mcp-aws-manager 0.3.1 → 0.3.2

package/AGENT_GUIDANCE_LOOP_TEMPLATE_KO.md

@@ -8,6 +8,22 @@
 - 수동 개입이 필요한 순간에만 사용자를 안내한다.
 - 사용자가 조치를 완료하면 같은 입력으로 자동 재시도한다.
 
+## 초기 설정 온보딩 모드
+
+처음 사용하는 사용자에게는 아래 순서로 진행한다.
+
+1. `mcp-aws-manager doctor` 실행
+2. 인증 누락 시 `aws configure sso --profile <profile>` 안내
+3. `aws sso login --profile <profile>` 안내
+4. `aws sts get-caller-identity --profile <profile>` 검증
+5. `discover_ec2_with_ssm` 또는 `mcp-aws-manager discover` 재실행
+
+원칙:
+
+- 한 번에 하나의 조치만 요청
+- 조치 완료 답변(예: `완료`)을 받으면 즉시 같은 요청 재시도
+- 실패하면 다음 `ACTION_REQUIRED` 1건만 이어서 안내
+
 ## 입력 가정
 
 MCP 응답 JSON에는 아래 필드가 포함된다.
@@ -46,7 +62,7 @@ MCP 응답 JSON에는 아래 필드가 포함된다.
 
 완료 시 아래를 간단히 보고한다.
 
-1. 전체 인스턴스 수
-2. SSM 관리/온라인 수
+1. 전체 리소스 수(EC2/Lambda)
+2. EC2 기준 SSM 관리/온라인 수
 3. 주요 경고 유무
-4. 다음 선택 사항(예: 런타임 스냅샷 확장)
+4. 다음 선택 사항(예: 런타임 스냅샷 확장)

package/IMPLEMENTATION_INTEGRATIONS.md

@@ -0,0 +1,91 @@
+# Implementation Integrations
+
+This document lists MCP/API/CLI integrations used by `mcp-aws-manager`.
+
+## 1) MCP integration (provided by this project)
+
+Tools:
+
+- `discover_ec2_with_ssm`
+- `discover_public_ec2_with_pem` (compat alias)
+- `mcp_aws_discover_cli_help`
+
+Files:
+
+- `bin/mcp-aws-manager-mcp.js`
+- `bin/mcp-aws-manager.js`
+
+Behavior:
+
+- MCP tool input is translated to CLI args
+- CLI runs inventory/runtime workflow
+- Result is normalized as structured JSON payload (`summary`, `requiredActions`, `guidance`)
+
+## 2) Important implementation scope decision
+
+- External AWS management MCP backends are **not used** in runtime execution.
+- Execution is internal-only using AWS SDK + AWS CLI.
+- No bridge command / adapter map is required for normal operation.
+
+## 3) AWS SDK integrations (internal execution)
+
+File:
+
+- `bin/mcp-aws-manager.js`
+
+SDK clients:
+
+- `@aws-sdk/client-sts`
+- `@aws-sdk/client-ec2`
+- `@aws-sdk/client-ssm`
+- `@aws-sdk/client-lambda`
+- `@aws-sdk/client-elastic-load-balancing-v2`
+- `@aws-sdk/client-auto-scaling`
+- `@aws-sdk/client-rds`
+- `@aws-sdk/client-elasticache`
+- `@aws-sdk/client-route-53`
+
+Core API calls:
+
+- STS: `GetCallerIdentity`
+- EC2: `DescribeRegions`, `DescribeInstances`, `DescribeIamInstanceProfileAssociations`, `AssociateIamInstanceProfile`, `ReplaceIamInstanceProfileAssociation`
+- SSM: `DescribeInstanceInformation`, `SendCommand`, `GetCommandInvocation`
+- Lambda: `ListFunctions`
+- ELBv2: `DescribeLoadBalancers`, `DescribeTargetGroups`
+- Auto Scaling: `DescribeAutoScalingGroups`
+- RDS: `DescribeDBInstances`
+- ElastiCache: `DescribeCacheClusters`
+- Route53: `ListHostedZones`, `ListResourceRecordSets`
+
+## 4) AWS CLI integration
+
+File:
+
+- `bin/mcp-aws-manager.js`
+
+Command used:
+
+- `aws sso login --profile <profile>`
+
+Purpose:
+
+- Automatic recovery when SSO credentials expire.
+
+## 5) Local MCP client registration automation
+
+Supported clients:
+
+- `codex`
+- `claude`
+- `cursor`
+- `windsurf`
+- `antigravity`
+
+The setup flow tries multiple `mcp` command variants (`get/show`, `add`, `remove/rm`, scope variations) to maximize compatibility.
+
+## 6) Related docs
+
+- `README.md`
+- `USAGE_GUIDE.md`
+- `MCP_CLIENT_SETUP.md`
+- `MCP_DIFFERENTIATION.md`

