Release Notes¶

Zscaler Integrations MCP Server Changelog¶

## 0.12.6 (June 4, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Bug Fixes

PR #78 - Attach the signed MCPB bundle automatically on every release. The standalone mcpb-build.yml workflow was triggered on release: published, but that event never fired — GitHub deliberately suppresses workflow events raised by the built-in GITHUB_TOKEN that semantic-release uses to publish the release, so v0.12.5 shipped without the bundle attached. The build/sign/attach step now runs as a mcpb-bundle-attach job chained off the release job in .github/workflows/release.yml (gated on new_release_published), executing in the same workflow run as semantic-release and sidestepping the token suppression entirely — the cross-platform uv-runtime .mcpb, its detached PGP signature (.asc), and SHA-256 checksum are now attached to the GitHub Release the moment a release is cut from master, with no manual step. mcpb-build.yml is retained as a workflow_dispatch-only workflow for manually re-attaching a bundle to an existing release or running a dry-run build.

## 0.12.5 (June 4, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Enhancements

PR #77 - Automated, signed MCPB (Claude Desktop) bundle releases. The canonical MCPB manifest now lives at integrations/anthropic/manifest.json (was the repo root); scripts/build_mcpb.py + make build-mcpb produce a cross-platform, source-only uv-runtime bundle and validate it before packing. A new standalone workflow (.github/workflows/mcpb-build.yml) triggers on release publication, builds the .mcpb, signs it with the project PGP key (GPG_PRIVATE_KEY + PASSPHRASE, same as release.yml), and attaches the bundle, its detached signature (.asc), and a SHA-256 checksum to the GitHub Release.

## 0.12.0 (Unreleased)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Breaking Changes

PR #64 - Removed the clientless_app_ids parameter from zpa_create_application_segment and zpa_update_application_segment. The field is only meaningful for Browser Access segments and previously triggered a stray BROWSER_ACCESS lookup when passed against a standard segment. Browser Access workloads are now served by the dedicated zpa_*_application_segment_ba tools (see below); use those instead.

### Enhancements

PR #65 - HTTP transport hardening middleware. Added two ASGI pre-processor middlewares wired in as the outermost wrapper around every HTTP transport (streamable-http + SSE), running before AuthMiddleware and SourceIPMiddleware. StripTrailingSlashMiddleware rewrites POST /mcp/ to POST /mcp so clients that can’t follow a 307-on-POST (Gemini CLI, custom LangChain agents, hand-written JSON-RPC clients) work out-of-the-box. NormalizeContentTypeMiddleware rewrites the deprecated Content-Type: application/json-rpc to the spec-compliant application/json (preserving ; charset=...). Both are pure pre-processors — no new dependencies, never short-circuit, compliant clients (Claude Desktop, Cursor) unaffected. Exposed via apply_transport_hardening(app, transport) in zscaler_mcp/auth.py; 20 unit tests in tests/test_transport_hardening.py. Mirrored to the AWS variant.

PR #65 - Auto-publish to MCP Registry. Every push to master that produces a semantic-release now also pushes the freshly-bumped server.json to https://registry.modelcontextprotocol.io so downstream catalogs (GitHub MCP Registry, MCP-aware clients) reflect the new version without manual intervention. Implemented as a new mcp-registry-publish job in .github/workflows/release.yml gated on cycjimmy/semantic-release-action’s new_release_published output, checking out the new tag (v${new_release_version}), and authenticating via short-lived GitHub OIDC (id-token: write, scoped to this job only — no PAT, no long-lived secret). Non-fatal failure mode: if the registry push fails, PyPI and the GitHub Release have already happened and operators can fall back to the manual mcp-publisher publish flow documented in integrations/github/README.md.

PR #65 - Added ZIA Mobile Advanced Threat Settings management tools: zia_get_mobile_advanced_settings, zia_update_mobile_advanced_settings. Backed by zscaler.zia.mobile_threat_settings.MobileAdvancedSettingsAPI. Tenant-wide singleton governing the Mobile Malware Protection policy applied to traffic from mobile clients (iOS / Android via the Zscaler Client Connector) — 8 boolean knobs for blocking apps with malicious activity, apps with known vulnerabilities, apps leaking unencrypted credentials / location / PII / device IDs, apps beaconing to known ad websites, and apps communicating with unknown remote servers. PUT-replace update contract (SDK forwards as **kwargs); call zia_activate_configuration afterwards. Lands in a new ``zia_threat_settings`` toolset (default=True), kept distinct from zia_advanced_settings / zia_atp_policy / zia_atp_malware so the mobile threat surface can be enabled / audited independently. Implementation in zscaler_mcp/tools/zia/mobile_threat_settings.py.

PR #65 - Added ZPA Service Edges management tools: zpa_list_service_edges, zpa_get_service_edge, zpa_update_service_edge, zpa_delete_service_edge, zpa_bulk_delete_service_edges. Backed by zscaler.zpa.service_edges.ServiceEdgeControllerAPI. These wrap the individual service edge instances (the cloud-hosted broker process running on a specific host), distinct from zpa_*_service_edge_group* (the parent group) and zpa_*_provisioning_key* (the bootstrap tokens used to enroll edges into a group). The list tool returns runtime status, version, location, enrollment cert, and serviceEdgeGroupId; update uses the SDK’s **kwargs-passthrough semantics (no full-replace silent backfill); single delete and bulk_delete are HMAC double-confirmed since each removed edge must be re-provisioned. All 5 tools land in the existing zpa_service_edge_groups toolset via the existing _service_edge prefix rule — no per-tool overrides needed. Implementation in zscaler_mcp/tools/zpa/service_edges.py.

PR #65 - Process lifecycle management. New CLI subcommands zscaler-mcp reload, zscaler-mcp restart, zscaler-mcp status, zscaler-mcp stop let operators reconfigure a running server (locally or in a container) without recreating the container. The running server writes a JSON PID file at /var/run/zscaler-mcp.pid (with sensible fallbacks; per-instance override via --pid-file / ZSCALER_MCP_PID_FILE) and installs two signal handlers — SIGHUP for soft reload (re-reads .env, MCP sessions survive) and SIGUSR2 for hard restart (re-reads .env, then os.execvp’s a fresh interpreter with the original argv — same PID, fresh memory, fresh env, sessions die). SIGTERM/SIGINT are deliberately left un-handled so docker stop / systemctl stop / Ctrl+C keep their standard semantics; zscaler-mcp stop simply sends SIGTERM. New --dotenv-path / ZSCALER_MCP_DOTENV_PATH lets operators point at an arbitrary .env; the resolved path is recorded in the PID file so reload/restart re-read the same source. The scripts/setup-mcp-server.py setup script now defaults to bind-mounting the host .env at /app/.env (with --legacy-env-file to opt back into the snapshot-only behaviour), so docker exec <container> zscaler-mcp restart picks up host-side .env edits without recreating the container. Implementation in zscaler_mcp/lifecycle.py.

PR #65 - Added ZIA Custom IPS Signature Rules management tools: zia_list_ips_signature_rules, zia_get_ips_signature_rule, zia_create_ips_signature_rule, zia_update_ips_signature_rule, zia_delete_ips_signature_rule. Backed by zscaler.zia.ips_signature_rules.IPSSignatureRulesAPI. Snort / Suricata-style detection signatures (the “what to detect” surface) — distinct from the existing Cloud Firewall IPS policy rule family (the “when to enforce” surface), but loaded together in the zia_cloud_firewall toolset because admins working on intrusion prevention typically need both. Create inherits the SDK’s pre-flight validation against the dynamic-validation endpoint (syntactic / semantic / duplicate-sid errors raise without leaving a stub on the tenant). Update is PUT-replace with silent backfill of name + rule_text (the load-bearing pair for this resource — IPS signatures have no order). Delete is HMAC double-confirmed. Implementation in zscaler_mcp/tools/zia/ips_signature_rules.py.

PR #65 - Added ZIA Advanced Settings management tools: zia_get_advanced_settings, zia_update_advanced_settings. Backed by zscaler.zia.advanced_settings.AdvancedSettingsAPI. Wraps the tenant-wide Administration → Advanced Settings singleton — ~50 knobs covering authentication / Kerberos / digest bypass URLs and apps, DNS optimization on transparent proxy (IPv4 + IPv6 with include + exempt lists), Office 365 one-click, UI session timeout, surrogate IP enforcement, HTTP tunnel tracking, domain-fronting block, HTTP/2 non-browser traffic, ECS-for-all, dynamic user risk, CONNECT-host / SNI mismatch handling, and SIPA XFF header insertion. PUT-replace update contract (SDK forwards as **kwargs); call zia_activate_configuration afterwards. Lands in a new ``zia_advanced_settings`` toolset (default=True). Implementation in zscaler_mcp/tools/zia/advanced_settings.py.

