@dynatrace-oss/dynatrace-mcp-server 1.8.7 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,22 @@
1
1
  # @dynatrace-oss/dynatrace-mcp-server
2
2
 
3
+ ## Unreleased
4
+
5
+ ## 2.0.1
6
+
7
+ - Fixed: Human approval elicitation now defaults to `true`, so users only need to press Accept instead of having to toggle the value first.
8
+
9
+ ## 2.0.0
10
+
11
+ - **Breaking**: Raised the minimum supported Node.js version from `22.10.0` to `24.0.0`.
12
+ - **Breaking**: Removed`create_workflow_for_notification` tool. The tool was not heavily used and `dtctl` provides more flexibility. If you relied on this tool, please create Dynatrace workflows manually via the Dynatrace UI, `dtctl`, or the Automations API.
13
+ - **Breaking**: Removed `make_workflow_public` tool. The tool was not heavily used and `dtctl` provides more flexibility. If you relied on this tool, please update workflow visibility manually via the Dynatrace UI, `dtctl`, or the Automations API.
14
+ - **Deprecation**: Using `--http` mode without a bearer token is deprecated and will be removed in a future release.
15
+ - Added `MCP_BEARER_TOKEN` environment variable to secure `--http` mode.
16
+ - Several security improvements when running in `--http` mode
17
+ - OAuth Authorization Code Flow tokens are now persisted to the OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service), so the browser authentication window only opens once per token lifetime instead of on every server restart.
18
+ - Updated `@dynatrace-sdk/client-classic-environment-v2` (5.1.0 → 5.2.3), `@dynatrace-sdk/client-davis-analyzers` (1.9.8 → 1.10.0), `@dynatrace-sdk/client-document` (1.29.0 → 1.31.0), `@dynatrace-sdk/client-platform-management-service` (1.6.3 → 1.7.0), `@dynatrace-sdk/client-query` (1.18.1 → 1.25.0), `@dynatrace-sdk/shared-errors` (1.0.0 → 1.0.2), `@dynatrace/openkit-js` (4.1.0 → 4.2.0), `@dynatrace/strato-icons` (2.1.0 → 2.3.0), `@modelcontextprotocol/ext-apps` (1.0.1 → 1.2.2), `commander` (14.0.0 → 14.0.3), `zod` (4.1.0 → 4.1.13), and `zod-to-json-schema` (3.25.0 → 3.25.1).
19
+
3
20
  ## 1.8.7
4
21
 
5
22
  - Added a human approval gate to the `create_dynatrace_notebook` tool, consistent with other write-capable tools.
package/README.md CHANGED
@@ -24,9 +24,15 @@
24
24
  </a>
25
25
  </h4>
26
26
 
27
- > 🚀 **Try out our brand new [Remote Dynatrace MCP Server](https://www.dynatrace.com/hub/detail/dynatrace-mcp-server/)!** Now available - no local setup required, connect instantly to your Dynatrace environment from any MCP-compatible client. See our [migration guide](docs/remote-mcp-migration.md) for a comparison and step-by-step instructions.
27
+ ## 🛠️ MAINTENANCE MODE
28
28
 
29
- **MAINTENANCE MODE** - Please note, that this repository is currently in [_Maintenance Mode_](https://github.com/dynatrace-oss/dynatrace-mcp/issues/496).
29
+ Please note, that this repository is currently in [_Maintenance Mode_](https://github.com/dynatrace-oss/dynatrace-mcp/issues/496). We will continue fixing/patching issues when they come up.
30
+
31
+ **Recommended Actions**
32
+
33
+ > 🚀 **Try [Dynatrace-for-Ai](https://github.com/Dynatrace/dynatrace-for-ai/) and [`dtctl`](https://github.com/dynatrace-oss/dtctl)** (recommended for local development use cases like VS Code, IntelliJ, Claude Code, Cursor and alike)
34
+
35
+ > **Try out our new [Remote Dynatrace MCP Server](https://www.dynatrace.com/hub/detail/dynatrace-mcp-server/)!** Now available - no local setup required, connect instantly to your Dynatrace environment from any MCP-compatible client. See our [migration guide](docs/remote-mcp-migration.md) for a comparison and step-by-step instructions. This setup is recommended when connecting another Agent (e.g., Atlassian Rovo, GitHub Coding Agent and alike) to Dynatrace.
30
36
 
31
37
  The local _Dynatrace MCP server_ allows AI Assistants to interact with the [Dynatrace](https://www.dynatrace.com/) observability platform,
32
38
  bringing real-time observability data directly into your development workflow.
@@ -39,7 +45,7 @@ https://github.com/user-attachments/assets/25c05db1-8e09-4a7f-add2-ed486ffd4b5a
39
45
 
40
46
  ## Prerequisites
41
47
 
42
- - **Node.js v22.10 or newer** is required to run the Dynatrace MCP Server.
48
+ - **Node.js v24 or newer** is required to run the Dynatrace MCP Server.
43
49
 
44
50
  ## Quickstart
45
51
 
@@ -49,7 +55,9 @@ Furthermore, you need to configure the URL to a Dynatrace environment:
49
55
 
50
56
  - `DT_ENVIRONMENT` (string, e.g., `https://abc12345.apps.dynatrace.com`) - URL to your Dynatrace Platform (do not use Dynatrace classic URLs like `abc12345.live.dynatrace.com`)
51
57
 
