@bitwarden/mcp-server 2025.8.2 → 2025.9.0

package/README.md

@@ -5,8 +5,8 @@ Model Context Protocol (MCP) server that enables interaction with the Bitwarden
 ## Prerequisites
 
 - Node.js 22
-- Bitwarden CLI (`bw`) installed and authenticated
-- Valid Bitwarden session token
+- **For CLI operations**: Bitwarden CLI (`bw`) installed, authenticated, and valid session token
+- **For API operations**: Bitwarden organization with API access and valid client credentials
 
 ## Installation
 
@@ -36,6 +36,10 @@ npm run build
 
 ## Setup
 
+The server supports two authentication methods:
+
+### Option A: CLI Authentication (for personal vault operations)
+
 1. **Install Bitwarden CLI**:
 
    ```bash
@@ -53,6 +57,25 @@ npm run build
    export BW_SESSION=$(bw unlock --raw)
    ```
 
+### Option B: API Authentication (for organization management)
+
+1. **Create API credentials** in your Bitwarden organization settings
+
+2. **Set environment variables**:
+
+   ```bash
+   export BW_CLIENT_ID="your_client_id"
+   export BW_CLIENT_SECRET="your_client_secret"
+   ```
+
+3. **Optional: Set custom API URLs** (if using self-hosted):
+   ```bash
+   export BW_API_BASE_URL="https://api.bitwarden.com"
+   export BW_IDENTITY_URL="https://identity.bitwarden.com"
+   ```
+
+> **Note**: You can use both authentication methods simultaneously for full functionality.
+
 ## Testing
 
 ### Running unit tests
@@ -95,7 +118,9 @@ This will:
 
 ### Available tools
 
-The server provides the following Bitwarden CLI tools:
+The server provides comprehensive Bitwarden functionality through two categories of tools:
+
+#### Personal Vault Tools (CLI Authentication)
 
 | Tool       | Description                  | Required Parameters                               |
 | ---------- | ---------------------------- | ------------------------------------------------- |
@@ -110,6 +135,65 @@ The server provides the following Bitwarden CLI tools:
 | `edit`     | Edit existing item or folder | `objectType`, `id`, optional fields to update     |
 | `delete`   | Delete vault item/folder     | `object`, `id`, optional `permanent`              |
 
+#### Organization Management Tools (API Authentication)
+
+##### Collections Management
+
+| Tool                | Description                   | Required Parameters |
+| ------------------- | ----------------------------- | ------------------- |
+| `list-collections`  | List organization collections | None                |
+| `get-collection`    | Get collection details        | `id`                |
+| `create-collection` | Create new collection         | `name`              |
+| `update-collection` | Update existing collection    | `id`                |
+| `delete-collection` | Delete collection             | `id`                |
+
+##### Members Management
+
+| Tool                      | Description                       | Required Parameters |
+| ------------------------- | --------------------------------- | ------------------- |
+| `list-members`            | List organization members         | None                |
+| `get-member`              | Get member details                | `id`                |
+| `invite-member`           | Invite new member                 | `email`, `type`     |
+| `update-member`           | Update existing member            | `id`                |
+| `remove-member`           | Remove member from organization   | `id`                |
+| `reinvite-member`         | Re-invite member                  | `id`                |
+| `get-member-group-ids`    | Get member's group assignments    | `id`                |
+| `update-member-group-ids` | Update member's group assignments | `id`, `groupIds`    |
+
+##### Groups Management
+
+| Tool                      | Description                       | Required Parameters |
+| ------------------------- | --------------------------------- | ------------------- |
+| `list-groups`             | List organization groups          | None                |
+| `get-group`               | Get group details                 | `id`                |
+| `create-group`            | Create new group                  | `name`              |
+| `update-group`            | Update existing group             | `id`, `name`        |
+| `delete-group`            | Delete group                      | `id`                |
+| `get-group-member-ids`    | Get group's member assignments    | `id`                |
+| `update-group-member-ids` | Update group's member assignments | `id`, `memberIds`   |
+
+##### Policies Management
+
+| Tool            | Description                | Required Parameters |
+| --------------- | -------------------------- | ------------------- |
+| `list-policies` | List organization policies | None                |
+| `get-policy`    | Get policy details         | `type`              |
+| `update-policy` | Update organization policy | `type`, `enabled`   |
+
+##### Organization Management
+
+| Tool                               | Description                  | Required Parameters |
+| ---------------------------------- | ---------------------------- | ------------------- |
+| `get-organization-subscription`    | Get subscription details     | None                |
+| `update-organization-subscription` | Update subscription settings | None                |
+| `import-organization`              | Import members and groups    | None                |
+
+##### Events and Auditing
+
+| Tool          | Description                 | Required Parameters |
+| ------------- | --------------------------- | ------------------- |
+| `list-events` | Get organization audit logs | None                |
+
 ### Manual testing
 
 1. **Start the server**:
@@ -143,10 +227,12 @@ The server provides the following Bitwarden CLI tools:
 
 ## Security considerations
 
-- **Never commit** the `BW_SESSION` token
-- **Use environment variables** for sensitive configuration
+- **Never commit** sensitive credentials (`BW_SESSION`, `BW_CLIENT_ID`, `BW_CLIENT_SECRET`)
+- **Use environment variables** for all sensitive configuration
 - **Validate all inputs** using Zod schemas (already implemented)
 - **Test with non-production data** when possible
+- **Monitor API usage** through your organization's audit logs
+- **Use HTTPS** for all API communications (default)
 - Understand the security and privacy impacts of exposing sensitive vault data to LLM and AI tools. Using a self-hosted or local LLM may be appropriate, for example.
 