PR #65 - Added ZIA Advanced Threat Protection — Malware Protection Policy management tools: zia_get_atp_malware_policy, zia_update_atp_malware_policy, zia_get_atp_malware_inspection, zia_update_atp_malware_inspection, zia_get_atp_malware_protocols, zia_update_atp_malware_protocols, zia_get_malware_settings, zia_update_malware_settings. Backed by zscaler.zia.malware_protection_policy.MalwareProtectionPolicyAPI. The four tool pairs expose the tenant-wide malware singletons that sit alongside the ATP policy block under cyberThreatProtection: file-handling toggles (block_unscannable_files, block_password_protected_archive_files), traffic-direction inspection (inspect_inbound, inspect_outbound), protocol-level inspection (inspect_http, inspect_ftp_over_http, inspect_ftp), and the 16-field threat-class block (virus / trojan / worm / adware / spyware / ransomware / remote-access tool / unwanted-applications, each with a matching *_capture PCAP toggle). All updates are PUT-replace; zia_update_atp_malware_protocols re-fetches after the PUT to shield clients from a known SDK response-parsing bug. All 8 tools land in a new ``zia_atp_malware`` toolset (default=True). Implementation in zscaler_mcp/tools/zia/atp_malware_protection.py.

PR #65 - Housekeeping: ATP tool-module consolidation. Merged atp_malicious_urls.py into atp_settings.py so every tool backed by zscaler.zia.atp_policy.ATPPolicyAPI lives in a single module (7 tools), and renamed the new malware file from malware_protection.py to atp_malware_protection.py for symmetry. No tool names, signatures, toolset assignments, or behavior changed — pure file-organization cleanup that establishes the convention one SDK API class → one MCP module → one logical surface.

PR #64 - Added ZPA Browser Access (BA) application segment management tools: zpa_list_application_segments_ba, zpa_get_application_segment_ba, zpa_create_application_segment_ba, zpa_update_application_segment_ba, zpa_delete_application_segment_ba. Backed by client.zpa.app_segments_ba_v2 and uniformly suffixed _ba so agents can disambiguate them from the regular and PRA app-segment tools. Each BA segment carries a common_apps_dto.apps_config block with per-domain TLS certificate, port, and protocol (HTTP/HTTPS); the tools validate apps_config against the segment’s domain_names before sending to avoid the generic ZPA error returned when domains drift. New skills/zpa/application_segment-ba-onboard/SKILL.md walks the full dependency chain (connector group → server group → segment group → BA TLS cert → BA segment → access policy rule).

PR #64 - Added ZPA Privileged Remote Access (PRA) application segment management tools: zpa_list_application_segments_pra, zpa_get_application_segment_pra, zpa_create_application_segment_pra, zpa_update_application_segment_pra, zpa_delete_application_segment_pra. Backed by client.zpa.app_segments_pra and uniformly suffixed _pra. Each PRA segment publishes RDP and SSH targets through the PRA portal without requiring a native client or Zscaler Client Connector; apps_config carries per-target domain, port, application_protocol (RDP/SSH), and the RDP connection_security mode. New skills/zpa/application_segment-pra-onboard/SKILL.md walks the full dependency chain including pra_credential and pra_portal provisioning.

PR #64 - Renamed the ZPA application-onboarding skill from skills/zpa/onboard-application/SKILL.md to skills/zpa/application_segment-onboard/SKILL.md for symmetry with the new BA / PRA onboarding skills. The three skills now form a coherent set keyed on the segment style the admin actually wants: application_segment-onboard (standard client-routed), application_segment-ba-onboard (Browser Access), application_segment-pra-onboard (RDP/SSH via PRA portal).

PR #64 - Added ZCC One-Time Password (OTP) bundle read tool: zcc_get_device_otp. Wraps client.zcc.secrets.get_otp and returns the full per-device OTP bundle — logout_otp (One-Time Logout Password), exit_otp, uninstall_otp, revert_otp, and the per-service disable OTPs (zia_disable_otp, zpa_disable_otp, zdx_disable_otp, zdp_disable_otp, anti_tempering_disable_otp, deception_settings_otp). Single SDK call serves every OTP workflow (logout, uninstall, exit, temporary service disable). New skills/zcc/generate-logout-otp/SKILL.md walks the typical admin flow (user identifier → device lookup → confirmation → OTP retrieval → secure delivery) and treats every returned value as a sensitive short-lived credential.

PR #64 - Added scripts/setup-mcp-server.py — a single interactive entry point for local Docker-based deployment of the MCP server. Prompts the admin through authentication mode (jwt, zscaler, api-key, oidcproxy, none), transport (streamable-http or stdio), credentials (loaded from .env or entered interactively), Docker image pull, container start, endpoint verification, and auto-detection of 7 AI agents (Claude Desktop, Claude Code, Cursor, Gemini CLI, VS Code, Windsurf, GitHub Copilot CLI) with an opt-in offer to write the matching mcpServers entry into each detected agent’s config. Idempotent on re-run; rejects invalid combinations (e.g. stdio + any HTTP-bound auth mode) at the prompt. Companion scripts/README.md documents the flag matrix, env-file handling, agent config paths per OS, and a troubleshooting table.

PR #64 - GCP deploy operations (integrations/google/gcp/gcp_mcp_operations.py): _mint_bearer_token now supports both Auth0-style (JSON body, inline client_id/client_secret, audience claim) and generic OAuth2 (form-encoded body, HTTP Basic auth, scope-based) token-minting flows. Detection is driven by the presence of a token_scope on the credentials dict; either flavour works against Auth0, Cognito, Entra ID, Okta, and Ping without code changes. New _print_cloud_run_logs helper renders gcloud logging read output Python-side as chronological, color-coded, single-line entries (24 h window by default) — gives a tail-style experience for Cloud Run troubleshooting.

PR #63 - Issue #61 — Added ZIA Advanced Threat Protection (ATP) policy management tools: zia_get_atp_settings, zia_update_atp_settings, zia_get_atp_security_exceptions, zia_update_atp_security_exceptions. Backed by zscaler.zia.atp_policy.ATPPolicyAPI. The settings tool exposes the full ATP policy block (50+ knobs across command-and-control, malware, browser exploits, phishing, blocked countries, BitTorrent / Tor / crypto-mining, DGA domains, ad/spyware sites, and per-threat capture toggles) and the security-exceptions tool manages the tenant-wide bypass URL list. Both updates are PUT-replace; tools document the fetch-merge-write workflow and remind callers to run zia_activate_configuration afterwards. Implementation in zscaler_mcp/tools/zia/atp_settings.py.

PR #63 - ZDX toolset reorganization: 5 new dedicated toolsets replacing the single catch-all zdx toolset. New toolsets (all default=True so the prior “everything zdx loads at startup” behaviour is preserved for --toolsets default and the no-selection fallback): zdx_alerts (active + historical alerts, single-alert get, affected devices), zdx_locations (administration operand catalog — locations and departments, the scope filters used by every other ZDX query via location_id / department_id), zdx_software_inventory (list software, get software details), zdx_reports (device inventory, every zdx_application_* tool, application users, device-level web-probe / cloudpath-probe results), and zdx_troubleshooting (the only ZDX surface with write tools — deep-trace + analysis lifecycle including start/stop, deep-trace events, top processes, web-probe metrics, cloudpath metrics, cloudpath topology, and health metrics). Routing uses dedicated prefix rules in _TOOLSET_PREFIX_RULES placed at the top of the rule list and scoped to n.startswith("zdx_") so they win against broader ZIA predicates (_location, _device) — a side-effect is that zdx_list_locations is no longer incidentally resolved to zia_locations. Migration: operators selecting toolsets explicitly via --toolsets / ZSCALER_MCP_TOOLSETS should replace zdx with the new toolset ids (or use --toolsets default for the full set).

PR #63 - Toolset reorganization: 17 new dedicated resource-family toolsets so each Zscaler resource family lives in its own bucket instead of being absorbed into a catch-all. New ZIA toolsets: zia_atp_policy (all 7 tools backed by zscaler.zia.atp_policy.ATPPolicyAPI — the four new ATP settings/security-exception tools plus the existing zia_*_atp_malicious_urls), zia_devices (split from zia_users), zia_authentication_settings (cookie-auth exempt URLs, split from zia_url_categories), zia_rule_labels (split from zia_admin). New ZPA toolsets: zpa_access_policies (split from zpa_policy; the other policy-rule families remain there), zpa_segment_groups and zpa_server_groups (split from zpa_app_segments since both are shared operands referenced by application segments AND access policy rules), zpa_service_edge_groups and zpa_provisioning_keys (split from zpa_connectors), zpa_app_connector_groups (split from zpa_connectors; individual app connectors and get_zpa_enrollment_certificate stay there), zpa_application_servers, zpa_ba_certificates, zpa_pra (credentials + portals) all split from zpa_misc, plus zpa_isolation, zpa_posture, zpa_trusted_networks split from zpa_idp, and zpa_app_protection split from zpa_misc. Routing uses carefully ordered prefix rules (e.g. _app_connector_group precedes _app_connector, _application_server precedes _application_segment) so future tools auto-route correctly. Operators selecting toolsets explicitly via --toolsets may need to add the new ids; the --toolsets default set still includes the new toolsets that absorbed previously-default-on tools (zia_atp_policy, zia_devices, zia_authentication_settings, zia_rule_labels, zpa_access_policies, zpa_segment_groups, zpa_server_groups, zpa_service_edge_groups, zpa_provisioning_keys, zpa_app_connector_groups) so every tool that was previously default-on remains default-on.

