@usex/mikrotik-mcp 1.0.0

package/package.json

@@ -0,0 +1,107 @@
+{
+  "name": "@usex/mikrotik-mcp",
+  "version": "1.0.0",
+  "description": "Bun-native MCP server for MikroTik RouterOS — 200+ tools over SSH for firewall, NAT, routing, DHCP, DNS, WireGuard, wireless, QoS and more.",
+  "type": "module",
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "prompts",
+    "schemas"
+  ],
+  "bin": {
+    "mikrotik-mcp": "dist/cli.js"
+  },
+  "keywords": [
+    "ai",
+    "mcp",
+    "mikrotik",
+    "mikrotik mcp",
+    "claude",
+    "bun"
+  ],
+  "author": {
+    "name": "Ali Torki",
+    "url": "https://github.com/ali-master",
+    "email": "ali_4286@live.com"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ali-master/mikrotik-mcp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/ali-master/mikrotik-mcp/issues"
+  },
+  "homepage": "https://github.com/ali-master/mikrotik-mcp#readme",
+  "logo": "https://raw.githubusercontent.com/ali-master/mikrotik-mcp/main/assets/logo.svg",
+  "engines": {
+    "bun": ">=1.3.0"
+  },
+  "scripts": {
+    "build": "bunup && chmod +x dist/cli.js",
+    "dev": "bunup --watch",
+    "prepack": "bunup && chmod +x dist/cli.js",
+    "auth-check": "bun run src/cli.ts auth-check",
+    "gen:schemas": "bun run scripts/gen-schemas.ts",
+    "gen:docs": "bun run scripts/gen-tool-docs.ts",
+    "gen": "bun run gen:schemas && bun run gen:docs",
+    "start": "bun run src/cli.ts serve",
+    "inspect": "bunx @modelcontextprotocol/inspector bun run src/cli.ts serve",
+    "inspect:built": "bun run build && bunx @modelcontextprotocol/inspector bun dist/cli.js serve",
+    "inspect:config": "bunx @modelcontextprotocol/inspector --config mcp-inspector.config.json --server mikrotik",
+    "inspect:cli": "bunx @modelcontextprotocol/inspector --cli bun run src/cli.ts serve --method tools/list",
+    "inspect:config:local": "bunx @modelcontextprotocol/inspector --config /var/open-source/mikrotik-mcp/mcp-inspector.config.local.json --server mikrotik",
+    "test": "bun test",
+    "release": "release-it",
+    "test:types": "tsc --noEmit",
+    "format": "prettier --write \"**/*.ts\"",
+    "lint": "eslint \"src/**/*.ts\"",
+    "lint:fix": "eslint \"src/**/*.ts\" --fix"
+  },
+  "devDependencies": {
+    "@antfu/eslint-config": "^9.0.0",
+    "@resvg/resvg-js": "^2.6.2",
+    "@types/bun": "latest",
+    "@types/node": "^25.9.3",
+    "@types/ssh2": "^1.15.5",
+    "@types/update-notifier": "^6.0.8",
+    "bunup": "^0.16.32",
+    "eslint": "^10.5.0",
+    "eslint-plugin-format": "^2.0.1",
+    "prettier": "^3.8.4",
+    "release-it": "^20.2.0"
+  },
+  "peerDependencies": {
+    "typescript": "^5.7.3"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "ssh2": "^1.17.0",
+    "zod": "^4.4.3"
+  },
+  "packageManager": "bun@1.3.14",
+  "changelog": {
+    "labels": {
+      "feature": "Features",
+      "bug": "Bug fixes",
+      "enhancement": "Enhancements",
+      "docs": "Docs",
+      "dependencies": "Dependencies",
+      "type: code style": "Code style tweaks",
+      "status: blocked": "Breaking changes",
+      "breaking change": "Breaking changes"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/prompts/backup-and-document.md

