@usex/mikrotik-mcp 2.0.0 → 2.2.0

package/dist/cli.js

@@ -29,6 +29,10 @@ var DeviceConfigSchema = z.object({
   privateKey: z.string().optional(),
   keyPassphrase: z.string().optional(),
   timeoutMs: z.coerce.number().int().positive().default(1e4),
+  mac: z.string().optional(),
+  sourceMac: z.string().optional(),
+  macHost: z.string().optional(),
+  macPort: z.coerce.number().int().positive().optional(),
   description: z.string().optional()
 });
 var S3ConfigSchema = z.object({
@@ -116,7 +120,11 @@ function loadConfig(argv = process.argv.slice(2)) {
     keyFilename: pick("key-filename", "MIKROTIK_KEY_FILENAME"),
     privateKey: pick("private-key", "MIKROTIK_PRIVATE_KEY"),
     keyPassphrase: pick("key-passphrase", "MIKROTIK_KEY_PASSPHRASE"),
-    timeoutMs: pick("timeout-ms", "MIKROTIK_TIMEOUT_MS")
+    timeoutMs: pick("timeout-ms", "MIKROTIK_TIMEOUT_MS"),
+    mac: pick("mac", "MIKROTIK_MAC"),
+    sourceMac: pick("source-mac", "MIKROTIK_SOURCE_MAC"),
+    macHost: pick("mac-host", "MIKROTIK_MAC_HOST"),
+    macPort: pick("mac-port", "MIKROTIK_MAC_PORT")
   };
   const hasSingle = Object.values(single).some((v) => v !== undefined);
   const devices = {};
@@ -250,8 +258,1205 @@ var logger = {
   error: (m) => emit("error", m)
 };
 
-// src/ssh/client.ts
+// src/mac-telnet/protocol.ts
+import { createHash as createHash2, randomBytes as randomBytes2, randomInt } from "crypto";
+import { createSocket } from "dgram";
 import { readFileSync as readFileSync2 } from "fs";
+import { networkInterfaces } from "os";
+
+// src/mac-telnet/ec-srp5.ts
+import { createHash, randomBytes } from "crypto";
+var EC_SRP5_PUBKEY_LEN = 33;
+var P = BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed");
+var A = BigInt("0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa984914a144");
+var B = BigInt("0x7b425ed097b425ed097b425ed097b425ed097b425ed097b4260b5e9c7710c864");
+var N = BigInt("0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed");
+var GX = BigInt("0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad245a");
+var GY = BigInt("0x5f51e65e475f794b1fe122d388b72eb36dc2b28192839e4dd6163a5d81312c14");
+var W2M = BigInt("0x555555555555555555555555555555555555555555555555555555555552db9c");
+var M2W = BigInt("0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad2451");
+var SQRT_M1 = modPow(2n, (P - 1n) / 4n, P);
+var G = { x: GX, y: GY };
+function mod(value, m) {
+  const r = value % m;
+  return r < 0n ? r + m : r;
+}
+function modPow(base, exp, m) {
+  let result = 1n;
+  let b = mod(base, m);
+  let e = exp;
+  while (e > 0n) {
+    if (e & 1n)
+      result = result * b % m;
+    b = b * b % m;
+    e >>= 1n;
+  }
+  return result;
+}
+function modInv(value) {
+  return modPow(value, P - 2n, P);
+}
+function modSqrt(a) {
+  const aa = mod(a, P);
+  if (aa === 0n)
+    return 0n;
+  let x = modPow(aa, (P + 3n) / 8n, P);
+  if (x * x % P === aa)
+    return x;
+  x = mod(x * SQRT_M1, P);
+  if (x * x % P === aa)
+    return x;
+  return null;
+}
+function bytesToBigIntBE(bytes) {
+  let value = 0n;
+  for (const byte of bytes)
+    value = value << 8n | BigInt(byte);
+  return value;
+}
+function bigIntToBytesBE(value, length) {
+  const out = new Uint8Array(length);
+  let v = value;
+  for (let i = length - 1;i >= 0; i -= 1) {
+    out[i] = Number(v & 0xffn);
+    v >>= 8n;
+  }
+  return out;
+}
+function sha256(...chunks) {
+  const hash = createHash("sha256");
+  for (const chunk of chunks)
+    hash.update(chunk);
+  return new Uint8Array(hash.digest());
+}
+function concatBytes(parts) {
+  const total = parts.reduce((sum, part) => sum + part.length, 0);
+  const out = new Uint8Array(total);
+  let cursor = 0;
+  for (const part of parts) {
+    out.set(part, cursor);
+    cursor += part.length;
+  }
+  return out;
+}
+function pointAdd(p, q) {
+  if (p === null)
+    return q;
+  if (q === null)
+    return p;
+  if (p.x === q.x) {
+    if (mod(p.y + q.y, P) === 0n)
+      return null;
+    return pointDouble(p);
+  }
+  const slope = mod((q.y - p.y) * modInv(mod(q.x - p.x, P)), P);
+  const x = mod(slope * slope - p.x - q.x, P);
+  const y = mod(slope * (p.x - x) - p.y, P);
+  return { x, y };
+}
+function pointDouble(p) {
+  if (p === null)
+    return null;
+  if (p.y === 0n)
+    return null;
+  const slope = mod((3n * p.x * p.x + A) * modInv(mod(2n * p.y, P)), P);
+  const x = mod(slope * slope - 2n * p.x, P);
+  const y = mod(slope * (p.x - x) - p.y, P);
+  return { x, y };
+}
+function scalarMul(scalar, point) {
+  let result = null;
+  let addend = point;
+  let k = scalar;
+  while (k > 0n) {
+    if (k & 1n)
+      result = pointAdd(result, addend);
+    addend = pointDouble(addend);
+    k >>= 1n;
+  }
+  return result;
+}
+function liftX(xWeier, parity) {
+  const x = mod(xWeier, P);
+  const rhs = mod(x * x * x + A * x + B, P);
+  const y0 = modSqrt(rhs);
+  if (y0 === null)
+    return null;
+  const y = Number(y0 & 1n) === (parity & 1) ? y0 : mod(-y0, P);
+  return { x, y };
+}
+function encodePoint(point) {
+  if (point === null) {
+    throw new Error("Cannot encode the EC-SRP5 point at infinity.");
+  }
+  const out = new Uint8Array(EC_SRP5_PUBKEY_LEN);
+  out.set(bigIntToBytesBE(mod(point.x + W2M, P), 32), 0);
+  out[32] = Number(point.y & 1n);
+  return out;
+}
+function decodePoint(key) {
+  if (key.length !== EC_SRP5_PUBKEY_LEN) {
+    throw new Error(`EC-SRP5 public key must be ${EC_SRP5_PUBKEY_LEN} bytes (got ${key.length}).`);
+  }
+  const xWeier = mod(bytesToBigIntBE(key.subarray(0, 32)) + M2W, P);
+  const point = liftX(xWeier, key[32]);
+  if (point === null) {
+    throw new Error("EC-SRP5 public key X is not a valid curve point.");
+  }
+  return point;
+}
+function ecSrp5Keygen(privBytes) {
+  const priv = privBytes ? Uint8Array.from(privBytes) : new Uint8Array(randomBytes(32));
+  if (priv.length !== 32) {
+    throw new Error("EC-SRP5 private key seed must be 32 bytes.");
+  }
+  priv[0] = priv[0] & 248;
+  priv[31] = priv[31] & 127;
+  priv[31] = priv[31] | 64;
+  const privateKey = bytesToBigIntBE(priv);
+  return { privateKey, publicKey: encodePoint(scalarMul(privateKey, G)) };
+}
+function ecSrp5Id(username, password, salt) {
+  const inner = sha256(new TextEncoder().encode(`${username}:${password}`));
+  return sha256(salt, inner);
+}
+function redp1(montgomeryX, parity) {
+  let seed = bytesToBigIntBE(sha256(montgomeryX));
+  for (;; ) {
+    const candidate = sha256(bigIntToBytesBE(seed, 32));
+    const xWeier = mod(bytesToBigIntBE(candidate) + M2W, P);
+    const point = liftX(xWeier, parity);
+    if (point !== null)
+      return point;
+    seed = mod(seed + 1n, 1n << 256n);
+  }
+}
+function ecSrp5ClientShared(privateKey, serverKey, clientKey, validator) {
+  const serverPoint = decodePoint(serverKey);
+  const v = bytesToBigIntBE(validator);
