npm - ssh-mcp-pro - Versions diffs - 1.0.0 - Mend

ssh-mcp-pro 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/AGENTS.md +127 -0
package/ARCHITECTURE.md +145 -0
package/LICENSE +21 -0
package/LICENSES/MIT.txt +21 -0
package/MIGRATION.md +14 -0
package/README.md +175 -0
package/REGISTRY_SUBMISSION.md +38 -0
package/SECURITY.md +40 -0
package/SECURITY_DECISIONS.md +59 -0
package/dist/agent-bin.d.ts +3 -0
package/dist/agent-bin.d.ts.map +1 -0
package/dist/agent-bin.js +8 -0
package/dist/agent-bin.js.map +1 -0
package/dist/audit.d.ts +25 -0
package/dist/audit.d.ts.map +1 -0
package/dist/audit.js +50 -0
package/dist/audit.js.map +1 -0
package/dist/auth.d.ts +4 -0
package/dist/auth.d.ts.map +1 -0
package/dist/auth.js +33 -0
package/dist/auth.js.map +1 -0
package/dist/cli.d.ts +16 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +99 -0
package/dist/cli.js.map +1 -0
package/dist/config.d.ts +103 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +490 -0
package/dist/config.js.map +1 -0
package/dist/connector-credentials.d.ts +8 -0
package/dist/connector-credentials.d.ts.map +1 -0
package/dist/connector-credentials.js +132 -0
package/dist/connector-credentials.js.map +1 -0
package/dist/connector-profile.d.ts +17 -0
package/dist/connector-profile.d.ts.map +1 -0
package/dist/connector-profile.js +81 -0
package/dist/connector-profile.js.map +1 -0
package/dist/container.d.ts +18 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +52 -0
package/dist/container.js.map +1 -0
package/dist/detect.d.ts +7 -0
package/dist/detect.d.ts.map +1 -0
package/dist/detect.js +271 -0
package/dist/detect.js.map +1 -0
package/dist/ensure.d.ts +17 -0
package/dist/ensure.d.ts.map +1 -0
package/dist/ensure.js +531 -0
package/dist/ensure.js.map +1 -0
package/dist/errors.d.ts +54 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +84 -0
package/dist/errors.js.map +1 -0
package/dist/fs-tools.d.ts +26 -0
package/dist/fs-tools.d.ts.map +1 -0
package/dist/fs-tools.js +599 -0
package/dist/fs-tools.js.map +1 -0
package/dist/http-rate-limit.d.ts +9 -0
package/dist/http-rate-limit.d.ts.map +1 -0
package/dist/http-rate-limit.js +41 -0
package/dist/http-rate-limit.js.map +1 -0
package/dist/http-security.d.ts +22 -0
package/dist/http-security.d.ts.map +1 -0
package/dist/http-security.js +88 -0
package/dist/http-security.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +201 -0
package/dist/index.js.map +1 -0
package/dist/logging.d.ts +52 -0
package/dist/logging.d.ts.map +1 -0
package/dist/logging.js +180 -0
package/dist/logging.js.map +1 -0
package/dist/mcp.d.ts +16 -0
package/dist/mcp.d.ts.map +1 -0
package/dist/mcp.js +159 -0
package/dist/mcp.js.map +1 -0
package/dist/metrics.d.ts +95 -0
package/dist/metrics.d.ts.map +1 -0
package/dist/metrics.js +204 -0
package/dist/metrics.js.map +1 -0
package/dist/oauth.d.ts +14 -0
package/dist/oauth.d.ts.map +1 -0
package/dist/oauth.js +105 -0
package/dist/oauth.js.map +1 -0
package/dist/policy.d.ts +64 -0
package/dist/policy.d.ts.map +1 -0
package/dist/policy.js +368 -0
package/dist/policy.js.map +1 -0
package/dist/process.d.ts +24 -0
package/dist/process.d.ts.map +1 -0
package/dist/process.js +212 -0
package/dist/process.js.map +1 -0
package/dist/prompts.d.ts +49 -0
package/dist/prompts.d.ts.map +1 -0
package/dist/prompts.js +191 -0
package/dist/prompts.js.map +1 -0
package/dist/rate-limiter.d.ts +57 -0
package/dist/rate-limiter.d.ts.map +1 -0
package/dist/rate-limiter.js +141 -0
package/dist/rate-limiter.js.map +1 -0
package/dist/remote/agent-cli.d.ts +2 -0
package/dist/remote/agent-cli.d.ts.map +1 -0
package/dist/remote/agent-cli.js +270 -0
package/dist/remote/agent-cli.js.map +1 -0
package/dist/remote/agent-executor.d.ts +26 -0
package/dist/remote/agent-executor.d.ts.map +1 -0
package/dist/remote/agent-executor.js +400 -0
package/dist/remote/agent-executor.js.map +1 -0
package/dist/remote/config.d.ts +3 -0
package/dist/remote/config.d.ts.map +1 -0
package/dist/remote/config.js +52 -0
package/dist/remote/config.js.map +1 -0
package/dist/remote/control-plane.d.ts +57 -0
package/dist/remote/control-plane.d.ts.map +1 -0
package/dist/remote/control-plane.js +1248 -0
package/dist/remote/control-plane.js.map +1 -0
package/dist/remote/crypto.d.ts +38 -0
package/dist/remote/crypto.d.ts.map +1 -0
package/dist/remote/crypto.js +143 -0
package/dist/remote/crypto.js.map +1 -0
