tunnel-manager 1.0.3__py3-none-any.whl → 1.0.5__py3-none-any.whl

tunnel_manager/tunnel_manager_mcp.py

@@ -8,9 +8,16 @@ import concurrent.futures
 import yaml
 import asyncio
 from typing import Optional, Dict, List, Union
-from tunnel_manager.tunnel_manager import Tunnel
-from fastmcp import FastMCP, Context
 from pydantic import Field
+from fastmcp import FastMCP, Context
+from fastmcp.server.auth.oidc_proxy import OIDCProxy
+from fastmcp.server.auth import OAuthProxy, RemoteAuthProvider
+from fastmcp.server.auth.providers.jwt import JWTVerifier, StaticTokenVerifier
+from fastmcp.server.middleware.logging import LoggingMiddleware
+from fastmcp.server.middleware.timing import TimingMiddleware
+from fastmcp.server.middleware.rate_limiting import RateLimitingMiddleware
+from fastmcp.server.middleware.error_handling import ErrorHandlingMiddleware
+from tunnel_manager.tunnel_manager import Tunnel
 
 # Initialize FastMCP
 mcp = FastMCP(name="TunnelServer")
@@ -2120,6 +2127,83 @@ def tunnel_manager_mcp():
         default=8000,
         help="Port number for HTTP transport (default: 8000)",
     )
+    parser.add_argument(
+        "--auth-type",
+        default="none",
+        choices=["none", "static", "jwt", "oauth-proxy", "oidc-proxy", "remote-oauth"],
+        help="Authentication type for MCP server: 'none' (disabled), 'static' (internal), 'jwt' (external token verification), 'oauth-proxy', 'oidc-proxy', 'remote-oauth' (external) (default: none)",
+    )
+    # JWT/Token params
+    parser.add_argument(
+        "--token-jwks-uri", default=None, help="JWKS URI for JWT verification"
+    )
+    parser.add_argument(
+        "--token-issuer", default=None, help="Issuer for JWT verification"
+    )
+    parser.add_argument(
+        "--token-audience", default=None, help="Audience for JWT verification"
+    )
+    # OAuth Proxy params
+    parser.add_argument(
+        "--oauth-upstream-auth-endpoint",
+        default=None,
+        help="Upstream authorization endpoint for OAuth Proxy",
+    )
+    parser.add_argument(
+        "--oauth-upstream-token-endpoint",
+        default=None,
+        help="Upstream token endpoint for OAuth Proxy",
+    )
+    parser.add_argument(
+        "--oauth-upstream-client-id",
+        default=None,
+        help="Upstream client ID for OAuth Proxy",
+    )
+    parser.add_argument(
+        "--oauth-upstream-client-secret",
+        default=None,
+        help="Upstream client secret for OAuth Proxy",
+    )
+    parser.add_argument(
+        "--oauth-base-url", default=None, help="Base URL for OAuth Proxy"
+    )
+    # OIDC Proxy params
+    parser.add_argument(
+        "--oidc-config-url", default=None, help="OIDC configuration URL"
+    )
+    parser.add_argument("--oidc-client-id", default=None, help="OIDC client ID")
+    parser.add_argument("--oidc-client-secret", default=None, help="OIDC client secret")
+    parser.add_argument("--oidc-base-url", default=None, help="Base URL for OIDC Proxy")
+    # Remote OAuth params
+    parser.add_argument(
+        "--remote-auth-servers",
+        default=None,
+        help="Comma-separated list of authorization servers for Remote OAuth",
+    )
+    parser.add_argument(
+        "--remote-base-url", default=None, help="Base URL for Remote OAuth"
+    )
+    # Common
+    parser.add_argument(
+        "--allowed-client-redirect-uris",
+        default=None,
+        help="Comma-separated list of allowed client redirect URIs",
+    )
+    # Eunomia params
+    parser.add_argument(
+        "--eunomia-type",
+        default="none",
+        choices=["none", "embedded", "remote"],
+        help="Eunomia authorization type: 'none' (disabled), 'embedded' (built-in), 'remote' (external) (default: none)",
+    )
+    parser.add_argument(
+        "--eunomia-policy-file",
+        default="mcp_policies.json",
+        help="Policy file for embedded Eunomia (default: mcp_policies.json)",
+    )
+    parser.add_argument(
+        "--eunomia-remote-url", default=None, help="URL for remote Eunomia server"
+    )
 
     args = parser.parse_args()
 