package/MCP_CLIENT_SETUP.md

@@ -1,6 +1,6 @@
 # MCP Client Setup (stdio)
 
-This project provides an MCP stdio wrapper around the SSM-only CLI.
+This project provides an MCP stdio wrapper around the SSM-first AWS operations CLI.
 
 - Preferred CLI command: `mcp-aws-manager`
 - Preferred MCP server command: `mcp-aws-manager-mcp`
@@ -8,7 +8,7 @@ This project provides an MCP stdio wrapper around the SSM-only CLI.
 
 Exposed MCP tools:
 
-- `discover_ec2_with_ssm` (primary)
+- `discover_ec2_with_ssm` (primary, multi-service inventory + SSM runtime)
 - `discover_public_ec2_with_pem` (compatibility alias, same behavior)
 - `mcp_aws_discover_cli_help`
 
@@ -19,7 +19,7 @@ npm install -g mcp-aws-manager
 mcp-aws-manager
 ```
 
-`mcp-aws-manager` (no args) runs bootstrap and registers the MCP server for detected clients (`codex`, `claude`).
+`mcp-aws-manager` (no args) runs bootstrap and registers the MCP server for detected clients (`codex`, `claude` by default).
 
 Verification:
 
@@ -27,6 +27,22 @@ Verification:
 mcp-aws-manager doctor
 ```
 
+## Agent-Led Setup Flow
+
+When the user is unfamiliar with AWS setup, run this sequence through the agent:
+
+1. `mcp-aws-manager doctor`
+2. If AWS auth missing, guide:
+   - `aws configure sso --profile default`
+   - `aws sso login --profile default`
+3. Validate:
+   - `aws sts get-caller-identity --profile default`
+4. Validate MCP discovery path:
+   - `mcp-aws-manager discover --profiles default --no-progress`
+5. If `requiresUserAction=true`, ask for one manual action only, then retry same request.
+
+Manual user actions are typically limited to SSO browser/MFA and IAM approval.
+
 ## Explicit Registration
 
 ```bash
@@ -39,6 +55,12 @@ Custom name/command:
 mcp-aws-manager setup --name mcp-aws-manager --mcp-command mcp-aws-manager-mcp --clients codex,claude
 ```
 
+Cursor/Windsurf/Antigravity target example:
+
+```bash
+mcp-aws-manager setup --name mcp-aws-manager --mcp-command mcp-aws-manager-mcp --clients cursor,windsurf,antigravity
+```
+
 ## Manual Configuration (Fallback)
 
 Use only when automatic registration is unavailable in your environment.
@@ -91,7 +113,10 @@ Use only when automatic registration is unavailable in your environment.
 
 ## Notes
 
-- Discovery is SSM-only; PEM path arguments are no longer required.
+- Discovery is SSM-first for host/runtime access; PEM path arguments are no longer required.
+- Runtime execution uses this package's internal AWS SDK/CLI path only (no external AWS management MCP backend dependency).
+- Use include flags (`includeLambda`, `includeAlb`, `includeAsg`, `includeRds`, `includeElastiCache`, `includeRoute53`) to expand inventory scope.
 - Keep AWS credentials/profiles available on the host running MCP.
 - When `requiresUserAction=true` is returned, use `guidance.assistantMessageTemplate` to prompt the user, then retry with `guidance.retryTool` + `guidance.retryArgs` after user confirmation.
 - For auto remediation, pass `autoRemediateSsm` and an instance profile name/arn.
+- Supported setup clients: `codex`, `claude`, `cursor`, `windsurf`, `antigravity`.