package/dist/remote/mcp-tools.d.ts +10 -0
package/dist/remote/mcp-tools.d.ts.map +1 -0
package/dist/remote/mcp-tools.js +201 -0
package/dist/remote/mcp-tools.js.map +1 -0
package/dist/remote/policy.d.ts +11 -0
package/dist/remote/policy.d.ts.map +1 -0
package/dist/remote/policy.js +94 -0
package/dist/remote/policy.js.map +1 -0
package/dist/remote/schemas.d.ts +298 -0
package/dist/remote/schemas.d.ts.map +1 -0
package/dist/remote/schemas.js +111 -0
package/dist/remote/schemas.js.map +1 -0
package/dist/remote/scopes.d.ts +6 -0
package/dist/remote/scopes.d.ts.map +1 -0
package/dist/remote/scopes.js +24 -0
package/dist/remote/scopes.js.map +1 -0
package/dist/remote/store.d.ts +45 -0
package/dist/remote/store.d.ts.map +1 -0
package/dist/remote/store.js +355 -0
package/dist/remote/store.js.map +1 -0
package/dist/remote/types.d.ts +183 -0
package/dist/remote/types.d.ts.map +1 -0
package/dist/remote/types.js +103 -0
package/dist/remote/types.js.map +1 -0
package/dist/remote/util.d.ts +6 -0
package/dist/remote/util.d.ts.map +1 -0
package/dist/remote/util.js +45 -0
package/dist/remote/util.js.map +1 -0
package/dist/remote/websocket.d.ts +26 -0
package/dist/remote/websocket.d.ts.map +1 -0
package/dist/remote/websocket.js +167 -0
package/dist/remote/websocket.js.map +1 -0
package/dist/render-http.d.ts +2 -0
package/dist/render-http.d.ts.map +1 -0
package/dist/render-http.js +14 -0
package/dist/render-http.js.map +1 -0
package/dist/resources.d.ts +19 -0
package/dist/resources.d.ts.map +1 -0
package/dist/resources.js +96 -0
package/dist/resources.js.map +1 -0
package/dist/retry.d.ts +45 -0
package/dist/retry.d.ts.map +1 -0
package/dist/retry.js +120 -0
package/dist/retry.js.map +1 -0
package/dist/safety.d.ts +31 -0
package/dist/safety.d.ts.map +1 -0
package/dist/safety.js +174 -0
package/dist/safety.js.map +1 -0
package/dist/server-http.d.ts +2 -0
package/dist/server-http.d.ts.map +1 -0
package/dist/server-http.js +432 -0
package/dist/server-http.js.map +1 -0
package/dist/session.d.ts +116 -0
package/dist/session.d.ts.map +1 -0
package/dist/session.js +666 -0
package/dist/session.js.map +1 -0
package/dist/shell.d.ts +10 -0
package/dist/shell.d.ts.map +1 -0
package/dist/shell.js +83 -0
package/dist/shell.js.map +1 -0
package/dist/ssh-config.d.ts +94 -0
package/dist/ssh-config.d.ts.map +1 -0
package/dist/ssh-config.js +234 -0
package/dist/ssh-config.js.map +1 -0
package/dist/streaming.d.ts +36 -0
package/dist/streaming.d.ts.map +1 -0
package/dist/streaming.js +140 -0
package/dist/streaming.js.map +1 -0
package/dist/telemetry.d.ts +17 -0
package/dist/telemetry.d.ts.map +1 -0
package/dist/telemetry.js +101 -0
package/dist/telemetry.js.map +1 -0
package/dist/tools/connector.provider.d.ts +28 -0
package/dist/tools/connector.provider.d.ts.map +1 -0
package/dist/tools/connector.provider.js +360 -0
package/dist/tools/connector.provider.js.map +1 -0
package/dist/tools/ensure.provider.d.ts +18 -0
package/dist/tools/ensure.provider.d.ts.map +1 -0
package/dist/tools/ensure.provider.js +173 -0
package/dist/tools/ensure.provider.js.map +1 -0
package/dist/tools/fs.provider.d.ts +21 -0
package/dist/tools/fs.provider.d.ts.map +1 -0
package/dist/tools/fs.provider.js +259 -0
package/dist/tools/fs.provider.js.map +1 -0
package/dist/tools/index.d.ts +4 -0
package/dist/tools/index.d.ts.map +1 -0
package/dist/tools/index.js +68 -0
package/dist/tools/index.js.map +1 -0
package/dist/tools/metadata.d.ts +11 -0
package/dist/tools/metadata.d.ts.map +1 -0
package/dist/tools/metadata.js +10 -0
package/dist/tools/metadata.js.map +1 -0
package/dist/tools/output-schemas.d.ts +217 -0
package/dist/tools/output-schemas.d.ts.map +1 -0
package/dist/tools/output-schemas.js +300 -0
package/dist/tools/output-schemas.js.map +1 -0
package/dist/tools/process.provider.d.ts +22 -0
package/dist/tools/process.provider.d.ts.map +1 -0
package/dist/tools/process.provider.js +146 -0
package/dist/tools/process.provider.js.map +1 -0
package/dist/tools/registry.d.ts +12 -0
package/dist/tools/registry.d.ts.map +1 -0
package/dist/tools/registry.js +163 -0
package/dist/tools/registry.js.map +1 -0
package/dist/tools/results.d.ts +4 -0
package/dist/tools/results.d.ts.map +1 -0
package/dist/tools/results.js +5 -0
package/dist/tools/results.js.map +1 -0
package/dist/tools/session.provider.d.ts +23 -0
package/dist/tools/session.provider.d.ts.map +1 -0
