@radholm/azure-devops-mcp 1.0.0-beta.1

package/LICENSE.md

@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE

package/README.md

@@ -0,0 +1,365 @@
+# ⭐ Azure DevOps MCP Server
+
+> [!IMPORTANT]
+> The Azure DevOps Remote MCP Server is now available in public preview for all organizations. We recommend migrating to the [Remote MCP Server](https://learn.microsoft.com/en-us/azure/devops/mcp-server/remote-mcp-server) going forward.
+>
+> [Learn more](#-remote-mcp-server-recommended)
+
+This project provides Azure DevOps MCP tooling for AI agents, with a **remote-first** onboarding experience and a local server option when you need it.
+
+## 📄 Table of Contents
+
+1. [📺 Overview](#-overview)
+2. [🏆 Expectations](#-expectations)
+3. [🚀 Remote MCP Server (Recommended)](#-remote-mcp-server-recommended)
+4. [⚙️ Supported Tools](#️-supported-tools)
+5. [🔌 Local MCP Server Installation (Optional)](#-local-mcp-server-installation-optional)
+6. [🌏 Using Domains (local)](#-using-domains-local)
+7. [🐥 Project and Team Defaults (local)](#-project-and-team-defaults-local)
+8. [🏢 On-Premises / Azure DevOps Server (local)](#-on-premises--azure-devops-server-local)
+9. [📝 Troubleshooting](#-troubleshooting)
+10. [🎩 Examples & Best Practices](#-examples--best-practices)
+11. [🙋‍♀️ Frequently Asked Questions](#️-frequently-asked-questions)
+12. [📌 Contributing](#-contributing)
+
+## 📺 Overview
+
+The Azure DevOps MCP Server brings Azure DevOps context to your agents. Try prompts like:
+
+- "List my ADO projects"
+- "List ADO Builds for 'Contoso'"
+- "List ADO Repos for 'Contoso'"
+- "List test plans for 'Contoso'"
+- "List teams for project 'Contoso'"
+- "List iterations for project 'Contoso'"
+- "List my work items for project 'Contoso'"
+- "List work items in current iteration for 'Contoso' project and 'Contoso Team'"
+- "List all wikis in the 'Contoso' project"
+- "Create a wiki page '/Architecture/Overview' with content about system design"
+- "Update the wiki page '/Getting Started' with new onboarding instructions"
+- "Get the content of the wiki page '/API/Authentication' from the Documentation wiki"
+
+## 🏆 Expectations
+
+The Azure DevOps MCP Server is built around tools that are concise, simple, focused, and easy to use, with each one designed for a specific scenario. We intentionally avoid creating complex tools that try to do too much. The goal is to provide a thin abstraction layer over the REST APIs that makes data access straightforward while allowing the language model to handle the more complex reasoning.
+
+## 🚀 Remote MCP Server (Recommended)
+
+The Azure DevOps **Remote MCP Server** is now available in [public preview](https://devblogs.microsoft.com/devops/azure-devops-remote-mcp-server-public-preview).
+
+Over time, the Remote MCP Server will replace this local MCP Server. We will continue to support the local server for now, but future investments will primarily focus on the remote experience.
+
+We encourage all users of the local MCP Server to begin migrating to the Remote MCP Server.
+
+If you encounter issues with tools, need support, or have a feature request, you can report an issue using the [Remote MCP Server issue template](https://github.com/microsoft/azure-devops-mcp/issues/new?template=remote-mcp-server-issue.md). During the preview period, we will track Remote MCP Server issues through this repository.
+
+> [!WARNING]
+> Internal Microsoft users of the Remote MCP Server should **not** create issues in this repository. Please use the dedicated Teams channel instead.
+
+For complete instructions, see the [Remote MCP Server onboarding documentation](https://learn.microsoft.com/en-us/azure/devops/mcp-server/remote-mcp-server?view=azure-devops).