@@ -2127,6 +2211,133 @@ def tunnel_manager_mcp():
         print(f"Error: Port {args.port} is out of valid range (0-65535).")
         sys.exit(1)
 
+    # Set auth based on type
+    auth = None
+    allowed_uris = (
+        args.allowed_client_redirect_uris.split(",")
+        if args.allowed_client_redirect_uris
+        else None
+    )
+
+    if args.auth_type == "none":
+        auth = None
+    elif args.auth_type == "static":
+        # Internal static tokens (hardcoded example)
+        auth = StaticTokenVerifier(
+            tokens={
+                "test-token": {"client_id": "test-user", "scopes": ["read", "write"]},
+                "admin-token": {"client_id": "admin", "scopes": ["admin"]},
+            }
+        )
+    elif args.auth_type == "jwt":
+        if not (args.token_jwks_uri and args.token_issuer and args.token_audience):
+            print(
+                "Error: jwt requires --token-jwks-uri, --token-issuer, --token-audience"
+            )
+            sys.exit(1)
+        auth = JWTVerifier(
+            jwks_uri=args.token_jwks_uri,
+            issuer=args.token_issuer,
+            audience=args.token_audience,
+        )
+    elif args.auth_type == "oauth-proxy":
+        if not (
+            args.oauth_upstream_auth_endpoint
+            and args.oauth_upstream_token_endpoint
+            and args.oauth_upstream_client_id
+            and args.oauth_upstream_client_secret
+            and args.oauth_base_url
+            and args.token_jwks_uri
+            and args.token_issuer
+            and args.token_audience
+        ):
+            print(
+                "Error: oauth-proxy requires --oauth-upstream-auth-endpoint, --oauth-upstream-token-endpoint, --oauth-upstream-client-id, --oauth-upstream-client-secret, --oauth-base-url, --token-jwks-uri, --token-issuer, --token-audience"
+            )
+            sys.exit(1)
+        token_verifier = JWTVerifier(
+            jwks_uri=args.token_jwks_uri,
+            issuer=args.token_issuer,
+            audience=args.token_audience,
+        )
+        auth = OAuthProxy(
+            upstream_authorization_endpoint=args.oauth_upstream_auth_endpoint,
+            upstream_token_endpoint=args.oauth_upstream_token_endpoint,
+            upstream_client_id=args.oauth_upstream_client_id,
+            upstream_client_secret=args.oauth_upstream_client_secret,
+            token_verifier=token_verifier,
+            base_url=args.oauth_base_url,
+            allowed_client_redirect_uris=allowed_uris,
+        )
+    elif args.auth_type == "oidc-proxy":
+        if not (
+            args.oidc_config_url
+            and args.oidc_client_id
+            and args.oidc_client_secret
+            and args.oidc_base_url
+        ):
+            print(
+                "Error: oidc-proxy requires --oidc-config-url, --oidc-client-id, --oidc-client-secret, --oidc-base-url"
+            )
+            sys.exit(1)
+        auth = OIDCProxy(
+            config_url=args.oidc_config_url,
+            client_id=args.oidc_client_id,
+            client_secret=args.oidc_client_secret,
+            base_url=args.oidc_base_url,
+            allowed_client_redirect_uris=allowed_uris,
+        )
+    elif args.auth_type == "remote-oauth":
+        if not (
+            args.remote_auth_servers
+            and args.remote_base_url
+            and args.token_jwks_uri
+            and args.token_issuer
+            and args.token_audience
+        ):
+            print(
+                "Error: remote-oauth requires --remote-auth-servers, --remote-base-url, --token-jwks-uri, --token-issuer, --token-audience"
+            )
+            sys.exit(1)
+        auth_servers = [url.strip() for url in args.remote_auth_servers.split(",")]
+        token_verifier = JWTVerifier(
+            jwks_uri=args.token_jwks_uri,
+            issuer=args.token_issuer,
+            audience=args.token_audience,
+        )
+        auth = RemoteAuthProvider(
+            token_verifier=token_verifier,
+            authorization_servers=auth_servers,
+            base_url=args.remote_base_url,
+        )
+    mcp.auth = auth
+    if args.eunomia_type != "none":
+        from eunomia_mcp import create_eunomia_middleware
+
+        if args.eunomia_type == "embedded":
+            if not args.eunomia_policy_file:
+                print("Error: embedded Eunomia requires --eunomia-policy-file")
+                sys.exit(1)
+            middleware = create_eunomia_middleware(policy_file=args.eunomia_policy_file)
+            mcp.add_middleware(middleware)
+        elif args.eunomia_type == "remote":
+            if not args.eunomia_remote_url:
+                print("Error: remote Eunomia requires --eunomia-remote-url")
+                sys.exit(1)
+            middleware = create_eunomia_middleware(
+                use_remote_eunomia=args.eunomia_remote_url
+            )
+            mcp.add_middleware(middleware)
+
+    mcp.add_middleware(
+        ErrorHandlingMiddleware(include_traceback=True, transform_errors=True)
+    )
+    mcp.add_middleware(
+        RateLimitingMiddleware(max_requests_per_second=10.0, burst_capacity=20)
+    )
+    mcp.add_middleware(TimingMiddleware())
+    mcp.add_middleware(LoggingMiddleware())
+
     if args.transport == "stdio":
         mcp.run(transport="stdio")
     elif args.transport == "http":