package/dist/tools/session.provider.js +299 -0
package/dist/tools/session.provider.js.map +1 -0
package/dist/tools/system.provider.d.ts +18 -0
package/dist/tools/system.provider.d.ts.map +1 -0
package/dist/tools/system.provider.js +81 -0
package/dist/tools/system.provider.js.map +1 -0
package/dist/tools/transfer.provider.d.ts +16 -0
package/dist/tools/transfer.provider.d.ts.map +1 -0
package/dist/tools/transfer.provider.js +85 -0
package/dist/tools/transfer.provider.js.map +1 -0
package/dist/tools/tunnel.provider.d.ts +18 -0
package/dist/tools/tunnel.provider.d.ts.map +1 -0
package/dist/tools/tunnel.provider.js +142 -0
package/dist/tools/tunnel.provider.js.map +1 -0
package/dist/tools/types.d.ts +16 -0
package/dist/tools/types.d.ts.map +1 -0
package/dist/tools/types.js +2 -0
package/dist/tools/types.js.map +1 -0
package/dist/transfer.d.ts +40 -0
package/dist/transfer.d.ts.map +1 -0
package/dist/transfer.js +363 -0
package/dist/transfer.js.map +1 -0
package/dist/tunnel.d.ts +37 -0
package/dist/tunnel.d.ts.map +1 -0
package/dist/tunnel.js +234 -0
package/dist/tunnel.js.map +1 -0
package/dist/types.d.ts +341 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +184 -0
package/dist/types.js.map +1 -0
package/docs/docker.md +22 -0
package/examples/README.md +77 -0
package/mcp.json +21 -0
package/package.json +147 -0
package/registry/ssh-mcp-pro/mcp.json +21 -0
package/server.json +76 -0

package/dist/session.js ADDED Viewed

@@ -0,0 +1,666 @@
+import { NodeSSH } from "node-ssh";
+import { createHash, createHmac, randomUUID } from "node:crypto";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { SSHMCPError, } from "./types.js";
+import { createAuthError, createConnectionError, createHostKeyError, createPolicyError, createTimeoutError, } from "./errors.js";
+import { logger } from "./logging.js";
+import { detectOS } from "./detect.js";
+const KNOWN_HOST_KEY_TYPES = new Set([
+    "ssh-ed25519",
+    "ssh-ed25519-cert-v01@openssh.com",
+    "ssh-rsa",
+    "ssh-rsa-cert-v01@openssh.com",
+    "rsa-sha2-256",
+    "rsa-sha2-256-cert-v01@openssh.com",
+    "rsa-sha2-512",
+    "rsa-sha2-512-cert-v01@openssh.com",
+    "ecdsa-sha2-nistp256",
+    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
+    "ecdsa-sha2-nistp384",
+    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
+    "ecdsa-sha2-nistp521",
+    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
+    "sk-ssh-ed25519@openssh.com",
+    "sk-ssh-ed25519-cert-v01@openssh.com",
+    "sk-ecdsa-sha2-nistp256@openssh.com",
+    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
+]);
+function normalizeSha256Fingerprint(fingerprint) {
+    return fingerprint.replace(/^SHA256:/i, "").trim();
+}
+function knownHostKeyFingerprints(keyBlob) {
+    const key = Buffer.from(keyBlob, "base64");
+    const base64 = createHash("sha256").update(key).digest("base64").replace(/=+$/, "");
+    const hex = createHash("sha256").update(key).digest("hex");
+    return [base64, hex];
+}
+/**
+ * Session manager with LRU cache and TTL
+ */
+export class SessionManager {
+    security;
+    policy;
+    sessions = new Map();
+    maxSessions;
+    defaultTtlMs;
+    cleanupInterval;
+    acceptedHostKeys = new Map();
+    closeListeners = new Set();
+    constructor(maxSessions = 20, defaultTtlMs = 900_000, cleanupIntervalMs = 10_000, security = {
+        allowRootLogin: false,
+        hostKeyPolicy: "strict",
+        knownHostsPath: path.join(os.homedir(), ".ssh", "known_hosts"),
+        allowedCiphers: [],
+    }, policy) {
+        this.security = security;
+        this.policy = policy;
+        this.maxSessions = maxSessions;
+        this.defaultTtlMs = defaultTtlMs;
+        this.cleanupInterval = setInterval(() => {
+            this.cleanupExpiredSessions();
+        }, cleanupIntervalMs);
+        this.cleanupInterval.unref?.();
+    }
+    /**
+     * Destroys the session manager, cleaning up all sessions and intervals
+     */
+    async destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = undefined;
+        }
+        await this.closeAllSessions();
+    }
+    onSessionClose(listener) {
+        this.closeListeners.add(listener);
+        return () => {
+            this.closeListeners.delete(listener);
+        };
+    }
+    /**
+     * Gets cached OS info for a session (detects and caches if needed)
+     */
+    async getOSInfo(sessionId) {
