npm - synapse-mcp - Versions diffs - 1.0.0 → 1.0.2 - Mend

synapse-mcp 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (413) hide show

package/README.md +1820 -147
package/dist/constants.d.ts +10 -4
package/dist/constants.d.ts.map +1 -1
package/dist/constants.js +18 -8
package/dist/constants.js.map +1 -1
package/dist/events/emitter.d.ts +63 -0
package/dist/events/emitter.d.ts.map +1 -0
package/dist/events/emitter.js +112 -0
package/dist/events/emitter.js.map +1 -0
package/dist/events/index.d.ts +3 -0
package/dist/events/index.d.ts.map +1 -0
package/dist/events/index.js +3 -0
package/dist/events/index.js.map +1 -0
package/dist/events/types.d.ts +51 -0
package/dist/events/types.d.ts.map +1 -0
package/dist/events/types.js +3 -0
package/dist/events/types.js.map +1 -0
package/dist/formatters/compose.d.ts +185 -0
package/dist/formatters/compose.d.ts.map +1 -0
package/dist/formatters/compose.js +397 -0
package/dist/formatters/compose.js.map +1 -0
package/dist/formatters/container.d.ts +84 -0
package/dist/formatters/container.d.ts.map +1 -0
package/dist/formatters/container.js +323 -0
package/dist/formatters/container.js.map +1 -0
package/dist/formatters/diagnostics.d.ts +20 -0
package/dist/formatters/diagnostics.d.ts.map +1 -0
package/dist/formatters/diagnostics.js +73 -0
package/dist/formatters/diagnostics.js.map +1 -0
package/dist/formatters/docker.d.ts +139 -0
package/dist/formatters/docker.d.ts.map +1 -0
package/dist/formatters/docker.js +216 -0
package/dist/formatters/docker.js.map +1 -0
package/dist/formatters/host.d.ts +137 -0
package/dist/formatters/host.d.ts.map +1 -0
package/dist/formatters/host.js +198 -0
package/dist/formatters/host.js.map +1 -0
package/dist/formatters/index.d.ts +17 -270
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +21 -456
package/dist/formatters/index.js.map +1 -1
package/dist/formatters/scout.d.ts +424 -0
package/dist/formatters/scout.d.ts.map +1 -0
package/dist/formatters/scout.js +687 -0
package/dist/formatters/scout.js.map +1 -0
package/dist/formatters/strategy.d.ts +105 -0
package/dist/formatters/strategy.d.ts.map +1 -0
package/dist/formatters/strategy.js +120 -0
package/dist/formatters/strategy.js.map +1 -0
package/dist/formatters/utils.d.ts +84 -0
package/dist/formatters/utils.d.ts.map +1 -0
package/dist/formatters/utils.js +129 -0
package/dist/formatters/utils.js.map +1 -0
package/dist/health-rate-limiter.d.ts +59 -0
package/dist/health-rate-limiter.d.ts.map +1 -0
package/dist/health-rate-limiter.js +159 -0
package/dist/health-rate-limiter.js.map +1 -0
package/dist/index.js +61 -100
package/dist/index.js.map +1 -1
package/dist/middleware/async-handler.d.ts +62 -0
package/dist/middleware/async-handler.d.ts.map +1 -0
package/dist/middleware/async-handler.js +58 -0
package/dist/middleware/async-handler.js.map +1 -0
package/dist/middleware/auth.d.ts +32 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +63 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/csrf-protection.d.ts +58 -0
package/dist/middleware/csrf-protection.d.ts.map +1 -0
package/dist/middleware/csrf-protection.js +123 -0
package/dist/middleware/csrf-protection.js.map +1 -0
package/dist/middleware/error-handler.d.ts +49 -0
package/dist/middleware/error-handler.d.ts.map +1 -0
package/dist/middleware/error-handler.js +90 -0
package/dist/middleware/error-handler.js.map +1 -0
package/dist/middleware/error-mapper.d.ts +44 -0
package/dist/middleware/error-mapper.d.ts.map +1 -0
package/dist/middleware/error-mapper.js +127 -0
package/dist/middleware/error-mapper.js.map +1 -0
package/dist/middleware/index.d.ts +13 -0
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +13 -0
package/dist/middleware/index.js.map +1 -0
package/dist/middleware/request-id.d.ts +22 -0
package/dist/middleware/request-id.d.ts.map +1 -0
package/dist/middleware/request-id.js +31 -0
package/dist/middleware/request-id.js.map +1 -0
package/dist/middleware/types.d.ts +33 -0
package/dist/middleware/types.d.ts.map +1 -0
package/dist/middleware/types.js +2 -0
package/dist/middleware/types.js.map +1 -0
package/dist/schemas/common.d.ts +205 -8
package/dist/schemas/common.d.ts.map +1 -1
package/dist/schemas/common.js +290 -17
package/dist/schemas/common.js.map +1 -1
package/dist/schemas/flux/compose.d.ts +307 -44
package/dist/schemas/flux/compose.d.ts.map +1 -1
package/dist/schemas/flux/compose.js +74 -48
package/dist/schemas/flux/compose.js.map +1 -1
package/dist/schemas/flux/container.d.ts +423 -56
package/dist/schemas/flux/container.d.ts.map +1 -1
package/dist/schemas/flux/container.js +83 -61
package/dist/schemas/flux/container.js.map +1 -1
package/dist/schemas/flux/docker.d.ts +254 -37
package/dist/schemas/flux/docker.d.ts.map +1 -1
package/dist/schemas/flux/docker.js +69 -39
package/dist/schemas/flux/docker.js.map +1 -1
package/dist/schemas/flux/host.d.ts +312 -29
package/dist/schemas/flux/host.d.ts.map +1 -1
package/dist/schemas/flux/host.js +74 -31
package/dist/schemas/flux/host.js.map +1 -1
package/dist/schemas/flux/index.d.ts +503 -11
package/dist/schemas/flux/index.d.ts.map +1 -1
package/dist/schemas/flux/index.js +34 -70
package/dist/schemas/flux/index.js.map +1 -1
package/dist/schemas/host-config.d.ts +76 -0
package/dist/schemas/host-config.d.ts.map +1 -0
package/dist/schemas/host-config.js +105 -0
package/dist/schemas/host-config.js.map +1 -0
package/dist/schemas/scout/index.d.ts +80 -23
package/dist/schemas/scout/index.d.ts.map +1 -1
package/dist/schemas/scout/index.js +26 -11
package/dist/schemas/scout/index.js.map +1 -1
package/dist/schemas/scout/logs.d.ts +17 -5
package/dist/schemas/scout/logs.d.ts.map +1 -1
package/dist/schemas/scout/logs.js +41 -31
package/dist/schemas/scout/logs.js.map +1 -1
package/dist/schemas/scout/simple.d.ts +126 -11
package/dist/schemas/scout/simple.d.ts.map +1 -1
package/dist/schemas/scout/simple.js +112 -57
package/dist/schemas/scout/simple.js.map +1 -1
package/dist/schemas/scout/zfs.d.ts +17 -5
package/dist/schemas/scout/zfs.d.ts.map +1 -1
package/dist/schemas/scout/zfs.js +34 -25
package/dist/schemas/scout/zfs.js.map +1 -1
package/dist/services/cache-layer.d.ts +160 -0
package/dist/services/cache-layer.d.ts.map +1 -0
package/dist/services/cache-layer.js +138 -0
package/dist/services/cache-layer.js.map +1 -0
package/dist/services/compose-cache.d.ts +75 -0
package/dist/services/compose-cache.d.ts.map +1 -0
package/dist/services/compose-cache.js +178 -0
package/dist/services/compose-cache.js.map +1 -0
package/dist/services/compose-discovery.d.ts +46 -0