+
+### Quick start with `.vscode/mcp.json`
+
+Use this configuration to connect directly to the Azure DevOps-hosted endpoint using streamable HTTP transport:
+
+```json
+{
+  "servers": {
+    "ado-remote-mcp": {
+      "url": "https://mcp.dev.azure.com/{organization}",
+      "type": "http"
+    }
+  },
+  "inputs": []
+}
+```
+
+See [documentation](https://learn.microsoft.com/en-us/azure/devops/mcp-server/remote-mcp-server?view=azure-devops#mcpjson-configuration) for additional configuration options.
+
+After saving `.vscode/mcp.json`, start the server from the MCP view in VS Code, then run a prompt like `List ADO projects`.
+
+## ⚙️ Supported Tools
+
+See the [Available Tools](https://learn.microsoft.com/en-us/azure/devops/mcp-server/remote-mcp-server?view=azure-devops#available-tools) documentation for the complete list of available remote tools.
+
+For a comprehensive list of local tools, see [TOOLSET.md](./docs/TOOLSET.md).
+
+## 🔌 Local MCP Server Installation (Optional)
+
+> [!IMPORTANT]
+> Start with the Remote MCP Server first. Use the local MCP Server only if your scenario specifically requires a local `stdio` setup.
+
+Use this section if you specifically need the local `stdio` server experience. For most users, start with the [Remote MCP Server](#-remote-mcp-server-recommended) section above.
+
+For the best experience, use Visual Studio Code and GitHub Copilot. See the [getting started documentation](./docs/GETTINGSTARTED.md) to use our MCP Server with other tools such as Visual Studio 2022, Claude Code, Cursor, Opencode, and Kilocode.
+
+### Prerequisites
+
+1. Install [VS Code](https://code.visualstudio.com/download) or [VS Code Insiders](https://code.visualstudio.com/insiders)
+2. Install [Node.js](https://nodejs.org/en/download) 20+
+3. Open VS Code in an empty folder
+
+### Installation
+
+#### 🧨 Install from Public Feed
+
+This installation method is the easiest for all users of Visual Studio Code.
+
+🎥 [Watch this quick start video to get up and running in under two minutes!](https://youtu.be/EUmFM6qXoYk)
+
+##### Steps
+
+In your project, add a `.vscode\mcp.json` file with the following content:
+
+```json
+{
+  "inputs": [
+    {
+      "id": "ado_org",
+      "type": "promptString",
+      "description": "Azure DevOps organization name  (e.g. 'contoso')"
+    }
+  ],
+  "servers": {
+    "ado": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@azure-devops/mcp", "${input:ado_org}"]
+    }
+  }
+}
+```
+
+🔥 To stay up to date with the latest features, you can use our nightly builds. Simply update your `mcp.json` configuration to use `@azure-devops/mcp@next`. Here is an updated example:
+
+```json
+{
+  "inputs": [
+    {
+      "id": "ado_org",
+      "type": "promptString",
+      "description": "Azure DevOps organization name  (e.g. 'contoso')"
+    }
+  ],
+  "servers": {
+    "ado": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@azure-devops/mcp@next", "${input:ado_org}"]
+    }
+  }
+}
+```
+
+Save the file, then click 'Start'.
+
+![start mcp server](./docs/media/start-mcp-server.gif)
+
+In chat, switch to [Agent Mode](https://code.visualstudio.com/blogs/2025/02/24/introducing-copilot-agent-mode).
+
+Click "Select Tools" and choose the available tools.
+
+![configure mcp server tools](./docs/media/configure-mcp-server-tools.gif)
+
+Open GitHub Copilot Chat and try a prompt like `List ADO projects`. The first time an ADO tool is executed browser will open prompting to login with your Microsoft account. Please ensure you are using credentials matching selected Azure DevOps organization.
+
+> 💥 We strongly recommend creating a `.github\copilot-instructions.md` in your project. This will enhance your experience using the Azure DevOps MCP Server with GitHub Copilot Chat.