+  const vG = scalarMul(v, G);
+  if (vG === null) {
+    throw new Error("EC-SRP5 validator produced the point at infinity.");
+  }
+  const gamma = redp1(bigIntToBytesBE(mod(vG.x + W2M, P), 32), 1);
+  const wB = pointAdd(serverPoint, gamma);
+  const j = sha256(clientKey.subarray(0, 32), serverKey.subarray(0, 32));
+  const scalar = mod(v * bytesToBigIntBE(j) + privateKey, N);
+  const pt = scalarMul(scalar, wB);
+  if (pt === null) {
+    throw new Error("EC-SRP5 shared point computed as infinity.");
+  }
+  const z2 = bigIntToBytesBE(mod(pt.x + W2M, P), 32);
+  return { j, z: z2 };
+}
+function ecSrp5ClientProof(privateKey, serverKey, clientKey, validator) {
+  const { j, z: z2 } = ecSrp5ClientShared(privateKey, serverKey, clientKey, validator);
+  return sha256(j, z2);
+}
+
+// src/mac-telnet/mtwei.ts
+function mtweiOfferValue(username, publicKey) {
+  return concatBytes([new TextEncoder().encode(username), Uint8Array.of(0), publicKey]);
+}
+
+// src/mac-telnet/protocol.ts
+var MAC_TELNET_PORT = 20561;
+var MAC_TELNET_HEADER_LEN = 22;
+var MAC_TELNET_CONTROL_HEADER_LEN = 9;
+var MAC_TELNET_CONTROL_MAGIC = Uint8Array.of(86, 52, 18, 255);
+var MAC_TELNET_CLIENT_TYPE = Uint8Array.of(0, 21);
+var MAC_TELNET_RETRANSMIT_SCHEDULE_MS = [
+  15,
+  20,
+  30,
+  50,
+  90,
+  170,
+  330,
+  660,
+  1000
+];
+var MAC_TELNET_KEEPALIVE_IDLE_MS = 8000;
+var MacTelnetPacketType = {
+  sessionStart: 0,
+  data: 1,
+  ack: 2,
+  ping: 4,
+  pong: 5,
+  end: 255
+};
+var MacTelnetControlType = {
+  beginAuth: 0,
+  passwordSalt: 1,
+  password: 2,
+  username: 3,
+  terminalType: 4,
+  terminalWidth: 5,
+  terminalHeight: 6,
+  packetError: 7,
+  endAuth: 9
+};
+function parseMac(value) {
+  const parts = value.trim().split(/[:\-.]/);
+  if (parts.length !== 6) {
+    throw new Error(`"${value}" is not a 6-octet MAC address. Provide a MAC like aa:bb:cc:dd:ee:ff.`);
+  }
+  const octets = new Uint8Array(6);
+  for (let index = 0;index < 6; index += 1) {
+    const octet = Number.parseInt(parts[index], 16);
+    if (!Number.isInteger(octet) || octet < 0 || octet > 255) {
+      throw new Error(`"${value}" has an invalid octet "${parts[index]}". Each octet must be a two-digit hex value (00\u2013ff).`);
+    }
+    octets[index] = octet;
+  }
+  return octets;
+}
+function macEquals(a, b) {
+  if (a.length !== b.length)
+    return false;
+  for (let index = 0;index < a.length; index += 1) {
+    if (a[index] !== b[index])
+      return false;
+  }
+  return true;
+}
+function encodeHeader(options) {
+  const data = new Uint8Array(MAC_TELNET_HEADER_LEN);
+  const view = new DataView(data.buffer);
+  data[0] = 1;
+  data[1] = options.type;
+  data.set(options.sourceMac, 2);
+  data.set(options.destinationMac, 8);
+  const sessionKeyOffset = options.fromServer ? 16 : 14;
+  const clientTypeOffset = options.fromServer ? 14 : 16;
+  view.setUint16(sessionKeyOffset, options.sessionKey & 65535, false);
+  data.set(MAC_TELNET_CLIENT_TYPE, clientTypeOffset);
+  view.setUint32(18, options.counter >>> 0, false);
+  return data;
+}
+function decodeHeader(bytes, options = {}) {
+  if (bytes.length < MAC_TELNET_HEADER_LEN) {
+    throw new Error(`MAC-Telnet packet is too short (${bytes.length} bytes, need at least ${MAC_TELNET_HEADER_LEN}).`);
+  }
+  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+  const fromServer = options.fromServer ?? true;
+  const sessionKeyOffset = fromServer ? 16 : 14;
+  return {
+    version: bytes[0],
+    type: bytes[1],
+    sourceMac: bytes.slice(2, 8),
+    destinationMac: bytes.slice(8, 14),
+    sessionKey: view.getUint16(sessionKeyOffset, false),
+    counter: view.getUint32(18, false)
+  };
+}
+function encodeControlBlock(type, value = new Uint8Array(0)) {
+  const block = new Uint8Array(MAC_TELNET_CONTROL_HEADER_LEN + value.length);
+  block.set(MAC_TELNET_CONTROL_MAGIC, 0);
+  block[4] = type;
+  new DataView(block.buffer).setUint32(5, value.length >>> 0, false);
+  block.set(value, MAC_TELNET_CONTROL_HEADER_LEN);
+  return block;
+}
+function parseControlBlocks(payload) {
+  const blocks = [];
+  let offset = 0;
+  while (offset < payload.length) {
+    const remaining = payload.length - offset;
+    const hasMagic = remaining >= MAC_TELNET_CONTROL_HEADER_LEN && payload[offset] === MAC_TELNET_CONTROL_MAGIC[0] && payload[offset + 1] === MAC_TELNET_CONTROL_MAGIC[1] && payload[offset + 2] === MAC_TELNET_CONTROL_MAGIC[2] && payload[offset + 3] === MAC_TELNET_CONTROL_MAGIC[3];
+    if (!hasMagic) {
+      blocks.push({ type: "plaindata", value: payload.slice(offset) });
+      break;
+    }
+    const type = payload[offset + 4];
+    const length = new DataView(payload.buffer, payload.byteOffset + offset + 5, 4).getUint32(0, false);
+    const valueStart = offset + MAC_TELNET_CONTROL_HEADER_LEN;
+    const valueEnd = valueStart + length;
+    if (valueEnd > payload.length) {
+      throw new Error(`MAC-Telnet control block claims ${length} bytes but only ${payload.length - valueStart} remain.`);
+    }
+    blocks.push({ type, value: payload.slice(valueStart, valueEnd) });
+    offset = valueEnd;
+  }
+  return blocks;
+}
+function macTelnetPasswordHash(password, salt) {
+  const digest = createHash2("md5").update(Buffer.from([0])).update(Buffer.from(password, "utf8")).update(salt).digest();
+  const out = new Uint8Array(17);
+  out[0] = 0;
+  out.set(digest, 1);
+  return out;
+}
+function encodeTerminalDimension(value) {
+  const out = new Uint8Array(2);
+  new DataView(out.buffer).setUint16(0, value & 65535, true);
+  return out;
+}
+function concatBytes2(parts) {
+  const total = parts.reduce((sum, part) => sum + part.length, 0);
+  const out = new Uint8Array(total);
+  let cursor = 0;
+  for (const part of parts) {
+    out.set(part, cursor);
+    cursor += part.length;
+  }
+  return out;
+}
+function buildPacket(options) {
+  const header = encodeHeader({
+    type: options.type,
+    sourceMac: options.sourceMac,
+    destinationMac: options.destinationMac,
+    sessionKey: options.sessionKey,
+    counter: options.counter
+  });
+  if (!options.payload || options.payload.length === 0)
+    return header;
+  return concatBytes2([header, options.payload]);
+}
+function createUdpMacTelnetTransport(options) {
+  const socket = createSocket({ type: "udp4", reuseAddr: true });
+  let handler;
+  socket.on("message", (message) => {
+    handler?.(new Uint8Array(message));
+  });
+  const readyPromise = new Promise((resolve, reject) => {
+    socket.once("error", reject);
+    socket.bind(0, () => {
+      if (options.broadcast) {
+        try {
+          socket.setBroadcast(true);
+        } catch {}
+      }
+      resolve();
+    });
+  });
+  return {
+    send(bytes) {
+      socket.send(bytes, options.port, options.host);
+    },
+    close() {
+      try {
+        socket.close();
