Skip to content

Added read-only tool annotations & --read-only CLI flag #604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Added read-only tool annotations & --read-only CLI flag #604

Show file tree
Hide file tree
Changes from 17 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
49743fb
add read-only flag & apply to core tools
localconst Oct 11, 2025
e69b77a
add readonly for pipeline tools
localconst Oct 12, 2025
0ed0fe0
update search tools
localconst Oct 12, 2025
13e4bea
update work tools
localconst Oct 12, 2025
59fdebb
update repo tools
localconst Oct 12, 2025
472e648
bump version to 2.3.0
localconst Oct 12, 2025
ba2415e
update work items
localconst Oct 12, 2025
413a7f5
update test plan tools
localconst Oct 12, 2025
45578c2
update wiki tools
localconst Oct 12, 2025
c8b9cfd
encapsulate wi tools helpers
localconst Oct 12, 2025
f514e5d
update advsec tools
localconst Oct 12, 2025
912280e
add read-only mode tests
localconst Oct 16, 2025
4219bb1
Merge branch 'main' of https://github.com/localconst/azure-devops-mcp…
localconst Oct 16, 2025
ee3d901
add description to readme
localconst Oct 16, 2025
2d265a3
npm run format
localconst Oct 16, 2025
b6c2d6b
add RegisteredTool type for consistency
localconst Oct 16, 2025
0c43a65
use var for readonly bool in tests for consistency
localconst Oct 17, 2025
f8785c1
Merge branch 'main' into readonly-mode
localconst Oct 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 30 additions & 4 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,11 @@ This TypeScript project provides a **local** MCP server for Azure DevOps, enabli
3. [⚙️ Supported Tools](#️-supported-tools)
4. [🔌 Installation & Getting Started](#-installation--getting-started)
5. [🌏 Using Domains](#-using-domains)
6. [📝 Troubleshooting](#-troubleshooting)
7. [🎩 Examples & Best Practices](#-examples--best-practices)
8. [🙋‍♀️ Frequently Asked Questions](#️-frequently-asked-questions)
9. [📌 Contributing](#-contributing)
6. [📖 Read-Only Mode](#-read-only-mode)
7. [📝 Troubleshooting](#-troubleshooting)
8. [🎩 Examples & Best Practices](#-examples--best-practices)
9. [🙋‍♀️ Frequently Asked Questions](#️-frequently-asked-questions)
10. [📌 Contributing](#-contributing)

## 📺 Overview

Expand Down Expand Up @@ -261,6 +262,31 @@ We recommend that you always enable `core` tools so that you can fetch project l

> By default all domains are loaded

## 📖 Read-Only Mode

For environments where you want to prevent any modifications to your Azure DevOps resources, use the `--read-only` flag. This mode exposes only read-only tools (like listing projects, getting work items, viewing pull requests) while hiding all tools that create, update, or delete data.

Add the `--read-only` argument to the server args in your `mcp.json`:

```json
{
"inputs": [
{
"id": "ado_org",
"type": "promptString",
"description": "Azure DevOps organization name (e.g. 'contoso')"
}
],
"servers": {
"ado_readonly": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@azure-devops/mcp", "${input:ado_org}", "--read-only"]
}
}
}
```

## 📝 Troubleshooting

See the [Troubleshooting guide](./docs/TROUBLESHOOTING.md) for help with common issues and logging.
Expand Down
4 changes: 2 additions & 2 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@azure-devops/mcp",
"version": "2.2.1",
"version": "2.3.0",
"description": "MCP server for interacting with Azure DevOps",
"license": "MIT",
"author": "Microsoft Corporation",
Expand Down
9 changes: 8 additions & 1 deletion src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,11 @@ const argv = yargs(hideBin(process.argv))
describe: "Azure tenant ID (optional, applied when using 'interactive' and 'azcli' type of authentication)",
type: "string",
})
.option("read-only", {
describe: "Run the server in read-only mode (no write/update tools exposed)",
type: "boolean",
default: false,
})
.help()
.parseSync();

