From 847a1cb9a365acda342f5b653bec8571f2fb33e3 Mon Sep 17 00:00:00 2001
From: fOuttaMyPaint <TMhospitalitystrategies@gmail.com>
Date: Sun, 5 Apr 2026 16:38:07 -0400
Subject: [PATCH] v0.7.0: OS and Package Management

4 new MCP tools (aptUpgradable, aptHistory, kernelInfo, systemdServices), 2 new skills (os-update-management, performance-tuning), 1 new rule (resource-limits). 88 vitest + 250 pytest passing.

Made-with: Cursor
---
 .cursor-plugin/plugin.json                    |   4 +-
 CHANGELOG.md                                  |  17 ++
 CLAUDE.md                                     |  17 +-
 README.md                                     |  32 ++--
 ROADMAP.md                                    |  15 +-
 docs/index.html                               |  26 +++-
 mcp-server/README.md                          |   6 +-
 mcp-server/package-lock.json                  |   4 +-
 mcp-server/package.json                       |   4 +-
 mcp-server/src/index.ts                       |  10 +-
 .../tools/__tests__/input-validation.test.ts  |  66 ++++++++
 mcp-server/src/tools/aptHistory.ts            |  38 +++++
 mcp-server/src/tools/aptUpgradable.ts         |  28 ++++
 mcp-server/src/tools/kernelInfo.ts            |  31 ++++
 mcp-server/src/tools/systemdServices.ts       |  33 ++++
 rules/resource-limits.mdc                     |  76 +++++++++
 skills/os-update-management/SKILL.md          | 138 +++++++++++++++++
 skills/performance-tuning/SKILL.md            | 146 ++++++++++++++++++
 18 files changed, 656 insertions(+), 35 deletions(-)
 create mode 100644 mcp-server/src/tools/aptHistory.ts
 create mode 100644 mcp-server/src/tools/aptUpgradable.ts
 create mode 100644 mcp-server/src/tools/kernelInfo.ts
 create mode 100644 mcp-server/src/tools/systemdServices.ts
 create mode 100644 rules/resource-limits.mdc
 create mode 100644 skills/os-update-management/SKILL.md
 create mode 100644 skills/performance-tuning/SKILL.md

diff --git a/.cursor-plugin/plugin.json b/.cursor-plugin/plugin.json
index 14b6db7..17fe729 100644
--- a/.cursor-plugin/plugin.json
+++ b/.cursor-plugin/plugin.json
@@ -1,8 +1,8 @@
 {
   "name": "home-lab-developer-tools",
   "displayName": "Home Lab Developer Tools",
-  "version": "0.6.0",
-  "description": "Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors - 18 skills, 9 rules, and 37 MCP tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, and system administration on a Raspberry Pi home lab via SSH.",
+  "version": "0.7.0",
+  "description": "Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors - 20 skills, 10 rules, and 41 MCP tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, and system administration on a Raspberry Pi home lab via SSH.",
   "author": {
     "name": "TMHSDigital",
     "url": "https://github.com/TMHSDigital"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4dc9c1..3ad1470 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.7.0] - 2026-04-05
+
+### Added
+
+- 4 new MCP tools for OS and package management
+  - `homelab_aptUpgradable` -- list upgradable packages with current and candidate versions
+  - `homelab_aptHistory` -- show recent apt install, upgrade, and remove history
+  - `homelab_kernelInfo` -- kernel version, boot parameters, and loaded modules
+  - `homelab_systemdServices` -- list systemd units or get status of a specific unit
+- 2 new skills
+  - `os-update-management` -- unattended-upgrades config, kernel updates, reboot scheduling
+  - `performance-tuning` -- kernel params, swap config, I/O scheduler, GPU memory split
+- 1 new rule
+  - `resource-limits` -- flag Docker Compose services without memory or CPU limits
+- Input validation tests for all 4 new tools
+
 ## [0.6.0] - 2026-04-05
 
 ### Added
@@ -121,6 +137,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Full documentation (README, CLAUDE.md, CONTRIBUTING, ROADMAP, SECURITY)
 - Project logo (assets/logo.png)
 
+[0.7.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.7.0
 [0.6.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.6.0
 [0.5.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.5.0
 [0.4.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.4.0
diff --git a/CLAUDE.md b/CLAUDE.md
index 3c8c653..c0c58f3 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -4,13 +4,13 @@ Project documentation for Claude Code and AI assistants working on this reposito
 
 ## Project Overview
 
-Home Lab Developer Tools integrates home lab and Raspberry Pi workflows into AI-assisted development. It includes 18 skills, 9 rules, and a companion MCP server with 37 tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, and system administration via SSH.
+Home Lab Developer Tools integrates home lab and Raspberry Pi workflows into AI-assisted development. It includes 20 skills, 10 rules, and a companion MCP server with 41 tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, and system administration via SSH.
 
 **Works with:** Cursor (plugin), Claude Code (terminal and in-editor), and any MCP-compatible client.
 
 This is a monorepo -- the skills, rules, and companion MCP server live in the same repository. The MCP server connects to a Raspberry Pi via SSH to execute commands.
 
