muchiny · muchiny · May 9, 2026 · May 9, 2026 · May 9, 2026 · May 9, 2026
@@ -72,6 +72,9 @@ flamegraph.svg
 id_rsa
 id_rsa.pub
 id_ed25519
+
+# Allow OAuth test-only RSA fixtures (synthetic, never used outside tests)
+!tests/fixtures/oauth/*.pem
 id_ed25519.pub
 id_ecdsa
 id_ecdsa.pub

@@ -1,6 +1,6 @@
 {
   "name": "mcp-ssh-bridge",
-  "version": "1.16.0",
+  "version": "1.17.0",
   "description": "Secure SSH bridge for AI-powered remote server management. 357 tools across 75 groups covering Linux, Windows, Docker, Kubernetes, and more.",
   "capabilities": {
     "tools": true,

@@ -5,6 +5,116 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+## [1.17.0] - 2026-05-10
+
+### Summary
+
+**Full security audit (2026-05-09) — 30+ findings remediated across YAML
+parsing, JWT validation, transport defaults, session isolation, secret
+zeroization, and tool-group exposure.** Two BREAKING default flips
+(FIND-022 elicitation + FIND-024 tool_groups) plus per-session isolation
+hardening (FIND-033/034/035/036/037/038), Zeroizing on every cred-bearing
+struct (FIND-014/028/029/030), saphyr Budget on every YAML parse site
+(FIND-001/002/004/032), OAuth/JWT spec compliance (FIND-006/007),
+russh algo pinning + rekey limits (FIND-008), HTTP middleware hardening
+(FIND-005), SSH error sanitization (FIND-016), `deny_unknown_fields`
+on every config struct (FIND-017), and supply-chain cleanup
+(FIND-018/025/026/027). Test suite: ~6,973 → 7,200+ tests (new
+integration suites: `cross_session_cancel`, `multisession_isolation`,
+`per_session_state`, `per_session_log_level`, `oauth_keys_loaded`,
+`saphyr_budget`, `deny_unknown_fields`, `destructive_default`,
+`http_middleware`, `ssh_config_discovery_default`, `ssh_preferred_algos`,
+`sudo_password_zeroizing`, `security_audit_redaction`).
+
+### Changed (BREAKING)
+
+- **Security: `tool_groups` default-disabled, ships an 8-group minimal
+  profile** (FIND-024). The pre-FIND-024 behaviour was "unlisted =
+  enabled": `tool_groups: { groups: {} }` registered all 75 groups /
+  357 handlers out of the box. An operator who only needed `docker` +
+  `service` was also exposed to AD/LDAP/Vault/K8s/AWS/ESXi/HyperV /
+  Windows-only handlers. Unlisted groups now resolve via membership in
+  the new `MINIMAL_DEFAULT_GROUPS` const: `[core, file_ops, directory,
+  process, monitoring, network, systemd, sessions]` — everything else
+  requires explicit opt-in via `tool_groups.groups: { groupname: true }`.
+  Operators who relied on the old all-enabled behaviour must enumerate
+  the groups they need (or set every group they want to `true`).
+  Migration documented in `config/config.example.yaml`.
+
+- **Security: `security.require_elicitation_on_destructive` now defaults to
+  `true`** (was `false`). Destructive tools annotated `destructive_hint: true`
+  (e.g., `ssh_process_kill`, `ssh_file_write`, `ssh_k8s_delete`,
+  `ssh_terraform_apply`, …) now require MCP `elicitation/create`
+  confirmation by default. Operators who relied on the old permissive
+  behaviour must explicitly set
+  `security.require_elicitation_on_destructive: false` in their config
+  (NOT RECOMMENDED in production — a compromised MCP client could
+  otherwise mass-execute destructive tools without surfacing to a human).
+
+- **Security: `SshConfigDiscovery` default off** (FIND-023). `~/.ssh/config`
+  is no longer parsed unless the operator explicitly opts in. Eliminates
+  the implicit on-disk attack surface for hosts not declared in
+  `config.yaml`.
+
+### Security
+
+- **YAML parser: enforce saphyr `Budget` on every parse site**
+  (FIND-001/002/004/032). Caps node count + alias depth + recursion to
+  prevent resource-exhaustion via crafted runbooks/configs.
+- **HTTP transport: defaults to loopback; refuses anonymous public bind.**
+  Public bind requires explicit auth + origin allowlist.
+- **HTTP middleware: timeout + body-limit + request-id + sensitive-header
+  redaction** (FIND-005).
+- **JWT: signature verification via `jsonwebtoken` (Vuln 2)** + require
+  `sub`/`iss`/`aud` spec claims (FIND-007).
+- **OAuth: load keys at boot, share `Arc<OAuthValidator>`** (FIND-006).
+- **russh: pin `Preferred` algorithms + rekey limits** (FIND-008).
+- **SSH errors: sanitize at every connect-phase site** (FIND-016) —
+  no more leaking key paths/host details on auth failure.
+- **Path traversal: canonicalize in `validate_root_scope` (Vuln 11).**
+- **Audit log: sanitize commands before write** — no plaintext secrets.
+- **Heredoc: randomize terminator in `template_apply`** — defeats
+  attacker-supplied terminator injection.
+- **Env vars: validate names in `file_template` builder.**
+- **LDAP: RFC 4515-escape values in filters.**
+- **systemd: allowlist `unit_type` in `list_command`.**
+- **Firewall: allowlist protocol values.**
+- **Blacklist matcher: normalize `${IFS}` / `$'\t'` / line-continuation
+  before match** (defeats common bypass tricks).
+- **Per-session isolation:**
+  - `PendingRequests` (Vuln 8 part 2) + UUID-based unguessable IDs
+    (Vuln 8 part 1)
+  - `SessionCapabilities` (Vuln 9)
+  - `active_requests` map (FIND-038)
+  - `runtime` / `notification` / `resource_subs` / `roots` (FIND-033/034/036/037)
+  - `log_level` (FIND-035)
+- **Secret zeroization:**
+  - `HostConfig.sudo_password` (FIND-028)
+  - `db_password` Args (FIND-029)
+  - vault `Args.data` (FIND-030)
+  - `SocksProxyConfig.password` (FIND-014)
+  - vault/db secrets piped via stdin/tempfile (FIND-031)
+- **`deny_unknown_fields` on every config + runbook struct** (FIND-017) —
+  unknown keys are now hard errors, not silent ignores.
+
+### Changed
+
+- **Reliability: replace `expect`/`unwrap` with `?`/`Err` on Result-returning
+  functions** (FIND-010/011/012/013).
+- **Clippy clean across `--workspace --all-targets --all-features`**
+  (FIND-019/020).
+- **CI: `cargo-geiger` fallback + baseline** (FIND-021).
+- **Domain layer: move YAML helper into domain/** (hexagonal compliance).
+
+### Removed / Deps
+
+- **Drop archived `shellexpand`, use `dirs::home_dir`** (FIND-025).
+- **Patch `winrm-rs` to drop obsolete `reqwest` feature** (FIND-018).
+- **Supply-chain monitoring entries for `saphyr` + `tokio-socks`**
+  (FIND-026/027).
+
 ## [1.16.0] - 2026-05-03
 