+        const session = this.getSession(sessionId);
+        if (!session) {
+            throw new Error(`Session ${sessionId} not found or expired`);
+        }
+        if (session.osInfo) {
+            return session.osInfo;
+        }
+        const osInfo = await detectOS(session.ssh);
+        session.osInfo = osInfo;
+        return osInfo;
+    }
+    /**
+     * Opens a new SSH session with authentication
+     */
+    async openSession(params) {
+        logger.debug("Opening SSH session", {
+            host: params.host,
+            username: params.username,
+        });
+        const sessionId = this.generateSessionId();
+        const now = Date.now();
+        const ttl = params.ttlMs ?? this.defaultTtlMs;
+        const policyMode = params.policyMode ?? "enforce";
+        const hostKeyPolicy = this.resolveHostKeyPolicy(params);
+        const policyHost = params.policyHost ?? params.host;
+        const policyDecision = this.policy?.assertAllowed({
+            action: "ssh.open",
+            host: policyHost,
+            username: params.username,
+            mode: policyMode,
+        });
+        const rootDenied = params.username === "root" && !this.security.allowRootLogin;
+        if (policyMode === "explain") {
+            return {
+                sessionId,
+                host: params.host,
+                username: params.username,
+                sftpAvailable: false,
+                expiresInMs: ttl,
+                policyMode,
+                hostKeyPolicy,
+                wouldConnect: !rootDenied && (policyDecision?.allowed ?? true),
+            };
+        }
+        try {
+            if (rootDenied) {
+                throw createPolicyError("Root SSH login is disabled by policy", "Connect as an unprivileged user and use approved privilege escalation workflows.");
+            }
+            // Clean up old sessions if we're at the limit
+            if (this.sessions.size >= this.maxSessions) {
+                this.evictOldestSession();
+            }
+            const ssh = new NodeSSH();
+            const authConfig = await this.buildAuthConfig(params);
+            const knownHostsPath = params.knownHostsPath ?? this.security.knownHostsPath;
+            const connectConfig = {
+                host: params.host,
+                username: params.username,
+                port: params.port ?? 22,
+                readyTimeout: params.readyTimeoutMs ?? 20000,
+                ...authConfig,
+            };
+            if (this.security.allowedCiphers.length > 0) {
+                connectConfig.algorithms = {
+                    ...connectConfig.algorithms,
+                    cipher: this.security.allowedCiphers,
+                };
+            }
+            if (params.expectedHostKeySha256) {
+                connectConfig.hostHash = "sha256";
+                connectConfig.hostVerifier = (hashedKey) => normalizeSha256Fingerprint(hashedKey) ===
+                    normalizeSha256Fingerprint(params.expectedHostKeySha256 ?? "");
+            }
+            else if (hostKeyPolicy === "insecure") {
+                connectConfig.hostVerifier = () => true;
+            }
+            else if (hostKeyPolicy === "accept-new") {
+                connectConfig.hostHash = "sha256";
+                connectConfig.hostVerifier = (hashedKey) => this.verifyAcceptNewHostKey(params.host, params.port ?? 22, hashedKey);
+            }
+            else {
+                connectConfig.hostHash = "sha256";
+                connectConfig.hostVerifier = (hashedKey) => this.verifyKnownHostKey(params.host, params.port ?? 22, knownHostsPath, hashedKey);
+            }
+            logger.debug("Connecting to SSH server");
+            await ssh.connect(connectConfig);
+            let sftp;
+            let sftpAvailable = false;
+            try {
+                sftp = await ssh.requestSFTP();
+                sftpAvailable = true;
+            }
+            catch (sftpError) {
+                logger.warn("SFTP unavailable, continuing with SSH-only session", {
+                    host: params.host,
+                    username: params.username,
+                    error: sftpError instanceof Error ? sftpError.message : String(sftpError),
+                });
+            }
+            if (hostKeyPolicy !== "strict") {
