feat: add EASM service and AWS Secrets Manager integration for Bedrock Agentcore, fix ZDX SDK bugs (#20)

* feat: add ZEASM service and AWS Secrets Manager integration for Bedrock Agentcore, fix ZDX SDK bugs

Author: willguibr

CHANGELOG.md

@@ -1,5 +1,63 @@
 # Zscaler Integrations MCP Server Changelog
 
+## 0.5.0 (November 22, 2025) - AWS Bedrock AgentCore Security Enhancement
+
+> **⚠️ Important:** This release contains enhancements specific to **AWS Bedrock AgentCore deployments only**. These changes are maintained in a separate private AWS-specific repository and do **not** modify the core Zscaler MCP Server in this repository. Standard MCP server functionality remains unchanged.
+
+### Notes
+
+- Python Versions: **v3.11, v3.12, v3.13**
+
+### Enhancements
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - 🔐 AWS Bedrock AgentCore Security Enhancements
+
+**Container-Based Secrets Manager Integration:**
+
+- Container retrieves Zscaler API credentials from AWS Secrets Manager at runtime
+- **Zero credentials exposed** in AgentCore configuration, CloudFormation templates, or deployment scripts
+- Secrets encrypted at rest with AWS KMS and in transit via TLS
+- Full CloudTrail audit logging for all secret access
+- Backward compatible - supports both Secrets Manager and direct environment variable approaches
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - **CloudFormation Automation:**
+
+- One-click deployment via Launch Stack button
+- Automated AgentCore runtime deployment with conditional secret creation
+- IAM execution roles with Secrets Manager permissions automatically configured
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Added ZEASM (External Attack Surface Management) service with 7 read-only tools: `zeasm_list_organizations`, `zeasm_list_findings`, `zeasm_get_finding_details`, `zeasm_get_finding_evidence`, `zeasm_get_finding_scan_output`, `zeasm_list_lookalike_domains`, `zeasm_get_lookalike_domain`
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Updated README.md with EASM tools documentation
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Created EASM documentation in `docsrc/tools/easm/index.rst`
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Updated `docsrc/tools/index.rst` with EASM service reference
+
+### Bug Fixes
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed ZDX `zdx_list_alerts` calling wrong SDK method (`alerts.read` → `alerts.list_ongoing`)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed ZDX `zdx_list_alert_affected_devices` calling wrong SDK method (`alerts.read_affected_devices` → `alerts.list_affected_devices`)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed ZDX `zdx_list_application_users` calling wrong SDK method (`apps.list_users` → `apps.list_app_users`)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed ZDX `zdx_get_application_user` calling wrong SDK method and incorrect return handling (`apps.get_user` → `apps.get_app_user`)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed ZDX `zdx_list_software` calling wrong SDK method and incorrect return handling (`inventory.list_software` → `inventory.list_softwares`)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed ZDX `zdx_get_software_details` calling wrong SDK method (`inventory.get_software` → `inventory.list_software_keys`)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed ZDX `zdx_get_device_deep_trace` incorrect return handling (SDK returns list, not single object)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed syntax error in `services.py` ZIdentityService (missing `description` key in tool registration)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed EASM tools incorrect `use_legacy` parameter handling (removed invalid syntax)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Fixed `ZSCALER_CUSTOMER_ID` incorrectly required for non-ZPA services (now only required for ZPA)
+
+[PR #20](https://github.com/zscaler/zscaler-mcp-server/pull/20) - Updated ZDX unit tests to match corrected SDK method names (42 tests)
+
 ## 0.4.0 (November 19, 2025)
 
 ### Notes
@@ -24,7 +82,6 @@
 
 [PR #15](https://github.com/zscaler/zscaler-mcp-server/pull/15) - Added custom User-Agent header support with format `zscaler-mcp-server/VERSION python/VERSION os/arch`. Users can append AI agent information via `--user-agent-comment` flag or `ZSCALER_MCP_USER_AGENT_COMMENT` environment variable.
 