+      } catch {}
+    },
+    onMessage(next) {
+      handler = next;
+    },
+    ready() {
+      return readyPromise;
+    }
+  };
+}
+function isZeroMac(mac) {
+  return mac.every((octet) => octet === 0);
+}
+function tryParseMac(value) {
+  if (!value)
+    return;
+  try {
+    return parseMac(value);
+  } catch {
+    return;
+  }
+}
+function hardwareMacOf(name) {
+  try {
+    const sys = readFileSync2(`/sys/class/net/${name}/address`, "utf8").trim();
+    const mac = tryParseMac(sys);
+    if (mac && !isZeroMac(mac))
+      return mac;
+  } catch {}
+  return;
+}
+function ipv4ToInt(addr) {
+  const parts = addr.split(".");
+  if (parts.length !== 4)
+    return;
+  let value = 0;
+  for (const part of parts) {
+    const octet = Number(part);
+    if (!Number.isInteger(octet) || octet < 0 || octet > 255)
+      return;
+    value = value << 8 | octet;
+  }
+  return value >>> 0;
+}
+function intToIpv4(value) {
+  return [24, 16, 8, 0].map((shift) => value >>> shift & 255).join(".");
+}
+function directedBroadcast(address, netmask) {
+  const addr = ipv4ToInt(address);
+  const mask = ipv4ToInt(netmask);
+  if (addr === undefined || mask === undefined)
+    return;
+  return intToIpv4((addr & mask | ~mask >>> 0) >>> 0);
+}
+function listBroadcastInterfaces() {
+  const out = [];
+  for (const [name, infos] of Object.entries(networkInterfaces())) {
+    for (const info of infos ?? []) {
+      if (info.family !== "IPv4" || info.internal)
+        continue;
+      let mac = tryParseMac(info.mac);
+      if (!mac || isZeroMac(mac))
+        mac = hardwareMacOf(name);
+      if (!mac || isZeroMac(mac))
+        continue;
+      const broadcast = directedBroadcast(info.address, info.netmask);
+      if (!broadcast)
+        continue;
+      out.push({ name, address: info.address, broadcast, mac });
+    }
+  }
+  return out;
+}
+async function egressAddressFor(host, port) {
+  return await new Promise((resolve) => {
+    const probe = createSocket("udp4");
+    const done = (addr) => {
+      try {
+        probe.close();
+      } catch {}
+      resolve(addr);
+    };
+    probe.on("error", () => done(undefined));
+    try {
+      probe.connect(port, host, () => {
+        try {
+          done(probe.address().address);
+        } catch {
+          done(undefined);
+        }
+      });
+    } catch {
+      done(undefined);
+    }
+  });
+}
+async function resolveEgressMac(host, port) {
+  const localAddr = await egressAddressFor(host, port);
+  if (!localAddr)
+    return;
+  for (const ifc of listBroadcastInterfaces()) {
+    if (ifc.address === localAddr)
+      return ifc.mac;
+  }
+  return;
+}
+async function discoverMacTelnetRoute(opts) {
+  const interfaces = listBroadcastInterfaces();
+  if (interfaces.length === 0)
+    return;
+  const sessionKey = opts.sessionKey ?? randomInt(65536);
+  return await new Promise((resolve) => {
+    const socket = createSocket({ type: "udp4", reuseAddr: true });
+    let settled = false;
+    const timers = [];
+    const finish = (route) => {
+      if (settled)
+        return;
+      settled = true;
+      for (const t of timers)
+        clearTimeout(t);
+      try {
+        socket.close();
+      } catch {}
+      resolve(route);
+    };
+    socket.on("error", () => finish(undefined));
+    socket.on("message", (message) => {
+      let header;
+      try {
+        header = decodeHeader(new Uint8Array(message), { fromServer: true });
+      } catch {
+        return;
+      }
+      if (header.version !== 1 || header.sessionKey !== sessionKey)
+        return;
+      if (header.type !== MacTelnetPacketType.ack && header.type !== MacTelnetPacketType.data) {
+        return;
+      }
+      if (!macEquals(header.sourceMac, opts.destinationMac))
+        return;
+      const winner = interfaces.find((ifc) => macEquals(ifc.mac, header.destinationMac));
+      if (winner)
+        finish({ sourceMac: winner.mac, host: winner.broadcast });
+    });
+    const spray = () => {
+      for (const ifc of interfaces) {
+        const packet = buildPacket({
+          type: MacTelnetPacketType.sessionStart,
+          sourceMac: ifc.mac,
+          destinationMac: opts.destinationMac,
+          sessionKey,
+          counter: 0
+        });
+        try {
+          socket.send(packet, opts.port, ifc.broadcast);
+        } catch {}
+      }
+    };
+    socket.bind(0, () => {
+      try {
+        socket.setBroadcast(true);
+      } catch {}
+      spray();
+      timers.push(setTimeout(spray, 250));
+      timers.push(setTimeout(spray, 700));
+      timers.push(setTimeout(() => finish(undefined), opts.timeoutMs));
+    });
+  });
+}
+var DEFAULT_MAC_TELNET_BROADCAST = "255.255.255.255";
+function randomLocalMac() {
+  const octets = new Uint8Array(randomBytes2(6));
+  octets[0] = octets[0] & 254 | 2;
+  return octets;
+}
+function isBroadcastHost(host) {
+  return host === DEFAULT_MAC_TELNET_BROADCAST || host.endsWith(".255");
+}
+async function resolveMacTelnetRoute(config) {
+  if (config.explicitSourceMac) {
+    return { sourceMac: config.explicitSourceMac, host: config.host };
+  }
+  if (config.host === DEFAULT_MAC_TELNET_BROADCAST) {
+    const route = await discoverMacTelnetRoute({
+      destinationMac: config.destinationMac,
+      port: config.port,
+      timeoutMs: Math.min(config.timeoutMs, 5000)
+    });
+    if (route)
+      return route;
+  }
+  const sourceMac = await resolveEgressMac(config.host, config.port) ?? randomLocalMac();
+  return { sourceMac, host: config.host };
+}
+
+class MacTelnetSession {
+  options;
+  sessionKey;
+  state = "init";
+  outCounter = 0;
+  lastInCounter = null;
+  mtweiKeypair;
+  lastAckCounter = 0;
+  maxOutAck = -1;
+  pending;
+  activitySinceTick = false;
+  idleMs = 0;
+  lastTickMs;
+  constructor(options) {
+    this.options = options;
+    this.sessionKey = options.sessionKey ?? randomInt(65536);
+  }
+  get key() {
+    return this.sessionKey;
+  }
+  start() {
+    if (this.state !== "init")
+      return;
+    const bytes = this.sendPacket(MacTelnetPacketType.sessionStart);
+    this.pending = { bytes, ackTarget: 0, attempts: 0, elapsedMs: 0 };
+    this.state = "session-start-sent";
+  }
+  handlePacket(bytes) {
+    if (this.state === "closed")
+      return;
+    let header;
+    try {
+      header = decodeHeader(bytes, { fromServer: true });
+    } catch {
+      return;
+    }
+    switch (header.type) {
+      case MacTelnetPacketType.ack:
+        if (this.matchesSession(header))
+          this.onAck(header);
+        return;
+      case MacTelnetPacketType.data:
+        if (this.matchesSession(header))
+          this.onDataPacket(header, bytes);
+        return;
+      case MacTelnetPacketType.end:
+        if (this.matchesSession(header))
+          this.onEnd(header);
