@azure-devops/mcp 2.1.0-nightly.20250921 → 2.2.0-nightly.20250923

package/README.md

@@ -152,16 +152,7 @@ For the best experience, use Visual Studio Code and GitHub Copilot. See the [get
 
 1. Install [VS Code](https://code.visualstudio.com/download) or [VS Code Insiders](https://code.visualstudio.com/insiders)
 2. Install [Node.js](https://nodejs.org/en/download) 20+
-3. Install [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
-4. Open VS Code in an empty folder
-
-### Azure Login
-
-Ensure you are logged in to Azure DevOps via the Azure CLI:
-
-```sh
-az login
-```
+3. Open VS Code in an empty folder
 
 ### Installation
 
@@ -232,7 +223,7 @@ Click "Select Tools" and choose the available tools.
 
 ![configure mcp server tools](./docs/media/configure-mcp-server-tools.gif)
 
-Open GitHub Copilot Chat and try a prompt like `List ADO projects`.
+Open GitHub Copilot Chat and try a prompt like `List ADO projects`. The first time an ADO tool is executed browser will open prompting to login with your Microsoft account. Please ensure you are using credentials matching selected Azure DevOps organization.
 
 > 💥 We strongly recommend creating a `.github\copilot-instructions.md` in your project. This will enhance your experience using the Azure DevOps MCP Server with GitHub Copilot Chat.
 > To start, just include "`This project uses Azure DevOps. Always check to see if the Azure DevOps MCP server has a tool relevant to the user's request`" in your copilot instructions file.

package/dist/auth.js

@@ -0,0 +1,74 @@
+import { AzureCliCredential, ChainedTokenCredential, DefaultAzureCredential } from "@azure/identity";
+import { PublicClientApplication } from "@azure/msal-node";
+import open from "open";
+const scopes = ["499b84ac-1321-427f-aa17-267ca6975798/.default"];
+class OAuthAuthenticator {
+    static clientId = "0d50963b-7bb9-4fe7-94c7-a99af00b5136";
+    static defaultAuthority = "https://login.microsoftonline.com/common";
+    accountId;
+    publicClientApp;
+    constructor(tenantId) {
+        this.accountId = null;
+        this.publicClientApp = new PublicClientApplication({
+            auth: {
+                clientId: OAuthAuthenticator.clientId,
+                authority: tenantId ? `https://login.microsoftonline.com/${tenantId}` : OAuthAuthenticator.defaultAuthority,
+            },
+        });
+    }
+    async getToken() {
+        let authResult = null;
+        if (this.accountId) {
+            try {
+                authResult = await this.publicClientApp.acquireTokenSilent({
+                    scopes,
+                    account: this.accountId,
+                });
+            }
+            catch (error) {
+                authResult = null;
+            }
+        }
+        if (!authResult) {
+            authResult = await this.publicClientApp.acquireTokenInteractive({
+                scopes,
+                openBrowser: async (url) => {
+                    open(url);
+                },
+            });
+            this.accountId = authResult.account;
+        }
+        if (!authResult.accessToken) {
+            throw new Error("Failed to obtain Azure DevOps OAuth token.");
+        }
+        return authResult.accessToken;
+    }
+}
+function createAuthenticator(type, tenantId) {
+    switch (type) {
+        case "azcli":
+        case "env":
+            if (type !== "env") {
+                process.env.AZURE_TOKEN_CREDENTIALS = "dev";
+            }
+            let credential = new DefaultAzureCredential(); // CodeQL [SM05138] resolved by explicitly setting AZURE_TOKEN_CREDENTIALS
+            if (tenantId) {
+                // Use Azure CLI credential if tenantId is provided for multi-tenant scenarios
+                const azureCliCredential = new AzureCliCredential({ tenantId });
+                credential = new ChainedTokenCredential(azureCliCredential, credential);
+            }
+            return async () => {
+                const result = await credential.getToken(scopes);
+                if (!result) {
+                    throw new Error("Failed to obtain Azure DevOps token. Ensure you have Azure CLI logged or use interactive type of authentication.");
+                }
+                return result.token;
+            };
+        default:
+            const authenticator = new OAuthAuthenticator(tenantId);
+            return () => {
+                return authenticator.getToken();
+            };
+    }
+}
+export { createAuthenticator };