@@ -0,0 +1,31 @@
+---
+name: backup-and-document
+title: Back up and document the configuration
+description: Create a safe restore point and produce a human-readable inventory of the router's configuration.
+arguments: []
+---
+Create a restore point for this MikroTik device and then write up a clear,
+human-readable summary of how it's configured. This is read-mostly: the only
+change is creating a backup/export.
+
+1. **Restore point** — `create_backup` (binary, for full restore) and
+   `create_export` (text `.rsc`, for review/diff). List them with `list_backups`.
+2. **Inventory** — gather the configuration with read tools and organize it:
+   - System: `get_system_identity`, `get_system_resources`, `get_routerboard`,
+     `get_installed_packages`.
+   - L2/L3: `list_interfaces`, `list_vlan_interfaces`, `list_bridges`,
+     `list_ip_addresses`, `list_ip_pools`.
+   - Services: `list_dhcp_servers`, `get_dns_settings`, `list_dns_static`,
+     `list_ip_services`.
+   - Routing: `list_routes`, `get_routing_table`.
+   - Security: `list_filter_rules`, `list_nat_rules`, `list_address_lists`,
+     `list_users`, `list_certificates`.
+   - VPN/QoS: `list_wireguard_interfaces` + `list_wireguard_peers`,
+     `list_simple_queues`, `list_queue_trees`.
+   - Automation: `list_schedulers`, `list_scripts`.
+
+Produce a structured Markdown report: a one-paragraph overview, a table of
+interfaces and addressing, the firewall posture, and a "things worth reviewing"
+section (defaults left in place, disabled-but-present rules, expiring certs).
+Reference the backup/export filenames you created so the user knows their restore
+point.

package/prompts/choose-vpn-solution.md

@@ -0,0 +1,45 @@
+---
+name: choose-vpn-solution
+title: Choose the right MikroTik VPN
+description: Recommend the best MikroTik VPN/tunnel technology for a given requirement, then outline the build.
+arguments:
+  - name: use_case
+    description: What you need — e.g. "connect two offices", "remote access for laptops & phones", "site-to-site over the internet with another vendor's firewall", "L2 bridge between sites".
+    required: true
+  - name: clients
+    description: What connects — e.g. "iOS/Android/Windows built-in clients", "other MikroTik routers", "a Cisco/Fortinet device", "our laptops only". Optional.
+    required: false
+---
+Act as a MikroTik VPN architect. Recommend the single best tunneling technology
+for the requirement below, justify it against the alternatives, then sketch the
+build using this server's tools. Be decisive.
+
+Use case: {{use_case}}
+Clients / peers: {{clients}}
+
+Decision guidance — weigh these MikroTik options:
+
+- **WireGuard** — fastest, simplest, modern. Best for MikroTik↔MikroTik and
+  laptops/phones with the WireGuard app. No built-in OS client on older systems.
+  Tools: `create_wireguard_interface`, `add_wireguard_peer`, `generate_wireguard_client_config`.
+- **IPsec (IKEv2)** — the interoperability choice for site-to-site with
+  *other vendors* (Cisco/Fortinet/pfSense) and for native iOS/Windows IKEv2
+  road-warrior. Most config surface. Tools: `create_ipsec_*` (profile/peer/
+  identity/proposal/policy), `get_ipsec_active_peers`.
+- **L2TP/IPsec** — best when clients must use the **built-in** VPN client on
+  Windows/macOS/iOS/Android with no app install. Tools: `set_l2tp_server`
+  (`use_ipsec=required`), `create_ppp_secret`, `create_ppp_profile`.
+- **SSTP** — when you must traverse restrictive firewalls/proxies (TLS over 443).
+  Needs a certificate. Tools: `set_sstp_server`, `create_ppp_secret`.
+- **OpenVPN** — cross-platform with the OpenVPN client; RouterOS 7 adds UDP.
+  Tools: `set_ovpn_server`, `create_ovpn_client`.
+- **PPTP** — legacy/weak; only if a legacy device demands it. Recommend against.
+- **GRE / IPIP / EoIP / VXLAN** — *unencrypted* transport tunnels for routing or
+  L2 bridging between sites (often run **over** an IPsec policy for encryption).
+  EoIP/VXLAN bridge layer-2; GRE/IPIP carry layer-3. Tools: `create_gre_tunnel`,
+  `create_eoip_tunnel`, `create_vxlan_tunnel`.
+
+Deliver: (1) the recommendation in one sentence, (2) a short "why not the others"
+table, (3) an ordered build plan referencing the exact tools and the firewall
+rules required (use Safe Mode for firewall edits), and (4) what the client side
+needs. Confirm the plan before making changes.

