Skip to content

Changelog

AI-Bridge for Cisco UC β€” by SARL SOURDEAU CONSULTING

All notable changes to this project will be documented in this file.

[v202604] - 2026-04-08

Added

Core

  • MCP Server β€” FastMCP Streamable HTTP server; configured via .env with CLI flags (-d debug, -h help); mounts infra, common, and licensed product modules
  • Startup initialization β€” auto-generates RSA-4096 key pair and server salt on first run; auto-creates client directories and issues JWT tokens; verifies license at boot
  • Client sync β€” reconciles clients/ against AUTH_CLIENTS at every start: creates new clients, renews stale tokens, purges removed clients and their data
  • HTTP endpoints β€” GET /health (liveness + readiness, no auth), GET /metrics (Prometheus, Bearer), GET /status (full operational view: license, backup state, per-protocol request counters, Bearer)
  • Metrics & observability β€” thread-safe in-memory 24h sliding windows, req/min peaks, active client tracking; Prometheus counters for HTTP requests and MCP tool calls
  • Structured logging β€” JSON app.log (rotating) and dedicated audit.log with key=valueβ†’JSON formatter; colored console output; configurable level and rotation

Security

  • Deployment model β€” air-gapped or hybrid; no cloud dependency; fully offline operation
  • TLS mandatory β€” HTTPS enforced on all auth modes; self-signed (auto-generated) or CA-signed
  • Client authentication β€” RS256 bearer tokens (RSA-4096), auto-issued at startup; JWT mode (long-lived) or OAuth2 Client Credentials (RFC 6749 Β§4.4 + Β§2.3.1; token revocation RFC 7009; server discovery RFC 8414)
  • Client Authorization β€” RBAC with predefined profiles (admin, operator, auditor); per-tool enforcement; customizable per client
  • Client data isolation β€” dedicated directory per client; credentials, tokens, and reports isolated; data automatically purged on decommissioning
  • Credential encryption β€” per-client Fernet key derived from client UUID + server salt (PBKDF2-SHA256, 600 000 iterations); credentials never stored in plaintext
  • Audit trail β€” structured JSON audit events: AUTH_SUCCESS/AUTH_FAILED (+ source IP), ALLOWED/DENIED, RATE_LIMITED, REJECTED, STORED/UPDATED/DELETED, TRUSTED fingerprint, WRITTEN/EXPORTED, STARTED/STOPPED/FAILED, transport security alerts; control character sanitization to prevent log injection
  • Transport security β€” HTTPS/TLS, DNS rebinding protection, Host/Origin/Content-Type header validation
  • Host identity verification β€” SSH fingerprint check + HTTPS certificate verification before any Cisco UC connection
  • Input validation β€” Pydantic models on all MCP tool inputs; control character sanitization in audit formatter
  • Rate limiting β€” per-client sliding window (configurable per tool category); fail2ban per-IP brute-force detection with configurable threshold and automatic unban
  • Licensing β€” RS256-signed JWT issued offline by the editor; optional hostname binding; conditional product module mounting

Licensing

  • License system β€” RS256-signed JWT issued offline by the editor; states: VALID / GRACE / EXPIRED / INVALID; optional hostname binding; conditional product module mounting; grace period duration signed in JWT; background watchdog with configurable check interval; scripts/license_checker.py standalone CLI inspector

Backup & Restore

  • Automated backups β€” periodic encrypted archives (RSA-4096 + AES-256-GCM + SHA-256 sidecar); local retention; optional SFTP export with key or password authentication; configurable exclude dirs; daemon watchdog (same pattern as license watchdog)
  • Restore script β€” scripts/backup_restore.py: safe extract to restore_*/ or --replace in-place after SIGTERM; SHA-256 integrity verified before decryption
  • SFTP password encryption β€” scripts/encrypt_sftp_password.py: Fernet-based password encrypt/decrypt; auto-updates .env

Upgrade

  • Upgrade system β€” scripts/upgrade.py: RSA-PSS signature verification against editor public key; file-level action plan (replace/create/skip protected paths); .env key merge without overwriting customer values; --dry-run preview; automatic pre-upgrade backup; timestamped log in upgrade/

Reporting

  • Report generation β€” write_report, read_report, export_report_pdf MCP tools; Markdown output with 9 chart types (pie, bar, donut, radar, gauge, treemap, grouped bars, waterfall, severity matrix); PDF export via WeasyPrint; customizable color palette

CUCM

  • CUCM support (v14 & v15) β€” 16 tools via AXL, RisPort70, and OS Admin SSH: credential management, AXL schema download, AXL/AXL-SQL calls, device registration queries (RIS), SSH commands, connectivity diagnostics
  • Security audit prompt β€” full security audit workflow based on Cisco Security Guide Release 15; 8 embedded reference resources (CLI guide, Security Guide chapters)

Testing & CI

  • Test suite β€” 839 unit tests, 93%+ code coverage (90% threshold enforced); integration tests for live CUCM (AXL, RIS, SSH); CI matrix on Python 3.12 + 3.13 in parallel; JUnit XML output

Dependencies

  • colorlog==6.10.1
  • cryptography==47.0.0
  • fastmcp==3.2.4
  • lxml==6.1.0
  • Markdown==3.10.2
  • matplotlib==3.10.9
  • numpy==2.4.4
  • paramiko==4.0.0
  • prometheus_client==0.25.0
  • pydantic==2.13.3
  • PyJWT==2.12.1
  • python-dotenv==1.2.2
  • requests==2.33.1
  • starlette==1.0.0
  • urllib3==2.6.3
  • weasyprint==68.1
  • zeep==4.3.2

Dependencies (dev)

  • freezegun==1.5.5
  • httpx==0.28.1
  • pre-commit==4.6.0
  • pymupdf4llm>=0.0.17
  • pytest==9.0.3
  • pytest-asyncio==1.3.0
  • pytest-cov==7.1.0
  • ruff==0.15.12