+                logger.warn("Strict host key verification is not active for this session.", {
+                    sessionId,
+                    hostKeyPolicy,
+                });
+            }
+            const sessionInfo = {
+                sessionId,
+                host: params.host,
+                username: params.username,
+                port: params.port ?? 22,
+                createdAt: now,
+                expiresAt: now + ttl,
+                lastUsed: now,
+                policyMode,
+                hostKeyPolicy,
+            };
+            const session = {
+                ssh,
+                info: sessionInfo,
+                connectionParams: params,
+                ...(sftp ? { sftp } : {}),
+            };
+            this.sessions.set(sessionId, session);
+            logger.info("SSH session opened successfully", {
+                sessionId,
+                host: params.host,
+                username: params.username,
+                sftpAvailable,
+                expiresInMs: ttl,
+            });
+            return {
+                sessionId,
+                host: params.host,
+                username: params.username,
+                sftpAvailable,
+                expiresInMs: ttl,
+                policyMode,
+                hostKeyPolicy,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to open SSH session", { error, host: params.host });
+            if (error instanceof SSHMCPError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                if (error.message.includes("authentication")) {
+                    throw createAuthError("SSH authentication failed", "Check your username, password, or SSH key configuration");
+                }
+                if (error.message.includes("timeout") || error.message.includes("ETIMEDOUT")) {
+                    throw createTimeoutError("SSH connection timeout", "Check if the host is reachable and the SSH service is running");
+                }
+                if (error.message.includes("ECONNREFUSED")) {
+                    throw createConnectionError("SSH connection refused", "Check if the SSH service is running on the target port");
+                }
+                if (error.message.toLowerCase().includes("host key")) {
+                    throw createHostKeyError("SSH host key verification failed", "Check known_hosts, hostKeyPolicy, or expectedHostKeySha256");
+                }
+                if (error.message.toLowerCase().includes("host denied")) {
+                    throw createHostKeyError("SSH host key verification failed", "Check known_hosts, hostKeyPolicy, or expectedHostKeySha256");
+                }
+            }
+            throw createConnectionError(`Failed to establish SSH connection: ${error instanceof Error ? error.message : String(error)}`, "Verify the host, port, and network connectivity");
+        }
+    }
+    /**
+     * Closes an SSH session
+     */
+    async closeSession(sessionId) {
+        logger.debug("Closing SSH session", { sessionId });
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            logger.warn("Session not found for closing", { sessionId });
+            return false;
+        }
+        try {
+            await this.notifySessionClose(sessionId);
+            if (session.sftp) {
+                session.sftp.end();
+            }
+            session.ssh.dispose();
+        }
+        catch (error) {
+            logger.warn("Error closing session", { sessionId, error });
+        }
+        this.sessions.delete(sessionId);
+        logger.info("SSH session closed", { sessionId });
+        return true;
+    }
+    /**
+     * Gets an active session by ID
+     */
+    getSession(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            return undefined;
+        }
+        if (Date.now() > session.info.expiresAt) {
+            void this.closeSession(sessionId);
+            return undefined;
+        }
+        session.info.lastUsed = Date.now();
+        return session;
+    }
+    /**
+     * Builds authentication configuration based on the auth strategy
+     */
+    async buildAuthConfig(params) {
+        const authStrategy = params.auth ?? "auto";
+        logger.debug("Building auth config", { strategy: authStrategy });
+        switch (authStrategy) {
+            case "password":