{tunnel_manager-1.0.3.dist-info → tunnel_manager-1.0.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tunnel-manager
-Version: 1.0.3
+Version: 1.0.5
 Summary: Create SSH Tunnels to your remote hosts and host as an MCP Server for Agentic AI!
 Author-email: Audel Rouhi <knucklessg1@gmail.com>
 License: MIT
@@ -12,7 +12,7 @@ Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: fastmcp>=2.11.3
+Requires-Dist: fastmcp>=2.12.4
 Requires-Dist: paramiko>=4.0.0
 Dynamic: license-file
 
@@ -38,7 +38,7 @@ Dynamic: license-file
 ![PyPI - Wheel](https://img.shields.io/pypi/wheel/tunnel-manager)
 ![PyPI - Implementation](https://img.shields.io/pypi/implementation/tunnel-manager)
 
-*Version: 1.0.3*
+*Version: 1.0.5*
 
 This project provides a Python-based `Tunnel` class for secure SSH connections and file transfers, integrated with a FastMCP server (`tunnel_manager_mcp.py`) to expose these capabilities as tools for AI-driven workflows. The implementation supports both standard SSH (e.g., for local networks) and Teleport's secure access platform, leveraging the `paramiko` library for SSH operations.
 
@@ -84,135 +84,49 @@ This project provides a Python-based `Tunnel` class for secure SSH connections a
 <details>
   <summary><b>Usage:</b></summary>
 
