ssh-agent-workspace 1.0.0

package/dist/types/index.d.ts

@@ -0,0 +1,21 @@
+import type { Client } from 'ssh2';
+export interface Session {
+    id: string;
+    host: string;
+    ssh: Client;
+    connectedAt: number;
+    lastActivity: number;
+    tmuxSession: string;
+    shell?: string;
+    cwd?: string;
+    metadata?: Record<string, unknown>;
+}
+export interface SSHHostConfig {
+    name: string;
+    hostname?: string;
+    user?: string;
+    port?: number;
+    identityFile?: string;
+    proxyJump?: string;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAEnC,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}

package/dist/types/index.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":""}

package/dist/utils/ansi.d.ts

@@ -0,0 +1,2 @@
+export declare function stripAnsi(input: string): string;
+//# sourceMappingURL=ansi.d.ts.map

package/dist/utils/ansi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ansi.d.ts","sourceRoot":"","sources":["../../src/utils/ansi.ts"],"names":[],"mappings":"AAIA,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C"}

package/dist/utils/ansi.js

@@ -0,0 +1,7 @@
+const ansiRegex = 
+// eslint-disable-next-line no-control-regex
+/[\u001B\u009B][[\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\d/#&.:=?%@~_]+)*|[a-zA-Z\d]+(?:;[-a-zA-Z\d/#&.:=?%@~_]*)*)?\u0007)|(?:(?:\d{1,4}(?:;\d{0,4})*)?[\dA-PR-TZcf-nq-uy=><~]))/g;
+export function stripAnsi(input) {
+    return input.replace(ansiRegex, '');
+}
+//# sourceMappingURL=ansi.js.map

package/dist/utils/ansi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ansi.js","sourceRoot":"","sources":["../../src/utils/ansi.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS;AACb,4CAA4C;AAC5C,0KAA0K,CAAC;AAE7K,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;AACtC,CAAC"}

package/dist/utils/logger.d.ts

@@ -0,0 +1,3 @@
+import pino from 'pino';
+export declare const logger: pino.Logger<never, boolean>;
+//# sourceMappingURL=logger.d.ts.map

package/dist/utils/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,eAAO,MAAM,MAAM,6BAQlB,CAAC"}

package/dist/utils/logger.js

@@ -0,0 +1,8 @@
+import pino from 'pino';
+export const logger = pino({
+    level: process.env.LOG_LEVEL || 'info',
+    base: {
+        pid: process.pid,
+    },
+}, process.stderr);
+//# sourceMappingURL=logger.js.map

package/dist/utils/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,CACxB;IACE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,MAAM;IACtC,IAAI,EAAE;QACJ,GAAG,EAAE,OAAO,CAAC,GAAG;KACjB;CACF,EACD,OAAO,CAAC,MAAM,CACf,CAAC"}

package/dist/utils/security.d.ts

@@ -0,0 +1,7 @@
+import { HostSecurityManager } from '../core/HostSecurityManager.js';
+export declare function setHostSecurityManager(manager: HostSecurityManager): void;
+export declare function isReadOnlyMode(host?: string): boolean;
+export declare function isHostCommandDenied(host: string, command: string): boolean;
+export declare function isHostAllowed(host: string): boolean;
+export declare function isCommandDenied(command: string): boolean;
+//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAKrE,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,mBAAmB,QAElE;AAED,wBAAgB,cAAc,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAGrD;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAmB1E;AAcD,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CASnD;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAExD"}

package/dist/utils/security.js

@@ -0,0 +1,58 @@
+let hostSecurity = null;
+export function setHostSecurityManager(manager) {
+    hostSecurity = manager;
+}
+export function isReadOnlyMode(host) {
+    if (host && hostSecurity?.isReadOnly(host))
+        return true;
+    return process.env.MCP_SSH_READONLY === 'true';
+}
+export function isHostCommandDenied(host, command) {
+    const global = isGlobalCommandDenied(command);
+    if (global)
+        return true;
+    if (!hostSecurity)
+        return false;
+    const allowlist = hostSecurity.getAllowCommands(host);
+    if (allowlist.length > 0) {
+        const lower = command.toLowerCase();
+        if (!allowlist.some((a) => lower.includes(a.toLowerCase())))
+            return true;
+    }
+    const denylist = hostSecurity.getDenyCommands(host);
+    if (denylist.length > 0) {
+        const lower = command.toLowerCase();
+        if (denylist.some((d) => lower.includes(d.toLowerCase())))
+            return true;
+    }
+    return false;
+}
+function isGlobalCommandDenied(command) {
+    const denylist = process.env.MCP_SSH_DENYLIST_COMMANDS;
+    if (!denylist)
+        return false;
+    const list = denylist
+        .split(',')
+        .map((c) => c.trim())
+        .filter(Boolean);
+    if (list.length === 0)
+        return false;
+    const lower = command.toLowerCase();
+    return list.some((denied) => lower.includes(denied.toLowerCase()));
+}
+export function isHostAllowed(host) {
+    const allowed = process.env.MCP_SSH_ALLOWED_HOSTS;
+    if (!allowed)
+        return true;
+    const list = allowed
+        .split(',')
+        .map((h) => h.trim())
+        .filter(Boolean);
+    if (list.length === 0)
+        return true;
+    return list.includes(host);
+}
+export function isCommandDenied(command) {
+    return isGlobalCommandDenied(command);
+}
+//# sourceMappingURL=security.js.map

