smart-home-engine 1.1.0 → 1.1.1

package/dist/web/assets/{tsMode-DAKcfE4c.js → tsMode-BcbP1HsB.js}

@@ -1,4 +1,4 @@
-import{m as O}from"./monaco-langs-BW2J83t5.js";import{t as I}from"./index-YxGnpZAh.js";/*!-----------------------------------------------------------------------------
+import{m as O}from"./monaco-langs-BW2J83t5.js";import{t as I}from"./index-DttCbWJj.js";/*!-----------------------------------------------------------------------------
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Version: 0.52.2(404545bded1df6ffa41ea0af4e8ddb219018c6c1)
  * Released under the MIT license

package/dist/web/index.html

@@ -172,7 +172,7 @@
                 }
             })();
         </script>
-      <script type="module" crossorigin src="/assets/index-YxGnpZAh.js"></script>
+      <script type="module" crossorigin src="/assets/index-DttCbWJj.js"></script>
       <link rel="modulepreload" crossorigin href="/assets/monaco-langs-BW2J83t5.js">
       <link rel="stylesheet" crossorigin href="/assets/monaco-langs-DyX1CsEw.css">
       <link rel="stylesheet" crossorigin href="/assets/index-DKIgEFlE.css">

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "smart-home-engine",
-    "version": "1.1.0",
+    "version": "1.1.1",
     "description": "Node.js based script runner for use in MQTT based Smart Home environments",
     "main": "src/index.js",
     "scripts": {

package/src/lib/ca.js

@@ -17,8 +17,8 @@
  *       client.crt
  *       client.p12
  *
- * CA cert metadata is stored in sheDB at broker::ca.
- * Issued cert metadata is stored in sheDB at broker::cert::<serial>.
+ * CA cert metadata is stored in sheDB at she/broker/ca.
+ * Issued cert metadata is stored in sheDB at she/broker/cert/<serial>.
  */
 
 const { execFile } = require('child_process');

package/src/lib/mosquitto-conf.js

@@ -29,20 +29,12 @@ const execFileAsync = promisify(execFile);
 const MANAGED_SINGLE_KEYS = new Set(['allow_anonymous', 'persistence', 'persistence_location', 'log_dest', 'log_type', 'plugin', 'plugin_opt_dynsec_config_file']);
 
 /**
- * Parse a mosquitto.conf file into a structured object.
+ * Parse mosquitto.conf text into a structured object.
  *
- * @param {string} filePath
+ * @param {string} raw - raw mosquitto.conf content
  * @returns {{ listeners: object[], managed: object, passthrough: string[], raw: string }}
  */
-function parse(filePath) {
-    let raw = '';
-    try {
-        raw = fs.readFileSync(filePath, 'utf8');
-    } catch (err) {
-        if (err.code !== 'ENOENT') throw err;
-        return { listeners: [], managed: {}, passthrough: [], raw: '' };
-    }
-
+function parseText(raw) {
     const lines = raw.split('\n');
     const managed = {};
     const listeners = [];
@@ -79,7 +71,6 @@ function parse(filePath) {
             applyListenerKey(currentListener, key, value);
         } else if (MANAGED_SINGLE_KEYS.has(key)) {
             if (managed[key] !== undefined) {
-                // multi-value key (e.g. log_type) — convert to array
                 managed[key] = [].concat(managed[key]).concat(value);
             } else {
                 managed[key] = value;
@@ -94,6 +85,23 @@ function parse(filePath) {
     return { listeners, managed, passthrough, raw };
 }
 
+/**
+ * Parse a mosquitto.conf file into a structured object.
+ *
+ * @param {string} filePath
+ * @returns {{ listeners: object[], managed: object, passthrough: string[], raw: string }}
+ */
+function parse(filePath) {
+    let raw = '';
+    try {
+        raw = fs.readFileSync(filePath, 'utf8');
+    } catch (err) {
+        if (err.code !== 'ENOENT') throw err;
+        return { listeners: [], managed: {}, passthrough: [], raw: '' };
+    }
+    return parseText(raw);
+}
+
 /** Keys that belong to a listener block */
 function isListenerSubkey(key) {
     return [
@@ -284,4 +292,4 @@ async function restart(brokerConfig) {
     return result;
 }
 