+        return;
+      case MacTelnetPacketType.ping:
+        if (header.version === 1 && macEquals(header.destinationMac, this.options.sourceMac)) {
+          this.onPing(header);
+        }
+    }
+  }
+  matchesSession(header) {
+    return header.version === 1 && header.sessionKey === this.sessionKey && macEquals(header.sourceMac, this.options.destinationMac) && macEquals(header.destinationMac, this.options.sourceMac);
+  }
+  onPing(header) {
+    this.activitySinceTick = true;
+    this.emit(encodeHeader({
+      type: MacTelnetPacketType.pong,
+      sourceMac: this.options.sourceMac,
+      destinationMac: this.options.destinationMac,
+      sessionKey: header.sessionKey,
+      counter: header.counter
+    }));
+  }
+  onAck(header) {
+    this.activitySinceTick = true;
+    this.maxOutAck = Math.max(this.maxOutAck, header.counter);
+    if (this.pending && this.maxOutAck >= this.pending.ackTarget) {
+      this.pending = undefined;
+    }
+    if (this.state !== "session-start-sent")
+      return;
+    const blocks = [encodeControlBlock(MacTelnetControlType.beginAuth)];
+    if (this.options.offerMtwei !== false) {
+      this.mtweiKeypair = ecSrp5Keygen();
+      blocks.push(encodeControlBlock(MacTelnetControlType.passwordSalt, mtweiOfferValue(this.identityUsername(), this.mtweiKeypair.publicKey)));
+    }
+    this.sendData(blocks);
+    this.state = "auth-begin-sent";
+  }
+  identityUsername() {
+    return this.options.username.split("+", 1)[0] ?? this.options.username;
+  }
+  onDataPacket(header, bytes) {
+    this.activitySinceTick = true;
+    const payload = bytes.subarray(MAC_TELNET_HEADER_LEN);
+    this.acknowledge(header.counter, payload.length);
+    if (!this.acceptCounter(header.counter))
+      return;
+    let blocks;
+    try {
+      blocks = parseControlBlocks(payload);
+    } catch (error) {
+      this.fail(error);
+      return;
+    }
+    for (const block of blocks)
+      this.handleControlBlock(block);
+  }
+  handleControlBlock(block) {
+    switch (block.type) {
+      case MacTelnetControlType.passwordSalt:
+        this.handlePasswordSalt(block.value);
+        return;
+      case MacTelnetControlType.endAuth:
+        if (this.state === "auth-sent") {
+          this.state = "auth-complete";
+        }
+        return;
+      case "plaindata":
+        this.handleTerminalData(block.value);
+        return;
+      case MacTelnetControlType.packetError:
+        this.fail(new Error(`The device reported a MAC-Telnet error: ${new TextDecoder().decode(block.value)}. ` + "Check the credentials and that MAC-Telnet is enabled on the device."));
+    }
+  }
+  handleTerminalData(data) {
+    if (this.state === "auth-complete") {
+      if (/login failed/i.test(new TextDecoder().decode(data))) {
+        this.fail(new Error("MAC-Telnet login failed: incorrect username or password."));
+        return;
+      }
+      this.state = "ready";
+      this.options.onReady?.();
+      if (data.length > 0)
+        this.options.onData?.(data);
+      return;
+    }
+    if (this.state === "ready" && data.length > 0)
+      this.options.onData?.(data);
+  }
+  handlePasswordSalt(salt) {
+    if (this.state !== "auth-begin-sent")
+      return;
+    let passwordValue;
+    if (salt.length === 16) {
+      passwordValue = macTelnetPasswordHash(this.options.password, salt);
+    } else if (salt.length === EC_SRP5_PUBKEY_LEN + 16) {
+      if (!this.mtweiKeypair) {
+        this.fail(new Error("The device requires MTWEI but this session did not offer it. " + "Leave MTWEI enabled (the default) so the client advertises a public key."));
+        return;
+      }
+      const serverKey = salt.subarray(0, EC_SRP5_PUBKEY_LEN);
+      const mtweiSalt = salt.subarray(EC_SRP5_PUBKEY_LEN);
+      const validator = ecSrp5Id(this.identityUsername(), this.options.password, mtweiSalt);
+      passwordValue = ecSrp5ClientProof(this.mtweiKeypair.privateKey, serverKey, this.mtweiKeypair.publicKey, validator);
+    } else {
+      this.fail(new Error(`The device offered an unsupported MAC-Telnet salt length (${salt.length}). ` + "Expected 16 (MD5) or 49 (MTWEI); confirm the device and RouterOS version."));
+      return;
+    }
+    const username = new TextEncoder().encode(this.options.username);
+    const terminalType = new TextEncoder().encode(this.options.terminalType ?? "vt102");
+    const blocks = [
+      encodeControlBlock(MacTelnetControlType.password, passwordValue),
+      encodeControlBlock(MacTelnetControlType.username, username),
+      encodeControlBlock(MacTelnetControlType.terminalType, terminalType),
+      encodeControlBlock(MacTelnetControlType.terminalWidth, encodeTerminalDimension(this.options.terminalWidth ?? 80)),
+      encodeControlBlock(MacTelnetControlType.terminalHeight, encodeTerminalDimension(this.options.terminalHeight ?? 24))
+    ];
+    this.sendData(blocks);
+    this.state = "auth-sent";
+  }
+  onEnd(header) {
+    this.emit(encodeHeader({
+      type: MacTelnetPacketType.end,
+      sourceMac: this.options.sourceMac,
+      destinationMac: this.options.destinationMac,
+      sessionKey: header.sessionKey,
+      counter: 0
+    }));
+    if (this.state === "auth-complete") {
+      this.fail(new Error("MAC-Telnet login failed: the device closed the session after authentication. " + "Check the credentials configured for this device."));
+      return;
+    }
+    this.close();
+  }
+  sendInput(bytes) {
+    if (this.state !== "ready") {
+      throw new Error("Cannot send input before the MAC-Telnet session is ready.");
+    }
+    this.sendData([bytes]);
+  }
+  end() {
+    if (this.state === "closed")
+      return;
+    this.emit(encodeHeader({
+      type: MacTelnetPacketType.end,
+      sourceMac: this.options.sourceMac,
+      destinationMac: this.options.destinationMac,
+      sessionKey: this.sessionKey,
+      counter: this.outCounter
+    }));
+    this.close();
+  }
+  close(error) {
+    if (this.state === "closed")
+      return;
+    this.state = "closed";
+    this.pending = undefined;
+    this.options.sink.close();
+    this.options.onClose?.(error);
+  }
+  fail(error) {
+    this.close(error);
+  }
+  emit(bytes) {
+    try {
+      this.options.sink.send(bytes);
+    } catch {}
+  }
+  acceptCounter(counter) {
+    if (this.lastInCounter === null) {
+      this.lastInCounter = counter;
+      return true;
+    }
+    if (counter > this.lastInCounter) {
+      this.lastInCounter = counter;
+      return true;
+    }
+    return false;
+  }
+  acknowledge(counter, payloadLength) {
+    this.lastAckCounter = counter + payloadLength >>> 0;
+    this.activitySinceTick = true;
+    this.emit(encodeHeader({
+      type: MacTelnetPacketType.ack,
+      sourceMac: this.options.sourceMac,
+      destinationMac: this.options.destinationMac,
