Bump version to 4.0.8 and update README, docs, and changelog

- Add CHANGELOG entry for v4.0.8 documenting all 17 audit fixes
- Update README: 48 tools (was 29), security middleware, updated project structure
- Update docs/api/README: add active response, verification, and rollback tool categories
- Update docs/configuration.md: fix stale stdio/binary references to Docker commands
- Update docs/security/README.md: reflect auth on all endpoints, security middleware
- Update docs/ADVANCED_FEATURES.md: add middleware section, fix retry scope description
- Update docs/OPERATIONS.md: fix endpoint table for authenticated root and custom metrics
- Update MCP_COMPLIANCE_VERIFICATION.md: 48 tools (was 29)
- Bump version to 4.0.8 in pyproject.toml and __init__.py

Author: alokemajumder

CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.0.8] - 2026-02-26
+
+### Fixed
+- **Auth bypass on root endpoint**: The `/` MCP endpoint was missing authentication, allowing unauthenticated access to all tools when `AUTH_MODE=bearer`
+- **`_run_sync` RuntimeError catch**: Method raised RuntimeError as a safety guard but then caught its own exception in the `except` block, silently falling through
+- **`__contains__` async bug**: `SessionManager.__contains__` was defined as `async def` but Python's `in` operator doesn't `await`, always returning a truthy coroutine object
+- **`/auth/token` bypassing auth_manager**: Token endpoint compared raw API key strings instead of using `auth_manager.validate_api_key()` with proper format checks and constant-time hash comparison
+- **`search_security_events` ignoring query**: The `query` parameter was validated but never passed to the indexer, returning unfiltered results
+- **`cleanup_expired` signature mismatch**: `SessionManager.cleanup_expired()` didn't accept `timeout_minutes` parameter, causing TypeError when called from `HealthRecovery._recover_memory_pressure`
+- **Monitoring middleware not registered**: `setup_monitoring_middleware()` was defined but never registered on the FastAPI app, so no request tracking or correlation IDs were applied
+- **Prometheus `/metrics` empty**: `generate_latest()` was called without the custom `REGISTRY`, returning empty default registry instead of actual metrics
+
+### Added
+- Security middleware now registered on the FastAPI app, adding security headers (X-Content-Type-Options, X-Frame-Options, etc.) to all responses
+- `"12h"` added to `VALID_TIME_RANGES` and `"1d": 24` added to `_TIME_RANGE_HOURS` for consistent time range support
+- `"pending"` added to agent status enum in tool schema to match `VALID_AGENT_STATUSES`
+- Max size guard on `_initialized_sessions` dict to prevent unbounded memory growth (capped at 10,000 entries)
+- 23 new test cases covering audit fixes (33 total tests, up from 10)
+
+### Changed
+- `MCPResponse` now overrides Pydantic v2 `model_dump()` instead of deprecated v1 `dict()` method
+- `get_alerts` in `WazuhIndexerClient` refactored to use `_search()` helper for consistent retry logic
+- `analyze_security_threat`, `check_ioc_reputation`, and `check_blocked_ip` use recursive dict search instead of O(n) `json.dumps()` per alert
+- `_search()` in `WazuhIndexerClient` now accepts optional `sort` parameter
+
+### Removed
+- Dead `create_auth_endpoints()` function, `TokenRequest`/`TokenResponse` classes, and unused `HTTPException` import from `auth.py`
+
 ## [4.0.7] - 2026-02-25
 
 ### Added

MCP_COMPLIANCE_VERIFICATION.md

@@ -86,7 +86,7 @@ This document verifies that the Wazuh MCP Remote Server fully complies with the
 |-------------|--------|----------------|
 | **JSON-RPC 2.0** | ✅ COMPLIANT | Full JSON-RPC 2.0 compliance |
 | **Session management** | ✅ COMPLIANT | MCPSession class with state tracking |
-| **Tool registration** | ✅ COMPLIANT | 29 tools properly registered |
+| **Tool registration** | ✅ COMPLIANT | 48 tools properly registered |
 | **Error handling** | ✅ COMPLIANT | Standard MCP error codes |
 | **Capability negotiation** | ✅ COMPLIANT | Server capabilities exposed |
 