 ### Summary

@@ -3,7 +3,7 @@ members = [".", "crates/mcp-ssh-bridge-macros"]
 
 [package]
 name = "mcp-ssh-bridge"
-version = "1.16.1"
+version = "1.17.0"
 edition = "2024"
 rust-version = "1.94"
 description = "MCP server that bridges Claude Code to air-gapped environments via SSH"
@@ -93,7 +93,6 @@ regex = "1"
 aho-corasick = "1"
 chrono = { version = "0.4", default-features = false, features = ["clock", "serde", "std"] }
 dirs = "6"
-shellexpand = "3"
 tokio-socks = "0.5"
 async-trait = "0.1"
 sha2 = "0.10"
@@ -110,7 +109,7 @@ rayon = "1"
 # HTTP transport (optional, for Streamable HTTP + OAuth)
 axum = { version = "0.8", features = ["json"], optional = true }
 tower = { version = "0.5", optional = true }
-tower-http = { version = "0.6", features = ["cors", "limit"], optional = true }
+tower-http = { version = "0.6", features = ["cors", "limit", "timeout", "request-id", "sensitive-headers"], optional = true }
 hyper-util = { version = "0.1", features = ["tokio"], optional = true }
 tokio-stream = { version = "0.1", optional = true }
 
@@ -149,6 +148,7 @@ tracing-opentelemetry = { version = "0.32", optional = true }
 similar = "2.6"
 inventory = "0.3"
 mcp-ssh-bridge-macros = { version = "0.1.0", path = "crates/mcp-ssh-bridge-macros" }
+jsonwebtoken = "9"
 
 [dev-dependencies]
 tempfile = "3"
@@ -157,6 +157,7 @@ filetime = "0.2"
 tracing-test = "0.2"
 proptest = "1"
 insta = { version = "1", features = ["json", "yaml"] }
+base64 = "0.22.1"
 
 [[bench]]
 name = "validator_bench"
@@ -224,3 +225,12 @@ missing_errors_doc = "allow"
 missing_panics_doc = "allow"
 module_name_repetitions = "allow"
 must_use_candidate = "allow"
+
+# =============================================================================
+# Patch overrides (FIND-018 / audit 2026-05-09)
+# =============================================================================
+# winrm-rs 1.0 on crates.io declares an obsolete reqwest feature
+# (`webpki-roots`) that blocks `cargo outdated` resolution. Local fork
+# carries the fix; pin to it until winrm-rs > 1.0 is published.
+[patch.crates-io]
+winrm-rs = { git = "https://github.com/muchiny/winrm-rs.git", rev = "573dadf5abcaed681f65999f216164c9f33a6250" }
@@ -159,7 +159,15 @@ security-audit: audit deny security-tests geiger
 
 # Scan for unsafe code in dependencies (requires cargo-geiger)
 geiger:
-	@command -v cargo-geiger >/dev/null 2>&1 && cargo geiger --all-features --output-format ascii || echo "cargo-geiger not installed, run: cargo install cargo-geiger --locked"
+	@command -v cargo-geiger >/dev/null 2>&1 || { echo "cargo-geiger not installed, run: cargo install cargo-geiger --locked"; exit 0; }
+	@# FIND-021 (audit 2026-05-09): cloud features (aws-sdk, azure, gcp)
+	@# pull nkeys-0.4.5 which cargo-geiger fails to extract on a cold
+	@# graph. Pre-fetch first; if extraction still fails on --all-features,
+	@# fall back to --forbid-only (acceptable since the workspace already
+	@# enforces `#![forbid(unsafe_code)]`).
+	@cargo fetch >/dev/null 2>&1 || true
+	@cargo geiger --all-features --output-format Ascii 2>/dev/null \
+	    || cargo geiger --forbid-only --output-format Ascii
 
 # Check for semver-breaking API changes (requires cargo-semver-checks)
 semver-checks: