dev_arc_aws/backend/src/integrations/proxmox.ts

import { Agent } from 'undici'
import type { IntegrationAdapter, Resource } from './types.js'

interface ProxmoxResourceEntry {
  type: string
  name?: string
  status?: string
  vmid?: number
  node?: string
}

function authHeader(apiKey: string): Record<string, string> {
  return { Authorization: `PVEAPIToken=${apiKey}` }
}

// Proxmox ships with a self-signed cert by default, which Node's fetch rejects out of the box.
const insecureDispatcher = new Agent({ connect: { rejectUnauthorized: false } })

// undici's fetch() wraps the real failure (DNS, TLS, connection refused/timed out) in a generic
// "fetch failed" TypeError — unwrap err.cause so the actual reason reaches the UI.
function describeFetchError(err: unknown): string {
  if (err instanceof Error) {
    const cause = (err as { cause?: unknown }).cause
    if (cause instanceof Error) return `${err.message}: ${cause.message}`
    return err.message
  }
  return 'Connection failed'
}

export const proxmox: IntegrationAdapter = {
  async testConnection(config, secrets) {
    const baseUrl = config.baseUrl?.replace(/\/$/, '')
    const apiKey = secrets.apiKey
    if (!baseUrl) return { ok: false, message: 'Missing baseUrl' }
    if (!apiKey) return { ok: false, message: 'Missing API token' }
    try {
      const res = await fetch(`${baseUrl}/api2/json/version`, {
        headers: authHeader(apiKey),
        dispatcher: insecureDispatcher,
      } as RequestInit)
      if (!res.ok) return { ok: false, message: `HTTP ${res.status}` }
      return { ok: true, message: 'Connected' }
    } catch (err) {
      return { ok: false, message: describeFetchError(err) }
    }
  },

  async listResources(config, secrets): Promise<Resource[]> {
    const baseUrl = config.baseUrl?.replace(/\/$/, '')
    const apiKey = secrets.apiKey
    if (!baseUrl || !apiKey) return []
    const res = await fetch(`${baseUrl}/api2/json/cluster/resources?type=vm`, {
      headers: authHeader(apiKey),
      dispatcher: insecureDispatcher,
    } as RequestInit)
    if (!res.ok) return []
    const body = (await res.json()) as { data: ProxmoxResourceEntry[] }
    return body.data.map((entry) => ({
      name: entry.name ?? `vm-${entry.vmid}`,
      status: entry.status === 'running' ? 'healthy' : entry.status === 'stopped' ? 'unknown' : 'warning',
      detail: `${entry.type} on ${entry.node} — ${entry.status}`,
    }))
  },
}
Allow self-signed TLS for Proxmox and fix critical fast-jwt vuln Proxmox ships with a self-signed cert by default, which Node's fetch rejected outright; route Proxmox requests through an undici Agent with rejectUnauthorized disabled so real Proxmox hosts can be connected. Also bump @fastify/jwt to v10, which pulls in a patched fast-jwt and resolves the critical advisories (crit-header bypass, algorithm confusion, cache collision, ReDoS, empty-HMAC-secret auth bypass) that npm audit flagged on the old v9/fast-jwt<=6.2.3 pairing. Verified auth still works end-to-end (setup, valid token, rejected bad token) after the upgrade; npm audit now reports 0 vulnerabilities. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-19 10:28:37 +00:00			`import { Agent } from 'undici'`
Add Proxmox integration adapter with real resource listing Implements testConnection (via /api2/json/version) and listResources (via /api2/json/cluster/resources) using Proxmox's API token auth header, following the same pattern as the Docker adapter. Verified end-to-end: graceful failure against an unreachable host, correct event logging, and exclusion from the resources endpoint when not connected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-18 20:12:40 +00:00			`import type { IntegrationAdapter, Resource } from './types.js'`

			`interface ProxmoxResourceEntry {`
			`type: string`
			`name?: string`
			`status?: string`
			`vmid?: number`
			`node?: string`
			`}`

			`function authHeader(apiKey: string): Record<string, string> {`
			return { Authorization: `PVEAPIToken=${apiKey}` }
			`}`

Allow self-signed TLS for Proxmox and fix critical fast-jwt vuln Proxmox ships with a self-signed cert by default, which Node's fetch rejected outright; route Proxmox requests through an undici Agent with rejectUnauthorized disabled so real Proxmox hosts can be connected. Also bump @fastify/jwt to v10, which pulls in a patched fast-jwt and resolves the critical advisories (crit-header bypass, algorithm confusion, cache collision, ReDoS, empty-HMAC-secret auth bypass) that npm audit flagged on the old v9/fast-jwt<=6.2.3 pairing. Verified auth still works end-to-end (setup, valid token, rejected bad token) after the upgrade; npm audit now reports 0 vulnerabilities. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-19 10:28:37 +00:00			`// Proxmox ships with a self-signed cert by default, which Node's fetch rejects out of the box.`
			`const insecureDispatcher = new Agent({ connect: { rejectUnauthorized: false } })`