-module.exports = { parse, serialise, checksum, write, listBackups, restoreBackup, reload, restart };
+module.exports = { parse, parseText, serialise, checksum, write, listBackups, restoreBackup, reload, restart };

package/src/lib/ssh-deploy.js

@@ -1,16 +1,16 @@
 'use strict';
 
 /**
- * ssh-deploy.js — SSH/SFTP file deployment helper for remote broker management.
+ * ssh-deploy.js — SSH/SCP file deployment helper for remote broker management.
  *
- * Uses the `ssh2` npm package for SFTP uploads and remote command execution.
- * SSH keypair generation delegates to the `ssh-keygen` CLI tool.
+ * Shells out to the system ssh and scp clients — no npm dependencies required.
+ * SSH keypair generation uses the system ssh-keygen binary.
  *
- * Usage:
- *   const ssh = require('./ssh-deploy');
- *   await ssh.uploadFile(sshConfig, localPath, remotePath);
- *   const { stdout } = await ssh.runCommand(sshConfig, 'sudo systemctl reload mosquitto');
- *   const pubkey = await ssh.generateKeypair(identityFile);
+ * Requires ssh, scp, and ssh-keygen available in PATH on the she host.
+ *
+ * StrictHostKeyChecking=accept-new trusts new hosts on first connect and
+ * verifies the key on subsequent connections, protecting against MITM after
+ * the initial handshake without blocking automation.
  */
 
 const { execFile } = require('child_process');
@@ -21,19 +21,6 @@ const os = require('os');
 
 const execFileAsync = promisify(execFile);
 
-// ssh2 is an optional dependency — only loaded when needed
-let _ssh2 = null;
-function getSsh2() {
-    if (!_ssh2) {
-        try {
-            _ssh2 = require('ssh2');
-        } catch {
-            throw new Error('ssh2 package not installed — run: npm install ssh2');
-        }
-    }
-    return _ssh2;
-}
-
 function expandHome(p) {
     if (typeof p === 'string' && (p.startsWith('~/') || p === '~')) {
         return path.join(os.homedir(), p.slice(2));
@@ -42,109 +29,82 @@ function expandHome(p) {
 }
 
 /**
- * Build ssh2 connection options from she broker.ssh config.
+ * Build the common ssh argument list (flags only, no target/command).
  * @param {object} sshConfig - config.broker.ssh
+ * @returns {string[]}
  */
-function buildConnectOpts(sshConfig) {
-    const identityFile = expandHome(sshConfig.identityFile || '~/.she/broker_id_ed25519');
-    let privateKey;
-    try {
-        privateKey = fs.readFileSync(identityFile);
-    } catch (err) {
-        throw new Error(`Cannot read SSH identity file ${identityFile}: ${err.message}`);
-    }
+function sshArgs(sshConfig) {
+    const identityFile = expandHome(sshConfig.identityFile || '~/.she/ssh/broker_id_ed25519');
+    return ['-i', identityFile, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new', '-p', String(sshConfig.port || 22)];
+}
+
+/**
+ * Build the scp argument list prefix.
+ * scp uses -P (capital) for port, unlike ssh which uses -p.
+ * @param {object} sshConfig
+ * @returns {string[]}
+ */
+function scpArgs(sshConfig) {
+    const identityFile = expandHome(sshConfig.identityFile || '~/.she/ssh/broker_id_ed25519');
+    return ['-i', identityFile, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new', '-P', String(sshConfig.port || 22)];
+}
 
-    return {
-        host: sshConfig.host,
-        port: sshConfig.port || 22,
-        username: sshConfig.user || 'she',
-        privateKey,
-        readyTimeout: 10000,
-        keepaliveInterval: 0,
-    };
+function sshTarget(sshConfig) {
+    return `${sshConfig.user || 'she'}@${sshConfig.host}`;
 }
 