PR #60 - Added ZPA Log Streaming Service (LSS) read-only tools: zpa_list_lss_configs, zpa_get_lss_config, zpa_list_lss_log_types, zpa_get_lss_log_format, zpa_list_lss_status_codes, zpa_list_lss_client_types. Cover the configuration-only LSS surface (the API does not stream or query log content; that ships from the LSS Connector to the SIEM out-of-band). Implementation in zscaler_mcp/tools/zpa/lss.py.

PR #60 - Added new ZPA skill zpa/audit-baseline-compliance — a fully read-only audit of a ZPA tenant against the Zscaler ZPA Baseline Recommendations v1.0 document. Inventories the tenant via zpa_list_*/zpa_get_* tools, scores ~26 configuration-only checks across 7 categories (Connectors, Server Groups, Segments, Access Policy, Forwarding Policy, Timeout Policy, LSS), and renders the result as an interactive Cursor Canvas styled like the Zscaler portal — searchable, filterable by category and severity, with per-finding evidence and remediation. Surfaces 5 “Cannot Audit” observability gaps (per-connector telemetry, app probes, LSS delivery, bandwidth, sessions) so missing telemetry APIs are tracked rather than silently skipped. Surface-aware: emits a Cursor Canvas when running in Cursor (delegates to the built-in canvas skill) and an inline structured Markdown report on Claude Code, Gemini CLI, and Copilot.

PR #60 - Enhanced six existing ZPA skills with rationale and ordering guidance from the ZPA Baseline Recommendations v1.0 document: zpa/application_segment-onboard (Step 0 classification table — Standard / Sensitive / Global / Discovery / SIPA — driving correct health_reporting defaults per class); zpa/create-server-group (5-pattern selector + dynamic_discovery anti-patterns); zpa/create-access-policy-rule (8-class taxonomy from doc §A–H + per-OS posture-block gotcha); zpa/create-forwarding-policy-rule (allow-list mindset + canonical bypass list for Microsoft / Apple / OCSP / CRL / EDR); zpa/create-timeout-policy-rule (baseline auth-timeout 24h–7d and per-class idle-timeout values); zpa/troubleshoot-app-connector (config-only pre-flight checks with explicit acknowledgement that ZPA does not expose runtime connector telemetry).

### Documentation

PR #64 - docs/deployment/amazon_bedrock_agentcore.md — added a new “Connecting MCP clients to the Gateway (Claude / Cursor / Inspector)” section covering how to point any MCP-compatible client at the AgentCore Gateway’s standard streamable-HTTP endpoint. Walks through bearer-token minting (Auth0 M2M example), Authorization: Bearer <token> wiring, and end-to-end smoke testing against the Gateway from Claude Desktop, Cursor, and the MCP Inspector. TOC updated to surface the new section.

PR #60 - Added local_dev/Zlive/zpa-baseline-skills-analysis.md — a focused execution plan reflecting the read-only audit-first direction for ZPA baseline-compliance work, including the hard constraints set by the ZPA API surface (no telemetry API, configuration-only LSS, deception is a tenant feature flag, microtenant CRUD out of scope) and the explicit list of “Cannot Audit” gaps that should drive future API requests.

## 0.11.0 (May 4, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Breaking Changes

PR #59 - Removed legacy per-service authentication. OneAPI is now the only supported authentication mode. The ZSCALER_USE_LEGACY environment variable, the use_legacy parameter on every tool, the per-service legacy clients (LegacyZPAClient, LegacyZIAClient, LegacyZCCClient, LegacyZTWClient, LegacyZDXClient), and the per-service credential blocks (ZPA_*, ZIA_*, ZCC_*, ZTW_*, ZDX_*) have all been removed. To migrate: configure ZSCALER_CLIENT_ID, ZSCALER_CLIENT_SECRET (or ZSCALER_PRIVATE_KEY), ZSCALER_VANITY_DOMAIN, and ZSCALER_CUSTOMER_ID (the last is required only when calling ZPA tools), and drop any use_legacy=true arguments from your MCP tool calls.

PR #59 - Removed the zcc_devices_csv_exporter tool. Tool registration was already removed in PR #38; this release deletes the tool module, unit tests, the e2e fixture, and all remaining references in documentation. Use zcc_list_devices for device inventory queries.

### Enhancements

PR #59 - Toolsets. Tools are now grouped into 29 logical toolsets across every service (15 ZIA, 6 ZPA, 1 each for ZDX/ZCC/ZTW/ZID/ZEASM/ZINS/ZMS, plus the always-on meta toolset). Select via --toolsets / ZSCALER_MCP_TOOLSETS (default, all, or explicit ids). Three always-on discovery meta-tools (zscaler_list_toolsets, zscaler_get_toolset_tools, zscaler_enable_toolset) let agents enumerate and runtime-enable additional toolsets. Per-toolset system instructions are composed into the server’s instructions field at startup with snippet dedup. Filter precedence: disabled_tools > toolset > enabled_tools > write_tools. See docs/guides/toolsets.md.

PR #59 - OneAPI entitlement filter. At startup the server decodes the OneAPI bearer token and intersects active toolsets with the products the token is entitled to call, hiding tools that would only ever return 401 Unauthorized. Non-fatal on every failure path. Opt-out via --no-entitlement-filter / ZSCALER_MCP_DISABLE_ENTITLEMENT_FILTER=true. Implementation in zscaler_mcp/common/entitlements.py.

PR #59 - Output sanitization. Every tool result is passed through a three-stage sanitizer before reaching the LLM: invisible / control-character stripping (BiDi overrides, zero-width spaces, BOM), HTML / Markdown sanitization (bleach strips tags + comments; Markdown link/image syntax is neutralised), and code-fence info-string filtering (suspicious tokens like system, assistant, tool, ignore are rewritten to text). Defends against prompt-injection payloads embedded in Zscaler resource names / descriptions. Recursive over dict/list/tuple. Opt-out via ZSCALER_MCP_DISABLE_OUTPUT_SANITIZATION=true. Implementation in zscaler_mcp/common/sanitize.py.

PR #59 - Tool annotations. register_read_tools() now stamps readOnlyHint=True on every read tool, and register_write_tools() stamps destructiveHint=True on every write tool. The five always-on meta-tools explicitly set readOnlyHint=True. AI-agent permission frameworks (Claude Desktop, Cursor) consume these hints to prompt for confirmation on destructive actions.

PR #59 - Auto-generated tool documentation. New --generate-docs and --check-docs CLI flags (and matching make generate-docs / make check-docs targets) regenerate marker-bounded regions of docs/guides/supported-tools.md, README.md, and docs/guides/toolsets.md from the live tool inventory. CI runs --check-docs before the test suite to fail builds on stale docs. Idempotent — re-running with no source changes produces no file writes. Implementation in zscaler_mcp/common/docgen.py.

PR #59 - Added ZIA Time Intervals management tools: zia_list_time_intervals, zia_get_time_interval, zia_create_time_interval, zia_update_time_interval, zia_delete_time_interval. Reusable schedule objects referenced by all ZIA rule types via the time_windows field; start_time/end_time are minutes from midnight (0-1439); days_of_week accepts EVERYDAY or SUN-SAT. The update tool silently backfills name, start_time, end_time, and days_of_week from the existing record when omitted (PUT-replace semantics).

PR #59 - Added ZIA Workload Groups read tools: zia_list_workload_groups, zia_get_workload_group. Used as a rule operand by every ZIA policy-rule type.

PR #59 - Added ZIA Cloud App Control rule family: zia_list_cloud_app_control_rules, zia_get_cloud_app_control_rule, zia_create_cloud_app_control_rule, zia_update_cloud_app_control_rule, zia_delete_cloud_app_control_rule, zia_list_cloud_app_control_actions. rule_type is required on every CRUD call and is discoverable via zia_list_cloud_app_policy (the app’s parent field). Cloud-application name auto-resolution is wired in (same friendly-name → enum behaviour as the SSL Inspection / File Type Control rule families).

PR #59 - Added new ZIA skills: create-firewall-filtering-rule, create-ssl-inspection-rule, create-url-filtering-rule, create-cloud-app-control-rule, manage-time-interval, look-up-rule-targets. Also renamed resolve-cloud-app-enum → look-up-cloud-app-name for clarity.

PR #59 - Added new ZPA skills: create-conditional-access-rule, create-session-duration-rule. Updated create-forwarding-policy-rule and create-timeout-policy-rule.

PR #59 - Helper-file consolidation: per-feature ZIA helper modules (e.g. zia_cloud_app_resolver.py) were collapsed into a single zscaler_mcp/common/zia_helpers.py per the helper-file convention documented in CLAUDE.md. No public API changes.