package/dist/services/compose-discovery.d.ts.map +1 -0
package/dist/services/compose-discovery.js +219 -0
package/dist/services/compose-discovery.js.map +1 -0
package/dist/services/compose-project-lister.d.ts +27 -0
package/dist/services/compose-project-lister.d.ts.map +1 -0
package/dist/services/compose-project-lister.js +71 -0
package/dist/services/compose-project-lister.js.map +1 -0
package/dist/services/compose-scanner.d.ts +63 -0
package/dist/services/compose-scanner.d.ts.map +1 -0
package/dist/services/compose-scanner.js +253 -0
package/dist/services/compose-scanner.js.map +1 -0
package/dist/services/compose.d.ts +64 -28
package/dist/services/compose.d.ts.map +1 -1
package/dist/services/compose.js +220 -98
package/dist/services/compose.js.map +1 -1
package/dist/services/config-loader.d.ts +23 -0
package/dist/services/config-loader.d.ts.map +1 -0
package/dist/services/config-loader.js +124 -0
package/dist/services/config-loader.js.map +1 -0
package/dist/services/config-service.d.ts +38 -0
package/dist/services/config-service.d.ts.map +1 -0
package/dist/services/config-service.js +225 -0
package/dist/services/config-service.js.map +1 -0
package/dist/services/container-host-map-cache.d.ts +121 -0
package/dist/services/container-host-map-cache.d.ts.map +1 -0
package/dist/services/container-host-map-cache.js +188 -0
package/dist/services/container-host-map-cache.js.map +1 -0
package/dist/services/container.d.ts +194 -6
package/dist/services/container.d.ts.map +1 -1
package/dist/services/container.js +386 -11
package/dist/services/container.js.map +1 -1
package/dist/services/diagnostics.d.ts +57 -0
package/dist/services/diagnostics.d.ts.map +1 -0
package/dist/services/diagnostics.js +271 -0
package/dist/services/diagnostics.js.map +1 -0
package/dist/services/docker/container-service.d.ts +123 -0
package/dist/services/docker/container-service.d.ts.map +1 -0
package/dist/services/docker/container-service.js +347 -0
package/dist/services/docker/container-service.js.map +1 -0
package/dist/services/docker/image-service.d.ts +82 -0
package/dist/services/docker/image-service.d.ts.map +1 -0
package/dist/services/docker/image-service.js +193 -0
package/dist/services/docker/image-service.js.map +1 -0
package/dist/services/docker/index.d.ts +80 -0
package/dist/services/docker/index.d.ts.map +1 -0
package/dist/services/docker/index.js +103 -0
package/dist/services/docker/index.js.map +1 -0
package/dist/services/docker/network-service.d.ts +22 -0
package/dist/services/docker/network-service.d.ts.map +1 -0
package/dist/services/docker/network-service.js +43 -0
package/dist/services/docker/network-service.js.map +1 -0
package/dist/services/docker/system-service.d.ts +49 -0
package/dist/services/docker/system-service.d.ts.map +1 -0
package/dist/services/docker/system-service.js +215 -0
package/dist/services/docker/system-service.js.map +1 -0
package/dist/services/docker/utils/client-factory.d.ts +56 -0
package/dist/services/docker/utils/client-factory.d.ts.map +1 -0
package/dist/services/docker/utils/client-factory.js +139 -0
package/dist/services/docker/utils/client-factory.js.map +1 -0
package/dist/services/docker/utils/client-manager.d.ts +88 -0
package/dist/services/docker/utils/client-manager.d.ts.map +1 -0
package/dist/services/docker/utils/client-manager.js +124 -0
package/dist/services/docker/utils/client-manager.js.map +1 -0
package/dist/services/docker/utils/exec-handler.d.ts +94 -0
package/dist/services/docker/utils/exec-handler.d.ts.map +1 -0
package/dist/services/docker/utils/exec-handler.js +197 -0
package/dist/services/docker/utils/exec-handler.js.map +1 -0
package/dist/services/docker/utils/formatters.d.ts +13 -0
package/dist/services/docker/utils/formatters.d.ts.map +1 -0
package/dist/services/docker/utils/formatters.js +33 -0
package/dist/services/docker/utils/formatters.js.map +1 -0
package/dist/services/docker/utils/log-parser.d.ts +10 -0
package/dist/services/docker/utils/log-parser.d.ts.map +1 -0
package/dist/services/docker/utils/log-parser.js +48 -0
package/dist/services/docker/utils/log-parser.js.map +1 -0
package/dist/services/docker/utils/stats-calculator.d.ts +68 -0
package/dist/services/docker/utils/stats-calculator.d.ts.map +1 -0
package/dist/services/docker/utils/stats-calculator.js +61 -0
package/dist/services/docker/utils/stats-calculator.js.map +1 -0
package/dist/services/docker/volume-service.d.ts +22 -0
package/dist/services/docker/volume-service.d.ts.map +1 -0
package/dist/services/docker/volume-service.js +48 -0
package/dist/services/docker/volume-service.js.map +1 -0
package/dist/services/docker-interfaces.d.ts +283 -0
package/dist/services/docker-interfaces.d.ts.map +1 -0
package/dist/services/docker-interfaces.js +13 -0
package/dist/services/docker-interfaces.js.map +1 -0
package/dist/services/docker.d.ts +42 -5
package/dist/services/docker.d.ts.map +1 -1
package/dist/services/docker.js +335 -127
package/dist/services/docker.js.map +1 -1
package/dist/services/file-service.d.ts +6 -2
package/dist/services/file-service.d.ts.map +1 -1
package/dist/services/file-service.js +156 -52
package/dist/services/file-service.js.map +1 -1
package/dist/services/host-config-repository.d.ts +133 -0
package/dist/services/host-config-repository.d.ts.map +1 -0
package/dist/services/host-config-repository.js +323 -0
package/dist/services/host-config-repository.js.map +1 -0
package/dist/services/host-resolver.d.ts +49 -0
package/dist/services/host-resolver.d.ts.map +1 -0
package/dist/services/host-resolver.js +176 -0
package/dist/services/host-resolver.js.map +1 -0
package/dist/services/interfaces.d.ts +61 -194
package/dist/services/interfaces.d.ts.map +1 -1
package/dist/services/local-executor.d.ts +31 -0
package/dist/services/local-executor.d.ts.map +1 -0
package/dist/services/local-executor.js +71 -0
package/dist/services/local-executor.js.map +1 -0
package/dist/services/ssh-config-loader.d.ts +35 -0
package/dist/services/ssh-config-loader.d.ts.map +1 -0
package/dist/services/ssh-config-loader.js +218 -0
package/dist/services/ssh-config-loader.js.map +1 -0
package/dist/services/ssh-pool.d.ts +26 -1
package/dist/services/ssh-pool.d.ts.map +1 -1
package/dist/services/ssh-pool.js +166 -25
package/dist/services/ssh-pool.js.map +1 -1
package/dist/services/ssh-service.d.ts +3 -0
package/dist/services/ssh-service.d.ts.map +1 -1
package/dist/services/ssh-service.js +53 -31
package/dist/services/ssh-service.js.map +1 -1
package/dist/services/ssh.d.ts +2 -6