package/MCP_DIFFERENTIATION.md

@@ -0,0 +1,39 @@
+# MCP Differentiation
+
+This document clarifies how `mcp-aws-manager` differs from existing AWS-oriented MCP servers.
+
+## Scope statement
+
+- `mcp-aws-manager` is an internal-execution operations MCP.
+- Runtime does not call external AWS management MCP servers.
+- Discovery/remediation/snapshot are executed directly with AWS SDK and AWS CLI.
+
+## Compared targets
+
+- AWS MCP Server (Anthropic/community variants)
+- aws-mcp style general AWS control MCPs
+- SSH/filesystem MCP combinations for server introspection
+
+## Comparison summary
+
+| Area | Existing AWS management MCPs (generic) | `mcp-aws-manager` |
+|---|---|---|
+| Runtime dependency | Often depends on that MCP server’s own tool/runtime behavior | No external runtime dependency; internal execution only |
+| Product intent | Broad cloud control (many services, ad-hoc actions) | Server operations workflow (inventory + runtime + guided remediation) |
+| Output contract | Tool-specific response shapes | Single normalized multi-service schema (EC2/Lambda/ALB/ASG/RDS/ElastiCache/Route53/SSM) |
+| Runtime insight | Not always integrated with SSM snapshot flow | SSM-first runtime snapshot in same workflow |
+| Failure handling | Varies by server/tool | Standardized `ACTION_REQUIRED` codes and retry guidance payload |
+| Onboarding | Usually per-client manual MCP config | Built-in `bootstrap/setup/doctor` for `codex`, `claude`, `cursor`, `windsurf`, `antigravity` |
+| Governance/audit | Varies | Step-aligned summary and evidence metadata hooks |
+
+## Practical differentiation
+
+- Deterministic 9-step workflow execution (same ordering every run).
+- Operationally focused defaults (inventory + SSM state + optional remediation/snapshot).
+- User intervention loop designed for agents (ask user only when blocked, then continue).
+- Vendor-agnostic from external MCP backends (no backend lock-in).
+
+## Intentional non-goals
+
+- Full replacement of every existing AWS management MCP capability.
+- External MCP-to-MCP bridge compatibility as a primary architecture.

package/README.md

@@ -1,6 +1,6 @@
 # mcp-aws-manager
 
-AWS operations CLI and MCP server package (SSM-only mode).
+AWS operations CLI and MCP server package (SSM-first mode).
 
 ## What It Provides
 
@@ -9,13 +9,20 @@ AWS operations CLI and MCP server package (SSM-only mode).
 
 Current implementation focuses on:
 
+- Internal-only execution (AWS SDK + AWS CLI), no external AWS management MCP backend dependency
 - EC2 inventory discovery (multi profile / multi region)
+- Optional Lambda function inventory (same profile/region sweep)
+- Optional ALB/NLB + Target Group inventory
+- Optional Auto Scaling Group inventory
+- Optional RDS inventory
+- Optional ElastiCache inventory
+- Optional Route53 hosted zone inventory
 - SSM management and online-state visibility
 - Optional SSM runtime snapshot collection (`RunCommand`)
 - Optional SSM auto-remediation (instance profile association)
 - Human-in-the-loop guidance via `ACTION_REQUIRED` messages
 - JSON/CSV output (CLI)
-- Codex/Claude MCP registration bootstrap helpers
+- MCP registration bootstrap helpers (`codex`, `claude`, `cursor`, `windsurf`, `antigravity`)
 
