n`);
+}
+else if (tools.length === 0) {
+    process.stdout.write("[INFO] No tools registered yet. (Phase 1A skeleton)\n");
+    process.exit(0);
+}
+else {
+    process.stdout.write(`[OK] ${tools.length} tool(s) registered:\n\n`);
+}
+tools.sort(([a], [b]) => a.localeCompare(b));
+const maxLen = Math.max(...tools.map(([n]) => n.length));
+for (const [name, risk] of tools) {
+    process.stdout.write(`  ${name.padEnd(maxLen)}  risk=${risk}\n`);
+}
+//# sourceMappingURL=print-tools.js.map

package/dist/cli/print-tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"print-tools.js","sourceRoot":"","sources":["../../src/cli/print-tools.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG;AACH,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,8DAA8D;AAC9D,OAAO,mBAAmB,CAAC;AAC3B,sEAAsE;AACtE,2BAA2B;AAC3B,OAAO,mBAAmB,CAAC;AAE3B,MAAM,MAAM,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AAE5D,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;AAC/B,IAAI,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AAEhC,IAAI,MAAM,KAAK,aAAa,EAAE,CAAC;IAC7B,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC;IAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,CAAC,MAAM,+CAA+C,CAAC,CAAC;AAC5F,CAAC;KAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;IACxE,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;IACpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,CAAC,MAAM,IAAI,MAAM,oBAAoB,CAAC,CAAC;AAC3E,CAAC;KAAM,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;IAC9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC9E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;KAAM,CAAC;IACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,CAAC,MAAM,0BAA0B,CAAC,CAAC;AACvE,CAAC;AAED,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AAE7C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;AACzD,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;IACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC;AACnE,CAAC"}

package/dist/config/env.d.ts

@@ -0,0 +1,183 @@
+/**
+ * Environment variable schema. Single source of truth for runtime config.
+ *
+ * Validates process.env at startup. Exits with code 2 on validation failure.
+ */
+import { z } from "zod";
+import type { LoggerConfig } from "../log.js";
+declare const EnvSchema: z.ZodEffects<z.ZodObject<{
+    PROXMOX_HOST: z.ZodString;
+    PROXMOX_PORT: z.ZodDefault<z.ZodNumber>;
+    PROXMOX_USER: z.ZodString;
+    PROXMOX_TOKEN_NAME: z.ZodString;
+    PROXMOX_TOKEN_VALUE: z.ZodString;
+    PROXMOX_VERIFY_SSL: z.ZodDefault<z.ZodEffects<z.ZodUnion<[z.ZodBoolean, z.ZodString]>, boolean, string | boolean>>;
+    PROXMOX_TIMEOUT_MS: z.ZodDefault<z.ZodNumber>;
+    PROXMOX_SERVICE: z.ZodDefault<z.ZodEnum<["PVE", "PMG", "PBS"]>>;
+    PROXMOX_DEV_MODE: z.ZodDefault<z.ZodEffects<z.ZodUnion<[z.ZodBoolean, z.ZodString]>, boolean, string | boolean>>;
+    PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE: z.ZodDefault<z.ZodEffects<z.ZodUnion<[z.ZodBoolean, z.ZodString]>, boolean, string | boolean>>;