package/dist/services/ssh.d.ts.map +1 -1
package/dist/services/ssh.js +9 -40
package/dist/services/ssh.js.map +1 -1
package/dist/tools/definitions/flux.d.ts +13 -0
package/dist/tools/definitions/flux.d.ts.map +1 -0
package/dist/tools/definitions/flux.js +101 -0
package/dist/tools/definitions/flux.js.map +1 -0
package/dist/tools/definitions/index.d.ts +8 -0
package/dist/tools/definitions/index.d.ts.map +1 -0
package/dist/tools/definitions/index.js +8 -0
package/dist/tools/definitions/index.js.map +1 -0
package/dist/tools/definitions/scout.d.ts +13 -0
package/dist/tools/definitions/scout.d.ts.map +1 -0
package/dist/tools/definitions/scout.js +78 -0
package/dist/tools/definitions/scout.js.map +1 -0
package/dist/tools/flux.d.ts +16 -8
package/dist/tools/flux.d.ts.map +1 -1
package/dist/tools/flux.js +27 -66
package/dist/tools/flux.js.map +1 -1
package/dist/tools/handlers/base-handler.d.ts +172 -0
package/dist/tools/handlers/base-handler.d.ts.map +1 -0
package/dist/tools/handlers/base-handler.js +234 -0
package/dist/tools/handlers/base-handler.js.map +1 -0
package/dist/tools/handlers/compose-handlers.d.ts +108 -0
package/dist/tools/handlers/compose-handlers.d.ts.map +1 -0
package/dist/tools/handlers/compose-handlers.js +293 -0
package/dist/tools/handlers/compose-handlers.js.map +1 -0
package/dist/tools/handlers/compose-utils.d.ts +35 -0
package/dist/tools/handlers/compose-utils.d.ts.map +1 -0
package/dist/tools/handlers/compose-utils.js +76 -0
package/dist/tools/handlers/compose-utils.js.map +1 -0
package/dist/tools/handlers/compose.d.ts +23 -0
package/dist/tools/handlers/compose.d.ts.map +1 -0
package/dist/tools/handlers/compose.js +125 -0
package/dist/tools/handlers/compose.js.map +1 -0
package/dist/tools/handlers/container.d.ts +23 -0
package/dist/tools/handlers/container.d.ts.map +1 -0
package/dist/tools/handlers/container.js +333 -0
package/dist/tools/handlers/container.js.map +1 -0
package/dist/tools/handlers/docker.d.ts +24 -0
package/dist/tools/handlers/docker.d.ts.map +1 -0
package/dist/tools/handlers/docker.js +155 -0
package/dist/tools/handlers/docker.js.map +1 -0
package/dist/tools/handlers/host.d.ts +23 -0
package/dist/tools/handlers/host.d.ts.map +1 -0
package/dist/tools/handlers/host.js +196 -0
package/dist/tools/handlers/host.js.map +1 -0
package/dist/tools/handlers/scout-logs.d.ts +24 -0
package/dist/tools/handlers/scout-logs.d.ts.map +1 -0
package/dist/tools/handlers/scout-logs.js +119 -0
package/dist/tools/handlers/scout-logs.js.map +1 -0
package/dist/tools/handlers/scout-simple.d.ts +23 -0
package/dist/tools/handlers/scout-simple.d.ts.map +1 -0
package/dist/tools/handlers/scout-simple.js +286 -0
package/dist/tools/handlers/scout-simple.js.map +1 -0
package/dist/tools/handlers/scout-zfs.d.ts +23 -0
package/dist/tools/handlers/scout-zfs.d.ts.map +1 -0
package/dist/tools/handlers/scout-zfs.js +82 -0
package/dist/tools/handlers/scout-zfs.js.map +1 -0
package/dist/tools/index.d.ts +32 -2
package/dist/tools/index.d.ts.map +1 -1
package/dist/tools/index.js +41 -35
package/dist/tools/index.js.map +1 -1
package/dist/tools/registry.d.ts +135 -0
package/dist/tools/registry.d.ts.map +1 -0
package/dist/tools/registry.js +151 -0
package/dist/tools/registry.js.map +1 -0
package/dist/tools/scout.d.ts +16 -8
package/dist/tools/scout.d.ts.map +1 -1
package/dist/tools/scout.js +36 -78
package/dist/tools/scout.js.map +1 -1
package/dist/types.d.ts +629 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/command-security.d.ts +82 -0
package/dist/utils/command-security.d.ts.map +1 -0
package/dist/utils/command-security.js +122 -0
package/dist/utils/command-security.js.map +1 -0
package/dist/utils/error-sanitization.d.ts +77 -0
package/dist/utils/error-sanitization.d.ts.map +1 -0
package/dist/utils/error-sanitization.js +107 -0
package/dist/utils/error-sanitization.js.map +1 -0
package/dist/utils/errors.d.ts +30 -6
package/dist/utils/errors.d.ts.map +1 -1
package/dist/utils/errors.js +91 -12
package/dist/utils/errors.js.map +1 -1
package/dist/utils/help-handler.d.ts +23 -0
package/dist/utils/help-handler.d.ts.map +1 -0
package/dist/utils/help-handler.js +21 -0
package/dist/utils/help-handler.js.map +1 -0
package/dist/utils/help.d.ts +1 -1
package/dist/utils/help.d.ts.map +1 -1
package/dist/utils/help.js +57 -16
package/dist/utils/help.js.map +1 -1
package/dist/utils/host-utils.d.ts +31 -0
package/dist/utils/host-utils.d.ts.map +1 -0
package/dist/utils/host-utils.js +80 -0
package/dist/utils/host-utils.js.map +1 -0
package/dist/utils/index.d.ts +8 -2
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +8 -2
package/dist/utils/index.js.map +1 -1
package/dist/utils/init-detection.d.ts +36 -0
package/dist/utils/init-detection.d.ts.map +1 -0
package/dist/utils/init-detection.js +79 -0
package/dist/utils/init-detection.js.map +1 -0
package/dist/utils/logger.d.ts +11 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +32 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/pagination.d.ts +20 -0
package/dist/utils/pagination.d.ts.map +1 -0
package/dist/utils/pagination.js +29 -0
package/dist/utils/pagination.js.map +1 -0
package/dist/utils/path-security.d.ts +132 -18
package/dist/utils/path-security.d.ts.map +1 -1
package/dist/utils/path-security.js +164 -35
package/dist/utils/path-security.js.map +1 -1
package/dist/utils/sorting.d.ts +33 -0
package/dist/utils/sorting.d.ts.map +1 -0
package/dist/utils/sorting.js +57 -0
package/dist/utils/sorting.js.map +1 -0
package/dist/utils/text-filters.d.ts +13 -0
package/dist/utils/text-filters.d.ts.map +1 -0
package/dist/utils/text-filters.js +18 -0
package/dist/utils/text-filters.js.map +1 -0
package/dist/utils/time.d.ts +11 -0
package/dist/utils/time.d.ts.map +1 -0
package/dist/utils/time.js +13 -0
package/dist/utils/time.js.map +1 -0
package/dist/utils/validation.d.ts +25 -0
package/dist/utils/validation.d.ts.map +1 -0
package/dist/utils/validation.js +56 -0
package/dist/utils/validation.js.map +1 -0
package/package.json +45 -19
package/dist/schemas/discriminator.d.ts +0 -20
package/dist/schemas/discriminator.d.ts.map +0 -1
package/dist/schemas/discriminator.js +0 -25
package/dist/schemas/discriminator.js.map +0 -1
package/dist/schemas/unified.d.ts +0 -674
package/dist/schemas/unified.d.ts.map +0 -1
package/dist/schemas/unified.js +0 -453
package/dist/schemas/unified.js.map +0 -1
package/dist/tools/unified.d.ts +0 -7
package/dist/tools/unified.d.ts.map +0 -1
package/dist/tools/unified.js +0 -827
package/dist/tools/unified.js.map +0 -1