 ## Install
 
@@ -31,14 +38,21 @@ After install, run once:
 mcp-aws-manager
 ```
 
-This ensures `mcp-aws-manager` is registered in detected clients (`codex`, `claude`).
+This ensures `mcp-aws-manager` is registered in detected clients (`codex`, `claude` by default).
+
+For first-time users, follow the agent-assisted onboarding flow in `USAGE_GUIDE.md` ("Agent-Assisted First-Time Setup").
 
 ## Prerequisites
 
 - Node.js `>=18`
 - AWS credentials/profile (or IAM role) on the machine running the CLI/MCP server
-- For runtime snapshots: SSM permissions (`ssm:SendCommand`, `ssm:GetCommandInvocation`)
+- For runtime snapshots: SSM permissions (`ssm:SendCommand`, `ssm:GetCommandInvocation`, `ssm:DescribeInstanceInformation`)
 - For auto remediation: EC2/IAM permissions (`ec2:AssociateIamInstanceProfile`, optionally `ec2:ReplaceIamInstanceProfileAssociation`, `iam:PassRole`)
+- For ALB inventory: `elasticloadbalancing:DescribeLoadBalancers`, `elasticloadbalancing:DescribeTargetGroups`
+- For ASG inventory: `autoscaling:DescribeAutoScalingGroups`
+- For RDS inventory: `rds:DescribeDBInstances`
+- For ElastiCache inventory: `elasticache:DescribeCacheClusters`
+- For Route53 inventory: `route53:ListHostedZones` (record counts require `route53:ListResourceRecordSets`)
 
 ## Quick Start
 
@@ -56,6 +70,26 @@ Basic discovery:
 mcp-aws-manager discover --profiles default
 ```
 
+Include Lambda inventory together:
+
+```bash
+mcp-aws-manager discover --profiles default --include-lambda
+```
+
+Include core service topology (ALB/ASG/RDS/ElastiCache/Route53):
+
+```bash
+mcp-aws-manager discover \
+  --profiles default \
+  --include-alb --include-asg --include-rds --include-elasticache --include-route53
+```
+
+Lambda-only inventory:
+
+```bash
+mcp-aws-manager discover --profiles default --include-lambda --no-ec2 --no-runtime-snapshot
+```
+
 Only public IP instances:
 
 ```bash
@@ -98,8 +132,8 @@ mcp-aws-manager-mcp
 
 Exposed MCP tools:
 
-- `discover_ec2_with_ssm` (primary)
-- `discover_public_ec2_with_pem` (compatibility alias, same SSM-only behavior)
+- `discover_ec2_with_ssm` (primary, multi-service inventory + SSM runtime)
+- `discover_public_ec2_with_pem` (compatibility alias, same behavior)
 - `mcp_aws_discover_cli_help`
 
 Example tool arguments:
@@ -107,6 +141,7 @@ Example tool arguments:
 ```json
 {
   "profiles": ["default"],
+  "includeLambda": true,
   "publicOnly": true,
   "runtimeSnapshot": true,
   "autoSsoLogin": true,
@@ -121,6 +156,12 @@ When fully automatic execution is not possible, the CLI/MCP returns actionable g
 - `ACTION_REQUIRED: [SSO_LOGIN_NEEDED] ...`
 - `ACTION_REQUIRED: [SSM_ROLE_OR_AGENT_REQUIRED] ...`
 - `ACTION_REQUIRED: [IAM_PROFILE_ASSOCIATION_FAILED] ...`
+- `ACTION_REQUIRED: [LAMBDA_LIST_PERMISSION_REQUIRED] ...`
+- `ACTION_REQUIRED: [ELBV2_LIST_PERMISSION_REQUIRED] ...`
+- `ACTION_REQUIRED: [ASG_LIST_PERMISSION_REQUIRED] ...`
+- `ACTION_REQUIRED: [RDS_LIST_PERMISSION_REQUIRED] ...`
+- `ACTION_REQUIRED: [ELASTICACHE_LIST_PERMISSION_REQUIRED] ...`
+- `ACTION_REQUIRED: [ROUTE53_LIST_PERMISSION_REQUIRED] ...`
 
 The MCP wrapper surfaces these in a structured `requiredActions` list and a `guidance` object (`assistantMessageTemplate`, `retryTool`, `retryArgs`).
 
@@ -140,3 +181,11 @@ These legacy commands are still available:
 