+    PROXMOX_MCP_APPROVAL_TOKEN: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>;
+    PROXMOX_MCP_AUDIT_ONLY: z.ZodDefault<z.ZodEffects<z.ZodUnion<[z.ZodBoolean, z.ZodString]>, boolean, string | boolean>>;
+    LOG_LEVEL: z.ZodDefault<z.ZodEnum<["debug", "info", "warn", "error"]>>;
+    LOG_PRETTY: z.ZodDefault<z.ZodEffects<z.ZodUnion<[z.ZodBoolean, z.ZodString]>, boolean, string | boolean>>;
+    PROXMOX_MCP_RETRY_MAX: z.ZodDefault<z.ZodNumber>;
+    PROXMOX_MCP_RETRY_BASE_MS: z.ZodDefault<z.ZodNumber>;
+    PROXMOX_MCP_JOB_TTL_HOURS: z.ZodDefault<z.ZodNumber>;
+    PROXMOX_MCP_JOB_STORE: z.ZodDefault<z.ZodEnum<["memory", "sqlite"]>>;
+    PROXMOX_MCP_JOB_SQLITE_PATH: z.ZodDefault<z.ZodString>;
+    MCP_TRANSPORT: z.ZodDefault<z.ZodEnum<["STDIO", "SSE", "STREAMABLE"]>>;
+    MCP_HOST: z.ZodDefault<z.ZodString>;
+    MCP_PORT: z.ZodDefault<z.ZodNumber>;
+    PROXMOX_SSH_USER: z.ZodDefault<z.ZodString>;
+    PROXMOX_SSH_PORT: z.ZodDefault<z.ZodNumber>;
+    PROXMOX_SSH_KEY_FILE: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>;
+    PROXMOX_SSH_PASSWORD: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>;
+    PROXMOX_SSH_HOST_OVERRIDES: z.ZodEffects<z.ZodOptional<z.ZodString>, Record<string, string>, string | undefined>;
+    PROXMOX_SSH_KNOWN_HOSTS_FILE: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>;
+    PROXMOX_SSH_STRICT_HOST_KEY_CHECKING: z.ZodDefault<z.ZodEffects<z.ZodUnion<[z.ZodBoolean, z.ZodString]>, boolean, string | boolean>>;
+    PROXMOX_DOWNLOAD_ALLOWED_SCHEMES: z.ZodEffects<z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>, string[] | readonly ["http", "https"], string | undefined>;
+    PROXMOX_DOWNLOAD_ALLOWED_HOSTS: z.ZodEffects<z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>, string[], string | undefined>;
+}, "strip", z.ZodTypeAny, {
+    PROXMOX_HOST: string;
+    PROXMOX_PORT: number;
+    PROXMOX_USER: string;
+    PROXMOX_TOKEN_NAME: string;
+    PROXMOX_TOKEN_VALUE: string;
+    PROXMOX_VERIFY_SSL: boolean;
+    PROXMOX_TIMEOUT_MS: number;
+    PROXMOX_SERVICE: "PVE" | "PMG" | "PBS";
+    PROXMOX_DEV_MODE: boolean;
+    PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE: boolean;
+    PROXMOX_MCP_AUDIT_ONLY: boolean;
+    LOG_LEVEL: "debug" | "info" | "warn" | "error";
+    LOG_PRETTY: boolean;
+    PROXMOX_MCP_RETRY_MAX: number;
+    PROXMOX_MCP_RETRY_BASE_MS: number;
+    PROXMOX_MCP_JOB_TTL_HOURS: number;
+    PROXMOX_MCP_JOB_STORE: "memory" | "sqlite";
+    PROXMOX_MCP_JOB_SQLITE_PATH: string;
+    MCP_TRANSPORT: "STDIO" | "SSE" | "STREAMABLE";
+    MCP_HOST: string;
+    MCP_PORT: number;
+    PROXMOX_SSH_USER: string;
+    PROXMOX_SSH_PORT: number;
+    PROXMOX_SSH_HOST_OVERRIDES: Record<string, string>;
+    PROXMOX_SSH_STRICT_HOST_KEY_CHECKING: boolean;
+    PROXMOX_DOWNLOAD_ALLOWED_SCHEMES: string[] | readonly ["http", "https"];
