@softeria/ms-365-mcp-server 0.24.0 → 0.24.2

package/Dockerfile

@@ -0,0 +1,13 @@
+FROM node:20-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+RUN npm prune --production
+
+ENTRYPOINT ["node", "dist/index.js"]
+CMD ["--http"]

package/README.md

@@ -287,19 +287,30 @@ registration:
 - Navigate to Azure Active Directory → App registrations → New registration
 - Set name: "MS365 MCP Server"
 
-1. **Configure Redirect URIs**:
-   Add these redirect URIs for testing with MCP Inspector (`npm run inspector`):
+2. **Configure Redirect URIs**:
 
-- `http://localhost:6274/oauth/callback`
-- `http://localhost:6274/oauth/callback/debug`
-- `http://localhost:3000/callback` (optional, for server callback)
+- **Configure the OAuth callback URI**: Go to your app registration and on the left side, go to Authentication.
+- Under Platform configurations:
+  - Click Add a platform (if you don’t already see one for "Mobile and desktop applications" / "Public client").
+  - Choose Mobile and desktop applications or Public client/native (mobile & desktop) (label depends on portal version).
 
-1. **Get Credentials**:
+3. **Testing with MCP Inspector (`npm run inspector`)**:
+
+- Go to your app registration and on the left side, go to Authentication.
+- Under Platform configurations:
+  - Click Add a platform (if you don’t already see one for "Web").
+  - Choose Web.
+  - Configure the following redirect URIs
+    - `http://localhost:6274/oauth/callback`
+    - `http://localhost:6274/oauth/callback/debug`
+    - `http://localhost:3000/callback` (optional, for server callback)
+
+4. **Get Credentials**:
 
 - Copy the **Application (client) ID** from Overview page
 - Go to Certificates & secrets → New client secret → Copy the secret value
 
-1. **Configure Environment Variables**:
+5. **Configure Environment Variables**:
    Create a `.env` file in your project root:
    ```env
    MS365_MCP_CLIENT_ID=your-azure-ad-app-client-id-here