package/dist/index.js

@@ -4,14 +4,19 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import * as azdev from "azure-devops-node-api";
-import { AzureCliCredential, ChainedTokenCredential, DefaultAzureCredential } from "@azure/identity";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
+import { createAuthenticator } from "./auth.js";
+import { getOrgTenant } from "./org-tenants.js";
 import { configurePrompts } from "./prompts.js";
 import { configureAllTools } from "./tools.js";
 import { UserAgentComposer } from "./useragent.js";
 import { packageVersion } from "./version.js";
 import { DomainsManager } from "./shared/domains.js";
+function isGitHubCodespaceEnv() {
+    return process.env.CODESPACES === "true" && !!process.env.CODESPACE_NAME;
+}
+const defaultAuthenticationType = isGitHubCodespaceEnv() ? "azcli" : "interactive";
 // Parse command line arguments using yargs
 const argv = yargs(hideBin(process.argv))
     .scriptName("mcp-server-azuredevops")
@@ -30,42 +35,29 @@ const argv = yargs(hideBin(process.argv))
     type: "string",
     array: true,
     default: "all",
+})
+    .option("authentication", {
+    alias: "a",
+    describe: "Type of authentication to use. Supported values are 'interactive', 'azcli' and 'env' (default: 'interactive')",
+    type: "string",
+    choices: ["interactive", "azcli", "env"],
+    default: defaultAuthenticationType,
 })
     .option("tenant", {
     alias: "t",
-    describe: "Azure tenant ID (optional, required for multi-tenant scenarios)",
+    describe: "Azure tenant ID (optional, applied when using 'interactive' and 'azcli' type of authentication)",
     type: "string",
 })
     .help()
     .parseSync();
-const tenantId = argv.tenant;
 export const orgName = argv.organization;
 const orgUrl = "https://dev.azure.com/" + orgName;
 const domainsManager = new DomainsManager(argv.domains);
 export const enabledDomains = domainsManager.getEnabledDomains();
-async function getAzureDevOpsToken() {
-    if (process.env.ADO_MCP_AZURE_TOKEN_CREDENTIALS) {
-        process.env.AZURE_TOKEN_CREDENTIALS = process.env.ADO_MCP_AZURE_TOKEN_CREDENTIALS;
-    }
-    else {
-        process.env.AZURE_TOKEN_CREDENTIALS = "dev";
-    }
-    let credential = new DefaultAzureCredential(); // CodeQL [SM05138] resolved by explicitly setting AZURE_TOKEN_CREDENTIALS
-    if (tenantId) {
-        // Use Azure CLI credential if tenantId is provided for multi-tenant scenarios
-        const azureCliCredential = new AzureCliCredential({ tenantId });
-        credential = new ChainedTokenCredential(azureCliCredential, credential);
-    }
-    const token = await credential.getToken("499b84ac-1321-427f-aa17-267ca6975798/.default");
-    if (!token) {
-        throw new Error("Failed to obtain Azure DevOps token. Ensure you have Azure CLI logged in or another token source setup correctly.");
-    }
-    return token;
-}
-function getAzureDevOpsClient(userAgentComposer) {
+function getAzureDevOpsClient(getAzureDevOpsToken, userAgentComposer) {
     return async () => {
-        const token = await getAzureDevOpsToken();
-        const authHandler = azdev.getBearerHandler(token.token);
+        const accessToken = await getAzureDevOpsToken();
+        const authHandler = azdev.getBearerHandler(accessToken);
         const connection = new azdev.WebApi(orgUrl, authHandler, undefined, {
             productName: "AzureDevOps.MCP",
             productVersion: packageVersion,
@@ -83,8 +75,10 @@ async function main() {
     server.server.oninitialized = () => {
         userAgentComposer.appendMcpClientInfo(server.server.getClientVersion());
     };
+    const tenantId = (await getOrgTenant(orgName)) ?? argv.tenant;
+    const authenticator = createAuthenticator(argv.authentication, tenantId);
     configurePrompts(server);
-    configureAllTools(server, getAzureDevOpsToken, getAzureDevOpsClient(userAgentComposer), () => userAgentComposer.userAgent, enabledDomains);
+    configureAllTools(server, authenticator, getAzureDevOpsClient(authenticator, userAgentComposer), () => userAgentComposer.userAgent, enabledDomains);
     const transport = new StdioServerTransport();
     await server.connect(transport);
 }