+    PROXMOX_DOWNLOAD_ALLOWED_HOSTS: string[];
+    PROXMOX_MCP_APPROVAL_TOKEN?: string | undefined;
+    PROXMOX_SSH_KEY_FILE?: string | undefined;
+    PROXMOX_SSH_PASSWORD?: string | undefined;
+    PROXMOX_SSH_KNOWN_HOSTS_FILE?: string | undefined;
+}, {
+    PROXMOX_HOST: string;
+    PROXMOX_USER: string;
+    PROXMOX_TOKEN_NAME: string;
+    PROXMOX_TOKEN_VALUE: string;
+    PROXMOX_PORT?: number | undefined;
+    PROXMOX_VERIFY_SSL?: string | boolean | undefined;
+    PROXMOX_TIMEOUT_MS?: number | undefined;
+    PROXMOX_SERVICE?: "PVE" | "PMG" | "PBS" | undefined;
+    PROXMOX_DEV_MODE?: string | boolean | undefined;
+    PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE?: string | boolean | undefined;
+    PROXMOX_MCP_APPROVAL_TOKEN?: string | undefined;
+    PROXMOX_MCP_AUDIT_ONLY?: string | boolean | undefined;
+    LOG_LEVEL?: "debug" | "info" | "warn" | "error" | undefined;
+    LOG_PRETTY?: string | boolean | undefined;
+    PROXMOX_MCP_RETRY_MAX?: number | undefined;
+    PROXMOX_MCP_RETRY_BASE_MS?: number | undefined;
+    PROXMOX_MCP_JOB_TTL_HOURS?: number | undefined;
+    PROXMOX_MCP_JOB_STORE?: "memory" | "sqlite" | undefined;
+    PROXMOX_MCP_JOB_SQLITE_PATH?: string | undefined;
+    MCP_TRANSPORT?: "STDIO" | "SSE" | "STREAMABLE" | undefined;
+    MCP_HOST?: string | undefined;
+    MCP_PORT?: number | undefined;
+    PROXMOX_SSH_USER?: string | undefined;
+    PROXMOX_SSH_PORT?: number | undefined;
+    PROXMOX_SSH_KEY_FILE?: string | undefined;
+    PROXMOX_SSH_PASSWORD?: string | undefined;
+    PROXMOX_SSH_HOST_OVERRIDES?: string | undefined;
+    PROXMOX_SSH_KNOWN_HOSTS_FILE?: string | undefined;
+    PROXMOX_SSH_STRICT_HOST_KEY_CHECKING?: string | boolean | undefined;
+    PROXMOX_DOWNLOAD_ALLOWED_SCHEMES?: string | undefined;
+    PROXMOX_DOWNLOAD_ALLOWED_HOSTS?: string | undefined;
+}>, {
+    PROXMOX_HOST: string;
+    PROXMOX_PORT: number;
+    PROXMOX_USER: string;
+    PROXMOX_TOKEN_NAME: string;
+    PROXMOX_TOKEN_VALUE: string;
+    PROXMOX_VERIFY_SSL: boolean;
+    PROXMOX_TIMEOUT_MS: number;
+    PROXMOX_SERVICE: "PVE" | "PMG" | "PBS";
+    PROXMOX_DEV_MODE: boolean;
+    PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE: boolean;
+    PROXMOX_MCP_AUDIT_ONLY: boolean;
+    LOG_LEVEL: "debug" | "info" | "warn" | "error";
+    LOG_PRETTY: boolean;
+    PROXMOX_MCP_RETRY_MAX: number;
+    PROXMOX_MCP_RETRY_BASE_MS: number;
+    PROXMOX_MCP_JOB_TTL_HOURS: number;
+    PROXMOX_MCP_JOB_STORE: "memory" | "sqlite";
+    PROXMOX_MCP_JOB_SQLITE_PATH: string;
+    MCP_TRANSPORT: "STDIO" | "SSE" | "STREAMABLE";
+    MCP_HOST: string;
+    MCP_PORT: number;
+    PROXMOX_SSH_USER: string;
+    PROXMOX_SSH_PORT: number;
+    PROXMOX_SSH_HOST_OVERRIDES: Record<string, string>;
+    PROXMOX_SSH_STRICT_HOST_KEY_CHECKING: boolean;
+    PROXMOX_DOWNLOAD_ALLOWED_SCHEMES: string[] | readonly ["http", "https"];
+    PROXMOX_DOWNLOAD_ALLOWED_HOSTS: string[];
