diff --git a/.cursor-plugin/plugin.json b/.cursor-plugin/plugin.json index e463de1..d9ce0e5 100644 --- a/.cursor-plugin/plugin.json +++ b/.cursor-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "home-lab-developer-tools", "displayName": "Home Lab Developer Tools", - "version": "0.13.2", + "version": "0.14.0", "description": "Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors - 22 skills, 11 rules, and 50 MCP tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, certificates, multi-node, diagnostics, and system administration on a Raspberry Pi home lab via SSH.", "author": { "name": "TMHSDigital", diff --git a/.env.example b/.env.example index 749d8ba..2173fbc 100644 --- a/.env.example +++ b/.env.example @@ -1,7 +1,7 @@ # Raspberry Pi SSH connection -HOMELAB_PI_HOST=raspi5.local -HOMELAB_PI_USER=tmhs -HOMELAB_PI_KEY_PATH=~/.ssh/id_ed25519_pi +HOMELAB_PI_HOST=raspberrypi.local +HOMELAB_PI_USER=pi +HOMELAB_PI_KEY_PATH=~/.ssh/id_ed25519 # Compose project directory on the Pi HOMELAB_COMPOSE_DIR=/opt/homelab/docker @@ -35,7 +35,11 @@ HOMELAB_BACKUP_REPO=/mnt/backup/restic # HOMELAB_NTFY_PORT=8080 # Multi-node support (JSON object mapping node names to SSH config) -# HOMELAB_NODES='{"nas":{"host":"nas.local","user":"admin","keyPath":"~/.ssh/id_ed25519_nas"},"pi-zero":{"host":"pizero.local","user":"pi","keyPath":"~/.ssh/id_ed25519_pz"}}' +# HOMELAB_NODES='{"nas":{"host":"nas.local","user":"admin","keyPath":"~/.ssh/id_ed25519"},"pi-zero":{"host":"pizero.local","user":"pi","keyPath":"~/.ssh/id_ed25519"}}' # Ansible inventory path for node discovery (default /etc/ansible/hosts) # HOMELAB_ANSIBLE_INVENTORY=/etc/ansible/hosts + +# Safety overrides +# HOMELAB_DRY_RUN=true # When set, execSSH prints what it would run without connecting +# HOMELAB_ALLOW_DANGEROUS_COMMANDS=true # Bypasses the runtime command guard (use with caution) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e897f01..c34cc78 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - - uses: actions/dependency-review-action@v4 + - uses: actions/dependency-review-action@v5 with: fail-on-severity: high comment-summary-in-pr: always diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index 26ef6a1..f5b9c21 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -28,6 +28,6 @@ jobs: --exclude "localhost" --exclude "127.0.0.1" --exclude "example.com" - --exclude "raspi5.local" + --exclude "raspberrypi.local" "**/*.md" "**/*.mdc" diff --git a/CHANGELOG.md b/CHANGELOG.md index ef637d8..4817429 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.14.0] - 2026-05-22 + +### Added + +- Runtime command safety guard in `execSSH` -- blocks catastrophic patterns (`rm -rf /`, `mkfs` on block devices, `dd` to block devices, fork bomb, `chmod -R 777 /`, curl/wget pipe to shell, `poweroff`/`halt`/`shutdown -h`) before opening an SSH connection. Override with `HOMELAB_ALLOW_DANGEROUS_COMMANDS=true`. +- `HOMELAB_DRY_RUN` mode -- when set, `execSSH` returns a description string without connecting. Unsafe commands are still rejected in dry-run mode. +- `UnsafeCommandError` class in `utils/errors.ts` for runtime guard rejections. +- Shared `confirmParam` and `confirmCancelled` helpers in `utils/confirm-param.ts` consumed by all confirm-gated tools. +- `mcp-server/src/utils/__tests__/ssh-guard.test.ts` -- unit tests for the command guard and dry-run mode using the real module (no mock). + +### Changed + +- `homelab_serviceRestart`, `homelab_composeUp`, and `homelab_composeDown` now require `confirm=true` to proceed. Calls without it return a cancellation message and make no changes. +- Default SSH host changed from personal hostname to generic `raspberrypi.local`; default user changed from personal username to `pi`. Override via `HOMELAB_PI_HOST` and `HOMELAB_PI_USER`. +- All confirm-gated tools now use the shared `confirmParam`/`confirmCancelled` helpers for consistent messaging (standardizes "aborted" -> "cancelled" in `certRenew` and `nodeExec`). +- `composePull` remains ungated (pull only downloads images, does not change running state). + ## [0.13.2] - 2026-04-26 See [release notes](https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.13.2) for details. diff --git a/CLAUDE.md b/CLAUDE.md index 53544fe..50ef9a9 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -12,7 +12,7 @@ Home Lab Developer Tools integrates home lab and Raspberry Pi workflows into AI- This is a monorepo -- the skills, rules, and companion MCP server live in the same repository. The MCP server connects to a Raspberry Pi via SSH to execute commands. -**Version:** 0.13.2 +**Version:** 0.14.0 **License:** CC-BY-NC-ND-4.0 **npm:** @tmhs/homelab-mcp **Author:** TMHSDigital @@ -179,6 +179,13 @@ npm install -g @tmhs/homelab-mcp - Skills use kebab-case directory names with YAML frontmatter (`name`, `description`, `tools`). - Rules use kebab-case filenames with `description` and `alwaysApply` frontmatter. +## Security + +- Tools that change running state require `confirm=true`: `homelab_piReboot`, `homelab_backupRun`, `homelab_backupRestore`, `homelab_volumeBackup`, `homelab_certRenew`, `homelab_nodeExec`, `homelab_serviceRestart`, `homelab_composeUp`, `homelab_composeDown`. Use the shared `confirmParam` and `confirmCancelled` helpers from `utils/confirm-param.ts`. +- `execSSH()` runs `assertCommandSafe()` before opening any SSH connection. This blocks catastrophic patterns (`rm -rf /`, `mkfs` on block devices, fork bombs, `poweroff`, etc.). Override with `HOMELAB_ALLOW_DANGEROUS_COMMANDS=true`. +- `HOMELAB_DRY_RUN=true` makes `execSSH` return a description string instead of connecting. The command guard still runs in dry-run mode. +- No personal SSH usernames, hostnames, or key names in code or docs. Use `pi` / `raspberrypi.local` / `~/.ssh/id_ed25519` as generic defaults. + ## Release Hygiene When preparing a new release version, ALL of the following files must be updated to reflect the new version number, tool/skill/rule counts, and any new entries: diff --git a/README.md b/README.md index 2975352..d917af5 100644 --- a/README.md +++ b/README.md @@ -146,9 +146,9 @@ Add to your Cursor MCP config (`.cursor/mcp.json`): "args": ["./mcp-server/dist/index.js"], "cwd": "/Home-Lab-Developer-Tools", "env": { - "HOMELAB_PI_HOST": "raspi5.local", - "HOMELAB_PI_USER": "tmhs", - "HOMELAB_PI_KEY_PATH": "~/.ssh/id_ed25519_pi" + "HOMELAB_PI_HOST": "raspberrypi.local", + "HOMELAB_PI_USER": "pi", + "HOMELAB_PI_KEY_PATH": "~/.ssh/id_ed25519" } } } diff --git a/ROADMAP.md b/ROADMAP.md index d096218..e388411 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -16,6 +16,7 @@ | v0.10.0 | Testing Infrastructure | +2 | -- | -- | 50 | | v0.11.0 | Documentation Site | -- | -- | -- | 50 | | v0.12.0 | Polish and Hardening | +2 | -- | -- | 52 | +| v0.14.0 | Security Hardening | -- | -- | -- | 50 | | **v1.0.0** | **Stable Release** | -- | -- | -- | **52** | --- @@ -215,6 +216,18 @@ Real test coverage before v1.0. --- +## v0.14.0 - Security Hardening + +- [x] Runtime command safety guard in `execSSH` blocking catastrophic patterns +- [x] `HOMELAB_DRY_RUN` env var for testing without SSH connections +- [x] Confirm gate extended to `homelab_serviceRestart`, `homelab_composeUp`, `homelab_composeDown` +- [x] Shared `confirmParam`/`confirmCancelled` helpers used by all gated tools +- [x] Personal SSH defaults replaced with generic `raspberrypi.local` / `pi` placeholders +- [x] `UnsafeCommandError` error class for guard rejections +- [x] Unit tests for command guard and dry-run mode + +--- + ## v0.11.0 - Documentation Site Upgrade GitHub Pages from placeholder to full tool reference. diff --git a/SECURITY.md b/SECURITY.md index afb3cdb..de650f4 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -15,7 +15,25 @@ This project connects to remote hosts via SSH. Security considerations: - SSH private keys must never be committed to the repository - The `.env` file containing connection details is gitignored - MCP tools execute commands on remote hosts -- review tool actions before running -- Tools with destructive actions require explicit `confirm=true` parameters: `homelab_piReboot`, `homelab_backupRun`, `homelab_backupRestore`, `homelab_volumeBackup`, `homelab_certRenew`, `homelab_nodeExec` +- Tools with destructive or state-changing actions require explicit `confirm=true` parameters: `homelab_piReboot`, `homelab_backupRun`, `homelab_backupRestore`, `homelab_volumeBackup`, `homelab_certRenew`, `homelab_nodeExec`, `homelab_serviceRestart`, `homelab_composeUp`, `homelab_composeDown` + +## Runtime Command Guard + +`execSSH` blocks a focused set of catastrophic command patterns before opening an SSH connection: + +- `rm -rf /` (and `--no-preserve-root` variant) +- `mkfs` targeting a block device +- `dd` writing to a block device +- Fork bomb (`:(){ :|:& };:`) +- `chmod -R 777 /` +- Piping a remote download to a shell (`curl ... | sh`, `wget ... | bash`) +- `shutdown -h`, `halt`, `poweroff` (note: `shutdown -r` used by `homelab_piReboot` is explicitly allowed) + +To bypass the guard (not recommended): set `HOMELAB_ALLOW_DANGEROUS_COMMANDS=true`. + +## Dry-Run Mode + +Set `HOMELAB_DRY_RUN=true` to make `execSSH` print what it would execute without opening an SSH connection. Unsafe commands are still rejected in dry-run mode. ## Best Practices diff --git a/docs/index.html b/docs/index.html index fcb4beb..fcf5408 100644 --- a/docs/index.html +++ b/docs/index.html @@ -1479,11 +1479,11 @@