### Bug Fixes

PR #59 - Issue #58 — zpa_create_application_segment and zpa_update_application_segment now expose 16 SDK-supported fields that were previously dropped: icmp_access_type, double_encrypt, config_space, ip_anchored, bypass_on_reauth, inspect_traffic_with_zia, use_in_dr_mode, tcp_keep_alive, select_connector_close_to_app, match_style, adp_enabled, auto_app_protect_enabled, api_protection_enabled, fqdn_dns_check, weighted_load_balancing, extranet_enabled. Enum-typed fields use Literal for agent-side validation; all fields default to None so omitting them preserves existing API values on update.

### Documentation

PR #59 - New docs/guides/toolsets.md covering toolset selection, filter precedence, the OneAPI entitlement filter (with an interaction-with---toolsets matrix), per-toolset system instructions, the runtime discovery tools, and the contributor steps for adding a new toolset.

PR #59 - CLAUDE.md updated with sections covering toolsets, the entitlement filter, output sanitization, auto-generated docs, the helper-file convention (DO NOT FRAGMENT), the new ZIA rule families and tool gotchas, and the new CLI flags (--toolsets, --no-entitlement-filter, --generate-docs, --check-docs).

PR #59 - README.md and integration READMEs (integrations/kiro/POWER.md, Kiro steering files for ZCC/ZIA/ZPA) refreshed for OneAPI-only auth and the new toolset / sanitization / entitlement-filter env vars.

## 0.10.5 (April 27, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Breaking Changes

PR #57 - Renamed three ZIA Shadow IT tools to disambiguate them from the policy-engine cloud-application catalog: zia_list_cloud_applications → zia_list_shadow_it_apps, zia_list_cloud_application_custom_tags → zia_list_shadow_it_custom_tags, zia_bulk_update_cloud_applications → zia_bulk_update_shadow_it_apps. Update any saved prompts, scripts, or integrations that reference the previous names.

### Enhancements

PR #57 - Added ZIA Cloud Firewall DNS Rules management tools: zia_list_cloud_firewall_dns_rules, zia_get_cloud_firewall_dns_rule, zia_create_cloud_firewall_dns_rule, zia_update_cloud_firewall_dns_rule, zia_delete_cloud_firewall_dns_rule.

PR #57 - Added ZIA Cloud Firewall IPS Rules management tools: zia_list_cloud_firewall_ips_rules, zia_get_cloud_firewall_ips_rule, zia_create_cloud_firewall_ips_rule, zia_update_cloud_firewall_ips_rule, zia_delete_cloud_firewall_ips_rule.

PR #57 - Added ZIA File Type Control Rules management tools: zia_list_file_type_control_rules, zia_get_file_type_control_rule, zia_create_file_type_control_rule, zia_update_file_type_control_rule, zia_delete_file_type_control_rule, plus zia_list_file_type_categories for discovering canonical file_types enum values.

PR #57 - Added ZIA Sandbox Rules management tools: zia_list_sandbox_rules, zia_get_sandbox_rule, zia_create_sandbox_rule, zia_update_sandbox_rule, zia_delete_sandbox_rule. These manage the policy rules governing sandbox enforcement and are distinct from the existing sandbox report tools (zia_get_sandbox_report, zia_get_sandbox_quota).

PR #57 - Added ZIA policy-engine cloud-application catalog read tools: zia_list_cloud_app_policy and zia_list_cloud_app_ssl_policy. Use these to discover the canonical UPPER_SNAKE_CASE enum tokens (e.g. SHAREPOINT_ONLINE, GOOGLE_DRIVE, ONEDRIVE) that the cloud_applications field on SSL Inspection, Web DLP, Cloud App Control, File Type Control, Bandwidth, and Advanced Settings rules accepts. Distinct from the Shadow IT analytics catalog (zia_list_shadow_it_apps).

PR #57 - Cloud-application name auto-resolution for zia_create_ssl_inspection_rule, zia_update_ssl_inspection_rule, zia_create_file_type_control_rule, zia_update_file_type_control_rule, and zia_list_cloud_app_control_actions. Friendly inputs like "Google Drive", "one drive", or "Sharepoint Online" are silently translated to the canonical enums the API requires (GOOGLE_DRIVE, ONEDRIVE, SHAREPOINT_ONLINE) using a 5-minute in-process catalog cache. The response includes a _cloud_applications_resolution audit field showing the mapping. Set resolve_cloud_apps=False to disable.

PR #57 - Silent backfill of required fields on ZIA policy-rule update tools (zia_update_ssl_inspection_rule, zia_update_cloud_firewall_dns_rule, zia_update_cloud_firewall_ips_rule, zia_update_file_type_control_rule, zia_update_sandbox_rule). ZIA’s update endpoints are PUT (full replacement), not PATCH — partial payloads previously risked resetting unspecified fields. The tools now fetch the existing rule and silently backfill name and order when they are missing from the input payload.

PR #57 - Added new skill skills/zia/resolve-cloud-app-enum/SKILL.md guiding agents on which ZIA cloud-application catalog to use (Shadow IT analytics vs. policy-engine) and how to leverage the auto-resolver when configuring policy rules.

PR #57 - Added local_dev/scripts/setup-zscaler-auth.py — one-shot orchestration script for running the MCP server with Zscaler OneAPI authentication (auth-mode=zscaler). Loads credentials from .env, starts the server (Docker or Python), verifies the auth endpoints, and writes static X-Zscaler-Client-ID / X-Zscaler-Client-Secret headers into Claude Desktop and Cursor configs. Mirrors the existing setup-oidcproxy-auth.py flow.

### Bug Fixes

PR #57 - Fixed validation errors on the new ZIA list tools (zia_list_cloud_firewall_dns_rules, zia_list_cloud_firewall_ips_rules, zia_list_file_type_control_rules, zia_list_file_type_categories, zia_list_sandbox_rules) when JMESPath expressions returned scalars or non-dict shapes (e.g. query="length(@)" to count rules). The strict -> List[dict] return-type annotation was being rejected by the MCP/Pydantic output validator, which forced AI agents to narrate around the error and exposed JMESPath / validation internals to end users. Return type relaxed to Any to match the polymorphic JMESPath contract.

PR #57 - Hardened the four new ZIA delete tools (zia_delete_cloud_firewall_dns_rule, zia_delete_cloud_firewall_ips_rule, zia_delete_file_type_control_rule, zia_delete_sandbox_rule) into the resource-bound HMAC-SHA256 confirmation flow. Confirmation tokens are bound to the specific rule_id and rejected if replayed against a different resource — closing the same vulnerability class (CWE-345) addressed in earlier delete tools.

## 0.10.4 (April 22, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Bug Fixes

PR #55 - Switched the Claude Code plugin runtime in .mcp.json from a local-only Docker image (zscaler-mcp-server:latest with --pull=never) to the published PyPI distribution (uvx zscaler-mcp@<version>), and replaced the hard-coded absolute path to .env with ${CLAUDE_PLUGIN_ROOT}/.env. Resolves Anthropic marketplace review feedback that the previous configuration would not work for end users.

PR #55 - Added the missing "version" field to .claude-plugin/plugin.json so the plugin manifest is aligned with .claude-plugin/marketplace.json, pyproject.toml, and zscaler_mcp/__init__.py.

PR #55 - Corrected the invalid Docker image tag zscaler/zscaler-mcp-server:latest:1.2.3 to zscaler/zscaler-mcp-server:1.2.3 in README.md and docsrc/index.rst.

PR #55 - Fixed uvx invocations in README.md to use the correct PyPI package name (zscaler-mcp) instead of the repository name (zscaler-mcp-server) in three install snippets.

### Enhancements

PR #55 - Updated Docker-based MCP client configuration examples in docs/deployment/authentication-and-deployment.md (Claude Desktop, Cursor, Windsurf, VS Code, troubleshooting) to use the public Docker Hub image zscaler/zscaler-mcp-server:latest and removed the --pull=never flag so end-user snippets work without a local build.

PR #55 - Refreshed integrations/claude-code-plugin/README.md to document the uvx execution model with ${CLAUDE_PLUGIN_ROOT}/.env, mark Docker as optional, and reference the public Docker image for fallback usage.

PR #55 - Added a clarifying note in README.md on resolving .env paths across plugin contexts (${CLAUDE_PLUGIN_ROOT}/.env for Claude Code, ${extensionPath}${pathSeparator}.env for Gemini extensions, absolute paths for standalone MCP clients).

PR #55 - Extended .github/set-version.sh to bump the version field in .claude-plugin/plugin.json and the pinned zscaler-mcp@<version> reference in .mcp.json on every semantic-release cut.

PR #55 - Added .claude-plugin/plugin.json and .mcp.json to the assets list in .releaserc.json so semantic-release commits the bumped versions back to the repository alongside the other manifests.

## 0.10.3 (April 20, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Bug Fixes

PR #50 - Refactored Azure AI Foundry agent authentication to use MCPTool.project_connection_id referencing a Foundry Custom keys connection instead of inline MCPTool.headers. Foundry now rejects sensitive header names (Authorization, *-Secret, *-Key, *-Token) with Headers that can include sensitive information are not allowed in the headers property for MCP tools. Use project_connection_id instead., breaking the previous X-Zscaler-Client-ID / X-Zscaler-Client-Secret inline pattern. The connection-based flow restores end-to-end agent creation and tool calls.