package/prompts/diagnose-connectivity.md

@@ -0,0 +1,38 @@
+---
+name: diagnose-connectivity
+title: Diagnose a connectivity problem
+description: Systematically troubleshoot why a host, subnet, or the internet is unreachable from a MikroTik router.
+arguments:
+  - name: target
+    description: What's unreachable — an IP, hostname, or subnet (e.g. 8.8.8.8, example.com, 192.168.50.0/24).
+    required: true
+  - name: source_interface
+    description: The interface/segment the affected clients are on (e.g. bridge, vlan50). Optional.
+    required: false
+---
+Troubleshoot a connectivity issue on a MikroTik RouterOS device, reasoning from
+the bottom of the stack up. Use read-only tools only — do not change config until
+you've localized the fault and the user approves a fix.
+
+Target that is unreachable: {{target}}
+Affected segment/interface: {{source_interface}}
+
+Diagnose in layers, stating what each step rules in or out:
+
+1. **Link** — `list_interfaces` (is the relevant interface `running`?), and for
+   PoE/SFP links check status. `get_interface` for details.
+2. **Addressing** — `list_ip_addresses`; confirm the segment has a valid gateway
+   IP and the WAN has an address (DHCP/PPPoE/static).
+3. **Routing** — `get_routing_table`, then `check_route_path` toward {{target}} to
+   see which route/gateway would be used and whether it's active.
+4. **Name resolution** — if {{target}} is a hostname, `resolve_dns` and
+   `get_dns_settings`.
+5. **Reachability** — `ping` {{target}} from the router (and with `src_address`
+   set to the segment's gateway if relevant); `traceroute` to find where it stops.
+6. **Firewall / NAT** — `list_filter_rules` and `list_nat_rules`; look for a drop
+   in `forward` or a missing `srcnat`/masquerade for the segment. Check
+   `list_address_lists` if rules reference one.
+7. **Logs** — `search_logs` for the interface/subnet and `get_system_events`.
+
+Conclude with the single most likely root cause, the evidence for it, and the
+specific tool call(s) that would fix it (for the user to approve).

package/prompts/harden-router.md

@@ -0,0 +1,38 @@
+---
+name: harden-router
+title: Harden a RouterOS device
+description: Audit and tighten a MikroTik router's security posture — management services, firewall input chain, users, and DNS.
+arguments:
+  - name: wan_interface
+    description: The WAN-facing interface name (e.g. ether1, pppoe-out1). If unknown, discover it first.
+    required: false
+---
+You are securing a MikroTik RouterOS device exposed through this MCP server. Work
+**safely and incrementally**: inspect first, propose a plan, and prefer Safe Mode
+for risky firewall changes so a mistake auto-reverts instead of locking us out.
+
+WAN interface: {{wan_interface}}
+
+Carry out a hardening pass in this order, explaining each finding:
+
+1. **Baseline** — `get_system_identity`, `get_system_resources`, `get_installed_packages`,
+   and `list_interfaces` to understand the device and confirm the WAN interface.
+2. **Management surface** — `list_ip_services`. Flag any enabled plaintext service
+   (telnet, ftp, www, api). Recommend `disable_ip_service` for telnet/ftp and
+   restricting the rest with `set_ip_service` (set `address=` to trusted subnets,
+   move ssh off port 22 if appropriate).
+3. **Users** — `list_users` and `list_user_groups`. Flag the default `admin`
+   account, weak/absent passwords, and over-broad group policies.
+4. **Firewall input chain** — `list_filter_rules` with `chain=input`. Verify there
+   is an established/related accept, an ICMP accept, a trusted-management accept,
+   and a final drop. If the input chain is empty or permissive, propose concrete
+   `create_filter_rule` calls. **Enable Safe Mode** (`enable_safe_mode`) before
+   applying, verify connectivity, then `commit_safe_mode`.
+5. **Discovery/Neighbour exposure** — check for MAC-server / neighbor-discovery /
+   bandwidth-test left open on the WAN.
+6. **DNS** — `get_dns_settings`; if `allow-remote-requests` is yes, ensure UDP/TCP
+   53 from WAN is dropped.
+
+Finish with a short prioritized checklist (Critical / Recommended / Optional) and
+the exact tool calls you would run for each. Do not make changes the user hasn't
+approved.

