base2-mcp 0.1.0__py3-none-any.whl

app.py

@@ -0,0 +1,54 @@
+from __future__ import annotations
+
+import logging
+import sys
+
+from mcp.server.fastmcp import FastMCP
+
+from tools.overview_tools import register_overview_tools
+from tools.cfhighlander_tools import register_cfhighlander_tools
+from tools.shelvery_tools import register_shelvery_tools
+from tools.guardian_tools import register_guardian_tools
+from tools.monitorable_tools import register_monitorable_tools
+from tools.cfn_vpn_tools import register_cfn_vpn_tools
+from tools.bastion_tools import register_bastion_tools
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s %(name)s %(levelname)s %(message)s",
+    stream=sys.stderr,
+)
+logger = logging.getLogger(__name__)
+
+mcp = FastMCP(
+    name="base2-mcp",
+    instructions=(
+        "Base2 MCP Server — documentation, guidance, and CLI execution for "
+        "Base2 open-source AWS tools.\n\n"
+        "Supported tools:\n"
+        "- **cfhighlander**: CloudFormation DSL and component library\n"
+        "- **shelvery**: Automated AWS backups (EBS, RDS, EC2, Redshift, DocumentDB)\n"
+        "- **cfn-guardian**: CloudWatch alarm management via CloudFormation\n"
+        "- **monitorable**: CloudWatch alarm coverage auditing\n"
+        "- **cfn-vpn**: AWS Client VPN management via CloudFormation\n"
+        "- **bastion-cli**: Temporary bastion EC2 instances via Session Manager\n\n"
+        "Start with 'list_base2_tools' for an overview of all tools, or "
+        "'get_tool_docs' to read detailed documentation for a specific tool."
+    ),
+)
+
+register_overview_tools(mcp)
+register_cfhighlander_tools(mcp)
+register_shelvery_tools(mcp)
+register_guardian_tools(mcp)
+register_monitorable_tools(mcp)
+register_cfn_vpn_tools(mcp)
+register_bastion_tools(mcp)
+
+
+def main() -> None:
+    mcp.run(transport="stdio")
+
+
+if __name__ == "__main__":
+    main()