+> To start, just include "`This project uses Azure DevOps. Always check to see if the Azure DevOps MCP server has a tool relevant to the user's request`" in your copilot instructions file.
+
+See the [getting started documentation](./docs/GETTINGSTARTED.md) to use our MCP Server with other tools such as Visual Studio 2022, Claude Code, and Cursor.
+
+## 🌏 Using Domains (local)
+
+Azure DevOps exposes a large surface area. As a result, our Azure DevOps MCP Server includes many tools. To keep the toolset manageable, avoid confusing the model, and respect client limits on loaded tools, use Domains to load only the areas you need. Domains are named groups of related tools (for example: core, work, work-items, repositories, wiki). Add the `-d` argument and the domain names to the server args in your `mcp.json` to list the domains to enable.
+
+For example, use `"-d", "core", "work", "work-items"` to load only Work Item related tools (see the example below).
+
+```json
+{
+  "inputs": [
+    {
+      "id": "ado_org",
+      "type": "promptString",
+      "description": "Azure DevOps organization name  (e.g. 'contoso')"
+    }
+  ],
+  "servers": {
+    "ado_with_filtered_domains": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@azure-devops/mcp", "${input:ado_org}", "-d", "core", "work", "work-items"]
+    }
+  }
+}
+```
+
+Domains that are available are: `core`, `work`, `work-items`, `search`, `test-plans`, `repositories`, `wiki`, `pipelines`, `advanced-security`
+
+We recommend that you always enable `core` tools so that you can fetch project level information.
+
+> By default all domains are loaded
+
+## 🐥 Project and Team Defaults (local)
+
+You can also configure default Azure DevOps project and team values from `.vscode/mcp.json` using `project` and `team`, so tools can skip selection prompts.
+
+### Example `.vscode/mcp.json`
+
+```json
+{
+  "servers": {
+    "ado": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@azure-devops/mcp", "myorg", "--authentication", "azcli"],
+      "env": {
+        "ado_mcp_project": "Contoso",
+        "ado_mcp_team": "Fabrikam Team"
+      }
+    }
+  }
+}
+```
+
+## 📝 Troubleshooting
+
+See the [Troubleshooting guide](./docs/TROUBLESHOOTING.md) for help with common issues and logging.
+
+## 🏢 On-Premises / Azure DevOps Server (local)
+
+The local MCP server supports connecting to on-premises Azure DevOps Server (TFS) instances by specifying a custom base URL.
+
+### Configuration
+
+Use the `--base-url` (or `-b`) option to point to your on-prem server, or set the `AZURE_DEVOPS_BASE_URL` environment variable. The `organization` positional argument is still required and should match your collection name.
+
+> **Note:** Only `pat` and `envvar` authentication are supported for on-premises servers.
+
+### Example `.vscode/mcp.json`
+
+```json
+{
+  "inputs": [
+    {
+      "id": "ado_org",
+      "type": "promptString",
+      "description": "Azure DevOps collection name (e.g. 'DefaultCollection')"
+    }
+  ],
+  "servers": {
+    "ado-onprem": {
+      "type": "stdio",
+      "command": "npx",
+      "args": [
+        "-y", "@azure-devops/mcp",
+        "${input:ado_org}",
+        "--base-url", "https://azuredo.example.com/tfs/MyCollection",
+        "--authentication", "pat"
+      ],
+      "env": {
+        "PERSONAL_ACCESS_TOKEN": "<base64 encoded email:pat>"
+      }
+    }
+  }
+}
+```
+
+Alternatively, use the `AZURE_DEVOPS_BASE_URL` environment variable:
+
+```json
+{
+  "servers": {
+    "ado-onprem": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@azure-devops/mcp", "MyCollection", "--authentication", "pat"],
+      "env": {
+        "AZURE_DEVOPS_BASE_URL": "https://azuredo.example.com/tfs/MyCollection",
+        "PERSONAL_ACCESS_TOKEN": "<base64 encoded email:pat>"
+      }
+    }
+  }
+}
+```
+
+### Self-Signed Certificates
+
+If your on-prem server uses self-signed SSL certificates, you may need to set the `NODE_TLS_REJECT_UNAUTHORIZED=0` environment variable (not recommended for production) or configure the `NODE_EXTRA_CA_CERTS` variable to point to your CA certificate file.
