unifi-network-mcp 0.3.2__tar.gz → 0.4.0__tar.gz

{unifi_network_mcp-0.3.2 → unifi_network_mcp-0.4.0}/.gitignore

@@ -3,6 +3,7 @@
 
 # Python
 __pycache__/
+src/_version.py
 *.py[cod]
 *$py.class
 *.so

{unifi_network_mcp-0.3.2 → unifi_network_mcp-0.4.0}/PKG-INFO

@@ -1,13 +1,13 @@
 Metadata-Version: 2.4
 Name: unifi-network-mcp
-Version: 0.3.2
+Version: 0.4.0
 Summary: Unifi Network MCP Server
 License-File: LICENSE
 Requires-Python: >=3.13
 Requires-Dist: aiohttp>=3.8.5
-Requires-Dist: aiounifi>=87.0.0
+Requires-Dist: aiounifi>=88
 Requires-Dist: jsonschema>=4.17.0
-Requires-Dist: mcp[cli]>=1.21.2
+Requires-Dist: mcp[cli]>=1.23.0
 Requires-Dist: omegaconf>=2.3.0
 Requires-Dist: python-dotenv>=1.0.0
 Requires-Dist: pyyaml>=6.0
@@ -538,6 +538,7 @@ The server merges settings from **environment variables**, an optional `.env` fi
 | `UNIFI_TOOL_REGISTRATION_MODE` | Tool loading mode: `lazy` (default), `eager`, or `meta_only`. See [Context Optimization](#context-optimization) |
 | `UNIFI_ENABLED_CATEGORIES` | Comma-separated list of tool categories to load (eager mode). See table below |
 | `UNIFI_ENABLED_TOOLS` | Comma-separated list of specific tool names to register (eager mode) |
+| `UNIFI_MCP_ALLOWED_HOSTS` | Comma-separated list of allowed hostnames for reverse proxy support. Required when running behind Nginx/Cloudflare/etc. Default `localhost,127.0.0.1` |
 
 ### Tool Categories (for UNIFI_ENABLED_CATEGORIES)
 
@@ -809,6 +810,7 @@ See [docs/permissions.md](docs/permissions.md) for complete documentation includ
 * **Review permissions carefully** before enabling high-risk operations. Use environment variables for runtime control.
 * Create, update, and delete tools should be used with caution and only enabled when necessary.
 * Do not host outside of your network unless using a secure reverse proxy like Cloudflare Tunnel or Ngrok. Even then, an additional layer of authentication is recommended.
+* **Reverse Proxy Configuration:** When running behind a reverse proxy, set `UNIFI_MCP_ALLOWED_HOSTS` to include your external domain (e.g., `localhost,127.0.0.1,unifi-mcp.example.com`) to bypass FastMCP's DNS rebinding protection.
 
 ---
 

{unifi_network_mcp-0.3.2 → unifi_network_mcp-0.4.0}/README.md

@@ -522,6 +522,7 @@ The server merges settings from **environment variables**, an optional `.env` fi
 | `UNIFI_TOOL_REGISTRATION_MODE` | Tool loading mode: `lazy` (default), `eager`, or `meta_only`. See [Context Optimization](#context-optimization) |
 | `UNIFI_ENABLED_CATEGORIES` | Comma-separated list of tool categories to load (eager mode). See table below |
 | `UNIFI_ENABLED_TOOLS` | Comma-separated list of specific tool names to register (eager mode) |
+| `UNIFI_MCP_ALLOWED_HOSTS` | Comma-separated list of allowed hostnames for reverse proxy support. Required when running behind Nginx/Cloudflare/etc. Default `localhost,127.0.0.1` |
 
 ### Tool Categories (for UNIFI_ENABLED_CATEGORIES)
 
@@ -793,6 +794,7 @@ See [docs/permissions.md](docs/permissions.md) for complete documentation includ
 * **Review permissions carefully** before enabling high-risk operations. Use environment variables for runtime control.
 * Create, update, and delete tools should be used with caution and only enabled when necessary.
 * Do not host outside of your network unless using a secure reverse proxy like Cloudflare Tunnel or Ngrok. Even then, an additional layer of authentication is recommended.
+* **Reverse Proxy Configuration:** When running behind a reverse proxy, set `UNIFI_MCP_ALLOWED_HOSTS` to include your external domain (e.g., `localhost,127.0.0.1,unifi-mcp.example.com`) to bypass FastMCP's DNS rebinding protection.
 