@@ -98,7 +98,7 @@ This document verifies that the Wazuh MCP Remote Server fully complies with the
 |--------|--------|----------------|
 | **initialize** | ✅ COMPLIANT | Session creation with capability negotiation |
 | **ping** | ✅ COMPLIANT | Returns empty `{}` per spec |
-| **tools/list** | ✅ COMPLIANT | 29 tools with pagination support |
+| **tools/list** | ✅ COMPLIANT | 48 tools with pagination support |
 | **tools/call** | ✅ COMPLIANT | Tool execution with error handling |
 | **prompts/list** | ✅ COMPLIANT | 4 security prompts with pagination |
 | **prompts/get** | ✅ COMPLIANT | Prompt content with argument substitution |
@@ -219,7 +219,7 @@ curl -X POST http://localhost:3000/mcp \
      -H "MCP-Session-Id: <session-id>" \
      -H "Content-Type: application/json" \
      -d '{"jsonrpc":"2.0","method":"tools/list","id":"2"}'
-# Expected: JSON-RPC response with 29 tools
+# Expected: JSON-RPC response with 48 tools
 
 # Test GET with SSE (requires Accept header)
 curl -H "Authorization: Bearer <token>" \

README.md

@@ -7,7 +7,7 @@
 
 **Production-ready MCP server connecting AI assistants to Wazuh SIEM.**
 
-> **Version 4.0.7** | Wazuh 4.8.0 - 4.14.3 | [Full Changelog](CHANGELOG.md)
+> **Version 4.0.8** | Wazuh 4.8.0 - 4.14.3 | [Full Changelog](CHANGELOG.md)
 
 ---
 
@@ -58,13 +58,13 @@ Agentic SOC:     Alert → AI triages → Seconds later → Response ready for a
 | Category | Capabilities |
 |----------|-------------|
 | **MCP Protocol** | 100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE |
-| **Security Tools** | 29 specialized tools for alerts, agents, vulnerabilities, compliance |
+| **Security Tools** | 48 specialized tools for alerts, agents, vulnerabilities, compliance, active response |
 | **Authentication** | OAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode |
-| **Production Ready** | Circuit breakers, rate limiting, graceful shutdown, Prometheus metrics |
+| **Production Ready** | Circuit breakers, rate limiting, security & monitoring middleware, Prometheus metrics |
 | **Deployment** | Docker containerized, multi-platform (AMD64/ARM64), serverless-ready |
 | **Token Efficiency** | Compact output mode reduces responses by ~66% |
 
-### 29 Security Tools
+### 48 Security Tools
 
 | Category | Tools |
 |----------|-------|
@@ -73,6 +73,9 @@ Agentic SOC:     Alert → AI triages → Seconds later → Response ready for a
 | **Vulnerabilities** (3) | `get_wazuh_vulnerabilities`, `get_wazuh_critical_vulnerabilities`, `get_wazuh_vulnerability_summary` |
 | **Security Analysis** (7) | `search_security_events`, `analyze_security_threat`, `check_ioc_reputation`, `perform_risk_assessment`, `get_top_security_threats`, `generate_security_report`, `run_compliance_check` |
 | **System** (10) | `get_wazuh_statistics`, `get_wazuh_weekly_stats`, `get_wazuh_cluster_health`, `get_wazuh_cluster_nodes`, `get_wazuh_rules_summary`, `get_wazuh_remoted_stats`, `get_wazuh_log_collector_stats`, `search_wazuh_manager_logs`, `get_wazuh_manager_error_logs`, `validate_wazuh_connection` |
+| **Active Response** (9) | `wazuh_block_ip`, `wazuh_isolate_host`, `wazuh_kill_process`, `wazuh_disable_user`, `wazuh_quarantine_file`, `wazuh_active_response`, `wazuh_firewall_drop`, `wazuh_host_deny`, `wazuh_restart` |
+| **Verification** (5) | `wazuh_check_blocked_ip`, `wazuh_check_agent_isolation`, `wazuh_check_process`, `wazuh_check_user_status`, `wazuh_check_file_quarantine` |
+| **Rollback** (5) | `wazuh_unisolate_host`, `wazuh_enable_user`, `wazuh_restore_file`, `wazuh_firewall_allow`, `wazuh_host_allow` |
 
