mcp-aws-manager 0.3.4 → 0.3.6

package/bin/mcp-aws-manager.js

@@ -46,6 +46,147 @@ function parseCsv(raw) {
   return list.length ? list : null;
 }
 
+function normalizeKey(value) {
+  return String(value == null ? "" : value)
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9]/g, "");
+}
+
+function normalizedLookup(raw) {
+  const out = {};
+  if (!raw || typeof raw !== "object") return out;
+  for (const [key, value] of Object.entries(raw)) {
+    const original = String(key || "");
+    out[original] = value;
+    const normalized = normalizeKey(original);
+    if (normalized && !Object.prototype.hasOwnProperty.call(out, normalized)) {
+      out[normalized] = value;
+    }
+  }
+  return out;
+}
+
+function pickField(raw, keys) {
+  const lookup = normalizedLookup(raw);
+  for (const key of keys) {
+    const normalized = normalizeKey(key);
+    if (!normalized) continue;
+    if (!Object.prototype.hasOwnProperty.call(lookup, normalized)) continue;
+    const value = lookup[normalized];
+    if (value == null) continue;
+    if (typeof value === "string" && value.trim() === "") continue;
+    return value;
+  }
+  return null;
+}
+
+function asText(value) {
+  if (value == null) return null;
+  const text = String(value).trim();
+  return text || null;
+}
+
+function asBool(value) {
+  if (value == null || value === "") return null;
+  if (typeof value === "boolean") return value;
+  if (typeof value === "number") return value !== 0;
+  const text = String(value).trim().toLowerCase();
+  if (!text) return null;
+  if (["1", "true", "yes", "y", "on"].includes(text)) return true;
+  if (["0", "false", "no", "n", "off"].includes(text)) return false;
+  return null;
+}
+
+function asInt(value) {
+  if (value == null || value === "") return null;
+  const num = Number(value);
+  if (!Number.isFinite(num)) return null;
+  return Math.round(num);
+}
+
+function parseCsvLine(line) {
+  const fields = [];
+  let current = "";
+  let inQuotes = false;
+  const text = String(line || "");
+  for (let i = 0; i < text.length; i += 1) {
+    const ch = text[i];
+    if (ch === "\"") {
+      if (inQuotes && text[i + 1] === "\"") {
+        current += "\"";
+        i += 1;
+      } else {
+        inQuotes = !inQuotes;
+      }
+      continue;
+    }
+    if (ch === "," && !inQuotes) {
+      fields.push(current.trim());
+      current = "";
+      continue;
+    }
+    current += ch;
+  }
+  fields.push(current.trim());
+  return fields;
+}
+
+function parseCsvObjects(text) {
+  const lines = String(text || "")
+    .replace(/^\uFEFF/, "")
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter((line) => line && !line.startsWith("#"));
+  if (!lines.length) return [];
+
+  const headers = parseCsvLine(lines[0]).map((h, i) => h || `col_${i + 1}`);
+  const out = [];
+  for (let i = 1; i < lines.length; i += 1) {
+    const values = parseCsvLine(lines[i]);
+    if (!values.some((v) => String(v || "").trim())) continue;
+    const row = {};
+    for (let j = 0; j < headers.length; j += 1) {
+      row[headers[j]] = values[j] != null ? values[j] : "";
+    }
+    out.push(row);
+  }
+  return out;
+}
+
+function loadManualServerEntries(filePath) {
+  const text = fs.readFileSync(filePath, "utf8").replace(/^\uFEFF/, "");
+  const ext = path.extname(filePath).toLowerCase();
+  if (ext === ".csv") {
+    return parseCsvObjects(text);
+  }
+
+  let parsed = null;
+  try {
+    parsed = JSON.parse(text);
+  } catch (error) {
+    if (ext === ".json") {
+      throw new Error(`Invalid JSON in manual server list: ${error.message || String(error)}`);
+    }
+    return parseCsvObjects(text);
+  }
+
+  if (Array.isArray(parsed)) return parsed;
+  if (parsed && typeof parsed === "object") {
+    if (Array.isArray(parsed.servers)) return parsed.servers;
+    if (Array.isArray(parsed.instances)) return parsed.instances;
+    if (Array.isArray(parsed.items)) return parsed.items;
+    if (Array.isArray(parsed.records)) return parsed.records;
+  }
+  throw new Error("manual server list JSON must be an array or an object containing servers/instances/items/records array.");
+}
+
+function resolvePathList(raw) {
+  const items = parseCsv(raw);
+  if (!items) return null;
+  return items.map((value) => path.resolve(expandHome(value)));
+}
+
 function toPosNum(raw, name, fallback) {
   const value = Number(raw == null ? fallback : raw);
   if (!Number.isFinite(value) || value <= 0) {
@@ -120,6 +261,13 @@ function usageText() {
     "  --snapshot-timeout <seconds>      (default: 60)",
     "  --snapshot-concurrency <n>        (default: 3)",
     "  --snapshot-max-kb <n>             (default: 64)",
+    "  --manual-server-list <path>       (JSON/CSV server list for manual inventory mode)",
+    "  --pem-paths <a,b,c>               (optional PEM keys for SSH runtime snapshot)",
+    "  --ssh-user <name>                 (default: ec2-user)",
+    "  --ssh-port <port>                 (default: 22)",
+    "  --ssh-connect-timeout <seconds>   (default: 8)",
+    "  --html-out <path>                 (optional interactive HTML report output path)",
+    "  --open-html                       (try opening HTML report after write)",
     "  --auto-sso-login / --no-auto-sso-login",
     "  --format <json|csv>               (default: json)",
     "  --out <path>",
@@ -135,6 +283,9 @@ function usageText() {
     "  MCP_AWS_ALLOW_REPLACE_PROFILE, MCP_AWS_REMEDIATION_WAIT",
     "  MCP_AWS_RUNTIME_SNAPSHOT, MCP_AWS_SNAPSHOT_TIMEOUT, MCP_AWS_SNAPSHOT_CONCURRENCY",
     "  MCP_AWS_SNAPSHOT_MAX_KB, MCP_AWS_AUTO_SSO_LOGIN",
+    "  MCP_AWS_MANUAL_SERVER_LIST, MCP_AWS_PEM_PATHS, MCP_AWS_SSH_USER, MCP_AWS_SSH_PORT",
+    "  MCP_AWS_SSH_CONNECT_TIMEOUT",
+    "  MCP_AWS_HTML_OUT, MCP_AWS_OPEN_HTML",
     "  MCP_AWS_FORMAT, MCP_AWS_OUT, MCP_AWS_NO_PROGRESS",
     ""
   ].join("\n");
@@ -287,6 +438,13 @@ function parseDiscoverArgs(argv) {
     snapshotTimeoutSec: null,
     snapshotConcurrency: null,
     snapshotMaxKb: null,
+    manualServerListPath: null,
+    pemPaths: null,
+    sshUser: null,
+    sshPort: null,
+    sshConnectTimeoutSec: null,
+    htmlOutPath: null,
+    openHtml: null,
     autoSsoLogin: null,
     format: null,
     outPath: null,
@@ -305,6 +463,12 @@ function parseDiscoverArgs(argv) {
       case "snapshot-timeout": options.snapshotTimeoutSec = value; break;
       case "snapshot-concurrency": options.snapshotConcurrency = value; break;
       case "snapshot-max-kb": options.snapshotMaxKb = value; break;
+      case "manual-server-list": options.manualServerListPath = value; break;
+      case "pem-paths": options.pemPaths = value; break;
+      case "ssh-user": options.sshUser = value; break;
+      case "ssh-port": options.sshPort = value; break;