 ## Troubleshooting
@@ -156,15 +242,24 @@ The server provides the following Bitwarden CLI tools:
 1. **"Please set the BW_SESSION environment variable"**
    - Run: `export BW_SESSION=$(bw unlock --raw)`
 
-2. **Tests failing with environment errors**
+2. **"BW_CLIENT_ID and BW_CLIENT_SECRET environment variables are required"**
+   - Set your API credentials: `export BW_CLIENT_ID="your_id"` and `export BW_CLIENT_SECRET="your_secret"`
+   - Verify credentials are valid in your Bitwarden organization settings
+
+3. **API authentication failures**
+   - Check that your organization has API access enabled
+   - Verify client credentials have appropriate permissions
+   - Ensure you're using the correct API URLs for your instance
+
+4. **Tests failing with environment errors**
    - Use the environment mocking helpers in tests
    - Ensure test cleanup with `restoreEnvVars()`
 
-3. **Inspector not starting**
+5. **Inspector not starting**
    - Check that the server builds successfully: `npm run build`
    - Verify Node.js version is 22
 
-4. **CLI commands failing**
+6. **CLI commands failing**
    - Verify Bitwarden CLI is installed: `bw --version`
    - Check vault is unlocked: `bw status`
    - Ensure valid session token: `echo $BW_SESSION`

package/dist/index.d.ts

@@ -65,4 +65,45 @@ export declare function buildSafeCommand(baseCommand: string, parameters?: reado
  * @returns {boolean} True if the command is safe, false otherwise
  */
 export declare function isValidBitwardenCommand(command: string): boolean;
+/**
+ * Validates that an API endpoint path is safe and matches allowed patterns.
+ *
+ * @param {string} endpoint - The API endpoint path to validate
+ * @returns {boolean} True if the endpoint is safe, false otherwise
+ */
+export declare function validateApiEndpoint(endpoint: string): boolean;
+/**
+ * Sanitizes API parameters to prevent injection attacks.
+ *
+ * @param {unknown} params - The parameters to sanitize
+ * @returns {unknown} The sanitized parameters
+ */
+export declare function sanitizeApiParameters(params: unknown): unknown;
+/**
+ * Builds a safe API request with proper authentication and validation.
+ *
+ * @param {string} endpoint - The API endpoint path
+ * @param {string} method - The HTTP method
+ * @param {unknown} data - The request data
+ * @returns {Promise<RequestInit>} The safe request configuration
+ */
+export declare function buildSafeApiRequest(endpoint: string, method: string, data?: unknown): Promise<RequestInit>;
+/**
+ * Interface representing the response from a Bitwarden API request.
+ */
+export interface ApiResponse {
+    data?: unknown;
+    errorMessage?: string;
+    status: number;
+}
+/**
+ * Executes a safe API request to the Bitwarden Public API.
+ *
+ * @async
+ * @param {string} endpoint - The API endpoint path
+ * @param {string} method - The HTTP method
+ * @param {unknown} data - The request data
+ * @returns {Promise<ApiResponse>} A promise that resolves to the API response
+ */
+export declare function executeApiRequest(endpoint: string, method: string, data?: unknown): Promise<ApiResponse>;
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAYA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AA8exB;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AA8CD;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAC7B,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EACpB,IAAI,EAAE,OAAO,GAEX,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,GAClB,SAAS;IACP,KAAK;IACL;QACE,QAAQ,CAAC,OAAO,EAAE,SAAS;YACzB;gBAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;aAAE;SACjD,CAAC;QACF,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC;KACxB;CACF,CA0BJ;AAID;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAuBnD;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQ1D;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,UAAU,GAAE,SAAS,MAAM,EAAO,GACjC,MAAM,CAKR;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CA+BhE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAYA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAgoDxB;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AA8CD;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAC7B,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EACpB,IAAI,EAAE,OAAO,GAEX,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,GAClB,SAAS;IACP,KAAK;IACL;QACE,QAAQ,CAAC,OAAO,EAAE,SAAS;YACzB;gBAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;aAAE;SACjD,CAAC;QACF,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC;KACxB;CACF,CA0BJ;AAID;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAuBnD;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQ1D;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,UAAU,GAAE,SAAS,MAAM,EAAO,GACjC,MAAM,CAKR;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CA+BhE;AAwCD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAwB7D;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,OAAO,GAAG,OAAO,CAyB9D;AAED;;;;;;;GAOG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE,OAAO,GACb,OAAO,CAAC,WAAW,CAAC,CA+BtB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE,OAAO,GACb,OAAO,CAAC,WAAW,CAAC,CAuCtB"}