+                if (!params.password) {
+                    throw createAuthError("Password required for password authentication");
+                }
+                return { password: params.password };
+            case "key":
+                return await this.buildKeyAuth(params);
+            case "agent":
+                return await this.buildAgentAuth();
+            case "auto":
+            default:
+                return await this.buildAutoAuth(params);
+        }
+    }
+    /**
+     * Builds key-based authentication
+     */
+    async buildKeyAuth(params) {
+        if (params.privateKey) {
+            logger.debug("Using inline private key");
+            return {
+                privateKey: params.privateKey,
+                ...(params.passphrase !== undefined ? { passphrase: params.passphrase } : {}),
+            };
+        }
+        if (params.privateKeyPath) {
+            logger.debug("Using private key from path", {
+                path: params.privateKeyPath,
+            });
+            return await this.loadPrivateKeyFromPath(params.privateKeyPath, params.passphrase);
+        }
+        return await this.discoverPrivateKeys(params.passphrase);
+    }
+    /**
+     * Builds SSH agent authentication
+     */
+    async buildAgentAuth() {
+        const authSock = process.env.SSH_AUTH_SOCK;
+        if (!authSock) {
+            throw createAuthError("SSH agent not available", "Set SSH_AUTH_SOCK environment variable or use a different auth method");
+        }
+        logger.debug("Using SSH agent authentication");
+        return { agent: authSock };
+    }
+    /**
+     * Builds automatic authentication (tries password, then key, then agent)
+     */
+    async buildAutoAuth(params) {
+        if (params.password) {
+            logger.debug("Auto auth: trying password");
+            return { password: params.password };
+        }
+        try {
+            logger.debug("Auto auth: trying key authentication");
+            return await this.buildKeyAuth(params);
+        }
+        catch {
+            logger.debug("Auto auth: key authentication failed, trying agent");
+        }
+        try {
+            return await this.buildAgentAuth();
+        }
+        catch {
+            throw createAuthError("No suitable authentication method found", "Provide a password, private key, or ensure SSH agent is running");
+        }
+    }
+    /**
+     * Loads private key from file path
+     */
+    async loadPrivateKeyFromPath(keyPath, passphrase) {
+        try {
+            const privateKey = await fs.promises.readFile(keyPath, "utf8");
+            return {
+                privateKey,
+                ...(passphrase !== undefined ? { passphrase } : {}),
+            };
+        }
+        catch {
+            throw createAuthError(`Failed to load private key from ${keyPath}`, "Check if the file exists and is readable");
+        }
+    }
+    /**
+     * Auto-discovers private keys in standard locations
+     */
+    async discoverPrivateKeys(passphrase) {
+        const homeDir = os.homedir();
+        const keyDir = process.env.SSH_DEFAULT_KEY_DIR ?? path.join(homeDir, ".ssh");
+        const keyFiles = ["id_ed25519", "id_ecdsa", "id_ed25519_sk", "id_ecdsa_sk", "id_rsa"];
+        for (const keyFile of keyFiles) {
+            const keyPath = path.join(keyDir, keyFile);
+            try {
+                await fs.promises.access(keyPath, fs.constants.R_OK);
+                logger.debug("Found SSH key", { path: keyPath });
+                return await this.loadPrivateKeyFromPath(keyPath, passphrase);
+            }
+            catch {
+                logger.debug("SSH key not found or not readable", { path: keyPath });
+            }
+        }
+        throw createAuthError("No SSH private keys found in standard locations", `Checked: ${keyFiles.map((f) => path.join(keyDir, f)).join(", ")}`);
+    }
+    /**
+     * Generates a unique session ID
+     */
+    generateSessionId() {
+        return `ssh-${randomUUID()}`;
+    }
+    async notifySessionClose(sessionId) {
+        const listenerTimeoutMs = 5_000;
+        const runListener = async (listener) => {
+            let timeout;
+            try {
+                await Promise.race([
+                    Promise.resolve().then(() => listener(sessionId)),
+                    new Promise((_, reject) => {