+      case "ssh-connect-timeout": options.sshConnectTimeoutSec = value; break;
+      case "html-out": options.htmlOutPath = value; break;
       case "format": options.format = value; break;
       case "out": options.outPath = value; break;
       default: throw new Error(`Unknown discover option --${key}`);
@@ -337,6 +501,7 @@ function parseDiscoverArgs(argv) {
     if (arg === "--no-runtime-snapshot") { options.runtimeSnapshot = false; continue; }
     if (arg === "--auto-sso-login") { options.autoSsoLogin = true; continue; }
     if (arg === "--no-auto-sso-login") { options.autoSsoLogin = false; continue; }
+    if (arg === "--open-html") { options.openHtml = true; continue; }
     if (arg === "--progress") { options.noProgress = false; continue; }
     if (arg === "--no-progress") { options.noProgress = true; continue; }
     if (!arg.startsWith("--")) throw new Error(`Unexpected argument: ${arg}`);
@@ -387,6 +552,17 @@ function parseDiscoverArgs(argv) {
     snapshotTimeoutSec: Math.round(toPosNum(options.snapshotTimeoutSec || envText("MCP_AWS_SNAPSHOT_TIMEOUT") || "60", "--snapshot-timeout", 60)),
     snapshotConcurrency: Math.max(1, Math.round(toPosNum(options.snapshotConcurrency || envText("MCP_AWS_SNAPSHOT_CONCURRENCY") || DEFAULT_SNAPSHOT_CONCURRENCY, "--snapshot-concurrency", DEFAULT_SNAPSHOT_CONCURRENCY))),
     snapshotMaxBytes: Math.round(toPosNum(options.snapshotMaxKb || envText("MCP_AWS_SNAPSHOT_MAX_KB") || "64", "--snapshot-max-kb", 64)) * 1024,
+    manualServerListPath: options.manualServerListPath
+      ? path.resolve(expandHome(options.manualServerListPath))
+      : (envText("MCP_AWS_MANUAL_SERVER_LIST") ? path.resolve(expandHome(envText("MCP_AWS_MANUAL_SERVER_LIST"))) : null),
+    pemPaths: resolvePathList(options.pemPaths) || resolvePathList(envText("MCP_AWS_PEM_PATHS")),
+    sshUser: (options.sshUser || envText("MCP_AWS_SSH_USER") || "ec2-user").trim(),
+    sshPort: Math.round(toPosNum(options.sshPort || envText("MCP_AWS_SSH_PORT") || "22", "--ssh-port", 22)),
+    sshConnectTimeoutSec: Math.round(toPosNum(options.sshConnectTimeoutSec || envText("MCP_AWS_SSH_CONNECT_TIMEOUT") || "8", "--ssh-connect-timeout", 8)),
+    htmlOutPath: options.htmlOutPath
+      ? path.resolve(expandHome(options.htmlOutPath))
+      : (envText("MCP_AWS_HTML_OUT") ? path.resolve(expandHome(envText("MCP_AWS_HTML_OUT"))) : null),
+    openHtml: options.openHtml != null ? options.openHtml : envBool("MCP_AWS_OPEN_HTML"),
     autoSsoLogin: options.autoSsoLogin != null ? options.autoSsoLogin : (envText("MCP_AWS_AUTO_SSO_LOGIN") != null ? envBool("MCP_AWS_AUTO_SSO_LOGIN") : true),
     format,
     outPath: options.outPath ? path.resolve(expandHome(options.outPath)) : (envText("MCP_AWS_OUT") ? path.resolve(expandHome(envText("MCP_AWS_OUT"))) : null),
@@ -398,6 +574,52 @@ function validateConfig(config, warnings, requiredActions) {
   if (config.outPath) {
     fs.mkdirSync(path.dirname(config.outPath), { recursive: true });
   }
+  if (config.htmlOutPath) {
+    fs.mkdirSync(path.dirname(config.htmlOutPath), { recursive: true });
+  }
+
+  if (config.manualServerListPath) {
+    if (!fs.existsSync(config.manualServerListPath)) {
+      throw new Error(`--manual-server-list not found: ${config.manualServerListPath}`);
+    }
+
+    if (!config.includeEc2) {
+      warnings.push("manual-server-list mode forces EC2 records; enabling include-ec2.");
+      config.includeEc2 = true;
+    }
+
+    if (config.includeLambda || config.includeAlb || config.includeAsg || config.includeRds || config.includeElastiCache || config.includeRoute53) {
+      warnings.push("manual-server-list mode supports EC2-style server records only; non-EC2 inventory flags are ignored.");
+      config.includeLambda = false;
+      config.includeAlb = false;
+      config.includeAsg = false;
+      config.includeRds = false;
+      config.includeElastiCache = false;
+      config.includeRoute53 = false;
+    }
+
+    if (config.managedOnly) {
+      warnings.push("manual-server-list mode does not use SSM managed filters; disabling --managed-only.");
+      config.managedOnly = false;
+    }
+
+    if (config.autoRemediateSsm) {
+      warnings.push("manual-server-list mode does not support EC2 IAM profile remediation; disabling --auto-remediate-ssm.");
+      config.autoRemediateSsm = false;
+    }
+
+    if (Array.isArray(config.pemPaths) && config.pemPaths.length) {
+      for (const pemPath of config.pemPaths) {
+        if (fs.existsSync(pemPath)) continue;
+        pushRequiredAction(requiredActions, {
+          code: "PEM_KEY_NOT_FOUND",
+          message: `Configured PEM key not found: ${pemPath}`,
+          hint: "Fix --pem-paths or remove missing PEM paths."
+        });
+      }
+    }
+  }
+
   const includeAny = config.includeEc2
     || config.includeLambda
     || config.includeAlb
@@ -830,7 +1052,7 @@ async function ensureCallerIdentity(profileName, profileLabel, config, warnings,
           pushRequiredAction(requiredActions, {
             code: "SSO_REAUTH_REQUIRED",
             message: `Profile '${profileLabel}' still cannot authenticate after auto login.`,
-            hint: `Run 'aws sso login --profile ${profileName}'. Error: ${retryErr.message || String(retryErr)}`
+            hint: `Run 'aws sso login --profile ${profileName}'. If SSO/access key cannot be used, switch to manual fallback with --manual-server-list <path>. Error: ${retryErr.message || String(retryErr)}`
           });
           return { ok: false, accountId: null };
         }
@@ -839,7 +1061,7 @@ async function ensureCallerIdentity(profileName, profileLabel, config, warnings,
       pushRequiredAction(requiredActions, {
         code: "SSO_LOGIN_NEEDED",
         message: `Profile '${profileLabel}' requires interactive SSO login.`,
-        hint: `Run 'aws sso login --profile ${profileName}'. CLI: ${(login.stderr || "").trim() || "failed"}`
+        hint: `Run 'aws sso login --profile ${profileName}'. If SSO/access key cannot be used, use manual fallback with --manual-server-list <path>. CLI: ${(login.stderr || "").trim() || "failed"}`
       });
       return { ok: false, accountId: null };
     }
@@ -847,7 +1069,7 @@ async function ensureCallerIdentity(profileName, profileLabel, config, warnings,
     pushRequiredAction(requiredActions, {
       code: "AWS_CREDENTIALS_REQUIRED",
       message: `Profile '${profileLabel}' authentication failed.`,
-      hint: firstError
+      hint: `Configure SSO/access key, or use manual fallback with --manual-server-list <path>. Error: ${firstError}`
     });
     return { ok: false, accountId: null };
   } finally {
@@ -902,6 +1124,15 @@ async function buildDiscoveryPlan(config, warnings, requiredActions) {
 }
 
 function buildOperationPlan(config) {
+  if (config.manualServerListPath) {
+    const inventoryOps = ["inventory.manualServerList"];
+    const runtimeOps = [];
+    if (config.runtimeSnapshot) {
+      runtimeOps.push("runtime.snapshot.sshPem");
+    }
+    return { inventoryOps, runtimeOps };
+  }
+
   const inventoryOps = [];
   if (config.includeEc2) {
     inventoryOps.push("inventory.ec2");
@@ -1123,6 +1354,13 @@ function baseInventoryRecord(plan, region, resourceType, service, resourceId, na
     ssmPlatformName: null,
     ssmPlatformVersion: null,
     remediationStatus: null,
+    manualInput: false,
+    connectionMode: null,
+    sshHost: null,
+    sshUser: null,
+    sshPort: null,
+    sshPemPath: null,
+    sshPemKeyName: null,
     runtimeSnapshot: null,
     lambdaFunctionName: null,
     lambdaFunctionArn: null,
@@ -1306,6 +1544,131 @@ function addRoute53ZoneRecord(records, plan, zone, recordSetCount) {
   records.push(record);
 }
 
+function normalizeManualRecord(config, entry, index) {
+  const profile = asText(pickField(entry, ["profile", "awsProfile", "profileName"])) || "manual";
+  const accountId = asText(pickField(entry, ["accountId", "account", "accountNumber"])) || "manual";
+  const region = asText(pickField(entry, ["region", "awsRegion"])) || (config.regions && config.regions.length ? config.regions[0] : baseRegion());
+
+  const instanceId = asText(pickField(entry, ["instanceId", "instance", "id", "serverId"]));
+  const publicIp = asText(pickField(entry, ["publicIp", "publicIpv4", "ip", "ipAddress"]));
+  const privateIp = asText(pickField(entry, ["privateIp", "privateIpv4", "privateAddress"]));
+  const publicDns = asText(pickField(entry, ["publicDns", "dns", "publicHostname"]));
+  const host = asText(pickField(entry, ["host", "hostname", "address", "target", "endpoint", "sshHost"]))
+    || publicIp
+    || publicDns
+    || privateIp;
+  const name = asText(pickField(entry, ["name", "serverName", "displayName"])) || host || instanceId || `manual-${index + 1}`;
+  const state = asText(pickField(entry, ["state", "status"])) || "unknown";
+  const platform = asText(pickField(entry, ["platform", "os", "osType"])) || "Linux/UNIX";
+  const iamInstanceProfileArn = asText(pickField(entry, ["iamInstanceProfileArn", "instanceProfileArn"]));
+  const pemPathRaw = asText(pickField(entry, ["pemPath", "pemFile", "keyPath", "privateKeyPath"]));
+  const pemKeyName = asText(pickField(entry, ["pemKeyName", "keyName"]));
+  const sshUser = asText(pickField(entry, ["sshUser", "user", "username"])) || config.sshUser;
+  const sshPort = asInt(pickField(entry, ["sshPort", "port"])) || config.sshPort;
+  const ssmManaged = asBool(pickField(entry, ["ssmManaged", "isSsmManaged"]));
+  const ssmOnline = asBool(pickField(entry, ["ssmOnline", "isSsmOnline", "online"]));
+  const resourceId = instanceId || host || name || `manual-${index + 1}`;
+
+  const plan = { profileLabel: profile, accountId };
+  const record = baseInventoryRecord(plan, region, "ec2", "ec2", resourceId, name, state, platform);
+  record.instanceId = instanceId || resourceId;
+  record.privateIp = privateIp;
+  record.publicIp = publicIp;
+  record.publicDns = publicDns;
+  record.iamInstanceProfileArn = iamInstanceProfileArn;
+  record.ssmManaged = ssmManaged == null ? false : ssmManaged;
+  record.ssmOnline = ssmOnline == null ? false : ssmOnline;
+  record.manualInput = true;
+  record.connectionMode = "ssh-pem";
+  record.sshHost = host;
+  record.sshUser = sshUser;
+  record.sshPort = sshPort;
+  record.sshPemPath = pemPathRaw ? path.resolve(expandHome(pemPathRaw)) : null;
+  record.sshPemKeyName = pemKeyName;
+  return record;
+}
+
+async function collectManualInventory(config, warnings, requiredActions) {
+  const stats = {
+    profiles: 0,
+    regions: 0,
+    regionErrors: 0,
+    instancesScanned: 0,
+    lambdaFunctionsScanned: 0,
+    loadBalancersScanned: 0,
+    targetGroupsScanned: 0,
+    autoScalingGroupsScanned: 0,
+    rdsInstancesScanned: 0,
+    elasticacheClustersScanned: 0,
+    route53ZonesScanned: 0,
+    remediationAttempts: 0,
+    remediationChanged: 0,
+    manualServersScanned: 0,
+    manualServersLoaded: 0
+  };
+  const records = [];
+  const rows = loadManualServerEntries(config.manualServerListPath);
+  stats.manualServersScanned = rows.length;
+  const profileSet = new Set();
+  const regionSet = new Set();
+  const instanceFilter = config.instanceIds ? new Set(config.instanceIds) : null;
+
+  if (!rows.length) {
+    pushRequiredAction(requiredActions, {
+      code: "MANUAL_SERVER_LIST_EMPTY",
+      message: "manual-server-list file is empty.",
+      hint: "Provide JSON/CSV rows with at least host/publicIp/privateIp and optional pemPath."
+    });
+    return { records, stats };
+  }
+
+  rows.forEach((entry, index) => {
+    if (!entry || typeof entry !== "object") {
+      warnings.push(`manual-server-list row ${index + 1} is not an object; skipped.`);
+      return;
+    }
+
+    stats.instancesScanned += 1;
+    const record = normalizeManualRecord(config, entry, index);
+
+    if (instanceFilter && !instanceFilter.has(record.instanceId)) {
+      return;
+    }
+    if (config.publicOnly && !record.publicIp) {
+      return;
+    }
+
+    if (!record.sshHost) {
+      pushRequiredAction(requiredActions, {
+        code: "MANUAL_SERVER_HOST_REQUIRED",
+        message: `No SSH host could be resolved for manual record '${record.instanceId}'.`,
+        hint: "Set host/publicIp/privateIp/publicDns in manual server list."
+      });
+    }
+
+    if (record.sshPemPath && !fs.existsSync(record.sshPemPath)) {
+      pushRequiredAction(requiredActions, {
+        code: "PEM_KEY_NOT_FOUND",
+        message: `Configured PEM key not found: ${record.sshPemPath}`,
+        hint: "Fix pemPath in manual server list."
+      });
+    }
+
+    profileSet.add(record.profile || "manual");
+    regionSet.add(record.region || "unknown");
+    records.push(record);
+  });
+
+  stats.manualServersLoaded = records.length;
+  stats.profiles = profileSet.size || 1;
+  stats.regions = regionSet.size || 1;
+
+  if (!records.length) {
+    warnings.push("manual-server-list produced zero records after filters.");
+  }
+  return { records, stats };
+}
+
 async function collectInventory(config, plans, warnings, requiredActions) {
   const { ec2, ssm, lambda, elbv2, autoScaling, rds, elasticache, route53 } = loadAwsModules();
   const stats = {
@@ -1321,7 +1684,9 @@ async function collectInventory(config, plans, warnings, requiredActions) {
     elasticacheClustersScanned: 0,
     route53ZonesScanned: 0,
     remediationAttempts: 0,
-    remediationChanged: 0
+    remediationChanged: 0,
+    manualServersScanned: 0,
+    manualServersLoaded: 0
   };
   const records = [];
 