 /**
- * Connect to the remote host, execute a command, and return stdout/stderr.
+ * Run a command on the remote host via the system ssh client.
  * @param {object} sshConfig - config.broker.ssh
  * @param {string} command
  * @returns {Promise<{ stdout: string, stderr: string }>}
  */
-function runCommand(sshConfig, command) {
-    const { Client } = getSsh2();
-    const opts = buildConnectOpts(sshConfig);
-
-    return new Promise((resolve, reject) => {
-        const conn = new Client();
-        let stdout = '';
-        let stderr = '';
-
-        conn.on('ready', () => {
-            conn.exec(command, (err, stream) => {
-                if (err) {
-                    conn.end();
-                    return reject(err);
-                }
-                stream.on('close', (code) => {
-                    conn.end();
-                    if (code !== 0) {
-                        reject(new Error(`Remote command exited ${code}: ${stderr.trim() || stdout.trim()}`));
-                    } else {
-                        resolve({ stdout: stdout.trim(), stderr: stderr.trim() });
-                    }
-                });
-                stream.on('data', (d) => {
-                    stdout += d.toString();
-                });
-                stream.stderr.on('data', (d) => {
-                    stderr += d.toString();
-                });
-            });
-        });
-
-        conn.on('error', reject);
-        conn.connect(opts);
-    });
+async function runCommand(sshConfig, command) {
+    const args = [...sshArgs(sshConfig), sshTarget(sshConfig), command];
+    try {
+        const { stdout, stderr } = await execFileAsync('ssh', args, { timeout: 15000 });
+        return { stdout: stdout.trim(), stderr: stderr.trim() };
+    } catch (err) {
+        const detail = (err.stderr || '').trim() || (err.stdout || '').trim() || err.message;
+        throw new Error(detail);
+    }
+}
+
+/**
+ * Read the content of a file on the remote host via ssh cat.
+ * @param {object} sshConfig
+ * @param {string} remotePath
+ * @returns {Promise<string>}
+ */
+async function readRemoteFile(sshConfig, remotePath) {
+    const { stdout } = await runCommand(sshConfig, `cat -- "${remotePath}"`);
+    return stdout;
 }
 
 /**
- * Upload a local file to the remote host via SFTP.
+ * Upload a local file to the remote host via scp.
  * @param {object} sshConfig
  * @param {string} localPath
  * @param {string} remotePath
  */
-function uploadFile(sshConfig, localPath, remotePath) {
-    const { Client } = getSsh2();
-    const opts = buildConnectOpts(sshConfig);
-
-    return new Promise((resolve, reject) => {
-        const conn = new Client();
-        conn.on('ready', () => {
-            conn.sftp((err, sftp) => {
-                if (err) {
-                    conn.end();
-                    return reject(err);
-                }
-                sftp.fastPut(localPath, remotePath, (err2) => {
-                    conn.end();
-                    if (err2) reject(err2);
-                    else resolve();
-                });
-            });
-        });
-        conn.on('error', reject);
-        conn.connect(opts);
-    });
+async function uploadFile(sshConfig, localPath, remotePath) {
+    const args = [...scpArgs(sshConfig), localPath, `${sshTarget(sshConfig)}:${remotePath}`];
+    try {
+        await execFileAsync('scp', args, { timeout: 30000 });
+    } catch (err) {
+        const detail = (err.stderr || '').trim() || err.message;
+        throw new Error(detail);
+    }
 }
 
 /**
  * Upload a string as file content to the remote host.
+ * Writes to a local temp file then uploads via scp.
  * @param {object} sshConfig
  * @param {string} content
  * @param {string} remotePath
  */
 async function uploadContent(sshConfig, content, remotePath) {
-    // Write to a temp file, then SFTP upload, then delete temp
     const tmp = path.join(os.tmpdir(), `she-ssh-${Date.now()}.tmp`);
     fs.writeFileSync(tmp, content, 'utf8');
     try {
@@ -162,8 +122,9 @@ async function uploadContent(sshConfig, content, remotePath) {
  * Test SSH connectivity. Resolves to { ok: true } on success, or throws.
  * @param {object} sshConfig
  */
-function testConnection(sshConfig) {
-    return runCommand(sshConfig, 'echo ok').then(() => ({ ok: true }));
+async function testConnection(sshConfig) {
+    await runCommand(sshConfig, 'echo ok');
+    return { ok: true };
 }
 
 /**
@@ -172,11 +133,10 @@ function testConnection(sshConfig) {
  * @returns {Promise<string>} the public key text
  */
 async function generateKeypair(identityFile) {
-    const expandedPath = expandHome(identityFile || '~/.she/broker_id_ed25519');
+    const expandedPath = expandHome(identityFile || '~/.she/ssh/broker_id_ed25519');
     const dir = path.dirname(expandedPath);
     fs.mkdirSync(dir, { recursive: true });
 
-    // Remove existing key if present
     try {
         fs.unlinkSync(expandedPath);
     } catch {
@@ -188,20 +148,7 @@ async function generateKeypair(identityFile) {
         /* ok */
     }
 