base2_mcp-0.1.0.dist-info/METADATA

@@ -0,0 +1,171 @@
+Metadata-Version: 2.4
+Name: base2-mcp
+Version: 0.1.0
+Summary: MCP server for Base2 open-source AWS tools — documentation, guidance, and CLI execution
+Author: Base2 Services
+License-Expression: MIT
+Keywords: aws,backup,bastion,cloudformation,mcp,monitoring,vpn
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.11
+Requires-Dist: mcp[cli]>=1.9.0
+Description-Content-Type: text/markdown
+
+# base2-mcp
+
+MCP server for Base2 open-source AWS tools — documentation, guidance, and CLI execution.
+
+## Supported Tools
+
+| Tool | Description | Install |
+|------|-------------|---------|
+| [cfhighlander](https://github.com/theonestack/cfhighlander) | CloudFormation DSL and component library | `gem install cfhighlander` |
+| [shelvery](https://github.com/base2Services/shelvery-aws-backups) | Automated AWS backups (EBS, RDS, EC2, Redshift, DocumentDB) | `pip install shelvery` |
+| [cfn-guardian](https://github.com/base2Services/cfn-guardian) | CloudWatch alarm management via CloudFormation | `gem install cfn-guardian` |
+| [monitorable](https://github.com/base2Services/monitorable) | CloudWatch alarm coverage auditing | Clone repo |
+| [cfn-vpn](https://github.com/base2Services/cfn-vpn) | AWS Client VPN management via CloudFormation | `gem install cfn-vpn` |
+| [bastion-cli](https://github.com/base2Services/bastion-cli) | Temporary bastion EC2 instances via Session Manager | [GitHub releases](https://github.com/base2Services/bastion-cli/releases) |
+
+## Quick Start
+
+### Cursor IDE (Recommended)
+
+Add to your `.cursor/mcp.json` (project-level) or `~/.cursor/mcp.json` (global):
+
+```json
+{
+  "mcpServers": {
+    "base2": {
+      "command": "uvx",
+      "args": ["--upgrade", "base2-mcp"]
+    }
+  }
+}
+```
+
+No manual install needed — `uvx` fetches the package from PyPI automatically and `--upgrade` ensures you always get the latest version on server restart.
+
+### Claude Desktop
+
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
+
+```json
+{
+  "mcpServers": {
+    "base2": {
+      "command": "uvx",
+      "args": ["--upgrade", "base2-mcp"]
+    }
+  }
+}
+```
+
+### Alternative: pin to a specific version
+
+If you need a stable version that won't change unexpectedly:
+
+```json
+{
+  "mcpServers": {
+    "base2": {
+      "command": "uvx",
+      "args": ["base2-mcp==0.1.0"]
+    }
+  }
+}
+```
+
+### Prerequisite: uv
+
+`uvx` is part of [uv](https://docs.astral.sh/uv/), a fast Python package manager. Install it with:
+
+```bash
+# macOS / Linux
+curl -LsSf https://astral.sh/uv/install.sh | sh
+
+# Windows
+powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
+
+# Or via pip
+pip install uv
+```
+
+## What It Does
+
+This MCP server gives AI agents two capabilities for each tool:
+
+1. **Documentation** — Embedded docs with CLI usage, configuration, examples, and best practices. The agent can read these to understand any tool without you explaining it.
+
+2. **CLI Execution** — Wrapper tools that run the actual CLI commands (`cfhighlander cfcompile`, `shelvery ebs create_backups`, `bastion launch`, etc.) and return structured output.
+
+### Available MCP Tools
+
+**Discovery:**
+- `list_base2_tools` — Overview of all 6 tools
+- `get_tool_docs` — Detailed documentation for a specific tool
+
+**cfhighlander:**
+- `cfhighlander_docs` / `cfhighlander_compile` / `cfhighlander_publish` / `cfhighlander_test` / `cfhighlander_validate`
+
+**shelvery:**
+- `shelvery_docs` / `shelvery_create_backups` / `shelvery_clean_backups` / `shelvery_pull_shared_backups`
+
+**cfn-guardian:**
+- `guardian_docs` / `guardian_compile` / `guardian_deploy` / `guardian_show_alarms` / `guardian_show_resources`
+
+**monitorable:**
+- `monitorable_docs` / `monitorable_audit`
+
+**cfn-vpn:**
+- `cfn_vpn_docs` / `cfn_vpn_init` / `cfn_vpn_modify` / `cfn_vpn_routes` / `cfn_vpn_sessions`
+
+**bastion-cli:**
+- `bastion_docs` / `bastion_launch` / `bastion_connect` / `bastion_terminate` / `bastion_port_forward`
+
+## Prerequisites
+
+The MCP server itself only needs Python 3.11+ and the `mcp` package. The CLI tools it wraps need to be installed separately — the server will tell the agent if a tool is missing and how to install it.
+
+## Development
+
+```bash
+# Install dependencies
+pip install -r requirements.txt -r requirements-dev.txt
+
+# Run tests
+pytest tests/ -v
+
+# Run the server locally (stdio mode)
+python src/app.py
+```
+
+## Architecture
+
+```
+base2-mcp/
+├── src/
+│   ├── app.py                    # FastMCP entry point (stdio transport)
+│   ├── docs/                     # Embedded markdown documentation
+│   │   ├── __init__.py           # Doc loader utility
+│   │   ├── cfhighlander.md
+│   │   ├── shelvery.md
+│   │   ├── guardian.md
+│   │   ├── monitorable.md
+│   │   ├── cfn_vpn.md
+│   │   └── bastion.md
+│   ├── executor/
+│   │   └── cli_runner.py         # Shared subprocess executor
+│   └── tools/                    # One module per tool
+│       ├── overview_tools.py     # list_base2_tools, get_tool_docs
+│       ├── cfhighlander_tools.py
+│       ├── shelvery_tools.py
+│       ├── guardian_tools.py
+│       ├── monitorable_tools.py
+│       ├── cfn_vpn_tools.py
+│       └── bastion_tools.py
+├── tests/                        # pytest suite (56 tests)
+├── pyproject.toml
+├── requirements.txt
+└── requirements-dev.txt
+```