-**Version:** 0.6.0
+**Version:** 0.7.0
 **License:** CC-BY-NC-ND-4.0
 **npm:** @tmhs/homelab-mcp
 **Author:** TMHSDigital
@@ -38,7 +38,7 @@ Home-Lab-Developer-Tools/
   tests/                     # Python structure tests
 ```
 
-## Skills (18)
+## Skills (20)
 
 | Skill | Description |
 |-------|-------------|
@@ -58,10 +58,12 @@ Home-Lab-Developer-Tools/
 | secrets-management | Vaultwarden, env vars, Docker secrets, credential auditing |
 | log-analysis | Structured log querying, journald workflows, container log searching |
 | notification-workflows | Ntfy setup, alert routing, notification pipelines |
+| os-update-management | Unattended-upgrades, kernel updates, reboot scheduling |
+| performance-tuning | Kernel params, swap config, I/O scheduler, GPU memory split |
 | storage-management | Samba, Syncthing, volumes, disk monitoring |
 | troubleshooting | Debug crashes, network issues, hardware problems |
 
-## Rules (9)
+## Rules (10)
 
 | Rule | Scope | Description |
 |------|-------|-------------|
@@ -74,8 +76,9 @@ Home-Lab-Developer-Tools/
 | backup-coverage | compose*.yml | Flag Docker volumes not covered by any backup job |
 | privileged-containers | compose*.yml | Flag containers with elevated privileges or missing security opts |
 | weak-credentials | compose*.yml, .env* | Flag default/weak passwords and insecure credential storage |
+| resource-limits | compose*.yml | Flag containers without memory or CPU limits |
 
-## MCP Tools (37)
+## MCP Tools (41)
 
 All tools connect to the Pi via SSH using environment variables for configuration.
 
@@ -117,6 +120,10 @@ All tools connect to the Pi via SSH using environment variables for configuratio
 | `homelab_logSearch` | Search across container logs with grep patterns |
 | `homelab_ntfySend` | Send a push notification via Ntfy |
 | `homelab_ntfyTopics` | List Ntfy topics and recent messages |
+| `homelab_aptUpgradable` | List upgradable packages with version details |
+| `homelab_aptHistory` | Show recent apt install/upgrade/remove history |
+| `homelab_kernelInfo` | Kernel version, boot parameters, loaded modules |
+| `homelab_systemdServices` | List systemd units or get status of a specific unit |
 | `homelab_sshTest` | Test SSH connectivity |
 
 ## Development
diff --git a/README.md b/README.md
index c1547fa..295830d 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@
 </p>
 
 <p align="center">
-  <strong>18 skills &nbsp;&bull;&nbsp; 9 rules &nbsp;&bull;&nbsp; 37 MCP tools</strong>
+  <strong>20 skills &nbsp;&bull;&nbsp; 10 rules &nbsp;&bull;&nbsp; 41 MCP tools</strong>
 </p>
 
 ---
@@ -41,9 +41,9 @@ This project works with any AI coding tool that supports skills, rules, or MCP:
 | Component | Cursor | Claude Code (terminal) | Claude Code in Cursor | Other MCP clients |
 |---|:---:|:---:|:---:|:---:|
 | **CLAUDE.md** context | Yes | Yes | Yes | - |
-| **18 Skills** (SKILL.md) | Yes | Yes | Yes | - |
-| **9 Rules** (.mdc) | Yes | Via CLAUDE.md | Yes | - |
-| **37 MCP tools** | Yes | Yes | Yes | Yes |
+| **20 Skills** (SKILL.md) | Yes | Yes | Yes | - |
+| **10 Rules** (.mdc) | Yes | Via CLAUDE.md | Yes | - |
+| **41 MCP tools** | Yes | Yes | Yes | Yes |
 
 > **Claude Code** reads `CLAUDE.md` automatically and can reference skills. The MCP server works with any client that supports the MCP stdio transport.
 
@@ -71,7 +71,7 @@ flowchart LR
 ---
 
 <details>
-<summary><strong>18 Skills</strong> - on-demand home lab expertise</summary>
+<summary><strong>20 Skills</strong> - on-demand home lab expertise</summary>
 
 &nbsp;
 
@@ -93,13 +93,15 @@ flowchart LR
 | **Security** | `secrets-management` | Vaultwarden, env vars, Docker secrets, credential auditing |
 | **Logs** | `log-analysis` | Structured log querying, journald workflows, container log searching |
 | **Notifications** | `notification-workflows` | Ntfy setup, alert routing, notification pipelines |
+| **OS** | `os-update-management` | Unattended-upgrades, kernel updates, reboot scheduling |
+| **OS** | `performance-tuning` | Kernel params, swap config, I/O scheduler, GPU memory split |
 | **Storage** | `storage-management` | Samba, Syncthing, volumes, disk monitoring |
 | **Debug** | `troubleshooting` | Debug crashes, network issues, hardware problems |
 
 </details>
 
 <details>
-<summary><strong>9 Rules</strong> - automatic best-practice enforcement</summary>
+<summary><strong>10 Rules</strong> - automatic best-practice enforcement</summary>
 
 &nbsp;
 
@@ -114,6 +116,7 @@ flowchart LR
 | `backup-coverage` | Compose files | Flag Docker volumes not covered by any backup job |
 | `privileged-containers` | Compose files | Flag containers with elevated privileges or missing security opts |
 | `weak-credentials` | Compose / .env files | Flag default/weak passwords and insecure credential storage |
+| `resource-limits` | Compose files | Flag containers without memory or CPU limits |
 
 </details>
 
@@ -125,7 +128,7 @@ The MCP server gives your AI assistant live access to your Raspberry Pi via SSH.
 
 <p align="center">
   <img src="https://img.shields.io/badge/transport-stdio-blue" alt="transport">
-  <img src="https://img.shields.io/badge/tools-37-green" alt="tools">
+  <img src="https://img.shields.io/badge/tools-41-green" alt="tools">
   <img src="https://img.shields.io/badge/runtime-Node%20%E2%89%A5%2020-yellow" alt="runtime">
   <img src="https://img.shields.io/badge/connection-SSH-orange" alt="connection">
 </p>
@@ -150,7 +153,7 @@ Add to your Cursor MCP config (`.cursor/mcp.json`):
 ```
 
 <details>
-<summary><strong>37 MCP Tools</strong> - full tool reference</summary>
+<summary><strong>41 MCP Tools</strong> - full tool reference</summary>
 
 &nbsp;
 