@@ -1696,7 +2061,233 @@ async function waitInvocation(ssmClient, commandId, instanceId, timeoutMs) {
   }
 
   return { ok: false, error: new Error("Timed out waiting for command invocation") };
-}
+}
+
+function normalizePemName(value) {
+  const base = path.basename(String(value || ""));
+  return base.replace(/\.pem$/i, "").toLowerCase();
+}
+
+function resolvePemForRecord(record, config) {
+  if (record.sshPemPath) {
+    const explicit = path.resolve(expandHome(record.sshPemPath));
+    if (fs.existsSync(explicit)) {
+      return explicit;
+    }
+    return null;
+  }
+
+  const configured = Array.isArray(config.pemPaths) ? config.pemPaths : [];
+  const existing = configured.filter((pemPath) => fs.existsSync(pemPath));
+  if (!existing.length) return null;
+  if (existing.length === 1) return existing[0];
+
+  if (record.sshPemKeyName) {
+    const hint = normalizePemName(record.sshPemKeyName);
+    const exact = existing.find((pemPath) => normalizePemName(pemPath) === hint);
+    if (exact) return exact;
+
+    const partial = existing.find((pemPath) => {
+      const base = normalizePemName(pemPath);
+      return base.includes(hint) || hint.includes(base);
+    });
+    if (partial) return partial;
+  }
+
+  return null;
+}
+
+function runSshCommand(args, timeoutMs) {
+  return new Promise((resolve) => {
+    const child = spawn("ssh", args, {
+      cwd: process.cwd(),
+      env: process.env,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+
+    let stdout = "";
+    let stderr = "";
+    let done = false;
+    let timedOut = false;
+
+    if (child.stdout) {
+      child.stdout.setEncoding("utf8");
+      child.stdout.on("data", (chunk) => { stdout += chunk; });
+    }
+    if (child.stderr) {
+      child.stderr.setEncoding("utf8");
+      child.stderr.on("data", (chunk) => { stderr += chunk; });
+    }
+
+    const timer = setTimeout(() => {
+      if (done) return;
+      timedOut = true;
+      done = true;
+      try { child.kill("SIGTERM"); } catch {}
+      resolve({ ok: false, code: null, stdout, stderr: stderr || "ssh timed out", timedOut, spawnError: null });
+    }, timeoutMs);
+    timer.unref();
+
+    child.on("error", (error) => {
+      if (done) return;
+      done = true;
+      clearTimeout(timer);
+      resolve({
+        ok: false,
+        code: null,
+        stdout,
+        stderr,
+        timedOut,
+        spawnError: error && error.message ? error.message : String(error)
+      });
+    });
+
+    child.on("close", (code) => {
+      if (done) return;
+      done = true;
+      clearTimeout(timer);
+      resolve({ ok: code === 0, code, stdout, stderr, timedOut, spawnError: null });
+    });
+  });
+}
+
+function sshSnapshotCommand(record) {
+  if (!isWindowsRecord(record)) {
+    return linuxSnapshotCommands().join(" ; ");
+  }
+
+  const script = windowsSnapshotCommands().join("; ").replace(/"/g, "\\\"");
+  return `powershell -NoProfile -NonInteractive -Command "${script}"`;
+}
+
+async function snapshotRecordViaSsh(record, config, warnings, requiredActions, sshAvailable) {
+  const host = asText(record.sshHost) || asText(record.publicIp) || asText(record.publicDns) || asText(record.privateIp);
+  const user = asText(record.sshUser) || config.sshUser || "ec2-user";
+  const port = asInt(record.sshPort) || config.sshPort || 22;
+  const collectedAt = new Date().toISOString();
+
+  if (!host) {
+    record.runtimeSnapshot = {
+      status: "skipped-no-host",
+      collectedAt,
+      output: "",
+      errorOutput: "No host/publicIp/privateIp/publicDns"
+    };
+    pushRequiredAction(requiredActions, {
+      code: "MANUAL_SERVER_HOST_REQUIRED",
+      message: `No SSH host could be resolved for manual record '${record.instanceId}'.`,
+      hint: "Set host/publicIp/privateIp/publicDns in manual server list."
+    });
+    return;
+  }
+
+  if (!sshAvailable) {
+    record.runtimeSnapshot = {
+      status: "failed-no-ssh-client",
+      collectedAt,
+      output: "",
+      errorOutput: "ssh command not found in PATH"
+    };
+    pushRequiredAction(requiredActions, {
+      code: "SSH_CLIENT_NOT_FOUND",
+      message: "OpenSSH client is not available in PATH.",
+      hint: "Install OpenSSH client and verify 'ssh -V' works."
+    });
+    return;
+  }
+
+  let pemPath = resolvePemForRecord(record, config);
+  let explicitPemMissing = false;
+  if (!pemPath && record.sshPemPath) {
+    const explicit = path.resolve(expandHome(record.sshPemPath));
+    if (!fs.existsSync(explicit)) {
+      explicitPemMissing = true;
+      pushRequiredAction(requiredActions, {
+        code: "PEM_KEY_NOT_FOUND",
+        message: `Configured PEM key not found: ${explicit}`,
+        hint: "Fix pemPath in manual server list or --pem-paths."
+      });
+    }
+  }
+
+  if (!pemPath) {
+    record.runtimeSnapshot = {
+      status: "skipped-no-pem",
+      collectedAt,
+      output: "",
+      errorOutput: "No PEM mapping was resolved for this server."
+    };
+    if (!explicitPemMissing) {
+      pushRequiredAction(requiredActions, {
+        code: "PEM_MAPPING_REQUIRED",
+        message: `No PEM key mapping for manual server '${record.instanceId}' (${host}).`,
+        hint: "Set pemPath per server or pass --pem-paths (single key or keyName-matchable list)."
+      });
+    }
+    return;
+  }
+
+  record.sshPemPath = pemPath;
+  const target = `${user}@${host}`;
+  const args = [
+    "-i", pemPath,
+    "-o", "BatchMode=yes",
+    "-o", "StrictHostKeyChecking=accept-new",
+    "-o", `ConnectTimeout=${config.sshConnectTimeoutSec}`,
+    "-p", String(port),
+    target,
+    sshSnapshotCommand(record)
+  ];
+
+  const run = await runSshCommand(args, config.snapshotTimeoutSec * 1000 + 15000);
+  if (run.spawnError) {
+    record.runtimeSnapshot = {
+      status: "failed-spawn",
+      collectedAt,
+      output: "",
+      errorOutput: run.spawnError
+    };
+    pushRequiredAction(requiredActions, {
+      code: "SSH_CLIENT_NOT_FOUND",
+      message: "Failed to start ssh client.",
+      hint: run.spawnError
+    });
+    return;
+  }
+
+  if (run.ok) {
+    record.runtimeSnapshot = {
+      status: "Success",
+      collectedAt,
+      transport: "ssh-pem",
+      host,
+      user,
+      port,
+      output: truncateText(run.stdout || "", config.snapshotMaxBytes),
+      errorOutput: truncateText(run.stderr || "", config.snapshotMaxBytes)
+    };
+    return;
+  }
+
+  const status = run.timedOut ? "failed-timeout" : "failed-ssh";
+  const detail = truncateText((run.stderr || run.stdout || "ssh command failed").trim(), config.snapshotMaxBytes);
+  record.runtimeSnapshot = {
+    status,
+    collectedAt,
+    transport: "ssh-pem",
+    host,
+    user,
+    port,
+    output: truncateText(run.stdout || "", config.snapshotMaxBytes),
+    errorOutput: detail
+  };
+  warnings.push(`[manual/${record.region || "unknown"}/${record.instanceId}] SSH snapshot failed: ${detail}`);
+  pushRequiredAction(requiredActions, {
+    code: "SSH_AUTH_OR_CONNECT_FAILED",
+    message: `SSH snapshot failed for ${record.instanceId} (${target}).`,
+    hint: detail || "Check network/security group/user/pem permissions."
+  });
+}
 