52
- Authentication will be handled via Authorization Code Flow in your browser, you don't need to define a Platform Token nor an OAuth Client to get started.
58
+ Authentication will be handled via Authorization Code Flow in your browser, you don't need to define a Platform Token nor an OAuth Client to get started. After the initial authentication, your token is securely stored in the **OS keychain** (macOS Keychain, Windows Credential Manager, or Linux Secret Service) and reused on subsequent server starts, so the browser only opens once per token lifetime.
59
+
60
+ If you are running in a headless/container environment where the OS keychain is unavailable, set `DT_MCP_TOKEN_STORAGE=file` to persist tokens in `~/.config/dynatrace-mcp/` instead.
53
61
 
54
62
  Once you are done, we recommend looking into [example prompts](#-example-prompts-), like `Get all details of the entity 'my-service'` or `Show me error logs`. Please mind that these prompts lead to executing DQL statements which may incur [costs](#costs) in accordance to your licence.
55
63
 
@@ -91,7 +99,7 @@ Once you are done, we recommend looking into [example prompts](#-example-prompts
91
99
  - Querying Data from Grail (e.g., `execute_dql`, `verify_dql`, `generate_dql_from_natural_language`, `explain_dql_in_natural_language`)
92
100
  - Entity Discovery (e.g., `find_entity_by_name`)
93
101
  - [Dynatrace Intelligence](https://www.dynatrace.com/platform/artificial-intelligence/) (e.g., `chat_with_davis_copilot`, `list_davis_analyzers`, `execute_davis_analyzer`)
94
- - Automation & Notifications (e.g., `create_workflow_for_notification`, `send_slack_message`, `send_email`, `send_event`)
102
+ - Automation & Notifications (e.g., `send_slack_message`, `send_email`, `send_event`)
95
103
  - Share results (e.g., `create_dynatrace_notebook`)
96
104
 
97
105
  ### Costs
@@ -252,10 +260,18 @@ Or manually in your `~/.gemini/settings.json` or `.gemini/settings.json`:
252
260
 
253
261
  ### HTTP Server Mode (Alternative)
254
262
 
263
+ > **💡 Recommendation:** Instead of self-hosting with `--http` / `--server`, consider using the official [Dynatrace Remote MCP Server](https://www.dynatrace.com/hub/detail/dynatrace-mcp-server/) — it is more secure, always up to date, and requires no infrastructure management.
264
+
255
265
  For scenarios where you need to run the MCP server as an HTTP service instead of using stdio (e.g., for stateful sessions, load balancing, or integration with web clients), you can use the HTTP server mode:
256
266
 
257
267
  **Running as HTTP server:**
258
268
 
269
+ Please secure your server with a bearer token:
270
+
271
+ ```bash
272
+ export MCP_BEARER_TOKEN=<bearer-token>
273
+ ```
274
+
259
275
  ```bash
260
276
  # Get help and see all available options
261
277
  npx -y @dynatrace-oss/dynatrace-mcp-server@latest --help
@@ -269,7 +285,7 @@ npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http --port 3001
269
285
 
270
286
  # Run with custom host/IP (using short or long flag)
271
287
  npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http --host 127.0.0.1 # recommended for local computers
272
- npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http --host 0.0.0.0 # recommended for container
288
+ npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http --host 0.0.0.0 # required for container (binds all interfaces; omitting --host defaults to 127.0.0.1)
273
289
  npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http -H 192.168.0.1 # recommended when sharing connection over a local network
274
290
 
275
291
  # Static OAuth callback port (useful when the port must be exposed, e.g., when running the MCP in a container)
@@ -286,7 +302,42 @@ npx -y @dynatrace-oss/dynatrace-mcp-server@latest --version
286
302
  "mcpServers": {
287
303
  "dynatrace-http": {
288
304
  "url": "http://localhost:3000",
289
- "transport": "http"
305
+ "transport": "http",
306
+ "headers": {
307
+ "Authorization": "Bearer <bearer-token>"
308
+ }
309
+ }
310
+ }
311
+ }
312
+ ```
313
+
314
+ #### Bearer Token Authentication (`MCP_BEARER_TOKEN`)
315
+
316
+ When running in HTTP mode you can protect the server with a bearer token:
317
+
318
+ | Behavior | Detail |
319
+ | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
320
+ | `MCP_BEARER_TOKEN` **set** | Every HTTP request must include an `Authorization: Bearer <token>` header. Requests without a valid token receive `401 Unauthorized`. |
321
+ | `MCP_BEARER_TOKEN` **not set** | **Deprecated** The server starts with a warning printed to stderr and accepts all requests without authentication. **Not recommended for production or any network-exposed deployment.** |
322
+
323
+ **Generating a secure token:**
324
+
325
+ ```bash
326
+ export MCP_BEARER_TOKEN=$(openssl rand -base64 32)
327
+ npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http
328
+ ```
329
+
330
+ **Configuring the MCP client to send the token:**
331
+
332
+ ```json
333
+ {
334
+ "mcpServers": {
335
+ "dynatrace-http": {
336
+ "url": "http://localhost:3000",
337
+ "transport": "http",
338
+ "headers": {
339
+ "Authorization": "Bearer <your-token>"
340
+ }
290
341
  }
291
342
  }
292
343
  }
@@ -382,9 +433,6 @@ Depending on the features you are using, the following scopes are needed:
382
433
  **Available for both Platform Tokens and OAuth Clients:**
383
434
 
384
435
  - `app-engine:apps:run` - needed for almost all tools
385
- - `automation:workflows:read` - read Workflows
386
- - `automation:workflows:write` - create and update Workflows
387
- - `automation:workflows:run` - run Workflows
388
436
  - `app-settings:objects:read` - read app-settings - needed for `send_slack_message` tool to read connection details from App-Settings
389
437
  - `storage:buckets:read` - needed for `execute_dql` tool to read all system data stored on Grail
390
438
  - `storage:logs:read` - needed for `execute_dql` tool to read logs for reliability guardian validations