mcp-aws-manager 0.3.0 → 0.3.2

package/bin/mcp-aws-manager-mcp.js

@@ -20,7 +20,7 @@ function usageText() {
   return [
     "mcp-aws-manager-mcp",
     "",
-    "MCP stdio wrapper for the mcp-aws-manager CLI (SSM-only).",
+    "MCP stdio wrapper for the mcp-aws-manager CLI.",
     "",
     "Usage:",
     "  mcp-aws-manager-mcp",
@@ -28,7 +28,7 @@ function usageText() {
     "",
     "Notes:",
     "  - This process is an MCP stdio server.",
-    "  - Exposes SSM inventory/runtime snapshot discovery tools.",
+    "  - Exposes multi-service AWS inventory and optional runtime tools.",
     ""
   ].join("\n");
 }
@@ -100,6 +100,21 @@ function buildCliArgs(input) {
   const instanceIds = toCsvArg(input.instanceIds);
   if (instanceIds) args.push("--instance-ids", instanceIds);
 
+  if (input.includeLambda === true) args.push("--include-lambda");
+  if (input.includeLambda === false) args.push("--no-include-lambda");
+  if (input.includeEc2 === true) args.push("--include-ec2");
+  if (input.includeEc2 === false) args.push("--no-ec2");
+  if (input.includeAlb === true) args.push("--include-alb");
+  if (input.includeAlb === false) args.push("--no-include-alb");
+  if (input.includeAsg === true) args.push("--include-asg");
+  if (input.includeAsg === false) args.push("--no-include-asg");
+  if (input.includeRds === true) args.push("--include-rds");
+  if (input.includeRds === false) args.push("--no-include-rds");
+  if (input.includeElastiCache === true) args.push("--include-elasticache");
+  if (input.includeElastiCache === false) args.push("--no-include-elasticache");
+  if (input.includeRoute53 === true) args.push("--include-route53");
+  if (input.includeRoute53 === false) args.push("--no-include-route53");
+
   if (input.publicOnly) args.push("--public-only");
   if (input.managedOnly) args.push("--managed-only");
 
@@ -216,6 +231,14 @@ function tryParseJsonArray(text) {
 function summarizeRecords(records) {
   const summary = {
     totalRecords: 0,
+    ec2Records: 0,
+    lambdaRecords: 0,
+    albRecords: 0,
+    targetGroupRecords: 0,
+    asgRecords: 0,
+    rdsRecords: 0,
+    elasticacheRecords: 0,
+    route53ZoneRecords: 0,
     publicIpRecords: 0,
     ssmManagedCount: 0,
     ssmOnlineCount: 0,
@@ -230,6 +253,15 @@ function summarizeRecords(records) {
 
   for (const item of Array.isArray(records) ? records : []) {
     summary.totalRecords += 1;
+    const resourceType = item && item.resourceType ? String(item.resourceType).toLowerCase() : null;
+    if (resourceType === "ec2") summary.ec2Records += 1;
+    if (resourceType === "lambda") summary.lambdaRecords += 1;
+    if (resourceType === "alb") summary.albRecords += 1;
+    if (resourceType === "target_group") summary.targetGroupRecords += 1;
+    if (resourceType === "asg") summary.asgRecords += 1;
+    if (resourceType === "rds") summary.rdsRecords += 1;
+    if (resourceType === "elasticache") summary.elasticacheRecords += 1;
+    if (resourceType === "route53_zone") summary.route53ZoneRecords += 1;
     if (item && item.publicIp) summary.publicIpRecords += 1;
     if (item && item.ssmManaged === true) summary.ssmManagedCount += 1;
     if (item && item.ssmOnline === true) summary.ssmOnlineCount += 1;
@@ -248,6 +280,223 @@ function summarizeRecords(records) {
   return summary;
 }
 
