npm - @azure-devops/mcp - Versions diffs - 2.7.0-nightly.20260427 → 2.7.0-nightly.20260428 - Mend

@azure-devops/mcp 2.7.0-nightly.20260427 → 2.7.0-nightly.20260428

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/tools/repositories.js +14 -7
package/dist/tools/wiki.js +8 -1
package/dist/tools/work-items.js +46 -6
package/dist/utils.js +23 -0
package/dist/version.js +1 -1
package/package.json +1 -1

package/dist/tools/repositories.js CHANGED Viewed

@@ -3,7 +3,7 @@
 import { PullRequestStatus, GitVersionType, GitPullRequestQueryType, CommentThreadStatus, GitPullRequestMergeStrategy, VersionControlChangeType, VersionControlRecursionType, } from "azure-devops-node-api/interfaces/GitInterfaces.js";
 import { z } from "zod";
 import { getCurrentUserDetails, getUserIdFromEmail } from "./auth.js";
-import { getEnumKeys, streamToString } from "../utils.js";
+import { extractAdoStreamError, getEnumKeys, streamToString } from "../utils.js";
 const REPO_TOOLS = {
     list_repos_by_project: "repo_list_repos_by_project",
     list_pull_requests_by_repo_or_project: "repo_list_pull_requests_by_repo_or_project",
@@ -618,33 +618,33 @@ function configureRepoTools(server, tokenProvider, connectionProvider, userAgent
         try {
             const connection = await connectionProvider();
             const gitApi = await connection.getGitApi();
-            const threads = await gitApi.getThreads(repositoryId, pullRequestId, project, iteration, baseIteration);
+            const threads = (await gitApi.getThreads(repositoryId, pullRequestId, project, iteration, baseIteration)) ?? [];
             let filteredThreads = threads;
             if (status !== undefined) {
                 const statusValue = CommentThreadStatus[status];
-                filteredThreads = filteredThreads?.filter((thread) => thread.status === statusValue);
+                filteredThreads = filteredThreads.filter((thread) => thread.status === statusValue);
             }
             if (authorEmail !== undefined) {
-                filteredThreads = filteredThreads?.filter((thread) => {
+                filteredThreads = filteredThreads.filter((thread) => {
                     const firstComment = thread.comments?.[0];
                     return firstComment?.author?.uniqueName?.toLowerCase() === authorEmail.toLowerCase();
                 });
             }
             if (authorDisplayName !== undefined) {
                 const lowerAuthorName = authorDisplayName.toLowerCase();
-                filteredThreads = filteredThreads?.filter((thread) => {
+                filteredThreads = filteredThreads.filter((thread) => {
                     const firstComment = thread.comments?.[0];
                     return firstComment?.author?.displayName?.toLowerCase().includes(lowerAuthorName);
                 });
             }
-            const paginatedThreads = filteredThreads?.sort((a, b) => (a.id ?? 0) - (b.id ?? 0)).slice(skip, skip + top);
+            const paginatedThreads = filteredThreads.sort((a, b) => (a.id ?? 0) - (b.id ?? 0)).slice(skip, skip + top);
             if (fullResponse) {
                 return {
                     content: [{ type: "text", text: JSON.stringify(paginatedThreads, null, 2) }],
                 };
             }
             // Return trimmed thread data focusing on essential information
-            const trimmedThreads = paginatedThreads?.map((thread) => trimPullRequestThread(thread));
+            const trimmedThreads = paginatedThreads.map((thread) => trimPullRequestThread(thread));
             return {
                 content: [{ type: "text", text: JSON.stringify(trimmedThreads, null, 2) }],
             };
@@ -1710,6 +1710,13 @@ function configureRepoTools(server, tokenProvider, connectionProvider, userAgent
             versionDescriptor, true // includeContent
             );
             const content = await streamToString(stream);
+            const streamError = extractAdoStreamError(content);
+            if (streamError) {
+                return {
+                    content: [{ type: "text", text: `Error getting file content for '${path}': ${streamError}` }],
+                    isError: true,
+                };
+            }
             return {
                 content: [{ type: "text", text: content }],
             };