+    PROXMOX_MCP_APPROVAL_TOKEN?: string | undefined;
+    PROXMOX_SSH_KEY_FILE?: string | undefined;
+    PROXMOX_SSH_PASSWORD?: string | undefined;
+    PROXMOX_SSH_KNOWN_HOSTS_FILE?: string | undefined;
+}, {
+    PROXMOX_HOST: string;
+    PROXMOX_USER: string;
+    PROXMOX_TOKEN_NAME: string;
+    PROXMOX_TOKEN_VALUE: string;
+    PROXMOX_PORT?: number | undefined;
+    PROXMOX_VERIFY_SSL?: string | boolean | undefined;
+    PROXMOX_TIMEOUT_MS?: number | undefined;
+    PROXMOX_SERVICE?: "PVE" | "PMG" | "PBS" | undefined;
+    PROXMOX_DEV_MODE?: string | boolean | undefined;
+    PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE?: string | boolean | undefined;
+    PROXMOX_MCP_APPROVAL_TOKEN?: string | undefined;
+    PROXMOX_MCP_AUDIT_ONLY?: string | boolean | undefined;
+    LOG_LEVEL?: "debug" | "info" | "warn" | "error" | undefined;
+    LOG_PRETTY?: string | boolean | undefined;
+    PROXMOX_MCP_RETRY_MAX?: number | undefined;
+    PROXMOX_MCP_RETRY_BASE_MS?: number | undefined;
+    PROXMOX_MCP_JOB_TTL_HOURS?: number | undefined;
+    PROXMOX_MCP_JOB_STORE?: "memory" | "sqlite" | undefined;
+    PROXMOX_MCP_JOB_SQLITE_PATH?: string | undefined;
+    MCP_TRANSPORT?: "STDIO" | "SSE" | "STREAMABLE" | undefined;
+    MCP_HOST?: string | undefined;
+    MCP_PORT?: number | undefined;
+    PROXMOX_SSH_USER?: string | undefined;
+    PROXMOX_SSH_PORT?: number | undefined;
+    PROXMOX_SSH_KEY_FILE?: string | undefined;
+    PROXMOX_SSH_PASSWORD?: string | undefined;
+    PROXMOX_SSH_HOST_OVERRIDES?: string | undefined;
+    PROXMOX_SSH_KNOWN_HOSTS_FILE?: string | undefined;
+    PROXMOX_SSH_STRICT_HOST_KEY_CHECKING?: string | boolean | undefined;
+    PROXMOX_DOWNLOAD_ALLOWED_SCHEMES?: string | undefined;
+    PROXMOX_DOWNLOAD_ALLOWED_HOSTS?: string | undefined;
+}>;
+export type EnvInput = z.infer<typeof EnvSchema>;
+/**
+ * Parse and validate process.env. Throws ZodError on failure.
+ */
+export declare function parseEnv(env?: NodeJS.ProcessEnv): EnvInput;
+/**
+ * Parse and exit with code 2 on failure. Use in entry points.
+ */
+export declare function parseEnvOrExit(env?: NodeJS.ProcessEnv): EnvInput;
+/**
+ * Build a LoggerConfig from env.
+ */
+export declare function loggerConfigFromEnv(env: EnvInput): LoggerConfig;
+export {};
+//# sourceMappingURL=env.d.ts.map

package/dist/config/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/config/env.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AA6C9C,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiFX,CAAC;AAEL,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAEjD;;GAEG;AACH,wBAAgB,QAAQ,CAAC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,QAAQ,CASvE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,QAAQ,CAU7E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,QAAQ,GAAG,YAAY,CAE/D"}

package/dist/config/env.js

@@ -0,0 +1,149 @@
+/**
+ * Environment variable schema. Single source of truth for runtime config.