package/dist/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAGA,IAAI,YAAY,GAA+B,IAAI,CAAC;AAEpD,MAAM,UAAU,sBAAsB,CAAC,OAA4B;IACjE,YAAY,GAAG,OAAO,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAa;IAC1C,IAAI,IAAI,IAAI,YAAY,EAAE,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACxD,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,MAAM,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,IAAY,EAAE,OAAe;IAC/D,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,MAAM;QAAE,OAAO,IAAI,CAAC;IAExB,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAEhC,MAAM,SAAS,GAAG,YAAY,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACtD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACpC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAC3E,CAAC;IAED,MAAM,QAAQ,GAAG,YAAY,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACpC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IACzE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IACvD,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,IAAI,GAAG,QAAQ;SAClB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAC;IACnB,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;IAClD,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,MAAM,IAAI,GAAG,OAAO;SACjB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAC;IACnB,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC;AACxC,CAAC"}

package/dist/utils/ssh.d.ts

@@ -0,0 +1,4 @@
+import type { ConnectConfig } from 'ssh2';
+import type { SSHHostConfig } from '../types/index.js';
+export declare function buildSshConfig(hostConfig: SSHHostConfig, readyTimeout?: number): ConnectConfig | null;
+//# sourceMappingURL=ssh.d.ts.map

package/dist/utils/ssh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh.d.ts","sourceRoot":"","sources":["../../src/utils/ssh.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEvD,wBAAgB,cAAc,CAAC,UAAU,EAAE,aAAa,EAAE,YAAY,SAAQ,GAAG,aAAa,GAAG,IAAI,CAyBpG"}

package/dist/utils/ssh.js

@@ -0,0 +1,29 @@
+import fs from 'fs';
+import os from 'os';
+import { logger } from './logger.js';
+export function buildSshConfig(hostConfig, readyTimeout = 20000) {
+    const config = {
+        host: hostConfig.hostname || hostConfig.name,
+        port: hostConfig.port || 22,
+        username: hostConfig.user || process.env.USER || 'root',
+        readyTimeout,
+        keepaliveInterval: 10000,
+        keepaliveCountMax: 3,
+        // Try SSH agent first if available (ssh-agent / Pageant)
+        agent: process.env.SSH_AUTH_SOCK || undefined,
+    };
+    if (hostConfig.identityFile) {
+        const keyPath = hostConfig.identityFile.replace(/^~(?=$|\/)/, os.homedir());
+        if (fs.existsSync(keyPath)) {
+            try {
+                config.privateKey = fs.readFileSync(keyPath);
+            }
+            catch (err) {
+                logger.error({ keyPath, error: err.message }, 'Failed to read SSH key');
+                return null;
+            }
+        }
+    }
+    return config;
+}
+//# sourceMappingURL=ssh.js.map

package/dist/utils/ssh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../src/utils/ssh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,MAAM,IAAI,CAAC;AAEpB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAGrC,MAAM,UAAU,cAAc,CAAC,UAAyB,EAAE,YAAY,GAAG,KAAK;IAC5E,MAAM,MAAM,GAAkB;QAC5B,IAAI,EAAE,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,IAAI;QAC5C,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE;QAC3B,QAAQ,EAAE,UAAU,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM;QACvD,YAAY;QACZ,iBAAiB,EAAE,KAAK;QACxB,iBAAiB,EAAE,CAAC;QACpB,yDAAyD;QACzD,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,SAAS;KAC9C,CAAC;IAEF,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,CAAC,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YAC/C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,EAAE,wBAAwB,CAAC,CAAC;gBACnF,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/utils/sshConfig.d.ts