-    await execFileAsync(
-        'ssh-keygen',
-        [
-            '-t',
-            'ed25519',
-            '-f',
-            expandedPath,
-            '-N',
-            '', // no passphrase
-            '-C',
-            'she-broker',
-        ],
-        { timeout: 15000 },
-    );
+    await execFileAsync('ssh-keygen', ['-t', 'ed25519', '-f', expandedPath, '-N', '', '-C', 'she-broker'], { timeout: 15000 });
 
     try {
         fs.chmodSync(expandedPath, 0o600);
@@ -209,8 +156,7 @@ async function generateKeypair(identityFile) {
         /* ignore */
     }
 
-    const pubkey = fs.readFileSync(expandedPath + '.pub', 'utf8');
-    return pubkey.trim();
+    return fs.readFileSync(expandedPath + '.pub', 'utf8').trim();
 }
 
-module.exports = { runCommand, uploadFile, uploadContent, testConnection, generateKeypair };
+module.exports = { runCommand, readRemoteFile, uploadFile, uploadContent, testConnection, generateKeypair };

package/src/web/broker-api.js

@@ -20,6 +20,10 @@ const dynsec = require('../lib/dynsec');
 const mosquittoConf = require('../lib/mosquitto-conf');
 const ca = require('../lib/ca');
 const sshDeploy = require('../lib/ssh-deploy');
+const sheConfig = require('../config');
+
+// Default SSH identity file respects the configured data directory
+const DEFAULT_SSH_KEY = path.join(sheConfig['data-dir'], 'ssh', 'broker_id_ed25519');
 
 const router = express.Router();
 
@@ -70,7 +74,7 @@ router.get('/status', (req, res) => {
         }
     }
 
-    res.json({ dynsec: ds, sys });
+    res.json({ dynsec: ds, sys, sshKeyDefault: DEFAULT_SSH_KEY });
 });
 
 // ── mosquitto.conf ─────────────────────────────────────────────────────────────
@@ -181,10 +185,16 @@ router.post('/config/restore', (req, res) => {
 /**
  * POST /she/broker/reload
  * Send SIGHUP / systemctl reload to mosquitto.
+ * In remote mode, the command is executed on the broker host via SSH.
  */
 router.post('/reload', async (req, res) => {
     try {
         const bc = getBrokerConfig(req);
+        if (bc.mode === 'remote' && bc.ssh && bc.ssh.host) {
+            const cmd = bc.reloadCmd || 'sudo systemctl reload mosquitto';
+            const result = await sshDeploy.runCommand(bc.ssh, cmd);
+            return res.json({ ok: true, ...result });
+        }
         const result = await mosquittoConf.reload(bc);
         res.json({ ok: true, stdout: result.stdout, stderr: result.stderr });
     } catch (err) {
@@ -195,10 +205,16 @@ router.post('/reload', async (req, res) => {
 /**
  * POST /she/broker/restart
  * Full mosquitto service restart.
+ * In remote mode, the command is executed on the broker host via SSH.
  */
 router.post('/restart', async (req, res) => {
     try {
         const bc = getBrokerConfig(req);
+        if (bc.mode === 'remote' && bc.ssh && bc.ssh.host) {
+            const cmd = bc.restartCmd || 'sudo systemctl restart mosquitto';
+            const result = await sshDeploy.runCommand(bc.ssh, cmd);
+            return res.json({ ok: true, ...result });
+        }
         const result = await mosquittoConf.restart(bc);
         res.json({ ok: true, stdout: result.stdout, stderr: result.stderr });
     } catch (err) {
@@ -469,7 +485,7 @@ router.get('/ca/certs', async (req, res) => {
         const db = req.app.locals.db;
         if (!db) return res.json({ certs: [] });
         const certs = db.query(
-            (doc) => doc._id && doc._id.startsWith('broker::cert::'),
+            (doc) => doc._id && doc._id.startsWith('she/broker/cert/'),
             (doc) => doc,
         );
         res.json({ certs });
@@ -488,7 +504,7 @@ router.post('/ca/certs', async (req, res) => {
         // Store metadata in sheDB
         const db = req.app.locals.db;
         if (db) {
-            db.set(`broker::cert::${result.serial}`, {
+            db.set(`she/broker/cert/${result.serial}`, {
                 cn: result.cn,
                 serial: result.serial,
                 fingerprint: result.fingerprint,
@@ -522,7 +538,7 @@ router.delete('/ca/certs/:serial', async (req, res) => {
         const bc = getBrokerConfig(req);
         const { serial } = req.params;
         const db = req.app.locals.db;
-        const meta = db ? db.get(`broker::cert::${serial}`) : null;
+        const meta = db ? db.get(`she/broker/cert/${serial}`) : null;
         if (!meta) return res.status(404).json({ error: 'cert not found' });
 