+ *
+ * Validates process.env at startup. Exits with code 2 on validation failure.
+ */
+import { z } from "zod";
+const USER_REGEX = /^[\w.\-]+(@[a-z][a-z0-9\-]+)?$/i;
+const HOST_REGEX = /^[a-zA-Z0-9]([a-zA-Z0-9\-_.]*[a-zA-Z0-9])?$/;
+const LogLevelSchema = z.enum(["debug", "info", "warn", "error"]);
+const ServiceSchema = z.enum(["PVE", "PMG", "PBS"]);
+/**
+ * Coerce env-style boolean strings to actual booleans. z.coerce.boolean() is
+ * broken (any non-empty string is truthy), so we explicitly map "true"/"1" to
+ * true and everything else to false.
+ */
+const BoolFromString = z
+    .union([z.boolean(), z.string()])
+    .transform((v) => {
+    if (typeof v === "boolean")
+        return v;
+    return /^(true|1|yes|on)$/i.test(v.trim());
+});
+const SshHostOverridesSchema = z
+    .string()
+    .optional()
+    .transform((raw) => {
+    if (!raw || raw.trim() === "")
+        return {};
+    try {
+        const parsed = JSON.parse(raw);
+        if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+            throw new Error("PROXMOX_SSH_HOST_OVERRIDES must be a JSON object");
+        }
+        const out = {};
+        for (const [k, v] of Object.entries(parsed)) {
+            if (typeof v !== "string") {
+                throw new Error(`PROXMOX_SSH_HOST_OVERRIDES[${k}] must be a string`);
+            }
+            out[k] = v;
+        }
+        return out;
+    }
+    catch (err) {
+        throw new Error(`PROXMOX_SSH_HOST_OVERRIDES: ${err instanceof Error ? err.message : String(err)}`);
+    }
+});
+const EnvSchema = z
+    .object({
+    // Proxmox API connection
+    PROXMOX_HOST: z.string().min(1).regex(HOST_REGEX, "invalid hostname"),
+    PROXMOX_PORT: z.coerce.number().int().min(1).max(65535).default(8006),
+    PROXMOX_USER: z.string().regex(USER_REGEX, "must be like 'user@realm'"),
+    PROXMOX_TOKEN_NAME: z.string().min(1),
+    PROXMOX_TOKEN_VALUE: z.string().min(8),
+    PROXMOX_VERIFY_SSL: BoolFromString.default(true),
+    PROXMOX_TIMEOUT_MS: z.coerce.number().int().min(1000).max(600_000).default(30_000),
+    PROXMOX_SERVICE: ServiceSchema.default("PVE"),
+    // Safety
+    PROXMOX_DEV_MODE: BoolFromString.default(false),
+    PROXMOX_DANGEROUSLY_ALLOW_DESTRUCTIVE: BoolFromString.default(false),
+    PROXMOX_MCP_APPROVAL_TOKEN: z.string().min(8).optional().or(z.literal("")),
+    PROXMOX_MCP_AUDIT_ONLY: BoolFromString.default(false),
+    // Logging
+    LOG_LEVEL: LogLevelSchema.default("info"),
+    LOG_PRETTY: BoolFromString.default(false),
+    // Retry & jobs
+    PROXMOX_MCP_RETRY_MAX: z.coerce.number().int().min(0).max(10).default(3),
+    PROXMOX_MCP_RETRY_BASE_MS: z.coerce.number().int().min(50).max(10_000).default(200),
+    PROXMOX_MCP_JOB_TTL_HOURS: z.coerce.number().int().min(1).max(168).default(24),
+    PROXMOX_MCP_JOB_STORE: z.enum(["memory", "sqlite"]).default("memory"),
+    PROXMOX_MCP_JOB_SQLITE_PATH: z.string().min(1).default("./proxmox-jobs.sqlite3"),
+    // Transport (Phase 2A)
+    MCP_TRANSPORT: z.enum(["STDIO", "SSE", "STREAMABLE"]).default("STDIO"),
+    MCP_HOST: z.string().default("127.0.0.1"),
+    MCP_PORT: z.coerce.number().int().min(1).max(65535).default(8000),
+    // SSH (for `pct exec` on containers)
+    PROXMOX_SSH_USER: z.string().default("root"),
+    PROXMOX_SSH_PORT: z.coerce.number().int().min(1).max(65535).default(22),
+    PROXMOX_SSH_KEY_FILE: z.string().optional().or(z.literal("")),
+    PROXMOX_SSH_PASSWORD: z.string().optional().or(z.literal("")),
+    PROXMOX_SSH_HOST_OVERRIDES: SshHostOverridesSchema,
+    PROXMOX_SSH_KNOWN_HOSTS_FILE: z.string().optional().or(z.literal("")),
+    PROXMOX_SSH_STRICT_HOST_KEY_CHECKING: BoolFromString.default(true),
+    // Download guard (SSRF mitigation for download_iso etc.)