package/prompts/setup-guest-wifi.md

@@ -0,0 +1,44 @@
+---
+name: setup-guest-wifi
+title: Set up an isolated guest network
+description: Create a segmented guest VLAN/network with its own DHCP, internet access, and isolation from the LAN.
+arguments:
+  - name: subnet
+    description: The guest subnet in CIDR, e.g. 192.168.80.0/24.
+    required: true
+  - name: vlan_id
+    description: VLAN ID for the guest segment, e.g. 80. Optional if using a flat interface.
+    required: false
+  - name: wan_interface
+    description: The interface that reaches the internet (for the masquerade rule).
+    required: true
+---
+Build an **isolated guest network** on this MikroTik device. Guests must reach the
+internet but must NOT reach the LAN or the router's management. Plan the whole
+change first, show it to the user, then apply it under Safe Mode.
+
+Guest subnet: {{subnet}}
+Guest VLAN ID: {{vlan_id}}
+WAN interface: {{wan_interface}}
+
+Proposed build (adapt to what you discover with `list_interfaces`,
+`list_ip_addresses`, `list_filter_rules`):
+
+1. **Segment** — if a VLAN is requested, `create_vlan_interface` (vlan_id
+   {{vlan_id}}) on the LAN bridge/trunk; otherwise pick a dedicated interface.
+2. **Gateway IP** — `add_ip_address` using the first usable address of {{subnet}}.
+3. **DHCP** — `create_dhcp_pool`, `create_dhcp_network` (gateway + DNS), and
+   `create_dhcp_server` bound to the guest interface.
+4. **NAT** — ensure a `create_nat_rule` masquerade exists for {{subnet}} out
+   {{wan_interface}}.
+5. **Isolation (the important part)** — in the `forward` chain via
+   `create_filter_rule`:
+   - allow {{subnet}} → WAN (established/related + new),
+   - **drop {{subnet}} → LAN subnets (RFC1918)**,
+   and in the `input` chain drop {{subnet}} → router except DHCP/DNS. Consider an
+   `add_address_list_entry` list named `guest` to keep the rules tidy.
+6. **Verify** — re-list the rules and confirm ordering; `enable_safe_mode` before
+   applying, test, then `commit_safe_mode`.
+
+Present the plan as an ordered list of exact tool calls with arguments before
+executing anything.

package/prompts/setup-ipsec-site-to-site.md

@@ -0,0 +1,50 @@
+---
+name: setup-ipsec-site-to-site
+title: Build an IPsec IKEv2 site-to-site tunnel
+description: Stand up an interoperable IPsec IKEv2 tunnel between this router and a remote site/peer.
+arguments:
+  - name: local_subnet
+    description: The local network behind this router, in CIDR (e.g. 192.168.10.0/24).
+    required: true
+  - name: remote_subnet
+    description: The remote network behind the peer, in CIDR (e.g. 192.168.20.0/24).
+    required: true
+  - name: peer_address
+    description: The public IP / hostname of the remote peer.
+    required: true
+---
+Build a secure IPsec **IKEv2** site-to-site tunnel. IKEv2 is the interoperability
+choice — it works against other MikroTik routers and third-party firewalls
+(Cisco, Fortinet, pfSense). Plan first, present the parameters for both ends to
+match, then apply under Safe Mode.
+
+Local subnet: {{local_subnet}}
+Remote subnet: {{remote_subnet}}
+Peer address: {{peer_address}}
+
+Build order (use the `create_ipsec_*` tools; keep phase-1/phase-2 parameters
+identical on both ends):
+
+1. **Profile (phase 1)** — `create_ipsec_profile` (e.g. dh-group modp2048,
+   enc-algorithm aes-256, hash sha256). Note the values so the remote side matches.
+2. **Proposal (phase 2)** — `create_ipsec_proposal` (e.g. auth sha256,
+   enc aes-256-cbc, pfs-group modp2048).
+3. **Peer** — `create_ipsec_peer` with `address={{peer_address}}`,
+   `exchange_mode=ike2`, and the profile from step 1.
+4. **Identity** — `create_ipsec_identity` for that peer with
+   `auth_method=pre-shared-key` and a strong secret (or certificates for
+   production). Set `generate_policy=port-strict` only if you are not defining an
+   explicit policy.
+5. **Policy** — `create_ipsec_policy` with `src_address={{local_subnet}}`,
+   `dst_address={{remote_subnet}}`, `tunnel=true`, `action=encrypt`, the peer, and
+   the proposal.
+6. **Firewall / NAT** — ensure UDP 500 + 4500 and IP protocol 50 (ESP) are
+   accepted from {{peer_address}} on the input chain, and add a NAT *bypass*
+   (accept/no-nat) rule so {{local_subnet}}→{{remote_subnet}} traffic is NOT
+   masqueraded. Apply firewall edits under `enable_safe_mode`.
+7. **Verify** — `get_ipsec_active_peers` and `get_ipsec_installed_sa` to confirm
+   the tunnel established; `ping` a remote host with src-address in {{local_subnet}}.
+
+Present the matching parameter set for the remote engineer and the exact tool
+calls before applying. Never echo the pre-shared key back in plaintext beyond
+what is necessary to configure the peer.