PR #50 - Replaced the over-broad _handle_api_error exception swallowing in foundry_agent.py with a verbose handler that surfaces the underlying exception type, message, HTTP status, and error body. Optional full traceback via ZSCALER_FOUNDRY_DEBUG=1. Previous behavior masked Foundry’s real invalid_payload errors as generic “Connection error” messages.

### Enhancements

PR #50 - Added ``agent_create`` connection probe in foundry_agent.py. When the Foundry Custom keys connection (default zscaler-mcp-headers) already exists, the script silently confirms and proceeds; when missing, it prints copy-paste-ready portal instructions (Management center → Connected resources → + New connection → Custom keys, with the per-auth-mode key list) and exits before mutating Foundry. Eliminates noisy repeated portal instructions on every run.

PR #50 - Added Foundry portal deep-link generator to agent_create. Builds a working URL into the new Foundry “nextgen” experience (https://ai.azure.com/nextgen/r/{sub_b64},{rg},,{account},{project}/build/agents/{name}/build?version={n}) by base64url-encoding the subscription UUID parsed from the connection ARM resource ID. Replaces the previous non-working /projects/<proj>/agents/<name> URL.

PR #50 - Added AZURE_FOUNDRY_CONNECTION_NAME environment variable (default zscaler-mcp-headers) so agent_create runs non-interactively when the connection name is pinned in .env. Promoted from azure_mcp_operations.py into the runtime environment alongside AZURE_AI_PROJECT_ENDPOINT and AZURE_OPENAI_MODEL.

PR #50 - Updated integrations/azure/README.md with the new connection-based authentication walkthrough (per-auth-mode key list, one-time portal setup) and the correct Prompt Agent navigation path in the new Foundry UI (Build → Agents → Agents tab), plus a callout distinguishing Prompt Agents from legacy Assistant API agents (asst_xxxx) that share the same project.

PR #50 - Updated local_dev/azure_mcp_deployment/azure_demo_recording_script.md to reflect the connection-based Foundry auth flow, including the one-time portal setup callout, the new agent_create walkthrough, and the deep-link to the deployed agent.

### Documentation

PR #50 - Added ``docsrc/guides/azure-deployment.rst`` — consolidated Sphinx guide covering Azure Container Apps, Virtual Machine, AKS (Preview), and the Azure AI Foundry agent (with the new project_connection_id auth flow and Custom keys portal setup steps).

PR #50 - Added ``docsrc/guides/gcp-gke.rst`` — Sphinx guide for the GKE deployment target of gcp_mcp_operations.py (Autopilot or existing cluster, Workload Identity, Secret Manager, LoadBalancer Service).

PR #50 - Added ``docsrc/guides/gcp-compute-engine-vm.rst`` — Sphinx guide for the Compute Engine VM target (Debian 12 + systemd + PyPI), including the rationale for picking VM over Cloud Run in enterprise GCP organizations enforcing constraints/iam.allowedPolicyMemberDomains.

PR #50 - Added ``docsrc/guides/gcp-adk-agent.rst`` — Sphinx guide for the Gemini-powered Zscaler ADK Agent across Local / Cloud Run / Vertex AI Agent Engine / Google Agentspace, documenting the co-located-subprocess architecture (MCP server runs inside the agent container via stdio, not as a separate networked service).

PR #50 - Refreshed docsrc/integrations/index.rst: added Azure AKS Preview row to the deployment-targets table, replaced the “Available Integrations” external links with :doc: references to the new Sphinx guides, and rewrote the Azure AI Foundry section to document the connection-based auth requirement and the new Prompt Agent portal navigation.

PR #50 - Registered the four new guides in docsrc/guides/index.rst toctree alongside the existing gcp-cloud-run and amazon-bedrock-agentcore entries. Full Sphinx build passes with -W --keep-going (zero warnings, zero errors).

## 0.10.2 (April 14, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Enhancements

PR #49 - Update to zscaler-sdk-python v1.9.21

## 0.10.1 (April 11, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Features

PR #48 - Aligned Cursor Marketplace plugin with official plugin-template standards. Fixed category to developer-tools, moved logo to assets/, added marketplace.json for validation compatibility, declared required Zscaler OneAPI env vars in mcp.json, and added name frontmatter to all 20 command files. Plugin now passes Cursor’s validate-template.mjs checklist.

PR #48 - Added 7 Cursor rules (.mdc files) covering tool naming conventions, ZIA activation requirement, ZPA dependency chain, write operation safety, ZDX read-only conventions, ZMS GraphQL patterns, and cross-service data overlap.

## 0.10.0 (April 10, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13, v3.14

### Features

PR #47 - Added GitHub MCP Registry integration (server.json) enabling one-click installation from GitHub Copilot and MCP-compatible clients. Declares PyPI and Docker packages with required Zscaler OneAPI credentials. Version auto-updated by the release pipeline.

### Bug Fixes

PR #47 - Upgraded Docker base image from python:3.13-alpine to python:3.14-alpine (digest-pinned) and explicitly patched Alpine packages to fix CVE-2026-28390 (openssl), CVE-2026-22184 (zlib). Applied same fixes to AWS ECR Dockerfile, replacing curl health check with busybox wget to eliminate 11 additional curl CVEs.

## 0.9.0 (April 9, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13

### Features

PR #46 - Added Azure Container Apps deployment via interactive script (azure_mcp_operations.py). Pulls image from Docker Hub, supports 5 auth modes (OIDCProxy, JWT, API Key, Zscaler, None), and stores all secrets in Azure Key Vault.

PR #46 - Added Azure Virtual Machine deployment with Ubuntu 22.04, systemd service, PyPI install, NSG configuration, and SSH access.

PR #46 - Added Azure AI Foundry Agent integration (foundry_agent.py). Creates a managed GPT-4o agent that wraps the deployed MCP server as a tool via MCPTool, with require_approval="always" for human oversight.

PR #46 - Added Foundry Agent interactive CLI chat (agent_chat) with animated braille spinner, per-response token tracking, wall-clock timing, in-chat commands (help, status, clear, reset), and end-of-session summary.

PR #46 - Added OIDCProxy support for Microsoft Entra ID as an identity provider. Entra ID works as a drop-in replacement for Auth0/Okta with audience set to the Application (client) ID.

### Enhancements

PR #46 - Foundry Agent authenticates to MCP server via X-Zscaler-Client-ID / X-Zscaler-Client-Secret custom headers, bypassing Foundry’s sensitive header restriction on Authorization and the project_connection_id URI parsing bug.

PR #46 - Foundry Agent chat implements proper response chaining via previous_response_id for multi-turn conversations with tool approvals.

PR #46 - Foundry Agent chat displays Zscaler ASCII logo banner on startup with agent name and version.

PR #46 - Foundry Agent chat includes graceful API error handling for common failures (DeploymentNotFound, authentication errors, rate limits, connection issues) with actionable remediation steps instead of raw tracebacks.

PR #46 - Azure deployment script uses provider-neutral OIDC variable names (OIDCPROXY_DOMAIN, OIDCPROXY_CLIENT_ID, etc.) with backward-compatible fallbacks to AUTH0_* variables.

PR #46 - Azure deployment script auto-configures Claude Desktop and Cursor client configs with correct auth headers and MCP endpoint URL.

### Tests

PR #46 - Added 81 unit tests for Azure deployment (test_azure_mcp_operations.py) and Foundry agent (test_foundry_agent.py) covering .env parsing, credential resolution, CLI parser, state management, VM setup script generation, MCP header building, error handling, agent lifecycle, and in-chat commands.

### Documentation

PR #46 - Added Azure AI Foundry deployment guide (docs/deployment/azure-ai-foundry.md) with end-to-end walkthrough covering both CLI and portal methods, Foundry project creation with screenshots, model deployment prerequisites, in-chat commands, environment variables, and troubleshooting.

PR #46 - Added Azure integration README (integrations/azure/README.md) with architecture diagrams for Container Apps, VM, and Foundry Agent deployments, all CLI commands, client configuration examples, and troubleshooting guide.

PR #46 - Added Microsoft Entra ID OIDCProxy step-by-step guide (docs/deployment/entra-id-oidcproxy.md) with 7 portal screenshots covering app registration, client secret, ID tokens, API permissions, and endpoints.

PR #46 - Updated docsrc/integrations/index.rst with Azure Deployment, Azure AI Foundry Agent sections, quick start commands, and link to the Foundry deployment guide.

PR #46 - Updated root README.md with Azure deployment section including Foundry agent commands and platform integrations table.

PR #46 - Updated CLAUDE.md with Azure deployment architecture, Foundry Agent command reference with flags, in-chat commands, graceful error handling, deployment guide reference, and Entra ID guide reference.

PR #46 - Updated authentication-and-deployment.md with expanded Entra ID app registration instructions and link to the dedicated Entra ID guide.