@@ -0,0 +1,4 @@
+import type { SSHHostConfig } from '../types/index.js';
+export declare function listHostAliases(): string[];
+export declare function getHostConfig(alias: string): SSHHostConfig | null;
+//# sourceMappingURL=sshConfig.d.ts.map

package/dist/utils/sshConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sshConfig.d.ts","sourceRoot":"","sources":["../../src/utils/sshConfig.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AA+BvD,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAqB1C;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAwCjE"}

package/dist/utils/sshConfig.js

@@ -0,0 +1,85 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import { SSHConfig } from 'ssh-config';
+import { logger } from './logger.js';
+let cachedConfig = null;
+let cachedMtime = 0;
+function getConfigPath() {
+    return path.join(os.homedir(), '.ssh', 'config');
+}
+function loadConfig() {
+    const configPath = getConfigPath();
+    try {
+        const stats = fs.statSync(configPath);
+        if (!cachedConfig || stats.mtimeMs !== cachedMtime) {
+            const content = fs.readFileSync(configPath, 'utf8');
+            cachedConfig = SSHConfig.parse(content);
+            cachedMtime = stats.mtimeMs;
+            logger.debug({ path: configPath }, 'SSH config loaded');
+        }
+    }
+    catch (err) {
+        if (err.code === 'ENOENT') {
+            logger.warn({ path: configPath }, 'SSH config not found');
+        }
+        else {
+            logger.error({ error: err.message }, 'Failed to load SSH config');
+        }
+        cachedConfig = SSHConfig.parse('');
+        cachedMtime = 0;
+    }
+    return cachedConfig;
+}
+export function listHostAliases() {
+    const config = loadConfig();
+    const aliases = [];
+    for (const line of config) {
+        if (line.param === 'Host' && line.value) {
+            const values = Array.isArray(line.value) ? line.value : [line.value];
+            for (const value of values) {
+                // Skip wildcard patterns - we only list concrete aliases
+                if (!value.includes('*') && !value.includes('?')) {
+                    aliases.push(value);
+                }
+            }
+        }
+    }
+    return [...new Set(aliases)];
+}
+export function getHostConfig(alias) {
+    const config = loadConfig();
+    try {
+        const computed = config.compute(alias);
+        if (!computed || Object.keys(computed).length === 0) {
+            return null;
+        }
+        const getValue = (key) => {
+            const val = computed[key];
+            if (Array.isArray(val))
+                return val[0];
+            if (typeof val === 'string')
+                return val;
+            return undefined;
+        };
+        return {
+            name: alias,
+            hostname: getValue('HostName'),
+            user: getValue('User'),
+            port: (() => {
+                const p = getValue('Port');
+                if (!p)
+                    return undefined;
+                const n = parseInt(p, 10);
+                return isNaN(n) ? undefined : n;
+            })(),
+            identityFile: getValue('IdentityFile'),
+            proxyJump: getValue('ProxyJump'),
+        };
+    }
+    catch (err) {
+        logger.error({ alias, error: err.message }, 'Failed to compute SSH host config');
+        return null;
+    }
+}
+//# sourceMappingURL=sshConfig.js.map

package/dist/utils/sshConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sshConfig.js","sourceRoot":"","sources":["../../src/utils/sshConfig.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAGrC,IAAI,YAAY,GAA8C,IAAI,CAAC;AACnE,IAAI,WAAW,GAAG,CAAC,CAAC;AAEpB,SAAS,aAAa;IACpB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,UAAU;IACjB,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACtC,IAAI,CAAC,YAAY,IAAI,KAAK,CAAC,OAAO,KAAK,WAAW,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YACpD,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACxC,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,mBAAmB,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,sBAAsB,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,EAAE,2BAA2B,CAAC,CAAC;QAC/E,CAAC;QACD,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACnC,WAAW,GAAG,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,IAAI,IAAI,MAIjB,EAAE,CAAC;QACH,IAAI,IAAI,CAAC,KAAK,KAAK,MAAM,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,yDAAyD;gBACzD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAGpC,CAAC;QAEF,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAsB,EAAE;YACnD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC1B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;gBAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,OAAO,GAAG,KAAK,QAAQ;gBAAE,OAAO,GAAG,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC,CAAC;QAEF,OAAO;YACL,IAAI,EAAE,KAAK;YACX,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC;YAC9B,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC;YACtB,IAAI,EAAE,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;gBAC3B,IAAI,CAAC,CAAC;oBAAE,OAAO,SAAS,CAAC;gBACzB,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC1B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC,CAAC,EAAE;YACJ,YAAY,EAAE,QAAQ,CAAC,cAAc,CAAC;YACtC,SAAS,EAAE,QAAQ,CAAC,WAAW,CAAC;SACjC,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CACV,EAAE,KAAK,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,EACxC,mCAAmC,CACpC,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/utils/validation.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const sessionIdSchema: z.ZodString;
+export declare function sanitizeTmuxSessionName(name: string): string;
+//# sourceMappingURL=validation.d.ts.map