+
+### API Version Override
+
+Azure DevOps Server on-premises may not support the latest API versions used by the cloud service. If you encounter `404` or version-related errors, set the `AZURE_DEVOPS_API_VERSION` environment variable to match your server version:
+
+| Azure DevOps Server Version | Supported API Version |
+|-----------------------------|-----------------------|
+| Azure DevOps Server 2022    | `7.1`                 |
+| Azure DevOps Server 2020    | `6.0`                 |
+| Azure DevOps Server 2019    | `5.1`                 |
+
+Example:
+
+```json
+{
+  "servers": {
+    "ado-onprem": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@azure-devops/mcp", "MyCollection", "--base-url", "https://azuredo.example.com/tfs/MyCollection", "--authentication", "pat"],
+      "env": {
+        "PERSONAL_ACCESS_TOKEN": "<base64 encoded email:pat>",
+        "AZURE_DEVOPS_API_VERSION": "7.1"
+      }
+    }
+  }
+}
+```
+
+## 🎩 Examples & Best Practices
+
+Explore example prompts in our [Examples documentation](./docs/EXAMPLES.md).
+
+For best practices and tips to enhance your experience with the MCP Server, refer to the [How-To guide](./docs/HOWTO.md).
+
+## 🙋‍♀️ Frequently Asked Questions
+
+For answers to common questions about the Azure DevOps MCP Server, see the [Frequently Asked Questions](./docs/FAQ.md).
+
+## 📌 Contributing
+
+We welcome contributions! During preview, please file issues for bugs, enhancements, or documentation improvements.
+
+See our [Contributions Guide](CONTRIBUTING.md) for:
+
+- 🛠️ Development setup
+- ✨ Adding new tools
+- 📝 Code style & testing
+- 🔄 Pull request process
+
+> ⚠️ Please read the [Contributions Guide](CONTRIBUTING.md) before creating a pull request.
+
+## 🤝 Code of Conduct
+
+This project follows the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For questions, see the [FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [open@microsoft.com](mailto:open@microsoft.com).
+
+## 📈 Project Stats
+
+[![Star History Chart](https://api.star-history.com/svg?repos=microsoft/azure-devops-mcp&type=Date)](https://star-history.com/#microsoft/azure-devops-mcp)
+
+## 🏆 Hall of Fame
+
+Thanks to all contributors who make this project awesome! ❤️
+
+[![Contributors](https://contrib.rocks/image?repo=microsoft/azure-devops-mcp)](https://github.com/microsoft/azure-devops-mcp/graphs/contributors)
+
+> Generated with [contrib.rocks](https://contrib.rocks)
+
+## License
+
+Licensed under the [MIT License](LICENSE.md).
