Merge feature/dependency-updates-feb2026 into main - v4.0.6 production updates

Author: alokemajumder

.env.example

@@ -14,24 +14,25 @@ MCP_HOST=127.0.0.1
 MCP_PORT=3000
 
 # === Authentication ===
-# Secret key for token signing (generate with: openssl rand -hex 32)
-AUTH_SECRET_KEY=your-secret-key-here
+# Auth mode: bearer (default), oauth, or none (authless)
+AUTH_MODE=bearer
+
+# SECURITY: Generate a secure secret key for production!
+# Run: openssl rand -hex 32
+AUTH_SECRET_KEY=CHANGE_ME_GENERATE_WITH_openssl_rand_hex_32
 
 # Token lifetime in hours
 TOKEN_LIFETIME_HOURS=24
 
-# API keys (JSON array format)
-# Example: [{"id":"key1","name":"Production","key_hash":"hash","scopes":["wazuh:read"]}]
-API_KEYS=[
-  {
-    "id": "default",
-    "name": "Default API Key",
-    "key_hash": "will-be-generated",
-    "created_at": "2024-01-01T00:00:00Z",
-    "scopes": ["wazuh:read", "wazuh:write"],
-    "active": true
-  }
-]
+# === API Key Configuration (Recommended for production) ===
+# Simple single API key configuration - generate with:
+#   python -c "import secrets; print('wazuh_' + secrets.token_urlsafe(32))"
+# If not set, server auto-generates a key and displays it on startup
+# MCP_API_KEY=wazuh_your-generated-key-here
+
+# Advanced: Multiple API keys (JSON array format)
+# Only use if you need multiple keys with different scopes
+# API_KEYS=[{"id":"key1","name":"Production","key_hash":"...","scopes":["wazuh:read"]}]
 
 # === CORS Configuration ===
 # Comma-separated list of allowed origins
@@ -46,8 +47,10 @@ ALLOWED_ORIGINS=https://claude.ai,https://*.anthropic.com,http://localhost:*
 LOG_LEVEL=INFO
 
 # === Wazuh SSL ===
-WAZUH_VERIFY_SSL=false
-WAZUH_ALLOW_SELF_SIGNED=true
+# SECURITY: Set WAZUH_VERIFY_SSL=true in production!
+# Only set to false for development with self-signed certificates
+WAZUH_VERIFY_SSL=true
+# WAZUH_ALLOW_SELF_SIGNED=true  # Uncomment only for dev/testing
 
 # === Wazuh Indexer Configuration (Required for Wazuh 4.8.0+) ===
 # The vulnerability API was removed in Wazuh 4.8.0 and replaced with Indexer queries.

.github/workflows/ci.yml

@@ -0,0 +1,111 @@
+name: CI
+
+on:
+  push:
+    branches: [ main, feature/*, develop ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.13'
+
+    - name: Install linters
+      run: |
+        python -m pip install --upgrade pip
+        pip install ruff black isort mypy
+
+    - name: Check formatting with black
+      run: black --check --diff src/ tests/ || true
+
+    - name: Check imports with isort
+      run: isort --check-only --diff src/ tests/ || true
+
+    - name: Lint with ruff
+      run: ruff check src/ || true
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python 3.13
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.13'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -e .
+        pip install pytest pytest-asyncio pytest-cov
+
+    - name: Run tests
+      run: |
+        pytest tests/ -v --cov=src/wazuh_mcp_server --cov-report=xml || true
+
+    - name: Upload coverage
+      uses: codecov/codecov-action@v4
+      with:
+        files: ./coverage.xml
+        fail_ci_if_error: false
+
+  syntax-check:
+    name: Syntax Check
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.13'
+
+    - name: Check Python syntax
+      run: |
+        python -m py_compile src/wazuh_mcp_server/*.py
+        python -m py_compile src/wazuh_mcp_server/api/*.py
+        echo "All Python files have valid syntax"
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [syntax-check]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.13'
+
+    - name: Install build tools
+      run: |
+        python -m pip install --upgrade pip
+        pip install build twine
+
+    - name: Build package
+      run: python -m build
+
+    - name: Check package
+      run: twine check dist/*
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: dist-${{ github.sha }}
+        path: dist/
+        retention-days: 5

Dockerfile

@@ -5,7 +5,7 @@
 
 ARG PYTHON_VERSION=3.13
 ARG BUILD_DATE
-ARG VERSION=4.0.5
+ARG VERSION=4.0.6
 
 # Stage 1: Build dependencies
 FROM python:${PYTHON_VERSION}-alpine AS builder
@@ -52,13 +52,17 @@ LABEL stage=scanner
 COPY --from=builder /root/.local /scan
 
 # Run comprehensive security scan
+# Set TRIVY_EXIT_CODE=1 in production builds to fail on HIGH/CRITICAL findings
+ARG TRIVY_EXIT_CODE=0
 RUN trivy fs \
     --no-progress \
     --security-checks vuln,secret,config \
     --severity HIGH,CRITICAL \
     --format json \
     --output /scan-results.json \
-    /scan || echo "Security scan completed with findings"
+    --exit-code ${TRIVY_EXIT_CODE} \
+    /scan && echo "Security scan passed" || \
+    (echo "Security scan found HIGH/CRITICAL vulnerabilities - review /scan-results.json" && exit ${TRIVY_EXIT_CODE})
 