 - `mcp-aws-discover`
 - `mcp-aws-discover-mcp`
+
+## Differentiation Docs
+
+This project does not delegate runtime execution to other AWS management MCP servers.
+Implementation details and differentiation are documented in:
+
+- `IMPLEMENTATION_INTEGRATIONS.md` (implemented MCP/API/CLI inventory)
+- `MCP_DIFFERENTIATION.md` (differences from existing AWS management MCPs)

package/bin/mcp-aws-manager-mcp.js

@@ -20,7 +20,7 @@ function usageText() {
   return [
     "mcp-aws-manager-mcp",
     "",
-    "MCP stdio wrapper for the mcp-aws-manager CLI (SSM-only).",
+    "MCP stdio wrapper for the mcp-aws-manager CLI.",
     "",
     "Usage:",
     "  mcp-aws-manager-mcp",
@@ -28,7 +28,7 @@ function usageText() {
     "",
     "Notes:",
     "  - This process is an MCP stdio server.",
-    "  - Exposes SSM inventory/runtime snapshot discovery tools.",
+    "  - Exposes multi-service AWS inventory and optional runtime tools.",
     ""
   ].join("\n");
 }
@@ -100,6 +100,21 @@ function buildCliArgs(input) {
   const instanceIds = toCsvArg(input.instanceIds);
   if (instanceIds) args.push("--instance-ids", instanceIds);
 
+  if (input.includeLambda === true) args.push("--include-lambda");
+  if (input.includeLambda === false) args.push("--no-include-lambda");
+  if (input.includeEc2 === true) args.push("--include-ec2");
+  if (input.includeEc2 === false) args.push("--no-ec2");
+  if (input.includeAlb === true) args.push("--include-alb");
+  if (input.includeAlb === false) args.push("--no-include-alb");
+  if (input.includeAsg === true) args.push("--include-asg");
+  if (input.includeAsg === false) args.push("--no-include-asg");
+  if (input.includeRds === true) args.push("--include-rds");
+  if (input.includeRds === false) args.push("--no-include-rds");
+  if (input.includeElastiCache === true) args.push("--include-elasticache");
+  if (input.includeElastiCache === false) args.push("--no-include-elasticache");
+  if (input.includeRoute53 === true) args.push("--include-route53");
+  if (input.includeRoute53 === false) args.push("--no-include-route53");
+
   if (input.publicOnly) args.push("--public-only");
   if (input.managedOnly) args.push("--managed-only");
 
@@ -216,6 +231,14 @@ function tryParseJsonArray(text) {
 function summarizeRecords(records) {
   const summary = {
     totalRecords: 0,
+    ec2Records: 0,
+    lambdaRecords: 0,
+    albRecords: 0,
+    targetGroupRecords: 0,
+    asgRecords: 0,
+    rdsRecords: 0,
+    elasticacheRecords: 0,
+    route53ZoneRecords: 0,
     publicIpRecords: 0,
     ssmManagedCount: 0,
     ssmOnlineCount: 0,
@@ -230,6 +253,15 @@ function summarizeRecords(records) {
 
   for (const item of Array.isArray(records) ? records : []) {
     summary.totalRecords += 1;
+    const resourceType = item && item.resourceType ? String(item.resourceType).toLowerCase() : null;
+    if (resourceType === "ec2") summary.ec2Records += 1;
+    if (resourceType === "lambda") summary.lambdaRecords += 1;
+    if (resourceType === "alb") summary.albRecords += 1;
+    if (resourceType === "target_group") summary.targetGroupRecords += 1;
+    if (resourceType === "asg") summary.asgRecords += 1;
+    if (resourceType === "rds") summary.rdsRecords += 1;
+    if (resourceType === "elasticache") summary.elasticacheRecords += 1;
+    if (resourceType === "route53_zone") summary.route53ZoneRecords += 1;
     if (item && item.publicIp) summary.publicIpRecords += 1;
     if (item && item.ssmManaged === true) summary.ssmManagedCount += 1;
     if (item && item.ssmOnline === true) summary.ssmOnlineCount += 1;
@@ -271,9 +303,9 @@ function guidanceForAction(action, args) {
     title: "Manual action required",
     steps: [
       action && action.message ? action.message : "A manual action is required.",
-      action && action.hint ? action.hint : "After completing the action, reply '완료' to continue."
+      action && action.hint ? action.hint : "After completing the action, reply '?熬곣뫁?? to continue."
     ],
-    confirmText: "조치가 완료되면 '완료'라고 답해주세요. 같은 요청으로 자동 재시도하겠습니다."
+    confirmText: "?브퀗??洹쏆쾸? ?熬곣뫁???濡?듆 '?熬곣뫁?????┑€?????면썒??닔??? ?띠룇?? ??븐슙???怨쀬Ŧ ???吏?????熬곥굥由?뇦猿뗭쪠????덈펲."
   };
 
