PyPI - ha-mcp-dev - Versions diffs - 7.4.1.dev422__tar.gz → 7.4.1.dev423__tar.gz - Mend

ha-mcp-dev 7.4.1.dev422tar.gz → 7.4.1.dev423tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

{ha_mcp_dev-7.4.1.dev422/src/ha_mcp_dev.egg-info → ha_mcp_dev-7.4.1.dev423}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ha-mcp-dev
-Version: 7.4.1.dev422
+Version: 7.4.1.dev423
 Summary: Home Assistant MCP Server - Complete control of Home Assistant through MCP
 Author-email: Julien <github@qc-h.net>
 License: MIT

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "ha-mcp-dev"
-version = "7.4.1.dev422"
+version = "7.4.1.dev423"
 description = "Home Assistant MCP Server - Complete control of Home Assistant through MCP"
 readme = "README.md"
 requires-python = ">=3.13,<3.14"

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/client/rest_client.py RENAMED Viewed

@@ -5,12 +5,27 @@ Home Assistant HTTP client with authentication and error handling.
 import asyncio
 import json
 import logging
+import ssl
 from typing import Any
 import httpx
 from ..config import get_global_settings
+def _is_ssl_error(exc: BaseException) -> bool:
+    """True if ``exc`` (or anything in its cause chain) is an SSL error.
+    httpx wraps ``ssl.SSLError`` inside ``httpx.ConnectError``; the only
+    reliable check is to walk ``__cause__`` / ``__context__``.
+    """
+    cur: BaseException | None = exc
+    while cur is not None:
+        if isinstance(cur, ssl.SSLError):
+            return True
+        cur = cur.__cause__ or cur.__context__
+    return False
 logger = logging.getLogger(__name__)
@@ -62,6 +77,7 @@ class HomeAssistantClient:
         base_url: str | None = None,
         token: str | None = None,
         timeout: int | None = None,
+        verify_ssl: bool | None = None,
     ):
         """
         Initialize Home Assistant client.
@@ -70,18 +86,31 @@ class HomeAssistantClient:
             base_url: Home Assistant URL (defaults to config)
             token: Long-lived access token (defaults to config)
             timeout: Request timeout in seconds (defaults to config)
+            verify_ssl: Whether to verify the HA server's TLS certificate
+                (defaults to ``settings.verify_ssl``). Pass False to allow
+                self-signed certs or hostname mismatches.
         """
-        # Only load settings if we need to use fallback values
-        if base_url is None or token is None:
+        if base_url is None or token is None or verify_ssl is None:
             settings = get_global_settings()
             self.base_url = (base_url or settings.homeassistant_url).rstrip("/")
             self.token = token or settings.homeassistant_token
             self.timeout = timeout if timeout is not None else settings.timeout
+            self.verify_ssl = (
+                verify_ssl if verify_ssl is not None else settings.verify_ssl
+            )
         else:
-            # All required parameters provided, use them directly without loading settings
             self.base_url = base_url.rstrip("/")
             self.token = token
             self.timeout = timeout if timeout is not None else 30  # Default timeout
+            self.verify_ssl = verify_ssl
+        if not self.verify_ssl:
+            logger.warning(
+                "TLS verification disabled for Home Assistant REST client "
+                "(HA_VERIFY_SSL=false). Connections to %s will accept "
+                "self-signed and mismatched certificates.",
+                self.base_url,
+            )
         # Create HTTP client with authentication headers
         self.httpx_client = httpx.AsyncClient(
@@ -91,6 +120,7 @@ class HomeAssistantClient:
                 "Content-Type": "application/json",
             },
             timeout=httpx.Timeout(self.timeout),
+            verify=self.verify_ssl,
         )
         logger.info(f"Initialized Home Assistant client for {self.base_url}")
@@ -148,6 +178,12 @@ class HomeAssistantClient:
             return response
         except httpx.ConnectError as e:
+            if _is_ssl_error(e) and self.verify_ssl:
+                raise HomeAssistantConnectionError(
+                    f"TLS verification failed for {self.base_url}: {e}. "
+                    "If this is a self-signed certificate or hostname "
+                    "mismatch, set HA_VERIFY_SSL=false to skip verification."
+                ) from e
             raise HomeAssistantConnectionError(
                 f"Failed to connect to Home Assistant: {e}"
             ) from e

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/client/websocket_client.py RENAMED Viewed

