Metadata-Version: 2.4
Name: fortigate-readonly-mcp
Version: 0.1.0
Summary: Local read-only MCP server for Fortigate administration over SSH
Author: Alberto Diaz
License-Expression: MIT
Project-URL: Homepage, https://github.com/Picaresco/MCP-Fortigate
Project-URL: Issues, https://github.com/Picaresco/MCP-Fortigate/issues
Keywords: mcp,fortigate,fortinet,ssh,readonly,security
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: System Administrators
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: mcp>=1.6.0
Requires-Dist: paramiko>=3.4.0
Requires-Dist: pydantic>=2.7.0
Dynamic: license-file

# Fortigate MCP

Local MCP server for querying a Fortigate over SSH in read-only mode.

Designed for FortiOS 7.4+ and for use from Codex and Claude Desktop over the `stdio` transport.

## Security

This MCP server does not run arbitrary commands. All tools are read-only, and the manual command tool `fortigate_run_readonly_command` validates its input against a strict allowlist.

It blocks tokens such as `config`, `edit`, `set`, `unset`, `delete`, `purge`, `execute`, `reboot`, `shutdown`, `restore`, `factoryreset`, `format` and `debug`.

Real security must also be enforced on the Fortigate itself by using an account with a read-only profile.
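
A sketch of the allowlist-plus-blocked-token check described above, added here as an illustration and not taken from this project's `server.py`. The blocked tokens are the ones listed in this README; the function name, `ALLOWED_PREFIXES`, the character set and the length limit are assumptions.

```python
import re

# Deny tokens exactly as listed in this README.
BLOCKED_TOKENS = frozenset({
    "config", "edit", "set", "unset", "delete", "purge", "execute",
    "reboot", "shutdown", "restore", "factoryreset", "format", "debug",
})

# Hypothetical allowlist: a command must start with one of these token prefixes.
ALLOWED_PREFIXES = (
    ("get", "system", "status"),
    ("get", "system", "interface"),
    ("get", "router", "info", "routing-table"),
    ("show", "firewall", "policy"),
    ("get", "vpn", "ipsec", "tunnel", "summary"),
)

# Characters permitted in a command (assumed set): no newlines, pipes, quotes or ';'.
SAFE_CHARS = re.compile(r"[A-Za-z0-9 ._:/-]+")


def validate_readonly_command(command: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one CLI line; fail closed on anything unexpected."""
    if not isinstance(command, str) or not command.strip():
        return False, "empty command"
    if len(command) > 200:
        return False, "command too long"
    # fullmatch on the raw string: a newline or control character would let a
    # second CLI line ride along in the same SSH write, so reject it outright.
    if not SAFE_CHARS.fullmatch(command):
        return False, "disallowed character"
    tokens = tuple(command.lower().split())
    blocked = sorted(BLOCKED_TOKENS.intersection(tokens))
    if blocked:
        return False, f"blocked token: {blocked[0]}"
    for prefix in ALLOWED_PREFIXES:
        if tokens[:len(prefix)] == prefix:
            return True, "ok"
    # Deny by default: the token list alone misses abbreviated keywords, which
    # the FortiOS CLI accepts, so anything without an exact prefix is refused.
    return False, "not in allowlist"
```

The blocked-token list works only as a second layer: the exact-prefix allowlist is what refuses abbreviated or unknown commands, and the read-only admin profile on the device remains the authoritative control.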

## Installation

```powershell
C:\Users\Alberto\AppData\Local\Programs\Python\Python311\python.exe -m venv .venv
.\.venv\Scripts\python.exe -m pip install -r requirements.txt
Copy-Item fortigate.config.example.json fortigate.config.json
```

It can also be installed as a Python package once it is published:

```powershell
python -m pip install fortigate-readonly-mcp
```

From TestPyPI:

```powershell
python -m pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ fortigate-readonly-mcp
```

Edit `fortigate.config.json`:

```json
{
  "fortigate": {
    "host": "192.168.1.1",
    "port": 22,
    "username": "admin",
    "password": "change-me",
    "timeout": 15,
    "banner_timeout": 15,
    "auth_timeout": 15,
    "look_for_keys": false,
    "allow_agent": false,
    "disabled_algorithms": {}
  }
}
```

`fortigate.config.json` is ignored by Git.

## MCP tools

- `fortigate_list_allowed_commands`
- `fortigate_get_system_status`
- `fortigate_get_interfaces`
- `fortigate_get_routes`
- `fortigate_get_firewall_policies`
- `fortigate_get_ipsec_vpns`
- `fortigate_get_ssl_vpn_users`
- `fortigate_get_ssl_vpn_lan_connections`
- `fortigate_get_auth_attack_summary`
- `fortigate_run_audit_readonly`
- `fortigate_get_public_exposure`
- `fortigate_find_policy_by_ip`
- `fortigate_get_interface_health`
- `fortigate_get_vpn_overview`
- `fortigate_export_readonly_snapshot`
- `fortigate_run_readonly_command`

## Configuration for Claude Desktop

Add this server to the Claude Desktop JSON, adjusting the path if it differs:

```json
{
  "mcpServers": {
    "fortigate": {
      "command": "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\.venv\\Scripts\\python.exe",
      "args": [
        "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\server.py"
      ],
      "env": {
        "FORTIGATE_MCP_CONFIG": "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\fortigate.config.json"
      }
    }
  }
}
```

If you install it from PyPI instead of running the repo's `server.py`, you can use the `fortigate-mcp` command:

```json
{
  "mcpServers": {
    "fortigate": {
      "command": "fortigate-mcp",
      "env": {
        "FORTIGATE_MCP_CONFIG": "C:\\ruta\\segura\\fortigate.config.json"
      }
    }
  }
}
```

## Configuration for Codex

Add this block to `C:\Users\Alberto\.codex\config.toml`:

```toml
[mcp_servers.fortigate]
command = 'C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\.venv\Scripts\python.exe'
args = ['C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\server.py']

[mcp_servers.fortigate.env]
FORTIGATE_MCP_CONFIG = 'C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\fortigate.config.json'
```

## Quick test

Validate syntax:

```powershell
.\.venv\Scripts\python.exe -m py_compile server.py
```

Verify with MCP Inspector:

```powershell
npx @modelcontextprotocol/inspector .\.venv\Scripts\python.exe server.py
```

## Publishing

Do not store PyPI/TestPyPI tokens in the repository. Use environment variables or interactive `twine`.

Local build:

```powershell
.\.venv\Scripts\python.exe -m pip install build twine
.\.venv\Scripts\python.exe -m build
.\.venv\Scripts\python.exe -m twine check dist/*
```

Upload to TestPyPI:

```powershell
$env:TWINE_USERNAME='__token__'
$env:TWINE_PASSWORD='<token-testpypi>'
.\.venv\Scripts\python.exe -m twine upload --repository-url https://test.pypi.org/legacy/ dist/*
```

Upload to PyPI:

```powershell
$env:TWINE_USERNAME='__token__'
$env:TWINE_PASSWORD='<token-pypi>'
.\.venv\Scripts\python.exe -m twine upload dist/*
```