@@ -226,6 +229,15 @@ Add to your Cursor MCP config (`.cursor/mcp.json`):
 | `homelab_openPorts` | Scan listening TCP ports and map to processes |
 | `homelab_containerScan` | Scan container images for vulnerabilities via Trivy |
 
+**OS / Packages** (4)
+
+| Tool | What It Does |
+|---|---|
+| `homelab_aptUpgradable` | List upgradable packages with version details |
+| `homelab_aptHistory` | Show recent apt install/upgrade/remove history |
+| `homelab_kernelInfo` | Kernel version, boot parameters, loaded modules |
+| `homelab_systemdServices` | List systemd units or get status of a specific unit |
+
 **SSH** (1)
 
 | Tool | What It Does |
@@ -314,6 +326,8 @@ Any client supporting MCP stdio transport can use the Home Lab MCP server. Point
 | `secrets-management` | "Audit my Pi for weak passwords and scan containers for vulnerabilities" |
 | `log-analysis` | "Search all container logs for OOM errors in the last hour" |
 | `notification-workflows` | "Send a test notification to my phone via Ntfy" |
+| `os-update-management` | "Are there any security updates pending on my Pi?" |
+| `performance-tuning` | "My Pi is sluggish with 13 containers. How can I optimize it?" |
 
 </details>
 
@@ -330,7 +344,7 @@ Any client supporting MCP stdio transport can use the Home Lab MCP server. Point
 | **v0.4.0** | **Backup and Recovery** | **+4** | **+1** | **+1** | **29** |
 | **v0.5.0** | **Security Hardening** | **+4** | **+1** | **+2** | **33** |
 | **v0.6.0** | **Logs and Notifications** | **+4** | **+2** | **--** | **37** |
-| v0.7.0 | OS and Package Management | +4 | +2 | +1 | 41 |
+| **v0.7.0** | **OS and Package Management** | **+4** | **+2** | **+1** | **41** |
 | v0.8.0 | SSL/TLS Certificates | +3 | +1 | -- | 44 |
 | v0.9.0 | Multi-Node Foundation | +4 | +1 | +1 | 48 |
 | v0.10.0 | Testing Infrastructure | +2 | -- | -- | 50 |
diff --git a/ROADMAP.md b/ROADMAP.md
index 67e8b91..e2bc6d6 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -140,19 +140,19 @@ System-level maintenance beyond apt update.
 
 **MCP tools (+4):**
 
-- [ ] `homelab_aptUpgradable` -- list upgradable packages with version details
-- [ ] `homelab_aptHistory` -- show recent apt install/upgrade history
-- [ ] `homelab_kernelInfo` -- kernel version, loaded modules, boot params
-- [ ] `homelab_systemdServices` -- list systemd units, enable/disable/status
+- [x] `homelab_aptUpgradable` -- list upgradable packages with version details
+- [x] `homelab_aptHistory` -- show recent apt install/upgrade history
+- [x] `homelab_kernelInfo` -- kernel version, loaded modules, boot params
+- [x] `homelab_systemdServices` -- list systemd units, enable/disable/status
 
 **Skills (+2):**
 
-- [ ] `os-update-management` -- unattended-upgrades config, kernel updates, reboot scheduling
-- [ ] `performance-tuning` -- kernel params, swap config, I/O scheduler, GPU memory split
+- [x] `os-update-management` -- unattended-upgrades config, kernel updates, reboot scheduling
+- [x] `performance-tuning` -- kernel params, swap config, I/O scheduler, GPU memory split
 
 **Rules (+1):**
 
-- [ ] `resource-limits` -- flag containers without memory/CPU limits set
+- [x] `resource-limits` -- flag containers without memory/CPU limits set
 
 ---
 
@@ -271,6 +271,7 @@ Production-ready, fully tested, fully documented.
 
 ## Completed
 
+- v0.7.0: OS and Package Management -- 4 new tools (aptUpgradable, aptHistory, kernelInfo, systemdServices), 2 new skills (os-update-management, performance-tuning), 1 new rule (resource-limits)
 - v0.6.0: Logs and Notifications -- 4 new tools (journalLogs, logSearch, ntfySend, ntfyTopics), 2 new skills (log-analysis, notification-workflows)
 - v0.5.0: Security Hardening -- 4 new tools (ufwStatus, fail2banStatus, openPorts, containerScan), 1 new skill (secrets-management), 2 new rules (privileged-containers, weak-credentials)
 - v0.4.0: Backup and Recovery -- 4 new tools (backupList, backupRestore, backupDiff, volumeBackup), 1 new skill (disaster-recovery), 1 new rule (backup-coverage)
diff --git a/docs/index.html b/docs/index.html
index 8d13de1..f44c0fb 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -4,9 +4,9 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Home Lab Developer Tools</title>
-  <meta name="description" content="Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors. 18 skills, 9 rules, 37 MCP tools.">
+  <meta name="description" content="Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors. 20 skills, 10 rules, 41 MCP tools.">
   <meta property="og:title" content="Home Lab Developer Tools">
-  <meta property="og:description" content="18 skills, 9 rules, 37 MCP tools for managing a Raspberry Pi home lab via SSH.">
+  <meta property="og:description" content="20 skills, 10 rules, 41 MCP tools for managing a Raspberry Pi home lab via SSH.">
   <meta property="og:type" content="website">
   <style>
     :root {
@@ -99,22 +99,22 @@
     <div class="container">
       <h1>Home Lab Developer Tools</h1>
       <p>Home lab and Raspberry Pi workflows for Cursor, Claude Code, and any MCP-compatible editor.</p>
-      <span class="version">v0.6.0</span>
+      <span class="version">v0.7.0</span>
     </div>
   </header>
 