@@ -11,6 +11,7 @@ import asyncio
 import hashlib
 import json
 import logging
+import ssl
 import time
 from collections import defaultdict
 from collections.abc import Awaitable, Callable
@@ -20,7 +21,11 @@ from urllib.parse import urlparse
 import websockets
 from ..config import get_global_settings
-from .rest_client import HomeAssistantCommandError, HomeAssistantConnectionError
+from .rest_client import (
+    HomeAssistantCommandError,
+    HomeAssistantConnectionError,
+    _is_ssl_error,
+)
 logger = logging.getLogger(__name__)
@@ -158,15 +163,33 @@ class WebSocketConnectionState:
 class HomeAssistantWebSocketClient:
     """WebSocket client for Home Assistant real-time communication."""
-    def __init__(self, url: str, token: str):
+    def __init__(self, url: str, token: str, verify_ssl: bool | None = None):
         """Initialize WebSocket client.
         Args:
             url: Home Assistant URL (e.g., 'https://homeassistant.local:8123')
             token: Home Assistant long-lived access token
+            verify_ssl: Whether to verify the HA server's TLS certificate
+                for ``wss://`` connections. Defaults to
+                ``settings.verify_ssl``. Pass False to allow self-signed
+                certs or hostname mismatches.
         """
         self.base_url = url.rstrip("/")
         self.token = token
+        if verify_ssl is None:
+            try:
+                verify_ssl = get_global_settings().verify_ssl
+            except Exception as e:
+                # A bad env var elsewhere should not silently flip TLS off:
+                # log which key tripped and fall back to the secure default.
+                logger.warning(
+                    "Could not load settings while resolving verify_ssl "
+                    "(%s); falling back to verify_ssl=True.",
+                    e,
+                )
+                verify_ssl = True
+        self.verify_ssl = verify_ssl
+        self._warned_verify_disabled = False
         self.websocket: websockets.ClientConnection | None = None
         self.background_task: asyncio.Task | None = None
         self._send_lock: asyncio.Lock | None = None
@@ -197,6 +220,25 @@ class HomeAssistantWebSocketClient:
             logger.info(f"Connecting to Home Assistant WebSocket: {self.ws_url}")
             self._state.reset_connection()
+            # Only configure an SSLContext for wss://; ws:// (Supervisor
+            # proxy) doesn't use TLS and gets ssl=None.
+            ssl_ctx: ssl.SSLContext | None = None
+            if self.ws_url.startswith("wss://"):
+                ssl_ctx = ssl.create_default_context()
+                if not self.verify_ssl:
+                    if not self._warned_verify_disabled:
+                        # Once per client — pool reconnects/HA restarts
+                        # otherwise flood logs with the same warning.
+                        logger.warning(
+                            "TLS verification disabled for Home Assistant "
+                            "WebSocket (HA_VERIFY_SSL=false). Connecting to "
+                            "%s with hostname/cert checks off.",
+                            self.ws_url,
+                        )
+                        self._warned_verify_disabled = True
+                    ssl_ctx.check_hostname = False
+                    ssl_ctx.verify_mode = ssl.CERT_NONE
             # Connect to WebSocket
             # Include Authorization header for Supervisor proxy compatibility
             # (required when connecting via http://supervisor/core/websocket)
@@ -205,6 +247,7 @@ class HomeAssistantWebSocketClient:
                 ping_interval=30,
                 ping_timeout=10,
                 additional_headers={"Authorization": f"Bearer {self.token}"},
+                ssl=ssl_ctx,
                 # Increase max message size to 20MB for large responses
                 # (e.g., HACS repository list can be 2MB+)
                 max_size=20 * 1024 * 1024,
@@ -241,7 +284,16 @@ class HomeAssistantWebSocketClient:
             return True
         except Exception as e:
-            logger.error(f"WebSocket connection failed: {e}")
+            if _is_ssl_error(e) and self.verify_ssl:
+                logger.error(
+                    "WebSocket TLS verification failed for %s: %s. "
+                    "If this is a self-signed certificate or hostname "
+                    "mismatch, set HA_VERIFY_SSL=false to skip verification.",
+                    self.ws_url,
+                    e,
+                )
+            else:
+                logger.error(f"WebSocket connection failed: {e}")
             await self.disconnect()
             return False

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/config.py RENAMED Viewed

@@ -54,6 +54,9 @@ class Settings(BaseSettings):
     timeout: int = Field(30, alias="HA_TIMEOUT")
     max_retries: int = Field(3, alias="HA_MAX_RETRIES")
+    # False = skip TLS verification (self-signed / hostname mismatch). Trusted networks only.
+    verify_ssl: bool = Field(True, alias="HA_VERIFY_SSL")
     # Tool configuration
     fuzzy_threshold: int = Field(60, alias="FUZZY_THRESHOLD")
     entity_search_limit: int = Field(20, alias="ENTITY_SEARCH_LIMIT")
@@ -231,3 +234,13 @@ def get_global_settings() -> Settings:
     if _settings is None:
         _settings = get_settings()
     return _settings
+def _reset_global_settings() -> None:
+    """Drop the cached settings singleton.
+    Test-only seam so suites that mutate ``HA_*`` env vars can force a
+    re-read without reaching into module-private state.
+    """
+    global _settings
+    _settings = None