+      sessionKey: this.sessionKey,
+      counter: this.lastAckCounter
+    }));
+  }
+  sendPacket(type, payload) {
+    const bytes = buildPacket({
+      type,
+      sourceMac: this.options.sourceMac,
+      destinationMac: this.options.destinationMac,
+      sessionKey: this.sessionKey,
+      counter: this.outCounter,
+      payload
+    });
+    this.activitySinceTick = true;
+    this.emit(bytes);
+    return bytes;
+  }
+  sendData(parts) {
+    const payload = concatBytes2(parts);
+    const bytes = this.sendPacket(MacTelnetPacketType.data, payload);
+    this.outCounter = this.outCounter + payload.length >>> 0;
+    this.pending = {
+      bytes,
+      ackTarget: this.outCounter,
+      attempts: 0,
+      elapsedMs: 0
+    };
+  }
+  tick(nowMs) {
+    if (this.state === "closed")
+      return;
+    const delta = this.lastTickMs === undefined ? 0 : Math.max(0, nowMs - this.lastTickMs);
+    this.lastTickMs = nowMs;
+    if (this.activitySinceTick) {
+      this.idleMs = 0;
+      this.activitySinceTick = false;
+    } else {
+      this.idleMs += delta;
+    }
+    if (this.idleMs >= MAC_TELNET_KEEPALIVE_IDLE_MS) {
+      this.sendKeepalive();
+      this.idleMs = 0;
+    }
+    const pending = this.pending;
+    if (pending && pending.attempts < MAC_TELNET_RETRANSMIT_SCHEDULE_MS.length) {
+      pending.elapsedMs += delta;
+      const wait = MAC_TELNET_RETRANSMIT_SCHEDULE_MS[pending.attempts];
+      if (pending.elapsedMs >= wait) {
+        this.emit(pending.bytes);
+        pending.attempts += 1;
+        pending.elapsedMs = 0;
+      }
+    }
+  }
+  sendKeepalive() {
+    this.emit(encodeHeader({
+      type: MacTelnetPacketType.ack,
+      sourceMac: this.options.sourceMac,
+      destinationMac: this.options.destinationMac,
+      sessionKey: this.sessionKey,
+      counter: this.lastAckCounter
+    }));
+  }
+}
+
+// src/mac-telnet/console.ts
+var ESC = "\x1B";
+var enc = new TextEncoder;
+var ANSI_CSI = new RegExp(`${ESC}\\[[0-9;?]*[ -/]*[@-~]`, "g");
+var ANSI_ESC2 = new RegExp(`${ESC}[@-_]`, "g");
+var ROUTEROS_PROMPT_RE = /\[[^\]@\r\n]+@[^\]\r\n]*\][^\r\n]*>\s*$/;
+var TICK_INTERVAL_MS = 15;
+var LICENSE_RE = /do you want to see the software license/i;
+function emulateScreen(text) {
+  const clean = text.replace(ANSI_CSI, "").replace(ANSI_ESC2, "");
+  const lines = [[]];
+  let row = 0;
+  let col = 0;
+  for (const ch of clean) {
+    const code = ch.charCodeAt(0);
+    if (ch === `
+`) {
+      row += 1;
+      if (!lines[row])
+        lines[row] = [];
+      col = 0;
+    } else if (ch === "\r") {
+      col = 0;
+    } else if (code === 8) {
+      col = Math.max(0, col - 1);
+    } else if (code >= 32 && code !== 127) {
+      const line = lines[row];
+      line[col] = ch;
+      col += 1;
+    }
+  }
+  return lines.map((line) => Array.from(line, (c) => c ?? " ").join("").replace(/\s+$/, ""));
+}
+function extractCommandOutput(raw, command) {
+  const lines = emulateScreen(raw);
+  let start = 1;
+  if (command !== undefined && lines.length > 0) {
+    const first = lines[0] ?? "";
+    const promptMatch = first.match(/^\[[^\]\r\n]*\][^\r\n]*?>\s?/);
+    const echoedOnFirst = promptMatch ? first.slice(promptMatch[0].length) : first;
+    let consumed = echoedOnFirst.length;
+    while (consumed < command.length && start < lines.length) {
+      consumed += (lines[start] ?? "").length;
+      start += 1;
+    }
+  }
+  const body = lines.slice(start);
+  while (body.length > 0) {
+    const last = body[body.length - 1];
+    if (last.length === 0 || ROUTEROS_PROMPT_RE.test(last)) {
+      body.pop();
+      continue;
+    }
+    break;
+  }
+  return body.join(`
+`);
+}
+
+class MacTelnetConsole {
+  options;
+  session;
+  buffer = "";
+  ready = false;
+  closed = false;
+  closeError;
+  waiter;
+  tickTimer;
+  readyWaiters = [];
+  decoder = new TextDecoder;
+  probeTail = "";
+  constructor(options) {
+    this.options = {
+      rows: 9999,
+      cols: 512,
+      primeTimeoutMs: 30000,
+      commandTimeoutMs: 15000,
+      settleMs: 150,
+      acceptLicense: true,
+      ...options
+    };
+    this.session = new MacTelnetSession({
+      sink: options.sink,
+      sourceMac: options.sourceMac,
+      destinationMac: options.destinationMac,
+      username: options.username,
+      password: options.password,
+      sessionKey: options.sessionKey,
+      terminalType: "vt102",
+      terminalWidth: this.options.cols,
+      terminalHeight: this.options.rows,
+      onReady: () => this.onReady(),
+      onData: (bytes) => this.onData(bytes),
+      onClose: (error) => this.onClose(error)
+    });
+  }
+  handlePacket(bytes) {
+    try {
+      this.session.handlePacket(bytes);
+    } catch (error) {
+      this.onClose(error instanceof Error ? error : new Error("Failed to process a MAC-Telnet datagram."));
+    }
+  }
+  async open() {
+    this.tickTimer = setInterval(() => {
+      try {
+        this.session.tick(Date.now());
+      } catch {}
+    }, TICK_INTERVAL_MS);
+    this.tickTimer.unref?.();
+    this.session.start();
+    await this.waitReady(this.options.primeTimeoutMs);
+    await this.waitFor((buffer) => this.endsWithPrompt(buffer) || LICENSE_RE.test(buffer), this.options.primeTimeoutMs, "waiting for the RouterOS console prompt");
+    if (this.options.acceptLicense && LICENSE_RE.test(this.buffer)) {
+      this.buffer = "";
+      this.session.sendInput(enc.encode("n\r"));
+      await this.waitFor((buffer) => this.endsWithPrompt(buffer), this.options.primeTimeoutMs, "waiting for the prompt after the license screen");
+    }
+    this.buffer = "";
+    this.session.sendInput(enc.encode("\r"));
+    await this.waitFor((buffer) => this.endsWithPrompt(buffer), this.options.commandTimeoutMs, "waiting for a clean prompt");
+    this.buffer = "";
+  }
+  async run(cli) {
+    this.assertOpen();
+    this.buffer = "";
+    this.session.sendInput(enc.encode(`${cli}\r`));
+    await this.waitFor((buffer) => this.endsWithPrompt(buffer), this.options.commandTimeoutMs, `running over mac-telnet: ${cli}`);
+    const raw = this.buffer;
+    return { output: extractCommandOutput(raw, cli), raw };
+  }
+  close() {
+    if (this.tickTimer) {
+      clearInterval(this.tickTimer);
+      this.tickTimer = undefined;
+    }
+    if (!this.closed)
+      this.session.end();
+  }
+  get isReady() {
+    return this.ready && !this.closed;
+  }
+  onReady() {
+    this.ready = true;
+    for (const w of this.readyWaiters.splice(0))
+      w.resolve();
+  }
+  onData(bytes) {
+    const chunk = this.decoder.decode(bytes, { stream: true });
+    const combined = `${this.probeTail}${chunk}`;
+    this.answerSizeProbe(combined);
+    this.probeTail = combined.slice(-3);
+    this.buffer += chunk;
+    this.checkWaiter();
+  }
+  onClose(error) {
+    this.closed = true;
