Skip to content

v1.1.0

Latest

Choose a tag to compare

@solomonneas solomonneas released this 10 Jun 17:13

Security hardening release. The headline change: TLS certificate verification
is now ON by default
for both the Wazuh manager and the Wazuh Indexer
connections. The previously published 1.0.0 shipped with verification off by
default; if you rely on a self-signed lab certificate, you must now opt out
explicitly with WAZUH_VERIFY_SSL=false and/or WAZUH_INDEXER_VERIFY_SSL=false
(the server prints a startup warning when you do).

Security

  • Verify TLS certificates by default for the manager and indexer clients;
    disabling verification is now an explicit opt-out that logs a startup
    warning (security: verify TLS by default).
  • Gate unredacted get_manager_config output behind the server-side
    WAZUH_ALLOW_SENSITIVE_CONFIG flag; a model-supplied tool argument can
    never enable it on its own.
  • Delimit attacker-influenced SIEM content returned to the model: alert
    full_log, alert rule_description, raw event data, and manager log
    descriptions are wrapped in <untrusted_siem_data> markers with an
    output.untrusted_data_note warning, and the affected tool descriptions
    flag the fields as data, never instructions.
  • Route all tool-level error returns through the safe-error sanitizer so
    errors that bypass the client wrappers (JSON parse errors with body
    snippets, URL errors) never reach the MCP client raw.
  • Fail fast at startup when WAZUH_INDEXER_URL is set without
    WAZUH_INDEXER_PASSWORD instead of silently sending an empty password.
  • Minimize sensitive tool output by default: agent IPs, alert full logs, raw
    event data, process command lines, file hashes, and manager log
    descriptions are hidden unless opted in per call.
  • Validate all MCP tool inputs with strict schemas: bounded pagination,
    length-limited search text, per-tool sort enums, and allowlisted
    identifiers for agent, alert, group, and SCA policy IDs.
  • Encode Wazuh API path segments to prevent path injection.
  • General security hardening pass across clients and tools, including
    sanitized diagnostics output that redacts URLs and never returns
    credentials.

Added

  • Indexer-backed vulnerability tools: list_vulnerabilities and
    search_vulnerabilities.
  • Response size caps via WAZUH_MCP_MAX_RESPONSE_BYTES (default 250000);
    oversized responses return a truncated JSON preview with
    output.response_truncated metadata instead of an error.
  • pagination object (total, limit, offset, has_more) on paginated
    tool responses, alongside the existing top-level fields.
  • Transient-error retries for manager GET and indexer search requests on
    429, 502, 503, 504, and common network reset or timeout errors.
  • AGENTS.md contributor guide and a scripts/verify entrypoint that runs
    test, typecheck, and build in order.

Changed

  • The MCP server version reported in handshakes is now derived from
    package.json instead of a hardcoded constant.
  • Documentation and test fixtures use RFC 5737 documentation addresses
    (192.0.2.x) instead of RFC 1918 space.
  • Dependencies refreshed; npm audit clean.

Fixed

  • Strip the draft-07 $schema marker the MCP SDK stamps on tool schemas,
    which some clients reject when listing the full tool set.

CI

  • Publish with npm provenance (npm publish --provenance with
    id-token: write).
  • Skip npm publish when the version already exists on the registry, making
    tag builds idempotent.