   <div class="container">
     <div class="stats">
       <div class="stat">
-        <div class="stat-number" data-target="18">18</div>
+        <div class="stat-number" data-target="20">20</div>
         <div class="stat-label">Skills</div>
       </div>
       <div class="stat">
-        <div class="stat-number" data-target="9">9</div>
+        <div class="stat-number" data-target="10">10</div>
         <div class="stat-label">Rules</div>
       </div>
       <div class="stat">
-        <div class="stat-number" data-target="37">37</div>
+        <div class="stat-number" data-target="41">41</div>
         <div class="stat-label">MCP Tools</div>
       </div>
     </div>
@@ -222,6 +222,17 @@ <h3>Logs / Notifications (4)</h3>
         </tbody>
       </table>
 
+      <h3>OS / Packages (4)</h3>
+      <table>
+        <thead><tr><th>Tool</th><th>Description</th></tr></thead>
+        <tbody>
+          <tr><td><code>homelab_aptUpgradable</code></td><td>List upgradable packages with version details</td></tr>
+          <tr><td><code>homelab_aptHistory</code></td><td>Show recent apt install/upgrade/remove history</td></tr>
+          <tr><td><code>homelab_kernelInfo</code></td><td>Kernel version, boot parameters, loaded modules</td></tr>
+          <tr><td><code>homelab_systemdServices</code></td><td>List systemd units or get status of a specific unit</td></tr>
+        </tbody>
+      </table>
+
       <h3>SSH (1)</h3>
       <table>
         <thead><tr><th>Tool</th><th>Description</th></tr></thead>
@@ -252,6 +263,8 @@ <h2>Skills</h2>
           <tr><td>secrets-management</td><td>Vaultwarden, env vars, Docker secrets, credential auditing</td></tr>
           <tr><td>log-analysis</td><td>Structured log querying, journald workflows, container log searching</td></tr>
           <tr><td>notification-workflows</td><td>Ntfy setup, alert routing, notification pipelines</td></tr>
+          <tr><td>os-update-management</td><td>Unattended-upgrades, kernel updates, reboot scheduling</td></tr>
+          <tr><td>performance-tuning</td><td>Kernel params, swap config, I/O scheduler, GPU memory split</td></tr>
           <tr><td>storage-management</td><td>Samba, Syncthing, volumes, disk monitoring</td></tr>
           <tr><td>troubleshooting</td><td>Debug crashes, network issues, hardware problems</td></tr>
         </tbody>
@@ -272,6 +285,7 @@ <h2>Rules</h2>
           <tr><td>backup-coverage</td><td>Compose files</td><td>Flag Docker volumes not covered by any backup job</td></tr>
           <tr><td>privileged-containers</td><td>Compose files</td><td>Flag containers with elevated privileges or missing security opts</td></tr>
           <tr><td>weak-credentials</td><td>Compose / .env</td><td>Flag default/weak passwords and insecure credential storage</td></tr>
+          <tr><td>resource-limits</td><td>Compose files</td><td>Flag containers without memory or CPU limits</td></tr>
         </tbody>
       </table>
     </section>
diff --git a/mcp-server/README.md b/mcp-server/README.md
index bb9d935..d8ee76a 100644
--- a/mcp-server/README.md
+++ b/mcp-server/README.md
@@ -1,6 +1,6 @@
 # Home Lab MCP Server
 
-MCP (Model Context Protocol) server for home lab operations. Connects to a Raspberry Pi via SSH and provides 37 tools for system management, Docker Compose stacks, service monitoring, networking, backups, disaster recovery, security auditing, log analysis, and notifications.
+MCP (Model Context Protocol) server for home lab operations. Connects to a Raspberry Pi via SSH and provides 41 tools for system management, Docker Compose stacks, service monitoring, networking, backups, disaster recovery, security auditing, log analysis, notifications, and OS management.
 
 ## Tools
 
@@ -42,6 +42,10 @@ MCP (Model Context Protocol) server for home lab operations. Connects to a Raspb
 | Logs | `homelab_logSearch` | Search across container logs with grep patterns |
 | Notifications | `homelab_ntfySend` | Send a push notification via Ntfy |
 | Notifications | `homelab_ntfyTopics` | List Ntfy topics and recent messages |
+| OS | `homelab_aptUpgradable` | List upgradable packages with version details |
+| OS | `homelab_aptHistory` | Show recent apt install/upgrade/remove history |
+| OS | `homelab_kernelInfo` | Kernel version, boot parameters, loaded modules |
+| OS | `homelab_systemdServices` | List systemd units or get status of a specific unit |
 | SSH | `homelab_sshTest` | Test SSH connectivity |
 
 ## Setup
diff --git a/mcp-server/package-lock.json b/mcp-server/package-lock.json
index 9e456ff..8ef5aed 100644
--- a/mcp-server/package-lock.json
+++ b/mcp-server/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@tmhs/homelab-mcp",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@tmhs/homelab-mcp",
-      "version": "0.6.0",
+      "version": "0.7.0",
       "license": "CC-BY-NC-ND-4.0",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.12.1",
diff --git a/mcp-server/package.json b/mcp-server/package.json
index c57d4b4..dd500d6 100644
--- a/mcp-server/package.json
+++ b/mcp-server/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@tmhs/homelab-mcp",
-  "version": "0.6.0",
-  "description": "MCP server for home lab operations via SSH - 37 tools for system status, Docker Compose management, service health, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, and administration on a Raspberry Pi.",
+  "version": "0.7.0",
+  "description": "MCP server for home lab operations via SSH - 41 tools for system status, Docker Compose management, service health, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, and administration on a Raspberry Pi.",
   "type": "module",
   "main": "dist/index.js",
   "bin": {
diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts
index 04b7285..3049013 100644
--- a/mcp-server/src/index.ts
+++ b/mcp-server/src/index.ts
@@ -40,10 +40,14 @@ import { register as registerJournalLogs } from "./tools/journalLogs.js";
 import { register as registerLogSearch } from "./tools/logSearch.js";
 import { register as registerNtfySend } from "./tools/ntfySend.js";
 import { register as registerNtfyTopics } from "./tools/ntfyTopics.js";
+import { register as registerAptUpgradable } from "./tools/aptUpgradable.js";
+import { register as registerAptHistory } from "./tools/aptHistory.js";
+import { register as registerKernelInfo } from "./tools/kernelInfo.js";
+import { register as registerSystemdServices } from "./tools/systemdServices.js";
 