-## Tunnel Class
-The `Tunnel` class can be used standalone for SSH operations. Examples:
-
-### Using RSA Keys
-```python
-from tunnel_manager.tunnel_manager import Tunnel
-
-# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
-tunnel = Tunnel(
-    remote_host="192.168.1.10",
-    username="admin",
-    password="mypassword",
-    identity_file="/path/to/id_rsa",
-    certificate_file="/path/to/cert",  # Optional for Teleport
-    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
-    ssh_config_file="~/.ssh/config",
-)
-
-# Connect and run a command
-tunnel.connect()
-out, err = tunnel.run_command("ls -la /tmp")
-print(f"Output: {out}\nError: {err}")
-
-# Upload a file
-tunnel.send_file("/local/file.txt", "/remote/file.txt")
-
-# Download a file
-tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
-
-# Setup passwordless SSH with RSA
-tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_rsa", key_type="rsa")
-
-# Copy SSH config
-tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
-
-# Rotate SSH key with RSA
-tunnel.rotate_ssh_key("/path/to/new_rsa_key", key_type="rsa")
-
-# Close the connection
-tunnel.close()
-```
-
-### Using Ed25519 Keys
-```python
-from tunnel_manager.tunnel_manager import Tunnel
-
-# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
-tunnel = Tunnel(
-    remote_host="192.168.1.10",
-    username="admin",
-    password="mypassword",
-    identity_file="/path/to/id_ed25519",
-    certificate_file="/path/to/cert",  # Optional for Teleport
-    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
-    ssh_config_file="~/.ssh/config",
-)
-
-# Connect and run a command
-tunnel.connect()
-out, err = tunnel.run_command("ls -la /tmp")
-print(f"Output: {out}\nError: {err}")
-
-# Upload a file
-tunnel.send_file("/local/file.txt", "/remote/file.txt")
-
-# Download a file
-tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
-
-# Setup passwordless SSH with Ed25519
-tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_ed25519", key_type="ed25519")
-
-# Copy SSH config
-tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
-
-# Rotate SSH key with Ed25519
-tunnel.rotate_ssh_key("/path/to/new_ed25519_key", key_type="ed25519")
-
-# Close the connection
-tunnel.close()
-```
-
-## Tunnel Manager CLI Usage
-The `tunnel_manager.py` script provides a CLI for managing SSH operations across hosts defined in an Ansible-style YAML inventory file. Below are examples for each command, targeting different inventory groups (`all`, `homelab`, `poweredge`). The CLI now supports both RSA and Ed25519 keys via the `--key-type` flag for relevant commands (default: `ed25519`).
-
-**Inventory File Example (`inventory.yml`)**:
-```yaml
-all:
-  hosts:
-    r510:
-      ansible_host: 192.168.1.10
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
-    r710:
-      ansible_host: 192.168.1.11
-      ansible_user: admin
-      ansible_ssh_pass: mypassword
-    gr1080:
-      ansible_host: 192.168.1.14
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
-homelab:
-  hosts:
-    r510:
-      ansible_host: 192.168.1.10
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
-    r710:
-      ansible_host: 192.168.1.11
-      ansible_user: admin
-      ansible_ssh_pass: mypassword
-    gr1080:
-      ansible_host: 192.168.1.14
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
-poweredge:
-  hosts:
-    r510:
-      ansible_host: 192.168.1.10
-      ansible_user: admin
-      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
-    r710:
-      ansible_host: 192.168.1.11
-      ansible_user: admin
-      ansible_ssh_pass: mypassword
-```
+### CLI
+| Short Flag | Long Flag            | Description                                              | Required | Default Value |
+|------------|----------------------|----------------------------------------------------------|----------|---------------|
+| -h         | --help               | Show usage for the script                                | No       | None          |
+|            | --log-file           | Log to specified file (default: console output)           | No       | Console       |
+|            | setup-all            | Setup passwordless SSH for all hosts in inventory         | Yes*     | None          |
+|            | --inventory          | YAML inventory path                                      | Yes      | None          |
+|            | --shared-key-path    | Path to shared private key                               | No       | ~/.ssh/id_shared |
+|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
+|            | --group              | Inventory group to target                                 | No       | all           |
+|            | --parallel           | Run operation in parallel                                | No       | False         |
+|            | --max-threads        | Max threads for parallel execution                       | No       | 5             |
+|            | run-command          | Run a shell command on all hosts in inventory            | Yes*     | None          |
+|            | --remote-command     | Shell command to run                                     | Yes      | None          |
+|            | copy-config          | Copy SSH config to all hosts in inventory                | Yes*     | None          |
+|            | --local-config-path  | Local SSH config path                                    | Yes      | None          |
+|            | --remote-config-path | Remote path for SSH config                               | No       | ~/.ssh/config |
+|            | rotate-key           | Rotate SSH keys for all hosts in inventory               | Yes*     | None          |
+|            | --key-prefix         | Prefix for new key paths (appends hostname)              | No       | ~/.ssh/id_    |
+|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
+|            | send-file            | Upload a file to all hosts in inventory                  | Yes*     | None          |
+|            | --local-path         | Local file path to upload                                | Yes      | None          |
+|            | --remote-path        | Remote destination path                                  | Yes      | None          |
+|            | receive-file         | Download a file from all hosts in inventory              | Yes*     | None          |
+|            | --remote-path        | Remote file path to download                             | Yes      | None          |
+|            | --local-path-prefix  | Local directory path prefix to save files                | Yes      | None          |
 
-Replace IPs, usernames, and passwords with your actual values.
+### Notes
+One of the commands (`setup-all`, `run-command`, `copy-config`, `rotate-key`, `send-file`, `receive-file`) must be specified as the first argument to `tunnel_manager.py`. Each command has required arguments that must be specified with flags:
+- `setup-all`: Requires `--inventory`.
+- `run-command`: Requires `--inventory` and `--remote-command`.
+- `copy-config`: Requires `--inventory` and `--local-config-path`.
+- `rotate-key`: Requires `--inventory`.
+- `send-file`: Requires `--inventory`, `--local-path`, and `--remote-path`.
+- `receive-file`: Requires `--inventory`, `--remote-path`, and `--local-path-prefix`.
 
-### CLI Commands
+### Additional Notes
+- Ensure `ansible_host` values in `inventory.yml` are resolvable IPs or hostnames.
+- Update `ansible_ssh_private_key_file` in the inventory after running `rotate-key`.
+- Use `--log-file` for file-based logging or omit for console output.
+- The `--parallel` option speeds up operations but may overload resources; adjust `--max-threads` as needed.
+- The `receive-file` command saves files to `local_path_prefix/<hostname>/<filename>` to preserve original filenames and avoid conflicts.
+- Ed25519 keys are recommended for better security and performance over RSA, but RSA is supported for compatibility with older systems.
 