package/dist/tools/wiki.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 import { z } from "zod";
-import { apiVersion } from "../utils.js";
+import { apiVersion, extractAdoStreamError } from "../utils.js";
 import { createExternalContentResponse } from "../shared/content-safety.js";
 const WIKI_TOOLS = {
     list_wikis: "wiki_list_wikis",
@@ -209,6 +209,13 @@ function configureWikiTools(server, tokenProvider, connectionProvider, userAgent
                     return { content: [{ type: "text", text: "No wiki page content found" }], isError: true };
                 }
                 pageContent = await streamToString(stream);
+                const streamError = extractAdoStreamError(pageContent);
+                if (streamError) {
+                    return {
+                        content: [{ type: "text", text: `Error fetching wiki page content: ${streamError}` }],
+                        isError: true,
+                    };
+                }
             }
             return createExternalContentResponse(pageContent, "wiki page");
         }

package/dist/tools/work-items.js CHANGED Viewed

@@ -1,5 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
+import * as fs from "fs";
+import * as path from "path";
 import { WorkItemExpand } from "azure-devops-node-api/interfaces/WorkItemTrackingInterfaces.js";
 import { QueryExpand } from "azure-devops-node-api/interfaces/WorkItemTrackingInterfaces.js";
 import { z } from "zod";
@@ -407,8 +409,9 @@ function configureWorkItemTools(server, tokenProvider, connectionProvider, userA
             if (revisions && Array.isArray(revisions)) {
                 revisions.forEach((revision) => {
                     if (revision.fields) {
-                        Object.keys(revision.fields).forEach((fieldName) => {
-                            const fieldValue = revision.fields ? revision.fields[fieldName] : undefined;
+                        const fields = revision.fields;
+                        Object.keys(fields).forEach((fieldName) => {
+                            const fieldValue = fields[fieldName];
                             // Check if this is an identity object by looking for common identity properties
                             if (fieldValue &&
                                 typeof fieldValue === "object" &&
@@ -1210,11 +1213,23 @@ function configureWorkItemTools(server, tokenProvider, connectionProvider, userA
             };
         }
     });
-    server.tool(WORKITEM_TOOLS.get_work_item_attachment, "Download a work item attachment by its ID and return the content as a base64-encoded resource. Useful for viewing images (e.g. screenshots) attached to work items such as bugs. If a project is not specified, you will be prompted to select one.", {
+    server.tool(WORKITEM_TOOLS.get_work_item_attachment, "Download a work item attachment by its ID. By default returns the content as a base64-encoded resource. If savePath is provided, saves the file locally to that directory and returns the file path instead. Useful for viewing images (e.g. screenshots) or other files attached to work items such as bugs. If a project is not specified, you will be prompted to select one.", {
         project: z.string().optional().describe("The name or ID of the Azure DevOps project. Reuse from prior context if already known. If not provided, a project selection prompt will be shown."),
         attachmentId: z.string().describe("The GUID of the attachment. Found in the attachment URL: https://dev.azure.com/{org}/{project}/_apis/wit/attachments/{attachmentId}"),
-        fileName: z.string().optional().describe("The file name of the attachment, e.g. 'screenshot.png'. Used to determine the MIME type for the returned resource."),
-    }, async ({ project, attachmentId, fileName }) => {
+        fileName: z.string().optional().describe("The file name of the attachment, e.g. 'screenshot.png'. Used to determine the MIME type or the saved file's name."),
+        savePath: z
+            .string()
+            .optional()
+            .describe("Optional local directory path where the file should be saved. Must be a relative path (e.g. 'temp' or 'downloads/attachments'); absolute paths and path traversals are not allowed. If provided, saves the attachment to this directory and returns the file path. If omitted, returns the content as a base64-encoded resource."),
+    }, async ({ project, attachmentId, fileName, savePath }) => {
+        const isAbsolutePath = (value) => path.posix.isAbsolute(value) || path.win32.isAbsolute(value);
+        const hasDriveLetter = (value) => /^[a-zA-Z]:/.test(value);
+        if (savePath !== undefined && (savePath.includes("..") || isAbsolutePath(savePath) || hasDriveLetter(savePath))) {
+            throw new Error("Invalid savePath: absolute paths and path traversals are not allowed.");
+        }
+        if (fileName !== undefined && fileName.includes("..")) {
+            throw new Error("Invalid fileName: path traversal is not allowed.");
+        }
         try {
             const connection = await connectionProvider();
             let resolvedProject = project;
@@ -1233,8 +1248,24 @@ function configureWorkItemTools(server, tokenProvider, connectionProvider, userA
                 stream.on("error", reject);
             });
             const buffer = Buffer.concat(chunks);
-            const base64Data = buffer.toString("base64");
+            if (savePath) {
+                const resolvedFileName = fileName ?? attachmentId;
+                const localFilePath = path.join(savePath, resolvedFileName);
+                if (fs.existsSync(localFilePath)) {
+                    throw new Error(`File already exists: ${localFilePath}`);
+                }
+                fs.writeFileSync(localFilePath, buffer);
+                return {
+                    content: [{ type: "text", text: `Attachment saved to: ${localFilePath}` }],
+                };
+            }
             const mimeType = getMimeType(fileName);
+            if (mimeType.startsWith("text/")) {
+                return {
+                    content: [{ type: "text", text: buffer.toString("utf-8") }],
+                };
+            }
+            const base64Data = buffer.toString("base64");
             return {
                 content: [
                     {
@@ -1269,6 +1300,15 @@ function getMimeType(fileName) {
         webp: "image/webp",
         pdf: "application/pdf",
         txt: "text/plain",
+        md: "text/markdown",
+        markdown: "text/markdown",
+        csv: "text/csv",
+        html: "text/html",
+        htm: "text/html",
+        xml: "text/xml",
+        json: "application/json",
+        yaml: "text/yaml",
+        yml: "text/yaml",
         zip: "application/zip",
     };
     return (ext && mimeTypes[ext]) ?? "application/octet-stream";