base2_mcp-0.1.0.dist-info/RECORD

@@ -0,0 +1,23 @@
+__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+app.py,sha256=sNbbvdv0Y1bn5LpbeHnVsycY_s6ee1pBdDVQvA8ejDU,1815
+docs/__init__.py,sha256=9TLNUywZ35fBYuy05BheQciEhSGJVhHGEEw0fEUeEj0,668
+docs/bastion.md,sha256=_dg197MPbsfXukYJGwxJenm_-2HQm0vBk-foUu_vMuo,3672
+docs/cfhighlander.md,sha256=CejQX0pD_kKO19Awq_nuFxTBeKxqvILHUQYCIWmSn1c,5179
+docs/cfn_vpn.md,sha256=tZQnvU-4cbC98vOYxK3Qf4phHU_UhUJzY8VxaNBIJhU,2380
+docs/guardian.md,sha256=Z-oGa6e8LIZTVQpvWW4WKqnNYNztwk0nwH0128OMAXg,3184
+docs/monitorable.md,sha256=35HFs769HByrGm_WXye_tirpeKZvLyibrovCjADDEL0,2539
+docs/shelvery.md,sha256=eA_oZmH17UD4QzSKyPXJk00quxF4LIbrwIkRlIHg7d8,4459
+executor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+executor/cli_runner.py,sha256=y5Ou-y81ms7LnCGmUUZHuDwzCl-lsLycBzgjBWdQeGo,2469
+tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+tools/bastion_tools.py,sha256=OLNcoiieTZLlqsZKsY5xAJ8AaEbyoKdkGMZbjfsfumQ,4876
+tools/cfhighlander_tools.py,sha256=TAFDSoTb9bWO1f8TRqa0UAsd0xPhMrGR_pxcaJmohgw,5818
+tools/cfn_vpn_tools.py,sha256=XQC4TA3LGkUPNgDm--rcSNYFHHueE0qsfxhoZjXoSQ8,4348
+tools/guardian_tools.py,sha256=K4FFoWUbmlYemo3slCuRWFTCrJS_iEj0zooc-s8YGWY,3644
+tools/monitorable_tools.py,sha256=xrsR71u-U9aK0nDqR_s0MZ5ZJnb3SPGX_T0vxeNl6k0,2183
+tools/overview_tools.py,sha256=uir1zXGH9YcQOcYw7olVlgVTB8eAIEC6lxgSAjUj0So,2481
+tools/shelvery_tools.py,sha256=Ywt2Ap9v64zfcI0oVH6J490ye1GuUb1PFW5kssooNis,5735
+base2_mcp-0.1.0.dist-info/METADATA,sha256=les5mHRlgsmCbnxBW2iBgmoHzEES0e3kAsjecbIjClw,5607
+base2_mcp-0.1.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+base2_mcp-0.1.0.dist-info/entry_points.txt,sha256=yPZYCEC3vLL0y17JJGyaAfvA9pOmlEj_DnRYw3Au3o0,39
+base2_mcp-0.1.0.dist-info/RECORD,,

base2_mcp-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

base2_mcp-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+base2-mcp = app:main

docs/__init__.py

@@ -0,0 +1,30 @@
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Literal
+
+DOCS_DIR = Path(__file__).parent
+
+ToolName = Literal[
+    "cfhighlander",
+    "shelvery",
+    "guardian",
+    "monitorable",
+    "cfn_vpn",
+    "bastion",
+]
+
+TOOL_DOC_FILES: dict[ToolName, str] = {
+    "cfhighlander": "cfhighlander.md",
+    "shelvery": "shelvery.md",
+    "guardian": "guardian.md",
+    "monitorable": "monitorable.md",
+    "cfn_vpn": "cfn_vpn.md",
+    "bastion": "bastion.md",
+}
+
+
+def load_doc(tool: ToolName) -> str:
+    """Load the embedded markdown documentation for a tool."""
+    filename = TOOL_DOC_FILES[tool]
+    return (DOCS_DIR / filename).read_text()