 async function snapshotRecord(record, planLookup, config, warnings, requiredActions) {
   const { ssm } = loadAwsModules();
@@ -1890,31 +2481,65 @@ async function collectRemediation(config, records, plans, warnings, requiredActi
 }
 
 async function collectSnapshots(config, records, plans, warnings, requiredActions) {
-  if (!config.runtimeSnapshot) return { attempted: 0, succeeded: 0 };
-  const targets = records.filter((r) => r.ssmOnline === true);
+  if (!config.runtimeSnapshot) {
+    return {
+      attempted: 0,
+      succeeded: 0,
+      ssmAttempted: 0,
+      ssmSucceeded: 0,
+      sshAttempted: 0,
+      sshSucceeded: 0
+    };
+  }
+
+  const ssmTargets = records.filter((r) => r.ssmOnline === true && r.manualInput !== true);
+  const sshTargets = records.filter((r) => r.resourceType === "ec2" && r.manualInput === true);
   const planLookup = new Map(plans.map((p) => [`${p.profileLabel}::${p.accountId}`, p]));
   let attempted = 0;
   let succeeded = 0;
+  let ssmAttempted = 0;
+  let ssmSucceeded = 0;
+  let sshAttempted = 0;
+  let sshSucceeded = 0;
 
-  await mapWithConcurrency(targets, config.snapshotConcurrency || DEFAULT_SNAPSHOT_CONCURRENCY, async (record) => {
+  await mapWithConcurrency(ssmTargets, config.snapshotConcurrency || DEFAULT_SNAPSHOT_CONCURRENCY, async (record) => {
     attempted += 1;
+    ssmAttempted += 1;
     await snapshotRecord(record, planLookup, config, warnings, requiredActions);
     if (record.runtimeSnapshot && record.runtimeSnapshot.status === "Success") {
       succeeded += 1;
+      ssmSucceeded += 1;
     }
   });
 
-  return { attempted, succeeded };
+  const sshAvailable = sshTargets.length ? commandExists("ssh", ["-V"]) : true;
+  await mapWithConcurrency(sshTargets, config.snapshotConcurrency || DEFAULT_SNAPSHOT_CONCURRENCY, async (record) => {
+    attempted += 1;
+    sshAttempted += 1;
+    await snapshotRecordViaSsh(record, config, warnings, requiredActions, sshAvailable);
+    if (record.runtimeSnapshot && record.runtimeSnapshot.status === "Success") {
+      succeeded += 1;
+      sshSucceeded += 1;
+    }
+  });
+
+  return { attempted, succeeded, ssmAttempted, ssmSucceeded, sshAttempted, sshSucceeded };
 }
 
 async function executeRuntimeOperations(config, records, plans, warnings, requiredActions) {
-  const remediation = await collectRemediation(config, records, plans, warnings, requiredActions);
+  const remediation = config.manualServerListPath
+    ? { attempted: 0, changed: 0 }
+    : await collectRemediation(config, records, plans, warnings, requiredActions);
   const snapshots = await collectSnapshots(config, records, plans, warnings, requiredActions);
   return {
     remediationAttempts: remediation.attempted,
     remediationChanged: remediation.changed,
     snapshotAttempted: snapshots.attempted,
-    snapshotSucceeded: snapshots.succeeded
+    snapshotSucceeded: snapshots.succeeded,
+    snapshotSsmAttempted: snapshots.ssmAttempted,
+    snapshotSsmSucceeded: snapshots.ssmSucceeded,
+    snapshotSshAttempted: snapshots.sshAttempted,
+    snapshotSshSucceeded: snapshots.sshSucceeded
   };
 }
 
@@ -1957,6 +2582,13 @@ function toCsvRow(record) {
     ssmPlatformName: record.ssmPlatformName,
     ssmPlatformVersion: record.ssmPlatformVersion,
     remediationStatus: record.remediationStatus,
+    manualInput: record.manualInput,
+    connectionMode: record.connectionMode,
+    sshHost: record.sshHost,
+    sshUser: record.sshUser,
+    sshPort: record.sshPort,
+    sshPemPath: record.sshPemPath,
+    sshPemKeyName: record.sshPemKeyName,
     lambdaFunctionName: record.lambdaFunctionName,
     lambdaFunctionArn: record.lambdaFunctionArn,
     lambdaRuntime: record.lambdaRuntime,
@@ -2020,6 +2652,7 @@ function renderOutput(config, records) {
     "profile", "accountId", "region", "instanceId", "name", "state", "privateIp", "publicIp", "publicDns",
     "platform", "iamInstanceProfileArn", "ssmManaged", "ssmOnline", "ssmPingStatus", "ssmLastPingDateTime",
     "ssmAgentVersion", "ssmPlatformName", "ssmPlatformVersion", "remediationStatus",
+    "manualInput", "connectionMode", "sshHost", "sshUser", "sshPort", "sshPemPath", "sshPemKeyName",
     "lambdaFunctionName", "lambdaFunctionArn", "lambdaRuntime", "lambdaHandler", "lambdaRole", "lambdaLastModified",
     "lambdaState", "lambdaPackageType", "lambdaTimeoutSec", "lambdaMemoryMb", "lambdaVpcConfigured",
     "albArn", "albType", "albScheme", "albDnsName", "albVpcId", "albListenerPorts",
@@ -2039,6 +2672,295 @@ function renderOutput(config, records) {
   return lines.join("\n");
 }
 