package/dist/auth.js

@@ -1,9 +1,25 @@
 import { PublicClientApplication } from "@azure/msal-node";
-import keytar from "keytar";
 import logger from "./logger.js";
 import fs, { existsSync, readFileSync } from "fs";
 import { fileURLToPath } from "url";
 import path from "path";
+let keytar = null;
+async function getKeytar() {
+  if (keytar === void 0) {
+    return null;
+  }
+  if (keytar === null) {
+    try {
+      keytar = await import("keytar");
+      return keytar;
+    } catch (error) {
+      logger.info("keytar not available, using file-based credential storage");
+      keytar = void 0;
+      return null;
+    }
+  }
+  return keytar;
+}
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 const endpointsData = JSON.parse(
@@ -31,9 +47,23 @@ const SCOPE_HIERARCHY = {
   "Tasks.ReadWrite": ["Tasks.Read"],
   "Contacts.ReadWrite": ["Contacts.Read"]
 };
-function buildScopesFromEndpoints(includeWorkAccountScopes = false) {
+function buildScopesFromEndpoints(includeWorkAccountScopes = false, enabledToolsPattern) {
   const scopesSet = /* @__PURE__ */ new Set();
+  let enabledToolsRegex;
+  if (enabledToolsPattern) {
+    try {
+      enabledToolsRegex = new RegExp(enabledToolsPattern, "i");
+      logger.info(`Building scopes with tool filter pattern: ${enabledToolsPattern}`);
+    } catch (error) {
+      logger.error(
+        `Invalid tool filter regex pattern: ${enabledToolsPattern}. Building scopes without filter.`
+      );
+    }
+  }
   endpoints.default.forEach((endpoint) => {
+    if (enabledToolsRegex && !enabledToolsRegex.test(endpoint.toolName)) {
+      return;
+    }
     if (!includeWorkAccountScopes && !endpoint.scopes && endpoint.workScopes) {
       return;
     }
@@ -50,7 +80,11 @@ function buildScopesFromEndpoints(includeWorkAccountScopes = false) {
       scopesSet.add(higherScope);
     }
   });
-  return Array.from(scopesSet);
+  const scopes = Array.from(scopesSet);
+  if (enabledToolsPattern) {
+    logger.info(`Built ${scopes.length} scopes for filtered tools: ${scopes.join(", ")}`);
+  }
+  return scopes;
 }
 class AuthManager {
   constructor(config = DEFAULT_CONFIG, scopes = buildScopesFromEndpoints()) {
@@ -69,9 +103,12 @@ class AuthManager {
     try {
       let cacheData;
       try {
-        const cachedData = await keytar.getPassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT);
-        if (cachedData) {
-          cacheData = cachedData;
+        const kt = await getKeytar();
+        if (kt) {
+          const cachedData = await kt.getPassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT);
+          if (cachedData) {
+            cacheData = cachedData;
+          }
         }
       } catch (keytarError) {
         logger.warn(
@@ -93,9 +130,12 @@ class AuthManager {
     try {
       let selectedAccountData;
       try {
-        const cachedData = await keytar.getPassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY);
-        if (cachedData) {
-          selectedAccountData = cachedData;
+        const kt = await getKeytar();
+        if (kt) {
+          const cachedData = await kt.getPassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY);
+          if (cachedData) {
+            selectedAccountData = cachedData;
+          }
         }
       } catch (keytarError) {
         logger.warn(
@@ -118,7 +158,12 @@ class AuthManager {
     try {
       const cacheData = this.msalApp.getTokenCache().serialize();
       try {
-        await keytar.setPassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT, cacheData);
+        const kt = await getKeytar();
+        if (kt) {
+          await kt.setPassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT, cacheData);
+        } else {
+          fs.writeFileSync(FALLBACK_PATH, cacheData);
+        }
       } catch (keytarError) {
         logger.warn(
           `Keychain save failed, falling back to file storage: ${keytarError.message}`
@@ -133,7 +178,12 @@ class AuthManager {
     try {
       const selectedAccountData = JSON.stringify({ accountId: this.selectedAccountId });
       try {
-        await keytar.setPassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY, selectedAccountData);
+        const kt = await getKeytar();
+        if (kt) {
+          await kt.setPassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY, selectedAccountData);
+        } else {
+          fs.writeFileSync(SELECTED_ACCOUNT_PATH, selectedAccountData);
+        }
       } catch (keytarError) {
         logger.warn(
           `Keychain save failed for selected account, falling back to file storage: ${keytarError.message}`
@@ -286,8 +336,11 @@ class AuthManager {
       this.tokenExpiry = null;
       this.selectedAccountId = null;
       try {
-        await keytar.deletePassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT);
-        await keytar.deletePassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY);
+        const kt = await getKeytar();
+        if (kt) {
+          await kt.deletePassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT);
+          await kt.deletePassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY);
+        }
       } catch (keytarError) {
         logger.warn(`Keychain deletion failed: ${keytarError.message}`);
       }

package/dist/index.js

@@ -12,7 +12,7 @@ async function main() {
     if (includeWorkScopes) {
       logger.info("Organization mode enabled - including work account scopes");
     }
-    const scopes = buildScopesFromEndpoints(includeWorkScopes);
+    const scopes = buildScopesFromEndpoints(includeWorkScopes, args.enabledTools);
     const authManager = new AuthManager(void 0, scopes);
     await authManager.loadTokenCache();
     if (args.login) {

package/dist/server.js

@@ -78,7 +78,7 @@ class MicrosoftGraphServer {
       app.get("/.well-known/oauth-authorization-server", async (req, res) => {
         const protocol = req.secure ? "https" : "http";
         const url = new URL(`${protocol}://${req.get("host")}`);
-        const scopes = buildScopesFromEndpoints(this.options.orgMode);
+        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
         res.json({
           issuer: url.origin,
           authorization_endpoint: `${url.origin}/authorize`,
@@ -95,7 +95,7 @@ class MicrosoftGraphServer {
       app.get("/.well-known/oauth-protected-resource", async (req, res) => {
         const protocol = req.secure ? "https" : "http";
         const url = new URL(`${protocol}://${req.get("host")}`);
-        const scopes = buildScopesFromEndpoints(this.options.orgMode);
+        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
         res.json({
           resource: `${url.origin}/mcp`,
           authorization_servers: [url.origin],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.24.0",
+  "version": "0.24.2",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",
@@ -40,10 +40,12 @@
     "dotenv": "^17.0.1",
     "express": "^5.1.0",
     "js-yaml": "^4.1.0",
-    "keytar": "^7.9.0",
     "winston": "^3.17.0",
     "zod": "^3.24.2"
   },
+  "optionalDependencies": {
+    "keytar": "^7.9.0"
+  },
   "devDependencies": {
     "@redocly/cli": "^1.34.3",
     "@semantic-release/exec": "^7.1.0",