 const server = new McpServer({
   name: "homelab-mcp",
-  version: "0.6.0",
+  version: "0.7.0",
 });
 
 registerPiStatus(server);
@@ -83,6 +87,10 @@ registerJournalLogs(server);
 registerLogSearch(server);
 registerNtfySend(server);
 registerNtfyTopics(server);
+registerAptUpgradable(server);
+registerAptHistory(server);
+registerKernelInfo(server);
+registerSystemdServices(server);
 
 async function main(): Promise<void> {
   const transport = new StdioServerTransport();
diff --git a/mcp-server/src/tools/__tests__/input-validation.test.ts b/mcp-server/src/tools/__tests__/input-validation.test.ts
index b11184d..c1b0da3 100644
--- a/mcp-server/src/tools/__tests__/input-validation.test.ts
+++ b/mcp-server/src/tools/__tests__/input-validation.test.ts
@@ -619,4 +619,70 @@ describe("input validation schemas", () => {
       expect(result.since).toBe("30m");
     });
   });
+
+  describe("aptUpgradable (no params)", () => {
+    const schema = z.object({});
+
+    it("accepts empty input", () => {
+      const result = schema.parse({});
+      expect(result).toEqual({});
+    });
+  });
+
+  describe("aptHistory", () => {
+    const schema = z.object({
+      lines: z.number().int().positive().optional().default(50),
+    });
+
+    it("accepts empty input with default", () => {
+      const result = schema.parse({});
+      expect(result.lines).toBe(50);
+    });
+
+    it("accepts custom line count", () => {
+      const result = schema.parse({ lines: 100 });
+      expect(result.lines).toBe(100);
+    });
+
+    it("rejects non-positive lines", () => {
+      expect(() => schema.parse({ lines: 0 })).toThrow();
+      expect(() => schema.parse({ lines: -5 })).toThrow();
+    });
+  });
+
+  describe("kernelInfo (no params)", () => {
+    const schema = z.object({});
+
+    it("accepts empty input", () => {
+      const result = schema.parse({});
+      expect(result).toEqual({});
+    });
+  });
+
+  describe("systemdServices", () => {
+    const schema = z.object({
+      unit: z.string().optional(),
+      type: z.enum(["service", "timer", "socket", "mount"]).optional(),
+    });
+
+    it("accepts empty input", () => {
+      const result = schema.parse({});
+      expect(result.unit).toBeUndefined();
+      expect(result.type).toBeUndefined();
+    });
+
+    it("accepts specific unit", () => {
+      const result = schema.parse({ unit: "docker.service" });
+      expect(result.unit).toBe("docker.service");
+    });
+
+    it("accepts type filter", () => {
+      const result = schema.parse({ type: "timer" });
+      expect(result.type).toBe("timer");
+    });
+
+    it("rejects invalid type", () => {
+      expect(() => schema.parse({ type: "target" })).toThrow();
+    });
+  });
 });
diff --git a/mcp-server/src/tools/aptHistory.ts b/mcp-server/src/tools/aptHistory.ts
new file mode 100644
index 0000000..96c598b
--- /dev/null
+++ b/mcp-server/src/tools/aptHistory.ts
@@ -0,0 +1,38 @@
+import { z } from "zod";
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { execSSH, errorResponse } from "../utils/ssh-api.js";
+
+const inputSchema = {
+  lines: z
+    .number()
+    .int()
+    .positive()
+    .optional()
+    .default(50)
+    .describe("Number of recent history entries to return"),
+};
+
+export function register(server: McpServer): void {
+  server.tool(
+    "homelab_aptHistory",
+    "Show recent apt install, upgrade, and remove history",
+    inputSchema,
+    async (args) => {
+      try {
+        const cmd =
+          `(grep -E '(Install|Upgrade|Remove|Commandline)' /var/log/apt/history.log 2>/dev/null; ` +
+          `zgrep -E '(Install|Upgrade|Remove|Commandline)' /var/log/apt/history.log.*.gz 2>/dev/null) ` +
+          `| tail -${args.lines}`;
+        const output = await execSSH(cmd);
+        return {
+          content: [{
+            type: "text" as const,
+            text: output || "No apt history entries found.",
+          }],
+        };
+      } catch (error) {
+        return errorResponse(error);
+      }
+    },
+  );
+}
diff --git a/mcp-server/src/tools/aptUpgradable.ts b/mcp-server/src/tools/aptUpgradable.ts
new file mode 100644
index 0000000..43baf48
--- /dev/null
+++ b/mcp-server/src/tools/aptUpgradable.ts
@@ -0,0 +1,28 @@
+import { z } from "zod";
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { execSSH, errorResponse } from "../utils/ssh-api.js";
+
+const inputSchema = {};
+
+export function register(server: McpServer): void {
+  server.tool(
+    "homelab_aptUpgradable",
+    "List upgradable packages with current and candidate versions",
+    inputSchema,
+    async () => {
+      try {
+        const output = await execSSH(
+          "apt list --upgradable 2>/dev/null | grep -v '^Listing'",
+        );
+        return {
+          content: [{
+            type: "text" as const,
+            text: output || "All packages are up to date.",
+          }],
+        };
+      } catch (error) {
+        return errorResponse(error);
+      }
+    },
+  );
+}
diff --git a/mcp-server/src/tools/kernelInfo.ts b/mcp-server/src/tools/kernelInfo.ts
new file mode 100644
index 0000000..130cbd8
--- /dev/null
+++ b/mcp-server/src/tools/kernelInfo.ts
@@ -0,0 +1,31 @@
+import { z } from "zod";
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { execSSH, errorResponse } from "../utils/ssh-api.js";