+    PROXMOX_DOWNLOAD_ALLOWED_SCHEMES: z
+        .string()
+        .optional()
+        .or(z.literal(""))
+        .transform((raw) => !raw || raw.trim() === ""
+        ? ["http", "https"]
+        : raw
+            .split(",")
+            .map((s) => s.trim().toLowerCase())
+            .filter(Boolean)),
+    PROXMOX_DOWNLOAD_ALLOWED_HOSTS: z
+        .string()
+        .optional()
+        .or(z.literal(""))
+        .transform((raw) => !raw || raw.trim() === ""
+        ? []
+        : raw.split(",").map((s) => s.trim()).filter(Boolean)),
+})
+    .superRefine((data, ctx) => {
+    // Guard: verify_ssl=false requires dev_mode=true
+    if (!data.PROXMOX_VERIFY_SSL && !data.PROXMOX_DEV_MODE) {
+        ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            path: ["PROXMOX_VERIFY_SSL"],
+            message: "PROXMOX_VERIFY_SSL=false requires PROXMOX_DEV_MODE=true",
+        });
+    }
+    // Guard: at least one of key_file or password for SSH (warning only)
+    // We don't enforce — user might want password prompt via agent.
+    // Guard: approval_token or dangerously_allow_destructive should be set
+    // for any use of destructive tools. We log a warning at startup.
+});
+/**
+ * Parse and validate process.env. Throws ZodError on failure.
+ */
+export function parseEnv(env = process.env) {
+    const result = EnvSchema.safeParse(env);
+    if (!result.success) {
+        const issues = result.error.issues
+            .map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`)
+            .join("\n");
+        throw new Error(`Invalid environment configuration:\n${issues}`);
+    }
+    return result.data;
+}
+/**
+ * Parse and exit with code 2 on failure. Use in entry points.
+ */
+export function parseEnvOrExit(env = process.env) {
+    try {
+        return parseEnv(env);
+    }
+    catch (err) {
+        process.stderr.write(`\n[FATAL] ${err instanceof Error ? err.message : String(err)}\n\n` +
+            `Run 'npm run check-config' to diagnose, or 'cp .env.example .env' to start.\n`);
+        process.exit(2);
+    }
+}
+/**
+ * Build a LoggerConfig from env.