 #### 1. Setup Passwordless SSH
 Set up passwordless SSH for hosts in the inventory, distributing a shared key. Use `--key-type` to specify RSA or Ed25519 (default: ed25519).
@@ -304,70 +218,267 @@ Download a file from all hosts in the specified group, saving to host-specific s
   tunnel-manager --log-file download_poweredge.log receive-file --inventory inventory.yml --remote-path /home/user/myfile.txt --local-path-prefix ./downloads --group poweredge
   ```
 
-### CLI Command Table
-| Short Flag | Long Flag            | Description                                              | Required | Default Value |
-|------------|----------------------|----------------------------------------------------------|----------|---------------|
-| -h         | --help               | Show usage for the script                                | No       | None          |
-|            | --log-file           | Log to specified file (default: console output)           | No       | Console       |
-|            | setup-all            | Setup passwordless SSH for all hosts in inventory         | Yes*     | None          |
-|            | --inventory          | YAML inventory path                                      | Yes      | None          |
-|            | --shared-key-path    | Path to shared private key                               | No       | ~/.ssh/id_shared |
-|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
-|            | --group              | Inventory group to target                                 | No       | all           |
-|            | --parallel           | Run operation in parallel                                | No       | False         |
-|            | --max-threads        | Max threads for parallel execution                       | No       | 5             |
-|            | run-command          | Run a shell command on all hosts in inventory            | Yes*     | None          |
-|            | --remote-command     | Shell command to run                                     | Yes      | None          |
-|            | copy-config          | Copy SSH config to all hosts in inventory                | Yes*     | None          |
-|            | --local-config-path  | Local SSH config path                                    | Yes      | None          |
-|            | --remote-config-path | Remote path for SSH config                               | No       | ~/.ssh/config |
-|            | rotate-key           | Rotate SSH keys for all hosts in inventory               | Yes*     | None          |
-|            | --key-prefix         | Prefix for new key paths (appends hostname)              | No       | ~/.ssh/id_    |
-|            | --key-type           | Key type (rsa or ed25519)                                | No       | ed25519       |
-|            | send-file            | Upload a file to all hosts in inventory                  | Yes*     | None          |
-|            | --local-path         | Local file path to upload                                | Yes      | None          |
-|            | --remote-path        | Remote destination path                                  | Yes      | None          |
-|            | receive-file         | Download a file from all hosts in inventory              | Yes*     | None          |
-|            | --remote-path        | Remote file path to download                             | Yes      | None          |
-|            | --local-path-prefix  | Local directory path prefix to save files                | Yes      | None          |
+### Tunnel Manager Inventory
 
-### Notes
-One of the commands (`setup-all`, `run-command`, `copy-config`, `rotate-key`, `send-file`, `receive-file`) must be specified as the first argument to `tunnel_manager.py`. Each command has required arguments that must be specified with flags:
-- `setup-all`: Requires `--inventory`.
-- `run-command`: Requires `--inventory` and `--remote-command`.
-- `copy-config`: Requires `--inventory` and `--local-config-path`.
-- `rotate-key`: Requires `--inventory`.
-- `send-file`: Requires `--inventory`, `--local-path`, and `--remote-path`.
-- `receive-file`: Requires `--inventory`, `--remote-path`, and `--local-path-prefix`.
+**Inventory File Example (`inventory.yml`)**:
 
-### Additional Notes
-- Ensure `ansible_host` values in `inventory.yml` are resolvable IPs or hostnames.
-- Update `ansible_ssh_private_key_file` in the inventory after running `rotate-key`.
-- Use `--log-file` for file-based logging or omit for console output.
-- The `--parallel` option speeds up operations but may overload resources; adjust `--max-threads` as needed.
-- The `receive-file` command saves files to `local_path_prefix/<hostname>/<filename>` to preserve original filenames and avoid conflicts.
-- Ed25519 keys are recommended for better security and performance over RSA, but RSA is supported for compatibility with older systems.
+```yaml
+all:
+  hosts:
+    r510:
+      ansible_host: 192.168.1.10
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
+    r710:
