Changelog

Last update: June 25, 2026


All notable changes to this project are documented in this file.


[v202606] - 2026-06-25

Added

CUC (Cisco Unity Connection) — new product module

  • New cuc product module, gated by the signed license claim "cuc".
  • Supported versions: CUC v14 & v15.
  • 13 MCP tools across CUPI REST (get_version, cupi_list, cupi_call, …), SSH OS Admin (os_run_command), connectivity diagnostics and credential management.
  • Prompts: cuc/procedure, cuc/security_audit.
  • Resources: 8 VOS CLI Guide chapters, 3 optional Security Guide chapters, plus a CUPI endpoint catalogue (~80 endpoints) packaged as docs://cuc/cupi/reference and referenced by the CUC prompts.
  • Notable: CUPI client (REST /vmrest/) with mandatory TLS verification; same RBAC and credential model as CUCM / IMP.

Other additions

  • SSH session pooling extended
  • SSH pool Prometheus metrics: live pool occupancy, command-reuse histogram, success counter.
  • RBAC self-discovery for MCP clients: new tool infra_get_my_permissions(product?) and matrix embedded in infra_init_session.
  • Documentation discovery for tools-only clients: new tools infra_list_docs() / infra_get_doc(name|uri).

Changed

  • Misleading "read-only" wording removed from *_axl_call, *_os_run_command, cuc_cupi_call and related listings — permissions now depend on the caller's RBAC profile.
  • procedure prompts (CUCM / IMP / CUC) now instruct the LLM to call infra_get_my_permissions(<product>) before any write/admin operation.

Dependencies

- bcrypt==5.0.0
- colorlog==6.10.1
- cryptography==49.0.0
- fastmcp==3.2.4
- lxml==6.1.1
- Markdown==3.10.2
- matplotlib==3.11.0
- mcp==1.28.0
- numpy==2.5.0
- paramiko==5.0.0
- Pillow==12.2.0
- prometheus_client==0.25.0
- pydantic==2.13.4
- pydantic-settings>=2.14.2
- PyJWT==2.13.0
- python-dotenv==1.2.2
- python-multipart==0.0.32
- requests==2.34.2
- starlette==1.3.1
- urllib3==2.7.0
- weasyprint==69.0
- zeep==4.3.3

Dependencies (dev)

- bandit>=1.7
- freezegun==1.5.5
- httpx==0.28.1
- msgpack>=1.2.1
- mypy>=1.11
- pip>=26.1.2
- pip-audit>=2.7
- pre-commit==4.6.0
- pymupdf4llm>=0.0.17
- pytest==9.1.1
- pytest-asyncio==1.4.0
- pytest-cov==7.1.0
- pytest-timeout>=2.3
- pytest-xdist>=3.6
- PyYAML>=6.0.2
- ruff==0.15.19


[v202605] - 2026-05-31

Added

Core

  • FastMCP Streamable HTTP server, configured via .env.
  • Auto-bootstrap at startup: RSA-4096 key pair, server salt, client directories, JWT tokens, license verification.
  • Client lifecycle sync with AUTH_CLIENTS at every start (create / renew / purge).
  • HTTP endpoints: /health, /metrics (Prometheus), /status.
  • Structured logging (app.log JSON + dedicated audit.log).

Security

  • Air-gapped or hybrid deployment, no cloud dependency.
  • Mandatory TLS (self-signed or CA-signed).
  • Client auth: RS256 bearer tokens, JWT or OAuth2 Client Credentials (with PKCE).
  • RBAC with admin / operator / auditor profiles, customizable per client.
  • Per-client data isolation; credentials encrypted with a per-client Fernet key (PBKDF2-SHA512).
  • Full structured audit trail with control-character sanitization.
  • Transport hardening: HTTPS, DNS-rebinding protection, Host/Origin/Content-Type checks.
  • SSH fingerprint + HTTPS certificate verification before any Cisco UC connection.
  • Pydantic input validation on every MCP tool.
  • Per-client sliding-window rate limiting and Fail2ban per-IP brute-force detection.
  • .env-only configuration policy.

Performance & Stability

  • Bounded LRU caches on Zeep/WSDL clients.
  • Reduced lock contention on credential storage.

Observability

  • In-memory 24 h sliding windows, Prometheus counters for HTTP and MCP tool calls.
  • Per-tool / resource / prompt failure audit lines with error type and metric increment.
  • Show-tech bundle redaction extended to all sensitive key patterns.

Licensing

  • RS256-signed offline JWT licenses (VALID / GRACE / EXPIRED / INVALID), optional hostname binding, background watchdog, standalone CLI inspector.

Backup & Restore

  • Periodic encrypted backups (RSA-4096 + AES-256-GCM + SHA-512 sidecar), local retention, optional SFTP export.
  • Restore script with integrity verification and safe in-place replacement.

Upgrade

  • Signed upgrade bundles with RSA-PSS verification, dry-run preview, automatic pre-upgrade backup, .env key-merge without overwriting customer values.

Reporting

  • MCP tools write_report / read_report / export_report_pdf with Markdown output, 9 chart types, and WeasyPrint PDF export.

CUCM

  • Supported versions: CUCM v14 & v15.
  • 20 MCP tools across AXL, RisPort70, SSH OS Admin and Phone Web Access.
  • Prompts: cucm/procedure, cucm/security_audit.
  • Resources: 8 VOS CLI Guide chapters and 5 Security Guide (R15) chapters.
  • Notable: IP Phone screenshot capture (phone_screenshot); security audit prompt based on the Cisco Security Guide R15.

IMP

  • Supported versions: IMP v14 & v15.
  • 14 MCP tools across AXL and SSH OS Admin.
  • Prompts: imp/procedure, imp/security_audit.
  • Resources: 8 VOS CLI Guide chapters and 3 Security Guide (R15) chapters.
  • Notable: same RBAC and credential model as CUCM.

Deployment & Supply chain

  • Production-ready Dockerfile (multi-stage) and docker-compose.yml, hardened non-root runtime.
  • Base image and GitHub Actions pinned by digest; Dependabot refreshes them weekly.
  • Dependency management migrated to uv with hashed uv.lock.

Documentation

  • SECURITY.md regenerated and aligned with the documentation site.
  • Setup guides updated to highlight the .env-only policy.

Testing & CI

  • 839+ unit tests, 93%+ coverage (90% threshold enforced), live CUCM integration tests, Python 3.12 + 3.13 matrix.
  • Bandit SAST, Gitleaks secret scan, Trivy image scan — all blocking.
  • Mypy report (warn-only) and pip-audit on runtime + dev dependency trees.
  • CycloneDX SBOM produced and signed offline at release time.

Dependencies

- bcrypt==5.0.0
- colorlog==6.10.1
- cryptography==48.0.0
- fastmcp==3.2.4
- lxml==6.1.1
- Markdown==3.10.2
- matplotlib==3.10.9
- mcp==1.27.1
- numpy==2.4.6
- paramiko==5.0.0
- Pillow==12.2.0
- prometheus_client==0.25.0
- pydantic==2.13.4
- PyJWT==2.13.0
- python-dotenv==1.2.2
- requests==2.34.2
- starlette==1.2.0
- urllib3==2.7.0
- weasyprint==68.1
- zeep==4.3.2

Dependencies (dev)

- freezegun==1.5.5
- httpx==0.28.1
- pre-commit==4.6.0
- pymupdf4llm>=0.0.17
- pytest==9.0.3
- pytest-asyncio==1.4.0
- pytest-cov==7.1.0
- PyYAML>=6.0.2
- ruff==0.15.15