smooth-ssh-mcp 0.1.1

package/bin/smooth-ssh-mcp-codex

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd -- "$SCRIPT_DIR/.." && pwd)"
+
+SECRETS_FILE="${SMOOTH_SSH_MCP_SECRETS:-$HOME/.config/smooth-ssh-mcp/secrets.env}"
+CONFIG_FILE="${SMOOTH_SSH_MCP_CONFIG:-$HOME/.config/smooth-ssh-mcp/hosts.yaml}"
+
+if [[ -f "$SECRETS_FILE" ]]; then
+  if [[ ! -O "$SECRETS_FILE" ]]; then
+    echo "Refusing to load secrets file not owned by current user: $SECRETS_FILE" >&2
+    exit 1
+  fi
+  mode="$(stat -c '%a' "$SECRETS_FILE")"
+  case "$mode" in
+    400|600) ;;
+    *)
+      echo "Refusing to load secrets file with mode $mode; run: chmod 600 $SECRETS_FILE" >&2
+      exit 1
+      ;;
+  esac
+  while IFS= read -r line || [[ -n "$line" ]]; do
+    line="${line%$'\r'}"
+    if [[ "$line" =~ ^[[:space:]]*$ || "$line" =~ ^[[:space:]]*# ]]; then
+      continue
+    fi
+    if [[ ! "$line" =~ ^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$ ]]; then
+      echo "Refusing to load invalid secrets line from $SECRETS_FILE" >&2
+      exit 1
+    fi
+    key="${BASH_REMATCH[2]}"
+    value="${BASH_REMATCH[3]}"
+    if [[ "$value" == \"*\" && "$value" == *\" && ${#value} -ge 2 ]]; then
+      value="${value:1:${#value}-2}"
+    elif [[ "$value" == \'*\' && "$value" == *\' && ${#value} -ge 2 ]]; then
+      value="${value:1:${#value}-2}"
+    fi
+    export "$key=$value"
+  done < "$SECRETS_FILE"
+fi
+
+exec node "$PROJECT_DIR/dist/server.js" --config "$CONFIG_FILE"

package/dist/audit.d.ts

@@ -0,0 +1,23 @@
+export type AuditResultKind = "confirmation_required" | "policy_decision" | "exec_result" | "blocked" | "ok" | "error";
+export type AuditToolCall = {
+    tool: string;
+    input: unknown;
+    result: unknown;
+    durationMs: number;
+};
+export type Auditor = {
+    recordToolCall(call: AuditToolCall): void;
+};
+export type JsonlAuditorOptions = {
+    path?: string;
+    enabled?: boolean;
+    now?: () => Date;
+};
+export declare class JsonlAuditor implements Auditor {
+    private readonly path;
+    private readonly enabled;
+    private readonly now;
+    constructor(options?: JsonlAuditorOptions);
+    recordToolCall(call: AuditToolCall): void;
+}
+export declare function summarizeToolCall(call: AuditToolCall, timestamp: Date): Record<string, unknown>;