+                        timeout = setTimeout(() => reject(new Error("Session close listener timed out")), listenerTimeoutMs);
+                    }),
+                ]);
+            }
+            finally {
+                if (timeout) {
+                    clearTimeout(timeout);
+                }
+            }
+        };
+        const results = await Promise.allSettled(Array.from(this.closeListeners).map((listener) => runListener(listener)));
+        for (const result of results) {
+            if (result.status === "rejected") {
+                logger.warn("Session close listener failed", { sessionId, error: result.reason });
+            }
+        }
+    }
+    resolveHostKeyPolicy(params) {
+        if (params.hostKeyPolicy) {
+            return params.hostKeyPolicy;
+        }
+        if (params.strictHostKeyChecking !== undefined) {
+            return params.strictHostKeyChecking ? "strict" : "insecure";
+        }
+        return this.security.hostKeyPolicy;
+    }
+    verifyAcceptNewHostKey(host, port, hashedKey) {
+        const key = `${host}:${port}`;
+        const normalized = normalizeSha256Fingerprint(hashedKey);
+        const accepted = this.acceptedHostKeys.get(key);
+        if (!accepted) {
+            this.acceptedHostKeys.set(key, normalized);
+            logger.warn("Accepted first-seen SSH host key for this process only", { host, port });
+            return true;
+        }
+        return accepted === normalized;
+    }
+    verifyKnownHostKey(host, port, knownHostsPath, hashedKey) {
+        if (!knownHostsPath) {
+            return false;
+        }
+        let contents;
+        try {
+            contents = fs.readFileSync(knownHostsPath, "utf8");
+        }
+        catch {
+            return false;
+        }
+        const expected = normalizeSha256Fingerprint(hashedKey);
+        for (const line of contents.split(/\r?\n/)) {
+            const parsed = this.parseKnownHostLine(line);
+            if (!parsed || !this.knownHostPatternMatches(parsed.hosts, host, port)) {
+                continue;
+            }
+            if (parsed.marker === "@revoked") {
+                return false;
+            }
+            try {
+                const fingerprints = knownHostKeyFingerprints(parsed.keyBlob);
+                if (fingerprints.some((fingerprint) => normalizeSha256Fingerprint(fingerprint) === expected)) {
+                    return true;
+                }
+            }
+            catch {
+                continue;
+            }
+        }
+        return false;
+    }
+    parseKnownHostLine(line) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#")) {
+            return undefined;
+        }
+        const parts = trimmed.split(/\s+/);
+        if (parts[0]?.startsWith("@")) {
+            if (parts.length < 4) {
+                return undefined;
+            }
+            if (!KNOWN_HOST_KEY_TYPES.has(parts[2] ?? "")) {
+                return undefined;
+            }
+            return { marker: parts[0], hosts: parts[1] ?? "", keyBlob: parts[3] ?? "" };
+        }
+        if (parts.length < 3) {
+            return undefined;
+        }
+        if (!KNOWN_HOST_KEY_TYPES.has(parts[1] ?? "")) {
+            return undefined;
+        }
+        return { hosts: parts[0] ?? "", keyBlob: parts[2] ?? "" };
+    }
+    knownHostPatternMatches(hosts, host, port) {
+        const candidates = new Set([host, `[${host}]:${port}`]);
+        for (const pattern of hosts.split(",")) {
+            if (pattern.startsWith("|")) {
+                if (this.hashedKnownHostPatternMatches(pattern, candidates)) {
+                    return true;
+                }
+                continue;
+            }
+            if (candidates.has(pattern)) {
+                return true;
+            }
+            const regex = new RegExp(`^${pattern
+                .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+                .replace(/\*/g, ".*")
+                .replace(/\?/g, ".")}$`);
+            if (regex.test(host)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    hashedKnownHostPatternMatches(pattern, candidates) {
+        const match = /^\|1\|([^|]+)\|([^|]+)$/u.exec(pattern);
+        if (!match) {
+            return false;
+        }
+        try {
+            const salt = Buffer.from(match[1] ?? "", "base64");