+      ansible_host: 192.168.1.11
+      ansible_user: admin
+      ansible_ssh_pass: mypassword
+    gr1080:
+      ansible_host: 192.168.1.14
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
+homelab:
+  hosts:
+    r510:
+      ansible_host: 192.168.1.10
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
+    r710:
+      ansible_host: 192.168.1.11
+      ansible_user: admin
+      ansible_ssh_pass: mypassword
+    gr1080:
+      ansible_host: 192.168.1.14
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_rsa"
+poweredge:
+  hosts:
+    r510:
+      ansible_host: 192.168.1.10
+      ansible_user: admin
+      ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
+    r710:
+      ansible_host: 192.168.1.11
+      ansible_user: admin
+      ansible_ssh_pass: mypassword
+```
+
+Replace IPs, usernames, and passwords with your actual values.
 
-## FastMCP Server
-The FastMCP server exposes the `Tunnel` functionality as AI-accessible tools. Start the server with:
 
+### MCP CLI
+
+| Short Flag | Long Flag                          | Description                                                                 |
+|------------|------------------------------------|-----------------------------------------------------------------------------|
+| -h         | --help                             | Display help information                                                    |
+| -t         | --transport                        | Transport method: 'stdio', 'http', or 'sse' [legacy] (default: stdio)       |
+| -s         | --host                             | Host address for HTTP transport (default: 0.0.0.0)                          |
+| -p         | --port                             | Port number for HTTP transport (default: 8000)                              |
+|            | --auth-type                        | Authentication type: 'none', 'static', 'jwt', 'oauth-proxy', 'oidc-proxy', 'remote-oauth' (default: none) |
+|            | --token-jwks-uri                   | JWKS URI for JWT verification                                              |
+|            | --token-issuer                     | Issuer for JWT verification                                                |
+|            | --token-audience                   | Audience for JWT verification                                              |
+|            | --oauth-upstream-auth-endpoint     | Upstream authorization endpoint for OAuth Proxy                             |
+|            | --oauth-upstream-token-endpoint    | Upstream token endpoint for OAuth Proxy                                    |
+|            | --oauth-upstream-client-id         | Upstream client ID for OAuth Proxy                                         |
+|            | --oauth-upstream-client-secret     | Upstream client secret for OAuth Proxy                                     |
+|            | --oauth-base-url                   | Base URL for OAuth Proxy                                                   |
+|            | --oidc-config-url                  | OIDC configuration URL                                                     |
+|            | --oidc-client-id                   | OIDC client ID                                                             |
+|            | --oidc-client-secret               | OIDC client secret                                                         |
+|            | --oidc-base-url                    | Base URL for OIDC Proxy                                                    |
+|            | --remote-auth-servers              | Comma-separated list of authorization servers for Remote OAuth             |
+|            | --remote-base-url                  | Base URL for Remote OAuth                                                  |
+|            | --allowed-client-redirect-uris     | Comma-separated list of allowed client redirect URIs                       |
+|            | --eunomia-type                     | Eunomia authorization type: 'none', 'embedded', 'remote' (default: none)   |
+|            | --eunomia-policy-file              | Policy file for embedded Eunomia (default: mcp_policies.json)              |
+|            | --eunomia-remote-url               | URL for remote Eunomia server                                              |
+
+### Using as an MCP Server
+
+The MCP Server can be run in two modes: `stdio` (for local testing) or `http` (for networked access). To start the server, use the following commands:
+
+#### Run in stdio mode (default):
 ```bash
-python tunnel_manager_mcp.py --transport stdio
+tunnel-manager-mcp --transport "stdio"
 ```
 
-Or for HTTP transport:
+#### Run in HTTP mode:
 ```bash
-python tunnel_manager_mcp.py --transport http --host 127.0.0.1 --port 8080
+tunnel-manager-mcp --transport "http"  --host "0.0.0.0"  --port "8000"
 ```
 
-</details>
+### Tunnel Class
+The `Tunnel` class can be used standalone for SSH operations. Examples:
 
-<details>
-  <summary><b>Installation Instructions:</b></summary>
+#### Using RSA Keys
+```python