Surface underlying network error instead of generic 'fetch failed' undici's fetch() collapses DNS/TLS/connection-refused/timeout failures into a vague TypeError. Unwrap err.cause so Test Connection shows the real reason (e.g. ECONNREFUSED, certificate error) instead of just 'fetch failed'. 2026-06-20 10:31:11 +00:00			`// undici's fetch() wraps the real failure (DNS, TLS, connection refused/timed out) in a generic`
			`// "fetch failed" TypeError — unwrap err.cause so the actual reason reaches the UI.`
			`function describeFetchError(err: unknown): string {`
			`if (err instanceof Error) {`
			`const cause = (err as { cause?: unknown }).cause`
			if (cause instanceof Error) return `${err.message}: ${cause.message}`
			`return err.message`
			`}`
			`return 'Connection failed'`
			`}`

Add Proxmox integration adapter with real resource listing Implements testConnection (via /api2/json/version) and listResources (via /api2/json/cluster/resources) using Proxmox's API token auth header, following the same pattern as the Docker adapter. Verified end-to-end: graceful failure against an unreachable host, correct event logging, and exclusion from the resources endpoint when not connected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-18 20:12:40 +00:00			`export const proxmox: IntegrationAdapter = {`
			`async testConnection(config, secrets) {`
			`const baseUrl = config.baseUrl?.replace(/\/$/, '')`
			`const apiKey = secrets.apiKey`
			`if (!baseUrl) return { ok: false, message: 'Missing baseUrl' }`
			`if (!apiKey) return { ok: false, message: 'Missing API token' }`
			`try {`
Allow self-signed TLS for Proxmox and fix critical fast-jwt vuln Proxmox ships with a self-signed cert by default, which Node's fetch rejected outright; route Proxmox requests through an undici Agent with rejectUnauthorized disabled so real Proxmox hosts can be connected. Also bump @fastify/jwt to v10, which pulls in a patched fast-jwt and resolves the critical advisories (crit-header bypass, algorithm confusion, cache collision, ReDoS, empty-HMAC-secret auth bypass) that npm audit flagged on the old v9/fast-jwt<=6.2.3 pairing. Verified auth still works end-to-end (setup, valid token, rejected bad token) after the upgrade; npm audit now reports 0 vulnerabilities. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-19 10:28:37 +00:00			const res = await fetch(`${baseUrl}/api2/json/version`, {
			`headers: authHeader(apiKey),`
			`dispatcher: insecureDispatcher,`
			`} as RequestInit)`
Add Proxmox integration adapter with real resource listing Implements testConnection (via /api2/json/version) and listResources (via /api2/json/cluster/resources) using Proxmox's API token auth header, following the same pattern as the Docker adapter. Verified end-to-end: graceful failure against an unreachable host, correct event logging, and exclusion from the resources endpoint when not connected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-18 20:12:40 +00:00			if (!res.ok) return { ok: false, message: `HTTP ${res.status}` }
			`return { ok: true, message: 'Connected' }`
			`} catch (err) {`
Surface underlying network error instead of generic 'fetch failed' undici's fetch() collapses DNS/TLS/connection-refused/timeout failures into a vague TypeError. Unwrap err.cause so Test Connection shows the real reason (e.g. ECONNREFUSED, certificate error) instead of just 'fetch failed'. 2026-06-20 10:31:11 +00:00			`return { ok: false, message: describeFetchError(err) }`
Add Proxmox integration adapter with real resource listing Implements testConnection (via /api2/json/version) and listResources (via /api2/json/cluster/resources) using Proxmox's API token auth header, following the same pattern as the Docker adapter. Verified end-to-end: graceful failure against an unreachable host, correct event logging, and exclusion from the resources endpoint when not connected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-18 20:12:40 +00:00			`}`
			`},`

			`async listResources(config, secrets): Promise<Resource[]> {`
			`const baseUrl = config.baseUrl?.replace(/\/$/, '')`
			`const apiKey = secrets.apiKey`
			`if (!baseUrl \|\| !apiKey) return []`
Allow self-signed TLS for Proxmox and fix critical fast-jwt vuln Proxmox ships with a self-signed cert by default, which Node's fetch rejected outright; route Proxmox requests through an undici Agent with rejectUnauthorized disabled so real Proxmox hosts can be connected. Also bump @fastify/jwt to v10, which pulls in a patched fast-jwt and resolves the critical advisories (crit-header bypass, algorithm confusion, cache collision, ReDoS, empty-HMAC-secret auth bypass) that npm audit flagged on the old v9/fast-jwt<=6.2.3 pairing. Verified auth still works end-to-end (setup, valid token, rejected bad token) after the upgrade; npm audit now reports 0 vulnerabilities. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-19 10:28:37 +00:00			const res = await fetch(`${baseUrl}/api2/json/cluster/resources?type=vm`, {
			`headers: authHeader(apiKey),`
			`dispatcher: insecureDispatcher,`
			`} as RequestInit)`
Add Proxmox integration adapter with real resource listing Implements testConnection (via /api2/json/version) and listResources (via /api2/json/cluster/resources) using Proxmox's API token auth header, following the same pattern as the Docker adapter. Verified end-to-end: graceful failure against an unreachable host, correct event logging, and exclusion from the resources endpoint when not connected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BbJV5nm8KPVH1oNJYKpnoF 2026-06-18 20:12:40 +00:00			`if (!res.ok) return []`
			`const body = (await res.json()) as { data: ProxmoxResourceEntry[] }`
			`return body.data.map((entry) => ({`
			name: entry.name ?? `vm-${entry.vmid}`,
			`status: entry.status === 'running' ? 'healthy' : entry.status === 'stopped' ? 'unknown' : 'warning',`
			detail: `${entry.type} on ${entry.node} — ${entry.status}`,
			`}))`
			`},`
			`}`