package/dist/audit.js

@@ -0,0 +1,140 @@
+import { appendFileSync, mkdirSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { redactAndTruncate } from "./redaction.js";
+const SENSITIVE_KEYS = new Set(["confirmationToken", "env", "stdin", "input", "password", "passwordEnv", "secret", "token"]);
+export class JsonlAuditor {
+    path;
+    enabled;
+    now;
+    constructor(options = {}) {
+        this.path = expandHome(options.path ?? process.env.SMOOTH_SSH_MCP_AUDIT_LOG ?? "~/.config/smooth-ssh-mcp/audit.jsonl");
+        this.enabled = options.enabled ?? process.env.SMOOTH_SSH_MCP_AUDIT !== "0";
+        this.now = options.now ?? (() => new Date());
+    }
+    recordToolCall(call) {
+        if (!this.enabled)
+            return;
+        const entry = summarizeToolCall(call, this.now());
+        mkdirSync(dirname(this.path), { recursive: true, mode: 0o700 });
+        appendFileSync(this.path, JSON.stringify(entry) + "\n", { encoding: "utf8", mode: 0o600 });
+    }
+}
+export function summarizeToolCall(call, timestamp) {
+    const result = call.result;
+    const redactions = collectRedactions(result);
+    return {
+        timestamp: timestamp.toISOString(),
+        tool: call.tool,
+        hostId: findString(call.input, "hostId") ?? findString(result, "hostId"),
+        operation: inferOperation(call.tool, result),
+        resultKind: resultKind(result),
+        exitCode: findNumberOrNull(result, "exitCode"),
+        durationMs: call.durationMs,
+        remoteDurationMs: findNumber(result, "durationMs"),
+        truncated: findBoolean(result, "truncated"),
+        redactions,
+        input: sanitizeValue(call.input)
+    };
+}
+function resultKind(value) {
+    if (!value || typeof value !== "object")
+        return "ok";
+    const input = value;
+    if (input.confirmationRequired === true)
+        return "confirmation_required";
+    if (input.blocked)
+        return "blocked";
+    if (typeof input.exitCode === "number" || input.exitCode === null)
+        return "exec_result";
+    if (typeof input.allowed === "boolean" && typeof input.confirmationRequired === "boolean")
+        return "policy_decision";
+    if (input.error)
+        return "error";
+    return "ok";
+}
+function inferOperation(tool, result) {
+    const resultOperation = findString(result, "operation");
+    if (resultOperation)
+        return resultOperation;
+    if (tool.includes("upload"))
+        return "upload";
+    if (tool.includes("download"))
+        return "download";
+    if (tool.includes("forward"))
+        return "forward";
+    if (tool.includes("session"))
+        return "pty";
+    if (tool.includes("permission"))
+        return "permission";
+    if (tool.includes("ssh") || tool.includes("task") || tool.includes("cleanup"))
+        return "exec";
+    return "local";
+}
+function sanitizeValue(value) {
+    if (Array.isArray(value))
+        return value.map(sanitizeValue);
+    if (!value || typeof value !== "object")
+        return sanitizeScalar(value);
+    const output = {};
+    for (const [key, child] of Object.entries(value)) {
+        output[key] = isSensitiveKey(key) ? "[REDACTED]" : sanitizeValue(child);
+    }
+    return output;
+}
+function sanitizeScalar(value) {
+    if (typeof value !== "string")
+        return value;
+    return redactAndTruncate(value, 1024).text;
+}
+function isSensitiveKey(key) {
+    const lower = key.toLowerCase();
+    return SENSITIVE_KEYS.has(key) || lower.includes("password") || lower.includes("secret") || lower.includes("token");
+}
+function collectRedactions(value) {
+    const redactions = findValue(value, "redactions");
+    return Array.isArray(redactions) ? redactions : [];
+}
+function findString(value, key) {
+    const found = findValue(value, key);
+    return typeof found === "string" ? found : undefined;
+}
+function findNumber(value, key) {
+    const found = findValue(value, key);
+    return typeof found === "number" ? found : undefined;
+}
+function findNumberOrNull(value, key) {
+    const found = findValue(value, key);
+    return typeof found === "number" || found === null ? found : undefined;
+}
+function findBoolean(value, key) {
+    const found = findValue(value, key);
+    return typeof found === "boolean" ? found : undefined;
+}
+function findValue(value, key) {
+    if (!value || typeof value !== "object")
+        return undefined;
+    const direct = value[key];
+    if (direct !== undefined)
+        return direct;
+    const blocked = value.blocked;
+    if (blocked && typeof blocked === "object") {
+        const blockedValue = findValue(blocked, key);
+        if (blockedValue !== undefined)
+            return blockedValue;
+    }
+    const result = value.result;
+    if (result && typeof result === "object") {
+        const resultValue = findValue(result, key);
+        if (resultValue !== undefined)
+            return resultValue;
+    }
+    return undefined;
+}
+function expandHome(path) {
+    if (path === "~")
+        return process.env.HOME ?? path;
+    if (path.startsWith("~/"))
+        return join(process.env.HOME ?? "", path.slice(2));
+    return path;
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAsBnD,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,mBAAmB,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;AAE7H,MAAM,OAAO,YAAY;IACN,IAAI,CAAS;IACb,OAAO,CAAU;IACjB,GAAG,CAAa;IAEjC,YAAY,UAA+B,EAAE;QAC3C,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,sCAAsC,CAAC,CAAC;QACvH,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,GAAG,CAAC;QAC3E,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,cAAc,CAAC,IAAmB;QAChC,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAC1B,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAClD,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAChE,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7F,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAmB,EAAE,SAAe;IACpE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC7C,OAAO;QACL,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;QAClC,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC;QACxE,SAAS,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC;QAC5C,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC;QAC9B,QAAQ,EAAE,gBAAgB,CAAC,MAAM,EAAE,UAAU,CAAC;QAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,gBAAgB,EAAE,UAAU,CAAC,MAAM,EAAE,YAAY,CAAC;QAClD,SAAS,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC;QAC3C,UAAU;QACV,KAAK,EAAE,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;KACjC,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,KAAK,GAAG,KAAgC,CAAC;IAC/C,IAAI,KAAK,CAAC,oBAAoB,KAAK,IAAI;QAAE,OAAO,uBAAuB,CAAC;IACxE,IAAI,KAAK,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IACpC,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACxF,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,CAAC,oBAAoB,KAAK,SAAS;QAAE,OAAO,iBAAiB,CAAC;IACpH,IAAI,KAAK,CAAC,KAAK;QAAE,OAAO,OAAO,CAAC;IAChC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,IAAY,EAAE,MAAe;IACnD,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC;IAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC7C,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IACjD,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IAC/C,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,YAAY,CAAC;IACrD,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,MAAM,CAAC;IAC7F,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC1D,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC;IACtE,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,MAAM,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC;AAC7C,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAChC,OAAO,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACtH,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAClD,OAAO,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAE,UAA0B,CAAC,CAAC,CAAC,EAAE,CAAC;AACtE,CAAC;AAED,SAAS,UAAU,CAAC,KAAc,EAAE,GAAW;IAC7C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,UAAU,CAAC,KAAc,EAAE,GAAW;IAC7C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc,EAAE,GAAW;IACnD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACzE,CAAC;AAED,SAAS,WAAW,CAAC,KAAc,EAAE,GAAW;IAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpC,OAAO,OAAO,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,KAAc,EAAE,GAAW;IAC5C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC1D,MAAM,MAAM,GAAI,KAAiC,CAAC,GAAG,CAAC,CAAC;IACvD,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IACxC,MAAM,OAAO,GAAI,KAAiC,CAAC,OAAO,CAAC;IAC3D,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC3C,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC7C,IAAI,YAAY,KAAK,SAAS;YAAE,OAAO,YAAY,CAAC;IACtD,CAAC;IACD,MAAM,MAAM,GAAI,KAAiC,CAAC,MAAM,CAAC;IACzD,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC3C,IAAI,WAAW,KAAK,SAAS;YAAE,OAAO,WAAW,CAAC;IACpD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC;IAClD,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9E,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/auth.d.ts

@@ -0,0 +1,8 @@
+import type { Host } from "./types.js";
+export type ProcessSpec = {
+    file: string;
+    args: string[];
+    env?: NodeJS.ProcessEnv;
+    usesPassword: boolean;
+};
+export declare function wrapWithPasswordAuth(host: Host, file: "ssh" | "scp", args: string[], envSource?: NodeJS.ProcessEnv): ProcessSpec;

package/dist/auth.js

@@ -0,0 +1,19 @@
+export function wrapWithPasswordAuth(host, file, args, envSource = process.env) {
+    if (!host.passwordEnv) {
+        return { file, args, usesPassword: false };
+    }
+    const password = envSource[host.passwordEnv];
+    if (!password) {
+        throw new Error(`Host ${host.id} requires password environment variable ${host.passwordEnv}, but it is not set`);
+    }
+    return {
+        file: "sshpass",
+        args: ["-e", file, ...args],
+        env: {
+            ...envSource,
+            SSHPASS: password
+        },
+        usesPassword: true
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AASA,MAAM,UAAU,oBAAoB,CAClC,IAAU,EACV,IAAmB,EACnB,IAAc,EACd,YAA+B,OAAO,CAAC,GAAG;IAE1C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACtB,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,QAAQ,IAAI,CAAC,EAAE,2CAA2C,IAAI,CAAC,WAAW,qBAAqB,CAAC,CAAC;IACnH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;QAC3B,GAAG,EAAE;YACH,GAAG,SAAS;YACZ,OAAO,EAAE,QAAQ;SAClB;QACD,YAAY,EAAE,IAAI;KACnB,CAAC;AACJ,CAAC"}

package/dist/doctor.d.ts

@@ -0,0 +1,27 @@
+export type DoctorStatus = "ok" | "warning" | "error";
+export type DoctorCheck = {
+    id: string;
+    label: string;
+    status: DoctorStatus;
+    message: string;
+    fix?: string;
+};
+export type DoctorReport = {
+    ok: boolean;
+    summary: {
+        ok: number;
+        warnings: number;
+        errors: number;
+    };
+    checks: DoctorCheck[];
+};
+type DoctorOptions = {
+    configPath?: string;
+    secretsPath?: string;
+    nodeVersion?: string;
+    commandExists?: (name: string) => boolean;
+    env?: NodeJS.ProcessEnv;
+};
+export declare function runDoctor(options?: DoctorOptions): DoctorReport;
+export declare function formatDoctorReport(report: DoctorReport): string;
+export {};

package/dist/doctor.js

@@ -0,0 +1,169 @@
+import { existsSync, statSync } from "node:fs";
+import { delimiter } from "node:path";
+import { env as processEnv, version as processVersion } from "node:process";
+import { defaultInventoryPath, loadInventory } from "./inventory.js";
+export function runDoctor(options = {}) {
+    const env = options.env ?? processEnv;
+    const configPath = expandHome(options.configPath ?? defaultInventoryPath(), env);
+    const secretsPath = expandHome(options.secretsPath ?? env.SMOOTH_SSH_MCP_SECRETS ?? "~/.config/smooth-ssh-mcp/secrets.env", env);
+    const commandExists = options.commandExists ?? ((name) => commandExistsOnPath(name, env));
+    const checks = [
+        checkNodeVersion(options.nodeVersion ?? processVersion),
+        checkCommand("ssh", commandExists, "Install OpenSSH client so smooth-ssh can connect to remote hosts."),
+        checkCommand("scp", commandExists, "Install OpenSSH scp so file transfer tools can work."),
+        checkCommand("sshpass", commandExists, "Install sshpass only if you use passwordEnv hosts; key-based hosts do not need it.", true),
+        checkInventory(configPath),
+        checkFilePermissions("inventory-permissions", "Inventory permissions", configPath, "chmod 600 " + configPath, false),
+        checkSecrets(secretsPath),
+        checkFilePermissions("secrets-permissions", "Secrets permissions", secretsPath, "chmod 600 " + secretsPath, true)
+    ];
+    const summary = {
+        ok: checks.filter((check) => check.status === "ok").length,
+        warnings: checks.filter((check) => check.status === "warning").length,
+        errors: checks.filter((check) => check.status === "error").length
+    };
+    return {
+        ok: summary.errors === 0,
+        summary,
+        checks
+    };
+}
+export function formatDoctorReport(report) {
+    const icon = (status) => (status === "ok" ? "OK" : status === "warning" ? "WARN" : "ERROR");
+    const lines = [
+        `smooth-ssh-mcp doctor: ${report.ok ? "ok" : "issues found"}`,
+        `summary: ${report.summary.ok} ok, ${report.summary.warnings} warnings, ${report.summary.errors} errors`,
+        ...report.checks.map((check) => {
+            const fix = check.fix ? ` fix: ${check.fix}` : "";
+            return `[${icon(check.status)}] ${check.label}: ${check.message}${fix}`;
+        })
+    ];
+    return lines.join("\n");
+}
+function checkNodeVersion(nodeVersion) {
+    const major = Number(nodeVersion.replace(/^v/, "").split(".")[0]);
+    if (Number.isFinite(major) && major >= 20) {
+        return {
+            id: "node",
+            label: "Node.js",
+            status: "ok",
+            message: nodeVersion
+        };
+    }
+    return {
+        id: "node",
+        label: "Node.js",
+        status: "error",
+        message: `${nodeVersion} is not supported`,
+        fix: "Install Node.js >=20"
+    };
+}
+function checkCommand(name, commandExists, fix, optional = false) {
+    if (commandExists(name)) {
+        return {
+            id: name,
+            label: name,
+            status: "ok",
+            message: "found on PATH"
+        };
+    }
+    return {
+        id: name,
+        label: name,
+        status: optional ? "warning" : "error",
+        message: "not found on PATH",
+        fix
+    };
+}
+function checkInventory(path) {
+    if (!existsSync(path)) {
+        return {
+            id: "inventory",
+            label: "Inventory",
+            status: "error",
+            message: `not found at ${path}`,
+            fix: `Create ${path} or pass --config /path/to/hosts.yaml`
+        };
+    }
+    try {
+        const inventory = loadInventory(path);
+        return {
+            id: "inventory",
+            label: "Inventory",
+            status: "ok",
+            message: `${inventory.hosts.length} hosts loaded from ${path}`
+        };
+    }
+    catch (error) {
+        return {
+            id: "inventory",
+            label: "Inventory",
+            status: "error",
+            message: error instanceof Error ? error.message : String(error)
+        };
+    }
+}
+function checkSecrets(path) {
+    if (!existsSync(path)) {
+        return {
+            id: "secrets",
+            label: "Secrets file",
+            status: "warning",
+            message: `not found at ${path}; this is fine for key-based hosts`
+        };
+    }
+    return {
+        id: "secrets",
+        label: "Secrets file",
+        status: "ok",
+        message: `found at ${path}`
+    };
+}
+function checkFilePermissions(id, label, path, fix, optional) {
+    if (!existsSync(path)) {
+        return {
+            id,
+            label,
+            status: optional ? "warning" : "error",
+            message: `cannot check permissions; file does not exist`,
+            fix: optional ? undefined : fix
+        };
+    }
+    const mode = statSync(path).mode & 0o777;
+    if (mode === 0o600 || mode === 0o400) {
+        return {
+            id,
+            label,
+            status: "ok",
+            message: mode.toString(8)
+        };
+    }
+    return {
+        id,
+        label,
+        status: "error",
+        message: `mode ${mode.toString(8)} is too permissive`,
+        fix
+    };
+}
+function commandExistsOnPath(name, env) {
+    const path = env.PATH ?? "";
+    const extensions = process.platform === "win32" ? [".exe", ".cmd", ".bat", ""] : [""];
+    for (const dir of path.split(delimiter)) {
+        if (!dir)
+            continue;
+        for (const extension of extensions) {
+            if (existsSync(`${dir}/${name}${extension}`))
+                return true;
+        }
+    }
+    return false;
+}
+function expandHome(path, env) {
+    if (path === "~")
+        return env.HOME ?? path;
+    if (path.startsWith("~/"))
+        return `${env.HOME ?? ""}${path.slice(1)}`;
+    return path;
+}
+//# sourceMappingURL=doctor.js.map

