Releases: pdudotdev/aiNOC

v4.0.0

02 Mar 11:56

v4.0 is a major quality, reliability, and security release - no new protocols or vendors, but a hardened foundation for v5.0.

Security & Safety:

  • push_config now enforces maintenance windows (blocked outside policy)
  • run_show restricted to read-only commands (no config bypass)
  • RouterOS REST validation - forbidden paths blocked, POST rejected
  • Syslog prompt injection mitigation (sanitize + delimiter)
  • Expanded forbidden command set (5 → 14 patterns)
  • TLS/SSL configurable per transport (VERIFY_TLS, ROUTEROS_USE_HTTPS, SSH_STRICT_HOST_KEY)

Architecture:

  • Monolithic MCPServer.py (798 lines) decomposed into tools/, transport/, cache.py, input_models/
  • Bounded LRU cache (256 entries, TTL-based eviction)
  • Connection pooling for eAPI and REST transports
  • HTTP timeouts on all device and Jira connections
  • Structured JSON logging with configurable levels

Troubleshooting Methodology:

  • 6 Core Troubleshooting Principles (mandatory, ordered) - see CLAUDE.md.example
  • Standalone Mode rewritten - 10 deterministic steps with decision gates
  • Protocol skill prerequisite gates (interfaces + neighbors verified before deep investigation)
  • Role-aware risk assessment using INTENT.json and SLA paths

On-Call & Operational:

  • SLA recovery (Up) event detection and logging
  • Daemon mode (-d flag) with tmux session support
  • systemd service file (oncall-watcher.service) for production deployment
  • Pre-change snapshot support in push_config
  • Rollback advisory generation for all config changes

Testing:

  • 217 unit tests across 9 test files (up from 3 in v3.0)
  • 4 integration test files with NO_LAB skip guards
  • 13 manual E2E scenarios (8 standalone, 2 on-call, 3 watcher)
  • Pydantic Literal validation on all query parameters