package/dist/utils/path-security.js CHANGED Viewed

@@ -18,7 +18,6 @@
  * @see https://cwe.mitre.org/data/definitions/22.html
  * @see https://cwe.mitre.org/data/definitions/78.html
  */
-import { resolve } from "node:path";
 /**
  * Security error for invalid host format
  */
@@ -31,37 +30,115 @@ export class HostSecurityError extends Error {
     }
 }
 // Pattern for valid hostnames: alphanumeric, dots, hyphens, underscores
-const VALID_HOST_PATTERN = /^[a-zA-Z0-9._-]+$/;
+const VALID_HOSTNAME_PATTERN = /^[a-zA-Z0-9._-]+$/;
 // Dangerous shell characters that could enable command injection
 const DANGEROUS_HOST_CHARS = /[;|$`&<>(){}[\]'"\\!#*?]/;
 /**
- * Validates hostname format to prevent command injection
+ * Shell metacharacters that could enable command injection in SSH arguments
+ * More permissive than DANGEROUS_HOST_CHARS to allow valid argument values
+ */
+const SHELL_METACHARACTERS = /[;&|`$()<>{}[\]\\"\n\r\t]/;
+/**
+ * Pattern for valid systemd service names
+ * Allows alphanumeric characters plus @ . _ -
+ */
+export const SYSTEMD_SERVICE_NAME_PATTERN = /^[a-zA-Z0-9@._-]+$/;
+/**
+ * Validates hostname format to prevent command injection.
+ *
+ * Security: Prevents CWE-78 (OS Command Injection) by rejecting shell metacharacters
+ * that could be used to inject arbitrary commands when hostname is used in SSH commands.
+ * @see https://cwe.mitre.org/data/definitions/78.html
+ *
+ * @param hostname - Hostname to validate (must match pattern: alphanumeric, dots, hyphens, underscores)
+ * @throws {HostSecurityError} If hostname is empty, contains dangerous characters, or has invalid format
+ * @example
+ * ```typescript
+ * validateHostname("proxy.example.com"); // valid
+ * validateHostname("host-01"); // valid
+ * validateHostname("bad;rm -rf /"); // throws HostSecurityError
+ * ```
+ */
+export function validateHostname(hostname) {
+    if (!hostname || hostname.length === 0) {
+        throw new HostSecurityError("Hostname cannot be empty", hostname);
+    }
+    if (DANGEROUS_HOST_CHARS.test(hostname)) {
+        throw new HostSecurityError(`Invalid characters in hostname: ${hostname.substring(0, 50)}`, hostname);
+    }
+    if (!VALID_HOSTNAME_PATTERN.test(hostname)) {
+        throw new HostSecurityError(`Invalid hostname format: ${hostname.substring(0, 50)}`, hostname);
+    }
+}
+/**
+ * Security error for SSH argument validation
+ */
+export class SSHArgSecurityError extends Error {
+    arg;
+    paramName;
+    constructor(message, arg, paramName) {
+        super(message);
+        this.arg = arg;
+        this.paramName = paramName;
+        this.name = "SSHArgSecurityError";
+    }
+}
+/**
+ * Validates SSH command argument to prevent command injection.
+ *
+ * Security: Prevents CWE-77 (Command Injection) and CWE-78 (OS Command Injection)
+ * by rejecting shell metacharacters. The SSH service joins args with spaces and executes
+ * as a shell command, so an attacker could inject arbitrary commands (e.g., "running; rm -rf /").
+ * @see https://cwe.mitre.org/data/definitions/77.html
+ * @see https://cwe.mitre.org/data/definitions/78.html
  *
- * @param host - Hostname to validate
- * @throws HostSecurityError if host contains dangerous characters
+ * @param arg - Argument value to validate (max 500 characters, no shell metacharacters)
+ * @param paramName - Name of the parameter (used in error messages for context)
+ * @throws {SSHArgSecurityError} If arg is empty, contains shell metacharacters, or exceeds 500 characters
+ * @example
+ * ```typescript
+ * validateSSHArg("running", "status"); // valid
+ * validateSSHArg("docker-compose.yml", "file"); // valid
+ * validateSSHArg("arg; rm -rf /", "input"); // throws SSHArgSecurityError
+ * ```
  */
-export function validateHostFormat(host) {
-    if (!host || host.length === 0) {
-        throw new HostSecurityError("Host cannot be empty", host);
+export function validateSSHArg(arg, paramName) {
+    if (!arg || arg.length === 0) {
+        throw new SSHArgSecurityError(`${paramName} cannot be empty`, arg, paramName);
     }
-    if (DANGEROUS_HOST_CHARS.test(host)) {
-        throw new HostSecurityError(`Invalid characters in hostname: ${host.substring(0, 50)}`, host);
+    if (SHELL_METACHARACTERS.test(arg)) {
+        throw new SSHArgSecurityError(`Invalid character in ${paramName}: shell metacharacters not allowed`, arg.substring(0, 50), paramName);
     }
-    if (!VALID_HOST_PATTERN.test(host)) {
-        throw new HostSecurityError(`Invalid hostname format: ${host.substring(0, 50)}`, host);
+    // Additional safety: reject extremely long arguments (DoS prevention)
+    if (arg.length > 500) {
+        throw new SSHArgSecurityError(`${paramName} too long: maximum 500 characters allowed`, arg.substring(0, 50), paramName);
     }
 }
+/**
+ * @deprecated Use validateServiceName from validation.ts instead
+ * Re-exported for backwards compatibility
+ */
+export { validateServiceName as validateSystemdServiceName } from "./validation.js";
 /**
  * Escapes a string for safe use as a shell argument.
- * Uses single quotes with proper escaping for embedded single quotes.
  *
- * @param arg - String to escape
- * @returns Safely quoted string
+ * Security: Prevents CWE-78 (OS Command Injection) by wrapping argument in single quotes
+ * and properly escaping any embedded single quotes using the '\'' sequence.
+ * @see https://cwe.mitre.org/data/definitions/78.html
+ *
+ * @param arg - String to escape for shell usage
+ * @returns Safely quoted string suitable for shell command construction
+ * @example
+ * ```typescript
+ * escapeShellArg("hello world"); // returns: 'hello world'
+ * escapeShellArg("it's a test"); // returns: 'it'\''s a test'
+ * escapeShellArg("$(rm -rf /)"); // returns: '$(rm -rf /)' (neutered)
+ * ```
  */
 export function escapeShellArg(arg) {
     // Single quote the entire string, escaping any embedded single quotes
