npm - venafi-connector-machine - Versions diffs - 1.0.5 → 2.0.1 - Mend

venafi-connector-machine 1.0.5 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # venafi-connector-machine
-An MCP (Model Context Protocol) server that provides machine connector-specific knowledge, templates, and tools for building **Venafi TLS Protect Cloud machine connectors**.
+An MCP (Model Context Protocol) server that provides machine connector-specific knowledge, templates, and tools for building **Venafi machine connectors**.
 Use this with Claude Code or any MCP-compatible AI assistant to get expert guidance on SSH and REST API machine connectors — discovery, provisioning, manifest design, and all the gotchas.
@@ -43,11 +43,8 @@ Covering SSH and REST API patterns from all machine connector projects:
 ### Quick Install (Claude Code CLI)
 ```bash
-# Add to your project
-claude mcp add venafi-connector-machine -- npx -y venafi-connector-machine
-# Best used alongside the core MCP
-claude mcp add venafi-connector-core -- npx -y venafi-connector-core
+# Add to your project (best used alongside the core MCP)
+claude mcp add venafi-integration-core -- npx -y venafi-integration-core
 claude mcp add venafi-connector-machine -- npx -y venafi-connector-machine
 ```
@@ -58,9 +55,9 @@ Alternatively, add to your project's `.claude/settings.json`:
 ```json
 {
   "mcpServers": {
-    "venafi-connector-core": {
+    "venafi-integration-core": {
       "command": "npx",
-      "args": ["-y", "venafi-connector-core"]
+      "args": ["-y", "venafi-integration-core"]
     },
     "venafi-connector-machine": {
       "command": "npx",
@@ -83,8 +80,9 @@ Knowledge extracted from building these machine connectors:
 ## Related Packages
-- [`venafi-connector-core`](https://www.npmjs.com/package/venafi-connector-core) — Shared architecture, templates, deployment, troubleshooting
+- [`venafi-integration-core`](https://www.npmjs.com/package/venafi-integration-core) — Shared architecture, templates, deployment, troubleshooting
 - [`venafi-connector-ca`](https://www.npmjs.com/package/venafi-connector-ca) — CA connector endpoints, certificate issuance/import/revocation
+- [`venafi-adaptable-app`](https://www.npmjs.com/package/venafi-adaptable-app) — Adaptable app driver templates, field definitions, PowerShell patterns
 ## License

package/bundle.mjs CHANGED Viewed

@@ -31877,6 +31877,79 @@ All fields listed in \`x-primaryKey\` MUST:
 3. Be of type \`"string"\` \u2014 complex types are not supported in primary keys
 The \`x-primaryKey\` array defines uniqueness for machine identity bindings during discovery. Every unique combination of primary key values creates a separate binding entry. For provisioning, unused primary key fields default to empty string.
+### 41. CRITICAL: Do NOT Re-Marshal Private Keys When Target Accepts PEM
+**The mistake**: Parsing a DER private key into a Go type and then re-marshaling it back to DER before PEM-encoding. This round-trip can subtly change the DER encoding, causing the target to reject the key.
+**The symptom**: GCP Certificate Manager returns \`400: unsupported encryption key size\` when updating a self-managed certificate with a re-marshaled EC key. The key parses fine in Go, but the re-marshaled DER bytes differ from the original.
+**The wrong approach** (from lesson #21's example used for PKCS12):
+\`\`\`go
+// WRONG for PEM output \u2014 re-marshaling changes the DER encoding
+if key, err := x509.ParseECPrivateKey(keyDER); err == nil {
+    ecDER, _ := x509.MarshalECPrivateKey(key)  // re-marshaled bytes may differ!
+    return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: ecDER}), nil
+}
+\`\`\`
+**The correct approach** \u2014 detect the type but wrap the original bytes:
+\`\`\`go
+// CORRECT for PEM output \u2014 use original DER bytes, no re-marshaling
+if _, err := x509.ParsePKCS1PrivateKey(keyDER); err == nil {
+    return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyDER}), nil
+}
+if _, err := x509.ParseECPrivateKey(keyDER); err == nil {
+    return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
+}
+if _, err := x509.ParsePKCS8PrivateKey(keyDER); err == nil {
+    return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
+}
+\`\`\`
+**When to use which approach**:
+- **Target accepts PEM** (GCP, AWS, cloud APIs): Use the no-re-marshal approach above. Just detect the type for the PEM header and wrap the original DER bytes.
+- **Target requires PKCS12** (FortiGate, network appliances): You MUST parse into Go types to pass to \`pkcs12.Encode()\`. Re-marshaling is unavoidable and acceptable here because the PKCS12 encoder produces its own encoding.