package/dist/utils.js CHANGED Viewed

@@ -67,6 +67,29 @@ export function encodeFormattedValue(value, format) {
     const result = value.replace(/</g, "&lt;").replace(/>/g, "&gt;");
     return result;
 }
+/**
+ * Detects whether a string returned from an ADO API stream is actually an error
+ * response serialized as JSON (e.g. a 404 GitItemNotFoundException or
+ * WikiPageNotFoundException) rather than real content.
+ *
+ * The ADO Node API client swallows non-2xx HTTP responses and delivers the
+ * error body as a stream, so callers must check explicitly after reading.
+ *
+ * @returns The human-readable error message extracted from the JSON, or null if
+ *          the content is not an ADO error response.
+ */
+export function extractAdoStreamError(content) {
+    try {
+        const json = JSON.parse(content.trim());
+        if (json && typeof json.typeName === "string" && typeof json.message === "string") {
+            return json.message;
+        }
+    }
+    catch {
+        // Not JSON — not an ADO error response.
+    }
+    return null;
+}
 /**
  * Convert a Node.js ReadableStream to a string.
  * Shared utility for consistent stream handling across tools.

package/dist/version.js CHANGED Viewed

	@@ -1 +1 @@
1	- export const packageVersion = "2.7.0-nightly.~~20260427~~";
1	+ export const packageVersion = "2.7.0-nightly.20260428";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@azure-devops/mcp",
-  "version": "2.7.0-nightly.20260427",
+  "version": "2.7.0-nightly.20260428",
   "mcpName": "microsoft.com/azure-devops",
   "description": "MCP server for interacting with Azure DevOps",
   "license": "MIT",