package/dist/utils/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,eAAe,aAA0C,CAAC;AAEvE,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQ5D"}

package/dist/utils/validation.js

@@ -0,0 +1,12 @@
+import { z } from 'zod';
+export const sessionIdSchema = z.string().regex(/^sess_[a-f0-9]{32}$/);
+export function sanitizeTmuxSessionName(name) {
+    // tmux session names can contain: letters, digits, underscore, hyphen, dot
+    let sanitized = name.replace(/[^a-zA-Z0-9_.-]/g, '_');
+    // Must not start with a hyphen or dot, and should start with a letter for safety
+    if (/^[^a-zA-Z]/.test(sanitized)) {
+        sanitized = 'mcp_' + sanitized;
+    }
+    return sanitized;
+}
+//# sourceMappingURL=validation.js.map

package/dist/utils/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;AAEvE,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,2EAA2E;IAC3E,IAAI,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;IACtD,iFAAiF;IACjF,IAAI,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;IACjC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/docs/SECURITY.md

@@ -0,0 +1,213 @@
+# Security Model
+
+`ssh-agent-workspace` implements a **three-layer defense** architecture. Each layer adds granularity without breaking the layers above it.
+
+---
+
+## Layer 1: Global (Environment Variables)
+
+Set at server startup via environment variables. Applies to **all hosts**.
+
+| Variable | Effect |
+|---|---|
+| `MCP_SSH_READONLY=true` | Blocks all write operations globally |
+| `MCP_SSH_ALLOWED_HOSTS=prod,staging` | Only these host aliases can be connected to |
+| `MCP_SSH_DENYLIST_COMMANDS=rm,shutdown,dd` | Blocks commands containing these substrings (case-insensitive) |
+
+### Read-Only Mode: Blocked Tools
+
+When `MCP_SSH_READONLY=true`, the following tools return errors:
+
+- `exec` — Command execution disabled
+- `send_input` — Input sending disabled
+- `sftp_upload` — SFTP upload disabled
+- `sftp_download` — SFTP download disabled
+- `deploy` — Deploy disabled
+- `backup` — Backup disabled
+- `sync` — Sync disabled
+- `group_exec` — Group exec disabled
+- `db_query` — DB query disabled
+- `ssh_tunnel_open` — Tunnels disabled
+
+### Tools Always Allowed (Read Operations)
+
+`list_hosts`, `connect`, `reconnect_to_tmux`, `read_output`, `interrupt`, `disconnect`, `list_sessions`, `sftp_list`, `connection_status`, `health_check`, `tail_log`, `ssh_tunnel_close`, `ssh_tunnel_list`, `tools_config`, `host_security`
+
+---
+
+## Layer 2: Per-Host (Host Security)
+
+Managed via the `host_security` tool and persisted in `~/.dynamic-ssh-mcp/host_security.json`.
+
+Per-host settings **override** global settings for that specific host only.
+
+### Configuration
+
+```json
+{
+  "prod": {
+    "readonly": true,
+    "deny_commands": ["shutdown", "reboot", "dd if="]
+  },
+  "staging": {
+    "deny_commands": ["rm -rf /", "shutdown"]
+  },
+  "dev": {
+    "allow_commands": [
+      "ls", "cat", "echo", "ps aux",
+      "docker ps", "docker logs",
+      "git status", "git diff", "git log",
+      "npm run", "node"
+    ]
+  }
+}
+```
+
+### Rules
+
+| Field | Behavior |
+|---|---|
+| `readonly: true` | Host locked to read-only, regardless of global `MCP_SSH_READONLY` |
+| `readonly: false` | Host explicitly writeable (does **not** override global readonly) |
+| `allow_commands: [...]` | If set, **only** commands matching these patterns are allowed (case-insensitive substring match) |
+| `deny_commands: [...]` | Commands matching these patterns are blocked (case-insensitive substring match) |
+
+**Precedence:** `deny_commands` wins over `allow_commands`. If a command matches both, it's blocked.
+
+### Enforcement Points
+
+Per-host read-only is checked **after session lookup** in every write tool:
+
+```
+exec, send_input, sftp_upload, sftp_download,
+deploy, backup, sync, group_exec, db_query, ssh_tunnel_open
+```
+
+If a session's host has `readonly: true`, the tool returns:
+
+```
+Error: Host 'prod' is in read-only mode. <operation> is disabled.
