Release 0.2.0 - Enhanced Security Operations

🚀 Major Features

Comprehensive Wazuh Integration

• 14 Security Tools: Complete coverage of Wazuh SIEM capabilities including alerts, vulnerabilities, agents, processes, network ports, logs, statistics, and cluster management
• Dual API Support: Seamless integration with both Wazuh Indexer (for alerts) and Wazuh Manager (for agents, rules, vulnerabilities, and system data)
• Agent-Specific Intelligence: Deep visibility into individual agent processes, network ports, and vulnerability assessments

Advanced Vulnerability Management

• Critical Vulnerability Detection: Dedicated tool for identifying and prioritizing critical security vulnerabilities
• Multi-Severity Filtering: Support for filtering vulnerabilities by severity levels (Low, Medium, High, Critical)
• CVE-Specific Search: Ability to search for specific CVE identifiers across agent vulnerability data
• CVSS Score Integration: Display of CVSS2 and CVSS3 scores for comprehensive risk assessment

System Monitoring & Forensics

• Process Analysis: Real-time monitoring of running processes on Wazuh agents with memory usage and command details
• Network Port Monitoring: Comprehensive network security assessment with protocol, state, and process association
• Log Analysis: Advanced log searching and filtering capabilities for incident investigation
• Performance Statistics: Weekly aggregated statistics and daemon-specific metrics for operational monitoring

Compliance Framework Support

• Regulatory Mapping: Display of GDPR, HIPAA, PCI-DSS, and NIST 800-53 compliance mappings in security rules
• Audit Trail Support: Comprehensive logging and monitoring capabilities for compliance requirements

Cluster Management

• Health Monitoring: Real-time cluster health assessment with detailed status reporting
• Node Management: Comprehensive cluster node information including status, type, and connectivity
• Distributed Architecture: Support for multi-node Wazuh deployments

Statistics & Analytics

• Weekly Aggregations: Comprehensive weekly statistics for trend analysis
• Daemon Metrics: Detailed statistics from remoted and log collector daemons
• Performance Monitoring: Queue sizes, message counts, and throughput metrics

🔄 Breaking Changes

• Agent ID Format: All agent-specific tools now require string-formatted agent IDs
• Parameter Validation: Stricter input validation with improved error messages
• Environment Variables: Updated configuration requirements for dual API support

This release (version 0.1.2) marks a significant refactor of the mcp-server-wazuh application, migrating to the rmcp framework for handling Model Context Protocol (MCP) communication. This change simplifies the server's architecture, focusing on stdio transport and providing a more robust and standardized way of defining and exposing tools.

Here's a summary of the key changes:

Highlights / Major Changes:

• Migration to rmcp Framework: The server now leverages the rmcp crate for all MCP server logic, including transport (stdio), tool definition, and request handling. This replaces the previous custom HTTP and stdio service implementations.
• Stdio Focus: The primary mode of operation is now JSON-RPC 2.0 over stdio, aligning with common MCP client patterns. The previous HTTP service has been removed.
• Revamped Testing Suite: The testing strategy has been completely overhauled to work with the rmcp framework. New integration tests (rmcp_integration_test.rs), stdio protocol tests (mcp_stdio_test.rs), and a mock Wazuh server (mock_wazuh_server.rs) have been introduced.
• Simplified Tooling: The server now exposes a primary tool get_wazuh_alert_summary for fetching Wazuh alerts, with clear input schema defined using schemars.

New Features & Enhancements:

• Standardized MCP Implementation: Adherence to MCP standards is now managed by the rmcp library.
• Clear Tool Definition: Tools are defined using rmcp's #[tool] macros, providing automatic schema generation for client discovery.
• Improved Testability: The new testing structure allows for more focused and reliable tests of the MCP protocol and integration with a mock Wazuh API.
• Wazuh Client Flexibility: The internal Wazuh client can now be configured to use HTTP or HTTPS, facilitating testing against mock servers.

Fixes:

• Docker GLIBC Compatibility: The Dockerfile's final stage base image has been updated from debian:bullseye-slim to debian:bookworm-slim to resolve GLIBC version incompatibilities when running the compiled binary.

Breaking Changes:

• HTTP Service Removal: The previous HTTP-based MCP service and /health endpoint have been removed. The server now operates exclusively over stdio.
• Configuration Changes: While core Wazuh connection variables remain, MCP_SERVER_PORT is no longer applicable.
• Tooling Changes: The way tools are defined and called has changed due to the rmcp integration. The primary tool is now get_wazuh_alert_summary. The previous provideContext and other custom methods are superseded by rmcp's tools/list and tools/call mechanisms.
• CLI Client Removed: The mcp_client_cli binary, previously part of the dev-dependencies and build, has been removed. Interaction for testing is now primarily through direct stdio or programmatic clients.

Dependency Updates:

• Added:
  • rmcp (core framework)
  • schemars (for JSON schema generation for tools)
  • tokio-test, tempfile (for dev dependencies)
• Removed:
  • axum (HTTP framework)
  • jsonwebtoken
  • tower-http
• Updated:
  • tokio to v1.x
  • tracing-subscriber features updated.
  • chrono updated to 0.4.41.
• Project metadata in Cargo.toml updated with license, repository, and readme fields.

Internal Changes / Refactoring:

• The entire src/main.rs has been rewritten to implement rmcp::ServerHandler and rmcp::ServiceExt.
• Removed internal modules related to the old HTTP service, stdio handling, and MCP protocol implementation (http_service.rs, stdio_service.rs, mcp/*).
• Logging utilities (logging_utils.rs) have been removed; standard tracing is used.
• src/lib.rs simplified to re-export necessary items from the wazuh module.
• src/wazuh/error.rs no longer includes Axum-specific error handling.
• Docker compose files (docker-compose-*.yml) have been moved into a docker/ subdirectory.
• The run.sh script for local execution has been removed.

Documentation:

• README.md: Significantly updated to reflect the new rmcp-based architecture, stdio-only operation, installation instructions (including pre-built binaries and build from source), and revised examples for client configuration (e.g., Claude Desktop) and stdio interaction.
• tests/README.md: Rewritten to describe the new testing strategy, test files, and environment setup.

This release focuses on creating a more maintainable and standardized MCP server by adopting the rmcp framework, at the cost of removing the previous HTTP interface.