## 0.8.1 (April 6, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13

### Features

PR #45 - Added JMESPath client-side filtering across all 88 list tools spanning 9 services (ZIA, ZPA, ZDX, ZCC, ZTW, ZID, EASM, ZINS, ZMS). Every list tool now accepts an optional query parameter for server-side filtering and projection of API results before they reach the AI agent.

PR #45 - Added zscaler_search_tools meta-tool for AI agent tool discovery. Supports filtering by service, name_contains, description_contains, and advanced JMESPath queries against the full tool registry. Returns tool name, description, service, and type (read/write) for each match.

PR #45 - Added tool-call audit logging via --log-tool-calls CLI flag or ZSCALER_MCP_LOG_TOOL_CALLS environment variable. Logs tool name, sanitized arguments, execution duration, and result summary for every tool invocation. Sensitive parameters (passwords, secrets, tokens) are automatically redacted.

### Enhancements

PR #45 - Added ZMS GraphQL filtering and ordering to 6 tool domains: resources, resource groups, policy rules, app zones, app catalog, and tags. Tools now accept filter_by parameters (name, status, resource_type, cloud_provider, cloud_region, platform_os) and sort_order for server-side query refinement.

PR #45 - Added 3 new ZMS guided skills: review-tag-classification (tag namespace hierarchy analysis), analyze-policy-rules (policy rule optimization and conflict detection), and assess-workload-protection (workload coverage and agent health assessment).

PR #45 - Created centralized JMESPath utility module (zscaler_mcp/common/jmespath_utils.py) shared across all services, with graceful error handling for invalid expressions and consistent return normalization.

PR #45 - Added jmespath>=1.0.0 as an explicit dependency in pyproject.toml.

PR #45 - Updated all 88 list tool descriptions in services.py to advertise JMESPath query parameter support for AI agent discoverability.

### Documentation

PR #45 - Updated CLAUDE.md with JMESPath client-side filtering architecture, syntax reference, cross-service examples, and zscaler_search_tools usage patterns.

PR #45 - Updated CLAUDE.md with tool-call audit logging section covering CLI flag, environment variable, log format, sensitive parameter redaction, and result summarization.

## 0.8.0 (April 2, 2026)

### Notes

Python Versions: v3.11, v3.12, v3.13

### Features

PR #44 - Added GCP Cloud Run deployment with automated end-to-end deployment script (scripts/deploy-gcp.py). The script reads credentials from .env, optionally stores them in GCP Secret Manager, deploys to Cloud Run with Zscaler auth mode, and auto-configures Claude Desktop and Cursor clients. Supports –teardown for easy service deletion.

PR #44 - Added GCP Secret Manager integration (zscaler_mcp/cloud/gcp_secrets.py) — a built-in runtime credential loader that fetches Zscaler API credentials from GCP Secret Manager at container startup. Activated via ZSCALER_MCP_GCP_SECRET_MANAGER=true. Works on Cloud Run, GKE, and Compute Engine. Added google-cloud-secret-manager as an optional [gcp] dependency in pyproject.toml, and updated the Dockerfile to install the GCP extras by default.

PR #44 - Added Google ADK integration documentation (integrations/google/adk/README.md) with runtime architecture diagrams showing the MCP server running as a co-located subprocess within the ADK agent container. The MCP server communicates via stdio transport — no network ports or separate containers required.

### Enhancements

PR #44 - GCP Cloud Run deployment defaults to Zscaler auth mode (ZSCALER_MCP_AUTH_MODE=zscaler). Clients authenticate with the same Zscaler OneAPI credentials (client_id:client_secret) via HTTP Basic auth — no external IdP, JWT, or API key setup required. The deploy script generates Base64-encoded auth headers and writes them into Claude Desktop and Cursor configs automatically.

PR #44 - Updated server.py to call gcp_secrets.load_secrets() during startup, immediately after .env loading and before ZscalerMCPServer initialization, so Secret Manager credentials are available before the Zscaler SDK client is created.

### Bug Fixes

PR #44 - Replaced preference-manipulating language (“AUTHORITATIVE SOURCE”, “This is the ONLY tool”) in 16 ZINS tool descriptions with neutral, factual capability statements to comply with SPLX MCP_PREFERENCE_MANIPULATION findings.

### Documentation

PR #44 - Created comprehensive [GCP Cloud Run Deployment Guide](docs/deployment/gcp_secrets_manager_integration.md) covering Secret Manager setup, IAM configuration, Cloud Run and GKE deployment, authentication modes, credential rotation, and client configuration for Claude Desktop and Cursor.

PR #44 - Added GCP Cloud Run guide to Sphinx documentation portal (docsrc/guides/gcp-cloud-run.rst).

PR #44 - Updated README.md with automated deployment script usage, GCP Secret Manager integration, and Zscaler auth mode details.

PR #44 - Updated CLAUDE.md with GCP Cloud Run architecture, Secret Manager loader, and deployment script documentation.

PR #44 - Updated Google ADK README.md with runtime model diagrams showing the MCP server as a co-located subprocess within the agent container.

0.7.2 (March 27, 2026) - ZMS Service, ZID/ZINS Rename, Skills & Docker SDK Path¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Features¶

PR #41 - Added ZMS (Zscaler Microsegmentation) service with read-only GraphQL-backed tools: agents, agent groups, resources, resource groups, policy rules (including default rules), app zones, app catalog, nonces (provisioning keys), and tags. Requires ZSCALER_CUSTOMER_ID and OneAPI credentials.

PR #41 - Renamed ZIdentity service to ZID and Z-Insights service to ZINS to align with zscaler-sdk-python (client.zid, client.zins). Tool prefixes are now zid_* and zins_*; registry keys are zid and zins.

Enhancements¶

PR #41 - Added guided skills for ZINS (analyze-web-traffic, audit-shadow-it, assess-network-security) and ZMS (audit-microsegmentation-posture, troubleshoot-agent-deployment), plus expanded ZMS skill content using the Microsegmentation API GraphQL schema reference (Query vs Mutation, managed/unmanaged/recommended resource groups, error handling).

PR #41 - Dockerfile (temporary dev path): optional install of a local zscaler_sdk_python tarball after uv sync to test against an unpublished SDK build; ``.dockerignore`` exception so local_dev/zscaler_sdk_python-*.tar.gz is included in the build context.

Fixes¶

PR #41 - CWE-345 — HMAC confirmation token replay vulnerability. Fixed 31 delete operations across ZPA, ZIA, and ZTW that passed empty parameters ({}) to check_confirmation(), producing fungible HMAC-SHA256 tokens that could be replayed across different resources of the same type. All delete operations now bind the specific resource identifier into the HMAC payload, preventing cross-resource token replay. Added 6 regression tests including AST-based static analysis to prevent future occurrences.

PR #41 - Resolved ruff I001 import-sorting issues in ZMS tool modules, services.py (ZMSService imports), and ZMS tests.

Documentation¶

PR #38 - Updated CLAUDE.md, README.md, docs/guides/supported-tools.md, codecov.yml, Sphinx docsrc/, integrations, and tests for ZMS, ZID, and ZINS naming.

0.7.1 (March 26, 2026) - Tool & Service Exclusion, OIDCProxy Improvements¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Features¶

PR #38 - Added --disabled-tools CLI flag and ZSCALER_MCP_DISABLED_TOOLS environment variable to exclude specific tools from registration. Supports fnmatch wildcard patterns (e.g., zcc_list_* disables all ZCC list tools). PR #38- Added --disabled-services CLI flag and ZSCALER_MCP_DISABLED_SERVICES environment variable to exclude entire services from loading. Accepts service names: zcc, zdx, zia, zpa, ztw, zid. PR #38 - Combined --disabled-tools and --disabled-services for fine-grained control: disable an entire service to prevent loading, or selectively exclude individual tools while keeping the rest of the service active.

Enhancements¶

PR #38- Removed zcc_devices_csv_exporter tool — zcc_list_devices already returns equivalent data without file I/O overhead. PR #38 - Added verify_id_token=True to OIDCProxy setup for cross-platform compatibility. Auth0 may return opaque access tokens that fail JWT validation on certain platforms (e.g., Windows Docker). Verifying the OIDC id_token instead ensures consistent behavior across macOS and Windows. PR #38 - Added --debug CLI flag to setup-oidcproxy-auth.py for verbose token validation diagnostics (FASTMCP_DEBUG=true). PR #38 - Added Step 2b to setup-oidcproxy-auth.py to clear stale mcp-remote OAuth caches and orphaned processes before server start, preventing EADDRINUSE and invalid_token errors after container restarts.

Documentation¶

PR #38 - Updated README with “Excluding Services and Tools” section documenting fnmatch wildcard syntax and combined usage examples. PR #38 - Updated Authentication & Deployment Guide with troubleshooting entry for persistent 401 invalid_token on Windows Docker. PR #38 - Added tip about prompt specificity for large tool catalogs.

