AIML-396: Preparation for v1.0.0 release #81

Merged
ChrisEdwards merged 4 commits into main from AIML-396-v1-release-prep
Jan 16, 2026

Conversation

@ChrisEdwards
Collaborator

Why This Change Exists

We're preparing to release v1.0.0 of the Contrast MCP Server. This is a major milestone release that represents months of work consolidating 27 inconsistently-named tools into 13 well-designed tools, fixing critical bugs, and adding significant new capabilities.

Before cutting the release, we need documentation that helps users understand:

  1. What changed - A comprehensive changelog documenting breaking changes, bug fixes, and new features
  2. What's available - A quick reference of all 13 tools so users can discover capabilities
  3. How to release - Updated release documentation now that we're past 1.0

Approach We Chose

This PR focuses purely on documentation updates to prepare for the release:

  1. CHANGELOG.md - Comprehensive release notes following Keep a Changelog format
  2. README.md updates - Added "What's New" link and "Available Tools" quick reference
  3. RELEASING.md updates - Removed outdated pre-1.0 versioning note, added example for MAJOR changes

Outcome of this Change

Users and maintainers now have:

  • Complete documentation of all v1.0.0 changes (breaking changes, bug fixes, new features, performance improvements)
  • Quick-reference table of all 13 tools organized by category
  • Clear path to CHANGELOG for release history
  • Updated release process documentation for semantic versioning

The Chain of Logic

Step 1: Document the Release (CHANGELOG.md)

The v1.0.0 release includes significant changes that users need to understand before upgrading:

Breaking Changes - Tool consolidation requires users to update their prompts:

  • 27 tools → 13 tools with consistent naming
  • app_name → appId parameter change
  • sessionMetadataName/Value → sessionMetadataFilters JSON

Critical Bug Fixes - These were preventing core functionality:

  • Date filtering caused HTTP 400 errors
  • Status filtering was silently ignored
  • Multi-word keyword search returned 0 results

New Capabilities - JSON metadata filtering, pagination, performance improvements

The CHANGELOG follows Keep a Changelog format with clear sections for each type of change.

Step 2: Make Tools Discoverable (README.md)

Users need to quickly understand what the MCP server can do. Added:

  1. "What's New" section - Links to CHANGELOG for release history
  2. "Available Tools" section - Table of all 13 tools organized by category:
    • Applications (2 tools)
    • Vulnerabilities (4 tools)
    • Libraries/SCA (2 tools)
    • Protection/ADR (2 tools)
    • Coverage (1 tool)
    • SAST (2 tools)

Step 3: Update Release Process (RELEASING.md)

The old documentation mentioned "pre-1.0 releases use 0.0.X versioning" which is now outdated. Updated to:

  • Remove the pre-1.0 note
  • Add example for MAJOR version changes (tool renames, parameter changes)

Step 4: Update Manual Test Documentation

Minor update to expected CVE counts in manual test files to reflect current test data.


What Changed

| File | Change |
|------|--------|
| CHANGELOG.md | NEW - 107-line comprehensive release notes for v1.0.0 |
| README.md | Added "What's New" section with CHANGELOG link |
| README.md | Added "Available Tools" section with 13 tools in 6 categories |
| RELEASING.md | Removed pre-1.0 versioning note, added MAJOR change example |
| manual-tests/*.md | Updated expected CVE counts (72→70, 22→21, 79→77) |

Key additions to README.md

## What's New

See [CHANGELOG.md](CHANGELOG.md) for the complete release history...

## Available Tools

The Contrast MCP Server provides 13 tools for security analysis...

### Applications
| Tool | Description |
|------|-------------|
| `search_applications` | Search applications by name, tag, or metadata filters |
| `get_session_metadata` | Get session metadata fields available for an application |
...

Test Coverage

This PR contains only documentation changes - no code changes requiring tests.

Verification performed:

  • ls -la CHANGELOG.md - File exists
  • ✅ Tool count verified: 13 tools match documentation
  • make format && make check - Passes
  • ✅ All links valid (CHANGELOG.md exists at repo root)

Remove outdated "pre-1.0 releases" note since we're now releasing
v1.0.0. Add example for MAJOR version changes relevant to MCP servers
(tool renames, parameter changes).

- Add "What's New" section with link to CHANGELOG.md for release history
- Add "Available Tools" section documenting all 13 MCP tools organized
  by category (Applications, Vulnerabilities, Libraries, Protection,
  Coverage, SAST) with brief descriptions

Helps users discover available capabilities and breaking changes.

Document all changes for the 1.0.0 release including:
- Breaking changes (tool consolidation, appId requirement, field renames)
- Critical bug fixes (date filtering, status filtering, keyword search)
- New capabilities (JSON metadata filtering, pagination, rules parameter)
- Performance improvements (31x faster app search, N+1 elimination)
- Security patches for Docker image

Update CVE affected application counts to reflect current test data:
- CVE-2025-31651: 72 → 70 apps
- CVE-2025-41248: 22 → 21 apps
- CVE-2025-22233: 79 → 77 apps

| CVE-2025-41248 | High | spring-security-core | 22 | Spring Security annotation bypass |
| CVE-2025-22233 | Low | spring-context | 79 | Spring Framework disallowedFields bypass |
| CVE-2025-48989 | High | tomcat-embed-core | 72 | Apache Tomcat reset attack |
| CVE-2025-31651 | Critical | tomcat-embed-core | 70 | Apache Tomcat rewrite rule bypass |
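
Review bot: The application-count column in these rows (22, 79, 72, 70) pins exact numbers taken from staging, and the commit message shows three of them had already drifted (72 → 70, 22 → 21, 79 → 77). Consider recording the environment and the date the counts were checked next to the table, or documenting that a small difference is expected, so the next mismatch is not read as a test failure. Also confirm that the CVE-2025-48989 row should keep 72, since that is the old value the commit message lists for CVE-2025-31651.
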
Collaborator Author

The changes in this file just update the expectations to match the data in staging. No need to review as it's not production code. I manually verified the numbers in the Contrast UI.

### Step 2: Derive Expected Values Using Code

**CRITICAL: Do NOT manually count values by visually inspecting the JSON response.**
**CRITICAL--THIS IS EXTREMELY IMPORTANT!!!: Do NOT manually count values by visually inspecting the JSON response.**
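
Review bot: The replacement line starting "CRITICAL--THIS IS EXTREMELY IMPORTANT!!!" only raises the emphasis and leaves the instruction itself unchanged. If the earlier wording was being ignored, say what to do instead, in line with the "Derive Expected Values Using Code" heading (for example, compute the counts from the JSON response with a script and quote the computed number), and say what to do when the computed value differs from the documented one, rather than adding capitals and exclamation marks.
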
Collaborator Author

Same with this file

@ChrisEdwards ChrisEdwards merged commit 5cd48c7 into main Jan 16, 2026
4 checks passed