package/dist/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../src/doctor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,GAAG,IAAI,UAAU,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,cAAc,CAAC;AAC5E,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AA8BrE,MAAM,UAAU,SAAS,CAAC,UAAyB,EAAE;IACnD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC;IACtC,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,UAAU,IAAI,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;IACjF,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,WAAW,IAAI,GAAG,CAAC,sBAAsB,IAAI,sCAAsC,EAAE,GAAG,CAAC,CAAC;IACjI,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1F,MAAM,MAAM,GAAkB;QAC5B,gBAAgB,CAAC,OAAO,CAAC,WAAW,IAAI,cAAc,CAAC;QACvD,YAAY,CAAC,KAAK,EAAE,aAAa,EAAE,mEAAmE,CAAC;QACvG,YAAY,CAAC,KAAK,EAAE,aAAa,EAAE,sDAAsD,CAAC;QAC1F,YAAY,CAAC,SAAS,EAAE,aAAa,EAAE,oFAAoF,EAAE,IAAI,CAAC;QAClI,cAAc,CAAC,UAAU,CAAC;QAC1B,oBAAoB,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,UAAU,EAAE,YAAY,GAAG,UAAU,EAAE,KAAK,CAAC;QACpH,YAAY,CAAC,WAAW,CAAC;QACzB,oBAAoB,CAAC,qBAAqB,EAAE,qBAAqB,EAAE,WAAW,EAAE,YAAY,GAAG,WAAW,EAAE,IAAI,CAAC;KAClH,CAAC;IACF,MAAM,OAAO,GAAG;QACd,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,MAAM;QAC1D,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;QACrE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM;KAClE,CAAC;IACF,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;QACxB,OAAO;QACP,MAAM;KACP,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAoB;IACrD,MAAM,IAAI,GAAG,CAAC,MAAoB,EAAE,EAAE,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC1G,MAAM,KAAK,GAAG;QACZ,0BAA0B,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,EAAE;QAC7D,YAAY,MAAM,CAAC,OAAO,CAAC,EAAE,QAAQ,MAAM,CAAC,OAAO,CAAC,QAAQ,cAAc,MAAM,CAAC,OAAO,CAAC,MAAM,SAAS;QACxG,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClD,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;QAC1E,CAAC,CAAC;KACH,CAAC;IACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,gBAAgB,CAAC,WAAmB;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClE,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,EAAE,EAAE,CAAC;QAC1C,OAAO;YACL,EAAE,EAAE,MAAM;YACV,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,WAAW;SACrB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE,EAAE,MAAM;QACV,KAAK,EAAE,SAAS;QAChB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,GAAG,WAAW,mBAAmB;QAC1C,GAAG,EAAE,sBAAsB;KAC5B,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,aAAwC,EAAE,GAAW,EAAE,QAAQ,GAAG,KAAK;IACzG,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,EAAE,EAAE,IAAI;YACR,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,eAAe;SACzB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE,EAAE,IAAI;QACR,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO;QACtC,OAAO,EAAE,mBAAmB;QAC5B,GAAG;KACJ,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,WAAW;YAClB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,gBAAgB,IAAI,EAAE;YAC/B,GAAG,EAAE,UAAU,IAAI,uCAAuC;SAC3D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACtC,OAAO;YACL,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,WAAW;YAClB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,sBAAsB,IAAI,EAAE;SAC/D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,WAAW;YAClB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,cAAc;YACrB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,gBAAgB,IAAI,oCAAoC;SAClE,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,cAAc;QACrB,MAAM,EAAE,IAAI;QACZ,OAAO,EAAE,YAAY,IAAI,EAAE;KAC5B,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,EAAU,EAAE,KAAa,EAAE,IAAY,EAAE,GAAW,EAAE,QAAiB;IACnG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,EAAE;YACF,KAAK;YACL,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO;YACtC,OAAO,EAAE,+CAA+C;YACxD,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG;SAChC,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;IACzC,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACrC,OAAO;YACL,EAAE;YACF,KAAK;YACL,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;SAC1B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE;QACF,KAAK;QACL,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,QAAQ,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,oBAAoB;QACrD,GAAG;KACJ,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAY,EAAE,GAAsB;IAC/D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACtF,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;QACxC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,UAAU,CAAC,GAAG,GAAG,IAAI,IAAI,GAAG,SAAS,EAAE,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC5D,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,IAAY,EAAE,GAAsB;IACtD,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC;IAC1C,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/forwardManager.d.ts