0.7.0 (March 25, 2026) - Authentication, Security & Platform Integrations¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

MCP Client Authentication¶

PR #31 - Added multi-mode authentication for MCP clients connecting over HTTP transports (sse, streamable-http). Authentication is disabled by default for backward compatibility and does not apply to stdio transport.

Four authentication modes:

api-key — Simple shared secret. Client sends Authorization: Bearer <key>. Best for quick setup and internal environments.
jwt — External Identity Provider via JWKS. Tokens are validated locally using the IdP’s public keys. Supports Auth0, Okta, Azure AD, Keycloak, AWS Cognito, PingOne, and Google Cloud Identity.
zscaler — Zscaler OneAPI credential validation. Client sends Basic Auth (client_id:client_secret) or custom headers (X-Zscaler-Client-ID / X-Zscaler-Client-Secret). Server validates against Zscaler’s /oauth2/v1/token endpoint.

Architecture:

Implemented as ASGI middleware (zscaler_mcp/auth.py) that wraps HTTP transport apps before they reach FastMCP
Two independent security layers: Layer 1 (MCP Client Auth) controls who can connect; Layer 2 (Zscaler API Auth) controls how the server authenticates to Zscaler APIs
Zero overhead when authentication is disabled — middleware returns the app unchanged

Network Security¶

PR #31 - Added defense-in-depth network security controls for HTTP transports:

HTTPS / TLS Configuration — Optional TLS termination at the server with ZSCALER_MCP_TLS_CERT_FILE and ZSCALER_MCP_TLS_KEY_FILE
HTTPS Policy Enforcement — ZSCALER_MCP_ALLOW_HTTP=false (default) blocks plaintext HTTP on non-localhost interfaces when TLS is not configured
Host Header Validation — ZSCALER_MCP_ALLOWED_HOSTS restricts accepted Host headers to prevent DNS rebinding attacks; auto-configured for localhost
Source IP Access Control — ZSCALER_MCP_ALLOWED_SOURCE_IPS restricts which client IPs can connect (CIDR notation supported)

Platform Integrations¶

PR #31 - Added native platform integrations for AI development environments:

Claude Code Plugin (.claude-plugin/) — Plugin manifest with marketplace support, 19 guided skills, and slash commands
Cursor Plugin (.cursor-plugin/) — Plugin manifest with 19 guided skills for Cursor IDE
Gemini Extension (gemini-extension.json, GEMINI.md) — Google Gemini CLI extension with contextual tool guidance
Google Cloud (integrations/google/) — Unified GCP deployment script (Cloud Run, GKE, Compute Engine VM) with interactive CLI menus
Google ADK Agent (integrations/google/adk/) — Google Agent Development Kit integration for building autonomous Zscaler security agents powered by Gemini models
Integration documentation (integrations/) — Dedicated README per platform with installation, configuration, and verification instructions

Enhancements¶

PR #31 - Added --generate-auth-token CLI argument for generating authorization tokens from configured credentials

PR #31 - Added --write-tools, --user-agent-comment, --list-tools, and --version CLI flags

PR #31 - Added ZSCALER_MCP_CONFIRMATION_TTL environment variable for configurable confirmation window on destructive operations

PR #31 - Added ZSCALER_MCP_AUTH_ALGORITHMS environment variable for restricting JWT validation algorithms

PR #31 - Added docker-run-http, docker-stop, and docker-generate-auth-token Makefile targets for HTTP transport and authentication workflows

PR #31 - Added PyJWT[crypto]>=2.8.0 dependency for JWT token validation

PR #31 - Updated .env.example with MCP Client Authentication and network security environment variables

Documentation¶

PR #31 - Created comprehensive Authentication & Deployment Guide covering transport modes, authentication architecture, IdP-specific JWKS setup, Docker/Python deployment, client configuration, and troubleshooting

PR #31 - Updated README.md with MCP Client Authentication section, network security features, and Platform Integrations reference

PR #31 - Created integrations/README.md as central index for all platform integrations

PR #31 - Created dedicated integration READMEs for Claude Code Plugin, Cursor Plugin, Gemini Extension, and Kiro Power

PR #31 - Updated Sphinx documentation portal (docsrc/) with platform integrations page and release notes for v0.7.0

0.6.2 (February 18, 2026)¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Enhancements¶

PR #29 - Added new ZIA tools:

network_apps
network_services_group
network_services
zia_url_lookup
zia_list_cloud_app_control_actions

PR #29 - Improved search capabilities in the ZIA tool:

device_management

0.6.1 (December 16, 2025) - Z-Insights Analytics Integration¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Enhancements¶

PR #22 - ✨ Added Z-Insights Analytics service with 16 read-only tools for Zscaler analytics via GraphQL API PR #22 - Added zins_get_web_traffic_by_location - Get web traffic analytics grouped by location PR #22 - Added zins_get_web_traffic_no_grouping - Get overall web traffic volume metrics PR #22 - Added zins_get_web_protocols - Get web traffic by protocol (HTTP, HTTPS, SSL) PR #22 - Added zins_get_threat_super_categories - Get threat super categories (malware, phishing, spyware) PR #22 - Added zins_get_threat_class - Get detailed threat class breakdown PR #22 - Added zins_get_cyber_incidents - Get cybersecurity incidents by category PR #22 - Added zins_get_cyber_incidents_by_location - Get cybersecurity incidents grouped by location PR #22 - Added zins_get_cyber_incidents_daily - Get daily cybersecurity incident trends PR #22 - Added zins_get_cyber_incidents_by_threat_and_app - Get incidents correlated by threat and application PR #22 - Added zins_get_firewall_by_action - Get Zero Trust Firewall traffic by action (allow/block) PR #22 - Added zins_get_firewall_by_location - Get firewall traffic grouped by location PR #22 - Added zins_get_firewall_network_services - Get firewall network service usage PR #22 - Added zins_get_casb_app_report - Get CASB SaaS application usage report PR #22 - Added zins_get_shadow_it_apps - Get discovered shadow IT applications with risk scores PR #22 - Added zins_get_shadow_it_summary - Get shadow IT summary statistics and groupings PR #22 - Added zins_get_iot_device_stats - Get IoT device statistics and classifications

Bug Fixes¶

PR #22 - Fixed Z-Insights time interval defaults - changed from invalid intervals (5-day, 12-day) to valid 7 or 14-day intervals required by the API PR #22 - Fixed Z-Insights tools to return structured “no data” responses instead of throwing exceptions when API returns empty results PR #22 - Fixed Z-Insights tools to handle GraphQL errors gracefully (checking response body for errors even with HTTP 200 status) PR #22 - Fixed Z-Insights time range validation to ensure end_time is at least 1 day in the past for data availability PR #22 - Added auto-adjustment logic for Z-Insights time intervals to automatically correct invalid intervals to nearest valid 7 or 14-day interval

0.6.0 (December 8, 2025) - AWS Kiro Power Integration¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Enhancements¶

PR #21 - ✨ Added AWS Kiro Power integration for AI-assisted Zscaler platform management within the Kiro IDE. Includes POWER.md, mcp.json, and service-specific steering files for ZPA, ZIA, ZDX, ZCC, ZTW, EASM, and ZIdentity.

0.5.0 (November 22, 2025) - AWS Bedrock AgentCore Security Enhancement¶

Note

This release contains enhancements specific to AWS Bedrock AgentCore deployments only. These changes are maintained in a separate private AWS-specific repository and do not modify the core Zscaler MCP Server in this repository. Standard MCP server functionality remains unchanged.

Notes¶

Python Versions: v3.11, v3.12, v3.13

Enhancements¶

PR #20 - 🔐 AWS Bedrock AgentCore Security Enhancements

Container-Based Secrets Manager Integration:

Container retrieves Zscaler API credentials from AWS Secrets Manager at runtime
Zero credentials exposed in AgentCore configuration, CloudFormation templates, or deployment scripts
Secrets encrypted at rest with AWS KMS and in transit via TLS
Full CloudTrail audit logging for all secret access
Backward compatible - supports both Secrets Manager and direct environment variable approaches

PR #20 - CloudFormation Automation:

One-click deployment via Launch Stack button
Automated AgentCore runtime deployment with conditional secret creation
IAM execution roles with Secrets Manager permissions automatically configured

PR #20 - Added ZEASM (External Attack Surface Management) service with 7 read-only tools:

zeasm_list_organizations - List all EASM organizations configured for the tenant
zeasm_list_findings - List all findings for an organization’s internet-facing assets
zeasm_get_finding_details - Get detailed information for a specific finding
zeasm_get_finding_evidence - Get scan evidence attributed to a specific finding
zeasm_get_finding_scan_output - Get complete scan output for a specific finding
zeasm_list_lookalike_domains - List all lookalike domains detected for an organization
zeasm_get_lookalike_domain - Get details for a specific lookalike domain

PR #20 - Updated README.md with EASM tools documentation

PR #20 - Created EASM documentation in docsrc/tools/easm/index.rst

PR #20 - Updated docsrc/tools/index.rst with EASM service reference

Bug Fixes¶

PR #20 - Fixed ZDX zdx_list_alerts calling wrong SDK method (alerts.read → alerts.list_ongoing)

