Security hardening release. The headline change: TLS certificate verification
is now ON by default for both the Wazuh manager and the Wazuh Indexer
connections. The previously published 1.0.0 shipped with verification off by
default; if you rely on a self-signed lab certificate, you must now opt out
explicitly with WAZUH_VERIFY_SSL=false and/or WAZUH_INDEXER_VERIFY_SSL=false
(the server prints a startup warning when you do).
Security
- Verify TLS certificates by default for the manager and indexer clients;
disabling verification is now an explicit opt-out that logs a startup
warning (security: verify TLS by default). - Gate unredacted
get_manager_configoutput behind the server-side
WAZUH_ALLOW_SENSITIVE_CONFIGflag; a model-supplied tool argument can
never enable it on its own. - Delimit attacker-influenced SIEM content returned to the model: alert
full_log, alertrule_description, raw eventdata, and manager log
descriptions are wrapped in<untrusted_siem_data>markers with an
output.untrusted_data_notewarning, and the affected tool descriptions
flag the fields as data, never instructions. - Route all tool-level error returns through the
safe-errorsanitizer so
errors that bypass the client wrappers (JSON parse errors with body
snippets, URL errors) never reach the MCP client raw. - Fail fast at startup when
WAZUH_INDEXER_URLis set without
WAZUH_INDEXER_PASSWORDinstead of silently sending an empty password. - Minimize sensitive tool output by default: agent IPs, alert full logs, raw
event data, process command lines, file hashes, and manager log
descriptions are hidden unless opted in per call. - Validate all MCP tool inputs with strict schemas: bounded pagination,
length-limited search text, per-tool sort enums, and allowlisted
identifiers for agent, alert, group, and SCA policy IDs. - Encode Wazuh API path segments to prevent path injection.
- General security hardening pass across clients and tools, including
sanitized diagnostics output that redacts URLs and never returns
credentials.
Added
- Indexer-backed vulnerability tools:
list_vulnerabilitiesand
search_vulnerabilities. - Response size caps via
WAZUH_MCP_MAX_RESPONSE_BYTES(default 250000);
oversized responses return a truncated JSON preview with
output.response_truncatedmetadata instead of an error. paginationobject (total,limit,offset,has_more) on paginated
tool responses, alongside the existing top-level fields.- Transient-error retries for manager
GETand indexer search requests on
429,502,503,504, and common network reset or timeout errors. AGENTS.mdcontributor guide and ascripts/verifyentrypoint that runs
test, typecheck, and build in order.
Changed
- The MCP server version reported in handshakes is now derived from
package.jsoninstead of a hardcoded constant. - Documentation and test fixtures use RFC 5737 documentation addresses
(192.0.2.x) instead of RFC 1918 space. - Dependencies refreshed;
npm auditclean.
Fixed
- Strip the draft-07
$schemamarker the MCP SDK stamps on tool schemas,
which some clients reject when listing the full tool set.
CI
- Publish with npm provenance (
npm publish --provenancewith
id-token: write). - Skip npm publish when the version already exists on the registry, making
tag builds idempotent.