+function htmlSafeJson(value) {
+  return JSON.stringify(value)
+    .replace(/</g, "\\u003c")
+    .replace(/>/g, "\\u003e")
+    .replace(/&/g, "\\u0026");
+}
+
+function renderHtmlReport(records) {
+  const payload = htmlSafeJson(Array.isArray(records) ? records : []);
+  return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>AWS Inventory Report</title>
+  <style>
+    :root {
+      --bg: #0b1220;
+      --panel: #121a2b;
+      --panel-2: #16233a;
+      --text: #eef4ff;
+      --muted: #a9bad8;
+      --line: #27406b;
+      --accent: #2dd4bf;
+      --accent-2: #38bdf8;
+      --warn: #f59e0b;
+    }
+    * { box-sizing: border-box; }
+    body {
+      margin: 0;
+      color: var(--text);
+      font-family: "Segoe UI", "Noto Sans KR", system-ui, sans-serif;
+      background: radial-gradient(1200px 600px at 10% -20%, #1e3a8a 0%, transparent 70%), linear-gradient(160deg, #0b1220 0%, #07101d 100%);
+      min-height: 100vh;
+    }
+    .wrap { max-width: 1280px; margin: 0 auto; padding: 24px; }
+    .hero {
+      background: linear-gradient(135deg, rgba(45, 212, 191, 0.15), rgba(56, 189, 248, 0.12));
+      border: 1px solid var(--line);
+      border-radius: 16px;
+      padding: 20px;
+      backdrop-filter: blur(6px);
+    }
+    .title { font-size: 28px; font-weight: 700; margin: 0; letter-spacing: 0.3px; }
+    .sub { margin: 8px 0 0; color: var(--muted); font-size: 13px; }
+    .grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(170px, 1fr)); gap: 10px; margin-top: 14px; }
+    .card { background: var(--panel); border: 1px solid var(--line); border-radius: 12px; padding: 10px 12px; }
+    .card .k { color: var(--muted); font-size: 12px; }
+    .card .v { margin-top: 4px; font-size: 18px; font-weight: 700; }
+    .tools {
+      margin-top: 16px;
+      display: grid;
+      grid-template-columns: 1fr 180px 120px 140px;
+      gap: 10px;
+    }
+    input, select, button {
+      width: 100%;
+      border-radius: 10px;
+      border: 1px solid var(--line);
+      background: var(--panel-2);
+      color: var(--text);
+      padding: 10px 12px;
+      font-size: 14px;
+    }
+    button {
+      cursor: pointer;
+      background: linear-gradient(135deg, var(--accent), var(--accent-2));
+      color: #042b33;
+      font-weight: 700;
+      border: none;
+    }
+    .table-wrap {
+      margin-top: 14px;
+      background: rgba(11, 18, 32, 0.65);
+      border: 1px solid var(--line);
+      border-radius: 14px;
+      overflow: auto;
+      max-height: calc(100vh - 320px);
+    }
+    table { width: 100%; border-collapse: collapse; min-width: 980px; }
+    th, td { padding: 9px 10px; border-bottom: 1px solid rgba(39, 64, 107, 0.45); text-align: left; font-size: 13px; }
+    th { position: sticky; top: 0; background: #0d1729; color: #d9e8ff; z-index: 1; }
+    td.muted { color: var(--muted); }
+    .tag {
+      display: inline-block;
+      border-radius: 99px;
+      padding: 2px 8px;
+      font-size: 12px;
+      background: #1f2f4f;
+      border: 1px solid var(--line);
+    }
+    .ok { color: #86efac; }
+    .warn { color: var(--warn); }
+    .mono { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; }
+    @media (max-width: 900px) {
+      .tools { grid-template-columns: 1fr; }
+      .wrap { padding: 12px; }
+      .title { font-size: 22px; }
+    }
+  </style>
+</head>
+<body>
+  <div class="wrap">
+    <section class="hero">
+      <h1 class="title">AWS Inventory GUI</h1>
+      <p class="sub">Interactive local report generated by mcp-aws-manager</p>
+      <div class="grid" id="summary"></div>
+      <div class="tools">
+        <input id="q" type="text" placeholder="Search instance/resource id, name, IP, profile, region..." />
+        <select id="serviceFilter"><option value="">All services</option></select>
+        <button id="btnReset" type="button">Reset</button>
+        <button id="btnCsv" type="button">Download CSV</button>
+      </div>
+    </section>
+    <div class="table-wrap">
+      <table>
+        <thead>
+          <tr>
+            <th>service</th>
+            <th>resourceType</th>
+            <th>resourceId</th>
+            <th>name</th>
+            <th>profile</th>
+            <th>region</th>
+            <th>state</th>
+            <th>privateIp</th>
+            <th>publicIp</th>
+            <th>ssm</th>
+            <th>snapshot</th>
+          </tr>
+        </thead>
+        <tbody id="rows"></tbody>
+      </table>
+    </div>
+  </div>
+  <script>
+    const records = ${payload};
+    const qEl = document.getElementById("q");
+    const serviceEl = document.getElementById("serviceFilter");
+    const rowsEl = document.getElementById("rows");
+    const summaryEl = document.getElementById("summary");
+    const btnReset = document.getElementById("btnReset");
+    const btnCsv = document.getElementById("btnCsv");
+
+    const services = Array.from(new Set(records.map(r => r.service || ""))).filter(Boolean).sort();
+    for (const s of services) {
+      const op = document.createElement("option");
+      op.value = s;
+      op.textContent = s;
+      serviceEl.appendChild(op);
+    }
+
+    function esc(v) {
+      const span = document.createElement("span");
+      span.textContent = v == null ? "" : String(v);
+      return span.innerHTML;
+    }
+
+    function yesNo(v) {
+      if (v === true) return '<span class="tag ok">yes</span>';
+      if (v === false) return '<span class="tag warn">no</span>';
+      return '<span class="tag">n/a</span>';
+    }
+
+    function summarize(list) {
+      const byService = {};
+      for (const r of list) {
+        const key = r.service || "unknown";
+        byService[key] = (byService[key] || 0) + 1;
+      }
+      const cards = [];
+      cards.push({ k: "Total Records", v: list.length });
+      cards.push({ k: "EC2", v: list.filter(r => r.resourceType === "ec2").length });
+      cards.push({ k: "Lambda", v: list.filter(r => r.resourceType === "lambda").length });
+      cards.push({ k: "SSM Online", v: list.filter(r => r.ssmOnline === true).length });
+      cards.push({ k: "With Public IP", v: list.filter(r => !!r.publicIp).length });
+      for (const [k, v] of Object.entries(byService).sort((a, b) => a[0].localeCompare(b[0])).slice(0, 6)) {
+        cards.push({ k: "svc:" + k, v });
+      }
+      return cards;
+    }
+
+    function filterRows() {
+      const q = qEl.value.trim().toLowerCase();
+      const service = serviceEl.value;
+      return records.filter((r) => {
+        if (service && (r.service || "") !== service) return false;
+        if (!q) return true;
+        const bucket = [
+          r.resourceId, r.instanceId, r.name, r.profile, r.region, r.state,
+          r.privateIp, r.publicIp, r.publicDns, r.service, r.resourceType
+        ].map(v => (v == null ? "" : String(v).toLowerCase())).join("|");
+        return bucket.includes(q);
+      });
+    }
+
+    function render() {
+      const list = filterRows();
+      rowsEl.innerHTML = list.map((r) => \`
+        <tr>
+          <td><span class="tag">\${esc(r.service || "")}</span></td>
+          <td>\${esc(r.resourceType || "")}</td>
+          <td class="mono">\${esc(r.resourceId || "")}</td>
+          <td>\${esc(r.name || "")}</td>
+          <td>\${esc(r.profile || "")}</td>
+          <td>\${esc(r.region || "")}</td>
+          <td>\${esc(r.state || "")}</td>
+          <td class="mono muted">\${esc(r.privateIp || "")}</td>
+          <td class="mono">\${esc(r.publicIp || "")}</td>
+          <td>\${yesNo(r.ssmOnline)}</td>
+          <td>\${esc(r.runtimeSnapshot && r.runtimeSnapshot.status ? r.runtimeSnapshot.status : "")}</td>
+        </tr>
+      \`).join("");
+
+      const cards = summarize(list);
+      summaryEl.innerHTML = cards.map(c => \`<div class="card"><div class="k">\${esc(c.k)}</div><div class="v">\${esc(c.v)}</div></div>\`).join("");
+      window.__view = list;
+    }
+
+    function toCsv(list) {
+      const fields = [
+        "resourceType","service","resourceId","instanceId","name","profile","region","state",
+        "privateIp","publicIp","publicDns","ssmManaged","ssmOnline","runtimeSnapshot"
+      ];
+      const escCsv = (v) => {
+        if (v == null) return "";
+        const text = typeof v === "object" ? JSON.stringify(v) : String(v);
+        return /[",\\r\\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
+      };
+      const lines = [fields.join(",")];
+      for (const row of list) {
+        lines.push(fields.map(f => escCsv(row[f])).join(","));
+      }
+      return lines.join("\\n");
+    }
+
+    qEl.addEventListener("input", render);
+    serviceEl.addEventListener("change", render);
+    btnReset.addEventListener("click", () => {
+      qEl.value = "";
+      serviceEl.value = "";
+      render();
+    });
+    btnCsv.addEventListener("click", () => {
+      const csv = toCsv(window.__view || []);
+      const blob = new Blob([csv], { type: "text/csv;charset=utf-8;" });
+      const url = URL.createObjectURL(blob);
+      const a = document.createElement("a");
+      a.href = url;
+      a.download = "inventory-view.csv";
+      a.click();
+      URL.revokeObjectURL(url);
+    });
+    render();
+  </script>
+</body>
+</html>`;
+}
+
+function writeHtmlReport(config, records) {
+  if (!config.htmlOutPath) return null;
+  const html = renderHtmlReport(records);
+  fs.writeFileSync(config.htmlOutPath, html, "utf8");
+  eprint(`Wrote HTML report to ${config.htmlOutPath}`);
+  return config.htmlOutPath;
+}
+
+function tryOpenFile(targetPath) {
+  if (!targetPath) return { ok: false, detail: "empty path" };
+  const fullPath = path.resolve(targetPath);
+  try {
+    if (process.platform === "win32") {
+      const child = spawn("explorer.exe", [fullPath], { stdio: "ignore", detached: true, windowsHide: true });
+      child.unref();
+      return { ok: true, detail: "explorer.exe" };
+    }
+    if (process.platform === "darwin") {
+      const child = spawn("open", [fullPath], { stdio: "ignore", detached: true });
+      child.unref();
+      return { ok: true, detail: "open" };
+    }
+    const child = spawn("xdg-open", [fullPath], { stdio: "ignore", detached: true });
+    child.unref();
+    return { ok: true, detail: "xdg-open" };
+  } catch (error) {
+    return { ok: false, detail: error && error.message ? error.message : String(error) };
+  }
+}
+
 function writeOutput(config, content) {
   if (config.outPath) {
     fs.writeFileSync(config.outPath, content, "utf8");
@@ -2054,7 +2976,7 @@ async function runWorkflow(config) {
   const requiredActions = [];
 
   progress(config, 1, "orchestrator: parse user request and operation scope");
-  eprint(`Inputs: execution_mode=${INTERNAL_BACKEND_ID}, profiles=${config.profiles ? config.profiles.join(",") : "auto"}, regions=${config.regions ? config.regions.join(",") : "auto"}, include_ec2=${config.includeEc2 ? "on" : "off"}, include_lambda=${config.includeLambda ? "on" : "off"}, include_alb=${config.includeAlb ? "on" : "off"}, include_asg=${config.includeAsg ? "on" : "off"}, include_rds=${config.includeRds ? "on" : "off"}, include_elasticache=${config.includeElastiCache ? "on" : "off"}, include_route53=${config.includeRoute53 ? "on" : "off"}, public_only=${config.publicOnly ? "on" : "off"}, managed_only=${config.managedOnly ? "on" : "off"}, auto_remediate_ssm=${config.autoRemediateSsm ? "on" : "off"}, runtime_snapshot=${config.runtimeSnapshot ? "on" : "off"}, auto_sso_login=${config.autoSsoLogin ? "on" : "off"}`);
+  eprint(`Inputs: execution_mode=${INTERNAL_BACKEND_ID}, profiles=${config.profiles ? config.profiles.join(",") : "auto"}, regions=${config.regions ? config.regions.join(",") : "auto"}, include_ec2=${config.includeEc2 ? "on" : "off"}, include_lambda=${config.includeLambda ? "on" : "off"}, include_alb=${config.includeAlb ? "on" : "off"}, include_asg=${config.includeAsg ? "on" : "off"}, include_rds=${config.includeRds ? "on" : "off"}, include_elasticache=${config.includeElastiCache ? "on" : "off"}, include_route53=${config.includeRoute53 ? "on" : "off"}, public_only=${config.publicOnly ? "on" : "off"}, managed_only=${config.managedOnly ? "on" : "off"}, auto_remediate_ssm=${config.autoRemediateSsm ? "on" : "off"}, runtime_snapshot=${config.runtimeSnapshot ? "on" : "off"}, manual_server_list=${config.manualServerListPath || "off"}, pem_paths=${config.pemPaths && config.pemPaths.length ? config.pemPaths.length : 0}, ssh_user=${config.sshUser}, ssh_port=${config.sshPort}, html_out=${config.htmlOutPath || "off"}, open_html=${config.openHtml ? "on" : "off"}, auto_sso_login=${config.autoSsoLogin ? "on" : "off"}`);
 
   progress(config, 2, "config_validator: validate settings and output path");
   validateConfig(config, warnings, requiredActions);
@@ -2066,11 +2988,16 @@ async function runWorkflow(config) {
   const operationPlan = buildOperationPlan(config);
   eprint(`Operation plan: inventory=${operationPlan.inventoryOps.length ? operationPlan.inventoryOps.join(",") : "none"}; runtime=${operationPlan.runtimeOps.length ? operationPlan.runtimeOps.join(",") : "none"}`);
 