     // by ending the quote, adding an escaped single quote, and starting a new quote
-    return "'" + arg.replace(/'/g, "'\\''") + "'";
+    return `'${arg.replace(/'/g, "'\\''")}'`;
 }
 /**
  * System paths that should trigger warnings when used as transfer targets
@@ -75,29 +152,86 @@ const SYSTEM_PATH_PREFIXES = [
     "/lib",
     "/lib64",
     "/boot",
-    "/root"
+    "/root",
 ];
 /**
- * Checks if a path is a system path that should be protected
+ * Checks if a path is a system path that should be protected from modification.
  *
- * @param path - Path to check
- * @returns true if path is in a system directory
+ * Identifies paths in critical system directories (/etc, /bin, /sbin, /usr/bin, /usr/sbin,
+ * /lib, /lib64, /boot, /root) that typically require elevated privileges and should
+ * trigger warnings when used as transfer targets.
+ *
+ * @param path - Absolute path to check against system directory prefixes
+ * @returns true if path is in a system directory, false otherwise
+ * @example
+ * ```typescript
+ * isSystemPath("/etc/nginx/nginx.conf"); // true
+ * isSystemPath("/home/user/file.txt"); // false
+ * isSystemPath("/usr/bin/curl"); // true
+ * ```
  */
 export function isSystemPath(path) {
-    return SYSTEM_PATH_PREFIXES.some((prefix) => path === prefix || path.startsWith(prefix + "/"));
+    return SYSTEM_PATH_PREFIXES.some((prefix) => path === prefix || path.startsWith(`${prefix}/`));
 }
 /**
- * Validates that a file path is safe from directory traversal attacks
+ * Validates that a file path is safe from directory traversal attacks.
  *
- * Rules:
+ * Security: Prevents CWE-22 (Path Traversal) by enforcing strict path validation rules
+ * to prevent attackers from accessing files outside intended directories.
+ * @see https://cwe.mitre.org/data/definitions/22.html
+ *
+ * SECURITY (S-M5, CWE-22): Character Set Restrictions
+ * ----------------------------------------------------
+ * This function deliberately uses a conservative character whitelist to prioritize
+ * security over flexibility. The allowed character set is: [a-zA-Z0-9._\-/]
+ *
+ * **Allowed:**
+ * - Alphanumeric: a-z, A-Z, 0-9
+ * - Separators: forward slash (/)
+ * - Safe punctuation: dot (.), hyphen (-), underscore (_)
+ *
+ * **Explicitly Rejected:**
+ * - Spaces: Rejected to prevent parsing ambiguity in shell contexts and URL encoding issues
+ * - Colons: Rejected to prevent NTFS alternate data stream access (Windows) and URL scheme confusion
+ * - Backslashes: Rejected to prevent Windows path traversal and escape sequence injection
+ * - Shell metacharacters: &, |, ;, $, `, <, >, (, ), {, }, [, ], *, ?, ~, !, #, @
+ *
+ * **Design Rationale:**
+ * While spaces and colons are technically valid in POSIX paths, they create security risks:
+ * 1. Spaces require proper quoting in shell contexts (SSH commands, Docker exec)
+ * 2. Colons enable Windows alternate data streams (file.txt:hidden) and path separator confusion
+ * 3. Conservative whitelist prevents future attack vectors as new exploits are discovered
+ *
+ * **If you need paths with spaces or colons:**
+ * Use escapeShellArg() for shell command construction, but understand this function
+ * deliberately rejects them at the validation layer as a defense-in-depth measure.
+ * The security review (02-security-performance.md, S-M5) concluded: "Security over flexibility."
+ *
+ * Validation rules:
  * 1. Must be absolute path (starts with /)
- * 2. Cannot contain .. (parent directory)
- * 3. Cannot contain . as a path component (except in filenames)
- * 4. Must contain only allowed characters: a-zA-Z0-9._-/
+ * 2. Cannot contain .. (parent directory traversal)
+ * 3. Cannot contain . as a standalone component (current directory)
+ * 4. Must contain only safe characters: a-zA-Z0-9._-/
+ * 5. Path resolution must not result in traversal
  *
- * @param path - The file path to validate
- * @param paramName - Name of the parameter (for error messages)
- * @throws Error if path contains directory traversal or is invalid
+ * @param path - The file path to validate (must be absolute)
+ * @param paramName - Name of the parameter (used in error messages for context)
+ * @throws {Error} If path is empty, contains traversal sequences, has invalid characters, or is not absolute
+ * @example
+ * ```typescript
+ * // Valid paths
+ * validateSecurePath("/data/files/doc.txt", "file"); // OK
+ * validateSecurePath("/app/config.json", "config"); // OK
+ * validateSecurePath("/srv/docker-compose.yml", "file"); // OK (hyphens allowed)
+ * validateSecurePath("/home/user_name/file.tar.gz", "archive"); // OK (underscores, dots allowed)
+ *
+ * // Rejected for security
+ * validateSecurePath("../../../etc/passwd", "file"); // throws: relative path with traversal
+ * validateSecurePath("/valid/../../../etc/passwd", "file"); // throws: traversal sequence
+ * validateSecurePath("/path with spaces/file.txt", "file"); // throws: spaces not allowed
+ * validateSecurePath("/path:alternate/file", "file"); // throws: colons not allowed
+ * validateSecurePath("/path/$(rm -rf /)", "file"); // throws: shell metacharacters not allowed
+ * ```
  */
 export function validateSecurePath(path, paramName) {
     // 1. Check for empty path
@@ -128,11 +262,6 @@ export function validateSecurePath(path, paramName) {
             throw new Error(`${paramName}: directory traversal (.) not allowed in path: ${path}`);
         }
     }
-    // 5. Additional safety check: resolve path and verify it doesn't traverse
-    // This catches cases like /valid/path/../../etc that might slip through
-    const resolved = resolve(path);
-    if (!resolved.startsWith(path.split("/")[1] ? `/${path.split("/")[1]}` : "/")) {
-        throw new Error(`${paramName}: Path resolution resulted in directory traversal: ${path}`);
-    }
+    // Path is secure - all ".." and "." components rejected, absolute path verified
 }
 //# sourceMappingURL=path-security.js.map