+function firstProfileArg(args) {
+  if (args && Array.isArray(args.profiles) && args.profiles.length > 0) {
+    return String(args.profiles[0]);
+  }
+  return "default";
+}
+
+function inferSsoLoginCommand(action, args) {
+  const hint = action && action.hint ? String(action.hint) : "";
+  const matched = /aws sso login --profile\s+[^\s'"]+/i.exec(hint);
+  if (matched) {
+    return matched[0];
+  }
+  return `aws sso login --profile ${firstProfileArg(args)}`;
+}
+
+function guidanceForAction(action, args) {
+  const code = action && action.code ? String(action.code) : "UNKNOWN";
+  const defaultItem = {
+    code,
+    title: "Manual action required",
+    steps: [
+      action && action.message ? action.message : "A manual action is required.",
+      action && action.hint ? action.hint : "After completing the action, reply '?熬곣뫁?? to continue."
+    ],
+    confirmText: "?브퀗??洹쏆쾸? ?熬곣뫁???濡?듆 '?熬곣뫁?????┑€?????면썒??닔??? ?띠룇?? ??븐슙???怨쀬Ŧ ???吏?????熬곥굥由?뇦猿뗭쪠????덈펲."
+  };
+
+  switch (code) {
+    case "SSO_LOGIN_NEEDED":
+    case "SSO_REAUTH_REQUIRED": {
+      const cmd = inferSsoLoginCommand(action, args);
+      return {
+        code,
+        title: "AWS SSO login required",
+        steps: [
+          `????????????깅쾳 嶺뚮ㅏ援앲??????덈뺄??琉얠돪?? ${cmd}`,
+          "??곗뒧???? ?筌뤾쑴理?MFA???熬곣뫁???琉얠돪??",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
+        ],
+        confirmText: "SSO ?β돦裕??筌뤾쑴逾???硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    }
+    case "AWS_CREDENTIALS_REQUIRED":
+      return {
+        code,
+        title: "AWS credentials required",
+        steps: [
+          "??????熬곣뫁夷?熬곣뫗踰????遊꾤춯?밸퉾筌?????깆젧??琉얠돪??(SSO ???裕?access key).",
+          "SSO??寃밸듆 'aws configure sso --profile <profile>' ???β돦裕??筌뤿굝由?筌뤾쑴??",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
+        ],
+        confirmText: "???遊꾤춯?밸퉾筌????깆젧/?β돦裕??筌뤾쑴逾???硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    case "SET_SSM_INSTANCE_PROFILE":
+      return {
+        code,
+        title: "SSM remediation target missing",
+        steps: [
+          "???吏??곌랜踰€?袁ㅻご??????濡?졎嶺?instance profile ???藥????裕?ARN??嶺뚯솘??筌먐삵돵????紐껊퉵??",
+          "???깅쾳 ?????繞???濡る룎????節띾쐾 ?熬곣뫀堉??琉얠돪?? --ssm-instance-profile-name ???裕?--ssm-instance-profile-arn",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
+        ],
+        confirmText: "?熬곣뫁夷???逾?????⑤챷諭?嶺뚯솘??筌먐삳빳???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    case "SSM_ROLE_OR_AGENT_REQUIRED":
+      return {
+        code,
+        title: "Instance is not SSM managed",
+        steps: [
+          "?筌뤾쑬裕??怨룸츩 ?????AmazonSSMManagedInstanceCore???????琉얠돪??",
+          "SSM Agent?? ???덈콦??怨뚯씩(SSM endpoint/?筌뤿굛????롪퍔?δ빳??띠럾? ?筌먦끆留?筌? ?筌먦끉逾??琉얠돪??",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
+        ],
+        confirmText: "SSM ??㉱€????⑤객臾???브퀗?????덈펲嶺?'?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    case "INSTANCE_HAS_PROFILE":
+      return {
+        code,
+        title: "Existing instance profile detected",
+        steps: [
+          "?リ옇????筌뤾쑬裕??怨룸츩 ?熬곣뫁夷???逾?????곕????덈펲.",
+          "??ルㅎ臾?1: ?リ옇????????筌먦끉???SSM 雅?굝??뇡???怨뺣뼺???紐껊퉵??",
+          "??ルㅎ臾?2: ???吏???€흮?우뮁紐???믨퀡由?춯?allowReplaceProfile=true ??????熬곥굥????덈펲."
+        ],
+        confirmText: "??⑤챷????꾩렮維뽬떋???筌먐삳빳???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    case "IAM_PROFILE_ASSOCIATION_FAILED":
+    case "IAM_PROFILE_REPLACE_FAILED":
+      return {
+        code,
+        title: "Missing IAM permission for remediation",
+        steps: [
+          "???덈뺄 ?낅슣?섊뙼??EC2 ?筌뤾쑬裕??怨룸츩 ?熬곣뫁夷???逾???⑤슡????€흮??雅?굝??뇡???遊붋€????筌뤾쑴??",
+          "?熬곣뫗??雅?굝??뇡? ec2:AssociateIamInstanceProfile, ec2:ReplaceIamInstanceProfileAssociation(??€흮????, iam:PassRole",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
+        ],
+        confirmText: "IAM 雅?굝??뇡??꾩룇瑗?????硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    case "SSM_RUNCOMMAND_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing SSM RunCommand permission",
+        steps: [
+          "???덈뺄 ?낅슣?섊뙼??SSM 嶺뚮ㅏ援앲??雅?굝??뇡???遊붋€????筌뤾쑴??",
+          "?熬곣뫗??雅?굝??뇡? ssm:SendCommand, ssm:GetCommandInvocation",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
+        ],
+        confirmText: "SSM 雅?굝??뇡??꾩룇瑗?????硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    case "LAMBDA_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing Lambda list permission",
+        steps: [
+          "??쎈뻬 雅뚯눘猿??Lambda 鈺곌퀬??亦낅슦釉???봔€鈺곌퉲鍮€??덈뼄.",
+          "?袁⑹뒄 亦낅슦釉? lambda:ListFunctions",
+          "亦낅슦釉?獄쏆꼷????'??袁⑥┷'??⑦€????젻雅뚯눘苑??"
+        ],
+        confirmText: "Lambda 亦낅슦釉?獄쏆꼷?????멸돌筌?'??袁⑥┷'??⑦€????젻雅뚯눘苑??"