+```
+
+### Per-Host Command Filtering
+
+`isHostCommandDenied(host, command)` checks:
+1. Global `MCP_SSH_DENYLIST_COMMANDS`
+2. Per-host `allow_commands` (if set, command must match at least one)
+3. Per-host `deny_commands`
+
+Per-host command filtering is available to all tools via the shared security utility.
+
+---
+
+## Layer 3: Per-Operation (Tool-Level)
+
+### Path Sanitization
+
+All file paths used in SFTP, backup, deploy, sync, and tail_log are validated:
+
+- Rejects paths containing `;`, `&&`, `||`, `|`
+- Rejects paths starting with `-` (option injection)
+- Paths are shell-escaped before passing to exec commands
+
+### Command Denylist (Global)
+
+Commands containing these substrings are blocked (case-insensitive):
+
+```
+rm -rf, shutdown, reboot, dd, mkfs, fdisk, :(){ :|:& };:  (fork bomb)
+```
+
+Configured via `MCP_SSH_DENYLIST_COMMANDS` — comma-separated:
+```
+MCP_SSH_DENYLIST_COMMANDS=rm -rf,shutdown,dd if=,mkfs,chmod 777
+```
+
+### SQL/MongoDB Query Security
+
+The `db_query` tool enforces read-only queries:
+
+**SQL (MySQL/PostgreSQL):**
+- Blocked keywords: `DROP`, `DELETE`, `INSERT`, `UPDATE`, `ALTER`, `CREATE`, `TRUNCATE`, `GRANT`, `REVOKE`, `RENAME`, `REPLACE`, `MERGE`, `UPSERT`, `LOAD`
+- Only allowed prefixes: `SELECT`, `SHOW`, `EXPLAIN`, `DESCRIBE`, `WITH`
+
+**MongoDB:**
+- Blocked methods: `deleteOne`, `deleteMany`, `insertOne`, `insertMany`, `updateOne`, `updateMany`, `replaceOne`, `drop`, `dropDatabase`, `createIndex`, `createCollection`
+
+### Shell Injection Protection
+
+All arguments passed to tmux commands are:
+1. Validated via Zod schemas before use
+2. Passed through `sanitizeTmuxSessionName()` for session names
+3. Base64-encoded buffer pipeline for command input (not raw string interpolation)
+4. Escaped via `escapeShellArg()` for exec channel commands
+
+### SFTP Security
+
+- `sftp_upload` / `sftp_download`: paths validated before transfer
+- `sftp_list`: read-only, allowed even in read-only mode
+- `deploy`: validates all paths in the files array, plus exec commands for chmod/chown/restart
+
+---
+
+## Proxy Jump / Bastion Security
+
+- Both the bastion host AND the target host must pass `isHostAllowed()` checks
+- Bastion resolved from `~/.ssh/config` (`ProxyJump` directive) or explicit `proxy_jump` parameter
+- Each hop uses its own SSH key from the corresponding `Host` config block
+- The bastion connection is established first, then `forwardOut` is used to reach the target
+
+---
+
+## Session Isolation
+
+- Each session = **one dedicated SSH connection** + **one dedicated tmux session**
+- Sessions cannot see each other's tmux panes
+- Session metadata stored locally at `~/.dynamic-ssh-mcp/sessions.json`
+- No passwords are stored — auth is key-based via `~/.ssh/config`
+- SSH key passphrases not stored; use `ssh-agent` for passphrase-protected keys
+
+---
+
+## Hardening Recommendations
+
+### Production
+
+```bash
+# Global read-only on production
+export MCP_SSH_READONLY=true
+
+# Only prod and staging hosts
+export MCP_SSH_ALLOWED_HOSTS=prod,staging
+
+# Block dangerous operations
+export MCP_SSH_DENYLIST_COMMANDS="rm -rf,shutdown,reboot,dd if=,chmod 777,fdisk,mkfs"
+
+# Only restore known sessions (don't discover new ones)
+export MCP_SSH_RESTORE_SESSIONS=true
+```
+
+### Per-Host Fine-Tuning (via tools_config / host_security)
+
+```
+# Lock production to read-only
+host_security set host=prod readonly=true
+
+# Limit dev commands
+host_security set host=dev deny_commands=["rm -rf", "shutdown", "reboot"]
+
+# Disable unused tools to reduce attack surface
+tools_config disable db_query
+tools_config disable backup
+tools_config disable sync
+tools_config disable deploy
+```
+
+---
+
+## Audit & Monitoring
+
+- All tool invocations logged to stderr via pino (configurable `LOG_LEVEL`)
+- Session create/remove/restore events logged with session IDs
+- Failed connections, auth rejections, and denied commands logged at `warn` level
+- Log format: structured JSON with timestamps