@@ -0,0 +1,49 @@
+import type { Host } from "./types.js";
+export type SpawnedForwardProcess = {
+    pid?: number;
+    kill: (signal?: NodeJS.Signals) => unknown;
+    on: (event: string, listener: (...args: unknown[]) => void) => unknown;
+};
+type ForwardManagerOptions = {
+    controlDir: string;
+    maxForwards?: number;
+    ttlSeconds?: number;
+    env?: NodeJS.ProcessEnv;
+    spawnProcess?: (file: string, args: string[], env?: NodeJS.ProcessEnv) => SpawnedForwardProcess;
+};
+type ForwardRecord = {
+    forwardId: string;
+    hostId: string;
+    pid?: number;
+    localHost: string;
+    localPort: number;
+    remoteHost: string;
+    remotePort: number;
+    state: "starting" | "running" | "exited" | "error";
+    startedAt: string;
+    expiresAt: string;
+    argv: string[];
+    process: SpawnedForwardProcess;
+    timer?: NodeJS.Timeout;
+};
+export type ForwardInfo = Omit<ForwardRecord, "process">;
+export declare class ForwardManager {
+    private readonly options;
+    private readonly forwards;
+    private readonly maxForwards;
+    private readonly env;
+    private readonly spawnProcess;
+    constructor(options: ForwardManagerOptions);
+    start(input: {
+        host: Host;
+        localHost?: string;
+        localPort: number;
+        remoteHost: string;
+        remotePort: number;
+    }): ForwardInfo;
+    stop(forwardId: string): ForwardInfo;
+    list(): ForwardInfo[];
+    private toInfo;
+    private cleanupExpired;
+}
+export {};