+### 42. CRITICAL: Handle Both DER and PEM Input in Certificate Bundle
+**The problem**: The Venafi platform sends certificate bundles with \`contentEncoding: "base64"\` in the manifest. Go's JSON unmarshaler automatically base64-decodes \`[]byte\` fields. However, the decoded bytes may be either **raw DER** or **PEM-encoded text**, depending on how the certificate was originally stored.
+**The symptom**: \`x509.ParseCertificate()\` fails with "asn1: structure error" when the input is PEM text (which starts with \`-----BEGIN\` ASCII bytes, not a valid ASN.1 sequence). Or the private key parser fails silently.
+**The fix**: Always check for PEM encoding first before assuming DER:
+\`\`\`go
+func convertBundleToPEM(bundle *domain.CertificateBundle) (certPEM, keyPEM string, chainPEMs []string, err error) {
+    // Handle both DER and PEM input
+    certBytes := bundle.Certificate
+    if block, _ := pem.Decode(bundle.Certificate); block != nil {
+        certBytes = block.Bytes  // extract DER from PEM
+    }
+    cert, err := x509.ParseCertificate(certBytes)
+    // ...
+    // Same for private key
+    if block, _ := pem.Decode(bundle.PrivateKey); block != nil {
+        keyPEM = string(pem.EncodeToMemory(block))  // already PEM, re-encode cleanly
+    } else {
+        keyPEM = derKeyToPEM(bundle.PrivateKey)  // DER, wrap in PEM
+    }
+    // Same for chain certificates
+    for _, chainBytes := range bundle.CertificateChain {
+        if block, _ := pem.Decode(chainBytes); block != nil {
+            chainPEMs = append(chainPEMs, string(pem.EncodeToMemory(block)))
+        } else {
+            // parse DER and encode to PEM
+        }
+    }
+}
+\`\`\`
+**Key insight**: This pattern makes the connector resilient to both input formats. The \`pem.Decode()\` check is cheap (just looks for \`-----BEGIN\`) and handles the ambiguity gracefully.
 `;
 var MACHINE_MANIFEST_TEMPLATE = `
 {
@@ -33803,37 +33876,37 @@ var server = new McpServer({
   name: "venafi-connector-machine",
   version: "1.0.0"
 });
-server.resource("machine-blueprint", "machine-connector://docs/blueprint", {
+server.resource("machine-blueprint", "venafi://connector-machine/blueprint", {
   description: "Machine connector architecture \u2014 5 endpoints, Temporal workflow model, SSH client abstraction, discovery/provisioning patterns, manifest domainSchema",
   mimeType: "text/markdown"
 }, async () => ({
   contents: [
     {
-      uri: "machine-connector://docs/blueprint",
+      uri: "venafi://connector-machine/blueprint",
       text: MACHINE_BLUEPRINT,
       mimeType: "text/markdown"
     }
   ]
 }));
-server.resource("lessons-learned", "machine-connector://docs/lessons-learned", {
+server.resource("lessons-learned", "venafi://connector-machine/lessons-learned", {
   description: "What worked, what failed, and mistakes to avoid \u2014 from building the Splunk SSH connector. Covers SSH patterns, discovery challenges, certificate format issues, and more.",
   mimeType: "text/markdown"
 }, async () => ({
   contents: [
     {
-      uri: "machine-connector://docs/lessons-learned",
+      uri: "venafi://connector-machine/lessons-learned",
       text: LESSONS_LEARNED,
       mimeType: "text/markdown"
     }
   ]
 }));
-server.resource("machine-manifest-template", "machine-connector://templates/manifest", {
+server.resource("machine-manifest-template", "venafi://connector-machine/manifest-template", {
   description: "Complete machine connector manifest.json template with connection (SSH), keystore, binding, certificateBundle, discovery, discoveryControl, discoveryPage sections",
   mimeType: "application/json"
 }, async () => ({
   contents: [
     {
-      uri: "machine-connector://templates/manifest",
+      uri: "venafi://connector-machine/manifest-template",
       text: MACHINE_MANIFEST_TEMPLATE,
       mimeType: "application/json"
     }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "venafi-connector-machine",
-  "version": "1.0.5",
-  "description": "MCP server providing machine connector-specific knowledge, templates, and tools for building Venafi TLS Protect Cloud machine connectors",
+  "version": "2.0.1",
+  "description": "MCP server providing machine connector-specific knowledge, templates, and tools for building Venafi machine connectors",
   "main": "bundle.mjs",
   "type": "module",
   "bin": {
@@ -20,7 +20,6 @@
     "mcp",
     "model-context-protocol",
     "venafi",
-    "tls-protect-cloud",
     "machine-connector",
     "ssh",
     "rest-api",
@@ -32,7 +31,7 @@
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
-    "url": "https://github.com/abhadfield/venafi-connector-mcps"
+    "url": "https://github.com/abhadfield/venafi-integration-mcps"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.1"