 ---
 

{unifi_network_mcp-0.3.2 → unifi_network_mcp-0.4.0}/pyproject.toml

@@ -1,13 +1,13 @@
 [project]
 name = "unifi-network-mcp"
-version = "0.3.2"
+dynamic = ["version"]
 description = "Unifi Network MCP Server"
 readme = "README.md"
 requires-python = ">=3.13"
 dependencies = [
-    "mcp[cli]>=1.21.2",
+    "mcp[cli]>=1.23.0",
     "aiohttp>=3.8.5",
-    "aiounifi>=87.0.0",
+    "aiounifi>=88",
     "pyyaml>=6.0",
     "python-dotenv>=1.0.0",
     "omegaconf>=2.3.0",
@@ -16,9 +16,15 @@ dependencies = [
 ]
 
 [build-system]
-requires = ["hatchling"]
+requires = ["hatchling", "hatch-vcs"]
 build-backend = "hatchling.build"
 
+[tool.hatch.version]
+source = "vcs"
+
+[tool.hatch.build.hooks.vcs]
+version-file = "src/_version.py"
+
 [tool.hatch.build.targets.wheel]
 packages = ["src"]
 
@@ -44,6 +50,7 @@ dev = [
     "pytest-asyncio>=0.21.0",
     "aioresponses>=0.7.0",
     "pytest-cov>=4.0.0",
+    "ruff>=0.8.0",
 ]
 
 [tool.rye]
@@ -53,6 +60,7 @@ dev-dependencies = [
     "pytest-asyncio>=0.21.0",
     "aioresponses>=0.7.0",
     "pytest-cov>=4.0.0",
+    "ruff>=0.8.0",
 ]
 
 [project.scripts]
@@ -61,6 +69,7 @@ unifi-network-mcp = "src.main:main"
 
 [tool.ruff]
 line-length = 120
+exclude = ["src/_version.py"]  # Auto-generated by hatch-vcs
 
 [tool.ruff.lint]
 select = ["E", "F", "I"]

unifi_network_mcp-0.4.0/src/_version.py

@@ -0,0 +1,34 @@
+# file generated by setuptools-scm
+# don't change, don't track in version control
+
+__all__ = [
+    "__version__",
+    "__version_tuple__",
+    "version",
+    "version_tuple",
+    "__commit_id__",
+    "commit_id",
+]
+
+TYPE_CHECKING = False
+if TYPE_CHECKING:
+    from typing import Tuple
+    from typing import Union
+
+    VERSION_TUPLE = Tuple[Union[int, str], ...]
+    COMMIT_ID = Union[str, None]
+else:
+    VERSION_TUPLE = object
+    COMMIT_ID = object
+
+version: str
+__version__: str
+__version_tuple__: VERSION_TUPLE
+version_tuple: VERSION_TUPLE
+commit_id: COMMIT_ID
+__commit_id__: COMMIT_ID
+
+__version__ = version = '0.4.0'
+__version_tuple__ = version_tuple = (0, 4, 0)
+
+__commit_id__ = commit_id = None

{unifi_network_mcp-0.3.2 → unifi_network_mcp-0.4.0}/src/runtime.py

@@ -14,10 +14,12 @@ Lazy factories (`get_*`) are provided so unit tests can substitute fakes by
 monkey‑patching before the first call.
 """
 