 ---
 
@@ -185,26 +188,28 @@ curl http://localhost:3000/health
 
 ```
 src/wazuh_mcp_server/
-├── server.py           # MCP server with 29 tools
-├── config.py           # Configuration management
-├── auth.py             # JWT authentication
+├── server.py           # MCP server with 48 tools (Streamable HTTP + SSE)
+├── config.py           # Configuration management with validation
+├── config_validator.py # Startup configuration validation
+├── auth.py             # JWT & API key authentication
 ├── oauth.py            # OAuth 2.0 with DCR
-├── security.py         # Rate limiting, CORS
-├── monitoring.py       # Prometheus metrics
-├── resilience.py       # Circuit breakers, retries
-├── session_store.py    # Pluggable sessions
+├── security.py         # Rate limiting, CORS, input validation, security middleware
+├── monitoring.py       # Prometheus metrics, request tracking middleware
+├── resilience.py       # Circuit breakers, retries, graceful shutdown
+├── session_store.py    # Pluggable sessions (in-memory + Redis)
 └── api/
-    ├── wazuh_client.py    # Wazuh Manager API
-    └── wazuh_indexer.py   # Wazuh Indexer API
+    ├── wazuh_client.py    # Wazuh Manager API client
+    └── wazuh_indexer.py   # Wazuh Indexer API client (alerts + vulnerabilities)
 ```
 