   switch (code) {
@@ -284,11 +316,11 @@ function guidanceForAction(action, args) {
         code,
         title: "AWS SSO login required",
         steps: [
-          `터미널에서 다음 명령을 실행하세요: ${cmd}`,
-          "브라우저 인증/MFA를 완료하세요.",
-          "완료 후 '완료'라고 답해주세요."
+          `????????????깅쾳 嶺뚮ㅏ援앲??????덈뺄??琉얠돪?? ${cmd}`,
+          "??곗뒧???? ?筌뤾쑴理?MFA???熬곣뫁???琉얠돪??",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
         ],
-        confirmText: "SSO 로그인이 끝났다면 '완료'라고 답해주세요."
+        confirmText: "SSO ?β돦裕??筌뤾쑴逾???硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
       };
     }
     case "AWS_CREDENTIALS_REQUIRED":
@@ -296,44 +328,44 @@ function guidanceForAction(action, args) {
         code,
         title: "AWS credentials required",
         steps: [
-          "사용할 프로필의 자격증명을 설정하세요 (SSO 또는 access key).",
-          "SSO라면 'aws configure sso --profile <profile>' 후 로그인하세요.",
-          "완료 후 '완료'라고 답해주세요."
+          "??????熬곣뫁夷?熬곣뫗踰????遊꾤춯?밸퉾筌?????깆젧??琉얠돪??(SSO ???裕?access key).",
+          "SSO??寃밸듆 'aws configure sso --profile <profile>' ???β돦裕??筌뤿굝由?筌뤾쑴??",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
         ],
-        confirmText: "자격증명 설정/로그인이 끝났다면 '완료'라고 답해주세요."
+        confirmText: "???遊꾤춯?밸퉾筌????깆젧/?β돦裕??筌뤾쑴逾???硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
       };
     case "SET_SSM_INSTANCE_PROFILE":
       return {
         code,
         title: "SSM remediation target missing",
         steps: [
-          "자동 복구를 사용하려면 instance profile 이름 또는 ARN을 지정해야 합니다.",
-          "다음 옵션 중 하나를 함께 전달하세요: --ssm-instance-profile-name 또는 --ssm-instance-profile-arn",
-          "완료 후 '완료'라고 답해주세요."
+          "???吏??곌랜踰€?袁ㅻご??????濡?졎嶺?instance profile ???藥????裕?ARN??嶺뚯솘??筌먐삵돵????紐껊퉵??",
+          "???깅쾳 ?????繞???濡る룎????節띾쐾 ?熬곣뫀堉??琉얠돪?? --ssm-instance-profile-name ???裕?--ssm-instance-profile-arn",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
         ],
-        confirmText: "프로파일 대상을 지정했다면 '완료'라고 답해주세요."
+        confirmText: "?熬곣뫁夷???逾?????⑤챷諭?嶺뚯솘??筌먐삳빳???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
       };
     case "SSM_ROLE_OR_AGENT_REQUIRED":
       return {
         code,
         title: "Instance is not SSM managed",
         steps: [
-          "인스턴스 역할에 AmazonSSMManagedInstanceCore를 포함하세요.",
-          "SSM Agent와 네트워크(SSM endpoint/인터넷 경로)가 정상인지 확인하세요.",
-          "완료 후 '완료'라고 답해주세요."
+          "?筌뤾쑬裕??怨룸츩 ?????AmazonSSMManagedInstanceCore???????琉얠돪??",
+          "SSM Agent?? ???덈콦??怨뚯씩(SSM endpoint/?筌뤿굛????롪퍔?δ빳??띠럾? ?筌먦끆留?筌? ?筌먦끉逾??琉얠돪??",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
         ],
-        confirmText: "SSM 관리 상태를 조치했다면 '완료'라고 답해주세요."
+        confirmText: "SSM ??㉱€????⑤객臾???브퀗?????덈펲嶺?'?熬곣뫁?????┑€?????면썒??닔???"
       };
     case "INSTANCE_HAS_PROFILE":
       return {
         code,
         title: "Existing instance profile detected",
         steps: [
-          "기존 인스턴스 프로파일이 있습니다.",
-          "선택 1: 기존 역할 정책에 SSM 권한을 추가합니다.",
-          "선택 2: 자동 교체를 원하면 allowReplaceProfile=true 로 재시도합니다."
+          "?リ옇????筌뤾쑬裕??怨룸츩 ?熬곣뫁夷???逾?????곕????덈펲.",
+          "??ルㅎ臾?1: ?リ옇????????筌먦끉???SSM 雅?굝??뇡???怨뺣뼺???紐껊퉵??",
+          "??ルㅎ臾?2: ???吏???€흮?우뮁紐???믨퀡由?춯?allowReplaceProfile=true ??????熬곥굥????덈펲."
         ],
-        confirmText: "적용할 방법을 정했다면 '완료'라고 답해주세요."