+from tunnel_manager.tunnel_manager import Tunnel
 
-## Use with AI
+# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
+tunnel = Tunnel(
+    remote_host="192.168.1.10",
+    username="admin",
+    password="mypassword",
+    identity_file="/path/to/id_rsa",
+    certificate_file="/path/to/cert",  # Optional for Teleport
+    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
+    ssh_config_file="~/.ssh/config",
+)
+
+# Connect and run a command
+tunnel.connect()
+out, err = tunnel.run_command("ls -la /tmp")
+print(f"Output: {out}\nError: {err}")
+
+# Upload a file
+tunnel.send_file("/local/file.txt", "/remote/file.txt")
+
+# Download a file
+tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
+
+# Setup passwordless SSH with RSA
+tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_rsa", key_type="rsa")
+
+# Copy SSH config
+tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
+
+# Rotate SSH key with RSA
+tunnel.rotate_ssh_key("/path/to/new_rsa_key", key_type="rsa")
+
+# Close the connection
+tunnel.close()
+```
+
+#### Using Ed25519 Keys
+```python
+from tunnel_manager.tunnel_manager import Tunnel
+
+# Initialize with a remote host (assumes ~/.ssh/config or explicit params)
+tunnel = Tunnel(
+    remote_host="192.168.1.10",
+    username="admin",
+    password="mypassword",
+    identity_file="/path/to/id_ed25519",
+    certificate_file="/path/to/cert",  # Optional for Teleport
+    proxy_command="tsh proxy ssh %h",  # Optional for Teleport
+    ssh_config_file="~/.ssh/config",
+)
+
+# Connect and run a command
+tunnel.connect()
+out, err = tunnel.run_command("ls -la /tmp")
+print(f"Output: {out}\nError: {err}")
+
+# Upload a file
+tunnel.send_file("/local/file.txt", "/remote/file.txt")
+
+# Download a file
+tunnel.receive_file("/remote/file.txt", "/local/downloaded.txt")
+
+# Setup passwordless SSH with Ed25519
+tunnel.setup_passwordless_ssh(local_key_path="~/.ssh/id_ed25519", key_type="ed25519")
+
+# Copy SSH config
+tunnel.copy_ssh_config("/local/ssh_config", "~/.ssh/config")
+
+# Rotate SSH key with Ed25519
+tunnel.rotate_ssh_key("/path/to/new_ed25519_key", key_type="ed25519")
+
+# Close the connection
+tunnel.close()
+```
+
+### Deploy MCP Server as a Service
+
+The MCP server can be deployed using Docker, with configurable authentication, middleware, and Eunomia authorization.
+
+#### Using Docker Run
+
+```bash
+docker pull knucklessg1/tunnel-manager:latest
+
+docker run -d \
+  --name tunnel-manager-mcp \
+  -p 8004:8004 \
+  -e HOST=0.0.0.0 \
+  -e PORT=8004 \
+  -e TRANSPORT=http \
+  -e AUTH_TYPE=none \
+  -e EUNOMIA_TYPE=none \
+  knucklessg1/tunnel-manager:latest
+```
+
+For advanced authentication (e.g., JWT, OAuth Proxy, OIDC Proxy, Remote OAuth) or Eunomia, add the relevant environment variables:
+
+```bash
+docker run -d \
+  --name tunnel-manager-mcp \
+  -p 8004:8004 \
+  -e HOST=0.0.0.0 \
+  -e PORT=8004 \
+  -e TRANSPORT=http \
+  -e AUTH_TYPE=oidc-proxy \
+  -e OIDC_CONFIG_URL=https://provider.com/.well-known/openid-configuration \
+  -e OIDC_CLIENT_ID=your-client-id \
+  -e OIDC_CLIENT_SECRET=your-client-secret \
+  -e OIDC_BASE_URL=https://your-server.com \
+  -e ALLOWED_CLIENT_REDIRECT_URIS=http://localhost:*,https://*.example.com/* \
+  -e EUNOMIA_TYPE=embedded \
+  -e EUNOMIA_POLICY_FILE=/app/mcp_policies.json \
+  knucklessg1/tunnel-manager:latest
+```
+
+#### Using Docker Compose
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+  tunnel-manager-mcp:
+    image: knucklessg1/tunnel-manager:latest
+    environment:
+      - HOST=0.0.0.0
+      - PORT=8004
+      - TRANSPORT=http
+      - AUTH_TYPE=none
+      - EUNOMIA_TYPE=none
+    ports:
+      - 8004:8004
+```
+
+For advanced setups with authentication and Eunomia:
+
+```yaml
+services:
+  tunnel-manager-mcp:
+    image: knucklessg1/tunnel-manager:latest
+    environment:
+      - HOST=0.0.0.0
+      - PORT=8004
+      - TRANSPORT=http
+      - AUTH_TYPE=oidc-proxy
+      - OIDC_CONFIG_URL=https://provider.com/.well-known/openid-configuration
+      - OIDC_CLIENT_ID=your-client-id
+      - OIDC_CLIENT_SECRET=your-client-secret
+      - OIDC_BASE_URL=https://your-server.com
+      - ALLOWED_CLIENT_REDIRECT_URIS=http://localhost:*,https://*.example.com/*
+      - EUNOMIA_TYPE=embedded
+      - EUNOMIA_POLICY_FILE=/app/mcp_policies.json
+    ports:
+      - 8004:8004
+    volumes:
+      - ./mcp_policies.json:/app/mcp_policies.json
+```
+
+Run the service:
+
+```bash
+docker-compose up -d
+```
+
+#### Configure `mcp.json` for AI Integration
 
-Configure `mcp.json`
 ```json
 {
   "mcpServers": {
@@ -398,23 +509,10 @@ Configure `mcp.json`
   }
 }
 ```
+</details>
 
-### Deploy MCP Server as a Container
-```bash
-docker pull knucklessg1/tunnel-manager:latest
-```
-
-Modify the `compose.yml`
-```yaml
-services:
-  tunnel-manager:
-    image: knucklessg1/tunnel-manager:latest
-    environment:
-      - HOST=0.0.0.0
-      - PORT=8021
-    ports:
-      - 8021:8021
-```
+<details>
+  <summary><b>Installation Instructions:</b></summary>
 
 ### Install Python Package
 ```bash