+      };
+    case "ELBV2_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing ELBv2 list permission",
+        steps: [
+          "Grant permissions to list load balancers and target groups.",
+          "Required: elasticloadbalancing:DescribeLoadBalancers and elasticloadbalancing:DescribeTargetGroups.",
+          "Retry after permission update."
+        ],
+        confirmText: "After ELBv2 permission update, reply 'completed' and retry."
+      };
+    case "ASG_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing Auto Scaling list permission",
+        steps: [
+          "Grant permission to read Auto Scaling Groups.",
+          "Required: autoscaling:DescribeAutoScalingGroups.",
+          "Retry after permission update."
+        ],
+        confirmText: "After Auto Scaling permission update, reply 'completed' and retry."
+      };
+    case "RDS_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing RDS list permission",
+        steps: [
+          "Grant permission to list RDS DB instances.",
+          "Required: rds:DescribeDBInstances.",
+          "Retry after permission update."
+        ],
+        confirmText: "After RDS permission update, reply 'completed' and retry."
+      };
+    case "ELASTICACHE_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing ElastiCache list permission",
+        steps: [
+          "Grant permission to list ElastiCache clusters.",
+          "Required: elasticache:DescribeCacheClusters.",
+          "Retry after permission update."
+        ],
+        confirmText: "After ElastiCache permission update, reply 'completed' and retry."
+      };
+    case "ROUTE53_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing Route53 list permission",
+        steps: [
+          "Grant permission to list Route53 hosted zones.",
+          "Required: route53:ListHostedZones (and route53:ListResourceRecordSets for record counts).",
+          "Retry after permission update."
+        ],
+        confirmText: "After Route53 permission update, reply 'completed' and retry."
+      };
+    default:
+      return defaultItem;
+  }
+}
+
+function buildAgentGuidance(requiredActions, toolName, args) {
+  const items = Array.isArray(requiredActions)
+    ? requiredActions.map((action) => guidanceForAction(action, args))
+    : [];
+
+  if (!items.length) {
+    return {
+      mode: "none",
+      autoRetryRecommended: false,
+      retryTool: toolName,
+      retryArgs: args,
+      userChecklist: [],
+      assistantMessageTemplate: "상태 조회가 완료되었습니다."
+    };
+  }
+
+  const firstItem = items[0];
+  const lines = [];
+  lines.push("AWS 상태 조회를 계속하려면 아래 조치가 필요합니다.");
+  lines.push(`1. [${firstItem.code}] ${firstItem.title}`);
+  for (let i = 0; i < firstItem.steps.length; i += 1) {
+    lines.push(`${i + 1}. ${firstItem.steps[i]}`);
+  }
+  lines.push(firstItem.confirmText);
+
+  return {
+    mode: "human_in_the_loop",
+    autoRetryRecommended: true,
+    retryTool: toolName,
+    retryArgs: args,
+    completionTrigger: "사용자가 '완료' 또는 조치 완료 의사를 전달하면 같은 입력으로 재시도",
+    userChecklist: items,
+    assistantMessageTemplate: lines.join("\n")
+  };
+}
+
 function buildToolTextResponse(payload) {
   return truncateText(JSON.stringify(payload, null, 2), DEFAULT_JSON_TEXT_LIMIT);
 }
@@ -257,6 +506,13 @@ function toolSchema() {
     profiles: z.array(z.string().min(1)).optional().describe("Optional AWS profiles."),
     regions: z.array(z.string().min(1)).optional().describe("Optional AWS regions."),
     instanceIds: z.array(z.string().min(1)).optional().describe("Optional EC2 instance ids."),
+    includeLambda: z.boolean().optional().describe("If true, include Lambda inventory."),
+    includeEc2: z.boolean().optional().describe("If false, skip EC2 inventory."),
+    includeAlb: z.boolean().optional().describe("If true, include ALB/NLB and target group inventory."),
+    includeAsg: z.boolean().optional().describe("If true, include Auto Scaling Group inventory."),
+    includeRds: z.boolean().optional().describe("If true, include RDS DB instance inventory."),
+    includeElastiCache: z.boolean().optional().describe("If true, include ElastiCache cluster inventory."),
+    includeRoute53: z.boolean().optional().describe("If true, include Route53 hosted zone inventory."),
     publicOnly: z.boolean().optional().describe("If true, include only public IPv4 instances."),
     managedOnly: z.boolean().optional().describe("If true, include only SSM-managed instances."),
     autoRemediateSsm: z.boolean().optional().describe("If true, try attaching/replacing instance profile for unmanaged instances."),
@@ -353,6 +609,7 @@ function registerDiscoverTool(server, name, title, description) {
 