package/dist/utils/path-security.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"path-security.js","sourceRoot":"","sources":["../../src/utils/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH~~,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC~~;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAGxB;IAFlB,YACE,OAAe,EACC,IAAY;QAE5B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,SAAI,GAAJ,IAAI,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,wEAAwE;AACxE,MAAM,~~kBAAkB~~,GAAG,mBAAmB,CAAC;~~AAE/C~~,iEAAiE;AACjE,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;AAExD~~;;;;;GAKG~~;AACH,MAAM,UAAU,~~kBAAkB~~,CAAC,~~IAAY~~;~~IAC7C~~,IAAI,CAAC,~~IAAI~~,IAAI,~~IAAI~~,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;~~QAC/B~~,MAAM,IAAI,iBAAiB,CAAC,~~sBAAsB~~,EAAE,~~IAAI~~,CAAC,CAAC;~~IAC5D~~,CAAC;IAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,~~IAAI~~,CAAC,EAAE,CAAC;~~QACpC~~,MAAM,IAAI,iBAAiB,~~CAAC~~,mCAAmC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;~~IAChG~~,CAAC;~~IAED~~,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,~~iBAAiB~~,~~CAAC~~,~~4BAA4B~~,~~IAAI~~,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,~~EAAE~~,EAAE,IAAI,CAAC,CAAC;~~IACzF~~,CAAC;AACH,CAAC;AAED~~;;;;;;GAMG~~;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,sEAAsE;IACtE,gFAAgF;IAChF,OAAO,~~GAAG~~,GAAG,~~GAAG,~~CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,~~GAAG,~~CAAC;~~AAChD~~,CAAC;AAED;;GAEG;AACH,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,MAAM;IACN,OAAO;IACP,UAAU;IACV,WAAW;IACX,MAAM;IACN,QAAQ;IACR,OAAO;IACP,OAAO;CACR,CAAC;AAEF~~;;;;;GAKG~~;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,~~GAAG,~~CAAC,CAAC,CAAC;AACjG,CAAC;AAED~~;;;;;;;;;;;;GAYG~~;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,SAAiB;IAChE,0BAA0B;IAC1B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,wBAAwB,CAAC,CAAC;IACxD,CAAC;IAED,iGAAiG;IACjG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,iCAAiC,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,mEAAmE;IACnE,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE/D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,8DAA8D;QAC9D,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,mDAAmD,IAAI,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,kCAAkC,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,oEAAoE;IACpE,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,yDAAyD;QACzD,+DAA+D;QAC/D,IAAI,SAAS,KAAK,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,kDAAkD,IAAI,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED,~~0EAA0E~~;~~IAC1E~~,~~wEAAwE;IACxE,MAAM,QAAQ,GAAG,OAAO,~~CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,sDAAsD,IAAI,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC"}
1	+ {"version":3,"file":"path-security.js","sourceRoot":"","sources":["../../src/utils/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAGxB;IAFlB,YACE,OAAe,EACC,IAAY;QAE5B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,SAAI,GAAJ,IAAI,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,wEAAwE;AACxE,MAAM,sBAAsB,GAAG,mBAAmB,CAAC;AAEnD,iEAAiE;AACjE,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;AAExD;;;GAGG;AACH,MAAM,oBAAoB,GAAG,2BAA2B,CAAC;AAEzD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,oBAAoB,CAAC;AAEjE;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,iBAAiB,CAAC,0BAA0B,EAAE,QAAQ,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,iBAAiB,CACzB,mCAAmC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAC9D,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,iBAAiB,CAAC,4BAA4B,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjG,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAG1B;IACA;IAHlB,YACE,OAAe,EACC,GAAW,EACX,SAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,QAAG,GAAH,GAAG,CAAQ;QACX,cAAS,GAAT,SAAS,CAAQ;QAGjC,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,SAAiB;IAC3D,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,mBAAmB,CAAC,GAAG,SAAS,kBAAkB,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,mBAAmB,CAC3B,wBAAwB,SAAS,oCAAoC,EACrE,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EACpB,SAAS,CACV,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACrB,MAAM,IAAI,mBAAmB,CAC3B,GAAG,SAAS,2CAA2C,EACvD,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EACpB,SAAS,CACV,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,OAAO,EAAE,mBAAmB,IAAI,0BAA0B,EAAE,MAAM,iBAAiB,CAAC;AAEpF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,sEAAsE;IACtE,gFAAgF;IAChF,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,MAAM;IACN,OAAO;IACP,UAAU;IACV,WAAW;IACX,MAAM;IACN,QAAQ;IACR,OAAO;IACP,OAAO;CACR,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC;AACjG,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,SAAiB;IAChE,0BAA0B;IAC1B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,wBAAwB,CAAC,CAAC;IACxD,CAAC;IAED,iGAAiG;IACjG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,iCAAiC,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,mEAAmE;IACnE,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE/D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,8DAA8D;QAC9D,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,mDAAmD,IAAI,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,kCAAkC,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,oEAAoE;IACpE,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,yDAAyD;QACzD,+DAA+D;QAC/D,IAAI,SAAS,KAAK,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,kDAAkD,IAAI,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED,gFAAgF;AAClF,CAAC"}

package/dist/utils/sorting.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * Shared severity sorting utilities (STYLE.md Section 12).
+ *
+ * Provides a generic severity-first sort function used by container,
+ * compose, and host formatters.
+ */
+/**
+ * Predefined severity orders for container states.
+ * Lower values appear first (most critical).
+ */
+export declare const CONTAINER_SEVERITY: Record<string, number>;
+/**
+ * Predefined severity orders for compose project statuses.
+ * Lower values appear first (most critical).
+ */
+export declare const COMPOSE_PROJECT_SEVERITY: Record<string, number>;
+/**
+ * Predefined severity orders for compose service statuses.
+ * Lower values appear first (most critical).
+ */
+export declare const COMPOSE_SERVICE_SEVERITY: Record<string, number>;
+/**
+ * Sort items by severity, with lowest severity value appearing first.
+ * Items with unknown states are placed at the end.
+ *
+ * @param items - Array to sort (not mutated)
+ * @param getState - Function to extract the state/status string from an item
+ * @param severityOrder - Map of state strings to numeric severity (lower = more critical)
+ * @param getSecondaryKey - Optional function for tiebreaking (typically name); uses localeCompare
+ * @returns New sorted array
+ */
+export declare function sortBySeverity<T>(items: readonly T[], getState: (item: T) => string, severityOrder: Record<string, number>, getSecondaryKey?: (item: T) => string): T[];
+//# sourceMappingURL=sorting.d.ts.map