+
+const inputSchema = {};
+
+export function register(server: McpServer): void {
+  server.tool(
+    "homelab_kernelInfo",
+    "Show kernel version, boot parameters, and loaded modules",
+    inputSchema,
+    async () => {
+      try {
+        const cmd = [
+          "echo '=== Kernel ==='",
+          "uname -a",
+          "echo",
+          "echo '=== Boot Parameters ==='",
+          "cat /proc/cmdline",
+          "echo",
+          "echo '=== Loaded Modules (top 30) ==='",
+          "lsmod | head -31",
+        ].join(" && ");
+        const output = await execSSH(cmd);
+        return { content: [{ type: "text" as const, text: output }] };
+      } catch (error) {
+        return errorResponse(error);
+      }
+    },
+  );
+}
diff --git a/mcp-server/src/tools/systemdServices.ts b/mcp-server/src/tools/systemdServices.ts
new file mode 100644
index 0000000..318cb3f
--- /dev/null
+++ b/mcp-server/src/tools/systemdServices.ts
@@ -0,0 +1,33 @@
+import { z } from "zod";
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { execSSH, errorResponse } from "../utils/ssh-api.js";
+
+const inputSchema = {
+  unit: z
+    .string()
+    .optional()
+    .describe("Specific unit name to get status for (e.g. docker.service, restic-backup.timer)"),
+  type: z
+    .enum(["service", "timer", "socket", "mount"])
+    .optional()
+    .describe("Filter by unit type when listing. Defaults to 'service'"),
+};
+
+export function register(server: McpServer): void {
+  server.tool(
+    "homelab_systemdServices",
+    "List systemd units or get status of a specific unit",
+    inputSchema,
+    async (args) => {
+      try {
+        const cmd = args.unit
+          ? `systemctl status '${args.unit}' --no-pager 2>&1`
+          : `systemctl list-units --type=${args.type || "service"} --no-pager 2>&1`;
+        const output = await execSSH(cmd);
+        return { content: [{ type: "text" as const, text: output }] };
+      } catch (error) {
+        return errorResponse(error);
+      }
+    },
+  );
+}
diff --git a/rules/resource-limits.mdc b/rules/resource-limits.mdc
new file mode 100644
index 0000000..dff9d14
--- /dev/null
+++ b/rules/resource-limits.mdc
@@ -0,0 +1,76 @@
+---
+description: Flag Docker Compose services without memory or CPU limits set.
+alwaysApply: false
+globs:
+  - "**/compose*.yml"
+  - "**/docker-compose*.yml"
+---
+
+# Resource Limits
+
+## Patterns to Flag
+
+### Missing Memory Limits
+- Services without `mem_limit` (Compose v2 short form)
+- Services without `deploy.resources.limits.memory` (Compose v3 deploy syntax)
+- On a Raspberry Pi with 4-8GB RAM, unbounded containers risk OOM-killing other services
+
+### Missing CPU Limits
+- Services without `cpus` (Compose v2 short form)
+- Services without `deploy.resources.limits.cpus` (Compose v3 deploy syntax)
+- On a 4-core Pi, a runaway container can starve all other services
+
+### Unreasonable Limits
+- Memory limits above 4GB on an 8GB Pi (leaves too little for the OS and other containers)
+- CPU limits above 3.0 on a 4-core Pi
+- Memory limits below 32MB (most services cannot function)
+
+## What to Do
+
+- Add resource limits to every service in Compose files:
+
+```yaml
+services:
+  grafana:
+    image: grafana/grafana:latest
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: "1.0"
+        reservations:
+          memory: 256M
+```
+
+- Or use the v2 short form (both are valid):
+
+```yaml
+services:
+  grafana:
+    image: grafana/grafana:latest
+    mem_limit: 512m
+    cpus: 1.0
+```
+
+- Set reservations (soft limits) alongside hard limits to help Docker schedule containers
+- Size limits based on actual usage -- check with `docker stats` first
+
+## Recommended Limits for Common Home Lab Services
+
+| Service | Memory | CPUs |
+|---------|--------|------|
+| Prometheus | 512M-1G | 1.0 |
+| Grafana | 256M-512M | 0.5 |
+| AdGuard Home | 128M-256M | 0.5 |
+| Nginx Proxy Manager | 128M-256M | 0.5 |
+| Uptime Kuma | 256M | 0.5 |
+| Vaultwarden | 128M-256M | 0.25 |
+| Ntfy | 64M-128M | 0.25 |
+| Portainer | 128M-256M | 0.5 |
+| Syncthing | 256M-512M | 1.0 |
+
+## Exceptions
+
+- Services that intentionally manage their own memory (e.g. databases with `shared_buffers`)
+- Build-time services that need burst resources temporarily
+- Init containers or one-shot jobs
diff --git a/skills/os-update-management/SKILL.md b/skills/os-update-management/SKILL.md
new file mode 100644
index 0000000..113c813
--- /dev/null
+++ b/skills/os-update-management/SKILL.md
@@ -0,0 +1,138 @@
+---
+name: os-update-management
+description: Unattended-upgrades config, kernel updates, reboot scheduling
+tools:
+  - homelab_aptUpdate
+  - homelab_aptUpgradable
+  - homelab_aptHistory
+  - homelab_kernelInfo
+  - homelab_systemdServices
+---
+
+# OS Update Management
+
+Guide the user through managing operating system updates on their Raspberry Pi, including package updates, kernel upgrades, unattended-upgrades configuration, and scheduled reboot planning.
+
+## Trigger
+
+- User asks about updating their Pi's OS or packages
+- User wants to check for available updates without applying them
+- User asks about unattended-upgrades or automatic updates
+- User mentions "apt upgrade", "kernel update", "reboot schedule", or "package management"