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/tools/backup.py RENAMED Viewed

@@ -179,7 +179,9 @@ async def create_backup(
     try:
         # Connect to WebSocket
-        ws_client, error = await get_connected_ws_client(client.base_url, client.token)
+        ws_client, error = await get_connected_ws_client(
+            client.base_url, client.token, verify_ssl=client.verify_ssl
+        )
         if error:
             raise_tool_error(error or create_error_response(
                 ErrorCode.CONNECTION_FAILED,
@@ -300,7 +302,9 @@ async def restore_backup(
     try:
         # Connect to WebSocket
-        ws_client, error = await get_connected_ws_client(client.base_url, client.token)
+        ws_client, error = await get_connected_ws_client(
+            client.base_url, client.token, verify_ssl=client.verify_ssl
+        )
         if error:
             raise_tool_error(error or create_error_response(
                 ErrorCode.CONNECTION_FAILED,

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/tools/helpers.py RENAMED Viewed

@@ -78,7 +78,7 @@ def extract_tool_error_message(te: ToolError) -> str:
 async def get_connected_ws_client(
-    base_url: str, token: str
+    base_url: str, token: str, verify_ssl: bool | None = None
 ) -> tuple[HomeAssistantWebSocketClient | None, dict[str, Any] | None]:
     """
     Create and connect a WebSocket client.
@@ -86,11 +86,15 @@ async def get_connected_ws_client(
     Args:
         base_url: Home Assistant base URL
         token: Authentication token
+        verify_ssl: TLS verification override. Pass ``client.verify_ssl``
+            from the calling REST client so a programmatic
+            ``HomeAssistantClient(verify_ssl=False)`` propagates to the
+            WebSocket too. ``None`` falls back to ``settings.verify_ssl``.
     Returns:
         Tuple of (ws_client, error_dict). If connection fails, ws_client is None.
     """
-    ws_client = HomeAssistantWebSocketClient(base_url, token)
+    ws_client = HomeAssistantWebSocketClient(base_url, token, verify_ssl=verify_ssl)
     connected = await ws_client.connect()
     if not connected:
         return None, create_connection_error(

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/tools/tools_addons.py RENAMED Viewed

@@ -232,7 +232,9 @@ async def _supervisor_api_call(
     """
     ws_client = None
     try:
-        ws_client, error = await get_connected_ws_client(client.base_url, client.token)
+        ws_client, error = await get_connected_ws_client(
+            client.base_url, client.token, verify_ssl=client.verify_ssl
+        )
         if error or ws_client is None:
             return error or create_connection_error(
                 "Failed to establish WebSocket connection",

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/tools/tools_history.py RENAMED Viewed

@@ -290,7 +290,9 @@ class HistoryTools:
             # Connect to WebSocket (shared by both sources)
             ws_client, error = await get_connected_ws_client(
-                self._client.base_url, self._client.token
+                self._client.base_url,
+                self._client.token,
+                verify_ssl=self._client.verify_ssl,
             )
             if error or ws_client is None:
                 raise_tool_error(error or create_error_response(

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/tools/tools_system.py RENAMED Viewed

@@ -415,7 +415,9 @@ class SystemTools:
             for subsequent optional fetches.
         """
         ws_client, error = await get_connected_ws_client(
-            self._client.base_url, self._client.token
+            self._client.base_url,
+            self._client.token,
+            verify_ssl=self._client.verify_ssl,
         )
         if error or ws_client is None:
             raise_tool_error(error or create_error_response(

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423}/src/ha_mcp/tools/tools_traces.py RENAMED Viewed

@@ -167,7 +167,9 @@ class TraceTools:
             # Connect to WebSocket
             ws_client, error = await get_connected_ws_client(
-                self._client.base_url, self._client.token
+                self._client.base_url,
+                self._client.token,
+                verify_ssl=self._client.verify_ssl,
             )
             if error or ws_client is None:
                 raise_tool_error(error or create_error_response(

{ha_mcp_dev-7.4.1.dev422 → ha_mcp_dev-7.4.1.dev423/src/ha_mcp_dev.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ha-mcp-dev
-Version: 7.4.1.dev422
+Version: 7.4.1.dev423
 Summary: Home Assistant MCP Server - Complete control of Home Assistant through MCP
 Author-email: Julien <github@qc-h.net>
 License: MIT