         // Find the cert file
@@ -534,7 +550,7 @@ router.delete('/ca/certs/:serial', async (req, res) => {
         // Collect all other revoked certs
         if (db) {
             const allCerts = db.query(
-                (doc) => doc._id && doc._id.startsWith('broker::cert::') && doc.revoked && doc._id !== `broker::cert::${serial}`,
+                (doc) => doc._id && doc._id.startsWith('she/broker/cert/') && doc.revoked && doc._id !== `she/broker/cert/${serial}`,
                 (doc) => doc,
             );
             for (const c of allCerts) {
@@ -547,7 +563,7 @@ router.delete('/ca/certs/:serial', async (req, res) => {
 
         // Mark revoked in sheDB
         if (db) {
-            db.extend(`broker::cert::${serial}`, { revoked: true, revokedAt: new Date().toISOString() });
+            db.extend(`she/broker/cert/${serial}`, { revoked: true, revokedAt: new Date().toISOString() });
         }
 
         res.json({ ok: true });
@@ -563,7 +579,7 @@ router.get('/ca/certs/:serial/download', async (req, res) => {
         const { serial } = req.params;
         const { type = 'p12' } = req.query;
         const db = req.app.locals.db;
-        const meta = db ? db.get(`broker::cert::${serial}`) : null;
+        const meta = db ? db.get(`she/broker/cert/${serial}`) : null;
         if (!meta) return res.status(404).json({ error: 'cert not found' });
 
         const paths = ca.clientCertPaths(bc, meta.cn);
@@ -650,7 +666,7 @@ module.exports = { router };
 router.post('/ssh/keygen', async (req, res) => {
     try {
         const bc = getBrokerConfig(req);
-        const identityFile = (bc.ssh && bc.ssh.identityFile) || '~/.she/broker_id_ed25519';
+        const identityFile = (bc.ssh && bc.ssh.identityFile) || DEFAULT_SSH_KEY;
         const publicKey = await sshDeploy.generateKeypair(identityFile);
         res.json({ ok: true, publicKey });
     } catch (err) {
@@ -684,13 +700,17 @@ router.post('/wizard/probe', (req, res) => {
 /**
  * POST /she/broker/wizard/bootstrap
  * Full bootstrap flow:
- *   1. Generate dynamic-security.json with she-admin credentials
- *   2. Write the file to configDir (or upload via SSH for remote mode)
- *   3. Ensure plugin line exists in mosquitto.conf
- *   4. Return instructions for the next step (restart)
+ *   1. Generate dynamic-security.json via mosquitto_ctrl
+ *      - Remote mode: run mosquitto_ctrl on the broker host via SSH
+ *      - Local mode:  run mosquitto_ctrl locally
+ *   2. Ensure plugin line exists in mosquitto.conf
+ *   3. Return credentials (store in config.json via /she/config)
+ *
+ * Note: mosquitto_ctrl is part of the mosquitto package and must be installed
+ * on the same host as the broker. It cannot be used to manage a remote broker,
+ * which is why we invoke it via SSH in remote mode.
  *
  * Body: { adminUsername?, adminPassword?, configDir? }
- * The generated password is returned in the response (store in config.json via /she/config).
  */
 router.post('/wizard/bootstrap', async (req, res) => {
     try {
@@ -702,47 +722,53 @@ router.post('/wizard/bootstrap', async (req, res) => {
 