+import os
 from functools import lru_cache
 from typing import Any
 
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 
 from src.bootstrap import load_config, logger
 from src.managers.client_manager import ClientManager
@@ -50,7 +52,21 @@ def get_config():
 @lru_cache
 def get_server() -> FastMCP:
     """Create the FastMCP server instance exactly once."""
-    return FastMCP(name="unifi-network-mcp", debug=True)
+    # Parse allowed hosts from environment variable for reverse proxy support
+    # Default to localhost only for backwards compatibility
+    allowed_hosts_str = os.getenv("UNIFI_MCP_ALLOWED_HOSTS", "localhost,127.0.0.1")
+    allowed_hosts = [h.strip() for h in allowed_hosts_str.split(",") if h.strip()]
+
+    # Configure transport security settings
+    transport_security = TransportSecuritySettings(allowed_hosts=allowed_hosts)
+
+    logger.debug(f"Configuring FastMCP with allowed_hosts: {allowed_hosts}")
+
+    return FastMCP(
+        name="unifi-network-mcp",
+        debug=True,
+        transport_security=transport_security,
+    )
 
 
 # ---------------------------------------------------------------------------

{unifi_network_mcp-0.3.2 → unifi_network_mcp-0.4.0}/src/tools/network.py

@@ -170,7 +170,7 @@ async def get_network_details(network_id: str) -> Dict[str, Any]:
 
 @server.tool(
     name="unifi_update_network",
-    description="Update specific fields of an existing network (LAN/VLAN). Requires confirmation.",
+    description="Update specific fields of an existing network (LAN/VLAN). Requires confirmation. Note: Network isolation is only supported on 'corporate' networks, not 'guest' networks.",
     permission_category="networks",
     permission_action="update",
 )
@@ -193,9 +193,15 @@ async def update_network(network_id: str, update_data: Dict[str, Any], confirm:
             - dhcp_start (string): New DHCP start IP.
             - dhcp_stop (string): New DHCP stop IP.
             - enabled (boolean): Enable/disable the entire network.
+            - network_isolation_enabled (boolean): Enable network isolation (IMPORTANT: Only works on networks with purpose="corporate").
             # Add other relevant fields from NetworkSchema here if needed
         confirm (bool): Must be set to `True` to execute. Defaults to `False`.
 
+    Important Constraints:
+        - Network isolation (network_isolation_enabled) is ONLY supported on networks with purpose="corporate".
+        - Attempting to enable isolation on "guest" or other network types will fail with an API error.
+        - To isolate a guest network: (1) Change its purpose from "guest" to "corporate", then (2) enable network_isolation_enabled.
+
     Returns:
         Dict: Success status, ID, updated fields, details, or error message.
         Example (success):
@@ -317,6 +323,11 @@ async def create_network(network_data: Dict[str, Any], confirm: bool = False) ->
     - vlan (integer): VLAN ID (required if vlan_enabled is true)
     - dhcp_enabled (boolean): Whether DHCP is enabled (default: true)
     - enabled (boolean): Whether the network is enabled (default: true)
+    - network_isolation_enabled (boolean): Enable network isolation (IMPORTANT: Only works on networks with purpose="corporate")
+
+    Important Constraints:
+    - Network isolation (network_isolation_enabled) is ONLY supported on networks with purpose="corporate".
+    - It cannot be enabled on "guest" networks.
 
     Example:
     {

{unifi_network_mcp-0.3.2 → unifi_network_mcp-0.4.0}/src/tools_manifest.json

@@ -1239,7 +1239,7 @@
       }
     },
     {
-      "description": "Update specific fields of an existing network (LAN/VLAN). Requires confirmation.",
+      "description": "Update specific fields of an existing network (LAN/VLAN). Requires confirmation. Note: Network isolation is only supported on 'corporate' networks, not 'guest' networks.",
       "name": "unifi_update_network",
       "schema": {
         "input": {