+
+---
+
+_Trademarks: This project may include trademarks or logos for Microsoft or third parties. Use of Microsoft trademarks or logos must follow [Microsoft’s Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Third-party trademarks are subject to their respective policies._
+
+<!-- version: 2023-04-07 [Do not delete this line, it is used for analytics that drive template improvements] -->

package/dist/auth.js

@@ -0,0 +1,129 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { AzureCliCredential, ChainedTokenCredential, DefaultAzureCredential } from "@azure/identity";
+import { PublicClientApplication } from "@azure/msal-node";
+import open from "open";
+import { logger } from "./logger.js";
+const scopes = ["499b84ac-1321-427f-aa17-267ca6975798/.default"];
+class OAuthAuthenticator {
+    static clientId = "0d50963b-7bb9-4fe7-94c7-a99af00b5136";
+    static defaultAuthority = "https://login.microsoftonline.com/common";
+    static zeroTenantId = "00000000-0000-0000-0000-000000000000";
+    accountId;
+    publicClientApp;
+    constructor(tenantId) {
+        this.accountId = null;
+        let authority = OAuthAuthenticator.defaultAuthority;
+        if (tenantId && tenantId !== OAuthAuthenticator.zeroTenantId) {
+            authority = `https://login.microsoftonline.com/${tenantId}`;
+            logger.debug(`OAuthAuthenticator: Using tenant-specific authority for tenantId='${tenantId}'`);
+        }
+        else {
+            logger.debug(`OAuthAuthenticator: Using default common authority`);
+        }
+        this.publicClientApp = new PublicClientApplication({
+            auth: {
+                clientId: OAuthAuthenticator.clientId,
+                authority,
+            },
+        });
+        logger.debug(`OAuthAuthenticator: Initialized with clientId='${OAuthAuthenticator.clientId}'`);
+    }
+    async getToken() {
+        let authResult = null;
+        if (this.accountId) {
+            logger.debug(`OAuthAuthenticator: Attempting silent token acquisition for cached account`);
+            try {
+                authResult = await this.publicClientApp.acquireTokenSilent({
+                    scopes,
+                    account: this.accountId,
+                });
+                logger.debug(`OAuthAuthenticator: Successfully acquired token silently`);
+            }
+            catch (error) {
+                logger.debug(`OAuthAuthenticator: Silent token acquisition failed: ${error instanceof Error ? error.message : String(error)}`);
+                authResult = null;
+            }
+        }
+        else {
+            logger.debug(`OAuthAuthenticator: No cached account available, interactive auth required`);
+        }
+        if (!authResult) {
+            logger.debug(`OAuthAuthenticator: Starting interactive token acquisition`);
+            authResult = await this.publicClientApp.acquireTokenInteractive({
+                scopes,
+                openBrowser: async (url) => {
+                    logger.debug(`OAuthAuthenticator: Opening browser for authentication`);
+                    open(url);
+                },
+            });
+            this.accountId = authResult.account;
+            logger.debug(`OAuthAuthenticator: Successfully acquired token interactively, account cached`);
+        }
+        if (!authResult.accessToken) {
+            logger.error(`OAuthAuthenticator: Authentication result contains no access token`);
+            throw new Error("Failed to obtain Azure DevOps OAuth token.");
+        }
+        logger.debug(`OAuthAuthenticator: Token obtained successfully`);
+        return authResult.accessToken;
+    }
+}
+function createAuthenticator(type, tenantId) {
+    logger.debug(`Creating authenticator of type '${type}' with tenantId='${tenantId ?? "undefined"}'`);
+    switch (type) {
+        case "pat":
+            logger.debug(`Authenticator: Using PAT authentication (PERSONAL_ACCESS_TOKEN)`);
+            return async () => {
+                logger.debug(`${type}: Reading token from PERSONAL_ACCESS_TOKEN environment variable`);
+                const b64Pat = process.env["PERSONAL_ACCESS_TOKEN"];
+                if (!b64Pat) {
+                    logger.error(`${type}: PERSONAL_ACCESS_TOKEN environment variable is not set or empty`);
+                    throw new Error("Environment variable 'PERSONAL_ACCESS_TOKEN' is not set or empty. Please set it with a valid base64-encoded Azure DevOps Personal Access Token.");
+                }
+                // Return base64 value as-is — caller uses it directly as the Basic auth credential
+                logger.debug(`${type}: Successfully retrieved PAT from environment variable`);
+                return b64Pat;
+            };
+        case "envvar":
+            logger.debug(`Authenticator: Using environment variable authentication (ADO_MCP_AUTH_TOKEN)`);