Related Tools

- v0.11.0 + v0.14.0 · CC-BY-NC-ND-4.0 · - Built 2026-04-08 + Built 2026-05-22
Part of TMHSDigital Developer Tools diff --git a/mcp-server/README.md b/mcp-server/README.md index ae267d2..fafda23 100644 --- a/mcp-server/README.md +++ b/mcp-server/README.md @@ -71,9 +71,9 @@ Set environment variables: | Variable | Default | Description | |----------|---------|-------------| -| `HOMELAB_PI_HOST` | `raspi5.local` | Pi hostname or IP | -| `HOMELAB_PI_USER` | `tmhs` | SSH username | -| `HOMELAB_PI_KEY_PATH` | (empty) | Path to SSH private key | +| `HOMELAB_PI_HOST` | `raspberrypi.local` | Pi hostname or IP | +| `HOMELAB_PI_USER` | `pi` | SSH username | +| `HOMELAB_PI_KEY_PATH` | (empty) | Path to SSH private key (e.g. `~/.ssh/id_ed25519`) | | `HOMELAB_COMPOSE_DIR` | `/opt/homelab/docker` | Compose project directory on Pi | | `HOMELAB_BACKUP_REPO` | `/mnt/backup/restic` | Restic backup repo path on Pi | | `HOMELAB_GRAFANA_TOKEN` | (empty) | Grafana API token (preferred auth method) | @@ -93,6 +93,8 @@ Set environment variables: | `HOMELAB_NTFY_PORT` | `8080` | Ntfy server port override | | `HOMELAB_NODES` | (empty) | JSON object mapping node names to SSH config for multi-node support | | `HOMELAB_ANSIBLE_INVENTORY` | `/etc/ansible/hosts` | Ansible inventory file path for node discovery | +| `HOMELAB_DRY_RUN` | (unset) | When set to any truthy value, `execSSH` prints the command without connecting | +| `HOMELAB_ALLOW_DANGEROUS_COMMANDS` | (unset) | Set to `true` to bypass the runtime command safety guard | ## Usage with Cursor @@ -105,9 +107,9 @@ Add to `.cursor/mcp.json`: "command": "node", "args": ["path/to/Home-Lab-Developer-Tools/mcp-server/dist/index.js"], "env": { - "HOMELAB_PI_HOST": "raspi5.local", - "HOMELAB_PI_USER": "tmhs", - "HOMELAB_PI_KEY_PATH": "~/.ssh/id_ed25519_pi" + "HOMELAB_PI_HOST": "raspberrypi.local", + "HOMELAB_PI_USER": "pi", + "HOMELAB_PI_KEY_PATH": "~/.ssh/id_ed25519" } } } diff --git a/mcp-server/package-lock.json b/mcp-server/package-lock.json index 24103e1..3e1da86 100644 --- a/mcp-server/package-lock.json +++ b/mcp-server/package-lock.json @@ -1,12 +1,12 @@ { "name": "@tmhs/homelab-mcp", - "version": "0.10.0", + "version": "0.14.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@tmhs/homelab-mcp", - "version": "0.10.0", + "version": "0.14.0", "license": "CC-BY-NC-ND-4.0", "dependencies": { "@modelcontextprotocol/sdk": "^1.12.1", @@ -17,20 +17,20 @@ "homelab-mcp": "dist/index.js" }, "devDependencies": { - "@types/node": "^25.6.0", + "@types/node": "^25.9.0", "@types/ssh2": "^1.15.0", - "tsx": "^4.19.0", + "tsx": "^4.22.2", "typescript": "^6.0.3", - "vitest": "^4.1.4" + "vitest": "^4.1.6" }, "engines": { "node": ">= 20.0.0" } }, "node_modules/@emnapi/core": { - "version": "1.9.2", - "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz", - "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==", + "version": "1.10.0", + "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz", + "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==", "dev": true, "license": "MIT", "optional": true, @@ -40,9 +40,9 @@ } }, "node_modules/@emnapi/runtime": { - "version": "1.9.2", - "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz", - "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==", + "version": "1.10.0", + "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz", + "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==", "dev": true, "license": "MIT", "optional": true, @@ -62,9 +62,9 @@ } }, "node_modules/@esbuild/aix-ppc64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.7.tgz", - "integrity": "sha512-EKX3Qwmhz1eMdEJokhALr0YiD0lhQNwDqkPYyPhiSwKrh7/4KRjQc04sZ8db+5DVVnZ1LmbNDI1uAMPEUBnQPg==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.28.0.tgz", + "integrity": "sha512-lhRUCeuOyJQURhTxl4WkpFTjIsbDayJHih5kZC1giwE+MhIzAb7mEsQMqMf18rHLsrb5qI1tafG20mLxEWcWlA==", "cpu": [ "ppc64" ], @@ -79,9 +79,9 @@ } }, "node_modules/@esbuild/android-arm": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.7.tgz", - "integrity": "sha512-jbPXvB4Yj2yBV7HUfE2KHe4GJX51QplCN1pGbYjvsyCZbQmies29EoJbkEc+vYuU5o45AfQn37vZlyXy4YJ8RQ==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.28.0.tgz", + "integrity": "sha512-wqh0ByljabXLKHeWXYLqoJ5jKC4XBaw6Hk08OfMrCRd2nP2ZQ5eleDZC41XHyCNgktBGYMbqnrJKq/K/lzPMSQ==", "cpu": [ "arm" ], @@ -96,9 +96,9 @@ } }, "node_modules/@esbuild/android-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.7.tgz", - "integrity": "sha512-62dPZHpIXzvChfvfLJow3q5dDtiNMkwiRzPylSCfriLvZeq0a1bWChrGx/BbUbPwOrsWKMn8idSllklzBy+dgQ==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.28.0.tgz", + "integrity": "sha512-+WzIXQOSaGs33tLEgYPYe/yQHf0WTU0X42Jca3y8NWMbUVhp7rUnw+vAsRC/QiDrdD31IszMrZy+qwPOPjd+rw==", "cpu": [ "arm64" ], @@ -113,9 +113,9 @@ } }, "node_modules/@esbuild/android-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.7.tgz", - "integrity": "sha512-x5VpMODneVDb70PYV2VQOmIUUiBtY3D3mPBG8NxVk5CogneYhkR7MmM3yR/uMdITLrC1ml/NV1rj4bMJuy9MCg==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.28.0.tgz", + "integrity": "sha512-+VJggoaKhk2VNNqVL7f6S189UzShHC/mR9EE8rDdSkdpN0KflSwWY/gWjDrNxxisg8Fp1ZCD9jLMo4m0OUfeUA==", "cpu": [ "x64" ], @@ -130,9 +130,9 @@ } }, "node_modules/@esbuild/darwin-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.7.tgz", - "integrity": "sha512-5lckdqeuBPlKUwvoCXIgI2D9/ABmPq3Rdp7IfL70393YgaASt7tbju3Ac+ePVi3KDH6N2RqePfHnXkaDtY9fkw==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.28.0.tgz", + "integrity": "sha512-0T+A9WZm+bZ84nZBtk1ckYsOvyA3x7e2Acj1KdVfV4/2tdG4fzUp91YHx+GArWLtwqp77pBXVCPn2We7Letr0Q==", "cpu": [ "arm64" ], @@ -147,9 +147,9 @@ } }, "node_modules/@esbuild/darwin-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.7.tgz", - "integrity": "sha512-rYnXrKcXuT7Z+WL5K980jVFdvVKhCHhUwid+dDYQpH+qu+TefcomiMAJpIiC2EM3Rjtq0sO3StMV/+3w3MyyqQ==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.28.0.tgz", + "integrity": "sha512-fyzLm/DLDl/84OCfp2f/XQ4flmORsjU7VKt8HLjvIXChJoFFOIL6pLJPH4Yhd1n1gGFF9mPwtlN5Wf82DZs+LQ==", "cpu": [ "x64" ], @@ -164,9 +164,9 @@ } }, "node_modules/@esbuild/freebsd-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.7.tgz", - "integrity": "sha512-B48PqeCsEgOtzME2GbNM2roU29AMTuOIN91dsMO30t+Ydis3z/3Ngoj5hhnsOSSwNzS+6JppqWsuhTp6E82l2w==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.0.tgz", + "integrity": "sha512-l9GeW5UZBT9k9brBYI+0WDffcRxgHQD8ShN2Ur4xWq/NFzUKm3k5lsH4PdaRgb2w7mI9u61nr2gI2mLI27Nh3Q==", "cpu": [ "arm64" ], @@ -181,9 +181,9 @@ } }, "node_modules/@esbuild/freebsd-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.7.tgz", - "integrity": "sha512-jOBDK5XEjA4m5IJK3bpAQF9/Lelu/Z9ZcdhTRLf4cajlB+8VEhFFRjWgfy3M1O4rO2GQ/b2dLwCUGpiF/eATNQ==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.28.0.tgz", + "integrity": "sha512-BXoQai/A0wPO6Es3yFJ7APCiKGc1tdAEOgeTNy3SsB491S3aHn4S4r3e976eUnPdU+NbdtmBuLncYir2tMU9Nw==", "cpu": [ "x64" ], @@ -198,9 +198,9 @@ } }, "node_modules/@esbuild/linux-arm": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.7.tgz", - "integrity": "sha512-RkT/YXYBTSULo3+af8Ib0ykH8u2MBh57o7q/DAs3lTJlyVQkgQvlrPTnjIzzRPQyavxtPtfg0EopvDyIt0j1rA==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.28.0.tgz", + "integrity": "sha512-CjaaREJagqJp7iTaNQjjidaNbCKYcd4IDkzbwwxtSvjI7NZm79qiHc8HqciMddQ6CKvJT6aBd8lO9kN/ZudLlw==", "cpu": [ "arm" ], @@ -215,9 +215,9 @@ } }, "node_modules/@esbuild/linux-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.7.tgz", - "integrity": "sha512-RZPHBoxXuNnPQO9rvjh5jdkRmVizktkT7TCDkDmQ0W2SwHInKCAV95GRuvdSvA7w4VMwfCjUiPwDi0ZO6Nfe9A==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.28.0.tgz", + "integrity": "sha512-RVyzfb3FWsGA55n6WY0MEIEPURL1FcbhFE6BffZEMEekfCzCIMtB5yyDcFnVbTnwk+CLAgTujmV/Lgvih56W+A==", "cpu": [ "arm64" ], @@ -232,9 +232,9 @@ } }, "node_modules/@esbuild/linux-ia32": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.7.tgz", - "integrity": "sha512-GA48aKNkyQDbd3KtkplYWT102C5sn/EZTY4XROkxONgruHPU72l+gW+FfF8tf2cFjeHaRbWpOYa/uRBz/Xq1Pg==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.28.0.tgz", + "integrity": "sha512-KBnSTt1kxl9x70q+ydterVdl+Cn0H18ngRMRCEQfrbqdUuntQQ0LoMZv47uB97NljZFzY6HcfqEZ2SAyIUTQBQ==", "cpu": [ "ia32" ], @@ -249,9 +249,9 @@ } }, "node_modules/@esbuild/linux-loong64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.7.tgz", - "integrity": "sha512-a4POruNM2oWsD4WKvBSEKGIiWQF8fZOAsycHOt6JBpZ+JN2n2JH9WAv56SOyu9X5IqAjqSIPTaJkqN8F7XOQ5Q==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.28.0.tgz", + "integrity": "sha512-zpSlUce1mnxzgBADvxKXX5sl8aYQHo2ezvMNI8I0lbblJtp8V4odlm3Yzlj7gPyt3T8ReksE6bK+pT3WD+aJRg==", "cpu": [ "loong64" ], @@ -266,9 +266,9 @@ } }, "node_modules/@esbuild/linux-mips64el": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.7.tgz", - "integrity": "sha512-KabT5I6StirGfIz0FMgl1I+R1H73Gp0ofL9A3nG3i/cYFJzKHhouBV5VWK1CSgKvVaG4q1RNpCTR2LuTVB3fIw==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.28.0.tgz", + "integrity": "sha512-2jIfP6mmjkdmeTlsX/9vmdmhBmKADrWqN7zcdtHIeNSCH1SqIoNI63cYsjQR8J+wGa4Y5izRcSHSm8K3QWmk3w==", "cpu": [ "mips64el" ], @@ -283,9 +283,9 @@ } }, "node_modules/@esbuild/linux-ppc64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.7.tgz", - "integrity": "sha512-gRsL4x6wsGHGRqhtI+ifpN/vpOFTQtnbsupUF5R5YTAg+y/lKelYR1hXbnBdzDjGbMYjVJLJTd2OFmMewAgwlQ==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.28.0.tgz", + "integrity": "sha512-bc0FE9wWeC0WBm49IQMPSPILRocGTQt3j5KPCA8os6VprfuJ7KD+5PzESSrJ6GmPIPJK965ZJHTUlSA6GNYEhg==", "cpu": [ "ppc64" ], @@ -300,9 +300,9 @@ } }, "node_modules/@esbuild/linux-riscv64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.7.tgz", - "integrity": "sha512-hL25LbxO1QOngGzu2U5xeXtxXcW+/GvMN3ejANqXkxZ/opySAZMrc+9LY/WyjAan41unrR3YrmtTsUpwT66InQ==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.28.0.tgz", + "integrity": "sha512-SQPZOwoTTT/HXFXQJG/vBX8sOFagGqvZyXcgLA3NhIqcBv1BJU1d46c0rGcrij2B56Z2rNiSLaZOYW5cUk7yLQ==", "cpu": [ "riscv64" ], @@ -317,9 +317,9 @@ } }, "node_modules/@esbuild/linux-s390x": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.7.tgz", - "integrity": "sha512-2k8go8Ycu1Kb46vEelhu1vqEP+UeRVj2zY1pSuPdgvbd5ykAw82Lrro28vXUrRmzEsUV0NzCf54yARIK8r0fdw==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.28.0.tgz", + "integrity": "sha512-SCfR0HN8CEEjnYnySJTd2cw0k9OHB/YFzt5zgJEwa+wL/T/raGWYMBqwDNAC6dqFKmJYZoQBRfHjgwLHGSrn3Q==", "cpu": [ "s390x" ], @@ -334,9 +334,9 @@ } }, "node_modules/@esbuild/linux-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.7.tgz", - "integrity": "sha512-hzznmADPt+OmsYzw1EE33ccA+HPdIqiCRq7cQeL1Jlq2gb1+OyWBkMCrYGBJ+sxVzve2ZJEVeePbLM2iEIZSxA==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.28.0.tgz", + "integrity": "sha512-us0dSb9iFxIi8srnpl931Nvs65it/Jd2a2K3qs7fz2WfGPHqzfzZTfec7oxZJRNPXPnNYZtanmRc4AL/JwVzHQ==", "cpu": [ "x64" ], @@ -351,9 +351,9 @@ } }, "node_modules/@esbuild/netbsd-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.7.tgz", - "integrity": "sha512-b6pqtrQdigZBwZxAn1UpazEisvwaIDvdbMbmrly7cDTMFnw/+3lVxxCTGOrkPVnsYIosJJXAsILG9XcQS+Yu6w==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.0.tgz", + "integrity": "sha512-CR/RYotgtCKwtftMwJlUU7xCVNg3lMYZ0RzTmAHSfLCXw3NtZtNpswLEj/Kkf6kEL3Gw+BpOekRX0BYCtklhUw==", "cpu": [ "arm64" ], @@ -368,9 +368,9 @@ } }, "node_modules/@esbuild/netbsd-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.7.tgz", - "integrity": "sha512-OfatkLojr6U+WN5EDYuoQhtM+1xco+/6FSzJJnuWiUw5eVcicbyK3dq5EeV/QHT1uy6GoDhGbFpprUiHUYggrw==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.28.0.tgz", + "integrity": "sha512-nU1yhmYutL+fQ71Kxnhg8uEOdC0pwEW9entHykTgEbna2pw2dkbFSMeqjjyHZoCmt8SBkOSvV+yNmm94aUrrqw==", "cpu": [ "x64" ], @@ -385,9 +385,9 @@ } }, "node_modules/@esbuild/openbsd-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.7.tgz", - "integrity": "sha512-AFuojMQTxAz75Fo8idVcqoQWEHIXFRbOc1TrVcFSgCZtQfSdc1RXgB3tjOn/krRHENUB4j00bfGjyl2mJrU37A==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.0.tgz", + "integrity": "sha512-cXb5vApOsRsxsEl4mcZ1XY3D4DzcoMxR/nnc4IyqYs0rTI8ZKmW6kyyg+11Z8yvgMfAEldKzP7AdP64HnSC/6g==", "cpu": [ "arm64" ], @@ -402,9 +402,9 @@ } }, "node_modules/@esbuild/openbsd-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.7.tgz", - "integrity": "sha512-+A1NJmfM8WNDv5CLVQYJ5PshuRm/4cI6WMZRg1by1GwPIQPCTs1GLEUHwiiQGT5zDdyLiRM/l1G0Pv54gvtKIg==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.28.0.tgz", + "integrity": "sha512-8wZM2qqtv9UP3mzy7HiGYNH/zjTA355mpeuA+859TyR+e+Tc08IHYpLJuMsfpDJwoLo1ikIJI8jC3GFjnRClzA==", "cpu": [ "x64" ], @@ -419,9 +419,9 @@ } }, "node_modules/@esbuild/openharmony-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.7.tgz", - "integrity": "sha512-+KrvYb/C8zA9CU/g0sR6w2RBw7IGc5J2BPnc3dYc5VJxHCSF1yNMxTV5LQ7GuKteQXZtspjFbiuW5/dOj7H4Yw==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.0.tgz", + "integrity": "sha512-FLGfyizszcef5C3YtoyQDACyg95+dndv79i2EekILBofh5wpCa1KuBqOWKrEHZg3zrL3t5ouE5jgr94vA+Wb2w==", "cpu": [ "arm64" ], @@ -436,9 +436,9 @@ } }, "node_modules/@esbuild/sunos-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.7.tgz", - "integrity": "sha512-ikktIhFBzQNt/QDyOL580ti9+5mL/YZeUPKU2ivGtGjdTYoqz6jObj6nOMfhASpS4GU4Q/Clh1QtxWAvcYKamA==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.28.0.tgz", + "integrity": "sha512-1ZgjUoEdHZZl/YlV76TSCz9Hqj9h9YmMGAgAPYd+q4SicWNX3G5GCyx9uhQWSLcbvPW8Ni7lj4gDa1T40akdlw==", "cpu": [ "x64" ], @@ -453,9 +453,9 @@ } }, "node_modules/@esbuild/win32-arm64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.7.tgz", - "integrity": "sha512-7yRhbHvPqSpRUV7Q20VuDwbjW5kIMwTHpptuUzV+AA46kiPze5Z7qgt6CLCK3pWFrHeNfDd1VKgyP4O+ng17CA==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.28.0.tgz", + "integrity": "sha512-Q9StnDmQ/enxnpxCCLSg0oo4+34B9TdXpuyPeTedN/6+iXBJ4J+zwfQI28u/Jl40nOYAxGoNi7mFP40RUtkmUA==", "cpu": [ "arm64" ], @@ -470,9 +470,9 @@ } }, "node_modules/@esbuild/win32-ia32": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.7.tgz", - "integrity": "sha512-SmwKXe6VHIyZYbBLJrhOoCJRB/Z1tckzmgTLfFYOfpMAx63BJEaL9ExI8x7v0oAO3Zh6D/Oi1gVxEYr5oUCFhw==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.28.0.tgz", + "integrity": "sha512-zF3ag/gfiCe6U2iczcRzSYJKH1DCI+ByzSENHlM2FcDbEeo5Zd2C86Aq0tKUYAJJ1obRP84ymxIAksZUcdztHA==", "cpu": [ "ia32" ], @@ -487,9 +487,9 @@ } }, "node_modules/@esbuild/win32-x64": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.7.tgz", - "integrity": "sha512-56hiAJPhwQ1R4i+21FVF7V8kSD5zZTdHcVuRFMW0hn753vVfQN8xlx4uOPT4xoGH0Z/oVATuR82AiqSTDIpaHg==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.28.0.tgz", + "integrity": "sha512-pEl1bO9mfAmIC+tW5btTmrKaujg3zGtUmWNdCw/xs70FBjwAL3o9OEKNHvNmnyylD6ubxUERiEhdsL0xBQ9efw==", "cpu": [ "x64" ], @@ -563,9 +563,9 @@ } }, "node_modules/@napi-rs/wasm-runtime": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.3.tgz", - "integrity": "sha512-xK9sGVbJWYb08+mTJt3/YV24WxvxpXcXtP6B172paPZ+Ts69Re9dAr7lKwJoeIx8OoeuimEiRZ7umkiUVClmmQ==", + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz", + "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==", "dev": true, "license": "MIT", "optional": true, @@ -582,9 +582,9 @@ } }, "node_modules/@oxc-project/types": { - "version": "0.124.0", - "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz", - "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==", + "version": "0.129.0", + "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.129.0.tgz", + "integrity": "sha512-3oz8m3FGdr2nDXVqmFUw7jolKliC4MoyXYIG2c7gpjBnzUWQpUGIYcXYKxTdTi+N2jusvt610ckTMkxdwHkYEg==", "dev": true, "license": "MIT", "funding": { @@ -592,9 +592,9 @@ } }, "node_modules/@rolldown/binding-android-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0.tgz", + "integrity": "sha512-TWMZnRLMe63C2Lhyicviu7ZHaU4kxa6PS3rofvc9GmcvptzNN11BcfQ4Sl7MwTOsisQoa2keB/EBdNCAnUo8vA==", "cpu": [ "arm64" ], @@ -609,9 +609,9 @@ } }, "node_modules/@rolldown/binding-darwin-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0.tgz", + "integrity": "sha512-6XcD+8k0gPVItNagEw78/qqcBDwKcwDYS8V2hRmVsfUSIrd8cWe/CBvRDI5toqFyPfj+FJr6t8U6Xj2P2prEew==", "cpu": [ "arm64" ], @@ -626,9 +626,9 @@ } }, "node_modules/@rolldown/binding-darwin-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0.tgz", + "integrity": "sha512-iN/tWVXRQDWvmZlKdceP1Dwug9GDpEymhb9p4xnEe6zvCg5lFmzVljl+1qR1NVx3yfGpr2Na+CuLmv5IU8uzfQ==", "cpu": [ "x64" ], @@ -643,9 +643,9 @@ } }, "node_modules/@rolldown/binding-freebsd-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0.tgz", + "integrity": "sha512-jjQMDvvwSOuhOwMszD/klSOjyWMM3zI64hWTj9KT5x4MxRbZAf+7vLQ6qouRhtsLVFHr3f0ILaJAfgENPiQdAQ==", "cpu": [ "x64" ], @@ -660,9 +660,9 @@ } }, "node_modules/@rolldown/binding-linux-arm-gnueabihf": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz", - "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0.tgz", + "integrity": "sha512-d//Dtg2x6/m3mbV64yUGNnDGNZaDGRpDLLNGerHQUVObuNaIQaaDp25yUiqGXtHEXX+NP2d0wAlmKgpYgIAJ2A==", "cpu": [ "arm" ], @@ -677,9 +677,9 @@ } }, "node_modules/@rolldown/binding-linux-arm64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0.tgz", + "integrity": "sha512-n7Ofp0mx+aB2cC+Sdy5YtMnXtY9lchnHbY+3Yt0uq9JsWQExf4f5Whu0tK0R8Jdc9S6RchTHjIFY7uc92puOVQ==", "cpu": [ "arm64" ], @@ -694,9 +694,9 @@ } }, "node_modules/@rolldown/binding-linux-arm64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0.tgz", + "integrity": "sha512-EIVjy2cgd7uuMMo94FVkBp7F6DhcZAUwNURkSG3RwUmvAXR6s0ISxM81U+IydcZByPG0pZIHsf1b6kTxoFDgJA==", "cpu": [ "arm64" ], @@ -711,9 +711,9 @@ } }, "node_modules/@rolldown/binding-linux-ppc64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0.tgz", + "integrity": "sha512-JEwwOPcwTLAcpDQlqSmjEmfs63xJnSiUNIGvLcDLUHCWK4XowpS/7c7tUsUH6uT/ct6bMUTdXKfI8967FYj6mg==", "cpu": [ "ppc64" ], @@ -728,9 +728,9 @@ } }, "node_modules/@rolldown/binding-linux-s390x-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0.tgz", + "integrity": "sha512-0wjCFhLrihtAubnT9iA0N++0pSV0z5Hg7tNGdNJ4RFaINceHadoF+kiFGyY1qSSNVIAZtLotG8Ju1bgDPkjnFA==", "cpu": [ "s390x" ], @@ -745,9 +745,9 @@ } }, "node_modules/@rolldown/binding-linux-x64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0.tgz", + "integrity": "sha512-Dfn7iak9BcMMePxcoJfpSbWqnEyrp/dRF63/8qW/eHBdOZov6x5aShLLEYGYdIeSJ6vMLK/XCVB+lGIxm41bQA==", "cpu": [ "x64" ], @@ -762,9 +762,9 @@ } }, "node_modules/@rolldown/binding-linux-x64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0.tgz", + "integrity": "sha512-5/utzzDmD/pD/bmuaUcbTf/sZYy0aztwIVlfpoW1fTjCZ0BaPOMVWGZL1zvgxyi7ZIVYWlxKONHmSbHuiOh8Jw==", "cpu": [ "x64" ], @@ -779,9 +779,9 @@ } }, "node_modules/@rolldown/binding-openharmony-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0.tgz", + "integrity": "sha512-ouJs8VcUomfLfpbUECqFMRqdV4x6aeAK3MA4m6vTrJJjKyWTV5KnxZx7Jd9G+GlDaQQxubcba00x16OyJ1meig==", "cpu": [ "arm64" ], @@ -796,9 +796,9 @@ } }, "node_modules/@rolldown/binding-wasm32-wasi": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz", - "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0.tgz", + "integrity": "sha512-E+oHKGiDA+lsKMmFtffDDw91EryDT7uJocrIuCHqhm6bCTM6xFK+3gaCkYOHfPwQr0cCNarSM2xaELoQDz9jJg==", "cpu": [ "wasm32" ], @@ -806,18 +806,18 @@ "license": "MIT", "optional": true, "dependencies": { - "@emnapi/core": "1.9.2", - "@emnapi/runtime": "1.9.2", - "@napi-rs/wasm-runtime": "^1.1.3" + "@emnapi/core": "1.10.0", + "@emnapi/runtime": "1.10.0", + "@napi-rs/wasm-runtime": "^1.1.4" }, "engines": { - "node": ">=14.0.0" + "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@rolldown/binding-win32-arm64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0.tgz", + "integrity": "sha512-yYK02n8Rngo+gbm1y6G0+7jk1sJ/2Wt7K0me0Y7k/ErBpyf+LJ2gFpqWVTcRV1rUepBlQRmpgWkTQCiiwrK0Ow==", "cpu": [ "arm64" ], @@ -832,9 +832,9 @@ } }, "node_modules/@rolldown/binding-win32-x64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0.tgz", + "integrity": "sha512-14bpChMahXRRXiTwahSl+zzHPW6qQTXtkMuJBFlbo+pqSAews2d4BdCSHfrJ/MBsCZtpmTafsY+1QhBzitcmdg==", "cpu": [ "x64" ], @@ -849,9 +849,9 @@ } }, "node_modules/@rolldown/pluginutils": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz", - "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0.tgz", + "integrity": "sha512-aKs/3GSWyV0mrhNmt/96/Z3yczC3yvrzYATCiCXQebBsGyYzjNdUphRVLeJQ67ySKVXRfMxt2lm12pmXvbPFQQ==", "dev": true, "license": "MIT" }, @@ -863,9 +863,9 @@ "license": "MIT" }, "node_modules/@tybys/wasm-util": { - "version": "0.10.1", - "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.1.tgz", - "integrity": "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==", + "version": "0.10.2", + "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.2.tgz", + "integrity": "sha512-RoBvJ2X0wuKlWFIjrwffGw1IqZHKQqzIchKaadZZfnNpsAYp2mM0h36JtPCjNDAHGgYez/15uMBpfGwchhiMgg==", "dev": true, "license": "MIT", "optional": true, @@ -892,20 +892,20 @@ "license": "MIT" }, "node_modules/@types/estree": { - "version": "1.0.8", - "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz", - "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==", + "version": "1.0.9", + "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.9.tgz", + "integrity": "sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg==", "dev": true, "license": "MIT" }, "node_modules/@types/node": { - "version": "25.6.0", - "resolved": "https://registry.npmjs.org/@types/node/-/node-25.6.0.tgz", - "integrity": "sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ==", + "version": "25.9.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.0.tgz", + "integrity": "sha512-AOQwYUNolgy3VosiRqXrACUXTN8nJUtPl7FJXMqZVyxiiCLhQuG3jXKvCS1ALr+Y2OmZhzzLVlYPEqJaiqkaJQ==", "dev": true, "license": "MIT", "dependencies": { - "undici-types": "~7.19.0" + "undici-types": ">=7.24.0 <7.24.7" } }, "node_modules/@types/ssh2": { @@ -936,16 +936,16 @@ "license": "MIT" }, "node_modules/@vitest/expect": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.4.tgz", - "integrity": "sha512-iPBpra+VDuXmBFI3FMKHSFXp3Gx5HfmSCE8X67Dn+bwephCnQCaB7qWK2ldHa+8ncN8hJU8VTMcxjPpyMkUjww==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.6.tgz", + "integrity": "sha512-7EHDquPthALSV0jhhjgEW8FXaviMx7rSqu8W6oqCoAuOhKov814P99QDV1pxMA3QPv21YudvJngIhjrNI4opLg==", "dev": true, "license": "MIT", "dependencies": { "@standard-schema/spec": "^1.1.0", "@types/chai": "^5.2.2", - "@vitest/spy": "4.1.4", - "@vitest/utils": "4.1.4", + "@vitest/spy": "4.1.6", + "@vitest/utils": "4.1.6", "chai": "^6.2.2", "tinyrainbow": "^3.1.0" }, @@ -954,13 +954,13 @@ } }, "node_modules/@vitest/mocker": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.4.tgz", - "integrity": "sha512-R9HTZBhW6yCSGbGQnDnH3QHfJxokKN4KB+Yvk9Q1le7eQNYwiCyKxmLmurSpFy6BzJanSLuEUDrD+j97Q+ZLPg==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.6.tgz", + "integrity": "sha512-MCFc63czMjEInOlcY2cpQCvCN+KgbAn+60xu9cMgP4sKaLC5JNAKw7JH8QdAnoAC88hW1IiSNZ+GgVXlN1UcMQ==", "dev": true, "license": "MIT", "dependencies": { - "@vitest/spy": "4.1.4", + "@vitest/spy": "4.1.6", "estree-walker": "^3.0.3", "magic-string": "^0.30.21" }, @@ -981,9 +981,9 @@ } }, "node_modules/@vitest/pretty-format": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.4.tgz", - "integrity": "sha512-ddmDHU0gjEUyEVLxtZa7xamrpIefdEETu3nZjWtHeZX4QxqJ7tRxSteHVXJOcr8jhiLoGAhkK4WJ3WqBpjx42A==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.6.tgz", + "integrity": "sha512-h5SxD/IzNhZYnrSZRsUZQIC+vD0GY8cUvq0iwsmkFKixRCKLLWqCXa/FIQ4S1R+sI+PGoojkHsdNrbZiM9Qpgw==", "dev": true, "license": "MIT", "dependencies": { @@ -994,13 +994,13 @@ } }, "node_modules/@vitest/runner": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.4.tgz", - "integrity": "sha512-xTp7VZ5aXP5ZJrn15UtJUWlx6qXLnGtF6jNxHepdPHpMfz/aVPx+htHtgcAL2mDXJgKhpoo2e9/hVJsIeFbytQ==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.6.tgz", + "integrity": "sha512-nOPCmn2+yD0ZNmKdsXGv/UxMMWbMuKeD6GyYncNwdkYDxpQvrPSKYj2rWuDjC2Y4b6w6hjip5dBKFzEUuZe3vA==", "dev": true, "license": "MIT", "dependencies": { - "@vitest/utils": "4.1.4", + "@vitest/utils": "4.1.6", "pathe": "^2.0.3" }, "funding": { @@ -1008,14 +1008,14 @@ } }, "node_modules/@vitest/snapshot": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.4.tgz", - "integrity": "sha512-MCjCFgaS8aZz+m5nTcEcgk/xhWv0rEH4Yl53PPlMXOZ1/Ka2VcZU6CJ+MgYCZbcJvzGhQRjVrGQNZqkGPttIKw==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.6.tgz", + "integrity": "sha512-YhsdE6xAVfTDmzjxL2ZDUvjj+ZsgyOKe+TdQzqkD72wIOmHka8NuGQ6NpTNZv9D2Z63fbwWKJPeVpEw4EQgYxw==", "dev": true, "license": "MIT", "dependencies": { - "@vitest/pretty-format": "4.1.4", - "@vitest/utils": "4.1.4", + "@vitest/pretty-format": "4.1.6", + "@vitest/utils": "4.1.6", "magic-string": "^0.30.21", "pathe": "^2.0.3" }, @@ -1024,9 +1024,9 @@ } }, "node_modules/@vitest/spy": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.4.tgz", - "integrity": "sha512-XxNdAsKW7C+FLydqFJLb5KhJtl3PGCMmYwFRfhvIgxJvLSXhhVI1zM8f1qD3Zg7RCjTSzDVyct6sghs9UEgBEQ==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.6.tgz", + "integrity": "sha512-JFKxMx6udhwKh/Ldo270e17QX710vgunMkuPAvXjHSvC6oqLWAHhVhjg/I71q0u0CBSErIODV1Kjv0FQNSWjdg==", "dev": true, "license": "MIT", "funding": { @@ -1034,13 +1034,13 @@ } }, "node_modules/@vitest/utils": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.4.tgz", - "integrity": "sha512-13QMT+eysM5uVGa1rG4kegGYNp6cnQcsTc67ELFbhNLQO+vgsygtYJx2khvdt4gVQqSSpC/KT5FZZxUpP3Oatw==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.6.tgz", + "integrity": "sha512-FxIY+U81R3LGKCxaHHFRQ5+g6/iRgGLmeHWdp2Amj4ljQRrEIWHmZyDfDYBRZlpyqA7qKxtS9DD1dhk8RnRIVQ==", "dev": true, "license": "MIT", "dependencies": { - "@vitest/pretty-format": "4.1.4", + "@vitest/pretty-format": "4.1.6", "convert-source-map": "^2.0.0", "tinyrainbow": "^3.1.0" }, @@ -1398,9 +1398,9 @@ } }, "node_modules/esbuild": { - "version": "0.27.7", - "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.7.tgz", - "integrity": "sha512-IxpibTjyVnmrIQo5aqNpCgoACA/dTKLTlhMHihVHhdkxKyPO1uBBthumT0rdHmcsk9uMonIWS0m4FljWzILh3w==", + "version": "0.28.0", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.28.0.tgz", + "integrity": "sha512-sNR9MHpXSUV/XB4zmsFKN+QgVG82Cc7+/aaxJ8Adi8hyOac+EXptIp45QBPaVyX3N70664wRbTcLTOemCAnyqw==", "dev": true, "hasInstallScript": true, "license": "MIT", @@ -1411,32 +1411,32 @@ "node": ">=18" }, "optionalDependencies": { - "@esbuild/aix-ppc64": "0.27.7", - "@esbuild/android-arm": "0.27.7", - "@esbuild/android-arm64": "0.27.7", - "@esbuild/android-x64": "0.27.7", - "@esbuild/darwin-arm64": "0.27.7", - "@esbuild/darwin-x64": "0.27.7", - "@esbuild/freebsd-arm64": "0.27.7", - "@esbuild/freebsd-x64": "0.27.7", - "@esbuild/linux-arm": "0.27.7", - "@esbuild/linux-arm64": "0.27.7", - "@esbuild/linux-ia32": "0.27.7", - "@esbuild/linux-loong64": "0.27.7", - "@esbuild/linux-mips64el": "0.27.7", - "@esbuild/linux-ppc64": "0.27.7", - "@esbuild/linux-riscv64": "0.27.7", - "@esbuild/linux-s390x": "0.27.7", - "@esbuild/linux-x64": "0.27.7", - "@esbuild/netbsd-arm64": "0.27.7", - "@esbuild/netbsd-x64": "0.27.7", - "@esbuild/openbsd-arm64": "0.27.7", - "@esbuild/openbsd-x64": "0.27.7", - "@esbuild/openharmony-arm64": "0.27.7", - "@esbuild/sunos-x64": "0.27.7", - "@esbuild/win32-arm64": "0.27.7", - "@esbuild/win32-ia32": "0.27.7", - "@esbuild/win32-x64": "0.27.7" + "@esbuild/aix-ppc64": "0.28.0", + "@esbuild/android-arm": "0.28.0", + "@esbuild/android-arm64": "0.28.0", + "@esbuild/android-x64": "0.28.0", + "@esbuild/darwin-arm64": "0.28.0", + "@esbuild/darwin-x64": "0.28.0", + "@esbuild/freebsd-arm64": "0.28.0", + "@esbuild/freebsd-x64": "0.28.0", + "@esbuild/linux-arm": "0.28.0", + "@esbuild/linux-arm64": "0.28.0", + "@esbuild/linux-ia32": "0.28.0", + "@esbuild/linux-loong64": "0.28.0", + "@esbuild/linux-mips64el": "0.28.0", + "@esbuild/linux-ppc64": "0.28.0", + "@esbuild/linux-riscv64": "0.28.0", + "@esbuild/linux-s390x": "0.28.0", + "@esbuild/linux-x64": "0.28.0", + "@esbuild/netbsd-arm64": "0.28.0", + "@esbuild/netbsd-x64": "0.28.0", + "@esbuild/openbsd-arm64": "0.28.0", + "@esbuild/openbsd-x64": "0.28.0", + "@esbuild/openharmony-arm64": "0.28.0", + "@esbuild/sunos-x64": "0.28.0", + "@esbuild/win32-arm64": "0.28.0", + "@esbuild/win32-ia32": "0.28.0", + "@esbuild/win32-x64": "0.28.0" } }, "node_modules/escape-html": { @@ -1696,19 +1696,6 @@ "node": ">= 0.4" } }, - "node_modules/get-tsconfig": { - "version": "4.13.7", - "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz", - "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==", - "dev": true, - "license": "MIT", - "dependencies": { - "resolve-pkg-maps": "^1.0.0" - }, - "funding": { - "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1" - } - }, "node_modules/gopd": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", @@ -2187,9 +2174,9 @@ "optional": true }, "node_modules/nanoid": { - "version": "3.3.11", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz", - "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==", + "version": "3.3.12", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz", + "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==", "dev": true, "funding": [ { @@ -2332,9 +2319,9 @@ } }, "node_modules/postcss": { - "version": "8.5.9", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz", - "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==", + "version": "8.5.14", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.14.tgz", + "integrity": "sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==", "dev": true, "funding": [ { @@ -2421,25 +2408,15 @@ "node": ">=0.10.0" } }, - "node_modules/resolve-pkg-maps": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz", - "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==", - "dev": true, - "license": "MIT", - "funding": { - "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1" - } - }, "node_modules/rolldown": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz", - "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0.tgz", + "integrity": "sha512-yD986aXDESFGS95spT1LAv0jssywP4npMEjmMHyN2/5+eE8qQJUype2AaKkRiLgBgyD0LFlubwAht7VmY8rGoA==", "dev": true, "license": "MIT", "dependencies": { - "@oxc-project/types": "=0.124.0", - "@rolldown/pluginutils": "1.0.0-rc.15" + "@oxc-project/types": "=0.129.0", + "@rolldown/pluginutils": "1.0.0" }, "bin": { "rolldown": "bin/cli.mjs" @@ -2448,21 +2425,21 @@ "node": "^20.19.0 || >=22.12.0" }, "optionalDependencies": { - "@rolldown/binding-android-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-x64": "1.0.0-rc.15", - "@rolldown/binding-freebsd-x64": "1.0.0-rc.15", - "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15", - "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15", - "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15", - "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15", - "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15", - "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15" + "@rolldown/binding-android-arm64": "1.0.0", + "@rolldown/binding-darwin-arm64": "1.0.0", + "@rolldown/binding-darwin-x64": "1.0.0", + "@rolldown/binding-freebsd-x64": "1.0.0", + "@rolldown/binding-linux-arm-gnueabihf": "1.0.0", + "@rolldown/binding-linux-arm64-gnu": "1.0.0", + "@rolldown/binding-linux-arm64-musl": "1.0.0", + "@rolldown/binding-linux-ppc64-gnu": "1.0.0", + "@rolldown/binding-linux-s390x-gnu": "1.0.0", + "@rolldown/binding-linux-x64-gnu": "1.0.0", + "@rolldown/binding-linux-x64-musl": "1.0.0", + "@rolldown/binding-openharmony-arm64": "1.0.0", + "@rolldown/binding-wasm32-wasi": "1.0.0", + "@rolldown/binding-win32-arm64-msvc": "1.0.0", + "@rolldown/binding-win32-x64-msvc": "1.0.0" } }, "node_modules/router": { @@ -2750,14 +2727,13 @@ "optional": true }, "node_modules/tsx": { - "version": "4.21.0", - "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz", - "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==", + "version": "4.22.2", + "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.22.2.tgz", + "integrity": "sha512-6w9FwtT8WQqRAyTNR+Z+86kghRqpmOLjXUrBlBT6T+CQGDuIMm0VmAqaFUFBIeKDTGobE6/YSigZYLeomzBaRg==", "dev": true, "license": "MIT", "dependencies": { - "esbuild": "~0.27.0", - "get-tsconfig": "^4.7.5" + "esbuild": "~0.28.0" }, "bin": { "tsx": "dist/cli.mjs" @@ -2804,9 +2780,9 @@ } }, "node_modules/undici-types": { - "version": "7.19.2", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.19.2.tgz", - "integrity": "sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg==", + "version": "7.24.6", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.24.6.tgz", + "integrity": "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg==", "dev": true, "license": "MIT" }, @@ -2829,17 +2805,17 @@ } }, "node_modules/vite": { - "version": "8.0.8", - "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz", - "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==", + "version": "8.0.12", + "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.12.tgz", + "integrity": "sha512-w2dDofOWv2QB09ZITZBsvKTVAlYvPR4IAmrY/v0ir9KvLs0xybR7i48wxhM1/oyBWO34wPns+bPGw5ZrZqDpZg==", "dev": true, "license": "MIT", "dependencies": { "lightningcss": "^1.32.0", "picomatch": "^4.0.4", - "postcss": "^8.5.8", - "rolldown": "1.0.0-rc.15", - "tinyglobby": "^0.2.15" + "postcss": "^8.5.14", + "rolldown": "1.0.0", + "tinyglobby": "^0.2.16" }, "bin": { "vite": "bin/vite.js" @@ -2855,7 +2831,7 @@ }, "peerDependencies": { "@types/node": "^20.19.0 || >=22.12.0", - "@vitejs/devtools": "^0.1.0", + "@vitejs/devtools": "^0.1.18", "esbuild": "^0.27.0 || ^0.28.0", "jiti": ">=1.21.0", "less": "^4.0.0", @@ -2907,19 +2883,19 @@ } }, "node_modules/vitest": { - "version": "4.1.4", - "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.4.tgz", - "integrity": "sha512-tFuJqTxKb8AvfyqMfnavXdzfy3h3sWZRWwfluGbkeR7n0HUev+FmNgZ8SDrRBTVrVCjgH5cA21qGbCffMNtWvg==", + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.6.tgz", + "integrity": "sha512-6lvjbS3p9b4CrdCmguzbh2/4uoXhGE2q71R4OX5sqF9R1bo9Xd6fGrMAfvp5wnCzlBnFVdCOp6onuTQVbo8iUQ==", "dev": true, "license": "MIT", "dependencies": { - "@vitest/expect": "4.1.4", - "@vitest/mocker": "4.1.4", - "@vitest/pretty-format": "4.1.4", - "@vitest/runner": "4.1.4", - "@vitest/snapshot": "4.1.4", - "@vitest/spy": "4.1.4", - "@vitest/utils": "4.1.4", + "@vitest/expect": "4.1.6", + "@vitest/mocker": "4.1.6", + "@vitest/pretty-format": "4.1.6", + "@vitest/runner": "4.1.6", + "@vitest/snapshot": "4.1.6", + "@vitest/spy": "4.1.6", + "@vitest/utils": "4.1.6", "es-module-lexer": "^2.0.0", "expect-type": "^1.3.0", "magic-string": "^0.30.21", @@ -2947,12 +2923,12 @@ "@edge-runtime/vm": "*", "@opentelemetry/api": "^1.9.0", "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0", - "@vitest/browser-playwright": "4.1.4", - "@vitest/browser-preview": "4.1.4", - "@vitest/browser-webdriverio": "4.1.4", - "@vitest/coverage-istanbul": "4.1.4", - "@vitest/coverage-v8": "4.1.4", - "@vitest/ui": "4.1.4", + "@vitest/browser-playwright": "4.1.6", + "@vitest/browser-preview": "4.1.6", + "@vitest/browser-webdriverio": "4.1.6", + "@vitest/coverage-istanbul": "4.1.6", + "@vitest/coverage-v8": "4.1.6", + "@vitest/ui": "4.1.6", "happy-dom": "*", "jsdom": "*", "vite": "^6.0.0 || ^7.0.0 || ^8.0.0" diff --git a/mcp-server/package.json b/mcp-server/package.json index ce7fefb..0413c8c 100644 --- a/mcp-server/package.json +++ b/mcp-server/package.json @@ -1,6 +1,6 @@ { "name": "@tmhs/homelab-mcp", - "version": "0.10.0", + "version": "0.14.0", "description": "MCP server for home lab operations via SSH - 50 tools for system status, Docker Compose management, service health, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, certificates, multi-node, diagnostics, and administration on a Raspberry Pi.", "type": "module", "main": "dist/index.js", @@ -29,11 +29,11 @@ "zod": "^3.23.0" }, "devDependencies": { - "@types/node": "^25.6.0", + "@types/node": "^25.9.0", "@types/ssh2": "^1.15.0", - "tsx": "^4.19.0", + "tsx": "^4.22.2", "typescript": "^6.0.3", - "vitest": "^4.1.4" + "vitest": "^4.1.6" }, "license": "CC-BY-NC-ND-4.0", "repository": { diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts index b3a2935..a525135 100644 --- a/mcp-server/src/index.ts +++ b/mcp-server/src/index.ts @@ -56,7 +56,7 @@ import { register as registerDiagnostics } from "./tools/diagnostics.js"; const server = new McpServer({ name: "homelab-mcp", - version: "0.10.0", + version: "0.14.0", }); registerPiStatus(server); diff --git a/mcp-server/src/tools/__tests__/input-validation.test.ts b/mcp-server/src/tools/__tests__/input-validation.test.ts index d122a04..0beeb20 100644 --- a/mcp-server/src/tools/__tests__/input-validation.test.ts +++ b/mcp-server/src/tools/__tests__/input-validation.test.ts @@ -31,16 +31,30 @@ describe("input validation schemas", () => { describe("serviceRestart", () => { const schema = z.object({ service: z.string().min(1), + confirm: z.boolean(), }); it("rejects empty service name", () => { - expect(() => schema.parse({ service: "" })).toThrow(); + expect(() => schema.parse({ service: "", confirm: true })).toThrow(); }); it("accepts valid service name", () => { - const result = schema.parse({ service: "nginx-proxy-manager" }); + const result = schema.parse({ service: "nginx-proxy-manager", confirm: true }); expect(result.service).toBe("nginx-proxy-manager"); }); + + it("rejects missing confirm", () => { + expect(() => schema.parse({ service: "prometheus" })).toThrow(); + }); + + it("rejects non-boolean confirm", () => { + expect(() => schema.parse({ service: "prometheus", confirm: "yes" })).toThrow(); + }); + + it("accepts boolean confirm", () => { + const result = schema.parse({ service: "prometheus", confirm: true }); + expect(result.confirm).toBe(true); + }); }); describe("piReboot", () => { @@ -139,19 +153,64 @@ describe("input validation schemas", () => { describe("composeUp", () => { const schema = z.object({ stacks: z.array(z.string()).optional(), + confirm: z.boolean(), + }); + + it("rejects missing confirm", () => { + expect(() => schema.parse({})).toThrow(); + }); + + it("rejects non-boolean confirm", () => { + expect(() => schema.parse({ confirm: "yes" })).toThrow(); + }); + + it("accepts boolean confirm", () => { + const result = schema.parse({ confirm: true }); + expect(result.confirm).toBe(true); }); it("accepts empty stacks for all", () => { - const result = schema.parse({}); + const result = schema.parse({ confirm: true }); expect(result.stacks).toBeUndefined(); }); it("accepts specific stacks", () => { - const result = schema.parse({ stacks: ["compose.monitoring.yml"] }); + const result = schema.parse({ stacks: ["compose.monitoring.yml"], confirm: true }); expect(result.stacks).toEqual(["compose.monitoring.yml"]); }); }); + describe("composeDown", () => { + const schema = z.object({ + stacks: z.array(z.string()).optional(), + removeVolumes: z.boolean().optional().default(false), + confirm: z.boolean(), + }); + + it("rejects missing confirm", () => { + expect(() => schema.parse({})).toThrow(); + }); + + it("rejects non-boolean confirm", () => { + expect(() => schema.parse({ confirm: "yes" })).toThrow(); + }); + + it("accepts boolean confirm", () => { + const result = schema.parse({ confirm: false }); + expect(result.confirm).toBe(false); + }); + + it("defaults removeVolumes to false", () => { + const result = schema.parse({ confirm: true }); + expect(result.removeVolumes).toBe(false); + }); + + it("accepts removeVolumes=true", () => { + const result = schema.parse({ confirm: true, removeVolumes: true }); + expect(result.removeVolumes).toBe(true); + }); + }); + describe("prometheusQuery", () => { const schema = z.object({ query: z.string().min(1), diff --git a/mcp-server/src/tools/__tests__/integration.test.ts b/mcp-server/src/tools/__tests__/integration.test.ts index a83001d..ee0060b 100644 --- a/mcp-server/src/tools/__tests__/integration.test.ts +++ b/mcp-server/src/tools/__tests__/integration.test.ts @@ -13,7 +13,7 @@ vi.mock("../../utils/ssh-api.js", () => ({ })), checkSSHAvailable: vi.fn(), listNodes: vi.fn(() => [ - { name: "default", host: "raspi5.local" }, + { name: "default", host: "raspberrypi.local" }, { name: "nas", host: "nas.local" }, ]), getNodeConfig: vi.fn(), @@ -116,7 +116,7 @@ describe("integration tests (mocked SSH)", () => { const handler = captureHandler(register); const result = await handler({ confirm: false }); - expect(result.content[0].text).toContain("aborted"); + expect(result.content[0].text).toContain("cancelled"); expect(mockExecSSH).not.toHaveBeenCalled(); }); @@ -129,7 +129,34 @@ describe("integration tests (mocked SSH)", () => { confirm: false, }); - expect(result.content[0].text).toContain("aborted"); + expect(result.content[0].text).toContain("cancelled"); + expect(mockExecSSH).not.toHaveBeenCalled(); + }); + + it("serviceRestart blocks when confirm=false", async () => { + const { register } = await import("../serviceRestart.js"); + const handler = captureHandler(register); + const result = await handler({ service: "grafana", confirm: false }); + + expect(result.content[0].text).toContain("cancelled"); + expect(mockExecSSH).not.toHaveBeenCalled(); + }); + + it("composeUp blocks when confirm=false", async () => { + const { register } = await import("../composeUp.js"); + const handler = captureHandler(register); + const result = await handler({ confirm: false }); + + expect(result.content[0].text).toContain("cancelled"); + expect(mockExecSSH).not.toHaveBeenCalled(); + }); + + it("composeDown blocks when confirm=false", async () => { + const { register } = await import("../composeDown.js"); + const handler = captureHandler(register); + const result = await handler({ confirm: false }); + + expect(result.content[0].text).toContain("cancelled"); expect(mockExecSSH).not.toHaveBeenCalled(); }); }); @@ -145,7 +172,7 @@ describe("integration tests (mocked SSH)", () => { const result = await handler({}); const text = result.content[0].text; - expect(text).toContain("default (raspi5.local) -- online"); + expect(text).toContain("default (raspberrypi.local) -- online"); expect(text).toContain("nas (nas.local) -- offline"); }); }); diff --git a/mcp-server/src/tools/backupRestore.ts b/mcp-server/src/tools/backupRestore.ts index 88a6102..e0f7c9f 100644 --- a/mcp-server/src/tools/backupRestore.ts +++ b/mcp-server/src/tools/backupRestore.ts @@ -2,6 +2,7 @@ import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const inputSchema = { ...nodeParam, @@ -17,9 +18,7 @@ const inputSchema = { .string() .optional() .describe("Only restore files matching this pattern (e.g. /opt/homelab/docker/)"), - confirm: z - .boolean() - .describe("Must be true to proceed with restore. Safety check."), + ...confirmParam, }; export function register(server: McpServer): void { @@ -28,15 +27,11 @@ export function register(server: McpServer): void { "Restore files from a restic backup snapshot to a target path on the Pi", inputSchema, async (args) => { + if (!args.confirm) { + return confirmCancelled("Restore"); + } + try { - if (!args.confirm) { - return { - content: [{ - type: "text" as const, - text: "Restore cancelled. Set confirm=true to proceed.", - }], - }; - } const repo = process.env.HOMELAB_BACKUP_REPO || "/mnt/backup/restic"; const includeFlag = args.include ? ` --include '${args.include}'` : ""; diff --git a/mcp-server/src/tools/backupRun.ts b/mcp-server/src/tools/backupRun.ts index b7db403..a11fc30 100644 --- a/mcp-server/src/tools/backupRun.ts +++ b/mcp-server/src/tools/backupRun.ts @@ -1,13 +1,11 @@ -import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const inputSchema = { ...nodeParam, - confirm: z - .boolean() - .describe("Must be true to trigger a backup. Safety check."), + ...confirmParam, }; export function register(server: McpServer): void { @@ -16,15 +14,11 @@ export function register(server: McpServer): void { "Trigger a restic backup on the Pi", inputSchema, async (args) => { + if (!args.confirm) { + return confirmCancelled("Backup"); + } + try { - if (!args.confirm) { - return { - content: [{ - type: "text" as const, - text: "Backup cancelled. Set confirm=true to proceed.", - }], - }; - } const output = await execSSH( "sudo /opt/backup/backup.sh 2>&1 || echo 'Backup script not found at /opt/backup/backup.sh'", diff --git a/mcp-server/src/tools/certRenew.ts b/mcp-server/src/tools/certRenew.ts index b69dfad..7c66f26 100644 --- a/mcp-server/src/tools/certRenew.ts +++ b/mcp-server/src/tools/certRenew.ts @@ -2,6 +2,7 @@ import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const inputSchema = { ...nodeParam, @@ -9,9 +10,7 @@ const inputSchema = { .string() .optional() .describe("Specific certificate name to renew. Renews all eligible certificates if omitted"), - confirm: z - .boolean() - .describe("Safety gate -- must be true to proceed with renewal"), + ...confirmParam, }; export function register(server: McpServer): void { @@ -21,12 +20,7 @@ export function register(server: McpServer): void { inputSchema, async (args) => { if (!args.confirm) { - return { - content: [{ - type: "text" as const, - text: "Renewal aborted -- set confirm=true to proceed.", - }], - }; + return