package/dist/forwardManager.js

@@ -0,0 +1,141 @@
+import { spawn } from "node:child_process";
+import { randomUUID } from "node:crypto";
+import { wrapWithPasswordAuth } from "./auth.js";
+import { buildSshArgs } from "./sshArgs.js";
+export class ForwardManager {
+    options;
+    forwards = new Map();
+    maxForwards;
+    env;
+    spawnProcess;
+    constructor(options) {
+        this.options = options;
+        this.maxForwards = options.maxForwards ?? 8;
+        this.env = options.env ?? process.env;
+        this.spawnProcess =
+            options.spawnProcess ??
+                ((file, args, env) => spawn(file, args, {
+                    env,
+                    shell: false,
+                    stdio: ["ignore", "ignore", "pipe"]
+                }));
+    }
+    start(input) {
+        this.cleanupExpired();
+        if (this.forwards.size >= this.maxForwards) {
+            throw new Error(`Maximum active forwards reached: ${this.maxForwards}`);
+        }
+        validatePort(input.localPort, "localPort");
+        validatePort(input.remotePort, "remotePort");
+        validateForwardHost(input.localHost ?? "127.0.0.1", "localHost");
+        validateForwardHost(input.remoteHost, "remoteHost");
+        const base = buildSshArgs(input.host, {
+            controlDir: this.options.controlDir,
+            batchMode: true
+        });
+        const target = base.pop();
+        const separator = base.pop();
+        if (!target || separator !== "--")
+            throw new Error("Unable to build ssh target for forward");
+        const localHost = input.localHost ?? "127.0.0.1";
+        const spec = `${localHost}:${input.localPort}:${input.remoteHost}:${input.remotePort}`;
+        const argv = [...base, "-o", "ExitOnForwardFailure=yes", "-N", "-L", spec, "--", target];
+        const commandSpec = wrapWithPasswordAuth(input.host, "ssh", argv, this.env);
+        const child = this.spawnProcess(commandSpec.file, commandSpec.args, commandSpec.env);
+        const ttlSeconds = this.options.ttlSeconds ?? 60 * 60;
+        const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+        const record = {
+            forwardId: randomUUID(),
+            hostId: input.host.id,
+            pid: child.pid,
+            localHost,
+            localPort: input.localPort,
+            remoteHost: input.remoteHost,
+            remotePort: input.remotePort,
+            state: "starting",
+            startedAt: new Date().toISOString(),
+            expiresAt,
+            argv: sanitizeForwardArgv(commandSpec.args),
+            process: child
+        };
+        record.timer = setTimeout(() => {
+            this.stop(record.forwardId);
+        }, ttlSeconds * 1000);
+        record.timer.unref();
+        setTimeout(() => {
+            if (record.state === "starting")
+                record.state = "running";
+        }, 500).unref();
+        child.on("close", () => {
+            record.state = "exited";
+        });
+        child.on("error", () => {
+            record.state = "error";
+        });
+        this.forwards.set(record.forwardId, record);
+        return this.toInfo(record);
+    }
+    stop(forwardId) {
+        const record = this.forwards.get(forwardId);
+        if (!record)
+            throw new Error(`Forward not found: ${forwardId}`);
+        if (record.timer)
+            clearTimeout(record.timer);
+        record.process.kill("SIGTERM");
+        forceKillLater(record.process);
+        record.state = "exited";
+        this.forwards.delete(forwardId);
+        return this.toInfo(record);
+    }
+    list() {
+        this.cleanupExpired();
+        return [...this.forwards.values()].map((record) => this.toInfo(record));
+    }
+    toInfo(record) {
+        const { process: _process, timer: _timer, ...info } = record;
+        return info;
+    }
+    cleanupExpired() {
+        const now = Date.now();
+        for (const [forwardId, record] of this.forwards) {
+            if (Date.parse(record.expiresAt) <= now || record.state === "exited" || record.state === "error") {
+                if (record.timer)
+                    clearTimeout(record.timer);
+                record.process.kill("SIGTERM");
+                forceKillLater(record.process);
+                this.forwards.delete(forwardId);
+            }
+        }
+    }
+}
+function forceKillLater(process) {
+    setTimeout(() => {
+        process.kill("SIGKILL");
+    }, 1000).unref();
+}
+function validatePort(value, label) {
+    if (!Number.isInteger(value) || value < 1 || value > 65535) {
+        throw new Error(`Invalid ${label}: ${value}`);
+    }
+}
+function validateForwardHost(value, label) {
+    if (value.startsWith("-")) {
+        throw new Error(`Invalid ${label}: leading dash is not allowed`);
+    }
+    if (!/^[A-Za-z0-9._:-]+$/.test(value)) {
+        throw new Error(`Invalid ${label}: ${value}`);
+    }
+}
+function sanitizeForwardArgv(argv) {
+    return argv.map((arg, index) => {
+        const previous = argv[index - 1];
+        if (previous === "-i")
+            return "[REDACTED_IDENTITY_FILE]";
+        if (arg.startsWith("ControlPath="))
+            return "ControlPath=[REDACTED]";
+        if (arg.includes("ControlPath="))
+            return arg.replace(/ControlPath=[^\s]+/g, "ControlPath=[REDACTED]");
+        return arg;
+    });
+}
+//# sourceMappingURL=forwardManager.js.map