+- User wants to review what was recently installed or upgraded
+- User asks about update policies or scheduling maintenance windows
+
+## Required Inputs
+
+- SSH connectivity to the Raspberry Pi (validated via `homelab_sshTest`)
+
+Optional:
+- Whether to actually apply upgrades (vs just listing)
+- Specific packages to investigate
+- Desired unattended-upgrades configuration
+
+## Workflow
+
+### Check Current Update Status
+
+1. Run `homelab_aptUpgradable` to see what packages have updates available.
+2. If the list is stale, run `homelab_aptUpdate` to refresh the package index first.
+3. Review the list -- security updates should be prioritized.
+
+### Review Update History
+
+1. Run `homelab_aptHistory` to see recent package operations.
+2. Look for patterns -- frequent updates to the same package may indicate instability.
+3. Check if security updates are being applied in a timely manner.
+
+### Apply Updates
+
+1. Run `homelab_aptUpgradable` to review pending updates.
+2. Run `homelab_aptUpdate` with `upgrade: true` to apply all pending updates.
+3. Run `homelab_kernelInfo` to check if a kernel update requires a reboot.
+4. If reboot needed, check running services with `homelab_systemdServices` before scheduling.
+
+### Configure Unattended Upgrades
+
+1. Check if unattended-upgrades is installed and running:
+   - `homelab_systemdServices` with `unit: "unattended-upgrades.service"`
+2. Review the configuration files:
+   - `/etc/apt/apt.conf.d/50unattended-upgrades` -- which packages to auto-update
+   - `/etc/apt/apt.conf.d/20auto-upgrades` -- update frequency
+3. Recommended settings for a home lab Pi:
+
+```
+Unattended-Upgrade::Origins-Pattern {
+    "origin=Debian,codename=${distro_codename},label=Debian-Security";
+    "origin=Raspbian,codename=${distro_codename}";
+};
+Unattended-Upgrade::Automatic-Reboot "false";
+Unattended-Upgrade::Mail "root";
+```
+
+### Schedule Maintenance Reboots
+
+1. Check if a reboot is pending: look for `/var/run/reboot-required`
+2. Check `homelab_kernelInfo` -- if running kernel differs from installed, reboot is needed
+3. Use `homelab_systemdServices` with `type: "timer"` to review existing timers
+4. Create a systemd timer for scheduled reboots during low-traffic hours
+
+## Key References
+
+- `apt` and `apt-get` man pages
+- `unattended-upgrades` documentation
+- Raspberry Pi OS release notes for kernel updates
+- `/var/log/apt/history.log` for package operation history
+- `/var/run/reboot-required` for pending reboot detection
+
+## Example Interaction
+
+**User:** Are there any updates available for my Pi?
+
+**Assistant:**
+
+1. Let me check for upgradable packages.
+
+   *Calls `homelab_aptUpgradable`*
+
+   There are 12 packages with updates available, including 3 security updates for openssl, libssl3, and openssh-server.
+
+2. Let me check when packages were last updated.
+
+   *Calls `homelab_aptHistory` with lines 20*
+
+   Last update was 5 days ago. The security updates should be applied soon.
+
+3. Let me check the kernel version too.
+
+   *Calls `homelab_kernelInfo`*
+
+   Running kernel 6.6.31 -- this matches the installed version, so no kernel update pending.
+
+   Recommendations:
+   - Apply the 3 security updates immediately with `homelab_aptUpdate` (upgrade: true)
+   - The remaining 9 packages can wait for your next maintenance window
+   - Consider enabling unattended-upgrades for security patches
+
+## MCP Usage
+
+- `homelab_aptUpgradable` -- check available updates without modifying the system
+- `homelab_aptUpdate` -- refresh package index and optionally apply upgrades
+- `homelab_aptHistory` -- review recent install/upgrade/remove operations
+- `homelab_kernelInfo` -- check running vs installed kernel to determine reboot need
+- `homelab_systemdServices` -- check unattended-upgrades status or review timers
+
+## Common Pitfalls
+
+- Running `apt upgrade` on a Pi with limited disk can fail mid-upgrade -- check disk space first with `homelab_diskUsage`
+- Kernel updates on Raspberry Pi OS require a reboot to take effect
+- Unattended-upgrades can restart services unexpectedly -- disable auto-reboot for home lab
+- The apt history log rotates -- older entries are in gzipped files
+- Running containers may need restarting after library updates (especially libssl)
+
+## See Also
+
+- `pi-system-management` skill for hardware monitoring
+- `performance-tuning` skill for kernel parameter optimization
+- `docker-compose-stacks` skill for restarting services after updates
+- `notification-workflows` skill for alerting on update availability
diff --git a/skills/performance-tuning/SKILL.md b/skills/performance-tuning/SKILL.md
new file mode 100644
index 0000000..2d4cfd5
--- /dev/null
+++ b/skills/performance-tuning/SKILL.md
@@ -0,0 +1,146 @@
+---
+name: performance-tuning
+description: Kernel params, swap config, I/O scheduler, GPU memory split
+tools:
+  - homelab_kernelInfo
+  - homelab_piStatus
+  - homelab_systemdServices
+---
+
+# Performance Tuning
+
+Guide the user through optimizing their Raspberry Pi's performance for home lab workloads, covering kernel parameters, swap configuration, I/O scheduling, GPU memory allocation, and resource monitoring.
+
+## Trigger
+
+- User asks about improving Pi performance or reducing latency