PR #20 - Fixed ZDX zdx_list_alert_affected_devices calling wrong SDK method (alerts.read_affected_devices → alerts.list_affected_devices)

PR #20 - Fixed ZDX zdx_list_application_users calling wrong SDK method (apps.list_users → apps.list_app_users)

PR #20 - Fixed ZDX zdx_get_application_user calling wrong SDK method and incorrect return handling (apps.get_user → apps.get_app_user)

PR #20 - Fixed ZDX zdx_list_software calling wrong SDK method and incorrect return handling (inventory.list_software → inventory.list_softwares)

PR #20 - Fixed ZDX zdx_get_software_details calling wrong SDK method (inventory.get_software → inventory.list_software_keys)

PR #20 - Fixed ZDX zdx_get_device_deep_trace incorrect return handling (SDK returns list, not single object)

PR #20 - Fixed syntax error in services.py ZIdentityService (missing description key in tool registration)

PR #20 - Fixed EASM tools incorrect use_legacy parameter handling (removed invalid syntax)

PR #20 - Fixed ZSCALER_CUSTOMER_ID incorrectly required for non-ZPA services (now only required for ZPA)

PR #20 - Updated ZDX unit tests to match corrected SDK method names (42 tests)

0.4.0 (November 19, 2025)¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Enhancements¶

PR #16

Split the ZIA sandbox helper into dedicated tools (zia_get_sandbox_quota, zia_get_sandbox_behavioral_analysis, zia_get_sandbox_file_hash_count, zia_get_sandbox_report) so MCP clients can directly invoke quota/report endpoints.

PR #16

Added ZIA SSL Inspection Rules tools (zia_list_ssl_inspection_rules, zia_get_ssl_inspection_rule, zia_create_ssl_inspection_rule, zia_update_ssl_inspection_rule, zia_delete_ssl_inspection_rule) for managing SSL/TLS traffic decryption and inspection policies.

PR #16

Added ZTW workload discovery service tool (ztw_get_discovery_settings) for retrieving workload discovery service settings.

0.3.2 (November 4, 2025)¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Enhancements¶

PR #15

Added custom User-Agent header support with format zscaler-mcp-server/VERSION python/VERSION os/arch. Users can append AI agent information via –user-agent-comment flag or ZSCALER_MCP_USER_AGENT_COMMENT environment variable.

0.3.1 (October 28, 2025) - Tool Registration & Naming Updates¶

Added¶

PR #14

ZIA Tools: Added missing read-only tools to services registration - get_zia_dlp_dictionaries - Manage ZIA DLP dictionaries for data loss prevention - get_zia_dlp_engines - Manage ZIA DLP engines for rule processing - get_zia_user_departments - Manage ZIA user departments for organizational structure - get_zia_user_groups - Manage ZIA user groups for access control - get_zia_users - Manage ZIA users for authentication and access control
ZPA Tools: Added missing read-only tools to services registration - get_zpa_app_protection_profile - Manage ZPA App Protection Profiles (Inspection Profiles) - get_zpa_enrollment_certificate - Manage ZPA Enrollment Certificates - get_zpa_isolation_profile - Manage ZPA Cloud Browser Isolation (CBI) profiles - get_zpa_posture_profile - Manage ZPA Posture Profiles - get_zpa_saml_attribute - Manage ZPA SAML Attributes - get_zpa_scim_attribute - Manage ZPA SCIM Attributes - get_zpa_scim_group - Manage ZPA SCIM Groups - get_zpa_app_segments_by_type - Manage ZPA application segments by type - get_zpa_trusted_network - Manage ZPA Trusted Networks

### Changed

Tool Naming Convention: Updated tool names to follow consistent get_* pattern for read-only operations - ZIA tools: zia_*_manager → get_zia_* - ZPA tools: *_manager → get_zpa_* - Maintains backward compatibility with existing zia_get_* and zpa_get_* patterns

### Fixed

Tool Registration: Resolved missing tool registrations in zscaler_mcp/services.py
Documentation: Updated README.md with correct tool names and comprehensive tool listings

0.3.0 (October 27, 2025) - Security & Confirmation Release¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Security Enhancements¶

Multi-Layer Security Model:

Default read-only mode (110+ safe tools always available)
Global --enable-write-tools flag required for write operations
Mandatory allowlist via --write-tools (supports wildcards: zpa_create_*, zia_delete_*)
Tool annotations: readOnlyHint=True for read operations, destructiveHint=True for write operations
Double-confirmation for DELETE operations: Permission dialog + server-side confirmation block (33 delete tools)

Write Tools Allowlist (Mandatory):

No write tools registered unless explicit allowlist provided
Prevents accidental “allow all” scenarios
Granular control with wildcard patterns

DELETE Operation Protection:

All 33 delete operations require double confirmation
First: AI agent permission dialog (destructiveHint)
Second: Server-side confirmation via hidden kwargs parameter
Prevents irreversible actions from being executed accidentally

Added¶

zscaler_mcp/common/tool_helpers.py: Registration utilities for read/write tools with annotations
zscaler_mcp/common/elicitation.py: Confirmation logic for delete operations
--enable-write-tools / ZSCALER_MCP_WRITE_ENABLED: Global write mode toggle
--write-tools / ZSCALER_MCP_WRITE_TOOLS: Mandatory allowlist (required when write mode enabled)
build_mcpb.sh: Automated packaging script with bundled Python dependencies
Hidden kwargs parameter to all 33 delete functions for server-side confirmation
destructiveHint=True annotation to all 93 write operations

Changed¶

MCPB packages now bundle all Python dependencies (51MB vs 499KB)
Update operations now fetch current resource state to avoid sending null values to API
Enhanced server logging with security posture information
Updated test suite for confirmation-based delete operations (163 tests passing)

Fixed¶

Fixed MockServer.add_tool() missing annotations parameter for --list-tools functionality
Fixed update operations in ZPA segment groups, server groups, app connector groups, service edge groups to handle optional fields correctly
Fixed Pydantic validation errors in confirmation responses (return string instead of dict)
Fixed MCPB packaging to include all required dependencies
Removed problematic test_use_legacy_env.py (attempted real API calls)
Fixed 21 orphaned commas causing syntax errors
Fixed missing Union imports

Documentation¶

Updated README with comprehensive security model documentation
Rewrote docsrc/guides/configuration.rst with clear authentication guide
Added write tools allowlist examples and usage patterns
Documented double-confirmation flow for delete operations
Fixed Sphinx RST title underlines

## 0.2.2 (October 6, 2025)

### Notes

Python Versions: v3.11, v3.12, v3.13

PR #11 <https://github.com/zscaler/zscaler-mcp-server/pull/11> Fixed README and other documents to change the name title from “Zscaler MCP Server” to “Zscaler Integrations MCP Server”

0.2.1 (September 18, 2025)¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

PR #10 Fixed import sorting and markdown linting issues:

Fixed Ruff import sorting errors in client.py, services.py, and utils.py
Fixed markdownlint formatting issues in docs/guides/release-notes.md
Updated GitHub workflows to include linter checks in release process

0.2.0 (September 18, 2025)¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

NEW ZCC MCP Tools¶

PR #9 Added the following new tools:

Added zcc_list_trusted_networks - List existing trusted networks
Added zcc_list_forwarding_profiles - List existing forwarding profiles

NEW ZTW MCP Tools¶

PR #9 Added the following new tools:

Added ztw_ip_destination_groups - Manages IP Destination Groups
Added ztw_ip_group - Manages IP Pool Groups
Added ztw_ip_source_groups - Manages IP Source Groups
Added ztw_network_service_groups - Manages Network Service Groups
Added ztw_list_roles - List all existing admin roles in Zscaler Cloud & Branch Connector
Added ztw_list_admins - List all existing admin users or get details for a specific admin user

PR #9 - New documentation portal available in ReadTheDocs <https://zscaler-mcp-server.readthedocs.io/>

0.1.0 (August 15, 2025) - Initial Release¶

Notes¶

Python Versions: v3.11, v3.12, v3.13

Added¶

Initial implementation for the zscaler-mcp server (#1)
Support for Zscaler services: zcc, zdx, zia, zpa, zid (#1)
Flexible per service initialization (#1)
Streamable-http transport with Docker support (#1)
Debug option (#1)
Docker support (#1)
Comprehensive end-to-end testing framework with 44+ tests
Test runner script with multi-model testing support
Mock API strategy for realistic testing scenarios
ZIA tools for user management via the Python SDK:
- zia_user_groups: Lists and retrieves ZIA User Groups with pagination, filtering, and sorting
- zia_user_departments: Lists and retrieves ZIA User Departments with pagination, filtering, and sorting
- zia_users: Lists and retrieves ZIA Users with filtering and pagination

Changed¶

Fixed import sorting and linting issues
Simplified project structure by removing unnecessary nesting
Updated test organization for better maintainability

Documentation¶

Updated README ZIA Features to include the new tools (zia_user_groups, zia_user_departments, zia_users).