 # Stage 3: Production image with latest Alpine
 FROM python:${PYTHON_VERSION}-alpine AS production

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "wazuh-mcp-server"
-version = "4.0.3"
+version = "4.0.6"
 description = "Production-grade MCP remote server for Wazuh SIEM integration with SSE transport"
 readme = "README.md"
 license = {text = "MIT"}
@@ -25,11 +25,12 @@ classifiers = [
 ]
 requires-python = ">=3.13"
 dependencies = [
-    "fastmcp>=2.11.0",
-    "httpx>=0.28.0",
-    "pydantic>=2.10.0",
+    "fastmcp>=2.14.0",
+    "httpx>=0.28.1",
+    "pydantic>=2.12.0",
     "python-dotenv>=1.0.0",
-    "uvicorn>=0.32.0",
+    "uvicorn>=0.40.0",
+    "cryptography>=46.0.5",
 ]
 
 [project.optional-dependencies]

requirements.txt

@@ -1,37 +1,38 @@
-# Wazuh MCP SSE Server v3.0.0 - Production Grade
+# Wazuh MCP Server v4.0.6 - Production Grade
 # MCP-compliant remote server with comprehensive monitoring
+# Updated: February 2026
 
 # Core MCP framework
-fastmcp>=2.10.6
+fastmcp>=2.14.0
 
 # Web framework for SSE endpoints
-fastapi>=0.115.0
-uvicorn[standard]>=0.32.0
+fastapi>=0.128.0
+uvicorn[standard]>=0.40.0
 
 # HTTP client for Wazuh API with connection pooling
-httpx>=0.28.0
+httpx>=0.28.1
 
 # Data validation
-pydantic>=2.10.0
+pydantic>=2.12.0
 
 # Environment configuration
 python-dotenv>=1.0.0
 
 # Authentication and security
-python-jose[cryptography]>=3.3.0
+python-jose[cryptography]>=3.5.0  # Security fix: CVE-2024-33663, CVE-2024-33664
 passlib[bcrypt]>=1.7.4
 python-multipart>=0.0.9  # Form data for OAuth token endpoint
 
 # Monitoring and metrics
-prometheus-client>=0.20.0
-psutil>=5.9.0
+prometheus-client>=0.24.0
+psutil>=6.0.0
 
 # Performance and reliability
-tenacity>=8.2.0  # Retry logic
-aiofiles>=23.0.0  # Async file operations
+tenacity>=9.0.0  # Retry logic
+aiofiles>=24.0.0  # Async file operations
 
 # Session storage for serverless (optional)
-redis[async]>=5.0.0  # Redis async client for serverless session storage
+redis>=7.0.0  # Redis async client for serverless session storage
 
 # Security and encryption
-cryptography>=41.0.0  # Encryption for secrets
+cryptography>=46.0.5  # Security fix: CVE-2026-26007

src/wazuh_mcp_server/__init__.py

@@ -4,5 +4,5 @@
 through the Model Context Protocol (MCP), enabling natural language security operations.
 """
 
-__version__ = "2.0.0"
+__version__ = "4.0.6"
 __all__ = ["__version__"]

src/wazuh_mcp_server/__main__.py

@@ -6,29 +6,37 @@
 
 import sys
 import os
-import asyncio
+import logging
 import uvicorn
 from pathlib import Path
 
 # Add the src directory to Python path
 sys.path.insert(0, str(Path(__file__).parent.parent))
 
-def main():
+# Configure basic logging for startup
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+)
+logger = logging.getLogger("wazuh_mcp_server.main")
+
+
+def main() -> None:
     """Main entry point for the Wazuh MCP Server."""
     try:
         from wazuh_mcp_server.server import app
-        
+
         # Get configuration from environment
         host = os.getenv('MCP_HOST', '0.0.0.0')
         port = int(os.getenv('MCP_PORT', '3000'))
         log_level = os.getenv('LOG_LEVEL', 'info').lower()
-        
-        print(f"🚀 Starting Wazuh MCP Server v4.0.0")
-        print(f"📡 Server: http://{host}:{port}")
-        print(f"🔍 Health: http://{host}:{port}/health")
-        print(f"📊 Metrics: http://{host}:{port}/metrics")
-        print(f"📖 Docs: http://{host}:{port}/docs")
-        
+
+        logger.info(f"Starting Wazuh MCP Server v4.0.6")
+        logger.info(f"Server: http://{host}:{port}")
+        logger.info(f"Health: http://{host}:{port}/health")
+        logger.info(f"Metrics: http://{host}:{port}/metrics")
+        logger.info(f"Docs: http://{host}:{port}/docs")
+
         # Run the server
         uvicorn.run(
             app,
@@ -39,13 +47,13 @@ def main():
             server_header=False,
             date_header=False
         )
-        
+
     except ImportError as e:
-        print(f"❌ Import error: {e}")
-        print("💡 Make sure all dependencies are installed: pip install -r requirements.txt")
+        logger.error(f"Import error: {e}")
+        logger.error("Make sure all dependencies are installed: pip install -r requirements.txt")
         sys.exit(1)
     except Exception as e:
-        print(f"❌ Server error: {e}")
+        logger.error(f"Server error: {e}")
         sys.exit(1)
 
 if __name__ == "__main__":