package/dist/utils/sorting.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sorting.d.ts","sourceRoot":"","sources":["../../src/utils/sorting.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAOrD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAI3D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAG3D,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAC9B,KAAK,EAAE,SAAS,CAAC,EAAE,EACnB,QAAQ,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,MAAM,EAC7B,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,MAAM,GACpC,CAAC,EAAE,CAQL"}

package/dist/utils/sorting.js ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Shared severity sorting utilities (STYLE.md Section 12).
+ *
+ * Provides a generic severity-first sort function used by container,
+ * compose, and host formatters.
+ */
+/**
+ * Predefined severity orders for container states.
+ * Lower values appear first (most critical).
+ */
+export const CONTAINER_SEVERITY = {
+    exited: 0,
+    dead: 1,
+    stopped: 2,
+    paused: 3,
+    restarting: 4,
+    running: 5,
+};
+/**
+ * Predefined severity orders for compose project statuses.
+ * Lower values appear first (most critical).
+ */
+export const COMPOSE_PROJECT_SEVERITY = {
+    partial: 0,
+    running: 1,
+    stopped: 2,
+};
+/**
+ * Predefined severity orders for compose service statuses.
+ * Lower values appear first (most critical).
+ */
+export const COMPOSE_SERVICE_SEVERITY = {
+    stopped: 0,
+    running: 1,
+};
+/**
+ * Sort items by severity, with lowest severity value appearing first.
+ * Items with unknown states are placed at the end.
+ *
+ * @param items - Array to sort (not mutated)
+ * @param getState - Function to extract the state/status string from an item
+ * @param severityOrder - Map of state strings to numeric severity (lower = more critical)
+ * @param getSecondaryKey - Optional function for tiebreaking (typically name); uses localeCompare
+ * @returns New sorted array
+ */
+export function sortBySeverity(items, getState, severityOrder, getSecondaryKey) {
+    return [...items].sort((a, b) => {
+        const aSeverity = severityOrder[getState(a)] ?? 999;
+        const bSeverity = severityOrder[getState(b)] ?? 999;
+        if (aSeverity !== bSeverity)
+            return aSeverity - bSeverity;
+        if (getSecondaryKey)
+            return getSecondaryKey(a).localeCompare(getSecondaryKey(b));
+        return 0;
+    });
+}
+//# sourceMappingURL=sorting.js.map

package/dist/utils/sorting.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sorting.js","sourceRoot":"","sources":["../../src/utils/sorting.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAA2B;IACxD,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,OAAO,EAAE,CAAC;IACV,MAAM,EAAE,CAAC;IACT,UAAU,EAAE,CAAC;IACb,OAAO,EAAE,CAAC;CACX,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAA2B;IAC9D,OAAO,EAAE,CAAC;IACV,OAAO,EAAE,CAAC;IACV,OAAO,EAAE,CAAC;CACX,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAA2B;IAC9D,OAAO,EAAE,CAAC;IACV,OAAO,EAAE,CAAC;CACX,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAC5B,KAAmB,EACnB,QAA6B,EAC7B,aAAqC,EACrC,eAAqC;IAErC,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC9B,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;QACpD,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;QACpD,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,SAAS,GAAG,SAAS,CAAC;QAC1D,IAAI,eAAe;YAAE,OAAO,eAAe,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;QACjF,OAAO,CAAC,CAAC;IACX,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/utils/text-filters.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * Apply grep filter to output string using String.includes()
+ *
+ * SECURITY: Uses JavaScript String.includes() for filtering,
+ * making it immune to shell injection. The grep parameter can
+ * safely contain any characters that pass jsFilterSchema validation.
+ *
+ * @param output - Multi-line string to filter
+ * @param grep - Optional pattern to filter lines by (case-sensitive)
+ * @returns Filtered output with matching lines joined by newlines
+ */
+export declare function applyGrepFilter(output: string, grep?: string): string;
+//# sourceMappingURL=text-filters.d.ts.map

package/dist/utils/text-filters.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"text-filters.d.ts","sourceRoot":"","sources":["../../src/utils/text-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAIrE"}

package/dist/utils/text-filters.js ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Apply grep filter to output string using String.includes()
+ *
+ * SECURITY: Uses JavaScript String.includes() for filtering,
+ * making it immune to shell injection. The grep parameter can
+ * safely contain any characters that pass jsFilterSchema validation.
+ *
+ * @param output - Multi-line string to filter
+ * @param grep - Optional pattern to filter lines by (case-sensitive)
+ * @returns Filtered output with matching lines joined by newlines
+ */
+export function applyGrepFilter(output, grep) {
+    if (!grep)
+        return output;
+    const lines = output.split("\n");
+    return lines.filter((line) => line.includes(grep)).join("\n");
+}
+//# sourceMappingURL=text-filters.js.map

package/dist/utils/text-filters.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"text-filters.js","sourceRoot":"","sources":["../../src/utils/text-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc,EAAE,IAAa;IAC3D,IAAI,CAAC,IAAI;QAAE,OAAO,MAAM,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChE,CAAC"}

package/dist/utils/time.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Time utility functions
+ */
+/**
+ * Get current timestamp in ISO 8601 format
+ * Centralized timestamp generation for consistency across the codebase
+ *
+ * @returns ISO 8601 timestamp string (e.g., "2026-02-14T12:34:56.789Z")
+ */
+export declare function getCurrentTimestamp(): string;
+//# sourceMappingURL=time.d.ts.map

package/dist/utils/time.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"time.d.ts","sourceRoot":"","sources":["../../src/utils/time.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;GAKG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C"}

package/dist/utils/time.js ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * Time utility functions
+ */
+/**
+ * Get current timestamp in ISO 8601 format
+ * Centralized timestamp generation for consistency across the codebase
+ *
+ * @returns ISO 8601 timestamp string (e.g., "2026-02-14T12:34:56.789Z")
+ */
+export function getCurrentTimestamp() {
+    return new Date().toISOString();
+}
+//# sourceMappingURL=time.js.map

package/dist/utils/time.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"time.js","sourceRoot":"","sources":["../../src/utils/time.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AAClC,CAAC"}

package/dist/utils/validation.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Centralized validation utilities
+ * Consolidates duplicated validation logic from across the codebase
+ */
+/**
+ * Validates alphanumeric string (letters, numbers, dots, dashes, underscores)
+ *
+ * @param value - Value to validate
+ * @param name - Parameter name for error messages
+ * @param options - Optional flags for allowing slashes and tildes
+ * @throws Error if value contains invalid characters
+ */
+export declare function validateAlphanumeric(value: string, name: string, options?: {
+    allowSlash?: boolean;
+    allowTilde?: boolean;
+}): void;
+/**
+ * Validates systemd service name format
+ * Consolidates validation from 4 locations
+ *
+ * @param service - Service name to validate
+ * @throws SSHArgSecurityError if service name is invalid
+ */
+export declare function validateServiceName(service: string): void;
+//# sourceMappingURL=validation.d.ts.map