 ---
 
 ## Security
 
-- **Authentication**: JWT tokens, OAuth 2.0 with DCR
+- **Authentication**: JWT tokens, OAuth 2.0 with DCR, all endpoints protected
+- **Security Middleware**: Automatic security headers (X-Content-Type-Options, X-Frame-Options, CSP)
 - **Rate Limiting**: Per-client request throttling
-- **Input Validation**: SQL injection and XSS protection
+- **Input Validation**: Comprehensive parameter validation with SQL injection and XSS protection
 - **Container Security**: Non-root user, read-only filesystem
 
 ```bash

docs/ADVANCED_FEATURES.md

@@ -17,8 +17,8 @@ The server includes production-grade HA features for maximum reliability.
 
 - Exponential backoff with jitter
 - 3 retry attempts with 1-10 second delays
-- Applies to all Wazuh API calls
-- Handles transient network failures
+- Applies to all Wazuh API and Indexer calls (including alert queries)
+- Only retries transient errors (5xx, connection errors) — not 400/401/404
 
 ### Graceful Shutdown
 
@@ -29,6 +29,15 @@ The server includes production-grade HA features for maximum reliability.
 
 **Implementation:** Automatically applied to all Wazuh API calls - no configuration required.
 
+### Security & Monitoring Middleware
+
+Two middleware layers are automatically registered on all HTTP requests:
+
+- **Monitoring Middleware**: Tracks request counts, active connections, response durations, and adds correlation IDs to every request
+- **Security Middleware**: Adds security headers to all responses (X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, X-XSS-Protection, Referrer-Policy)
+
+Prometheus metrics are available at `/metrics` using a custom collector registry for accurate reporting.
+
 ---
 
 ## Serverless Ready

docs/OPERATIONS.md

@@ -178,11 +178,11 @@ docker compose up -d
 
 | Endpoint | Method | Description |
 |----------|--------|-------------|
-| `/mcp` | GET/POST | **Recommended** - Streamable HTTP (2025-11-25) |
+| `/mcp` | GET/POST/DELETE | **Recommended** - Streamable HTTP (MCP 2025-11-25) |
 | `/sse` | GET | Legacy SSE endpoint |
-| `/` | POST | JSON-RPC 2.0 endpoint |
+| `/` | GET/POST | JSON-RPC 2.0 endpoint (authenticated) |
 | `/health` | GET | Health check |
-| `/metrics` | GET | Prometheus metrics |
+| `/metrics` | GET | Prometheus metrics (custom registry) |
 | `/docs` | GET | OpenAPI documentation |
 
 ### Authentication Endpoints

docs/api/README.md

@@ -1,6 +1,6 @@
 # FastMCP Tools API Reference
 
-Complete reference for all 29 FastMCP tools available in Wazuh MCP Server v2.1.0.
+Complete reference for all 48 tools available in Wazuh MCP Server v4.0.8.
 
 ## 🛠️ Tool Categories
 
@@ -29,17 +29,18 @@ Identify and analyze security vulnerabilities across your environment.
 - **get_wazuh_critical_vulnerabilities** - Critical vulnerabilities only
 - **get_wazuh_vulnerability_summary** - Vulnerability statistics and trends
 
-### 🔍 [Security Analysis](security.md) (6 tools)
+### 🔍 [Security Analysis](security-analysis.md) (7 tools)
 AI-powered security analysis and threat intelligence capabilities.
 
+- **search_security_events** - Advanced security event search with query filtering
 - **analyze_security_threat** - AI-powered threat analysis
 - **check_ioc_reputation** - IoC reputation checking
 - **perform_risk_assessment** - Comprehensive risk analysis
 - **get_top_security_threats** - Top threats by severity
 - **generate_security_report** - Automated security reporting
 - **run_compliance_check** - Compliance framework validation
 
-### 📊 [System Monitoring](monitoring.md) (10 tools)
+### 📊 [System Monitoring](system-monitoring.md) (10 tools)
 Monitor system health, performance, and operational metrics.
 
 - **get_wazuh_statistics** - Comprehensive system statistics
@@ -53,6 +54,37 @@ Monitor system health, performance, and operational metrics.
 - **get_wazuh_manager_error_logs** - Error log retrieval
 - **validate_wazuh_connection** - Connection validation
 
+### ⚡ Active Response (9 tools)
+Execute active response actions on Wazuh agents.
+
+- **wazuh_block_ip** - Block IP address via active response
+- **wazuh_isolate_host** - Isolate a host from the network
+- **wazuh_kill_process** - Kill a running process on an agent
+- **wazuh_disable_user** - Disable a user account
+- **wazuh_quarantine_file** - Quarantine a suspicious file
+- **wazuh_active_response** - Send custom active response command
+- **wazuh_firewall_drop** - Add firewall drop rule
+- **wazuh_host_deny** - Add host deny rule
+- **wazuh_restart** - Restart Wazuh agent
+
+### ✅ Verification (5 tools)
+Verify the status of active response actions.
+
+- **wazuh_check_blocked_ip** - Verify IP is blocked
+- **wazuh_check_agent_isolation** - Verify agent isolation status
+- **wazuh_check_process** - Check if process is running
+- **wazuh_check_user_status** - Check user account status
+- **wazuh_check_file_quarantine** - Check file quarantine status
+
+### ↩️ Rollback (5 tools)
+Reverse active response actions.
+
+- **wazuh_unisolate_host** - Remove host isolation
+- **wazuh_enable_user** - Re-enable a disabled user
+- **wazuh_restore_file** - Restore a quarantined file
+- **wazuh_firewall_allow** - Remove firewall drop rule
+- **wazuh_host_allow** - Remove host deny rule
+
 ## 🎯 Quick Examples
 
 ### Basic Usage
@@ -109,7 +141,7 @@ All tools return JSON responses with consistent structure:
   "metadata": {
     "query_time": "2024-01-01T12:00:00Z",
     "api_source": "wazuh_server",
-    "version": "2.1.0"
+    "version": "4.0.8"
   }
 }
 ```

docs/configuration.md

@@ -1,6 +1,6 @@
 # Configuration Guide
 
-Complete configuration reference for Wazuh MCP Server v2.1.0.
+Complete configuration reference for Wazuh MCP Server v4.0.8.
 