package/dist/org-tenants.js

@@ -0,0 +1,73 @@
+import * as fs from "fs/promises";
+import * as os from "os";
+import * as path from "path";
+const CACHE_FILE = path.join(os.homedir(), ".ado_orgs.cache");
+const CACHE_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 1 week in milliseconds
+async function loadCache() {
+    try {
+        const cacheData = await fs.readFile(CACHE_FILE, "utf-8");
+        return JSON.parse(cacheData);
+    }
+    catch (error) {
+        // Cache file doesn't exist or is invalid, return empty cache
+        return {};
+    }
+}
+async function trySavingCache(cache) {
+    try {
+        await fs.writeFile(CACHE_FILE, JSON.stringify(cache, null, 2), "utf-8");
+    }
+    catch (error) {
+        console.error("Failed to save org tenants cache:", error);
+    }
+}
+async function fetchTenantFromApi(orgName) {
+    const url = `https://vssps.dev.azure.com/${orgName}`;
+    try {
+        const response = await fetch(url, { method: "HEAD" });
+        if (response.status !== 404) {
+            throw new Error(`Expected status 404, got ${response.status}`);
+        }
+        const tenantId = response.headers.get("x-vss-resourcetenant");
+        if (!tenantId) {
+            throw new Error("x-vss-resourcetenant header not found in response");
+        }
+        return tenantId;
+    }
+    catch (error) {
+        throw new Error(`Failed to fetch tenant for organization ${orgName}: ${error}`);
+    }
+}
+function isCacheEntryExpired(entry) {
+    return Date.now() - entry.refreshedOn > CACHE_TTL_MS;
+}
+export async function getOrgTenant(orgName) {
+    // Load cache
+    const cache = await loadCache();
+    // Check if tenant is cached and not expired
+    const cachedEntry = cache[orgName];
+    if (cachedEntry && !isCacheEntryExpired(cachedEntry)) {
+        return cachedEntry.tenantId;
+    }
+    // Try to fetch fresh tenant from API
+    try {
+        const tenantId = await fetchTenantFromApi(orgName);
+        // Cache the result
+        cache[orgName] = {
+            tenantId,
+            refreshedOn: Date.now(),
+        };
+        await trySavingCache(cache);
+        return tenantId;
+    }
+    catch (error) {
+        // If we have an expired cache entry, return it as fallback
+        if (cachedEntry) {
+            console.error(`Failed to fetch fresh tenant for ADO org ${orgName}, using expired cache entry:`, error);
+            return cachedEntry.tenantId;
+        }
+        // No cache entry available, log and return empty result
+        console.error(`Failed to fetch tenant for ADO org ${orgName}:`, error);
+        return undefined;
+    }
+}

package/dist/shared/domains.js

@@ -106,12 +106,19 @@ export class DomainsManager {
      * @returns Normalized array of domain strings
      */
     static parseDomainsInput(domainsInput) {
-        if (!domainsInput) {
-            return [];
+        if (!domainsInput || this.isEmptyDomainsInput(domainsInput)) {
+            return ["all"];
         }
         if (typeof domainsInput === "string") {
             return domainsInput.split(",").map((d) => d.trim().toLowerCase());
         }
         return domainsInput.map((d) => d.trim().toLowerCase());
     }
+    static isEmptyDomainsInput(domainsInput) {
+        if (typeof domainsInput === "string" && domainsInput.trim() === "")
+            return true;
+        if (Array.isArray(domainsInput) && domainsInput.length === 0)
+            return true;
+        return false;
+    }
 }