-  const plans = await buildDiscoveryPlan(config, warnings, requiredActions);
-  if (plans.length) {
-    eprint("Discovery plan: " + plans.map((p) => `${p.profileLabel}(${p.regions.length} regions)`).join(", "));
+  let plans = [];
+  if (config.manualServerListPath) {
+    eprint(`Discovery plan: manual server list mode (${config.manualServerListPath})`);
   } else {
-    warnings.push("No usable AWS profiles were found after validation.");
+    plans = await buildDiscoveryPlan(config, warnings, requiredActions);
+    if (plans.length) {
+      eprint("Discovery plan: " + plans.map((p) => `${p.profileLabel}(${p.regions.length} regions)`).join(", "));
+    } else {
+      warnings.push("No usable AWS profiles were found after validation.");
+    }
   }
 
   if (config.autoRemediateSsm) {
@@ -2078,23 +3005,30 @@ async function runWorkflow(config) {
   }
 
   progress(config, 5, "resource_inventory_collector: collect multi-service inventory");
-  const inventoryResult = await collectInventory(config, plans, warnings, requiredActions);
+  const inventoryResult = config.manualServerListPath
+    ? await collectManualInventory(config, warnings, requiredActions)
+    : await collectInventory(config, plans, warnings, requiredActions);
   const records = inventoryResult.records;
   const stats = inventoryResult.stats;
   eprint(`Collected inventory records: ${records.length}`);
 
   progress(config, 6, "runtime_operation_executor: execute runtime snapshot/remediation tasks");
   const ec2Records = records.filter((r) => r.resourceType === "ec2");
-  const unmanaged = ec2Records.filter((r) => !r.ssmManaged).length;
-  const offline = ec2Records.filter((r) => r.ssmManaged && !r.ssmOnline).length;
-  eprint(`Pre-runtime SSM state: unmanaged=${unmanaged}, managed_offline=${offline}`);
+  if (config.manualServerListPath) {
+    const manualTargets = ec2Records.filter((r) => r.manualInput === true).length;
+    eprint(`Pre-runtime manual SSH state: targets=${manualTargets}`);
+  } else {
+    const unmanaged = ec2Records.filter((r) => !r.ssmManaged).length;
+    const offline = ec2Records.filter((r) => r.ssmManaged && !r.ssmOnline).length;
+    eprint(`Pre-runtime SSM state: unmanaged=${unmanaged}, managed_offline=${offline}`);
 
-  if (unmanaged > 0 && !config.autoRemediateSsm) {
-    pushRequiredAction(requiredActions, {
-      code: "SSM_ROLE_OR_AGENT_REQUIRED",
-      message: `${unmanaged} instances are not SSM managed.`,
-      hint: "Attach instance profile with AmazonSSMManagedInstanceCore and verify SSM agent/network."
-    });
+    if (unmanaged > 0 && !config.autoRemediateSsm) {
+      pushRequiredAction(requiredActions, {
+        code: "SSM_ROLE_OR_AGENT_REQUIRED",
+        message: `${unmanaged} instances are not SSM managed.`,
+        hint: "Attach instance profile with AmazonSSMManagedInstanceCore and verify SSM agent/network."
+      });
+    }
   }
 
   const runtimeStats = await executeRuntimeOperations(config, records, plans, warnings, requiredActions);
@@ -2104,6 +3038,15 @@ async function runWorkflow(config) {
 
   progress(config, 8, "cli_output_formatter: render JSON/CSV and guidance payload");
   writeOutput(config, renderOutput(config, outputRecords));
+  const htmlPath = writeHtmlReport(config, outputRecords);
+  if (htmlPath && config.openHtml) {
+    const opened = tryOpenFile(htmlPath);
+    if (!opened.ok) {
+      warnings.push(`Failed to auto-open HTML report: ${opened.detail}`);
+    } else {
+      eprint(`Opened HTML report via ${opened.detail}`);
+    }
+  }
 
   progress(config, 9, "END: emit execution summary and evidence metadata");
   const outputEc2 = outputRecords.filter((r) => r.resourceType === "ec2");
@@ -2117,7 +3060,7 @@ async function runWorkflow(config) {
   const ssmManaged = outputEc2.filter((r) => r.ssmManaged).length;
   const ssmOnline = outputEc2.filter((r) => r.ssmOnline).length;
   const publicCount = outputEc2.filter((r) => Boolean(r.publicIp)).length;
-  eprint(`Summary: execution_mode=${INTERNAL_BACKEND_ID}, profiles=${stats.profiles}, regions_scanned=${stats.regions}, region_errors=${stats.regionErrors}, ec2_scanned=${stats.instancesScanned}, lambda_scanned=${stats.lambdaFunctionsScanned}, alb_scanned=${stats.loadBalancersScanned}, targetgroup_scanned=${stats.targetGroupsScanned}, asg_scanned=${stats.autoScalingGroupsScanned}, rds_scanned=${stats.rdsInstancesScanned}, elasticache_scanned=${stats.elasticacheClustersScanned}, route53_zone_scanned=${stats.route53ZonesScanned}, output_records=${outputRecords.length}, output_ec2=${outputEc2.length}, output_lambda=${outputLambda.length}, output_alb=${outputAlb.length}, output_target_group=${outputTargetGroups.length}, output_asg=${outputAsg.length}, output_rds=${outputRds.length}, output_elasticache=${outputElastiCache.length}, output_route53_zone=${outputRoute53.length}, ec2_public_ip_records=${publicCount}, ec2_ssm_managed=${ssmManaged}, ec2_ssm_online=${ssmOnline}, remediation_attempts=${runtimeStats.remediationAttempts}, remediation_changed=${runtimeStats.remediationChanged}, runtime_snapshot_attempted=${runtimeStats.snapshotAttempted}, runtime_snapshot_succeeded=${runtimeStats.snapshotSucceeded}, warnings=${warnings.length}, required_actions=${requiredActions.length}`);
+  eprint(`Summary: execution_mode=${INTERNAL_BACKEND_ID}, manual_mode=${config.manualServerListPath ? "on" : "off"}, profiles=${stats.profiles}, regions_scanned=${stats.regions}, region_errors=${stats.regionErrors}, ec2_scanned=${stats.instancesScanned}, lambda_scanned=${stats.lambdaFunctionsScanned}, alb_scanned=${stats.loadBalancersScanned}, targetgroup_scanned=${stats.targetGroupsScanned}, asg_scanned=${stats.autoScalingGroupsScanned}, rds_scanned=${stats.rdsInstancesScanned}, elasticache_scanned=${stats.elasticacheClustersScanned}, route53_zone_scanned=${stats.route53ZonesScanned}, manual_servers_scanned=${stats.manualServersScanned || 0}, manual_servers_loaded=${stats.manualServersLoaded || 0}, output_records=${outputRecords.length}, output_ec2=${outputEc2.length}, output_lambda=${outputLambda.length}, output_alb=${outputAlb.length}, output_target_group=${outputTargetGroups.length}, output_asg=${outputAsg.length}, output_rds=${outputRds.length}, output_elasticache=${outputElastiCache.length}, output_route53_zone=${outputRoute53.length}, ec2_public_ip_records=${publicCount}, ec2_ssm_managed=${ssmManaged}, ec2_ssm_online=${ssmOnline}, remediation_attempts=${runtimeStats.remediationAttempts}, remediation_changed=${runtimeStats.remediationChanged}, runtime_snapshot_attempted=${runtimeStats.snapshotAttempted}, runtime_snapshot_succeeded=${runtimeStats.snapshotSucceeded}, runtime_snapshot_ssm_attempted=${runtimeStats.snapshotSsmAttempted}, runtime_snapshot_ssm_succeeded=${runtimeStats.snapshotSsmSucceeded}, runtime_snapshot_ssh_attempted=${runtimeStats.snapshotSshAttempted}, runtime_snapshot_ssh_succeeded=${runtimeStats.snapshotSshSucceeded}, warnings=${warnings.length}, required_actions=${requiredActions.length}`);
   eprint(`EvidenceMeta: workflow_id=b60f0f18-cc45-4af9-a7c7-217284457759; schema=gesia.orflow.contract.v2; step_count=${TOTAL_STEPS}; execution_mode=${INTERNAL_BACKEND_ID}; inventory_ops=${operationPlan.inventoryOps.length}; runtime_ops=${operationPlan.runtimeOps.length}`);
 
   for (const warning of warnings) eprint(`WARNING: ${warning}`);