+- User mentions "slow", "swap", "memory", "GPU memory split", or "I/O scheduler"
+- User wants to optimize their Pi for Docker workloads
+- User asks about kernel parameters, sysctl tuning, or boot config
+- User wants to reduce SD card wear or optimize storage I/O
+- User asks about CPU governor, overclocking, or thermal management
+
+## Required Inputs
+
+- SSH connectivity to the Raspberry Pi (validated via `homelab_sshTest`)
+
+Optional:
+- Current workload description (container-heavy, NAS, monitoring, etc.)
+- Whether the Pi uses an SD card, USB SSD, or NVMe
+- Amount of RAM (4GB vs 8GB)
+
+## Workflow
+
+### Baseline Assessment
+
+1. Run `homelab_piStatus` to check CPU temp, memory usage, and throttle state.
+2. Run `homelab_kernelInfo` to see current kernel version and boot parameters.
+3. Check swap configuration: look for `zram` or `dphys-swapfile` in boot params and loaded modules.
+
+### Memory Optimization
+
+1. **GPU memory split**: For headless home lab servers, reduce GPU memory to minimum:
+   - Edit `/boot/firmware/config.txt`: `gpu_mem=16`
+   - This frees up to 60MB of RAM for applications
+2. **Swap tuning**: Reduce swappiness for SSD, increase for SD card:
+   - SSD: `vm.swappiness=10` in `/etc/sysctl.d/99-tuning.conf`
+   - SD card: `vm.swappiness=1` (minimize writes)
+3. **zram**: Enable compressed swap in RAM for better performance than disk swap:
+
+```bash
+sudo apt install zram-tools
+echo 'ALGO=zstd' | sudo tee /etc/default/zramswap
+echo 'PERCENT=50' | sudo tee -a /etc/default/zramswap
+sudo systemctl restart zramswap
+```
+
+### I/O Optimization
+
+1. Check current scheduler: `cat /sys/block/mmcblk0/queue/scheduler` (or `sda` for USB)
+2. For SD cards: `mq-deadline` is optimal
+3. For SSDs/NVMe: `none` (noop) is optimal
+4. Set via udev rule for persistence:
+
+```bash
+echo 'ACTION=="add|change", KERNEL=="mmcblk*", ATTR{queue/scheduler}="mq-deadline"' | \
+  sudo tee /etc/udev/rules.d/60-scheduler.rules
+```
+
+5. Reduce journal writes: `Storage=volatile` in `/etc/systemd/journald.conf`
+
+### CPU and Thermal
+
+1. Check current governor: `cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor`
+2. For consistent performance: `performance` governor (at cost of more heat)
+3. For balanced: `schedutil` (default, scales with load)
+4. Check if throttling is occurring via `homelab_piStatus` -- if yes, improve cooling before overclocking
+
+### Docker-Specific Tuning
+
+1. Increase max file watchers for containers:
+   - `fs.inotify.max_user_watches=524288` in sysctl
+   - `fs.inotify.max_user_instances=512`
+2. Increase ARP cache for many containers:
+   - `net.ipv4.neigh.default.gc_thresh3=4096`
+3. Check Docker storage driver: `overlay2` is optimal
+4. Use `homelab_systemdServices` with `unit: "docker.service"` to verify Docker health
+
+## Key References
+
+- Raspberry Pi documentation: performance and config.txt
+- `/boot/firmware/config.txt` for boot-time hardware config
+- `/etc/sysctl.d/` for kernel runtime parameters
+- `vcgencmd` commands for Pi-specific hardware info
+- Linux kernel documentation for scheduler and VM tuning
+
+## Example Interaction
+
+**User:** My Pi feels sluggish when running all 13 containers. How can I optimize it?
+
+**Assistant:**
+
+1. Let me check the current system state.
+
+   *Calls `homelab_piStatus`*
+
+   CPU temp is 62C (fine), memory is 7.2GB/8GB used (very high), no throttling. Memory pressure is the bottleneck.
+
+2. Let me check the kernel config.
+
+   *Calls `homelab_kernelInfo`*
+
+   GPU memory is set to 76MB (default). Boot params show `dphys-swapfile` active with 200MB swap. Let me check systemd for zram.
+
+3. Let me check swap and Docker status.
+
+   *Calls `homelab_systemdServices` with unit "zramswap.service"*
+
+   zram is not installed. Here's what I recommend:
+
+   - Reduce GPU memory from 76MB to 16MB (frees 60MB): edit `/boot/firmware/config.txt`
+   - Install zram for compressed swap in RAM -- much faster than SD card swap
+   - Set `vm.swappiness=10` to keep more data in RAM
+   - Increase inotify watches for Docker: `fs.inotify.max_user_watches=524288`
+   - Consider which containers can be stopped during low-usage hours
+
+## MCP Usage
+
+- `homelab_kernelInfo` -- check kernel version, boot params, and loaded modules to identify tuning opportunities
+- `homelab_piStatus` -- monitor CPU temp, memory, disk, and throttle state to find bottlenecks
+- `homelab_systemdServices` -- check service status (Docker, zram, swap) and timer configurations
+
+## Common Pitfalls
+
+- Overclocking without adequate cooling causes thermal throttling, making performance worse
+- Setting `gpu_mem=16` breaks any GUI/display output -- only do this on headless servers
+- SD card swap is extremely slow and wears the card -- prefer zram or USB SSD swap
+- Changing the I/O scheduler requires a reboot (or udev trigger) to take effect
+- Some kernel parameters in `config.txt` only apply after a reboot
+- Aggressive swappiness reduction can cause OOM kills under memory pressure
+
+## See Also
+
+- `pi-system-management` skill for hardware monitoring and reboot management
+- `os-update-management` skill for kernel updates that may improve performance
+- `docker-compose-stacks` skill for managing container resource allocation
+- `storage-management` skill for disk I/O and volume management