package/dist/tools/advanced-security.js

@@ -7,7 +7,7 @@ const ADVSEC_TOOLS = {
     get_alerts: "advsec_get_alerts",
     get_alert_details: "advsec_get_alert_details",
 };
-function configureAdvSecTools(server, tokenProvider, connectionProvider) {
+function configureAdvSecTools(server, _, connectionProvider) {
     server.tool(ADVSEC_TOOLS.get_alerts, "Retrieve Advanced Security alerts for a repository.", {
         project: z.string().describe("The name or ID of the Azure DevOps project."),
         repository: z.string().describe("The name or ID of the repository to get alerts for."),

package/dist/tools/auth.js

@@ -4,7 +4,7 @@ import { apiVersion } from "../utils.js";
 async function getCurrentUserDetails(tokenProvider, connectionProvider, userAgentProvider) {
     const connection = await connectionProvider();
     const url = `${connection.serverUrl}/_apis/connectionData`;
-    const token = (await tokenProvider()).token;
+    const token = await tokenProvider();
     const response = await fetch(url, {
         method: "GET",
         headers: {
@@ -34,7 +34,7 @@ async function searchIdentities(identity, tokenProvider, connectionProvider, use
     });
     const response = await fetch(`${baseUrl}?${params}`, {
         headers: {
-            "Authorization": `Bearer ${token.token}`,
+            "Authorization": `Bearer ${token}`,
             "Content-Type": "application/json",
             "User-Agent": userAgentProvider(),
         },

package/dist/tools/core.js

@@ -65,7 +65,7 @@ function configureCoreTools(server, tokenProvider, connectionProvider, userAgent
         }
     });
     server.tool(CORE_TOOLS.get_identity_ids, "Retrieve Azure DevOps identity IDs for a provided search filter.", {
-        searchFilter: z.string().describe("Search filter (unique namme, display name, email) to retrieve identity IDs for."),
+        searchFilter: z.string().describe("Search filter (unique name, display name, email) to retrieve identity IDs for."),
     }, async ({ searchFilter }) => {
         try {
             const identities = await searchIdentities(searchFilter, tokenProvider, connectionProvider, userAgentProvider);

package/dist/tools/pipelines.js

@@ -253,7 +253,7 @@ function configurePipelineTools(server, tokenProvider, connectionProvider, userA
             method: "PATCH",
             headers: {
                 "Content-Type": "application/json",
-                "Authorization": `Bearer ${token.token}`,
+                "Authorization": `Bearer ${token}`,
                 "User-Agent": userAgentProvider(),
             },
             body: JSON.stringify(body),

package/dist/tools/search.js

@@ -45,7 +45,7 @@ function configureSearchTools(server, tokenProvider, connectionProvider, userAge
             method: "POST",
             headers: {
                 "Content-Type": "application/json",
-                "Authorization": `Bearer ${accessToken.token}`,
+                "Authorization": `Bearer ${accessToken}`,
                 "User-Agent": userAgentProvider(),
             },
             body: JSON.stringify(requestBody),
@@ -89,7 +89,7 @@ function configureSearchTools(server, tokenProvider, connectionProvider, userAge
             method: "POST",
             headers: {
                 "Content-Type": "application/json",
-                "Authorization": `Bearer ${accessToken.token}`,
+                "Authorization": `Bearer ${accessToken}`,
                 "User-Agent": userAgentProvider(),
             },
             body: JSON.stringify(requestBody),
@@ -139,7 +139,7 @@ function configureSearchTools(server, tokenProvider, connectionProvider, userAge
             method: "POST",
             headers: {
                 "Content-Type": "application/json",
-                "Authorization": `Bearer ${accessToken.token}`,
+                "Authorization": `Bearer ${accessToken}`,
                 "User-Agent": userAgentProvider(),
             },
             body: JSON.stringify(requestBody),

package/dist/tools/test-plans.js

@@ -9,7 +9,7 @@ const Test_Plan_Tools = {
     list_test_cases: "testplan_list_test_cases",
     list_test_plans: "testplan_list_test_plans",
 };
-function configureTestPlanTools(server, tokenProvider, connectionProvider) {
+function configureTestPlanTools(server, _, connectionProvider) {
     /*
       LIST OF TEST PLANS
       get list of test plans by project

package/dist/tools/wiki.js

@@ -8,7 +8,7 @@ const WIKI_TOOLS = {
     get_wiki_page_content: "wiki_get_page_content",
     create_or_update_page: "wiki_create_or_update_page",
 };
-function configureWikiTools(server, tokenProvider, connectionProvider) {
+function configureWikiTools(server, tokenProvider, connectionProvider, userAgentProvider) {
     server.tool(WIKI_TOOLS.get_wiki, "Get the wiki by wikiIdentifier", {
         wikiIdentifier: z.string().describe("The unique identifier of the wiki."),
         project: z.string().optional().describe("The project name or ID where the wiki is located. If not provided, the default project will be used."),
@@ -121,15 +121,14 @@ function configureWikiTools(server, tokenProvider, connectionProvider) {
                 }
                 if (parsed.pageId) {
                     try {
-                        let accessToken;
-                        try {
-                            accessToken = await tokenProvider();
-                        }
-                        catch { }
+                        const accessToken = await tokenProvider();
                         const baseUrl = connection.serverUrl.replace(/\/$/, "");
                         const restUrl = `${baseUrl}/${resolvedProject}/_apis/wiki/wikis/${resolvedWiki}/pages/${parsed.pageId}?includeContent=true&api-version=7.1`;
                         const resp = await fetch(restUrl, {
-                            headers: accessToken?.token ? { Authorization: `Bearer ${accessToken.token}` } : {},
+                            headers: {
+                                "Authorization": `Bearer ${accessToken}`,
+                                "User-Agent": userAgentProvider(),
+                            },
                         });
                         if (resp.ok) {
                             const json = await resp.json();
@@ -193,8 +192,9 @@ function configureWikiTools(server, tokenProvider, connectionProvider) {
                 const createResponse = await fetch(url, {
                     method: "PUT",
                     headers: {
-                        "Authorization": `Bearer ${accessToken.token}`,
+                        "Authorization": `Bearer ${accessToken}`,
                         "Content-Type": "application/json",
+                        "User-Agent": userAgentProvider(),
                     },
                     body: JSON.stringify({ content: content }),
                 });
@@ -218,7 +218,8 @@ function configureWikiTools(server, tokenProvider, connectionProvider) {
                         const getResponse = await fetch(url, {
                             method: "GET",
                             headers: {
-                                Authorization: `Bearer ${accessToken.token}`,
+                                "Authorization": `Bearer ${accessToken}`,
+                                "User-Agent": userAgentProvider(),
                             },
                         });
                         if (getResponse.ok) {
@@ -236,8 +237,9 @@ function configureWikiTools(server, tokenProvider, connectionProvider) {
                     const updateResponse = await fetch(url, {
                         method: "PUT",
                         headers: {
-                            "Authorization": `Bearer ${accessToken.token}`,
+                            "Authorization": `Bearer ${accessToken}`,
                             "Content-Type": "application/json",
+                            "User-Agent": userAgentProvider(),
                             "If-Match": currentEtag,
                         },
                         body: JSON.stringify({ content: content }),