package/prompts/setup-l2tp-ipsec-roadwarrior.md

@@ -0,0 +1,41 @@
+---
+name: setup-l2tp-ipsec-roadwarrior
+title: Set up L2TP/IPsec remote access (road warrior)
+description: Configure an L2TP-over-IPsec server so laptops and phones can connect with their built-in VPN client.
+arguments:
+  - name: vpn_pool
+    description: The address range handed to VPN clients, e.g. 192.168.89.10-192.168.89.254.
+    required: true
+  - name: local_gateway
+    description: The router's address on the VPN/LAN side that clients use as gateway/DNS, e.g. 192.168.89.1.
+    required: true
+---
+Configure **L2TP/IPsec** remote access — the right choice when users must connect
+with the **built-in** VPN client on Windows, macOS, iOS, and Android (no app to
+install). Plan first, then apply (firewall under Safe Mode).
+
+Client address pool: {{vpn_pool}}
+Gateway / DNS for clients: {{local_gateway}}
+
+Build order:
+
+1. **IP pool** — `create_ip_pool` for {{vpn_pool}} (e.g. name `l2tp-pool`).
+2. **PPP profile** — `create_ppp_profile` (name `l2tp-profile`,
+   `local_address={{local_gateway}}`, `remote_address=l2tp-pool`,
+   `dns_server={{local_gateway}}`, `change_tcp_mss=yes`).
+3. **User accounts** — `create_ppp_secret` per user with
+   `service=l2tp` and `profile=l2tp-profile`. Use strong passwords.
+4. **Enable the server** — `set_l2tp_server` with `enabled=true`,
+   `default_profile=l2tp-profile`, `use_ipsec=required`, and a strong
+   `ipsec_secret` (this is the IPsec pre-shared key clients enter).
+   `authentication=mschap2`.
+5. **Firewall** — accept UDP 500, UDP 4500, UDP 1701, and IP protocol 50 (ESP)
+   on the input chain from the internet; allow the {{vpn_pool}} range to reach the
+   LAN/internet in the forward chain as required. Apply under `enable_safe_mode`,
+   verify you can still reach the router, then `commit_safe_mode`.
+6. **Verify** — `get_l2tp_server`, then `get_ppp_active` after a test client
+   connects.
+
+Finish with a short **client setup card**: server address, the IPsec pre-shared
+key (treat as a secret), the username/password, and the per-OS steps (type =
+"L2TP over IPsec"). Confirm before applying changes.

package/prompts/setup-tunnel-between-sites.md

@@ -0,0 +1,56 @@
+---
+name: setup-tunnel-between-sites
+title: Build a tunnel between two MikroTik devices
+description: Configure BOTH routers of a site-to-site tunnel from one conversation, then verify it end to end.
+arguments:
+  - name: device_a
+    description: Name of the first configured device (see list_mikrotik_devices), e.g. site-a.
+    required: true
+  - name: device_b
+    description: Name of the second configured device, e.g. site-b.
+    required: true
+  - name: technology
+    description: Tunnel type to use — wireguard, ipsec, gre, eoip, or "recommend" to let you choose.
+    required: false
+---
+You are configuring a **site-to-site tunnel between two MikroTik routers** that
+this server can both reach. You will drive BOTH devices in one flow by passing
+the `device` argument on each tool call.
+
+Device A: {{device_a}}
+Device B: {{device_b}}
+Requested technology: {{technology}}
+
+Work in this order, confirming the plan before any change:
+
+1. **Inventory both ends.** Call `list_mikrotik_devices` first. Then, for each of
+   {{device_a}} and {{device_b}}, gather facts with `device=<name>`:
+   `get_system_identity`, `list_interfaces`, `list_ip_addresses`,
+   `get_routing_table`. Note each side's WAN/public address and LAN subnet.
+2. **Choose the technology.** If `{{technology}}` is "recommend" or empty, pick
+   based on the facts (WireGuard for MikroTik↔MikroTik simplicity; IPsec IKEv2
+   for policy-based/interop; GRE/EoIP when you need routed/L2 transport — wrap it
+   in IPsec if it must be encrypted). State the choice and why.
+3. **Configure side A** (`device={{device_a}}`) then **side B**
+   (`device={{device_b}}`), keeping the two ends' parameters consistent:
+   - WireGuard: `create_wireguard_interface` on each, exchange the **public keys**
+     (read with `get_wireguard_interface`), `add_wireguard_peer` on each pointing
+     at the other's endpoint + public key + allowed subnet, and `add_ip_address`
+     on each tunnel interface.
+   - IPsec: matching `create_ipsec_profile` + `create_ipsec_proposal` on both,
+     then `create_ipsec_peer` (`exchange_mode=ike2`) → `create_ipsec_identity`
+     (same PSK) → `create_ipsec_policy` (A: src=A-LAN dst=B-LAN; B: mirrored).
+   - GRE/EoIP: `create_gre_tunnel`/`create_eoip_tunnel` on each with
+     remote-address = the other side's public IP, then address + a route.
+4. **Firewall, safely.** On each side, open the tunnel's port/protocol on the
+   `input` chain and allow the far LAN in `forward`. Use `enable_safe_mode`
+   (`device=<name>`) per device before firewall edits, verify, then
+   `commit_safe_mode` — Safe Mode is tracked per device, so each router commits
+   independently.
+5. **Verify end to end.** From {{device_a}} run `ping` (`device={{device_a}}`) to
+   the far tunnel address and a host in B's LAN (set `src_address` to A's LAN IP);
+   repeat from {{device_b}}. For IPsec, check `get_ipsec_active_peers` on both.
+   Use `traceroute` if a path is wrong.
+
+Report the tunnel parameters used on each side, the verification results, and any
+follow-ups (e.g. routes still needed). Never apply changes the user hasn't approved.

package/prompts/setup-wireguard-vpn.md

@@ -0,0 +1,41 @@
+---
+name: setup-wireguard-vpn
+title: Set up a WireGuard VPN + first peer
+description: Stand up a WireGuard server interface on the router and generate a ready-to-use client config for one peer.
+arguments:
+  - name: vpn_subnet
+    description: The VPN tunnel subnet in CIDR, e.g. 10.10.0.0/24.
+    required: true
+  - name: endpoint
+    description: The public hostname/IP clients will connect to (your WAN address or DDNS name).
+    required: true
+  - name: listen_port
+    description: UDP port for WireGuard (default 13231).
+    required: false
+---
+Provision a WireGuard VPN on this MikroTik device and produce a working client
+config. Confirm the plan with the user before applying changes.
+
+VPN subnet: {{vpn_subnet}}
+Public endpoint: {{endpoint}}
+Listen port: {{listen_port}}
+
+Steps:
+
+1. **Server interface** — `create_wireguard_interface` (e.g. name `wg-vpn`,
+   listen port {{listen_port}} or 13231). Then `get_wireguard_interface` to read
+   back its **public key**.
+2. **Tunnel address** — `add_ip_address` on `wg-vpn` using the router's address in
+   {{vpn_subnet}} (e.g. the .1).
+3. **Firewall** — `create_filter_rule` in `input` to accept UDP on the listen port
+   from WAN, and in `forward` to allow the VPN subnet to the LAN/internet as the
+   user wants. Use Safe Mode for the firewall edits.
+4. **First peer** — `add_wireguard_peer` on `wg-vpn` with the client's allowed
+   address (a /32 in {{vpn_subnet}}). If the client keypair is generated on the
+   client, collect its public key; otherwise note that the private key must be
+   created client-side.
+5. **Client config** — call `generate_wireguard_client_config` with the server
+   public key, {{endpoint}}, the listen port, and the assigned client address, and
+   present the resulting `[Interface]/[Peer]` config for the user to import.
+
+Report the server public key, the peer you added, and the full client config.