+            // Read token from fixed environment variable
+            return async () => {
+                logger.debug(`${type}: Reading token from ADO_MCP_AUTH_TOKEN environment variable`);
+                const token = process.env["ADO_MCP_AUTH_TOKEN"];
+                if (!token) {
+                    logger.error(`${type}: ADO_MCP_AUTH_TOKEN environment variable is not set or empty`);
+                    throw new Error("Environment variable 'ADO_MCP_AUTH_TOKEN' is not set or empty. Please set it with a valid Azure DevOps Personal Access Token.");
+                }
+                logger.debug(`${type}: Successfully retrieved token from environment variable`);
+                return token;
+            };
+        case "azcli":
+        case "env":
+            if (type !== "env") {
+                logger.debug(`${type}: Setting AZURE_TOKEN_CREDENTIALS to 'dev' for development credential chain`);
+                process.env.AZURE_TOKEN_CREDENTIALS = "dev";
+            }
+            let credential = new DefaultAzureCredential(); // CodeQL [SM05138] resolved by explicitly setting AZURE_TOKEN_CREDENTIALS
+            if (tenantId) {
+                // Use Azure CLI credential if tenantId is provided for multi-tenant scenarios
+                const azureCliCredential = new AzureCliCredential({ tenantId });
+                credential = new ChainedTokenCredential(azureCliCredential, credential);
+            }
+            return async () => {
+                const result = await credential.getToken(scopes);
+                if (!result) {
+                    logger.error(`${type}: Failed to obtain token - credential.getToken returned null/undefined`);
+                    throw new Error("Failed to obtain Azure DevOps token. Ensure you have Azure CLI logged or use interactive type of authentication.");
+                }
+                logger.debug(`${type}: Successfully obtained Azure DevOps token`);
+                return result.token;
+            };
+        default:
+            logger.debug(`Authenticator: Using OAuth interactive authentication (default)`);
+            const authenticator = new OAuthAuthenticator(tenantId);
+            return () => {
+                return authenticator.getToken();
+            };
+    }
+}
+export { createAuthenticator };

package/dist/index.js

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { getBearerHandler, getPersonalAccessTokenHandler, WebApi } from "azure-devops-node-api";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+import { createAuthenticator } from "./auth.js";
+import { logger } from "./logger.js";
+import { getOrgTenant } from "./org-tenants.js";
+//import { configurePrompts } from "./prompts.js";
+import { configureAllTools } from "./tools.js";
+import { UserAgentComposer } from "./useragent.js";
+import { packageVersion } from "./version.js";
+import { DomainsManager } from "./shared/domains.js";
+function isGitHubCodespaceEnv() {
+    return process.env.CODESPACES === "true" && !!process.env.CODESPACE_NAME;
+}
+const defaultAuthenticationType = isGitHubCodespaceEnv() ? "azcli" : "interactive";
+// Parse command line arguments using yargs
+const argv = yargs(hideBin(process.argv))
+    .scriptName("mcp-server-azuredevops")
+    .usage("Usage: $0 <organization> [options]")
+    .version(packageVersion)
+    .command("$0 <organization> [options]", "Azure DevOps MCP Server", (yargs) => {
+    yargs.positional("organization", {
+        describe: "Azure DevOps organization name",
+        type: "string",
+        demandOption: true,
+    });
+})
+    .option("domains", {
+    alias: "d",
+    describe: "Domain(s) to enable: 'all' for everything, or specific domains like 'repositories builds work'. Defaults to 'all'.",
+    type: "string",
+    array: true,
+    default: "all",
+})
+    .option("authentication", {
+    alias: "a",
+    describe: "Type of authentication to use",
+    type: "string",
+    choices: ["interactive", "azcli", "env", "envvar", "pat"],
+    default: defaultAuthenticationType,
+})
+    .option("tenant", {
+    alias: "t",
+    describe: "Azure tenant ID (optional, applied when using 'interactive' and 'azcli' type of authentication)",
+    type: "string",
+})
+    .option("base-url", {
+    alias: "b",
+    describe: "Base URL for Azure DevOps Server (on-prem). E.g. 'https://azuredo.example.com/tfs/MyCollection'. Defaults to 'https://dev.azure.com/{organization}'.",
+    type: "string",
+})
+    .help()
+    .parseSync();
+export const orgName = argv.organization;
+export const orgUrl = argv.baseUrl ?? process.env.AZURE_DEVOPS_BASE_URL ?? "https://dev.azure.com/" + orgName;
+/**
+ * Whether the server is connecting to an on-premises Azure DevOps Server instance
+ * (i.e., not the cloud-hosted dev.azure.com service).