tunnel_manager-1.0.5.dist-info/RECORD

@@ -0,0 +1,11 @@
+tests/test_tunnel.py,sha256=Dj6z1EM50uGqEJA0GBDP6L8ZPUMRAJNT7dAnwkuSgNU,2461
+tunnel_manager/__init__.py,sha256=cqAitAkoCcEkaCQcP7Y8tngiUK7pU6SIMlmpABShh9g,807
+tunnel_manager/__main__.py,sha256=Z1uxNLjwIjJpvu97bXrvsawnghJScA52E2wtAgg5MLo,152
+tunnel_manager/tunnel_manager.py,sha256=DZn2Zs0OPxB_2wWqkro--UbFLdoe8kivaeLvKZKWANM,39384
+tunnel_manager/tunnel_manager_mcp.py,sha256=W8glkvrtD0jxdddkOgEAz4YZMoKfqOYsNB2jdrTrqSY,84492
+tunnel_manager-1.0.5.dist-info/licenses/LICENSE,sha256=Z1xmcrPHBnGCETO_LLQJUeaSNBSnuptcDVTt4kaPUOE,1060
+tunnel_manager-1.0.5.dist-info/METADATA,sha256=6B1XWaT318I_xGl2cxwbnuJTztrOmC88fynozPQI_P4,25585
+tunnel_manager-1.0.5.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+tunnel_manager-1.0.5.dist-info/entry_points.txt,sha256=hYtm4jvOAew8CbeqqUBH2nXY51mSQwhF4GhU0yclV6c,154
+tunnel_manager-1.0.5.dist-info/top_level.txt,sha256=W4J-lyPPNeOS696f0LneZsP2MVERR8HE9UHbAFQ550A,21
+tunnel_manager-1.0.5.dist-info/RECORD,,

tunnel_manager-1.0.3.dist-info/RECORD

@@ -1,11 +0,0 @@
-tests/test_tunnel.py,sha256=Dj6z1EM50uGqEJA0GBDP6L8ZPUMRAJNT7dAnwkuSgNU,2461
-tunnel_manager/__init__.py,sha256=cqAitAkoCcEkaCQcP7Y8tngiUK7pU6SIMlmpABShh9g,807
-tunnel_manager/__main__.py,sha256=Z1uxNLjwIjJpvu97bXrvsawnghJScA52E2wtAgg5MLo,152
-tunnel_manager/tunnel_manager.py,sha256=DZn2Zs0OPxB_2wWqkro--UbFLdoe8kivaeLvKZKWANM,39384
-tunnel_manager/tunnel_manager_mcp.py,sha256=_TVDIH7fZpNsADbCKpMU8uzTUU41l9YqKNuK6dvaxl4,76157
-tunnel_manager-1.0.3.dist-info/licenses/LICENSE,sha256=Z1xmcrPHBnGCETO_LLQJUeaSNBSnuptcDVTt4kaPUOE,1060
-tunnel_manager-1.0.3.dist-info/METADATA,sha256=Es2jT6ZIlWs1miyKjAw6mK3K0V59ZkLIHtR81YFVh10,20683
-tunnel_manager-1.0.3.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-tunnel_manager-1.0.3.dist-info/entry_points.txt,sha256=hYtm4jvOAew8CbeqqUBH2nXY51mSQwhF4GhU0yclV6c,154
-tunnel_manager-1.0.3.dist-info/top_level.txt,sha256=W4J-lyPPNeOS696f0LneZsP2MVERR8HE9UHbAFQ550A,21
-tunnel_manager-1.0.3.dist-info/RECORD,,