package/schemas/README.md

@@ -0,0 +1,14 @@
+# Schemas
+
+Machine-readable JSON Schemas for `@usex/mikrotik-mcp`, **generated** from the
+TypeScript source by `scripts/gen-schemas.ts` (`bun run gen:schemas`). Do not
+edit by hand — regenerate instead.
+
+| File | Contents |
+|------|----------|
+| `config.schema.json` | The runtime configuration object (env vars / CLI flags). |
+| `tool-catalog.json` | Every one of the 466 tools: `name`, `risk`, `title`, `description`, and input JSON Schema. |
+| `tools/<name>.json` | The input JSON Schema for a single tool. |
+
+`risk` is derived from the MCP tool annotations:
+`read` · `write` · `write-idempotent` · `destructive` · `dangerous`.

package/schemas/config.schema.json

@@ -0,0 +1,128 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "MikrotikConfig",
+  "type": "object",
+  "properties": {
+    "devices": {
+      "default": {
+        "default": {
+          "host": "127.0.0.1",
+          "username": "admin",
+          "password": "",
+          "port": 22,
+          "timeoutMs": 10000
+        }
+      },
+      "type": "object",
+      "propertyNames": {
+        "type": "string"
+      },
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "host": {
+            "default": "127.0.0.1",
+            "type": "string"
+          },
+          "username": {
+            "default": "admin",
+            "type": "string"
+          },
+          "password": {
+            "default": "",
+            "type": "string"
+          },
+          "port": {
+            "default": 22,
+            "type": "integer",
+            "exclusiveMinimum": 0,
+            "maximum": 9007199254740991
+          },
+          "keyFilename": {
+            "type": "string"
+          },
+          "privateKey": {
+            "type": "string"
+          },
+          "keyPassphrase": {
+            "type": "string"
+          },
+          "timeoutMs": {
+            "default": 10000,
+            "type": "integer",
+            "exclusiveMinimum": 0,
+            "maximum": 9007199254740991
+          },
+          "description": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "host",
+          "username",
+          "password",
+          "port",
+          "timeoutMs"
+        ],
+        "additionalProperties": false
+      }
+    },
+    "defaultDevice": {
+      "default": "default",
+      "type": "string"
+    },
+    "mcp": {
+      "default": {
+        "transport": "stdio",
+        "host": "0.0.0.0",
+        "port": 8000,
+        "allowedHosts": "",
+        "allowedOrigins": ""
+      },
+      "type": "object",
+      "properties": {
+        "transport": {
+          "default": "stdio",
+          "type": "string",
+          "enum": [
+            "stdio",
+            "sse",
+            "streamable-http"
+          ]
+        },
+        "host": {
+          "default": "0.0.0.0",
+          "type": "string"
+        },
+        "port": {
+          "default": 8000,
+          "type": "integer",
+          "exclusiveMinimum": 0,
+          "maximum": 9007199254740991
+        },
+        "allowedHosts": {
+          "default": "",
+          "type": "string"
+        },
+        "allowedOrigins": {
+          "default": "",
+          "type": "string"
+        }
+      },
+      "required": [
+        "transport",
+        "host",
+        "port",
+        "allowedHosts",
+        "allowedOrigins"
+      ],
+      "additionalProperties": false
+    }
+  },
+  "required": [
+    "devices",
+    "defaultDevice",
+    "mcp"
+  ],
+  "additionalProperties": false
+}