docs/bastion.md

@@ -0,0 +1,138 @@
+# bastion-cli
+
+Temporary on-demand bastion EC2 instances via AWS Session Manager.
+
+- **Source**: https://github.com/base2Services/bastion-cli
+- **Language**: Go
+- **Install**: Download binary from [GitHub releases](https://github.com/base2Services/bastion-cli/releases) and add to PATH
+- **Supported OS**: macOS, Windows, Linux
+
+## Overview
+
+Bastion CLI creates and manages temporary on-demand bastion EC2 instances and connects to them using AWS Session Manager. Supports both Amazon Linux and Windows operating systems.
+
+## Prerequisites
+
+- AWS credentials configured
+- [AWS Session Manager Plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html) installed
+- For Windows RDP: Microsoft Remote Desktop (macOS) or mstsc (Windows)
+
+## CLI Commands
+
+```bash
+bastion --help                         # List all commands
+bastion COMMAND --help                 # Help for specific command
+
+# Launch a new Linux bastion
+bastion launch
+
+# Launch a new Windows bastion
+bastion launch-windows
+
+# Connect to an existing instance
+bastion start-session
+
+# Remote port forwarding
+bastion port-forward --remote-port 5432 --region ap-southeast-2
+
+# Terminate a bastion
+bastion terminate --session-id <session-id>
+```
+
+## Launching Linux Bastions
+
+```bash
+# Basic launch (auto-terminates after 2 hours)
+bastion launch
+
+# Extended expiry (5 hours)
+bastion launch --expire-after 300
+
+# No expiry (requires manual termination)
+bastion launch --no-expire
+
+# Prevent auto-terminate on session end
+bastion launch --no-terminate
+
+# SSH session with key
+bastion launch --ssh --ssh-key ~/.ssh/id_rsa.pub
+
+# SSH tunnel (e.g. to an RDS instance)
+bastion launch --ssh --ssh-key ~/.ssh/id_rsa.pub \
+  --ssh-opts '-L 3306:db.internal.example.com:3306'
+
+# Mount EFS filesystem
+bastion launch --efs fs-123456789
+
+# Mount EFS access points
+bastion launch --efs fs-123456789 \
+  --access-points fsap-12345678900000000,fsap-12345678900000001
+```
+
+## Launching Windows Bastions
+
+```bash
+# Basic launch
+bastion launch-windows
+
+# Launch with RDP session
+bastion launch-windows --rdp
+```
+
+When using `--rdp`, the CLI opens the RDP client and copies the Administrator password to clipboard.
+
+## Connecting to Existing Instances
+
+```bash
+# Interactive instance picker (any instance with SSM agent)
+bastion start-session
+```
+
+## Port Forwarding
+
+```bash
+bastion port-forward --remote-port 5432 --region ap-southeast-2
+```
+
+Creates an SSH tunnel through a bastion to a remote service (e.g. RDS on port 5432).
+
+## Instance Management
+
+### Session IDs
+
+Each launched bastion gets a session ID for reconnection or termination.
+
+### Default Behaviour
+
+- Instances use **spot pricing** by default (use `--on-demand` for critical bastions)
+- Linux instances **auto-terminate after 2 hours** by default
+- Instances **terminate when the session ends** by default
+
+### Tagging
+
+| Tag                  | Value                                     |
+|----------------------|-------------------------------------------|
+| `Name`               | `bastion-[session-id]`                    |
+| `bastion:session-id` | The session ID                            |
+| `bastion:launched-by`| IAM identity of the launcher              |
+
+### IAM
+
+Bastion CLI auto-creates an IAM policy, role, and instance profile named `BastionCliSessionManager` in the account with permissions for SSM messaging.
+
+## Terminating
+
+```bash
+bastion terminate --session-id <session-id>
+```
+
+Cleans up the EC2 instance and any associated resources.
+
+## Cancel Expiry
+
+If you launched with default expiry and want to keep the instance running:
+
+```bash
+# On the bastion instance as root
+atrm 1
+```