+        confirmText: "??⑤챷????꾩렮維뽬떋???筌먐삳빳???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
       };
     case "IAM_PROFILE_ASSOCIATION_FAILED":
     case "IAM_PROFILE_REPLACE_FAILED":
@@ -341,22 +373,88 @@ function guidanceForAction(action, args) {
         code,
         title: "Missing IAM permission for remediation",
         steps: [
-          "실행 주체에 EC2 인스턴스 프로파일 연결/교체 권한을 부여하세요.",
-          "필요 권한: ec2:AssociateIamInstanceProfile, ec2:ReplaceIamInstanceProfileAssociation(교체 시), iam:PassRole",
-          "완료 후 '완료'라고 답해주세요."
+          "???덈뺄 ?낅슣?섊뙼??EC2 ?筌뤾쑬裕??怨룸츩 ?熬곣뫁夷???逾???⑤슡????€흮??雅?굝??뇡???遊붋€????筌뤾쑴??",
+          "?熬곣뫗??雅?굝??뇡? ec2:AssociateIamInstanceProfile, ec2:ReplaceIamInstanceProfileAssociation(??€흮????, iam:PassRole",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
         ],
-        confirmText: "IAM 권한 반영이 끝났다면 '완료'라고 답해주세요."
+        confirmText: "IAM 雅?굝??뇡??꾩룇瑗?????硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
       };
     case "SSM_RUNCOMMAND_PERMISSION_REQUIRED":
       return {
         code,
         title: "Missing SSM RunCommand permission",
         steps: [
-          "실행 주체에 SSM 명령 권한을 부여하세요.",
-          "필요 권한: ssm:SendCommand, ssm:GetCommandInvocation",
-          "완료 후 '완료'라고 답해주세요."
+          "???덈뺄 ?낅슣?섊뙼??SSM 嶺뚮ㅏ援앲??雅?굝??뇡???遊붋€????筌뤾쑴??",
+          "?熬곣뫗??雅?굝??뇡? ssm:SendCommand, ssm:GetCommandInvocation",
+          "?熬곣뫁????'?熬곣뫁?????┑€?????면썒??닔???"
+        ],
+        confirmText: "SSM 雅?굝??뇡??꾩룇瑗?????硫명뀬???좊듆 '?熬곣뫁?????┑€?????면썒??닔???"
+      };
+    case "LAMBDA_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing Lambda list permission",
+        steps: [
+          "??쎈뻬 雅뚯눘猿??Lambda 鈺곌퀬??亦낅슦釉???봔€鈺곌퉲鍮€??덈뼄.",
+          "?袁⑹뒄 亦낅슦釉? lambda:ListFunctions",
+          "亦낅슦釉?獄쏆꼷????'??袁⑥┷'??⑦€????젻雅뚯눘苑??"
+        ],
+        confirmText: "Lambda 亦낅슦釉?獄쏆꼷?????멸돌筌?'??袁⑥┷'??⑦€????젻雅뚯눘苑??"
+      };
+    case "ELBV2_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing ELBv2 list permission",
+        steps: [
+          "Grant permissions to list load balancers and target groups.",
+          "Required: elasticloadbalancing:DescribeLoadBalancers and elasticloadbalancing:DescribeTargetGroups.",
+          "Retry after permission update."
+        ],
+        confirmText: "After ELBv2 permission update, reply 'completed' and retry."
+      };
+    case "ASG_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing Auto Scaling list permission",
+        steps: [
+          "Grant permission to read Auto Scaling Groups.",
+          "Required: autoscaling:DescribeAutoScalingGroups.",
+          "Retry after permission update."
+        ],
+        confirmText: "After Auto Scaling permission update, reply 'completed' and retry."
+      };
+    case "RDS_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing RDS list permission",
+        steps: [
+          "Grant permission to list RDS DB instances.",
+          "Required: rds:DescribeDBInstances.",
+          "Retry after permission update."
+        ],
+        confirmText: "After RDS permission update, reply 'completed' and retry."
+      };
+    case "ELASTICACHE_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing ElastiCache list permission",
+        steps: [
+          "Grant permission to list ElastiCache clusters.",
+          "Required: elasticache:DescribeCacheClusters.",