package/dist/tools/work-items.js

@@ -181,7 +181,7 @@ function configureWorkItemTools(server, tokenProvider, connectionProvider, userA
         const response = await fetch(`${orgUrl}/${project}/_apis/wit/workItems/${workItemId}/comments?format=${formatParameter}&api-version=${markdownCommentsApiVersion}`, {
             method: "POST",
             headers: {
-                "Authorization": `Bearer ${accessToken.token}`,
+                "Authorization": `Bearer ${accessToken}`,
                 "Content-Type": "application/json",
                 "User-Agent": userAgentProvider(),
             },
@@ -287,7 +287,7 @@ function configureWorkItemTools(server, tokenProvider, connectionProvider, userA
             const response = await fetch(`${orgUrl}/_apis/wit/$batch?api-version=${batchApiVersion}`, {
                 method: "PATCH",
                 headers: {
-                    "Authorization": `Bearer ${accessToken.token}`,
+                    "Authorization": `Bearer ${accessToken}`,
                     "Content-Type": "application/json",
                     "User-Agent": userAgentProvider(),
                 },
@@ -540,7 +540,7 @@ function configureWorkItemTools(server, tokenProvider, connectionProvider, userA
         const response = await fetch(`${orgUrl}/_apis/wit/$batch?api-version=${batchApiVersion}`, {
             method: "PATCH",
             headers: {
-                "Authorization": `Bearer ${accessToken.token}`,
+                "Authorization": `Bearer ${accessToken}`,
                 "Content-Type": "application/json",
                 "User-Agent": userAgentProvider(),
             },
@@ -596,7 +596,7 @@ function configureWorkItemTools(server, tokenProvider, connectionProvider, userA
         const response = await fetch(`${orgUrl}/_apis/wit/$batch?api-version=${batchApiVersion}`, {
             method: "PATCH",
             headers: {
-                "Authorization": `Bearer ${accessToken.token}`,
+                "Authorization": `Bearer ${accessToken}`,
                 "Content-Type": "application/json",
                 "User-Agent": userAgentProvider(),
             },

package/dist/tools/work.js

@@ -7,7 +7,7 @@ const WORK_TOOLS = {
     create_iterations: "work_create_iterations",
     assign_iterations: "work_assign_iterations",
 };
-function configureWorkTools(server, tokenProvider, connectionProvider) {
+function configureWorkTools(server, _, connectionProvider) {
     server.tool(WORK_TOOLS.list_team_iterations, "Retrieve a list of iterations for a specific team in a project.", {
         project: z.string().describe("The name or ID of the Azure DevOps project."),
         team: z.string().describe("The name or ID of the Azure DevOps team."),

package/dist/tools.js

@@ -21,7 +21,7 @@ function configureAllTools(server, tokenProvider, connectionProvider, userAgentP
     configureIfDomainEnabled(Domain.PIPELINES, () => configurePipelineTools(server, tokenProvider, connectionProvider, userAgentProvider));
     configureIfDomainEnabled(Domain.REPOSITORIES, () => configureRepoTools(server, tokenProvider, connectionProvider, userAgentProvider));
     configureIfDomainEnabled(Domain.WORK_ITEMS, () => configureWorkItemTools(server, tokenProvider, connectionProvider, userAgentProvider));
-    configureIfDomainEnabled(Domain.WIKI, () => configureWikiTools(server, tokenProvider, connectionProvider));
+    configureIfDomainEnabled(Domain.WIKI, () => configureWikiTools(server, tokenProvider, connectionProvider, userAgentProvider));
     configureIfDomainEnabled(Domain.TEST_PLANS, () => configureTestPlanTools(server, tokenProvider, connectionProvider));
     configureIfDomainEnabled(Domain.SEARCH, () => configureSearchTools(server, tokenProvider, connectionProvider, userAgentProvider));
     configureIfDomainEnabled(Domain.ADVANCED_SECURITY, () => configureAdvSecTools(server, tokenProvider, connectionProvider));

package/dist/version.js

@@ -1 +1 @@
-export const packageVersion = "2.1.0-nightly.20250921";
+export const packageVersion = "2.2.0-nightly.20250923";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@azure-devops/mcp",
-  "version": "2.1.0-nightly.20250921",
+  "version": "2.2.0-nightly.20250923",
   "description": "MCP server for interacting with Azure DevOps",
   "license": "MIT",
   "author": "Microsoft Corporation",