 ## 📋 Configuration Overview
 
@@ -33,7 +33,7 @@ WAZUH_USER=wazuh
 WAZUH_PASS=changeme
 
 # Transport Configuration
-MCP_TRANSPORT=stdio
+MCP_TRANSPORT=streamable-http
 ```
 
 ## 💡 Complete Configuration Reference
@@ -126,9 +126,9 @@ CACHE_MAX_SIZE=1000                      # Maximum cache entries
 
 ```bash
 # Transport Settings
-MCP_TRANSPORT=stdio                       # Transport type (stdio only)
+MCP_TRANSPORT=streamable-http            # Transport type (streamable-http)
 MCP_SERVER_NAME=Wazuh MCP Server         # Server name
-MCP_SERVER_VERSION=2.1.0                 # Server version
+MCP_SERVER_VERSION=4.0.8                 # Server version
 
 # Tool Configuration
 ENABLE_SECURITY_TOOLS=true               # Enable security analysis tools
@@ -261,26 +261,24 @@ CLIENT_KEY_PATH=/etc/wazuh-mcp/client.key
 
 ## 🎯 Configuration Validation
 
-### Health Check Command
+### Health Check
 
 ```bash
 # Validate configuration
-./bin/wazuh-mcp-server --health-check
+curl -s http://localhost:3000/health | jq .
 
-# Validate with detailed output
-./bin/wazuh-mcp-server --health-check --verbose
+# Check with verbose output
+curl -v http://localhost:3000/health
 ```
 
-### Configuration Test Script
+### Configuration Test
 
 ```bash
-# Test configuration
-python tools/validate_setup.py
+# Test configuration via health endpoint
+curl -s http://localhost:3000/health | jq .
 
-# Test specific components
-python tools/validate_setup.py --test-connection
-python tools/validate_setup.py --test-ssl
-python tools/validate_setup.py --test-auth
+# Verify imports
+PYTHONPATH=src python -c "from wazuh_mcp_server.server import app; print('OK')"
 ```
 
 ## 📝 Configuration Examples
@@ -294,7 +292,7 @@ WAZUH_PORT=55000
 WAZUH_USER=wazuh-api
 WAZUH_PASS=secure-password
 VERIFY_SSL=false
-MCP_TRANSPORT=stdio
+MCP_TRANSPORT=streamable-http
 LOG_LEVEL=INFO
 ```
 
@@ -347,10 +345,7 @@ Configuration precedence (highest to lowest):
 ```bash
 # Override via environment variable
 export WAZUH_HOST=new-server.com
-./bin/wazuh-mcp-server --stdio
-
-# Override via command line (if supported)
-./bin/wazuh-mcp-server --wazuh-host=new-server.com --stdio
+docker compose up -d
 ```
 
 ### Configuration Reloading
@@ -359,8 +354,7 @@ Currently, configuration changes require server restart:
 
 ```bash
 # After changing .env file
-pkill -f wazuh-mcp-server
-./bin/wazuh-mcp-server --stdio
+docker compose restart wazuh-mcp-remote-server
 ```
 
 ## 🐛 Troubleshooting Configuration
@@ -480,10 +474,10 @@ For detailed instructions, see the [Claude Desktop Integration](../README.md#-cl
 
 For configuration issues:
 
-1. **Check [Troubleshooting Guide](troubleshooting/README.md)**
-2. **Run health check**: `./bin/wazuh-mcp-server --health-check`
-3. **Validate setup**: `python tools/validate_setup.py`
-4. **Check logs**: `tail -f logs/wazuh-mcp-server.log`
+1. **Check [Troubleshooting Guide](TROUBLESHOOTING.md)**
+2. **Run health check**: `curl http://localhost:3000/health`
+3. **Check Prometheus metrics**: `curl http://localhost:3000/metrics`
+4. **Check logs**: `docker compose logs -f wazuh-mcp-remote-server`
 
 ---