docs/cfhighlander.md

@@ -0,0 +1,145 @@
+# cfhighlander
+
+CloudFormation DSL and component library.
+
+- **Source**: https://github.com/theonestack/cfhighlander
+- **Language**: Ruby (gem)
+- **Install**: `gem install cfhighlander`
+
+## Overview
+
+Cfhighlander is a feature-rich tool and DSL for infrastructure coders working with CloudFormation templates. It allows you to:
+
+- Abstract AWS resources as **components** using cfhighlander DSL and cfndsl
+- Produce, validate, and publish CloudFormation templates from those components
+- Use **inheritance** and **composition** — components can be extended and built from other components
+- Discover and consume components from git repos, file system, or S3 buckets
+
+## CLI Commands
+
+```
+cfhighlander help                                        # List all commands
+cfhighlander cfcompile component[@version] -f FORMAT     # Compile to CloudFormation
+cfhighlander cfpublish component[@version] -f FORMAT     # Compile and publish to S3
+cfhighlander configcompile component[@version]           # Compile configuration only
+cfhighlander dslcompile component[@version] -f FORMAT    # Compile to intermediate cfndsl
+cfhighlander publish component[@version] [-v version]    # Publish component source to S3
+cfhighlander cftest component[@version] -f FORMAT        # Run component tests
+```
+
+### cfcompile
+
+Produces CloudFormation templates in the specified format (defaults to yaml). Use `--validate` to validate against AWS. Output goes to `$WORKDIR/out/$format`.
+
+### cfpublish
+
+Compiles and publishes templates to S3. Supports `--dstbucket`, `--dstprefix`, `-v` for version. Provides a quick-launch CloudFormation URL.
+
+### cftest
+
+Runs test cases defined as `*.test.yaml` files in a `tests/` directory. Each test file is compiled and validated against the AWS CloudFormation API.
+
+Options:
+- `-d, --directory=DIRECTORY` — Tests directory (default: tests)
+- `-t, --tests=LIST` — Specific test files
+- `--validate / --no-validate` — Validate template (default: true)
+- `-q, --quiet` — Silent mode for lambda packaging prompts
+- `-r, --report=FORMAT` — Output report as json or xml
+
+## Component Structure
+
+A cfhighlander component consists of:
+
+- `componentname.cfhighlander.rb` — Highlander DSL file (required)
+- `*.config.yaml` — Configuration files (optional)
+- `componentname.cfndsl.rb` — CfnDSL template (optional)
+- `*.mappings.yaml` — CloudFormation mappings (optional)
+- `componentname.mappings.rb` — Dynamic mappings (optional)
+- `ext/cfndsl/*.rb` — Ruby extensions for cfndsl (optional)
+
+## DSL Example
+
+```ruby
+CfhighlanderTemplate do
+  # Explicit VPC configuration
+  vpc_config = { 'maximum_availability_zones' => 2 }
+
+  Component name: 'vpc',
+        template: 'vpc@master.snapshot',
+        config: vpc_config do
+    parameter name: 'DnsDomain', value: 'example.com'
+  end
+
+  Component name: 'ecs', template: 'ecs@master.snapshot' do
+    parameter name: 'DnsDomain', value: 'example.com'
+  end
+end
+```
+
+## Component Library
+
+Available at https://github.com/theonestack — auto-resolved from `hl-component-$name`:
+
+- **vpc** — Public/private subnet separation, NAT gateways, route tables
+- **ecs** — ECS Cluster in VPC compute subnets
+- **bastion** — Bastion host in public subnets with IP whitelisting
+- **ecs-service** — Containerised apps on ECS
+- **loadbalancer** — ALB, ELB, or NLB
+- **sns** — SNS topics with Slack integration
+- **efs** — Elastic File System
+- **rds-mysql** / **rds-postgres** — RDS instances
+- **aurora-mysql** / **aurora-postgres** — Aurora clusters
+- **elasticache-memcache** / **elasticache-redis** — ElastiCache
+- **asg** — Auto Scaling Groups
+- **cognito** — Cognito user pools and clients
+
+## Component Sources
+
+```ruby
+CfhighlanderTemplate do
+  Component name: 'vpc0', template: 'vpc'                           # default github
+  Component name: 'vpc1', template: 'github:theonestack/hl-component-vpc#master'
+  Component name: 'vpc3', template: 'git:https://github.com/theonestack/hl-component-sns.git'
+  Component name: 'vpc5', template: 'vpc@1.0.4'                     # version tag
+end
+```
+
+## Configuration Hierarchy (lowest to highest priority)
+
+1. Component local config (`component.config.yaml`)
+2. Outer component config file (under `components` key)
+3. Outer component explicit config (`config:` parameter)
+4. Exported configuration from other components (`config_export`)
+
+## Environment Variables
+
+- `CFHIGHLANDER_WORKDIR` — Working directory for output (defaults to `$PWD`)
+- `CFHIGHLANDER_AWS_RETRY_LIMIT` — AWS SDK retry limit (default: 10)
+
+## Lambda Functions
+
+Cfhighlander can package and deploy Lambda functions defined in config:
+
+```yaml
+functions:
+  myapp:
+    role: default
+    code: src/app.py
+    runtime: python3.6
+    handler: app.index
+    timeout: 30
+    package_cmd: 'pip3 install -r requirements.txt -t .'
+    log_retention: 30
+```
+
+## Render Modes
+
+- **Substack** (default) — Creates nested CloudFormation stacks
+- **Inline** — Inlines all resources into the parent template
+
+```ruby
+CfhighlanderTemplate do
+  Component template: 'vpc@1.5.0', name: 'vpc', render: Inline
+  Component template: 'bastion@1.2.0', name: 'bastion', render: Substack
+end
+```