+          "Retry after permission update."
+        ],
+        confirmText: "After ElastiCache permission update, reply 'completed' and retry."
+      };
+    case "ROUTE53_LIST_PERMISSION_REQUIRED":
+      return {
+        code,
+        title: "Missing Route53 list permission",
+        steps: [
+          "Grant permission to list Route53 hosted zones.",
+          "Required: route53:ListHostedZones (and route53:ListResourceRecordSets for record counts).",
+          "Retry after permission update."
         ],
-        confirmText: "SSM 권한 반영이 끝났다면 '완료'라고 답해주세요."
+        confirmText: "After Route53 permission update, reply 'completed' and retry."
       };
     default:
       return defaultItem;
@@ -393,7 +491,7 @@ function buildAgentGuidance(requiredActions, toolName, args) {
     autoRetryRecommended: true,
     retryTool: toolName,
     retryArgs: args,
-    completionTrigger: "사용자가 '완료' 또는 조치 완료를 확인하면 같은 입력으로 도구를 재실행",
+    completionTrigger: "사용자가 '완료' 또는 조치 완료 의사를 전달하면 같은 입력으로 재시도",
     userChecklist: items,
     assistantMessageTemplate: lines.join("\n")
   };
@@ -408,6 +506,13 @@ function toolSchema() {
     profiles: z.array(z.string().min(1)).optional().describe("Optional AWS profiles."),
     regions: z.array(z.string().min(1)).optional().describe("Optional AWS regions."),
     instanceIds: z.array(z.string().min(1)).optional().describe("Optional EC2 instance ids."),
+    includeLambda: z.boolean().optional().describe("If true, include Lambda inventory."),
+    includeEc2: z.boolean().optional().describe("If false, skip EC2 inventory."),
+    includeAlb: z.boolean().optional().describe("If true, include ALB/NLB and target group inventory."),
+    includeAsg: z.boolean().optional().describe("If true, include Auto Scaling Group inventory."),
+    includeRds: z.boolean().optional().describe("If true, include RDS DB instance inventory."),
+    includeElastiCache: z.boolean().optional().describe("If true, include ElastiCache cluster inventory."),
+    includeRoute53: z.boolean().optional().describe("If true, include Route53 hosted zone inventory."),
     publicOnly: z.boolean().optional().describe("If true, include only public IPv4 instances."),
     managedOnly: z.boolean().optional().describe("If true, include only SSM-managed instances."),
     autoRemediateSsm: z.boolean().optional().describe("If true, try attaching/replacing instance profile for unmanaged instances."),
@@ -548,15 +653,15 @@ async function registerTools(server) {
   registerDiscoverTool(
     server,
     "discover_ec2_with_ssm",
-    "Discover EC2 + SSM Inventory",
-    "Runs mcp-aws-manager in SSM-only mode and returns EC2 inventory with SSM management/online status and optional runtime snapshots."
+    "Discover AWS Inventory (multi-service + SSM runtime)",
+    "Runs mcp-aws-manager and returns inventory across EC2/Lambda/ALB/ASG/RDS/ElastiCache/Route53 with optional SSM runtime snapshots."
   );
 
   registerDiscoverTool(
     server,
     "discover_public_ec2_with_pem",
-    "Discover EC2 + SSM Inventory (compat alias)",
-    "Compatibility alias. Internally runs the same SSM-only discovery flow."
+    "Discover AWS Inventory (compat alias)",
+    "Compatibility alias. Internally runs the same multi-service discovery flow."
   );
 
   server.registerTool(