-
 ## 0.3.1 (October 28, 2025) - Tool Registration & Naming Updates
 
 ### Added

README.md

@@ -56,9 +56,6 @@
   - [Cursor](#cursor)
   - [Visual Studio Code + GitHub Copilot](#visual-studio-code-github-copilot)
 - [Troubleshooting](#troubleshooting)
-- [Contributing](#contributing)
-  - [Getting Started for Contributors](#getting-started-for-contributors)
-  - [Running Tests](#running-tests)
 - [License](#license)
 
 ## 📺 Overview
@@ -443,7 +440,6 @@ ZIA provides both **read-only** and **write** tools. Write operations require `-
 
 | Tool Name | Description | Type |
 |-----------|-------------|------|
-| `zia_list_dlp_dictionaries` | List DLP dictionaries | Read-only |
 | `zia_get_dlp_dictionary` | Get a specific DLP dictionary | Read-only |
 | `zia_list_dlp_engines` | List DLP engines | Read-only |
 | `zia_get_dlp_engine` | Get a specific DLP engine | Read-only |
@@ -702,6 +698,32 @@ ZTW provides both **read-only** and **write** tools. Write operations require `-
 |-----------|-------------|------|
 | `ztw_get_discovery_settings` | Get workload discovery service settings | Read-only |
 
+### EASM - External Attack Surface Management
+
+EASM provides **read-only** tools for monitoring your organization's external attack surface, including findings and lookalike domains.
+
+#### Organizations
+
+| Tool Name | Description | Type |
+|-----------|-------------|------|
+| `zeasm_list_organizations` | List all EASM organizations configured for the tenant | Read-only |
+
+#### Findings
+
+| Tool Name | Description | Type |
+|-----------|-------------|------|
+| `zeasm_list_findings` | List all findings for an organization's internet-facing assets | Read-only |
+| `zeasm_get_finding_details` | Get detailed information for a specific finding | Read-only |
+| `zeasm_get_finding_evidence` | Get scan evidence attributed to a specific finding | Read-only |
+| `zeasm_get_finding_scan_output` | Get complete scan output for a specific finding | Read-only |
+
+#### Lookalike Domains
+
+| Tool Name | Description | Type |
+|-----------|-------------|------|
+| `zeasm_list_lookalike_domains` | List all lookalike domains detected for an organization | Read-only |
+| `zeasm_get_lookalike_domain` | Get details for a specific lookalike domain | Read-only |
+
 ## Installation & Setup
 
 ### Prerequisites
@@ -1137,7 +1159,7 @@ The following environment variables control MCP server behavior (not authenticat
 | `ZSCALER_MCP_SERVICES` | `""` | Comma-separated list of services to enable (empty = all services). Supported values: `zcc`, `zdx`, `zia`, `zidentity`, `zpa`, `ztw` |
 | `ZSCALER_MCP_TOOLS` | `""` | Comma-separated list of specific tools to enable (empty = all tools) |
 | `ZSCALER_MCP_WRITE_ENABLED` | `false` | Enable write operations (`true`/`false`). When `false`, only read-only tools are available. Set to `true` or use `--enable-write-tools` flag to unlock write mode. |
-| `ZSCALER_MCP_WRITE_TOOLS` | `""` | **MANDATORY** comma-separated allowlist of write tools (supports wildcards like `zpa_create_*`). Requires `ZSCALER_MCP_WRITE_ENABLED=true`. If empty when write mode enabled, 0 write tools registered. |
+| `ZSCALER_MCP_WRITE_TOOLS` | `""` | **MANDATORY** comma-separated allowlist of write tools (supports wildcards like `zpa_*`). Requires `ZSCALER_MCP_WRITE_ENABLED=true`. If empty when write mode enabled, 0 write tools registered. |
 | `ZSCALER_MCP_DEBUG` | `false` | Enable debug logging (`true`/`false`) |
 | `ZSCALER_MCP_HOST` | `127.0.0.1` | Host to bind to for HTTP transports |
 | `ZSCALER_MCP_PORT` | `8000` | Port to listen on for HTTP transports |