docs/cfn_vpn.md

@@ -0,0 +1,97 @@
+# cfn-vpn
+
+AWS Client VPN management via CloudFormation.
+
+- **Source**: https://github.com/base2Services/cfn-vpn
+- **Language**: Ruby (gem)
+- **Install**: `gem install cfn-vpn`
+- **Docs**: https://base2services.github.io/cfn-vpn/
+
+## Overview
+
+CfnVpn manages AWS Client VPN endpoints using CloudFormation. It handles the full lifecycle: initialization, modification, route management, user sessions, and teardown.
+
+## Prerequisites
+
+- AWS credentials configured
+- ACM certificate for the VPN server
+- VPC with subnets
+
+## CLI Commands
+
+```bash
+cfn-vpn help                          # List all commands
+cfn-vpn help COMMAND                  # Help for specific command
+
+# Initialize a new VPN
+cfn-vpn init my-vpn \
+  --server-cn my-vpn.example.com \
+  --subnet-ids subnet-abc123 \
+  --region ap-southeast-2
+
+# Modify VPN configuration
+cfn-vpn modify my-vpn \
+  --region ap-southeast-2 \
+  --dns-servers 10.0.0.2
+
+# Manage routes
+cfn-vpn routes my-vpn \
+  --region ap-southeast-2
+
+# View active sessions
+cfn-vpn sessions my-vpn \
+  --region ap-southeast-2
+
+# Generate client config
+cfn-vpn client my-vpn \
+  --region ap-southeast-2
+
+# Embed client config in browser
+cfn-vpn embedded my-vpn \
+  --region ap-southeast-2
+
+# Delete VPN
+cfn-vpn delete my-vpn \
+  --region ap-southeast-2
+```
+
+## Commands
+
+### init
+
+Creates a new Client VPN endpoint with CloudFormation. Requires:
+- `--server-cn` — Common name for the server certificate
+- `--subnet-ids` — VPC subnet(s) to associate
+- `--region` — AWS region
+
+Optional:
+- `--dns-servers` — Custom DNS servers
+- `--split-tunnel` — Enable split tunneling
+- `--protocol` — `udp` (default) or `tcp`
+- `--cidr` — Client CIDR block (default: `10.250.0.0/16`)
+
+### modify
+
+Updates an existing VPN's CloudFormation stack with new parameters.
+
+### routes
+
+Manages VPN authorization and routing rules. Add or remove routes to VPC subnets or external networks.
+
+### sessions
+
+Lists active VPN sessions, showing connected users and connection details.
+
+### client
+
+Generates an OpenVPN client configuration file for connecting to the VPN.
+
+### delete
+
+Tears down the VPN by deleting the CloudFormation stack and associated resources.
+
+## Authentication Methods
+
+- **Mutual TLS** — Client and server certificates (default)
+- **AWS SSO / SAML** — Federated authentication
+- **Active Directory** — AWS Directory Service integration