+    this.closeError = error;
+    if (this.tickTimer) {
+      clearInterval(this.tickTimer);
+      this.tickTimer = undefined;
+    }
+    const failure = error ?? new Error("The MAC-Telnet console session closed.");
+    for (const w of this.readyWaiters.splice(0))
+      w.reject(failure);
+    if (this.waiter) {
+      const waiter = this.waiter;
+      this.waiter = undefined;
+      clearTimeout(waiter.timeout);
+      if (waiter.settle)
+        clearTimeout(waiter.settle);
+      waiter.reject(failure);
+    }
+  }
+  answerSizeProbe(chunk) {
+    if (chunk.includes(`${ESC}[6n`)) {
+      this.session.sendInput(enc.encode(`${ESC}[${this.options.rows};${this.options.cols}R`));
+    }
+    if (chunk.includes(`${ESC}Z`) || chunk.includes(`${ESC}[c`)) {
+      this.session.sendInput(enc.encode(`${ESC}[?6c`));
+    }
+  }
+  endsWithPrompt(buffer) {
+    const lines = emulateScreen(buffer).filter((line) => line.length > 0);
+    return ROUTEROS_PROMPT_RE.test(lines[lines.length - 1] ?? "");
+  }
+  waitReady(timeoutMs) {
+    if (this.ready)
+      return Promise.resolve();
+    if (this.closed) {
+      return Promise.reject(this.closeError ?? new Error("The MAC-Telnet session closed before login completed."));
+    }
+    return new Promise((resolve, reject) => {
+      let timer;
+      const entry = {
+        resolve: () => {
+          clearTimeout(timer);
+          resolve();
+        },
+        reject: (error) => {
+          clearTimeout(timer);
+          reject(error);
+        }
+      };
+      timer = setTimeout(() => {
+        this.readyWaiters = this.readyWaiters.filter((w) => w !== entry);
+        reject(new Error("MAC-Telnet login did not complete \u2014 no console response from the device. " + "Confirm the device is reachable over mac-telnet (mac-server interface list) and the credentials are correct."));
+      }, timeoutMs);
+      this.readyWaiters.push(entry);
+    });
+  }
+  waitFor(predicate, timeoutMs, label) {
+    if (this.closed) {
+      return Promise.reject(this.closeError ?? new Error(`MAC-Telnet session closed while ${label}.`));
+    }
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        this.waiter = undefined;
+        reject(new Error(`Timed out ${label}. The RouterOS console did not return a prompt in time; ` + "raise the timeout or confirm the device is responsive over mac-telnet."));
+      }, timeoutMs);
+      this.waiter = { predicate, resolve, reject, timeout };
+      this.checkWaiter();
+    });
+  }
+  checkWaiter() {
+    const waiter = this.waiter;
+    if (!waiter)
+      return;
+    if (!waiter.predicate(this.buffer)) {
+      if (waiter.settle) {
+        clearTimeout(waiter.settle);
+        waiter.settle = undefined;
+      }
+      return;
+    }
+    if (waiter.settle)
+      clearTimeout(waiter.settle);
+    waiter.settle = setTimeout(() => {
+      if (this.waiter !== waiter)
+        return;
+      this.waiter = undefined;
+      clearTimeout(waiter.timeout);
+      waiter.resolve();
+    }, this.options.settleMs);
+  }
+  assertOpen() {
+    if (!this.ready || this.closed) {
+      throw new Error("The MAC-Telnet console is not open. Call open() and await it before running commands.");
+    }
+  }
+}
+
+// src/mac-telnet/client.ts
+class MikroTikMacTelnetClient {
+  transport = null;
+  console = null;
+  opts;
+  lastError;
+  constructor(opts) {
+    this.opts = {
+      port: MAC_TELNET_PORT,
+      timeoutMs: 1e4,
+      ...opts
+    };
+  }
+  async connect() {
+    this.lastError = undefined;
+    try {
+      const destinationMac = parseMac(this.opts.mac);
+      const explicitSourceMac = this.opts.sourceMac ? parseMac(this.opts.sourceMac) : undefined;
+      const host = this.opts.host ?? DEFAULT_MAC_TELNET_BROADCAST;
+      const route = await resolveMacTelnetRoute({
+        destinationMac,
+        host,
+        port: this.opts.port,
+        timeoutMs: this.opts.timeoutMs,
+        explicitSourceMac
+      });
+      const transport = createUdpMacTelnetTransport({
+        host: route.host,
+        port: this.opts.port,
+        broadcast: isBroadcastHost(route.host)
+      });
+      this.transport = transport;
+      await transport.ready();
+      const console = new MacTelnetConsole({
+        sink: transport,
+        sourceMac: route.sourceMac,
+        destinationMac,
+        username: this.opts.username,
+        password: this.opts.password ?? "",
+        primeTimeoutMs: Math.max(this.opts.timeoutMs, 30000),
+        commandTimeoutMs: Math.max(this.opts.timeoutMs, 15000)
+      });
+      this.console = console;
+      transport.onMessage((bytes) => console.handlePacket(bytes));
+      await console.open();
+      return true;
+    } catch (e) {
+      this.lastError = e instanceof Error ? e.message : String(e);
+      logger.error(`Failed to connect to MikroTik over MAC-Telnet: ${this.lastError}`);
+      this.disconnect();
+      return false;
+    }
+  }
+  async run(command) {
+    if (!this.console || !this.console.isReady) {
+      throw new Error("Not connected to MikroTik device (MAC-Telnet)");
+    }
+    const { output } = await this.console.run(command);
+    return output;
+  }
+  disconnect() {
+    try {
+      this.console?.close();
+    } catch {}
+    try {
+      this.transport?.close();
+    } catch {}
+    this.console = null;
+    this.transport = null;
+  }
+}
+
+// src/ssh/client.ts
+import { readFileSync as readFileSync3 } from "fs";
 import { Client } from "ssh2";
 function decodeOutput(data) {
   if (!data || data.length === 0)
@@ -286,7 +1491,7 @@ class MikroTikSSHClient {
         cfg.privateKey = this.opts.privateKey;
       } else if (this.opts.keyFilename) {
         try {
-          cfg.privateKey = readFileSync2(this.opts.keyFilename);
+          cfg.privateKey = readFileSync3(this.opts.keyFilename);
         } catch (e) {
           this.lastError = `could not read key file ${this.opts.keyFilename}: ${e instanceof Error ? e.message : String(e)}`;
           logger.error(`Failed to read SSH key file ${this.opts.keyFilename}: ${String(e)}`);
@@ -352,6 +1557,45 @@ class MikroTikSSHClient {
   }
 }
 
+// src/core/transport.ts
+function isMacTelnetDevice(dc) {
+  return Boolean(dc.mac);
+}
+function createDeviceClient(dc) {
+  if (isMacTelnetDevice(dc)) {
+    return new MikroTikMacTelnetClient({
+      mac: dc.mac,
+      username: dc.username,
+      password: dc.password,
+      sourceMac: dc.sourceMac,
+      host: dc.macHost,
+      port: dc.macPort,
+      timeoutMs: dc.timeoutMs
+    });
+  }
+  return new MikroTikSSHClient({
+    host: dc.host,
+    username: dc.username,
+    password: dc.password,
+    keyFilename: dc.keyFilename,
+    privateKey: dc.privateKey,
+    keyPassphrase: dc.keyPassphrase,
+    port: dc.port,
+    timeoutMs: dc.timeoutMs
+  });
+}