confirmCancelled("Renewal"); } try { diff --git a/mcp-server/src/tools/composeDown.ts b/mcp-server/src/tools/composeDown.ts index 440229f..1f8ba6d 100644 --- a/mcp-server/src/tools/composeDown.ts +++ b/mcp-server/src/tools/composeDown.ts @@ -2,6 +2,7 @@ import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const COMPOSE_DIR = process.env.HOMELAB_COMPOSE_DIR || "/opt/homelab/docker"; @@ -16,6 +17,7 @@ const inputSchema = { .optional() .default(false) .describe("Also remove named volumes declared in compose file"), + ...confirmParam, }; export function register(server: McpServer): void { @@ -24,6 +26,10 @@ export function register(server: McpServer): void { "Stop Docker Compose stacks on the Pi", inputSchema, async (args) => { + if (!args.confirm) { + return confirmCancelled("Compose down"); + } + try { let files = "-f compose.base.yml"; if (args.stacks && args.stacks.length > 0) { diff --git a/mcp-server/src/tools/composePull.ts b/mcp-server/src/tools/composePull.ts index 4656a43..6e93956 100644 --- a/mcp-server/src/tools/composePull.ts +++ b/mcp-server/src/tools/composePull.ts @@ -13,6 +13,7 @@ const inputSchema = { .describe("Specific compose files to pull images for. Omit for all."), }; +// Intentionally ungated: pull only downloads images, does not change running state. export function register(server: McpServer): void { server.tool( "homelab_composePull", diff --git a/mcp-server/src/tools/composeUp.ts b/mcp-server/src/tools/composeUp.ts index 053635a..3ee4f5b 100644 --- a/mcp-server/src/tools/composeUp.ts +++ b/mcp-server/src/tools/composeUp.ts @@ -2,6 +2,7 @@ import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const COMPOSE_DIR = process.env.HOMELAB_COMPOSE_DIR || "/opt/homelab/docker"; @@ -11,6 +12,7 @@ const inputSchema = { .array(z.string()) .optional() .describe("Specific compose files to start (e.g. ['compose.monitoring.yml']). Omit for all."), + ...confirmParam, }; export function register(server: McpServer): void { @@ -19,6 +21,10 @@ export function register(server: McpServer): void { "Start Docker Compose stacks on the Pi", inputSchema, async (args) => { + if (!args.confirm) { + return confirmCancelled("Compose up"); + } + try { let files = "-f compose.base.yml"; if (args.stacks && args.stacks.length > 0) { diff --git a/mcp-server/src/tools/nodeExec.ts b/mcp-server/src/tools/nodeExec.ts index f5b4c7f..2188e04 100644 --- a/mcp-server/src/tools/nodeExec.ts +++ b/mcp-server/src/tools/nodeExec.ts @@ -1,13 +1,12 @@ import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const inputSchema = { node: z.string().min(1).describe("Target node name from the node registry"), command: z.string().min(1).describe("Shell command to execute on the node"), - confirm: z - .boolean() - .describe("Safety gate -- must be true to execute arbitrary commands"), + ...confirmParam, }; export function register(server: McpServer): void { @@ -17,12 +16,7 @@ export function register(server: McpServer): void { inputSchema, async (args) => { if (!args.confirm) { - return { - content: [{ - type: "text" as const, - text: "Execution aborted -- set confirm=true to proceed.", - }], - }; + return confirmCancelled("Execution"); } try { diff --git a/mcp-server/src/tools/piReboot.ts b/mcp-server/src/tools/piReboot.ts index 7c3864b..6c1a75b 100644 --- a/mcp-server/src/tools/piReboot.ts +++ b/mcp-server/src/tools/piReboot.ts @@ -1,13 +1,11 @@ -import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const inputSchema = { ...nodeParam, - confirm: z - .boolean() - .describe("Must be true to proceed with reboot. Safety check to prevent accidental reboots."), + ...confirmParam, }; export function register(server: McpServer): void { @@ -16,15 +14,11 @@ export function register(server: McpServer): void { "Safely reboot the Raspberry Pi. Checks for running containers before rebooting.", inputSchema, async (args) => { + if (!args.confirm) { + return confirmCancelled("Reboot"); + } + try { - if (!args.confirm) { - return { - content: [{ - type: "text" as const, - text: "Reboot cancelled. Set confirm=true to proceed.", - }], - }; - } const containers = await execSSH( "docker ps --format '{{.Names}}' 2>/dev/null | wc -l", diff --git a/mcp-server/src/tools/serviceRestart.ts b/mcp-server/src/tools/serviceRestart.ts index e01ff2e..108cbbd 100644 --- a/mcp-server/src/tools/serviceRestart.ts +++ b/mcp-server/src/tools/serviceRestart.ts @@ -2,10 +2,12 @@ import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const inputSchema = { ...nodeParam, service: z.string().min(1).describe("Container name to restart"), + ...confirmParam, }; export function register(server: McpServer): void { @@ -14,6 +16,10 @@ export function register(server: McpServer): void { "Restart a Docker container on the Pi", inputSchema, async (args) => { + if (!args.confirm) { + return confirmCancelled("Restart"); + } + try { await execSSH(`docker restart ${args.service}`, args.node); const status = await execSSH( diff --git a/mcp-server/src/tools/sshTest.ts b/mcp-server/src/tools/sshTest.ts index b788212..18d0779 100644 --- a/mcp-server/src/tools/sshTest.ts +++ b/mcp-server/src/tools/sshTest.ts @@ -9,8 +9,8 @@ export function register(server: McpServer): void { { ...nodeParam }, async (args) => { try { - const host = process.env.HOMELAB_PI_HOST || "raspi5.local"; - const user = process.env.HOMELAB_PI_USER || "tmhs"; + const host = process.env.HOMELAB_PI_HOST || "raspberrypi.local"; + const user = process.env.HOMELAB_PI_USER || "pi"; const output = await execSSH("echo ok && hostname && uptime -p", args.node); const lines = output.split("\n"); diff --git a/mcp-server/src/tools/volumeBackup.ts b/mcp-server/src/tools/volumeBackup.ts index 98b17ad..48bd7c4 100644 --- a/mcp-server/src/tools/volumeBackup.ts +++ b/mcp-server/src/tools/volumeBackup.ts @@ -2,13 +2,12 @@ import { z } from "zod"; import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; import { execSSH, errorResponse } from "../utils/ssh-api.js"; import { nodeParam } from "../utils/node-param.js"; +import { confirmParam, confirmCancelled } from "../utils/confirm-param.js"; const inputSchema = { ...nodeParam, volume: z.string().min(1).describe("Docker volume name to back up"), - confirm: z - .boolean() - .describe("Must be true to trigger backup. Safety check."), + ...confirmParam, }; export function register(server: McpServer): void { @@ -17,15 +16,11 @@ export function register(server: McpServer): void { "Back up a specific Docker volume to the restic repository", inputSchema, async (args) => { + if (!args.confirm) { + return confirmCancelled("Volume backup"); + } + try { - if (!args.confirm) { - return { - content: [{ - type: "text" as const, - text: "Volume backup cancelled. Set confirm=true to proceed.", - }], - }; - } const repo = process.env.HOMELAB_BACKUP_REPO || "/mnt/backup/restic"; const volumePath = `/var/lib/docker/volumes/${args.volume}/_data`; diff --git a/mcp-server/src/utils/__tests__/ssh-guard.test.ts b/mcp-server/src/utils/__tests__/ssh-guard.test.ts new file mode 100644 index 0000000..6849987 --- /dev/null +++ b/mcp-server/src/utils/__tests__/ssh-guard.test.ts @@ -0,0 +1,104 @@ +import { describe, it, expect, afterEach } from "vitest"; +import { assertCommandSafe, execSSH } from "../ssh-api.js"; +import { UnsafeCommandError } from "../errors.js"; + +describe("assertCommandSafe", () => { + afterEach(() => { + delete process.env.HOMELAB_ALLOW_DANGEROUS_COMMANDS; + delete process.env.HOMELAB_DRY_RUN; + }); + + describe("blocks catastrophic commands", () => { + it("rejects rm -rf /", () => { + expect(() => assertCommandSafe("rm -rf /")).toThrow(UnsafeCommandError); + }); + + it("rejects rm -rf --no-preserve-root /", () => { + expect(() => assertCommandSafe("rm -rf --no-preserve-root /")).toThrow(UnsafeCommandError); + }); + + it("rejects mkfs on block device", () => { + expect(() => assertCommandSafe("mkfs.ext4 /dev/sda")).toThrow(UnsafeCommandError); + }); + + it("rejects dd writing to block device", () => { + expect(() => assertCommandSafe("dd if=/dev/zero of=/dev/sda")).toThrow(UnsafeCommandError); + }); + + it("rejects poweroff", () => { + expect(() => assertCommandSafe("poweroff")).toThrow(UnsafeCommandError); + }); + + it("rejects halt", () => { + expect(() => assertCommandSafe("halt")).toThrow(UnsafeCommandError); + }); + + it("rejects shutdown -h", () => { + expect(() => assertCommandSafe("sudo shutdown -h now")).toThrow(UnsafeCommandError); + }); + + it("rejects curl pipe to sh", () => { + expect(() => assertCommandSafe("curl http://x | sh")).toThrow(UnsafeCommandError); + }); + + it("rejects wget pipe to bash", () => { + expect(() => assertCommandSafe("wget -qO- http://x | bash")).toThrow(UnsafeCommandError); + }); + }); + + describe("allows legitimate commands", () => { + it("allows sudo shutdown -r (reboot)", () => { + expect(() => assertCommandSafe("sudo shutdown -r +0")).not.toThrow(); + }); + + it("allows docker compose up", () => { + expect(() => assertCommandSafe("docker compose up -d")).not.toThrow(); + }); + + it("allows df -h", () => { + expect(() => assertCommandSafe("df -h")).not.toThrow(); + }); + + it("allows restic snapshots", () => { + expect(() => assertCommandSafe("restic snapshots")).not.toThrow(); + }); + + it("allows docker restart", () => { + expect(() => assertCommandSafe("docker restart prometheus")).not.toThrow(); + }); + }); + + describe("HOMELAB_ALLOW_DANGEROUS_COMMANDS override", () => { + it("bypasses guard when set to true", () => { + process.env.HOMELAB_ALLOW_DANGEROUS_COMMANDS = "true"; + expect(() => assertCommandSafe("rm -rf /")).not.toThrow(); + }); + + it("still guards when set to false", () => { + process.env.HOMELAB_ALLOW_DANGEROUS_COMMANDS = "false"; + expect(() => assertCommandSafe("rm -rf /")).toThrow(UnsafeCommandError); + }); + }); +}); + +describe("execSSH dry-run mode", () => { + afterEach(() => { + delete process.env.HOMELAB_DRY_RUN; + delete process.env.HOMELAB_PI_HOST; + }); + + it("resolves to dry-run string without connecting", async () => { + process.env.HOMELAB_DRY_RUN = "true"; + process.env.HOMELAB_PI_HOST = "raspberrypi.local"; + + const result = await execSSH("uptime"); + expect(result).toContain("[dry-run]"); + expect(result).toContain("uptime"); + }); + + it("still rejects unsafe commands in dry-run mode", async () => { + process.env.HOMELAB_DRY_RUN = "true"; + + await expect(execSSH("rm -rf /")).rejects.toThrow(UnsafeCommandError); + }); +}); diff --git a/mcp-server/src/utils/confirm-param.ts b/mcp-server/src/utils/confirm-param.ts new file mode 100644 index 0000000..c8b1aa3 --- /dev/null +++ b/mcp-server/src/utils/confirm-param.ts @@ -0,0 +1,16 @@ +import { z } from "zod"; + +export const confirmParam = { + confirm: z.boolean().describe("Safety gate. Must be true to proceed."), +}; + +export function confirmCancelled(action: string): { + content: { type: "text"; text: string }[]; +} { + return { + content: [{ + type: "text" as const, + text: `${action} cancelled. Set confirm=true to proceed.`, + }], + }; +} diff --git a/mcp-server/src/utils/errors.ts b/mcp-server/src/utils/errors.ts index aad508e..f862d52 100644 --- a/mcp-server/src/utils/errors.ts +++ b/mcp-server/src/utils/errors.ts @@ -40,3 +40,14 @@ export class CommandFailedError extends SSHError { this.exitCode = exitCode; } } + +export class UnsafeCommandError extends SSHError { + constructor(command: string, pattern: string) { + super( + `Refused to execute potentially destructive command (matched: ${pattern}). ` + + `Set HOMELAB_ALLOW_DANGEROUS_COMMANDS=true to override.`, + command, + ); + this.name = "UnsafeCommandError"; + } +} diff --git a/mcp-server/src/utils/ssh-api.ts b/mcp-server/src/utils/ssh-api.ts index 4abb017..f476aee 100644 --- a/mcp-server/src/utils/ssh-api.ts +++ b/mcp-server/src/utils/ssh-api.ts @@ -6,8 +6,26 @@ import { SSHAuthError, SSHTimeoutError, CommandFailedError, + UnsafeCommandError, } from "./errors.js"; +const DANGEROUS_PATTERNS: Array<[RegExp, string]> = [ + [/\brm\s+-[a-z]*r[a-z]*f?[a-z]*\s+(--no-preserve-root\s+)?\/(\s|\*|$)/i, "rm -rf /"], + [/\bmkfs(\.\w+)?\s+\/dev\//i, "mkfs on block device"], + [/\bdd\b[^|;&]*\bof=\/dev\//i, "dd to block device"], + [/:\(\)\s*\{\s*:\|:&\s*\};:/, "fork bomb"], + [/\bchmod\s+-R\s+777\s+\//, "chmod -R 777 /"], + [/\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash)\b/i, "curl|sh pipe"], + [/\b(shutdown\s+-h|halt|poweroff)\b/i, "host power off"], +]; + +export function assertCommandSafe(command: string): void { + if (process.env.HOMELAB_ALLOW_DANGEROUS_COMMANDS === "true") return; + for (const [re, label] of DANGEROUS_PATTERNS) { + if (re.test(command)) throw new UnsafeCommandError(command, label); + } +} + const CONNECT_TIMEOUT_MS = 10_000; const EXEC_TIMEOUT_MS = 30_000; @@ -19,8 +37,8 @@ interface NodeConfig { function getDefaultConfig(): NodeConfig { return { - host: process.env.HOMELAB_PI_HOST || "raspi5.local", - username: process.env.HOMELAB_PI_USER || "tmhs", + host: process.env.HOMELAB_PI_HOST || "raspberrypi.local", + username: process.env.HOMELAB_PI_USER || "pi", keyPath: process.env.HOMELAB_PI_KEY_PATH || "", }; } @@ -75,6 +93,13 @@ export async function execSSH( command: string, node?: string, ): Promise { + assertCommandSafe(command); + + if (process.env.HOMELAB_DRY_RUN && process.env.HOMELAB_DRY_RUN !== "false") { + const cfg = getNodeConfig(node); + return `[dry-run] would execute on ${cfg.host}: ${command}`; + } + const { host, username, keyPath } = getNodeConfig(node); return new Promise((resolve, reject) => { diff --git a/requirements-test.txt b/requirements-test.txt index 4b7a0c1..24e29be 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -1,2 +1,2 @@ pytest>=8.0.0 -pyyaml>=6.0 +pyyaml>=6.0.3 diff --git a/rules/inventory-consistency.mdc b/rules/inventory-consistency.mdc index 39f5338..34b1544 100644 --- a/rules/inventory-consistency.mdc +++ b/rules/inventory-consistency.mdc @@ -40,14 +40,14 @@ standards-version: 1.9.0 ```json { "pi5": { - "host": "raspi5.local", - "user": "tmhs", - "keyPath": "~/.ssh/id_ed25519_pi" + "host": "raspberrypi.local", + "user": "pi", + "keyPath": "~/.ssh/id_ed25519" }, "nas": { "host": "192.168.1.50", "user": "admin", - "keyPath": "~/.ssh/id_ed25519_nas" + "keyPath": "~/.ssh/id_ed25519" } } ``` diff --git a/skills/docker-compose-stacks/SKILL.md b/skills/docker-compose-stacks/SKILL.md index b3d1891..13bb2a4 100644 --- a/skills/docker-compose-stacks/SKILL.md +++ b/skills/docker-compose-stacks/SKILL.md @@ -121,6 +121,7 @@ Service-to-stack mapping (quick reference): ## Common Pitfalls +- **Confirm gate** -- `homelab_composeUp`, `homelab_composeDown`, and `homelab_serviceRestart` now require `confirm=true` to proceed. Calls without it return a cancellation message and do nothing. - **Pulling all stacks at once** -- avoid calling `homelab_composePull` on every stack simultaneously. The Pi has limited bandwidth and disk I/O. Update one stack at a time. diff --git a/skills/multi-node-management/SKILL.md b/skills/multi-node-management/SKILL.md index 7d4e1d9..644845c 100644 --- a/skills/multi-node-management/SKILL.md +++ b/skills/multi-node-management/SKILL.md @@ -42,9 +42,9 @@ Set the `HOMELAB_NODES` environment variable as JSON: ```json { - "pi5": { "host": "raspi5.local", "user": "tmhs", "keyPath": "~/.ssh/id_ed25519_pi" }, - "nas": { "host": "nas.local", "user": "admin", "keyPath": "~/.ssh/id_ed25519_nas" }, - "pi-zero": { "host": "pizero.local", "user": "pi", "keyPath": "~/.ssh/id_ed25519_pz" } + "pi5": { "host": "raspberrypi.local", "user": "pi", "keyPath": "~/.ssh/id_ed25519" }, + "nas": { "host": "nas.local", "user": "admin", "keyPath": "~/.ssh/id_ed25519" }, + "pi-zero": { "host": "pizero.local", "user": "pi", "keyPath": "~/.ssh/id_ed25519" } } ``` @@ -90,7 +90,7 @@ Add this to your MCP config's `env` block. The default node (from `HOMELAB_PI_*` 1. You need to add the NAS to your node registry. Update your MCP config's env to include: ```json - "HOMELAB_NODES": "{\"nas\":{\"host\":\"nas.local\",\"user\":\"admin\",\"keyPath\":\"~/.ssh/id_ed25519_nas\"}}" + "HOMELAB_NODES": "{\"nas\":{\"host\":\"nas.local\",\"user\":\"admin\",\"keyPath\":\"~/.ssh/id_ed25519\"}}" ``` 2. After restarting the MCP server, let me check both nodes. @@ -98,7 +98,7 @@ Add this to your MCP config's `env` block. The default node (from `HOMELAB_PI_*` *Calls `homelab_nodeList`* Both nodes are online: - - default (raspi5.local) -- online + - default (raspberrypi.local) -- online - nas (nas.local) -- online 3. Let me check the NAS status. diff --git a/skills/service-monitoring/SKILL.md b/skills/service-monitoring/SKILL.md index b461ab7..84ed56e 100644 --- a/skills/service-monitoring/SKILL.md +++ b/skills/service-monitoring/SKILL.md @@ -126,6 +126,7 @@ Default scrape targets: ## Common Pitfalls +- **Confirm gate** -- `homelab_serviceRestart` and `homelab_composeUp` require `confirm=true` to proceed. Omitting it returns a cancellation message without restarting or redeploying anything. - **Prometheus reload vs restart** -- Prometheus supports hot-reload via `POST /-/reload` for config changes. A full container restart is heavier and causes a brief metrics gap. Prefer reload when possible. diff --git a/skills/troubleshooting/SKILL.md b/skills/troubleshooting/SKILL.md index 36759ef..d0e730f 100644 --- a/skills/troubleshooting/SKILL.md +++ b/skills/troubleshooting/SKILL.md @@ -126,6 +126,7 @@ Use this skill when the user wants to: ## Common Pitfalls +- **Confirm gate on restart and redeploy** -- `homelab_serviceRestart`, `homelab_composeUp`, and `homelab_composeDown` require `confirm=true`. If a restart call returns "cancelled", the gate is the reason. - **Reading only the last few log lines** -- some errors are logged at startup, not at the crash. Always pull enough log history to see the initial error. - **Restarting without diagnosing** -- blindly restarting a crashing container just resets the restart counter. Find the root cause in logs first. - **Ignoring Pi throttling** -- performance degradation and random service failures can be caused by undervoltage or overheating. Always check `homelab_piStatus` for hardware issues.