+            const expected = match[2] ?? "";
+            for (const candidate of candidates) {
+                const digest = createHmac("sha1", salt).update(candidate).digest("base64");
+                if (digest === expected) {
+                    return true;
+                }
+            }
+        }
+        catch {
+            return false;
+        }
+        return false;
+    }
+    /**
+     * Evicts the oldest (least recently used) session
+     */
+    evictOldestSession() {
+        let oldestSession;
+        let oldestTime = Date.now();
+        for (const [sessionId, session] of this.sessions) {
+            if (session.info.lastUsed < oldestTime) {
+                oldestTime = session.info.lastUsed;
+                oldestSession = sessionId;
+            }
+        }
+        if (oldestSession) {
+            logger.info("Evicting oldest session", { sessionId: oldestSession });
+            void this.closeSession(oldestSession);
+        }
+    }
+    /**
+     * Cleans up expired sessions
+     */
+    cleanupExpiredSessions() {
+        const now = Date.now();
+        const expiredSessions = [];
+        for (const [sessionId, session] of this.sessions) {
+            if (now > session.info.expiresAt) {
+                expiredSessions.push(sessionId);
+            }
+        }
+        for (const sessionId of expiredSessions) {
+            logger.info("Cleaning up expired session", { sessionId });
+            void this.closeSession(sessionId);
+        }
+    }
+    /**
+     * Gets information about all active sessions
+     */
+    getActiveSessions() {
+        return Array.from(this.sessions.values()).map((session) => ({
+            ...session.info,
+        }));
+    }
+    /**
+     * Closes all active sessions
+     */
+    async closeAllSessions() {
+        const sessionIds = Array.from(this.sessions.keys());
+        await Promise.all(sessionIds.map((id) => this.closeSession(id)));
+    }
+    /**
+     * Attempts to reconnect a session
+     */
+    async reconnectSession(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            logger.warn("Session not found for reconnect", { sessionId });
+            return null;
+        }
+        if (!session.connectionParams) {
+            logger.warn("Session has no stored connection params", { sessionId });
+            return null;
+        }
+        logger.info("Attempting to reconnect session", {
+            sessionId,
+            host: session.info.host,
+        });
+        await this.closeSession(sessionId);
+        try {
+            const result = await this.openSession(session.connectionParams);
+            logger.info("Session reconnected successfully", {
+                oldSessionId: sessionId,
+                newSessionId: result.sessionId,
+            });
+            return result;
+        }
+        catch (error) {
+            logger.error("Failed to reconnect session", { sessionId, error });
+            throw error;
+        }
+    }
+    /**
+     * Checks if a session is alive by executing a simple command
+     */
+    async isSessionAlive(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            return false;
+        }
+        try {
+            const result = await session.ssh.execCommand("echo 1");
+            return result.code === 0;
+        }
+        catch (error) {
+            logger.debug("Session health check failed", { sessionId, error });
+            return false;
+        }
+    }
+    /**
+     * Gets session with auto-reconnect if disconnected
+     */
+    async getSessionWithReconnect(sessionId) {
+        const session = this.getSession(sessionId);
+        if (!session) {
+            return undefined;
+        }
+        if (!(await this.isSessionAlive(sessionId))) {
+            logger.info("Session disconnected, attempting reconnect", { sessionId });
+            if (session.connectionParams) {
+                try {
+                    await this.reconnectSession(sessionId);
+                    return undefined;
+                }
+                catch (error) {
+                    logger.error("Auto-reconnect failed", { sessionId, error });
+                    return undefined;
+                }
+            }
+        }
+        return session;
+    }
+}
+//# sourceMappingURL=session.js.map