+ */
+export const isOnPrem = !orgUrl.startsWith("https://dev.azure.com/");
+const domainsManager = new DomainsManager(argv.domains);
+export const enabledDomains = domainsManager.getEnabledDomains();
+function getAzureDevOpsClient(getAzureDevOpsToken, userAgentComposer, authType) {
+    return async () => {
+        const accessToken = await getAzureDevOpsToken();
+        // For pat, accessToken is base64("{email}:{token}"). Decode to extract the token part,
+        // since getPersonalAccessTokenHandler prepends ":" internally and just needs the raw token.
+        const authHandler = authType === "pat" ? getPersonalAccessTokenHandler(Buffer.from(accessToken, "base64").toString("utf8").split(":").slice(1).join(":")) : getBearerHandler(accessToken);
+        const connection = new WebApi(orgUrl, authHandler, undefined, {
+            productName: "AzureDevOps.MCP",
+            productVersion: packageVersion,
+            userAgent: userAgentComposer.userAgent,
+        });
+        return connection;
+    };
+}
+async function main() {
+    logger.info("Starting Azure DevOps MCP Server", {
+        organization: orgName,
+        organizationUrl: orgUrl,
+        authentication: argv.authentication,
+        tenant: argv.tenant,
+        domains: argv.domains,
+        enabledDomains: Array.from(enabledDomains),
+        version: packageVersion,
+        isCodespace: isGitHubCodespaceEnv(),
+        isOnPrem,
+    });
+    // Validate authentication type for on-prem servers
+    if (isOnPrem && argv.authentication !== "pat" && argv.authentication !== "envvar") {
+        logger.error("On-premises Azure DevOps Server only supports 'pat' or 'envvar' authentication.");
+        throw new Error("On-premises Azure DevOps Server only supports 'pat' or 'envvar' authentication. " +
+            "Please use '--authentication pat' or '--authentication envvar'.");
+    }
+    const server = new McpServer({
+        name: "Azure DevOps MCP Server",
+        version: packageVersion,
+        icons: [
+            {
+                src: "https://cdn.vsassets.io/content/icons/favicon.ico",
+            },
+        ],
+    });
+    const userAgentComposer = new UserAgentComposer(packageVersion);
+    server.server.oninitialized = () => {
+        userAgentComposer.appendMcpClientInfo(server.server.getClientVersion());
+    };
+    const tenantId = isOnPrem ? argv.tenant : ((await getOrgTenant(orgName)) ?? argv.tenant);
+    const authenticator = createAuthenticator(argv.authentication, tenantId);
+    if (argv.authentication === "pat") {
+        const basicValue = await authenticator();
+        // basicValue is already base64("{email}:{token}") — use it directly in the Authorization header
+        const _originalFetch = globalThis.fetch;
+        globalThis.fetch = async (input, init) => {
+            if (init?.headers) {
+                const headers = new Headers(init.headers);
+                if (headers.get("Authorization")?.startsWith("Bearer ")) {
+                    headers.set("Authorization", `Basic ${basicValue}`);
+                    init = { ...init, headers };
+                }
+            }
+            return _originalFetch(input, init);
+        };
+        logger.debug("PAT mode: global fetch interceptor installed to rewrite Bearer -> Basic auth headers");
+    }
+    // removing prompts untill further notice
+    // configurePrompts(server);
+    configureAllTools(server, authenticator, getAzureDevOpsClient(authenticator, userAgentComposer, argv.authentication), () => userAgentComposer.userAgent, enabledDomains);
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((error) => {
+    logger.error("Fatal error in main():", error);
+    process.exit(1);
+});