+ */
+export function loggerConfigFromEnv(env) {
+    return { level: env.LOG_LEVEL, pretty: env.LOG_PRETTY };
+}
+//# sourceMappingURL=env.js.map

package/dist/config/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/config/env.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,UAAU,GAAG,iCAAiC,CAAC;AACrD,MAAM,UAAU,GAAG,6CAA6C,CAAC;AAEjE,MAAM,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAClE,MAAM,aAAa,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEpD;;;;GAIG;AACH,MAAM,cAAc,GAAG,CAAC;KACrB,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;KAChC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE;IACf,IAAI,OAAO,CAAC,KAAK,SAAS;QAAE,OAAO,CAAC,CAAC;IACrC,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC7C,CAAC,CAAC,CAAC;AAEL,MAAM,sBAAsB,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,QAAQ,EAAE;KACV,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE;IACjB,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO,EAA4B,CAAC;IACnE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3E,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,GAAG,GAA2B,EAAE,CAAC;QACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5C,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,oBAAoB,CAAC,CAAC;YACvE,CAAC;YACD,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACb,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAClF,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,MAAM,SAAS,GAAG,CAAC;KAChB,MAAM,CAAC;IACN,yBAAyB;IACzB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,EAAE,kBAAkB,CAAC;IACrE,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACrE,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,2BAA2B,CAAC;IACvE,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtC,kBAAkB,EAAE,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC;IAChD,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAClF,eAAe,EAAE,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC;IAE7C,SAAS;IACT,gBAAgB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IAC/C,qCAAqC,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IACpE,0BAA0B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1E,sBAAsB,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IAErD,UAAU;IACV,SAAS,EAAE,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC;IACzC,UAAU,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;IAEzC,eAAe;IACf,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACxE,yBAAyB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IACnF,yBAAyB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC9E,qBAAqB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IACrE,2BAA2B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,wBAAwB,CAAC;IAEhF,uBAAuB;IACvB,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACtE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;IACzC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAEjE,qCAAqC;IACrC,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAC5C,gBAAgB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACvE,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC7D,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC7D,0BAA0B,EAAE,sBAAsB;IAClD,4BAA4B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACrE,oCAAoC,EAAE,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC;IAElE,yDAAyD;IACzD,gCAAgC,EAAE,CAAC;SAChC,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;SACjB,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CACjB,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE;QACvB,CAAC,CAAE,CAAC,MAAM,EAAE,OAAO,CAAW;QAC9B,CAAC,CAAE,GAAG;aACD,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;aAClC,MAAM,CAAC,OAAO,CAAc,CACpC;IACH,8BAA8B,EAAE,CAAC;SAC9B,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;SACjB,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CACjB,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE;QACvB,CAAC,CAAE,EAAe;QAClB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CACxD;CACJ,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,iDAAiD;IACjD,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACvD,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,CAAC,oBAAoB,CAAC;YAC5B,OAAO,EAAE,yDAAyD;SACnE,CAAC,CAAC;IACL,CAAC;IAED,qEAAqE;IACrE,gEAAgE;IAEhE,uEAAuE;IACvE,iEAAiE;AACnE,CAAC,CAAC,CAAC;AAIL;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC/D,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,uCAAuC,MAAM,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAyB,OAAO,CAAC,GAAG;IACjE,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,aAAa,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM;YACjE,+EAA+E,CAClF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAa;IAC/C,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC,UAAU,EAAE,CAAC;AAC1D,CAAC"}

package/dist/config/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Config entrypoint. Loads .env, parses env, returns AppConfig.
+ *
+ * Usage:
+ *   import { loadConfig } from "./config/index.js";
+ *   const cfg = loadConfig();
+ */
+import "dotenv/config";
+import { type AppConfig } from "./types.js";
+import type { LoggerConfig } from "../log.js";
+export { parseEnv, loggerConfigFromEnv } from "./env.js";
+export type { EnvInput } from "./env.js";
+export * from "./types.js";
+/**
+ * Load (and cache) the AppConfig. Subsequent calls return the cached value.
+ */
+export declare function loadConfig(): AppConfig;
+/**
+ * Load (and cache) the LoggerConfig.
+ */
+export declare function loadLoggerConfig(): LoggerConfig;
+/**
+ * Reset cached config (tests).
+ */
+export declare function resetConfig(): void;
+//# sourceMappingURL=index.d.ts.map