         const username = req.body.adminUsername || 'she-admin';
         const password = req.body.adminPassword || crypto.randomBytes(18).toString('base64url');
-        const configDir = req.body.configDir || bc.configDir || '/etc/mosquitto';
-
-        // Generate dynamic-security.json using mosquitto_ctrl
-        const dynSecPath = path.join(configDir, 'dynamic-security.json');
-        const tmpJson = path.join(require('os').tmpdir(), `she-dynsec-${Date.now()}.json`);
-
-        try {
-            await execFileAsync('mosquitto_ctrl', ['dynsec', 'init', tmpJson, username, password], { timeout: 10000 });
-        } catch (err) {
-            return res.status(500).json({ error: `mosquitto_ctrl failed: ${err.message}. Ensure mosquitto-clients is installed.` });
-        }
-
-        const jsonContent = fs.readFileSync(tmpJson, 'utf8');
-        try {
-            fs.unlinkSync(tmpJson);
-        } catch {
-            /* ok */
-        }
+        const configDir = (req.body.configDir || bc.configDir || '/etc/mosquitto').replace(/\\/g, '/');
+        const isRemote = bc.mode === 'remote' && bc.ssh && bc.ssh.host;
+
+        const dynSecPath = `${configDir}/dynamic-security.json`;
+        const confFilePath = `${configDir}/mosquitto.conf`;
+
+        if (isRemote) {
+            // mosquitto_ctrl must run on the broker host — invoke it via SSH.
+            try {
+                await sshDeploy.runCommand(bc.ssh, `mosquitto_ctrl dynsec init "${dynSecPath}" "${username}" "${password}"`);
+            } catch (err) {
+                return res.status(500).json({
+                    error: `mosquitto_ctrl failed on remote host: ${err.message}. Ensure mosquitto is installed on the remote broker host.`,
+                });
+            }
 
-        // Write dynamic-security.json (locally or via SSH)
-        if (bc.mode === 'remote' && bc.ssh && bc.ssh.host) {
-            await sshDeploy.uploadContent(bc.ssh, jsonContent, dynSecPath);
+            // Read the remote mosquitto.conf, parse, and add the plugin line if missing.
+            let remoteConfRaw = '';
+            try {
+                remoteConfRaw = await sshDeploy.readRemoteFile(bc.ssh, confFilePath);
+            } catch {
+                // File may not exist yet — start from an empty config
+            }
+            const parsed = mosquittoConf.parseText(remoteConfRaw);
+            if (!parsed.managed.plugin || !String(parsed.managed.plugin).includes('mosquitto_dynamic_security')) {
+                parsed.managed.plugin = 'mosquitto_dynamic_security.so';
+                parsed.managed.plugin_opt_dynsec_config_file = dynSecPath;
+                const content = mosquittoConf.serialise(parsed);
+                await sshDeploy.uploadContent(bc.ssh, content, confFilePath);
+            }
         } else {
+            // Local mode: run mosquitto_ctrl on this host.
             fs.mkdirSync(configDir, { recursive: true });
-            fs.writeFileSync(dynSecPath, jsonContent, 'utf8');
-        }
-
-        // Ensure plugin line exists in mosquitto.conf
-        const confFilePath = path.join(configDir, 'mosquitto.conf');
-        const parsed = mosquittoConf.parse(confFilePath);
-
-        const pluginLine = 'mosquitto_dynamic_security.so';
-        const pluginOptLine = dynSecPath;
+            try {
+                await execFileAsync('mosquitto_ctrl', ['dynsec', 'init', dynSecPath, username, password], { timeout: 10000 });
+            } catch (err) {
+                return res.status(500).json({
+                    error: `mosquitto_ctrl failed: ${err.message}. Ensure mosquitto is installed on this host.`,
+                });
+            }
 
-        if (!parsed.managed.plugin || !String(parsed.managed.plugin).includes(pluginLine)) {
-            parsed.managed.plugin = pluginLine;
-            parsed.managed.plugin_opt_dynsec_config_file = dynSecPath;
-            const content = mosquittoConf.serialise(parsed);
-            if (bc.mode === 'remote' && bc.ssh && bc.ssh.host) {
-                await sshDeploy.uploadContent(bc.ssh, content, confFilePath);
-            } else {
+            // Ensure plugin line exists in local mosquitto.conf
+            const parsed = mosquittoConf.parse(confFilePath);
+            if (!parsed.managed.plugin || !String(parsed.managed.plugin).includes('mosquitto_dynamic_security')) {
+                parsed.managed.plugin = 'mosquitto_dynamic_security.so';
+                parsed.managed.plugin_opt_dynsec_config_file = dynSecPath;
+                const content = mosquittoConf.serialise(parsed);
                 mosquittoConf.write(confFilePath, content);
             }
         }