Expand Down Expand Up @@ -97,7 +102,9 @@ async function main() {
// removing prompts untill further notice
// configurePrompts(server);

configureAllTools(server, authenticator, getAzureDevOpsClient(authenticator, userAgentComposer), () => userAgentComposer.userAgent, enabledDomains);
const isReadOnlyMode = argv["read-only"];

configureAllTools(server, authenticator, getAzureDevOpsClient(authenticator, userAgentComposer), () => userAgentComposer.userAgent, enabledDomains, isReadOnlyMode);

const transport = new StdioServerTransport();
await server.connect(transport);
Expand Down
27 changes: 17 additions & 10 deletions src/tools.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,29 @@ import { configureWikiTools } from "./tools/wiki.js";
import { configureWorkTools } from "./tools/work.js";
import { configureWorkItemTools } from "./tools/work-items.js";

function configureAllTools(server: McpServer, tokenProvider: () => Promise<string>, connectionProvider: () => Promise<WebApi>, userAgentProvider: () => string, enabledDomains: Set<string>) {
function configureAllTools(
server: McpServer,
tokenProvider: () => Promise<string>,
connectionProvider: () => Promise<WebApi>,
userAgentProvider: () => string,
enabledDomains: Set<string>,
isReadOnlyMode: boolean
) {
const configureIfDomainEnabled = (domain: string, configureFn: () => void) => {
if (enabledDomains.has(domain)) {
configureFn();
}
};

configureIfDomainEnabled(Domain.CORE, () => configureCoreTools(server, tokenProvider, connectionProvider, userAgentProvider));
configureIfDomainEnabled(Domain.WORK, () => configureWorkTools(server, tokenProvider, connectionProvider));
configureIfDomainEnabled(Domain.PIPELINES, () => configurePipelineTools(server, tokenProvider, connectionProvider, userAgentProvider));
configureIfDomainEnabled(Domain.REPOSITORIES, () => configureRepoTools(server, tokenProvider, connectionProvider, userAgentProvider));
configureIfDomainEnabled(Domain.WORK_ITEMS, () => configureWorkItemTools(server, tokenProvider, connectionProvider, userAgentProvider));
configureIfDomainEnabled(Domain.WIKI, () => configureWikiTools(server, tokenProvider, connectionProvider, userAgentProvider));
configureIfDomainEnabled(Domain.TEST_PLANS, () => configureTestPlanTools(server, tokenProvider, connectionProvider));
configureIfDomainEnabled(Domain.SEARCH, () => configureSearchTools(server, tokenProvider, connectionProvider, userAgentProvider));
configureIfDomainEnabled(Domain.ADVANCED_SECURITY, () => configureAdvSecTools(server, tokenProvider, connectionProvider));
configureIfDomainEnabled(Domain.CORE, () => configureCoreTools(server, tokenProvider, connectionProvider, userAgentProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.WORK, () => configureWorkTools(server, tokenProvider, connectionProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.PIPELINES, () => configurePipelineTools(server, tokenProvider, connectionProvider, userAgentProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.REPOSITORIES, () => configureRepoTools(server, tokenProvider, connectionProvider, userAgentProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.WORK_ITEMS, () => configureWorkItemTools(server, tokenProvider, connectionProvider, userAgentProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.WIKI, () => configureWikiTools(server, tokenProvider, connectionProvider, userAgentProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.TEST_PLANS, () => configureTestPlanTools(server, tokenProvider, connectionProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.SEARCH, () => configureSearchTools(server, tokenProvider, connectionProvider, userAgentProvider, isReadOnlyMode));
configureIfDomainEnabled(Domain.ADVANCED_SECURITY, () => configureAdvSecTools(server, tokenProvider, connectionProvider, isReadOnlyMode));
}

export { configureAllTools };
Loading