+function describeTransport(dc) {
+  return dc.mac ? `MAC ${dc.mac} (mac-telnet)` : `${dc.host}:${dc.port}`;
+}
+function connectErrorMessage(name, dc, lastError) {
+  const reason = lastError ? ` \u2014 ${lastError}` : "";
+  if (dc.mac) {
+    return `Failed to connect to MikroTik device '${name}' over MAC-Telnet at ${dc.mac}${reason}. ` + "Check you are on the same Layer-2 segment, MAC-Telnet is enabled (/tool mac-server) on a reachable interface, and the credentials are correct.";
+  }
+  const authMode = dc.keyFilename || dc.privateKey ? "SSH key" : dc.password ? "password" : "no credentials";
+  return `Failed to connect to MikroTik device '${name}' at ${dc.host}:${dc.port} (auth: ${authMode})${reason}. ` + "Check the host/port are reachable, the SSH service is enabled (/ip service), and the credentials are correct.";
+}
+
 // src/tools/address-list.ts
 import { z as z3 } from "zod";
 
@@ -389,6 +1633,9 @@ class SafeModeManager {
       if (this.active)
         return "Safe mode is already active.";
       const dc = getDevice(this.deviceName);
+      if (dc.mac) {
+        return "Error: Safe Mode is not supported for a MAC-Telnet device " + `('${this.deviceName}' is reached by MAC ${dc.mac}). ` + "Connect over SSH (configure host/credentials) to use Safe Mode.";
+      }
       const ssh = new MikroTikSSHClient({
         host: dc.host,
         username: dc.username,
@@ -523,25 +1770,14 @@ function getSafeModeManager(deviceName) {
 async function runOnce(command, deviceName) {
   const name = resolveDeviceName(deviceName);
   const dc = getDevice(deviceName);
-  const ssh = new MikroTikSSHClient({
-    host: dc.host,
-    username: dc.username,
-    password: dc.password,
-    keyFilename: dc.keyFilename,
-    privateKey: dc.privateKey,
-    keyPassphrase: dc.keyPassphrase,
-    port: dc.port,
-    timeoutMs: dc.timeoutMs
-  });
+  const client = createDeviceClient(dc);
   try {
-    if (!await ssh.connect()) {
-      const authMode = dc.keyFilename || dc.privateKey ? "SSH key" : dc.password ? "password" : "no credentials";
-      const reason = ssh.lastError ? ` \u2014 ${ssh.lastError}` : "";
-      throw new Error(`Failed to connect to MikroTik device '${name}' at ${dc.host}:${dc.port} (auth: ${authMode})${reason}. ` + "Check the host/port are reachable, the SSH service is enabled (/ip service), and the credentials are correct.");
+    if (!await client.connect()) {
+      throw new Error(connectErrorMessage(name, dc, client.lastError));
     }
-    return await ssh.run(command);
+    return await client.run(command);
   } finally {
-    ssh.disconnect();
+    client.disconnect();
   }
 }
 async function executeMikrotikCommand(command, ctx) {
@@ -673,7 +1909,7 @@ function parseFlagLegend(text) {
   if (!line)
     return out;
   const body = line.replace(/^\s*Flags:\s*/, "");
-  for (const part of body.split(",")) {
+  for (const part of body.split(/[;,]/)) {
     const m = part.match(/^\s*([A-Za-z])\s*-\s*(.+?)\s*$/);
     if (m)
       out[m[1]] = m[2];
@@ -695,7 +1931,7 @@ function parseKvTokens(chunk) {
   return out;
 }
 var INDEX_LINE = /^\s*(\d+)\s+(.*)$/;
-var LEADING_FLAGS = /^([A-Za-z]+)\s+(?=[\w.-]+=)/;
+var LEADING_FLAGS = /^([A-Z]+)(?=\s|$)/;
 function unionColumns(rows) {
   const seen = new Set;
   const cols = [];
@@ -718,6 +1954,8 @@ function parseDetailRecords(lines) {
     const row = { "#": current.index };
     if (current.flags.trim())
       row.flags = current.flags.trim();
+    if (current.comment.trim())
+      row.comment = current.comment.trim();
     Object.assign(row, parseKvTokens(current.chunk));
     rows.push(row);
     current = null;
@@ -726,11 +1964,28 @@ function parseDetailRecords(lines) {
     const m = line.match(INDEX_LINE);
     if (m) {
       flush();
-      const rest = m[2];
+      let rest = m[2];
+      let flags = "";
       const fm = rest.match(LEADING_FLAGS);
-      current = fm ? { index: m[1], flags: fm[1], chunk: rest.slice(fm[0].length) } : { index: m[1], flags: "", chunk: rest };
+      if (fm) {
+        flags = fm[1];
+        rest = rest.slice(fm[0].length).replace(/^\s+/, "");
+      }
+      let comment = "";
+      const cm = rest.match(/;;;\s*(.*)$/);
+      if (cm) {
+        comment = cm[1];
+        rest = rest.slice(0, cm.index).replace(/\s+$/, "");
+      }
+      current = { index: m[1], flags, comment, chunk: rest };
     } else if (current) {
-      current.chunk += ` ${line}`;
+      const cm = line.match(/;;;\s*(.*)$/);
+      if (cm) {
+        current.comment = `${current.comment} ${cm[1]}`.trim();
+        current.chunk += ` ${line.slice(0, cm.index)}`;
+      } else {
+        current.chunk += ` ${line}`;
+      }
     }
   }
   flush();
@@ -775,7 +2030,7 @@ function parseColumnarRecords(lines) {
 }
 function parseRecords(text) {
   const lines = text.split(`
-`).filter((l) => !/^\s*Flags:/.test(l));
+`).filter((l) => !/^\s*(Flags|Columns):/.test(l));
   const hasKv = /[A-Za-z][\w.-]*=/.test(text);
   if (hasKv && lines.some((l) => INDEX_LINE.test(l))) {
     const rows = parseDetailRecords(lines);
@@ -1095,8 +2350,8 @@ function defineTool(def) {
 function registerTools(server, modules, opts = {}) {
   let count = 0;
   const seen = new Set;
-  for (const mod of modules) {
-    for (const tool of mod) {
+  for (const mod2 of modules) {
+    for (const tool of mod2) {
       if (seen.has(tool.name)) {
         throw new Error(`Duplicate tool name registered: ${tool.name}`);
       }
@@ -1231,7 +2486,7 @@ ${result}`;
 ];
 
 // src/core/ui-resources.ts
-import { readFileSync as readFileSync3 } from "fs";
+import { readFileSync as readFileSync4 } from "fs";
 import { join as join3 } from "path";
 import { registerAppResource, RESOURCE_MIME_TYPE } from "@modelcontextprotocol/ext-apps/server";
 
@@ -1278,7 +2533,7 @@ function registerUiResources(server) {
     registerAppResource(server, view.name, uri, { description: view.description, mimeType: RESOURCE_MIME_TYPE }, () => {
       let html;
       try {
-        html = readFileSync3(file, "utf8");
+        html = readFileSync4(file, "utf8");
       } catch {
         html = placeholderHtml(view);
       }
@@ -1316,12 +2571,10 @@ var appViewTools = [
     async handler(_a, ctx) {
       const device = resolveDeviceName(ctx.device);
       ctx.info(`Building system dashboard for '${device}'`);
-      const [identity, resource, health, routerboard] = await Promise.all([
-        printRecord("/system identity print", ctx),
-        printRecord("/system resource print", ctx),
-        printRecord("/system health print", ctx),
-        printRecord("/system routerboard print", ctx)
-      ]);
+      const identity = await printRecord("/system identity print", ctx);
+      const resource = await printRecord("/system resource print", ctx);
+      const health = await printRecord("/system health print", ctx);