       const acceptedExitCodes = new Set([0, 2, 3]);
       const requiresUserAction = logInfo.requiredActions.length > 0 || cliResult.exitCode === 3;
+      const guidance = buildAgentGuidance(logInfo.requiredActions, name, args);
 
       const response = {
         ok: acceptedExitCodes.has(cliResult.exitCode),
@@ -362,6 +619,7 @@ function registerDiscoverTool(server, name, title, description) {
         signal: cliResult.signal,
         requiresUserAction,
         requiredActions: logInfo.requiredActions,
+        guidance,
         summary: {
           ...summarizeRecords(allRecords),
           returnedRecords: records.length,
@@ -395,15 +653,15 @@ async function registerTools(server) {
   registerDiscoverTool(
     server,
     "discover_ec2_with_ssm",
-    "Discover EC2 + SSM Inventory",
-    "Runs mcp-aws-manager in SSM-only mode and returns EC2 inventory with SSM management/online status and optional runtime snapshots."
+    "Discover AWS Inventory (multi-service + SSM runtime)",
+    "Runs mcp-aws-manager and returns inventory across EC2/Lambda/ALB/ASG/RDS/ElastiCache/Route53 with optional SSM runtime snapshots."
   );
 
   registerDiscoverTool(
     server,
     "discover_public_ec2_with_pem",
-    "Discover EC2 + SSM Inventory (compat alias)",
-    "Compatibility alias. Internally runs the same SSM-only discovery flow."
+    "Discover AWS Inventory (compat alias)",
+    "Compatibility alias. Internally runs the same multi-service discovery flow."
   );
 
   server.registerTool(