package/dist/forwardManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"forwardManager.js","sourceRoot":"","sources":["../src/forwardManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAmC5C,MAAM,OAAO,cAAc;IAMI;IALZ,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC5C,WAAW,CAAS;IACpB,GAAG,CAAoB;IACvB,YAAY,CAAmF;IAEhH,YAA6B,OAA8B;QAA9B,YAAO,GAAP,OAAO,CAAuB;QACzD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;QACtC,IAAI,CAAC,YAAY;YACf,OAAO,CAAC,YAAY;gBACpB,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,CACnB,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE;oBAChB,GAAG;oBACH,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC;iBACpC,CAAqC,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,KAAoG;QACxG,IAAI,CAAC,cAAc,EAAE,CAAC;QACtB,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,oCAAoC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC1E,CAAC;QACD,YAAY,CAAC,KAAK,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAC3C,YAAY,CAAC,KAAK,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAC7C,mBAAmB,CAAC,KAAK,CAAC,SAAS,IAAI,WAAW,EAAE,WAAW,CAAC,CAAC;QACjE,mBAAmB,CAAC,KAAK,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAEpD,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE;YACpC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU;YACnC,SAAS,EAAE,IAAI;SAChB,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,IAAI,SAAS,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC7F,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,WAAW,CAAC;QACjD,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACvF,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,EAAE,IAAI,EAAE,0BAA0B,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACzF,MAAM,WAAW,GAAG,oBAAoB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5E,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;QACrF,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,GAAG,EAAE,CAAC;QACtD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QACzE,MAAM,MAAM,GAAkB;YAC5B,SAAS,EAAE,UAAU,EAAE;YACvB,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE;YACrB,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,SAAS;YACT,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,KAAK,EAAE,UAAU;YACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS;YACT,IAAI,EAAE,mBAAmB,CAAC,WAAW,CAAC,IAAI,CAAC;YAC3C,OAAO,EAAE,KAAK;SACf,CAAC;QACF,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC9B,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC,CAAC;QACtB,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACrB,UAAU,CAAC,GAAG,EAAE;YACd,IAAI,MAAM,CAAC,KAAK,KAAK,UAAU;gBAAE,MAAM,CAAC,KAAK,GAAG,SAAS,CAAC;QAC5D,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC;QAChB,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACrB,MAAM,CAAC,KAAK,GAAG,QAAQ,CAAC;QAC1B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACrB,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC;QACzB,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,CAAC,SAAiB;QACpB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;QAChE,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC/B,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/B,MAAM,CAAC,KAAK,GAAG,QAAQ,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI;QACF,IAAI,CAAC,cAAc,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1E,CAAC;IAEO,MAAM,CAAC,MAAqB;QAClC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAC;QAC7D,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,cAAc;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChD,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,GAAG,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;gBACjG,IAAI,MAAM,CAAC,KAAK;oBAAE,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC/B,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC/B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED,SAAS,cAAc,CAAC,OAA8B;IACpD,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC1B,CAAC,EAAE,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,KAAa,EAAE,KAAa;IAChD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,KAAK,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,WAAW,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa,EAAE,KAAa;IACvD,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,WAAW,KAAK,+BAA+B,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,WAAW,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAc;IACzC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QACjC,IAAI,QAAQ,KAAK,IAAI;YAAE,OAAO,0BAA0B,CAAC;QACzD,IAAI,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC;YAAE,OAAO,wBAAwB,CAAC;QACpE,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;YAAE,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,wBAAwB,CAAC,CAAC;QACtG,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;AACL,CAAC"}