+      const routerboard = await printRecord("/system routerboard print", ctx);
       const memTotal = parseSizeToBytes(resource["total-memory"]);
       const memFree = parseSizeToBytes(resource["free-memory"]);
       const memUsed = memTotal !== null && memFree !== null ? memTotal - memFree : null;
@@ -17246,7 +18499,7 @@ var moduleCatalog = [
 var allToolModules = moduleCatalog.map((m) => m.tools);
 
 // src/observability/dashboard.ts
-import { readFileSync as readFileSync4 } from "fs";
+import { readFileSync as readFileSync5 } from "fs";
 import { join as join4 } from "path";
 var {serve } = globalThis.Bun;
 
@@ -17259,30 +18512,24 @@ function getDeviceStatus(name) {
   return statuses.get(name) ?? UNKNOWN;
 }
 async function probeDevice(name, dc) {
-  const ssh = new MikroTikSSHClient({
-    host: dc.host,
-    username: dc.username,
-    password: dc.password,
-    port: dc.port,
-    keyFilename: dc.keyFilename,
-    privateKey: dc.privateKey,
-    keyPassphrase: dc.keyPassphrase,
+  const client = createDeviceClient({
+    ...dc,
     timeoutMs: Math.min(dc.timeoutMs ?? 1e4, 8000)
   });
   const t0 = Date.now();
   let status;
   try {
-    const ok = await ssh.connect();
+    const ok = await client.connect();
     if (!ok) {
       status = {
         reachable: false,
         checkedAt: Date.now(),
         latencyMs: null,
-        error: ssh.lastError ?? "connection failed"
+        error: client.lastError ?? "connection failed"
       };
     } else {
-      const identity = parseKeyValues(await ssh.run("/system identity print")).name;
-      const version = parseKeyValues(await ssh.run("/system resource print")).version;
+      const identity = parseKeyValues(await client.run("/system identity print")).name;
+      const version = parseKeyValues(await client.run("/system resource print")).version;
       status = {
         reachable: true,
         checkedAt: Date.now(),
@@ -17299,7 +18546,7 @@ async function probeDevice(name, dc) {
       error: e instanceof Error ? e.message : String(e)
     };
   } finally {
-    ssh.disconnect();
+    client.disconnect();
   }
   statuses.set(name, status);
   return status;
@@ -17572,7 +18819,7 @@ function json(body, status = 200) {
 }
 function dashboardHtml() {
   try {
-    return readFileSync4(join4(UI_DIST_DIR, "observability.html"), "utf8");
+    return readFileSync5(join4(UI_DIST_DIR, "observability.html"), "utf8");
   } catch {
     return `<!doctype html><meta charset=utf-8><body style="font:14px system-ui;padding:24px;background:#0b0d10;color:#e8eaed">
 <h2>MikroTik MCP \u2014 Observability Dashboard</h2>
@@ -17670,10 +18917,10 @@ function sseResponse(transportLabel) {
   let ping;
   const stream = new ReadableStream({
     start(controller) {
-      const enc = new TextEncoder;
+      const enc2 = new TextEncoder;
       const send = (text) => {
         try {
-          controller.enqueue(enc.encode(text));
+          controller.enqueue(enc2.encode(text));
         } catch {}
       };
       send(`event: hello
@@ -17857,7 +19104,7 @@ function corsHeaders(origin, configured) {
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
 // src/prompts/index.ts
-import { readFileSync as readFileSync5, readdirSync } from "fs";
+import { readFileSync as readFileSync6, readdirSync } from "fs";
 import { join as join5 } from "path";
 import { z as z87 } from "zod";
 function parseFrontmatter(raw) {
@@ -17929,7 +19176,7 @@ function registerPrompts(server) {
   for (const file of files) {
     let parsed;
     try {
-      parsed = parseFrontmatter(readFileSync5(join5(PROMPTS_DIR, file), "utf8"));
+      parsed = parseFrontmatter(readFileSync6(join5(PROMPTS_DIR, file), "utf8"));
     } catch (e) {
       logger.warn(`Skipping prompt ${file}: ${String(e)}`);
       continue;
@@ -17961,7 +19208,7 @@ function registerPrompts(server) {
 // package.json
 var package_default = {
   name: "@usex/mikrotik-mcp",
-  version: "2.0.0",
+  version: "2.2.0",
   description: "Bun-native MCP server for MikroTik RouterOS \u2014 200+ tools over SSH for firewall, NAT, routing, DHCP, DNS, WireGuard, wireless, QoS and more.",
   keywords: [
     "ai",
@@ -18278,8 +19525,8 @@ function warnIfPlaintextPasswordInContainer(anyPassword) {
 function listTools() {
   const risk = (a) => a.readOnlyHint ? "READ" : a.destructiveHint ? "DESTRUCTIVE" : "WRITE";
   let total = 0;
-  for (const mod of allToolModules) {
-    for (const t of mod) {
+  for (const mod2 of allToolModules) {
+    for (const t of mod2) {
       total++;
       process.stdout.write(`${risk(t.annotations).padEnd(12)} ${t.name.padEnd(34)} ${t.title}
 `);
@@ -18293,9 +19540,9 @@ function listDevicesCli() {
   const cfg = loadConfig();
   for (const [name, d] of Object.entries(cfg.devices)) {
     const tag = name === cfg.defaultDevice ? " (default)" : "";
-    const auth = d.keyFilename || d.privateKey ? "key" : d.password ? "password" : "none";
+    const auth = d.mac ? "mac-telnet" : d.keyFilename || d.privateKey ? "key" : d.password ? "password" : "none";
     const desc = d.description ? ` \u2014 ${d.description}` : "";
-    process.stdout.write(`${name}${tag}	${d.username}@${d.host}:${d.port} [auth: ${auth}]${desc}
+    process.stdout.write(`${name}${tag}	${d.username}@${describeTransport(d)} [auth: ${auth}]${desc}
 `);
   }
   process.stdout.write(`
@@ -18303,31 +19550,22 @@ ${Object.keys(cfg.devices).length} device(s)
 `);
 }
 async function probeDevice2(name, d) {
-  const authMode = d.keyFilename || d.privateKey ? "SSH key" : "password";
-  logger.info(`[${name}] Connecting to ${d.username}@${d.host}:${d.port} (auth: ${authMode}) \u2026`);
-  const ssh = new MikroTikSSHClient({
-    host: d.host,
-    username: d.username,
-    password: d.password,
-    keyFilename: d.keyFilename,
-    privateKey: d.privateKey,
-    keyPassphrase: d.keyPassphrase,
-    port: d.port,
-    timeoutMs: d.timeoutMs
-  });
-  if (!await ssh.connect()) {
-    logger.error(`[${name}] Connection FAILED. Check host/credentials/reachability.`);
+  const authMode = d.mac ? "mac-telnet" : d.keyFilename || d.privateKey ? "SSH key" : "password";
+  logger.info(`[${name}] Connecting to ${d.username}@${describeTransport(d)} (auth: ${authMode}) \u2026`);
+  const client = createDeviceClient(d);
+  if (!await client.connect()) {
+    logger.error(`[${name}] Connection FAILED. ${client.lastError ?? "Check credentials/reachability."}`);
     return false;
   }
   try {
-    const identity = (await ssh.run("/system identity print")).trim();
+    const identity = (await client.run("/system identity print")).trim();
     process.stdout.write(`
 [${name}] Connection OK.
 ${identity}
 `);
     return true;
   } finally {
-    ssh.disconnect();
+    client.disconnect();
   }
 }
 async function authCheck() {