package/dist/utils/validation.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE;IAAE,UAAU,CAAC,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,OAAO,CAAA;CAAO,GAC3D,IAAI,CAwBN;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAYzD"}

package/dist/utils/validation.js ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Centralized validation utilities
+ * Consolidates duplicated validation logic from across the codebase
+ */
+import { SSHArgSecurityError, SYSTEMD_SERVICE_NAME_PATTERN, validateSSHArg, } from "./path-security.js";
+/**
+ * Validates alphanumeric string (letters, numbers, dots, dashes, underscores)
+ *
+ * @param value - Value to validate
+ * @param name - Parameter name for error messages
+ * @param options - Optional flags for allowing slashes and tildes
+ * @throws Error if value contains invalid characters
+ */
+export function validateAlphanumeric(value, name, options = {}) {
+    if (!value || value.length === 0) {
+        throw new Error(`${name} cannot be empty`);
+    }
+    const { allowSlash = false, allowTilde = false } = options;
+    let pattern;
+    if (allowSlash && allowTilde) {
+        pattern = /^[a-zA-Z0-9._\-/~]+$/;
+    }
+    else if (allowSlash) {
+        pattern = /^[a-zA-Z0-9._\-/]+$/;
+    }
+    else if (allowTilde) {
+        pattern = /^[a-zA-Z0-9._\-~]+$/;
+    }
+    else {
+        pattern = /^[a-zA-Z0-9._-]+$/;
+    }
+    if (!pattern.test(value)) {
+        const allowed = ["letters", "numbers", "dots", "dashes", "underscores"];
+        if (allowSlash)
+            allowed.push("forward slashes");
+        if (allowTilde)
+            allowed.push("tilde");
+        throw new Error(`${name}: Invalid characters (allowed: ${allowed.join(", ")})`);
+    }
+}
+/**
+ * Validates systemd service name format
+ * Consolidates validation from 4 locations
+ *
+ * @param service - Service name to validate
+ * @throws SSHArgSecurityError if service name is invalid
+ */
+export function validateServiceName(service) {
+    // First check for shell metacharacters (from validateSSHArg)
+    validateSSHArg(service, "service");
+    // Then check systemd naming rules
+    if (!SYSTEMD_SERVICE_NAME_PATTERN.test(service)) {
+        throw new SSHArgSecurityError("Invalid service name: only letters, numbers, @, ., _, and - are allowed", service.substring(0, 50), "service");
+    }
+}
+//# sourceMappingURL=validation.js.map

package/dist/utils/validation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,mBAAmB,EACnB,4BAA4B,EAC5B,cAAc,GACf,MAAM,oBAAoB,CAAC;AAE5B;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAa,EACb,IAAY,EACZ,UAA0D,EAAE;IAE5D,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,kBAAkB,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,EAAE,UAAU,GAAG,KAAK,EAAE,UAAU,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAE3D,IAAI,OAAe,CAAC;IACpB,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;QAC7B,OAAO,GAAG,sBAAsB,CAAC;IACnC,CAAC;SAAM,IAAI,UAAU,EAAE,CAAC;QACtB,OAAO,GAAG,qBAAqB,CAAC;IAClC,CAAC;SAAM,IAAI,UAAU,EAAE,CAAC;QACtB,OAAO,GAAG,qBAAqB,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,mBAAmB,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;QACxE,IAAI,UAAU;YAAE,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAChD,IAAI,UAAU;YAAE,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,kCAAkC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,6DAA6D;IAC7D,cAAc,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAEnC,kCAAkC;IAClC,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,mBAAmB,CAC3B,yEAAyE,EACzE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EACxB,SAAS,CACV,CAAC;IACJ,CAAC;AACH,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "synapse-mcp",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "MCP server providing Flux (Docker management) and Scout (SSH operations) tools for homelab infrastructure",
   "main": "dist/index.js",
   "type": "module",
@@ -18,21 +18,23 @@
     "README.md"
   ],
   "scripts": {
-    "build": "tsc",
+    "build": "pnpm docs:update && tsc",
     "start": "node dist/index.js",
     "dev": "tsc --watch",
-    "clean": "rm -rf dist coverage",
+    "clean": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true});require('fs').rmSync('coverage',{recursive:true,force:true})\"",
+    "docs:update": "tsx scripts/update-readme.ts",
     "typecheck": "tsc --noEmit",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "test:integration": "vitest run \"**/*.integration.test.ts\"",
     "test:bench": "vitest run src/schemas/unified.bench.test.ts",
-    "lint": "eslint src/",
-    "lint:fix": "eslint src/ --fix",
-    "format": "prettier --write src/",
-    "format:check": "prettier --check src/",
-    "prepublishOnly": "pnpm run build"
+    "lint": "biome check src/",
+    "lint:fix": "biome check --write src/",
+    "format": "biome format --write src/ && prettier --write \"**/*.{md,yml,yaml}\"",
+    "format:check": "biome format src/ && prettier --check \"**/*.{md,yml,yaml}\"",
+    "prepublishOnly": "pnpm run build",
+    "prepare": "husky"
   },
   "keywords": [
     "mcp",
@@ -60,26 +62,50 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.25.1",
+    "@modelcontextprotocol/sdk": "^1.26.0",
     "dockerode": "^4.0.9",
     "express": "^5.2.1",
     "express-rate-limit": "^8.2.1",
     "node-ssh": "^13.2.1",
-    "zod": "^4.2.1",
+    "p-limit": "^7.2.0",
+    "ssh-config": "^5.0.4",
+    "yaml": "^2.8.2",
+    "zod": "^4.3.6",
     "zod-to-json-schema": "^3.25.1"
   },
+  "pnpm": {
+    "overrides": {
+      "hono": ">=4.11.7"
+    }
+  },
   "devDependencies": {
-    "@eslint/js": "^9.39.2",
-    "@types/dockerode": "^3.3.47",
+    "@biomejs/biome": "^2.3.15",
+    "@eslint/js": "^10.0.1",
+    "@types/dockerode": "^4.0.1",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.0.3",
+    "@types/node": "^25.2.2",
     "@types/ssh2": "^1.15.5",
-    "@vitest/coverage-v8": "^4.0.16",
-    "eslint": "^9.39.2",
+    "@types/supertest": "^6.0.3",
+    "@vitest/coverage-v8": "^4.0.18",
+    "axios": "^1.13.5",
+    "eslint": "^10.0.0",
     "eslint-config-prettier": "^10.1.8",
-    "prettier": "^3.7.4",
-    "typescript": "^5.7.0",
-    "typescript-eslint": "^8.51.0",
-    "vitest": "^4.0.16"
+    "husky": "^9.1.7",
+    "lint-staged": "^16.2.7",
+    "prettier": "^3.8.1",
+    "supertest": "^7.2.2",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.55.0",
+    "vitest": "^4.0.18"
+  },
+  "lint-staged": {
+    "*.ts": [
+      "biome check --write",
+      "vitest related --run"
+    ],
+    "*.{json,md,yml,yaml}": [
+      "prettier --write"
+    ]
   }
 }